SCVMM the domain account specified for the service account could not be verified

Recently when installing System Center Virtual Machine Manager I decided to use a domain account for it so I could do HA and got the error "the domain account specified for the service account could not be verified" when trying to click next. I had just created this account while I was installing SCVMM. To fix it I ended up rebooting the machine, logging in as the service account I had created, then logging back out and completing the install with my normal admin account. Make sure your service account is an admin on the machine as well though.

Pinning Outlook 2013 icon to Windows 7 taskbar shows a 2nd icon when opened

There appears to be a bug with Outlook 2013 that will cause Windows 7 to show a 2nd icon if you pin it to the taskbar "too soon".  From testing if you pin the icon to the taskbar before first running it or even during the first run it will start showing 2 icons in the taskbar. I have managed to resolve this by unpinning all the Outlook icons on my taskbar, closing out Outlook, opening and reclosing Outlook (just to be sure) then pinning Outlook again from the start menu. Now when I open Outlook I am only getting the 1 icon in the taskbar and multiple Outlook 2013 windows stack correctly.

Update: The above was back during beta. If you have problems today I suggest unpinning your icons then run Outlook and right click and pin from the running icon instead of from the start menu.

Connecting via VPN to authenticate to a domain in Windows 7

In XP there used to be an option to connect via dial-up to log in to a computer. This is no longer obviously available in Windows 7. The good news is it still exists and works really well. This is how to configure it.

  1. Log in as a user with local admin rights.
  2. Create the VPN connection by going to “Network and Sharing Center”, then click “Set up a connection or network” - “Connect to a workplace”.
  3. Fill out the details to connect to your work VPN and choose the option to allow other people to use this connection. This is what will make the option appear on the log in screen. 
  4. Complete the wizard and save the connection.
You can now use this connection to log in directly to the domain and/or to join the PC to the domain if needed.
  1. After rebooting, press Ctrl-Alt-Delete to log on if prompted. 
  2. Click Switch User to view other logon options. 
  3. You will now see a blue button in the lower left for each connection shared with all users.
  4. Click the blue button.
  5. Type the username and password for the connection and click the blue arrow to connect. 
  6. After the connection is established, Windows will use the same credentials to try to log into Windows. If that fails (for example, you use a different password for your VPN), the connection remains active and you will be taken back to the Windows log in screen to submit Windows credentials.

HP RAID 50 NPG raid info

Lately when buying HP servers I have started seeing what looks like a new type of RAID listed when choosing RAID 50. Depending on the number of disks you have you may see the following options available as part of RAID 50.

RAID 50 NPG:2
RAID 50 NPG:3
RAID 50 NPG:4

When I asked around what these were no one seemed to know, so I started creating them on a D2700 and seeing what the result was. Below is a listing of what you end up with when you create each of these. It appears all the NPG means is Number of Parity Groups. I’ve seen a lot of confusion about this both inside and outside of HP support. One advantage to this is the ability to lose more than 1 disk as long as they are in different parity groups. A disadvantage is that to increase storage you would need to add as many disks as you have parity groups.

RAID 50 NPG:2
Drives Assigned to Parity Group 1
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 1
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 2
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 3
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 4
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 5
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 6

Drives Assigned to Parity Group 2
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 7
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 8
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 9
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 10
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 11
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 12

RAID 50 NPG:3
Drives Assigned to Parity Group 1
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 1
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 2
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 3
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 4

Drives Assigned to Parity Group 2
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 5
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 6
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 7
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 8

Drives Assigned to Parity Group 3
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 9
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 10
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 11
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 12

RAID 50 NPG:4
Drives Assigned to Parity Group 1
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 1
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 2
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 3

Drives Assigned to Parity Group 2
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 4
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 5
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 6

Drives Assigned to Parity Group 3
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 7
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 8
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 9

Drives Assigned to Parity Group 4
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 10
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 11
146 GB 2-Port SAS Drive at Port 2E : Box 1 : Bay 12
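
The layouts listed above can be reproduced with a short calculation that also shows usable capacity and which double-disk failures each NPG option survives. This is an added example, not HP tooling or code from the original post; the function names are hypothetical, and it assumes bays are assigned to parity groups contiguously as in the listings and that each parity group behaves as a RAID 5 set.

```powershell
# Added example (not HP tooling): models the RAID 50 NPG layouts listed above.
# Assumptions: bays are assigned to parity groups in contiguous runs, as in the
# listings, and each parity group is a RAID 5 set that tolerates one failed disk.
# Requires PowerShell 3.0 or later for [pscustomobject].

function Get-Raid50Layout {
    param(
        [int]$DiskCount    = 12,    # disks in the array
        [int]$ParityGroups = 2,     # the NPG value
        [int]$DiskSizeGB   = 146    # nominal size of each disk
    )
    if ($ParityGroups -lt 2) { throw 'RAID 50 needs at least 2 parity groups.' }
    if ($DiskCount % $ParityGroups -ne 0) {
        throw 'DiskCount must be a multiple of ParityGroups.'
    }
    [int]$perGroup = $DiskCount / $ParityGroups
    if ($perGroup -lt 3) { throw 'Each parity group needs at least 3 disks.' }

    $groups = @(for ($g = 0; $g -lt $ParityGroups; $g++) {
        $first = $g * $perGroup + 1
        [pscustomobject]@{
            Group = $g + 1
            Bays  = @($first..($first + $perGroup - 1))
        }
    })

    [pscustomobject]@{
        NPG           = $ParityGroups
        DisksPerGroup = $perGroup
        # One disk's worth of capacity per group goes to parity.
        UsableGB      = ($DiskCount - $ParityGroups) * $DiskSizeGB
        Groups        = $groups
    }
}

function Test-Raid50Survives {
    param(
        [Parameter(Mandatory = $true)] $Layout,
        [int[]]$FailedBays = @()
    )
    foreach ($group in $Layout.Groups) {
        $lost = @($FailedBays | Where-Object { $group.Bays -contains $_ })
        # A second failure inside one parity group loses the whole array.
        if ($lost.Count -gt 1) { return $false }
    }
    return $true
}

# Compare the three options offered for the 12 x 146 GB shelf in the post.
$report = foreach ($npg in 2, 3, 4) {
    $layout = Get-Raid50Layout -DiskCount 12 -ParityGroups $npg -DiskSizeGB 146
    [pscustomobject]@{
        NPG             = $npg
        DisksPerGroup   = $layout.DisksPerGroup
        UsableGB        = $layout.UsableGB
        'Lose bays 1,7' = Test-Raid50Survives -Layout $layout -FailedBays 1, 7
        'Lose bays 1,2' = Test-Raid50Survives -Layout $layout -FailedBays 1, 2
    }
}
$report | Format-Table -AutoSize
```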

Connect PowerShell to Office 365 cloud

We do quite a few Office 365 migrations and recently found out you can connect PowerShell to the Office 365 cloud and do quite a lot of tasks that way instead of using their web interface. This is going to make our jobs much easier. I will show you how to connect to 365 and some examples of things you can do. Some of the more powerful scripts such as user control require you to install the Office 365 sign in tool and the Microsoft Online PowerShell snap-in.

To be able to run commands that affect user accounts you must install the Microsoft Online Services Module for PowerShell which can be found here which also requires the single sign on tool located here.

To connect to Office 365 with PowerShell run the following 4 commands. You will be prompted for your account credentials.

Set-ExecutionPolicy RemoteSigned
$LiveCred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

To connect to the user management service issue the following

Connect-MsolService

To set a user's password to something you know and set them to not have to change it

Set-MsolUserPassword -UserPrincipalName CHANGETO@USERNAME -NewPassword SETTHISTOTHENEWPW -ForceChangePassword $false

To set all users to not have to change password every 90 days

Get-MsolUser | Set-MsolUser -PasswordNeverExpires $True

SBS Server 2003 Exchange ActiveSync forbidden

Recently I worked with a customer who had Exchange 2003 and a new iPhone he wanted to connect but was failing. The phone actually verified and connected but they kept getting a message of cannot get mail. Their first issue was an invalid SSL certificate, but once we cleared that up the iPhone was still kicking back an error that it could not get email, and an Android device we tested with gave an access denied error. The tool at https://www.testexchangeconnectivity.com gave the following error:

An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <body><h2>HTTP/1.1 403 Forbidden</h2></body>

I saw several suggestions for this on the web but their problem ended up being that their previous IT had configured a website on port 80 and redirected the default website to port 8082. Once we switched this back everything started working and the support tool passed all tests.

If you have additional issues this post is a good resource.

VBScript FileSystemObject copy file gives permission denied error

This is something I forget about since I don't do a lot of file copying using VBS but I figured it is good information to have out there.

Any time you are copying to a folder using VBScript your folder path needs to have the trailing \ on it or your script will try to treat your folder like a file and try to overwrite it and give a permission denied.

So while this example will not work:
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.GetFile("c:\test.txt")
objFile.Copy "c:\temp", True

This one will:
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.GetFile("c:\test.txt")
objFile.Copy "c:\temp\", True

Windows 7 gadgets show a white box with greater than sign

Recently had a Windows 7 user who had some desktop gadgets from MSDN that were showing up as a small white box with a greater than sign in it while other gadgets were showing up fine. The fix was surprisingly simple.

Go into the control panel, choose default programs, set program access and computer defaults, select the Microsoft Windows option and click ok. Close down the sidebar process and restart it.  Gadgets should show up normal again.

You can reset your default programs back after this.

Setup was unable to create a new system partition or locate an existing system partition

As part of trying to recover data from a Novell NSS partition we attempted to install Windows 7 onto a brand new disk so we could run some recovery tools. During the install at the disk selection part we got the error in the title of this post. It took me a while to figure it out but the resolution ended up being very simple. We had 2 RAID controllers plugged in, and once we unplugged them the system was able to create the partition. It was a bit odd since the install did not even see these disks but it worked.

Recovering data from a corrupted VMWare guest


Recently I had a client whose previous support team had set them up with 2 servers running VMWare with one of them being duplicated to the other using Veeam. The one thing they failed to do was limit the growth of the VM partition to the available space of the drive, so guess what happened? Yep, the VM storage drive ran out of space and corrupted the heck out of the 2 disks attached to the only guest on it. Veeam then dutifully copied over the corrupted data. Once they called us the machine was beyond recovery as a usable machine (did I mention this was their DC?) even after trying several snapshots. We freed up enough space to boot the guest and got a solid 45 minutes of check disk repair and then a notice that there was no available AD information and a notice we needed to boot into recovery mode and restore that data. Too bad that was gone.

So now the client really just wants their data back and a new machine built, but how were we going to get into the drive hosted on a Unix machine with multiple snapshots? It turns out this ended up being easier than expected. There is a great bootable CD called SystemRescueCD which I was able to upload to the storage partition on VMWare, attach as a CD image to the corrupted guest and boot from. Once booted you can attach the drives using the mount command and the drive name; in our case it was sdb1, so:

mount -t ntfs /dev/sdb1 /mnt/windows -o ro

Once the drive is mounted you can copy the data off over the network just like normal, assuming the rescue CD was able to initialize your network card. I would recommend the use of a program like TeraCopy to do the copy rather than the normal Windows copy. Keep in mind this mounts the drive read only, so any tools like TeraCopy need to be installed on the destination machine. You can mount the drive read/write but this is not recommended.

iTunes artwork not modifiable

So I had a user ask me the other day why in iTunes he can't change any of the artwork on the TV shows he put on his iPad. Odd question, but since I have an iPad I was curious as well. I did some looking online and saw some other people asking the same question but no answers, or answers like "you don't have enough rights to the file to edit it." None of the sparse answers I found were right, but after some questioning I did find out that he had recently enabled the sync TV shows option under the main iPad settings/TV Shows section and then later disabled it. The odd thing was every time he went and sync'd TV shows manually again it would put that check back in sync TV shows. It turned out once we put a check in "manually manage my music and videos" in the main section it stopped doing this and it enabled him to modify the artwork again.

Quickly update self signed Exchange certificates

We have several customers who use self signed certificates for their Exchange SBS servers and I wanted to share a quick easy way to update expired certificates.

First you can get a list of all certificates using Get-ExchangeCertificate

Then when you have the certificate you need to replace copy the thumbprint and issue the following command.

Get-ExchangeCertificate -Thumbprint <the thumbprint> | New-ExchangeCertificate

Once you are sure it is installed and working you can remove the old expired cert with

Remove-ExchangeCertificate -Thumbprint <the thumbprint>

This process makes it a bit easier since it retains all the information you need that already existed in the old cert.
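
To decide which thumbprints need the renewal step and which old certificates are ready for the removal step, the listing can be filtered by expiry date and bound services. This is an added example, not code from the original post; the 30-day threshold and the status labels are choices made for the example, and it must be run in the Exchange Management Shell.

```powershell
# Added example: report on self-signed Exchange certificates.
# Run in the Exchange Management Shell. Nothing is renewed or removed here;
# the report only tells you which thumbprints to feed to the commands above.
# The 30-day threshold and the status labels are choices made for this example.

$now  = Get-Date
$warn = $now.AddDays(30)

$certs = @(Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned })

$report = foreach ($cert in $certs) {
    # A later-expiring certificate with the same subject means a renewal
    # has already been issued for this one.
    $newer = @($certs | Where-Object {
        $_.Subject -eq $cert.Subject -and $_.NotAfter -gt $cert.NotAfter
    })

    # Services is an enum locally and a string over remoting; compare as text.
    $services = "$($cert.Services)"

    $status = if ($cert.NotAfter -gt $warn) {
        'OK'
    } elseif ($newer.Count -eq 0) {
        'Renew'
    } elseif ($services -eq 'None') {
        'Replaced; no services bound'
    } else {
        'Replaced; services still bound to this thumbprint'
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = [math]::Floor(($cert.NotAfter - $now).TotalDays)
        Services   = $services
        Status     = $status
    }
}

$report | Sort-Object NotAfter | Format-Table -AutoSize -Wrap
```

A certificate reported as replaced but with services still bound is the case to check before running Remove-ExchangeCertificate on it.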

Get details about user mailboxes on Exchange 2010

Ever wanted to see how much email all of your users have or how much space their deleted items are taking up? This PowerShell command will give you some nice details on all of your mailboxes on an Exchange Server. Replace exchange with your server name.

Get-MailboxStatistics -server exchange | where {$_.ObjectClass -eq "Mailbox"} | Sort-Object TotalItemSize -Descending | ft @{label="User";expression={$_.DisplayName}},@{label="Total Size (MB)";expression={$_.TotalItemSize.Value.ToMB()}},@{label="Items";expression={$_.ItemCount}},@{label="DeletedItems";expression={$_.deletedItemCount}},@{label="DeletedItemSize (KB)";expression={$_.totalDeletedItemSize.value.toKB()}},@{label="Storage Limit";expression={$_.StorageLimitStatus}} -auto

You will get a report like this

User  Total Size (MB) Items DeletedItems DeletedItemSize (KB) Storage Limit
----  --------------- ----- ------------ -------------------- -------------
User1           10466 96237          490                 2888 NoChecking
User2            6021 71813          248                 5219 NoChecking
User3            4033 46138          809                 7921 NoChecking
User4            3843 37157          945                 4141 NoChecking

How to remove multiple contacts from a user's Exchange 2010 mailbox

We recently noticed that we had a user with 516,000 contacts in his mailbox, many of them duplicated hundreds of times. We figured out this was an issue that other people had seen when switching from one mobile device to another, mostly it seems from a BlackBerry to an Android. For some reason this has caused some users to experience a massive replication of contacts. I did not delve much into why as this had stopped already, but we needed to clean up his current contacts. He had already tried to manually do it but this was not working.

It turned out the easiest way to clean up the contacts was to have him backup 1 copy of the correct contacts and then run the following PowerShell command.

Search-Mailbox -Identity "<user name>" -SearchQuery kind:contacts -DeleteContent -TargetMailbox "<logging mailbox>" -TargetFolder "SearchAndDeleteLog" -LogLevel Full

This command will search the <user name> mailbox for all contacts and delete them. This process will be logged into the folder SearchAndDeleteLog in the account you specify in <logging mailbox>.

After this completed (about 3 hours) we had him replace his saved contacts.

Search-Mailbox replaces the old Export-Mailbox with deletecontent in Exchange 2010.

More information on Search-Mailbox can be found at http://technet.microsoft.com/en-us/library/dd298173.aspx

You can find information on advanced querying here http://msdn.microsoft.com/en-us/library/aa965711%28v=vs.85%29.aspx

Hyper-V specified node is not an owner or possible owner

Recently I added a 3rd node to our Hyper-V cluster which uses cluster shared volumes. After this I started seeing errors when trying to live migrate or backup with BackupExec some of the VMs. The error was:

"The operation failed because either the specified cluster node is not the owner of the group, or the node is not a possible owner of the group"

This error is from BackupExec but the error from live migration is almost exactly the same. Looking at the VMs they all appeared to inherit the new cluster node correctly so it was not obvious what the issue was. After a bit of digging I finally figured out the problem was with the cluster shared volumes: they had not added the new node as a possible owner. The normal volumes had though. To determine if this is the problem you can run the following PowerShell command:

cluster.exe res "<cluster disk name>" /listowners
e.g. cluster.exe res "test disk" /listowners

To add owners use the following command

cluster.exe res "<cluster disk name>" /addowner:<new owner>
e.g. cluster.exe res "test disk" /addowner:node3

There is no GUI option for viewing or setting these that I have found.

Exchange 2010 clear move request fails

In the process of migrating users to Exchange 2010 we will occasionally get an error clearing move requests through the console after they have completed.

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
Action 'Clear Move Request' could not be performed on object 'user name'.

User Name
Failed
Error:
Couldn't find a move request that corresponds to the specified identity domain.name/user name'.
--------------------------------------------------------
OK
--------------------------------------------------------

We have found these can usually be cleared through PowerShell using Remove-MoveRequest "user name" and you can add -verbose to the end to get details if there are any issues.

HP NC375T Network cards

This is a follow-up to my slow user login post from last year. We were finally able to figure out what was going on and it turns out it was an issue with our HP/Intel NC375T network card. When in the HP system management web page and the data source was in SNMP mode the card was reporting at 1500 MTU, as was everything else we looked at on the system, and there were no MTU settings in the registry overriding the default MTU settings. When I switched the data source to WBEM mode though the card started reporting that it was set at 1486 MTU. This would certainly be a problem since Windows wants to send its default packets at 1500.

After much back and forth with HP and them claiming I just need to set my MTU size in the registry to 1500 under HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\ their tier 3 support was able to figure out there was a setting in the registry called "*jumbopacket" under HKLM that was set wrong. When we went into the registry this setting was set to 1500 but apparently for this card it needs to be set to 1514. I noticed that on the other card in this system it was set to 1500 and working fine though. Once this was changed and we rebooted we are now able to test ping servers using ping servername -f -l 1472 with no issues.

If you run into this issue the fix seems to be editing the registry. This setting was in multiple places in the registry, all under HKLM and all labeled *JumboPacket (yes, there is a * that is not a wildcard). The setting needed to be changed in the dword default field under the *JumboPacket key and in the *JumboPacket dword field in the numbered keys (they appear to all be numbered keys 0000 and up).


Failover Cluster migrations fail

We just added a 3rd node to our Hyper-V failover cluster and everything went great right up until I tried to do a test live migration. I got the ever so helpful

live migration did not succeed at the source.

Ok so going on past experience I know this has usually been the binding order to the adapters not being the same or name of the network adapter being different. So I go and check and everything looks great. The cluster passes verification and the cluster resources list all my network adapters as online and good but still a no go on the migration.

Ok for fun let's try to migrate just the disks and see if I get a more helpful error:

The operation failed because either the specified cluster node is not the owner of the group or the node is not possible owner of the group

Well that error SEEMS more helpful. Unfortunately it led me on a wild goose chase. I do some more digging and find a more helpful error on the destination machine:

live migration did not succeed at the destination.

Configuration setup for live migration failed on the destination node. Make sure that name of the virtual network is the same on the source and destination nodes, and try the live migration again.

Ok this was interesting since the source machine said the problem was at the source. Long story short, after a quick google I found http://support.microsoft.com/kb/2475761. It turns out I was on the right track from the beginning, and although all the names looked good in the network connections area it actually cares about the names in Hyper-V Manager/Virtual Network Manager. Once I fixed those it is back to migrating.

Restricting who can login to a system locally

Our company has a bunch of demo room computers that we wanted to limit which accounts had local log in rights on. The solution was surprisingly easy:
  • Log in to the machine as an administrator.
  • Remove the "<domain name>\Domain Users" from all local groups on the computer (it is default in the "Users" group).
  • Remove any other users from all local groups on the machine that should not have access.
  • Add the domain accounts of the users you want to be able to log on in one of the local groups ("Users", "Power Users", or "Administrators").
  • Make sure you leave Domain Administrators in the Administrators group.

Now only the accounts you added will be able to logon to the computer. All other accounts will get a message stating “The local policy of this system does not permit you to logon interactively.”

This of course will not prevent the accounts that do have access from adding more accounts if they have administrative access.
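
To confirm the result on each demo machine, the membership of the local groups named above can be compared against an allowlist, with broad principals called out separately. This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module, and the EXAMPLE domain and account names are placeholders.

```powershell
# Added example: audit the local groups named in the steps above.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1).
# The EXAMPLE domain and the account names in $Allowed are placeholders.

$Groups  = 'Users', 'Power Users', 'Administrators'
$Allowed = @(
    "$env:COMPUTERNAME\Administrator"
    'EXAMPLE\Domain Admins'
    'EXAMPLE\demo-presenter'
)

# Well-known SIDs that admit far more than a named set of accounts.
$BroadSidPatterns = @(
    '^S-1-1-0$'           # Everyone
    '^S-1-5-4$'           # NT AUTHORITY\INTERACTIVE
    '^S-1-5-11$'          # NT AUTHORITY\Authenticated Users
    '^S-1-5-21-.+-513$'   # <domain>\Domain Users
)

$findings = foreach ($group in $Groups) {
    try {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
    } catch {
        # Raised for a missing group, and also when a group holds an orphaned SID.
        Write-Warning "Could not read '$group': $($_.Exception.Message)"
        continue
    }

    foreach ($m in $members) {
        $sid   = $m.SID.Value
        $broad = [bool]($BroadSidPatterns | Where-Object { $sid -match $_ })

        $status = if ($broad) {
            'BROAD'
        } elseif ($Allowed -contains $m.Name) {
            'allowed'
        } else {
            'UNEXPECTED'
        }

        [pscustomobject]@{
            Group  = $group
            Member = $m.Name
            Class  = $m.ObjectClass
            SID    = $sid
            Status = $status
        }
    }
}

$findings | Sort-Object Status, Group | Format-Table -AutoSize

$problems = @($findings | Where-Object { $_.Status -ne 'allowed' })
Write-Output "$($problems.Count) membership(s) need review on $env:COMPUTERNAME."
```

Any row marked BROAD still lets a whole class of accounts log on locally, so it is reviewed the same way as the Domain Users entry removed in the steps above.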

Create multiple distribution groups with powershell and a CSV

So recently I had a need to create over 100 mail enabled security groups for a new application we are rolling out. I really did not want to do this by hand. PowerShell it turns out is a great resource for doing this. Create a CSV file with headers (header fields are important!) for example:

name,OU,email
group1,mydomain.com/distrogroups/ou1,group1@mydomain.com
group2,mydomain.com/distrogroups/ou1,group2@mydomain.com
group3,mydomain.com/distrogroups/ou2,group3@mydomain.com

Then if your file is c:\newgroups.csv run the following PowerShell command

Import-CSV "C:\newgroups.csv" | % { New-DistributionGroup -Name $_.name -OrganizationalUnit $_.OU -PrimarySmtpAddress $_.email -Type Security }

This will import your CSV file and parse it line by line replacing each $_ value with the correct value under the header for that line. There is one extra value at the end (-Type Security) that makes every group a mail enabled security group which can be omitted to create distribution only groups.

You can add or remove fields as needed; just add or remove the $_ value and create a new header line. You can find a list of acceptable fields by entering Get-Help New-DistributionGroup -Detailed at an Exchange PowerShell prompt. You can name the header fields whatever you want.

If you just want to create AD groups you can use the following

Import-CSV "C:\newgroups.csv" | % { New-ADGroup -Name $_.name -groupscope Global }