Vista knowledge from the OEM team and others...

During a discussion here about debugging in Windows we got onto the topic of extensions and tricks to speed things up and cut out extra steps.

One super simple tip is to associate the .DMP memory dump files with WinDbg, this was previously posted by another Escalation Engineer who herself got it from someone else. Suffices to say that it's definitely worth passing along and can save a lot of time when going through many dumps:
http://blogs.msdn.com/tess/archive/2005/12/05/associate-windbg-with-dmp-files.aspx

First create a .reg file with the following contents (as always be very careful when modifying the registry):

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.dmp]
@="Debugger.Dump"

[HKEY_CLASSES_ROOT\Debugger.Dump]

[HKEY_CLASSES_ROOT\Debugger.Dump\DefaultIcon]
@="c:\\debuggers\\cdb.exe"

[HKEY_CLASSES_ROOT\Debugger.Dump\Shell]

[HKEY_CLASSES_ROOT\Debugger.Dump\Shell\Debug_Without_Remote]
@="Debug this Dump"

[HKEY_CLASSES_ROOT\Debugger.Dump\Shell\Debug_Without_Remote\Command]
@="\"C:\\debuggers\\windbg\" -z \"%1\" -c \"$<c:\\debuggers\\commands.txt\""

[HKEY_CLASSES_ROOT\Debugger.Dump\Shell\Debug_With_Remote70]
@="Debug this Dump with Remote:70"

[HKEY_CLASSES_ROOT\Debugger.Dump\Shell\Debug_With_Remote70\Command]
@="\"C:\\debuggers\\windbg\" -server tcp:port=70 -z \"%1\" -c \"$<c:\\debuggers\\commands.txt\""

This will give you two additional options on the context menu when rightclicking on .dmp files. First "Debug this Dump" which will open WinDbg with your dump and then run the commands in commands.txt. The second option "Debug this Dump With Remote:70" will do the same thing but also set up a remote so that your coworkers can remote in to your debugging session though port 70. (Remember to change the paths so they point to the directories where you have windbg.exe and commands.txt)

Secondly, create a file called commands.txt that contains any commands you want to run when the debugger starts. The one below sets the symbol path to the public symbols and loads sos.dll.

.sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
.load clr10\sos

Here are some additional resources to help get you started in your debugging adventures. It should be noted that whether you're an OEM working on a case with our team or you're an average beta tester. Providing memory dumps and the most basic analysis initially will definitely help get the ball rolling, any support professional or tester will greatly appreciate the extra effort.

WinDbg Tutorial: http://www.codeproject.com/KB/debug/windbg_part1.aspx
Microsoft Advanced Windows Debugging and Troubleshooting
The Old New Thing
Windbg by Volker von Einem
Joel on Software
Debugging Toolbox
Advanced .NET Debugging

Greetings Blog Readers,

My name is Ed Jolly, and I am a director in the Commercial Technical Support (CTS) organization at Microsoft. I am here to request a few minutes of your time.

We would like to learn more about blog readership through a brief survey. This is an opportunity for us to better understand what is valuable to you and what you would like to see in the future.

Below is a link that will take you to another website to complete the survey. Based on what we learn, we may request more feedback in future surveys like this.  When you open the survey, you will see a list of blogs that CTS engineers contribute to across many different products. We have not posted a listing of these blogs in the past, and I hope it helps you find other blogs that are helpful to you.

The blog survey is completely anonymous.

• Location: http://www.tsisurveys.com/mssurveys/blog/index.asp
• Availability: Until August 22. You may receive a request to complete this survey through multiple RSS feeds. You need only to complete it one time.
• Length: The survey can be a maximum of 11 questions.
• Time: Less than 5 minutes (but providing more information in the open text fields may take a minute or two extra, improving our ability to understand your needs in these blogs).

Thank you in advance for your time, participation and assistance.

Ed Jolly (edjolly@microsoft.com)

Via the Windows Home Server Team:

The team is pleased to announce that Windows Home Server Power Pack 1 has been released to manufacturing (RTM) and is now available on the Microsoft Download Center!

German, Spanish and French versions will be available on the Download Center the first week of August. Windows Home Server customers who don't download it on their own will receive Power Pack 1 via Windows Update on August 12, and Chinese and Japanese versions will RTM in early August, too. 

As many know, Power Pack 1 provides a range of new enhancements, including support for home computers running Windows Vista x64 editions, backup of home server Shared Folders, improvements to remote access, more efficient power consumption and improved performance. Documentation for Power Pack 1 is available here.

