Microsoft Forefront Client Security Setup Wizard fails on “Install Collection Server Component”

If you see the following cryptic errors when trying to install FCS, then the chances are you need to install the .Net Framework 1.1 AND SP1.



[06/04/2010 10:47:11] Task (Install Collection Server Component)
The following process failed.
Process: C:\Windows\system32\msiexec.exe
Exit code: 1603
Number of tasks completed: [06/04/2010 10:47:12]

Event IDs 1030 and 1058 on Server 2003 Domain Controller

I logged onto a production domain controller this morning and checked the event logs to be confronted with this:


Event ID 1030 and 1058 every 5 minutes, looking into the detail for these events I can see its a replication issue for one of the GPOs.

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1030
Date:		29/03/2010
Time:		04:01:29
Computer:	DC01
Windows cannot query for the list of Group Policy objects.
Check the event log for possible messages previously logged by the
policy engine that describes the reason for this.

For more information, see Help and Support Center at

The slightly more informative 1058 showed

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1058
Date:		29/03/2010
Time:		04:06:30
Computer:	DC01
Windows cannot access the file gpt.ini for GPO CN={3A7AC061-A26C-4154
The file must be present at the location <\\DOMAIN.LCL\SysVol\DOMAIN.LCL
\Policies\{3A7AC061-A26C-4154-8CF5-01D5754E5C2C}\gpt.ini>. (Access is denied. ).
Group Policy processing aborted. 

For more information, see Help and Support Center at

There was no visible cause for the errors, DFS had just got it’s knickers in a twist somehow and was not resolving the DFS share for the domain correctly.

The resolution was fairly simple, running the “dfsutil /purgeMUPCache” command seems to have resolved it for now. The /PurgeMUPCache command clears the MUP Cache (duh!) which holds info about DFS and other shares on the client system.

Technet says: “Clears the client MUP cache, preventing confusion about the current provider when such names conflict. Except for a temporary performance hit, this command has no other adverse effects. This command does not affect any DFS metadata. If this command is not run, and the namespace is not accessed, the obsolete cache entry eventually expires.”

There are plenty of other causes for these errors, if your server is multi-homed (multiple NICs) then check that your “public” NIC is at the top of the adaptor bindings.

My DC is now running happily, no 1030 or 1058s.

MCITP: Server Administrator and MCITP: Enterprise Administrator

I’m pleased to say that yesterday I took and passed two Microsoft Certified IT Professional exams, the Server Administrator (70-646) and the Enterprise Administrator (70-647). Hopefully I can take a bit of a break from study and write a few more technical posts here now!

70-649: TS: Upgrading Your MCSE on Windows Server 2003 to Windows Server 2008, Technology Specialist

| 08/03/2010 | Tags: , ,

I’m pleased to announce that I’ve passed the 70-649, which gives me the following MCTS certifications:

Windows Server 2008 Active Directory, Configuration

Windows Server 2008 Applications Infrastructure, Configuration

Windows Server 2008 Network Infrastructure, Configuration

Next I’ll be looking at the 70-647 to get the full MCITP: Enterprise Administrator (I already took the 70-620 exam for my MCSE).

Creating a Windows Server 2008 Microsoft Cluster Service SQL Active/Passive Cluster on a single ESXi 4.0 Server

Configuring the Virtual Environment and Virtual Machines

Note – this configuration will work for ESXi 4 upwards due to the server 2008 MSCS requirement for persistent SCSI-3 reservations.

The first step is to create a new vSwitch for the host-only cluster heartbeat network, don’t assign any network adaptors to the switch as it’s going to be local only.

Create a new virtual machine with a single hard disk. For the purposes of this test, I’ve assigned 2 vProcessors, 1GB RAM, 30GB drive for the OS, 1 vNIC in the default vSwitch0.

Add a second vNIC and assign it to the cluster network vSwitch created in step 1.

Install Windows Server 2008 R2 Enterprise and all the Windows Updates, for the example I’ve named it SQLCluster01.

Clone the server and rename the new one to SQLCluster02. In ESXi you can’t clone, so shut down the first server, copy the files to a new folder and right click the VMX file to add it to the inventory. When you boot it the first time VMware will ask if it’s been moved or copied – select copied.

Create a disk for use as the Quorom, this needs to be shared and since I’m using ESXi with local storage only it must be “eagerzeroedthick”. To do this I have to use the unsupported mode in ESXi (Alt+F1, type unsupported and then your root password) and use the vmkfstools command to create it (vmkfstools –c <size> –d eagerzeroedthick –a lsilogic /vmfs/volumes/<datastore>/<folder>/<disk>.vmdk)

Add the new disk to SQLCluster01 using a new SCSI virtual controller (different from the current controller, e.g. my first HD is on SCSI 0:1, the Quorum is on SCSI 1:0)

Check that the new SCSI controller is set to LSILogic (it is for Server 2008 by default) and set the SCSI Bus Sharing to Virtual.

