Category Archives: IT

General news about the IT business.

Printing Woes

Microsoft has graced us with a new security update that patches a flaw in the printer spooler service. So far, so ordinary. This had some unforeseen consequences: deploying printers in an Active Directory domain might no longer work as expected for certain printers, logging “0x80070bcb Specified printer driver was not found and needs to be downloaded”.
Long story short: printer drivers which are not package aware will not be installed automatically by your client OS, no matter what you do, even in a GPO. The easiest fix is getting new drivers, but that’s not even possible for all devices out there. So here is a way to get the spooler service to think the driver is package aware: open the Registry, navigate to “HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\version-x\Driver name”, and edit the PrinterDriverAttributes value. Specifically, increment whatever is there by 1. After that, restart the printer spooler service.
Run gpupdate on the affected devices; the printer should then be mapped correctly.
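
To see which drivers are affected before touching anything, the following read-only report is an added example and not part of the original post. It assumes the flag in question is the low bit of PrinterDriverAttributes (PRINTER_DRIVER_PACKAGE_AWARE, 0x1 in winspool.h), which is why adding 1 to an even value sets it; the variable names are illustrative.

```powershell
# Added example: read-only report of the package-aware flag for every installed
# x64 printer driver. Nothing is written to the registry.
$PackageAware = 0x1   # PRINTER_DRIVER_PACKAGE_AWARE from winspool.h
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers'

$report = foreach ($version in (Get-ChildItem -Path $root -ErrorAction Stop)) {
    # $version is a Version-x key; each of its subkeys is one driver
    foreach ($driver in (Get-ChildItem -Path $version.PSPath)) {
        $props = Get-ItemProperty -Path $driver.PSPath
        # A missing value is treated as 0 (no attributes set)
        $attr = 0
        if ($null -ne $props.PrinterDriverAttributes) {
            $attr = [int]$props.PrinterDriverAttributes
        }
        [pscustomobject]@{
            Version      = $version.PSChildName
            Driver       = $driver.PSChildName
            Attributes   = $attr
            PackageAware = [bool]($attr -band $PackageAware)
            # Value with the flag set; equals Attributes + 1 only when Attributes is even
            WithFlagSet  = $attr -bor $PackageAware
        }
    }
}

# Drivers without the flag are the candidates for the 0x80070bcb failure described above
$report |
    Where-Object { -not $_.PackageAware } |
    Sort-Object Version, Driver |
    Format-Table -AutoSize
```

A driver whose value is already odd has the flag set and does not appear in the output.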

SecurePlatform to Gaia

Checkpoint switched the platform for their security products from SecurePlatform to Gaia. Sooner or later, a switch to Gaia will be necessary… Well, there are plenty of documents about this topic out there. Rejoice, people, one follows right here – valid for small installations (standalone boxes, really).

First of all, you want to get the current configuration from your box. You need to understand that this consists of 2 parts: the OS level configuration (interfaces, routing table) and the CP database (rulebase, CP settings). Checkpoint provides tools for the latter, but not for the former.

On the OLD firewall
Preparation:
1) Download this script
2) Get the target migration tools from Checkpoint. Either from a box with the target software installed, or from their download center
3) Copy both over to the box, by any method that works for you (TFTP, FTP, USB, magic)
4) Extract the CP upgrade_tools
5) Spread some execute permissions if necessary! “chmod +x splat2gaia.sh” and “chmod +x migrate”

For the OS level configuration
1) Execute “splat2gaia.sh”
2) Copy the output somewhere safe

For the CP database
1) Execute “migrate export”
2) Copy the resulting TGZ file somewhere safe

On the NEW firewall
Preparation
1) Install a fresh Gaia image, if not already installed
2) Follow CP’s guide and finish the first time configuration wizard

Restore the OS level config
1) Get console access to the box
2) Copy the output of splat2gaia.sh over line by line, or copy it into a bash script

Restore the rule database
1) Copy the TGZ over to $FWDIR/bin/upgrade_tools
2) Execute “migrate import”

Almost done! Now, connect to the box via your newly installed SmartDashboard, and install the rule database. Only after that step will the rules be enforced!

Note: depending on how you perform the switch over to the new platform, you might get a ton of “TCP packet out of state” errors. In that case, you might want to go to general options -> stateful inspection, and disable the “drop out of state packets” for the first couple of hours of operation.

Dirty Port TT

New in our Tools section: Dirty Port Testing Tool, a tiny utility to open a TCP listener and connect to it from the same UI, simple and fast. Developed in about one hour after being increasingly frustrated with having to test dozens of ports and hosts in multiple firewall setups in a lab environment…

Exchange Public Folder Mount Error

Another Exchange specific issue: we had a problem after migrating to Exchange 2010 and then uninstalling Exchange 2003, even though replicas of public folders were moved to the new server. Errors would show in the Exchange System Manager, and the following message would occur:
MapiExceptionADPropertyError: Unable to mount database. (hr=0x80004005, ec=2418)

There is an excellent post on TechNet Forums about this topic. However, it does not include information for Exchange 2010, and it says to restart the Information Store, when restarting the System Attendant is sufficient. Corrected instructions below.

Open ADSI Edit, connect to a Domain Controller, change the context to Configuration.

Create the Folder Hierarchies under the Exchange Administrative Group

  1. Navigate to Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ <Exchange Organization> ⇒ Administrative Groups
  2. Right click on <Exchange Administrative Group> and select New Object
  3. Select msExchPublicFolderTreeContainer as class and click Next
  4. Enter the following as value: Folder Hierarchies, click Next, Finish

Create the Public Folders Tree Object

  1. Right click Folder Hierarchies and select New Object
  2. Select msExchPFTree as class, click Next
  3. Enter the following as value: Public Folders, click Next
  4. Click on More Attributes button, select msExchPFTreeType and set the value to 1
  5. Click OK, Finish

Populate the msExchOwningPFTreeBL attribute object of the PF Store

  1. Double click the newly created “Public Folders” object
  2. Double click distinguishedName, copy the value to the clipboard, click Cancel
  3. Exchange 2007: open properties of Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ <Exchange Organization> ⇒ Administrative Groups ⇒ <Exchange 2007 Administrative Group> ⇒ Servers ⇒ <Affected Exchange Server> ⇒ Information Store ⇒ <Storage Group> ⇒ <Public Folder Database>
  4. Exchange 2010: open properties of Configuration ⇒ Services ⇒ Microsoft Exchange ⇒ <Exchange Organization> ⇒ Administrative Groups ⇒ <Exchange 2010 Administrative Group> ⇒ Databases ⇒ <Public Folder Database>
  5. Double click the msExchOwningPFTree attribute, paste the value that was copied to the clipboard in step 2
  6. Click OK twice

Try to mount the Store

  1. Restart the Microsoft Exchange System Attendant Service
  2. Open Exchange System Manager and try to mount the PF store
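
The result of the ADSI Edit steps above can be checked without opening ADSI Edit again. This is an added example, not part of the original post; it only reads from the directory and assumes the ActiveDirectory PowerShell module is available and that public folder databases are stored as objects of class msExchPublicMDB.

```powershell
# Added example: read-only check of the public folder tree link described above.
Import-Module ActiveDirectory

$config       = (Get-ADRootDSE).configurationNamingContext
$exchangeRoot = "CN=Microsoft Exchange,CN=Services,$config"

# All public folder databases in the organization
# (the class name msExchPublicMDB is an assumption of this example)
$stores = Get-ADObject -SearchBase $exchangeRoot `
                       -LDAPFilter '(objectClass=msExchPublicMDB)' `
                       -Properties msExchOwningPFTree

foreach ($store in $stores) {
    $treeDn = $store.msExchOwningPFTree
    $status = 'OK'

    if ([string]::IsNullOrEmpty($treeDn)) {
        # The state that the procedure above repairs
        $status = 'msExchOwningPFTree is empty'
    } else {
        try {
            $tree = Get-ADObject -Identity $treeDn -Properties msExchPFTreeType -ErrorAction Stop
            if ($tree.ObjectClass -ne 'msExchPFTree') {
                $status = "target is $($tree.ObjectClass), not msExchPFTree"
            } elseif ($tree.msExchPFTreeType -ne 1) {
                $status = "msExchPFTreeType is '$($tree.msExchPFTreeType)', expected 1"
            }
        } catch {
            $status = 'tree object not found'
        }
    }

    [pscustomobject]@{
        Store        = $store.Name
        OwningPFTree = $treeDn
        Status       = $status
    }
}
```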

Exchange Joy

If you work in the IT industry, take a moment to think about all the hours you have spent following best practices, and what is commonly called hardening of a server system. One of the most common practices is to only run the bare minimum of services and thus reduce open ports facing the network.
Microsoft seems to have a slightly different take on this: in the official Exchange 2010 Prerequisites, admins are instructed, amongst other things, to install a Windows Server Role named Web-Server. What they do not mention, though, is that this component also installs the FTP server and IIS Core components, neither of which is needed for Exchange. If you happen to want only the minimum required installation, be sure to swap Web-Server with Web-WebServer, which omits the slack.

Mono

With the latest round of Linux distribution releases just being completed, notably Ubuntu and Fedora, it was time to give Linux another shot, along with the latest Mono version, to be able to run our projects in a free (as in speech) environment.
Seems like vbnc, the free VB compiler, still has its fair share of issues, so efforts were put into porting the vware Libraries to C#, as well as a small project that uses it: FileIndexer. All said and done, after ironing out a lot of conversion errors, both projects compile and run just fine in Microsoft's .NET implementation as well as Mono. Expect both to be released rather soon, as using C# inspired me to include a few new features.

Windows Vista OEM Activation for DELL

With the recently released Service Pack 1 for Windows Vista, many people obviously want to install Windows with a slipstreamed DVD. However, somehow MS messed up the Vista servicing stack, and therefore, it is not possible to slipstream the update and create your own SP1 install media.

So what if you want to install Windows Vista Service Pack 1 as OEM installation? You may acquire a legal copy of a DVD with SP1 already applied, and make it a fully valid OEM copy all by yourself. Be aware that this procedure applies to DELL installations only, as we have no information where the other OEMs store their certificates.

Preparations needed before you reinstall:

  • Copy the folder [SYSTEM32]\OEM to a safe place
  • Find out your Windows serial using JellyBean 2

You may wipe your Windows installation now and reinstall the operating system without a serial number. Be sure to select the correct edition of your license when installing, though!

After installing Windows without a serial number, do the following:

  • Restore the folder [SYSTEM32]\OEM from your backup
  • Start an elevated command prompt (e.g. run [SYSTEM32]\cmd.exe as Administrator)
  • Change into the [SYSTEM32]\OEM directory and type the following commands:
    • slmgr -ilc [CERTIFICATE]
    • slmgr -ipk [PRODUCTKEY]
    • slmgr -ato

Execution of each command takes a while, so be patient and wait for a message box to pop up before you type the next command in the chain. Also, the following placeholders are used:

  • [SYSTEM32] is the path to your system directory, typically C:\Windows\System32
  • [CERTIFICATE] is the name of your cert file you backed up before reinstalling, in this case DELL.XRM-MS
  • [PRODUCTKEY] is the key you wrote down before reinstalling

Be aware that this guide only works on DELL machines. Also, it is imperative you already have a working OEM installation of Windows Vista you can get the installation key from. We do not support piracy of any kind, and we will not hand out any certificate files or serial numbers! This is solely for people who want to install a fresh copy of Vista SP1 without waiting for the OEM to deliver new media.

Coding Horror

There are a lot of interesting articles on slashdot.org, at least for the nerds that read it. For those who do not, get started with it.
Today, there has been a new post about coding style and general misunderstandings. One that could not possibly fit any better with reality. At least the reality over here at vware, nicely illustrated in this picture. Someone obviously took a lesson at this very project and the webpage.

Free Software

In modern computing, you are likely to be using GPL or MIT licensed programs, especially as a developer. While huge companies are propagating digital rights management, software patents, and are enforcing copyrights, free software represents the spirit of the early days in computing: sharing information free of charge and royalties.
Free Software gives everyone the right to look at program source code, to use and modify it, for as long as the “rights” are retained. It is an extremely intimidating concept, especially for developers wanting to add content to already available programs, without the need to request features and go through a long line of support lines. This enables hundreds of developers to work together, share and modify each other's ideas, and create applications for all major operating systems.

Sounds like a coders’ dream come true. There is just one major drawback: ease of use. Not the ease of use for the end user, but of the development tools.

On Windows, Microsoft’s own Visual Studio is one of the major development platforms, or integrated development environments (IDE). Nowadays, C# or Visual Basic are available for rapid application development (RAD) with the .NET Framework. This is where Visual Studio truly lives up to the marketing fuzz: hardly any development environment is so comfortable to use and yet powerful in features. Dead easy visual designers for data sets and dialogs along with templates. Comfortable text editing, indenting and formatting inclusive. Even Stop-Edit-Run debugging in the case of Visual Basic, without the need to recompile the whole project. An invaluable time saver for the average developer.

The popular development environment for software created with “free” tools which are portable mostly consists of a whole bunch of tools: vi/vim/emacs for editing, gcc for compiling, gdb for debugging. This so called toolchain is then complemented by a host of libraries, such as zlib, and a toolkit such as GTK+, wxWidgets, etc. Each one of them is highly configurable and highly flexible, cross-compiling and other features not even mentioned. But they are incredibly difficult to get started with! vi probably has more keyboard commands and shortcuts than the average human brain can store, gcc compilers ship without any infrastructure to actually create a program (libraries, headers, examples), and gdb is very difficult to set up and use.
This is not to speak of the wealth of libraries and dependencies one needs to create something meaningful, all of which have to be gathered separately. Different versions of libraries may not work with different versions of executables, and patching headers to make specific versions work with new compilers or recent code bases is common practice.

In my humble opinion, a lot of users would love to support the Free Software movement. Everyone involved with this very project here at vware would love to give back to the community. If it was not for all the time you lose getting into it, where you could do something meaningful (like actually developing an application).

Service Pack Slipstream

Some time ago, Service Pack 1 for Visual Studio 2005 was released. It weighs in at about 430MB of data, and depending on the installed features, may take more than one hour to install on a decent machine.
This, by itself, may be annoying, but not actually a show stopper. What is really mean is the slack that the Windows Installer leaves on your hard disk after installing a patch that large. You might want to take a look at the directory Installer in the Windows directory. After installing the service pack, the Windows Installer “backs up” easily 1GB of data there. So, for clean installations, anybody who is not into masochism might want to slipstream the patch data into the installer.

There is a nice post at the MSDN blog site on how to do that here.
One might wonder why the Windows Installer behaves that way, and obviously, it does that to support re-configuration of the installed software package. The simplest method to do that seems to be this one, but one wonders if there is no better way to handle this. At least, there is no better way to clutter your system drive with data you are most likely never going to need. Over and out from someone with a 4GB sized Installer directory.