In conjunction with the release of Power Pack 1, HP will release a software update for the HP MediaSmart Server, delivering enhanced media streaming capabilities from PacketVideo, server-side anti-virus from McAfee and compatibility with 64-bit home PCs.

Windows Home Server can now be purchased in 50 countries worldwide. And a growing ecosystem of third-party software developers have released or announced approximately 60 Add-in programs extending Windows Home Server's capabilities.

We continue to hear fantastic feedback from our customers about how Home Server is helping them protect their digital media, share it with friends and family, and access it from outside of the home. Thank you to our beta testers and partners for helping us ship Power Pack 1, and to the Home Server community as a whole for its ongoing support and enthusiasm.

Here are some additional resources as well to help you along with Windows Home Server:

WHS Team Blog: http://blogs.technet.com/homeserver/
WHS Add-ins: http://www.wegotserved.co.uk/windows-home-server-add-ins/
WHS information via MSDN: http://msdn.microsoft.com/en-us/library/cc512455.aspx
WHS community forums: http://forums.microsoft.com/WindowsHomeServer/default.aspx?siteid=50

Q: I’ve installed Windows Vista on my laptop but I do not see hibernation listed in the Shutdown options. How do I enable this?
A: During Windows Vista installation, setup looks at your current memory and if the system has 4GB or greater, Windows will not enable hibernation by default. Many OEMs work around this by enabling hibernation in their pre-install images.

For enterprise and home users, you can use the following procedure to enable hibernation:

1. Log on on to Vista with an Administrator account.
2. Click Start, type cmd in the Start Search text box.
3. Right-click cmd.exe, click Run as Administrator, and then click Continue.
4. Now you are ready to enable hibernation. Type in the following without the quotes “powercfg –h on” and press enter. 

This will enable hibernation and unlike Windows XP you will not need to limit the RAM to under 4GB by using msconfig to enable hibernation in Windows Vista.
-David Winkler

As you're probably already aware, Hyper-V was released not too long ago. There are a number of resources available to help you with your adoption and support of these new virtualization features in Windows Server 2008.

One piece of advice, when doing a clean install of Server 2008 we'd highly recommend running through and downloading all of the Windows Updates that are currently available including the RTM update of Hyper-V. When running through the add new role, Windows will install the latest package it has available in its repository, so you'll want to make sure the latest is downloaded before you install for the best experience.

Here is some additional information about the install process and where to get the updates. After you've run the updates and started using Hyper-V, you may want to take a look at this PowerShell management library which makes easy work of many Hyper-V tasks. Just paste the library into your PowerShell profile and you're good to go. Trying to debug in Hyper-V, take a look at the following post to help you along.

Finally, be sure to check out the Virtualization team blog for the most up to date information about Hyper-V and other virtualization news.

Here on the OEM team, we are often asked storage-related questions about the latest versions of Storport.sys, the iSCSI Initiator, and MPIO.                 

For easy reference, below are the latest available versions of Storport.sys, MPIO, and the iSCSI Initiator as of 6/18/2008.  Both GDR branch fixes available directly from the Microsoft Download Center and LDR branch fixes available from Microsoft Support are listed.

Please note that all updates are cumulative within the same branch, so though the below updates may not resolve a problem you are seeing, a previous fix may resolve your problem.  Look for more details on GDR fixes versus LDR fixes in David's post from 3/11/08: "What is the difference between general distribution and limited distribution releases?"

Please contact your storage vendor to discuss whether you should upgrade to the latest available Storport.sys, vendor-specific MPIO DSM, HBA drivers, etc.

Storport.sys
Server 2003 SP2
Latest version of Storport.sys available directly from the Microsoft Download Center:
KB 943295 – http://support.microsoft.com/kb/943295
Build 5.2.3790.4163 (October 2007)

Latest version of Storport.sys available from Microsoft Support:
KB 950448 – http://support.microsoft.com/kb/950448
Build 5.2.3790.4303 (May 2008)

Vista RTM, Vista SP1, and Server 2008
Latest version of Storport.sys available from Microsoft Support:
KB 953390 - http://support.microsoft.com/kb/953390
Vista RTM - Build 6.0.6000.20845 (May 2008)
Vista SP1 - Build 6.0.6001.22190 (May 2008)
Server 2008 - Build 6.0.6001.22190 (May 2008)

iSCSI Initiator
XP and Server 2003
Latest version is 2.07 (May 2008):
http://www.microsoft.com/downloads/details.aspx?FamilyID=12cb3c1a-15d6-4585-b385-befd1319f825&DisplayLang=en

Fixes for the following issues are included in this version:

1. Data written twice when spanning tapes on an iSCSI target virtual tape drive.
2. Bugcheck in iscsiprt on getting storage device ID property.
3. iscsiexe.exe can leak memory on discovering targets.
4. Initiator leaks handles when refreshing the list of persistent targets.
5. Microsoft iSCSI MPIO DSM (MSISCDSM) leaves stale Registrations under certain conditions.
6. Persistent Reservation (PR) not propagated across paths.

