Ivan Lučić - my blog

Windows Installation very slow –> simple solution

Platforms:

• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2

Problem:

Extremely slow Windows installation on your brand new machine.

Cause:

If you have no floppy drive installed in your computer, check if it’s still enabled. Some BIOS versions have problems with detecting a non-existing floppy drive and report it to the OS as present.

However the Windows XP setup seems not to be so sensitive.

Solution:

Enter the BIOS and set the floppy drive to “none”. Don’t ask.

Skype 3.0 for Windows Mobile finally released

Features:

• Call phones and mobiles at low rate (worldwide)
• Free Skype-to-Skype calls
• Free instant messaging

New features:

• Send files Skype-to-Skype
• Send SMS at much lower rate

For the best call quality, Skype recommends you sign in to Skype from a WiFi connection. You can also sign in from a 3G (UMTS) connection, but check first if your provider is blocking VoIP connections.

Requirement: Phone with Windows Mobile 5, 6, 6.1 and probably 6.5

Current version: 3.0.0.256

Release date: June 29, 2009

Download: http://www.skype.com/download/skype/windowsmobile/

Deutsch (German): http://www.skype.com/intl/de/download/skype/windowsmobile/

DFS & Access-based enumeration (ABE)

Platform: Windows Server 2008 Enterprise x64 English SP2

DFS Namespace type: Domain-based

In my current file-server environment I’m using the Access-based enumeration on all global file shares. ABE allows filtering folders visible to a user based on his NTFS access rights.

Additionally I’m using the Distributed File System (DFS), so I tried to join these both features.

Windows Server 2008 has the ABE feature already integrated. Everything you need to do is to activate it within the share’s properties (Server Manager –> Roles –> File Services –> Share and Storage Management –> your share –> properties):

On Windows Server 2003 you have to install the Windows Server 2003 Access-based Enumeration interface to be able to activate the ABE. After the installation you will find a new tab named “Access-based Enumeration” in your folder’s properties (if the folder is already shared):

(now first the wrong way to setup the DFS with ABE)

In my domain forest the fileservers are distributed in several sub domains. So I created a namespace in the root domain (on all root DC’s) to have one global entry point for all of the company file-data. The namespace is called “\\myrootdomain.local\DATA”. Inside of the namespace I created folder-links to several file-servers. In the next step I turned on the ABE for the DATA file share on every namespace-holder (DC). Additionally I configured the NTFS Security for all links on each node manually. First all links were visible for all users because of the inherited object security from the root drive. So I turned it off on each link separately, copied the permission entries, deleted the domain user entries and added the universal security groups (appropriate to the domain) for DFS with read only access to the links.

First tests were successful, but a few days later the links would lose the custom settings. The NTFS inherited security was enabled again – probably activated by the Windows Dfs Service. In some cases the ABE settings was changed as well.

…so I searched for the solution…and here is the right way:

First I checked the ABE support with DFS, and it’s really supported by the Windows Server 2008, but the namespace must be running in Windows Server 2008 mode. Slow-clickers (I’m not :)) would read it while creating the namespace:

Also you have to set this checkbox while creating the namespace for this feature to be supported. Otherwise the namespace would run in Windows 2000 Server mode, like here:

If you have already created the namespace you will have to recreate it. During the recreation you will possibly not be able to check the “2008 mode”, it could be grayed out. The reason for that is the requirement to have the Active Directory running in Windows Server 2008 domain functional level (not the whole forest). This against requires all DC’s in this domain (not forest) to run Windows Server 2008.

Again, the Windows Server 2008 domain functional level is only required in the domain where the namespace servers are located.

Raising the domain functional level to “Windows Server 2008”:

1. Check all DC’s running Windows Server 2008 and be sure that you are not planning to add a Windows 2000 or 2003 DC in the future to this domain.
2. Raise the domain functional level to “Windows Server 2008” (Active Directory Users and Computers –> right click on your domain –> Raise domain functional level…)
3. Wait for AD replication or replicate manually

Now restart the Windows Dfs Service on all Namespace nodes and you will be able to create and run the namespace in 2008 mode, like here:

Next: ABE and NTFS security configuration

Before you begin to configure these settings (ABE, NTFS) manually – please don’t do it on the conventional way (folder/share properties) – this way is not supported, the settings would not be replicated. Windows Server 2008 supports only the command-line administration of these features. The Administration within the GUI will not be supported until Windows Server 2008 R2.

