System Engineer - IT Administration

Setup Self SSL with tomcat...

2010-11-16T23:46:00.001+05:30

Type the following command in UNIX

keytool -genkey -alias mycert -keyalg RSA -keystore /etc/tomcat6/keystore

and answered the prompts

Then edit my server.xml file and uncommented/edited this line

maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/etc/tomcat6/keystore"
keystorePass="mypassword" />

https://localhost:8443

Install Tomcat 6 on CentOS 5

2010-08-27T11:16:00.003+05:30

Tomcat 6 on CentOS 5

It is easy to install tomcat6 on CentOs without wasting the time.

Step 1 cd /etc/yum.repos.d
Step 2 wget 'http://www.jpackage.org/jpackage50.repo'
Step 3 yum update
Step 4 yum install tomcat6 tomcat6-webapps tomcat6-admin-webapps
Step 5 service tomcat6 start

Path to deploy the application /var/lib/tomcat6/webapps/

conf path: - /usr/share/tomcat6/webapps

SSH password less authentication

2010-08-02T22:16:00.003+05:30

SSH use to login from one PC to another without supplying the passwords.

# ssh-keygen -t rsa (Press Enter)

Generating public/private rsa key pair.
Enter file in which to save the key (/home/skx/.ssh/id_rsa): (Enter)
Enter passphrase (empty for no passphrase): (empty)
Enter same passphrase again: (empty)
Your identification has been saved in /home/skx/.ssh/id_rsa.
Your public key has been saved in /home/skx/.ssh/id_rsa.pub.

# ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_host - IP Address

Windows Server processes

2010-06-17T23:40:00.000+05:30

1) smss.exe
Description
smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager Subsystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
smss.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
smss.exe general information
Author: Microsoft Corp.
Part of: Microsoft Windows Operating System
Common Path(s): %system%\smss.exe

2) csrss.exe
Description
The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system. As such Csrss.exe provides the critical functions of the operating system, and its termination can result in the Blue Screen of Death being displayed.

Csrss.exe controls threading and Win32 console window features. Threading is where the application splits itself into multiple simultaneous running tasks. Threads supported by csrss.exe are different from processes in that threads are commonly contained within the process, with various threads sharing resources within the same process. The Win32 console is the plain text window in the Windows API system (programs can use the console without the need for image display).

In mobile devices such as notebooks and laptops, the process csrss.exe is closely dependent on power management schemes implemented by the system as defined under the Control Panel option.

Recommendation
csrss.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
csrss.exe general information
Author: Microsoft Corp
Part of: Microsoft Windows Operating System
Common Path(s): %system%\csrss.exe
3) winlogon.exe
Description
Description
winlogon.exe is a process belonging to the Windows login manager. It handles the login and logout procedures on your system. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
winlogon.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
winlogon.exe general information
Author: Microsoft Corp.
Part of: Microsoft Windows Operating System
Common Path(s): %system%\winlogon.exe
services.exe
Description
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computers boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated
Recommendation
services.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
services.exe general information
Author:
Microsoft Corp.

Part of:
Microsoft Windows Operating System

Common Path(s):
%system%\services.exe
lsass.exe
Description
The process lsass.exe serves as the Local Security Authentication Server by Microsoft, Inc. It is responsible for the enforcement of the security policy within the operating system. This process checks whether a user’s supplied identification is valid or not whenever he or she tries to access the computer system.

With the execution of the file lsass.exe, the system acquires security by preventing the access of unwanted users to any private information. The file lsass.exe also handles the password modifications done by the user.

The process lsass.exe mainly operates in the system through its ability to create access tokens. These tokens encapsulate the file’s security descriptor, which contains the necessary information to process user authentication such as data on which user holds access to the system and whether the access is mandatory or discretionary.
Recommendation
lsass.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
lsass.exe general information

Author:
Microsoft Corp.

Part of:
Microsoft Windows Operating System

Common Path(s):
%system%\LSASS.exe
%system%\system32\lsass.exe
svchost.exe
Description
The file svchost.exe is the Generic Host Process for Win32 Services used for administering 16-bit-based dynamically linked library files (DLL files) including other supplementary support applications.

As operating systems became more complex Microsoft decided to run more software functionality from a dynamic link library (DLL) interface. However DLLs are unable to launch themselves and require at least one executable program, i.e. svchost.exe, is needed to bridge between the library process and the operating system.

Through the solitary file svchost.exe, the DLLs efficiently contain and dispense Win32 services as well as neatly facilitate the execution of svchost.exe’s own operations. Acting as a host, the file svchost.exe creates multiple instances of itself. The multiple executions of the file svchost.exe contribute to the stability and security of the operating system by reducing the possibility of a crashing process that causes a domino effect on its neighbor processes, thereby creating a system-wide crash in the machine.
Recommendation
svchost.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Microsoft Windows Operating System

Common Path(s):
%system%\svchost.exe
ccsetmgr.exe
Description
ccsetmgr.exe is a process associated with the Symantec Internet Security suite and is essential to it's functioning. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Symantec Corporation

Part of:
Symantec Internet Security suite

Common Path(s):
%programfilescommon%\Symantec Shared\ccSetMgr.exe
spoolsv.exe
Description
The spoolsv.exe file is described as the Spooler SubSystem App or Windows Print Spooler Service and is the main component of the printing interfaces. The spoolsv.exe file is initialized when the computer starts, and it runs in the background until the computer is turned off.

The process spoolsv.exe transfers the data in a buffer. If the printer needs the data, it will retrieve it from the buffer. While the spoolsv.exe file is storing the data in the buffer, the user can carry out other operations. The spoolsv.exe process is also responsible for queuing printing tasks. Through this function, the user does not need to wait for each printing task to be completed one after the other.

When a printer is in use, the Print Spooler service or the spoolsv.exe file is launched, and the process can be seen running in Windows Task Manager. In case you are not using a printer, the spoolsv.exe process can be closed through the Task Manager.
Recommendation
spoolsv.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Microsoft Windows Operating System
Common Path(s):
%system%\spoolsv.exe
Msdtc.exe
Description
msdtc.exe is the Microsoft Distributed Transaction Coordinator. The process is loaded into the system by Microsoft Personal Web Server and Microsoft SQL Server. The service is used to manage transactions across multiple servers.
Recommendation
msdtc.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Microsoft Personal Web Server

Common Path(s):
N/A
bbattachserver.exe
Description
bbattachserver.exe is a Server belonging to BlackBerry® Attachment Server from Research In Motion Limited
Recommendation
This process is still being reviewed by our team. We shall be adding additional information, such as Security Rating, once the process is reviewed. If you have any information to contribute, you can send it to pl[at]Uniblue[dot]net.
Author:
Research In Motion Limited

Part of:
BlackBerry® Attachment Server

Common Path(s):
e:\program files\research in motion\blackberry enterprise server\attachserver
defwatch.exe
Description
defwatch.exe is a part of Norton Antivirus Corporate Edition, and is responsible for monitoring the virus definition files and initiating processes to bring them up to date if they aren't.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Symantec Corporation

Part of:
Norton Antivirus Corporarte Edition

Common Path(s):
N/A
dfssvc.exe
Description
dfssvc.exe is the Distributed File System service. Only found on Microsoft Windows Server suites, this process is crucial for the DFS service. Essential Microsoft server service.
Recommendation
dfssvc.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Microsoft Windows Server suite

Common Path(s):
N/A
dns.exe
Description
dns.exe is the main process which handles the Microsoft Windows DNS server, if enabled. This program is important for the stable and secure running of your server and should not be terminated.
Recommendation
dns.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Microsoft Windows Server Suites

Common Path(s):
N/A
nhancer.exe
Description
nhancer.exe is a nHancer.exe belonging to nHancer from KSE - Korndörfer Software Engineering
Recommendation
This process is still being reviewed by our team. We shall be adding additional information, such as Security Rating, once the process is reviewed. If you have any information to contribute, you can send it to pl[at]Uniblue[dot]net.
Author:
KSE - Korndörfer Software Engineering

Part of:
nHancer

Common Path(s):
%programfiles%\nhancer
inetinfo.exe
Description
inetinfo.exe is used primarily for debugging Microsoft Windows Server Internet Information Services. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
inetinfo.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Microsoft Windows Server Suites

Common Path(s):
%system%\inetinfo.exe
pds.exe
Description
pds.exe is associated with Intel LANDesk Management Suite software and discovers registered products on your computer. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Intel Corporation.

Part of:
Intel Ping Discovery Service

Common Path(s):
N/A

llssrv.exe

Description
llssrv.exe on Microsoft Windows Server suites is a license logging service and should not be stopped under any circumstances.
Recommendation
Monitors and records client access licensing for portions of the operating system (such as IIS, Terminal Server and File/Print) as well as products that aren't a part of the OS, like SQL and Exchange Server. If this service is stopped, licensing will be enforced, but will not be monitored.
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Microsoft Corp.

Part of:
Microsoft License Service

Common Path(s):
N/A
mr2kserv.exe
Description
mr2kserv.exe is a process belonging to the Dell OpenManage and provides Array management functionality. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Dell

Part of:
Dell OpenManage

Common Path(s):
N/A
nsctop.exe
Description
nsctop.exe is a process belonging to Symantec System Center. The application searches AV servers on the network.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Symantec Corporation

Part of:
Symantec System Center

Common Path(s):
N/A
ntfrs.exe
Description
ntfrs.exe is process belonging to Windows. It is used to maintain file synchronization of file directory contents among multiple servers. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
ntfrs.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Windows

Common Path(s):
N/A
qserver.exe
Description
qserver.exe is a process associated with the Norton Internet Security Suite and deals with the communication of quarantined files.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Symantec

Part of:
Norton Internet Security Suite

Common Path(s):
N/A

reportersvc.exe
Description
reportersvc.exe is a Symantec Reporting Service from Symantec Corporation belonging to Reporting
Description
reportersvc.exe is a Symantec Reporting Service from Symantec Corporation belonging to Reporting
Author:
Symantec Corporation

Part of:
Reporting

Common Path(s):
%programfilescommon%\symantec shared\reporting agents\win32
sbscrexe.exe
SBS Licensing Service
Description
sbscrexe.exe is a SBS Licensing Service from Microsoft Corporation belonging to Microsoft® Windows® Operating System
Author:
Microsoft Corporation

Part of:
Microsoft® Windows® Operating System

Common Path(s):
%system%
scanexplicit.exe
Description
scanexplicit.exe is a part of Norton Internet Security Suite and scans files submitted to the Quarantine section using a separate set of definitions. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
scanexplicit.exe general information
Author:
Symantec Corporation

Part of:
NAV Symantec Quarantine Scanner

Common Path(s):
N/A
owstimer.exe
owstimer.exe description
Description
owstimer.exe is a SharePoint Timer Service from Microsoft Corporation belonging to Microsoft SharePoint
Recommendation
owstimer.exe general information
Author:
Microsoft Corporation

Part of:
Microsoft SharePoint

Common Path(s):
%programfilescommon%\microsoft shared\web server extensions\50\bin
%programfilescommon%\microsoft shared\web server extensions\60\bin
sqlagent.exe
Microsoft SQL Server Agent
Description
sqlagent.exe is a process belonging to the Microsoft SQL Server Agent and is used for executing scheduled jobs.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Microsoft Corp.

Part of:
Microsoft SQL Server Agent

Common Path(s):
N/A
appmgr.exe
Description
appmgr.exe is a process belonging to the Windows Server operating system which provides remote server management functionality. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
appmgr.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft

Part of:
Microsoft Windows Server

Common Path(s):
%system%\serverappliance\appmgr.exe
conduit.exe
Description
conduit.exe is a conduit_client belonging to Symantec Brightmail AntiSpam[tm] from Symantec Corporation
conduit.exe general information
Author:
Symantec Corporation

Part of:
Symantec Brightmail AntiSpam[tm]

Common Path(s):
%programfiles%\symantec\sbas\scanner\bin
uphclean.exe
Description
uphclean.exe is a process belonging to Microsoft's User profile cleanup service. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Microsoft Corporation

Part of:
Microsoft Windows Operating System

Common Path(s):
%programfiles%\uphclean\uphclean.exe
tcpsvcs.exe
Description
tcpsvcs.exe is a part of Microsoft Windows networking components. This essential system process is initiated when the computer uses special TCP/IP networking services such as DHCP, Simple TCP and print services. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
tcpsvcs.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Microsoft Windows Operating System

Common Path(s):
%system%\tcpsvcs.exe
icepack.exe
Description
icepack.exe is a part of the Norton Antivirus Corporate edition suite and acts as a medium between server and client. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Symantec Corporation

Part of:
NAV CE Server/Client - Symantec Quarantine Agent

Common Path(s):
N/A
hndlrsvc.exe
Intel Alert Handler
Description
hndlrsvc.exe is a process associated with Intel Alert Handler which alerts you regarding e-mails, and other options. This is a non-essential process. Disabling or enabling it is down to user preference.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Intel Corporation

Part of:
Intel Alert Handler

Common Path(s):
N/A
iao.exe
Description
iao.exe is a process belonging to Symantec Internet security suite. This program is important for the stable and secure running of your computer and should not be terminated.
Click to run a free scan for iao.exe related errors.

Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
exmgmt.exe
exmgmt.exe description
Description
exmgmt.exe is a process belonging to the Microsoft Exchange Console which allows for configuration of this e-mail server product. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.
Recommendation
Not a critical component, but see the information above before disabling it. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings..
Author:
Microsoft

Part of:
Microsoft Exchange Server Suite

Common Path(s):
%programfiles%\Exchsrvr\bin\exmgmt.exe
mad.exe
mad.exe description
Description
mad.exe is a process which deals with certain important Microsoft Exchange functions such as the loading of DLL's and message logging. This program is important for the stable and secure running of your computer and should not be terminated.
Recommendation
mad.exe should not be disabled, required for essential applications to work properly.. It is highly recommended to Run a Free Performance Scan to automatically optimize memory, CPU and Internet Settings.
Author:
Microsoft Corp.

Part of:
Microsoft Exchance Server

Common Path(s):
N/A

mssearch.exe

mssearch.exe is a process relating to Microsoft Windows Server suite, which is responsible for the cataloguing of indexes for Exchange server and SQL server. This program is important for the stable and secure running of your computer and should not be terminated.
mssearch.exe general information

Author: Microsoft Corp.
Part of: Microsoft Windows Server suite
Common Path(s):
N/A
wmiprvse.exe
wmiprvse.exe description
The wmiprvse.exe file is otherwise known as Windows Management Instrumentation. It is a Microsoft Windows-based component that provides control and information about management in an enterprise environment.

Developers use the wmiprvse.exe file in order to develop applications used for monitoring purposes. These programs can notify users about important events related to network and file or application management right after each event occurs. With wmiprvse.exe, file managers in the enterprise environment are capable of configuring and searching for desktop system information or network and application information across the network.

The wmiprvse.exe file is placed with other services in the shared service host. This started to be applied with the release of MS Windows XP. Providers are also loaded separately in the wmiprvse.exe file since it considers the wmiprvse.exe executable as a host process.

Author: Microsoft
Part of: Microsoft Windows Operating System
Common Path(s):
%system%\wbem\wmiprvse.exe
itadminserver.exe

Description
itadminserver.exe is a ITAdminServer belonging to BlackBerry® Policy Service from Research In Motion Limited
Recommendation
Author: Research In Motion Limited
Part of: BlackBerry® Policy Services
Common Path(s): e:\program files\research in motion\blackberry enterprise server
IMBSERVICE.EXE
Description
imbservice.exe is a IMBSERVICE.EXE belonging to Microsoft® Windows® Small Business Server from Microsoft Corporation
Author:
Microsoft Corporation

Part of:
Microsoft® Windows® Small Business Server

Common Path(s):
%programfiles%\microsoft windows small business server\networking\pop3

Locator.exe
locator.exe is the remote procedure call locator service and is essential for the smooth running of Microsoft Windows. This process maintains a database of publicly declared procedures. This program is important for the stable and secure running of your computer and should not be terminated.
Author:
Microsoft Corp.

Part of:
Microsoft Windows Operating System
Common Path(s):
%system%\locator.exe

w3wp.exe
Description
w3wp.exe is a process associated with application pool in ISS. If you have more than one application pool, you will have more than one instance of w3wp.exe running. This process usually allocates large amounts of resources. This program is important for the stable and secure running of your computer and should not be terminated.
Author:
Microsoft

Part of:
Microsoft Web Server

Common Path(s):
N/A
SFMSVC.EXE - Windows NT Macintosh File Server Service
Sfmsvc.exe is related to Windows NT Macintosh File Server Service.
Manufacturer: Microsoft Corp.
beremote.exe

beremote.exe is a process that belongs to Backup Exec from Veritas. This process should not be removed to ensure that the backup process is not interrupted
Author:
Veritas

Part of:
Backup Exec

Common Path(s):
N/A

pvlsvr.exe

Description
pvlsvr.exe is a part of Veritas Backup Exec and offers essential functionality for Backup Exec. This program is important for the stable and secure running of your computer and should not be terminated.
Author:
VERITAS Software Corporation.

Part of:
Veritas Backup Exec

Common Path(s):
N/A
beserver.exe
Description
beserver.exe is the main backup service for Veritas Backup Exec. This program is essential in keeping backups up to date and should not be terminated.
Author:
VERITAS Software Corporation.

Part of:
Unknown

Common Path(s):
N/A
bengine.exe
Description
bengine.exe is the main backup service for Veritas Backup Exec. This program is essential in keeping backups up to date and should not be terminated.
Author:
Veritas Software Corporation

Part of:
Veritas Backup Exec

Common Path(s):
N/A
benetns.exe
Description
benetns.exe belongs to the Backup Exec application from Veritas. This process provides a remote browsing agent for the Backup Exec service on the backup server. This process should not be removed to ensure that your backup applications works properly.
Author:
VERITAS Software Corporation.

Part of:
Veritas Backup Exec

Common Path(s):
N/A
dlt.exe
Description
dlt.exe is a part of the Dell OpenManage system management software. Essential system process for the running of Dell OpenManage, and should not be disabled whilst this application is used.
Author:
Dell

Part of:
Dell Legacy

Common Path(s):
N/A
savfmsesp.exe
Symantec Mail Security for Microsoft Exchange

Description
savfmsesp.exe is a Symantec Mail Security for Microsoft Exchange from Symantec Corporation belonging to Symantec Mail Security for Microsoft Exchange
Author:
Symantec Corporation

Part of:
Symantec Mail Security for Microsoft Exchange

Common Path(s):
%programfiles%\symantec\smsmse\4.6\server
ccApp.exe
ccapp.exe
Description
The ccapp.exe file stands for Common Client Application and is the executable responsible for checking emails and auto-protect facilities as part of the Norton Antivirus suite.

The ccapp.exe file is used as the Norton Antivirus’ real-time scanner. When Windows loads, the ccapp.exe file also loads as VxD or virtual device driver. As the ccapp.exe file executes behind the scenes, it scans your system for Trojan Horses, viruses, and worms.

Before Windows can completely shut down, the ccapp.exe file will scan the boot drives for sector viruses if a floppy disk can be found inside the drive. In case a virus is detected, a message will be displayed asking you to repair the infected floppy disk boot record.

You will be able to view the details of the scan in the recorded report log. Details in the report include the name of the virus, location of the file infected, time it was detected, and the action taken by the application or the user.
Author:
Symantec Corporation

Part of:
Norton AntiVirus Suite

Common Path(s):
%program files%\common\symantec shared\

vptray.exe
Description
vptray.exe is the tray bar process for Norton AntiVirus. It gives the user fast access to Norton AntiVirus. This process can safely be removed without reducing system security.
Author:
Symantec Corporation

Part of:
Norton AntiVirus

Common Path(s):
N/A
ctfmon.exe
Description
ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
Author:
Microsoft Corp.

Part of:
Microsoft Office Suite

Common Path(s):
%system%\ctfmon.exe
sqlmangr.exe
Description
sqlmangr.exe is a system tray application from Microsoft which allows the user to start and stop SQL related services. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
Author:
Microsoft Corp.

Part of:
Microsoft SQL Server Service Manager

Common Path(s):
%programfiles%\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

logon.scr
Microsoft Logon Screensaver

Description
logon.scr is a process belonging to the Microsoft Windows Operating System and provides a screensaver during the login phase. This is a non-essential process. Disabling or enabling it is down to user preference.
Author:
Microsoft

Part of:
Microsoft Windows Operating System

Common Path(s):
%system%\logon.scr

bbconvert.exe
Description
bbconvert.exe is a Convert belonging to BlackBerry® Attachment Server from Research In Motion Limited
Author:
Research In Motion Limited

Part of:
BlackBerry® Attachment Server

Common Path(s):
e:\program files\research in motion\blackberry enterprise server\attachserver

csrss.exe
bbconvert.exe description
Description
bbconvert.exe is a Convert belonging to BlackBerry® Attachment Server from Research In Motion Limited
Author:
Research In Motion Limited

Part of:
BlackBerry® Attachment Server

Common Path(s):
e:\program files\research in motion\blackberry enterprise server\attachserver

winlogon.exe
winlogon.exe is a process belonging to the Windows login manager. It handles the login and logout procedures on your system. This program is important for the stable and secure running of your computer and should not be terminated.
Author:
Microsoft Corp.

Part of:
Microsoft Windows Operating System

Common Path(s):
%system%\winlogon.exe
VPTray.exe
vptray.exe is the tray bar process for Norton AntiVirus. It gives the user fast access to Norton AntiVirus. This process can safely be removed without reducing system security.
Author:
Symantec Corporation

Part of:
Norton AntiVirus

Common Path(s):
N/A
ctfmon.exe

Mono on Linux

2010-06-17T23:37:00.000+05:30

Steps:-

1: Install Mono 2.4 And Mod_mono On RHEL5 With Mysql Support
2: To Install BIRT Runtime On RHEL 5

Assumptions
1: You have root access on your RHEL 5 system
2: You are aware of basic sysadmin commands.
Note: This install was tested on a x64 system.

1:Install Mono 2.4 and mod_mono on RHEL5 with Mysql support

Files to Download
Http://Ftp.Novell.Com/Pub/Mono/Sources/Libgdiplus/Libgdiplus-2.4.2.Tar.Bz2
Http://Ftp.Novell.Com/Pub/Mono/Sources/Mono/Mono-2.4.2.3.Tar.Bz2
Http://Ftp.Novell.Com/Pub/Mono/Sources/Xsp/Xsp-2.4.2.Tar.Bz2
Http://Ftp.Novell.Com/Pub/Mono/Sources/Mod_mono/Mod_mono-2.4.2.Tar.Bz2
Http://Mirror.Cogentco.Com/Pub/Mysql/Connector-Net/Mysql-Connector-Net-6.0.4-Noinstall.Zip

RPMs
You need the following rpms to compile mod_mono. You should have these on your RHEL CD.
httpd-devel
apr-devel
apr-util
apr-util-devel

All my sources are placed in /opt/downloads
All my sources will be untared in /opt/build

To install mono on RHEL5

Step 1 : Untar libgdi and build it

tar -jxvf /opt/downloads/libgdiplus-2.4.2.tar.bz2 -C /opt/build
cd /opt/build/libgdiplus-2.4.2
./configure;make;make install

Step 2: Untar mono and build

cd /opt/downloads/mono-2.4.2.3/
./configure ;make;make install

To install mod mono

Step 1: Untar mod_mono package, configure, build & install

tar -jxvf /opt/downloads/mod_mono-2.4.2.tar.bz2
./configure ;make;make install

Move the mod_mono.conf file to the right location so that it is automatically loaded

mv /etc/httpd/conf/mod_mono.conf /etc/httpd/conf.d/

Add this line to the mod_mono.conf
MonoServerPath /usr/local/bin/mod-mono-server2

Step 2: Untar xsp, configure, build & install

tar -jxvf xsp-2.4.2.tar.bz2 -C /opt/build
cd /opt/build/xsp-2.4.2
./configure;make;make install

Now to test mod_mono
copy xsp files to your document root dir

cp -a /usr/local/lib/xsp/test /var/www/html/

Now go to your browser and check out your installation
http://localhost/test/

Now go ahead if you need to install mysql support

cd /opt/build
unzip /opt/downloads/mysql-connector-net-6.0.4-noinstall.zip
mv mysql.data.dll MySql.Data.dll
/usr/local/bin/gacutil -i /opt/build/MySql.Data.dll

Common error

Object reference not set to an instance of an object
Description: HTTP 500. Error processing request.

1: If you do not change the name of the dll you might get this
error below. So make sure your dll is MySql.Data.dll

2: Make sure you save these config settings in your web.conf

Return To Top

2: To install BIRT runtime on RHEL 5

Files to download
Http://Apache.Mirrors.Hoobly.Com/Tomcat/Tomcat-6/V6.0.20/Bin/Apache-Tomcat-6.0.20.Tar.Gz
Http://Www.Eclipse.Org/Downloads/Download.Php?File=/Birt/Downloads/Drops/R-R1-2_5_0-200906180630/Birt-Runtime-2_5_0.Zip
Jre-6u16-Linux-Amd64.Rpm

Note: Since you are installing the Web Viewer on Tomcat 6, you will need to download the Commons Logging Library.

Install Sun JDK

rpm -ivh /opt/downloads/jre-6u16-linux-amd64.rpm

set your java home

export JAVA_HOME=/usr/java/jre1.6.0_16/

Install Apache tomcat

tar -zxvf /opt/downloads/apache-tomcat-6.0.20.tar.gz -C /opt/build/
cd /opt/build/apache-tomcat-6.0.20/bin/
./startup.sh

Test your installation from the browser
http://localhost:8080/
To use the tomcat manager, set manager user for tomcat in tomcat-users.xml

Restart tomcat and check the url http://localhost:8080/manager/html

Install BIRT runtime

cd /opt/build
unzip /opt/downloads/birt-runtime-2.1.3.zip
cd /opt/build/birt-runtime-2_1_3/
cp -a WebViewerExample /opt/build/apache-tomcat-6.0.20/webapps
mv /opt/build/apache-tomcat-6.0.20/webapps/WebViewerExample/ /opt/build/apache-tomcat-6.0.20/webapps/birt-viewer

Install Commons Logging Library

tar -zxvf /opt/downloads/used/commons-logging-1.1.1-bin.tar.gz -C /opt/build

Copy the jar file into birt-viewer

cp /opt/build/commons-logging-1.1.1/commons-logging-1.1.1.jar /opt/build/apache-tomcat-6.0.20/webapps/birt-viewer/WEB-INF/lib/

Use the tomcat manager to see whether birt-viewer has been auto deployed.

Now you can check your birt-viewer report from your browser http://localhost:8080/birt-viewer/

A page confirming that the BIRT viewer has been installed should be displayed.
Click on the link labeled "View Example" to confirm that your installation is working properly.
The BIRT Viewer requires that cookies be enabled.

Common Errors:
I tried BIRT with the default install of jre on RHEL5/ Fedora8 and I came across so many errors.
After a lot of google I gave up on those versions and downloaded tomcat 6 and sun jre and it worked fine.

Create certificate using keytool on glassfish

2010-06-17T23:17:00.002+05:30

Create certificate

Use keytool to generate, import, and export certificates. By default, keytool creates a keystore file in the directory where it is run. You can find the keytool utility under the bin directory of java folder.
Note: - When you install Glassfish, it creates a default self-signed certificate as the server certificate. (localhost)

Step:- 1

Delete exiting certificate :-

Type the following command to delete the default self-signed certificate by issuing the following command.
keytool -delete -alias s1as -keystore keystore.jks -storepass

Generate self signed certificate

Steps 1:- Type the following command to create new certificate:
keytool -genkey -alias test

Fill all the information to create the certificate.

Enter keystore password: p@ssw0rd!
What is your first and last name?
[Unknown]: Chandra
what is the name of your organizational unit?
[Unknown]: Paxcel
what is the name of your organization?
[Unknown]: Paxcel
what is the name of your City or Locality?
[Unknown]: Gurgaon
What is the name of your State or Province?
[Unknown]: HR
What is the two-letter country code for this unit?
[Unknown]: IN
Is correct?
[no]: yes
Import certificate

A certificate can be imported into a keystore using keytool. Type the following command to import the certificate:-
keytool -storepass my-keystore-password(paxcel) -alias test -import -file test.cer

Generate expired certificate

Steps:

Default days is 7 and cant not be set 0 day. You need to specify at least 1 day to

create.
keytool -genkey -alias test –validity 1

Note: - To change the location of certificate files - admin console.
Always generate the certificate in the directory containing the keystore and truststore files, by default domain-dir/config.

Open the Glassfish admin console in the web browser.
Login into glassfish admin console (http://localhost:4848), Default uid and password:

admin and adminadmin

a) In the Admin Console tree, select the Application Server node.
b) Select JVM Settings.
c) Click the JVM Options tab.
d) On the JVM Options page, add or modify the following values in the Value

field to reflect the new location of the certificate files:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/path/ks-name
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/path/ts-name

e) Where ks-name is the keystore file name and ts-name is the trust store file name.

f) Click Save.

g) Restart the Application Server if Restart Required displays in the console.

Install certificate in GlassFish server

Here are the instructions for enabling GlassFish v2 as an SSL server when the application server is configured with the developer profile.

1. Delete the default self-signed certificate by issuing the following command (note that the commands in this and subsequent steps are shown on multiple lines for formatting purposes):
keytool -delete -alias s1as -keystore keystore.jks -storepass
where is the password for the keystore, for example, "mypass". Note that s1as is the default alias of the GlassFish v2 keystore.

2. Generate a new key pair for the application server by issuing the following command:
keytool -genkeypair -keyalg
-keystore keystore.jks -validity -alias s1as

where is the algorithm to be used for generating the key pair, for example RSA, and is the number of days that the certificate should be considered valid, for example, 365.
Note that in addition to generating a key pair, the command wraps the public key into a self-signed certificate and stores the certificate and the private key in a new keystore entry identified by the alias.

It's important to ensure that the name of the certificate matches the fully-qualified hostname of your site. If the names don't match, clients connecting to the server will see a security alert stating that the name of the certificate does not match the name of the site. You should notice that the name of the default self-signed certificate matches the fully-qualified hostname.

3. Generate a Certificate Signing Request (CSR) by issuing the following command:
keytool -certreq -alias s1as -file
-keystore keystore.jks -storepass
where is the file in which the CSR is stored, for example, s1as.csr, and is the password for the keystore, for example, changeit.

4. keytool -import -v -alias s1as -file s1as.cert -keystore keystore.jks -storepass
When you import the certificate using the same original alias "s1as", keytool treats it as a command to replace the original certificate with the certificate obtained as reply to a CSR.
s1as (self-signed):
Owner: CN=chandra, OU=Paxcel, O=Paxcel Technologies, L=Gurgaon , ST=Haryana, C=IN
Issuer: CN=Chandra, OU=Paxcel Technologies, O=Paxcel Technologies
, L=Gurgaon, ST=Haryana, C=IN
Serial number: 472acd34
Valid from:

Multiple Private Keys in a GlassFish

2010-05-30T21:35:00.001+05:30

Multiple Private Keys in a GlassFish domain
GlassFish uses Java JKS for storing keys and certificates. Out of the box, the keyStore (keystore.jks) and the trustStore (cacerts.jks) reside in $GLASSFISH_HOME/domains/domain1. Even though there are several CA root certificates in cacerts.jks, there is only one private key in keystore.jks.

GlassFish supports the use of multiple private keys in a given domains. For instance, you may have two https listeners having different server private keys. This is a very useful scenario especially when one have EC key. So, in a given domain, we can have one https listener using RSA key for normal browser and one https listener using EC key for PDA.

In this blog, we will discuss the configuration when there are multiple private keys in a given domain of GlassFish. In this case, one needs to specify the private key / certificate to be used for SSL communication. If the information is not specified, then the server will pick up one which may not be desirable. Since one wants to be more precise in security environment, one would like to specify the corresponding certificate nickname in order to pick up the correct key.

There are two kinds of certificate nicknames: inbound, https outbound.

Inbound Certificate Nickname

One needs to specify the inbound cert-nickname for a given listener in domain.xml. For instance, in http listener, it is as follows:

...

Instead of hand-crafting the domain.xml, it would be a good idea to use Admin Console as follows: Configuration > HTTP Services > Http listeners > http-listener-2, and choose SSL tab and enter the valid alias value you want in "Certificate Nickname" textbox. Then one needs to restart the given domain (if there is a change of certificate nickname) in order to activate the change.

Similarly for iiop listeners.

Https Outbound Certificate Nickname

GlassFish also supports the https outbound from server. A private key / certificate is used for https outbound mutual SSL authentication. In this case, we can specify the https outbound certificate nickname as jvm-options in domain.xml:

-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=YOUR_ALIAS

One can achieve this through Admin Console as follows: Application Server > JVM Settings > JVM Options > Add JVM option, and enter the above jvm option in the new textbox. Then one needs to restart the server in order to activate this change.

