About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.


OCS 2007 R2 and Server 2008 R2

Originally posted the 17 November 2009, now updated on 20 November 2009

I get this question over and over:  Can we deploy OCS 2007 R2 on Server 2008 R2?

According to the Office Communications Server 2007 R2 Documentation:

  • All domain controllers in the forest where you deploy Office Communications Server run Windows Server 2003 with SP1, Windows Server 2003 R2, or Windows Server 2008.

  • All global catalog servers in the forest where you deploy Office Communications Server run Windows Server 2003 with SP1, Windows Server 2003 R2, or Windows Server 2008.

  • All domains in which you deploy Office Communications Server are raised to a domain functional level of Windows Server 2003 or Windows Server 2008.

  • The forest in which you deploy Office Communications Server is raised to a forest functional level of Windows Server 2003 or Windows Server 2008.

    As of 16 November 2009, Windows Server 2008 R2 is still not supported.

    Having established the “official” facts, I can tell you empirically, OCS R2 on Server 2008 R2 might be OK (emphasis on MIGHT) in a lab, but it is nothing I want to try (again) in anything resembling a production environment.

  • 2009/11/17

    SharePoint stuck in Read-Only

    Our office, like many others, uses SharePoint for a wide variety of uses.  To say that our SharePoint is “business critical” is not an over-statement.  Recently, we ran our SQL Express instance of the SharePoint database into the SQL Express 4GB database size limit.  While moving the database was not a huge issue, what was an issue is that SharePoint, on an internal basis, apparently marked the database as “read-only.”

    What is important here is that SQL did not think the database was locked; SharePoint thought it was locked.  After we moved the database to full SQL Server and reconnected the database to the SharePoint farm server, we still could not edit, add, or remove items or documents, or perform any other action or task except look at database contents.

    Running the following command showed that SharePoint had the database marked as “readonly” (command may have wrapped)

    stsadm -o getsitelock -url http://servername

    This command returned this output, which explained our issue!

    <SiteLock Lock="readonly" />

    How to fix this?  Here’s how: (command may have wrapped)

    stsadm -o setsitelock -url http://servername -lock none

    Problem solved!


    Users unable to join LM session, MEET NOW button not working, LM functions grayed out.

    In the middle of a deployment - an OCS R1 to R2 migration - we noticed that the LM functions were not working.  LM worked for the individual workstations when connecting to a remote session initiated by a federated partner.  The meeting policy at the global level was created, edited, and assigned correctly.

    We noticed that we had neglected to run the Web Conferencing validation tests.  We had a tick box on our checklist; we had just overlooked it.  Running the validation wizard revealed that the validation connection checks were failing to contact the MCU on either of the Front End servers.  We double-checked everything, and concluded that everything on the OCS side was correct.

    “Aha,” says we.  “Must be a certificate issue.”  Except that we were using good public certificates on all the interfaces for the FE servers.  Bummer.  Except, I then read this blog article.

    Oddly, this was so on target it floored me.  I used the solution that changed the usage on the Trusted Root Certificate to “ALL” - voila!  problem resolved.  I don’t know who exactly wrote this, and what follows is a cut ‘n paste and edit of the relevant parts of that blog that fixed my issue. Many thanks to the unknown CSS engineer (Dave) who took the time to write this up.

    Event Type:    Error
    Event Source:    OCS MCU Infrastructure
    Event ID:    61013
    User:        N/A
    Computer:    OCS1
    The process DataMCUSvc(2596) failed to send health notifications to the MCU factory at https://OCS1.contoso.com:444/LiveServer/MCUFactory/.
    Failure occurrences: 3491, since 3/24/2009 10:05:18 PM.

    If you run the Web Conferencing validation wizard from the OCS Pool, you may find the following error in the output log:

    MCU Type: meeting
    URL: https://OCS1.contoso.com:444/LiveServer/MCUFactory/
    HTTP Connectivity Error : ReceiveFailure
    HTTP Connectivity Error : Receive failure typically indicates that the connection was closed by
    the remote host. This can happen if the remote server does not trust the certificate presented by the
    Local Server.

    HTTP Connectivity Error : Ensure that the certificate of the local server and remote server are both
    valid, have not expired, and contain valid subject name. In addition, ensure that the certificate chain
    of both Server(s) are valid. Ensure that the certificate chain of the local server is installed
    on the remote server and vice-versa. The most up-to date certificate chain that was used to issue
    the server certificate must be present.

    When you see errors like these, it usually indicates that a certificate-related authentication problem exists with the OCS Pool (or with a particular OCS Front End server).  Most of the time, this turns out to be a problem with the certificate from an issuing Certification Authority.  To troubleshoot this issue, you would typically perform the following steps:

      1. Log in to the affected OCS 2007 Front End server either locally or remotely using Remote Desktops.
      2. If the issuing CA is a Root CA (the top of the list), expand Trusted Root Certification Authorities > Certificates
      1. If the issuing CA is an Intermediate CA (not the top of the list), expand Intermediate Certification Authorities > Certificates
      2. From the list of CA certificates, right click on the certificate and choose Properties
      3. Under the General tab, verify that Enable all purposes for this certificate is selected (or, if Enable only the following purposes is selected, verify that both Server Authentication and Client Authentication are enabled)
      4. Click OK to close the properties of the CA certificate.
      5. If this was an Intermediate CA certificate, repeat steps 6 through 10 until these settings from all certificates in the trusted certification chain are verified
      6. Close the Certificates Management Console (be sure to restart services if you made any changes)


    Why this occurred on a brand new R2 installation on server 2008 SP2 is beyond me.  The OCS R1 system (on Server 2003 SP2 R2) did not have this issue, but the brand new setup did.  Go figure.

    Edge Server Certs and blank Communicator message windows

    A client recently changed their certificates on the edge server.  They put together a certificate that handled everything with one certificate.  However, the SAN construction on the cert was a little wrong.


    Presence worked, but federated contacts could not fully establish an IM session.  LM and AV did not work as expected either.  If a federated user initiated an IM, the internal user would get the toast and then when the toast was opened, there was nothing but a blank….but the toast had the initial message…but a blank content pane.  If the internal user attempted to initiate an IM session, the reverse would occur.  After the blank IM window appeared, any subsequent efforts at IM resulted in a timeout with a 504 error.

    What caused this?

    Logging on both edges revealed that the initial IM invite was addressed to the proper SIP SRV record, but after the initial ACK, the client system packets were being directed at a different FQDN.  Digging into the client’s edge server revealed that the FQDN was the actual server FQDN.  It seems the cert had been issued for the FQDN and that SIP, AV, and LM were on the cert, but that SIP was not the FIRST SAN name.

    So, what happens is that the federated contact can get to SIP.domain.com (via the _sipfederatedtls._tcp.domain.com SRV record) for the initial invite, but after that the packet sourcing of the remainder of the conversation looked like it came from the FQDN of the client’s edge because, according to the certificate on the Access Edge, that is exactly where it came from. The initial SIP invite worked because the traffic arrived at the edge.domain.com access edge interface IP address, and the SAN on the existing (new) cert did indeed have SIP.domain.com as a valid domain.  However, the certificate’s common name and first SAN entry are what drive that particular NIC FQDN name when it comes to transmitting vice receiving. The end result is the federated side of the conversation gets started just fine, but then tries to communicate to an FQDN that is not accessible from the internet.

    Clear as the bottom of a well on a dark night, eh?

    The Fix:

    Changing the certificates back to the originally installed set fixed the issue….

    • SIP.domain.com
    • AV.domain.com
    • LM.domain.com

    This will also work if you use ONE certificate with those three names (or whatever name you choose for each) as long as the SIP.domain.com is both the common name of the cert as well as the first SAN entry.  The FQDN of the actual server should only show on the internally-facing Edge interface.  For even MORE confusion, see this:

    Bon Appetit!
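
The rule from this post (the SIP name must be both the common name and the first SAN entry) can be checked before a certificate goes onto the Access Edge. The PowerShell below is an added example, not part of the original post: `New-SampleCert`, `Get-SanDnsNames` and `Test-EdgeCertNameOrder` are hypothetical helpers, `edge01.domain.local` is a constructed stand-in for the server FQDN, and both certificates are built in memory (assumes .NET Framework 4.7.2+ or PowerShell 7).

```powershell
# Added example, not from the original post. All names below are constructed.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Build a throwaway self-signed certificate in memory (nothing is installed).
function New-SampleCert {
    param([string]$CommonName, [string[]]$DnsNames)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$CommonName", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $san = [SubjectAlternativeNameBuilder]::new()
    foreach ($n in $DnsNames) { $san.AddDnsName($n) }   # encoded in this order
    $req.CertificateExtensions.Add($san.Build($false))
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1),
                          [DateTimeOffset]::UtcNow.AddDays(30))
}

# Read one DER tag/length header; handles short and long length forms.
function Read-DerHeader {
    param([byte[]]$Der, [int]$Pos)
    $len = [int]$Der[$Pos + 1]
    $hdr = 2
    if ($len -band 0x80) {
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) {
            $len = ($len -shl 8) -bor $Der[$Pos + 2 + $i]
        }
        $hdr = 2 + $n
    }
    [pscustomobject]@{ Tag = $Der[$Pos]; Length = $len; Start = $Pos + $hdr }
}

# Return the dNSName SAN entries in the order they appear in the certificate.
# Parsing the raw extension avoids the localized text of X509Extension.Format().
function Get-SanDnsNames {
    param([X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        Select-Object -First 1
    if (-not $ext) { return }
    $der = $ext.RawData
    $seq = Read-DerHeader $der 0            # outer SEQUENCE OF GeneralName
    $pos = $seq.Start
    $end = $seq.Start + $seq.Length
    while ($pos -lt $end) {
        $item = Read-DerHeader $der $pos
        if ($item.Tag -eq 0x82) {           # context tag [2] = dNSName
            [Text.Encoding]::ASCII.GetString($der, $item.Start, $item.Length)
        }
        $pos = $item.Start + $item.Length
    }
}

# Apply the post's rule: CN and FIRST SAN must both equal the Access Edge name.
function Test-EdgeCertNameOrder {
    param([X509Certificate2]$Cert, [string]$AccessEdgeFqdn)
    $cn    = $Cert.GetNameInfo([X509NameType]::SimpleName, $false)
    $san   = @(Get-SanDnsNames $Cert)
    $first = if ($san.Count) { $san[0] } else { $null }
    [pscustomobject]@{
        CommonName = $cn
        FirstSan   = $first
        AllSans    = $san -join ', '
        NameRuleOk = ($cn -eq $AccessEdgeFqdn) -and ($first -eq $AccessEdgeFqdn)
    }
}

# Constructed sample 1: SIP name is the CN and the first SAN entry.
$sipFirst = New-SampleCert 'sip.domain.com' @(
    'sip.domain.com', 'av.domain.com', 'lm.domain.com')

# Constructed sample 2: issued to the server FQDN, SIP name present but not first
# (the situation described in the post).
$fqdnFirst = New-SampleCert 'edge01.domain.local' @(
    'edge01.domain.local', 'sip.domain.com', 'av.domain.com', 'lm.domain.com')

$sipFirst, $fqdnFirst |
    ForEach-Object { Test-EdgeCertNameOrder -Cert $_ -AccessEdgeFqdn 'sip.domain.com' } |
    Format-List
```

To check a certificate that is already installed, pass the object returned by `Get-Item Cert:\LocalMachine\My\<thumbprint>` as `-Cert` instead of a sample.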


    MS KB 974571 and OCS/LCS

    http://communicationsserverteam.com/archive/2009/10/14/632.aspx outlines an issue with applying this security patch to your OCS/LCS servers.  The only fix if this is happening to you is to uninstall the KB fix.


    Microsoft delivers zero license cost XMPP Gateway for OCS

    Today, Microsoft delivers a new gateway.  Read about it here.  This is GREAT news.

    Now you can federate/PIC with Microsoft Live, Google Talk, and Jabber.


    OCS 2007 R2 and Server Role Virtualization

    I get asked in every engagement, “…can we virtualize OCS R2?”  This is a great question.  Using virtualization has clear benefits - and also clear drawbacks.  On the benefit side, using virtualization offers more efficient hardware utilization; on the drawback side, applications that are time sensitive or are CPU sensitive may suffer degraded performance.  OCS 2007 R2 falls into both categories.  OCS has some roles that lend themselves to virtualization, but OCS also has server roles that Microsoft does not support in a VM environment (presumably because of the performance degradation).  Specifically, any server role that handles media (read A/V) is not supported in a virtualized environment.

    For reference see the Office Communications Server team blog on this subject.  Also, I encourage you to read this document that lays out the situation in more detail.

    Now that we know what is supported, what is practical and not practical?  We know that some organizations will weigh support issues against the advantages of an unsupported deployment and decide the benefits outweigh the risks. The documents I just pointed you to are definitive, yet the scale numbers in the second document are for large environments.  What about the smaller enterprises with only a few hundred users?  How about a company with less than 5000 users (the implied limit for a Standard Edition server)?  What about the ancillary OCS server roles (archiving, monitoring, directors)? What follows is purely my opinion and experience.  If you are concerned with being in a supported status (from the Microsoft CSS viewpoint), stop here and follow the guidance in the references to the letter.

    Let’s look at the VM host environment and then see what we can do. When you plan your VM host server, make sure it has PLENTY of CPU cycles - read many fast cores.  RAM is an important item on your VM host server.  Do not scrimp on RAM.  The guest VM must have at LEAST the minimum number of CPU cores and amount of RAM that the server role is required to have on a physical server.  If the recommended minimum is 2 CPU cores and 4GB RAM, then that is the minimum for the guest VM instance also.  As to drive speed on the VM host, resist using SATA and go with 15k RPM SCSI.  And do not try to cram too many guest VMs onto one host.  As always, leave enough RAM and CPU for the host OS to function properly.

    Plan your VM host server network support carefully.  Good resources for this critical task when using Microsoft's Hyper-V are here and here.  I highly recommend using at least two physical Network Interface Cards - one for the host server and one for the guests. Resist the urge to get fancy and do NOT use wireless.  The combination of VM, OCS, and wireless creates performance issues.  Another item of note is that you can adjust the performance of both the VM host and the VM guest to maximize performance.  Face it, GUI is nice, bells and whistles are cool, but do you really need that stuff on your servers?  You will never miss these fancy features…they are just fluff. In a virtualized environment, where cost reduction through hardware consolidation is generally a main goal, performance is king.  This is what I do for every VM host and guest I touch - the performance gain is noticeable:


    Now that we have looked at the VM host and guest environment we can consider which OCS roles are candidates for virtualization, and in my experience, what is practical. The following table outlines the OCS 2007 R2 server roles and their respective VM possibilities:

    Server role | VM Yes/No | Notes
    Consolidated FE (SE) | No | Just don’t
    Consolidated FE (EE) | Yes for IM&P only | No for anything A/V, desktop share, or Live Meeting
    CWA | Yes | As the user numbers climb, performance will drop off; i.e., you will see some screen-draw issues as the user count climbs.
    Group Chat | Yes | Works well
    Group Chat Archiving | Yes | Works well
    Mediation | No | Just don’t
    Director | Yes | For the numbers we quoted above, it works
    Consolidated Edge | No | Just don’t
    Archiving | Yes | For the numbers we quoted above, it works
    Monitoring | Yes | For the numbers we quoted above, it works
    Web Components | Yes | This will depend on your LM work load, how many remote users are expanding DLs, etc.
    SQL | Yes | SQL in VM is supported, but not SQL cluster.  However, I have done SQL cluster on two separate VM hosts.  Do not do VMotion or equivalent on the cluster.

    While you are at this, you may want to take a look at SQL databases.  Microsoft says you need a separate SQL instance for each database.  This is for performance reasons.  However, I know that one SQL server can host the backend OCS database, the Group Chat Archive Database, the archiving database, and the monitoring database and do just fine.  Again, this is a numbers game.  As the number of users climbs, the load on the SQL will climb also and eventually you will see a drop in performance.  Specifically, our second reference document says that the SQL backend is the limiting factor to how many users can be attached to a virtualized enterprise pool.  But, our target user numbers are only 1/8th of that limit.  Therefore, I feel confident in stating that one SQL server (with the proper resources) will support your OCS needs.

    Let’s take a look at this table from a deployment perspective.  As an example, say you have 1000 users. Your usage projections are for moderate use of Live Meeting, about 100 users maximum for CWA, and about 200 or so of your users are remote, and federation/PIC will be used by 30% of your users (just picking numbers here for this example).  In this case, I would think that you could explore the possibilities of using VM for everything but your SE and your Edge.  A single SQL server, deployed in VM, will be able to host all of your OCS databases. Should you deploy Enterprise Voice, you would place your mediation server on physical as well.

    Before you move ahead with a project such as this, remember this is just my opinion, based on my experience, and that virtualizing OCS 2007 R2 roles that are not supported as virtualized by Microsoft places you in an unsupported configuration.


    Exchange 2010 OWA and IE

    It appears that there are significant differences between the IE versions and how OWA displays and operates with Exchange 2010 RC.

    IE7 is the minimum to get the premium OWA; IE6 gets you OWA lite.



    polite drivers

    Hello Wenatchee Washington.

    I have had the opportunity to cross the street recently, and I have to say; I wish my home town had drivers who stopped for pedestrians.  And I am not talking about just one or two, I mean everybody! 

    I am simply not used to drivers stopping 50-60 meters short of where I am waiting to allow me to walk across the street.  And these are four lane main streets, not some dinky-ass side street.

    In Portland (Oregon), and more specifically Gresham, where I live, crossing the street is an adventure - I fully expect some psycho to attempt to run me over should I have the temerity to use a cross-walk.  In Wenatchee, even crossing in the middle of the block worked just the way it should.


    Win7 wireless performance

    In my zeal to like Windows 7, I have now upgraded my work laptop to Windows 7.

    Lenovo T500, Win7x64Ent.

    Looks like everything is working just fine.

    And wireless appears to be twice as fast…

    Strange, it only says 65Mbps until I start a file transfer - at which point I magically have twice the bandwidth.  Nifty.  I will conduct some ad hoc OCS tests next week to see how that is affected.


    But notice that Win7 still does not have it “right.”  Here is the exact same file transfer running, but now I have the Ethernet plugged in.  And it reports only 100Mbps, slower connection, but take a look at the bandwidth utilization…. 100% v 40ish on the wireless…


    C’mon!  Microsoft!  Fix this!


    DL Management from Outlook

    Exchange admins typically add/remove members from distribution lists.  However, as the organization grows in numbers and complexity, this situation needs addressing.

    You would think that simply adding the appropriate user to the DL manager as shown would work, but that is not the case.


    You will also need to do a little add-adpermission tweaking like this (the line may wrap):

    Add-ADPermission -Identity "DL Group1" -User "domain\joe.tester" -AccessRights ReadProperty, WriteProperty -Properties 'member'

    You can add a group to this also:

    Add-ADPermission -Identity "DL Group1" -User "display name of permissions group" -AccessRights ReadProperty, WriteProperty -Properties 'member'

    After this, the user should be able to open the DL from the Outlook address book and modify the member list.  If you have a multiple domain scenario and this does not work, you have a global catalog issue.

    My thanks to http://knicksmith.blogspot.com/2007/04/delegating-distribution-group.html for pointing me in the right direction to remember what I had forgotten.  Thanks Nick!

    ws08 and srvany


    Hello Captain Obvious…

    I run a small domain in my home office - I use it for all manner of things.  I don’t want to pay the provider (Verizon in my case) a fee just to have fixed IP addressing.  Enter dynamic DNS.  Works great, less filling.

    But, being a cheap bastid, how to get it to work on Server 2008?  After casting about a bit, I decided to try the basics (always a good choice).


    instsrv.exe and srvany.exe work just fine under Server 2008.


    HC Madness

    I object!

    Just some food for thought.  The following article from the WSJ oversimplifies the underlying economic and social issues, but the bottom line statements are both stated and implied.  The Federal budget is too big, there is no way to pay for it with today's revenue streams, and the incumbents want this budget to get bigger and to raise taxes across the board to pay for it.  There is no source to create such revenue for the Government without turning to the center-mass of population numbers.  There are not enough "rich" earners out there to play Robin Hood; the poor are numerous, but they already pay almost zero in income taxes - and their sales tax revenue is not enough either (hence the hints at the VAT).  With no place to turn but the $50-300k earners (the 200-225 million US taxpayers in the middle) you can expect the politicians to go after the meat and potatoes next. 

    We should expect a smaller budget that fits within revenue; however, we know that will never happen.  Prime examples of the constant Federal bloat are the DoE and the TSA.  Other prime examples are the pork riders on every bill that passes either house.  Prime examples of Federal (and state) government's inability to plan, execute, and sustain plans of this scope are Social Security, Medicare (Medicaid), the IRS, and government itself.  Always growing larger, always demanding more money, always producing less return per dollar and constantly controlling more of your life.  And always in the name/guise/sham of being good to you.



    Teeing Up the Middle Class

    Joe the Plumber’s tax vindication is nigh.

    Few of President Obama’s 2008 campaign pledges were more definitive than his vow that anyone making less than $250,000 a year “will not see their taxes increase by a single dime” if he was elected. And he was right, very strictly speaking: It’s going to be many, many, many billions of dimes.

    Asked about raising taxes on the middle class on Sunday on CBS’s “Face the Nation,” White House economist Larry Summers wouldn’t repeat Mr. Obama’s pre-election promise. “It is never a good idea to absolutely rule things out no matter what,” Mr. Summers said—except, apparently, when his boss is running for office. Meanwhile, on ABC’s “This Week,” Treasury Secretary Timothy Geithner also slid around Mr. Obama’s vow and said, “We have to bring these deficits down very dramatically. And that’s going to require some very hard choices.”

    These aren’t even nondenial denials. The Obama advisers are laying the groundwork for taxing the middle class while claiming the deficit made them do it.

    The liberal establishment is even further along in finally admitting that Mr. Obama wasn’t, er, telling the truth. A piece in the New York Times over the weekend declared in a headline that “the Rich Can’t Pay for Everything, Analysts Say.” And it quoted Leonard Burman, a veteran of the Clinton Treasury who now runs the Brookings Tax Policy Center, as saying that “This idea that everything new that government provides ought to be paid for by the top 5%, that’s a basically unstable way of governing.” They’re right, but where were they during the campaign?

    In an editorial on February 26, “The 2% Illusion,” we wrote that the feds could take 100% of the taxable income of everyone in America earning more than $500,000 and still have raised only $1.3 trillion even in the boom year of 2006. The rich are fewer and less rich now, while the Obama budget is nearly $4 trillion.

    Democrats already plan to repeal the Bush tax cuts, but that won’t raise enough money. So they’re proposing an income tax surcharge on “the wealthy,” but that won’t raise enough either. Democrats have no choice but to soak the middle class because only they have enough money to finance the liberal dream of yoking the middle class to cradle-to-grave government entitlements.

    Democrats have already taxed the middle class by raising cigarette taxes to pay for the children’s health-care expansion. They’re also teeing up average earners with their cap-and-tax energy bill. Mr. Obama had hoped that cap-and-tax would raise some $646 billion over a decade, but Democrats in the House had to give most of that away in bribes to business to pass their bill. To finance ObamaCare, they’re also proposing another 10-percentage-point increase in the payroll tax on firms and individuals that don’t purchase health insurance. But this won’t raise enough money either.

    So waiting in the wings is the biggest middle-class tax increase of them all: a European-style value added tax, or VAT. This tax would apply to every level of production or service, and it is beloved by politicians in Europe because it raises so much money so easily without voters noticing. Ezekiel Emanuel, a White House aide and brother of Chief of Staff Rahm Emanuel, has advocated a 10% VAT to finance national health care. Look for a VAT to be one of the prominent options when Mr. Obama’s tax reform commission issues its report later this year.

    The undeniable reality is that you can’t run a European-style welfare-entitlement state without European-style levels of taxation on the middle class (and eventually without low European-style growth and high jobless rates). It’s looking more and more like Mr. Obama’s no-middle-class-tax pledge was one of the greatest confidence tricks in American political history.


    exchange 2010 and ws08

    I just noticed that removing PowerShell from Server 2008, and installing the PowerShell v2 CTP3 version results in the Server Manager not knowing that PowerShell V2 got installed.


    Control Panel knows about it.


    I wish we could have ONE place to look, ONE place to manage this stuff.  I thought we were really onto something with the ServerManager route, but then MSFT does this.

    And oh, BTW, the PS CTP3 will not remove the existing PS.  Arrgh.


    The Black Swan

    Started reading “The Black Swan” by Nassim Nicholas Taleb (whoever he is).  This item hit my reading list because of a recommendation regarding (believe it or not) BCDR (Business Continuity/Disaster Recovery) discussions in a recent training event.

    The “hired gun” was pontificating (and doing very well, I might add) at some BCDR point, when, out came a reference to this book.

    I try hard to learn from everything I do; I also admit that I have severe shortcomings in this area - but I work on it.  So when this pontificator spouted this BCDR drivel, I wrote down the name of the book, and we moved on.  However, by the end of the session, I had added the book to my shopping cart on Amazon.

    Two reasons.  Numero Uno, Andrew Ehrensing (the hired gun) impressed the hell out of me - if he thought this book was worth reading, maybe there was something to it.  Number 2, the gun’s soliloquy made a tremendous amount of sense - I intend to make reference to it the next time I am in front of a customer. Ergo, I needed to at least skim the material so I could nominally refer to it.

    Wow.  I just finished the prologue.  If the rest of this book is as good as the opening, then this is a real gem.

    Thank you Andrew!


    Install Exchange 2007 SP1 prerequisites on Server 2008


    Note: No Server 2008 Core - must be full version

    • This does NOT cover setting up for clustering.
    • This does not cover NLB

    I don't think you can have an Exchange Server without having PowerShell or the management tools; therefore, you will see that each section has PowerShell and management tool support. By having the management tools on each server, you will be able to manage the Exchange Organization from any role server. Exchange 2007 server should have things like dsa.msc, so you will also see the RSAT-ADDC install listed. I also think that not enabling the Outlook Anywhere (RPC/HTTP) is a crime, as is not using SSL on that component, so you will see that listed for the CAS role also (although not the SSL part).

    At the very bottom, you will see a "single server" section that will install ws08 support for a server that will be CAS, HT, MBX, and UM.  The first few sections for Powershell, IIS, and RPC proxy are just for reference.

    Feel free to cut and paste to fit your needs.

    #PowerShell install

    ServerManagerCmd -i PowerShell


    #IIS

    ServerManagerCmd -i Web-Server
    ServerManagerCmd -i Web-ISAPI-Ext
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console
    ServerManagerCmd -i Web-Basic-Auth
    ServerManagerCmd -i Web-Digest-Auth
    ServerManagerCmd -i Web-Windows-Auth
    ServerManagerCmd -i Web-Dyn-Compression

    #RPC Proxy

    ServerManagerCmd -i RPC-over-HTTP-proxy

    # Mgmt Tools support

    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console


    ServerManagerCmd -i PowerShell

    ServerManagerCmd -i RSAT-ADDC
    ServerManagerCmd -i Web-Server
    ServerManagerCmd -i Web-ISAPI-Ext
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console
    ServerManagerCmd -i Web-Basic-Auth
    ServerManagerCmd -i Web-Windows-Auth

    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console

    ServerManagerCmd -i PowerShell

    ServerManagerCmd -i RSAT-ADDC

    ServerManagerCmd -i Web-Server
    ServerManagerCmd -i Web-ISAPI-Ext
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console
    ServerManagerCmd -i Web-Basic-Auth
    ServerManagerCmd -i Web-Digest-Auth
    ServerManagerCmd -i Web-Windows-Auth
    ServerManagerCmd -i Web-Dyn-Compression

    ServerManagerCmd -i RPC-over-HTTP-proxy

    ServerManagerCmd -i PowerShell

    ServerManagerCmd -i RSAT-ADDC

    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console

    ServerManagerCmd -i PowerShell
    ServerManagerCmd -i Desktop-Experience

    ServerManagerCmd -i RSAT-ADDC

    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console

    ServerManagerCmd -i PowerShell
    ServerManagerCmd -i ADLDS

    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console

    #Single Server (CAS, HT, MBX, UM)

    ServerManagerCmd -i PowerShell

    ServerManagerCmd -i RSAT-ADDC
    ServerManagerCmd -i Web-Server
    ServerManagerCmd -i Web-ISAPI-Ext
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console
    ServerManagerCmd -i Web-Basic-Auth
    ServerManagerCmd -i Web-Digest-Auth
    ServerManagerCmd -i Web-Windows-Auth
    ServerManagerCmd -i Web-Dyn-Compression
    ServerManagerCmd -i RPC-over-HTTP-proxy
    ServerManagerCmd -i Desktop-Experience


    windows update on ws08

    Just ran into a really stupid issue.

    Silly me, I decided to fully update a ws08 server before installing Exchange 2007 SP1 onto that host.

    BITS was on, Update was set to notify but don’t download.

    WS08 is actually a VM on hyper-v.  Internet access was good.

    I could update update itself, and update got me the list of recommended updates and whatnot, complete with device drivers and everything, but it would not download anything.  

    The oh-so-helpful result of running Windows Update was:  “windows update encountered an unknown error 80200010”

    None of the fixes worked, but I did find a little blurb that indicated that the error code meant that there was no valid network.  Bullshit says I.  Alas, nothing fixed it.  Only 67 returns in Google for that error phrase.  I tried them all, but number 67 was the hint about “no network.”  After verifying the network was indeed there, I cycled the NIC.

    Walla!  Success.  You must be kidding me.  When the VM first started, I had fat-fingered the default gateway, and I am betting that the BITS never picked up on me fixing that…but cycling the NIC caused it to reread.


    TSA Parasites

    I am on my way to Oakland this morning.  Whilst standing in yet another line at the airport, I observed our government at work.

    No less than 16 TSA employees, 14 of them doing nothing.  To be fair, and politically correct, the Rastafarian-looking dude was working at loading and humping bags back and forth.  One other guy was pawing through (random?) bags.  Sneezed on a couple of them.  In the 15 minutes or so that I observed these high-achieving union employees, I never saw more than 2 of them working at any time.

    I assume that the color of the shirts denotes some sort of hierarchy – the folks in the blue shirts were serious nose-pickers.

    The scary part of all this is that this will NEVER go away.  We are stuck with these people and the entire tax burden until such time as the government collapses – with ever higher wages, ever higher retirement and benefits, and ever less actual security.  These people were working where when this glorious dole-based opportunity came along?

    Let us not discuss the baggage screening area where the even less motivated were checking ID and boarding passes.  I got through the screening so quickly, I wonder if anyone with more than two or three brain cells actually screened anything.  What exactly do we think, as tax payers, is being accomplished with all of this activity? Does this really make people feel safer; and because we “feel” it, we are?

    Moo.  Or maybe baah.


    The Forgotten Man

    I was introduced to this essay yesterday.  Written by William Graham Sumner d. 1910.  So appropriate then, and even more so today.  Classic.  I cannot believe I had never seen this before.

    "The Forgotten Man"
    By William Graham Sumner.1

    The type and formula of most schemes of philanthropy or humanitarianism is this: A and B put their heads together to decide what C shall be made to do for D. The radical vice of all these schemes, from a sociological point of view, is that C is not allowed a voice in the matter, and his position, character, and interests, as well as the ultimate effects on society through C's interests, are entirely overlooked. I call C the Forgotten Man. For once let us look him up and consider his case, for the characteristic of all social doctors is, that they fix their minds on some man or group of men whose case appeals to the sympathies and the imagination, and they plan remedies addressed to the particular trouble; they do not understand that all the parts of society hold together, and that forces which are set in action act and react throughout the whole organism, until an equilibrium is produced by a re-adjustment of all interests and rights. They therefore ignore entirely the source from which they must draw all the energy which they employ in their remedies, and they ignore all the effects on other members of society than the ones they have in view. They are always under the dominion of the superstition of government, and, forgetting that a government produces nothing at all, they leave out of sight the first fact to be remembered in all social discussion - that the State cannot get a cent for any man without taking it from some other man, and this latter must be a man who has produced and saved it. This latter is the Forgotten Man.
    The friends of humanity start out with certain benevolent feelings toward "the poor," "the weak," "the laborers," and others of whom they make pets. They generalize these classes, and render them impersonal, and so constitute the classes into social pets. They turn to other classes and appeal to sympathy and generosity, and to all the other noble sentiments of the human heart. Action in the line proposed consists in a transfer of capital from the better off to the worse off. Capital, however, as we have seen, is the force by which civilization is maintained and carried on. The same piece of capital cannot be used in two ways. Every bit of capital, therefore, which is given to a shiftless and inefficient member of society, who makes no return for it, is diverted from a reproductive use; but if it was put into reproductive use, it would have to be granted in wages to an efficient and productive laborer. Hence the real sufferer by that kind of benevolence which consists in an expenditure of capital to protect the good-for-nothing is the industrious laborer. The latter, however, is never thought of in this connection. It is assumed that he is provided for and out of the account. Such a notion only shows how little true notions of political economy have as yet become popularized. There is an almost invincible prejudice that a man who gives a dollar to a beggar is generous and kind-hearted, but that a man who refuses the beggar and puts the dollar in a savings bank is stingy and mean. The former is putting capital where it is very sure to be wasted, and where it will be a kind of seed for a long succession of future dollars, which must be wasted to ward off a greater strain on the sympathies than would have been occasioned by a refusal in the first place. Inasmuch as the dollar might have been turned into capital and given to a laborer who, while earning it, would have reproduced it, it must be regarded as taken from the latter. 
When a millionaire gives a dollar to a beggar the gain of utility to the beggar is enormous, and the loss of utility to the millionaire is insignificant. Generally the discussion is allowed to rest there. But if the millionaire makes capital of the dollar, it must go upon the labor market, as a demand for productive services. Hence there is another party in interest - the person who supplies productive services. There always are two parties. The second one is always the Forgotten Man, and any one who wants to truly understand the matter in question must go and search for the Forgotten Man. He will be found to be worthy, industrious, independent, and self-supporting. He is not, technically, "poor" or "weak"; he minds his own business, and makes no complaint. Consequently the philanthropists never think of him, and trample on him.
    We hear a great deal of schemes for "improving the condition of the working-man." In the United States the farther down we go in the grade of labor, the greater is the advantage which the laborer has over the higher classes. A hod-carrier or digger here can, by one day's labor, command many times more days' labor of a carpenter, surveyor, book-keeper, or doctor than an unskilled laborer in Europe could command by one day's labor. The same is true, in a less degree, of the carpenter, as compared with the book-keeper, surveyor, and doctor. This is why the United States is the great country for the unskilled laborer. The economic conditions all favor that class. There is a great continent to be subdued, and there is a fertile soil available to labor, with scarcely any need of capital. Hence the people who have the strong arms have what is most needed, and, if it were not for social consideration, higher education would not pay. Such being the case, the working-man needs no improvement in his condition except to be freed from the parasites who are living on him. All schemes for patronizing "the working classes" savor of condescension. They are impertinent and out of place in this free democracy. There is not, in fact, any such state of things or any such relation as would make projects of this kind appropriate. Such projects demoralize both parties, flattering the vanity of one and undermining the self-respect of the other.
    For our present purpose it is most important to notice that if we lift any man up we must have a fulcrum, or point of reaction. In society that means that to lift one man up we push another down. The schemes for improving the condition of the working classes interfere in the competition of workmen with each other. The beneficiaries are selected by favoritism, and are apt to be those who have recommended themselves to the friends of humanity by language or conduct which does not betoken independence and energy. Those who suffer a corresponding depression by the interference are the independent and self-reliant, who once more are forgotten or passed over; and the friends of humanity once more appear, in their zeal to help somebody, to be trampling on those who are trying to help themselves.
    Trades-unions adopt various devices for raising wages, and those who give their time to philanthropy are interested in these devices, and wish them success. They fix their minds entirely on the workmen for the time being in the trade, and do not take note of any other workmen as interested in the matter. It is supposed that the fight is between the workmen and their employers, and it is believed that one can give sympathy in that contest to the workmen without feeling responsibility for anything farther. It is soon seen, however, that the employer adds the trades-union and strike risk to the other risks of his business, and settles down to it philosophically. If, now, we go farther, we see that he takes it philosophically because he has passed the loss along on the public. It then appears that the public wealth has been diminished, and that the danger of a trade war, like the danger of a revolution, is a constant reduction of the well-being of all. So far, however, we have seen only things which could lower wages - nothing which could raise them. The employer is worried, but that does not raise wages. The public loses, but the loss goes to cover extra risk, and that does not raise wages.
    A trades-union raises wages (aside from the legitimate and economic means noticed in Chapter VI) by restricting the number of apprentices who may be taken into the trade. This device acts directly on the supply of laborers, and that produces effects on wages. If, however, the number of apprentices is limited, some are kept out who want to get in. Those who are in have, therefore, made a monopoly, and constituted themselves a privileged class on a basis exactly analogous to that of the old privileged aristocracies. But whatever is gained by this arrangement for those who are in is won at a greater loss to those who are kept out. Hence it is not upon the masters nor upon the public that trades-unions exert the pressure by which they raise wages; it is upon other persons of the labor class who want to get into the trades, but, not being able to do so, are pushed down into the unskilled labor class. These persons, however, are passed by entirely without notice in all the discussions about trades-unions. They are the Forgotten Men. But, since they want to get into the trade and win their living in it, it is fair to suppose that they are fit for it, would succeed at it, would do well for themselves and society in it; that is to say, that, of all persons interested or concerned, they most deserve our sympathy and attention.
    The cases already mentioned involve no legislation. Society, however, maintains police, sheriffs, and various institutions, the object of which is to protect people against themselves - that is, against their own vices. Almost all legislative effort to prevent vice is really protective of vice, because all such legislation saves the vicious man from the penalty of his vice. Nature's remedies against vice are terrible. She removes the victims without pity. A drunkard in the gutter is just where he ought to be, according to the fitness and tendency of things. Nature has set up on him the process of decline and dissolution by which she removes things which have survived their usefulness. Gambling and other less mentionable vices carry their own penalties with them.
    Now, we never can annihilate a penalty. We can only divert it from the head of the man who has incurred it to the heads of others who have not incurred it. A vast amount of "social reform" consists in just this operation. The consequence is that those who have gone astray, being relieved from Nature's fierce discipline, go on to worse, and that there is a constantly heavier burden for the others to bear. Who are the others? When we see a drunkard in the gutter we pity him. If a policeman picks him up, we say that society has interfered to save him from perishing. "Society" is a fine word, and it saves us the trouble of thinking. The industrious and sober workman, who is mulcted of a percentage of his day's wages to pay the policeman, is the one who bears the penalty. But he is the Forgotten Man. He passes by and is never noticed, because he has behaved himself, fulfilled his contracts, and asked for nothing.
    The fallacy of all prohibitory, sumptuary, and moral legislation is the same. A and B determine to be teetotalers, which is often a wise determination, and sometimes a necessary one. If A and B are moved by considerations which seem to them good, that is enough. But A and B put their heads together to get a law passed which shall force C to be a teetotaler for the sake of D, who is in danger of drinking too much. There is no pressure on A and B. They are having their own way, and they like it. There is rarely any pressure on D. He does not like it, and evades it. The pressure all comes on C. The question then arises, Who is C? He is the man who wants alcoholic liquors for any honest purpose whatsoever, who would use his liberty without abusing it, who would occasion no public question, and trouble nobody at all. He is the Forgotten Man again, and as soon as he is drawn from his obscurity we see that he is just what each one of us ought to be.


    1 William Graham Sumner (1840-1910) was a Professor of Political Economy and of Sociology at Yale. In the book in which I found this essay (Macmillan, 1916), the editors -- English Professors Berdan, Schultz and Joyce of Yale -- wrote a short introductory paragraph, as follows: "This brilliant essay by Professor Sumner illustrates the effective use of the deductive structure. In two paragraphs defining who is the Forgotten Man, the general principle is stated so fully that the reader unconsciously accepts it. But once the reader has accepted this principle, it is applied to the consideration of trades unions and temperance legislation, with startling results. The essay, then, consists in the statement of a general principle, followed by two illustrations. Just as the form resolves itself into a simple arrangement, so the style is simple. There is no attempt at rhetorical exaggeration, no appeal to the emotions. It does read, and it is intended to read, as an ordinary exercise of the logical faculty. This mathematical effect is gained by the device of using the A and B that are associated in the mind with school problems. And the brilliance of the essay lies in the apparent inevitability with which the author reaches conclusions widely differing from conventional views. Since the importance of the essay lies exactly in these applications, actually the structure approaches the deductive type.


    Migration from LCS to OCS R2

    In my new project, I am involved in figuring out the migration of LCS 2005 to OCS 2007 R2.

    Should you be in the same boat, you may appreciate the following list of prerequisites you will need on some/all of your LCS servers. And I suggest you read the supporting information on these updates and hotfixes.  There are some stumbling points.

    Ensure that Live Communications Server 2005 servers are patched with the following updates:

    Live Communications Server Service Pack 1: This upgrade to the base LCS 2005 is available at http://www.microsoft.com/downloads/details.aspx?FamilyID=3508860C-2616-4B5A-BA00-353BE599A7B1&displaylang=en

    Update for Live Communications Server 2005; February 10, 2006, available at http://support.microsoft.com/kb/911996

    Live Communications Server 2005 post-Service Pack1 hotfix package: July 21, 2006, available at http://support.microsoft.com/kb/921543

    Update for Live Communications Server 2005 Service Pack 1: September 2008 available at http://support.microsoft.com/kb/950614

    Update your Communicator 2005 clients with the Communicator 2005 hotfix package: December 19, 2008 available at http://support.microsoft.com/kb/949280



    Office Communicator 2007 R2 Install


    What you need:

    1. You do have Outlook installed, yes?
    2. Communicator.msi – get this from your network administrator.  This is licensed software.  Referred to in some circles as “MOC”
    3. .Net 3.5 SP1 with an update.  The update to .Net 3.5 SP1 is operating system specific.  Get the update here (MS KB959209).  Get .Net 3.5 SP1 here.
    4. MS KB936864 (Office 2007) or Office 2007 SP1.  Here is the link to the hotfix, you are on your own for the Office 2007 SP1.
    5. ConfAddins_Setup Get it here.  This allows Outlook to function with live meeting scheduling.
    6. LMSetup Get it here.  Live Meeting client.  What will you do without it?
    7. MS XML 6 SP1. This install is operating system specific. Get it here. 

    Ok, let us get started.

    1. Sign out of, and exit both Office Communicator 2007 (or LCS 2005), and Outlook.  The MOC installer wants them closed. YMMV.
    2. Install the .Net 3.5 SP1, followed by the update from MS KB959209.
    3. Install the MS XML 6 SP1.
    4. Ensure that you are either on Office 2007 SP1 or have the hotfix as mentioned above (MS KB936864).
    5. Execute the Communicator.msi.  This will uninstall what is already there and install itself whilst retaining all settings.
    6. Execute ConfAddins_setup.exe. This will uninstall what is already there and install itself whilst retaining all settings.
    7. Execute LMSETUP.exe.  This will uninstall what is already there and install itself whilst retaining all settings.


    invalid static URL in R2 MOC/Svr/Pool


    Just ran across a strange problem.

    One user could not be contacted by other users even though their presence was good.

    This user could initiate conversations, and then things worked normally.

    Logging revealed the following:

    TL_INFO(TF_PROTOCOL) [2]0AAC.0F60::02/10/2009-00:06:40.517.0000cb04 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record
    Instance-Id: 00013F2B
    Direction: outgoing;source="local"
    Message-Type: response
    Start-Line: SIP/2.0 500 The server encountered an unexpected internal error
    From: "user"<sip:user@domain.org>;tag=3703bcb871;epid=de577344ca
    To: <sip:user2@domain.org>;tag=A1D2F034A80C8DC2C22BC2B0BB538B47
    CSeq: 1 INVITE
    Call-ID: 4f0e2c32a0ac42b8a3ebfa96c1704671
    Proxy-Authentication-Info: Kerberos rspauth="602306092A864886F71201020201011100FFFFFFFF5A639D1C74445CDE716249160B5E67D5", srand="99E853C4", snum="27", opaque="753DF002", qop="auth", targetname="sip/OCS1.domain.org", realm="SIP Communications Service"
    Via: SIP/2.0/TLS;ms-received-port=56634;ms-received-cid=1F9900
    ms-diagnostics: 1;reason="Service Unavailable";source="OCS1.domain.org";AppUri="http://www.microsoft.com/LCS/ApiModule";reason="The application specified an invalid static forwarding url"
    Content-Length: 0
    Message-Body: –

    Resolution:  removed a bogus entry in AD user object.

    Telephones | IP Phones | Other

    There was a text entry there rather than numeric.

    Question: What are the mechanics of the UR stuffing this bogus value into somewhere that caused this failure?  I doubt I will ever know.
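Added example, not part of the original post and not Microsoft tooling: a small parser for the trace record shown above that pulls the `ms-diagnostics` reasons out of a failed response, so the same failure can be spotted across a larger trace. The function names are hypothetical, and the sample record is the one from the post, shortened.

```python
import re

# Trace record from the post above, shortened; the ms-diagnostics value is
# left wrapped across two lines exactly as the capture shows it.
SAMPLE_RECORD = '''\
TL_INFO(TF_PROTOCOL) [2]0AAC.0F60::02/10/2009-00:06:40.517.0000cb04 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record
Start-Line: SIP/2.0 500 The server encountered an unexpected internal error
From: "user"<sip:user@domain.org>;tag=3703bcb871;epid=de577344ca
To: <sip:user2@domain.org>;tag=A1D2F034A80C8DC2C22BC2B0BB538B47
ms-diagnostics: 1;reason="Service Unavailable";source="OCS1.domain.org";AppUri="
http://www.microsoft.com/LCS/ApiModule";reason="The application specified an invalid static forwarding url"
Content-Length: 0
'''

HEADER_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*):\s?(.*)$')
PARAM_RE = re.compile(r';\s*([A-Za-z][\w-]*)="([^"]*)"')
SIP_URI_RE = re.compile(r'<(sip:[^>]+)>')


def parse_record(text):
    """Return the record's headers as an ordered list of [name, value]."""
    headers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or '$$begin_record' in line or '$$end_record' in line:
            continue
        # An odd number of double quotes means the value was wrapped inside a
        # quoted string (AppUri=" above). The next line continues it, even
        # though "http:" would otherwise parse as a header name.
        if headers and headers[-1][1].count('"') % 2 == 1:
            headers[-1][1] += line
            continue
        match = HEADER_RE.match(line)
        if match:
            headers.append([match.group(1), match.group(2)])
    return headers


def parse_diagnostics(value):
    """Split an ms-diagnostics value into (error id, [(name, value), ...])."""
    # The parameters stay a list because "reason" occurs twice in this
    # record; a dict would silently drop one of them.
    return value.split(';', 1)[0].strip(), PARAM_RE.findall(value)


def summarize_record(text):
    """Pull out the fields needed to triage a failed INVITE."""
    first = {}
    for name, value in parse_record(text):
        first.setdefault(name.lower(), value)
    diag_id, params = parse_diagnostics(first.get('ms-diagnostics', ''))
    reasons = [v for k, v in params if k.lower() == 'reason']
    start = first.get('start-line', '').split(' ', 2)

    def uri(header):
        found = SIP_URI_RE.search(first.get(header, ''))
        return found.group(1) if found else None

    return {
        'status': int(start[1]) if len(start) > 1 and start[1].isdigit() else None,
        'from': uri('from'),
        'to': uri('to'),
        'diag_id': diag_id,
        'diag_source': next((v for k, v in params if k.lower() == 'source'), None),
        'reasons': reasons,
        'bad_forwarding_url': any(
            'invalid static forwarding url' in r.lower() for r in reasons),
    }


if __name__ == '__main__':
    for key, value in summarize_record(SAMPLE_RECORD).items():
        print(f'{key}: {value}')
```

The second `reason` is the one that names the actual fault; the first only repeats the generic "Service Unavailable".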


    lcs 2005 revisited - ew

    For the morbidly curious, in support of the LCS 2005 Migration Document project, I have been building (yet another) lab.

    As of now, I have a fully functional (no PSTN :( ) LCS 2005 SP1 pool, Access Proxy, sited behind an ISA 2006.  And it connected first time through from my home network via the AP.

    All this goodness running under Hyper-V.

    Servers are ws03 r2 sp2.

    Client is currently OC2005 on XP and OC2005 on win7beta.

    A few notes:

    WS03 r2 SP2 breaks ISA 2006 (I had forgotten).  This requires two separate reg hacks (disable RSS and Task offload)

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters [DWORD EnableRSS = 0] [DWORD DisableTaskOffload = 1]

    DNS stinks for LCS.

    Certs came from a standalone CA on the DC.  An enterprise CA would not give me private keys on the certs unless I moved the DC to Server Enterprise which I was unwilling to do.

    It is amazing what we have to re-learn at times, eh wot?


    CA woes

    My new project is kicking off, and my first task is to build my lab.

    As the new project involves LCS 2005, I need to be able to issue PKI, so I installed my CA  - but I did it as an Enterprise CA on a ws03 Std server.

    Because LCS 2005 is such a bear on certs, my first round of testing on the CA involved getting some test certs with SAN entries that included exportable private keys.  Just to make sure I can do it and have it be right the first time through.

    This forced me to relearn certutil.exe and certreq.exe.

    I also relearned certreq.inf files....very handy - I cannot believe I ever stopped using that method.  Well, I know why: OCS 2007 has a cert wizard that works really well.

    At any rate it seems that there is no way to get an Enterprise CA running on ws03/08 standard edition server to give you private keys.  The issue is converting/duplicating the existing webserver template which makes the new template a v2 template - and to use that new template requires enterprise server edition.  arrrgh.

    No amount of tweaking the inf file allowed me to get a private key with the cert - the private key simply is not included with the issued certificate.

    My search for a solution will continue, as I need this to work.  My short term solution was to fall back to a Standalone CA, which allows the private keys very easily.  arrgh.  I wanted an Enterprise CA.