The following steps must be done once only. The settings will be pushed to the other servers!

1. Enable the ABE (ABDE - Access Based Directory Enumeration) for the namespace using the dfsutil.exe:

Check the state with the following command:

2. Set the NTFS Security like the following:

Remove all security settings:

Disable object inheritance:

Set access rights for the Domain Admins (Full) and the DFS security group (more than read-only is not necessary here):

And here the sample for the other links:

You can verify the results within the windows folder properties security tab but always set the NTFS security with the dfsutil.exe.

The used security groups should also be used to set the root-folder security on the linked file-servers shares. Additionally check if the ABE is enabled there also (How-to? See top of the blog).

In most cases the share on your file-server holds folders named according to company’s departments. Best practice is to create a universal security group for every folder in the root of this share and set the permissions on them. Better you create one group for write- and another one for read-access and set the NTFS settings for these groups, one with modify and the other one with read permissions. Then make all of these folder access groups as member of the company’s DFS security group to have automatically access to the share and the DFS.

Now, users (better whole department (global) security groups) have only to be a member of the selected folder security group’s (R or RW) to have access through all DFS levels. The NTFS permissions must be never touched again - the administration can completely be done via the Active Directory.

Finally map a network drive to “\\yourdomain.local\DATA” - one for the whole domain forest! ;)

DFS Namespace Management: Error - The server you specified already hosts a namespace with this name

Platform: Windows Server 2008 Enterprise x64 English SP2

Namespace type: Domain-based

In my last post about the DFS (DFS Namespace Management: The namespace cannot be queried. The RPC server is unavailable.) I have explained how to delete a corrupted namespace from the Active Directory. Anyway the recreation of the same namespace would not work on hosts which have already hosted this namespace.

Thereby you would probably get the following error: “The server you specified already hosts a namespace with this name. Please select another namespace name or another server to host the namespace.”

Additionally to the namespace deletion in the domain follow the following steps to manually remove the remaining namespace parts on your DFS host:

1. Run “dfsutil.exe diag viewdfsdirs c: RemoveReparse” to remove all DFS folders from this host (it’s not possible to remove only a part of them, so be sure). If your DFSRoot was not placed on the c: drive, replace the parameter “c:” with the proper drive letter.
2. Delete the following three registry keys/values:
   1. HKLM\SOFTWARE\Microsoft\Dfs\Roots\Domain\YourOldNamespace
   2. HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\YourOldNamespaceShare
   3. HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\YourOldNamespaceShare
3. Reboot your Windows Server. The restart of the both services Dfs (DFS Namespace) and LanmanServer (Server) is not sufficient enough.
4. Delete the namespace folder in the DFSRoot.

bing vs. Google vs. Yahoo! (very cool)

So far there was no simple way to compare search results of the big three.

Blind Search allows you to send your search query to all of them at the same time. The result will be returned in three (random ordered and neutral formatted) columns with no search engine assignment. As next you compare the results and vote for the “column” with the best result to get the assignment. Exciting & very cool!

Link: http://blindsearch.fejus.com/

Result of my three (not really representative) searches:

2 –> bing (Wow!)

1 –> Yahoo!

0 –> Google

Please comment your results! ;)

ps: You will wonder if the results are not always the same like the search results on your search engine directly. Cause is the fixed US localization of Blind Search. Your client localization is not being passed through.

DFS Namespace Management: The namespace cannot be queried. The RPC server is unavailable.

Platform: Windows Server 2008 Enterprise x64 English SP2

Namespace type: Domain-based

See also (recently published): DFS Namespace Management: Error - The server you specified already hosts a namespace with this name

Problem:

You are trying to manage or delete a domain-based DFS namespace once hosted on an old (or crashed) machine. In doing so you get the following error: “The namespace cannot be queried. The RPC server is unavailable.”

Error when trying to delete the namespace (right-click before connecting):

Error when trying to connect:

Resolution:

Delete the namespace using ADSI Edit and dfsutil.exe.