Delete certificate - Keytool

2010-05-30T21:33:00.001+05:30

Deleting a Certificate Using the keytool Utility
To delete an existing certificate, use the keytool -delete command, for example:

keytool -delete -alias keyAlias -keystore keystore-name -storepass password

Sign a digital certificate using the keytool utility

2010-05-30T21:31:00.000+05:30

To sign a digital certificate using the keytool utility
After creating a digital certificate, the owner must sign it to prevent forgery. E-commerce sites, or those for which authentication of identity is important can purchase a certificate from a well-known Certificate Authority (CA). If authentication is not a concern, for example if private secure communications is all that is required, save the time and expense involved in obtaining a CA certificate and use a self-signed certificate.

Follow the instructions on the CA’s Web site for generating certificate key pairs.

Download the generated certificate key pair.

Save the certificate in the directory containing the keystore and truststore files, by default domain-dir/config directory. See To change the location of certificate files.

In your shell, change to the directory containing the certificate.

Use keytool to import the certificate into the local keystore and, if necessary, the local truststore.

keytool -import -v -trustcacerts -alias keyAlias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit
If the keystore or private key password is not the default password, then substitute the new password for changeit in the above command.

Restart the Application Server.

Generate a certificate using the keytool utility

2010-05-30T21:30:00.002+05:30

To generate a certificate using the keytool utility
Use keytool to generate, import, and export certificates. By default, keytool creates a keystore file in the directory where it is run.

Change to the directory where the certificate is to be run.

Always generate the certificate in the directory containing the keystore and truststore files, by default domain-dir/config. For information on changing the location of these files, see To change the location of certificate files.

Enter the following keytool command to generate the certificate in the keystore file, keystore.jks:

keytool -genkey -alias keyAlias -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks
Use any unique name as your keyAlias. If you have changed the keystore or private key password from their default, then substitute the new password for changeit in the above command.

A prompt appears that asks for your name, organization, and other information that keytool uses to generate the certificate.

Enter the following keytool command to export the generated certificate to the file server.cer (or client.cer if you prefer):

keytool -export -alias keyAlias-storepass changeit
-file server.cer
-keystore keystore.jks
If a certificate signed by a certificate authority is required, see To sign a digital certificate using the keytool utility.

To create the truststore file cacerts.jks and add the certificate to the truststore, enter the following keytool command:

keytool -import -v -trustcacerts -alias keyAlias -file server.cer -keystore cacerts.jks -keypass changeit
If you have changed the keystore or private key password from their default, then substitute the new password for changeit in the above command.

The tool displays information about the certificate and prompts whether you want to trust the certificate.

Type yes, then press Enter.

Then keytool displays something like this:

Certificate was added to keystore [Saving cacerts.jks]
Restart the Application Server.

Installing and Configuring SSL Support & XML and Web Services Security

2010-05-30T21:26:00.002+05:30

Installing and Configuring SSL Support
What Is Secure Socket Layer Technology?
Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection. In this secure connection, the data that is being sent is encrypted before being sent and then is decrypted upon receipt and before processing. Both the browser and the server encrypt all traffic before sending any data. SSL addresses the following important security considerations.
• Authentication: During your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be. In some cases, the server may request a certificate that the client is who and what it claims to be (which is known as client authentication).
• Confidentiality: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential.
• Integrity: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.
To install and configure SSL support on your stand-alone web server, you need the following components. SSL support is already provided if you are using the Application Server. If you are using a different web server, consult the documentation for your product.
• A server certificate keystore (see Understanding Digital Certificates).
• An HTTPS connector (see Using SSL).
To verify that SSL support is enabled, see Verifying SSL Support.
Understanding Digital Certificates
________________________________________
Note: Digital certificates for the Application Server have already been generated and can be found in the directory /domains/domain1/config/. These digital certificates are self-signed and are intended for use in a development environment; they are not intended for production purposes. For production purposes, generate your own certificates and have them signed by a CA.
________________________________________
To use SSL, an application server must have an associated certificate for each external interface, or IP address, that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. It may be useful to think of a certificate as a "digital driver's license" for an Internet address. It states with which company the site is associated, along with some basic contact information about the site owner or administrator.
The digital certificate is cryptographically signed by its owner and is difficult for anyone else to forge. For sites involved in e-commerce or in any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority (CA) such as VeriSign or Thawte.
Sometimes authentication is not really a concern--for example, an administrator may simply want to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection. In such cases, you can save the time and expense involved in obtaining a CA certificate and simply use a self-signed certificate.
SSL uses public key cryptography, which is based on key pairs. Key pairs contain one public key and one private key. If data is encrypted with one key, it can be decrypted only with the other key of the pair. This property is fundamental to establishing trust and privacy in transactions. For example, using SSL, the server computes a value and encrypts the value using its private key. The encrypted value is called a digital signature. The client decrypts the encrypted value using the server's public key and compares the value to its own computed value. If the two values match, the client can trust that the signature is authentic, because only the private key could have been used to produce such a signature.
Digital certificates are used with the HTTPS protocol to authenticate web clients. The HTTPS service of most web servers will not run unless a digital certificate has been installed. Use the procedure outlined later to set up a digital certificate that can be used by your web server to enable SSL.
One tool that can be used to set up a digital certificate is keytool, a key and certificate management utility that ships with the J2SE SDK. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself or herself to other users or services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers. For a better understanding of keytool and public key cryptography, read the keytool documentation at the following URL:
http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/key-
tool.html
Creating a Server Certificate
A server certificate has already been created for the Application Server. The certificate can be found in the /domains/domain1/config/ directory. The server certificate is in keystore.jks. Thecacerts.jks file contains all the trusted certificates, including client certificates.
If necessary, you can use keytool to generate certificates. The keytool stores the keys and certificates in a file termed a keystore, a repository of certificates used for identifying a client or a server. Typically, a keystore contains one client or one server's identity. The default keystore implementation implements the keystore as a file. It protects private keys by using a password.
The keystores are created in the directory from which you run keytool. This can be the directory where the application resides, or it can be a directory common to many applications. If you don't specify the keystore file name, the keystores are created in the user's home directory.
To create a server certificate follow these steps:
1. Create the keystore.
2. Export the certificate from the keystore.
3. Sign the certificate.
4. Import the certificate into a trust-store: a repository of certificates used for verifying the certificates. A trust-store typically contains more than one certificate. An example using a trust-store for SSL-based mutual authentication is discussed in Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC.
Run keytool to generate the server keystore, which we will name keystore.jks. This step uses the alias server-alias to generate a new public/private key pair and wrap the public key into a self-signed certificate inside keystore.jks. The key pair is generated using an algorithm of type RSA, with a default password of changeit. For more information on keytool options, see its online help athttp://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.
________________________________________
Note: RSA is public-key encryption technology developed by RSA Data Security, Inc. The acronym stands for Rivest, Shamir, and Adelman, the inventors of the technology.
________________________________________
From the directory in which you want to create the keystore, run keytool with the following parameters.
1. Generate the server certificate.
\bin\keytool -genkey -alias server-alias
-keyalg RSA -keypass changeit -storepass changeit
-keystore keystore.jks
When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code. Note that you must enter the server name in response to keytool'sfirst prompt, in which it asks for first and last names. For testing purposes, this can be localhost. The host specified in the keystore must match the host identified in the host variable specified in the/j2eetutorial14/examples/common/build.properties when running the example applications.
2. Export the generated server certificate in keystore.jks into the file server.cer.
\bin\keytool -export -alias server-alias
-storepass changeit -file server.cer -keystore keystore.jks
3. If you want to have the certificate signed by a CA, read Signing Digital Certificates for more information.
4. To create the trust-store file cacerts.jks and add the server certificate to the trust-store, run keytool from the directory where you created the keystore and server certificate. Use the following parameters:
\bin\keytool -import -v -trustcacerts
-alias server-alias -file server.cer
-keystore cacerts.jks -keypass changeit
-storepass changeit
Information on the certificate, such as that shown next, will display.
/j2eetutorial14/examples/gs 60% keytool -import
-v -trustcacerts -alias server-alias -file server.cer
-keystore cacerts.jks -keypass changeit -storepass changeit
Owner: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
Issuer: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, C=US
Serial number: 3e932169
Valid from: Tue Apr 08
Certificate fingerprints:
MD5: 52:9F:49:68:ED:78:6F:39:87:F3:98:B3:6A:6B:0F:90
SHA1: EE:2E:2A:A6:9E:03:9A:3A:1C:17:4A:28:5E:97:20:78:3F:
Trust this certificate? [no]:
5. Enter yes, and then press the Enter or Return key. The following information displays:
Certificate was added to keystore
[Saving cacerts.jks]
Signing Digital Certificates
After you've created a digital certificate, you will want to have it signed by its owner. After the digital certificate has been cryptographically signed by its owner, it is difficult for anyone else to forge. For sites involved in e-commerce or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known certificate authority such as VeriSign or Thawte.
As mentioned earlier, if authentication is not really a concern, you can save the time and expense involved in obtaining a CA certificate and simply use the self-signed certificate.
Using a Different Server Certificate with the Application Server
Follow the steps in Creating a Server Certificate, to create your own server certificate, have it signed by a CA, and import the certificate into keystore.jks.
Make sure that when you create the certificate, you follow these rules:
• When you press create the server certificate, keytool prompts you to enter your first and last name. In response to this prompt, you must enter the name of your server. For testing purposes, this can belocalhost.
• The server/host specified in the keystore must match the host identified in the host variable specified in the /j2eetutorial14/examples/common/build.properties file for running the example applications.
• Your key/certificate password in keystore.jks should match the password of your keystore, keystore.jks. This is a bug. If there is a mismatch, the Java SDK cannot read the certificate and you get a "tampered" message.
• If you want to replace the existing keystore.jks, you must either change your keystore's password to the default password (changeit) or change the default password to your keystore's password:
To specify that the Application Server should use the new keystore for authentication and authorization decisions, you must set the JVM options for the Application Server so that they recognize the new keystore. To use a different keystore than the one provided for development purposes, follow these steps.
1. Start the Application Server if you haven't already done so. Information on starting the Application Server can be found in Starting and Stopping the Application Server.
2. Start the Admin Console. Information on starting the Admin Console can be found in Starting the Admin Console.
3. Select Application Server in the Admin Console tree.
4. Select the JVM Settings tab.
5. Select the JVM Options tab.
6. Change the following JVM options so that they point to the location and name of the new keystore. There current settings are shown below:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks
-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks
7. If you've changed the keystore password from its default value, you need to add the password option as well:
-Djavax.net.ssl.keyStorePassword=your_new_password
8. Logout of the Admin Console and restart the Application Server.
Creating a Client Certificate for Mutual Authentication
This section discusses setting up client-side authentication. When both server-side and client-side authentication are enabled, it is called mutual, or two-way, authentication. In client authentication, clients are required to submit certificates that are issued by a certificate authority that you choose to accept. From the directory where you want to create the client certificate, run keytool as outlined here. When you press Enter,keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code.
________________________________________
Note: You must enter the server name in response to keytool's first prompt, in which it asks for first and last names. For testing purposes, this can be localhost. The host specified in the keystore must match the host identified in the host variable specified in the /j2eetutorial14/examples/common/build.properties file. If this example is to verify mutual authentication and you receive a runtime error stating that the HTTPS host name is wrong, re-create the client certificate, being sure to use the same host name that you will use when running the example. For example, if your machine name is duke, then enterduke as the certificate CN or when prompted for first and last names. When accessing the application, enter a URL that points to the same location--for example, https://duke:8181/mutualauth/hello. This is necessary because during SSL handshake, the server verifies the client certificate by comparing the certificate name and the host name from which it originates.
________________________________________
To create a keystore named client-keystore.jks that contains a client certificate named client.cer, follow these steps:
1. Generate the client certificate.
\bin\keytool -genkey -alias client-alias -keyalg RSA -keypass changeit
-storepass changeit -keystore keystore.jks
2. Export the generated client certificate into the file client.cer.
\bin\keytool -export -alias client-alias
-storepass changeit -file client.cer -keystore keystore.jks
3. Add the certificate to the trust-store file /domains/domain1/config/cacerts.jks. Run keytool from the directory where you created the keystore and client certificate. Use the following parameters:
\bin\keytool -import -v -trustcacerts
-alias client-alias -file client.cer
-keystore /domains/domain1/config/cacerts.jks
-keypass changeit -storepass changeit
The keytool utility returns this message:
Owner: CN=J2EE Client, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US
Issuer: CN=J2EE Client, OU=Java Web Services, O=Sun, L=Santa Clara, ST=CA, C=US
Serial number: 3e39e66a
Valid from: Thu Jan 30 18:58:50 PST 2003 until: Wed Apr 30
19:58:50 PDT 2003
Certificate fingerprints:
MD5: 5A:B0:4C:88:4E:F8:EF:E9:E5:8B:53:BD:D0:AA:8E:5A
SHA1:90:00:36:5B:E0:A7:A2:BD:67:DB:EA:37:B9:61:3E:26:B3:89:46:
32
Trust this certificate? [no]: yes
Certificate was added to keystore
For an example application that uses mutual authentication, see Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC. For information on verifying that mutual authentication is running, seeVerifying That Mutual Authentication Is Running.
Miscellaneous Commands for Certificates
To check the contents of a keystore that contains a certificate with an alias server-alias, use this command:
keytool -list -keystore keystore.jks -alias server-alias -v
To check the contents of the cacerts file, use this command:
keytool -list -keystore cacerts.jks
Using SSL
An SSL connector is preconfigured for the Application Server. You do not have to configure anything. If you are working with another application server, see its documentation for setting up its SSL connector.
Verifying SSL Support
For testing purposes, and to verify that SSL support has been correctly installed, load the default introduction page with a URL that connects to the port defined in the server deployment descriptor:
https://localhost:8181/
The https in this URL indicates that the browser should be using the SSL protocol. The localhost in this example assumes that you are running the example on your local machine as part of the development process. The 8181 in this example is the secure port that was specified where the SSL connector was created in Using SSL. If you are using a different server or port, modify this value accordingly.
The first time a user loads this application, the New Site Certificate or Security Alert dialog box displays. Select Next to move through the series of dialog boxes, and select Finish when you reach the last dialog box. The certificates will display only the first time. When you accept the certificates, subsequent hits to this site assume that you still trust the content.
Tips on Running SSL
The SSL protocol is designed to be as efficient as securely possible. However, encryption and decryption are computationally expensive processes from a performance standpoint. It is not strictly necessary to run an entire web application over SSL, and it is customary for a developer to decide which pages require a secure connection and which do not. Pages that might require a secure connection include login pages, personal information pages, shopping cart checkouts, or any pages where credit card information could possibly be transmitted. Any page within an application can be requested over a secure socket by simply prefixing the address with https: instead of http:. Any pages that absolutely require a secure connection should check the protocol type associated with the page request and take the appropriate action if https: is not specified.
Using name-based virtual hosts on a secured connection can be problematic. This is a design limitation of the SSL protocol itself. The SSL handshake, where the client browser accepts the server certificate, must occur before the HTTP request is accessed. As a result, the request information containing the virtual host name cannot be determined before authentication, and it is therefore not possible to assign multiple certificates to a single IP address. If all virtual hosts on a single IP address need to authenticate against the same certificate, the addition of multiple virtual hosts should not interfere with normal SSL operations on the server. Be aware, however, that most client browsers will compare the server's domain name against the domain name listed in the certificate, if any (this is applicable primarily to official, CA-signed certificates). If the domain names do not match, these browsers will display a warning to the client. In general, only address-based virtual hosts are commonly used with SSL in a production environment.
Enabling Mutual Authentication over SSL
This section discusses setting up client-side authentication. As mentioned earlier, when both server-side and client-side authentication are enabled, it is called mutual, or two-way, authentication. In client authentication, clients are required to submit certificates that are issued by a certificate authority that you choose to accept. If you regulate it through the application (via the Client-Certificate authentication requirement), the check is performed when the application requires client authentication. You must enter the keystore location and password in the web server configuration file to enable SSL, as discussed in Using SSL.
Here are two ways to enable mutual authentication over SSL:
• PREFERRED: Set the method of authentication to Client-Certificate using deploytool. This enforces mutual authentication by modifying the deployment descriptor of the given application. By enabling client authentication in this way, client authentication is enabled only for a specific resource controlled by the security constraint. Setting client authentication in this way is discussed in Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC.
• RARELY: Set the clientAuth property in the certificate realm to true. To do this, follow these steps:
a. Start the Application Server if you haven't already done so. Information on starting the Application Server can be found in Starting and Stopping the Application Server.
b. Start the Admin Console. Information on starting the Admin Console can be found in Starting the Admin Console.
c. In the Admin Console tree, expand Configuration, expand Security, then expand Realms, and then select certificate. The certificate realm is used for all transfers over HTTP with SSL.
d. Select Add to add the property of clientAuth to the server. Enter clientAuth in the Name field, and enter true in the Value field.
e. Click Save to save these new properties.
f. Log out of the Admin Console.
When client authentication is enabled in both of these ways, client authentication will be performed twice.
Verifying That Mutual Authentication Is Running
You can verify that mutual authentication is working by obtaining debug messages. This should be done at the client end, and this example shows how to pass a system property in targets.xml so thattargets.xml forks a client with javax.net.debug in its system properties, which could be added in a file such as /j2eetutorial14/examples/security/common/targets.xml.
To enable debug messages for SSL mutual authentication, pass the system property javax.net.debug=ssl,handshake, which will provide information on whether or not mutual authentication is working. The following example modifies the run-mutualauth-client target from the /j2eetutorial14/examples/security/common/targets.xml file by adding sysproperty as shown in bold:
description="Runs a client with mutual authentication over
SSL">

value="${key.store}" />
value="${key.store.password}"/>

XML and Web Services Security
Security can be applied to web services at both the transport-level and the message-level.
In message security, security information travels along with the web services message. WSS in the SOAP layer is the use of XML Encryption and XML Digital Signatures to secure SOAP messages. WSS profiles the use of various security tokens including X.509 certificates, SAML assertions, and username/password tokens to achieve this.
Message layer security differs from transport layer security in that message layer security can be used to decouple message protection from message transport so that messages remain protected after transmission, regardless of how many hops they travel on.
Message-level security is discussed in the following documentation:
• Configuring Message Security chapter of the Application Server Administration Guide. This chapter is for system administrators or others attempting to set up the Application Server for message security.
• Securing Applications chapter of the Application Server Developers' Guide. This chapter is for developers, assemblers, and deployers attempting to implement message security at the application or method level.
Transport-level security is discussed in the following example sections:
• Transport-Level Security
• Example: Basic Authentication with JAX-RPC
• Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC
Transport-Level Security
Authentication verifies the identity of a user, device, or other entity in a computer system, usually as a prerequisite to allowing access to resources in a system. There are several ways in which this can happen. The following ways are discussed in this section:
One approach is that a user authentication method can be defined for an application in its deployment descriptor. When a user authentication method is specified for an application, the web container activates the specified authentication mechanism when you attempt to access a protected resource. The options for user authentication methods are discussed in Understanding Login Authentication. The example application discussed in Example: Basic Authentication with JAX-RPC shows how to add basic authentication to a JAX-RPC application. The example discussed in Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC shows how to add client-certificate, or mutual, authentication to a JAX-RPC application.
A second approach is that a transport guarantee can be defined for an application in its deployment descriptor. Use this method to run over an SSL-protected session and ensure that all message content is protected for confidentiality. The options for transport guarantees are discussed in Specifying a Secure Connection. For an example application that demonstrates running over an SSL-protected session, seeExample: Client-Certificate Authentication over HTTP/SSL with JAX-RPC.
When running over an SSL-protected session, the server and client can authenticate one another and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data.
SSL technology allows web browsers and web servers to communicate over a secure connection. In this secure connection, the data is encrypted before being sent, and then is decrypted upon receipt and before processing. Both the browser and the server encrypt all traffic before sending any data. For more information, see What Is Secure Socket Layer Technology?.
Digital certificates are necessary when running HTTP over SSL (HTTPS). The HTTPS service of most web servers will not run unless a digital certificate has been installed. Digital certificates have already been created for the Application Server.
Example: Basic Authentication with JAX-RPC
In this section, we discuss how to configure JAX-RPC-based web service applications for HTTP basic authentication. With HTTP basic authentication, the web server authenticates a user by using the user name and password obtained from the web client. If the topic of authentication is new to you, please refer to the section titled Understanding Login Authentication. For an explanation of how basic authentication works, seeFigure 32-2.
For this tutorial, we begin with the example application in /j2eetutorial14/examples/jaxrpc/staticstub/ and /j2eetutorial14/examples/jaxrpc/helloservice/ and add user name and password authentication. The resulting application can be found in the directories /j2eetutorial14/examples/security/basicauth/ and/j2eetutorial14/examples/security/basicauthclient/.
In general, the following steps are necessary to add basic authentication to a JAX-RPC application. In the example application included with this tutorial, many of these steps have been completed for you and are listed here to show what needs to be done should you wish to create a similar application.
1. Complete the JAX-RPC application as described in Creating a Simple Web Service and Client with JAX-RPC.
2. If the default port value is changed from 8080, see Setting the Port for information on updating the example files to reflect this change. The WAR files mentioned in this tutorial will not work if the port has been changed.
3. Edit the /j2eetutorial14/examples/common/build.properties file and the admin-password.txt file. These files need to be modified because the properties in these file are specific to your installation. See Building the Examples for information on which properties need to be set in which files. While you are looking at these files, note the value entered for admin.user and check the fileadmin-password.txt for the value of the admin password.
4. Add a user with the name that matches the value set in the build.properties file (admin) for the admin.user property and a password that matches the value set in the admin-password.txt file for theAS_ADMIN_PASSWORD property to the file realm. Refer to the section Managing Users, for instructions for doing this.
5. Set security properties in the client code. For the example application, this step has been completed. The code for this example is shown in Setting Security Properties in the Client Code.
6. Add the appropriate security elements using deploytool. For this example, the security elements are added in the packaging and deployment phase. Refer to Adding Basic Authentication Using deploytoolfor more information.
7. Build, package, deploy, and run the web service. You will use the asant tool to compile the client and service, and deploytool to package and deploy the service. Instructions for this example can be found inBuilding, Packaging, Deploying, and Running the Example for Basic Authentication.
Setting Security Properties in the Client Code
The source code for the client is in the HelloClient.java file of the /j2eetutorial14/examples/security/basicauthclient/src/ directory. For basic authentication, the client code must setusername and password properties. The username and password properties correspond to the admin group (which includes the user name and password combination entered during installation) and the role ofadmin, which is provided in the application deployment descriptor as an authorized role for secure transactions. (See Setting Up Security Roles.)
The client sets the aforementioned security properties as shown in the following code. The code in bold is the code that has been added from the original version of the jaxrpc/staticstub example application.
package basicauthclient;

import javax.xml.rpc.Stub;

public class HelloClient {

public static void main(String[] args) {

if (args.length !=3) {
System.out.println("HelloClient Error: Wrong
number of runtime arguments!");
System.exit(1);
}

String username=args[0];
String password=args[1];
String endpointAddress=args[2];

// print to display for verification purposes
System.out.println("username: " + username);
System.out.println("password: " + password);
System.out.println("Endpoint address = " +
endpointAddress);

try {
Stub stub = createProxy();
stub._setProperty(
javax.xml.rpc.Stub.USERNAME_PROPERTY,
username);
stub._setProperty(
javax.xml.rpc.Stub.PASSWORD_PROPERTY,
password);
stub._setProperty
(javax.xml.rpc.Stub.ENDPOINT_ADDRESS_PROPERTY,
endpointAddress);

HelloIF hello = (HelloIF)stub;
System.out.println(hello.sayHello("Duke (secure)"));
} catch (Exception ex) {
ex.printStackTrace();
}
}

private static Stub createProxy() {
// Note: MyHelloService_Impl is implementation-specific.
return (Stub)(new
MyHelloService_Impl().getHelloIFPort());
}
}
Read Static Stub Client for more information about JAX-RPC static stub clients.
Building, Packaging, Deploying, and Running the Example for Basic Authentication
To build, package, deploy, and run the security/basicauth example using basic authentication, follow these steps.
Building the Basic Authentication Service
1. Set up your system for running the tutorial examples if you haven't done so already by following the instructions in Building the Examples.
2. From a terminal window or command prompt, go to the /j2eetutorial14/examples/security/basicauth/ directory.
3. Build the JAX-RPC service by entering the following at the terminal window or command prompt in the basicauth/ directory (this and the following steps that use asant assume that you have the executable for asant in your path; if not, you will need to provide the fully qualified path to the executable). This command runs the target named build in the build.xml file.
asant build
Packaging the Basic Authentication Service
You can package the basic authentication example using asant or deploytool, or you can just open the WAR file located in the /j2eetutorial14/examples/security/provided-wars/basicauth.war file.
To package the example using asant, run the following command from the /basicauth directory:
asant create-war
To package the example using deploytool, follow the steps described in Packaging and Deploying the Service with deploytool and Specifying the Endpoint Address. When following these steps, replace the following:
• The path to the example should be replaced with /j2eetutorial14/examples/security/basicauth/.
• Replace helloservice with basicauth throughout.
• Use /basicauth-jaxrpc for the Context Root field.
Adding Basic Authentication Using deploytool
For HTTP basic authentication, the application deployment descriptor, web.xml, includes the information on who is authorized to access the application, which URL patterns and HTTP methods are protected, and what type of user authentication method this application uses. This information is added to the deployment descriptor using deploytool. Its contents are discussed in more detail in Web-Tier Security and in the Java Servlet specification, which can be browsed or downloaded online at http://java.sun.com/products/servlet/.
1. If you packaged the example using deploytool, select the basic authentication example, BasicAuth, in the deploytool tree. If you packaged the example using asant, open the generated WAR file (basicauth.war) in deploytool and then select the basic authentication example.
2. Select the Security tabbed pane.
3. Select Basic in the User Authentication Method field.
4. Select Add Constraints to add a security constraint.
5. Select Add Collections to add a web resource collection.
6. Select the web resource collection from the list, and then select Edit Collections.
7. Select Add URL Pattern. Enter /hello in the text field. Click OK.
8. Select the HTTP GET and POST methods.
9. Click OK to close the Edit Contents dialog box.
10. Select Edit Roles on the Security tabbed pane to specify an authorized role for this application.
11. Click Edit Roles in the Authorized Roles dialog box to add an authorized user to this application. Click Add in the Edit Roles dialog box and add the Name of admin. Click OK to close this dialog box.
12. Select admin under the Roles In field, and then click Add to add it to the list of authorized roles for this application. Click OK to close the dialog box.
Note that the Authorized Roles list specifies admin, a group that was specified during installation. To map this role to a user, follow these steps.
1. Select the General tabbed pane.
2. Click the Sun-specific Settings button.
3. In the Sun-specific Settings dialog box, select User to Role Mappings from the View list.
4. Select admin from the list of roles.
5. Click the Edit button under the Users box.
6. Select admin from the Available Users list, and then click the Add button to map the role of admin (defined for the application) to the user named admin (defined for the Application Server). Click OK.
________________________________________
Note: If you don't see the list of users or groups that you defined using the Admin Console, connect to the Admin Server by double-clicking localhost:4848 in the deploytool tree and entering your admin user name and password. If this is not the current target server, change to this server by selecting it and then selecting File Set Current Target Server.
________________________________________
1. Click Close to return to the General tabbed pane.
2. Select Save from the File menu to save these settings.
Deploying the Basic Authentication Service
To deploy the example using asant, run the following command:
asant deploy-war
To deploy the example using deploytool, follow these steps:
1. Select the BasicAuth application in the deploytool tree. Then select Tools Deploy.
2. Make sure the server is correct, localhost:4848 by default.
3. Enter your admin user name and password.
4. Click OK.
5. Click the Close button after the messages indicating successful completion are finished.
You can view the WSDL file of the deployed service by requesting the URL http://localhost:8080/basicauth-jaxrpc/hello?WSDL in a web browser.
Building and Running the Basic Authentication Client
To build the JAX-RPC client, do the following:
1. Enter the following command at the terminal window or command prompt in the basicauthclient/ directory:
asant build
2. Run the JAX-RPC client by entering the following at the terminal window or command prompt in the basicauthclient/ directory:
asant run
The client should display the following output:
Buildfile: build.xml

run-secure-client:
[java] username: your_name
[java] password: your_pwd
[java] Endpoint address = http://localhost:8080/basicauth-
jaxrpc/hello
[java] Hello Duke (secure)

BUILD SUCCESSFUL
Example: Client-Certificate Authentication over HTTP/SSL with JAX-RPC
In this section, we discuss how to configure a simple JAX-RPC-based web service application for client-certificate authentication over HTTP/SSL. Client-certificate authentication uses HTTP over SSL, in which the server and, optionally, the client authenticate one another using public key certificates. If the topic of authentication is new to you, please refer to the section titled Understanding Login Authentication. For more information on how client-certificate authentication works, see Figure 32-4.
This example application starts with the example application in /j2eetutorial14/examples/jaxrpc/helloservice/ and adds both client and server authentication to the example. In SSL certificate-based basic authentication, the server presents its certificate to the client, and the client authenticates itself to the server by sending its user name and password. This type of authentication is sometimes called server authentication. Mutual authentication adds the dimension of client authentication. For mutual authentication, we need both the client's identity, as contained in a client certificate, and the server's identity, as contained in a server certificate inside a keystore file (keystore.jks). We also need both of these identities to be contained in a mutual trust-store (cacerts.jks) where they can be verified.
To add mutual authentication to a basic JAX-RPC service, complete the following steps. In the example application included with this tutorial, many of these steps have been completed for you and are listed here to show what needs to be done should you wish to create a similar application.
1. Complete the JAX-RPC application as described in Creating a Simple Web Service and Client with JAX-RPC.
2. Create the appropriate certificates and keystores. For this example, the certificates and keystores are created for the server as a generic localhost and are included with the Application Server. See the section Keystores and Trust-Stores in the Mutual Authentication Example for a discussion of how to create the client certificates for this example.
3. If the port value is changed from the default of localhost:8080, see Setting the Port for information on updating the example files to reflect this change. The WAR files mentioned in this tutorial will not work if the port has been changed.
4. Edit the build.properties files to add the location and password to the trust-store, and other properties, as appropriate. For a discussion of the modifications that need to be made to build.properties, see Modifying the Build Properties. While you are looking at this file, note the value entered for admin.user. Also note the value for the admin password as specified in the file admin-password.txt in the field AS_ADMIN_PASSWORD.
5. Add a user to the file realm with the name that matches the value set in the build.properties file (admin) for the admin.user property and a password that matches the value set in the admin-password.txt file for the AS_ADMIN_PASSWORD property. Refer to the section Managing Users, for instructions for doing this.
6. Set security properties in the client code. For the example application, this step has been completed. For a discussion of the security properties that have been set in HelloClient, see Setting Security Properties in the Client Code.
7. Add the appropriate security elements using deploytool. The security elements are discussed in the section Enabling Client-Certificate Authentication for the Mutual Authentication Example.
8. Build, package, and deploy the service, deploy the server, and then build and run the client (see Building, Packaging, Deploying, and Running the Mutual Authentication Example). You will use the asant tool to compile the client and service and to run the client. You will use deploytool to package and deploy the service.
Keystores and Trust-Stores in the Mutual Authentication Example
In this example, the keystore file (keystore.jks) and the trust-store file (cacerts.jks) have been created for the server as a generic localhost and are included with the Application Server in the directory/domains/domain1/config/. You must follow the instructions in Creating a Client Certificate for Mutual Authentication to create a client certificate and add it to the existing trust-store. You must create the client certificates in the directory /domains/domain1/config/, and you must restart the Application Server for the client certificate to be accessed by the application.
Modifying the Build Properties
To build and run the application with mutual authentication, we have set up the example so that some of the values are passed to the application from various build.properties files.
To run any of the examples, you must modify the build.properties file located in the /j2eetutorial14/examples/common/ directory to provide your admin password and the location where the Application Server is installed. If you need more information, see Building the Examples.
For this example, the build.properties file that is specific to this application, /j2eetutorial14/examples/security/common/build.properties, has been modified for you. This file provides specific information about the JAX-RPC examples to the asant targets we will be running later. This information concerns the location of the keystore and trust-store files and their associated passwords.
Make sure that the following properties exist and are correctly defined.
trust.store=${j2ee.home}/domains/domain1/config/cacerts.jks
trust.store.password=changeit
key.store=${j2ee.home}/domains/domain1/config/keystore.jks
key.store.password=changeit
Setting Security Properties in the Client Code
The source code for the client is in the HelloClient.java file of the /j2eetutorial14/examples/security/mutualauthclient/src/ directory. For mutual authentication, the client code must set several security-related properties. These values are passed into the client code when the asant build and run tasks are executed.
• trustStore: The value of the trustStore property is the fully qualified name of the trust-store file: /domains/domain1/config/cacerts.jks.
• trustStorePassword: The trustStorePassword property is the password of the trust-store. The default value of this password is changeit.
• keyStore: The value of the keyStore property is the fully qualified name of the keystore file: /domains/domain1/config/keystore.jks
• keyStorePassword: The keyStorePassword property is the password of the keystore. The default value of this password is changeit.
• ENDPOINT_ADDRESS_PROPERTY: The ENDPOINT_ADDRESS_PROPERTY property sets the endpoint address that the stub uses to access the service.
The client sets the aforementioned security properties as shown in the following code. The code in bold is the code that has been added from the original version of the jaxrpc/staticstub example application.
package mutualauthclient;

import javax.xml.rpc.Stub;

public class HelloClient {

public static void main(String[] args) {

if (args.length !=5) {
System.out.println("HelloClient Error: Need 5
runtime arguments!");
System.exit(1);
}

