Lync 2010 - NTLM protocol failed with error SEC_E_UNSUPPORTED_FUNCTION

If you receive this error inside of the Lync Server event log on your Front End server:

User authentication with NTLM protocol failed with error SEC_E_UNSUPPORTED_FUNCTION. This indicates a potential mismatch between security policy settings on the client and server computers.

Cause: This error can occur if the settings in "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" policy on the client computer are not the same as the settings in the "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" policy on this server. By default, the "Require 128-bit encryption" setting is disabled for computers running Windows Server 2008, Windows Vista, Windows Server 2003, Windows 2000 Server, or Windows XP. For computers running Windows 7 or Windows Server 2008 R2, this setting is enabled by default.
Resolution:
Ensure that the "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" policy settings on the computers from which users log on are the same as "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" policy settings on this server.

Here is the fix:
1. Open up Group Policy Editor (Start->Run->gpedit.msc) (Or if you are on a domain, open up group policy editor on the domain controller)
2. Expand Local Policies under Computer Configuration
3. Select Security Options
4. Scroll Down and find the following policies:

  • Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
  • Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

5. Change both policies to have "Require 128-bit encryption" checked

Reboot the machine(s)
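
To confirm the mismatch before (and after) changing the policies, the two settings can be read from the registry on each machine and compared. This is an added example, not part of the original post: the function names are hypothetical, the computer names and sample values are constructed, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Bit flags stored in the registry
# values behind the two "Minimum session security for NTLM SSP based" policies.
$NtlmFlags = [ordered]@{
    'Require NTLMv2 session security' = 0x00080000
    'Require 128-bit encryption'      = 0x20000000
}

function Get-NtlmMinSec {
    # Run on each machine to compare. A $null field means the value is absent
    # from the registry, so the OS default applies.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        ClientSec = $p.NtlmMinClientSec   # "... clients" policy
        ServerSec = $p.NtlmMinServerSec   # "... servers" policy
    }
}

function Get-FlagState($Value, $Mask) {
    if ($null -eq $Value) { return 'NotSet' }
    if ($Value -band $Mask) { 'Required' } else { 'NotRequired' }
}

function Compare-NtlmSessionPolicy($Client, $Server) {
    # Client-side policy of the logon workstation vs. server-side policy of
    # the Front End. 'NotSet' against an explicit value is reported as a
    # mismatch so it gets looked at.
    foreach ($name in $NtlmFlags.Keys) {
        $c = Get-FlagState $Client.ClientSec $NtlmFlags[$name]
        $s = Get-FlagState $Server.ServerSec $NtlmFlags[$name]
        [pscustomobject]@{
            Setting  = $name
            Client   = "$($Client.Computer): $c"
            Server   = "$($Server.Computer): $s"
            Mismatch = ($c -ne $s)
        }
    }
}

# Constructed sample values: a Windows 7 workstation with 128-bit required and
# a Front End where "Require 128-bit encryption" is not enabled.
$workstation = [pscustomobject]@{ Computer = 'WIN7-PC'; ClientSec = 0x20000000; ServerSec = 0x20000000 }
$frontEnd    = [pscustomobject]@{ Computer = 'LYNC-FE'; ClientSec = 0; ServerSec = 0 }
Compare-NtlmSessionPolicy $workstation $frontEnd | Format-Table -AutoSize
```

With real machines, replace the two sample objects with the output of Get-NtlmMinSec collected on the workstation and on the Front End server.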

How to extend a hard drive in Windows Server 2003, 2008, Windows 2000 and XP

Copied right from Microsoft's KB, here is how to extend a partition/disk.

  • At a command prompt, type diskpart.exe.
  • Type list volume to display the existing volumes on the computer.
  • Type select volume <volume number>, where <volume number> is the number of the volume that you want to extend.
  • Type extend [size=n] [disk=n] [noerr]. The following describes the parameters:
    • size=n
      • The space, in megabytes (MB), to add to the current partition. If you do not specify a size, the disk is extended to use all the next contiguous unallocated space.
    • disk=n
      • The dynamic disk on which to extend the volume. Space equal to size=n is allocated on the disk. If no disk is specified, the volume is extended on the current disk.
    • noerr
      • For scripting only. When an error is thrown, this parameter specifies that Diskpart continue to process commands as if the error did not occur. Without the noerr parameter, an error causes Diskpart to exit with an error code.
  • Type exit to exit Diskpart.exe.

When the extend command is complete, you should receive a message that states that Diskpart successfully extended the volume. The new space should be added to the existing drive while maintaining the data on the volume.

The original KB article can be found here: http://support.microsoft.com/kb/325590

Steps to recover a deleted/corrupted Exchange 2010 Server

Did you nuke your Exchange server or "accidentally" delete it?  Fortunately, Microsoft has a way to revive it!  Here are the steps as mentioned in the following KB article: http://technet.microsoft.com/en-us/library/dd876880.aspx
  1. Reset the computer account for the lost server. For detailed steps, see Reset a Computer Account.
  2. Install the proper operating system and name the new server with the same name as the lost server. Recovery won't succeed if the server on which recovery is being performed doesn't have the same name as the lost server.
  3. Join the server to the same domain as the lost server.
  4. Install the necessary prerequisites and operating system components. For details, see Exchange 2010 System Requirements and Exchange 2010 Prerequisites.
  5. Log on to the server being recovered and open a command prompt.
  6. Navigate to the Exchange 2010 installation files, and run the following command:
    Setup /m:RecoverServer
  7. After Setup has completed, but before the recovered server is put into production, reconfigure any custom settings that were previously present on the server.

How To Install VMWare Tools v4 on Ubuntu 12.04 LTS Server

Today I was faced with the challenge of installing VMware Tools on an Ubuntu server via command line.  I stumbled across a step-by-step tutorial on the exact steps to accomplish this task.  I am reposting for archival purposes, but all credit goes to @justinschier from http://ghosttx.com/2012/03/how-to-install-vmware-tools-v4-on-ubuntu-11-10-server/

Written: March 13, 2012
Last Updated: April 27, 2012
Tested With: Ubuntu 12.04 LTS Server, Ubuntu 11.10 Server

All the guides I found on the Internet, including VMWare’s website were outdated in some way, so I decided to write a guide of my own. I just went through these steps from start to finish on a fresh server and had no problems.

  1. Use Install VMWare Tools option in VMWare Client/Console to attach media
  2. Update the server
    sudo apt-get update
    sudo apt-get upgrade
  3. Create the mount point
    sudo mkdir -p /media/cdrom
  4. Mount the ISO
    sudo mount /dev/cdrom /media/cdrom

    You should see the message: mount: block device /dev/sr0 is write-protected, mounting read-only

  5. Change Directory
    cd /media/cdrom
  6. Copy the tar file to your /tmp directory
    sudo cp VM*.tar.gz /tmp
  7. Install Build tools if necessary
    sudo apt-get install linux-headers-server build-essential
  8. Change Directory
    cd /tmp
  9. Unmount the ISO
    sudo umount /media/cdrom
  10. Expand the tar
    sudo tar xzvf VM*.tar.gz
  11. Change Directory
    cd vmware-tools-distrib
  12. To prevent a potential error in the install script on Ubuntu 11.10, create a special directory
    Unable to create symlink “/usr/lib64/libvmcf.so” pointing to file ”/usr/lib/vmware-tools/lib64/libvmcf.so/libvmcf.so”.

    sudo mkdir /usr/lib64
  13. Run the Install Script. The -d flag automatically answers the default to all questions. To customize it, just omit the -d.
    sudo ./vmware-install.pl -d
  14. Reboot
    sudo reboot

Let me know if this worked for you!

Also, please follow me on Twitter: @justinschier

Show hard drive size in Linux via command line

If you have ever wanted to view how big your hard drive/partition sizes are in Linux, but only have access to the command line interface, here is the command to do it:
df
df -H (This will show the partition sizes in MB, GB, TB, etc.)
fdisk -l | grep Disk (This will show the physical disks and their corresponding sizes)

Common PowerShell Commands for Office 365

Here are some commands that are handy to use for Office 365.

#Assign user credentials to variable "LiveCred"

$LiveCred = Get-Credential

#Connect to your Cloud-hosted Exchange using the credential stored in $LiveCred

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

#Import Cmdlets

Import-PSSession $Session

#Close your session

Remove-PSSession $Session

#Grant Bob Barker calendar (or any folder) rights to Adam Sandler's. The field within " " can be either the user principal name or primary alias
#Possible rights: Owner, PublishingEditor, Editor, Author, Contributor, Reviewer, Custom
#Note: as a mental check, the account being given access (-User) normally sits to the right of the account whose folder is being shared (-Identity).

Add-MailboxFolderPermission -Identity "The.Dude:\Calendar" -AccessRights PublishingEditor -User "Test Guy"

#View permissions on a folder

Get-MailboxFolderPermission -Identity "The Dude:\Calendar"

#View all accounts that have mailbox access beyond SELF

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false}

#The export to a file version of above

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

#Grant user Send-as to identity

Add-RecipientPermission <identity> -AccessRights SendAs -Trustee <user>

#View all boxes that have Send-as attributes on them

Get-RecipientPermission | where {($_.Trustee -ne 'nt authority\self') -and ($_.Trustee -ne 'null sid')}

Powering off an unresponsive VM in ESXi

Today I had an issue with a VM not wanting to power off. I found an excellent article from http://markvansintfiet.wordpress.com/2010/07/28/forcefully-kill-a-virtual-machine-in-esxi/ that I am reposting in case the website ever goes down.

One day you’ll run into a not responding virtual machine that won’t power off in the vSphere client. If you don’t want to reboot your ESXi host, here is how to forcefully kill the bastard leaving all other virtual machines peacefully running.

Method 1: Use the vmware-cmd command in the vSphere command-line interface (CLI)

  1. Download and install vSphere command-line interface (http://www.vmware.com/download/download.do?downloadGroup=VCLI40)
  2. CD to C:\Program Files (x86)\VMware\VMware vSphere CLI\bin>
  3. List Virtual Machines
    vmware-cmd.pl -H <ESXi host name> -l
  4. Get state:
    vmware-cmd.pl -H <ESXi hostname> "<vmx file path>" getstate
  5. Kill Virtual Machine:
    vmware-cmd.pl -H <ESXi hostname> "<vmx file path>" stop hard

When method 1 fails move to method 2.

Method 2: Find the VM’s process identifier and forcibly terminate it (or use SSH if you are lazy and don't mind opening security holes)

  1. List active virtual machines: vm-support -x
  2. On the ESXi console, press Alt-F1.
  3. Type the word unsupported and press ENTER
  4. Type root password and press ENTER
  5. Look up the VM process pgid: ps -g | grep <VM name>
    (The number you are looking for is the one that is right before and after mks: and vcpu)
  6. Kill the process: kill -9 <pgid, the number you just found>
  7. Wait a minute and check if the machine is not running anymore: vm-support -x

Troubleshooting Enterprise Voice Calls in Lync

While setting up Lync, I found that I was unable to place any voice calls.  I fired up event viewer, and saw the following errors:

Response Data:
101  Progress Report
ms-diagnostics:  12006;reason="Trying next hop";source="mycomputer.mydomain.local";PhoneUsage="Outoing";PhoneRoute="Outgoing";Gateway="123.234.1234.234";appName="OutboundRouting"

504  Server time-out
ms-diagnostics:  1038;reason="Failed to connect to a peer server";WinsockFailureCode="10061(WSAECONNREFUSED)";WinsockFailureDescription="The peer actively refused the connection attempt";Peer="mycomputer.mydomain.local";Port="5070";source="mycomputer.mydomain.local";OriginalPresenceState="0";CurrentPresenceState="0";MeInsideUser="Yes";ConversationInitiatedBy="0";SourceNetwork="0";RemotePartyCanDoIM="No"

After doing some searching, I found that the reference to Port="5070" usually points to issues with the mediation server.  So I opened up services and it turns out I had never installed the mediation service role.  After installing the mediation server role and starting the service, the errors vanished!
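
When there are many such events, the ms-diagnostics headers can be parsed into fields so that refused connections to port 5070 stand out. This is an added example, not part of the original post: the function name is hypothetical, the two headers are abridged from the events above, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): parse ms-diagnostics headers.
function ConvertFrom-MsDiagnostics([string]$Header) {
    # The header is "<numeric code>;key="value";key="value";...".
    if ($Header -notmatch '^\s*ms-diagnostics:\s*(\d+)\s*;') { return }
    $fields = [ordered]@{ Code = [int]$Matches[1] }
    foreach ($m in [regex]::Matches($Header, '(\w+)="([^"]*)"')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]$fields
}

# Headers abridged from the two events shown above.
$headers = @(
    'ms-diagnostics:  12006;reason="Trying next hop";source="mycomputer.mydomain.local";appName="OutboundRouting"'
    'ms-diagnostics:  1038;reason="Failed to connect to a peer server";WinsockFailureCode="10061(WSAECONNREFUSED)";Peer="mycomputer.mydomain.local";Port="5070";source="mycomputer.mydomain.local"'
)

$report = foreach ($h in $headers) {
    $d = ConvertFrom-MsDiagnostics $h
    if (-not $d) { continue }                      # not an ms-diagnostics line
    $refused = $d.WinsockFailureCode -like '10061*'
    [pscustomobject]@{
        Code   = $d.Code
        Reason = $d.reason
        Peer   = $d.Peer
        Port   = $d.Port
        Hint   = if ($refused -and $d.Port -eq '5070') {
                     'Connection refused on 5070: check the Mediation Server role and service on the peer'
                 } elseif ($refused) {
                     'Connection refused: nothing is listening on the peer port'
                 } else { '' }
    }
}
$report | Format-List
```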

The trust relationship between this workstation and the primary domain failed -- The legend of Netdom

So today, my Certificate Authority decided it was too good for my Sandbox Domain and wanted to do its own shindig.

Unfortunately, you cannot leave a domain and rejoin it since it's a CA.  However, before you start backing up your CA and wiping out your Windows Server 2008 R2 disk, give this a shot:

1. Log in as local admin to the machine that is presenting the "The trust relationship between this workstation and the primary domain failed" error.

2. Open up a command prompt as Administrator

3. Execute the following command: netdom resetpwd /s:nameofyourdcserver /ud:domain\User /pd:*

Hurray!  You should be back in business now without even having to reboot! 🙂

 

You can find more info about how the tool works behind the scenes here: http://support.microsoft.com/kb/325850

Force Directory Synchronization With Office 365

1. Go to the machine with Microsoft Online Directory Sync installed.
2. Navigate to %programfiles%\Microsoft Online Directory Sync
3. Double click on DirSyncConfigShell.psc1
4. Execute the following PowerShell command: Start-OnlineCoexistenceSync
5. Awww yeah, you just synchronized your AD environment with the cloud.