Steps:

1. DFS Server: Remove the affected namespace from the DFS Management display.
2. DC: Use ADSI Edit to connect to the “Default naming context” of the affected domain, browse to CN=System, CN=Dfs-Configuration and delete the namespace entry.
3. DC: Wait for AD replication or replicate the changes manually.
4. DFS Server: Use dfsutil to flush all DFS caches. To do this start cmd.exe as Administrator and run the following three commands:
   • dfsutil cache domain flush
   • dfsutil cache referral flush
   • dfsutil cache provider flush

Now the namespace should not be listed when you run the “Add Namespaces to Display…” action and you should be able to create a new namespace with the old name.

Remote WMI: "Error: Access Denied" / "Win32: Access is denied", RSoP: "Error: Could not connect"

PROBLEM:

You are using Group Policy Inventory (GPInventory.exe) to gather some information about the machines in your network (mostly Windows XP).

Thereby you get some really incredible results:

"Error: Access Denied" on WMI (Windows Management Instrumentation) queries:

"Error: Could not connect" on RSoP (Resultant Set of Policy) queries:

With the above clients (that you cannot establish connection with), the remote connection over WMI Control should also fail with the following error: "Win32: Access is denied" [german] "Win32: Zugriff verweigert" [/german]:

[german]

[/german]

If you want to test it, you can find that control here:

Control Panel -> Administrative Tools -> Computer Management -> Connect to another computer... -> choose your client & click OK -> Services and Applications -> WMI Control -> Properties

[german] Systemsteuerung -> Verwaltung -> Computerverwaltung -> Verbindung mit anderem Computer herstellen... -> Client wählen & OK klicken -> Dienste und Anwendungen -> WMI-Steuerung -> Eigenschaften [/german]

Whatta...!?! What happens here? Everything seems to be fine:

• you are logged in as a domain administrator
• all the clients are domain members and you are admin on these machines as well
• there is no firewall active between the machines in your network (XP firewall is off)
• there are no errors in the event log and all the services are running properly
• WMI Control connect locally (on the clients) works anyway

CAUSE:

DCOM (Distributed COM) seems to be deactivated on your client(s).

RESOLUTION:

Activate it, what else ;)

But beware of worms and viruses, many of them are based on this technology. Activate this setting only in internal (secure) networks, behind the firewall and your AntiVirus wall.

Activate the firewall on mobile clients, especially in the Standard Profile Policy. If the firewall ist activated in the Domain Profile, you can add management exceptions like the following:

How to configure Windows Firewall in Windows XP Service Pack 2 to allow remote administration tools that use WMI, RPC, or DCOM

[german] Konfigurieren der Windows Firewall in Windows XP Service Pack 2, um Remoteverwaltungstools zuzulassen, die WMI, RPC oder DCOM verwenden [/german]

Steps for manual DCOM activation:

1. Control Panel -> Administrative Tools -> Component Services (short: run dcomcnfg.exe)
2. Component Services -> Computers -> My Computer -> Properties -> Default Properties
3. Check "Enable Distributed COM on this computer"
   1. 
4. OK
5. Restart the machine

[german]

Schritte für manuelle Aktivierung des DCOM:

1. Systemsteuerung -> Verwaltung -> Komponentendienste (kurz: dcomcnfg.exe ausführen)
2. Komponentendienste -> Computer -> Arbeitsplatz -> Eigenschaften -> Standardeigenschaften
3. Häkchen bei "DCOM (Distributed COM) auf diesem Computer aktivieren" setzen
   1. 
4. OK
5. Maschine neu starten

[/german]

On the Windows Vista and the PDC Beta of Windows 7,  the Component Services are not located in the Administrative Tools anymore.

To start them anyway, do one of the following (this works in XP/2003 as well):

• Start the Management Console (mmc.exe) and add the Component Services Snap-in
• simply run dcomcnfg.exe
• or run comexp.msc

I haven't searched for group policy setting to activate DCOM, but you are welcome to publish it within your comment ;)

PDC: Windows 7 Software Logo Program Requirements

Microsoft just published the preview version of the Windows Seven Software Logo Program for Client Technical Requirements document. All interested developers should take a look at this.

Finally to get the Logo all software must support x64 versions of Windows!