MPIO
Latest version is 1.21 (May 2008)
Included with iSCSI Initiator 2.07

Fixes for the following issues are included in this version:

1. Fixed a system hang that could occur due to race condition between path recovery and new path arrival.
2. Fixed install sample to use the correct MPIO hardware identifier on Windows Server 2008
3. Fixed memory leak in MPIO.
4. Fixed a system hang that could occur during total path failure in a Cluster environment.
5. Fixed Microsoft MPIO DSM (MSDSM) to update statistics for the correct path.
6. Fixed Microsoft MPIO DSM (MSDSM) logic for retrying Persistent Reservation commands.

In this helpful how to KB from our very own Doug Iman, he decribes at great length what is required to set up dynamic boot partition mirroring on GUID partition table (GPT) disks in Windows Server 2008.

This will be increasing helpful in the future as GPT begins to replace the aging Master Boot Record (MBR). While GPT disks technically still have some level of backwards compatibility by maintaining the MBR in the very first sectors of disk, this is mainly for disk utilities and other applications. Because of various differences between these types of disks, the steps required to enable partition mirroring have changed significantly.

For the complete guide see the following KB article, 951985: http://support.microsoft.com/?kbid=951985. If you'd like to know more about GPT disks, check out the above link to Wikipedia, or the Windows and GPT informational pages here, here, and here.

Any other questions feel free to leave a comment on this post.
Cheers,
Corey

If you happen to be debugging and hit the PrtScn / SysRq key on the debugee you may have noticed that this caused the debugger to break in. In certain situations this may not be the desired, thankfully it can be changed. This behavior and the modification is described in the following MSDN article, http://msdn.microsoft.com/en-us/library/cc267412.aspx.

One important thing to note though is that this also applies to USB keyboards through the kbdhid driver:

You can disable the SYSRQ key by editing the registry. In the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters registry key, create a value named BreakOnSysRq and set it equal to DWORD 0x0. Then, restart the computer. After you have restarted the computer, you can press the SYSRQ key on the target computer's keyboard and it will not break into the kernel debugger.

Debug | Break

Click Break on the Debug menu to stop the target's execution and return control to the debugger.

In user mode, this command stops the process and its threads, enabling you to regain control of the debugger. In kernel mode, this command breaks into the target computer.

You can also use this command while the debugger is active. In this situation, the command will truncate long Debugger Command window displays.

The Break command is equivalent to pressing CTRL+BREAK or clicking the Break (Ctrl+Break) button () on the toolbar.

User-Mode Effects

In user mode, the Break command causes the target application to break into the debugger. The target application stops, the debugger becomes active, and you can enter debugger commands.

If the debugger is already active, Break does not affect the target application. However, you can use this command to terminate a debugger command. For example, if you have requested a long display and do not want to see any more of it, Break will end the display and return you to the debugger command prompt.

When you are performing remote debugging with WinDbg, you can press the Break key on the host computer's keyboard. If you want to issue a break from the target computer's keyboard, use CTRL+C on an x86-based computer.

You can press the F12 key to open a command prompt when the application that is being debugged is busy. Click one of the target application's windows and press F12 on the target computer.

Kernel-Mode Effects

In kernel mode, the Break command causes the target computer to break into the debugger. This command locks the target computer and wakes up the debugger.

When you are debugging a system that is still running, you must press the Break key on the host keyboard to open an initial command prompt.

If the debugger is already active, Break does not affect the target computer. However, you can use this command to terminate a debugger command. For example, if you have requested a long display and do not want to see any more of it, Break will end the display and return you to the debugger command prompt.

You can also use Break to open a command prompt when a debugger command is generating a long display or when the target computer is busy. When you are debugging an x86-based computer, you can also press CTRL+C on the target keyboard to have the same effect.

