bshacklett's questions

We've recently made a change to the Internal URLs of many of our Exchange Virtual Directories. Following that change, we're seeing end-users report errors from Outlook stating that the certificate cannot be verified because it is expired.

The kicker is that the certificate showing up in these errors no-longer exists on the server. It was removed using the Remove-ExchangeCertificate Cmdlet in the Exchange Management Shell. I've also verified that it no-longer exists in the certificate store at cert:\LocalMachine\My, nor is it visible in any IIS configuration. Additionally, browsing to OWA returns the correct certificate. I don't understand how the server could possibly be serving this certificate any longer.

Is there anywhere else that this certificate could be hiding? Perhaps there is some kind of cache involved with Outlook? Any insight would be appreciated.

I have a CAS server that is expected to only be accessed from the outside. I currently have it configured with both the InternalUrl and ExternalUrl properties set to the same external URL. I'm wondering if it would be better to set InternalUrl to $null.

I understand that the InternalUrl and ExternalUrl properties have a strong effect on CAS proxying and redirection, but I haven't been able to find any documentation which will explain what happens if the InternalUrl is set to $null.

Additionally, if anyone has any recommendations on where I could find documentation or a book that would do a serious deep dive on Exchange behavior, I would be grateful.

I've got a DHCP server that's configured to "Always dynamically update DNS records". Unfortunately, it's not doing its job. The client sends an Option 81 with its FQDN and all flags at 0. The ACK back from the server does not contain Option 81, and a PTR record never appears. A records are appearing properly, for what it's worth.

I have a managed service account which needs a certificate in its personal store for decryption. I tried opening the Certificates snap-in and pointing to the service, but when I right-click on the "Personal" store the Request New Certificate option is not available. I only have Import... and Advanced Operations > Create Custom Request.

I tried creating a custom request in a number of different ways, but the certificate comes back with my user DN listed in the subject field, and the private key ends up in my current user's Certificate Enrollment Requests store.

I'd rather not abandon using a managed service account, but at this point it appears that I might have to. Any insights would be greatly appreciated.

I have a GPO that is currently being run only on client computers (XP, Vista, 7, etc.), by using a WMI filter with the following query:

select * from Win32_OperatingSystem where ProductType='1'

I would like to include Terminal Servers in this filter, but the best check for a Terminal Server appears to be in a different class (and namespace for Server 2008+). This requires a second, and possibly third, query to be added to the filter:

Select * From Win32_TerminalServiceSetting Where TerminalServerMode='1'

Unfortunately, these queries appear to AND together, resulting in the filter always evaluating to False, and I cannot find an option to change that. Is it possible to get this down to one filter with multiple queries, or will I need to create multiple filters, thus multiple GPOs?

At work, we have two forests with a two-way transitive trust between them. I need access to the Exchange management shell for an Exchange environment that resides in a different forest than my workstation resides. Currently, I am logging on to one of the Exchange servers every time I need to do any maintenance.

Is it possible to install the Exchange management shell on my workstation to manage the Exchange environment in the other forest? I know the standard install instructions don't work. I'm hoping there might be another way around it.

I'm trying to send a small string to statsd via nc inside of a read block:

while read line; do
    printf "folder.counter:value|1c" | nc -q 0 -u $host $port
done

Unfortunately, when in UDP mode, nc seems to want to wait indefinitely, even though I've specified -q 0, which the man page says will make the program exit immediately after EOF.

I've tried passing -w 1, but if the data I'm sending comes in at more than one line per second, the data buffers up, and I lose my real time stats (not to mention risking a buffer overflow of some sort).

Is it possible to do what I'm trying to do with netcat, or am I going to need to write something in language which has a statsd library?

In WinRM Service section of Group Policy, I have the option of disabling the following authentication mechanisms:

• Basic
• CredSSP
• Kerberos
• Negotiate

With concerns of security in mind, I would like to disable any authentication methods that could add extra vulnerabilities in the environment. That said, I want to do my best not to break expected functionality of the system, and understand what effect disabling authentication methods will have.

That said, what effects can I expect if I were to disable CredSSP and Negotiate? I'm hoping that Kerberos would be used for everything in an AD environment, and Basic is going to be disabled regardless.