At first it's necessary to match these criteria:

1. Include business and technical owners for all submissions
2. Opt in to receive communications from Microsoft about their products
3. Include a copy and license of the software for compatibility testing purposes
4. Along with Microsoft agree to a 30-90 day resolution policy for all issues identified in market with logo'd products
5. Ensure the application adheres to all policies and passes all requirements in this document

Three additional policies:

1. Comply with Anti-spyware Coalition Guidelines
2. Do not modify Windows Resource Protection (WRP) protected resources
3. Ensure ongoing quality - in short, fix crash reports over time

 And finally 10 technical requirements:

1. Install and uninstall cleanly
2. Install to the correct folders by default
3. Support x64 versions of Windows
4. Follow User Account Control (UAC) Guidelines
5. Do not load Services and Drivers in Safe Mode
6. Digitally Sign Files
7. Do not prevent an installation or application from launching because of OS version checking
8. Prevent unnecessary reboots
9. Support multiuser sessions
10. Minimize application failures

Vista SP2 Beta1 - Download over WU

WARNING: This is a Beta1 version of the Vista SP2, only for testing purposes!

1. create a batch file with the following content:

2. run the file as administrator

3. run windows update

4. good luck ;)

Sony Ericsson XPERIA X1 - the maybe best Windows Mobile phone?? ..it will be released this month!! :)

The shipping will be started in the UK, Germany and Sweden (30th September). In other countries by the end of the year. 

Highlights:

• 3" WVGA-Touch-TFT (800x480, 65536 colors)
• QWERTY/QWERTZ slide keyboard
• 3.2 MP cam with flash, video (VGA, 30 fps)
• second cam for videocall at the front
• 16.7 mm "thin"
• Windows Mobile 6.1 Professional
• Quad-band
• EDGE/HSDPA/HSUPA
• A-GPS
• WLAN b/g
• Bluetooth v2.0 (A2DP) - no IR
• RDS FM radio
• Vibration
• no accelerometer
• 528 MHz CPU
• 384 MB RAM
• 512 MB internal storage (max. 400 available)
• microSD slot (HC compatible)
• miniUSB 2.0
• 3.5 mm audio jack
• Batt: Li-Po 1500 mAh
• Stand-by: up to 35 days!!
• Talk time: up to 10h
• Colors: Solid Black or Steel Silver

News source: http://www.gsmarena.com/sony_ericsson_xperia_x1_coming_in_only_three_weeks_time-news-587.php

Product site: http://www.sonyericsson.com/x1

EU price comparison without contract: http://geizhals.at/eu/a313867.html

Finally - The first SQL Server 2008 release candidate - download for everyone

Yesterday Microsoft published the SQL Server 2008 as Release Candidate 0

Platforms: x86, x64, IA64

Available languages: English, French, German, Italian, Japanese, Korean, Spanish, Chinese - Simplified and Traditional

Download link: http://www.microsoft.com/downloads/details.aspx?FamilyID=35f53843-03f7-4ed5-8142-24a4c024ca05&DisplayLang=en

RC0 readme: http://www.microsoft.com/downloads/details.aspx?FamilyID=298c5443-cc7c-4c22-8d73-fb70c96b5b04&DisplayLang=en

Site with download links for TechNet and MSDN users: http://msdn.microsoft.com/subscriptions/cc526022.aspx

Vista SP1 available for download (release)

WOW! ;)

As MSDN/Technet subscriber we are finally able to download the release of the Vista SP1!

Available are packages for 32 and 64-bit Systems in English, French, German, Japanese and Spanish.

File details:

Title: Windows Vista Service Pack 1 (x86, x64) - DVD (English, French, German, Japanese, Spanish)
Filename: de_en_es_fr_ja_windows_vista_service_pack_1_x86_x64_dvd_X14-38128.iso
Size: 1.13 GB

Title: Windows Vista Service Pack 1 (x86) - EXE (English, French, German, Japanese, Spanish)
Filename: de_en_es_fr_ja_windows_vista_service_pack_1_x86_72327.exe
434.5 MB

Title: Windows Vista Service Pack 1 (x64) - EXE (English, French, German, Japanese, Spanish)
Filename: de_en_es_fr_ja_windows_vista_service_pack_1_x64_72328.exe
Size: 726.5 MB

Download it here directly under "Top Subscriber Downloads":

http://msdn2.microsoft.com/en-us/subscriptions/default.aspx

The integrated full install of Vista with SP1 will be available to the end of the month.