String keyStore=args[0];
String keyStorePassword=args[1];
String trustStore=args[2];
String trustStorePassword=args[3];
String endpointAddress=args[4];

// print to display for verification purposes
System.out.println("keystore: " + keyStore);
System.out.println("keystorePassword: " +
keyStorePassword);
System.out.println("trustStore: " + trustStore);
System.out.println("trustStorePassword: " +
trustStorePassword);
System.out.println("Endpoint address: " +
endpointAddress);

try {
Stub stub = createProxy();
System.setProperty("javax.net.ssl.keyStore",
keyStore);
System.setProperty("javax.net.ssl.keyStorePassword",
keyStorePassword);
System.setProperty("javax.net.ssl.trustStore",
trustStore);
System.setProperty("javax.net.ssl.trustStorePassword",
trustStorePassword);
stub._setProperty(
javax.xml.rpc.Stub.ENDPOINT_ADDRESS_PROPERTY,
endpointAddress);

HelloIF hello = (HelloIF)stub;
System.out.println(hello.sayHello("Duke! ( secure!"));
} catch (Exception ex) {
ex.printStackTrace();
}
}

private static Stub createProxy() {
// Note: MyHelloService_Impl is implementation-specific.
return (Stub)(new
MySecureHelloService_Impl().getHelloIFPort());
}
}
Enabling Client-Certificate Authentication for the Mutual Authentication Example
The two ways of implementing client authentication are discussed in Enabling Mutual Authentication over SSL. You can set client authentication for all applications (by specifying this in the deployment descriptor for the server) or for only a single application (by specifying this in the deployment descriptor for the application). For this example, we are enabling client authentication for this application only, so we specify the login authentication method as being Client-Certificate. The steps for adding client-certificate authentication are shown in Adding Client-Certificate Authentication Using deploytool.
For more information on login configuration options, read Understanding Login Authentication.
The user authentication method specifies a client-certificate method of authentication in this example. For this authentication to run over SSL, you must also specify which type of transport guarantee to use. For this example, we have chosen CONFIDENTIAL, which is specified in the Network Security Requirement field on the Security tabbed pane in deploytool.
For more information on this type of constraint, read Specifying a Secure Connection.
Building, Packaging, Deploying, and Running the Mutual Authentication Example
To build, deploy, and run the JAX-RPC service example with mutual authentication, follow these steps.
Building the Mutual Authentication Example
To compile the application files and copy them to the correct directories, run the asant build task. More information on what happens when the build task is called can be found in Building the Service.
1. If you haven't already done so, follow these steps for setting up the example.
o Using SSL
o Building the Examples
2. Go to the /j2eetutorial14/examples/security/mutualauth/ directory.
3. Build the JAX-RPC service by entering the following at the terminal window or command prompt in the mutualauth/ directory (this and the following steps that use asant assume that you have the executable for asant in your path; if not, you will need to provide the fully qualified path to the asant executable):
asant build
4. Change to the directory /j2eetutorial14/examples/security/mutualauthclient/.
5. Build the JAX-RPC client by entering the following at the terminal window or command prompt:
asant build
Packaging the Mutual Authentication Example
You can package the mutual authentication example using asant or deploytool, or you can open the WAR file located in the /j2eetutorial14/examples/security/provided-wars/mutualauth.war file.
To package the example using asant, run the following command and then skip to the section titled Deploying the Mutual Authentication Example:
asant create-war
To package the example using deploytool, follow the steps described in Packaging and Deploying the Service with deploytool and Specifying the Endpoint Address. When following these steps, replace the following:
• The path to the example should be replaced with /j2eetutorial14/examples/security/mutualauth/.
• Replace helloservice with mutualauth throughout.
• Use /mutualauth-jaxrpc for the Context Root field.
Adding Client-Certificate Authentication Using deploytool
For HTTP client-certificate authentication, the application deployment descriptor, web.xml, includes the information on who is authorized to access the application, which URL patterns and HTTP methods are protected, and what type of user authentication method this application uses. This information is added to the deployment descriptor using deploytool, and its contents are discussed in more detail in Web-Tier Security and in the Java Servlet specification, which can be browsed or downloaded online at http://java.sun.com/products/servlet/.
1. If you packaged the example using deploytool, select the MutualAuth example in the deploytool tree. If you packaged the example using asant, you can ignore this section as these steps were completed by the asant task.
2. Select the Security tabbed pane.
3. Select Client Certificate in the User Authentication Method field.
4. Select Add Constraints to add a security constraint.
5. Select Add Collections to add a web resource collection.
6. Select the web resource collection from the list, and then select Edit Collections.
7. Select Add URL Pattern. Enter /hello in the text field. Click OK.
8. Select the HTTP GET and POST methods.
9. Click OK to close the Edit Contents dialog box.
10. Select CONFIDENTIAL under Network Security Requirement so that the application requires HTTP/SSL.
11. Select Save from the File menu to save these settings.
Deploying the Mutual Authentication Example
To deploy the example using asant, run the following command:
asant deploy-war
To deploy the application using deploytool, follow these steps:
1. Deploy the JAX-RPC service by selecting the MutualAuth example in the deploytool tree. Then select Tools Deploy.
2. Make sure the server is correct. By default, this will be localhost:4848.
3. Enter your admin user name and password.
4. Click OK.
5. Click the Close button after the messages indicating successful completion are finished.
Running the Mutual Authentication Example
Enter the following command from the mutualauthclient/ directory at the terminal window or command prompt to run the JAX-RPC client:
asant run
The client should display the following output:
Buildfile: build.xml

run-mutualauth-client:
[java] keystore: /domains/domain1/config/
keystore.jks
[java] keystorePassword: changeit
[java] trustStore: /domains/domain1/config/
cacerts.jks
[java] trustStorePassword: changeit
[java] Endpoint address = https://localhost:8181/
mutualauth-jaxrpc/hello

[java] Hello Duke (secure)

run:

BUILD SUCCESSFUL

Sun Glassfish Installation

2010-05-25T15:59:00.006+05:30

% java -version
The installation is very easy as the download file include all necessary files.
1. Download Glassfish into the directory the server should later run
2. Run:
% java -Xmx256m -jar filename.jar
This command will unbundle GlassFish and create a new directory structure rooted under a directory named 'glassfish'.
3. % cd glassfish
4. Set the execute permission for the Ant binaries that are included with the GlassFish bundle. If you have not the necessary permissions run the command as sudo (you have to put "sudo" before the command)
% chmod -R +x lib/ant/bin
% lib/ant/bin/ant -f setup.xml
5. start the server using the asadmin command. For that be maybe you first have to change the current directory to /glassfish/bin.
% asadmin Use "exit" to exit and "help" for online help.
6. next start the database simply needed to run
./asadmin
7. asadmin> start-database

7. and finally you can start the server...
asadmin> start-domain domain1 Starting Domain domain1, please wait.....
8. The server is now up and running. You can log into the web admin interface by the following url:
http://localhost:4848
Login as Admin - userid="admin", password ="adminadmin"
./asadmin start-domain domain1

Changing Default GlassFish v3 Prelude Port Numbers 4848, 8080, and 8181

When you create courses, you sometimes do crazy things like installing multiple GlassFish domain administration servers (DAS) in a single host.

When you install GlassFish, it gives you default port numbers of of 4848 (for administration), 8080 (for the HTTP listener), and 8181 (for the HTTPS listener). But what do you do if you want to change them?

I got a few ideas googling "asadmin port number" and the like but couldn't really find a good example. So, I figured out how you do it and thought I would post an example in case anyone finds themselves in the same predicament as I did today.

Here are some examples that work in GlassFish v3 Prelude:

1.To change the HTTP port to 10080:

asadmin set server.http-service.http-listener.http-listener-1.port=10080

2.To change the HTTPS port to 10443:

asadmin set server.http-service.http-listener.http-listener-2.port=10443

3.To change the administration server port to 14848:

asadmin set server.http-service.http-listener.admin-listener.port=14848

It's handy to know you can grep for server properties in GlassFish v3 Prelude as follows:

asadmin get server | grep listener

shows all the properties with the text "listener" in them.

In GlassFish v3 Prelude, you can set port numbers for administration and the HTTP listener in the installer - but not for the HTTPS listener. You might find yourself needing to explicitly specify the administration port in your asadmin command. For example:

asadmin set --port 14848 server.http-service.http-listener.http-listener-2.port=10443

Glassfish path

C:\glassfish\config\asenv.bat:

REM set AS_JAVA=C:\Program Files\Java\jdk1.6.0_04\jre/..
set AS_JAVA=C:\Program Files\Java\jdk1.5.0_16

IT Security Policy

2010-04-23T14:32:00.001+05:30

Data Access Security
Security Firewalls are installed to prevent unauthorized access to the network
Group policies in place for accessing PCs and workstations for authorized access
Access to important files and directories is given only to specific personnel
All email and web servers are located at an independent internet data center
Backup policy in place. Monthly backups are stored at an off-site location and removable backups are kept safe with logs duly maintained. Daily backup are stored in fire-proof safe.
External security audits are enforced to assess any breach with multi level security management in control
By default, all ports (USB, Serial, Parallel) are disabled on PCs. Enabling of the required ports is done only on specific requests by the client
Physical security ensures no CDs, Pen-drives, movable media goes in and out of the facility without written permission from the management
Network Security
Each client's process is run on a separate VLAN/VPN when run off-shore/off-site
Software defined secure tunnels through the internet
Only client authorized personnel is allowed to access the VNC/VLAN/VPN. This setup prevents others from accessing the project information
Real-time Anti-virus, Ant and AntuPAM protection for desktops and servers
Annual maintenance and scheduled preventive maintenance in place for critical assets
Adequate spares are available for all critical infrastructure, thereby minimizing downtime
Wireless LAN in the office is also security protected
Voice Calls Security
Authorization for use of VoIP lines and is provided on a need or project basis
VoIP is password protected
ACD reports are generated on a weekly basis and analyzed

Projectdotnet Change the Functional area value

2010-04-23T14:19:00.003+05:30

To add the funcational are value in Projectdont:-

To Add functional Value:-
Open the sqlpuls from command line then type the following command.

insert into pn_project_space_meta_combo values(6,'Paxcel','Paxcel');

select * from pn_project_space_meta_combo ;

To Rename the functional area value:-
Type the following command

SQL> update pn_project_space_meta_combo set COMBO_LABEL='QA' WHERE COMBO_LABEL='
Manufacturing';

SVN Commands

2010-04-23T13:11:00.003+05:30

$ svnadmin recover c:\svn\test(svn repository path)
$ svn admin verify c:\svn\test(svn repository path)

Create repository:-

svnadmin create c:\svn\test11 (svn repository path)

MIME Type File Extension

2010-01-27T23:48:00.002+05:30

application/SLA stl
application/STEP step
application/STEP stp
application/acad dwg
application/andrew-inset ez
application/clariscad ccad
application/drafting drw
application/dsptype tsp
application/dxf dxf
application/excel xls
application/i-deas unv
application/java-archive jar
application/mac-binhex40 hqx
application/mac-compactpro cpt
application/vnd.ms-powerpoint pot
application/vnd.ms-powerpoint pps
application/vnd.ms-powerpoint ppt
application/vnd.ms-powerpoint ppz
application/msword doc
application/octet-stream bin
application/octet-stream class
application/octet-stream dms
application/octet-stream exe
application/octet-stream lha
application/octet-stream lzh
application/oda oda
application/ogg ogg
application/ogg ogm
application/pdf pdf
application/pgp pgp
application/postscript ai
application/postscript eps
application/postscript ps
application/pro_eng prt
application/rtf rtf
application/set set
application/smil smi
application/smil smil
application/solids sol
application/vda vda
application/vnd.mif mif
application/vnd.ms-excel xlc
application/vnd.ms-excel xll
application/vnd.ms-excel xlm
application/vnd.ms-excel xls
application/vnd.ms-excel xlw
application/vnd.rim.cod cod
application/x-arj-compressed arj
application/x-bcpio bcpio
application/x-cdlink vcd
application/x-chess-pgn pgn
application/x-cpio cpio
application/x-csh csh
application/x-debian-package deb
application/x-director dcr
application/x-director dir
application/x-director dxr
application/x-dvi dvi
application/x-freelance pre
application/x-futuresplash spl
application/x-gtar gtar
application/x-gunzip gz
application/x-gzip gz
application/x-hdf hdf
application/x-ipix ipx
application/x-ipscript ips
application/x-javascript js
application/x-koan skd
application/x-koan skm
application/x-koan skp
application/x-koan skt
application/x-latex latex
application/x-lisp lsp
application/x-lotusscreencam scm
application/x-mif mif
application/x-msdos-program bat
application/x-msdos-program com
application/x-msdos-program exe
application/x-netcdf cdf
application/x-netcdf nc
application/x-perl pl
application/x-perl pm
application/x-rar-compressed rar
application/x-sh sh
application/x-shar shar
application/x-shockwave-flash swf
application/x-stuffit sit
application/x-sv4cpio sv4cpio
application/x-sv4crc sv4crc
application/x-tar-gz tar.gz
application/x-tar-gz tgz
application/x-tar tar
application/x-tcl tcl
application/x-tex tex
application/x-texinfo texi
application/x-texinfo texinfo
application/x-troff-man man
application/x-troff-me me
application/x-troff-ms ms
application/x-troff roff
application/x-troff t
application/x-troff tr
application/x-ustar ustar
application/x-wais-source src
application/x-zip-compressed zip
application/zip zip
audio/TSP-audio tsi
audio/basic au
audio/basic snd
audio/midi kar
audio/midi mid
audio/midi midi
audio/mpeg mp2
audio/mpeg mp3
audio/mpeg mpga
audio/ulaw au
audio/x-aiff aif
audio/x-aiff aifc
audio/x-aiff aiff
audio/x-mpegurl m3u
audio/x-ms-wax wax
audio/x-ms-wma wma
audio/x-pn-realaudio-plugin rpm
audio/x-pn-realaudio ram
audio/x-pn-realaudio rm
audio/x-realaudio ra
audio/x-wav wav
chemical/x-pdb pdb
chemical/x-pdb xyz
image/cmu-raster ras
image/gif gif
image/ief ief
image/jpeg jpe
image/jpeg jpeg
image/jpeg jpg
image/png png
image/tiff tif tiff
image/tiff tif
image/tiff tiff
image/x-cmu-raster ras
image/x-portable-anymap pnm
image/x-portable-bitmap pbm
image/x-portable-graymap pgm
image/x-portable-pixmap ppm
image/x-rgb rgb
image/x-xbitmap xbm
image/x-xpixmap xpm
image/x-xwindowdump xwd
model/iges iges
model/iges igs
model/mesh mesh
model/mesh msh
model/mesh silo
model/vrml vrml
model/vrml wrl
text/css css
text/html htm
text/html html htm
text/html html
text/plain asc txt
text/plain asc
text/plain c
text/plain cc
text/plain f90
text/plain f
text/plain h
text/plain hh
text/plain m
text/plain txt
text/richtext rtx
text/rtf rtf
text/sgml sgm
text/sgml sgml
text/tab-separated-values tsv
text/vnd.sun.j2me.app-descriptor jad
text/x-setext etx
text/xml xml
video/dl dl
video/fli fli
video/flv flv
video/gl gl
video/mpeg mp2
video/mp4 mp4
video/mpeg mpe
video/mpeg mpeg
video/mpeg mpg
video/quicktime mov
video/quicktime qt
video/vnd.vivo viv
video/vnd.vivo vivo
video/x-fli fli
video/x-ms-asf asf
video/x-ms-asx asx
video/x-ms-wmv wmv
video/x-ms-wmx wmx
video/x-ms-wvx wvx
video/x-msvideo avi
video/x-sgi-movie movie
www/mime mime
x-conference/x-cooltalk ice
x-world/x-vrml vrm
x-world/x-vrml vrml

What is new in Windows 7?

2009-12-13T22:15:00.001+05:30

What’s new in Windows Server 2008

2009-04-05T23:20:00.002+05:30

Active Directory Domain Services (formerly known as Active Directory) and Identity Management in Windows Server 2008 now cover several different services:

Active Directory Domain Services (AD DS)
Active Directory Federation Services (AD FS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Rights Management Services (AD RMS).
Active Directory Certificate Services (AD CS)
Each service represents a Server Role, a new concept in Windows Server 2008.

There have been a lot of new features and functions added to the Active Directory in Windows Server 2008.

In this article I will focus on the Active Directory Domain Services (AD DS) in Windows Server 2008, which includes several enhancements and new features compared to Windows Server 2003.

Here is a short overview of the main changes and new Domain Services functionality, which I will focus on in this article:

Active Directory Domain Services - Read-Only Domain Controllers
Active Directory Domain Services - Restartable Active Directory Domain Services
Active Directory Domain Services - Fine-Grained Password Policies

Active Directory Domain Services

The Domain Services functionality has been carried forward and updated in Windows Server 2008, along with an improved setup wizard (Server Manager). This also provides new management options for AD DS features such as Read-Only Domain Controllers (RODCs).

The Active Directory Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed.

The RODC’s main purpose is to improve security in branch offices. In branch offices it is often hard to get the physical security needed for an IT infrastructure, especially for Domain Controllers that contain sensitive data. Often a DC can be found under a desk in the office. If someone gets physical access to the DC, it is not hard to manipulate the system and get access to the data. The RODC solves these issues.

The essentials of RODC are:

Read-Only Domain Controller
Administrative Role Separation
Credential Caching
Read-Only DNS

Read-Only Domain Controller
RODC holds a non-writable and read-only copy of the Active Directory database with all objects and attributes. RODC only supports uni-directional replication of Active Directory changes, which means that the RODC always replicates directly with the Domain Controllers in the HUB site.

Administrative Role Separation

You can delegate local administrator permissions for the RODC server to any user in Active Directory. The delegated user account will now be able to log onto the server and do server maintenance tasks, without having any AD DS permissions and the user does not have access to other Domain Controllers in Active Directory, this way security is not compromised for the domain.

Credential Caching

What is difference between role and features in windows server 2008?

2009-03-01T13:47:00.002+05:30

Roles as major functions of the server and Features as smaller add-on packages. Whether it is a role or a feature, these are all Microsoft Windows 2008 add-ons, not 3rd party applications.
Here are some examples of each:

Roles

Windows AD/DC Server,
DNS,
DHCP,
File,
Print,
NAP,
Terminal Server,
IIS,
WDS,
WSS

Features
.NET,
Bitlocker Encryption,
BITS,
Remote Assistance,
SMTP Server,
SNMP,
telnet server & client,
failover,
NLB,
TFTP,
Windows Server Backup,
WINS,
Powershell

Troubleshooting some common SBS 2003 issues

2009-01-24T20:35:00.000+05:30

Subject: Process (store.exe) Alert on ServerName
Alert on ServerName at date time
The store.exe process is allocating more memory than usual.
Check to see if you are having problems with e-mail. If so, stop and then restart the Microsoft Exchange Information Store service. You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad.

It seems to me that first thing is first, lets determine how much memory store.exe is actually consuming. Also, I would like to know if it really is actually causing a problem in performance. If it is, it may explain why the server appears sluggish to some users.

Determining how much memory store.exe is using now, is not hard of course. Personally, I usually grab Sysinternals process explorer for this, cause it gives me more and better info than the default task manager app, I might grab it later, for now I only want a memory usage overview.

memory dump file options for Windows Server 2003, Windows XP, and Windows 2000

2009-01-20T23:26:00.000+05:30

configure Microsoft Windows Server 2003, Microsoft Windows XP, and Microsoft Windows 2000 to write debugging information to three different file formats (also known as memory dump files) when your computer stops unexpectedly as a result of a Stop error (also known as a "blue screen," system crash, or bug check). You can also configure Windows not to write debugging information to a memory dump file.

Windows can generate any one of the following memory dump file types:

* Complete memory dump
* Kernel memory dump
* Small memory dump (64 KB)

Complete memory dump
A complete memory dump records all the contents of system memory when your computer stops unexpectedly. A complete memory dump may contain data from processes that were running when the memory dump was collected.

If you select the Complete memory dump option, you must have a paging file on the boot volume that is sufficient to hold all the physical RAM plus 1 megabyte (MB).

If a second problem occurs and another complete memory dump (or kernel memory dump) file is created, the previous file is overwritten.

Note The Complete memory dump option is not available on computers that are running a 32-bit operating system and that have 2 gigabytes (GB) or more of RAM.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
274598 (http://support.microsoft.com/kb/274598/ ) Complete memory dumps are not available on computers that have 2 or more gigabytes of RAM
Back to the top
Kernel memory dump
A kernel memory dump records only the kernel memory. This speeds up the process of recording information in a log when your computer stops unexpectedly. Depending on the RAM in your computer, you must have between 150MB and up to 2GB of pagefile space available based on server load and the amount of physical RAM available for page file space on the boot volume.

This dump file does not include unallocated memory or any memory that is allocated to User-mode programs. It includes only memory that is allocated to the kernel and hardware abstraction layer (HAL) in Windows 2000 and later, and memory allocated to Kernel-mode drivers and other Kernel-mode programs. For most purposes, this dump file is the most useful. It is significantly smaller than the complete memory dump file, but it omits only those parts of memory that are unlikely to have been involved in the problem.

If a second problem occurs and another kernel memory dump file (or a complete memory dump file) is created, the previous file is overwritten.
Back to the top
Small memory dump
A small memory dump records the smallest set of useful information that may help identify why your computer stopped unexpectedly. This option requires a paging file of at least 2 MB on the boot volume and specifies that Windows 2000 and later create a new file every time your computer stops unexpectedly. A history of these files is stored in a folder.

This dump file type includes the following information:

* The Stop message and its parameters and other data
* A list of loaded drivers
* The processor context (PRCB) for the processor that stopped
* The process information and kernel context (EPROCESS) for the process that stopped
* The process information and kernel context (ETHREAD) for the thread that stopped
* The Kernel-mode call stack for the thread that stopped

This kind of dump file can be useful when space is limited. However, because of the limited information included, errors that were not directly caused by the thread that was running at the time of the problem may not be discovered by an analysis of this file.

If a second problem occurs and a second small memory dump file is created, the previous file is preserved. Each additional file is given a distinct name. The date is encoded in the file name. For example, Mini022900-01.dmp is the first memory dump generated on February 29, 2000. A list of all small memory dump files is kept in the %SystemRoot%\Minidump folder.
Back to the top
Configure the dump type
To configure startup and recovery options (including the dump type), follow these steps.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System.
3. On the Advanced tab, click Startup and Recovery.

Back to the top
Tools for the various dump types
You can load complete memory dumps and kernel memory dumps with standard symbolic debuggers, such as I386kd.exe. I386kd.exe is included with the Windows 2000 Support CD-ROM.

Load small memory dumps by using Dumpchk.exe. Dumpchk.exe is included with the Support Tools for Windows 2000 and Windows XP. You can also use Dumpchk.exe to verify that a memory dump file has been created correctly.

For more information about how to use Dumpchk.exe in Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
315271 (http://support.microsoft.com/kb/315271/ ) How to use Dumpchk.exe to check a memory dump file
For more information about how to use Dumpchk.exe in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
156280 (http://support.microsoft.com/kb/156280/ ) How to use Dumpchk.exe to check a memory dump file
For more information about Windows debugging tools, visit the following Microsoft Web site:
http://www.microsoft.com/whdc/devtools/debugging/default.mspx (http://www.microsoft.com/whdc/devtools/debugging/default.mspx)
Back to the top
Definitions

* Boot volume: The volume that contains the Windows operating system and its support files. The boot volume can be, but does not have to be, the same as the system volume.
* System volume: The volume that contains the hardware-specific files that you must have to load Windows. The system volume can be, but does not have to be, the same as the boot volume. The Boot.ini, Ntdetect.com, and Ntbootdd.sys files are examples of files that are located on the system volume.

Back to the top
Registry values for startup and recovery
The following registry value is used:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl

CrashDumpEnabled REG_DWORD 0x0 = None
CrashDumpEnabled REG_DWORD 0x1 = Complete memory dump
CrashDumpEnabled REG_DWORD 0x2 = Kernel memory dump
CrashDumpEnabled REG_DWORD 0x3 = Small memory dump (64KB)
Additional registry values for CrashControl:
0x0 = Disabled
0x1 = Enabled

AutoReboot REG_DWORD 0x1
DumpFile REG_EXPAND_SZ %SystemRoot%\Memory.dmp
LogEvent REG_DWORD 0x1
MinidumpDir REG_EXPAND_SZ %SystemRoot%\Minidump
Overwrite REG_DWORD 0x1
SendAlert REG_DWORD 0x1
Back to the top
Test to make sure that a dump file can be created
For more information about how to configure your computer to generate a dump file for testing purposes, click the following article number to view the article in the Microsoft Knowledge Base:
244139 (http://support.microsoft.com/kb/244139/ ) Windows feature lets you generate a memory dump file by using the keyboard
Back to the top
Default dump type options

* Windows 2000 Professional: Small memory dump (64 KB)
* Windows 2000 Server: Complete memory dump
* Windows 2000 Advanced Server: Complete memory dump
* Windows XP (Professional and Home Edition): Small memory dump (64 KB)
* Windows Server 2003 (All Editions): Complete memory dump

Back to the top
Maximum paging file size
Maximum paging file size is limited as follows:
Collapse this tableExpand this table
x86 x64 IA-64
Maximum size of a paging file 4 gigabytes 16 terabytes 32 terabytes
Maximum number of paging files 16 16 16
Total paging file size 64 gigabytes 256 terabytes 512 terabytes
Note When the Physical Address Extension (PAE) option is enabled for an x86-based processor, you can set the paging file size to a maximum of 16 terabytes (TB). However, we recommend that you set the paging file size to 1.5 times the installed physical memory.
Back to the top
Technical support for x64-based versions of Microsoft Windows
Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site:
http://www.microsoft.com/windowsxp/64bit/default.mspx (http://www.microsoft.com/windowsxp/64bit/default.mspx)
For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:
http://www.microsoft.com/windowsserver2003/64bit/x64/editions.mspx

How to Troubleshoot Memory Leaks in IIS

2009-01-20T23:22:00.000+05:30

how to use Performance Monitor to determine if an Internet Information Server (IIS) 4.0 or Internet Information Services (IIS) 5.0 process is leaking memory. Although this article outlines steps that are specific to IIS, the steps apply to any process that is running on Microsoft Windows NT 4.0 and Microsoft Windows 2000.

A memory leak occurs when the memory usage of an IIS process (Inetinfo.exe or Mtx.exe for IIS 4.0, Inetinfo.exe or Dllhost.exe for IIS 5.0) continues to grow steadily over a long time, or when memory usage of IIS grows until IIS runs out of memory. On heavy-use sites, a growth in memory over the first 24 hours of use is not uncommon. IIS caches a lot of data and the Time To Live (TTL) on the cache is 24 hours.

You can generally confirm whether a memory leak exists through a Performance Monitor log that demonstrates the growth of the leak.

Note Because Task Manager can only display real-time memory use of a process (instead of logging it over a period of time), it is not a valid indicator of a memory leak. Ideally, the performance log is started shortly after the server is restarted, and it is run long enough to show that the leak exists.
How to Generate a Performance Monitor Log for IIS 4.0

1. Click Start, point to Programs, select Administrative Tools, and then click Performance Monitor.
2. On the View menu, click Log.
3. On the Edit menu, select Add to log to open the Add to Log dialog box. (You can also click + on the toolbar).
4. Hold down the CTRL key and select each of the following objects:
* Active Server Pages
* Internet Information Services Global
* Memory
* Process
* Processor
* Thread
* Web Service
5. Click Add, and then click Done.
6. On the Options menu, click Log. Provide an appropriate file name, and then verify that the format is .log under Save as Type.
7. For Update Time, provide an interval that is between the time that it takes to show the leak and the time when the computer will run out of hard disk space. If the leak takes several days to occur, a longer interval of 10-15 minutes is appropriate; if it only takes a few hours, a shorter interval is appropriate. Note that for Windows NT, generating a Performance Monitor log requires an active logon to the computer, so you can use a mapped drive or UNC path for the log file output. Generation of the log file stops when one of the following occurs:
* The log is stopped.
* Available hard disk space is exhausted.
* The log file size reaches 2 GB.
* The server stops responding because of the memory leak.
8. After you click Start Log, Performance Monitor starts to log data. While the log is running, you can view the size of the log that is being generated in the lower right corner of Performance Monitor.
9. After sufficient time has passed for the leak to occur, click Log on the Options menu, and then click Stop Log.

How to Generate a Performance Monitor Log for IIS 5.0

1. Click Start, point to Programs, select Administrative Tools, and then click Performance.
2. Expand Performance Logs and Alerts.
3. Right-click Counter Logs, and then click New Log Settings.
4. Provide a name for the new log file.
5. On the General tab, click Add.
6. Click both All Counters and All Instances.
7. In the Performance Object list, click Active Server Pages. Verify that All Counters is enabled. Note that All Instances is not available. Click Add.
8. Repeat this process for the following objects:
* Internet Information Services Global
* Memory
* Process
* Processor
* Thread
* Service
If you do this correctly, each counter is listed as \\computername\counterobject\* on the General tab.
9. Set the sample data interval that is between the time that it takes to show the leak and the time when the computer will run out of hard disk space. If the leak takes several days to occur, a longer interval of 10-15 minutes is appropriate; if it only takes several hours, a shorter interval is appropriate. Make sure to pay attention to the unit of the interval (seconds, minutes, hours, or days).
10. On the Log Files tab, change the location of the log if you have to. Leave all other options on this tab at the default values.
11. If you must generate the log file without anyone being logged on to the server, set a start and stop time for the log file on the Schedule tab. (This option does not exist on Windows NT 4.0).
12. Click OK to return to the Performance Microsoft Management Console (MMC) snap-in.
13. If you have to, in the right pane of the MMC snap-in, right-click the log file name that you created, and then click Start. If the icon is green, the log is running. If it is red, it is stopped.

How to Open and View the Performance Monitor Log for IIS 4.0

1. Click Start, point to Programs, select Administrative Tools, and then click Performance Monitor.
2. On the Options menu, click Data From.
3. Click Log File, and then click the Edit (...) button to open the Open Input Log File dialog box.
4. Select the Performance Monitor log that you want, and then click Open.
5. In the Data From dialog box, click OK.
6. On the Edit menu, click Add to Chart (or click the + toolbar button).
7. In the Object list, click Memory. In the Counter list, click Available Bytes.
8. In the Object list, click Process. In the Counter list, hold down the CTRL key, and then click Private Bytes, Virtual Bytes, and Working Set. In the Instance list, click the appropriate process name (Inetinfo.exe or Mtx.exe), and then click Add. If you have to, repeat this process for each instance of Mtx.exe.
9. Click Done after you add the counters to the chart.

How to Open and View the Performance Monitor Log for IIS 5.0

1. Click Start, point to Programs, select Administrative Tools, and then click Performance.
2. Under Console Root, click System Monitor.
3. In the right pane, right-click in the chart area, and then click Properties.
4. On the Source tab, click Log file. Locate and select the Performance Monitor log that you want.
5. Click Open to return to the Source tab.
6. Click the Data tab, and then click Add.
7. In the Performance object list, click Memory. Under Select counters from list, click Available Bytes, and then click Add.
8. In the Performance object list, click Process. Under Select counters from list, hold down the CTRL key, and then click Private Bytes, Virtual Bytes, and Working set. Under Select instances from list, select the process that you suspect is leaking memory (Inetinfo.exe or Dllhost.exe). If you have to, repeat this process for each instance of Dllhost.exe.
9. Click Close to return to the Data tab.
10. Click OK to display the data.

How to Confirm a Memory Leak With a Performance Monitor Log
A memory leak is confirmed if you see the following in the Performance Monitor log:

* The Available Bytes counter under the Memory object drops over time and does not eventually level off.
* Under typical conditions, the Process object counters for a process (Private Bytes and Virtual Bytes) are basically parallel. If one of these counters for a process is not consistent with the other, a memory leak may exist.

Note that troubleshooting a memory leak is a repetitive process that frequently requires isolating suspected applications down to the individual processes to determine the application that is the source of the leak. For additional information about how to isolate applications to individual processes for troubleshooting, click the following article numbers to view the articles in the Microsoft Knowledge Base:
281434 (http://support.microsoft.com/kb/281434/EN-US/ ) How to Isolate a DLL Into a Separate Process By Using Microsoft Transaction Server (MTS)
281335 (http://support.microsoft.com/kb/281335/EN-US/ ) How to Isolate a DLL Into a Separate Process By Using Component Services
After you have confirmed the memory leak and, if necessary, isolated the leak to an individual process, contact Microsoft Product Support Services for more help. Having a Performance Monitor log available decreases the troubleshooting time.