Add the Quorum disk to the second virtual machine, using the same settings.

Edit the .vmx file for both servers, adding in the following lines (edit for your SCSI controller):

scsi1:0.mode = “independent-persistent”
scsi1:0.shared = “TRUE”

Create a disk for some shared storage for the cluster too, it will be needed for the DTC application as well as the SQL server – in a production environment you may want to separate logs and data, but for my test, I’m just adding another two 10GB disks. Use the same process as for creating the Quorum disk.


Fixing “Outlook(R) Mobile Access is supported only on Microsoft(R) Exchange Server 2003. Currently your mailbox is stored on an older version of Exchange server.” on Outlook Mobile Access under Server 2003

So I was testing the configuration on my Exchange 2003 server in preparation for the roll out of some Windows Mobile devices when I recieved the following error:

Outlook(R) Mobile Access is supported only on Microsoft(R) Exchange Server 2003. Currently your mailbox is stored on an older version of Exchange server. Please contact your system administrator for additional assistance.

"That's odd", I thought, "I only have Exchange Server 2003 in my organisation, how can I have an older version of Exchange?" It turns out that this has nothing to do with the version of Exchange you are using. I have set up my Exchange OWA to require SSL (see previous article on SSL and Integrated Authentication) and apparently this can cause issues for OMA.

The Microsoft-Server-ActiveSync and Outlook Mobile Access virtual directories
cannot access the contents of the user's mailbox if the Exchange virtual
directory is configured to require SSL. The Microsoft-Server-ActiveSync and
Outlook Mobile Access virtual directories only try to connect with the Exchange
virtual directory over TCP port 80 (HTTP), not over TCP Port 443 (HTTPS).

To resolve this, you need to follow these steps from MSKB 817379

1. Open Exchange Manager.
2. Expand Administrative Groups,
expand the first administrative group, and then expand Servers.
3. Expand the server container for the Exchange Server 2003 server
that you will be configuring, expand Protocols,
and then expand HTTP.
4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
5. Click the Settings tab, clear the
Enable Forms Based Authentication check box, and
then click OK.
6. Close Exchange Manager.
7. Click Start, click Run, type IISRESET/NOFORCE,
and then press ENTER to restart Internet Information Services

 Additionally, you must use Internet IIS Manager
to create this virtual directory for Exchange ActiveSync and Outlook Mobile
Access to work. If you are using Windows Server 2003, follow these steps:

1. Start Internet Information Services (IIS) Manager.
2. Locate the Exchange virtual directory. The default location is as

Web Sites\Default Web Site\Exchange
3. Right-click the Exchange virtual directory, click All Tasks, and then click Save
Configuration to a File
4. In the File name box, type a name.
For example, type ExchangeVDir. Click OK.
5. Right-click the root of this Web site. Typically, this is Default
Web Site. Click New, and then click Virtual Directory (from file).
6. In the Import Configuration dialog
box, click Browse, locate the file that you
created in step 4, click Open, and then click
Read File.
7. Under Select a configuration to import
, click Exchange, and then click OK.

A dialog box will appear that states that the
"virtual directory already exists."

8. In the Alias box, type a name for
the new virtual directory that you want Exchange ActiveSync and Outlook Mobile
Access to use. For example, type exchange-oma.
Click OK.
9. Right-click the new virtual directory. In this example, click
exchange-oma. Click Properties.
10. Click the Directory Security
11. Under Authentication and access
, click Edit.
12. Make sure that only the following authentication methods are
enabled, and then click OK:

Integrated Windows
13. On the Directory Security tab,
under IP address and domain name restrictions,
click Edit.
14. Click the option for Denied access,
click Add, click Single
and type the IP address of the server that you are
configuring, and then click OK.
15. Under Secure communications, click
Edit. Make sure that Require
secure channel (SSL)
is not enabled, and then click OK.
16. Click OK, and then close the IIS
17. Click Start, click Run, type regedit, and then
click OK.
18. Locate the following registry subkey:

19. Right-click Parameters, click to
New, and then click String
20. Type ExchangeVDir, and then press
ENTER. Right-click ExchangeVDir, and then click

NoteExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article,
ActiveSync does not find the key when it locates the exchange-oma folder.

21. In the Value data box, type the
name of the new virtual directory that you created in step 8. For example, type
/exchange-oma. Click OK.
22. Quit Registry Editor.
23. Restart the IIS Admin service. To do this, follow these steps:

a. Click Start, click Run, type services.msc, and
then click OK.
b. In the list of services, right-click IIS
Admin service
, and then click Restart.

I’ve achieved my MCSE

Well, I've been away with my friends at Firebrand again and guess what…MCSE Windows Server 2003!

  • 70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
  • 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure
  • 70-298 Designing Security for a Microsoft Windows Server 2003 Network