Sources:

http://blogs.technet.com/technetplussubscriptions/archive/2008/02/14/technet-plus-vista-sp1-available-for-download.aspx

http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/11/windows-vista-sp1-availability-for-technical-customers.aspx

Changes made on windows service properties, by editing the registry, would not take an effect until system is restarted

Few days ago I tried to change some windows service properties by directly editing the registry keys. Amongst others I tried to allow some service to interact with the desktop on my Windows XP machine.
Under “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyService” I added 256 (Hex 100) to the “Type” value. Then I started the service and nothing happened. The reg key was still there and the check-box under the Service properties was checked, but the service was still not interacting with my desktop, hmm.
I unchecked the box and reapply the same settings again, restarted the service and then it worked.
It seems that this registry keys are not watched, probably they will be read only once at the start of system / service-manager.
I have not tried it yet but I think under Windows 2000 and Server 2003 you can expect the same behavior.
(I heard that Vista doesn’t make your life any easier at all with service-desktop-interacting due to security issues and interacting might not even work when allowed. I will cover this topic at the next time, till then enjoy XP.)
The question is: “What is behind this GUI “Apply” button except the setting of the reg-keys?”
Possibly something like: “Hey dear WinAPI, look at this key, I have just changed it” or one of my methods below.
I don’t know what is behind this button, but here I will show you four methods of how you can change this setting and point out their pros and cons.
Ahead I'm sorry because of shitty formatted C# Code, therefore I attached the code files for download.

Note that allowing your service to interact with the desktop can be dangerous.
Microsoft’s Caution:
In most cases, it is recommended that you not change the Allow service to interact with desktop setting. If you allow the service to interact with the desktop, any information that the service displays on the desktop will also be displayed on an interactive user's desktop. A malicious user could then take control of the service or attack it from the interactive desktop.

Method 1: Using the mouse ;)
-Run: services.msc
-Go to properties of your service, tab: “Log On”
-Choose “Local System account” (Lokales Systemkonto) and check the box “Allow service to interact with desktop” (Datenaustausch zwischen Dienst und Desktop zulassen)
-Apply it and restart your service

Pros:
-click, click... fast for one machine

Cons:
-nothing for networks

Method 2: Change the registry key by using the registry editor, some script or from your code.
Pros:
-simple
-easy to set with several scripting technologies

Cons:
-machine restart required

C# example:

Method 3: Using the WMI
Pros:
-simple
-works with remote machines

Cons:
-x

C# example:

Method 4: Using the Windows API
Pros:
-Cool hardcore solution
-faster than other methods but not really important in this case

Cons:
-very complex, except you copy my method ;)

C# example:

The Call

The calls to the three static methods looks like the following:

My hint: Use WMI, method 3!

Interesting talk (Video): Tandy Trower about Microsoft Robotics

Here you can watch an interesting talk about the robots, the idea "a robot in every home" and the Microsoft Robotics. This video is very long, over an hour. The real (english) presentation begins at minute 2:30 ;)

VMware Workstation: Guests hardware not detected properly after upgrading to WS 6.0

Yesterday I have upgraded my VMware Workstation from the version "5.5.3 build-34685" to "6.0.0 build-45731".
I started my machines and everything was looking fine but the machine’s Virtual Machine Hardware Compatibility was still "Workstation 5".
Then I installed the updated VMware Tools and upgraded the VM's Virtual Hardware to "Workstation 6" (Menu: “VM” -> “Upgrade or Change Version...” -> “Next” -> “Workstation 6” -> “Next” -> “Alter this virtual machine” -> “Next” -> “Finish” -> “Close”).
After I booted my Windows VM, all new hardware has been detected but the "Game Port for Creative" (Deutsch: "Gameport für Creative"). It appeared with a yellow exclamation mark in the Device Manager.
The device has following status:
"This device cannot find enough free resources that it can use. (Code 12)
If you want to use this device, you will need to disable one of the other devices on this system."
Deutsch:
"Für dieses Gerät sind nicht genügend Ressourcen verfügbar. (Code 12) Wenn Sie dieses Gerät nutzen möchten, müssen Sie ein anderes Gerät mit Anschluss an den Computer deaktivieren."

Resolution:
Shut down your machine and downgrade the Virtual Machine Hardware Compatibility to "Workstation 5" again and then upgrade it to "Workstation 6" without starting the machine between these two changes!
All the glitches will be gone next time you start your machine.