How to use Memory Pool Monitor (Poolmon.exe) to troubleshoot kernel mode memory leaks

2009-01-20T23:20:00.000+05:30

Poolmon displays data that the operating system collects about memory allocations from the system paged and nonpaged kernel pools and about the memory pools used for Terminal Services sessions. The data is grouped by pool allocation tag. This information can be used by Microsoft Technical Support to find kernel mode memory leaks.

A memory leak is caused by an application or by a process that allocates memory for use but that does not free the memory when the application or process finishes. Therefore, available memory is completely used over time. Frequently, this condition causes the system to stop functioning correctly.

In this case, the following events may be logged in the System log:

Event ID: 2020
Source: Srv
Description: The server was unable to allocate from the system paged pool because the pool was empty.

Event ID: 2019
Source: Srv
Description: The server was unable to allocate from the system nonpaged pool because the pool was empty.

The first section that follows describes how to enable tag mode for using Poolmon. The second section describes how to gather the information for troubleshooting by using Poolmon.
Back to the top
Enabling Tag Mode
Before running PoolMon, you must enable pool tagging and then restart your computer. The pool tagging feature collects and calculates statistics about pool memory sorted by the tag value of the memory allocation.

Note It is not necessary to enable pool tagging in Windows Server 2003 as it is enabled by default.

To enable pool tagging on a Windows NT 4.0-based, Windows 2000-based, or Windows XP-based computer, use one of the following methods:
Method 1: Edit the Registry
To change the registry value that enables tag mode for Poolmon.exe, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

1. Run Registry Editor.
2. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
3. Write down the value of GlobalFlag, or save the Session Manager key.
4. Double-click the GlobalFlag value in the right pane.
5. Change the value to 0x00000400 hexadecimal.

Note When you add the global flag value 0x00000400, it only shows up as being 0x400 after it is added. It is important to add all of the leading zeros or some of the Poolmon information will not display on the output screen.
6. Restart the computer.

Note When you are finished debugging, change the GlobalFlag value back to the original value that you were instructed to write down in step 3.
Method 2: Use the Gflags.exe Utility
You can also use the Global Flags Editor (Gflags.exe) utility to enable pool tagging. Gflags.exe is available in the Windows NT 4.0 Resource Kit and in the \Support\Tools folder of Windows 2000, Windows XP, and Windows Server 2003 CD-ROMs.

Note Because pool tagging is permanently enabled in Windows Server 2003, the Enable Pool Tagging check box in the Global Flags dialog box is dimmed and commands to enable or disable pool tagging fail.

To make the change by using Gflags.exe, follow these steps:

1. Click Start, click Run, type gflags.exe, and then click OK.
2. Select Enable Pool Tagging.
3. Click Apply, and then click OK.
4. Restart the computer.

Note When you are finished debugging, repeat the above steps to disable pool tagging.
Back to the top
Using Poolmon to Collect Information
PoolMon displays pool tag information within a command window. Use the arrow keys or the PAGE UP and PAGE DOWN keys to display all the tag information returned by the tool.

Poolmon.exe is available in the Windows NT 4.0 Resource Kit and in the \Support\Tools folder of Windows 2000, Windows XP, and Windows Server 2003 CD-ROMs.

Use the following steps to copy and store the tag information. Repeat these steps for two hours at 15 minute intervals. Append each update to the end of the Notepad file.

1. Click Start, point to Settings, click Control Panel, and then double-click Console.

Note For Windows 2000 you must perform the following steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Right-click the title bar, and then click Properties.
2. Click the Options tab, click QuickEdit Mode, and then click Insert Mode.
3. Click the Layout tab, change the Screen Buffer Size value to 99, and then click OK.
4. Click Start, point to Programs, and then click Command Prompt.
5. Locate Poolmon.exe in the Support\Debug\platform folder on the Windows NT 4.0 CD. Change to the drive and folder where Poolmon.exe is located. On the Windows 2000 CD Poolmon.exe is in the Support.CAB file. Support.CAB is located under the \Support\Tools folder.
6. Type Poolmon.exe.
7. Press P until Poolmon displays the second column "type" and shows the value paged.
8. Press B to sort the columns from largest to smallest.
9. Select the whole screen contents, and then press ENTER.
10. Click Start, point to Programs, point to Accessories, and then click Notepad.
11. On the Edit menu, click Paste.
12. Repeat step 7 to look for the value nonpaged.
13. Repeat steps 8 - 11 to paste.

Poolmon.exe also has a few command keys that sort the output for you. Press the letter indicated below to perform the operation. It takes a few seconds for each command to work. Here is a list of a few of the commands:
P - Sorts tag list by Paged, Non-Paged, or mixed. Note that P cycles through each one.
B - Sorts tags by max byte usage.
M - Sorts tags by max byte allocation.
T - Sort tags alphabetically by tag name.
E - Display Paged, Non-paged total across bottom. Cycles through.
A - Sorts tags by allocation size.
F - Sorts tags by "frees".
S - Sorts tags by the differences of allocs and frees.
E - Display Paged, Non-paged total across bottom. Cycles through.
Q - Quit.

Troubleshooting Windows Server Setup

2009-01-20T23:14:00.000+05:30

Troubleshooting Server Setup
Setup initialization error: Source \SQL2000_SP3a\x86\Setup\Sqlspre.ini.

Cause: You may receive this error when you try to install SQL Server 2000 Service Pack 3. It occurs when the Service Pack 3 Setup program tries to copy Setupsql.ini to the %Temp% folder, but cannot overwrite a pre-existing version of the file that is marked as read-only.

Solution: Browse to the %Temp% folder on your system drive, and either delete the pre-existing version of setupsql.ini or remove the read-only attribute. Then run SQL Server 2000 Service Pack 3 Setup again.
Troubleshooting Users and Groups
E-mail cannot be received or sent.

Cause: A user account has reached the assigned Exchange mailbox size limit.

Solution: Save e-mail messages in a local folder on the client computer. If this problem occurs often, consider increasing the mailbox size for the user account.
Files cannot be saved to shared folders on the server.

Cause: The user account has reached the assigned disk quota limit.

Solution: Save files in a local folder on the client computer. If this problem occurs often, consider increasing the disk quota for the user account.
Password cannot be changed.

Cause: The user account password does not comply with a password policy configured by the administrator.

Solution: Create a new password that complies with the password policies configured by the administrator.
User cannot connect remotely to a computer running Windows XP Professional.

Cause: The user does not have permissions to log on by using Remote Desktop.

Solution: Assign the user permissions to use Remote Desktop.
Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To assign user permissions to use Remote Desktop

1.

On a computer running Windows Small Business Server 2003, click Start, and then click Server Management.
2.

In the console tree, click Users.
3.

In the details pane, right-click the user account that requires permissions to log on to Terminal Services, and then click Change User Properties.
4.

On the User Properties page, click the Terminal Services Profile tab.
5.

Check the Allow to log on to Terminal Server check box.

Cause: The client computer running Windows XP Professional is not configured to allow Terminal Services connections.

Solution: Configure the client computer running Windows XP Professional to use Remote Desktop.
Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To configure the client computer running Windows XP Professional to use Remote Desktop

1.

On the client computer, click Start, point to Settings, click Control Panel, and then click System.
2.

On the Remote tab, under Remote Desktop, click Select Remote Users.
3.

In the Remote Desktop Users dialog box, click Add.
4.

In the Select Users dialog box, click Locations to specify the search location.
5.

To specify the types of objects that you want to search for, click Object Types.
6.

In Enter the object names to select, type the names of the objects that you want to search for.
7.

Click Check Names.
8.

When the name is located, click OK. The name appears in the list of users in the Remote Desktop Users dialog box.

User account is locked out.

Cause: There may be too many failed logon attempts.

Solution: Unlock the user account.
Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To unlock a user account

1.

On a computer running Windows Small Business Server 2003, click Start, and then click Server Management.
2.

In the console tree, click Users.
3.

In the details pane, right-click the user account that is locked out, and then click Properties.
4.

On the User Properties page, click the Account tab.
5.

Clear the Account is locked out check box to unlock the account.

Application with service account fails.

Cause: Service account passwords have been changed but automatic logon properties have not been updated to use the new passwords. Windows Small Business Server does not automatically propagate password changes to all applications that use the service account.

Solution: Update the service accounts and passwords used with a particular application by running Windows Small Business Server Setup again.
New user cannot log on or access e-mail.

Cause: A new user attempts to log on or access network resources immediately after the account is created and before Active Directory has had time to update. A delay can occur between the time a user account is created and when Active Directory recognizes the user account.

Solution: Wait fifteen minutes and try again.
Windows Small Business Server 2003 displays a GUID instead of a user name for an e-mail address.

Cause: This problem can occur if a user account name contains Unicode characters.

Solution: Use the Active Directory Users and Computers snap-in to change the SMTP e-mail address for the account.
To change the SMTP e-mail address for a user account

1.

Click Start, and then click Server Management.
2.

In the console tree, double-click Advanced Management, double-click Active Directory Users and Computers, double-click your server name, and then locate the account in either the Builtin or Users folder.
3.

Right-click the account, click Properties, and then click the E-mail Addresses tab.
4.

Under E-mail addresses, select the SMTP e-mail address to be changed, and then click Edit.
5.

In the E-mail address text box, replace the GUID with the correct e-mail alias, and then click OK.
6.

Click the Exchange General tab.
7.

In the Alias text box, replace the GUID with the correct e-mail alias, and then click OK twice to save your settings.

Troubleshooting Client Computers
I received the error, "This Service Pack requires the machine to be on AC Power before setup starts…" when I install Service Pack 2 for Windows XP.

The Setup program for Windows XP Service Pack 2 (SP2) requires that your computer uses AC power. If the battery power runs out during installation, the update cannot be completed. If this occurs, you might not be able to restore the operating system to its previous state.

Solution: To resolve this issue, connect your computer to an AC power source, such as an electrical outlet, and then run Setup.

For more information about this issue, see Article 883609, "This Service Pack requires the machine to be on AC Power before setup starts," at the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=70662).
After migrating user profiles, users cannot access redirected folders.

Cause: If you made user profiles private, administrative credentials were removed from user folders on the client computer. Users need these credentials to access folders that are redirected to the server. After you migrate private user profiles (which include redirected folders), users may be unable to access their folders.

Solution: Manually restore access to user folders on the client computer.
To restore access to user folders on the client computer

1.

Log on to the client computer.
2.

Click Start, click Control Panel, and then click Performance and Maintenance.
3.

Click Administrative Tools, and then double-click Event Viewer.
4.

Under Event Viewer (Local), double-click Application.
5.

Search for an event with the type listed as Error and the source listed as Folder Redirection, and double-click that event.
6.

Note the source and destination directory listed in the event description.

Note
To complete the next part of this procedure, you must be logged on as a member of the Domain Admins security group.

1. Click Start, right-click My Computer, click Explore, and then browse to the user folder in the location you noted in step 6.

2. Right-click the folder, click Sharing and Security, click the Permissions tab, and verify that the user's name does not appear.

If the folder is empty, delete it.

Note
To perform the next part of this procedure, the user whose profile you are redirecting must be a member of the Local Admins security group on the client computer.

1. Click Start, right-click My Computer, click Explore, and then browse to the user folder in the location you noted in step 5 of the first procedure.

2. Right-click the folder, and then click Sharing and Security.

3. On the Security tab, click Advanced.

4. On the Owner tab, click the user name in the Change owner to box, and then select the Replace owner on subcontainers and objects check box.

5. Click Apply.

6. On the Permissions tab, verify that the user whose profile you want to redirect appears in the list under Permission entries. If the user's name does not appear, click Add, type the user name under Enter the object name to select, and then click Check Names.

7. Click OK.

8. Click Apply, and then click OK. The Permission Entry page appears.

9. Select the Full Control check box, and then click OK.

10. Click OK, and then click OK again.

11. Log off, and then log back on to the client computer.

I received an error stating that Client Setup cannot migrate private user settings.

Cause: This error occurs when one or more of the subfolders in a user's profile have been made private. This means that permissions giving other users access to the folders have been removed.

Solution: Manually configure the client computer to remove the restrictions that are preventing the migration.

If the client computer is running Windows XP Professional, make sure that the profile that did not migrate is configured as a "public" profile.
To configure the user profile as a "public" profile

1.

Click Start, and then click My Computer.
2.

Double-click the drive where Windows is installed (usually drive C:, unless you have more than one drive on your computer).
3.

Double-click the Documents and Settings folder.
4.

Right-click the user folder that did not migrate, and then click Sharing and Security.
5.

Select the Make this Folder Private check box, and then click OK.
6.

If this setting does not appear in the Properties dialog box, perform step 6, and then follow the instructions for client computers running Windows 2000 Professional.
7.

On the View tab, under Advanced settings, make sure Use simple file sharing (Recommended) is selected, and then click OK.

If the client computer is running Windows 2000 Professional, log on to the client computer as the user with the profile that did not migrate, and then grant the Administrators group full control over the profile folder and all subfolders.
To grant the Administrators group full control of the profile folder and all subfolders

1.

Click Start, and then click My Computer.
2.

Double-click the drive where Windows is installed (usually drive C:, unless you have more than one drive on your computer).
3.

Double-click the Documents and Settings folder.
4.

Right-click the user folder that did not migrate, click Properties, and then click the Security tab.
5.

Click Add, type Administrators in the text box, and then click OK.
6.

Under Group or user names, click the Administrators tab, select Allow for the Full Control permission, and then click OK.
7.

Repeat steps 4 through 6 for all subfolders in the user profile.
8.

Repeat steps 4 through 7 for each user folder that did not migrate.
9.

While you are logged on with the user profile that did not migrate, give the user ownership of all files in his or her profile.

To give the user ownership of all files in the user profile

1.

Right-click the user folder to be migrated, click Properties, and then click the Security tab.
2.

Click Advanced, and then click the Owner tab.
3.

In the Change owner to box, select the user that you are giving ownership to, and then click OK.
4.

Select the Replace owner on subcontainers and objects check box, and then click OK twice to save your settings.
5.

Run Client Setup again.

Note
Perform these steps for each user profile listed in the error message.

Note
If you are running Windows 2000 Professional with Service Pack 2, you must upgrade to any later version of the service pack.

Applications are missing after upgrading to Windows Small Business Server 2003.

Cause: If applications other than those available by default were installed on client computers, they will not be upgraded.

Solution: You must reinstall these applications on the computer running Windows Small Business Server 2003 and then reinstall them on client computers after the upgrade is complete. Command lines used to install these applications are stored in the registry in the following location:

HKLM\SOFTWARE\Microsoft\SmallBusinessServer\clientsetup\sbs2k_archive\Client Applications\
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

After the upgrade is complete, start the Client Setup Applications Wizard and use the command lines to reinstall the applications.
To start the Client Setup Applications Wizard

1.

Click Start, and then click Server Management.
2.

In the console tree, click Client Computers. In the details pane, click Set Up Client Applications.
3.

Follow the instructions in the wizard to add client applications.

Older versions of Microsoft Office do not run on client computers that have an Office 2003 application installed.

Cause: Older versions of Office conflict with Office 2003.

Solution: To run older versions of Office, you must uninstall all versions of Office on the client computer, and then reinstall the version you want to use.
To uninstall older versions of Office from the client computer

1.

Click Start, and then click Control Panel.
2.

Click Add or Remove Programs, click each version of Office installed on the client computer, and then click Remove.

After uninstalling all versions of Office, reinstall the version that you want to use on the client computer.
The initial logon process is slow after joining the Windows Small Business Server domain.

Cause: Redirection for My Documents folder has been enabled, and a large amount of data in the My Documents folder on the client computer is synchronizing with the server.

Solution: No action is required. After the initial logon, only changes to the My Documents folder are synchronized. Synchronization does not take as long as the initial logon.
Files in the local My Documents folder are not synchronizing with the server.

Cause: Disk quotas have been exceeded.

Solution: Reduce the size of the user's My Documents folder by deleting unnecessary files or compressing files. Or, increase the quota amount.
To increase disk quotas

1.

On a computer running Windows Small Business Server 2003, click Start, and then click My Computer.
2.

Right-click the volume for which you want to modify quota values, and then click Properties.
3.

On the Quota tab, click Quota Entries.
4.

Click the entries for the users whose options you want to modify, and on the Quota menu, click Properties.
5.

In the Quota Settings dialog box, do one of the following:
* To track disk space usage without limiting disk space, click Do not limit disk usage.

* To limit disk space, click Limit disk space to. Type a numeric value, and select a disk space limit unit from the drop-down list. You can use decimal values, for example, 20.5 megabytes (MB).

Note
If the volume is not formatted with the NTFS file system, or if you are not a member of the Administrators group, the Quota tab is not displayed in the volume's Properties dialog box.

I received an error stating that Client Setup cannot migrate private user settings.

Cause: This error occurs when one or more of the subfolders in a user's profile have been made private. This means that permissions giving other users access to the folders have been removed.

Solution: Manually configure the client computer to remove the restrictions that are preventing the migration.

If the client computer is running Windows XP Professional, make sure that simple file sharing is enabled on the computer, and then follow the steps outlined in the error message.
To enable simple file sharing on a client computer running Windows XP Professional

1.

Click Start, and then click Control Panel.
2.

Double-click Folder Options.
3.

On the View tab, under Advanced settings, make sure Use simple file sharing (Recommended) is selected, and then click OK.

If the client computer is running Windows 2000 Professional, log on to the client computer as the user with the profile that did not migrate, and then grant the Administrators group full control over the profile folder and all subfolders.
To grant the Administrators group full control of the profile folder and all subfolders

1.

Click Start, and then click My Computer.
2.

Double-click the drive where Windows is installed (usually drive C:, unless you have more than one drive on your computer).
3.

Double-click the Documents and Settings folder.
4.

Right-click the user folder that did not migrate, click Properties, and then click the Security tab.
5.

Click Add, type Administrators in the text box, and then click OK.
6.

Under Group or user names, click the Administrators tab, select Allow for the Full Control permission, and then click OK.
7.

Repeat steps 4 through 6 for all subfolders in the user profile.
8.

Repeat steps 4 through 7 for each user folder that did not migrate.
9.

While you are logged on with the user profile that did not migrate, give the user ownership of all files in his or her profile.

To give the user ownership of all files in the user profile

1.

Right-click the user folder to be migrated, click Properties, and then click the Security tab.
2.

Click Advanced, and then click the Owner tab.
3.

In the Change owner to box, select the user that you are giving ownership to, and then click OK.
4.

Select the Replace owner on subcontainers and objects check box, and then click OK twice to save your settings.
5.

Run Client Setup again.

Note
Perform these steps for each user profile listed in the error message.

Note
If you are running Windows 2000 Professional with Service Pack 2, you must upgrade to any later version of the service pack.

Troubleshooting Windows Vista on your Network

The following are known issues for troubleshooting Windows Vista. They are listed in "Using Windows Vista and Outlook 2007 in a Windows Small Business Server 2003 Network " at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=77626).
Troubleshooting Windows Vista Client Setup

Not all applications that are selected in the Windows Small Business Server Client Setup tools are installed on Windows Vista

I received an error stating that Client Setup does not configure client computers that are running this version of Windows

The logon screen shows "Other User" when the computer restarts after joining the Windows Small Business Server domain during client setup

I receive an error about multiple network adapters when I use Connect Computer to join a client to the domain, even though there is only one network adapter
Troubleshooting upgrades of Windows XP to Windows Vista

While upgrading Windows XP to Windows Vista, I receive a compatibility warning saying that the current ActiveSync version does not work with Windows Vista

The Group Policy settings for Windows Vista Firewall are not applied after I upgrade a client computer from Windows XP to Windows Vista

The CompanyWeb link that is listed in my computer’s network locations after I upgrade a client computer from Windows XP to Windows Vista is broken

The "Connect to Small Business Server" shortcut does not work after I upgrade a client computer from Windows XP to Windows Vista

I can no longer send a fax after I upgrade a client computer from Windows XP to Windows Vista
Troubleshooting E-mail in Windows Vista

Outlook cannot synchronize with the Exchange mailbox on the server
Troubleshooting Remote Connections in Windows Vista

I received an error stating that "Automation server can not create object" when trying to offer Remote Assistance to a client computer

I cannot deploy Connection Manager using the Setup Configuration Wizard on computers

I get an error message about a self-signed certificate when I browse to Remote Web Workplace from a computer that is running Windows Vista and that is not joined to the Windows Small Business Server domain
Troubleshooting Printers and Faxes

I see the shared printer in Windows Vista, even though I deleted the shared printer from the server

I deployed a printer to my x64 client computer, but the printer does not appear in the Printers list

I changed the name of the shared printer, but the original printer still appears on my computer that is running Windows Vista

I deployed a printer on Windows Vista but it does not appear in the printer folder

I get an error message saying "To use the shared printer, you need to install a printer driver on this computer …"

I cannot send faxes by using Microsoft Outlook on a 64-bit edition of Windows Vista

I can no longer send fax after upgrading from Windows XP to Windows Vista Enterprise
Miscellaneous

When I try to install the ISA Server 2004 hotfix on the server, I receive an error stating that Windows Installer cannot install the upgrade patch because the program to be upgraded may be missing

The list of user profiles on a client computer says "None"

The Windows Firewall settings list some applications twice, and one of the duplicated listings has its check box selected and is grayed out
Troubleshooting Mobile Devices
ActiveSync cannot be installed when a mobile device is connected to the client computer.

Cause: If a mobile device is connected to the client computer, ActiveSync cannot be completely installed.

Solution: Disconnect the mobile device from the client computer, log off, log on again, and then reinstall ActiveSync.

For more information, open Help and Support and search for "To connect a mobile device by using a cradle or cable."
Pocket PC 2003 is not automatically configured to synchronize with the server.

Cause: The server is configured to connect to the Internet using a dialup connection instead of a broadband connection.

Solution: Configure the Pocket PC 2003 using the instructions that came with your device, and manually configure it to synchronize with the server. You must also disable Secure Sockets Layer (SSL) on the mobile device.
Note
Before beginning the following procedure, obtain the server's fully qualified internal computer name and NetBios domain name.

To disable SSL on the mobile device

1.

Click Start, and then open ActiveSync.
2.

Click Tools, and then click Options.
3.

Click the Server tab, and then clear the This server uses an SSL connection check box.

Important
Disabling SSL means that you will send user name and password information over the network. Ensure that you have enabled Wired Equivalent Privacy (WEP) encryption on your wireless LAN.

After running the Get Connected Wizard and selecting "Synchronize with this desktop computer," my mobile device is not synching with my Inbox, calendar or contacts.

Cause: This problem can occur if any of the following conditions are true:

* The server is not connected to the Internet.

* The server is connected to the Internet using a dial-up connection.

* The user has configured ActiveSync to synchronize the mobile device with the server.

Solution: Manually configure ActiveSync to synchronize with the desktop computer.
To manually configure ActiveSync to synchronize with the desktop computer

1.

Plug the mobile device into the cradle.
2.

On the desktop computer, click Start, click All Programs, and then click Microsoft ActiveSync.
3.

Click Tools, and then click Options.
4.

On the Sync Options tab, clear the Enable synchronize with a server check box.
5.

When prompted to remove all synchronized data using ActiveSync, click OK.
6.

Select the Inbox, Calendar and Contacts check boxes, and then click OK.

The device then synchronizes with the desktop computer.

Note
The Routing and Remote Access (RRAS) Wizard configures mobile devices to synchronize with the server by default. Each time you run the RRAS Wizard, you must use the preceding steps to configure mobile devices to synchronize with the desktop computer.

Using a hardware router prevents synchronization when the mobile device is cradled.

Cause: If the server is configured with a single network card and a hardware firewall, routers that have built-in IP spoofing protection do not allow internal client computers to connect to the external domain.

Solution: Consult with your hardware provider for updated firmware for your specific device. As an alternative, you can add a DNS zone to bypass IP spoofing by some hardware routers.
To add a DNS zone

1.

Click Start, click Run, and then type dnsmgmt.msc. The DNS Management Console appears.
2.

Double-click your server name in the console tree.
3.

In the details pane, right-click Forward Lookup Zone, and then click New Zone. The New Zone Wizard appears. Click Next.
4.

On the Zone Type page, select Primary Zone, clear the Store the zone in Active Directory (available only if DNS Server is a domain controller) check box, and then click Next.
5.

On the Zone Name page, in the Zone Name box, type the fully qualified domain name of your external domain (for example, www.externaldomainname.com), and then click Next.
6.

On the Zone Files page, click Next.
7.

On the Dynamic Update page, select Do not allow dynamic updates, and then click Next.
8.

Click Finish to close the New Zone Wizard.
9.

Right-click the new zone in the DNS Management Console details pane, and then click New Host (A). The New Host dialog box appears.
10.

Leave the Name field empty. In the IP address box, type the Server Local Area IP address, and then click Add Host.
11.

Click OK, and then click Done to close the New Host dialog box.

The initial synchronization of the mobile device failed.

Cause: ActiveSync cannot create Microsoft Office Outlook 2003 profiles. If the user starts ActiveSync before running Outlook 2003, the user receives an error message stating that the profile cannot be found.

Solution: Connect the mobile device by using the cradle or cable, open Outlook, and then reconnect the mobile device.
The user cannot browse the Internet when the mobile device is connected using the cradle or cable (applies only if Internet Security and Acceleration Server 2000 is installed).

Cause: If you connect the mobile device by using a cradle or cable, you are considered anonymous when browsing the Internet. If ISA Server is installed on the computer running Windows Small Business Server 2003, anonymous browsing is not allowed.

Solution: Follow the instructions for Microsoft Pocket PC Phone Edition 2002, Microsoft Pocket PC Phone Edition 2003, or Microsoft SmartPhone 2003, and then follow the instructions to configure ActiveSync settings.
To configure connection settings for Microsoft Pocket PC 2003 or Microsoft Pocket PC Phone Edition 2003

1.

On the mobile device, click Start, and then click Settings.
2.

On the Connections tab, click Connections.
3.

Click Set up my proxy server.
4.

On the Proxy settings tab, check the This network connects to the Internet box, and then check the This network uses a proxy server to connect to the Internet box.
5.

Type the proxy server name, and then click Advanced.
6.

In the Port box, type 8080.
7.

Click OK, and then click OK again.

To configure connection settings for Microsoft SmartPhone 2003

1.

On the mobile device, select Start, select Settings, and then select Date connections.
2.

Select Menu, select Edit Connections, and then select Proxy Connections.
3.

Select Menu, and then select Add.
4.

In the Connects From box, select Work. In the Connects To box, select The Internet.
5.

In the Proxy (name:port) box, type the server name and port, using the following format:
6.

ServerName :8080
7.

Type your user name and password, and then select Done.

To configure connection settings for Microsoft Pocket PC Phone Edition 2002

1.

On the mobile device, click Start, and then click Settings.
2.

On the Connections tab, click Connections.
3.

Under Work Settings, click Modify.
4.

On the Proxy settings tab, check the This network connects to the Internet box, and then check the This network uses a proxy server to connect to the Internet box.
5.

Type the proxy server name, and then click Advanced.
6.

In the Port box, type 8080.
7.

Click OK, and then click OK again.

To configure ActiveSync settings

1.

On the client computer, click Start, point to All Programs, and then click Microsoft ActiveSync.
2.

On the Tools menu, click Options, and then click the Rules tab.
3.

In the Connection box (under Pass Through), click the down arrow, and then click Work.

The first time that you use the device to browse the Internet, you are prompted for a user name and password. Type a user name that is a member of the Windows Small Business Server Internet Users group, and save the password so that ActiveSync can synchronize with the server.
Note
If you still cannot browse the Internet, see the person responsible for your network to ensure that you have the correct permissions.

A connection cannot be established between the mobile device and the client computer.

Cause: There is a universal serial bus (USB) connection error.

Solution: Upgrade to the latest version of ActiveSync. If the user is already using the latest version, remove the mobile device from the cradle (or disconnect the cable), turn the device off and then back on, and then reconnect it.
The mobile device cannot be synchronized when connected using a cradle or cable.

Cause: The Pass Through option is not configured correctly in ActiveSync.

Solution: Configure the Pass Through option.
To configure the Pass Through option

1.

On the client computer, click Start, point to All Programs, and then click Microsoft ActiveSync.
2.

On the Tools menu, click Options, and then click the Rules tab.
3.

In the Connection box (under Pass Through), click the down arrow, and then click Internet.

For more information, see Microsoft ActiveSync Help. To open ActiveSync Help, click Start, point to All Programs, click Microsoft ActiveSync, and then click Help.
Outlook Mobile Access with Secure Sockets Layer (SSL) does not work on a SmartPhone 2002, PocketPC 2002, or Wireless Application Protocol (WAP) 2.0 phone.

Cause: Some of these devices are not supported using the Windows Small Business Server unsigned certificate.

Solution: Purchase a signed certificate from a trusted certification authority (CA) for the server to support these devices.
Other considerations for troubleshooting mobile devices.

If you continue to have a problem using your mobile device, consider the following questions:

* Does your mobile device have sufficient signal strength?

* Can you browse to other internal or external Web sites?

* Have you tried turning off the device and then turning it back on?

* Does your mobile device synchronize when connected to the server?

* Have you allowed access to the Outlook Mobile Access Web service from the Internet using the Configure E-mail and Internet Connection Wizard?

* Are you using an external router? Are ports 80 and 443 open and pointed to the server?

* Have you tried reconfiguring your mobile device?

To reconfigure your mobile device

1.

On the client computer, click Start, point to All Programs, and then click Microsoft ActiveSync.
2.

Connect the mobile device to the client computer by using the cradle or cable included with the device.
3.

Click Start, and then click All Programs.
4.

Click Small Business Server Tools, and then click Configure Mobile Device.

The device will be reconfigured with the original Windows Small Business Server settings, and users will be able to synchronize with the server within a few seconds.

Note
The mobile device configuration program is at the following location:

Program Files/Windows Small Business Server/Clients/SBSMobConfig.exe

For more information, open Help and Support and search for "To allow access to Web services on the server.
Troubleshooting E-mail
I cannot see my deleted mailbox item when I try to recover it by using the Recover Deleted Items option on the Tools menu in Outlook.

Cause: You may not have selected the folder or the parent folder from where the item was permanently deleted.

Solution: If you are recovering a permanently deleted mail item, ensure that you select the folder from which the mail was deleted. For example, if you have a subfolder in your Inbox named Meeting Minutes, you must select the Meeting Minutes folder before you choose the Recover Deleted Items option on the Tools menu.

If you are recovering a deleted folder, ensure that you select the parent folder of the deleted folder. For example, if you permanently deleted a subfolder named Meeting Minutes from your Inbox, you must select the Inbox folder before you choose the Recover Deleted Items option on the Tools menu.
Note
You cannot recover a permanently deleted item if the retention time for permanently deleted items has elapsed. The default retention time is 30 days. An administrator can run the Backup Configuration Wizard to change the retention time or to turn it off.

The Recover Deleted Items option is disabled on a Windows XP-based client computer.

Cause: There are two possible causes. First, you may be using Outlook over the Internet (which is also called "RPC over HTTP") to check your e-mail. Second, you may have manually joined the Windows XP-based client computer t o the Windows Small Business Server network. If you did, then you bypassed Windows Small Business Server Client Setup, which enables the Recover Deleted Items option in Outlook.

Solution: You must manually enable the Recover Deleted Items option.
Note
You must log in as an Administrator of the client computer to complete the following procedure.

To manually enable the Recover Deleted Items option

1.

On the client computer, exit Outlook.
2.

Click Start, click Run, and then in the Open text box, type regedit.
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

3.

Browse to HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Exchange\ Client\ Options.
4.

From the Edit menu, click New, and then click DWORD Value.
5.

Type the name DumpsterAlwaysOn.
Note
Do not type any spaces in the name.

6.

Double-click DumpsterAlwaysOn, and then in the Value Data field, type 1.
7.

Restart Outlook.

I have more than one e-mail domain name, and the E-mail Domain page of the Configure E-mail and Internet Connection Wizard allows me to enter only one of the domain names.

Cause: The Configure E-mail and Internet Connection Wizard can configure reply-to addresses for only one e-mail domain on the E-mail Domain page.

Solution: Use one of the e-mail domain names when you run the wizard. Then, you can create a custom recipient policy in Exchange Server 2003 for a second e-mail domain. The custom recipient policy creates the appropriate e-mail addresses for users in the second e-mail domain.

For more information, search for "Create a New Recipient Policy" in Exchange server Help. To access Exchange server Help, click Start, click Server Management, and then press F1.
Unsolicited e-mail is being delivered to Exchange server mailboxes.

Cause: Connection filtering is not configured on your Exchange server.

Solution: Exchange 2003 supports connection filtering based on block lists, which are lists that can be queried by your Exchange server to identify verified spam sources. Connection filtering uses external services that list known sources of unsolicited e-mail, dial-up user account lists, and servers open for relay based on IP addresses on block lists that they maintain. Connection filtering complements third-party content filter products. You can also configure connection filtering without using a block list provider by creating global accept and deny lists of SMTP addresses from which you want to globally accept or deny all e-mail.

To configure connection filtering, you must first create and configure a connection filtering rule, and then apply it your SMTP virtual server. For more information, search for "Configure Connection Filtering" in Exchange server Help. To access Exchange server Help, click Start, click Server Management, and then press F1.
Troubleshooting Monitoring
I have received an alert notification that a user account is under attack.

