Posts posted by mellimik

  1. Hi there. Would any one of you be able to share insight into Internet Explorer and add-ons? Specifically, whether they are per user or per system? We have a bunch of Windows Server 2003 servers running with Terminal Services enabled. One software that people run while logged in is browser based, which requires an Internet Explorer add-on to function correctly. The website contains a function to test if the add-on has been correctly installed. For some reason the site keeps saying that the add-on is installed when the user is a member of BUILTIN\Administrator, and the opposite if not. The Internet Explorer version we're using is 6 due to the number of applications requiring it.

    Assuming this is a BHO (Browser Helper Object), the configuration should be stored at:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

    If it's a Browser Extension rather than a Helper Object, it will be at:

    HKLM\Software\Microsoft\Internet Explorer\Extensions

    - both are per machine, rather than per user, although there may also be relevant data stored under the HKCU hive, which is specific to the user, not the computer (such as whether to display a toolbar, and what dimensions to make it).

    It is also possible to find extensions under HKCU\Software\Microsoft\Internet Explorer\Extensions, which would be per user, although this seems to be rare - and the fact that your add-in works fine for multiple users suggests that this is not the case here.

    It could be that the specific BHO/Extension you are using cannot be accessed by non-administrators. Perhaps some files are written somewhere that only admins have access to (such as the user profile of another administrator).

    For example, the Adobe Acrobat BHO installs a DLL at C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll. If non-admins didn't have permission to read this file/directory, they would be unable to load the add-on.

    It might be time to dig out procmon.exe, and monitor what iexplore.exe is doing when you try to use/view the add-on as both admin and non-admin.

    Much appreciated for the reply. We actually got this issue sorted out by realizing that the problem lay in Local Group Policy. Someone or something had tampered with the security privilege called Create Global Objects. This privilege was assigned to BUILTIN\Administrators and one other group, in which some users were members. The browser add-in relied on this privilege, which was the actual problem. Or to put it another way, we had no problem. It was just that no one even thought of this kind of possibility.
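As an added example (not part of the original posts), one way to see which accounts hold the Create Global Objects right (SeCreateGlobalPrivilege) that the reply above identifies as the cause. The function name `Get-UserRightHolder` is hypothetical, the sample policy lines are constructed, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Run from an administrator session; secedit is the built-in
# Windows security policy tool. Function name and sample lines are illustrative.
function Get-UserRightHolder {
    param(
        [string]$Right = 'SeCreateGlobalPrivilege',   # "Create global objects"
        [string[]]$PolicyLines                        # optional pre-exported INF lines
    )

    if (-not $PolicyLines) {
        # Export only the user-rights section of the local security database
        $tmp = Join-Path $env:TEMP 'user_rights_export.inf'
        secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $PolicyLines = Get-Content $tmp
        Remove-Item $tmp
    }

    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $PolicyLines) {
        if ($line -notmatch $pattern) { continue }
        foreach ($entry in $matches[1].Split(',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            $account = $entry
            if ($entry.StartsWith('*S-')) {
                # Entries written as *S-1-... are SIDs; resolve them to account names
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $account = '(unresolved SID)'
                }
            }
            New-Object PSObject -Property @{ Right = $Right; Entry = $entry; Account = $account }
        }
    }
}

# Constructed sample of the [Privilege Rights] section, so the parser can be tried offline
$sample = @(
    '[Privilege Rights]',
    'SeShutdownPrivilege = *S-1-5-32-544',
    'SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-6'
)
Get-UserRightHolder -PolicyLines $sample | Format-Table Entry, Account -AutoSize

# Live policy of the terminal server, then the same right in the current user's token
Get-UserRightHolder | Format-Table Entry, Account -AutoSize
whoami /priv | Select-String 'SeCreateGlobalPrivilege'
```

Comparing the output for an administrator session and for an affected user's group memberships shows whether a missing user right, rather than the add-on's registry location, explains the difference.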

  2. Hi there. Would any one of you be able to share insight into Internet Explorer and add-ons? Specifically, whether they are per user or per system? We have a bunch of Windows Server 2003 servers running with Terminal Services enabled. One software that people run while logged in is browser based, which requires an Internet Explorer add-on to function correctly. The website contains a function to test if the add-on has been correctly installed. For some reason the site keeps saying that the add-on is installed when the user is a member of BUILTIN\Administrator, and the opposite if not. The Internet Explorer version we're using is 6 due to the number of applications requiring it.

  3. We have a test user at the office who has been given a Windows 7 installation. He recently came to me to ask how he can add our network printers to his computer. The network printers are shared by our file server that is a Windows Server 2003 R2 installation. I told him to browse his way to the file server and choose Connect from the right click menu, but Windows is requesting elevation for some reason. He's running as a Power User, and even a normal user should be able to do this, right?

  4. I'll reply to myself since I now know what caused our problem with the RPC over HTTPS function.

    Basically my colleague had created a split DNS configuration of our AD integrated zone. Since the clients connected in the local office LAN use RPC and the internal AD DNS zone to talk with the Exchange, they have no problem. For clients connected externally through the internet, however, this caused issues, because the same DNS zone resolvable in the office LAN was suddenly resolvable from the internet as well.. just that it was a different server replying to clients, which had no idea about the host name of the Exchange server the clients tried to resolve.

  5. We've lately started seeing something out of normal behavior from our Outlook 2003 installations. Or then it might be that we've never really understood the application to begin with :sneaky:

    We use the combination of Outlook 2003, ISA 2006 and Exchange 2007. Clients connect using HTTPS outside of office network and then RPC while in the office. ISA is expecting HTTP basic authentication from the client protected using SSL.

    Outlook is configured to use HTTPS for slow and RPC for fast connections. For some magic reason we've never even had to bother our minds with this, things have just *worked*. Lately, though, Outlook clients connected outside of office have started to stall before prompting the user for credentials to proceed with login. And by looking at the Connection Status (outlook.exe /rpcdiag) we can see that for each connection made, it takes significantly long for Outlook to switch from RPC to HTTPS.

    So, I understand that this has to do with Outlook judging a connection as either slow or fast, which based on my Google skills seems to be 128Kb / s. What I don't understand is if this aforementioned value is the Adapter negotiated link speed or actually some calculated value between the Exchange/ISA server and the Outlook client? We have not changed anything since the original setup of our infra, so the Outlook acting differently is a bit mind boggling.. By looking at the Connection Status (see the attached image) it has always said Req/Fail being x/1 meaning it has always tried first using RPC then failed over to HTTPS. Now it just seems to take bloody long for it to do the failover :huh:

    Has anyone else struggled with this issue?

    post-114779-1257152929_thumb.jpg

  6. Hello,

    I've been thinking about this by myself for some time now and I seem to be unable to come up with the answer. How can I utilize the Wireless Zero Configuration and RADIUS based WLAN network?

    Basically what I have now is Microsoft IAS server configured to ask EAP (with Smart card or other certificate) + MS-CHAP v2. I have my own enterprise CA or actually two of them, one being Root and the other Subordinate. Wireless clients (Windows XP SP2) have the Root CA certificate pushed by GPO and users logged in to these wireless clients have their own User certificate automatically enrolled. This setup works, but it requires that there is a valid user logged in to the computer for Windows to connect to my wireless network.

    This poses some issues since I would like all my client PCs to be always connected, which, to my understanding at least, means authenticating with computer account and computer certificate instead of user account and user certificate. Is this correct? I know that if you use Windows to configure wireless networks, there is this Wireless Zero Configuration system service that connects to known networks without the user logging in first. That is my goal, so I can manage computers without a user logged in to them.

    How have others done this? I don't really know what keywords to start to use with Google, as "Microsoft IAS computer certificate" really only links to articles covering IAS setup, and that is something I've already done.

  7. The command:

    Get-MailboxStatistics -Database MBD1 | where {$_.displayname -notmatch 'system'} | ft displayname,totalitemsize,itemcount | Sort-Object displayname

    Produces the following output:

    out-lineoutput : Object of type "Microsoft.PowerShell.Commands.Internal.Format.FormatEntryData" is not legal or not in the correct sequence. This is likely caused by a user-specified "format-*" command which is conflicting with the default formatting.

    There's obviously a very simple reason for this, like my syntax being wrong, but then how should I tell Management Shell to format the output from Get-MailboxStatistics based on DisplayName?
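As an added example (not part of the original post): the error quoted above appears whenever a `Format-*` cmdlet runs before a cmdlet that expects data objects, because `Format-Table` replaces the mailbox objects with layout records that `Sort-Object` cannot use. The sketch below uses constructed stand-in objects instead of real `Get-MailboxStatistics` output; `New-SampleStat` and `Get-SortedMailboxReport` are hypothetical helper names.

```powershell
# Constructed stand-ins for Get-MailboxStatistics output (names and sizes are made up)
function New-SampleStat($name, $size, $count) {
    New-Object PSObject |
        Add-Member NoteProperty DisplayName   $name  -PassThru |
        Add-Member NoteProperty TotalItemSize $size  -PassThru |
        Add-Member NoteProperty ItemCount     $count -PassThru
}

$stats = @(
    (New-SampleStat 'Zoe Berg' 150MB 3100),
    (New-SampleStat 'SystemMailbox{constructed}' 1MB 12),
    (New-SampleStat 'Anna Lund' 420MB 9800)
)

# Filter, sort and select while the pipeline still carries data objects
function Get-SortedMailboxReport {
    param($InputStats)
    $InputStats |
        Where-Object { $_.DisplayName -notmatch 'system' } |
        Sort-Object DisplayName |
        Select-Object DisplayName, TotalItemSize, ItemCount
}

# Formatting is the last stage of the pipeline
Get-SortedMailboxReport $stats | Format-Table -AutoSize

# What Sort-Object received in the failing order: the type names of the
# records Format-Table emits, none of which has a DisplayName property
$stats | Format-Table DisplayName |
    ForEach-Object { $_.GetType().Name } |
    Sort-Object -Unique

# The same reordering applied to the command from the post:
# Get-MailboxStatistics -Database MBD1 | where {$_.displayname -notmatch 'system'} |
#     Sort-Object displayname | ft displayname,totalitemsize,itemcount
```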

  8. I have set up my WDS service to ask for the Administrator to approve the installation in case the GUID is unknown to directory services. When I open the Windows Deployment Services snap-in and go to the Pending Devices section to approve new installation, I get Access is Denied every time I either choose to Approve or Name and Approve the client. Event Viewer logs ID 524 every time I get that Access is Denied on the WDS server.

    Microsoft has a rather well detailed article about this:

    Event ID 524 — Active Directory Integration

    My problem is that even after following the instructions outlined in this document, I'm getting that Access is Denied dialog when approving (or Name and Approve).

    I have created a security group in our AD with the computer account WDS is running on and delegated Full permissions for this group against the OU where computer accounts are to be created. I've also tried rebooting the WDS server, waiting a couple of hours just in case the DCs had not yet replicated.. but at this point I'm clueless.

    RIS used to work in the way that CIW used the credentials of the logged in user to create the computer object, but in case of WDS (according to Microsoft) the computer account running the WDS service needs to have permissions on the destined OU. Btw. when I use the WDS snap-in, I'm logged in with my Domain Admin account.

  9. I am in the process of doing a new install of Windows Server 2008 and hopefully will have some suggestions for you shortly

    See if you can use the prestage option using the Active Directory Users and Computers snap-in running on the Domain Controller?

    I just installed the Adminpak.msi onto my old RIS server, using the AD Users and Computers snap-in I can verify that Remote Install tab is present when browsing properties of the RIS computer object, and when creating new computer object I can also prestage it. I have no clue why, though? Why would that snap-in behave differently when run on the RIS server and when run on DC for e.g.?

  10. hi, did you do the following when setting up WDS on Windows Server 2008 ?
    Before you begin, you need to configure Windows Deployment Services by running either the Windows Deployment Services Configuration Wizard or WDSUtil.exe. You will also need to add at least one boot image and one install image in the image store.

    cheers

    anyweb

    Yes, I did follow that. WDS is functioning just fine, just as the old RIS server, too. Problem is that I cannot prestage machines using Active Directory Users and Computers snap-in nor can I view that Remote Install tab anymore on our RIS machine's AD object.

    I just installed virtual environment to test this and I cannot prestage computer accounts there either. The virtual env consists of AD running in Windows 2003 Server mode, all the member servers running 2003 R2 SP2 and WDS configured using the legacy wizard.

    What on earth is the problem here? Where's my RIS related tabs and prestaging functionality?

  11. I just installed one Windows 2008 Standard server and added the WDS role on it. We are running our AD in Windows Server 2003 mode and had already earlier installed a RIS server on a 2003 R2 server. The wdsserver service is turned off on our old RIS machine and only the new 2008 server with the WDS role is on. I'm trying to manually approve a machine requesting to get service but am instantly greeted with just the "access is denied" prompt. This is the Windows Deployment Services snap-in opened using the "Run as an Administrator" from the context menu, that is.

    After googling a lot about this problem I have learned that the computer object of the new 2008 server needs to have the "Create computer object" rights in the Domain Controller OU etc.

    1: Deploying Vista via WDS

    2: WDS When pending devices try to Approve --> Access Denied

    Following the instructions explained on those aforementioned links doesn't provide a solution for us. After too many hours of hitting my head against the wall I figured out that I could still prestage the machine with GUID. Thing is that Active Directory Users and Computers snap-in does not have the option to do so anymore? When I click "New -> Computer" on top of one of our OU's I can only type the name of the machine and there is no option to click next and choose "This is a managed computer" like I've seen at least before.

    Anyone has any clues what's going on, did I irreversibly change something on our AD when I installed WDS? :unsure:

    post-114779-1210074600_thumb.png

  12. Actually, they shouldn't :). I'm not sure about the OWA logon before RPC over HTTPS, but it could have something to do with creating the kerb token in the AD for the user before they can use the RPC proxy to use the mailbox. I'm not sure on it, but I think it's a valid educated guess.

    Actually, you make a whole lot of sense when I think about it. I was reading this yesterday:

    http://www.msexchange.org/tutorials/outlookrpchttp.html

    It is important to note that you must create the Outlook 2003 profile while the Outlook 2003 computer is on the internal network, or while the Outlook 2003 computer is on the Internet and can access the Exchange Server using RPC (TCP 135 – typically through an ISA Server 2000 secure Exchange RPC Publishing rule). You will not be able to create a new profile or change an existing profile to use RPC over HTTP if it does not have access to the Exchange Server via RPC (TCP 135).

    This bears repeating: you will not be able to create a new Outlook profile when the Outlook client is not on the internal network and can access the Exchange Server using RPC via TCP 135. In addition, a user with an existing profile will not be able to alter the existing profile so that it can use RPC over HTTP if that client is not located on the internal network and can access the Exchange Server using TCP 135. The Outlook 2003 profile must be configured to use RPC over HTTP while that machine is connected to the internal network and can access the Exchange Server via TCP port 135.

    I think you can go around that by using that OWA login "trick".

  13. Are you using the same certificate for OWA that you use for RPC over HTTPS?

    Hey, thanks for reply! Uum, no. I have different web listener for OWA and RPC over HTTP, so they have their own certificate as well. The certificate has been granted with the FQDN of the web listener, so the local host name is not mentioned in it.

    Why do you ask, should they use the same certificate?

  14. ----- Post Nº 1 -----

    Has anyone been able to setup Outlook to use RPC over HTTP in non-domain (workgroup) machine?

    I'm rolling Outlook Anywhere with Exchange 2007 to our remote offices and some of those employees are using a machine that has not been joined into our domain. My own tests implicate that it is not possible for some reason.

    ----- Post Nº 2 -----

    I actually got an Outlook client using Workgroup networking to work with RPC over HTTPS, but the Outlook client refuses to authenticate before the user has logged in at least once using Outlook Web Access.. It's weird and sounds stupid, but it's the truth. Outlook is able to connect using HTTPS as soon as the user opens OWA at least once.

    I cannot explain that nor does it make any sense to me, but I have to include that in the documentation :rolleyes:

  15. copy these text mode drivers to your i386 directory. They have been edited to work in RIS/WDS.

    http://www.doitrightconsulting.net/forum/v...p?f=2&t=315

    Ok, have copied those into the folder and still no luck getting it to work, which i386 folder should they be placed into, the riprep image, or the risetup image, I have also read about needing to delete some PNF files?

    I'm talking about the RIS image (flat-file image), not RIPREP. There's actually a very good howto somewhere here at the MSFN forum. You should check that out. Before that, see Microsoft KB:

    How to add a third-party OEM network adapter to a RIS installation

    Check with the OEM to determine whether the supplied network adapter driver is digitally signed. If the drivers from the manufacturer contain a catalog (.cat) file, they are probably properly signed. Drivers signed by Microsoft have been verified and tested to work with Windows. If your driver has not been signed but you still want to use it, make sure to add the following unattended-setup parameter to the .sif file that is located in the RemoteInstall\Setup\Language\Images\Dir_name\I386\Templates folder:

    [unattended]

    DriverSigningPolicy = Ignore

    Note that if the OEM driver is an update of an included Windows XP driver (for example, if the drivers have the same name), the file must be signed or else Setup uses the included driver instead.

    1. On the RIS server, copy the OEM-supplied .inf and .sys files for the network adapter to the RemoteInstall\Setup\Language\Images\Dir_name\i386 folder. This allows Setup to use the driver during the text-mode portion of the installation.

    2. At the same level as the i386 folder on the RIS image, create a $oem$ folder. Use the following structure:

    \$oem$\$1\Drivers\Nic

    3. Copy the OEM-supplied driver files to this folder. Note the folder in which the .inf file looks for its drivers. Some manufacturers place the .inf file in a folder and copy the driver files from a subfolder. If this is the case, create the same folder structure below the one you created in this step.

    4. Make the following changes to the .sif file that is used for this image installation:

    [unattended]

    OemPreinstall = yes

    OemPnpDriversPath = \Drivers\Nic

    Stop and then restart the Remote Installation service (BINLSVC) on the RIS server. To do this, type the following commands at the command prompt and press ENTER after each command:

    net Stop binlsvc

    net Start binlsvc

    Stopping and restarting the Remote Installation service is necessary because the Boot Information Negotiation Layer (BINL) needs to read all the new network adapter-related .inf files and create .pnf files in the image. This is a time-consuming task and is performed only when the Remote Installation service starts.

    If you have multiple network adapters that require OEM drivers, follow the preceding steps for each adapter. Note that PXE clients that have included network adapter drivers are unaffected by these changes and can use this image for installation.

  16. Hi,

    We have recently purchased some Dell Inspiron 530's.

    The first thing we did was to install them using a Windows XP with SP2 disc, we then added all the applications needed and used Riprep to make an image.

    However, upon trying to image the rest of the computers using RIS, with the image we just created, we got a message saying "Cannot find the network adapter drivers, contact your admin."

    After spending 2 days on google and the MS Knowledgebase, trying all the different suggestions, adding the drivers to the $oem$ folder, editing the .inf file etc., we still cannot get it to work.

    Any suggestions would be greatly appreciated.

    On another note we made an image using sysprep, which we added to WDS install images, and the same message comes up, when booting into WDS setup.

    During the text mode setup phase Windows will pick up network interface drivers from the i386 folder. You have to extract the .sys and .inf files from the driver package and copy them to the mentioned folder.

    I might add that it is usually a good idea to spare one OEM installed machine intact, this way it is easier for you to go through the Device Manager and visually browse the hardware installed.

  17. I have managed, thanks to all the contributors of MSFN, to put together a slipstreamed, nLite, RyanVM, Bashrat CD. It takes somewhat less than an hour to load, fully unattended. I have a scratch server in the shop running Windows 2000 Server that I can do whatever I want to with. I was wondering how much time could be saved, if any, using RIS over a CD install.

    I was once working for a slightly bigger company that very well could be described as an international by its acts and holdings and all those endless remote offices. Anyway, my job was to update the workstation installation method and bring it to the "global" level. It took about 3 months to come up with a rather competitive solution that pretty much owned any commercial product, at least price wise and they also had me to support it. What I did was just a bunch of batch scripts, RIS and DFS to distribute images throughout our offices. Simple and easy to maintain. I heard the guy left to maintain it is happy with it and has no reasons to complain or change anything, as he learned installing a workstation can be done in an hour with everything included, whereas using CD/DVD-ROM would take that hour just to install the OS. Even if it is not the speed that rules RIS flat-file image format against others, it is the simplicity of modifying anything inside it when you basically just work inside folder structure using Windows Explorer.

    The story is mainly told to illustrate the fact that RIS and flat-file image format used through PXE is in most cases superior to anything else out there. And, it is as free as they come.

  18. Ok, what I have at my hands is something that is really driving me mad. I bought an Acer M5620 workstation to home that contained pre-installed Vista Home Premium OS. As I have the right to install 2003 Server Standard I chose to reinstall the machine with the latter one. Anyhow, I chose to quickly setup RIS to my home environment. As this is basically just a matter of creating new image for Aspire M5620 and downloading drivers I was suspecting rather easy-going night. And how wrong was I..

    I used the newest Intel Storage Manager driver available from Intel to build the TEXTMODE (non-pnp) directory, then modified the .SIF file and booted with PXE. However, the CIW just keeps saying "cannot detect hard disk drives".

    I know the M5620 contains an Intel G33 chipset with ICH9R mass storage controller, and this has been defined in the .SIF file as well. I chose this from the TXTSETUP.OEM as the storage controller:

    Intel(R) ICH8R/ICH9R SATA RAID Controller (Desktop/Server/Workstation)

    I think it should be working both with ICH8R and ICH9R controllers, but it doesn't. Currently my machine only has one SATA drive attached to the port number 1, while BIOS is claiming the SATA mode to be RAID. For some reason I cannot change that SATA mode setting to AHCI as the value is just grayed out.

    Anyway, I'm a bit clueless here so if any of you guys come up with something I would definitely appreciate :) I'm starting to suspect that I have to actually create RAID array for the CIW to pick up the disk or something.