The SYSRQ key (or pressing ALT+SYSRQ on an enhanced keyboard) is similar. This key works from the host or target keyboard on any processor. However, this key works only if you have opened the prompt by pressing CTRL+C at least one time before.

You can disable the SYSRQ key by editing the registry. In the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters registry key, create a value named BreakOnSysRq and set it equal to DWORD 0x0. Then, restart the computer. After you have restarted the computer, you can press the SYSRQ key on the target computer's keyboard and it will not break into the kernel debugger.

Additional Information

The corresponding key in KD and CDB is CTRL+C. For more information about other ways to control program execution, see Controlling the Target.

To that effect we'd just like to reiterate that indeed, Windows Server 2008 and Windows Vista Service Pack 1 are in fact the same code base now. This means that when you go to the System control panel, Windows will show Server 2008 RTM as having Service Pack 1 already included, this can be seen in the screen shot at left.

Now that servicing will be done against the same codebase, the first Service Pack for Server 2008 will be SP2.

The official statement can be found in KB 949607.
http://support.microsoft.com/kb/949607

There are a number of boot options that can be used in Vista and Windows Server 2008 that can be a pain to modify (or not possible if you are in a bugcheck loop), that can be done on the fly at boot time. These options are invaluable for diagnosing some problems you may experience on the system, and modifying them in the OS may involve figuring out the bcdedit syntax, the right BCD store to modify, or rebuilding and burning a new install DVD (if the problem is happening during install from media).

Some example boot switches you might want to use are:

• Adding a debug switch for any type of transport (not just the default serial option that you get in the F8 menu)
• Opting in or out of no exececute (NX)
• Capping the amount of system memory (with maxmem or burnmem)
• Limiting the number of processors (with numproc)

To modify the boot options on a Vista and Windows Server 2008 system, whether it is booting from the hard drive or DVD, you can do the following:

1. Hit the space bar repeatedly after the BIOS screen goes away.
2. On the next screen will be the Windows Boot Manager menu where you select the boot operating system.
3. On this screen hit the F10 button.
4. This will take you to the Edit Boot Parameters screen where you can edit the boot options in the same way you did with the boot.ini file in previous versions of Windows.
5. Here you can change the default values to the one-time values you want for this boot.

An example of this is to do a debug using 1394. To do this you change the default values to:

[ /NOEXECUTE=OPTIN /DEBUGPORT=1394 /CHANNEL=40 ]

And you will boot with the debugger enabled on the 1394 bus and with a channel number of 40.

Further switches and examples to come in further posts...

Want to debug the most difficult problems against the largest, most complex piece of software ever written? Are you fluent in C and assembly? Do you carry a spare debugger cable in your bag? Can you represent Microsoft in critical, time sensitive solution delivery? Writing code is easy, finding bugs in someone else’s code you’ve never seen before is a real challenge.

Want to hear more?

http://blogs.msdn.com/jobsblog/archive/2007/01/26/jobcast-life-as-an-escalation-engineer.aspx
http://blogs.msdn.com/jobsblog/archive/2007/11/21/life-as-an-escalation-engineer-part-ii.aspx

Candidate must be a strong critical thinker, and enjoy solving very difficult problems (often involving code level analysis).  Escalation Engineers within GES are frequently involved with the highest profile issues, and therefore must be able to handle both pressure and complex situations. Candidates must also have strong customer service, accurate logical problem solving and communication skills, and the ability to work in a team environment. Programming and debugging skills are required, preferably in C or C++.  Also, the ability to read and analyze network traces and solid protocol analysis is a plus. The ideal candidate may have a four year degree in C.S. or Engineering and a minimum of four years product support experience or the equivalent in work experience. Prior knowledge of the product to be supported, and other networking products and/or networking operating systems is required. If you enjoy being the problem-solver in the spotlight of critical problems, then this position will excite and challenge you.

Applicants that possess the experience, and desire will be considered and are encouraged to apply using the below link. After applying, please submit a copy of your resume to benjammc@microsoft.com.

Job Details - Microsoft Careers – job code is 209923 and can be found on the Microsoft Career page.

AutoEnrollment & MMC Enrollment

Enrollment Dependencies:

• The Certificate Template has been published to the Certification Authority.
• If Service Pack 1 has been installed on the CA and the CA is on a DC:
  • Verify that the CERTSVC_DCOM_ACCESS group contains, Domain Users, Domain Computers, and Domain Controllers.
• If Service Pack 1 has been installed on the CA and the CA is a member server in a Windows 2000 domain.
  • Verify that the Windows Server 2003 Schema Extensions have been installed.

