I don’t think this problem/solution is much different in older versions.
Problem: when you send a link from Communicator client to another, the link isn’t clickable, has a _ (underbar) in front of it, or both. Results may be different on different computers. It’ll look like this
_http://www.google.com
Solution: Two things are happening here that are not related. The first is the OCS Server (and Edge Server) have the URL Filter enabled, which are adding the _ underbar to all links. Also called “Intelligent IM Filter”. You need to tone that filter down or disable all together to your liking. If users are coming in through an Edge Server, they will follow the Filter settings of the Edge Server they are using, which seams to supersede the Front End Server (my guess is the most restrictive wins). So be sure to set it on both servers separately. Results were instant in new IM’s.
The other issue is the lack of a clickable hyperlink. If you disable the URL Filters above, the underbar goes away but links are still not blue and underlined. To fix this you need to apply a GPO or set a local registry setting to allow Communicator to make hyperlinks clickable:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator\
new DWORD EnableURL=1
After that exit and restart Communicator.
In both of these cases they are secure by default, which is great; but even years after this features release over several versions their use and configuration are still a mystery to most starting out.
Published on
Oct 1, 2009 in
Microsoft, Networking and Security, Solution Writeups and Tech.
Tags: activesync, email, exchange, firewall, isa, Microsoft, timeout, windows mobile.
They were getting random prompts for passwords in ActiveSync on Windows Mobile 6.0 and 6.1. They had Exchange 2007, and ISA Server 2006, but this problem showed up months after Exchange was migrated to 2007. It seemed random. The error on ActiveSync was the generic:
please log in access was denied 0×85010002
In the ISA Monitoring you would see a denied connection on your ActiveSync rule with this status:
12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
I tested with Windows Mobile Emulator from outside the firewall and was able to reproduce the error within hours (just letting it sit there).
I first thought this was the HTTP session timeout that changed with a Exchange 2003 service pack when Direct Push came out back in 2005. I remembered that setting and looked under the ISA Web Listener for ActiveSync on the Connections tab>Advanced>“connection timeout”. The wizard had correctly set it to 1800 seconds (30 minutes). No dice.
I poked around the web listener settings some more and noticed the timeout settings for forms authentication were set (this same web listener was used for OWA). ISA is supposed to be smart enough to not apply any of the forms auth settings to clients that don’t support it (falling back to basic auth as with ActiveSync).
Tom and the forums at isaserver.org confirmed my suspicion. The forms auth timeout was indeed affecting ActiveSync. To find it, look for the web listener of your ActiveSync rule, go to properties>Forms tab>Advanced> and make sure “apply session timeout to non-browser clients” is unchecked.
On trying to remove a old server from the directory (2003 server in a 2003 forest) I received this error
Failed to configure the service NETLOGON as requested “the wait operation timed out.”
The root problem was that this domain controller had a DNS entry to another domain controller that no longer existed. It was trying to contact it but couldn’t. Removing that entry and running dcpromo.exe again solved it.
What if you want to take your simple 2 NIC “Internal/External” firewall and add a DMZ to it on the fly? We recently tried this on a production firewall no less and hoped it would work. It did after a few bumps.
The big problem with changing your Network Template is that ISA wants’ to slick your config and start over, so you’ll end up with two options: Try to make a 3 NIC config work in your original design by adding in networks and network rules, or applying a new network template and then bringing your config back in via import. After failing the former (likely my lack of skills), we chose the later.
Mileage may very, but here’s some notes on what we did:
- Obviously you need the 3rd NIC installed first.
- Add the Subnets to the new NIC’s IP config for your DMZ aka “Perimeter” network in Windows.
- Export your firewall config, including all settings, make a copy of the XML file, and open for editing.
- We’re going to remove the network section of the XML file to prevent issues later. Once you’ve chosen a new network template, you’ll want to import the config back in, minus the network related stuff (which is what the network template will change for you).
- Search the XML file for the open and closing NetConfig tags:
- <fpc4:NetConfig StorageName="NetConfig" StorageType="1">
- </fpc4:NetConfig>
Remove everything between these two tags and save the file.
Run through the network template wizard for 3-leg perimeter. If clicking finish generates errors, work through them and come back to try again. Our single error was because we had web listeners using HTTP compression, so we removed all objects from “General > Define HTTP Compression > Return Compressed Data” and added them back in later after re-import.
Once template wizard works, notice the lack of rules in your firewall policy and missing objects. About now your thinking “OMG you screwed me!”, so import your augmented config and they should all be back.
You’ll likely have a few dupe firewall rules if you chose a template firewall policy other then “block all”. Sort your rules by the various columns to look for dupes. We had dupes for “Allow Internal Routing” and “VPN Clients to Internal Network”.
Lastly go through your rule list and ensure the From/To columns are filled in. You’ll want to restart the firewall service at this point to be sure it can start properly, and if it fails it’s likely a rule that won’t work in the new network config. Check event logs for hints. We had several rules we deleted and recreated based on new network names.
I just posted that in R2 Microsoft plans to provide a true Recycle Bin for AD objects that were deleted, but until then the best we’ve got is Windows Server 2008 Active Directory.
After hours of researching “how do AD snapshots in 2008 help me recover a deleted object(s), it’s attributes, and referring objects (i.e. groups pointing back to the deleted user)?” I was disappointed.
From what I can tell, the answer is: built in tools allow for no additional automation over 2003 AD, other than using cut and paste to restore attributes from the snapshot to live AD (after you’ve reanimated the object in live AD).
You may be able to mount AD snapshots, and even view them with Users and Computers and other AD tools, but you really can’t DO ANYTHING with that data So I went searching for how others were solving this.
Here’s one of a few tools that tries to automate the process of finding the tombstoned object in your live AD, find it’s old info in a snapshot, and dumping that data back in to the reanimated object in AD:
Jorge from dirteam.com talks about it, basically describing my realization in greater detail
