Wednesday, August 19, 2009

The logon screen turns black after you press CTRL+ALT+DELETE

Today i logged in to a server and this is what i saw:

black_logon_screen.jpg

Microsoft has an article on this matter: http://support.microsoft.com/kb/906510

I have no clue what caused this, however the resolution is simple. Import the following .reg file:

Windows Registry Editor Version 5.00 

[HKEY_USERS\.DEFAULT\Control Panel\Colors] 
"ActiveBorder"="212 208 200" 
"ActiveTitle"="10 36 106" 
"AppWorkSpace"="128 128 128" 
"Background"="102 111 116" 
"ButtonAlternateFace"="181 181 181" 
"ButtonDkShadow"="64 64 64" 
"ButtonFace"="212 208 200" 
"ButtonHilight"="255 255 255" 
"ButtonLight"="212 208 200" 
"ButtonShadow"="128 128 128" 
"ButtonText"="0 0 0" 
"GradientActiveTitle"="166 202 240" 
"GradientInactiveTitle"="192 192 192" 
"GrayText"="128 128 128" 
"Hilight"="10 36 106" 
"HilightText"="255 255 255" 
"HotTrackingColor"="0 0 128" 
"InactiveBorder"="212 208 200" 
"InactiveTitle"="128 128 128" 
"InactiveTitleText"="212 208 200" 
"InfoText"="0 0 0" 
"InfoWindow"="255 255 225" 
"Menu"="212 208 200" 
"MenuText"="0 0 0" 
"Scrollbar"="212 208 200" 
"TitleText"="255 255 255" 
"Window"="255 255 255" 
"WindowFrame"="0 0 0" 
"WindowText"="0 0 0"

Big thanks to my friend at Tech Notes for helping me out so quickly.

Friday, August 14, 2009

SSL, Exchange 2007, request a SAN certificate

SSL, the basics:

A SSL certifcate enables secure communication (encryption) between client and server. For this to work, there are 3 checks performed by your client (which can be a computer, pda, smartphone, etc):

  1. Date of the certificate. Is it valid? Isn’t the certificate expired yet?
  2. Trusted Authority. In short: which trusted company sold this certificate? e.g. Verisign, Thawte, etc. Your client has a list of well-known and trusted companys. If this company is on the list, this certificate can be trusted also.
  3. The common name. If the common name on the certificate is www.domain1.com and you want to visit webmail.domain1.com through ssl, check 3 fails.

Exchange 2007 and SSL

After installing Exchange 2007, a self-signed SSL certificate is installed by default. This SSL certificate is used to secure communication between both Internet clients (Exchange ActiveSync, Outlook Web Access, Outlook Anywhere, POP3 and IMAP4) and internal clients (Outlook 2007) to the Client Access server.

Exchange Server 2007 also introduces a new Exchange web service called the Autodiscover service. The autodiscover service is used to configure Outlook 2007 clients. More specifically, the Autodiscover service is used by Outlook 2007 client features such as the Availability service (free/busy), Auto Account Setup (automatic profile creation), Out of Office (OOF), Offline Address Book (OAB), and Unified Messaging (UM). This means that in order for these features to work correctly, the Autodiscover service must be properly configured. Since the Autodiscover service is a web-based service, it’s located on the Client Access server (CAS). And since it’s a webbased service, it needs an SSL certificate that is accepted by all clients, internal but also on the internet.

We now have one problem.
As the common name of the server is different, based on where you reside at that moment, you’ll need a SSL certificate with at least 5 different common names, e.g.

  • the netbios name of the computer, lets say: “EXCH2K7SRV02”
  • the fully qualified domain name in the local network; EXCH2k7SRV02.domain1.local
  • the fully qualified domain name on internet; webmail.domain1.com
  • the fully qualified domain name for the autodiscovery in the local network; autodiscover.domain1.local
  • the fully qualified domain name for the autodiscovery on internet; autodiscover.domain1.com

SAN certificate

With Exchange Server 2007 a new type of certificate is introduced; it’s called a subject alternative name (SAN) certificate. The interesting thing about a SAN certificate is that it allows us to include multiple FQDNs (aka common names) in one single certificate.
So in case you wondered: this SAN certificate has nothing to do with your SAN storage. It’s something different.

Request a SAN certificate

Start the Exchange 2007 Management Shell
In the Powershell we type:

[PS] C:\Windows\System32> New-ExchangeCertificate -DomainName EXCH2k7SRV02, EXCH2k7SRV02.domain1.local, webmail.domain1.com, autodiscover.domain1.local, autodiscover.domain1.com -FriendlyName Domain1SSLCertificate -GenerateRequest:$True -Keysize 1024 -path c:\certreq.txt -privatekeyExportable:$true -subjectName "c=US, o=My Company, CN=domain1.com"  -privatekeyExportable:$true

As you see, with the “-DomainName” parameter, i’m requesting a certificate for 5 Subject Alternative Names which makes it a SAN certificate.
Make the “-FriendlyName” something obvious. And remember it, you’ll need it later!
I mark the private key as exportable (”-privatekeyExportable:$true”) in order to re-use the certificate whenever i want to transfer it to another server. I know this is less secure, but i’ve been in a lot of situations where customers didn’t remember where they bought the certificate or didn’t have the appropriate login info etc. So that’s why.
In the “-subjectName”, specify your country “c=US”, organisation “o=My Company” and the domain you are working with “CN=domain1.com”.
As you see (”-path”) the request is stored in a file called c:\certreq.txt. The content of this file is required to actually request the certificate at your SSL reseller or your own active directory CA.

