Internet File Blocking on Server 2008 and Windows 7

We’ve got a client who recently upgraded their Windows Server 2008 Remote Desktop Services box from Office 2003 to Office 2010.  In doing so, they ran up against Internet File Blocking which Office 2010 seems to take seriously, where Office 2003 ignored it.

In a nutshell, any file you download from an “insecure” location, like say, your email, gets a tag injected in its Alternate Data Stream marking it as potentially unsafe, so when you try to open it using Office 2010, you get this helpful dialog:


File permissions are fine and disk space and memory is plentiful, so what’s the glitch?  It’s the alternative data stream, a hidden feature of NTFS that allows, well, alternate data to be stored along with your file; so in our case, every downloaded file has a Zone Identifier in its ADS, and Office will hemorrage with an unhelpful dialog if it comes across something.  Internet Explorer at leasthas the decency to tell you the score:


So, the question is how does one open these files in Office?

One way is to right click on the file, go into the properties tab and click the UNBLOCK button


But that can get tedious.

You can use SYSINTERNALS’s streams.exe file to strip the ADS out of a bunch of files.

Or, you can turn the behavior off, which is what we did for our client.

A quick trip to the Google brought us to Dixin’s Blog (which is where we cribbed the “file properties” screenshot from) and the steps are laid out very clearly there.

In a nutshell, go to Group Policies and edit or create a policy to enable a single setting in User Configuration > Administrative Templates > Windows Components > Attachment Manager > Do Not Preserve Zone Information in File Attachments.  

Log off and log back on, and you’re good to go.

(We also forced the “Notify Antivirus Programs When Opening Attachments” setting, just to be on the safe side).

Anyway, you should really just go read the article over at Dixin’s Blog and read Understanding The Internet File Blocking and Unblocking, it’s much better than this one.  Lots of screenshots and explanatory text in an easy to read manner.



ADO Problems (Error 430) with VB6 on Windows 7

Lot of numbers in that heading. 🙂

We’ve made the move to Windows 7 and we love it.  However, we haven’t really made the move to VB.NET.  I still like developing in VB6; I know that makes me a little bit of a relic, but I don’t do that much development these days to justify the investment in fully ramping up on VB.NET.

So, I had to tweak a legacy application I wrote which reads an email from a POP3 mailbox and writes the contents into a database.  The program is maybe 30 lines long, and it’s a dream thanks to the w3JMail library and ADO.

I revised the program, ran it on my Windows 7 machine, and all was right in the world.  I went to deploy it back to the Windows 2003 server where it lives, and I was hit with Error 430 errors: “Class does not support Automation or does not support expected interface”

So, after adding line numbers to the code, I was able to track the error down to the line

Set objConn = New ADODB.Connection

That seemed weird.  I tried a bunch of different ADO libraries and nothing.  Then I stumbled upon a MSKB article, with the longest, most specific title I’ve seen in recent memory: “An ADO application does not run on down-level operating systems after you recompile it on a computer that is running Windows 7 SP 1 or Windows Server 2008 R2 SP 1 or that has KB983246 installed

Long story short, if you’re running Win7 SP1 or Win08R2 SP1, then .NET breaks ADO and you need to register some new type libraries on your local machine and then recompile using those type libraries, NOT the usual ADO libraries.

The KB article shows you how to do it easily enough. Put the files where they tell you.  I had to manually navigate to the folders for some reason, but once I did, they registered up like a charm and my programs ran again.

SBS 2003 to 2011, Post Mortem

There’s been good response to my earlier post (really, July?!?) about upgrading a client’s server from SBS 2003 to SBS 2011 — people want to know how the story ended.  So, forgive me for taking so long to finish up.  So, this will be short of details since I didn’t take notes and am relying on memory.

TL;DR – Did a clean install. Recreated users, shares and printers.  Export mailboxes to PSTs.  Copied data over.  Reimported mailboxes. Got on with my life.

For the second run at upgrading the server, I had a few new tools at my disposal.

First, was a virtual copy of their server.  Since their server was already virtualized, I just stopped VMWare, made a copy of the VM and took it back to my office.  I loaded it up on a little Vostro 200 I had laying around (the server was amazingly peppy, all things considered) and then figured I’d do 99% of the migration off-site and then drop the box in and copy what was left of the data and mailboxes over.

I made the smart move and took GHOST images of the new box at every juncture, so I could “easily” roll back.  (Granted, the roll back takes 15 minutes, but it’s waaaaay better than having to sit thru the unpacking of files every time something goes wrong.)

I will say it took an inordinate amount of time to get the right drivers to get the Dell T310 work with Sysinternals’ ERD Commander 5.0 (Microsoft version; not the pre-buyout version with Firefox in it…) but it was worth it.

Let’s say I rolled back more than a few times.  Learning a little more each time; or sometimes just doing everything identically, but having it work the second time around.

