Error: "An error occurred during the installation of assembly....The signature or catalog could not be verfied or is not valid"
I have received the above error on at least 2 occassions when installing hotifxes from MS. This can be frustrating, especially if you don't have access to the engineer or did not receive the hotfix directly from MS. The fix below has worked both times for me.
1) Download and install .Net 2.0 SDK for x64
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=1AEF6FCE-6E06-4B66-AFE4-9AAD3C835D3D&displaylang=en
2) Run the commands below:
cd "C:\Program Files\Microsoft.NET\SDK\v2.0 64bit\Bin"
SN.EXE -Vr *
SN.EXE -Vl
3) Reboot and try the install again.
Grade: Ugh!
Tuesday, March 22, 2011
Friday, March 4, 2011
Kerberos Authentication on the CAS Array
For MS documentation in its entirety please see the link below.
The steps below are shorthand sent to me by a colleague that I used on a recent engagement. I would encourage anyone doing this for the first time to study the documentation and use a lab for your first go around.
1) Create new computer account in AD called “CASARRAY1”
2) Run Exchange Management Script .\RollAlternateserviceAccountPassword.ps1 -ToSpecificServers -identity "CAS1","CAS2","CAS3" -GenerateNewPasswordFor "DOMAIN\CASARRAY1$" (CAS servers here will not always include all CAS Array members, rather they should include all CAS servers that will need to authenticate requests for the associated CAS Array FQDN)
3) Set SPNs using commands below:
a. setspn -S http/webmail.contoso.com CASArray1$
b. setspn -S exchangeMDB/ outlook.contoso.com CASArray1$
c. setspn -S exchangeRFR/ outlook.contoso.com CASArray1$
d. setspn -S exchangeAB/outlook.contoso.com CASArray1$
4) Create Scheduled task to update password on computer account: .\RollAlternateServiceAccountPassword.ps1 -CreateScheduledTask "CAS Array Kerberos Password Update" -ToSpecificServers -identity "CAS1","CAS2","CAS3" -GenerateNewPasswordFor "DOMAIN\CASARRAY1$"
5) Test via Outlook client by enforcing Kerberos authentication in the mail profile (more settings->security)
6) Test by reviewing the address book service log (2011-02-05T06:04:21.072Z,139928,0,/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=username,,10.10.10.10,CAS1,ncacn_ip_tcp,GetNewDSA,,5,Self,,Kerberos
*Don't forget to restart Blackberry services (or at least test functionality) after this change.
Grade: Thanks Chica!
*Don't forget to restart Blackberry services (or at least test functionality) after this change.
Grade: Thanks Chica!
Problem configuring and testing static ports on CAS servers
Problem Description: You configure the RCA (RPCClientAccessServer) service and AB (Address Book) service to use static ports according to your hardware loadbalancer documentation or technet article. After a restart of these services you verify the server is listenting on the correct ports. When testing from an Outlook client, you notice that the Outlook client is using port 7380 for its mail (RCA) connection and the correct static port for directory (AB.)
Error: There is no error per se, but a netstat -na from a remote Outlook client (typically on a routed network) will appear to persistently bind on on port 7380, even after restart of client. Often times, local clients adjacent to the CAS will bind on the correct static port that you previously set in the registry.
Description: Port 7380 is a dead giveaway that there is a riverbed in the mix. Riverbed devices instruct
Outlook to connect over port 7380, regardless of the static port configured for RCA on the CAS.
Solution or Workaround: No solution is neccessary. Rest assured that the riverbed will use the proper static port configured on the CAS and loadbalancing should work fine. You can verify this functionality by reviewing your riverbed log.
Registry settings for Exchange 2010 SP1 RCA and AB static ports below:
HKEY_LOCL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRpc\ParametersSystem
REG_DWORD:TCP/IP Port
value:59531-60554
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters
REG_SZ:RpcTcpPort
Value:59531-60554
See Also:
http://social.technet.microsoft.com/wiki/contents/articles/configuring-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx
http://technet.microsoft.com/en-us/library/ff625248.aspx
Grade: Who Knew?
Error: There is no error per se, but a netstat -na from a remote Outlook client (typically on a routed network) will appear to persistently bind on on port 7380, even after restart of client. Often times, local clients adjacent to the CAS will bind on the correct static port that you previously set in the registry.
Description: Port 7380 is a dead giveaway that there is a riverbed in the mix. Riverbed devices instruct
Outlook to connect over port 7380, regardless of the static port configured for RCA on the CAS.
Solution or Workaround: No solution is neccessary. Rest assured that the riverbed will use the proper static port configured on the CAS and loadbalancing should work fine. You can verify this functionality by reviewing your riverbed log.
Registry settings for Exchange 2010 SP1 RCA and AB static ports below:
HKEY_LOCL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeRpc\ParametersSystem
REG_DWORD:TCP/IP Port
value:59531-60554
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters
REG_SZ:RpcTcpPort
Value:59531-60554
See Also:
http://social.technet.microsoft.com/wiki/contents/articles/configuring-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx
http://technet.microsoft.com/en-us/library/ff625248.aspx
Grade: Who Knew?
