Active Directory Management Gateway Service (ADMGS) Errors and McAfee Anti-Virus Software

I posted last month about an issue with the Active Directory Management Gateway Service (ADMGS) on Windows Server 2008. The ADMGS (which runs as the Active Directory Web Services, ADWS, service) allows you to use the Active Directory module for Windows PowerShell to manage AD remotely in domains where there are no Server 2008 R2 domain controllers running.

I saw the following error messages when running the “import-module activedirectory” command in PowerShell.

The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

I was able to diagnose the ultimate cause based on my previous post but still was receiving errors even after mucking with NTFS directory permissions for temporary .NET files. I finally had the idea to check on anti-virus software to see if that was blocking the communication. Voilà! The domain controller had anti-virus software installed (in this case it was McAfee) and as soon as I adjusted the AV software configuration the AD connection was allowed. The log entries below help pinpoint the cause.

1/19/2012        5:22:05 PM        Blocked by Access Protection rule         NT AUTHORITY\SYSTEM        C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe        C:\Windows\TEMP\t0sggpq5.dll        Common Maximum Protection:Prevent creation of new executable files in the Windows folder        Action blocked : Create

1/19/2012        5:22:07 PM        Would be blocked by Access Protection rule  (rule is currently not enforced)         NT_DOMAIN\SRS-RMRES2-02$        System:Remote        C:\Windows\SYSVOL\domain\Policies\{1C9122E4-78CD-4001-A2E7-8BBCA348C893}\GPT.INI        Anti-virus Outbreak Control:Block read and write access to all shares        Action blocked : Read

So make sure to check your AV software if you have this kind of problem…it just might be the key to a solution!
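To pull the same answer out of a longer Access Protection log, the sketch below parses entries in the layout quoted above and separates enforced blocks from report-only ones. It is an added example, not part of the original post; the function name is hypothetical and the tab field separator is an assumption based on the spacing of the quoted entries.

```powershell
function ConvertFrom-AccessProtectionLog {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        # Assumed layout: date, time, event, user, process, target, rule, action (tab-separated).
        $f = @($Line -split "`t+" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($f.Count -ne 8) { return }                 # skip lines not in the 8-field layout
        $category, $ruleName = $f[6] -split ':', 2     # "category:rule name"
        [pscustomobject]@{
            Time     = [datetime]::Parse("$($f[0]) $($f[1])", [cultureinfo]::InvariantCulture)
            Enforced = $f[2] -notmatch '^Would be blocked'   # report-only rules say "Would be"
            User     = $f[3]
            Process  = $f[4]
            Target   = $f[5]
            Category = $category
            Rule     = $ruleName
            Action   = ($f[7] -replace '^Action blocked\s*:\s*', '')
        }
    }
}

# Sample input: the two entries quoted in the post, rebuilt with tab separators.
$tab = "`t"
$sample = @(
    ('1/19/2012', '5:22:05 PM', 'Blocked by Access Protection rule', 'NT AUTHORITY\SYSTEM',
        'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe', 'C:\Windows\TEMP\t0sggpq5.dll',
        'Common Maximum Protection:Prevent creation of new executable files in the Windows folder',
        'Action blocked : Create') -join $tab
    ('1/19/2012', '5:22:07 PM',
        'Would be blocked by Access Protection rule  (rule is currently not enforced)',
        'NT_DOMAIN\SRS-RMRES2-02$', 'System:Remote',
        'C:\Windows\SYSVOL\domain\Policies\{1C9122E4-78CD-4001-A2E7-8BBCA348C893}\GPT.INI',
        'Anti-virus Outbreak Control:Block read and write access to all shares',
        'Action blocked : Read') -join $tab
)

$entries = $sample | ConvertFrom-AccessProtectionLog

# Enforced blocks per process and rule: what is actually failing right now.
$entries | Where-Object { $_.Enforced } |
    Group-Object Process, Rule | Select-Object Count, Name

# Everything the ADWS service tried to do, enforced or not.
$entries | Where-Object { $_.Process -like '*\Microsoft.ActiveDirectory.WebServices.exe' } |
    Format-List Time, Enforced, Target, Rule, Action
```

The process and rule pair on the enforced entry is the scope any AV adjustment should be limited to, rather than turning the rule off for every process on the domain controller.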

Web Active Directory Releases Replacement for Microsoft IISADMPWD for Windows IIS7

We officially launched our Microsoft® IISADMPWD Replacement Tool today. Our simple solution addresses several issues with previous versions of IISADMPWD and allows you to delegate Windows password changes for web applications running on IIS 7 and later. At $599 USD, the new solution provides lots of value to allow users to self manage passwords for a small price. You can get more info about the solution at http://www.webactivedirectory.com/products/iisadmpwd/.

More Information

I have blogged about the need for an IISADMPWD replacement in the past; check out the articles below to learn more about why we built this solution for IIS 7.

Handy DNS Troubleshooting Tool: MXToolBox

I often use the Microsoft NSlookup utility to get DNS information when I’m troubleshooting DNS issues. Once in a while, though, our internal network configuration causes inaccurate results because of VPN configuration settings. Today I worked with a handy online DNS troubleshooting tool, the MXToolBox SuperTool, and came away very impressed with its speed, capability and ease of use.

The MXToolBox SuperTool allows you to query and filter record types for any domain, including NS records, MX records and even WHOIS records. You can also verify connectivity over different protocols like TCP, HTTP and HTTPS! Give the tool a try if you need DNS troubleshooting as I’ve found it quite handy and easy to use.

BlackBerry Business Cloud Services for Microsoft Office 365

I have been tracking Research In Motion’s (RIM) slow progress toward a hosted service that will allow BlackBerry device integration with the Microsoft Office 365 Exchange hosting service. In late October, RIM announced the new Business Cloud Services product for Office 365 and I blogged about it shortly afterward.

General availability is still slated for this month, January 2012, and RIM now has a page dedicated to the new Business Cloud Services product. I will keep an eye out for the final announcement of availability and update our blog with the announcement. Remember, though, if you’re a small business or professional Office 365 subscriber, the service will not be available for you; BlackBerry Business Cloud Services is initially available only for Office 365 Enterprise plan subscribers.

Web Active Directory Releases PeoplePassword and PeopleEnroll v3.2

Today we released a new version of our Windows self-service password reset (SSPR) solution, PeoplePassword, along with its companion automatic enrollment product, PeopleEnroll. This PeoplePassword release helps users complete their enrollment when combining enrollment data imported using PeopleEnroll with manual questions that users answer themselves. Users are prompted for the manual questions when using the PeoplePassword Recovery Center, allowing for a nicely integrated user experience.

Contact the Web Active Directory Sales Team for more information about obtaining PeoplePassword v3.2.

Diagnose Active Directory Management Gateway Service (ADMGS) Errors

I recently worked on a Windows Server 2008 system with the Active Directory Management Gateway Service (ADMGS) installed. The ADMGS allows you to use the Active Directory module for Windows PowerShell to manage AD remotely in domains where there are no Server 2008 R2 domain controllers running.

The ADMGS service (which runs as the Active Directory Web Services, ADWS, service) worked fine for several months but decided to begin having problems recently. We saw the following error message when running the “import-module activedirectory” command in PowerShell:

The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

Needing to troubleshoot the source of the issue, I messed with the IncludeExceptionDetailInFaults attribute in the C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config file. However, this proved to be a daunting task for a number of reasons so I moved on to another solution. (View an example of setting the IncludeExceptionDetailInFaults attribute.)

Finally, I located a post that helped break this open. Adding a couple of debug keys in the <AppSettings> section of the config file allowed me to log the ADMGS error on the server and diagnose the real source of the error.

<add key="DebugLevel" value="Info" />
<add key="DebugLogFile" value="C:\Windows\Debug\adws.log" />

Use one of the following valid string values (not the numeric values) for the DebugLevel value. This will add diagnostic info into the debug log at the DebugLogFile path you specify.

  • 0 – No logging
  • 1 – Error (this logs critical errors only)
  • 2 – Warn (this logs warning events as well as error events) – Recommended value to use unless you need full tracing
  • 3 – Info (verbose)

Once I set up debugging and restarted the ADMGS service, I got to the bottom of the problem with the error below and I can now address the permissions issue that is causing connection problems with the “import-module activedirectory” PowerShell command.

ActiveDirectoryWebServices: [xx/xx/2011 6:14:15 PM] [3] Get: Unhandled Exception System.UnauthorizedAccessException: Access to the temp directory is denied. Identity 'YOUR_DOMAIN\YourAccount' under which XmlSerializer is running does not have sufficient permission to access the temp directory. CodeDom will use the user account the process is using to do the compilation, so if the user doesnt have access to system temp directory, you will not be able to compile. Use Path.GetTempPath() API to find out the temp directory location.
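The config change described above can be scripted so it is repeatable and easy to roll back. This is an added example, not code from the original post: the function name and the demo file are hypothetical, while the key names, log path, config path and ADWS service name are the ones given in the post.

```powershell
function Set-AdwsDebugLogging {
    param(
        [Parameter(Mandatory = $true)][string]$ConfigPath,
        [ValidateSet('Error', 'Warn', 'Info')][string]$Level = 'Info',
        [string]$LogFile = 'C:\Windows\Debug\adws.log'
    )
    $path = (Resolve-Path $ConfigPath).ProviderPath      # .NET needs an absolute path
    Copy-Item -Path $path -Destination "$path.bak" -Force   # rollback copy
    $config = New-Object System.Xml.XmlDocument
    $config.Load($path)

    # .NET reads the section named appSettings (XML element names are case-sensitive).
    $app = $config.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $app) {
        $app = $config.CreateElement('appSettings')
        [void]$config.DocumentElement.AppendChild($app)
    }
    $wanted = @{ DebugLevel = $Level; DebugLogFile = $LogFile }
    foreach ($key in $wanted.Keys) {
        $node = $app.SelectSingleNode("add[@key='$key']")
        if ($null -eq $node) {                       # add the key only if it is missing
            $node = $config.CreateElement('add')
            $node.SetAttribute('key', $key)
            [void]$app.AppendChild($node)
        }
        $node.SetAttribute('value', $wanted[$key])   # otherwise update it in place
    }
    $config.Save($path)
}

# Constructed stand-in for the ADWS config, so the function can be tried off the server.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'adws-demo.exe.config'
'<configuration><appSettings><add key="DebugLevel" value="Error" /></appSettings></configuration>' |
    Set-Content -Path $demo
Set-AdwsDebugLogging -ConfigPath $demo
Get-Content $demo

# On the server (elevated): apply to the real file, restart, reproduce the error, read the log.
#   Set-AdwsDebugLogging -ConfigPath 'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'
#   Restart-Service -Name ADWS
#   Select-String -Path 'C:\Windows\Debug\adws.log' -Pattern 'Unhandled Exception'
```

The debug log records account names, as the entry above shows, so restore the `.bak` copy or lower the level once the cause is found.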

November Update on RIM, BlackBerry, BES and Microsoft Office 365

I wanted to post a quick update on RIM’s new BlackBerry Enterprise Service (BES) for hosted Exchange on Microsoft Office 365, officially called BlackBerry Business Cloud Services for Microsoft Office 365. In my October post, RIM announced the final release date for the service beginning in January 2012 along with a beta program that began in October.

I signed up for the beta program on October 4 and received a pleasant auto-response email. Since then, I’ve heard nothing but crickets and have been jonesing to see when the beta program will open up for non-Fortune 500 customers. Well, new information paints a bleak picture for small companies like ours as the RIM service will be free to subscribers of Microsoft’s Office 365 Midsized Businesses and Enterprises plan but not even available to Office 365 Professional and Small Business customers.

RIM’s own press release from October 25, 2011, verifies that small business and professionals using Office 365 will not have access to the new RIM BlackBerry Business Cloud Services for Office 365, at least at the initial turnup in January 2012. Perhaps a small business offering will come later but I have yet to see anything about that.

“Research In Motion (RIM) (NASDAQ: RIMM; TSX: RIM) today announced BlackBerry® Business Cloud Services for Microsoft Office 365 – a new RIM-hosted online service for midsized businesses and enterprises that extends Microsoft Exchange Online to BlackBerry® smartphones, and allows organizations to self-manage their BlackBerry deployments in the cloud. An open beta for the service is launching today in over 30 countries.”

I understand that RIM has its bread-and-butter market in the large enterprise. I also understand that RIM has proven it has no interest in small businesses like ours (or even large enterprises judging from the amount of lag between the Office 365 launch and the BlackBerry cloud service to replace BES) and we have chosen to move our services elsewhere. We cancelled our BlackBerry data service last week with our service provider and will be moving to an Android or iOS platform in February.

I will continue to keep folks up to date on this issue and it will be interesting to watch RIM continue to decline in influence as it ignores the customer service market and further alienates its customer base.

Customer Service: My Call is *Not* Important to You

I was working my way through a call tree with a large American-based company today and finally found the magic option to talk to a real live person. As I was holding for “the next available customer service representative,” I periodically heard a message from a friendly voice saying something like “Your call is important to us. Please wait for the next available customer service representative.” This went on for several minutes until I did get to talk to a representative.

Here’s my issue with this approach to “customer service.” My call *is not* important to you or you wouldn’t put me through a heinous call tree and then put me on hold for 10 minutes.

I feel like a company is lying to me when I hear this insulting message of “Your call is important to us.” Just go ahead and tell the truth: Your shareholders demand every red cent of profit possible so you cut out most of your customer service overhead and now I as the customer am stuck with shoddy service. It’s okay, though, because everyone else is doing it and Americans have become accustomed to this approach.

As time passes, I suspect more and more people will demand real customer service and begin pushing back on shoddiness. It’s okay to treat your customers well…you might even retain customers through thin times if you treat them like real people.

Edit 64-bit File with a 32-bit Editor on Windows 2008 64 or R2

I worked recently on a project where I needed to make a change to an IIS 7.5 configuration file on Windows Server 2008 R2. While trying to edit the file, I kept getting an error message trying to use my default text editor, TextPad.

C:\Windows\System32\inetsrv\config\administration.config was not found.
File Not Found

I also noticed that Windows Explorer rendered the files on the file system with some strange lock icons I don’t recall seeing before.

Strange File Lock Icons

After several attempts to open the files for editing in TextPad, I began searching the interwebs looking for an answer and stumbled across a post that helped me break through. Rick Strahl mentions an issue using a 32-bit application to edit certain files in the System32 folder.

Since all Server 2008 R2 flavors run as a 64-bit OS, I decided to try using the native Notepad installation instead of my 32-bit TextPad editor. Voilà! The file opened just fine and I was able to make my changes and move along once I got past the annoyances of Notepad…but I digress. ;-)

So remember that if you see a strange lock icon or you try to use a 32-bit editor to open files on a 64-bit platform, things may not work out. Try opening the file in Notepad to see if that will work to get you by while you get a 64-bit editor installed.

Custom HTTP Error Handling in IIS 7

Sometimes you need very precise control over the HTTP error responses returned by IIS 7. IIS 7 provides methods to hook into the response stream in the integrated pipeline and many IIS 7 settings are actually contained in configuration files like Web.config and machine.config.

If you have custom text you want to return for an HTTP status code then don’t forget about the existingResponse attribute of the httpErrors element. This attribute tells the custom error module what to do when the response text is not blank. You can choose to replace the custom text (existingResponse="Replace"), pass the text through (existingResponse="PassThrough") or automatically decide the right thing to do (existingResponse="Auto").

The following Web.config snippet for an IIS 7 web application shows how to pass through text from a custom error module running in the web application in response to HTTP 401.1 errors.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpErrors errorMode="Custom" existingResponse="PassThrough">
            <remove statusCode="401" subStatusCode="1" />
        </httpErrors>
    </system.webServer>
</configuration>
