# Friday, March 12, 2010

Sharepoint 2010 Configuration Wizard "Failed To Register Sharepoint Services" with System.Security.Cryptography.CryptographicException Object Already Exists

Working on the SP2010 beta I bumped into an issue with search. After various attempts to fix it in different ways, I decided to rerun the SharePoint 2010 Products Configuration Wizard. But when I did, I ran into an error on Step #5, namely a System.Security.Cryptography.CryptographicException of "Object Already Exists".


This was verified by checking the logs. I tried many, many things to resolve it, including making sure "Network Service" had full control over the 14-hive, per this blog, and granting Network Service access to an RSA key container with aspnet_regiis (the "SampleKeys" walkthrough), etc. I even disabled UAC (see my earlier post for an explanation).

No dice.

The resolution lay, as you may be suspecting, in messed-up permissions on the RSA folder, specifically C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (the folder that holds the machine-level RSA key containers). I had checked down to the RSA level and Administrators had full permissions (I was logged on with an administrative account), but I had not taken the next step and checked MachineKeys.

It turned out that that folder had had all permissions for Administrators removed. I ended up having to take ownership of the folder and give Administrators full permissions again. Sure enough, it worked...
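The take-ownership-and-regrant fix above, as an added PowerShell example that is not part of the original post. It checks whether the built-in Administrators group still has Full Control on MachineKeys and, only if not, takes ownership of that one folder and regrants it. The path is the one from the post (built from $env:ProgramData); everything else, including not recursing into the key container files, is this example's own choice:

```powershell
# Added example (not from the original post): check, and if necessary repair,
# the Administrators ACL on the machine key store that the configuration wizard
# writes to. Run from an elevated PowerShell prompt on the SharePoint server.
$MachineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-AdminsHaveFullControl {
    param([string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Not even being able to read the ACL is the symptom from the post:
        # Administrators have been stripped from the folder entirely.
        return $false
    }
    $hit = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $FullControl) -eq $FullControl
    }
    return [bool]$hit
}

if (Test-AdminsHaveFullControl -Path $MachineKeys) {
    "Administrators already have Full Control on $MachineKeys"
} else {
    # Take ownership of the folder for the Administrators group (/A) ...
    takeown.exe /F $MachineKeys /A
    # ... and grant Administrators (well-known SID S-1-5-32-544) Full Control.
    # Deliberately no /T: the individual key container files keep their own
    # ACLs, which other services (IIS, SQL, etc.) rely on.
    icacls.exe $MachineKeys /grant '*S-1-5-32-544:(F)'
    "Repaired: $(Test-AdminsHaveFullControl -Path $MachineKeys)"
}
```

The point of the no-recursion choice is that MachineKeys is shared by every service on the box that uses machine-level keys; fixing the folder ACE is enough for the wizard to create its key container, and blanket-resetting the per-key ACLs can break something else that was working.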

As a bonus it DID fix my Search problem (I was getting "The search request was unable to connect to the Search Service.").

Maybe.

Sharepoint 2010 Products Configuration Wizard gives you "Unhandled exception" 0x80070005 (E_ACCESSDENIED)

Trying to run the SP 2010 Config Wizard to resolve a Search issue I ran into the problem shown below.



The resolution was that I was logged in with an account that was not the one used in the SQL database (remember, you need the permissions)...

# Tuesday, February 09, 2010

Sql 2008 and 'Agent XPs' component is turned off as part of the security configuration of this server when creating a Maintenance Plan

If you try to create a Maintenance Plan on Sql 2008 you may get the following error:
'Agent XPs' component is turned off as part of the security configuration of this server. A system administrator can enable the use of 'Agent XPs' by using sp_configure....

The reason is simple - the SQL Server Agent service, which handles Maintenance Plans among other things, is set to Manual start and is not running. Starting the Agent service enables the 'Agent XPs' option by itself (you can also flip it directly with sp_configure, as the message says, but that does nothing useful while the service is stopped). The solution is just as simple - set the service to Automatic (so it starts after a reboot) and start it up!

You can, of course, do this through windows services, but you can also do it through the Sql tools - specifically the "Sql Server Configuration Manager".

Step 1 - open up the SQL Server Configuration Manager and click on 'SQL Server Services' in the left pane. You will see that the SQL Server Agent is Stopped and has its 'Start Mode' set to Manual.




Step 2 - double-click on the SQL Server Agent in the right pane and its properties will appear. Click on the 'Start' button to start it running.




Step 3 - now click on the 'Service' tab and change the Start Mode to Automatic. This will ensure that if your server restarts this service will start as well (and hence you will get your Maintenance Plans).
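The same three steps as an added PowerShell example (not from the original post), for when you would rather script it than click through Configuration Manager, followed by a read-only check that 'Agent XPs' really is on. It assumes a default instance, whose service name is SQLSERVERAGENT; a named instance uses SQLAgent$INSTANCENAME instead.

```powershell
# Added example (not from the original post): scripted equivalent of the
# Configuration Manager steps. Run from an elevated prompt on the SQL box.
# Assumption: default instance, so the service is 'SQLSERVERAGENT'
# (a named instance is 'SQLAgent$INSTANCENAME').
$AgentService = 'SQLSERVERAGENT'

function Enable-SqlAgent {
    param([string]$ServiceName)
    # Step 3 first, so a reboot between the two still comes up correctly.
    Set-Service -Name $ServiceName -StartupType Automatic
    # Step 2: start it if it is not already running.
    $svc = Get-Service -Name $ServiceName
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $ServiceName
    }
    Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
}

Enable-SqlAgent -ServiceName $AgentService

# Starting the Agent turns 'Agent XPs' on by itself. Verify without changing
# anything by reading sys.configurations (sp_configure 'Agent XPs' would first
# need 'show advanced options' enabled). value_in_use = 1 means it is active.
sqlcmd.exe -E -S . -Q "SELECT name, value_in_use FROM sys.configurations WHERE name = 'Agent XPs';"
```

If value_in_use is still 0 after the service reports Running, the Agent is talking to a different instance than the one you queried; check the -S value before reaching for sp_configure.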




Now, give yourself a raise and take the rest of the day off....
# Friday, February 05, 2010

Sharepoint 2010 Beta and PDF Icons

Just a quick note that Foxit Software's instructions on adding a PDF icon apply to SharePoint 2010 just like they did to MOSS 2007: http://www.foxitsoftware.com/pdf/ifilter/installation.html. The only difference is that you do this in hive 14, not hive 12 (ie Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Template\).

# Wednesday, December 09, 2009

Exchange 2007 Management Shell Pipelining example

There are many nice things to like about Exchange 2007's (x07's) Management Shell, but one of the best is pipelining. In short, pipelining lets you feed the results of one cmdlet into another. As you can imagine, that multiplies what you can do with a single line. It is called pipelining because you use the pipe (|) symbol to separate the cmdlets.

Let us say, for example, that you want to grant Lenny.Scott Full Access permission to the mailbox Bob.Marley:

Get-Mailbox Bob.Marley | Add-MailboxPermission -User 'myDomain\Lenny.Scott' -AccessRights FullAccess

What if you want to give Lenny.Scott Full Access to ALL mailboxes:

Get-Mailbox | Add-MailboxPermission -User 'myDomain\Lenny.Scott' -AccessRights FullAccess

What if you want to give Lenny.Scott Full Access to only the mailboxes in the Sales Database:

Get-MailboxDatabase myX07Server\Sales | Get-Mailbox | Add-MailboxPermission -User 'myDomain\Lenny.Scott' -AccessRights FullAccess

The above example shows how you can chain one pipeline into another. However, if you really wanted to do this you might use the Add-ADPermission cmdlet on the database object instead (note that GenericAll is full control over that Active Directory object, which is considerably more than mailbox access, so grant it deliberately):

Get-MailboxDatabase myX07Server\Sales | Add-ADPermission -User 'myDomain\Lenny.Scott' -AccessRights GenericAll

This capability is stunning in its power, which should also be a little terrifying. 

Use With Caution...
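Two things worth having next to the "ALL mailboxes" one-liner, as an added example that is not part of the original post: a dry run of it with -WhatIf, and an audit pipeline that lists every explicit Full Access grant on every mailbox, so grants like this one do not accumulate unnoticed. The user and domain names are the ones used in the post; run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post). Names are the post's own.
$Trustee = 'myDomain\Lenny.Scott'

# Dry run: -WhatIf prints every mailbox the pipeline would touch and changes
# nothing. Read the list before running the real thing.
Get-Mailbox -ResultSize Unlimited |
    Add-MailboxPermission -User $Trustee -AccessRights FullAccess -WhatIf

# Audit: explicit (non-inherited) Allow entries for Full Access held by anyone
# other than the mailbox owner itself (NT AUTHORITY\SELF).
function Get-ExplicitFullAccess {
    Get-Mailbox -ResultSize Unlimited |
        Get-MailboxPermission |
        Where-Object {
            ($_.AccessRights -contains 'FullAccess') -and
            (-not $_.IsInherited) -and
            (-not $_.Deny) -and
            ($_.User.ToString() -ne 'NT AUTHORITY\SELF')
        } |
        Select-Object Identity, User, AccessRights
}

Get-ExplicitFullAccess | Export-Csv -Path .\FullAccessGrants.csv -NoTypeInformation

# Undoing a grant is the same pipeline shape with the matching Remove- cmdlet:
# Get-Mailbox -ResultSize Unlimited |
#     Remove-MailboxPermission -User $Trustee -AccessRights FullAccess -Confirm:$false
```

Get-Mailbox stops at 1000 results by default, so without -ResultSize Unlimited both the grant and the audit silently skip part of a large organization.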

# Thursday, November 19, 2009

Man in the Middle Web Services and XML Serialization errors

I was setting up a Man in the Middle web service to intercept a message coming in so that I could do some processing of it on the side. Don't worry, it was our web service. My process is fairly simple:

  1. accept the submitted object
  2. forward the object to the old web service
  3. do what I wanted with the info

Step #2 appears fairly straightforward, and for the most part it is.

  1. Create a (new) Web Service.
  2. Expose the same public WebMethods.
  3. Add a 'Web Reference' to the (old) Web Service
  4. Create a new Web Service object of the old Web Service
  5. Pass the received object onward

The problem is that the (new) Web Service has to be self-contained, so the Web Reference generates its own copy of the object type. That is acceptable as far as .NET is concerned (it goes by .NET class names), but it gets out of whack in the XML. XML serialization uses its own namespace scheme, and since the (new) Web Service describes the same object as the (old) Web Service, albeit under a different .NET namespace, one of the attributes stamped on the generated class is the very same XML namespace. So

  • The two classes have different .net namespaces
  • The two classes have the exact same XML namespace

The compiler does not catch the duplication because it only looks at the .NET namespace: it sees two unrelated types and refuses to pass one where the other is expected, offering all sorts of helpful suggestions along the way.

However....

There is a simpler way to do it. Basically, since you KNOW that the incoming and outgoing objects are the same, you are simply going to override the class that the Web Reference uses to tell it to use the original class.

If you initially open up the Web Reference to your (old) Web Service you are not going to see the file you need. Go to the Project menu and select Show All Files.

Now you will see the file you want in Solution Explorer: Reference.cs.

Open that puppy up and make the necessary changes, remembering to wipe out the (new) object classes that will be in there. All you want to leave are the methods, and those should now take and return the classes from the (old) Web Service. One caveat: Reference.cs is generated code, so an "Update Web Reference" will regenerate it and silently undo your edits; keep the edit somewhere you can reapply it.
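Why swapping the proxy's generated class for the original one is safe, as an added example that is not part of the original post. It defines two CLR types in different .NET namespaces, standing in for the old service's class and the copy the Web Reference generates, gives them the same XML namespace (a hypothetical one, http://example.invalid/orders), and shows that a message serialized from one round-trips through the other byte for byte. It runs in Windows PowerShell with no web service involved.

```powershell
# Added example (not from the original post). The classes and the XML
# namespace are invented for the demonstration.
Add-Type -ReferencedAssemblies System.Xml -TypeDefinition @"
using System.Xml.Serialization;

namespace OldService {
    [XmlRoot("Order", Namespace = "http://example.invalid/orders")]
    public class Order { public string Id; public decimal Amount; }
}

namespace NewService {
    // what the generated proxy contains: same shape, same XML namespace,
    // different .NET namespace
    [XmlRoot("Order", Namespace = "http://example.invalid/orders")]
    public class Order { public string Id; public decimal Amount; }
}
"@

function ConvertTo-XmlString {
    param([object]$Object)
    $serializer = New-Object System.Xml.Serialization.XmlSerializer($Object.GetType())
    $writer = New-Object System.IO.StringWriter
    $serializer.Serialize($writer, $Object)
    return $writer.ToString()
}

function ConvertFrom-XmlString {
    param([string]$Xml, [type]$Type)
    $serializer = New-Object System.Xml.Serialization.XmlSerializer($Type)
    $reader = New-Object System.IO.StringReader($Xml)
    return $serializer.Deserialize($reader)
}

# Incoming request, typed as the old service's class
$incoming = New-Object OldService.Order
$incoming.Id = 'A-100'
$incoming.Amount = 42.5

# What goes over the wire, and what the proxy's own type turns it back into
$wireOld = ConvertTo-XmlString -Object $incoming
$asProxy = ConvertFrom-XmlString -Xml $wireOld -Type ([NewService.Order])
$wireNew = ConvertTo-XmlString -Object $asProxy

"Same XML on the wire: $($wireOld -eq $wireNew)"   # True: only the CLR type differs
"Proxy-side type:      $($asProxy.GetType().FullName)"
```

Because the wire format is identical, the relay gains nothing from the second class except a compile error; the XmlSerializer the proxy builds for OldService.Order produces exactly what the old service already accepts.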

Happy coding!

 

# Tuesday, November 10, 2009

Sql 2008 Disk Allocation Unit Size

Installing a new SQL 2008 box, and thought I would throw out the reminder to format the drives that SQL uses with a 64 KB allocation unit (not the default 4 KB), because SQL Server allocates space in extents of eight 8 KB pages, i.e. 64 KB at a time...
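A quick check for the above, as an added example that is not part of the original post: it lists every NTFS volume with its allocation unit size (Win32_Volume.BlockSize) and flags the ones that are not 64 KB, which is easier than running fsutil fsinfo ntfsinfo per drive.

```powershell
# Added example (not from the original post): report cluster sizes so the
# data/log volumes can be confirmed (or reformatted) before SQL goes on them.
function Get-ClusterSizeReport {
    Get-WmiObject -Class Win32_Volume -Filter "FileSystem='NTFS'" |
        Where-Object { $_.DriveLetter } |
        Select-Object DriveLetter, Label,
            @{ n = 'ClusterKB'; e = { $_.BlockSize / 1KB } },
            @{ n = 'OkForSql'; e = { $_.BlockSize -eq 64KB } }
}

Get-ClusterSizeReport | Format-Table -AutoSize
```

The allocation unit is fixed at format time, so a volume that comes back as 4 KB has to be reformatted, not adjusted; do it before the data files land there.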

# Thursday, October 29, 2009

Hyper-V, Windows 2008 R2, and 'MyVM' could not initialize error

There appears to be an issue with w08r2 when it comes to using Hyper-V. When attempting to launch your VM you might encounter the error: The application encountered an error while attempting to change the state of %yourVM%.

The solution seems very simple (thanks to this post) which is that you need to give 'Authenticated Users' the 'List folder / read data' permission at the root of the drive that contains the Virtual Machines (and you ONLY need to do it at that level, not the ones below).

Why this solves the problem I do not know, but here are the steps (with some pictures) to walk you through the process:

1. Open up the root of the drive's properties and choose the Security tab. Click on the Advanced button

2. Click on 'Change Permissions'

3. Click on 'Add', Type in 'Authenticated Users' and hit the OK button, you should see the screen below. Change the "Apply to:" to be "This folder only" and put a check in to the "List folder / read data" check box. Click 'OK'

4. Make sure NOT to check the 'Replace all child objects...' checkbox. Check your settings, and click OK. Click OK to close the Properties screen for the drive and you should be good to go.
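The same four steps as an added PowerShell example (not from the original post), with a check afterwards that the ACE landed as "This folder only". It assumes the VM files live on D:; the grant uses the well-known SID for Authenticated Users (S-1-5-11) so it works regardless of the server's language.

```powershell
# Added example (not from the original post). Assumption: VMs live on D:.
$VmDriveRoot = 'D:\'
$AuthenticatedUsers = '*S-1-5-11'   # well-known SID, avoids localized names

# icacls with no (OI)/(CI) flags is the "This folder only" ACE from the post,
# i.e. nothing is propagated to the VM folders below. RD = List folder / read data.
icacls.exe $VmDriveRoot /grant "${AuthenticatedUsers}:(RD)"

function Test-RootListAce {
    param([string]$Path)
    $sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
    $acl = Get-Acl -Path $Path
    $ace = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ListDirectory) -and
            $_.InheritanceFlags -eq 'None'    # this folder only, not inherited by children
        }
    return [bool]$ace
}

"Authenticated Users can list ${VmDriveRoot}: $(Test-RootListAce -Path $VmDriveRoot)"
```

The check deliberately asks for explicit, non-inherited rules only, so it will not be satisfied by a broad inherited grant that happens to include list access; that is the narrow ACE the post says is all you need.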

# Thursday, October 22, 2009

Windows 2008 Cluster and Getting the Private Network to Work

When clustering two servers together you may still want to set up a private network connection between them. If you hook up a crossover cable and give it a set of IPs different from your domain network, you may find that the private network does not work: pings get no responses. What you have probably run into is that the Windows Firewall is treating your little private network as 'Public' and so is blocking all inbound communication.

The solution depends on what flavor of w08 you are running. If you are running w08 you can go into the "Network and Sharing Center" and customize the network to be "Private", which will allow communication through. If you are running w08r2 it is not so simple. You have to go into Windows Firewall with Advanced Security and explicitly tell it NOT to apply the "Public" profile to the adapter you are using for your private network (the profile's "Protected network connections" list). Keep in mind that an adapter removed from that list has no host firewall on it at all; that is tolerable only because the link is a point-to-point crossover cable between the two nodes.

Because a picture is worth a thousand words:

Windows 2008 (non-R2)

Windows 2008 R2
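Before touching either dialog it helps to see what Windows actually decided about each connected network. The following is an added example, not part of the original post: it reads the Network List Manager COM API (present on 2008 and 2008 R2) and reports each network's location category together with the adapter it sits on, so the crossover link shows up as Public next to its adapter name. The CLSID is the documented one for NetworkListManager; the category numbers are the NLM_NETWORK_CATEGORY values.

```powershell
# Added example (not from the original post): which firewall location
# category each connected network was assigned, and on which adapter.
$NLM_ENUM_NETWORK_CONNECTED = 1
$CategoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'DomainAuthenticated' }

function Get-NetworkCategoryReport {
    $nlm = [Activator]::CreateInstance(
        [Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'))
    foreach ($net in $nlm.GetNetworks($NLM_ENUM_NETWORK_CONNECTED)) {
        foreach ($conn in $net.GetNetworkConnections()) {
            $id = $conn.GetAdapterId()
            # Map the adapter GUID back to the name shown in Network Connections
            $adapter = Get-WmiObject -Class Win32_NetworkAdapter -Filter "GUID='{$id}'"
            New-Object PSObject -Property @{
                Network  = $net.GetName()
                Category = $CategoryName[[int]$net.GetCategory()]
                Adapter  = $adapter.NetConnectionID
            }
        }
    }
}

Get-NetworkCategoryReport | Format-Table Network, Category, Adapter -AutoSize

# On w08 (non-R2) the "customize ... Private" click in Network and Sharing
# Center is SetCategory(1) on that network object, for example:
# $nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'))
# ($nlm.GetNetworks(1) | Where-Object { $_.GetName() -eq 'Unidentified network' }).SetCategory(1)
```

Run the report again after the change: on w08 the crossover network should now read Private, while on w08r2 (where you exclude the adapter from the Public profile instead) it will still read Public, which is expected; the firewall simply no longer filters that adapter.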

# Tuesday, October 20, 2009

UAC and Domain Admins Permissions Issue or Pocket Full of Kryptonite

When are Domain Admins NOT Domain Admins?

I stumbled across some strange errors when using UAC as a Non-Default Admin (NDA). When logged in as an NDA and not the Built-In Administrator Account (BIAA) I ran into permission issues with User Account Control (UAC) turned on. It appeared as if the w08 box (and w08r2) could not enumerate Domain Admins membership when UAC is turned on. Even when I gave Domain Admins Full Control of a folder (or a drive) it would not recognize membership therein.

More info (than you might want) on that at my entry here: http://www.myfriedmind.com/techBlog/2009/10/14/UACAndDomainAdminsPermissionsIssueOnWindows2008.aspx.

This is the follow up to that, after I got a hold of MSoft. I called in and even though it was the middle of the night for the gentleman on the other end of the line (he was in India) he was very coherent and helpful. Or perhaps, helpful is not the right word since I found the solution that Msoft suggests rather, ummm, absurd. This should not reflect on him at all, he was great, it is just the, ummm, solution that is whacky.

After some testing with me he did verify that I was right and that the issue was with the Domain Admins membership enumeration. He then did some research and located this article: http://technet.microsoft.com/en-us/library/cc772207(WS.10).aspx.

This lays out what is triggering the issue: how w08 (and Vista) handle Admin Approval Mode (AAM). Again, you can read my earlier post for more background if you want. Basically, an administrative user (anyone in the local Administrators group, which on a domain-joined server includes Domain Admins), unlike a standard user, is given two tokens: the full access token, and a second one referred to as the filtered access token. In the filtered token the administrative privileges are removed and the admin group SIDs, Domain Admins among them, are marked "used for deny only", so they can still match Deny entries in an ACL but never Allow entries. That is why the Full Control grant to Domain Admins is ignored. Explorer.exe (ie the root of all) is started with the filtered access token, and thus everything launched from it inherits that token.

Think of it is as RUNAS in reverse. Rather than being a Domain Admin you are reduced to peon status. It is, in effect, kryptonite.
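You can watch the kryptonite at work from inside the session, as an added example that is not part of the original post: the function below reports whether the current token is effectively administrative and which groups are carried as deny-only. Run it once in a normal PowerShell window and once in one started with "Run as administrator"; under the filtered token IsInRole() returns False and Domain Admins shows up in the deny-only list, which is exactly the membership the folder ACL fails to see.

```powershell
# Added example (not from the original post): inspect the current token for
# the Admin Approval Mode filtering described above.
function Get-TokenAdminStatus {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole() ignores deny-only SIDs, so this is False under the filtered
    # token even though the Administrators SID is present in it.
    $isAdmin = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami /groups shows the attribute directly; parse its CSV output.
    # Columns are: group name, type, SID, attributes.
    $denyOnly = whoami.exe /groups /fo csv /nh |
        ConvertFrom-Csv -Header Group, Type, SID, Attributes |
        Where-Object { $_.Attributes -match 'deny only' } |
        Select-Object -ExpandProperty Group

    New-Object PSObject -Property @{
        User           = $identity.Name
        EffectiveAdmin = $isAdmin
        DenyOnlyGroups = ($denyOnly -join '; ')
    }
}

Get-TokenAdminStatus | Format-List
```

The same test explains the "works over the share" observation: a network logon to the server builds a fresh, unfiltered token for the same account, so there Domain Admins matches the Allow entry as expected.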

The solution that MSoft gave was very simple – do not use the Domain Admins account. At least for file and folder permissions. Create a TOTALLY NEW group and assign the people that you would normally have as Domain Admins in there. Then give THAT group the permissions that you want.

You know, that answer still makes me chuckle. What a stupid, stupid solution. Here's why:

  1. It does not actually do the AAM thing. It does not ask me for consent, credentials, whatever I have it set to. It just says NO when I try to access a folder. No discussion. So UAC is not actually doing its job here.
  2. I can access the share of the drive or the folder if I do it via shared drives. It is only an issue if I am logged on directly to the box. I really get using UAC to prevent malicious software install, but to stop me from opening a folder??? So now I need to be the Domain Admins to log on to the server, but something completely different to access a folder.
  3. It has no effect on the Built-In Administrator Account.

I already have a group that I want to use for file and folder permissions or sensitive areas. The Domain Admins. And with good reason, because they are the DOMAIN ADMINS!!!!!!!! Now I have to track two groups. All because the UAC will not play well with others.

Here is my solution –> Hey UAC! Buh-bye!!!!!