Cause: A user has repeatedly tried to log on due to losing or forgetting the user account password. This alert occurs when the number of failed logons for a specific user exceeds the Account Lockout Threshold.

Solution: Reset the user account password.
Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To reset a user's password

1.

Click Start, and then click Server Management.
2.

In the console tree, click Users.
3.

In the details pane, select a user account, and then click Change Password.
4.

Type and confirm the new password.
5.

Select or clear the User must change password at next logon check box, and then click OK.

Cause: An actual attack has occurred. This alert occurs when the number of failed logons for a specific user exceeds the Account Lockout Threshold.

Solution: You need to do the following if you suspect the account is under attack:

* Unplug the Internet cable from your server or router if you are certain that your network has been attacked. Open Event Viewer and view the audit logon events in the Security Events log to determine if an attack has occurred.

To open Event Viewer

1.

Click Start, and then click Server Management.
2.

In the console tree, click Monitoring.
3.

In the details pane, click View Event Logs.

* View the event log to try and determine the IP address from which the attack is originating. Contact your Internet service provider (ISP) to report or block it.

* Check for any unknown user accounts by using the Manage Users snap-in in Server Management.

* Reset the user's password.

* Reset the administrator password.

* Disable the user account until the threat of the network attack passes.

Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To disable a user account

1.

Click Start, and then click Server Management.
2.

In the console tree, click Users.
3.

In the details pane, select a user account, and then click Disable Account.

Note
Disable accounts are not removed, but you cannot use them to log on or to access network resources.

* Consider setting strong password policies.

Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To configure password policies

1.

Click Start, and then click Server Management.
2.

In the console tree, click Users.
3.

In the details pane, click Configure Password Policies.
4.

Select the check boxes to configure the policies you want, select when you want the policies to become effective, and then click OK.

If you are still setting up the network and thus do not want the policies to be effective yet, you can choose to make them effective in a few days.

Note
This action changes the password policies used in your entire network. Enabling or changing password policies requires all users to change their passwords the next time they log on to the network.

For more information about keeping your network secure, visit the Microsoft Security and Privacy Web site (http://go.microsoft.com/fwlink/?LinkID=102).
Usage information for Internet activity cannot be viewed in the server usage reports.

Cause: You might be using a router as a firewall to access the Internet. If so, usage information for Internet activity cannot be included in the report because Windows Small Business Server 2003 is unable to monitor firewall statistics for third-party devices.

Solution: Install a second network adapter on the computer running Windows Small Business Server 2003, and then enable the Routing and Remote Access service as the firewall on the server by using the Configure E-mail and Internet Connection Wizard.

Cause: You might be using the Internet Security and Acceleration (ISA) Server firewall to access the Internet. Windows Small Business Server 2003 is unable to monitor firewall statistics for ISA Server.

Solution: Configure ISA Server for monitoring and reporting. For more information about configuring ISA Server for monitoring and reporting, search for "Configure monitoring and reporting" in the ISA Server Help. To access ISA Server Help, click Start, click Server Management, and then press F1.
I am not receiving server performance or usage reports in Outlook Express.

Cause: By default, Outlook Express blocks certain file attachments in e-mail to prevent you from opening potentially harmful attachments. As a result, you may not be able to open server performance or usage reports.

Solution: Configure Outlook Express to allow attachments.
To configure Outlook Express to allow attachments

1.

Open Outlook Express.
2.

On the Tools menu, click Options.
3.

On the Security tab, clear the Do not allow attachments to be saved or opened that could potentially be a virus check box, and then click OK.

Note
E-mail attachments can contain viruses. It is recommended that you open files sent by a reliable source only and that you use antivirus software to scan files received in e-mail.

Server performance or usage report does not contain all selected log files.

Cause: If a selected log file has not changed since the last time it was attached to a server performance or usage report, or if no new files exist for applications that generate multiple log files (such as Internet Information Services), the server performance or usage report will not contain attachments for those selections.

Solution: No action is required. To review the latest version of a selected log file, open the file attachment from the previously delivered server performance or usage report.
Services set to start automatically stop running.

Cause: When configured to start automatically, a small number of services may stop running if they are not performing any tasks. When this happens, these services are reported in the server performance report as not running. This is known to occur with the following services:

* Fax

* Performance Logs and Alerts

* Removable Storage

Solution: The noted services are designed to stop running when they are not being used. If you do not want these services to be reported in the server performance report when they are not running, you can change the Startup type for the service to Manual.
To change the startup type for a service to Manual

1.

Click Start, and then click Server Management.
2.

In the console tree, click Monitoring and Reporting, and then click View Services.
3.

In the details pane, right-click the service that you want to change, and then click Properties.
4.

For Startup type, select Manual, and then click OK.

For more information, open Help and Support and search for "Monitoring overview."
Monitoring alerts are not being delivered.

Cause: After a Health Monitor configuration is imported using the Import Health Monitor Configuration Wizard, imported actions may not run as expected. This problem can occur when settings for imported actions remain associated with the computer from which they were exported. For example, the SMTP server specified for e-mail actions could be inaccurate, or an inaccurate file path could be specified for script actions.

Solution: Review the settings for the imported actions and make changes as necessary.
To view the imported actions

1.

Click Start, point to Administrative Tools, and then click Health Monitor.
2.

In the console tree, click Actions.
3.

In the details pane, right-click an action, and then click Properties.
4.

Review the settings on each tab, and modify as necessary.
5.

Repeat steps 3 and 4 for each action.

For more information, open Help and Support, and then search for "To update settings for an imported Health Monitor configuration."
Troubleshooting Backup and Restore
The server locks down, reporting Event ID 21192 and the error message, "The ISA Server Web filter was unable to connect to MSDE database...."

Cause: If your server is running Internet Security and Acceleration (ISA) Server, then at midnight ISA Server creates a new MSDE instance to store the next day's logging information for the Web and proxy traffic. If a backup is also a scheduled to begin at midnight, there is a conflict between the ISA Server MSDE instance and the backup process, and this conflict causes the server to lock down.

Solution: To exit the lockdown, restart the Microsoft Firewall service.
To restart the Microsoft Firewall service

1.

Click Start, point to Administrative Tools, and then click Services.
2.

In the list of services, right-click the Microsoft Firewall service, and then click Properties.
3.

Ensure that the Startup type is set to Automatic.
4.

In Services status, click Start, and then click OK.

To prevent this issue in the future, schedule the server backup to start at either 11:30 P.M. or 12:30 A.M. This ensures that there is no conflict between the ISA Server MSDE instance and the backup process.
To modify the Backup schedule settings

1.

Click Start, and then click Server Management.
2.

In the Admin Console, in Standard Management, click Backup.
3.

In the details pane, click Modify the Backup Schedule. The Backup Configuration Wizard starts.
4.

On the Define Backup Schedule page, in the Start Backup at list box, choose either 11:30 P.M. or 12:30 A.M. or later.

Quarantined virus files are not backed up, and your backup reports a failed status.

Cause: If the quarantine folder for your antivirus software is saved to a volume that is protected by a previous version of Volume Shadow Copy service, then the shadow copy captures the quarantine folder. As a result, the shadow copy includes viruses.

Solution: You can either use the antivirus software to move the quarantine folder to a volume that is not protected by Volume Shadow Copy service or configure the anti-virus application to delete infected files instead of having them quarantined.

For more information about resolving this issue, if you are using TREND Micro, Inc. antivirus software on your server, see Article 888035, “Quarantined virus files are skipped and your backup reports a failed status on your Windows Small Business Server 2003-based computer” at the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=70319).
I do not have a backup copy of the mailbox database on my server.

Cause: You have not configured a back up solution for your mailbox database.

Solution: Use the recovery storage group feature in Exchange Server 2003 to create a backup copy of the Exchange mailbox database on the server. You can do this while the original database is still running and serving client computers. For information about how to create a backup copy of the Exchange mailbox database on the server, see "Using Microsoft Exchange Server 2003 Recovery Storage Groups" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=70663).
The NTBackup log is blank.

Cause: NTBackup.exe is being manually ended from the Task Manager, or NTBackup.exe encountered an error during launch.

Solution: Run NTBackup manually, and load the Small Business Backup Script.
To run NTBackup manually and load the script

1.

Click Start, click Run, type ntbackup, and then press Enter. The Backup or Restore Wizard launches.
2.

On the Welcome to the Backup or Restore Wizard page, click Advanced Mode.
3.

Click the Backup tab.
4.

From the Job menu, choose Load Selections.
5.

In the File Name box type %sbsprogramdir%\backup.
6.

Click Small Business Backup Script.bks to select, and click Open.
7.

On the Backup tab, click Start Backup.

If the backup succeeds, run the Windows Small Business Server Backup Configuration Wizard from the Backup taskpad in Server Management. If the problem persists, click Start, click Server Management, click the Information Center link, and then click either Community Website or Technical Support to get information about the problem.

If the backup fails, consult the error message for further information about the problem.
Backup fails, reporting "'Script.bks' file not found."

Cause: The Exchange Information Store is not running.

Solution: Start the Exchange Information Store.
To start the Exchange Information Store

1.

Click Start, click Run, and then type Services.msc.
2.

In the details pane, right-click Microsoft Exchange Information Store, and then click Start.

Cause:

* A folder explicitly marked to be included in the backup is not on the system.

* The Small Business Backup Script has been deleted or is corrupted.

* The UNC path you are backing up to does not exist or is inaccessible.

Solution: Re-run the Backup Configuration Wizard from the Backup snap-in in Server Management, accepting the defaults to reset.
Redirection of My Documents failed.

Cause: Certain files cannot be made available offline. Files with the following extensions cannot be made available offline:

* .db*

* .ldb

* .mdb

* .mde

* .mdw

* .pst

* .slm

When you have configured users' My Documents folders to be redirected to the server, files with these extensions are saved to the server only, and they are not saved at logon or logoff to the client computer.

The following error message appears if you try to synchronize these types of files:

"Warnings occurred while Windows was synchronizing your data. Results: Offline files.Unable to make file name available offline. Files of this type cannot be made available offline."

For more information about this issue, see article 252509, "Error Message: Files of This Type Cannot Be Made Available Offline," in the Microsoft Knowledge Base.

Solution: If you have a file that cannot be made available offline and you want to avoid seeing this message at logoff and logon, you can perform one of the following actions:

* Move the files that cannot be made available offline out of the My Documents folder and in to a shared folder on the server.

* Disable offline files.

In both of these instances, a file that cannot be made available offline will be unavailable if the server becomes unavailable. However, it will be included in the backup of the server by default. If you disable offline folders, none of your files, regardless of whether they can be made available offline, will be available if the server becomes unavailable.
To disable offline files

1.

In Windows Explorer, click Tools, and then click Folder Options.
2.

On the Offline Files tab, clear the Enable Offline Files check box.

Volume Shadow Copy Services fails, reporting error number 800xxxxx.

There are several causes for Volume Shadow Copy Services failure. They are listed in order of probability:

* Low disk space on a drive with Volume Shadow Copies Services enabled.

* The disk is highly fragmented.

* SQL Server 2000 is installed and one or more databases have a recovery model that is not set to Simple. Windows Small Business Server 2003 Backup can back up a database only if its recovery model is set to Simple.

* An Event Log is larger than 64 megabytes (MB).

* Directory Service Access auditing is enabled.

Use the information in the following sections to determine which of these issues is causing Volume Shadow Copy Services to fail and to correct the failure.

Cause: Low disk space on a drive with Volume Shadow Copies Services enabled.

Solution: Increase the space available on the system drive and on the drive with previous versions (Volume Shadow Copy Services) enabled.
To verify that a drive with Volume Shadow Copies Services enabled has low disk space

1.

Click Start, and then click My Computer.
2.

Click the Shadow Copies tab.
3.

Click the volume that has Shadow Copies enabled, and then click Settings.
4.

In the Storage Area dialog box, click Details, and compare the Used and Maximum Size columns to determine whether disk space is low.

Cause: The disk is highly fragmented.

Solution: Defragment all system hard disks.

Cause: SQL Server 2000 is installed and one or more databases have a recovery model that is not set to Simple. Windows Small Business Server 2003 Backup cannot back up this type of database.

Solution: Set the SQL Server 2000 database recovery model to Simple.
To set the SQL Server 2000 database recovery model to Simple

1.

Open SQL Server Enterprise Manager.
2.

Double-click Microsoft SQL Servers, double-click SQL Server Group, (Local), and then double-click Databases.
3.

Right click each database, choose Properties, and then on the Options tab, under Recovery, set the model to Simple.

For more information about SQL Server database recovery models, see SQL Server Help and search for "recovery model."

Cause: An Event Log is larger than 64 MB.

Solution: Reduce the size of the Event Log to a maximum of 64 MB.
Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To reduce the size of the Event Log

1.

Click Start, click Administrative Tools, and then click Event Viewer.
2.

In the console tree, click any Event Log that is larger than 64 MB.
3.

On the Action menu, click Properties.
4.

On the General tab, in Maximum log size, specify a log size of 64000 kilobytes or less.
5.

To put the new setting in effect, click Clear Log.

If you want to retain the information currently in the log, click Yes when a message appears asking if you want to save the original log before clearing it, and then click OK.

Cause: Directory Service Access auditing is enabled.

Solution: Disable Directory Service access auditing.
To verify that Directory Service Access auditing is enabled

1.

Click Start, click Run, and then type rsop.msc.
2.

In the details pane, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
3.

In the Computer Setting column, verify that it reads either Success or Failure.

If Directory Service Access is not enabled, the entry in the Computer Setting column will read No auditing.

To disable Directory Service access auditing

1.

Click Start, and then click Server Management.
2.

In the console tree, click Advanced Management, and then click Group Policy Management.
3.

Navigate to /Forest/Domains/your domain/Domain Controllers, and then right-click Small Business Server Auditing Policy.
4.

Click Edit to open Group Policy Object Editor.
5.

In Group Policy Object editor, navigate to Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy.
6.

Double-click Audit directory service access.
7.

Clear the Success and Failure boxes if they are checked.
8.

Click Start, click Command Prompt, and then type gpupdate /Force to refresh the policy setting.

Portions of a file are not backed up.

Cause: The destination of the backup has previous versions (Volume Shadow Copy Services) enabled on it, and the allocated space for previous versions does not have enough room for the entire backup file.

Solution: Either disable previous versions (Volume Shadow Copy Services) by using the Backup Configuration Wizard or choose another destination for the backup.
Note
Backing up to a volume on which previous versions are enabled will drastically reduce the number of previous versions from which users can restore.

Backup fails, reporting "A fixed drive is not a valid drive."

Cause: A timeout occured while writing the backup file to the destination.

Solutions:

* If you are backing up to a network share, ensure the UNC path you are backing up to is always accessible.

* Ensure the drivers for the media of the backup destination are up to date. Contact the manufacturer for information about updating your drivers.

* Ensure there is no excessive activity on the device you are backing up to.

Cause: The drive you are backing up to is low on disk space.

Solution: Ensure the disk to which you are backing up has adequate disk space to hold the backup.
Backup fails, reporting "Tape media not found."

Cause: No tape is in the drive.

Solution: Put a tape in the drive.

Cause: The system does not recognize the tape drive.

Solutions:

* Ensure the tape in the drive is a tape that works with the drive.

* If the tape drive is external, ensure the power of the tape drive is on.

* Ensure that the system is detecting the tape drive.

To ensure that the system is detecting the tape drive

1.

Click Start, click Administrative Tools, and then click Computer Management.
2.

In the left pane, click Device Manager.
3.

Navigate to the tape drive and double-click it to view Device status.
4.

If the device is not working properly, click Troubleshoot to fix the problem.

* Ensure the drivers for the media of the backup destination are up to date. Contact the manufacturer for information about updating your drivers.

* Be sure the tape drive is compatible with Windows Small Business Server 2003. Consult the Windows Catalog Web site (http://go.microsoft.com/fwlink/?LinkID=16906).

Backup fails, reporting error number 8007422.

Cause: Windows Management Instrumentation needs to be started in order for Windows Small Business Server Backup to determine success or failure.

Solution: Start Windows Management Instrumentation.
To start Windows Management Instrumentation

1.

Click Start, click Run, and then type Services.msc.
2.

In the details pane, right-click Windows Management Instrumentation, and then click Start.

If the problem persists, click Start, click Server Management, click the Information Center link, and then click either Community Website or Technical Support to get information about the problem.
Backup fails, reporting "End of media encountered."

Cause: The backup does not fit on the media to which you are backing up.

Solutions:

* Reduce the size of the backup by excluding folders from the backup using the Backup Configuration Wizard.

* Purchase a backup device with larger capacity.

Cause: The destination of the backup is a hard drive formatted with the FAT file system. Drives formatted with FAT support a file size of up to 4 GB. If your backup is larger than 4 GB, it exceeds the size of the destination hard drive.

Solution: Convert the drive to the NTFS file system using convert.exe. For information about using convert.exe, see article 214579, "How to Use Convert.exe to Convert a Partition to the NTFS File System," in the Microsoft Knowledge Base.

Cause: The backup does not fit on the hard drive to which you are backing up.

Solution: Increase the amount of space available on the drive for the backup.
Backup fails, reporting "An inconsistency was encountered."

Cause: You are backing up to a UNC path on the local computer that is currently being backed up.

Solution: Use the Backup Configuration Wizard to change the destination of the backup to another location. Alternately, you can use the wizard to exclude the UNC path from the backup.
Users cannot restore files because the Previous Versions tab in the My Documents Properties dialog box is missing.

Cause: If storage allocation has been enabled for deleted files, and the location to which My Documents is redirected has recently been changed, then the regularly scheduled snapshot has not occurred.

Solution: No action is required. The Previous Versions tab will appear after the next regularly scheduled snapshot occurs. By default, snapshots are scheduled to occur at 7:00 A.M. and at noon.
Note
If you have not run Client Setup on your client computer, you might need to manually install the Shadow Copy client. To manually install the Shadow Copy client, from the client computer click Start, click Run, and then type:

\\server\ClientApps\ShadowCopy\SHADOWCOPYCLIENT.MSI

Troubleshooting Internet Access
I want to switch from using my existing DHCP server, such as a router device, to using Windows Small Business Server 2003 as my DHCP server.

Cause: You must disable the existing DHCP server, install the DHCP Server service on your computer running Windows Small Business Server 2003, and then configure the DHCP scope for your network.

Solution: Using Windows Small Business Server 2003 as your DHCP server ensures that your DHCP settings are properly configured for the local network. Not all DHCP scope options for the Windows Small Business Server network can be configured for the DHCP service of all router devices.

For information about how to install and configure DHCP on your Windows Small Business Server network, open Help and Support and search for "Installing a DHCP server."
I need to modify the phone number used by my dial-up connection to connect to the Internet.

Cause: If you use a dial-up connection to connect to the Internet, the dialing is handled by the firewall on your computer running Windows Small Business Server 2003. As a result, to change the phone number used by the dial-up connection to the Internet, you must modify the connection information in the firewall settings for your computer running Windows Small Business Server 2003.

Solution: The easiest way to change the phone number used by your dial-up connection is to run the Configure E-mail and Internet Connection Wizard and add a new dial-up connection.
Note
If you do not want to modify settings defined in the last run of the wizard for a specific component, select the option to not make changes for that component. You can then bypass the associated pages for that component.

Note
Running the Configure E-mail and Internet Connection Wizard does not require the computer running Windows Small Business Server to restart. However, users will experience a temporary loss of connectivity to the Internet while necessary services are restarted.

I am having problems connecting to the server from a client computer.

Cause: The network adapter on the client computer might be configured with a static IP address. Since the server performs network services that are dependent on the IP address of the local network adapter, using a statically assigned IP address on a client computer may result in connectivity issues with these services.

Solution: Configure the client computer to use DHCP to acquire an IP address. You must use an IP address that is within the scope of your existing firewall device.

If a router provides the DHCP service, you must configure the service for your network. For more information, see Appendix C in Getting Started.
I need to change the IP address of the network adapter that connects to the Internet from dynamically assigned to statically assigned (or vice versa).

Cause: The DHCP server at your Internet service provider (ISP) has switched from using a dynamic IP address to using a static IP address.

Solution: Reconfigure the network connection.
To reconfigure the network connection

1.

On a computer running Windows Small Business Server 2003, click Start, point to Control Panel, point to Network Connections, and then click the network connection you want to reconfigure.
2.

Double-click Internet Protocol (TCP/IP), and then modify how the IP address is assigned to the network connection.

Important
If you are using a router to connect to the Internet, you must use a static IP address for the external interface (the interface that connects to your ISP) of the router. For more information, see the router manufacturer's documentation.

Troubleshooting Your Intranet
The user is prompted for credentials when trying to access the internal Web site.

Cause: The internal Web site is based on Windows SharePoint Services. To use this site, users must be members of a Windows SharePoint Services site group. A user who is prompted for credentials does not have a site group membership.

Solution: Create user accounts based on Windows Small Business Server templates. User accounts based on these templates have permission to access the internal Web site because the templates are members of the site groups by default.

For more information, open Help and Support, and search for the topic "To add a user account."
Documents on the internal Web site cannot be saved or edited.

Cause: The client computer might be running a version of Microsoft Office that is earlier than Office XP.

Solution: Upgrade the application on the client computer to Office XP or later so that the user can save or edit documents on the internal Web site.
Search is not available on the internal Web site.

Cause: The computer running Windows Small Business Server might be running Microsoft SQL Server Data Engine (MSDE). MSDE does not support full text searches.

Solution: Upgrade MSDE to SQL Server 2000 or later and add full text search components. Evaluation and Not for Resale versions of SQL Server cannot be used to upgrade MSDE.
The logon page for Remote Web Workplace appears in search engine results on the Internet.

Cause: Components of the Internet called "Web robots" automatically search and catalog documents and pages that are published to Web sites by following hyperlinks on the various pages that have been published. You may experience this problem if you are not running Windows SBS 2003 with Service Pack 1 or Windows SBS 2003 R2.

Solution: Either install Service Pack 1 for Windows SBS 2003 or upgrade your server to Windows SBS 2003 R2. By default, both of these prevent Web robots from cataloging Web sites on your server, including WWWRoot and Remote Web Workplace.

For more information about Web robots, see the Web site (http://go.microsoft.com/fwlink/?LinkId=25134).
Troubleshooting Shared Network resources
Faxes are not being received.

Cause: If no fax errors appear in the event log and you have an external modem and the fax service is running, the modem may need to be reset.

Solution: Unplug the modem, and plug it back in to reset it.
No option to route faxes to the document library ("Route to Document Library") is visible in the Fax Configuration Wizard or the Fax Admin console.

Cause: You uninstalled and then reinstalled Fax Services using Add/Remove Windows components in Control Panel.

Solution: Uninstall Fax Services using Add/Remove Windows components in Control Panel, and then reinstall the services using the Install option in Windows Small Business Server 2003 Setup.
Note
There is no option to "Reinstall" the Fax Services in Windows Small Business Server 2003 Setup.

To uninstall and then reinstall Fax Services

1.

Click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
2.

In the Windows Components Wizard, clear the Fax Services check box.
3.

Click Finish to close the wizard.
4.

In the Add or Remove Programs dialog box, under Currently installed programs, click Microsoft Windows Small Business Server 2003, and then click Change/Remove.
5.

Follow the instructions until you reach the Component Selection page.
6.

To install Fax, under Action for the Fax Services, click the drop-down list, and then change the action to Install.
7.

Click Next to continue. Follow the instructions for completing Setup.

Users are unable to log on to the server following a virus scan

Cause: You may encounter this issue if a virus is detected in an e-mail message while running a virus scan or while using real-time virus scanning on a computer running Windows Small Business Server 2003. In some scenarios, services and applications do not function properly. Event log messages are logged for affected services.

Solution: Consider excluding some folders (such as e-mail and fax queues, and SQL databases) from real-time virus scanning. If the antivirus software has a "quarantine" feature, consider turning it off. For information about how to do this, visit the Web site of your antivirus software provider, or consult the online Help or user manual that came with the antivirus software.

Consult your antivirus software provider to determine whether they offer an update for the problem.
Note
A quarantine state indicates that at least one virus was found and that your system may be infected. Make sure you have the latest virus signature installed on the server, and then perform a thorough scan for viruses. If quarantine happens repeatedly, ensure that all computers on the network have antivirus software running.

Services or applications do not function properly after a virus scan

Cause: You may encounter this issue if a virus is detected in an e-mail message while running a virus scan or when using real-time virus scanning on a computer running Windows Small Business Server 2003. In some scenarios, services and applications do not function properly. Event log messages are logged for affected services.

Solution: Consider excluding some folders (such as e-mail and fax queues, and SQL databases) from real-time virus scanning. If the antivirus software has a "quarantine" feature, consider turning it off. For information about how to do this, visit the Web site of your antivirus software provider, or consult the online Help or user manual that came with the antivirus software.

Consult your antivirus software provider to determine whether they offer an update for the problem.
Note
A quarantine state indicates that at least one virus was found and that your system may be infected. Make sure you have the latest virus signature installed on the server, and then perform a thorough scan for viruses. If quarantine happens repeatedly, ensure that all computers on the network have antivirus software running.

Troubleshooting Remote Connections
Users receive a security alert when they try to connect to a secure Web site on the computer running Windows Small Business Server 2003.

Cause: This commonly appears after using the Configure E-mail and Internet Connection Wizard to create an unsigned certificate for the company Web sites. Because the certificate was issued by Windows Small Business Server rather than by a trusted certification authority, the server itself is not being authenticated as the server that you want to connect to.

Solutions:

* The session is still encrypted, so it is not possible for others to view information that you are sending. Users can click Yes to accept the unsigned certificate. If your company requires a higher level of security, consider purchasing a signed certificate from a trusted certification authority.

* If the Web site is being accessed from a private computer from which the site will be accessed repeatedly in the future, users can click View certificate to install the certificate into the certificate store of the client computer.

Important
For security reasons, users should not install the certificate if they are accessing the secure Web site from a public computer, such as an Internet kiosk.

Sound cannot be disabled on remote desktop connections through the Remote Web Workplace.

Cause: The Hear sounds from the remote computer on this computer option on the computer selection page cannot be disabled until the Remote Web Workplace Web site is added to the trusted sites zone in Internet Explorer. By default, sound will be played.

Solution: Add the Remote Web Workplace to the trusted sites zone in Internet Explorer.
To add the Remote Web Workplace to the trusted sites zone in Internet Explorer

1.

Click Start, and then click Internet Explorer.
2.

On the Tools menu, click Internet Options.
3.

On the Security tab, click Trusted sites, and then click Sites.
4.

Under Add this Web site to the zone, type the URL for the Remote Web Workplace, and then click Add.
5.

Click OK, and then click OK again.

Using Remote Web Workplace to connect a remote computer to a client computer results in an error message before the connection is established.
Note
The client computer you are connecting to must be running Microsoft Windows XP or later.

Cause: The client computer may not be turned on.

Solution: Verify that the client computer is powered on and connected to the Windows Small Business Server network.

Cause: Remote Desktop connections may not be enabled on the client computer.

Solution: Verify that Remote Desktop is enabled on the computer you are connecting to.
Note
To complete the following procedure, you must be logged on as a member of the Domain Admins security group.

To enable Remote Desktop

1.

Click Start, click Control Panel, click Performance and Maintenance, and then click System.
2.

On the Remote tab, select the Allow users to connect remotely to this computer check box.
3.

Ensure that you have the proper permissions to connect to your computer remotely, and then click OK. You must be an administrator or a member of the Remote Desktop Users group to connect remotely to your computer.

Verify that Remote Desktop is enabled by creating a Remote Desktop connection from another computer on the Windows Small Business Server network, and then attempting to connect to your computer. To start Remote Desktop, click Start, point to All Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.

If you are running any firewall software on the client computer, ensure that it is not blocking access to port 3389 (the port specific to Remote Desktop Connections). For more information, see the firewall manufacturer's documentation.

Cause: The remote computer may have reached the maximum number of allowed connections.

Solution: Verify that the computer you are connecting to has not reached the maximum number of allowed connections. If you are connecting to a computer running Windows XP Professional, only one user can be connected at a time. If you are connecting to an application sharing server, connections are determined by the number of client access licenses (CALs) purchased by your company. For more information, see your administrator.

Cause: Firewall settings may be blocking port 4125.

Solution: Verify that port 4125 (the port specific to the Remote Web Workplace) is open to the Internet on the computer running Windows Small Business Server. If you ran the Configure E-mail and Internet Connection Wizard, and chose to publish the Remote Web Workplace, this is configured automatically on the server. If you have a router or firewall device that does not support UPnP, you must manually configure this device to accept Internet traffic through port 4125. For more information, see the device manufacturer's documentation.

If the computer running Windows Small Business Server is running Microsoft Internet Security and Acceleration (ISA) Server, run the Configure E-mail and Internet Connection Wizard, choose to publish the Remote Web Workplace, and ISA Server will be automatically configured to allow Remote Desktop connections.

If you are connecting from a remote computer that accesses the Internet through ISA Server, the person responsible for ISA Server must create a protocol rule allowing outbound traffic through port 4125. You must also install ISA Firewall Client on the remote computer.

Verify that your Internet service provider (ISP) is not blocking Internet traffic through port 4125.
A client computer does not appear in the Computers list after you click Connect to my computer at work.

Cause: The client computer has not been joined to the Windows Small Business Server domain.

Solution: Join the client computer to the Windows Small Business Server domain.
To join the client computer to the Windows Small Business Server domain

1.

Open Internet Explorer, and type the following URL in the address bar:

https://servername/connectcomputer (where servername is the name of the computer running Windows Small Business Server 2003).
2.

Click Connect to the network now, and follow the instructions in the Network Configuration Wizard to join the client computer to the Windows Small Business Server domain.

Cause: The client computer is not running Windows XP Professional or later.

Solution: Verify that the client computer is running Windows XP Professional or later.

Cause: You are attempting to access the Remote Web Workplace from the computer you are logged on to.

Solution: Access the Remote Web Workplace from another computer.
Note
Computers running server operating systems do not appear in the list of computers you can connect to. Application sharing servers are available through the Connect to my company’s application-sharing server link.

Links appear in and disappear from the Remote Web Workplace.

Cause: Remote Web Workplace links are dynamic, and are based on Windows Small Business Server network features that are available from the Internet. Links may also be manually disabled by your network administrator for security reasons, and they may not appear if you are accessing the Remote Web Workplace from a public or shared computer that is using an earlier browser.

Solution: This behavior is by design. If a link that you regularly use disappears, contact your administrator, upgrade the browser on the public or shared computer to the latest version, or access the Remote Web Workplace from a computer that is not public or shared.
Remote Web Workplace features are inaccessible with my Web browser.

Cause: Some browsers do not support technology required by the Remote Web Workplace. This technology may include the use of unsigned certificates, ActiveX Controls (which are required for Remote Desktop sessions), and Windows Integrated Authentication (which is required for accessing Monitoring links and your company's internal Web site).

Solution: Upgrade to the latest version of the Web browser and ensure the browser supports the noted technologies.
The connection to the Remote Web Workplace is frequently interrupted or lost.

Cause: The Remote Web Workplace contains a built-in timeout feature for security reasons. When your session has been inactive for a specified period of time, you are logged off automatically. The Remote Web Workplace will timeout after 20 minutes of inactivity by default if you use the site from a public or shared computer. If the computer is not public or shared, the timeout is 120 minutes by default.

Solution: If you would prefer the 120-minute timeout, you can access the Remote Web Workplace from a computer that is not public or shared, and clear the I'm using a public or shared computer check box on the logon page.

If you need more time, contact your network administrator. The timeout values for the Remote Web Workplace can be manually configured. However, seriously consider the security implications of a longer timeout.

Cause: If you run a backup program or antivirus scan while remote users are connected to the network, Remote Web Workplace remote desktop sessions may be disconnected. If this occurs, the error message "An Internal Error has occurred" appears, and users are returned to the Remote Web Workplace computer selection page or log on page. At this point, users can log back on to the remote computer and resume work.

Solution: A supported fix is available from Microsoft. For more information, see Knowledge Base article 821438 at the Microsoft Product Support Services Web site (http://go.microsoft.com/fwlink/?LinkId=19635).
Note
As a best practice, backups and antivirus scans should be scheduled for times when users are least likely to be logged on to a remote session.

Cause: Certain Internet connection types, such as dial-up and PPoE connections, may be subject to timeouts due to inactivity.

Solution: This is by design. Contact your Internet service provider if you require a longer timeout period.

Cause: Intermittent drops in connectivity may result from wireless or faulty network connections.

Solution: Ensure that network hardware is not resetting. See your hardware vendors documentation.
The company name on the logon page is incorrect or has changed.

Cause: The name on the logon page of the Remote Web Workplace is the company name that was specified during Windows Small Business Server Setup.

Solution: You can change this name by editing the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ RegisteredOrganization
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Note
Only names of 50 characters or less are supported.

The link in the Remote Web Workplace introductory e-mail does not work.

Cause: Some e-mail programs, such as Outlook Web Access, may block links as a security precaution. Additionally, the Web site address may not be registered or immediately available.