This guide came in handy:

After doing this dance for a couple days, it got to a point where I was fed up with the roadblocks and things not working right (like migrated uses not showing up in the users applet).  From an email I sent to my partner at midnight the night before we were supposed to be on site, where I make the call to punt:

“OK, I’ve had it. Every time I think I got it, there’s some fucking error somewhere. I assume its in the old box somewhere — a remnant of the P2V or something. So, fuck the migration. Their environment isn’t so hard that we can’t just do a clean install from scratch, remake the 10 users and the 4 shares and just be done.  Can you come down tomorrow since we’re going to have join the machines to a new domain? I think the biggest challenge is going to be exporting/importing [the owner’s] 8GB PST. I’ll have all the users set up and the groups and most of the data copied over, so it’ll just be joining the computers to the new domain and importing the mail.”

From there, it was a dream — everything worked just fine.  We had one machine exporting people’s PST files for later import.

(WARNING: You lose Single Instance Storage when you do it this way, so your Exchange store will be bigger than it was due to duplication of attachments, etc. This may not be right for you.  YMMV.)

At about 1:30 AM we were ready to move the new server into the copy room where it was going to stay.  The server asked to apply 59 updates, and like idiots, we let it, and that’s where it all went to shit.

The reboot happened and then nothing but “Applying Updates, Stage 3 of 3…”

After an hour of staring at that screen, I sent my partner home.  No sense have two of us stuck in graybar land.

After two hours, I started Googling solutions to the problem.  Eventually I was able to start the server and get to safe mode where I could edit some XML files and cross my fingers and wait more.

After another hour, I just left.  It was almost 4 in the morning by that point, so I got a room at a nearby motel (to save myself the 65 minute each way commute to the client office) and crashed hoping to get back onsite before everyone showed up at 8.

As I wrote in my post-mortem email to Brian at 11:20 AM:

Subject: What a fucking mess

Everything works and nothing works,

Ended up staying at the local Days Inn and crossed my fingers that the thing would roll back while I slept, and when I came back at 8:15, we were at CTRL+ALT+DEL so it seems to be OK,m tho it lists all 59 updates as pending. There’s a possibility they’ll never take. (Fun!)

“Where are my contacts!?!” (nickname) – bring them over and all the nicknames for the internal people are all wrong, so the mail bounces.  NK2Edit to the rescue.

Scanner set up.

Abacus’ DRM is driving me up a fucking wall.

Some documents that people were working on last night never made it over — feels like there wasn’t a sync done, and since we generally deleted the offline files from the workstations to eliminate the error we were getting at logoff sync… DOH. Happily, it seems they were able to recreate them with little effort, so it was an inconvenince, but not a show-stopper.

People don’t like to use their address books, I find — they really REALLY rely on their NK2 files — so when doing any sort of migration, don’t overlook them.  NK2Edit is the greatest tool in the world.

I hate DRM.  I think it only hurts legitimate users, pirates get past it with little effort, so it only serves to create issues for paid users at the worst possible times — like when people need to use their time and billing systems and the support center isn’t open for another hour or two…

The document sync issue wasn’t something we thought was an issue — we made sure offline files were all sync’d up, but users reported some documents didn’t copy over, and I’m not sure what else to attribute it to.

In the time since we did this, the 59 updates did in fact take and the server didn’t fall apart or fail.


Sometimes it’s quicker to upgrade…

Visited a client today who was complaining of computer sluggishness among other issues, so I check the Microsoft Security Essentials and it says it’s a few days out of date, but a manual attempt at updating failed with an error.  So, of course, I worry about infection getting in the way of doing updates, but it occurs to me he’s still on MSSE 1.x and I upgrade him to 2.x and all is well, he can take updates again.  Yay.

Then I see the Windows Update shield, and I open it up much to my horror:

118 UPDATES?!?

So, at 2:05 PM, I clicked “AGREE” on a licensing agreement, and off we go…

I have a thread going over on Facebook…

JK (me): Shall we take bets as to how long this will take to run?

AF: I’ll take the over on 5 reboots.

JS:  i am guess it will take 6 hours total. 5 hours and 45 minutes of annoying pop ups. 15 minutes of actual updating

JK: 2:10 – 2 security updates done… 0 reboots.

JK: ‎2:16 – 10 down, 0 reboots

JC: Don’t forget Genuine Advantage.

JK: That’s always last, isn’t it?

JK: 2:36 19 down… 0 reboots.  (Net Framework installs take the longest.)

JK: 2:46 Update 22. Net Framework 1.1 SP1; see you in an hour. 🙂


Upgrading SBS 2003 to SBS 2011

So, we’re at a client’s and we have to do a migration from SBS 2003 to SBS 2011.

We’re relying on Microsoft’s instructions to get us through the night.

It’s 7:31 pm on a Friday night.  The air conditioning in the office has been turned off, so it’s a bit sultry.  I prepped the source server last night — just made sure its service packs and patches were up to date.  Now that I’m on site, I’m ready to make my answer file.

To do so, we need to install some tools from the SBS 2011 install media (which happily Dell included).

Sadly, the pre-requsites to using the tool don’t run on Windows XP, and this is an XP shop.


