Small Business Server 2011 migration issues

Here are some of the common issues I’ve run into on back to back migrations from Microsoft Small Business Server 2003 to Small Business Server 2011:

Error: Object not found when trying to migrate mailboxes from Exchange 2003
Solution: Add the SBS 2011 computer object to the “Exchange Domain Servers” group manually. Reboot SBS 2011 to complete the process.

Error: Trying to login to Outlook Web Access results in IIS server error 500
Solution: Ensure that the Microsoft Exchange Forms-Based Authentication service is started. One way to ensure this starts in the future is to modify the service to be Automatic (Delayed).

How To: Easiest way to migrate shares from SBS 2003 to SBS 2011
Ycopy (has a easy to use GUI interface)

How To: Migrating Recipient Policies and Address Lists
Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"} | Set-EmailAddressPolicy -IncludedRecipients AllRecipients
Set-AddressList "All Users" -IncludedRecipients MailboxUsers
Set-AddressList "All Groups" -IncludedRecipients Mailgroups
Set-AddressList "All Contacts" -IncludedRecipients MailContacts
Set-AddressList "Public Folders" -RecipientFilter {RecipientType -eq "PublicFolder"}
Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

Outlook error: Cannot open default mail folders
Option 1. Verify the MS Exchange RPC Client Access service is running
Option 2. Set-RpcClientAccess –Server server_name –EncryptionRequired $False

Unable to create VPN sessions

If you receive any of the following errors in your event log when trying to establish a VPN session or PPP session, then the fix for you is listed below. I noticed this when trying to establish a VPN session through a Netgear VPN box. I checked my event logs and found the event IDs listed below.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Remote Access Connection Manager service terminated with the following error:
The specified procedure could not be found.

Event Type: Error
Event Source: Rasman
Event Category: None
Event ID: 20063
Description:
Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified procedure could not be found.

Event Type: Error
Event Source: RemoteAccess
Event Category: None
Event ID: 20070
Description:
Point to Point Protocol engine was unable to load the C:\Program Files\Symantec AntiVirus\SymRasMan.dll module. The specified module could not be found.

Quote from http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008010718082848

“To work around this problem, restore the registry string values with the following variable path to rastls.dll:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
ConfigUiPath %SystemRoot%\System32\rastls.dll
IdentityPath %SystemRoot%\System32\rastls.dll
InteractiveUIPath %SystemRoot%\System32\rastls.dll
Path %SystemRoot%\System32\rastls.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25
ConfigUiPath %SystemRoot%\System32\rastls.dll
IdentityPath %SystemRoot%\System32\rastls.dll
InteractiveUIPath %SystemRoot%\System32\rastls.dll
Path %SystemRoot%\System32\rastls.dll”

Microsoft Outlook: “the account you have added is not fully configured” error

I recently discovered a fix for the rare but annoying “the account you have added is not fully configured” when attempting to add an Exchange mailbox in Outlook 2003. I discovered it by mentioning it to a co-worker who happened to know about this rare issue– which is not documented anywhere that I searched (brief Google search including Microsoft KB or Experts Exchange). I probably didn’t give it my best effort, but nonetheless, the fix was incredibly simple.

The fix is to search for mapisvc.inf and delete both instances (windows/system32 and program files/common files), then re-create the Outlook profile which will be wiped out as a result.

Preventing Spyware

You wouldn’t be reading this if you weren’t curious about spyware… I’ve shown you how to get rid of it (easily) so lets look at how to prevent it.

I’m not going to repeat myself so I won’t go into detail, but spyware has several limitations. If you don’t want to get too advanced, here are a few easy ways to prevent spyware:

1. Use Internet Explorer 8 (stop whining, it does work very well)

2. Use Google Chrome (preferred method)

3. Use Mozilla Firefox (whatever the lastest version is)

4. Don’t click on pop-ups… if you have a pop-up blocker, turn it on!

5. If it tells you that you have a virus, the thing telling you is probably the virus… stop clicking on things!

6. Download and install MalwareBytes… then do a full scan occasionally

Now for more advanced ways!

1. Set security on C:\windows\system32\drivers\etc\hosts to Everyone read-only

2. Use regedt32 to set permissions on HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN and HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN to Everyone Read-Only. *** SOME SOFTWARE INSTALLS WILL NOT LIKE THIS: meaning future installations of software may fail because they cannot write to this key ***

3. Research CLEANMGR and use it’s “autopilot” function to clean temp files every time you reboot.

4. If you are in a domain environment, lock down Internet Options (specifically the proxy part)– and if you ARE in a domain environment, get a web filter… Barracuda even has its own spyware removal tool. There are some free ones out there like Untangle that even work pretty well.

