14 March 2014

What are "Schannel" errors and how to stop logging them

With certain Microsoft products, such as Exchange and Lync you see your evelogs filling up with "Schannel" errors; event id: 36888 The following fatal alert was generated: 51. The internal error state is 1306.

The event it self doesnt give out a lwhole lot of information but here is an explanation for it from technet:

When you enable Schannel event logging on a computer that is running Microsoft Windows NT Server 4.0, Microsoft Windows 2000 Server, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2008, or Microsoft Windows Server 2008 R2, detailed information from Schannel events can be written to the Event Viewer logs, in particular the System event log. This article describes how to enable and configure Schannel event logging. 

The internal error state is 1203 - From a support forum: "This event is seen on windows 2008 R2 running IIS. If a user tries to access a web site using HTTP but specifies an SSL port in the URL then this event is logged. This event is expected as the client is trying to use the wrong port or the wrong protocol to access the site
The error 1203 indicates invalid ClientHello from the client. This is by design and you can ignore this warning."

If your System eventlog is filling up with "Schannel" errors, and you want to stop this behavior, you can do the following.

Enable /disable logging

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note This registry key is present already in Windows 2000 and XP Professional.
  1. Start Registry Editor. To do this, click Start, click Run, type regedt32, and then click OK.
  2. Locate the following key in the registry:
  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value Name: EventLogging
    Data Type: REG_DWORD
    Note After you add this property, you must give it a value. See the table in the "Logging options" section to obtain the appropriate value for the kind of events that you want to log.
  4. Exit Registry Editor.
  5. Click Start, click Shut Down, click to select Restart, and then click OK to restart the computer. (Logging does not take effect until after you restart the computer).

Logging options

The default value for Schannel event logging is 0x0000 in Windows NT Server 4.0, which means that no Schannel events are logged. In Windows 2000 Server and Windows XP Professional, this value is set to 0x0001, which means that error messages are logged. Additionally, you can log multiple events by specifying the hexadecimal value that equates to the logging options that you want. For example, to log error messages (0x0001) and warnings (0x0002), set the value to 0x0003.
Collapse this tableExpand this table:

0x0000                  Do not log
0x0001                  Log error messages
0x0002                  Log warnings
0x0004                  Log informational and success events


12 March 2014

How to renew Lync Edge server "webserver" certificate

Once a year it's time to do this, and probably just like me, you think how did i do this last year.
So to never forget, or to look it up each year, here goes:

1. Inside your Lync environment, click on Start -> All Programs -> Microsoft Lync Server 2010 -> Lync Server Deployment Wizard.

2. Click on Install or Update Lync Server System.

3. Under Step 3, click on Run Again.

4. Select the certificate you would like to renew and click on Request.
5. Click Next.
6. Select Prepare the request now, but send it later (offline certificate request), and click Next.

7. Select where you want the request to be saved and click Next.
8. Click Next in the Certificate Template window.
9. Specify a name you want to use for identifying this certificate, and select "Mark the certificate's private key as exportable".

10. Enter the organization and organization unit name, as well as geographical location on the next window.
11. Next window will list Subject Names what will be included in the certificate, click Next.
12. If you are requesting a certificate for an Edge server,you will be able to select your SIP domain, click Next.
13. In this window, you will have to enter all of the Subject Alternate Names used in your Lync environment. For example lync.domain.com, edge.domain.com, dialin.domain.com, meet. domain.com etc.

14. Verify your information and click next.
15. Click Next to generate the request then click Finish.
16. Now that you have your CSR request file, send it over to your SSL provider or your local PKI environment. When you get your new certificate files, right click on each one and select Install Certificate.
17. Go back to your Lync Certificate wizard and click on Assign. Look for the friendly name you created in step 9, and select it. Click next until your certificate is assigned.
18. Restart Lync services and they should start right up. Check for any error logs in the Event Viewer.

If you plan on using the same certificate on your other Lync servers, you will have to use the Microsoft Management Console Certificate Snap-in to export and import the certificate to other servers. Now repeat from step 16.

Source 1
Source 2

05 March 2014

VSS Writer showing retryable error and how to reset them

When backups fail with exchange, one of the first things i look for are the VSS writers.
These writers create a snapshot function for Windows and third party backup products.

If the status shown is "Retryable error", "Waiting for completion" and a status other than "Stable" things might go wrong.
I say might because the error shown is the writers last state, not the actual state.

