Dec 22

IIS 6 – How to run 2 ssl websites on the same server (Win2003)

To run several websites on the same server using the standard SSL port (443), you need to set a host header for the SSL website. In IIS7 it is easy and can be done through the GUI, but in IIS6 you need to use the adsutil.vbs script.

This is how :

1. open a command prompt

2. browse to C:\Inetpub\AdminScripts

3. type in: cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

Replace <site identifier> with the identifier number for the website (see image below), and <host header> with the host header that you want to use, for example


You have to run this command for each website that uses ssl port 443 on the server.

Dec 11

Task Scheduler – can’t activate “Run whether user is logged on or not”

Ran into a strange problem the other day when I was trying to set up a simple task on a Windows 2008 server.

I created a job in Task Scheduler that copied files from a network share to the local drive, and the job worked fine as long as the user was logged on.

But when trying to activate the Security option “Run whether the user is logged on or not” (see image below)

I got the following error:



This error message was very cryptic until I asked my friend Google 🙂

Here is how you find the real answer :

Open the calculator and change to “Programmer” mode (click VIEW, PROGRAMMER).
Click on “Dec” and enter 2147943712.
Clicking on “Hex” will convert it to hexadecimal, resulting in 80070520.

The “8007” part of the code identifies it as a Win32 status code, so 0520 must be the error code.

Then make sure that “Hex” is selected and enter the last three numbers, 0520 and click on “Dec” to convert to decimal resulting in 1312.

From the command line run “net helpmsg 1312”.

The net help output was: “A specified logon session does not exist. It may already have been terminated.”


This is because there is a policy setting (in the local policy, that was set by GPO) that doesn’t allow passwords to be stored on the computer for network authentication (domain accounts).


Disable this setting and you are allowed to store the password and run the task whether user is logged on or not ! 🙂

I am not sure, but I think the passwords are stored as clear text on the local machine, so use service accounts with limited access to network resources for this. Do not set up the task with Admin accounts 🙂
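The calculator steps above can be done in one go in PowerShell. This is an added example, not part of the original post; the function name ConvertFrom-HResult is made up for illustration, and it needs PowerShell 3.0 or later. It also accepts the signed form of the same code (-2147023584), which some tools show instead.

```powershell
# Added example: decode an HRESULT such as the 2147943712 shown by Task Scheduler.
function ConvertFrom-HResult {
    param(
        # Accepts the unsigned form (2147943712) or the signed form (-2147023584).
        [Parameter(Mandatory)][long]$Value
    )

    # Normalise to an unsigned 32-bit number. 4294967295 is 0xFFFFFFFF; it is
    # written in decimal because PowerShell reads the literal 0xFFFFFFFF as -1.
    [long]$u = $Value -band 4294967295

    $failure  = (($u -shr 31) -band 1) -eq 1   # bit 31: severity (1 = failure)
    $facility = ($u -shr 16) -band 0x7FF       # bits 16-26: facility
    $code     = $u -band 0xFFFF                # bits 0-15: error code

    $result = [ordered]@{
        Hex      = '0x{0:X8}' -f $u
        Failure  = $failure
        Facility = $facility
        Code     = $code
        Message  = $null
    }

    # Facility 7 is FACILITY_WIN32: the low word is a plain Win32 error code,
    # the same number that "net helpmsg" takes.
    if ($facility -eq 7) {
        $ex = New-Object System.ComponentModel.Win32Exception ([int]$code)
        $result.Message = $ex.Message
    }

    [pscustomobject]$result
}

# The value from the post: Hex 0x80070520, Facility 7, Code 1312
ConvertFrom-HResult 2147943712 | Format-List
```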


Jul 14

Search for messages in a specific timespan over multiple Exchange servers

It is not always so easy to track messages in Exchange 2013. At least not for me, I miss the old message tracker ! 🙂

Here is a command that I use frequently :

Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start "07/14/2014 8:00AM" -End "07/14/2014 5:00PM" -Recipients "" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp | ft


And here is the link for more parameters :

Jul 14

Recurring meeting rejected because there are conflicts

By default, after installing Exchange 2013 and creating a room mailbox with automatic processing, the settings reject a recurring meeting request if there are one or more conflicts in the room calendar. 🙁

I found a good article that describes what settings you need to change so that only the specific meeting where the conflict is gets rejected and the other meetings are accepted.

Enjoy ! 🙂

Mar 19

Domain joined server gets public firewall profile ?!

I made a strange discovery the other day: some of the freshly installed Windows 2012R2 servers at a customer site get the Public profile on Windows Firewall even if the server is domain joined.

This happens when the server is restarted and also happens on domain controllers !!!

Very annoying because the public profile disables Remote management and Remote desktop…grr…

The solution … or workaround, is to restart the “Network Location Awareness” service after the server is online, and the firewall profile changes back to “domain”.

This is of course not a good workaround and easy to forget. But if you set the “Network Location Awareness” service to delayed startup mode the problem is solved permanently 🙂

The easiest way to do this is to use preferences in a Group Policy.
I have created a policy called NLA delayed start and linked it to OUs where we have servers with this issue (see picture below).


I have not seen this problem in Windows Server 2012 and wonder if Microsoft made some changes to the R2 version that cause this ? …
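A way to check for the wrong profile and apply both the workaround and the permanent fix from the command line, as an added example that is not part of the original post. It assumes Windows Server 2012 or later (for Get-NetConnectionProfile) and an elevated prompt; NlaSvc is the service name of “Network Location Awareness”. On a multi-homed server, an interface that cannot reach a domain controller (a storage or backup network, for instance) is expected to stay Public or Private.

```powershell
# Added example: detect a domain-joined server that came up with a non-domain
# firewall profile, restart NLA, and set the service to delayed start.
function Get-NonDomainConnection {
    # Returns connections that are not classified as DomainAuthenticated.
    @(Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })
}

$inDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$wrong    = Get-NonDomainConnection

if ($inDomain -and $wrong.Count -gt 0) {
    Write-Warning 'Domain-joined server with a non-domain network profile:'
    $wrong | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize

    # Workaround from the post: restart Network Location Awareness.
    # -Force is needed because other services depend on NlaSvc.
    Restart-Service -Name NlaSvc -Force
    Start-Sleep -Seconds 10

    # Show the result after NLA has re-evaluated the network.
    Get-NetConnectionProfile |
        Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize
}

# Permanent fix from the post: delayed automatic start for NLA.
# (The space after "start=" is required by sc.exe.)
sc.exe config NlaSvc start= delayed-auto

# Verify: DelayedAutostart should now be 1.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc').DelayedAutostart
```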

Nov 27

Set up two standalone Hyper-V 2012R2 servers as replication partners

I needed to set up two physical servers as Hyper-V servers that host replicas of each other’s virtual machines. They do not have a shared disk resource, so “Hyper-V replicas” is a way to get some safety against hardware failures.
(I use Windows Server 2012R2 Standard edition because the customer wants a GUI to manage the servers)

As usual Google is my friend, and I found a couple of articles that at least helped me accomplish this in my lab.
I am going to implement this at a customer’s site later on and I will update this article after that 🙂

These servers are not joined to a domain, so the replication has to be set up with certificate-based authentication.
To create certificates I use a tool called makecert.exe that is part of the Windows SDK, you can download it here : (also works for Win Server 2012) .

So let’s get to the configuration:

  1. Install the Hyper-V role on both servers
  2. Edit the hosts file on both servers so they can find each other (if you can’t register the names in DNS)
  3. Create Root and server certificates with the makecert tool. (see this article
    – I had to type in these commands to get it to work, copy-paste via Notepad did not 🙁
    – I also edited the registry with Regedit instead of using the command in bullet point 5 in the article.
  4. Configure the “Replication Configuration” in Hyper-V settings on both servers. (see this article
    – Just use certificate-based authentication instead of Kerberos and remember to enable the “Hyper-V Replica HTTPS listener” rule in Windows Firewall.
  5. Enable replication for the virtual machines (also explained in the article above)

That’s it ! Easy Peasy … 🙂


Aug 28

Migrate AD CS from windows 2008 to Windows 2012 – Enterprise PKI

You have probably read through a bunch of articles on how this can be done and, I hope, ended up thinking that “The Microsoft Way” is probably best.

Well, in a way it is, but I had success doing only some of the steps in the migration guide. I cannot guarantee this will work for you, but this solution did not cause any downtime and the new CA started issuing certificates immediately.

Here is my way:

I had a single forest, single domain with an Enterprise PKI deployed on a domain controller (OldCA) running Windows 2008. The domain level is also Windows 2008.
This DC had to be demoted and removed because it was running on old hardware. At the same time we planned to upgrade all DCs to Windows 2012.
The OldCA autoenrolled computer certificates to all computers and had issued certificates to several servers, most critical was the Lync 2010 environment.

I wanted to migrate the Root CA (OldCA) to a new Domain Controller running Win 2012 (NewCA). I did not want to use the same server name on the NewCA as the OldCA had (this is not recommended by Microsoft and I struggled with finding articles that confirmed this was possible).

First I used some of the steps from the Microsoft Guide to back up the configuration of the OldCA:
(detailed info about the steps:

1. Publish CRL with an extended validity period – right-click “Revoked Certificates” to check the period. (To publish a new CRL, right-click and choose All Tasks –> Publish)

2. Backup CA database

3. Copy the backup and Certificate file to the new server (and the registry export if you do step 4)

4. (optional) Export the registry settings from
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration, right-click Configuration and choose “Export”. (I do this in case I have to restore everything back on the OldCA if the migration does not succeed)
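The same backup steps from the command line, as an added example that is not part of the original post or of the Microsoft guide. The backup path and the two-week CRL period are assumptions; run it elevated on the OldCA. The .p12 file written by -backupKey contains the CA private key, so protect it with a strong password and remove the copies once the migration is verified.

```powershell
# Added example: steps 1, 2 and 4 above, plus hashes to verify the copy in step 3.
$backupDir = 'C:\CABackup'   # assumed path, adjust to your environment

function Invoke-Checked {
    # Run a native command and stop the script if it reports failure.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Step 1: extend the CRL validity (2 weeks is an assumed value), restart the
# CA service so the new period is picked up, then publish a fresh CRL.
Invoke-Checked certutil.exe @('-setreg', 'CA\CRLPeriodUnits', '2')
Invoke-Checked certutil.exe @('-setreg', 'CA\CRLPeriod', 'Weeks')
Restart-Service -Name CertSvc
Invoke-Checked certutil.exe @('-CRL')

# Step 2: back up the CA database, then the CA certificate and private key.
# -backupKey prompts for the password that protects the .p12 file.
Invoke-Checked certutil.exe @('-backupDB',  $backupDir)
Invoke-Checked certutil.exe @('-backupKey', $backupDir)

# Step 4: export the CA configuration from the registry.
Invoke-Checked reg.exe @(
    'export',
    'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration',
    "$backupDir\CertSvc-Configuration.reg",
    '/y'
)

# Step 3 aid: print SHA-256 hashes so the files can be compared on the NewCA
# after copying.
Get-ChildItem -Path $backupDir -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { certutil.exe -hashfile $_.FullName SHA256 }
```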

Then, install the Active Directory Certificate Services on the NewCA. (Before you do this, make sure you have installed critical updates)

1. From Server Manager –> Add roles and services

When the install is finished click “Configure Active Directory on the destination server”


Configure AD CS 

UPDATE: Although it is possible to just stop Certificate Services on the OldCA, I recommend that you uninstall it. Then you won’t get any trouble with demoting the OldCA (if it is a DC)

1. Before you proceed with the configuration , stop and disable the Certificate service on the OldCA.

2. Proceed with the configuration

NB ! Use an AD account with “Enterprise Admin” rights.

When finished check AD CS is OK by opening the “Certification Authority” tool


As you can see, the NewCA is up with the same CA name as the OldCA but it has a different server name (distinguished name) in AD.

To make sure it can issue certificates you can log on to a computer in the domain and use the “Certificates” snap-in in MMC to request a new certificate or renew an already issued certificate.




I did not restore the database from the OldCA on to the NewCA, which means that you can’t see which certificates were issued from the OldCA. I will try to do a restore in my lab environment to see if it is possible.

Good luck with your migration ! 🙂

I tried the restore procedure from the MS Guide and it worked fine in my lab. But I have not tried this in a live environment… if I do I will update this article.

Also remember to “Reenroll all Certificate holders” on the Templates, especially the computer certificate. (When you move a CA the CRL location will also change and holders of certificates from the OldCA can’t find the CRL, because they don’t ask AD where the CA is, they only use information from the issued certificate.)

Jul 04

Migrate from Exchange 2007 to 2010 – Remove public folder error (Internet Newsgroup)

When trying to remove the public folder replicas from an Exchange 2007 server I could not remove one public folder called Internet Newsgroup.

As far as I understand this is a heritage from legacy versions of Exchange. This was intended to be used for a local NNTP source, where an org could have a local copy of some select newsgroups for their users to view.

To delete this folder and to be able to uninstall Exchange 2007 I had to use Adsiedit and delete the public folder record.


  1. Open Adsiedit.msc from run command
  2. Connect to your server (right-click on ADSI Edit, then Connect). Select Configuration for the well known Naming Context
  3. Expand to CN=Services,CN=Microsoft Exchange,CN=your organization name,CN=Administrative Groups,CN=Exchange Administrative Group,CN=Servers,CN=Your MailBox Server. Expand it and then locate Information Store.
  4. Locate the particular storage group that holds the Public Folder Store. In the right pane, delete the public folder record under the storage group.

Make sure that you have moved all your replicas to the new Exchange server before you do this !

Jun 30

Exchange 2007- Information Store and System Attendant does not start.

A customer of mine had a peculiar problem the other day 🙂

In a mixed environment with Exchange 2007 and 2010 the System Attendant and Information Store did not start on the 2007 server after a reboot..

In the event log we got this very descriptive message “The Microsoft Exchange Information Store service terminated with service-specific error 0 (0x0).”, event ID 7024.

Normally this has to do with permissions to registry keys or permissions on objects in AD (you can find a lot of solutions on this on Google). But I checked all permissions and they were OK.

Further back in the event log I found some error messages caused by a skew in time. These messages were triggered by “The Microsoft Exchange Active Directory Topology service”.

Ran w32tm /resync and checked that time was the same as on the domain controller.
Rebooted with no luck 🙁 …

The solution was :

1. Stop all Exchange services.
2. Start “The Microsoft Exchange Active Directory Topology service” first.
3. Start “Information store” and “System attendant” + (other Exchange services in case SA doesn’t start them)

I do not know if the error occurred because of a skew in time between the DC and Exchange or if it was just a coincidence. The reboot after the timesync should have brought the services up in that case.

Anyway, it worked and in a couple of days we are going to decommission that 2007 server 🙂

Jun 20

Removing registry key in .reg file

I have done a bit of application packaging and small scripts for installing these applications.
Doing this I needed to completely delete some registry keys added by a .reg file.

This is simple enough if you have the reg file that first created the key. Just add a – in front of the key and run the reg file again 🙂




