Thursday, April 28, 2011

Wortell TechReady

Today the company that I work for (Wortell) hosted the first edition of a new (internally) launched event called Wortell TechReady! A great event full of technical sessions presented by Wortell employees about all kinds of (new) Microsoft products and services! Today, the first day of two, there were 18 sessions packed with technical content and full of awesome demos! Tomorrow a full day on SharePoint will follow!
Subjects like FIM, Lync, Exchange, Hyper-V, App-V, Office365 and many, many more were covered! I personally had the honor to present a breakout that contained a technical drilldown on RDS 2008 R2, my favorite subject!
We were also happy to invite 8 external speakers today! To give you an example, technical speakers from Dell, Quest and Microsoft also presented their latest products and technologies! Michel Roth, Quest's Principal Product Architect on vWorkspace, presented a great session on vWorkspace, Chantal Smelik from Microsoft talked about Windows Intune and Edie van den Berge, also from Microsoft, talked about the private cloud!
The feedback on the event so far has been great! This will become a frequently returning event at Wortell!
For more info on Wortell also see:
If you would like to join the Wortell team, visit:

Tuesday, April 26, 2011

Two hotfixes for RemoteFX

Microsoft has released two hotfixes for RemoteFX:

Article ID: 2519946 - Last Review: April 13, 2011 - Revision: 1.0
Timeout Detection and Recovery (TDR) randomly occurs in a virtual machine that uses the RemoteFX feature in Windows Server 2008 R2

Article ID: 2523676 - Last Review: April 20, 2011 - Revision: 2.0
GPU is not accessed leads to some VMs that use the RemoteFX feature to not start in Windows Server 2008 R2 SP1

Wednesday, April 20, 2011

Troubleshooting Remote Control (Session Shadowing) on Win Server 2008 (R2)

Remote Control with Remote Desktop Services is the technique you can use to view and / or interact with the session of another user. Doing so helps support desks troubleshoot issues or errors that end-users experience.
But what if session shadowing fails to start? There are a number of reasons why, and a number of circumstances under which, shadowing sessions doesn’t work. In this blog I’ll walk you through them.
1.       Check whether the session of the user in question is allowed to be shadowed. That seems like a big “duh!”, but there are multiple places where shadowing can be disabled.

a.       The user account properties in Active Directory

b.      In the RD Session Host Configuration

c.       In various places in Group Policy Objects, on user objects as well as on computer objects:

2.       The error message that you get while trying to shadow a session, could sometimes also lead you in the right direction. The error could be:

Remote control failed. Error code 7051
Error [7051]:The requested session is not configured to allow remote control.
That one’s pretty easy: in 1 of the 3 places discussed before, shadowing is denied for this user.

Remote control failed. Error code 7044
Error [7044]:The request to control another session remotely was denied.
Also very obvious: the user clicked “No” when the system asked whether he allows the shadowing (if asking for permission is enabled, of course), or the user simply did not respond.

But what about this one:
Remote control failed. Error code 2
Error [2]:The system cannot find the file specified.
Error[2] could mean that either shadowing is denied for this user in 1 of the 3 places discussed before, or the user in question simply hit “No” when the system asked whether he allows the shadowing (if asking for permission is enabled, of course), or the user simply did not respond. You particularly get this error when trying to shadow a session that sits on a different RDSH server than the one you start the shadow from.

And then this one:
Remote control failed. Error code 120
Error [120]:This function is not supported on this system.
Error[120] is raised when you try to shadow a session from a computer that has one monitor to a computer that uses multiple monitors.

What about this one:
Remote control failed. Error code 31
Error [31]:A device attached to the system is not functioning.
Error[31] is raised when you try to shadow an RD session from a Windows XP client; this is not supported.

Last but not least:
Remote Control Failed. Error Code 7050.
Error [7050]:The requested session cannot be controlled remotely.
This error means that you are logged on to the console of the server that is running Terminal Services. If you try to shadow another user's session from the console of the computer, you receive this error.

One of my personal favorites: shadowing seems to work, but I shadowed a user’s RemoteApp. Big Oops! Because this is what the end-user could end up with:
While the admin sees this:

Why? The administrator moved the RemoteApp from its position.
Word of advice: Don’t shadow a RemoteApp Session!
3.       To quickly see what Remote Control configurations have been made for a computer, open a PowerShell box and enter the following command:

get-wmiobject -namespace "root\cimv2\terminalservices" -class
This will result in the following (example) output:
Levelofcontrol can have the following values:

PolicySourceLevelOfControl indicates whether the LevelOfControl property is configured by the server, by Group Policy, or by default, and can have these values:

RemoteControlPolicy  is the policy the server uses to retrieve the remote control settings and can have the following values:

Hopefully this helps in finding out causes of non-functioning shadowing or remote controlling your sessions in your environment!

More general info:


Tuesday, April 19, 2011

The case about the incorrect office icon in the taskbar while using RDP is now fixed!

If you have been using Remote Desktop Services (RDS) 2008 R2 or an RDP session to Windows 7 (although I've seen it less in Win7) you must be familiar with this case:

You open up an RDP session to a Windows Server 2008 R2 RDS server, open up for example Outlook 2010, and you find that the icon for PowerPoint now appears on the taskbar! This issue was inconsistent: sometimes it showed up, sometimes it didn’t.

Microsoft released a fix for this issue last week, here it is:

According to Microsoft this issue occurs because of a timing issue in the Shell32.dll module.

Thursday, April 14, 2011

Having extensible-extension-error or ma-extension-error while provisioning Live@EDU? Here's how to get the detailed errors in FIM2010

In a scenario where you are using Forefront Identity Manager 2010 (FIM) to provision mailboxes to Live@EDU (Microsoft’s cloud e-mail service for education) you must have seen the following error before when you did an export or EDIDS on your Live@EDU Management Agent.
“Error: extensible-extension-error” or “ma-extension-error”

When you click on the details you’ll get the following information:
Microsoft.MetadirectoryServices.ExtensibleExtensionException: System.TypeInitializationException: The type initializer for 'Microsoft.Exchange.GALSync.Common.XMAEventLog' threw an exception. ---> System.Security.SecurityException: The source was not found, but some or all event logs could not be searched.  Inaccessible logs: Security.
Which tells us absolutely nothing about why the export to Live@EDU failed. When you look at the eventlog (application) you’ll see event id 6801 being raised which is basically the same error and still tells us nothing about why the export failed:
Why is this occurring? FIM 2010 is unable to actually write the error to the eventlog. Why? Because it doesn’t know which .dll to use to write to the eventlog. This is somewhat related to the fact that the Management Agent for Live@EDU that is used today was originally written for Identity Lifecycle Manager 2007 (ILM).
Now, what do we do to fix this? Quite simple!
1.       Create a .reg file and enter the following content

Windows Registry Editor Version 5.00

"EventMessageFile"="\"C:\\Program Files\\Microsoft Forefront Identity Manager\\2010\\Synchronization Service\\Extensions\\res\\Microsoft.Exchange.GALSync.EventLog.dll\""
"CategoryMessageFile"="\"C:\\Program Files\\Microsoft Forefront Identity Manager\\2010\\Synchronization Service\\Extensions\\res\\Microsoft.Exchange.GALSync.EventLog.dll\""

Make sure that the paths to the .dll match your environment and that the .dll is actually there.

2.       Run the .reg file on the machine that runs your FIM Sync Service
This should let FIM 2010 know which .dll to use to actually write a useful error to the eventlog (that it receives from Live@EDU) and also where this .dll resides.

3.       Now restart the service FIMSynchronizationService

4.       (Re)start your export run profile (or EDIDS if you prefer so).
That’s it!
From now on, when for some reason FIM could not add, delete or update a mailbox in Live@EDU, we get the actual error from Live@EDU inside FIM2010 as well as inside the eventlog.

In this case the cause was simple, an account with the same liveID already existed. But you can imagine this can be very useful for finding out causes that aren’t too obvious.
In my opinion, this should be added to your default installation instructions when combining FIM2010 and Live@EDU!

Tuesday, April 12, 2011

Certificate Revocation Lists in combination with the RD Gateway

Nice blog today by the Microsoft RDS team on Certificate Revocation Lists (CRLs) in combination with the RD Gateway.

The RD Gateway client will, by default, not check whether the certificate that is used on the RD Gateway server has been revoked. To make clients check the revocation status and only proceed with the connection if the certificate is not revoked, you can run the following command on the client:

reg add "HKCU\Software\Microsoft\Terminal Server Gateway\Transports\Rpc" /v CheckForRevocation /t REG_DWORD /d 1

The publishing and maintenance of the CRL is an integral part of the public key infrastructure (PKI) and is external to RD Gateway. Please do not enable certificate revocation checking on RD Gateway clients until you have confirmed that your infrastructure can support this; otherwise, even the basic connection to an end resource through the RD Gateway server will not work. This is the reason why certificate revocation checking is disabled by default on the RD Gateway client, and the recommendation is to turn it on as a security best practice only after ensuring that the CRL is accessible from the Internet.
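One way to confirm that the CRL infrastructure can support the check before turning it on, as an added example that is not part of the original post or of Microsoft's guidance: the script fetches the gateway's certificate, builds its chain with online revocation checking, and only sets `CheckForRevocation` when revocation status could be obtained. The host name `rdgw.example.com` is a placeholder.

```powershell
# Added example: pre-flight check before enabling CheckForRevocation on an RD Gateway client.
param(
    [string]$GatewayHost = 'rdgw.example.com',  # assumption: replace with your gateway FQDN
    [int]$Port = 443
)

# 1. Fetch the certificate the gateway presents. The callback accepts any
#    certificate here because the chain is evaluated explicitly in step 2.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($GatewayHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 2. Build the chain with online revocation checking, as a CRL-checking client would.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
[void]$chain.Build($cert)

# Any of these flags means revocation checking would block the connection.
$mask = [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]'RevocationStatusUnknown, OfflineRevocation, Revoked'
$blocking = @($chain.ChainStatus | Where-Object { ([int]$_.Status -band $mask) -ne 0 })

if ($blocking.Count -gt 0) {
    $blocking | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    Write-Warning 'CheckForRevocation left unchanged: fix CRL publication or reachability first.'
    return
}

# 3. Revocation status was obtained for the whole chain: enable the client-side check.
$key = 'HKCU:\Software\Microsoft\Terminal Server Gateway\Transports\Rpc'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name CheckForRevocation -PropertyType DWord -Value 1 -Force | Out-Null
Write-Output "CheckForRevocation enabled for $env:USERNAME; chain for $($cert.Subject) passed revocation checking."
```

Windows caches CRLs it has already downloaded, so run the check from a client on the Internet side of the gateway rather than from a machine that has recently validated the same chain internally.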


Friday, April 8, 2011

RSA Authentication Manager 7.1 BUG

RSA Authentication Manager 7.1 has a nasty bug in it that I ran into recently. When running RSA Authentication Manager 7.1 on Windows it creates 1 or 2 .sql files every minute containing SQL statements. They build up very quickly and are not removed by RSA by default. In time this could lead to serious issues; for example, one or more of the RSA services might not be able to (re)start anymore!

RSA will release a new Service Pack (SP4) in Q4 of 2011 and advises customers to use the following workaround until that time:

Short-term solution:
  • reboot the machine in safe mode
  • rename the c:\windows\temp to c:\windows\temp_old
  • create a fresh new c:\windows\temp
  • reboot in normal mode
Long-term solution:
  • create a standard plain text cmd file named, for example, 'cleanup.cmd', and add to it the following line: del c:\windows\temp\dbmgmt*.sql
  • save the file
  • launch windows scheduler and have the cmd file run once a day
You might also decide to apply 7.1 SP3 hotfix rollup 6, which rolls out an emergency fix for this bug. However, RSA recommends that you use the mentioned workaround and wait for SP4.

Wednesday, April 6, 2011

Quest Software explains partnership with Microsoft on Desktop Virtualization

Last week a cool and funny (short) video got released by Quest Software explaining their partnership on Desktop Virtualization with Microsoft.

"...Many of the technologies in vWorkspace have been built to integrate with, and add value to, Microsoft technologies - and have been for a while now. Technologies in vWorkspace have been adding value to Microsoft RD Session Host (formerly known as Microsoft Terminal Services) for almost a decade now. Also, in addition to deep integration with App-V (Softricity back then) since around 2005, Quest with vWorkspace was the first desktop virtualization vendor to support Hyper-V back in 2008 followed by sophisticated integration with System Center Virtualization Machine Manager in 2009. The value-add for Microsoft customers doesn’t stop there. For almost ten years now Quest has embraced and extended the RDP protocol – including RemoteFX- with Quest vWorkspace EOP to deliver the best possible user experience for LAN and WAN and across a multitude of platforms, both client and server. The symbiosis continues with our upcoming vWorkspace 7.2 MR1 that unlocks the full potential of the technologies that are delivered in Microsoft Windows Server 2008 R2 and Microsoft Windows 7 Server Pack 1..."

Tuesday, April 5, 2011

RemoteFX on Remote Desktop Session Host (RDSH) servers.

RemoteFX has been officially launched recently. When you search for info on RemoteFX it is usually talked about in relationship to VDI. But what about RemoteFX on Remote Desktop Session Host servers? A post by Microsoft’s RDS team answers most commonly asked questions on this topic.

Q: Does RemoteFX work on RD Session Host?
A: RemoteFX is a collection of features that enhance the user experience in Remote Desktop Services deployments. The advanced bitmap acceleration of RemoteFX works for VDI on Remote Desktop Virtualization Host (RD Virtualization Host) servers as well as for session delivery on RD Session Host servers running Windows Server 2008 R2 SP1. Other features of RemoteFX, specifically virtualization of graphics processing units (GPUs) and broad support for USB devices, are specific to virtual machine delivery through Remote Desktop Services in a VDI environment.

Q: What are the key benefits of using RemoteFX with RD Session Host?
A: Using RemoteFX on RD Session Host servers allows you to use RemoteFX enabled thin clients and zero clients to connect to the server. It also reduces the bandwidth required for displaying bitmap-intensive applications (such as Flash, Silverlight, and Windows Presentation Foundation applications) on a full desktop.

Q: Do any features of RD Session Host not use RemoteFX?
A: RemoteApp programs do not use RemoteFX because they need drawing orders, so RemoteApp programs use Remote Desktop Protocol (RDP) 7. No user action is required to use RDP 7 for RemoteApp programs. Also, Aero® "glass" remoting is disabled when using RemoteFX on RD Session Host servers. When RemoteFX codec is used on RD Session Host, the display driver is RDP's XPDM driver, which does not support 3D rendering.

Q: Can I virtualize an RD Session Host server and use RemoteFX with it?
A: Yes, but this RD Session Host server will not virtualize the GPU of the server even if a GPU is present.

Q: Can a virtualized RD Session Host server use a GPU at all?
A: Yes. Windowed DirectX apps will still work on RD Session Host servers if a GPU is present; however, the GPU will not be virtualized in each session.

Q: How can I learn more about using RemoteFX on an RD Session Host server? How can I tell that it's working? How do I configure the settings?
A: For answers to these and other related questions, see the Step-by-step guide to deploying RemoteFX on an RD Session Host server. For a complete list of all RemoteFX resources, see this blog entry.

Q: How can I evaluate Windows Server 2008 R2 with SP1?
A: You can download a 180-day evaluation of Windows Server 2008 R2 SP1, or, if you already have Windows Server 2008 R2, you can download the stand-alone SP1.