To check the status in a command box:

vssadmin list writers

To check the status in Powershell:

& vssadmin list writers | Select-String -Context 0,4 '^writer name:' | ? {
  $_.Context.PostContext[2].Trim() -ne "state: [1] stable" -or
  $_.Context.PostContext[3].Trim() -ne "last error: no error"


vssadmin list writers | fl name,state,last*

All show this output:

PS C:\> vssadmin list writers | fl name,state,last*
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Writer name: 'Task Scheduler Writer'
   Writer Id: {d61d61c8-d73a-4eee-8cdd-f6f9786b7124}
   Writer Instance Id: {1bddd48e-5052-49db-9b07-b96f96727e6b}
   State: [1] Stable
   Last error: No error

Writer name: 'VSS Metadata Store Writer'
   Writer Id: {75dfb225-e2e4-4d39-9ac9-ffaff65ddf06}
   Writer Instance Id: {088e7a7d-09a8-4cc6-a609-ad90e75ddc93}
   State: [1] Stable
   Last error: No error

Writer name: 'Performance Counters Writer'
   Writer Id: {0bada1de-01a9-4625-8278-69e735f39dd2}
   Writer Instance Id: {f0086dda-9efc-47c5-8eb6-a944c3d09381}
   State: [1] Stable
   Last error: No error

To resolve the error and get back to a healthy writer state, you could do one of the following:

  • Restart your server
  • Reboot the corresponding service (see the table below)

VSS WriterService NameService Display Name
ASR WriterVSSVolume Shadow Copy
BITS WriterBITSBackground Intelligent Transfer Service
COM+ REGDB WriterVSSVolume Shadow Copy
DFS Replication service writerDFSRDFS Replication
DHCP Jet WriterDHCPServerDHCP Server
FRS WriterNtFrsFile Replication
FSRM writersrmsvcFile Server Resource Manager
IIS Config WriterAppHostSvcApplication Host Helper Service
IIS Metabase WriterIISADMINIIS Admin Service
Microsoft Exchange Writer
Microsoft Exchange Writer
Microsoft Exchange Information Store
Microsoft Exchange Replication
Microsoft Hyper-V VSS WritervmmsHyper-V Virtual Machine Management
NTDSNTDSActive Directory Domain Services
OSearch VSS WriterOSearchOffice SharePoint Server Search
OSearch14 VSS WriterOSearch14SharePoint Server Search 14
Registry WriterVSSVolume Shadow Copy
Shadow Copy Optimization WriterVSSVolume Shadow Copy
SPSearch VSS WriterSPSearchWindows SharePoint Services Search
SPSearch4 VSS WriterSPSearch4SharePoint Foundation Search V4
SqlServerWriterSQLWriterSQL Server VSS Writer
System WriterCryptSvcCryptographic Services
TermServLicensingTermServLicensingRemote Desktop Licensing
WMI WriterWinmgmtWindows Management Instrumentation

I will be trying to get a script to check, report and restart the corresponding service for this.
Stay tuned.

03 March 2014

Edge server marks relayed sent item as spam

We had a case of "WTF", why is it doing this?
A message sent by a server in the DMZ relayed through an Edge server had the servername in the header address:

Return-Path: noreply@company.com
Received-SPF: Fail (sr-XXXX.company.lan: domain of noreply@company.com does
not designate 333.333.888.130 as permitted sender)
receiver=sr-XXXXX.company.lan; client-ip=333.333.888.130;


In combination with Forefront protection for Exchange 2010 this led to unwanted spam and messages being bounced at the receiving side.

After searching some fora we came up with this solution:

Add the originating sending server to the whitelist in the Exchange whitelist on both Edge servers.

After this the mail header should look like this:

Received: from SR-XXXXX.company.com.dmz (333.333.888.131) by mx03.company.com
(333.333.888.25) with Microsoft SMTP Server id; Fri, 28 Feb 2014
07:45:22 +0100
Received: from mail pickup service by SR-XXXXX.company.com.dmz with Microsoft
SMTPSVC;      Fri, 28 Feb 2014 07:45:21 +0100
MIME-Version: 1.0
From: Company <noreply@company.com>
To: <email@domain.com>
Date: Fri, 28 Feb 2014 07:45:21 +0100
Subject: Some text
Content-Type: multipart/related; type="text/html";
Message-ID: <SR-XXXXX0het1ULbDlB00018788@SR-XXXXX.company.com.dmz>
X-OriginalArrivalTime: 28 Feb 2014 06:45:21.0601 (UTC) FILETIME=[A6B60B10:01CF3450]
Return-Path: noreply@company.com