
ICE Warning Messages

At some point you will have to troubleshoot a strange audio/video (A/V) issue with Lync; that is normal.

To narrow down where the problem is, the keyword I normally search the logs for is "ICEWarn". It is followed by a hexadecimal value, and that value is a bitmask: more than one flag can be set at once, so a value such as 0x4002 is 0x4000 plus 0x2 and you read it as both entries. The list below explains each flag and should give you a much better idea of what is going on.

ICE Protocol Warning Flags

Each entry gives the flag value, what it means, and the action for the administrator.

0x0
Description: There were no failures, or the ICE protocol was not used.
Action: None.

0x1
Description: TURN server is unreachable.
Action: This flag is not expected. The administrator needs to ensure that the right ports (443/3478 by default) are open on the firewall and that the TURN server is running. This may result in an ICE protocol failure.

0x2
Description: An attempt to allocate a UDP port on the TURN server failed.
Action: This flag may be expected if the client is behind a UDP-blocking firewall. This may result in an ICE protocol failure.

0x4
Description: An attempt to send UDP on the TURN server failed.
Action: This flag may be expected if the client is behind a UDP-blocking firewall. This may result in an ICE protocol failure.

0x8
Description: An attempt to allocate a TCP port on the TURN server failed.
Action: This flag isn't expected. The administrator needs to check the firewall policy and ensure that the Audio/Video Edge service is reachable. If the client is behind an HTTP proxy, the administrator needs to ensure that the proxy isn't failing the TLS attempt. This may result in an ICE protocol failure.

0x10
Description: An attempt to send TCP on the TURN server failed.
Action: This flag isn't expected. The administrator needs to check the firewall policy and ensure that the Audio/Video Edge service is reachable. If the remote client is behind an HTTP proxy, the administrator needs to ensure that the proxy isn't failing the TLS attempt. This may result in an ICE protocol failure.

0x20
Description: Local connectivity failed (local UDP for audio/video, local TCP for application sharing and file transfer).
Action: This flag can occur if a direct connection between the clients isn't possible because of NAT or firewalls. This may result in an ICE protocol failure.

0x40
Description: UDP NAT connectivity failed.
Action: This flag can occur if a direct connection between the clients isn't possible because of NAT or firewalls. This may result in an ICE protocol failure.

0x80
Description: UDP TURN server connectivity failed.
Action: This flag can occur if one of the clients is behind a UDP-blocking firewall or an HTTP proxy. This may result in an ICE protocol failure.

0x100
Description: TCP NAT connectivity failed.
Action: This flag is expected. If local-to-local connectivity succeeded, the TCP NAT connectivity check may not have been tried, or no direct TCP connection was possible. TCP NAT connectivity failing may result in an ICE protocol failure.

0x200
Description: TCP TURN server connectivity failed.
Action: This flag is expected. If local-to-local connectivity succeeded, the TCP TURN connectivity check may not have been tried, or one side didn't have a TURN server allocation. If the connectivity checks were successful for the rest of the call, ignore this warning; otherwise investigate why the TCP path was not possible. TCP TURN server connectivity failing may result in an ICE protocol failure.

0x400
Description: Message integrity failed in a connectivity check request.
Action: This flag isn't expected. Connectivity checks carry a MESSAGE-INTEGRITY attribute, an HMAC over the check computed from the ICE credentials the two sides exchanged in signaling, so a failure means the request was altered in transit or was sent by a party that does not hold the right credentials. If the admin sees this flag, treat it as a possible security attack and investigate. This may result in an ICE protocol failure.

0x1000
Description: A policy server was configured.
Action: This flag is expected if there is a bandwidth policy configured on the call link. If there is a call failure with this flag, increase the allocated bandwidth on the failed link. This flag doesn't indicate any ICE protocol failure, simply that a bandwidth policy was applied to this call.

0x2000
Description: A connectivity check request failed because of a memory problem or another reason that prevented sending packets.
Action: This flag is unexpected and may indicate that a computer is over capacity. This may result in an ICE protocol failure.

0x4000
Description: TURN server credentials have expired or are unknown.
Action: This flag is unexpected and may indicate that the Audio/Video Edge authorization service is down. This may result in an ICE protocol failure.

0x8000
Description: Bandwidth policy restriction has removed some candidates.
Action: If there is an ICE protocol failure with this flag set, the policy server topology is misconfigured: the policy routed the media over another connection, but that connection failed (possibly because of internal NATs in the organization). This flag may result in an ICE protocol failure.

0x10000
Description: Bandwidth policy restriction decreased the bandwidth.
Action: This flag indicates that the bandwidth used on this call isn't optimal quality (it may be using a narrow-band codec or may not be capable of HD video). This flag does not indicate any ICE protocol failure.

0x20000
Description: Bandwidth policy keep-alive failed.
Action: This is unexpected. The call continues, but the bandwidth used by this call may not be reported properly to the Bandwidth Policy Core Service. This can occur because the policy server or the TURN server has failed. This flag does not indicate any ICE protocol failure.

0x40000
Description: Bandwidth policy allocation failure.
Action: This flag indicates that the policy server rejected the client's request to use a media path through two Audio/Video Edge services (relay to relay). This may result in an ICE protocol failure.

0x80000
Description: No TURN server configured.
Action: This flag indicates that no TURN server was configured, or that a Domain Name System (DNS) resolution failure prevented the client from reaching the TURN server. This may result in an ICE protocol failure.

0x100000
Description: Multiple TURN servers configured.
Action: This flag is expected. It indicates that multiple TURN servers were configured (because of DNS load balancing). This flag does not indicate any ICE protocol failure.

0x200000
Description: Port range exhausted.
Action: This indicates that the administrator manually configured the port range on the client or the media server and it has run out. A/V needs a minimum of 20 ports per call to start the call; application sharing/file transfer needs a minimum of 3 ports. An exhausted port range may result in an ICE protocol failure.

0x400000
Description: Received alternate server.
Action: This indicates that the TURN server is overloaded or refusing new connections and has redirected the client to another server. This may result in an ICE protocol failure if the alternate server isn't running.

0x800000
Description: Pseudo-TLS failure.
Action: This indicates that the HTTP proxy is performing deep Secure Sockets Layer (SSL) inspection and failing the connection with the TURN server. The client's TCP path to the TURN server on port 443 only mimics a TLS handshake, so a proxy that tries to terminate and inspect the session breaks it. This is not supported by Microsoft and may result in an ICE protocol failure.

0x1000000
Description: HTTP proxy configured.
Action: This indicates that an HTTP proxy is configured. This flag does not indicate any ICE protocol failure.

0x2000000
Description: HTTP proxy authentication failed.
Action: This indicates that the HTTP proxy failed the authentication. This isn't expected and indicates that the HTTP proxy didn't recognize the user's credentials or authentication mode. This may result in an ICE protocol failure.

0x4000000
Description: TCP-TCP connectivity checks failed over the TURN server.
Action: This indicates that a TURN TCP-TCP connectivity check was tried and failed, which usually means that port 443 was not opened on the firewall. If one of the TURN servers is an Office Communications Server 2007 A/V Edge Server, the administrator also needs to open TCP ports 50,000 through 59,999 to all external Audio/Video Edge services in the environment. This flag isn't expected and may result in an ICE protocol failure.

0x80000000
Description: Use-candidate checks failed.
Action: This indicates that after receiving some packets the client didn't receive the rest. On a client this can be caused by third-party Winsock Layered Service Providers (LSPs), which should be removed. This flag isn't expected and may result in an ICE protocol failure.
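Because ICEWarn is a bitmask, reading a value like 0x4002 by hand means splitting it into its flags first. The script below is an added example (not code from the original post) that pulls every ICEWarn value out of log lines, splits it into the flags from the table above, and separates the flags the table calls expected from the ones it does not. The flag texts are shortened versions of the table; the log lines at the bottom are constructed samples in the style of the ms-client-diagnostics header, not real captures.

```powershell
# Added example (not from the original post): decode Lync ICEWarn bitmask values.
# Flag meanings and the expected/unexpected judgement follow the table above.

function New-IceFlag($Bit, $Text, $Unexpected) {
    [pscustomobject]@{ Bit = [uint32]$Bit; Text = $Text; Unexpected = [bool]$Unexpected }
}

$IceWarnFlags = @(
    (New-IceFlag 0x1        'TURN server unreachable'                       $true)
    (New-IceFlag 0x2        'UDP allocation on TURN server failed'           $false)
    (New-IceFlag 0x4        'UDP send via TURN server failed'                $false)
    (New-IceFlag 0x8        'TCP allocation on TURN server failed'           $true)
    (New-IceFlag 0x10       'TCP send via TURN server failed'                $true)
    (New-IceFlag 0x20       'Local connectivity failed'                      $false)
    (New-IceFlag 0x40       'UDP NAT connectivity failed'                    $false)
    (New-IceFlag 0x80       'UDP TURN connectivity failed'                   $false)
    (New-IceFlag 0x100      'TCP NAT connectivity failed'                    $false)
    (New-IceFlag 0x200      'TCP TURN connectivity failed'                   $false)
    (New-IceFlag 0x400      'Message integrity failed (possible tampering)'  $true)
    (New-IceFlag 0x1000     'Policy server configured'                       $false)
    (New-IceFlag 0x2000     'Connectivity check could not send packets'      $true)
    (New-IceFlag 0x4000     'TURN credentials expired or unknown'            $true)
    (New-IceFlag 0x8000     'Bandwidth policy removed candidates'            $false)
    (New-IceFlag 0x10000    'Bandwidth policy reduced bandwidth'             $false)
    (New-IceFlag 0x20000    'Bandwidth policy keep-alive failed'             $true)
    (New-IceFlag 0x40000    'Bandwidth policy allocation failure'            $true)
    (New-IceFlag 0x80000    'No TURN server configured / DNS failure'        $true)
    (New-IceFlag 0x100000   'Multiple TURN servers configured'               $false)
    (New-IceFlag 0x200000   'Port range exhausted'                           $true)
    (New-IceFlag 0x400000   'Received alternate server'                      $true)
    (New-IceFlag 0x800000   'Pseudo-TLS failure (proxy SSL inspection)'      $true)
    (New-IceFlag 0x1000000  'HTTP proxy configured'                          $false)
    (New-IceFlag 0x2000000  'HTTP proxy authentication failed'               $true)
    (New-IceFlag 0x4000000  'TCP-TCP checks over TURN failed'                $true)
    (New-IceFlag 0x80000000 'Use-candidate checks failed'                    $true)
)

function ConvertFrom-IceWarn {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Value)

    # Convert.ToUInt32 with base 16 accepts both '0x4002' and '4002'.
    $code    = [Convert]::ToUInt32($Value.Trim(), 16)
    $unknown = $code                      # bits left over after removing every known flag
    $hits = foreach ($f in $IceWarnFlags) {
        if (($code -band $f.Bit) -ne 0) {
            $unknown = $unknown -bxor $f.Bit
            $f
        }
    }
    [pscustomobject]@{
        Code            = '0x{0:X}' -f $code
        Flags           = @($hits | ForEach-Object Text)
        Unexpected      = @($hits | Where-Object Unexpected | ForEach-Object Text)
        IntegrityFailed = [bool]($code -band 0x400)   # the one flag the table ties to an attack
        UnknownBits     = if ($unknown) { '0x{0:X}' -f $unknown } else { $null }
    }
}

function Find-IceWarn {
    # Scans log lines (file content, Get-Content output, etc.) for ICEWarn=<hex> and decodes each hit.
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            foreach ($m in [regex]::Matches($l, 'ICEWarn=((?:0x)?[0-9A-Fa-f]+)')) {
                ConvertFrom-IceWarn -Value $m.Groups[1].Value
            }
        }
    }
}

# Constructed sample lines (not real captures) in the style of ms-client-diagnostics.
$sampleLog = @(
    'ms-client-diagnostics: 23; reason="media connectivity failure"; CallerMediaDebug="audio:ICEWarn=0x4002"',
    'ms-client-diagnostics: 22; reason="media connectivity failure"; CallerMediaDebug="audio:ICEWarn=0x400"',
    'ms-client-diagnostics: 0; reason="call ended normally"; CallerMediaDebug="audio:ICEWarn=0x1000002"'
)
$sampleLog | Find-IceWarn | Format-List
```

The first sample decodes to 0x2 plus 0x4000: UDP being blocked is expected, so the real cause is the expired TURN credentials, which is exactly the distinction the table makes. The second sets only 0x400 and is reported with IntegrityFailed, so it should be escalated rather than treated as a connectivity problem. The third has both of its flags marked expected, which is a call that worked through an HTTP proxy. Any bits the table does not cover (0x800 is absent from it, for example) come back in UnknownBits instead of being silently dropped.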

Find and manage updates in one place for the Microsoft Forefront family of products and related technologies.

This page tracks all updates to all supported versions of:

  • Forefront Client Security
  • Forefront for Exchange Server
  • Forefront for SharePoint
  • Forefront for Office Communications Server
  • Forefront Server Security Management Console
  • Antigen
  • Forefront Unified Access Gateway (UAG)
  • Forefront Threat Management Gateway (TMG)
  • Internet Security and Acceleration (ISA) Server
  • Intelligent Application Gateway (IAG)

http://technet.microsoft.com/en-us/forefront/ff899332.aspx

Many times you will face an issue with Lync, whether in voice, video or something else. Normally Lync throws a SIP response code together with a diagnostics header.

Below is the RFC that explains those response codes in detail, in case you run into something new or want to expand your existing knowledge:

http://tools.ietf.org/html/rfc3261#section-21

The Microsoft Lync 2010 Adoption and Training Kit provides a one-stop shop for resources for IT pros, project managers, help desk agents, and trainers. The kit provides:

  • A workbook that provides step-by-step guidance for each phase of the rollout and adoption process
  • Adoption and training resources, such as primers, email templates, and templates for a custom Lync 2010 intranet site to help organizations successfully roll out Lync
  • Modular, reusable, rebrandable, and in most cases, customizable user education and training materials, including frequently asked questions, Quick Start guides, how-to videos, Work Smart guides, and training videos
  • Buzzworthy applications such as IM an Expert and learning tools such as the Lync How-to that you can use to generate user excitement and drive the adoption of Lync

This can be found here

http://lync.microsoft.com/Adoption-and-Training-Kit/Pages/default.aspx 

When it comes to Microsoft Lync 2010 user education and training, the strategy and resources that offer the best return on investment vary depending on the user profile and the Microsoft Lync Server 2010 workload or Lync 2010 product involved.

and that is here

http://lync.microsoft.com/Adoption-and-Training-Kit/training/Pages/default.aspx

If you have print servers running Windows Server 2003 and would like to migrate them to Windows Server 2008 R2, this is what you need to do:

1- On the Windows Server 2008 R2 box, open the Print Management console (assuming you have the Print Server role installed).

image

image

 

2- Right Click on Print Management, then choose Migrate Printers

image

3- Choose Export Configuration

image

 

4- Type in the Name of the 2003 Server

image

 

Choose a file location and save the configuration file.

5- Now choose Migrate Printers again, but this time choose Import Configuration.

image

6- Choose the File you just saved from 2003

image

7- Review the Screen and press next

image

 

8- Choose the local server, press next

image

 

9- Select Your Desired Options

image

 

10- Sit back while import is done

image

 

11- Profit!

image
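The wizard used above is a front end for Printbrm.exe, so the same export and import can be scripted, which is handy when there are several print servers to move or the migration has to be repeated after fixing driver problems. The script below is an added example, not part of the original post; the server name and export path are placeholders.

```powershell
# Added example (not from the original post): steps 3 to 11 above with Printbrm.exe.
# Run elevated on the Windows Server 2008 R2 box. Names and paths are placeholders.
$Printbrm = Join-Path $env:WINDIR 'System32\spool\tools\printbrm.exe'
$Source   = '\\PRINT2003'                                   # assumed name of the old 2003 print server
$Export   = 'C:\Migration\print2003.printerExport'

New-Item -ItemType Directory -Path (Split-Path $Export) -Force | Out-Null

# Steps 3-4: export the 2003 server's queues, ports, drivers and forms into one file.
& $Printbrm -s $Source -b -f $Export
if ($LASTEXITCODE -ne 0) { throw "Export from $Source failed with exit code $LASTEXITCODE" }

# Steps 5-10: import onto this server. -o force overwrites queues that already exist here.
& $Printbrm -r -f $Export -o force
if ($LASTEXITCODE -ne 0) { throw "Import failed with exit code $LASTEXITCODE" }

# Step 11: confirm the queues arrived (WMI works on 2008 R2 without extra modules).
Get-WmiObject Win32_Printer | Select-Object Name, DriverName, PortName, Shared | Format-Table -AutoSize
```

One caveat the wizard screens also warn about: a 32-bit 2003 server only carries x86 drivers, and those cannot be loaded on an x64 2008 R2 print server. Install the x64 driver for each model on the new server before the import (or use -nobin on the export and let the import match drivers by name), otherwise the affected queues are skipped.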

Z-Hire Employee Provisioning App

Z-Hire automates the IT account creation process for Exchange mailboxes, Active Directory accounts and Lync accounts. With a click of a button, your Exchange mailbox, Active Directory account and Lync account are created simultaneously. Z-Hire serves as the platform for new-hire accounts by auto-creating the major IT accounts, with the option to run custom scripts. The vendor claims it speeds up account deployment by 600%, without the need for complicated and expensive identity management solutions. Some of the features include:

Environment Auto discovery (AD/Exchange/Lync)
– Support for Active Directory, Exchange and Lync 2010 accounts
Template based deployment (allows consistency for all user accounts)
– Active Directory account creation with major attributes
– Active Directory group selection
– Lync 2010 account creation supporting all policies
– Faster performance (compared to previous version)
– Best of all, it’s freeware!

You Can get it from here or from my shared box

http://www.zohno.com/productsandservices.html

The Certificate Expiration Alerter helps IT departments monitor the expiration status of all certificates issued by an internal Windows Server Certificate Authority (CA). When a certificate is about to expire, the Certificate Expiration Alerter sends an email notification with information about the certificate.

This allows the IT administrator to proactively take action and renew the certificates before they expire and prevent possible service downtimes. This article explains how to use this tool:

http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx

The tool can also be downloaded from my shared box folder on the right side; it is called CertExpAlerter.zip.
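If you would rather not run an extra tool on the CA, the same check can be done with certutil, which ships with the CA role and can query the issued-certificates database directly. The script below is an added example and not the Certificate Expiration Alerter from the post; the SMTP host and addresses are placeholders, and it assumes it runs on the CA itself (add -config CAHOST\CAName to the certutil call to query a remote CA).

```powershell
# Added example (not the alerter from the post): mail a list of certificates issued by this
# CA that expire within the next $Days days. SMTP host and addresses are placeholders.
$Days = 30

# Disposition 20 = issued. The time offset syntax for -restrict is now+days:hours.
$Restrict = "Disposition=20,NotAfter>=now,NotAfter<=now+${Days}:00"
$Columns  = 'RequestID,RequesterName,CommonName,NotAfter,CertificateTemplate'

$report = & certutil.exe -view -restrict $Restrict -out $Columns
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# certutil prints one 'Row N:' header per matching certificate.
$expiring = @($report | Select-String -Pattern '^Row \d+:').Count

if ($expiring -gt 0) {
    Send-MailMessage -SmtpServer 'smtp.contoso.local' `
        -From 'ca-alerts@contoso.local' -To 'pki-team@contoso.local' `
        -Subject "$expiring certificate(s) issued by $env:COMPUTERNAME expire within $Days days" `
        -Body ($report -join "`n")
}
```

Schedule it daily with Task Scheduler under an account that has Read permission on the CA. Because the query filters on the CA's own database, it also catches certificates on machines that were rebuilt or decommissioned without revoking the old certificate, which a scan of live servers would miss; those should be revoked rather than renewed.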

Most applications nowadays rely on IIS, and you can face a lot of issues with authentication and access authorization.

Luckily Microsoft has a very nice tool you can use to diagnose the issue and get to its root cause.

The tool is called Authentication and Access Control Diagnostics 1.0 and can be downloaded from here:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18421 (X86)

http://www.microsoft.com/download/en/details.aspx?id=8614 (X64)

The AuthDiag tool is designed to help you when you see either of the following error messages:

  • 401.1 logon failed
  • 401.3 ACL

The AuthDiag tool can also help you when you experience Kerberos problems.

And this is a sample of what this tool can help you do

http://support.microsoft.com/kb/871179

I was faced with this issue today at a client site.

Trying to install an OS image onto a laptop: the client would obtain a DHCP address, receive a TFTP reply, and WinPE would download and start.

The problem came after it obtained the policy: it reported "The task sequence failed to run because the packages could not be found on the distribution point".

I checked that the package was updated on the distribution point, and that the Data Access tab was set to copy the content to a package share on the DP, as below:

image

I had also read that this can be caused by boundaries, so I checked those.

It turned out the client had defined another site and assigned the subnet I was booting from to that site, but the subnet was not covered by a boundary that pointed clients at a site server for content.

So I went ahead and configured an IP range boundary, added it to the boundary group, and voila, the computer booted.

While it is supported, installing the CA role on a domain controller is against best practice for the following reasons:

1- If you decommission that domain controller, you first have to go through the procedure of moving the CA off it.

2- Upgrading the CA version requires upgrading the OS of that domain controller, which in turn requires demoting it.

3- If that DC fails for any reason, restoring full functionality of both the DC and the CA takes longer, and the downtime can affect certificate validation, since clients cannot obtain a fresh CRL while the CA is down.

4- Some CA administration tasks require local administrator rights. A domain controller has no local accounts separate from the domain (its Administrators group is the domain's built-in Administrators group), so anyone who needs that level of access to the CA effectively gets domain-wide administrative rights, which breaks least privilege.

5- If you have to publish your CRLs externally, that DC becomes internet facing, which poses a very big security risk.

 

You might want to take a look at the posts below, which discuss the same:

1- This link confirms that local admin privileges are needed; refer to Roles and Activities: http://technet.microsoft.com/en-us/library/cc732590.aspx

2- Go through these threads for additional reasons not to put it on a DC (see Sander's reply):

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ce9df65f-cf58-4c84-a969-3cd67d1c0042

http://www.networksteve.com/forum/topic.php/Remove_Certification_Authority_from_old_(in_use)_domain_controll/?TopicId=1969&Posts=9