However, I’ve got two Dell Inspiron 560s ready to be dropped down and they have Windows 7 on them, so let me unbox one and get it powered up so I can get the server migration started.

(I had planned on installing the workstations when the data was migrating… looks like I get a jump on it…)

I’ll be back once I’m unboxed…

 7:56 – Machine unboxed, Facebook notified of liveblogging, OOBE completed, waiting for my desktop customizations and personal settings to be applied. Backup of source server in progress.

8:22 – Machine joined to domain, Migration Assistant installed and waiting for backup to finish…

8:31 – Backup can take 7 hours.  Uh-oh.  Wait!  The server is running in a VM!  There was a hardware failure which precipated this migration so we brought the old box back up in a VM.  (Pretty slick apart from a couple licewnsing activation gotchas.  “DRM — Screwing the honest since 1998.”) So, I can just take a snapshot and roll back if anything goes horribly wrong! Score! Back on schedule!

8:37 – Migration Assistant found some issues…

9:08 – Issues persist.  Odd ones  that aren’t true – the remote registry service IS running, but the migration assistant refuses to believe it…

9:51 – Ran some more hotfixes on the server after SBS BPA suggested it.

10:16 – Re-read some documentation.  Last night, I read that (what I thought was) the migration assistant needed to be run on a workstation, not the server.  That does not seem to the case.  I’ve spent the last hour chasing down ghosts.

10:20 – Running the MA on the SBS server worked right out of the box.  FML.  Wasted all this time due to my stupid brain.  Stupid, stupid brain.

LESSON 1: Run the Migration Tool ON THE SOURCE SERVER.

10:42 – Answer file created, copied to USB key, USB key in destination server and the install is now running on the destination server.  Right out of the box, the new Dell server runs thru its little preinstall and then dumps you at a screen that says “Basic or Migration Install?”  I choose Migration, it reads the answer file like magic, and we’re off to the races.

I created the answer file to not be unattended. I like clicking NEXT when I do my server installs – just to make sure everything is right one last time before committing.  Good thing too, since I misspelled the domain name on the credentials section of the answer file…

Now we wait what may be 30 minutes for Windows to expand its installation files…

10:53 – Server just rebooted itself…

10:54 – Seemed to apply some updates, back to waiting for expanding files… and in the time it took me to type this, it started rebooting again… and we wait some more…

11:02 – Finally, motion!  The bar on the screen started moving across.  I guess all the updates are done… more waiting…

11:03 – I guess it connected to the domain because a printer mapping came up and failed due to an incompatible driver… more waiting…

11:31 – 80% of the way thru the bar.  “Up to 30 minutes,” indeed!”  Luckily, the new workstations (before decrapifying) have the WildTangent games on them.  They’re usually the first things to go, but right now, I’m glad they’re here…

11:43 – 90% of the way thru… when does the 6 hour “migrating data from old server” start?

11:44 – No sooner than I type that, then Explorer starts putting up its “Customizing Browser Customizations…” dialog, and the SBS Setup program quits with an error.  Swell.  (Looks at logs… might it have something to do with time synchronization?!?)

12:12 – Fantastic.  The source server got hung up (a backup started: LESSON TWO – STOP TASK SCHEDULER) and the clock stopped advancing, which caused Kerberos errors, and then the only way to recover is TO START OVER.  So, rebooted both servers, booted off the DVD on the destination server, reformatted the partitions and am now sitting thru the whole thing again.  Sloppy… but this is why we flat-rate server installs… my mistakes are my own and come out of my end, not the client’s.

12:41 – We’re back at where we were at 10:42.  Lost almost 2 hours ot the minute.  Dang.  Worst part, is I don’t have a key to the building, so I’m trapped here.  Can’t even go out for a bite and come back…

1:08 – Server install fails with “JoinDomain_DCPROMO Failed…” – turns out the initial failed install got as far as seizing all the roles from the other server and was already in the domain.  So, instead of trying to reverse everything I did, I just reverted to the snapshot from 8:31.

1:22 – Snapshot still had the anti-virus installed and didn’t have the migration assistant run, so we’re waiting for the post-AV, pre-MA reboot.  *sigh* I’ll be pretty good at this when I finally get it done… tho I am ECSTATIC that the server is a VM and all it took was the snapshot to roll it back.  I don’t know what I would have done (likely a clean install, then a manual migration of mail and a visit to all workstations to rejoin them to the domain) if I didn’t have that capability…

4:19 – Been a while.  Had to give two it more tries.  Both failures.  This last time, I logged in to the domain once as the new user they want you to create to act as the migration account, and maybe that was the charm, because now — seven hours after we started — I can proceed to STEP FOUR of the 19 Step Migration document…

8:34 AM – Looked good for a while, then it didn’t.  The Migration Wizard on 2011 isn’t as automated as one might hope, and in my bleary eyed state, I made some missteps and by the end, nothing seemed right, so I punted.  Old server restored from snapshot and I will take another run at this soon, once I catch up on some sleep and more reading in the migration guide.