GoDaddy-issued certificates are not trusted by the Sony P1i phone, so if you are using a GoDaddy-issued digital certificate for ActiveSync on one of these phones you will be prompted to accept the certificate at each sync. As this defeats the purpose of push email sync you will want to stop the prompt.
You do this by installing the GoDaddy trusted root certificate. On any Windows computer that works when connecting to a website protected with your GoDaddy certificate run mmc.exe and add the Certificates snap-in, selecting the local user option. Browse to Trusted Root Certification Authorities and click on the Certificates node. Find and right-click the Go Daddy Class 2 Certification Authority and choose All Tasks > Export. Export the certificate as a DER encoded binary X.509 (.CER) file to a folder on that computer.
Email that file to the owner of the Sony P1i and sync the phone to download their email (confirming the prompt that we want to remove). Open the email and download the attachment. Once the attachment is downloaded (which might involve syncing again and confirming the certificate prompt) open the attachment. The phone will install the certificate into its certificate store. No more prompts!
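Because the exported file will be installed as a trust anchor after travelling by email, it is worth checking it before sending. The following is an added example, not part of the original post; the path c:\GoDaddyRoot.cer is a placeholder for wherever you saved the export.

```powershell
# Added example: sanity-check an exported root certificate before emailing it.
# Assumption: c:\GoDaddyRoot.cer is a placeholder for the exported .CER file.

function Test-ExportedRoot {
    param([string]$CerPath)

    $file = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # A root CA certificate is self-signed: subject and issuer are the same name
    $selfSigned = ($file.Subject -eq $file.Issuer)

    # The export should be the same certificate that this user already trusts
    # (the "local user" Trusted Root Certification Authorities store)
    $trusted = @(Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $file.Thumbprint })

    @{
        Subject            = $file.Subject
        Thumbprint         = $file.Thumbprint
        NotAfter           = $file.NotAfter
        SelfSigned         = $selfSigned
        MatchesTrustedRoot = ($trusted.Count -gt 0)
        # A root export never needs a private key; True here means the wrong file
        HasPrivateKey      = $file.HasPrivateKey
    }
}

Test-ExportedRoot 'c:\GoDaddyRoot.cer'
```

The thumbprint gives the recipient a value to compare, over a channel other than the email itself, before the file is installed as a trusted root.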
Labels: 2003, 2007, activesync, exchange, mobile phones, pki
permalink posted by Brian Reid : 7:06 PM

This rather imposing message is found if you try to force replication between two Active Directory Domain Controllers when one controller's machine account password is out of sync with the password as stored on the other domain controller.
I have seen this a number of times on Virtual PC or Virtual Server Active Directory deployments with more than one DC in the virtual environment.
So, how do you fix it:
1. On the DC that is broken (the one that reports the error above when using replmon), set the Kerberos Key Distribution Center Service to manual and stop the service.
2. From a command prompt on the broken DC enter the following:
netdom resetpwd /s:name_of_working_DC /ud:domain\user /pd:*
where domain\user is an administrator of the domain in the domain_name\user_name format. You will be prompted to enter your password.
3. Upon pressing Enter, if the command fails then restart the broken DC and repeat the above command (this restart clears the Kerberos ticket cache and so clears the broken credential attempts that it has stored).
4. Upon successful completion of the command in step 2, restart the broken DC. You must do this even if done already in step 3.
5. Check that replication is working, and if so restart the Kerberos Key Distribution Center Service and set the service back to automatic.
This is a summary of Microsoft Knowledgebase Article 325850, with some more specific detail mentioned.
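The same procedure split into a before-restart and an after-restart function, so that the KDC is only re-enabled once replication reports no failures. This is an added example, not from the original post or the KB article; DC01 and EXAMPLE\administrator are placeholders, and it assumes PowerShell 2.0 or later with netdom.exe and repadmin.exe on the PATH.

```powershell
# Added example, not from the original post or KB 325850.
# Assumptions: elevated PowerShell 2.0 or later on the broken DC, netdom.exe and
# repadmin.exe on the PATH, and the column names of repadmin's CSV output.

function Start-DcPasswordRepair {
    param([string]$WorkingDc, [string]$DomainUser)

    # Step 1: set the KDC to manual and stop it
    Set-Service -Name kdc -StartupType Manual
    Stop-Service -Name kdc

    # Step 2: /pd:* prompts for the password, so it never appears on the command line
    netdom resetpwd "/s:$WorkingDc" "/ud:$DomainUser" '/pd:*'

    if ($LASTEXITCODE -ne 0) {
        # Step 3 (assumes netdom reports failure through a non-zero exit code)
        Write-Warning 'netdom failed: restart this DC to clear the Kerberos ticket cache, then run this function again.'
    } else {
        # Step 4
        Write-Warning 'Password reset succeeded: restart this DC, then run Complete-DcPasswordRepair.'
    }
}

function Complete-DcPasswordRepair {
    # Step 5: read the inbound replication links and count the failing ones
    $links   = @(repadmin /showrepl /csv | ConvertFrom-Csv)
    $failing = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })

    if ($links.Count -eq 0 -or $failing.Count -gt 0) {
        $failing | Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
        Write-Warning 'Replication is not healthy: leaving the KDC service stopped and set to manual.'
        return
    }

    # Replication is working, so put the KDC back the way it was
    Set-Service -Name kdc -StartupType Automatic
    Start-Service -Name kdc
    Get-Service -Name kdc
}

# Before the restart:  Start-DcPasswordRepair -WorkingDc DC01 -DomainUser 'EXAMPLE\administrator'
# After the restart:   Complete-DcPasswordRepair
```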
Labels: 2003, 2007, active directory, error, exchange, kerberos, virtual pc, virtual server
permalink posted by Brian Reid : 4:06 PM

Blog updated 22nd February 2008
As Microsoft plan to release Update Rollups for Exchange Server 2007 every six to eight weeks (see KB937194), I will use this blog entry to list the current latest update:
The latest version of the Exchange 2007 update is Update Rollup 6 for Exchange Server 2007 - this can be downloaded from here (64 bit and 32 bit versions now available).
Microsoft plan to do these releases rather than issue hotfixes as the method of engineering Exchange has changed since the previous versions, and KB937194 (see earlier) describes why this is. Each update rollup contains all the previous updates, so you only need to deploy this patch and not any earlier patches as well.
If you have not yet installed Exchange 2007, copy this patch to the Update folder on your installation point and it will get slipstreamed into the installation automatically upon running Setup.
Note that unlike updates #3, #4 and #5, a 32bit version of this update is not currently available.
Labels: 2007, exchange, hotfix, update
permalink posted by Brian Reid : 3:28 PM

A new feature in digital certificates is the Subject Alternative Name property. This allows a single certificate to cover more than one URI (e.g. www.c7solutions.com and www.c7solutions.co.uk). It also means that in web servers such as IIS you can bind this certificate to the site and use up only one IP address.
A number of commercial companies now sell certificates with the Subject Alternative Name field set, but this article describes how to use the Exchange Server 2007 command line to create certificate requests for other web sites that can be uploaded to Microsoft Certificate Server (which does not support this property in its own web pages) to create certificates for web servers such as IIS (which also do not support this property in the requests that they make).
The command that you need is run from PowerShell, and specifically from the Microsoft Exchange Server 2007 extensions to PowerShell. So start up the Microsoft Management Shell and enter the following (replacing your domain names as indicated):
New-ExchangeCertificate -GenerateRequest:$true -Path c:\newCert.req -DomainName www.domain.com,sales.domain.com,support.domain.com -PrivateKeyExportable:$true -FriendlyName "My New Certificate" -IncludeAcceptedDomains:$false -Force:$true
The DomainName property is set to each URL that you want the certificate to be valid for, with the first value in the string being the value for the Subject field and all the values each being used in the Subject Alternative Name field.
Once you have executed the command above you will have a file with the name set in the Path property. This file can be opened in Notepad and used in Microsoft Certificate Services:
- Browse to your Microsoft Certificate Services URL and click Request a certificate
- Click advanced certificate request
- Click submit a certificate...
- Copy and paste the entire text of the certificate request from notepad into the Saved Request field on this page and select Web Server as the Certificate Template. Click Submit.
- With a default installation the Web Server template value will not be present and that needs to be enabled by your Certificate Services administrator for your user account
- With the default installation of Certificate Services, the certificate will now be ready to download. Click Download certificate (or Download Certificate Chain if the end server does not trust your issuer) to save your certificate to the computer.
- Install the certificate on to the same computer that you issued the request from (this is a very important step), and then you can export the certificate and import it on your web server or firewalls.
To install the certificate, run the Import-ExchangeCertificate PowerShell command on the same computer as the request was issued from (this is very important: it must be the same computer). This is a simpler command to run than the creation of the request above.
The syntax of this command is (where the filename is the name of the file downloaded above):
Import-ExchangeCertificate c:\newCert.cer
To export the certificate to your web server or firewall you need to open the local computer certificate store in the Microsoft Management Console - run mmc, add a snap-in and choose Certificates, Computer account. You will find your certificates under the Personal store. You can right-click these certificates and export them (with the private key) to a .pfx file. This file can then be imported on the web server or firewall using an MMC with the Certificates (Computer account) snap-in loaded into it.
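Before exporting to a .pfx, it is worth confirming that the issued certificate really carries every requested name and that the import paired it with the private key created by the request. The following is an added example, not part of the original post; the path and host names are the sample values from the commands above, and the "DNS Name=" text assumes an English-language Windows installation.

```powershell
# Added example: check an issued certificate before exporting it to a .pfx.
# Assumptions: c:\newCert.cer and the host names are the sample values from the
# post; "DNS Name=" is how English-language Windows formats SAN entries.

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.17 is the OID of the Subject Alternative Name extension
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($true) gives one entry per line, e.g. "DNS Name=www.domain.com"
    $ext.Format($true).Split("`n") | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
    }
}

function Test-IssuedCertificate {
    param([string]$CerPath, [string[]]$ExpectedNames)

    $issued   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $sanNames = @(Get-SanDnsNames $issued)
    $missing  = @($ExpectedNames | Where-Object { $sanNames -notcontains $_.ToLower() })

    # After Import-ExchangeCertificate on the requesting computer, the copy in the
    # local computer Personal store should be paired with the private key.
    $stored = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $issued.Thumbprint } |
        Select-Object -First 1

    @{
        Subject       = $issued.Subject
        SanNames      = $sanNames
        MissingNames  = $missing
        InStore       = ($stored -ne $null)
        HasPrivateKey = [bool]($stored -and $stored.HasPrivateKey)
    }
}

Test-IssuedCertificate 'c:\newCert.cer' 'www.domain.com', 'sales.domain.com', 'support.domain.com'
```

An empty MissingNames list with HasPrivateKey set to True means the certificate is ready to export; HasPrivateKey set to False usually means the import was run on a computer other than the one that generated the request.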
Labels: 2007, certificates, exchange, iis, microsoft, pkcs, powershell, web
permalink posted by Brian Reid : 9:26 AM

I need a place to store useful PowerShell commands for the administration of Exchange Server 2007, so I thought I would add them here:
Upgrading Exchange Organisation
Place Replicas of Public Folders on New Exchange Server
get-publicfolder -recurse | Set-PublicFolder -Replicas:"server\public folder database","server\public folder store (server)"
Enable ActiveSync Policy for Windows Mobile 2003 Smartphones and Pocket PCs
New-ActiveSyncMailboxPolicy "Windows Mobile 2003 Users" -AttachmentsEnabled:$false -DevicePasswordEnabled:$false -AlphanumericDevicePasswordRequired:$false -PasswordRecoveryEnabled:$false -DeviceEncryptionEnabled:$false -AllowNonProvisionableDevices:$true -AllowSimpleDevicePassword:$false -DevicePasswordExpiration:unlimited -WSSAccessEnabled:$false -UNCAccessEnabled:$false
Enable ActiveSync Policy for Windows Mobile 5 Smartphones and Pocket PCs
New-ActiveSyncMailboxPolicy "Windows Mobile 5 Users" -AttachmentsEnabled:$true -DevicePasswordEnabled:$true -AlphanumericDevicePasswordRequired:$false -PasswordRecoveryEnabled:$true -DeviceEncryptionEnabled:$false -MinDevicePasswordLength:4 -MaxInactivityTimeDeviceLock:00:15:00 -MaxDevicePasswordFailedAttempts:8 -AllowNonProvisionableDevices:$false -AllowSimpleDevicePassword:$false -DevicePasswordExpiration:unlimited -WSSAccessEnabled:$true -UNCAccessEnabled:$true
Set ActiveSync Policy Against All Users for a Given Policy
get-mailbox | Set-CASMailbox -ActiveSyncMailboxPolicy:"Name Of Policy"
Labels: 2007, exchange, powershell, upgrade
permalink posted by Brian Reid : 8:53 AM