Tuesday, December 18, 2012

Root Certificates Update from December 2012 breaks dot1x authentication

Oh No, I can't Authenticate on dot1x!!!

Ran updates on our domain controllers this morning, installed everything like usual, because I'm trusting like that.  Anyway, after the reboot of our DCs no computers were able to authenticate on the network!  After some digging and research of the event logs I noticed a forum thread was pretty active, titled: Root Certificates Optional Windows Update December 2012 - KB931125 triggers Event ID 36885 - SCHANNEL


I followed the recommendation given by user Michael DAngelo, and used Method 3 to modify the registry of the DCs: http://support.microsoft.com/kb/2464556


To set this registry entry, follow these steps:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type SendTrustedIssuerList, and then press Enter to name the registry entry.
  5. Right-click SendTrustedIssuerList, and then click Modify.
  6. In the Value data box, type 0 if that value is not already displayed, and then click OK.
  7. Exit Registry Editor.

Immediately after putting in the value it started to work.
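The same Method 3 change done from an elevated PowerShell prompt, as an added example that is not part of the original post or of the Microsoft KB: it first shows how large the trusted-issuer list Schannel would send has become, applies SendTrustedIssuerList = 0, and then checks the System and Security logs for the Schannel and NPS events quoted below. The value is server-wide, so it affects every Schannel client-certificate negotiation on that DC, not only the NPS EAP listener; the Schannel 36885 text itself names the longer-term fix, pruning roots that do not need to be trusted for client authentication.

```powershell
# Added example (not from the original post): inspect and apply the KB2464556 "Method 3"
# SendTrustedIssuerList workaround on a DC/NPS server, then confirm via the event logs.
# Assumption: run elevated on the DC that NPS uses as its authentication server.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'SendTrustedIssuerList'

# 1. How big is the trusted-issuer list Schannel sends in its CertificateRequest?
#    Each entry is the DER-encoded subject DN of a trusted root. When the list grows
#    too long Schannel truncates it (event 36885), and EAP-TLS clients then fail to
#    pick a certificate, which is what broke dot1x after the root update.
$roots   = Get-ChildItem Cert:\LocalMachine\Root
$dnBytes = ($roots | ForEach-Object { $_.SubjectName.RawData.Length } | Measure-Object -Sum).Sum
'{0} trusted roots, ~{1} KB of issuer DNs' -f $roots.Count, [math]::Round($dnBytes / 1KB, 1)

# Roots most recently issued, i.e. the ones a root-certificate update is likely to have added
$roots | Sort-Object NotBefore -Descending | Select-Object -First 10 Subject, NotBefore, Thumbprint

# 2. Current state of the value (absent means the default: the list is sent)
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { "$name is not set (default: issuer list is sent)" } else { "$name = $current" }

# 3. Apply Method 3: SendTrustedIssuerList = 0 as a REG_DWORD. The post reports
#    authentication recovering immediately after the value was written, no reboot.
if ($current -ne 0) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    "Set $name = 0"
}

# 4. Watch the symptoms clear: no new Schannel 36885 (list truncated) / 36887 (fatal
#    alert 47) in the System log, and NPS denials (Security event 6273, the
#    "Network Policy Server denied access to a user" event) with reason 266 stopping.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36885, 36887; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Reason Code:\s+266' } |
    Select-Object TimeCreated, @{ n = 'Account'; e = { ($_.Message -split "`n" | Select-String 'Account Name:')[0].ToString().Trim() } }
```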

Event Logs on Domain Controllers

Error Schannel 36887 The following fatal alert was received: 47.

Warning Schannel 36885 When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.


Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: DOMAIN\COMPUTERNAME$
Account Name: host/computername.domain.local
Account Domain: DOMAIN
Fully Qualified Account Name: domain.local/OU/COMPUTERNAME

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00000000000
Calling Station Identifier: 00000000000

NAS:
NAS IPv4 Address: 172.16.2.2
NAS IPv6 Address: -
NAS Identifier: 172.16.2.2
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 2

RADIUS Client:
Client Friendly Name: radiusserver
Client IP Address: 192.168.1.4

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: 802.1x-Wireless
Authentication Provider: Windows
Authentication Server: DC2.domain.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 266
Reason: The message received was unexpected or badly formatted.

Event Logs on Radius Proxy

Warning IAS 2

User host/COMPUTERNAME.domain.local was denied access.
 Fully-Qualified-User-Name = <undetermined> 
 NAS-IP-Address = 172.16.2.2
 NAS-Identifier = 172.16.2.2
 Called-Station-Identifier = 000000000000
 Calling-Station-Identifier = 000000000000
 Client-Friendly-Name = AccessPoints-172.16.2.0/24
 Client-IP-Address = 172.16.2.2
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Dot1x_Proxy
 Authentication-Provider = RADIUS Proxy 
 Authentication-Server = 192.168.1.7
 Policy-Name = <undetermined> 
 Authentication-Type = <undetermined> 
 EAP-Type = <undetermined> 
 Reason-Code = 112
 Reason = The remote RADIUS (Remote Authentication Dial-In User Service) server did not process the authentication request. 

For more information, see Help and Support Center at 

Tuesday, November 20, 2012

Moving WSUS WID Database in Windows Server 2012

I cannot guarantee this will work for you, but here is what I did when a coworker installed the WSUS database to the wrong drive. This post also assumes you know what you are doing and are able to use SQL Management Studio 2012.


  1. Install SQL Server Management Studio 2012 (you can try Management Studio for 2008 or 2008 R2, but I received an error when I tried initially).
  2. Run SQL Management Studio 2012 as Administrator.
  3. Connect to Server Name \\.\pipe\Microsoft##WID\tsql\query (older versions used \\.\pipe\Microsoft##SSEE\sql\query; this has changed in Server 2012 WSUS 4).
  4. Select Windows Authentication and login
  5. Expand Databases
  6. Right Click SUSDB
  7. Hover over Tasks
  8. Select Detach (Management Studio for 2008 might give you an error here)
  9. Select the Drop Connections checkbox
  10. Click OK
  11. Move the SUSDB.mdf and the SUSDB_log.ldf to the new location.
  12. Back in SQL Server Management Studio right click on Databases
  13. Select Attach
  14. Click Add
  15. Navigate to the new SUSDB.mdf location and select the mdf that is in the new location.
  16. Verify the mdf and the ldf are showing in their location properly.
  17. Click OK
  18. Verify the SUSDB database has attached and is not read-only, (if it is listed as SUSDB (Read-Only), verify the permissions on the folder and files you moved are the same as the permissions of its original location).
  19. Once reattached you should now be good to go. If things look iffy, restart Update Services/IIS Admin/WID Services, or reboot.

http://technet.microsoft.com/en-us/library/hh852349.aspx
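The detach, move and attach from the steps above, scripted against the same WID named pipe with sqlcmd, as an added example that is not part of the original post. It assumes sqlcmd is on the path (it comes with SSMS 2012), that the files currently live in C:\Windows\WID\Data and are to go to D:\WSUS\Data (both placeholders, edit them), and it grants the WID service account access to the new folder so the database does not come back read-only (step 18).

```powershell
# Added example (not the post's own steps): detach SUSDB from the Windows Internal
# Database, move its files, and re-attach them, all from an elevated PowerShell prompt.
# Assumptions: sqlcmd is available; $source and $target are placeholders to edit.

$wid    = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'   # WID on Server 2012 (was MICROSOFT##SSEE)
$source = 'C:\Windows\WID\Data'                       # assumption: where SUSDB lives now
$target = 'D:\WSUS\Data'                              # assumption: where it should live

function Invoke-Wid([string]$Query) {
    # -E = Windows authentication, -b = non-zero exit code if the T-SQL raises an error
    & sqlcmd -S $wid -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $Query" }
}

# 1. Stop the consumers of SUSDB so "Drop Connections" has nothing left to drop.
Stop-Service -Name WsusService -Force
Import-Module WebAdministration
Stop-WebAppPool -Name WsusPool -ErrorAction SilentlyContinue

# 2. Detach (equivalent of Tasks > Detach with the Drop Connections box checked).
Invoke-Wid "ALTER DATABASE SUSDB SET SINGLE_USER WITH ROLLBACK IMMEDIATE; EXEC sp_detach_db @dbname = N'SUSDB';"

# 3. Move the files. The WID service's virtual account must keep full access at the new
#    location, otherwise the database attaches as SUSDB (Read-Only).
New-Item -ItemType Directory -Path $target -Force | Out-Null
Move-Item -Path (Join-Path $source 'SUSDB.mdf'), (Join-Path $source 'SUSDB_log.ldf') -Destination $target
& icacls $target /grant 'NT SERVICE\MSSQL$MICROSOFT##WID:(OI)(CI)F' /T | Out-Null

# 4. Attach from the new paths (equivalent of right-click Databases > Attach).
$mdf = Join-Path $target 'SUSDB.mdf'
$ldf = Join-Path $target 'SUSDB_log.ldf'
Invoke-Wid "CREATE DATABASE SUSDB ON (FILENAME = N'$mdf'), (FILENAME = N'$ldf') FOR ATTACH;"

# 5. Verify: both files should report the new physical_name, and the database should be
#    MULTI_USER with is_read_only = 0 before WSUS is started again.
Invoke-Wid "SELECT name, physical_name FROM sys.master_files WHERE database_id = DB_ID('SUSDB');"
Invoke-Wid "SELECT user_access_desc, is_read_only FROM sys.databases WHERE name = 'SUSDB';"

# 6. Bring WSUS back up.
Start-WebAppPool -Name WsusPool -ErrorAction SilentlyContinue
Start-Service -Name WsusService
```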

Thursday, November 8, 2012

Installing Office 2013 Key Management Service Host on Server 2012

This installation is documented using the Office Professional Plus 2013 Key Management Service Host ISO provided through the Volume Licensing Service Center, and assumes that the Volume Activation Services have been properly installed and configured on Windows Server 2012.

  1. Download the Office Professional Plus 2013 Key Management Service Host ISO from the Microsoft Volume Licensing Service Center.
  2. Copy it to the 2012 KMS server.
  3. Right click the ISO and select Mount.
  4. Run PowerShell as Administrator and navigate to the mounted ISO's root directory.
  5. Run cscript kms_host.vbs
  6. While it runs, it will open Volume Activation Tools
  7. Click Next at the Volume Activation Tools introduction screen.
  8. Select your Activation Method, enter in the FQDN if required and click Next.
  9. Click the radio option to Install your KMS host key and enter in your KMS host key.
  10. Click Commit
  11. At the info box, click Yes to install the new product key.
  12. Verify Activate Product is selected and click Next
  13. In the Select Product drop down you will see Office 15, VOLUME_KMS channel selected already.
  14. Choose your Activation method and click Commit.
  15. Click Yes at the "This will activate the KMS host" info box.
  16. View the configuration, verify it has succeeded, and click Next.
  17. If there are any options you would like to change in the configuration do so and click Commit.
  18. Click Yes to overwrite existing KMS configurations.
  19. It will then restart the Software Protection licensing service.
  20. If you are done click Close.
  21. Verify the PowerShell window indicates a successful completion, press ENTER to close.
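Once the wizard has committed, the following checks confirm the Office 2013 KMS host is actually usable by clients. This is an added example, not part of the original post or of Microsoft's kms_host.vbs; it reads the same WMI classes that slmgr.vbs queries (cscript slmgr.vbs /dlv all prints the same data as text) and assumes it is run elevated on a domain-joined KMS host whose own DNS zone is the one clients search for the _vlmcs SRV record.

```powershell
# Added example (not part of the post): post-commit checks for the Office 2013 KMS host.
# Assumption: run elevated on the KMS host; $domain is the zone clients search.

$domain = (Get-WmiObject Win32_ComputerSystem).Domain   # assumption: host is domain-joined

# 1. The Office 15 KMS host entry (shown as "Office 15, VOLUME_KMS channel" in step 13)
#    must be present with a partial product key and LicenseStatus 1 (Licensed).
#    KeyManagementServiceCurrentCount is the number of distinct clients seen so far;
#    Office clients only activate once it reaches RequiredClientCount.
$office = Get-WmiObject SoftwareLicensingProduct |
    Where-Object { $_.Name -like 'Office 15*' -and $_.Description -like '*VOLUME_KMS*' -and $_.PartialProductKey }
if (-not $office) { Write-Warning 'No Office 15 KMS host key is installed on this machine' }
$office | Select-Object Name, Description, PartialProductKey,
    @{ n = 'Licensed'; e = { $_.LicenseStatus -eq 1 } },
    IsKeyManagementServiceMachine, KeyManagementServiceCurrentCount, RequiredClientCount,
    KeyManagementServiceTotalRequests, KeyManagementServiceFailedRequests

# 2. Service-level KMS settings: listening port (1688 by default) and DNS SRV publishing.
Get-WmiObject SoftwareLicensingService |
    Select-Object KeyManagementServiceListeningPort, KeyManagementServiceDnsPublishing, KeyManagementServiceLowPriority

# 3. Name resolution: clients locate the host through the _vlmcs._tcp.<domain> SRV record.
Resolve-DnsName -Name "_vlmcs._tcp.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority, Weight

# 4. Reachability: the Software Protection service must be listening on the port and the
#    inbound firewall rule enabled, or no client ever gets to count against step 15's
#    freshly activated host.
Get-NetTCPConnection -LocalPort 1688 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayName 'Key Management Service*' |
    Select-Object DisplayName, Enabled, Direction, Action
```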

Friday, September 14, 2012

10 Reasons Why You Should Train and Certify Your IT Staff

Is your staff begging you for training?  Are they at the point in their career where they need to become certified?  Are you asking yourself, "Why should I train my staff?"  There are many benefits your business can see through training your staff members.  Whether you are a university, small business, large enterprise, solution provider, or technology reseller, you have an IT team behind you in one way or another.  They allow you to send your emails, surf the web, secure you, back you up, get from point A to point B, or they are implementing a product or service you are selling.  The truth is, your IT team needs to have the knowledge to meet your needs, and the only way to get it is for them to learn it.  My hope is that you will train your staff on a regular basis and certify them.  Here are ten reasons why you should train and certify your staff.

10. Increase Your Business' Confidence

Nothing hurts an IT department more than your end users/customers thinking that the IT team just hides in a room with the lights off, praying for things not to break.  Since everything is done electronically, your business, employees and customers need to have the confidence that their data is being handled by true technology experts.  As your employees begin to earn their certifications, post them on your department webpage and on a wall in a well-trafficked area of your office, buy the shirts, and let people know your team members are "Certified Experts".  Spread the word!  It is a great accomplishment!  A well-trained team is more likely to have its solutions optimized to best practice and configured correctly, and will have less downtime.  Having a secure, optimized and highly available environment will keep your employees, end users and customers confident that their data is protected and being handled properly.
When it comes to selling a product or a service, you want your team to be held in the highest confidence by your customer, whether it is implementing a SAN solution or simply installing an application.

9. Prove That You Value Your Team

This turns into a touchy subject for many supervisors.  Do we pay for our team to go to training?  Do we pay for them to get certified?  Do we encourage them to get certified?  What if they leave after we spent ALL of that money training and certifying them?  My answer is: invest in your employees and they will return the favor!  Don't be scared that if they get certified they will go find another job somewhere else.
Think about it this way.  If they take the time to self study and to certify on their OWN time and dime, why do you think they are doing it on their own? Probably to improve their resume.
Invest in your team and they will return the favor, either by making the changes or moving on.  If they move on, is it that big of a deal?  If it is, require them to sign a contract to reimburse the training at a prorated amount.  If they do leave, do you need to increase the pay of your employees?  If they can simply go somewhere else to do the same thing, but for more money, something is wrong.  Start with checking how you invest in your employees.  Again, actively INVEST in your employees or they WILL find someone that can.  Take a note from this Dilbert comic: Please, don't marinate in your own stench...

8. Optimize Your Company's Infrastructure

A company's infrastructure is only as good as the knowledge of the person or team that put it in.  If you have a staff member just throwing stuff into production, because everyone else uses it or they heard it was cool and wanted to try it, STOP THEM!  Don't let them put anything into production without learning about it first, and then ensure it is labbed up in an isolated environment to work out the bugs and to document it.  It sucks when you get into a position that has all these little "free and cool" applications, barely functioning, on 20 different servers, without any documentation, and now you are responsible for managing it all.
Things put into production without the knowledge to back them will not be optimized.  They will be shoddy, limping along, and likely on the verge of failing.  Send your people to training, so they can learn about what they are doing before they even think of implementing a solution into production.  Don't get your company stuck with an environment that is running on banana peels, when training will allow for optimization of the software or hardware.

7. Stay Current With Technology

Is your business still running Windows Server 2000 or Server 2003 across the board, maybe Exchange 5.5, 2000 or 2003?  Why is that?  Windows Server 2008 and Exchange 2010 have been out for years!  Do you know that you are behind the times and Server 2012 is now out, with Exchange 2013 peeking over the horizon?!  Are your Cisco products still running CatOS?  Train your staff to help get your company up to speed on the latest technology.  Take advantage of the latest features now available in the new releases.  Staying behind on technology does nothing for your company but allow for more security vulnerabilities and a "going nowhere" staff.  Those complex and confusing solutions that were put in ages ago could be running very smoothly, but think about it, really.  With the latest advances in technology, things have become increasingly simple, more secure, and definitely faster.  Your company and staff suffer by keeping old technology running.  Make the move, train your employees, implement new technologies, and certify your staff.  Give them a testing environment to play with the new technologies, to make sure they will work, and to make sure they can integrate into your production environment.

6. Improved Project Management

When a member of your staff knows their systems and solutions from the inside out, any future projects led by that team member will be significantly improved and timelines will be reduced.  Take into consideration the time they spent studying for their certifications, or even the time they spent at training.  They learned new advances in technology, and they may have even heard of or been informed about other pieces of technology through conversations with classmates, or by a topic covered in class.  With that knowledge in the back of their minds, when it comes time to implement a new project, present the solution to administration, or research a new technology, they will have a head start and be able to get the ball rolling with confidence.  When it comes time to implement the project, would you rather have a knowledgeable staff ready to go, or a staff that is scrambling day-to-day, trying to figure out what they are going to do?

5. Better Customer Support

Your customers need the best support they can get, so provide it to them.  With a trained and certified staff who have optimized their environment, implemented high-availability solutions, and implemented best practices, your customer calls will drop significantly.  A well-trained team will also help cut down the time it takes to troubleshoot and remediate any issues that do happen to crop up.  Once your staff is trained and fixing issues with ease, they will have plenty of downtime to research and make improvements where needed.  With the improved customer support, the complaint department should now be able to find other things to complain about. :)  Give the customers an advantage, and prove to the customer why they chose you over the competition.

4. Less Downtime

There is no doubt that when a system is installed according to best practices, it will run optimally and as intended by the solution provider.  Whether it is redundant core switches, firewalls, file shares, Client Access Arrays, or DAGs, a well-trained staff member will implement these solutions to make life easier for them and the helpdesk.
Imagine your own environment, if a single server fails, what will happen?  Will there be people knocking at your door demanding the service be restored instantly?  Probably.  All of this can be avoided to the utmost extent by training your personnel and valuing their input and recommendations to make your environment run smoothly. Many solutions out there offer some type of high-availability option, some take additional configuration steps for it to run optimally.  By not learning about and implementing these HA solutions, you can get in some deep goop at the point of failure.  When a staff member knows the capability of their systems and solutions, it will be installed and configured to meet the business goals.

3. Influence a Dynamic Learning Environment

You want your staff members to be the best they can be at their job.  By pushing them to attend training, learn new technologies, and get certified, your company will stay on the leading edge of technology and continue to grow and provide the best solutions for your customers. Make continuous learning the top priority when it comes to your employees.  Show your employees you want them to keep learning, don't view learning as a burden, view it as an opportunity.  Keep your staff passionate about their jobs, keep their brains moving, keep the juices flowing, keep your business moving forward. Encourage ideas, inspire growth, and implement the best solutions.

2. Eliminate Mistakes

When you think about it, how much downtime, how many customer issues, and how many nights and weekends worked have been the product of a mistake made by the IT team?  It happens all of the time.  One of the biggest influences on system downtime is human error.  Whether it was mistakenly deleting a connector, wiping a switch config, deleting a user account, unchecking a box, or formatting a critical disk, these mistakes cost the business time and money, and they will cost people their jobs.  Mistakes will not necessarily be eliminated, but there will be that knowledge in the staff to make the right choice, to take the extra time and think a thought through, rather than just clicking around or unplugging something inadvertently.
Let your business be the poster child of WHAT to do. Don't make the mistake of denying training to your team. Take advantage of the time you have now and train them before it's too late.

1. Improve Your Business' Reputation

By combining all of these together your business will provide better solutions, be more productive, allow faster turnaround time, and provide your end users and customers with a high quality product.  Don't let your business be affected by downtime, unhappy customers, unhappy staff, old technology, or an overall lack of functionality.  Improve and enhance your business' reputation; give your staff the knowledge and skill set they need to meet the company mission.  A smoothly operating business keeps the staff and customers looking at the future of the company.
Think of your IT department as a human backbone, it really is.  Keep it strong, keep it moving, and keep it adjusted.  If you don't, you can expect to see headaches, soreness, inflammation, cramps, and stiffness.  Everything will start falling apart from there.  Exercise it!

Overall

It all really comes down to investing in your IT team and valuing the work they do for you.  The results will reflect directly within the environment, and align with your business goals.  Thank your employees for their hard work and investment they have given the business. Invest in them in return. It's for the best.

A well-maintained machine runs smoothly.  A poorly maintained machine grinds, scrapes, seizes, overheats, and fails.  Please, oil your machines routinely to avoid breakdowns.

Wednesday, September 5, 2012

Putting a Value on IT Certifications - Part 3 "Certified Rockstar"

Finding and Creating Your Value

The true value of your IT certification comes from what YOU do to create the value. You can put your certifications to good use and be a complete rockstar, or you can get certified and do nothing but flaunt around your signature block, resume and office's wall of pride.  Please, use it for good and be the rockstar. Do it to prove to yourself and others, that YOU ARE THE EXPERT, and not just a name with a list of acronyms at the end.  In short, be intelligent, don't be arrogant.

I've had several people ask me if I am going to be looking for a new job now that I have all these Microsoft Certifications.  The answer?  No. I still have A LOT of work to do!  Sure, I can go anywhere and get a significant salary increase, but why leave this place hanging when I can do so much more to help with my newly acquired knowledge!  First on my list, start identifying what needs to be fixed.

Identifying the Problems

We constantly have our binoculars out scanning the horizon for new technologies and thinking of ways to implement them to help our students, faculty and staff. On the other hand, we also need to make sure we put the binoculars down once in a while and see what is happening in our own environment.

Here are a few items that have come up that need to be tackled ASAP. Fixing these issues will definitely increase our value as a University.

Lack of Datacenter Redundancy

As an Enterprise Administrator, my professional life is contained within my datacenters, its applications and hardware and how it meets customer demands.  That being said, it had better run and run well or I won't have a personal life.

One thing our datacenter was lacking was application and hardware redundancy; we had SAN replication going on between sites and Domain Controller replication going, but other high-demand applications were lacking in redundancy.  Our website, SQL databases, and Exchange Servers were stand-alone systems.  Each of them is in very high demand, so rebooting them anytime before 2:00 AM is out of the question unless it is an absolute emergency.

Lack of Technical Knowledge Held by Students, Faculty and Staff

When I started as a student at the University, we had two Information Technology related Associate Degree programs, one in Network Administration and the other in Web Design.  About seven years ago, they were removed entirely.

Since the removal of pretty much our only technology directed fields, our office, in particular, has had to hire technicians with very little computer experience.  We are getting student technicians that are on track to graduate with Biology, English, and Wellness degrees.  Training them, pretty much from the ground up, is an ongoing occurrence.

Many of our technicians are fresh out of High School, with little experience, which causes a problem when a more complex issue arises with a customer computer.  Who do we send, whoever has been here the longest?  Do we escalate it up the chain to our most experienced server admin, who hasn't done technician duties for ages?  Our Faculty and Staff need to be serviced by quality work.  We also need to provide all of our students, faculty and staff with a proper technical learning environment.

Something needs to be done to ensure everyone knows what they are doing when it comes to technology and how to do it the right way.

Applying the Certifications to Resolve the Problems


Improving Datacenter Operations

Being certified has given me the confidence to really dig in and try to make our Datacenter optimized.  It used to be a mess, but has now been totally revamped and virtualized.  Having the advanced and expert knowledge of our infrastructure and the software we support has allowed me to add redundancy across the board.  This includes implementing Exchange 2010 DAGs, DFS replication, a Load Balanced Web Farm and SQL Clusters across two sites.

By implementing failover clusters, load balanced services, SQL Clusters, Client Access Arrays, and Database Availability Groups we have significantly improved and optimized our Datacenter availability at our two sites.


Training the Students, Faculty and Staff

Microsoft IT Academy - I'm currently working on a proposal to enroll our University in the Microsoft IT Academy program. This will help our Faculty and Staff with their professional development, and also provide the opportunity to start having more technology related classes at the university.

Let me tell you a secret, being a teacher has always been a dream of mine. Although I am not yet a Microsoft Certified Trainer, it is one of my goals to attain within the next 12 months.  Transferring knowledge to students and seeing them succeed in the end will help me both fulfill and continue my career goals and fulfill one of my personal dreams.

The plan: Enroll --> train our Faculty and Staff --> train our students.  It could be that simple, logistically. In reality, not so simple.
The obstacles: Staffing and $$$. I'm the only certified person able to teach Microsoft classes. Since we no longer have any technology classes, we have only one faculty member, not certified, that teaches MS Office. Will there be any demand for the classes or will it be a waste of time? Who is going to pay for it all?

One day my hope is to get over 90% of our Students, Faculty and Staff, Microsoft certified. The end result is intended to be a more technology converged personnel.

It is time to get the ball rolling.


In the End

Value your work, your employees and your image as a professional. Train and Certify your team, as often as you can.  Keep your professionals up-to-date on all technology aspects and you will keep your customers happy.
Imagine the possibilities attainable with your business, university or other environment that has a certified staff.  If you present yourself, your business, and your work, as being completed by experts and professionals, your end product will be held with the utmost value.

In the end, you will be the certified rockstar.

See Also:

Putting a Value on IT Certifications - Part 1

Putting a Value on IT Certifications - Part 2

Friday, August 31, 2012

Putting a Value on IT Certifications - Part 2 "A Change of Mind"


A Change of Mind - "Certification Baby Steps"

You know, after being in the IT environment for over 12 years, I didn't have anything tangible to prove to anyone what experience I held.  I could tell them over and over again an extensive list of experience, but in the end, would anyone really want to believe me? I wouldn't!  We've hired employees that baffled us with BS, no, wait..., "Experience", and they couldn't back up their resume FULL of "experience". At least if they held a certification we could have held them accountable for what they could do.

The First Step - Set My Goals

I began to think even more about the value of certifications and what I needed to do to make myself understand there is a reason to be certified.

The following are my reasons to become MCITP Enterprise Administrator certified:
  • Boost Confidence
  • Validate my knowledge, skills, and abilities in a measurable, quantifiable manner
  • Find out what I didn't know, learn it, and add it to my IT arsenal
  • Improve our Server Infrastructure
  • Prepare our IT Infrastructure for new software releases
  • Pass my knowledge onto others
  • Show that our University is and can be current with the latest technology
  • Show our Faculty, Staff, and Students that we have a knowledgeable "Expert" staff
  • Have more background and influence when it comes to project decision making
  • Prove to my employer that I am a value to the University
  • Prove to myself that I am a valuable asset to the University
  • To expand my IT knowledge and to become the best System Expert I could be.

The Second Step - Training

At this point I knew I wanted to become a Microsoft Certified IT Professional: Enterprise Administrator, at any cost.

I began to study and read Microsoft Training Kits, online articles, and anything else server related I could get my hands on. I implemented Windows Server 2008 R2 across the board to our external DNS servers, Domain Controllers, DHCP, Certificate Authorities, etc., but now needed to take advantage of what they were there for.  Through much research, labbing, testing, and implementing, I covered nearly everything that was going to be covered on several of the tests.  Moving all of your domain, network, CAs, and app servers to 2008 R2 over the course of a year is definitely a learning experience.  I made the server infrastructure I inherited from my predecessor my own.

Although I had performed all these upgrades and read through these books and articles, I still did not have the confidence needed to attempt to take any of the Microsoft tests.  I knew I was still missing some things and needed to learn MORE before I took the next step. Conveniently, the University asked for requests for "One-Time Money Allocation".  I thought, hey, I could use some training; our office hasn't had training for quite some time.

Last year I began investigating Live Classroom training centers.  I didn't want to train while sitting at my desk at work, with headphones and a microphone.  I wanted to see my instructor and talk to them actively without having the "virtual barrier".  I also wanted something that would be beneficial, something I could learn and take home, and something that was worth the cost.

That is when I found Mountain View Systems, LLC in Fort Collins, Colorado.  Talk about a godsend! James Carrion, their lead instructor for MCITP/MCSA/MCSE certifications, is a Microsoft Certified Master!  Mountain View Systems immediately moved to the top of my prospective trainers list.  After working with the incredible Rebekah Behr, I was enrolled in the MCITP Enterprise Admin class and on my way to being certified.  The training was an intense 16 day boot camp, and I have never learned so much in my life about how to optimize and implement all server roles into a Windows environment.  I thought I had a good understanding of Microsoft, but James brought everything else into light for me.  He would take the most complex scenarios and present them to us in easy to understand ways. Throughout the 16 days I took the five Microsoft Exams required for the MCITP: Enterprise Administrator on Windows Server 2008 and passed them all, averaging 875 out of 1000, my lowest score being 815 on the 70-647 exam.

Anthony Carrion, Rebekah Behr and James Carrion at Mountain View Systems treat their customers like royalty and it was the most incredible training experience I have ever received. I am one SATISFIED customer!

Rebalancing and Hitting the Ground Running - Implementing My Newly Acquired Knowledge

Once the boot camp was completed and I was officially an MCITP: Enterprise Administrator and MCSA: Windows Server 2008, my confidence level was boosted extremely high and my entire perspective on certification has continued to change. I have met my goals and have begun to make more.

At work, even though I was already the in-house "Expert" before becoming certified, I now have a greater feeling of accomplishment, productivity, and expertise in my position. I have significantly improved our University server infrastructure and have begun to pass the knowledge on to my coworkers.

I know that the job I have done and the tasks I plan for and perform are going to work as I now have the experience, confidence and training to back them up.


Next: Putting a Value on IT Certifications - Part 3


Putting a Value on IT Certifications - Part 1


Putting a Value on IT Certifications - Part 1 "Certification Denial"

Becoming certified in anything IT, well... those that have a big name and are widely popular and in demand, e.g., Cisco, Microsoft, ITIL, PMI, and (ISC)2, has been a need and definite positive influence for any job seekers in the IT market.  Each certificate can help classify you in a higher pay scale, open up options for a lead engineer/expert, security officer, or management position at many companies.  Your possibilities are endless, that is, if you can back up what you've proven on the test.

Certification Cheaters Ruined Me! - "Certification Denial"

Until recently, I had been extremely anti-cert, meaning, I didn't value the knowledge held by someone with an IT certification.  To me, you can know your stuff inside and out better than anyone that is certified.

To give you a little bit of background on why I have always been a bit hesitant and negative about IT certifications and their overall value, let me explain.

I started working for the University in 2002 as a student employee. We had a "certified professional" on staff, certified MCSE in Windows NT 4.0, who had been with the University a couple of years before I arrived.  There were times that I had to show him how to do basic things within Windows NT, even analyzing the event logs.  Talk about a disappointment, having an "MCSE" on staff and them not being able to perform basic server operations! He did not live up to what I expected of MCSE status, that is for sure.

Since I had to help him with his two servers, I had admin access to them as well. When it came time to decide whether he would stay or go, I was tasked with breaking something on one of them, as long as it was easily fixable.  It was an easy fix in my eyes: simply check a box in the options of an application he was supposed to be the expert on and it's fixed.  It took him over a week to figure it out, and he was certified in it! Long story short, he is no longer with us.

The second and probably most disappointing was an Instructional Designer we had from 2003 to 2005.  I just checked, and still listed on his resume are the following certifications: Microsoft Certified Systems Engineer (MCSE), Microsoft Certified Trainer (MCT), Certified Novell Engineer (CNE), Enterprise Certified Novell Engineer (ECNE), Novell Authorized Instructor (NAI).  Seriously, this guy knows absolutely NOTHING about computers! He is also a Doctor of Philosophy in Education (PhD).  What ticked me off the most was when he came down to our office and asked that we format a floppy disk because he couldn't figure it out. Other strange things... he wanted to receive his spam messages (we had no right to block them in his eyes), he would wear sweatpants and t-shirts to meetings with faculty and staff, and he would play his ukulele on a rock outside of one of the buildings. Some students would even toss him change when walking by, based on the fact that he looked like a transient in the clothes he was wearing. My guess? He could teach and learn the certs from a book without needing real-world experience; besides that, he knew nothing beyond what the book said or directed him to say.

Continuing on, I've had coworkers who studied only brain dumps, then passed the test without having all the experience that should be reflected by the cert.

So, pretty much from the official start of my IT career, the way I perceived a Microsoft Certified Professional was ruined. The way I viewed it was: you can be a good test taker, book smart, and study dumps to pass any IT certification exam.

I now have a change of mind. :)

Next: Putting a Value on IT Certifications - Part 2


Tuesday, February 14, 2012

RESOLVER.ADR.Ambiguous; ambiguous address


When sending to an external mail contact (we use Live@edu), the message would get caught in the queue or bounce back immediately.  The queue viewer reported the following.


Last Error: 420 4.2.0 RESOLVER.ADR.Ambiguous; ambiguous address
Queue ID: HTServer\Submission
Recipients:  IMCEAEX-_O=ORG_OU=OU_cn=Recipients_cn=First+2ELast@forest.domain.name

After it timed out the NDR reported the following:

IMCEAEX-_O=ORG_OU=OU_cn=Recipients_cn=First+2ELast@forest.domain.name
#550 4.4.7 QUEUE.Expired; message expired ##

Sometimes our end users would receive:
There is a problem with the recipient's e-mail system. More than one user has this e-mail address. The recipient's system administrator will have to fix this. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator and then try resending the message after the problem has been resolved.

The first thing I tried, from having experienced this in the past, was to check for duplicate SMTP addresses in our domain and then in our forest using an LDAP query:
(&(objectCategory=*)(proxyaddresses=smtp:first.last@domain.name))

For the life of me I could not find any duplicates in our domain or in our forest.  This led me to look at the address given earlier, which indicated the forest name and not the domain name.  Thanks to the resources linked at the end of this post, after some research (and a lot of pointers to Exchange 2003 issues), I thought to take a look at the student's LegacyExchangeDN in Attribute Editor in AD; it looked correct for our domain.  I then ran an LDAP query on the LegacyExchangeDN against the entire forest to see if another object existed with a string that matched the student:
(LegacyExchangeDN=/O=ORG/OU=OU/cn=Recipients/cn=First.Last)

The search pulled up two accounts; both were the same person, just enrolled as a student in each domain.

Normally, when mailboxes/users are created in Exchange, Exchange checks whether the LegacyExchangeDN already exists; if it does exist in the organization, a different one is created based on the account properties.  However, the way our programmer has written the user load process, it does not integrate with Exchange.

The SamAccountName for our domain users is First.Last, whereas for the other domain it is FInitialMInitialLastRandom#.

All attributes are created for the account in an external service, not tied in with Exchange, and then applied to Active Directory to finish the account creation.  Since Exchange plays no part in the load process, it does not check for existing LegacyExchangeDNs.  So the way our programmer fixed his creation process was to add a site-specific suffix to all mail users' Legacy Exchange DNs.  This way it is unique to our university, and our AD will check for conflicts before the object is created.
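The two checks above (decode the IMCEAEX address from the NDR, then hunt for the LegacyExchangeDN across every domain in the forest) can be done from one PowerShell session. The script below is an added example, not code from the original post: it assumes a domain-joined Windows host, a user with read access to the Global Catalog, and the documented IMCEAEX encoding convention (an underscore stands for "/" and "+XX" for a hex-encoded character). The address and SMTP value it is run against are the ones quoted in the NDR above; the function and parameter names are my own.

```powershell
# Added example, not from the original post. Decode the IMCEAEX address in the NDR back
# into its X.500 legacyExchangeDN, then search the whole forest through the Global Catalog
# for every object that carries that DN (or the same SMTP address).
# Assumptions: domain-joined host, read access to the GC, documented IMCEAEX encoding.

function ConvertFrom-ImceaexAddress {
    param([Parameter(Mandatory)][string]$Address)
    # "IMCEAEX-_O=ORG_OU=OU_cn=Recipients_cn=First+2ELast@forest.domain.name"
    #   -> "/O=ORG/OU=OU/cn=Recipients/cn=First.Last"
    $encoded = $Address -replace '^IMCEAEX-', '' -replace '@[^@]*$', ''
    $decoded = $encoded -replace '_', '/'
    # "+2E" is ".", "+20" is a space, "+5F" is a literal underscore, and so on.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    }
    return [regex]::Replace($decoded, '\+([0-9A-Fa-f]{2})', $evaluator)
}

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping so a DN containing "(", ")", "*" or "\" cannot break the filter.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) '\' + ('{0:x2}' -f [int][char]$m.Value)
    }
    return [regex]::Replace($Value, '[\\*()\x00]', $evaluator)
}

function Get-SearchResultValue {
    param($Result, [string]$Name)
    # Multi-valued and absent attributes both come back as collections; take the first value.
    if ($Result.Properties.Contains($Name)) { return [string]$Result.Properties[$Name][0] }
    return $null
}

function Find-ExchangeDnConflicts {
    param(
        [Parameter(Mandatory)][string]$LegacyExchangeDN,
        [string]$SmtpAddress
    )
    # One Global Catalog search covers every domain in the forest; legacyExchangeDN and
    # proxyAddresses are both replicated to the GC, so no per-domain queries are needed.
    $forestRoot = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"GC://$forestRoot")
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('distinguishedName', 'sAMAccountName', 'legacyExchangeDN', 'proxyAddresses'))

    $dnValue = ConvertTo-LdapFilterValue $LegacyExchangeDN
    # A renamed object keeps its old DN as an X500: proxy address, so match those as well.
    $clauses = "(legacyExchangeDN=$dnValue)(proxyAddresses=X500:$dnValue)"
    if ($SmtpAddress) {
        $clauses += "(proxyAddresses=smtp:$(ConvertTo-LdapFilterValue $SmtpAddress))"
    }
    $searcher.Filter = "(|$clauses)"

    foreach ($result in $searcher.FindAll()) {
        $dn = Get-SearchResultValue $result 'distinguishedname'
        [pscustomobject]@{
            # The DC= components of the DN tell you which domain in the forest holds the object.
            Domain            = (($dn -split ',DC=') | Select-Object -Skip 1) -join '.'
            SamAccountName    = Get-SearchResultValue $result 'samaccountname'
            LegacyExchangeDN  = Get-SearchResultValue $result 'legacyexchangedn'
            DistinguishedName = $dn
        }
    }
}

# Walk-through with the recipient string quoted in the NDR above.
$legacyDn = ConvertFrom-ImceaexAddress 'IMCEAEX-_O=ORG_OU=OU_cn=Recipients_cn=First+2ELast@forest.domain.name'
$legacyDn   # /O=ORG/OU=OU/cn=Recipients/cn=First.Last

$hits = @(Find-ExchangeDnConflicts -LegacyExchangeDN $legacyDn -SmtpAddress 'first.last@domain.name')
$hits | Format-Table Domain, SamAccountName, LegacyExchangeDN -AutoSize
if ($hits.Count -gt 1) {
    Write-Warning "$($hits.Count) objects in the forest resolve to $legacyDn; Exchange will keep returning RESOLVER.ADR.Ambiguous until only one remains."
}
```

Two things worth knowing when using this. The Global Catalog search is what makes the forest-wide check a single query; searching each domain's LDAP port separately is how duplicates in a sibling domain get missed. And the Active Directory schema does not enforce uniqueness on legacyExchangeDN (Exchange does that itself when it provisions the object), so an external load process that writes the attribute directly, as described above, should call a check like Find-ExchangeDnConflicts with the candidate DN and refuse to create the object unless the result is empty, rather than relying on AD to reject the conflict.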


Resources: