Cannot Open ADUC on Server 2000/2003

I encountered an issue where an Exchange 2003 System Attendant service would not start.  Consequently, the Information Store service could not be started either.

The root of the problem was that Active Directory was not functioning properly.

When attempting to open Active Directory Users and Computers (ADUC), I got an error stating “naming information cannot be located” and “library not registered”.

A few quick Google searches revealed that something had happened to my activeds.tlb file and that I would need to re-register it.

The article I found was:

This worked like a charm and all my services were back up and running in no time.

In case that article is inaccessible, here is the important part:

    1.  Start a text editor such as Notepad.
    2.  Copy the following text, and then paste it into Notepad:

    Windows Registry Editor Version 5.00
    @="Active DS Type Library"

    3.  Click File, click Save As, and then save the file.  Use a file name that is similar to the following:


    Note that the file name extension must be .reg

    4.  Click Start, click Run, type regedit, and then click OK.
    5.  Click Registry, click Import Registry File, locate the registry file that you saved in step 3, and then click Open.
    6.  Click OK, and then quit Registry Editor.

    Problem Installing Network Policy Server

    I recently had an issue installing Network Policy Server (NPS) in Windows Server 2008.

    This was a brand new server, deployed from a known-good VMware template several days before.  The only software on it was the Symantec Endpoint Protection Manager Console, which required IIS.

    I tried to add the NPS component of the Network Policy and Access Services role so that I could use this server for RADIUS authentication for Cisco network switches.

    It kept failing!  I tried several things: I rebooted the server and tried installing available Windows Updates, with no change.

    Finally, a comment on this blog led me to what appeared to be an answer.  I disabled the World Wide Web (WWW) Publishing Service, and the NPS install completed successfully!

    Afterwards, I rebooted the server to verify that both the NPS and WWW services would start, but the NPS service would not start and returned this error:

    Text of error: “Windows could not start the Network Policy Server service on Local computer.  Error 0x80072740: Only one usage of each socket address (protocol/network address/port) is normally permitted.”

    After a bit of googling, I discovered that NPS and the Symantec Endpoint Protection Manager (SEPM) do not play nicely together.  This is due to the fact that SEPM also uses RADIUS (port 1812), which conflicts with NPS.  While it is possible to change the port that SEPM uses for RADIUS, I opted to just install NPS on another server, and it has worked just fine since.
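The error code in that message can be read directly: the low 16 bits of 0x80072740 are 0x2740, which is 10048, the Winsock "address already in use" error. The Python below is an added example, not part of the original post; its function names are hypothetical, and it assumes the RADIUS listener on port 1812 is a UDP socket. It decodes the HRESULT and checks whether another process already holds the port.

```python
import errno
import socket

WSAEADDRINUSE = 10048     # Winsock "address already in use"
FACILITY_WIN32 = 7        # HRESULT facility for wrapped Win32 errors
RADIUS_AUTH_PORT = 1812   # port named in the post (assumed UDP)


def decode_hresult(hr):
    """Split a 32-bit HRESULT into failure bit, facility and 16-bit code."""
    hr &= 0xFFFFFFFF
    return {"failure": bool(hr >> 31),
            "facility": (hr >> 16) & 0x7FF,
            "code": hr & 0xFFFF}


def is_port_conflict(hr):
    """True when the HRESULT wraps WSAEADDRINUSE, as 0x80072740 does."""
    d = decode_hresult(hr)
    return (d["failure"] and d["facility"] == FACILITY_WIN32
            and d["code"] == WSAEADDRINUSE)


def udp_port_in_use(port, host="0.0.0.0"):
    """Try to bind the UDP port; True means another socket already owns it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, WSAEADDRINUSE):
            return True
        raise  # anything else (e.g. permission denied) is a different problem
    finally:
        sock.close()
    return False


if __name__ == "__main__":
    print(decode_hresult(0x80072740))
    print("UDP 1812 already bound:", udp_port_in_use(RADIUS_AUTH_PORT))
```

Run it on the server before installing a second RADIUS listener; a result of True means the service start will fail with the same error.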

    Problems Running Batch Files in Windows Server 2008

    When running a batch file in Server 2008 by double-clicking on it, any commands that are executed use limited permissions due to the built-in User Account Control (UAC) which is enabled by default.  Also, Server 2008 won’t ask you if you want to run with admin rights when you run the batch file, or if it comes across any commands which might need elevated privileges.  Those commands will quietly fail.  Isn’t that helpful?

    You could spend hours troubleshooting your commands thinking they are faulty when it is just as simple as a privilege issue on the batch file that you ran.

    Bottom line, if you are testing a batch file, right-click on it and choose “Run as Administrator”.  This will give the batch file full rights.

    Adding Static ARP Table Entries in Windows Vista and Server 2008

    Due to security settings in Vista and Server 2008 (and presumably, Windows 7), you may have trouble adding a static ARP entry to the ARP table.

    Yes, you may still have trouble even if you run the command prompt (cmd.exe) as Administrator.

    Commonly (and this is the error I have gotten), you will see something like:

    “The ARP entry addition failed.”

    If that occurs, you can try this method instead.  Not as quick, but it should work.

    1. Run the command prompt as Administrator
    2. Type netsh -c "interface ipv4"
    3. The prompt will change to “netsh interface ipv4>”
    4. Type the following:

    add neighbors "Local Area Connection" "x.x.x.x" "00-00-00-00-00-00"

    …and replace Local Area Connection with the name of your connection.  Obviously, replace the x’s and 0’s with your IP and MAC address, respectively.

    ‘Trust’ Command Can Recover a RAID on an HP MSA2000 SAN

    This week, I was in the unenviable position of troubleshooting and recovering a RAID5 array which had TWO failed disks.  If you know how RAID5 functions, then your heart probably already fell into your stomach and you are checking your own backups right now. 🙂   That’s right.  A RAID5, which requires a minimum of three disks, can survive the failure of a single disk, but not two.  So, when I got a call and the problem description included the words “blinking yellow lights on two of the disks”, I knew there was going to be trouble.  I tried the standard stuff, like reseating the drives and rebooting the SAN first, but those had no effect.

    Most of the time, in a situation like this, the next step is to rebuild the array with new disks and restore from backup.  In this case, there was no recent backup of some of the data.  I needed another option.

    Since this was an HP MSA2012FC disk enclosure, I had a possible method of bringing the failed array back up by way of the ‘trust’ command in the command-line interface.

    The trust command enables an offline virtual disk to be brought online for emergency data collection.

    From HP documentation on the trust command:


    Enables an offline virtual disk to be brought online for emergency data collection
    only. It must be enabled before each use.

    Caution – This command can cause unstable operation and data loss if used
    improperly. It is intended for disaster recovery only.

    The trust command re-synchronizes the time and date stamp and any other
    metadata on a bad disk drive. This makes the disk drive an active member of the
    virtual disk again. You might need to do this when:

    ■ One or more disks of a virtual disk start up more slowly or were powered on after
    the rest of the disks in the virtual disk. This causes the date and time stamps to
    differ, which the system interprets as a problem with the “late” disks. In this case,
    the virtual disk functions normally after being trusted.

    ■ A virtual disk is offline because a drive is failing, you have no data backup, and
    you want to try to recover the data from the virtual disk. In this case, trust may
    work, but only as long as the failing drive continues to operate.

    When the “trusted” virtual disk is back online, back up its data and audit the data to
    make sure that it is intact. Then delete that virtual disk, create a new virtual disk,
    and restore data from the backup to the new virtual disk. Using a trusted virtual disk
    is only a disaster-recovery measure; the virtual disk has no tolerance for any
    additional failures.

    The most important points here are 1) You should audit any data recovered from a ‘trusted’ virtual disk because it may be corrupted, and 2) This will only work if the failed disk is still actually spinning and just ‘fell out of the array’; it won’t help if the disk is completely dead.

    I was very fortunate, in that both of the disks were not completely dead, so the trust command worked.  I was able to copy almost all of the data off of the array.  Although, even in my case, data which had been modified several days prior to the failure had been corrupted.  It was still better than a 3 week old copy of the data, which was the alternative.

    This command is obviously no substitute for good, verified and tested backups.  But it sure came in handy in a pinch!

    Troubleshooting Email Flow (Inbound)

    There are many things that can throw a wrench in the mail delivery process.  Before you start troubleshooting, you need to have a grasp of the actual problem, not just what was reported to you.  Do not take the word of a non-technical person at face value when they tell you that ‘email is down for everyone’.  That can have a number of different meanings.  You need to ask some questions before you start.

    • What is the scope of the problem?
    • How many people are affected?  Almost as importantly, is there anyone who seems UNaffected and can still receive mail?
    • Are users able to send mail between each other inside the company but not send or receive to/from people outside?
    • When did it start?
    • Are there any error messages or common symptoms that the affected users are seeing?
    • Are people at outside companies getting any kind of bounceback message when trying to send email to addresses on the affected domain?  See if you can have a copy of one of these bouncebacks forwarded to you if at all possible.
    • What was changed?  Besides the obvious, that it was working and is now not, something may have been changed.  Ask anyone whom you know may have been working on the affected mail server or domain name within the last day or so.  Changes to DNS records? firewall rules? spam filter device or spam filtering software on the server? etc.  A lot of the time, finding out what was changed will point you toward the cause of your problem.

    I would also say that if you are working on a problem for any given mail server or client, you should understand how their mail delivery is configured.  If not, you should have someone on hand who does.

    On to troubleshooting…

    I generally like to take an ‘outside coming in’ approach.  I start from the perspective of a mail server out on the Internet trying to deliver mail to the domain for which there is a problem and work my way to the destination mailbox.  Here are some of the things that should be checked.

    1. MX records. First, you should know what the MX records SHOULD be under normal circumstances.  Then, you can use online tools such as MXToolbox or to find out what the MX records are currently.  If the primary MX record is ‘’, ping that address from outside the network that contains the affected mail server and see what IP address is resolved.  Keep that IP address handy for the next step.

    2. Check the firewall. Are there access and NAT rules in place to allow SMTP traffic to come through the firewall to the appropriate server?  What is the external address of the mail server or spam filter as configured on the firewall?  Does it match the IP address you found in step 1?

    3. Is the server or spam filter listening on TCP port 25? From outside the network, run a “telnet <mail server external IP address> 25” command.   Do you get a response?  Keep in mind that firewall rules may only allow incoming SMTP connections (port 25) from specific IP addresses on the outside.  Therefore, if this test fails, that doesn’t necessarily mean that you have found the problem.  Try to telnet to port 25 on the server or spam filter from a computer on the same network to see if it responds.

    4.  Check the spam filter queue and logs. Oftentimes, a separate spam filtering device or server running spam filtering software will be the entry point for mail into your network.  If you have already checked and verified that this device is at least accepting requests on port 25, now go look and see if there is a queue on it that is filling up with mail.  In addition, check any logs which are available.  Can you tell if this device is accepting, processing, then delivering mail to the destination Exchange/Sendmail/Postfix server?

    5. Check SMTP queue on the mail server itself. If you have verified that mail is coming in past the firewall, past the spam filter, what is happening to it on the next step in its journey?  Presumably, at this point, mail is going to a Hub Transport/SMTP or even a mailbox server, after passing through the spam filter.  Look in the Queue Viewer (Exchange) or other SMTP logs.  Are there messages stuck in a queue waiting to be delivered?  If so, are there any specific error messages in the queue stating the reason for the problem?  Look in the message tracking logs.

    6. Check services/processes. Are the Microsoft Exchange services running, such as the Transport and/or SMTP services?  Or if using Sendmail or Postfix, are the processes running?  Sometimes, even if they are running, restarting the services/processes that deal with receiving mail can correct a problem.

    7. Check logs in Windows/Linux for errors. For Exchange server itself, any diagnostically useful errors will be in the application log.  However, keep in mind that Exchange (and mail flow in general) relies heavily on DNS functioning properly.  So, you may have many errors that point to an Exchange problem, but it may just be a symptom of an underlying DNS or Active Directory issue.

    8. Check the destination mailbox store (Exchange) or individual mailbox. Is the mailbox store online?  Is the mailbox full and not able to accept mail?   If you find that the mailbox store is offline, there is a whole other set of troubleshooting steps to deal with that problem!

    Although this seems like a lot of things to go through, someone who really knows the mail delivery infrastructure for a domain/network can go through them all in about 20 – 30 minutes.  Of course, depending on the answers to some of your pre-troubleshooting questions, you may be able to nail the problem more quickly than that.

    Good luck!

    Merging snapshots in Microsoft Hyper-V R1 and R2

    When you create a snapshot in Hyper-V, it freezes the original VHD files and creates a new file with a .avhd extension that is a ‘differencing disk’.  All changes are written to the AVHD file and the old VHD is only used as read-only.

    When you delete the snapshot in Hyper-V, the AVHD file is not removed.  For that, you have to shut the VM down, at which point Hyper-V will automatically begin merging the AVHD file with the VHD.  Depending on the configuration of your disks, where the snapshot files are stored, and the size of the snapshot files, the merge process can be very quick or take a long time.

    You should use snapshots very sparingly in a production environment anyway, but you might need to do one before a patch/software install.

    By the way, VMware merges snapshots while the VM is running, without requiring any downtime.

    Outlook Macro to Move Messages to Another Folder

    First, this is not something I created, but that I have found very useful.  Credit goes to the original author at ‘Chewy’s Blog’.

    But before you go running off and create a macro with this in Outlook, I have a few caveats for you:

    • When you use a macro made from this code to move a message, it changes the timestamp on the message to the time you move it.  If you need to see the actual time a message was sent or received, you have to open the message and look at the sent/received time there.
    • This moves the selected message, not necessarily the message you have open in the foreground.  This is an important distinction, and I’ll give you a scenario.  Let’s say you create a button for the macro using this code, and you put the button in the quick access toolbar which shows up in your actual message window.  You might assume that if you click the button for this macro in the message window, that it moves the message you are looking at to your specified folder.  And it might, if that happens to be the message that is selected in Outlook.  However, if you open a message window and have it open for a while and go back to Outlook and you have selected a different message, when you come back and click the macro button, it will move the message you have selected in Outlook.  Then, if you click the button and the message doesn’t go away you might think you missed it and keep clicking.  This will keep moving messages in your inbox to the specified folder and you might not even see it happening if Outlook is behind the message you are looking at.  So, be careful.  Don’t put a button for this macro in your message (quick access) menu.

    A few instructions:

    1. Go to Tools –> Macro –> Macros… to create it.
    2. Name the Macro “MoveSelectedMessagesToFolder”
    3. Delete what shows up in the macro window by default and copy/paste the following code in the window
    4. Replace the folder name, “_Reviewed” in this example, with the name of the folder to which you want to move messages
    5. Create a toolbar button for the macro (

    And here is the code:

    Sub MoveSelectedMessagesToFolder()

        On Error Resume Next

        Dim objFolder As Outlook.MAPIFolder, objInbox As Outlook.MAPIFolder
        Dim objNS As Outlook.NameSpace
        'Selection can hold non-mail items, so declare the loop variable as Object
        Dim objItem As Object

        Set objNS = Application.GetNamespace("MAPI")
        Set objInbox = objNS.GetDefaultFolder(olFolderInbox)
        Set objFolder = objInbox.Folders("_Reviewed")
        'Assume this is a mail folder

        If objFolder Is Nothing Then
            MsgBox "This folder doesn't exist!", vbOKOnly + vbExclamation, "INVALID FOLDER"
            'Nothing to move to, so stop here
            Exit Sub
        End If

        If Application.ActiveExplorer.Selection.Count = 0 Then
            'Require that this procedure be called only when a message is selected
            Exit Sub
        End If

        'Move every selected mail item to the target folder
        For Each objItem In Application.ActiveExplorer.Selection
            If objFolder.DefaultItemType = olMailItem Then
                If objItem.Class = olMail Then
                    objItem.Move objFolder
                End If
            End If
        Next

        Set objItem = Nothing
        Set objFolder = Nothing
        Set objInbox = Nothing
        Set objNS = Nothing

    End Sub

    Setting Client Permissions on Exchange 2007 Public Folders

    By ‘public folder’, I mean any of the objects you see in your folder list in Outlook underneath “All Public Folders”.  It can be a calendar, contact list, task list, among others.

    The best, easiest way to manage permissions on public folders in Exchange is through Outlook.  However, getting it set up so you can do that is not the most intuitive process.

    To be able to set permissions on a public folder, you must be the owner of it.  Even if you are a domain/enterprise/schema admin, if you don’t own the public folder, you will not be able to modify the permissions of the folder via Outlook.  You must give your account ownership of the public folder first.  The way to do that is through the Exchange Management Shell.

    Here is the command you will need to run:

    Add-PublicFolderClientPermission -Identity <PublicFolder> -User "Username" -AccessRights <Right>

    And for example, let’s say you have a calendar called “Company Calendar” directly under ‘All Public Folders’, and you want to give ownership of it to John Doe (username ‘jdoe’).  The command would be:

    Add-PublicFolderClientPermission -Identity "\Company Calendar" -User "jdoe" -AccessRights Owner

    and if, underneath All Public Folders, the company calendar is in another folder called Calendars, you would run the following instead:

    Add-PublicFolderClientPermission -Identity "\Calendars\Company Calendar" -User "jdoe" -AccessRights Owner

    There are other permissions you can set besides ‘Owner’, such as ‘Publishing Editor’, etc., with this command.  However, if your goal is to be able to manage the PF permissions from Outlook, just give ownership with this command then go to Outlook to set the remaining permissions.

    Here is an article on Technet for more information on configuring public folder permissions:

    Cisco PIX/ASA Causes SMTP Banner Corruption

    Traffic inspection rules on a Cisco PIX or ASA firewall will sometimes cause the SMTP banner to appear corrupted.

    When testing access to your mail server from outside, you may notice that the SMTP banner looks like this:

    This is just a symptom of the problem, which is that the SMTP traffic inspection rule is interfering with the SMTP data stream.  Another symptom would be to see email messages destined for this server seemingly stuck in the SMTP queue on a server outside the network.  This can ultimately cause delayed and undeliverable mail, especially for larger messages, such as those with attachments.

    The resolution for this problem is to disable the traffic inspection rule for SMTP/ESMTP on the Cisco PIX or ASA firewall.

    On a PIX, this can be done from the command-line using the “no fixup protocol SMTP 25” command.  It can also be disabled from the PIX Device Manager (PDM).

    On an ASA, it’s a little different.  From the command line (assuming your policy map is named “global_policy” and your class is named “inspection_default”):

    CiscoASA(config)#policy-map global_policy
    CiscoASA(config-pmap)#class inspection_default
    CiscoASA(config-pmap-c)#no inspect esmtp 

    From the Adaptive Security Device Manager (ASDM):

    1.       Go to Security Policy –> Open the inspection rule:

    2.       Go to the Rule Actions tab and uncheck the box next to ‘ESMTP’

    3.       Test from outside the PIX/ASA again by telnetting to port 25; your SMTP banner should now look like this (I have masked the name of the server for privacy).

    That’s it.  I have made it standard practice to just disable this inspection rule on all Cisco ASA firewalls that I deploy to avoid problems.
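The port 25 test from step 3 of the inbound mail checklist and the banner check described in this post can be scripted. The Python below is an added example, not part of the original post; the function names and sample strings are constructed, and it assumes the usual appearance of an inspected session: a 220 greeting made up mostly of asterisks, and EHLO keywords replaced by runs of X.

```python
import re
import socket

# Constructed sample responses, not captured from any real server.
SAMPLE_CLEAN = "220 mail.example.com ESMTP service ready"
SAMPLE_MASKED = "220 " + "*" * 40 + "2" + "*" * 8 + "0" + "*" * 10
SAMPLE_EHLO = ("250-mail.example.com Hello\r\n250-SIZE 10485760\r\n"
               "250-XXXXXXXA\r\n250-XXXXXXXXXXB\r\n250 OK\r\n")


def classify_banner(line):
    """Return 'clean', 'masked' or 'not-smtp' for one SMTP greeting line."""
    m = re.match(r"220[ -](.*)", line.strip())
    if m is None:
        return "not-smtp"
    text = m.group(1)
    # Assumption: an inspected greeting is mostly asterisks after the 220.
    if text and text.count("*") / len(text) > 0.5:
        return "masked"
    return "clean"


def masked_extensions(ehlo_reply):
    """Return EHLO keywords that are only X's plus an optional suffix letter."""
    hits = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[ -](\S+)", line)
        if m and re.fullmatch(r"X{4,}[A-Z]?", m.group(1)):
            hits.append(m.group(1))
    return hits


def _read_reply(stream):
    """Read one SMTP reply, following 'NNN-' continuation lines."""
    lines = []
    while True:
        line = stream.readline().decode("ascii", "replace")
        lines.append(line)
        if not line or line[3:4] != "-":
            return "".join(lines)


def probe(host, port=25, timeout=10.0):
    """Do what 'telnet host 25' plus EHLO does; return (verdict, masked keywords)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        banner = _read_reply(stream)
        stream.write(b"EHLO probe.example.com\r\n")
        stream.flush()
        ehlo = _read_reply(stream)
    first = banner.splitlines()[0] if banner else ""
    return classify_banner(first), masked_extensions(ehlo)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it against your own mail server's external address before and after changing the inspection rule; a result of `('clean', [])` means the greeting and EHLO reply are arriving unaltered.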

    Posted via email from Aaron Johnstone