Posts in Category: System Administration

Test Mail Server for Inbound TLS 

Here's how to test whether a mail server supports TLS using a Windows PC:

  1. nslookup
    > set q=mx
  2. The results:
       MX preference = 100, mail exchanger =
       MX preference = 300, mail exchanger =
       MX preference = 200, mail exchanger =
       MX preference = 400, mail exchanger =
  3. > exit
  4. telnet 25
  5. Once connected, type:
  6. If you see this in the output, the mail server supports inbound TLS communication:
Posted by Brian 09/10/2010 Categories: Diagnostic SMTP System Administration TLS
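
The inbound TLS test above can also be scripted. The following is an added example, not part of the original post: it relies on the standard mechanism from RFC 3207, where a server that accepts TLS lists the STARTTLS keyword in its EHLO reply. The function names and the example.test hostnames are hypothetical, and the sample reply is constructed.

```python
import smtplib

# Constructed sample of a multi-line EHLO reply; not captured from a real server.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 36700160\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_keywords(reply):
    """Return the upper-cased extension keywords from a raw EHLO reply.

    The first reply line carries the server's domain and greeting, so only
    the following "250-KEYWORD [params]" / "250 KEYWORD" lines are read.
    """
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if len(line) < 5 or line[:3] != "250" or line[3] not in "- ":
            continue  # not a positive EHLO reply line
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def advertises_starttls(reply):
    """True if the EHLO reply offers the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo_keywords(reply)


def probe(host, port=25, timeout=10):
    """Live check against one MX host: is STARTTLS offered, and does it work?"""
    result = {"host": host, "advertised": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["advertised"] = smtp.has_extn("starttls")
            if result["advertised"]:
                smtp.starttls()  # opportunistic: default context does not verify the cert
                result["tls_version"] = smtp.sock.version()
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print(advertises_starttls(SAMPLE_EHLO_REPLY))
    # print(probe("mx.example.test"))  # hypothetical host; needs outbound TCP 25
```

Run `probe()` against each mail exchanger returned by the MX lookup, not only the lowest-preference one, since backup MX hosts are often configured differently.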

Event 29: Kerberos Key Distribution Center 

While looking through our new Windows 2008 Domain Controller’s event logs, I noticed this unusual error:

Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Event ID: 29
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Description: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

After a little research, I found knowledge base article 967623 on Microsoft’s site.

How Microsoft explains this error message is so amusing to me…

This is by design behavior.
The Kerberos-Key-Distribution-Center (KDC) service repeats this check in order to see if there is an existing, workable certificate or if a new one is present. In this case the error handling does not take into account a non-CA environment.

In a nutshell, if you are not using a CA, you can ignore this error message.

Posted by Brian 11/09/2009 Categories: Support System Administration Windows

DCdiag fails for NCSecDesc test on Windows 2008 Domain Controllers 

Ran into this error this morning while running DCdiag on one of our Windows 2008 Domain Controllers.

Starting test: NCSecDesc
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        ......................... Contoso-DC1 failed test NCSecDesc

After a little research (967482, Known Issues for Installing and Removing AD DS & Ravindra Pamidi's Blog) I found the cause of this issue is:

If you have not run adprep /rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.

So here’s Microsoft’s resolution to the issue:

If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

So here we are again… another warning message because I’m not using a “feature” of the product!

Additional Note:

This bug affects any Windows Server 2008 domain controller with Active Directory installed in Windows 2003 mode, i.e. a default Windows 2008 domain.

That could be a single Windows 2008 Server domain, a Windows 2008-only domain, or a mix of Windows 2008/2003.

Posted by Brian 11/07/2009 Categories: Support System Administration Windows

Windows Server 2008 x64 – Issue installing 32-bit printer drivers

I ran into this little issue today while migrating our network printers to our new Windows Server 2008 x64 print server.

While installing 32-bit drivers for a Color LaserJet 3800, I received this error message:
“The specified location does not contain the driver for the requested processor architecture.”

After some quick research I found this little kicker…
The 32-bit and 64-bit driver names must match exactly. “HP Color LaserJet 3800 PCL6” is not the same driver name as “HP Color LaserJet 3800 PCL 6”.

You might not be able to extract some printer drivers without installing them. If this is the case, log on to a client computer that uses the same processor architecture as the printer drivers that you want to add to the print server, and install those printer drivers. Then use Print Management from the client computer to connect to the print server, and add the additional drivers from the Additional Drivers dialog box. Windows automatically uploads the drivers from the client computer to the print server.

Posted by Brian 11/04/2009 Categories: System Administration