I've got an Ubuntu server running statsd, collectd and Graphite. I'm looking to collect data from Windows servers via WMI. I don't see an official plugin for WMI or WBEM/CIM on Collectd's web site. Is there a third party plugin available, or some kind of translation layer I might be able to put in place?

When one of our users attempts to log into OWA while their account is locked out, they receive a message stating that their username or password was incorrect. Is it possible to configure OWA so that it tells them if their account has been locked out?

I've configured a redirect to point from anything in the root directory to /racktables/. When I actually go to http://host/, however, I am redirected to http://host/racktables, which, of course, redirects back to http://host/racktables ad infinitum.

Entry from web.config: <httpRedirect enabled="true" destination="/racktables/" exactDestination="true" childOnly="true" />

Is it possible to get IIS to honor this redirect exactly, or will I have to create a redirect in the default document at the root of the site? It seems like that would be a fairly significant oversight on Microsoft's part.

I manage an AIX box at work using PuTTY. I'm using ksh in vi-mode. When I press the Delete key (not backspace) the case of following characters is toggled instead of the character under the cursor being deleted. I'm not necessarily looking to change the behavior, as this is a very important server and I just don't want to make unnecessary changes, but I would like to understand why it's happening.

Steps to reproduce.

1. Type some text:

   root:common> ls -al

2. Move the cursor over the dash. ([esc] hhh)
3. Press the Delete Key. ([del])
4. Strange things happen:

   root:common> ls -AL

Expected behavior: The character under the cursor is deleted.

Actual behavior: Following characters have their case toggled.

I'm working towards disabling Netbios over TCP/IP for my organization. I've created a reservation for my MAC address. I can see that the reservation becomes active when I renew my IP address. I set option 001 under the Microsoft Options vendor class and the Default BOOTP class with a value of 0x2. When I renew my IP address, the DHCP server never adds this option to the DHCP Offer or DHCP ACK.

How do I need to configure the options in order to get this functioning properly?

I need to filter a GPO so that it only applies if an application is installed. From what I can see, I should be able to do this either with WMI or with GPP item level targeting. Is there a performance difference between the two? If it makes a difference, there are three items in GPP that will have targeting applied (I'm assuming this means three queries vs one when using WMI filtering).

I have an Active-Directory integrated stub zone that appears to be functioning properly (zone data is populated on every DC). It is stored in the DomainDNSZones partition, but I do not see any dnsNode objects in its container. I was previously under the impression that any DNS zones that are domain-scoped would store all of their zone information here, but I see that there must be more to it than that. Where else could the zone data be loaded from?

We have a domain controller that was virtualized a while back; this caused issues with replication that we're now seeing fallout from. I've moved the PDC Emulator and other fsmo roles to a new DC and we're working on decommissioning the virtualized DC.

In the meantime, I'm trying to resolve an issue with group policy processing. Some workstations, when attempting to process policy, are resolving "domain.local" to the IP address of the virtualized/malfunctioning DC. When they try to download GPOs from this DC, they are not available due to replication issues. What I'd like to do is safely remove this DC from the list of DFS servers that serve this domain (\domain.local\sysvol). Is there a safe way to do so? This will only be a temporary band-aid until we are able to decommission the malfunctioning DC.

I'm open to alternative suggestions as well.

I'm having a bit of trouble connecting to my virtual machine host, which is an Ubuntu server running KVM/Libvirt. I can connect to the server using an Ubuntu client and I can connect via virsh on a Fedora 16 client. Unfortunately, connecting via virt-manager fails with the error: "unable to open a connection to the libvirt management daemon".

Almost every time I've had to change the print processor for a printer, it's because it's set to something other than WINPRINT/RAW. Granted, fax software sometimes makes use of other print processors, but most of the time it seems as though the WINPRINT/RAW processor is the best way to go. Can anyone shed some light on the history and need for different print processors? For instance, when different processors are needed and what types of symptoms can be seen if the wrong processor is being used?

For those of you out there using Racktables, how do you handle DHCP scopes? I haven't been able to find a way to show the IP addresses as allocated.

I'm toying with an idea for a script that would update a computer's details in Active directory with its make and model information. Ideally, I'd like this script to access AD via its computer account, which means I'd need to have the script run as "NT Authority\NetworkService". Is this something that's possible? Alternatively, could I impersonate NetworkService in the script/executable?