Wednesday, March 2, 2011
Update Outlook 2003 clients with CAS Array Name?
One of the most enduring and painful shortcomings of the new RCA (RPCClientAccess) service in Exchange 2010, is it's inability to refer downlevel clients to the appropriate CAS server. If you are using Outlook 2007 or 2010, this process is handled by the autodiscover service, but what to do if you have Outlook 2003 clients? Unfortunately there are no really good options, but I will list some of what I have seen work at various customers. To the best of my knowledge, the only supported method is to deploy a PRF file (also included below) or to manually change each client. Ideally you would have created a CAS Array from the start and never had this problem. But suppose you needed Kerberos authentication pre SP1, or you just plain made a mistake?
1) Swing server. This seems like overkill, but it may be less work and easier than visiting every desktop in some scenarios. The referal mechanisms still fucntion between Exchange 2003/2007 and Exchange 2010. You could move mailboxes to a temporary Exchange 2007 server and then move them back to Exchange 2010. Keep in mind that users will have to connect at least once to the mailbox while it is homed on the Exchange 2007 server for this procedure to be effective. Also the move mailbox from 2010 to 2007 will incur downtime, but 2007 to 2010 the mailbox moveback will keep the mailbox online.
2) PRF File. http://office.microsoft.com/en-us/office-2003-resource-kit/customizing-outlook-profiles-by-using-prf-files-HA001140258.aspx
3) VBScript. In some cases, the PRF file simply doesn't work, or there is no easy way to deploy it. I have included some sample VBScript at the end of this post that should help some advanced users.
4) Exchange 2003/2007 Spoof. Don't try this one at home kids! if you feel like rolling the dice or are very desperate, you could try the following. Add host file entries on all Exchange servers and relevant domain controlllers for the CAS that is currently in the Outlook 2003 user profile 'server name' field. Remove the SPN for that CAS (this will disable Kerberos authentication temporarily). Change the A record for the CAS in DNS such that it points to the IP of an Exchange 2003 or 2007 server. When clients log on, they will connect to the old Exchange 2003 or 2007 server and get referred to the CAS Arry name. Once you are confident that most clients have had their Outlook profiles updated, undo the changes and add the SPN back in.
Sample VBScript
Const ServerName = <CAS Array FQDN>
Const ServerHex = <CAS Array FQDN in Hex>
Dim defaultProfile
defaultProfile = GetDefaultProfile("HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\DefaultProfile")
WriteRegistryFileAndMerge defaultProfile, ServerName, ServerHex
Function GetDefaultProfile(RegistryKey)
Dim WshShell
Dim strReturn
Set WshShell = CreateObject("Wscript.Shell")
If Len(RegistryKey) Then
strReturn = WshShell.RegRead(RegistryKey) 'Check parm value
If Err.Number = 0 Then
GetDefaultProfile = strReturn
On Error GoTo 0
Exit Function
Else
Err.Clear
End If
End If
Set WshShell = Nothing
GetDefaultProfile = strReturn
On Error GoTo 0
End Function
Function WriteRegistryFileAndMerge(ProfileName, name, binary)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set file = objFSO.CreateTextFile("profile_merge.reg", True)
file.WriteLine("Windows Registry Editor Version 5.00")
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\04ed552946e5ea48a65bcb2f19db0409]")
file.WriteLine("""001e660c""=" & name & """")
file.WriteLine("""001f662b""=hex:" & binary)
file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\13dbb0c8aa05101a9bb000aa002fc45a]")
file.WriteLine("""001f662a""=hex:" & binary)
file.WriteLine("""001e6602""=""" & name & """")
file.WriteLine("""001e6612""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.WriteLine("""101e6613""=hex:" & binary)
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\aa1c0662f29b1c42aa3d30610610f421]")
file.WriteLine("""001e660c""=""" & name & """")
file.WriteLine("""001f662b""=hex:" & binary)
file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\efa40b5e07b9204abdc646aa5e83a6be]")
file.WriteLine("""001e660c""=""" & name & """")
file.WriteLine("""001f662b""=hex:" & binary)
file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\ff83a0e41446294d95bda883831cb0a9]")
file.WriteLine("""001e660c""=""" & name & """")
file.WriteLine("""001f662b""=hex:" & binary)
file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.Close()
Set file = Nothing
Set WshShell = CreateObject("Wscript.Shell")
WshShell.Run "regedit /s profile_merge.reg", 1, True
Set WshShell = nothing
End Function
Grade: Why Did I Do That?
1) Swing server. This seems like overkill, but it may be less work and easier than visiting every desktop in some scenarios. The referal mechanisms still fucntion between Exchange 2003/2007 and Exchange 2010. You could move mailboxes to a temporary Exchange 2007 server and then move them back to Exchange 2010. Keep in mind that users will have to connect at least once to the mailbox while it is homed on the Exchange 2007 server for this procedure to be effective. Also the move mailbox from 2010 to 2007 will incur downtime, but 2007 to 2010 the mailbox moveback will keep the mailbox online.
