Carl’s Blog

Archive for September, 2008

SBS 2008 is too expensive.

by Carl Farrington on Sep.24, 2008, under Computer Stuff

Microsoft’s Small Business Server 2008 is too expensive.

The trade cost for an OEM copy of SBS 2008 Standard Edition is now exactly double that of SBS 2003 R2 Standard Edition. Most people talking about the price increase only state that Premium Edition costs more because of the extra functionality, but I am talking about Standard Edition.

My OEM supplier is asking exactly double for SBS 2008 Std incl 5 CALs, OEM.

Additional licenses are a little cheaper – 20% cheaper. So, the product is 100% more expensive and the additional CALs are 20% cheaper.

Add to that the fact that you now have to buy the Outlook client separately (Office 2007 SBE or Basic) for £100 + VAT per user, and I think it’s too expensive.


Native (MAPI) Exchange Server connectivity on Linux. RPC/HTTP is coming..

by Carl Farrington on Sep.24, 2008, under Computer Stuff

I’ve mentioned this before, in my About Me page, but I just tried out a more current release of OpenChange and the Evolution mapi plugin, from this source: http://download.opensuse.org/repositories/home:/msuman:/evolution-mapi-provider/

This thing is so close to being totally sorted. I’m really impressed. The current build from the openSUSE build farm service (19th Sept) has problems displaying the message body, but they are aware of this problem and believe it was introduced in a recent patch, so it should be resolved shortly.

This is great stuff.

I had a chat with one of the developers on the #openchange IRC channel on Freenode, and he told me that RPC/HTTP support may well be here in the future!


Linux/Unix (X) as an RDP (Remote Desktop Protocol) Server?

by Carl Farrington on Sep.20, 2008, under Computer Stuff, News & Reviews

Wow. This took me totally by surprise, and it seems to work very well. There’s no sound redirection or clipboard, but basically you connect to the Linux machine using an RDP client (Microsoft Remote Desktop Connection, or Terminal Server Client), and instead of getting a Windows logon box, you get an xrdp one. You choose a session and hey presto you have a Gnome or KDE session, through RDP!

It has two ways of working. The first, and easiest to get going, is that it uses vncserver (the VNC X Server) as the actual X server, and the xrdp program grabs the vnc display and RDPs it over to you. So you have the performance of RDP.
The other way is that it uses an RDP X server, so I suppose you could call that native X-RDP rather than VNC served RDP. This is a touch more complicated, and I was unable to get the svn version of the X11rdp Xserver to compile. There is a precompiled binary of what might be an old version at http://server1.xrdp.org/temp/ though.

The precompiled binary was the only way I could get X11rdp to work (that is native RDP – I got the vnc/rdp to work almost right away).

Let me clarify some points:

  • xrdp is the name of the project, and also the name of one of the binary files that deals with RDP and integrates with the VNC server and sends it to you through RDP.
  • X11rdp is the name of the special RDP Xserver that is another part of the project, which skips out vnc altogether. When you grab the (small) sourcecode off the project website, and do the make/make install, it will not build X11rdp.
  • X11rdp is also called “Xserver” within the project.

You will see in /usr/local/xrdp/sesman.log something like: “No such file or directory” if you are trying to use X11rdp server (sesman-X11rdp) but don’t have the X11rdp Xserver compiled/installed, or if you are trying to use VNC (sesman-Xvnc) but don’t have vncserver installed. VNC server will be provided by your distribution (Fedora, Ubuntu..) so is very easy to get. X11rdp is made by the xrdp project, so is not so easy, but the precompiled binary seemed to work OK for me.

The project’s website is very low priority, and does not reflect the true activity of the project.

The website is at http://xrdp.sourceforge.net/

Some random files, including a pre-compiled X11rdp (that’s the rdp-native Xserver remember..) are at http://server1.xrdp.org/temp/

There are some forums here: https://sourceforge.net/forum/?group_id=112022

You can browse the developer mailing list here: https://sourceforge.net/mailarchive/forum.php?forum_name=xrdp-devel

and there might one day be a new homepage at http://server1.xrdp.org

That’s about all the links I could find. The developer mailing list gives a nice indication that the project is moving forwards.


When adding a printer / installing driver “The RPC server is unavailable”.

by Carl Farrington on Sep.19, 2008, under Computer Stuff, Tips & Tricks

This is due to the print spooler service not running, or dying during the install.

You may also find that the print spooler service frequently dies – “spoolsv.exe has encountered a problem and needs to close”, or the Printers and Faxes folder frequently appears empty – i.e. all your printers are missing.

NetSupport Manager or NetSupport PC Duo version 8 on Windows XP SP2 will cause this to happen. Update NetSupport and all will be well.


It is possible to save the password on XP / Vista Home Edition for Outlook working via RPC/HTTP.

by Carl Farrington on Sep.17, 2008, under Computer Stuff, Tips & Tricks

It is possible to stop Outlook prompting for the user’s password when using RPC/HTTP (Outlook Anywhere / Outlook via Internet) on a client running Windows XP Home or Vista Home Edition. We already know how to do this on XP Pro/Vista Business, even if the XP Pro/Vista Business machine is not joined to the domain, by using “Manage Network Passwords” within User Accounts.

Home Edition of Windows does not have the ability to either join the domain, or save network passwords, so we have to configure the workgroup-based machine as if we were trying our best to integrate it into a domain environment.

As per my previous article, lmcompatibilitylevel was set to 2, mutual-auth not enabled, NTLM authentication, and the certificate was imported to the “trusted root certification authorities” store.

The Home Edition client was configured as if it was to be accessing a server in a domain. That is:

  • Workgroup name was set to the netbios domain name of the company (OURDOMAIN)
  • The user account name was the same as the user account in the domain. If this does not match, simply changing the account name in User Accounts will not suffice. All that does is change the “Full Name”, not the Username. It needs to be either done through “Local Users & Groups” within Computer Management (if that exists on Home Edition.. ?), or a new account must be created with the name exactly as the username on the domain.
  • The user’s password on his Home Edition client was set to the same as on the domain. The user was instructed not to change his password.

The two users are not being prompted for their password when launching Outlook outside of the office. It’s been a couple of weeks now since I set them up.


for %a in (param1 param2 ..) do something with %a

by Carl Farrington on Sep.17, 2008, under Computer Stuff, Tips & Tricks

This is useful. The params can be a filespec, e.g. “*.pdf”, or they can just be values given on the command-line.

Let’s say you are remotely accessing a computer, and you want to release and renew its IP address. When you release the IP address, you’ll lose connectivity and won’t be able to renew. You could make a batch file, or you could do:

for %a in (release renew) do ipconfig /%a

This will run “ipconfig /release” followed by “ipconfig /renew”.

Or let’s say you have a thousand home directory folders, and you set the permissions a bit wrong. You want each user to have full control of their own folder. You could do:

for /D %a in (*) do cacls %a /E /G %a:F

This will run “cacls carl.farrington /E /G carl.farrington:F”, substituting carl.farrington for the folder name and user name until every folder has been done. This example assumes of course that the folder name is the same as the user name who you want to grant the permissions to. Notice the /D – this means the filespec matches directory names, not filenames. Without the /D the * would not return any directory names.
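A more cautious version of the home-directory loop as a batch file, added here as an example and not taken from the original post. It doubles the percent signs (required inside a batch file), quotes names, skips any folder whose name is not an existing user account (so a folder called Users or Guests does not give a whole group full control), and only changes ACLs when run with the argument APPLY. The APPLY argument, the :one label and the use of local accounts are assumptions of this example.

```bat
@echo off
rem Added example, not from the original post.
rem Run from the folder that holds the home directories.
rem   script.cmd          lists what would be done, changes nothing
rem   script.cmd APPLY    actually grants the permissions
rem Assumption: accounts are local. On a domain member, append /domain
rem to the "net user" line so the lookup goes to the domain controller.
setlocal
set "MODE=%~1"

rem Inside a batch file the loop variable is %%a, not %a.
for /D %%a in (*) do call :one "%%a"

endlocal
goto :eof

:one
rem %~1 is the folder name with the surrounding quotes removed.
rem "net user NAME" succeeds only for a user account, so folders named
rem after groups (Users, Guests, Administrators) or after nothing at all
rem are skipped instead of being passed to cacls.
net user "%~1" >nul 2>&1
if errorlevel 1 (
    echo SKIP  "%~1" : no user account with this name
    goto :eof
)

if /I "%MODE%"=="APPLY" (
    rem /E edits the existing ACL instead of replacing it.
    cacls "%~1" /E /G "%~1:F"
) else (
    echo WOULD cacls "%~1" /E /G "%~1:F"
)
goto :eof
```

Run it once without APPLY and read the SKIP and WOULD lines before letting it touch any ACLs.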

Another example. You might want to search within every .ini file in the current directory. NT’s “find” command doesn’t accept wildcards/multiple files. So what you do is use a for loop and append the output to a text file that you can check when the process completes:

for %a in (*.ini) do find /i "Microsoft" %a >>output.txt

This will run “find /i "Microsoft" file1.ini >>output.txt”, then the same for file2.ini, then file3.ini. You can check output.txt to see which files contained the text you were searching for.

I sometimes use this to search all the oem*.inf files in %windir%\inf to find the inf file that’s supplying driver information for a particular piece of hardware. Then I can delete that inf file, remove the hardware from device manager and Windows will not just re-install the existing driver for the device, allowing you to supply a different driver. Searching for the INF file is not necessary on Vista because the details tab in a device’s properties within Device Manager has been extended to display the inf source.


Vista: Stop: c000021a {Fatal System Error}, The initial session process or system process terminated unexpectedly.

by Carl Farrington on Sep.16, 2008, under Uncategorized

“Stop: c000021a {Fatal System Error}
The initial session process or system process terminated unexpectedly with a status of 0x000000000 (some more hex codes)”

Can’t repair this. Trying to pinpoint source of problem.

System Restore through Repair Environment is failing. Replacing registry files with those from RegBack hasn’t helped.

Clean install of Vista, moved contents of system32\config from broken install to clean one, also moved old Users directory, and problem still exhibited. Must be a registry/configuration issue then, not system files.

Now going to try to see if I can pin it down to either System registry or Software.

Update: It is fixed. The problem was within the SOFTWARE hive. I moved all the clean install stuff (Windows, Program Files, Users, ProgramData) to a folder called “clean”, and moved all the folders out of Windows.old back into C:\, so in effect returning the machine back to its original state before the clean install. I then replaced SOFTWARE with SOFTWARE.OLD and all is well.

Something within the Software registry hive was wrong/broken. Hope this helps someone. Not sure why the SOFTWARE hive out of RegBack was no good.

At least we know from now on that troubleshooting “Stop: c000021a {Fatal System Error}, the initial session process or system process terminated unexpectedly.” should be done from within HKLM\Software of the registry, or just replacing the Software hive with a good backup. Earlier in the process I opened regedit from the Repair Environment’s command prompt, and loaded the Software Hive, but it looked bare. There were only Microsoft subkeys, nothing else. Either this is because of the fault, or perhaps it’s a Vista security feature? (no.. it’s not a security feature – see below):

Another update: I have taken the bad software hive, and the good working one (software.old), and loaded them up into Regedit on my XP machine to compare.

Both files are around 45 MB, but the bad one is completely bare except for a couple of Microsoft subkeys. I wonder what caused this? Here’s a picture of the two hives – bad-vista and good-vista:

Here the good software hive is compared against the bad one.


Perhaps I am barking up the wrong tree. Maybe the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Reliability\Srt key means “system restore”, and this bare registry is normal during a system restore. Perhaps the registry is supposed to be bare until System Restore finishes after the reboot, and the bare registry wasn’t the actual cause of the stop error. Perhaps the stop error was triggered during System Restore’s finishing up. Who knows. I suppose I could create a restore point on the machine now, and see if System Restore causes the Stop error to return. I might do that.

At least for now, the solution here was to replace software with software.old.


Windows Vista in-place upgrade/repair, on a non booting system.

by Carl Farrington on Sep.16, 2008, under Computer Stuff

So, I have a customer’s laptop here, which is broken & won’t boot. I can’t get it to boot in any way shape or form. Startup Repair doesn’t work, System Restore fails, I have manually taken all registry backups from RegBack and put them in \Windows\System32\config. Still, I get the same message:

“Stop: c000021a {Fatal System Error}
The initial session process or system process terminated unexpectedly with a status of 0x000000000 (0xc00000001 0x0010034c)”

This is one of those situations where the good old repair install would fix it. This was known as an “in place upgrade”.

With Vista, an in-place upgrade can only be started from within Windows, which means the system must be bootable.

Also, the System Restore data files are not user accessible (they are VSS diffs or something, rather than just RPxx files) like they were with XP, so that’s two repair processes out the window.

In place upgrades have been a standard repair method for as long as I can remember.

I remember deleting win.com out of the Windows directory and then proceeding to re-run the OEM Win95 setup. (Or was that my trick for upgrading to Windows 95 with an OEM non upgrade disk? I can’t remember - it’s been a while).

Does anybody remember the “clean install without reformat” technique from the Windows 95 days? You would rip out the HKLM\System\CCS\ENUM, Services and other hardware parts of the registry, then do an in-place upgrade over the top.

All the way from Windows Nothing to Windows XP SP2, in-place upgrades have been the way to “re-install over the top”.

None of this is possible now on Vista because to do an in-place upgrade on Vista requires the system to be working. How’s that for stupidity. You can only repair a working system!

I hate Vista. I wish Microsoft had not hyped it up so much, maybe then they’d let it slip on by like the Millennium Edition that it is.

So, I will install a clean copy, and then pull in the registry files and user’s data from the broken install. If that looks good I’ll go with that, if not I’ll just go clean and move data files back into place.


Outlook & Exchange via RPC/HTTP(s) / Outlook Anywhere / Outlook via Internet & NTLM password saving

by Carl Farrington on Sep.05, 2008, under Computer Stuff

All the stuff I see out there, from knowledgeable folk like Daniel Petri, seems to recommend using Basic Authentication over HTTPS for RPC/HTTP. The problem with this is that Outlook will prompt for the user’s password every time, which could be useful in some situations, but it’s a pain in other situations.

The solution to stopping the password prompt is to use NTLM. There is a lot of discussion around people playing with lmcompatibilitylevel in the registry (under HKLM\System\CCS\Control\Lsa), and people talk about it in a hit and miss sort of way, e.g. “this way worked for me, but not that way”, and then somebody else does it a little differently. The consensus comes across that there’s no one way that just works.

Well, for me there is one way that just works. I’ll point out a few gotchas that can get in the way too.

Here’s how I do it. If for some reason this is bad, please let me know!

1. I “connect using SSL”.

2. I do not “mutually authenticate”, so that second box is left blank and greyed out.

3. I always have “on slow networks connect using HTTP first”.

4. I sometimes have “on fast networks connect using HTTP first”, but I configure split-DNS so that if the user is within the office, the Exchange proxy resolves to the internal IP of the RPC proxy. I do this just to test that RPC/HTTP is working. I Ctrl-RightClick the Outlook icon in the system tray and check the connection status to see if we’re working over HTTPS.

5. I set lmcompatibilitylevel to 2.

I use self-signed certificates, so I first browse to https://server, when the certificate warning comes up I view the certificate, go to the last tab and import the certificate. I manually choose where to store the cert and I put it in trusted root certification authorities. If the client is Vista then I “run as administrator” Internet Explorer before doing this.

In SBS 2003, under IIS Manager -> websites -> default website -> RPC or RpcWithCert -> Properties -> Directory Security -> Authentication & Access, “Integrated Windows Authentication” is disabled out of the box, so NTLM doesn’t work until you tick this. This is easy to forget.

In SBS 2003, if you change the server’s IP address and subnet, e.g. from 192.168.0.x to 192.168.1.x or 10.x.x.x, you might want to check “IP address and domain name restrictions” on that same tab in IIS Manager as above. Also do the same for Microsoft-Server-ActiveSync because your smartphones won’t be working.

In SBS 2003 no ports need configuring.

In normal Server 2003 & Exchange 2003, I use “RpcNoFrontEnd” from the Petri.co.il article to configure the ports for me, after I have ticked to enable Exchange for RPC as per Daniel’s instructions.

Be Broadband (http://www.bethere.co.uk)’s Speedtouch routers won’t port-forward HTTPS when configured through the GUI. This is a pain. I’ll do a separate blog entry for how to fix that.

That’s about it. It works every time for me, for different companies with different ISPs. In most cases, the client computer is joined to the domain and the user is logging onto the computer with their domain account, hence there are no popups asking for the password when launching Outlook. If the computer is not joined to the domain, I open up User Accounts in the Control Panel and I click “Manage network passwords”, and I add something like “*.ourdomain.local” and put the password in and the username in the form of either user@domain or domain\user, and also “mail.ourdomain.com” (the outside hostname/IP) and put the credentials in there too. This works fine for XP Pro/Vista Business computers that aren’t part of the domain. For Home Edition of XP or Vista, there is no way to save the password that I know of (see this article).

I’d be interested if anybody knows any reasons why the above should not be the preferred way of doing things. I know I should look into getting certificates from a globally trusted CA, as it’s a pain for OWA users with a self-signed cert.