Import the SAN certificate

Once you’ve got the certificate, save it to c:\certnew.cer.
In the Exchange Management Shell type:

[PS] C:\Windows\System32> Import-ExchangeCertificate -path c:\certnew.cer -friendlyname "Domain1SSLCertificate"

So this is where you’ll need that friendlyname again.
After his command you’ll see a “thumbprint” on your screen. My example: “795E704F73D47F6053A493961CB23DB349731141”
The certificate is now imported.

If you forgot the thumbprint, you can look it up by typing:

[PS] C:\Windows\System32> Get-ExchangeCertificate -DomainName "EXCH2K702"

All you have to do right now is activate the certificate for the required Exchange services. Do this by typing:

[PS] C:\Windows\System32> Enable-ExchangeCertificate -thumbprint 795E704F73D47F6053A493961CB23DB349731141 -services "IIS,POP,IMAP"

Wednesday, August 12, 2009

Timezone and time sync

How to make sure your client is in the right timezone and synchs with your preferred ntp server?

Control.exe TIMEDATE.CPL,,/Z (GMT+01:00) Amsterdam, Berlijn, Bern, Rome, Stockholm, Wenen
net time /setsntp:ntp.xs4all.nl
net time /querysntp
w32tm /Resync

Event viewer nicely logs the resync action:

Type gebeurtenis: Informatie
Bron van gebeurtenis: W32Time
Categorie van gebeurtenis: Geen
Gebeurtenis-ID: 35
Datum: 12-8-2009
Tijd: 10:04:10
Gebruiker: n.v.t.
Computer: HUGO7900SSF
Beschrijving:
De tijdservice is nu bezig met het synchroniseren van de systeemtijd met de tijdbron ntp.xs4all.nl (ntp.m|0×1|10.0.11.76:123->194.109.22.18:123).

Zie Help en ondersteuning op http://go.microsoft.com/fwlink/events.asp voor meer informatie.

Thursday, August 6, 2009

Default user registry - the most common mistake

If you want to make changes to the registry for the “default user” there is one BIG misunderstanding that i want to clarify here.

HKEY_USERS\.DEFAULT is NOT the Default User!

This is actually the registry for the Local System account. Changes in this hive will be applyed before a user logs in.
A clear example: when making the following change:

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"Wallpaper"="C:\Windows\mywallpaper.bmp"

the background called “mywallpaper.bmp” will be loaded onto the background while pressing ctrl+alt+del and entering your credentials. (e.g. this is how Dell or HP use their own backgrounds on a pre-installed system).

Ok so how do you make changes to the default user?

It’s actually pretty simple.
As you should know the registry for a user is placed in a file called ntuser.dat in the %userprofile% directory. Therefor, in c:\documents and settings\Default User you’ll find the registry for the default user (doh!).

Now load this file as a temporary hive to enabled making changes to it.
Start a dos prompt. Then type:

reg load HKU\Temp "c:\documents and settings\Default User\NTUSER.DAT"

Start regedit and go to HKEY_USERS\Temp and you’ll see the registry for the default user.
Make the desired changes. When done, close regedit to avoid locking issues and back in your dos prompt type:

reg unload HKU\Temp

And you’re done!
New users without existing profile will inherit the Default User profile and therefor inherit the changes you just made.

“Ok one question though, why not use (domain) policies for such purposes?”
Good question. Policies will always be a better solution because changes to the policies will automatically be applied to existing user profiles and changes to the default user profile will only be used when a user logs in and the user has no existing profile.
There are, however, settings that can not be changed from (domain) policies (at least not in current Windows versions…). Examples:

  • Power management (screensaver, disks going to stand-by), etc
  • Schemes for audio/sounds
  • (one of my favorites) Quick Launch behaviour (e.g. the number of items, the locked status, etc)
  • … etc!

Conclusion
Now you know how to edit the default user registry.
Think about making these changes when preparing an image that you’re going to deploy to a network. Or at least apply the changes to the clients before all users are going to log in!

Wednesday, August 5, 2009

Elevated (dos) prompt

Some actions require an elevated dos prompt.
The fastest way:

  • Click on the Windows (start) button
  • type: cmd in the search bar
  • hold down ctrl+shift and then press enter

NOTES:

  • Do not try to do this from the Run box (Win+R), this MUST to be done through the search bar.
  • UAC must be enabled otherwise it won’t work

Monday, August 3, 2009

Add server alias

I’m involved in a lot of network migrations (client/servers).
Usually, migrating the server isn’t that difficult. However, the software on the clients can be tricky. There can be a lot of registry keys, ini files or all sort of pointers pointing to the old servername.

There’s one sneaky trick that makes it all a lot easyer!

  • Raise your domain funtional level to 2003.
  • Download and install the latest Support Tools
  • Use netdom to add a server alias, e.g.
    netdom computername newserver /add:oldserver.domain.local
  • Import this regfile:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
    "DisableStrictNameChecking"=dword:00000001