2) PRF File. http://office.microsoft.com/en-us/office-2003-resource-kit/customizing-outlook-profiles-by-using-prf-files-HA001140258.aspx
3) VBScript. In some cases, the PRF file simply doesn't work, or there is no easy way to deploy it. I have included some sample VBScript at the end of this post that should help some advanced users.
4) Exchange 2003/2007 Spoof. Don't try this one at home kids! if you feel like rolling the dice or are very desperate, you could try the following. Add host file entries on all Exchange servers and relevant domain controlllers for the CAS that is currently in the Outlook 2003 user profile 'server name' field. Remove the SPN for that CAS (this will disable Kerberos authentication temporarily). Change the A record for the CAS in DNS such that it points to the IP of an Exchange 2003 or 2007 server. When clients log on, they will connect to the old Exchange 2003 or 2007 server and get referred to the CAS Arry name. Once you are confident that most clients have had their Outlook profiles updated, undo the changes and add the SPN back in.
Sample VBScript
Const ServerName = <CAS Array FQDN>
Const ServerHex = <CAS Array FQDN in Hex>
Dim defaultProfile
defaultProfile = GetDefaultProfile("HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\DefaultProfile")
WriteRegistryFileAndMerge defaultProfile, ServerName, ServerHex
Function GetDefaultProfile(RegistryKey)
Dim WshShell
Dim strReturn
Set WshShell = CreateObject("Wscript.Shell")
If Len(RegistryKey) Then
strReturn = WshShell.RegRead(RegistryKey) 'Check parm value
If Err.Number = 0 Then
GetDefaultProfile = strReturn
On Error GoTo 0
Exit Function
Else
Err.Clear
End If
End If
Set WshShell = Nothing
GetDefaultProfile = strReturn
On Error GoTo 0
End Function
Function WriteRegistryFileAndMerge(ProfileName, name, binary)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set file = objFSO.CreateTextFile("profile_merge.reg", True)
file.WriteLine("Windows Registry Editor Version 5.00")
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\04ed552946e5ea48a65bcb2f19db0409]")
file.WriteLine("""001e660c""=" & name & """")
file.WriteLine("""001f662b""=hex:" & binary)
file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\13dbb0c8aa05101a9bb000aa002fc45a]")
file.WriteLine("""001f662a""=hex:" & binary)
file.WriteLine("""001e6602""=""" & name & """")
file.WriteLine("""001e6612""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.WriteLine("""101e6613""=hex:" & binary)
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\aa1c0662f29b1c42aa3d30610610f421]")
file.WriteLine("""001e660c""=""" & name & """")
file.WriteLine("""001f662b""=hex:" & binary)
file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\efa40b5e07b9204abdc646aa5e83a6be]")
file.WriteLine("""001e660c""=""" & name & """")
file.WriteLine("""001f662b""=hex:" & binary)
file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.WriteBlankLines(1)
file.WriteLine("[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\" & ProfileName & "\ff83a0e41446294d95bda883831cb0a9]")
file.WriteLine("""001e660c""=""" & name & """")
file.WriteLine("""001f662b""=hex:" & binary)
file.WriteLine("""001e6614""=""/o=<organization>/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=" & name & """")
file.Close()
Set file = Nothing
Set WshShell = CreateObject("Wscript.Shell")
WshShell.Run "regedit /s profile_merge.reg", 1, True
Set WshShell = nothing
End Function
Grade: Why Did I Do That?
Exchange 2010 Install Fails
Problem Description: Installation of Exchange 2010 fails with error below
Error: [ERROR] Active Directory operation failed on <domain controller.> This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152392, #1:
0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 83fbc060 (msExchRMSComputerAccountsLink)
[08/16/2010 15:32:29.0661] [2] [ERROR] A value in the request is invalid.
[08/16/2010 15:32:29.0677] [2] Ending processing.
Description: This error occurrs when the Exchange 2010 installation fails to successfully add the local computer account to the required Universal Security Groups in the Forest Root OU "Microsoft Exchange Security Groups." Specifically, the local computer account must be added to the "Exchange Trusted Subsystem" and "Exchange Servers" Security Groups.
Solution or Workaround: An easy workaround is to manually add the local computer account to these Security Groups prior to install. If you want to dig into Active Driectory for root cause, you should start with examining your Sites and Services configuration along with replication and install account permissions.
Grade: Bummer!
Error: [ERROR] Active Directory operation failed on <domain controller.> This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152392, #1:
0: 000020B5: DSID-03152392, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 83fbc060 (msExchRMSComputerAccountsLink)
[08/16/2010 15:32:29.0661] [2] [ERROR] A value in the request is invalid.
[08/16/2010 15:32:29.0677] [2] Ending processing.
Description: This error occurrs when the Exchange 2010 installation fails to successfully add the local computer account to the required Universal Security Groups in the Forest Root OU "Microsoft Exchange Security Groups." Specifically, the local computer account must be added to the "Exchange Trusted Subsystem" and "Exchange Servers" Security Groups.
Solution or Workaround: An easy workaround is to manually add the local computer account to these Security Groups prior to install. If you want to dig into Active Driectory for root cause, you should start with examining your Sites and Services configuration along with replication and install account permissions.
Grade: Bummer!
Subscribe to:
Posts (Atom)