Solution: Type the address into your Web browser's address bar, or try the link later or from a different computer. If the site still does not appear, contact your network administrator.
Troubleshooting Client Computer Licensing
Users are unable to log on to the network or access network resources

Cause: If Small Business Server 2003 cannot validate the number of installed client access licenses (CALs), the number of available licenses will be reset to five. This can occur if Active Directory is unavailable or if the license store becomes corrupt. When this happens, you will receive an error message that will also be logged to the System event log. The following error is also recorded in the Application event log:

"No license was available for user Domain\Username using product Productname. Use Licensing from the Administrative Tools folder to ensure that you have sufficient licenses."

Solution: To correct this problem, restore the CALs from a valid license store using the Restore License Wizard, or from System backup using the Backup or Restore Wizard. Alternately, you can use the Add License Wizard to reissue them.
Note
To complete the following procedures, you must be logged on as a member of the Domain Admins security group.

To restore CALs using the Restore License Wizard

1.

Click Start, point to Administrative Tools, and then click Licensing.

Details about the currently installed CALs appear in the details pane.
2.

Click Restore Licenses.
3.

Follow the instructions to specify the file name and location of the backup file from which you want to restore the CALs.

To restore CALs using the Backup or Restore Wizard

1.

Insert the correct tape into the tape drive, or connect the removable hard drive to the system
2.

Open the Backup or Restore Wizard. To do this, click Start, click Run, type ntbackup, and then click OK.

If the Backup or Restore Wizard does not recognize the backup media, the Recognizable Media Found dialog box appears. Select Allow Backup Utility.
3.

On the Backup or Restore page, select Restore files and settings.
4.

On the What to Restore page, under Items to restore, select the files or folders that you want to restore, and then click Next.
5.

On the Completing the Backup or Restore Wizard page, review the settings. If you want to change the location to which the backup is restored or how the existing files that you are backing up are handled, click Advanced.
1. On the Where to Restore page, you can change the location to which your files are restored, or you can choose to have your files restored to a single folder.

2. On the How to Restore page, you can choose what to do with the versions of the files that already exist on your computer.

3. On the Advanced Restore Options page, if you chose to restore to the original location on the Where to restore page, ensure that the Restore junction points, but not the folders and the file data they reference check box is selected. If you chose to save to a different location, ensure that the check box is not selected.

Note
Do recover files through a Remote Desktop session.

To reissue CALs to the same server

1.

Click Start, point to Administrative Tools, and then click Licensing.

Details about the currently installed CALs appear in the details pane.
2.

In the details pane, click Add Client Licenses to open the Add License Wizard, and then follow the wizard instructions.
3.

On the Contact Method page, select whether you will use the Internet or the telephone to reissue licenses.
4.

After completing the wizard, refresh the Licensing console to verify the successful reissue of the CALs.

Windows 2000 DNS and Windows Server 2003 DNS

2009-01-20T22:53:00.000+05:30

DNS is the backbone of Active Directory and the primary name resolution mechanism of Windows 2000 and Windows Server 2003. Windows 2000 and Windows Server 2003 domain controllers dynamically register information about themselves and about Active Directory in DNS. Other Windows 2000 and Windows Server 2003 domain controllers, servers, and workstations that are part of the domain query DNS to find Active Directory-related information. If DNS is not set up correctly, domain-wide issues can occur such as replication between domain controllers. You may also be unable to log on to the domain or to join the domain from a workstation or server.

Question: What are the common mistakes that are made when administrators set up DNS on network that contains a single Windows 2000 or Windows Server 2003 domain controller?

Answer: The most common mistakes are:

* The domain controller is not pointing to itself for DNS resolution on all network interfaces.
* The "." zone exists under forward lookup zones in DNS.
* Other computers on the local area network (LAN) do not point to the Windows 2000 or Windows Server 2003 DNS server for DNS.

Question: Why do I have to point my domain controller to itself for DNS?

Answer: The Netlogon service on the domain controller registers a number of records in DNS that enable other domain controllers and computers to find Active Directory-related information. If the domain controller is pointing to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. In Windows Server 2003, the recommended DNS configuration is to configure the DNS client settings on all DNS servers to use themselves as their own primary DNS server, and to use a different domain controller in the same domain as their alternative DNS server, preferably another domain controller in the same site. This process also works around the DNS "Island" problem in Windows 2000. You must always configure the DNS client settings on each domain controller's network interface to use the alternative DNS server addresses in addition to the primary DNS server address.

For more information about the Windows 2000 DNS "Island" problem, see "Chapter 2 - Structural Planning for Branch Office Environments" in the "Planning" section of the Windows 2000 Server Active Directory Branch Office Planning Guide at the following Microsoft Web site: http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adguideintro.mspx (http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adguideintro.mspx)

Question: What does a domain controller register in DNS?

Answer: The Netlogon service registers all the SRV records for that domain controller. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.

Question: Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?

Answer: A Windows 2000 or Windows Server 2003 domain controller does not register Active Directory-related information with a WINS server; it only registers this information with a DNS server that supports dynamic updates such as a Windows 2000 or Windows Server 2003 DNS server. Other Windows 2000-based and Windows Server 2003-based computers do not query WINS to find Active Directory-related information.

Question: If I remove the ISP's DNS server settings from the domain controller, how does it resolve names such as Microsoft.com on the Internet?

Answer: As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.

Question: What is the "." zone in my forward lookup zone?

Answer: This setting designates the Windows 2000 or Windows Server 2003 DNS server to be a root hint server and is usually deleted. If you do not delete this setting, you may not be able to perform external name resolution to the root hint servers on the Internet.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
229840 (http://support.microsoft.com/kb/229840/ ) DNS server's root hints and forwarder pages are unavailable
Question: Do I need to configure forwarders in DNS?

Answer: No. By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. Most of the time, when you configure forwarders, DNS performance and efficiency increases, but this configuration can also introduce a point of failure if the forwarding DNS server is experiencing problems. The root hint server can provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection. Windows Server 2003 DNS will query root hints servers if it cannot query the forwarders.

Question: Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?

Answer: No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the domain controller in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 domain controller running DNS. If you are using DHCP, make sure that you view scope option #15 for the correct DNS server settings for your LAN.

Question: Do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95, Microsoft Windows 98, or Microsoft Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?

Answer: Legacy operating systems continue to use NetBIOS for name resolution to find a domain controller; however it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.

Question: What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?

Answer: If you are able to query the ISP's DNS servers from behind the proxy server or firewall, Windows 2000 and Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP Port 53 should be open on the proxy server or firewall.

Question: What should I do if the domain controller points to itself for DNS, but the SRV records still do not appear in the zone?

Answer: Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server or Windows Server 2003 CD-ROM to run Netdiag.exe.

For more information about how to check for a disjointed namespace, click the following article number to view the article in the Microsoft Knowledge Base:
257623 (http://support.microsoft.com/kb/257623/ ) The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you install upgrade a Windows NT 4.0 Primary domain controller to Windows 2000
Question: How do I set up DNS for a child domain?

Answer: To set up DNS for a child domain, create a delegation record on the parent DNS server for the child DNS server. Create a secondary zone on the child DNS server that transfers the parent zone from the parent DNS server.

Note Windows Server 2003 has additional types of zones, such as Stub Zones and forest-level integrated Active Directory zones, that may be a better fit for your environment.

Set the child domain controller to point to itself first. As soon as an additional domain controller is available, set the child domain controller to point to this domain controller in the child domain as its secondary.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
255248 (http://support.microsoft.com/kb/255248/ ) How to create a child domain in Active Directory and delegate the DNS namespace to the child domain

"Windows cannot unload your registry class file" error message when you log off Terminal Services

2009-01-20T22:50:00.001+05:30

When you log off Terminal Services, you may receive the following Event ID 1000 event message:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Description:
Windows cannot unload your registry class file. If you have a roaming profile, your settings are not replicated. Contact your administrator.
Details:
------------------------------
Access is denied
This problem may occur after Microsoft Windows Installer installs a program on the computer.

This problem occurs because of a registry handle leak in Windows Installer. This problem was first exposed after the installation of the MS03-026 security update.

Hotfix information
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
No prerequisites are required.
Restart requirement
You must restart your computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Problems occur when the Autoenrollment feature cannot reach an Active Directory domain controller

2009-01-20T22:46:00.000+05:30

The following Event ID 15 error message entries are logged at 8-hour intervals in the application event log:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: date
Time: time
User: N/A
Computer: computer name
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.

This problem may occur if the Autoenrollment feature cannot reach an Active Directory domain controller. In a Microsoft Windows NT 4.0 domain, Active Directory is not available. Therefore, the Autoenrollment feature cannot work. In an Active Directory domain that has Microsoft Windows 2000 or later domain controllers, the problem may be caused by a DNS name resolution or by network connectivity issue.
For a Microsoft Windows XP-based computer or a Microsoft Windows Server 2003-based computer that is joined to a Windows NT 4.0 domain, to turn off the Autoenrollment feature in the Local Group Policy, follow these steps on the local workstation:
1. Click Start, click Run, type gpedit.msc, and then press ENTER.
2. In the left pane, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
3. Double-click Autoenrollment Settings.
4. Click Do not enroll certificates automatically.
5. Click OK.
6. Repeat steps 2 through 5, but in step 2, expand User Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
7. Close the Group Policy window.
For a computer that is a member of a Windows 2000 or later Active Directory domain, make sure that the domain member has network connectivity with at least one domain controller.

After you have determined that you have good Internet Protocol (IP) connectivity between the member and a domain controller, correct the DNS address in the IP properties of the workstation. To do this, follow these steps:
1. Start the Network Connections tool in Control Panel.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Type the correct DNS address in the Preferred DNS server box.
5. Click OK.

Probably a DNS misconfiguration. Is this server pointed to an internal DNS
server which supports your AD under TCP/IP properties?

7 Tuning Windows to Optimize Oracle Database

2009-01-11T16:10:00.000+05:30

http://download.oracle.com/docs/html/B13831_01/tuning.htm#i1006396

Optimize the Windows Server 2003 page file for increased performance

2009-01-11T16:07:00.000+05:30

Saving for more RAM? In the meantime, optimize your Windows Server 2003's performance by using page files--you'll free up more RAM without slowing down your server. Here's how to implement this stopgap measure while you wait to get more memory.

You've read the rule: "Add RAM to increase system performance." It's true--but often, it's not always desirable, necessary, or feasible to do so. By making a few adjustments to the way that Windows Server 2003 handles the page file, you can boost the overall performance of your server.

By default, Windows Server 2003 creates a page file on the system drive--usually C:. While this practice makes sense and provides you with the ability to create a dump file in the event of a system crash, disk performance can degrade if the page file is heavily used. That, combined with the need to go to disk all the time, can result in poor server performance.

You may also know that moving the page file off the system drive can increase performance. While this will achieve that goal, you'll also lose the ability to create a diagnostic dump file to help troubleshoot server problems.

Instead, for more efficient page file optimization that also provides a means to create a dump file, follow these tips:

1. Keep the default Windows settings for the page file on the system drive.
2. Create a second page file at least 1.5 times the size of system RAM on a less frequently used disk. Windows will automatically use the page file on the disk with the least amount of activity.

If your server is constantly paging and that paging is affecting system performance, it's time to add more RAM.

SQL Server Optimize

2009-01-11T15:53:00.000+05:30

How can Event Manager help me optimize SQL Server performance?
Server schedule issues are one of the biggest "hidden" contributors to performance degradation and a lack of reliable notifications via the native tools only compounds the issue. Event Manager provides all of the tools a DBA needs to efficiently manage complex job schedules along with Windows Task Scheduler tasks, Reporting Services reports and DTS packages, in order to minimize schedule contention and other performance problems caused by "unoptimized" schedules... and to reliably alert the DBA when there are issues requiring attention. Event Manager is not intended to replace all general performance monitoring tools and most clients use Event Manager alongside those systems since they don't provide the visual scheduling, schedule performance monitoring, and notification features that we do. The productivity benefit is that the busy DBA can reduce the time spent on mundane daily tasks and concentrate on strategic management of their SQL Server environment.

How can scheduled events impact server or application performance?
Almost every event (SQL Agent job, DTS Package, Windows Task, etc.) incurs some level of overhead in the areas of CPU utilization, memory usage, disk I/O, network I/O, locking, blocking, connections, and many others. How much and what mix is of course dependent on what the events are doing. Problems often arise when events are scheduled to run at inopportune times, or when more than one event is inadvertently scheduled to run concurrently. Both of these scenarios can cause contention for server resources and cause degraded performance on the server.

What is a "schedule conflict"?
Event Manager considers a schedule conflict to be when more than one event is scheduled to run concurrently. This can also be referred to as a "runtime overlap" or "schedule collision" condition. Event Manager automatically highlights existing conflicts in orange on the calendar, and they can be easily resolved via drag-and-drop.

In addition to jobs, what other kind of events can Event Manager monitor?
Following is a list of event sources Event Manager currently monitors:

• SQL Server Agent Jobs
• SQL Server Maintenance Plans
• SQL Server Agent Alerts
• DTS Packages
• Reporting Services Reports
• SQL Server Agent Log
• Windows Tasks
• Legacy Maintenance Plans (SQL Server 2005 upgrades)
• Legacy DTS Packages (SQL Server 2005 upgrades)

How can Event Manager help prevent resource contention?
The tools a DBA has traditionally had at his or her disposal for SQL Server schedule management have made it very difficult or impossible to avoid scheduling issues that lead to resource contention, and ultimately application performance issues. Event Manager dramatically increases the ability for DBA's to:

• View the current state of schedule activity on any server
• Capture the full impact an event or combination of events are having on server and application performance
• Quickly assess contention levels across a "shared resource" such as file storage areas, tape libraries, etc.
• Easily make scheduling changes to minimize issues caused by resource contention.

How will Event Manager help my business save money?
Event Manager users measure real savings in several ways:

• DBA productivity is increased - via a much more efficient, user-friendly interface for dealing with schedule issues and information.
• Downtime is reduced - with more reliable and informative notifications, support personnel can respond more quickly and effectively to downtime situations.
• Database performance is increased - by ensuring schedules are leveled, contention issues are minimized, thus maximizing application performance and available hardware resources.

If I already have a SQL Server monitoring tool, do I need Event Manager?
There are many good tools available for monitoring general SQL Server health. Event Manager is not meant to replace all of those tools, although it can certainly replace some of them, and can coexist alongside others. Event Manager’s focus is on three primary areas:

• providing an intuitive visual interface for event scheduling and management
• performing detailed performance monitoring related specifically to jobs or tasks
• providing reliable, detailed notifications as well as a variety of other response conditions (Execute SQL, Execute Process, Kill Task, etc.) for various event types

Event Manager is the only tool of its kind, so if your needs are in one of the above 3 areas, Event Manager will add significant benefits to your operations over and above what you are currently receiving from other tools.

How is Event Manager licensed?
In terms of our licensing model, it is pretty simple. We require a license for every SQL Server instance and Windows Task Scheduler instance that you plan to manage with Event Manager. We do not charge per CPU as is a common practice, and we only require one license for an instance running across multiple cluster nodes. Event Manager adds value on a per instance basis, so we’ve designed our licensing model with this in mind.

Does Event Manager support monitoring of clusters and how would I monitor the clusters?
Event Manager fully supports clusters and only needs to know the virtual name of the clustered SQL Server instance.

What kind of automation can I perform with Event Manager?
In addition to sending notifications for any condition, Event Manager can also take actions such as executing another job, executing a SQL statement, or executing a process on any server that Event Manager is watching.

Also, Event Manager provides advanced chaining functionality that allows you to create complex, multi-level chains of jobs and tasks across your servers, as well as queuing features to prevent multiple jobs from running concurrently.

Network Stored PST files ---- don't do it

2009-01-07T15:16:00.000+05:30

The file server in question is used for user home folder storage and users are accessing Outlook Personal Storage (.pst) files stored on the server from their client. The issue will manifest as either a server hang, or PagedPool depletion (Event ID 2020). Oftentimes the issue will occur first thing in the morning - when users are logging on and launching Outlook. In especially severe cases, the issue occurs several times daily. Sometimes the server will hang for a few minutes and then continue operating for a few minutes - and then hang again. Rinse & repeat. The users are frustrated because of slow access to their data, the server administrators are frustrated because they are tasked with fixing the problem, and upper management is frustrated because everyone else is frustrated.

If you're in this situation - there's good news ... and very bad news. The good news is that this problem is very common and is a known issue. The very bad news (from the customer's standpoint) is that PST files on a LAN/WAN is an unsupported configuration. Some customers are very surprised to hear this but Network Stored PST files have been unsupported since the days of Exchange 4.0. Microsoft KB Article 297019 goes into some detail about the effects of Network PST files:

"A .pst file is a file-access-driven method of message storage. File-access-driven means that the computer uses special file access commands that the operating system provides to read and write data to the file.

This is not efficient on WAN or LAN links because WAN/LAN links use network-access-driven methods, commands the operating system provides to send data to or receive from another networked computer. If there is a remote .pst (over a network link), Microsoft Outlook tries to use the file commands to read from the file or write to the file, but the operating system then has to send those commands over the network because the file is not on the local computer. This creates a great deal of overhead and increases the time it takes to read and write to the file. Additionally, the use of a .pst file over a network connection may result in a corrupted .pst file if the connection degrades or fails."

Let's use an example to illustrate the problem and also follow the problem through to its end result.

Let's say that a user sends an e-mail message to 500 users within the company. All of these users have their e-mail delivered directly to their PST file which is stored on the File Server. Some of these 500 users may need to extend their PST files to receive it. To extend a PST, an extra allocation on disk has to be made via NTFS. This locks out the whole volume while free space is allocated and the Master File Table (MFT) is updated. While this is happening for each user, all I/O for the other 499 users is on hold.

Allocating free space can take an extended time, especially if the disk is fragmented. Now factor in multiple users extending their PST's in the same timeframe, and significant periods of MFT lockout might be observed, which in turn is seen as inability to access any other file on the volume, resulting in queueing in the server service work queues, and sometimes SRV 2019, 2020, 2021, or 2022 events being logged. This scenario might overload the disk(s).

Setting aside the example of one email being sent to a group of users, imagine if you had a couple of hundred users who each have two or three PST files. These users have been with the company for a while, and they rarely (if ever!) delete their email from their PST files. The files continue to grow in size - let's use an average of 1 GB as the size of the PST file. Now consider that when each user launches Outlook, they make a request for two (or three) files, each of them being about 1 GB in size. Then consider what happens when 200 users all launch Outlook around the same time when they get to work. 200 x 3 x 1 = 600 GB of data being requested at the same time. That's an awful lot of Disk & Network I/O to process simultaneously. This is a very common scenario - the file server "freezing" for a few minutes at a time while it tries to service these requests.

The queuing in the server service work queues is what causes this temporary hang. The server service uses work items to handle I/O requests that come in over the network - for example: a request to extend a PST file. These work items are queued in the server service work queues, and from there they are handled by the server service worker threads. The work items are allocated from a kernel resource called Non-Paged Pool (NPP).

The server service sends these I/O requests down to the disk subsystem. If, for reasons mentioned above, the disk subsystem does not respond in time, the incoming I/O requests are queued via work items in the server work queues. Since these work items are allocated from NPP, eventually this resource runs empty. Running out of NPP causes systems to hang eventually (logging an Event ID 2019 in the process).

Digging down into this from more of a troubleshooting perspective, we can usually see issues caused by the PST files manifested in Poolmon and Perfmon captures. For example, we may see the LSwn pool tag allocation climbing in a Poolmon trace. These allocations are made by SRV.SYS. The size of the allocation is configurable via the SizReqBuf registry value. One allocation is made for each work item used by the server service. When looking at this through Perfmon, you will notice a steady decrease in the "Available Work Items" counter. If Available Work Items reaches zero, then clients may experience difficulties accessing files (any files, not just the PST files!). You may also experience 2019 errors if the problem lies with LSwn allocations (Non-Paged Pool depletion)

Another tag that highlights the issues with the PST files is the MmSt tag. This tag represents Mm section object prototype PTEs - a memory management-related structure used for mapped files. Put a different way, this is the pool tag that is used to map the OS memory used to track shared files. MmSt issues often manifest as Paged Pool depletion (Event ID 2020).

Is there any server-side tweaking that can be done to mitigate some of these effects? Yes. Is there any guarantee that this will resolve the problem completely and indefinitely? No. As an environment continues to scale up, the problem will continue to manifest itself despite all the tweaking that we can do. At some point, the tweaking itself may contribute to the problem because we've reached a point where the server simply cannot handle the workload.

Device Manager does not display devices

2009-01-07T15:13:00.000+05:30

Device Manager displays only non-Plug and Play devices, drivers, and printers when you click Show hidden devices on the View menu. Devices that you install that are not connected to the computer (such as a Universal Serial Bus [USB] device or "ghosted" devices) are not displayed in Device Manager, even when you click Show hidden devices.

To work around this behavior and display devices when you click Show hidden devices:

1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
2. At a command prompt, type the following command , and then press ENTER:
set devmgr_show_nonpresent_devices=1
3. Type the following command a command prompt, and then press ENTER:
start devmgmt.msc
4. Troubleshoot the devices and drivers in Device Manager.

NOTE: Click Show hidden devices on the View menu in Device Managers before you can see devices that are not connected to the computer.
5. When you finish troubleshooting, close Device Manager.
6. Type exit at the command prompt.

Note that when you close the command prompt window, Window clears the devmgr_show_nonpresent_devices=1 variable that you set in step 2 and prevents ghosted devices from being displayed when you click Show hidden devices.

If you are a developer or power user and you want to be able to view devices that are not connected to your computer, set this environment variable globally:

1. Right-click My Computer.
2. Click Properties.
3. Click the Advanced tab.
4. Click the Environment Variables tab.
5. Set the variables in the System Variables box.

INSTALLATION AND CONFIGURATION OF NAGIOS

2008-12-29T13:09:00.001+05:30

INSTALLATION AND CONFIGURATION OF NAGIOS
---------------------------------------------

1)tar xfvz nagios-1.0b5.tar.gz

2)cd nagios-1.0b5

3)mkdir /usr/local/nagios

4)chown nagios.nagios /usr/local/nagios

5)grep "^User" etc/httpd/conf/httpd.conf

6)/usr/sbin/groupadd nagcmd

7)/usr/sbin/usermod -G nagcmd apache
/usr/sbin/usermod -G nagcmd nagios

8)./configure --prefix=/usr/local/nagios
--with-cgiurl=/nagios/cgi-bin --with-htmurl=/nagios/ --with-nagios-user=nagios
--with-nagios-grp=nagios

9)make all

10)make install

11)make install-init (It creates the daemon script in rc.d)

12)make install-config (Creates the etc directory)

INSTALLATION OF PLUGGINS
-------------------------

1)tar xfvz nagios-pluggins-1.0b5.tar.gz

2)cd nagios-pluggins-1.0b5.tar.gz

3)./configure
--prefix=/usr/local/nagios --with-nagios-user=nagios --with-nagios-group=nagios

4)make all

5)make install

6)cd /usr/local/nagios/libexec/

There will be some files in this directory.

7)./check_ssh -h (To check ssh pluggin)

8)cd /usr/local/nagios/etc (All sample files are there remove the sample extension.)Make the necessary changes in the configuration files.

9)Now create the following cfg files

hosts.cfg
----------

# Host Definition

define host{
# Name of host template to use
use generic-host

host_name test-server1
alias subho
address 172.16.0.210
check_command check-host-alive
max_check_attempts 10
contact_groups nagios
notification_interval 120
notification_period 24x7
notification_options d,u,r
}

define host{
# Name of host template to use
use generic-host

host_name localhost.localdomain
alias sss
address 172.16.0.211
check_command check-host-alive
max_check_attempts 10
contact_groups nagios
notification_interval 120
notification_period 24x7
notification_options d,u,r

hostgroups.cfg(This file should not have the contact_groups directive)
----------------

define hostgroup{
hostgroup_name flcd-servers
alias The Free Linux CD Project Servers
members test-server1

contacts.cfg
---------------

define contact{
contact_name nagios
alias Oktay Altunergil
service_notification_period 24x7
host_notification_period 24x7
service_notification_options w,u,c,r
host_notification_options d,u,r
service_notification_commands notify-by-email
host_notification_commands host-notify-by-email
email oktay@localhost.localdomain

contactgroups.cfg
---------------------

define contactgroup{
contactgroup_name nagios
alias FreeLinuxCD.org Admins
members nagios

services.cfg
-------------------

# Service definition
define service{
# Name of service template to use
use generic-service

host_name test-server1
service_description HTTP
is_volatile 0
check_period 24x7
max_check_attempts 3
normal_check_interval 5
retry_check_interval 1
contact_groups nagios
notification_interval 120
notification_period 24x7
notification_options w,u,c,r
check_command check_http
}

# Service definition
define service{
# Name of service template to use
use generic-service

host_name test-server1
service_description PING
is_volatile 0
check_period 24x7
max_check_attempts 3
normal_check_interval 5
retry_check_interval 1
contact_groups nagios
notification_interval 120
notification_period 24x7
notification_options c,r
check_command check_ping!100.0,20%!500.0,60%

Added only two service for monitoring we can add many more.

10)../bin/nagios -v nagios.cfg (For checking the configuration)

11)Running Nagios Manually as a Daemon
/usr/local/nagios/bin/nagios -d
Note that you must specify the path/filename of the main configuration file (i.e.
/usr/local/nagios/etc/nagios.cfg) on the command line.

12)/etc/rc.d/init.d/nagios restart

13)chkconfig nagios on

To start the web interface
-------------------------------
1)Add the following lines in httpd.conf file

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin/"

Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

Alias /nagios "/usr/local/nagios/share/"

Options None
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

2)Issue the following commands

htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

To add more than one user

htpasswd /usr/local/nagios/etc/htpasswd.users

3)# service httpd restart

4)check from the browser

http://172.16.0.211/nagios/index.html

For the REMOTE HOSTS (tO BE INSTALLED ON THE REMOTE HOSTS)
-----------------------------------------------------------

1)Download the NRPE tar ball and unpack it

#tar xzf nrpe-2.8.tar.gz

#cd nrpe-2.8

2)Compile the NRPE addon.

#./configure
# make all

3)Install the NRPE plugin (for testing), daemon, and sample daemon config file.

#make install-plugin
#make install-daemon
#make install-daemon-config

4)Install the NRPE daemon as a service under xinetd.

#make install-xinetd

5)Edit the /etc/xinetd.d/nrpe file and add the IP address of the monitoring server to the only_from directive.

only_from = 127.0.0.1

6)Add the following entry for the NRPE daemon to the /etc/services file.

nrpe 5666/tcp # NRPE

7)Restart the xinetd service.

#service xinetd restart

8)Test the NRPE daemon locally

#netstat -at | grep nrpe

The output out this command should show something like this:

tcp 0 0 *:nrpe *:* LISTEN

9)/usr/local/nagios/libexec/check_nrpe -H localhost

You should get a string back that tells you what version of NRPE is installed, like this:

NRPE v2.8

NRPE PLUGGIN IN THE NAGIOS SERVER
--------------------------------------

1)Extract the NRPE source code tarball.

# tar xzf nrpe-2.8.tar.gz
# cd nrpe-2.8

2)Compile the NRPE addon.

#./configure
# make all

3)Install the NRPE plugin.

# make install-plugin

4) Test communication with the NRPE daemon

Make sure the check_nrpe plugin can talk to the NRPE daemon on the remote host.

#/usr/local/nagios/libexec/check_nrpe -H

You should get a string back that tells you what version of NRPE is installed on the remote host, like this:

NRPE v2.8

How to MS Cluster ?

2008-12-18T16:13:00.000+05:30

reate a Windows Server 2003 Two-Node Cluster
Page 1
Introduction
This step-by-step guide provides instructions for installing Cluster Service on servers running the Windows 2003 Enterprise Servers operating system. The guide describes the process of installing Cluster Service on cluster nodes. It is not intended to explain how to install cluster applications. Rather, it guides you through the process of installing a typical, two-node cluster itself.
A server cluster is a group of independent servers running Cluster service and working collectively as a single system. Server clusters provide high-availability, scalability, and manageability for resources and applications by grouping multiple servers running Windows 2003 Enterprise Server.
The purpose of server clusters is to preserve client access to applications and resources during failure and planned outages. If one of the servers in the cluster is unavailable due to failure or maintenance, resource and applications move to another available cluster node
For cluster systems, the term high availability is used rather that fault-tolerant, as fault tolerant technology offers a higher level of resilience and recovery. Fault-tolerant servers typically use a high degree of hardware redundancy plus specialized software to provide near-instantaneous recovery from any single hardware or software fault. These solutions cost significantly more than clustering solutions because organizations must pay for redundant hardware that waits idly for a fault. Fault-tolerant servers are used for applications that support high-value, high-rate transactions such as check clearinghouses, Automated Teller Machines (ATMS), or stock exchanges.
While Cluster service does not guarantee non-stop operation, it provides availability sufficient for most mission-critical applications. Cluster service can monitor applications and resources, automatically recognizing and recovering from many failure conditions. This provides greater flexibility in managing the workload within cluster, and improves overall availability of the system.
Cluster service benefits include:
High Availability – With Cluster service, ownership of resources such as disk drives and IP address is automatically transferred from failed server to surviving server. When a system or application in the cluster fails, the cluster software restarts the failed application on a surviving server, or disperses the work from the failed node to the remaining nodes. As a result, users experience only a momentary pause in service.
Failback – Cluster service automatically re-balances the workload in a cluster when a failed server comes back online.
Manageability – You can use the Cluster Administrator to manage a cluster as a single system and to manage applications as if they were running on a single server. You can move applications to different servers within a cluster by dragging and dropping cluster objects. You can move data to a different server in the same way. This can be used to manually balance server workloads and to unload servers for planned maintenance. You can also monitor the status of the cluster, all nodes and resources from anywhere on the network.
Scalability – Cluster services can grow to meet rising demands. When the overall load for a cluster-aware application exceeds the capabilities of the cluster, additional nodes can be added.
This document provides instructions for installing Cluster service on servers running Windows 2003 Enterprise Server. It describes the process of installing the Cluster service on cluster nodes. It is not intended to explain how to install cluster applications, but rather to guide you through the process of installing a typical,

Checklists for Cluster Server Installation
This checklist assists you in preparing for installation. Step-by-step instructions begin after the checklist.
Software Requirements
Microsoft Windows Server 2003 Enterprise installed on all computers in the cluster.
A name resolution method such as Domain Name System (DNS), DNS dynamic update protocol, Windows Internet Name Service (WINS), HOSTS, and so on.
An existing domain model.
All nodes must be members of the same domain.
A domain-level account that is a member of the local administrators group on each node. A dedicated account is recommended.
Hardware requirements
The hardware for a Cluster service node must meet the hardware requirements for Windows 2003 Enterprise Server. These requirements can be found at the Product Compatibility Search page.
Cluster hardware must be on Cluster Service Hardware Compatibility List (HCL). The latest version of the Cluster Service HCL can be found by going to the Windows Hardware Compatibility List and then searching on Cluster.
Two HCL-approved computers, each with the following:
A boot disk with Windows 2003 Enterprise Server installed. The boot disk cannot be on a shared storage bus described below.
Boot disks and shared disks must be on separate SCSI channels (SCSI PathID); separate adapters (SCSI PortNumber) are not required. Thus, you can use a single multi-channel SCSI or Fibre Channel adapter for both boot and shared disks.
Two PCI network adapters on each machine in the cluster.
And HCL-approved external disk storage unit that connects to all computers. This will be used as the clustered disk. A redundant array of independent disks (RAID) is recommended.
Storage cables to attach the shared storage device to all computers. Refer to the manufacturers’ instructions for configuring storage devices.
All hardware should be identical, slot for slot, card for card, for all nodes. This will make configuration easier and eliminate potential compatibility problems.
Network Requirements
A unique NetBIOS name.
Static IP addresses for all network interfaces on each node.
Note: Server Clustering does not support the use of IP addresses assigned from Dynamic Host Configuration Protocol (DHCP) servers.
Access to a domain controller. If the cluster service is unable to authenticate the user account used to start the service, it could cause the cluster to fail. It is recommended that you have a domain controller on the same local area network (LAN) as the cluster is on to ensure availability.
Each node must have at least two network adapters—one for connection to the client public network and the other for the node-to-node private cluster network. A dedicated private network adapter is required for HCL certification.
All nodes must have two physically independent LANs or virtual LANs for public and private communication.
If you are using fault-tolerant network cards or network adapter teaming, verify that you are using the most recent firmware and drivers. Check with your network adapter manufacturer for cluster compatibility.
Shared Disk Requirements
An HCL-approved external disk storage unit connected to all computers. This will be used as the clustered shared disk. Some type of a hardware redundant array of independent disks (RAID) is recommended.
All shared disks, including the quorum disk, must be physically attached to a shared bus.
Note: The requirement above does not hold true for Majority Node Set (MNS) clusters, which are not covered in this guide.
Shared disks must be on a different controller then the one used by the system drive.
Creating multiple logical drives at the hardware level in the RAID configuration is recommended rather than using a single logical disk that is then divided into multiple partitions at the operating system level. This is different from the configuration commonly used for stand-alone servers. However, it enables you to have multiple disk resources and to do Active/Active configurations and manual load balancing across the nodes in the cluster.
A dedicated disk with a minimum size of 50 megabytes (MB) to use as the quorum device. A partition of at least 500 MB is recommended for optimal NTFS file system performance.
Verify that disks attached to the shared bus can be seen from all nodes. This can be checked at the host adapter setup level. Refer to the manufacturer’s documentation for adapter-specific instructions.
SCSI devices must be assigned unique SCSI identification numbers and properly terminated according to the manufacturer’s instructions. See the appendix with this article for information on installing and terminating SCSI devices.
All shared disks must be configured as basic disks. For additional information, see the following article in the Microsoft Knowledge Base:
237853 Dynamic Disk Configuration Unavailable for Server Cluster Disk Resources
Software fault tolerance is not natively supported on cluster shared disks.
All partitions on the clustered disks must be formatted as NTFS.
Hardware fault-tolerant RAID configurations are recommended for all disks.
A minimum of two logical shared drives is recommended.