5. Change your DNS to OpenDNS servers (http://opendns.org/) by setting it manually on your NIC or where ever you get DHCP from (at home this would be your “Linksys” router)

6. Set these registry keys to everyone read-only as well HKEY_CLASSES_ROOT/.exe and HKEY_CLASSESROOT/exefile

Dealing With Spyware

Let’s face it… I’ve never had spyware and I look at porn, and browse the web for hours at a time… whats your problem? 🙂 All kidding aside, spyware is a real problem. I’m sure everyone reading this at some point or another has had or dealt with fake antivirus software that just will NOT go away! Luckily for you I do this for a living and understand the limitations of spyware and how to deal with it. Coders are lazy people… they do just enough to get things to work and patch/update as problems arise rather than spending a few extra days to plan out every possible scenario and code it into their program– I suppose if Microsoft tried that… well… lol

Current spyware has several limitations:

  • Unable to cross user profiles (possibly due to Windows Vista/7 and UAC… limiting coders options to the current user). While this is not a REAL limitation, when you code a program to mass infect, you have to make it as compatible as possible. Sticking around in the current user’s profile makes the software very compatible.
  • Relies on reboots/triggers to activate. Usually spyware will associate itself with .exe (exefile) in the registry, other times it will load as a hook… because of this it has more limitations. One of these triggers is setting Internet Options to use a proxy… the proxy is the spyware usually as a service or as a DLL hook
  • It can’t effectively control where you go in explorer.exe (Windows shell) or it would potentially block itself…
  • It usually can’t block regedit because it makes changes to the registry… or it would potentially block itself…
  • To deal with antivirus and AWESOME programs like MalwareBytes… it has to remain anonymous. Thus, its very easy to spot 130e9rjfm312rja.exe in a folder or in task manager
  • If you are lucky enough to be in a domain environment, it can’t stop domain admin from another PC using PSTOOLS! 🙂

I think you get the point, so here’s what I am going to do for you today… I’m going to teach you… how to count….all the way… to schffifty schvive. Actually… I’m going to show you how to solve 99% of spyware problems.

Problem: You have spyware!

Solution: Taking what we know into account, the first thing you should do is create a new user and set a good password. If you anticipate having lots of spyware problems, leave the account in place when we are done. In almost all verisons of windows, its the same process to add a new user

1. Start

2. Control Panel

3. User Accounts

4. Add a new user (administrative user, not standard user)

5. Call it… swsvc or AntiSpyware or.. Joe (me) and everytime you get spyware you can login as me (Joe)

6. Create a password… preferably a pass-phrase. A pass-phrase is at least 14 characters… you can use your phone number spelled out, i.e. “four eight zero five five five one two three four”

7. Reboot

When the computer comes back up, login as the new user you created. If you are lucky, the spyware hid itself in an obvious place and we can delete it before we continue. Once you are logged in, click Start, click Run (or use Windows key + R) and launch “regedit” then navigate to LOCAL MACHINE>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN

This is usually how the spyware starts everytime you reboot. Check for items that have a path starting with \users\<your username>\appdata\local or \documents and settings\<your username>\. These paths usually end up somewhere in a temp folder with a random lettered/numbered executable.

Honestly though, you can probably delete everything under Run and be safe. Most of that stuff is your quick launch, antivirus tray icon (not the service), adobe quick launch, java update, etc. Once that is done, browse to USERS>long string of numbers>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION>RUN. There are going to be quite a few “SIDs” which are the long string of numbers, but y0u won’t find that path if it isn’t a valid user. So take the time and explore them all. Delete anything “weird” under Run.

Just for the heck of it, Windows Vista/7 users should open up My Computer and browse to \users\<their username>\appdata\local\ and look inside temp and microsoft for folders that have random letters and numbers. XP users will do the same, except use \documents and settings\<their username>\application data\ or \documents and settings\<their username>\local settings\.

Once you’re done looking, whether you find anything or not, goto Start > Control Panel > Internet Options > Connections tab > LAN Settings button and clear all the check boxes.

Next step is to download the greatest tool ever made, MalwareBytes. Here is a link: http://download.cnet.com/3001-8022_4-10804572.html?spi=cd39b95079d2256cc6dc1fc880e6e8d0&part=dl-10804572

MalwareBytes is small, compact, FREE… it doesn’t have bloat-ware or annoying ads… and it WORKS! It is your typical Next>Next>Finish type of installation. No tricks… At the very end  of the install leave “Update” and “Launch” checked.

After it updates and opens up, close it. — yea… lol. You could have unchecked “Launch” but let’s face it… we’re already worn out trying to search for this article.

In Vista/7 we have to right click MalwareBytes and “Run as Administrator” or it will not search other user’s profiles.

Once its loaded, do a full scan on C:\ … and wait… depending on how many files (usually 100,000 per hour if you have a decent PC) you might have to wait a while.

Once the scan is completed, it will have undoubtedly found your spyware. Remove all of it and reboot. Login as your regular user and verify the spyware is gone. You will have to double check Internet Options again (as noted above) and verify the same things. If you don’t, internet might not work right away.

