Microsoft Hyper-V VMMS & System services stop after December 2012 Updates (KB2506143)

Posted by Ahmed Nabil | 0 comments
I had an issue recently with some Hyper-V servers where the Hyper-V system services (VMMS, VHDSVC and NVSPWMI) stopped all of a sudden, and no one could access or manage the Hyper-V virtual machines from the console, as per the attached image.


I noticed that these services stopped at a specific time on a daily basis. After several investigations it turned out to be related to a specific WMI-based rule/job (CCMEVAL) that runs from the System Center Configuration Manager 2012 (SCCM) server.

The only WMI-related component that was updated in December is the Windows Management Framework 3.0 (KB2506143):

http://support.microsoft.com/kb/2506143

When this update gets installed, the SCCM client health check's read/write WMI actions fail, resulting in these services being stopped.

To fix this issue, uninstall this KB and reboot the server. If this doesn't work, try the following:

  1. Uninstall the Windows Management Framework 3.0 (KB2506143)
  2. Run ccmclean.exe /all to uninstall the ConfigMgr 2012 client.
  3. Run ccmdelcert.exe
  4. Once the above steps are done, rename the WMI repository and restart the WMI service
  5. Reboot the Server
  6. Install the ConfigMgr 2012 client and check the services.

Microsoft released a bulletin confirming this KB's compatibility problems with SCCM 2012:

http://support.microsoft.com/kb/2796086

This issue will be fixed in SCCM 2012 SP1, expected to be released in Quarter 1 2013.


 

Increasing SCCM 2012 Add/Remove Programs Simple Query Value

Posted by Ahmed Nabil | 2 comments
We ran into this issue with one of our new System Center Configuration Manager (SCCM) 2012 installations when trying to create a new device collection with Add/Remove Programs used in the query. The list of programs was limited to applications starting with the letter "M", and other applications weren't displayed, as shown below.



I recall we ran into this issue in SCCM 2007 and had to add the Valuelimit registry key. It looks like it is not fixed in SCCM 2012 and you need to do the same; however, due to the change in the OS/SCCM version, the key location has changed. To fix this issue, apply the following:

  1. Open the Registry (using Regedit) on the SCCM server
  2. Explore HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\QueryProcessors
  3. Add a new DWORD value named "Valuelimit" with a hexadecimal value of 10000 (the maximum value is 20000; it is recommended to start with 10000 and check whether the problem is fixed instead of just entering the maximum, which can eat your memory). Check this article for more details: http://support.microsoft.com/kb/269201
  4. Stop the SMS_EXECUTIVE and SMS_SITE_COMPONENT_MANAGER services, in this order.
  5. Start both services in the same order.

Note: If you are managing SCCM from a console on a separate computer (most cases) and not directly from the SCCM server, you need to apply these settings on your console computer and reboot it after adding the registry key.
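The registry change and service restart above, scripted as an added example (not from the original post or from Microsoft). It assumes an elevated PowerShell on the site server; the range check against the 20000 hex maximum and the fallback warning for a console-only computer are additions.

```powershell
# Added example: set the SCCM 2012 console Valuelimit DWORD and restart the
# two site services in the order the post gives. Run elevated.
param(
    # Hexadecimal 10000 (65536 decimal) is the post's starting point;
    # 20000 hex is the documented maximum.
    [int]$ValueLimit = 0x10000
)

$keyPath = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI\QueryProcessors'

# Refuse values outside the range the KB article allows.
if ($ValueLimit -lt 1 -or $ValueLimit -gt 0x20000) {
    throw ("Valuelimit must be between 0x1 and 0x20000 (got 0x{0:X})." -f $ValueLimit)
}

if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# New-ItemProperty creates the DWORD; -Force overwrites an existing value.
New-ItemProperty -Path $keyPath -Name 'Valuelimit' -PropertyType DWord `
    -Value $ValueLimit -Force | Out-Null

$current = (Get-ItemProperty -Path $keyPath -Name 'Valuelimit').Valuelimit
"Valuelimit is now 0x{0:X} ({1} decimal)" -f $current, $current

# Order matters: stop SMS_EXECUTIVE first, then the component manager, and
# start them in the same order. Both exist only on the site server; on a
# console-only computer the post says to reboot instead.
$services = 'SMS_EXECUTIVE', 'SMS_SITE_COMPONENT_MANAGER'
$found = @($services | ForEach-Object { Get-Service -Name $_ -ErrorAction SilentlyContinue })

if ($found.Count -eq $services.Count) {
    foreach ($name in $services) {
        Stop-Service -Name $name -Force
        (Get-Service -Name $name).WaitForStatus('Stopped', (New-TimeSpan -Minutes 5))
    }
    foreach ($name in $services) {
        Start-Service -Name $name
        (Get-Service -Name $name).WaitForStatus('Running', (New-TimeSpan -Minutes 5))
    }
} else {
    Write-Warning 'SMS services not found here; this is a console computer, so reboot it to apply the change.'
}
```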

Microsoft UAG 2010 SP3 Under Work to Support Windows 8 & IE 10

Posted by Ahmed Nabil | 2 comments
Microsoft officially announced a couple of days ago that UAG 2010 SP3 will be released in the first quarter of 2013. This new service pack will provide support for Windows 8 and IE 10, as well as other applications such as Exchange 2013, SharePoint 2013, etc.

Support for DirectAccess clients running Windows 8, as well as the normal service pack fixes and improvements, is expected.


Looking forward to getting the new Service pack and testing it with Windows 8.




Update: Microsoft UAG SP3 was released in February 2013 and can be downloaded from http://www.microsoft.com/en-eg/download/details.aspx?id=36788

UAG SP3 Rollup 1, which fixes several issues with SP3, was released in April 2013 (SP3 needs to be already installed) and can be downloaded from http://support.microsoft.com/kb/2827350

System Center DPM 2012 DPMDB Transaction Logs increases dramatically filling Server Disk Space

Posted by Ahmed Nabil | 1 comment


I noticed that my DPM 2012 server's disk space was getting filled on a daily basis: the DPMDB transaction log (LDF file) under \Microsoft System Center 2012\DPM\DPM\DPMDB grows until it fills the disk and all jobs fail accordingly. This issue occurs when the SharePoint Catalog task starts; if you are not protecting any SharePoint workload you won't notice it.

After working several hours with the Microsoft DPM Escalation Team, it turned out to be a bug in one of the stored procedures after the System Center 2012 Rollup 3 implementation.

For more information about Rollup 3 for System Center 2012, please check the following link: http://support.microsoft.com/kb/2756127

For that we modified the stored procedure prc_PRM_SharePointRecoverableObject_Update (you can find it under SQL Management Studio - DPMDB - Programmability - Stored Procedures). Just take a DPM backup before any change, for your reference.

From:

USE [DPMDB]
GO
/****** Object: StoredProcedure [dbo].[prc_PRM_SharePointRecoverableObject_Update] Script Date: 11/02/2012 17:42:07 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[prc_PRM_SharePointRecoverableObject_Update]
(
    @Caption nvarchar(40),
    @ComponentType nvarchar(16),
    @RecoverableObjectId BIGINT
)
AS
DECLARE @error INT,
        @rowCount INT
SET @error = 0

SET NOCOUNT ON

-- The first UPDATE has no WHERE clause, so every call rewrites the Caption of
-- every row in the table; that is the statement the corrected version comments out.
UPDATE tbl_RM_SharePointRecoverableObject SET Caption = @Caption
UPDATE tbl_RM_SharePointRecoverableObject SET Caption = @Caption,
       ComponentType = @ComponentType
WHERE RecoverableObjectId = @RecoverableObjectId

SELECT @error = dbo.udf_DPS_CheckRowCount(1)

SET NOCOUNT OFF
RETURN @error

To:

USE [DPMDB]
GO
/****** Object: StoredProcedure [dbo].[prc_PRM_SharePointRecoverableObject_Update] Script Date: 11/03/2012 01:36:08 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[prc_PRM_SharePointRecoverableObject_Update]
(
    @Caption nvarchar(40),
    @ComponentType nvarchar(16),
    @RecoverableObjectId BIGINT
)
AS
DECLARE @error INT,
        @rowCount INT
SET @error = 0

SET NOCOUNT ON

-- UPDATE tbl_RM_SharePointRecoverableObject SET Caption = @Caption
UPDATE tbl_RM_SharePointRecoverableObject SET Caption = @Caption,
       ComponentType = @ComponentType
WHERE RecoverableObjectId = @RecoverableObjectId

SELECT @error = dbo.udf_DPS_CheckRowCount(1)

SET NOCOUNT OFF
RETURN @error


After that we had a successful SharePoint catalog task that didn't cause the TempDB or DPMDB transaction log to grow.

I also posted this fix on the Microsoft DPM TechNet forum:

http://social.technet.microsoft.com/Forums/en-US/dataprotectionmanager/thread/e0e70be6-7249-438d-b43c-a0456f7c1338/#a93a3ed8-39bd-40bc-8224-ef7d6232299e

UAG 2010 RDP Application Failure after applying November 2012 KB2592687 Update

Posted by Ahmed Nabil | 1 comment

I had a problem accessing any RDP application on my UAG portal (whether a RemoteApp application, user-defined RDP, RDP Gateway or VDI pool/predefined Remote Desktop host). After several hours of investigation with the Microsoft team, it turned out to be an update released more than 2 weeks ago, KB2592687, the RDP 8.0 update.

It looks like the UAG portal is not yet compatible with the new RDP 8.0 update. After uninstalling/removing this update from my client machine (Windows 7), everything worked fine. I would recommend that everyone using the UAG portal hold off on this update until it is fully compatible. I escalated this issue for further investigation.

Corporates with a WSUS implementation may decline/disapprove this update until further notice.

Microsoft UAG 2010 Web Monitor All Events displays Message ID 108 Every Minute

Posted by Ahmed Nabil | 3 comments
After applying Microsoft UAG 2010 SP2, released a couple of months ago, I noticed that UAG Web Monitor All Events Message ID 108 is repeated almost every minute, as shown below.



After discussing this issue with the Microsoft Escalation Team, it turned out to be a known issue after UAG SP2 related to group memberships. Microsoft is aware of this issue and has a private fix for this specific problem. After applying this fix, I didn't encounter this warning again.

I would recommend that anyone having this warning open a case with Microsoft to get this fix; the case shouldn't be counted since it is a known bug.

SQL Server 2008R2 Reporting Services Failed to start after GDR security patch KB 2716440

Posted by Ahmed Nabil | 1 comment
After applying last Tuesday's Microsoft (October 2012) patches/updates, SQL Reporting Services wasn't able to start on several servers, and the error below is displayed when you try to start the service.



One of the updates released on that date is KB 2716440 (http://support.microsoft.com/kb/2716440), which resolves a vulnerability in SQL Server. To make sure that this update specifically caused this behavior, I uninstalled it, after which I was able to start SSRS (Reporting Services) without any problem.

This issue could be caused by a missing registry key, and a common solution to such a problem is to add this key as follows:


  1. Open Regedit on the problematic server
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  3. In the right pane create the following value (if not already present)
    1. Type: DWORD (32-bit)
    2. Name: ServicesPipeTimeout
    3. Value data: click Decimal and type 60000 (not less than 60000)
  4. Reboot the server

After the reboot, SQL Server Reporting Services started normally without any problem.






Manual add of Shares to Microsoft UAG File Access

Posted by Ahmed Nabil | 1 comment
Microsoft UAG 2010 File Access is a nice feature to securely publish your internal shares on your UAG portal for Internet users. To successfully publish your shares on the UAG portal and for File Access to work, it requires the following:


  1. NetBIOS should be enabled, and ports 137-139 should be open and not blocked by any internal firewall.
  2. Port 445 for SMB should be open so the UAG server can access/locate the shares.
  3. On the UAG NIC facing the internal network, as well as on your domain controllers' NICs, make sure to enable NetBIOS over TCP/IP from the NIC advanced properties (WINS tab).
  4. The file servers should have the Turn On Network Discovery feature enabled (check attached) from the network card advanced sharing options. By design it will turn off automatically unless you have started several services such as SSDP and UPnP; please check this thread for more information: http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2networking/thread/17e7b386-53ea-411c-8d90-cf4a6229ba27
Turn on Network Discovery


Sometimes it is hard to configure all these settings, or maybe they are restricted by your network policy. To manually add a network share or even a DFS share to your UAG File Access, you need to modify ShareAccessCfg.xml (the core file for the File Access application). This file is located under ..\Microsoft Forefront Unified Access Gateway\von\FileAccess

ShareAccessCfg.xml can be edited easily using Notepad or any free XML editor; one editor that I use frequently is Microsoft XML Notepad 2007: http://www.microsoft.com/en-us/download/details.aspx?id=7973

To manually add a server or share, add them under the servers section or shares section as shown below:

<servers>
  <server name="Domain\Server1" marked="1" provider="MS"/>
</servers>
<shares>
  <share name="Domain\Server1\Share_name" marked="1" provider="MS"/>
</shares>

After changing and saving the ShareAccessCfg.xml, make sure of the following:

  1. Restart the Microsoft Forefront UAG File Sharing service
  2. Open the application from UAG Console - Admin - File Access and make sure to hit Apply on each item (Domain, Server and Share)
  3. Activate UAG
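The same edit done programmatically, as an added example (not from the original post or the UAG product): it adds a server and a share entry to ShareAccessCfg.xml with the element and attribute names shown above. The Add-UagShare function, the backup naming and the assumption that <servers> and <shares> sit directly under the document root are mine; the element names, name/marked/provider attributes and the restart-Apply-Activate follow-up are the post's own.

```powershell
# Added example: add a server and share to ShareAccessCfg.xml, skipping
# entries that already exist, and keep a backup of the original file.
function Add-UagShare {
    param(
        [Parameter(Mandatory)] [string]$ConfigPath,   # ...\von\FileAccess\ShareAccessCfg.xml
        [Parameter(Mandatory)] [string]$Server,       # e.g. 'Domain\Server1'
        [Parameter(Mandatory)] [string]$ShareName     # e.g. 'Share_name'
    )

    $ConfigPath = (Resolve-Path -Path $ConfigPath).Path

    # Keep a timestamped copy: the post's advice is to back up before editing.
    $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $root = $cfg.DocumentElement   # assumption: <servers>/<shares> are its direct children

    # Find an existing <element name="..."> or create it with marked="1" provider="MS".
    function Ensure-Entry([System.Xml.XmlElement]$container, [string]$element, [string]$name) {
        $existing = $container.SelectSingleNode("${element}[@name='${name}']")
        if ($existing) { return $false }          # already present, nothing to add
        $node = $cfg.CreateElement($element)
        $node.SetAttribute('name', $name)
        $node.SetAttribute('marked', '1')
        $node.SetAttribute('provider', 'MS')
        [void]$container.AppendChild($node)
        return $true
    }

    # Create the <servers> and <shares> containers if the file lacks them.
    foreach ($section in 'servers', 'shares') {
        if (-not $root.SelectSingleNode($section)) {
            [void]$root.AppendChild($cfg.CreateElement($section))
        }
    }

    $addedServer = Ensure-Entry $root.SelectSingleNode('servers') 'server' $Server
    $addedShare  = Ensure-Entry $root.SelectSingleNode('shares')  'share'  "$Server\$ShareName"

    $cfg.Save($ConfigPath)
    [pscustomobject]@{ ServerAdded = $addedServer; ShareAdded = $addedShare; Backup = $backup }
}

# Usage on the UAG server (elevated), then restart the File Sharing service,
# hit Apply in the console and Activate, as described above:
# Add-UagShare -ConfigPath 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von\FileAccess\ShareAccessCfg.xml' `
#              -Server 'Domain\Server1' -ShareName 'Share_name'
```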

DHCP Superscope Keeps reverting back after Deletion

Posted by Ahmed Nabil | 0 comments
I had this experience after deleting a DHCP superscope, where the superscope reverted after the DHCP server was rebooted or the DHCP service restarted. To properly remove a DHCP superscope, you can use either of the following methods:




1. Right-click the superscope and click Delete. It is safe and won't have any impact on the sub-scopes under this DHCP superscope. In fact, you will receive a message confirming the deletion without impacting or deleting any child scopes, as per the attachment below.
DHCP Superscope deletion


2. Another way is to deactivate the sub-scopes (under your DHCP superscope), move these scopes and then activate them. After all sub-scopes are moved, the DHCP superscope is removed/deleted automatically.
DHCP Technical Documentation:


SQL 2012 Protection with DPM 2012 RTM fails immediately after the job starts

Posted by Ahmed Nabil | 1 comment
I had this experience when I was setting up a new protection group using DPM 2012 for the latest SQL Server 2012. As per the Microsoft System Center 2012 - Data Protection Manager release notes (http://technet.microsoft.com/en-us/library/hh848297.aspx), DPM 2012 should back up and recover SQL 2012 databases except when the AlwaysOn feature is enabled. The AlwaysOn feature is not supported under the current DPM 2012 RTM but is expected to be fully supported with the release of System Center 2012 SP1 (expected in the next few weeks).

DPM 2012 RTM release notes

Although the AlwaysOn feature wasn't enabled on my SQL 2012 database, the DPM job always failed immediately after it started, and the consistency check didn't work either. After some investigation and several trials, it turned out that the NT AUTHORITY\SYSTEM account on the SQL server needs to have the sysadmin role.

SQL NT Authority account


Briefly, to back up and recover SQL 2012 workloads under DPM 2012 RTM:

  1. Make sure the AlwaysOn feature is not enabled (currently DPM 2012 RTM doesn't support it)
  2. Grant the SQL NT AUTHORITY\SYSTEM account the sysadmin right.
  3. Remove the protection group and add it again after applying the above changes.

DNS64 Not Healthy after Applying UAG SP2

Posted by Ahmed Nabil | 0 comments
For those who missed the latest news on UAG, Microsoft released UAG SP2 early this month. For what is new in Microsoft UAG SP2, please check the following links:

http://technet.microsoft.com/library/jj590875

http://support.microsoft.com/kb/2710791

To download Microsoft UAG SP2, please follow this link:

http://www.microsoft.com/en-us/download/details.aspx?id=30459

Everything went fine while downloading and updating the UAG server with the latest SP2. After the reboot I noticed that DNS64 shows Not Healthy under DirectAccess Monitor/Current Status. This is the same behavior I faced while installing Update 1 Rollup 1 earlier this year, and the workaround was to disable/enable DirectAccess from the UAG 2010 console. For detailed steps please check my earlier post:

http://itcalls.blogspot.com/2012/01/dns64-unhealthy-after-applying-uag-sp1.html


Windows 8 and Server 2012 RTM available for Software Assurance Customers

Posted by Ahmed Nabil | 2 comments
Yesterday, August 16, 2012, the Windows 8 and Server 2012 RTM versions became available for all Software Assurance customers.

Windows 8 for volume License and Software Assurance Customers

Everyone is talking about Windows 8 and how it will change the world again with the new Microsoft ecosystem and cloud support. I would encourage everyone to get their hands on the new Windows 8 and start testing the new features and enhancements promised by Microsoft.

Windows 8 New Features:

http://technet.microsoft.com/en-us/windows/explore-windows-8.aspx

Windows 8 different milestones and release dates for different programs:

http://windowsteamblog.com/windows/b/bloggingwindows/archive/2012/08/01/windows-8-has-reached-the-rtm-milestone.aspx


Microsoft UAG DirectAccess Clients Cannot Reach and Ping your Partner/Newly Acquired Company Network

Posted by Ahmed Nabil | 1 comment
It is quite common for corporations to acquire a new company or merge with another company with a different domain name, subnets, etc. DirectAccess clients in one company cannot reach or ping the resources, servers, routers, etc. on the other side (the acquired/partner company). This can be solved by modifying your DNS infrastructure and UAG DirectAccess settings as per the following steps:

  1. Configure the UAG server to have an IPv4 route to the newly acquired network(s).
  2. Make sure that the newly acquired network(s) are added to the UAG internal networks. This can be done from the UAG Admin menu – Network Interfaces – Define Internal Network IP Address Range.
  3. The DNS servers used by UAG and the DirectAccess clients should be configured to resolve the acquired/partner domain, either by hosting its DNS zone or by using conditional forwarders.
  4. Configure your DirectAccess clients to use a DNS suffix search list. This list should include the original company domain and the newly acquired domain. You may want to test it manually to ensure it works; however, it is preferred to do this on the UAG DirectAccess clients OU using Group Policy, as per the attachment.
DNS Suffix Group Policy for DirectAccess OU in Active Directory
  5. UAG needs to be configured to ensure that the client's NRPT (Name Resolution Policy Table) instructs the client to contact UAG for name resolution of the acquired domain. This is done from the DirectAccess UAG configuration step 3 (Infrastructure Servers – DNS Suffixes), as shown below.
UAG DirectAccess configuration step 3 Infrastructure Servers
  6. Apply the new config/policy and activate UAG.
  7. Finally, run gpupdate /force on the client to refresh the client Group Policy. To ensure that the policy is updated on the DirectAccess client, you can run "netsh namespace show pol".



RemoteApp and Web Application ICON Customization in UAG 2010 Portal

Posted by Ahmed Nabil | 2 comments
UAG 2010 portal customization is one of the key strengths of the UAG system. UAG customization is based on the Custom Update concept; for more details and a real-life example, please check the following articles:


One of the main customization issues I faced during the last few weeks is changing the default icons for applications and RemoteApp published applications on the portal. UAG by default is pre-loaded with several default icons for different applications; however, custom apps published using Remote Desktop Services (RDS) RemoteApp or custom web-published apps get the default icon, which sometimes does not represent the application from the owner's point of view. In this article I will provide two examples of icon customization in the UAG 2010 portal.

  1. RDS RemoteApp applications. This includes three fairly simple steps:
    • You need to have your icon file saved in PNG format; the size won't matter, as UAG will automatically resize it according to its placement in the portal. I tried 15x15, 32x32 and 64x64 pixels and it worked fine for all three.
    • The icon needs to be saved under C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\images\AppIcons\CustomerUpdate (provided that you installed UAG in the default C-drive location). The file should be saved under the application name; for example, if your RemoteApp published application is named App1, then its icon should be App1.png.
    • Activate UAG.
  2. Custom web applications. By default a custom web application is published with the default App.gif file; to change this you have to do it in two locations:
    • The main (home) portal area needs a GIF icon of 90x50 pixels, saved, as for RemoteApp, under C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\images\AppIcons\CustomerUpdate (provided that you installed UAG in the default C-drive location). Again, make sure to name the GIF file with the same name as your published application (for example App1.GIF).
    • Edit the properties of the published application on the UAG portal and change the icon properties on the Portal Link tab to reflect the new icon.
    • The left explorer menu needs another icon file with a smaller size of 15x15 pixels, and it should be named with the application name followed by _icon (for example App1_icon.GIF). Similar to the above example, it is saved under C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\images\AppIcons\CustomerUpdate (provided that you installed UAG in the default C-drive location).
    • Activate UAG.

These two examples should lay the basic knowledge to customize your UAG portal application icons, and hopefully you will find it useful.


Publishing Microsoft Pool VDI on UAG 2010 Portal

Posted by Ahmed Nabil | 7 comments
Virtual Desktop Infrastructure is becoming a hot topic nowadays, with many companies adopting this technology due to its flexibility, machine density, mobility, security, manageability and overall total cost of ownership. VDI can be either a dedicated/personal desktop assigned to a specific user or a pool of desktops available to all users (first come, first served); both flavors have their own benefits and drawbacks depending on your exact need and infrastructure. Microsoft allows you to publish the VDI solution on its UAG portal/trunk; however, it is not straightforward and not well explained/documented.

For an introduction to VDI components, please check the following link.


To publish your VDI pool on UAG for external users, you need to do the following:

1. Ensure the UAG server is fully updated and patched with the latest UAG service pack and rollups.

2. From the UAG 2010 server, copy the file ...\Microsoft Forefront Unified Access Gateway\common\conf\rd-template.txt to ...\Microsoft Forefront Unified Access Gateway\common\conf\Custom Update\rd-template.txt. This is needed to modify some RDP parameters to make the VDI redirection work. For more information please check the attached link.


For more information on the UAG Custom Update mechanism and a detailed example, please check the following articles:





3. Add the two lines below to rd-template.txt and save it in the Custom Update folder (mentioned in the previous step).



use redirection server name:i:1

loadbalanceinfo:s:tsv://vmresource.1.1



use redirection server name: specifies whether a redirection server is allowed.

loadbalanceinfo: contains the load balancing cookie used to choose the best server for the client computer. If you know your VDI pool ID, you can change this line to loadbalanceinfo:s:tsv://vmresource.1.PoolID



To get your VDI pool ID, connect to your internal Connection Broker server, then open Server Manager – Roles – Remote Desktop Services – Remote Desktop Connection Manager – RD Virtualization Host Servers – Pooled Virtual Desktops, and you can see all the properties, including the Pool ID.

4. From your UAG portal/trunk, add a new application – Terminal Services – Remote Desktop (Predefined).

VDI Remote Desktop Predefined publishing rule

5. In the server settings, add the VDI redirector session host IP or full address, and in the space below make sure to add all IP addresses or names of every system in your VDI solution (session broker, gateway, redirector, virtualization host and the virtual machines subnet). This is a very critical step for the publishing rule to work. The easiest thing is to add the full IP range of your VDI subnet. Then activate your UAG.

UAG rule VDI Server settings



Note: If you already created the VDI publishing application and it wasn't working, make sure to delete this application, apply all the previous changes and then add the application again; the Custom Update changes won't work for existing published applications.
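Steps 2 and 3 of the procedure above (copy rd-template.txt to Custom Update and add the two RDP settings), scripted as an added example that is not from the original post or the UAG product. The default install root, the Set-UagVdiRedirection name and the replace-rather-than-append handling of an existing key are my assumptions; the file names and the two setting lines are the post's own.

```powershell
# Added example: stage rd-template.txt in the Custom Update folder and set the
# two VDI redirection lines, using the pool ID from the Connection Broker.
function Set-UagVdiRedirection {
    param(
        # Assumed default install path; adjust if UAG is installed elsewhere.
        [string]$UagRoot = 'C:\Program Files\Microsoft Forefront Unified Access Gateway',
        # '1' reproduces the post's tsv://vmresource.1.1; pass your real pool ID otherwise.
        [string]$PoolId = '1'
    )

    $source    = Join-Path $UagRoot 'common\conf\rd-template.txt'
    $customDir = Join-Path $UagRoot 'common\conf\Custom Update'
    $target    = Join-Path $customDir 'rd-template.txt'

    if (-not (Test-Path $source)) { throw "Template not found: $source" }
    if (-not (Test-Path $customDir)) { New-Item -ItemType Directory -Path $customDir | Out-Null }

    # Copy the stock template only if no customized copy exists yet, so a
    # second run does not discard earlier edits in Custom Update.
    if (-not (Test-Path $target)) { Copy-Item -Path $source -Destination $target }

    $required = @(
        'use redirection server name:i:1',
        "loadbalanceinfo:s:tsv://vmresource.1.$PoolId"
    )

    # RDP settings are key:type:value per line. Replace an existing key in
    # place instead of appending a duplicate, since duplicates resolve silently.
    $lines = @(Get-Content -Path $target)
    foreach ($setting in $required) {
        $key = $setting.Substring(0, $setting.IndexOf(':'))
        $replaced = $false
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -like "${key}:*") {
                $lines[$i] = $setting
                $replaced = $true
                break
            }
        }
        if (-not $replaced) { $lines += $setting }
    }
    Set-Content -Path $target -Value $lines

    # Show the effective lines so the result can be checked before activating UAG.
    Get-Content -Path $target | Where-Object { $_ -match '^(use redirection server name|loadbalanceinfo):' }
}

# Usage (elevated, on the UAG server), then add the Remote Desktop (Predefined)
# application and activate UAG as in steps 4 and 5:
# Set-UagVdiRedirection -PoolId '1'
```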





Microsoft MBAM Client Implementation Best Practices

Posted by Ahmed Nabil | 4 comments
Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP), which contains other important business-enabling tools available to Software Assurance customers. MBAM is used to simplify and control BitLocker implementation (Windows 7 machine encryption), deployment and help desk support, as well as providing rich compliance reports. In this article I would like to share some of the best practices that I came across recently while implementing MBAM.

MBAM is implemented via Group Policy on your specified Windows 7 laptops OU under Computer Configuration - Policies - Administrative Templates - Windows Components - MDOP MBAM. This folder contains 4 main categories (see the image below):

  1. Client Management
  2. Fixed Drive (Enable Password Protection)
  3. Operating System Drive (Enable PIN protection)
  4. Removable Drive
MBAM client Group Policy settings

Normally we would enable the client services and enforce fixed drive and OS drive encryption (PIN + password). Depending on your company policy you may enable or disable removable drive encryption (USB thumb drives). Under the Client Management category you can enable hardware compatibility checking; this feature can be used to identify BitLocker-capable computers and exclude specific hardware that you don't want encrypted. Only laptops that are approved and marked compatible (Hardware tab in the MBAM admin site) will get encrypted.

The key steps for a successful BitLocker/MBAM client implementation are as follows:
  1. Enable the TPM from the laptop BIOS (check your laptop manufacturer's BIOS settings)
  2. Activate the TPM from the BIOS
  3. Install the MBAM client on the laptop (32-bit or 64-bit client). Both are available in the MBAM source files.
  4. In many cases MBAM fails to take ownership of the TPM, and it is recommended to install this fix: http://support.microsoft.com/kb/2640178
  5. By default the MBAM client waits for a random delay of 90 minutes before reporting any status to the MBAM server. To override this default, add the DWORD value NoStartupDelay under HKLM\Software\Microsoft\MBAM with a value of 1 on each client. For more information about MBAM registry settings and timers, please check this link: http://www.css-security.com/blog/mbam-real-world-information/
  6. If you enabled the hardware compatibility checking policy (mentioned above), the MBAM administrator needs to approve the devices to be encrypted and change their status to compatible from the MBAM admin site. There is a 24-hour check delay when you mark a machine compatible from the MBAM console. To overcome this, remove the following two values from your client machines, then restart the MBAM agent service:
    • HKLM\software\microsoft\MBAM\HWExemptionTimer
    • HKLM\software\microsoft\MBAM\HWExemptionType
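Steps 5 and 6 above applied to one client, as an added example (not from the original post or from the MBAM product). The key path and value names are the post's own; the service name MBAMAgent, the Reset-MbamClientTimers name and the before/after report it returns are my assumptions.

```powershell
# Added example: set NoStartupDelay, clear the hardware-exemption timer values
# and restart the MBAM agent on the local client. Run elevated on the client.
function Reset-MbamClientTimers {
    param(
        [switch]$SkipStartupDelay,   # step 5: NoStartupDelay = 1
        [switch]$ClearHwExemption    # step 6: remove HWExemptionTimer / HWExemptionType
    )

    $key = 'HKLM:\Software\Microsoft\MBAM'
    if (-not (Test-Path $key)) {
        throw "MBAM client key $key not found; is the MBAM client installed?"
    }

    # Record the current values first so the change is auditable.
    $before = Get-ItemProperty -Path $key
    $report = [ordered]@{
        NoStartupDelayBefore   = $before.NoStartupDelay
        HWExemptionTimerBefore = $before.HWExemptionTimer
        HWExemptionTypeBefore  = $before.HWExemptionType
    }

    if ($SkipStartupDelay) {
        New-ItemProperty -Path $key -Name 'NoStartupDelay' -PropertyType DWord -Value 1 -Force | Out-Null
    }

    if ($ClearHwExemption) {
        foreach ($name in 'HWExemptionTimer', 'HWExemptionType') {
            # The value is absent on a client that has never run a hardware
            # check, and that is not an error, hence SilentlyContinue.
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    }

    # Restart the agent so it re-reads the keys and reports without waiting
    # for the timers. 'MBAMAgent' is the assumed service name.
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    if ($svc) {
        Restart-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Running', (New-TimeSpan -Minutes 2))
        $report.AgentRestarted = $true
    } else {
        $report.AgentRestarted = $false
    }

    $after = Get-ItemProperty -Path $key
    $report.NoStartupDelayAfter = $after.NoStartupDelay
    [pscustomobject]$report
}

# Usage:
# Reset-MbamClientTimers -SkipStartupDelay -ClearHwExemption
```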

MBAM Technical Documents:

Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page

http://www.microsoft.com/download/en/details.aspx?id=27555



DirectAccess IPHTTPS interface qualifies over Teredo

Posted by Ahmed Nabil | 2 comments
It has been noticed on several DirectAccess deployments that the client IPHTTPS interface gets connected first, ahead of the Teredo interface, although nothing prevents the Teredo interface from being activated. Most clients wouldn't prefer IPHTTPS because of its high overhead and low performance compared to Teredo or 6to4. After some investigation and consulting Microsoft escalation engineers, it turned out to be a well-known issue on several clients where Teredo and IPHTTPS race and IPHTTPS wins in the end due to timing issues. This is elaborated in detail in the following Microsoft TechNet article: http://technet.microsoft.com/en-us/library/ee844161(WS.10).aspx


As per the image below, extracted from the above-mentioned article, this issue can occur and IPHTTPS will win and get qualified first.

IPHTTPS qualifies over Teredo due to timing issues

To test whether my client was in this condition, I ran IPCONFIG /ALL on my client machine and noticed that I had public addresses on both my Teredo and IPHTTPS interfaces, as per the attachment.

Both the IPHTTPS and Teredo interfaces have a public IP address



To make sure you are always using Teredo, you can implement one of the following workarounds:

1. Disable the IPHTTPS interface from Device Manager - View hidden devices - Network adapters (unless you need IPHTTPS in locations where the Teredo UDP port is blocked)
2. After logging on and connecting using IPHTTPS, restart the "IP Helper" service.


For more information about this issue, please check Tom Shinder's article: http://blogs.technet.com/b/tomshinder/archive/2010/08/24/why-are-both-the-teredo-and-ip-https-interfaces-active.aspx

It is also recommended to patch the UAG/DirectAccess server with the latest fixes related to DirectAccess; the most recent updates/fixes are as follows:

http://support.microsoft.com/kb/2686921
http://support.microsoft.com/kb/2633127
http://support.microsoft.com/kb/2680464



UAG Portal Home Page Customization – Left Side Menu/Scroll Bar Example

Posted by Ahmed Nabil | 0 comments
Microsoft UAG 2010 offers a very flexible way of customizing different pages and settings. The UAG customization mechanism uses a "CustomUpdate" folder structure. Under the "Microsoft Forefront Unified Access Gateway" folder tree you will notice that several folders contain a "CustomUpdate" folder; UAG admins can create their own files and place them in this CustomUpdate folder.

When UAG is activated it checks these folders first, before checking the default folder. It is highly recommended to do all your customizations in the "CustomUpdate" folder, the main reason being that if things go wrong you can just delete these files and everything will be back to the default state before customization. Most of the customization for the UAG portal is done via the PortalHomePage folder, as per the attached screenshot.

UAG 2010 Customization Folders


An example of customization that I came across lately is increasing the width of the portal home page left side menu. To increase the left side menu area you need to do the following:

1. On the Forefront UAG server, open the folder Microsoft Forefront Unified Access Gateway\von\PortalHomePage
2. Copy the file Standard.Master to the folder Microsoft Forefront Unified Access Gateway\von\PortalHomePage\CustomUpdate.
3. Go to the section below and modify the width portion of <td class="midTopSideBarCell" style="width: 200px;">, then activate UAG and test the change.

<td class="contentLeftSideBarCell" id="LeftSideBarCell">
    <table cellpadding="0" cellspacing="0" class="leftSideBarTable">
        <tr>
            <td class="leftTopSideBarCell">
                &nbsp;</td>
            <%-- Folder View Title --%>
            <td class="midTopSideBarCell" style="width: 200px;">

This will increase/expand the left side menu; however, the bottom scroll bar is not automatically sized according to the main cell. To adjust it to automatically size/fit the main left area, you will need to customize the Office.css file (thanks to the Microsoft team) as follows:

1. On the Forefront UAG server, open the folder Microsoft Forefront Unified Access Gateway\von\PortalHomePage\App_Themes\Office\Office.css
2. Copy the Office.css file to \von\PortalHomePage\App_Themes\CustomUpdate\Office\Office.css
3. Go to the section below (.SideBarContent) and modify the width from 165px to 100% as shown below. Activate UAG and test the change. This will automatically adjust the scroll bar to fit the left area in the portal.

Office CSS side bar content UAG Portal Customization




    A very good reference is the TechNet article on customizing the portal, http://technet.microsoft.com/en-us/library/ff607389.aspx, and Ben Ari and Rainier Amara's latest comprehensive book dedicated to UAG 2010 customization.


    Publishing IMAP/IMAPS on Microsoft UAG 2010 – UAG Support Boundary

    Posted by Ahmed Nabil In | 0 comments»
    Recently several users with BlackBerry phones approached me seeking to access their corporate email on their phones. Microsoft UAG doesn't support the BlackBerry service; however, a workaround is to use IMAP to access and download their emails on their BlackBerry phones.

    Microsoft highly recommends and advises all UAG administrators to leave the TMG configuration (installed by default on the UAG box) untouched. The TMG rules and configuration are controlled and configured by the UAG, and administrators should not use the TMG for publishing applications and other things. However, there are some exceptions to this strict recommendation, and they are published in the UAG support boundaries document. I also checked with the Microsoft Support team and they confirmed the IMAP publishing based on this document.


    As per the above-mentioned document, Forefront TMG can be used to publish IMAP/IMAPS. Attached below is the section dealing with supported configuration on the TMG as per that document.

    TMG supported configuration on UAG

    Accordingly, IMAP/IMAPS can be published normally from the TMG server (on the UAG box). This will be a simple Server Publishing Rule with the following settings:

    1. Action - Allow
    2. Traffic - IMAPS Server
    3. From - Anywhere
    4. To - Type your Exchange Server IP
    5. Networks - External or DMZ (as per your setting)
    6. Schedule - Always

    It's highly recommended to use IMAPS over IMAP to ensure the traffic is encrypted.

    Windows 7 Direct Access Client Troubleshooting – Part 1 – Client Transition Technologies

    Posted by Ahmed Nabil In | 3 comments»
    During the past few months I was heavily engaged with different DirectAccess implementations and came across several interesting issues/problems. The DirectAccess wizard is so simple that normally things work the first time; however, sometimes things can go wrong.

    In this article series I will try to go through several troubleshooting items, moving from the basic commands to more advanced issues.
    First of all we need to ensure that the DirectAccess components on the Windows 7 client are running and functioning normally. The basic steps are as follows:


    1. From the Start Menu - right click the Computer object – Properties – Device Manager – View (Show Hidden Devices) – expand Network Adapters – ensure the “IPHTTPSinterface” and “Teredo Tunneling Pseudo-Interface” are enabled.
    2. In Services, check that the “IP Helper” service startup type is Automatic and the status is up and running.
    3. Run ipconfig /all to check which interfaces are up and which interfaces have an IPv6 address.
    4. Ensure the machine is located outside the corporate network by running the following command:

              netsh dnsclient show state



    Which Transition Technology is my DA client using?

    1. If the DirectAccess client has a public IPv4 address (assigned to its Ethernet or wireless NIC) and IP protocol 41 is allowed on the company corporate firewall/UAG/TMG, then the client will connect using the 6to4 transition technology.
       The three main netsh commands that should be used for troubleshooting are:
    · netsh interface 6to4 show state (the state should be Default or Enabled; Disabled means the DA client will never bring the 6to4 interface up)
    · netsh interface 6to4 show relay (this should list the first consecutive public IPv4 address configured on the DA server)
    · netsh interface 6to4 show interface (displays the configuration information)
    · For detailed 6to4 troubleshooting: http://technet.microsoft.com/en-us/library/ee844172(v=ws.10).aspx

    Troubleshooting 6to4 interface



    2. If the 6to4 interface didn't come up (for DA clients with public IPv4 addresses), then the DA client will automatically fall back to an IPHTTPS interface connection.
       The main netsh command for IPHTTPS is:
    · netsh interface httpstunnel show interfaces (this lists the IPHTTPS URL and the status, where active means the interface is up and running and deactivated mostly means the DA client is connected using another transition technology)
    · For detailed DirectAccess IPHTTPS troubleshooting: http://technet.microsoft.com/en-us/library/ee844126(v=ws.10).aspx



    Troubleshooting IPHTTPS interface


    3. If the DA client is behind a NAT device, then it should connect using Teredo, provided that port 3544 (UDP) is enabled and allowed all the way to the DA server.
       The main netsh command used with Teredo is:

    · netsh interface teredo show state (if the state is qualified then Teredo is functioning normally; otherwise there is a problem, mostly the UDP port being blocked)
    · For detailed Teredo troubleshooting: http://technet.microsoft.com/en-us/library/ee844188(v=ws.10).aspx

    Troubleshooting Teredo connectivity


    4. If Teredo didn't work (clients behind NAT), then the DA client will automatically fall back to the IPHTTPS option (step 2).
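    The decision points above, as an added example that is not part of the original post: a PowerShell function for the Windows 7 DA client that runs the netsh commands discussed and reports which transition technology is in use. It assumes an elevated prompt and English netsh output; the labels it parses (State, Interface Status, Machine Location) and the adapter names in netsh interface ipv6 show interfaces (6TO4 Adapter, Teredo Tunneling Pseudo-Interface, iphttpsinterface) are assumptions about that output.

```powershell
# Added example, not from the original post. Summarises the DirectAccess client state
# using the netsh commands discussed above. Assumes an elevated prompt and English
# netsh output; "Label : value" lines and adapter names are matched with loose regexes.

function Get-NetshValue {
    # Return the value of the first "Label : value" line in $Lines, or $null if absent.
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

function Get-DATransitionState {
    # Step 4 above: the NRPT state tells us whether the client thinks it is outside the corpnet.
    $location = Get-NetshValue -Lines (netsh dnsclient show state) -Label 'Machine Location'
    # The per-technology status values discussed in points 1-3.
    $sixto4 = Get-NetshValue -Lines (netsh interface 6to4 show state)   -Label 'State'
    $teredo = Get-NetshValue -Lines (netsh interface teredo show state) -Label 'State'
    $https  = Get-NetshValue -Lines (netsh interface httpstunnel show interfaces) -Label 'Interface Status'
    # Which tunnel adapters are actually connected (assumed adapter names, see lead-in).
    $ifaces = netsh interface ipv6 show interfaces
    $up = @{}
    foreach ($name in '6TO4 Adapter', 'Teredo Tunneling Pseudo-Interface', 'iphttpsinterface') {
        # \bconnected\b does not match "disconnected".
        $up[$name] = [bool]($ifaces | Where-Object { $_ -match '\bconnected\b' -and $_ -match [regex]::Escape($name) })
    }
    # Client preference order is 6to4, then Teredo, then IP-HTTPS fallback: assign the
    # lowest-preference technology first so the preferred one wins when several are up.
    $active = 'none'
    if ($up['iphttpsinterface']) { $active = 'IP-HTTPS' }
    if ($up['Teredo Tunneling Pseudo-Interface'] -and $teredo -eq 'qualified') { $active = 'Teredo' }
    if ($up['6TO4 Adapter']) { $active = '6to4' }
    # Hints that follow directly from the troubleshooting notes above.
    $hints = @()
    if ($sixto4 -eq 'disabled') { $hints += '6to4 is disabled; the 6to4 interface will never come up.' }
    if ($teredo -and $teredo -ne 'qualified') { $hints += "Teredo state is '$teredo'; check that UDP 3544 reaches the DA server." }
    if ($active -eq 'IP-HTTPS') { $hints += 'Running on the IP-HTTPS fallback; 6to4/Teredo did not come up.' }
    New-Object PSObject -Property @{
        MachineLocation  = $location
        SixToFourState   = $sixto4
        TeredoState      = $teredo
        IpHttpsStatus    = $https
        ActiveTransition = $active
        Hints            = $hints
    }
}

Get-DATransitionState | Format-List
```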


    Troubleshooting Direct Access Teredo connectivity on Forefront UAG 2010

    Posted by Ahmed Nabil In | 0 comments»
    I encountered a problem on one of my DirectAccess installations where all the clients were able to connect to DirectAccess using IPHTTPS only. After several investigations, and with the help of senior Microsoft engineers, we noticed that the Teredo IPv6 route was missing on the server. When the server tries to respond to Teredo requests, it uses the default route (6to4) instead of the server's Teredo adapter, due to the following route entry:

    UAG cannot respond to Teredo


    To fix this issue you need to manually add the Teredo route as follows:


    1. Obtain the Teredo adapter interface index (Idx) by running the following elevated command on the UAG server: “netsh int ipv6 show int”
    2. Add the route manually (using the Idx obtained in the earlier step) as follows:

    Adding Teredo Route manually to UAG 2010 routing table






    Certificate CRL and Delta CRL are not copied automatically to the HTTP Path

    Posted by Ahmed Nabil In | 0 comments»
    A common problem noted on several implementations of Active Directory Certificate Services is that the CRL and delta CRL are not copied to the HTTP path. By default a Microsoft Enterprise CA only publishes the CRL automatically to the LDAP path defined in the CRL Distribution Point (CDP). Normally CA administrators can define the CDP in many locations, such as LDAP and HTTP (the Inetpub folder). Since it's only copied to LDAP, the HTTP copy expires and the user encounters this error.

    HTTP CRL location get expired on daily basis


    The client will try to retrieve the CRL and delta CRL from each defined location (LDAP and HTTP) when the system checks the revocation status of a certificate. If it can get the CRL from any one of these locations then it will pass the revocation check and function normally, even if the CRL is not copied to the HTTP location. However, it will show the above Expired status for the CRL and delta CRL HTTP location.

    To solve this issue you have two options:



    1. Copy them manually from the CERTSRV folder to the Inetpub folder.
    2. Create a batch file to copy them automatically and add this batch file to the daily scheduled tasks.

    The batch file should be something like this (the /Y switch suppresses the overwrite prompt, which would otherwise hang the job when it runs unattended from a scheduled task):
    xcopy c:\windows\system32\certsrv\CertEnroll\*.crl C:\Inetpub\ /Y
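    A PowerShell variant of that scheduled job, added here as an example that is not part of the original post: it copies the CRL and delta CRL to the HTTP path and then reads the NextUpdate of each published copy with certutil -dump, so the task's own output shows when the HTTP copy is about to expire. The source and destination paths are the ones from the post; parsing the certutil output assumes its English “NextUpdate:” line.

```powershell
# Added example, not from the original post. Publishes the CA's CRL/delta CRL to the
# HTTP CDP folder and reports each copy's NextUpdate, so an expiring HTTP copy is
# visible in the task output. Assumes English certutil output for the NextUpdate line.

param(
    [string]$Source      = 'C:\Windows\System32\certsrv\CertEnroll',   # CA publish folder
    [string]$Destination = 'C:\Inetpub'                                # HTTP CDP folder from the post
)

function Get-CrlNextUpdate {
    # Parse "NextUpdate: <date>" from certutil -dump output; returns $null if not found.
    param([string]$Path)
    $dump = certutil -dump $Path
    foreach ($line in $dump) {
        if ($line -match '^\s*NextUpdate:\s*(.+?)\s*$') { return [datetime]::Parse($Matches[1]) }
    }
    return $null
}

function Publish-CrlToHttp {
    param([string]$Source, [string]$Destination)
    # -Force overwrites the previous copy, the same as xcopy /Y in the batch version.
    Get-ChildItem -Path $Source -Filter '*.crl' | ForEach-Object {
        Copy-Item -Path $_.FullName -Destination $Destination -Force
        $published = Join-Path $Destination $_.Name
        $next = Get-CrlNextUpdate -Path $published
        $hoursLeft = $null
        if ($next) { $hoursLeft = [math]::Round(($next - (Get-Date)).TotalHours, 1) }
        New-Object PSObject -Property @{
            File       = $_.Name
            IsDelta    = ($_.Name -like '*+.crl')   # delta CRLs carry a "+" suffix
            NextUpdate = $next
            HoursLeft  = $hoursLeft
        }
    }
}

# The task's schedule interval must be shorter than the shortest NextUpdate window
# (usually the delta CRL's), otherwise the HTTP copy still expires between runs.
Publish-CrlToHttp -Source $Source -Destination $Destination | Format-Table -AutoSize
```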