Cluster Installation
Installation Overview
During the installation process, some nodes will be shut down while others are being installed. This step helps guarantee that data on disks attached to the shared bus is not lost or corrupted. This can happen when multiple nodes simultaneously try to write to a disk that is not protected by the cluster software. The default behavior of how new disks are mounted has been changed in Windows 2003 Server from the behavior in the Microsoft® Windows® 2000 operating system. In Windows 2003, logical disks that are not on the same bus as the boot partition will not be automatically mounted and assigned a drive letter. This helps ensure that the server will not mount drives that could possibly belong to another server in a complex SAN environment.
Although the drives will not be mounted, it is still recommended that you follow the procedures below to be certain the shared disks will not become corrupted.
Use the table below to determine which nodes and storage devices should be turned on during each step.
The steps in this guide are for a two-node cluster. However, if you are installing a cluster with more than two nodes, the Node 2 column lists the required state of all other nodes.

Several steps must be taken before configuring the Cluster service software. These steps are:
Installing Windows Server 2003 Enterprise Edition or Windows Server 2003 Datacenter Edition operating system on each node.
Setting up networks.
Setting up disks.
Perform these steps on each cluster node before proceeding with the installation of cluster service on the first node.
To configure the cluster service, you must be logged on with an account that has administrative permissions to all nodes. Each node must be a member of the same domain. If you choose to make one of the nodes a domain controller, have another domain controller available on the same subnet to eliminate a single point of failure and enable maintenance on that node.
Installing the Windows 2003 Operating System
Refer to the documentation you received with the Windows Server 2003 operating system package to install the system on each node in the cluster.
Before configuring the cluster service, you must be logged on locally with a domain account that is a member of the local administrators group.
Note: The installation will fail if you attempt to join a node to a cluster that has a blank password for the local administrator account. For security reasons, Windows Server 2003 prohibits blank administrator passwords.
Setting Up Networks
Note: For this section, power down all shared storage devices and then power up all nodes. Do not let both nodes access the shared storage device at the same time until cluster services is installed on at least one node and that node is online.
Each cluster node requires at least two adapters – one to connect to a public network and one to connect to a private network consisting of cluster nodes only.
The private network adapter establishes node-to-node communications, cluster status signals and cluster management. Each node’s public network adapter connects the cluster to the public network where clients reside.
Note: To eliminate possible communication issues refer to Knowledge Base (KB) article Q258750 – Recommended Private “HeartBeat” Configuration on a Cluster Server.
Verify that all network connections are correct, with private network adapters connected to other private network adapters only, and public network adapters connected to the public network. The connections are illustrated in Figure 7 below. Run these steps on each cluster node before proceeding with shared disk setup.

Teaming Network Adapters
Perform these steps on the first node in the cluster. Please note that the following screens assume an HP interface. If you are setting up a Dell, please refer to appendix H. To provide for network redundancy, HP provides a utility to group network adapters in teams, which can provide for fault tolerance and/or load balancing.
1.To open the HP Network Configuration Utility, click on the Icon located in the system tray, as shown in the figure below.

2.The HP Network Configuration Utility property window will open and show the installed network adapters

3.Select the appropriate adapters for the Private Network Team by clicking on the adapter names.
4.On the Teaming Setup selection box, select Team. The utility will perform the necessary configuration and change the properties of the team as shown below.
5.Repeat the process for the Public Network Team as in steps 3-4.

6.Highlight the network Team and then click on the Properties button. The following screen is displayed.

7.Ensure that the Team Type Selection is set to Network Fault Tolerance Only (NFT), then click OK
8.Repeat steps 5-8 for the Public Network Team
Configuring the Private Network Adapter
1.Right-click My Network Places and then click Properties.
2.Right-click the Private Network Team icon
3.Click Status. The Private Network Team Status window shows the connection status, as well as the speed of connection. If the window shows that the network is disconnected, examine cables and connections to resolve the problem before proceeding. Click Close.
4.Right-click Private Network Team again, click Properties, and click Configure.
5.Click Advanced. The window shown in the figure below should appear

6.Network adapter on the private network should be set to the actual speed of the network, rather then default automated speed selection. Select your network speed from the drop-down list. Do not use and Auto-select setting for speed. Some adapters may drop packets while determining the speed. To set the network adapter speed, click on appropriate option such as Media Type or Speed.
All network adapters in the cluster that are attached to the same network must be identically configured to use the same Duplex Mode, Flow Control, Media Type, and so on. These settings should remain the same even if the hardware is different.
7.Right click My Network Places
8.Right Click the Private Network Team and select Properties

9.Click Transmission Control Protocol/Internet Protocol (TCP/IP)
10.Click Properties

11.Click the radio-button for Use the following IP address and type in the address that has been assigned by the system administrator.
12.Type in a subnet mask, which has been assigned by the system administrator
13.Click the Advanced radio-button and select the WINS tab. Select Disable NetBIOS over TCP/IP.

14.Click OK to return to the previous menu.

Configuring the Public Network Adapter
Perform these steps on the first node in the cluster.
Right-click My Network Places and then click Properties.
Right-click the Local Area Connection 1 icon
Click Status. The Local Area Connection 1 Status window shows the connection status, as well as the speed of connection. If the window shows that the network is disconnected, examine cables and connections to resolve the problem before proceeding. Click Close.
Right-click Local Area Connection 1 again, click Properties, and click Configure.
Click Advanced. The window shown in the figure below should appear

Network adapter on the private network should be set to the actual speed of the network, rather then default automated speed selection. Select your network speed from the drop-down list. Do not use an Auto-select setting for speed. Some adapters may drop packets while determining the speed. To set the network adapter speed, click on the appropriate option such as Media Type or Speed.
All network adapters in the cluster that are attached to the same network must be identically configured to use the same Duplex Mode, Flow Control, Media Type, and so on. These settings should remain the same even if the hardware is different.
Click Transmission Control Protocol/Internet Protocol (TCP/IP)
Click Properties
Click the radio-button for Use the following IP address and type in the address that has been assigned by the system administrator.
Type in a subnet mask, which has been assigned by the system administrator
The window should now look like the figure below:

Rename the Local Rear Network Icons
It is recommended to change the names of the network connections for clarity.
1.Right-click the Private Network Team icon
2.Click Rename
3.Type Private Cluster Connection into the textbox and press Enter.
4.Repeat steps 1-3 and rename the public network adapter as Public Cluster Connection.

5.The renamed icons should look like those in the figure above. Close the Networking and Dial-up Connections window. The new connection names automatically replicate to the other cluster servers as they are brought online.
Verifying Connectivity and Name Resolution
To verify that the private and public networks are communicating properly, perform the following steps for each network adapter in each node. You need to know the IP address for each network adapter in the cluster. If you do not already have this information, you can retrieve it using the ipconfig command on each node.
1.Click Start, click Run and type cmd in the text box. Click OK
2.Type ipconfig /all and press Enter. IP information should display for all network adapters in the machine.
3.Type ping ipaddress where ipaddress is the IP address for the corresponding network adapter in the other node.
To verify name resolution, ping each node from a client using the node’s machine name instead of its IP number. (Requires workstation setup to be completed)
Verifying Domain Membership
All nodes in a cluster must be members of the same domain and able to access the domain controller and DNS server. They can be configured as member servers or domain controllers.
1.Right-click My Computer, and click Properties.
2.Click Computer Name tab. The System Properties dialog box displays the full computer name and domain.
3.If you are using member servers and need to join a domain, you can do so at this time. Click Change and follow the on screen instructions for joining a domain.
4.Otherwise click the OK button.
Setting Up a Cluster User Account
The Cluster service requires a domain user account under which the Cluster Service can run. This user account must be created on the primary domain controller before installing Cluster Services, because setup requires a user name and password. This user account should not belong to a user on the domain.
1.Click Start, point to Control Panel, point to Administrative Tools, and click Active Directory Users and Computers.
2.Click the + to expand the domain (If not already expanded)
3.Click Users
4.Right-click Users, point to New, and Click User
5.Type in the cluster name as shown in the figure below and click Next.

6.Set the password settings to User Cannot Change Password and Password Never Expires. Click Next and then click Finish to create this user.
7.Right-click Cluster in the left pane of the Active Directory Users and Computers snap-in. Select Properties from the context menu.
8.Click the Member of tab
9.Click Add
10.Type Administrator
11.Click OK
12.Click Administrators and click OK. This gives the new user account administrative privileges on this computer.
13.Close the Active Directory Users and Computers snap-in.
Setting Up Shared Disks
Warning: Make sure the Windows 2003 Enterprise Server and the Cluster service are installed and running on one node before starting an operating system on another node. If the operating system is started on other nodes before the Cluster service is installed, configured and running on at least one node, the cluster disks will probably be corrupted
To proceed, power off all nodes. Power up the shared storage device are then power up node one.
About the Quorum Disk
The quorum disk is used to store cluster configuration database checkpoints and log files that help manage the cluster.
Create a small partition [A minimum of 50 MB to be used as quorum disk. Generally it’s recommended a quorum disk to be 500 MB.
Dedicate a separate disk for a quorum resource. As failure of the quorum disk would cause the entire cluster to fail
Configuring Shared Disk
1.Make sure that only one node is turned on.
2.Right click My Computer, click Manage, and then expand Storage.
3.Double-click Disk Management.
4.If you connect a new drive, then it automatically starts the Write Signature and Upgrade Disk Wizard. If this happens, click Next to step through the wizard.
Note: The wizard automatically sets the disk to dynamic. To reset the disk to basic, right-click Disk n (where n specifies the disk that you are working with), and then click Revert to Basic Disk.
5.Right-click unallocated disk space.
6.Click New Partition.
7.The New Partition Wizard begins. Click Next.
8.Select the Primary Partition type. Click Next.
9.The default is set to maximum size for the partition size, change to 500MB. Click Next. (Multiple logical disks are recommended over multiple partitions on one disk.)
10.Use the drop-down box to change the drive letter. Use a drive letter that is farther down the alphabet than the default enumerated letters. Commonly, the drive letter Q is used for the quorum disk, then R, S, and so on for the data disks. For additional information, see the following article in the Microsoft Knowledge Base:
318534 Best Practices for Drive-Letter Assignments on a Server Cluster
Note: If you are planning on using volume mount points, do not assign a drive letter to the disk. For additional information, see the following article in the Microsoft Knowledge Base:
280297 How to Configure Volume Mount Points on a Clustered Server
11.Format the partition using NTFS. In the Volume Label box, type a name for the disk. For example, Drive Q, as shown in Figure 15 below. It is critical to assign drive labels for shared disks, because this can dramatically reduce troubleshooting time in the event of a disk recovery situation.

If you are installing a 64-bit version of Windows Server 2003, verify that all disks are formatted as MBR. Global Partition Table (GPT) disks are not supported as clustered disks. For additional information, see the following article in the Microsoft Knowledge Base:
284134 Server Clusters Do Not Support GPT Shared Disks
Verify that all shared disks are formatted as NTFS and designated as MBR Basic.
Verify Disk Access and Functionality
1.Start Windows Explorer.
2.Right-click one of the shared disks (such as Drive D:\), click New, and then click Text Document.
3.Verify that you can successfully write to the disk and that the file was created.
4.Select the file, and then press the Del key to delete it from the clustered disk.
5.Repeat steps 1 through 4 for all clustered disks to verify they can be correctly accessed from the first node.
6.Turn off the first node, turn on the second node, and repeat steps 1 through 4 to verify disk access and functionality. Assign drive letters to match the corresponding drive labels. Repeat again for any additional nodes. Verify that all nodes can read and write from the disks, turn off all nodes except the first one, and then continue with this white paper.
Configure the First Node
Note: During installation of Cluster service on the first node, all other nodes must either be turned off, or stopped prior to Windows 2003 booting. All shared storage devices should be powered up.
1.Click Start, click All Programs, click Administrative Tools, and then click Cluster Administrator.
2.When prompted by the Open Connection to Cluster Wizard, click Create new cluster in the Action drop-down list, as shown in the figure below and click OK.

3.Verify that you have the necessary prerequisites to configure the cluster, as shown in the figure below. Click Next.

4.Type a unique NetBIOS name for the cluster (up to 15 characters), and then click Next. In the example shown in Figure 18 below, the cluster is named MyCluster.) Adherence to DNS naming rules is recommended. For additional information, see the following articles in the Microsoft Knowledge Base:
163409 NetBIOS Suffixes (16th Character of the NetBIOS Name)
254680 DNS Namespace Planning

5.If you are logged on locally with an account that is not a Domain Account with Local Administrative privileges, the wizard will prompt you to specify an account. This is not the account the Cluster service will use to start.
Note: If you have appropriate credentials, the prompt mentioned in step 5 and shown in the figure below may not appear.

6.Because it is possible to configure clusters remotely, you must verify or type the name of the server that is going to be used as the first node to create the cluster, as shown in the figure below. Click Next.

Note: The Install wizard verifies that all nodes can see the shared disks the same. In a complex storage area network the target identifiers (TIDs) for the disks may sometimes be different, and the Setup program may incorrectly detect that the disk configuration is not valid for Setup. To work around this issue you can click the Advanced button, and then click Advanced (minimum) configuration. For additional information, see the following article in the Microsoft Knowledge Base: 331801 Cluster Setup May Not Work When You Add Nodes

7.The figure below illustrates that the Setup process will now analyze the node for possible hardware or software problems that may cause problems with the installation. Review any warnings or error messages. You can also click the Details button to get detailed information about each one.

8.Type the unique cluster IP address (in this example 172.26.204.10), and then click Next.
9.As shown in the figure below, the New Server Cluster Wizard automatically associates the cluster IP address with one of the public networks by using the subnet mask to select the correct network. The cluster IP address should be used for administrative purposes only, and not for client connections.

10.Type the user name and password of the cluster service account that was created during pre-installation. (In the example in the figure below, the user name is “Cluster”). Select the domain name in the Domain drop-down list, and then click Next.

11.Review the Summary page, shown in the figure below, to verify that all the information that is about to be used to create the cluster is correct. If desired, you can use the quorum button to change the quorum disk designation from the default auto-selected disk.
The summary information displayed on this screen can be used to reconfigure the cluster in the event of a disaster recovery situation. It is recommended that you save and print a hard copy to keep with the change management log at the server.
Note: The Quorum button can also be used to specify a Majority Node Set (MNS) quorum model. This is one of the major configuration differences when you create an MNS cluster

12.Review any warnings or errors encountered during cluster creation. To do this, click the plus signs to see more, and then click Next. Warnings and errors appear in the Creating the Cluster page as shown in the figure below.

13.Click Finish to complete the installation. The figure below illustrates the final step.

Note: To view a detailed summary, click the View Log button or view the text file stored in the following location:
%SystemRoot%\System32\LogFiles\Cluster\ClCfgSrv.Log
6.2 Validate Cluster Installation
Use the Cluster Administrator (CluAdmin.exe) to validate the cluster service installation on Node 1.
To validate the cluster installation
1.Click Start, click Programs, click Administrative Tools, and then click Cluster Administrator.
2.Verify that all resources came online successfully, as shown in the figure below.

Note As general rules, do not put anything in the cluster group, do not take anything out of the cluster group, and do not use anything in the cluster group for anything other than cluster administration.
Configuring Second Node
Installing the cluster service on the other nodes requires less time than on the first node. Setup configures the cluster service network settings on the second node based on the configuration of the first node. You can also add multiple nodes to the cluster at the same time, and remotely.
Note: For this section, leave node 1 and all shared disks turned on. Then turn on all other nodes. The cluster service will control access to the shared disks at this point to eliminate any chance of corrupting the volume.
1.Open Cluster Administrator on Node 1.
2.Click File, click New, and then click Node.
3.The Add Cluster Computers Wizard will start. Click Next.
4.If you are not logged on with appropriate credentials, you will be asked to specify a domain account that has administrative rights over all nodes in the cluster.
5.Enter the machine name for the node you want to add to the cluster. Click Add. Repeat this step, shown in the figure below, to add all other nodes that you want. When you have added all nodes, click Next.

6.The Setup wizard will perform an analysis of all the nodes to verify that they are configured properly.
7.Type the password for the account used to start the cluster service.
8.Review the summary information that is displayed for accuracy. The summary information will be used to configure the other nodes when they join the cluster.
9.Review any warnings or errors encountered during cluster creation, and then click Next.
10.Click Finish to complete the installation.
Post Installation Configuration
Heartbeat Configuration
Now that the networks have been configured correctly on each node and the Cluster service has been configured, you need to configure the network roles to define their functionality within the cluster. Here is a list of the network configuration options in Cluster Administrator:
Enable for cluster use: If this check box is selected, the cluster service uses this network. This check box is selected by default for all networks.
Client access only (public network): Select this option if you want the cluster service to use this network adapter only for external communication with other clients. No node-to-node communication will take place on this network adapter.
Internal cluster communications only (private network): Select this option if you want the cluster service to use this network only for node-to-node communication.
All communications (mixed network): Select this option if you want the cluster service to use the network adapter for node-to-node communication and for communication with external clients. This option is selected by default for all networks.
This white paper assumes that only two networks are in use. It explains how to configure these networks as one mixed network and one private network. This is the most common configuration. If you have available resources, two dedicated redundant networks for internal-only cluster communication are recommended.
To configure the heartbeat
1.Start Cluster Administrator.
2.In the left pane, click Cluster Configuration, click Networks, right-click Private, and then click Properties.
3.Click Internal cluster communications only (private network), as shown in the figure below

4.Click OK.
5.Right-click Public, and then click Properties
6.Click to select the Enable this network for cluster use check box.
7.Click the All communications (mixed network) option, and then click OK.

Heartbeat Adapter Prioritization
After configuring the role of how the cluster service will use the network adapters, the next step is to prioritize the order in which they will be used for intra-cluster communication. This is applicable only if two or more networks were configured for node-to-node communication. Priority arrows on the right side of the screen specify the order in which the cluster service will use the network adapters for communication between nodes. The cluster service always attempts to use the first network adapter listed for remote procedure call (RPC) communication between the nodes. Cluster service uses the next network adapter in the list only if it cannot communicate by using the first network adapter.
1.Start Cluster Administrator.
2.In the left pane, right-click the cluster name (in the upper left corner), and then click Properties.
3.Click the Network Priority tab, as shown in Figure 31 below.

4.Verify that the Private network is listed at the top. Use the Move Up or Move Down buttons to change the priority order.
5.Click OK
6.5 Configuring Cluster Disks
Start Cluster Administrator, right-click any disks that you want to remove from the cluster, and then click Delete.
Note: By default, all disks not residing on the same bus as the system disk will have Physical Disk Resources created for them, and will be clustered. Therefore, if the node has multiple buses, some disks may be listed that will not be used as shared storage, for example, an internal SCSI drive. Such disks should be removed from the cluster configuration. If you plan to implement Volume Mount points for some disks, you may want to delete the current disk resources for those disks, delete the drive letters, and then create a new disk resource without a drive letter assignment.
Quorum Disk Configuration
The Cluster Configuration Wizard automatically selects the drive that is to be used as the quorum device. It will use the smallest partition that is larger then 50 MB. You may want to change the automatically selected disk to a dedicated disk that you have designated for use as the quorum.
Configure the Quorum Disk
1.Start Cluster Administrator (CluAdmin.exe).
2.Right-click the cluster name in the upper-left corner, and then click Properties.
3.Click the Quorum tab.
4.In the Quorum resource list box, select a different disk resource. In the figure below, Disk Q is selected in the Quorum resource list box.

5.If the disk has more than one partition, click the partition where you want the cluster-specific data to be kept, and then click OK.
For additional information, see the following article in the Microsoft Knowledge Base:
Q280353 How to Change Quorum Disk Designation
Creating a Boot Delay
In a situation where all the cluster nodes boot up and attempt to attach to the quorum resource at the same time, the Cluster service may fail to start. For example, this may occur when power is restored to all nodes at the exact same time after a power failure. To avoid such a situation, increase or decrease the Time to Display list of operating systems setting. To find this setting, click Start, point to My Computer, right-click My Computer, and then click Properties. Click the Advanced tab, and then click Settings under Startup And Recovery. Set the first node to 15 seconds and the second node to 30 seconds

Test Installation
There are several methods for verifying a cluster service installation after the Setup process is complete. These include:
Cluster Administrator: If installation was completed only on node 1, start Cluster Administrator, and then attempt to connect to the cluster. If a second node was installed, start Cluster Administrator on either node, connect to the cluster, and then verify that the second node is listed.
Services Applet: Use the services snap-in to verify that the cluster service is listed and started.
Event Log: Use the Event Viewer to check for ClusSvc entries in the system log. You should see entries confirming that the cluster service successfully formed or joined a cluster.
Cluster service registry entries: Verify that the cluster service installation process wrote the correct entries to the registry. You can find many of the registry settings under HKEY_LOCAL_MACHINE\Cluster
Click Start, click Run, and then type the Virtual Server name. Verify that you can connect and see resources.
Test Failover
Verify Resources will Failover
1.Click Start, click Programs, click Administrative Tools, and then click Cluster Administrator, as shown in the figure below.

2.Right-click the Disk Group 1 group, and then click Move Group. The group and all its resources will be moved to another node. After a short period of time, the Disk F: G: will be brought online on the second node. Watch the window to see this shift. Quit Cluster Administrator.

Exchange Server 2003

2008-12-07T22:57:00.000+05:30

Using the recovery storage group feature in Microsoft® Exchange Server 2003, you can mount a second copy of an Exchange mailbox database on the same server as the original database, or on any other Exchange server in the same Exchange administrative group. You can do this while the original database is still running and serving clients. The recovery storage group can also be useful in disaster recovery scenarios. This guide provides information on how to determine if a recovery storage group is useful in your deployment, how to set up a recovery storage group, and how to troubleshoot common problems.
How to Add the ..\exchsrvr\bin Directory to Your Windows Server 2003 System Path
Topic Last Modified: 2005-05-09
This topic explains how to add the Exchange \bin directory to your system path so that the tools in \bin are available from any command prompt.
Procedure
To add the ..\exchsrvr\bin directory to your Windows Server 2003 system path
1. Open System Properties. To open System Properties, click Start, right-click My Computer, and then click Properties.
2. Click the Advanced tab.
3. Click the Environment Variables button.
4. In the System Variables box, scroll down to the variable "Path."
5. Click Path to select it, and then click Edit.
6. In the Variable Value box, add a semicolon (;) to the end of the string.
7. After the semicolon (with no spaces) type the full path of ..\exchsrvr\bin.
8. Add a semicolon at the end of the path variable.
The default path is C:\program files\exchsrvr\bin
9. Click OK to close Edit System Variable, click OK to close Environment Variables, and then click OK to close System Properties.
10. Close any command shells that are open.
11. Open a new command shell. Click Start, click Run, type cmd, and then click OK. You should now be able to run any tool in the \bin directory from any command prompt on that server.

troubleshoot startup problems in Windows Server 2003

2008-12-07T22:51:00.000+05:30

How to troubleshoot start up problems in Windows Server 2003
SUMMARY
This article describes general procedures that you can use to troubleshoot startup problems in Windows Server 2003.

A successful Windows start up includes of the following four phases:
• Initial phase
• Boot loader phase
• Kernel phase
• Logan phase
If a problem occurs during one of these phases, Windows may not start correctly, and you may experience one of the following problems:
• The computer stops responding (hangs).
• You receive an error message.
If a start up problem occurs after you click Microsoft Windows Server 2003 on either the boot loader menu or when you receive the "Please select the operating system to start" message, files that the operating system needs may be missing or damaged. Windows provides a variety of options that you can use to troubleshoot this issue, including Safe mode, the Recovery Console, and an Automated System Recovery.
Back to the top
How to Start the Computer by Using the Last Known Good Configuration
If the start up problem occurs immediately after you make a change to the computer (for example, after you install a new driver), try to start the computer by using the Last Known Good Configuration feature.

When you use the Last Known Good Configuration feature, you start your computer by using the most recent settings that worked. This feature restores registry information and driver settings that were in effect the last time the computer started successfully. Use this feature when you cannot start Windows after you make a change to the computer (for example, after you install or upgrade a device driver).

To start the computer by using Last Known Good Configuration, follow these steps:
1. Click Start, and then click Shut Down.
2. Click Restart, and then click OK.
3. When you see the message Please select the operating system to start, press the F8 key.
4. Use the arrow keys to select Last Known Good Configuration, and then press ENTER.

Note NUM LOCK must be off before the arrow keys on the numeric keypad will function.
5. If you are running other operating systems on the computer, click Microsoft Windows Server 2003 in the list, and then press ENTER.
Notes
• By selecting Last Known Good Configuration, you can recover from problems such as a newly added driver that may be incorrect for your hardware. This feature does not solve problems caused by corrupted or missing drivers or files.
• When you select Last Known Good Configuration, only the information in registry key HKLM\System\CurrentControlSet is restored. Any changes you have made in other registry keys remain.
If you can start your computer by using Last Known Good Configuration, the last change that you made to the computer (for example, the installation of a driver) may be the cause of the incorrect startup behavior. Microsoft recommends that you either remove or update the driver or program, and then test Windows for correct startup.
Back to the top
How to Start the Computer in Safe Mode
When you start the computer in Safe mode, Windows loads only the drivers and computer services that you need. You can use Safe mode when you have to identify and resolve problems that are caused by faulty drivers, programs, or services that start automatically.

If the computer starts successfully in Safe mode but it does not start in normal mode, the computer may have a conflict with the hardware settings or the resources. There may be incompatibilities with programs, services, or drivers, or there may be registry damage. In Safe mode, you can disable or remove a program, service, or device driver that may prevent the computer from starting.

To troubleshoot startup problems in Safe mode, follow these steps:
1. Click Start, and then click Shut Down.
2. Click Restart, and then click OK.
3. When you see the message Please select the operating system to start, press F8.
4. In Windows Advanced Option Menu, use the arrow keys to select Safe Mode, and then press ENTER.

Note NUM LOCK must be off before the arrow keys on the numeric keypad will function.
5. If you are running other operating systems on the computer, click Microsoft Windows Server 2003 on the list that is displayed, and then press ENTER.
6. Do one of the following:
• If the computer does not start in Safe mode, try starting the computer by using the Recovery Console. If you still cannot start the computer, look for possible hardware problems, such as defective devices, installation problems, cabling problems, or connector problems. Remove any newly added hardware, and then restart the computer to see if the problem is resolved.
• If the computer starts in Safe mode, go to the next section to continue to troubleshoot the startup issue.

To Use Event Viewer to Identify the Cause of the Startup Problem
View the event logs in Event Viewer for additional information that may help you to identify and diagnose the cause of the startup problem. To view events that are recorded in the event logs, follow these steps:
1. Do one of the following:
• Click Start, point to Administrative Tools, and then click Event Viewer.
• Start the Event Viewer snap-in in Microsoft Management Console (MMC).

2. In the console tree, expand Event Viewer, and then click the log that you want to view. For example, click System log or Application log.
3. In the details pane, double-click the event that you want to view.

To copy the details of the event, click Copy, open a new document in the program in which you want to paste the event (for example, Microsoft Word), and then click Paste on the Edit menu.
4. To view the description of the previous event or the next event, press the UP ARROW key or the DOWN ARROW key.
To Use System Information to Identify the Cause of the Startup Problem
The System Information tool displays a comprehensive view of the computer's hardware, the system components, and the software environment. Use this tool to help identify possible problem devices and device conflicts. To do this, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type msinfo32, and then click OK.
3. Look for problem devices or device conflicts. To do so:
a. In the console tree, expand Components, and then click Problem Devices.

Note any devices that are listed in the right pane.
b. In the console tree, expand Hardware Resources, and then click Conflicts/Sharing.

Note any resource conflicts that are listed in the right pane.
c. If you identify a problem device, perform the appropriate action (for example, remove, disable, or reconfigure the device, or update the driver), and then restart the computer in normal mode.

You can use Device Manager to remove or disable devices and their drivers. For more information about Device Manager, see the Use Device Manager to Identify the Cause of the Start up Problem section of this article.

If the computer starts correctly, that particular device may be the cause of the start up problem.

If you disabled a device to resolve the problem, make sure that the device is listed on the Windows Server 2003 Hardware Compatibility List (HCL), and that it is installed correctly. Also, contact the manufacturer to report the behavior and to obtain information about possible updates that can resolve the startup problem.For information about how to contact computer hardware manufacturers, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:
65416 (http://support.microsoft.com/kb/65416/) Hardware and software vendor contact information, A-K

60781 (http://support.microsoft.com/kb/60781/) Hardware and software vendor contact information, L-P

60782 (http://support.microsoft.com/kb/60782/) Hardware and software vendor contact information, Q-Z
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

4. If no device conflicts or problem devices are reported by the System Information tool, look for programs that start automatically when Windows starts. To do so, follow these steps:
a. In the console tree, expand Software Environment, and then click Startup Programs.

Programs that start automatically when Windows starts are listed in the right pane.
b. Disable the programs, and then restart the computer.

For information about how to disable the program, see the program documentation or contact the manufacturer.
c. If you disable the startup programs, and the startup problem is resolved, enable the programs again, one at a time.

Shut down and restart the computer each time you enable a program, and note if the incorrect startup behavior occurs. If the behavior occurs, the last program that you enabled may be causing the incorrect startup behavior.

To View the Safe Mode Boot Log File
To troubleshoot startup issues, view the boot log file, Ntbtlog.txt, and then make a note of the drivers and services that did not load when you started your computer in Safe mode.

This log file is located in the %SystemRoot% folder (by default, this is the Windows folder). The log file lists devices and services that load (and do not load) when you start the computer in Safe mode. You can use a text editor such as Notepad to open and view the log file.

Use the list of drivers and services that did not load at startup to help identify the possible cause of the startup problem.

Note Some startup problems may occur early in the startup process. In this scenario, Windows may not save the boot log file to the hard disk.

To Use Device Manager to Identify the Cause of the Startup Problem
Device Manager displays a graphical view of the hardware that is installed on your computer. Use this tool to resolve any possible device conflicts or to identify incompatible devices that may be the cause of the startup problem.

To start Device Manager, follow these steps:
1. Click Start, right-click My Computer, and then click Manage.
2. Expand System Tools, and then click Device Manager.

The devices that are installed on your computer are listed in the right pane. If a symbol is displayed next to a device, there may be a problem with the device. For example, a black exclamation point (!) on a yellow field indicates that the device is in a problem state.

Note To disable a device in Device Manager, right-click the device, and then click Disable.
3. Investigate possible device conflicts. To do so, double-click the device in the right pane, and then click the Resources tab.

If a device conflict exists, it is listed under Conflicting device list.

Note the Use automatic settings check box. If Windows successfully detects a device, this check box is selected, and the device functions correctly. However, if the resource settings are based on Basic Configuration n (where n is any number from 0 to 9), you may have to change the configuration. To do so, either click a different basic configuration from the list or manually change the resource settings. WARNING This procedure may require that you change the computer's complementary metal oxide semiconductor (CMOS) settings and the basic input/output system (BIOS) settings. Incorrect changes to the BIOS of the computer can result in serious problems. Change the computer's CMOS settings at your own risk.

If Windows cannot resolve a resource conflict, verify that the computer is configured to permit Windows to enumerate the devices in the computer. To do so, enable the Plug and Play OS setting in the Setup tool of the computer's BIOS. To change the computer's BIOS settings, see the computer documentation or contact your computer manufacturer.
4. If you identify a problem device, disable it, and then restart the computer in normal mode.

If the computer starts correctly, the device that you disabled may be the cause of the startup problem.

Make sure that the device is listed on the Windows Server 2003 Hardware Compatibility List (HCL) and that it is installed correctly. Also, contact the manufacturer to report the behavior and to obtain information about possible updates that can resolve the startup problem.
For additional information about how to configure devices in Device Manager, click the following article number to view the article in the Microsoft Knowledge Base:
323423 (http://support.microsoft.com/kb/323423/) How to use Device Manager to configure devices in Windows Server 2003
Back to the top
How to Use System Configuration Utility
System Configuration Utility (Msconfig.exe) automates the routine troubleshooting steps that Microsoft Product Support Services technicians use when they diagnose Windows configuration issues. You can use this tool to modify the system configuration and troubleshoot the problem by using a process-of-elimination method.