Side notes:

Under rare circumstances, spyware will associate itself with .exe and exefile in the registry. If you open up regedit, navigate to HKEY_CLASSES_ROOT\.exe, default should be set to exefile. If it is not, it is probably set to scefile or something else. In any case, browse to HKEY_CLASSES_ROOT\exefile or scefile or whatever is there, and check the load options (SHELL>OPEN>COMMAND) and see if it provides you with a strange path.  Command default should be set to “%1 %*”

Also a rarity, once in a while the spyware will infect your hosts file. This file is located at C:\windows\system32\drivers\etc\hosts. The easiest way to open this file, is to have notepad open, and drag/drop it into notepad. It should have ONE entry (two if you have IPv6):

127.0.0.1       localhost
::1             localhost

If you can’t figure this out, or something isn’t working and you haven’t removed your spyware… leave a comment with the exact steps and messages you get and I will surely (inb4 don’t call me Shirly) try to answer your questions. If you are in the Phoenix area, I can always come over and fix your problems for a nominal fee.

Disappearing E-mail Text

Problem: Random e-mails (most notably distribution group e-mails) are delivered to users with stripped bodies, i.e. no text inside the e-mail.

I was not sure where to start with this, so I began my search in the obvious places… Microsoft Message Tracking and the spam filter. Well… for one, the company was not using a smart-host and this was happening on internal e-mails, so I could rule out the spam filter. I attempted to troubleshoot using message tracker, but of course it would only tell me the e-mail was delivered.

I patched and configured the server until I was blue in the face to make sure all the bugs were removed. The server was configured identically to most 2003 servers I’ve come across. The server had Eset anti-virus (non-Exchange version) which we upgraded… uninstalled… replaced… nothing resolved the issue.

Finally, I did some research on CommVault and NetVault (both running on the server, unsure of job status because at the time I did not have access to the backup software as I was an outside consultant only given specific access. On a whim I disabled both and had them do several tests… all of which worked successfully.

Internally they made the decision to discontinue the use of one of the backup solutions on the Exchange server.

Resolution: Don’t use two  log-based backup solutions on an Exchange server. I imagine both solutions had some sort of continous backup technology where they were constantly monitoring and backing up logs, causing the e-mail text to be misplaced.

Is your e-mail broken? Blame Cisco.

Just a few things you may eventually come across:

Getting an NDR stating #500 Firewall Error# is usually the fault of Cisco IOS. Chances are you have the ip inspect command set for smtp/esmtp. Removing this resolves the error (which may be inconsistent and difficult to replicate on demand).

Fixing Fake AntiVirus spyware infections is very easy in a domain environment through the use of PSLIST/PSKILL from the PSTOOLS package that Microsoft has available through Sysinternals. It appears that most fake antivirus programs associate themselves with the “exefile” class and redirect .exe to a “scefile” class where it loads its own executable as a wrapper. If by chance you can still run regedit (some block it… others don’t) you can remove the wrapper from the key in regedit and then set permissions on the key to read only for everyone. This will allow you to download and install MalwareBytes and/or ComboFix. Other times regedit is blocked and you will have to locate the file itself (almost always in the user’s temp files) and set permissions to deny full control to everyone and end the task. If you are looking for AntiVirus software that works well in preventing this type of spyware infection, either Symantec Endpoint (11.0.5 is latest release) or Microsoft Forefront Client Security seem to work very well.

20-20 Worksheet: The file format was not recognized

A while back I was troubleshooting an error for a user running 20-20 Worksheet on a Windows XP machine. The user was one of many running the program, but had a specific issue opening sif files that no one else had.

If she attempted to open a sif file, she would get the file format was not recognized. Other users would attempt to open the same file and they would not have errors.

Like most technicians… I don’t have the patience to call other companies for technical support. So I sent 2020 customer support an e-mail and while I waited I decided to do it on my own.

I quickly downloaded process monitor and excluded all the crap. I opened the sif file and magic! It couldn’t find a few registry entries (HKCU/Software/Classes/CLSID and HKCR/CLSID). I went to a machine that was working and exported the missing keys and it fixed the problem.

Problem: Opening a .sif file within 20-20 Worksheet produced a “The file format was not recognized” error message.
Resolution: Import missing registry keys

…the best part is the e-mail correspondence between myself and “technical support”

“Great,

What registry key did you import into her machine that fixed it?? And where in the registry did you find this key?

Thanks

Sincerely, 20-20 Technical Support Team”

Windows Vista Fax and Scan – Access denied to My Documents

I came across what I thought to be a very common issue… but the solution ended up being rather odd (and out of compulsiveness, I just happened to stumble upon it).

When presented with an access denied error and users accessing their My Documents folders via redirection, my first inclination is to check permissions. I did notice some rather strange permissions on the folders, so I set them to owner/system/administrator full control with inherit and re-applied them to all subfolders. I then set the owner of the files to the user. This did not resolve the problem.

Ultimately… my obsessive behavior of deleting that damned desktop.ini file resolved the problem. After I deleted the desktop.ini file, magically it started working. This left me confused, and laughing, initially.

Apparently the desktop.ini file is what changes “My Documents” to look like “Joe’s Documents.” I thought this would just be interpreted as an alias. If I am on the server and I saw “Joe’s Documents” I could still type My Documents in the path and reach the same destination. Apparently Vista’s Fax and Scan doesn’t make that distinction and decided that it would use alias path to connect– I don’t know why Microsoft failed to accommodate this problem, it seems like it shouldn’t make a difference.

Problem: Vista’s WFS cannot access My Documents
Solution: Delete desktop.ini