You must be logged on as Administrator or as a member of the administrative groups to use System Configuration Utility. If your computer is connected to a network, network policy settings may prevent you from using the utility. As a security "best practice," consider using the Run as command to perform these procedures.

Note Microsoft strongly recommends that you do not use System Configuration Utility to modify the Boot.ini file on your computer without the help of a Microsoft support professional. Doing so may render your computer unusable.

To Create a Clean Environment for Troubleshooting
1. Click Start, click Run, type msconfig in the Open box, and then click OK. (To use the Run as command, type runas /user:administrator Path\msconfig.exe in the Open box, and then click OK. )
2. Click the General tab, click Diagnostic startup - load basic devices and services only, click OK, and then click Restart to restart your computer.
3. After Windows starts, determine whether the problem still occurs.
To Isolate Problems by Using System Startup Options
1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. Click the General tab, and then click Selective Startup.
3. Click to clear the following check boxes:
Process SYSTEM.INI File
Process WIN.INI File
Load System Services
You will not be able to clear the Use Original BOOT.INI check box.
4. To test the software loading process, make sure the Load Startup Items check box is selected, and then click OK.
5. Restart the computer when you are prompted to do so.
To Isolate Problems by Using Selective Startup Options
1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. Click the General tab, and then click Selective Startup.
3. Click to clear all the check boxes under Selective Startup. You will not be able to clear the Use Original BOOT.INI check box.
4. Click to select the Process SYSTEM.INI File check box, click OK, and then restart the computer when you are prompted.

Repeat this process and select each check box one at a time. Restart your computer each time. Repeat the process until the problem occurs.
5. When the problem occurs, click the tab that corresponds to the selected file. For example, if the problem occurs after you select the Win.ini file, click the WIN.INI tab in System Configuration Utility.
To Isolate Problems by Using the Startup Tab
The Startup tab lists items that load at startup from the Startup group, Win.ini load= and run=, and the registry.
1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. Click the Startup tab.
3. Click to clear all check boxes.
4. To start troubleshooting, click to select the first check box, click OK, and then restart the computer when you are prompted.

Repeat this process and select each check box one at a time. Restart your computer each time. Repeat the process until the problem occurs.
To Troubleshoot System Services
1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. Click the Services tab.
3. Make a note of any services that are not selected.

IMPORTANT Do not skip this step. You will need this information later.
4. Click Disable All, click OK, and then restart your computer.
5. Click Start, click Run, type msconfig in the Open box, and then click OK.
6. Click the Services tab.
7. Click to select the check box of a service to turn it on, and then click OK.
8. Restart your computer, and see if the problem occurs.
9. Repeat steps 5 through 8 for each service until the problem occurs. When the problem occurs, you will know that the last service you turned on is causing the problem. Make a note of this service, and go to step 10.
10. Click Enable All, click to clear the check box next to the faulty service, click to clear the check boxes of any other services you made note of in step 3, click OK, and then restart your computer.

As a workaround, you can leave the faulty service turned off (not selected). Contact the manufacturer of the faulty service for more assistance.

Note You might be able to determine more quickly which service is causing the problem by testing the services in groups. Divide the services into two groups--select the check boxes of the first group, and clear the check boxes of the second group. Restart your computer, and then test for the problem. If the problem occurs, the faulty service is in the group with the selected check boxes. If the problem does not occur, the faulty service is in the group with the cleared check boxes. Repeat this process on the faulty group until you have isolated the faulty service.
To Troubleshoot the System.ini File
1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. Click the SYSTEM.INI tab.
3. Make a note of any items that are not selected. You might have to expand some items (such as [drivers]) to determine if any sub-items are not selected.

IMPORTANT Do not skip this step. You will need this information later.
4. Click Disable All, click OK, and then restart your computer.
5. Click Start, click Run, type msconfig in the Open box, and then click OK.
6. Click the SYSTEM.INI tab.
7. Expand all items in the list, click the check box of an item to turn it on, and then click OK.
8. Restart your computer, and see if the problem occurs.
9. Repeat steps 5 through 8 for each item until the problem occurs.

When the problem occurs, you will know that the last item you turned on is causing the problem. Make a note of this item, and then go to step 10.
10. Click Enable All, click to clear the check box next to the faulty item, click to clear the check boxes of any other items you made note of in step 3, click OK, and then restart your computer.

As a workaround, you can leave the faulty item turned off (not selected). If possible, contact the manufacturer of the faulty item for more assistance.

Note You might be able to determine more quickly which System.ini item is causing the problem by testing the items in groups. Divide the items into two groups--select the check boxes of the first group, and clear the check boxes of the second group. Restart your computer, and then test for the problem. If the problem occurs, the faulty service is in the group with the selected check boxes. If the problem does not occur, the faulty service is in the group with the cleared check boxes. Repeat this process on the faulty group until you have isolated the faulty System.ini item.
To Troubleshoot the Win.ini File
1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. Click the WIN.INI tab.
3. Make a note of any items that are not selected. You might have to expand some items (such as [OLFax Ports]) to determine if any sub-items are not selected.

IMPORTANT Do not skip this step. You will need this information later.
4. Click Disable All, click OK, and then restart your computer.
5. Click Start, click Run, type msconfig in the Open box, and then click OK.
6. Click the WIN.INI tab.
7. Expand all items in the list, click the check box of an item to turn it on, and then click OK.
8. Restart your computer, and see if the problem occurs.
9. Repeat steps 5 through 8 for each item until the problem occurs.

When the problem occurs, you will know that the last item you turned on is causing the problem. Make a note of this item, and then go to step 10.
10. Click Enable All, click to clear the check box of the faulty item, click to clear the check boxes of any other items you made note of in step 3, click OK, and then restart your computer.

As a workaround, you can leave the faulty item turned off (not selected). If possible, contact the manufacturer of the faulty item for more assistance.

Note You might be able to determine more quickly which Win.ini item is causing the problem by testing the items in groups. Divide the items into two groups--select the check boxes of the first group, and clear the check boxes of the second group. Restart your computer, and then test for the problem. If the problem occurs, the faulty service is in the group with the selected check boxes. If the problem does not occur, the faulty service is in the group with the cleared check boxes. Repeat this process on the faulty group until you have isolated the faulty Win.ini item.
To Troubleshoot the Boot.ini File
Only system administrators and advanced users should try to change the Boot.ini file. Steps for troubleshooting Boot.ini are beyond the scope of this article.

For additional information, search the Microsoft Knowledge Base. To do this, visit the following Microsoft Web site:
Microsoft Product Support Services
http://support.microsoft.com (http://support.microsoft.com/)
To Reset System Configuration Utility to Normal Startup
To reset System Configuration Utility to normal startup, follow these steps:
1. Click Start, click Run, type msconfig in the Open box, and then click OK.
2. On the General tab, click Normal Startup - load all device drivers and services, and then click OK.
3. Restart your computer.
Back to the top
How to Use the Microsoft Windows Recovery Console
The Recovery Console is a command-line tool that you can use to repair Windows if the computer does not start properly. You can start the Recovery Console from the Windows Server 2003 CD or at startup if the Recovery Console was previously installed to your computer.

Use the Recovery Console if you used the Last Known Good Configuration startup option and it was not successful and you cannot start the computer in Safe mode. Microsoft recommends that you use the Recovery Console method only if you are an advanced user who can use basic commands to identify and locate problem drivers and files.

To use Recovery Console, follow these steps:
1. Insert the Windows Server 2003 installation CD in your CD-ROM or DVD-ROM drive, and then restart the computer.
2. When you are prompted during text-mode setup, press R to start the Recovery Console.
You can use the Recovery Console to:
• Access the drives on your computer.
• Enable or disable device drivers or services.
• Copy files from the Windows Server 2003 installation CD or copy files from other removable media. For example, you can copy a file that you need that was deleted.
• Create a new boot sector and a new master boot record (MBR). You might have to do this if there are problems starting from the existing boot sector.
To Confirm That Your Hard Disk or File System Is Not Damaged
To confirm that your hard disk or file system is not damaged, start your computer from the Windows Server 2003 CD, start the Recovery Console, and then use the Chkdsk command-line utility. This may solve your problem.

IMPORTANT Microsoft recommends that only advanced users or administrators use the Recovery Console. You have to know the password for the Administrator account to use the Recovery Console.

For additional information about how to test and repair a damaged hard disk by using Chkdsk, see the "Using the Recovery Console and Using the Recovery Console Command Prompt" sections in the following article:
307654 (http://support.microsoft.com/kb/307654/) How to install and use the Recovery Console in Windows XP
Note If Chkdsk reports that it cannot access your hard disk, you may have a hardware failure. Examine all cable connections and any jumper settings on your drive. Contact a computer repair professional, or the manufacturer of your computer for more assistance.

If Chkdsk reports that it cannot fix all hard disk problems, your file system or MBR may be damaged or no longer accessible. Try using the appropriate Recovery Console commands, such as Fixmbr and Fixboot, contact a data recovery service, or repartition and then reformat your hard disk.

WARNING: If you repartition and reformat your hard disk, you lose all information on the disk.

IMPORTANT For more assistance, contact your computer manufacturer or a Microsoft Product Support Services professional. Only qualified personnel should try to repair your computer. If the computer repair is performed by non-qualified personnel, this may nullify your computer's warranty. For additional information about how to Use Recovery Console, click the following article numbers to view the articles in the Microsoft Knowledge Base:
326215 (http://support.microsoft.com/kb/326215/) How to use the Recovery Console on a Windows Server 2003-based computer that does not start
Back to the top
How to Use Automated System Recovery
To recover from a system failure by using Automated System Recovery (ASR), follow these steps:
1. Make sure you have the following on hand before you start the recovery procedure:
• Your previously created ASR floppy disk.
• Your previously created backup media.
• The original operating system installation CD.
• If you have a mass storage controller and you are aware that the manufacturer has supplied a separate driver file for it (different from the driver files that are available on the Setup CD), obtain the file (on a floppy disk) before you start this procedure.

2. Insert the original operating system installation CD into your CD-ROM or DVD-ROM drive.
3. Restart your computer. If you are prompted to press a key to start the computer from CD, press the appropriate key.
4. If you have a separate driver file as described in step 1, press the F6 key to use the driver as part of Setup when you are prompted.
5. Press the F2 key when you are prompted at the start of the text-only mode section of Setup.

You are prompted to insert the ASR floppy disk that you previously created.
6. Follow the on-screen instructions.
7. If you have a separate driver file as described in step 1, press F6 (a second time) when you are prompted after the system restarts.
8. Follow the on-screen instructions.
Notes
• ASR does not restore your data files. See Windows Help for more information about backing up and restoring your data files.
• If you are restoring a server cluster in which all nodes failed and the quorum disk cannot be restored from backup, use ASR on each node in the original cluster to restore the disk signatures and the partition layout of the cluster disks (quorum and nonquorum). For more information about backing up and restoring server clusters, see Windows Help.
To Create an ASR Disk Set by Using Backup
To use ASR, you must have an ASR disk set. To create an ASR disk set, follow these steps:
1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

By default, the Backup or Restore Wizard starts, unless it is disabled. You can use the Backup or Restore Wizard to create an ASR disk set by answering All information on this computer in the What do you want to backup? section. Otherwise, you can go to the next step to create an ASR disk set in Advanced Mode.
2. Click the Advanced Mode link in the Backup or Restore Wizard.
3. On the Tools menu, click ASR Wizard.
4. Follow the instructions that appear on your screen.
Notes
• You need a blank 1.44 megabyte (MB) floppy disk to save your system settings and media to contain the backup files. If your computer does not have a floppy disk drive, perform an ASR backup on the computer without the floppy disk drive. Copy the Asr.sif and Asrpnp.sif files that are located in the %SystemRoot%\Repair folder to another computer with a floppy disk drive, and then copy those files to a floppy disk.
• To perform this procedure, you must be a member of the Administrators or Backup Operators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security "best practice," consider using the Run as command to perform this procedure.
• This procedure backs up only those system files that you must have to start your system. You must back up your data files separately.
• After you create the ASR set, label this floppy disk and the backup media carefully and keep them together. To use the backup media, you must have the floppy disk that you created with that set of media. You cannot use a floppy disk that you created at a different time or with a different set of media. You must also have your Setup CD available at the time you perform ASR.
• Keep the ASR set in a secure location. The ASR set contains information about your systems configuration that might be used to cause damage to your system.
• If you are backing up a server cluster, run the Automated System Recovery Wizard on all nodes of the cluster, and make sure that the Cluster service is running when you start each ASR backup. Make sure that one of the nodes on which you run the Automated System Recovery Preparation Wizard is listed as the owner of the quorum resource while the wizard is running.
Back to the top
How to Repair Your Installation of Windows
You may be able to repair a damaged Windows Server 2003 installation by running Windows Setup from the Windows CD.

To repair your installation of Windows, follow these steps:
1. Insert the Windows Server 2003 CD in the CD-ROM or DVD-ROM drive.
2. If the Windows CD displays the What would you like to do? menu, click Exit.
3. Turn off your computer, wait ten seconds, and then turn your computer back on.
4. If you are prompted to start your computer from the CD, do so.

Note You must be able to start your computer from the Windows Server 2003 CD-ROM to run Windows Setup. Your CD-ROM or DVD-ROM drive must be configured to do so. For information about how to configure your computer to start from the CD-ROM or DVD-ROM drive, see the documentation that is included with your computer, or contact your computer manufacturer.
5. After Setup starts, press ENTER to continue the setup process.
6. Press ENTER to select the option To set up Windows now, press ENTER. Do not select the Recovery Console option.
7. Press F8 to accept the licensing agreement.

Setup searches for previous installations of Windows.
• If Setup does not find a previous installation of Windows Server 2003, you might have a hardware failure.

Hardware failures are beyond the scope of this article. See a computer hardware specialist for more help or try the Hardware troubleshooter. For more information about the Hardware Troubleshooter, see the Windows Server 2003 Help topic "Using Troubleshooters."
• If Setup does find a previous installation of Windows Server 2003, you may receive the following message:
If one of the following Windows Server 2003 installations is damaged, setup can try to repair it. Use the up and down arrows to select an installation. To repair the selected installation, press R. To continue without repairing, press ESC.
Select the appropriate Windows Server 2003 operating system installation, and then press R to try to repair it.
• Follow the on-screen instructions to repair the installation.

Notes
• You might have to change the boot drive sequence in your BIOS settings to successfully start your computer from the Windows Server 2003 CD. Contact the manufacturer of your computer, or see your manufacturer's documentation, for more information.
• If you cannot start your computer from the Windows Server 2003 CD, you might have a CD-ROM or DVD-ROM drive failure or other hardware failure.

Hardware failures are beyond the scope of this article. See a computer hardware specialist for more help or try the Hardware troubleshooter. For more information about the Hardware Troubleshooter, see the Windows Server 2003 Help topic "Using Troubleshooters."
• After you repair your Windows Server 2003, you may be required to reactivate your copy of Windows Server 2003.

Repairing Exchange Databases

2008-12-07T22:47:00.000+05:30

Exchange

2008-12-07T22:40:00.000+05:30

Store Features	*Exchange 2000 or Exchange 2003 Standard Pre-SP2**	Exchange 2003 Standard /w SP2	Exchange 2000 or 2003 Enterprise

# of Storage Groups	1 + 1 RSG**	1 + 1 RSG**	4 + 1 RSG**
# of Stores	1 Mailbox store and 1 Public Folder Store per Storage Group	1 Mailbox store and 1 Public Folder Store per Storage Group	5 per Storage Group
Store Size Limit	16GB per Store	75GB per Store	16TB per Store

Table 1

* Any Exchange 2000 service pack level
**RSG = Recovery Storage Group

Storage Groups and Databases

A Storage Group will contain one or more Mailbox and Public Folder stores, depending on the version and the needs of the organization. Mailbox stores contain the user and system mailboxes and the Public Folder Store contains the Public Folders and their contents. For most organizations, a single Storage Group, with one Mailbox Store and one Public Folder Store is more than enough, however as the database grows in size, splitting one large database into multiple smaller databases can ease the management of backups.

A default Exchange installation will create a Storage Group that contains a Mailbox Store and a Public Folder Store. Each Mailbox Store is made up of a database set that contains two files:

Priv1.edb is a rich-text database file that contains the email messages, text attachments and headers for the users e-mail messages
Priv1.stm is a streaming file that contains multi-media data that is formatted as MIME data.

Similarly, each Public Folder Store is made up of a database set that also contains two files:

Pub1.edb is a rich-text database file that contains the messages, text attachments and headers for files stored in the Public Folder tree.
Pub1.stm is a streaming file that contains multi-media data that is formatted as MIME data

For every EDB file there will be an associated STM file.

Exchange utilizes what Microsoft terms a single-instance message store. This single-instance message store works on a per database basis. What does this mean? If an e-mail message is sent to multiple mailboxes that are all in the same database, the message is stored once and each mailbox has a pointer to the message. The transaction is also logged in the transaction logs for the Storage Group that contains the database. However, if the e-mail message is sent to multiple mailboxes that are located in different databases, the message is copied to each database and written to the transaction logs for each Storage Group that contains the database with a copy of the message.

For example, if I send 10 users a 1MB email message and all the mailboxes are located in the same database, one copy of the message is written to the database and each mailbox points to this message which will consume 1MB of disk space in total. If the 10 recipients are located in two different databases, each database will get a copy of this message which will consume 2MB of disk space. As you can see this is a much more efficient use of space as opposed to the alternative of 10 1MB messages using up 10 MB of disk space.

Aside from the database files, Storage Groups also contain system files and transaction logs. There are two system files, Tmp.edb which is a temporary database where transactions are processed, and E##.chk. The E##.chk file maintains the checkpoint for the Storage Group. The ## represents the Storage Group number with the First Storage Group file called E00.chk. This checkpoint file keeps track of the last committed transaction. If you are ever forced to perform a recovery, this file contains the point at which the replaying of transaction logs starts.

Transaction Logs

The transaction logs are some of the most crucial files when it comes to a working Exchange server. Microsoft Exchange Server uses transaction logs as a disaster recovery method that can bring a Exchange database back to a consistent state after a crash. Before anything is written to the EDB file, it is first written to a transaction log. Once the transaction has been logged, the data is written to the database when convenient.

Until a transaction is committed to the database, it is available from memory and recorded in the transaction logs. This is why you will see store.exe use up to 1GB of memory after the Exchange server has been in use for a while. After an Exchange server is brought back up after a crash, the checkpoint file points to the last committed transaction in the transaction logs which are then replayed from that point on. This form of write-ahead logging is important for you to know.

There are four types of transaction logs:

E##.log is the current transaction log for the database. Once the log file reaches 5MB in size it is renamed E#######.log and a new E##.log is created. As with the checkpoint file the ## represents the Storage Group identifier. While the new E##.log file is being created you will see a file called Edbtmp.log which is a template for Exchange server log files.
E#######.log are the secondary transaction logs. They are numbered sequentially starting with E0000001.log using the hexadecimal numbering format and are 5MB in size.
Res1.log is a reserved log file that is limited to 5MB in size. When the disk has run out of space, transactions are written to this log file while you work on clearing up space on the disk.
Res2.log is another reserved log with the same function as Res1.log.

Transaction logs can grow at a fast pace as each and every transaction is recorded to the log files. There are two ways to manage this growth with the recommended method being a regular full backup of the Information Store. Upon successful backup, the transactions are committed to the database and then purged.

The other method is to enable circular logging. Circular logging is disabled by default as it only allows you to recover Exchange data since the last full backup. With circular logging enabled the transaction logs are purged as the transactions are committed to the database. If you have to restore from backup, the transaction logs will not be replayed and all transactions since that backup will be lost.

The two reserved log files, Res1.log and Res2.log, are used to “save” 10MB of space on the disk in case there is no more free space. When the disk runs out of free space, the transactions are logged to the reserve logs as the Information Store shuts down gracefully. You will not be able to restart the Information Store service until you clear up some disk space.

Best Practices

As with anything there are some best practices you can follow in order to maintain a healthy Information Store.

Locating the Exchange program files, SMTP queues, transaction logs and database files on separate disk arrays is ideal. If budget constraints will not allow for this, locating the program files, transaction logs and SMTP queues on separate partitions on one disk array and the database files on a separate disk array will still offer some performance increases at a reduced cost.
All files should be located on redundant disk arrays. RAID 1 is the minimum recommended level, with RAID 5 offering an increase in performance and RAID 10 offering the best performance but at an increased cost.
Perform regular, full backups of the Information Store to commit the transactions and flush the log files. This can be done with the native Windows backup tool, NTBackup, or a third party solution. Even if you live on the wild side and do not keep backups of your data, it is important to do this to prevent the disk from filling up with log files and running out of space.
Do not use circular logging. As mentioned circular logging will not allow you to replay the transaction logs limiting you to recovering only the data from the latest full backup set.

The Information Store is the most critical component of Exchange Server 2000/2003 and a proper understanding of its structure is important to know for anyone tasked with managing and maintaining an Exchange server.

How to Improve PC Performance.

2008-07-28T21:53:00.000+05:30

How to Improve PC Performance.

Tip No. 1

CLEAN UP YOUR WINDOWS REGISTRY

This is an essential, but often overlooked, task to improve PC performance. In fact most PC users are unaware of the necessity to regularly clean the Registry as Microsoft does not include a cleanup tool in any version of Windows.

Every time a program is installed it makes changes to the Windows Registry - a huge internal database of Windows' settings. Virtually all Windows programs, and Windows itself, store a massive array of information inside the database. These thousands of entries control the behavior and appearance of virtually everything on your system.

Changes to your PC system are not always handled correctly in the Registry, leading to conflicts and the slowing down of your PC. Over time this leads to a bloated and possibly, corrupted Registry. Reasons for this include:

- frequently installing or uninstalling programs
- removing a program which leaves traces behind
- leftover entries from a hardware uninstall
- unused drivers on your system
- Spyware or similar programs that reappear every time you reboot

You can edit the Registry manually using a Windows program called Regedit, but this is really a job best left for hardened PC experts.

Thankfully, programs are available that can clean up your Registry automatically to help improve PC performance, such as "Registry Optimizer '06". This scans your Registry, looks for entries that are redundant or invalid and lists them so that they can be corrected with one mouse click. As an added bonus, to improve PC performance, it runs automatically in the background every time you start your PC. You even get a complimentary PC Windows Health Check.

Improve PC Performance Tip no. 2

EMPTY THE RECYCLE BIN (Frequency = Weekly)

Regularly empty Windows' Recycle Bin.

This will release hard drive space and help improve PC performance.

When you choose to delete a file, rather than removing it completely from your computer, Windows first puts it into the Recycle Bin. This gives you a second chance, as it means you can restore flies from the Recycle Bin back to their original place on your computer.

To ensure optimum PC performance, empty your Recycle Bin weekly (or even daily). To do so, right-click the Recycle Bin icon on your desktop, and choose Empty Recycle Bin.

Improve PC Performance Tip no. 3:
REMOVE PROGRAMS (Frequency = Monthly)

Installing programs is easy - but once you have, it's just as easy to end up leaving them languishing, forgotten, on your hard disk.

Most programs come with their own uninstaller. You'll find this under the program's entry in All Programs, from the Start menu.

If the program doesn't come with its own uninstaller, open Control Panel from the Start menu, and double-click Add/Remove Programs. Your PC will pause briefly while it gathers a list of all the programs you have installed.

Once it has done so, find the program you'd like to get rid of, click it and then select Change/Remove.

Be aware that some programs leave uninstalled traces all over the Windows Registry! Therefore, to improve PC performance after an uninstall, it's essential to clean the Registry.

Improve PC Performance Tip no. 4:
RUN DISK CLEAN UP (Frequency = Monthly)

Windows' Disk Clean Up is a fantastic built-in utility that automates regular maintenance tasks to improve PC performance, such as deleting Temporary Internet files, Setup log files, etc.

To start Disk Clean Up, double-click My Computer, right click on your 'C:' drive and then select Properties. Now click Disk Cleanup. Your computer will then spend a few moments analysing itself.

When it has completed the audit Windows will give you a list of areas where it has found files to cleanup. To clean an area, put a tick in the box next to it. To leave something intact, such as Temporary files, just remove the tick next to the item and click OK.

Your computer will then begin the removal process to improve PC performance - this can take some time.

Improve PC Performance Tip no. 5:
DISK DEFRAGMENTATION (Frequency = Quarterly)

When Windows stores programs on your PC hard disk it saves fragments of files in the nearest empty spaces.

This slows down your PC as it has to spend time hunting down the fragments and piecing files together.

There is a simple cure - running the Windows program Disk Defragmenter. This gathers together the fragments of programs and puts them back in the right order.

This makes it far easier for your hard disk to find what it's looking for, enabling programs and files to load more quickly - a sure-fired way for improving PC performance.

To defragment your hard disk click Start, All Programs, Accessories, System Tools and then Disk Defragment. When the program has loaded, click Defragment.

The process can take well over an hour. Because defragmenting your hard disk takes such a long time, you really don't want to go through the process too often.

Defragment your hard disk every 3 months or so - this way you'll get the best results and optimize the performance of your PC.

Improve PC Performance Tip no. 6:
EMPTY THE PREFETCH CACHE (Frequency = Quarterly)

To improve the time it takes to load programs, Windows guesses which files are likely to be needed next and loads them into a pool or 'cache'.

This process is called prefetching, and it generally works well. Overtime, though, the prefetch cache can become clogged with files you no longer need - and that can slow down Windows' startup.

To clear Prefetch, choose Run from the Start menu, and enter Prefetch into the text box that appears. When you've done that, you'll be confronted by a window filled with icons. Press Alt+A to select them all and press Delete.

The cache will quickly refill with links and files that Windows really needs. As a result, your system will feel more responsive and benefit from a PC performance speed up.

So there you have it, 6 sure-fired PC performance tips to revitalize your PC. Now you know how to improve PC performance - simply follow these steps and repeat them regularly.

What is inetinfo.exe?

2008-07-14T22:33:00.000+05:30

Inetinfo.exe is a user-mode component that hosts the IIS metabase and that also hosts the non-Web services of IIS including the FTP service, the SMTP service, and the NNTP service. Inetinfo.exe depends on IIS Admin service to host the metabase.

inetinfo.exe is used primarily for debugging Microsoft Windows Server Internet Information Services. This program is important for the stable and secure running of your computer and should not be terminated.

2008-07-11T12:47:00.000+05:30

	LAN	WAN
Definition:	LAN (Local Area Network) is a computer network covering a small geographic area, like a home, office, or group of buildings	WAN (Wide Area Network) is a computer network that covers a broad area (i.e., any network whose communications links cross metropolitan, regional, or national boundaries
Example:	Network in an organisation can be a LAN	Internet is the best example of a WAN
Ownership:	Typically owned, controlled, and managed by a single person or organization	WANs (like the Internet) are not owned by any one organization but rather exist under collective or distributed ownership and management
Technology:	Tend to use certain connectivity technologies, primarily Ethernet and Token Ring	WANs tend to use technology like ATM, Frame Relay and X.25 for connectivity over the longer distances
Data transfer rates:	LANs have a high data transfer rate	WANs have a lower data transfer rate as compared to LANs
Geographical spread:	Have a small geographical range and do not need any leased telecommunication lines	Have a large geographical range generally spreading across boundaries and need leased telecommunication lines
Connection:	one LAN can be connected to other LANs over any distance via telephone lines and radio waves	Computers connected to a wide-area network are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites
Set-up costs:	If there is a need to set-up a couple of extra devices on the network, it is not very expensive to do that	In this case since networks in remote areas have to be connected hence the set-up costs are higher

Sharepoint - Can not add the user because a user with that name already exists

2008-07-11T12:40:00.000+05:30

Q." How to add the user?

In Share point - Go to - Site Settings - Site Administration Under Site Collection Administrator - View Site Collection user information and delete the user from there. Then add the user back

You cannot remove the owners from the list of Web site collection administrators. " cannot delete myself as the owner of a site collection Symptom When you try to delete the owners of a Web site collection, you may see one of the following messages: You cannot delete the owners of a Web site collection. You cannot remove the owners from the list of Web site collection administrators.

You cannot remove your own account from the Site Collection Administrators group. Contact another site collection administrator or the server administrator and request that your name be removed from the Site Collection Administrators group.

Goto the central site administration and change the site collection owner (be sure to add an email address for the site collection owner)

Troubleshooting Disks and File Systems

2008-06-01T13:46:00.000+05:30

CHKDSK

CHKDSK.exe is a command-line tool that verifies the logical integrity of a file system on a MS Windows OS volume. If file system structures become damaged, MS Windows OS automatically schedules CHKDSK to run the next time the computer is restarted. At any time, you can manually run CHKDSK at the command prompt or from Windows Explorer or My Computer.

The CHKDSK Process on NTFS Volumes

When you run CHKDSK on NTFS volumes, the CHKDSK process consists of three major stages, and optional fourth and fifth stages. CHKDSK displays its progress for each stage with the following messages:

CHKDSK is verifying files (stage 1 of 3)... File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)... Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)... Security descriptor verification completed.

The following describes each of the CHKDSK stages.

Stage 1: CHKDSK verifies each file record segment in the master file table

During stage 1, CHKDSK examines each file record segment in the volume’s master file table (MFT). A specific file record segment in the MFT uniquely identifies every file and directory on an NTFS volume. The percent complete that CHKDSK displays during this phase is the percent of the MFT that has been verified.

Stage 2: CHKDSK checks the directories in the volume

During stage 2, CHKDSK examines each of the indexes (directories) on the volume for internal consistency and verifies that every file and directory represented by a file record segment in the MFT is referenced by at least one directory. CHKDSK also confirms that every file or subdirectory referenced in each directory actually exists as a valid file record segment in the MFT, and it checks for circular directory references. CHKDSK then confirms that the time stamps and the file size information associated with files are up to date in the directory listings for those files.

The percent complete that CHKDSK displays during this phase is the percent of the total number of files on the volume that are checked. For volumes with many thousands of files and folders, the time required to complete this stage can be significant.

Stage 3: CHKDSK verifies the security descriptors for each volume

During stage 3, CHKDSK examines each of the security descriptors associated with each file and directory on the volume by verifying that each security descriptor structure is well formed and internally consistent. The percent complete that CHKDSK displays during this phase is the percent of the number of files and directories on the volume that are checked.

Stages 4 and 5 (optional stages): CHKDSK reads every sector on the volume to confirm stability

CHKDSK performs stages 4 and 5 if you specify the /r parameter when you run CHKDSK. The /r parameter confirms that the sectors in each cluster are usable. Specifying the /r parameter is usually not necessary because NTFS identifies and remaps bad sectors during the course of normal operations, but use the /r parameter if you suspect the disk has bad sectors.

During stage 4, CHKDSK verifies all clusters in use; during stage 5, CHKDSK verifies unused clusters.

The percent complete that CHKDSK displays during stage 4 is based on the percent of used clusters that are checked. The percent complete that CHKDSK displays during stage 5 is the percent of unused clusters that are checked. Used clusters typically take longer to check than unused clusters, so stage 4 lasts longer than stage 5 on a volume with equal amounts of used and unused clusters. For a volume with mostly unused clusters, stage 5 takes longer than stage 4.¹

During stages 1 and 3, the percent complete indicator advances relatively smoothly, although some unevenness might occur in the rate at which these phases progress. For example, file record segments that are not in use require less time to process than do those that are in use, and larger security descriptors take more time to process than do smaller ones. Overall, the percent complete is a fairly accurate representation of the actual time required for that phase.

The duration of stage 2 varies because the amount of time required to process a directory is closely tied to the number of files or subdirectories listed in that directory. Because of this dependency, the percent complete indicator might not advance smoothly during stage 2, though the indicator continues to advance even for large directories. Therefore, do not use the percent complete as a reliable representation of the actual time remaining for this phase.

If you use the /f or /r parameter on a large volume (for example, 70 GB) or on a volume with a very large number of files (in the millions), CHKDSK can take a long time to complete. The volume is not available during this time because CHKDSK does not relinquish control until it is done. If a volume is being checked during the startup process, the computer is not available until the CHKDSK process is complete.

CHKDSK does not include parameters that let you cancel the CHKDSK process; however, when you run CHKDSK you can specify parameters that shorten the process. For more information see complete article at Microsoft Technet.

To run CHKDSK from My Computer or Windows Explorer

1. In My Computer or Windows Explorer, right-click the volume you want to check, and then click Properties.

2. On the Tools tab, click Check Now.

3. Do one of the following:

• To run CHKDSK in read-only mode, click Start.

• To run CHKDSK by using the /f parameter, select the Automatically fix file system errors check box and then click Start.

• To run CHKDSK by using the /r parameter, select the Scan for and attempt recovery of bad sectors check box and then click Start. Because NTFS also identifies and remaps bad sectors during the course of normal operations, it is usually not necessary to use the /r parameter unless you suspect that a disk has bad sectors.

Red Hat Supported Software

2008-05-02T23:03:00.000+05:30

Global Filesystem
Directory Server
Certificate Server
Red Hat Application Stack
JBoss Middleware Application Suite