AutoEnrollment Dependencies:

• Client machine must be Windows XP or higher.
  • Certification Authority has been installed on a Windows Server 2003 Enterprise Edition server.
  • User/Computer has Read, Enroll, and AutoEnroll permissions on the certificate template.
  • The Group Policy for the Domain/OU containing the User/Computer has been configured for Autoenrollment.

Debug Logging Options

Client Settings:

• By default, errors/failures and successful enrollments are logged in the Application event log on the client machine.
• To enable enhanced logging of the Autoenrollment processes set the following values:
  • User AutoEnrollment
    HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel"; set value to 0.
  • Machine AutoEnrollment
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel", set value to 0.

For information on available event log messages, see the following:
Troubleshooting (Certificate Autoenrollment in Windows Server 2003)
http://technet2.microsoft.com/WindowsServer/en/Library/8b1e8736-1574-44a0-802f-974f7aeedd9c1033.mspx?mfr=true

Certification Authority Settings

• Enable Certificate Services Debug Logging by running the following commands on the CA:
  certutil.exe -f -setreg ca\debug 0xffffffff
  Net Stop Certsvc && Net Start Certsvc
• The following log files will be created:
  %SystemRoot%\certsrv.log (Certsrv.exe) Certificate Services
  %SystemRoot%\certutil.log (Certutil.exe)
  %SystemRoot%\certreq.log (Certreq.exe)
  %SystemRoot%\certmmc.log (Certmmc.dll) Certificate Services MMC snap-in
  %SystemRoot%\certocm.log (Certocm.dll) Certificate Services Setup

Simultaneous Netmon Trace from both the client and the CA.

• Filter the trace on LDAP and RPC traffic.
• The client queries Active Directory for a list of available CAs and certificate templates that they are granted read and enroll permissions to.
• The client then makes an RPC bind to the ICertRequest DCOM Interface on the CA using Kerberos authentication.

Common Problems - Scenario #1: Clients are Not Autoenrolling and No Errors are being Reported in the Application Event Log

• Verify that the client can get a certificate using the Manual Enrollment via the MMC Certificate Wizard.  You May get the following error at the beginning of the wizard:
  
• This error typically, means:
  • We could not contact the Active Directory 
    • Use normal Active Directory troubleshooting methods.  i.e. verify networking connectivity and name resolution.
  • We do not trust the Enrollment Certification Authority
    • The Enrollment Certification Authority is located at:
      CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
    • The Enrollment CA’s Certificate must be installed in the Trusted Root Certification Authority on the client if it’s a Root CA.
    • If the Enrollment CA is a subordinate CA then the Root CA certificate must be installed in the Trusted Root Certification Authority and the Enrollment CA should be installed in the Intermediate CA Store on the client.
    • All certificates are downloaded during Group Policy processing so make sure that Group Policy is applying to the client.
  • We do not have permissions to the Certification Authority.
    • Open the Certification Authority snap-in and right click on the CA name and select Properties.
    • Go to the Security tab and make sure that Authenticated Users, or the appropriate group, have "Read" and "Request Certificates" permissions.
  • We do not have permissions to any Certificate Templates.
    • To verify the templates that the machine has access to run the following command:
      Certutil -Template
    • To verify the templates that the user has access to run the following command:
      Certutil –user -Template
    • Verify that the CA can issue the template in question:
      Certutil –templateCAs <Template Name>

Common Problems - Scenario #2: Errors are being reported in the Client Application Event Log

Source: AutoEnrollment
Event IDs: 7,13,15

• Description
  • Automatic certificate enrollment for Haybuv\User1 failed to contact Active Directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
• Resolution
  • Verify network connectivity and name resolution.
    
    
• Description
  • Automatic certificate enrollment for local system failed to contact a directory server (0x80072751). A socket operation was attempted to an unreachable host. Enrollment will not be performed.
• Resolution
  • This error most often occurs when a user is logged on to a machine with cached credentials and is offline. If the machine is not offline verify network connectivity and name resolution.
    
    
• Description
  • Automatic certificate enrollment for local system failed to enroll for one HAYBUV IPSEC certificate (0x800706ba). The RPC server is unavailable.
• Resolution
  • This error occurs when attempting to bind to the Certification Authority to generate the Certificate request.  Troubleshooting includes:
    • Verify that the client can get a certificate using the Manual Enrollment via the MMC Certificate Wizard.
    • Check network connectivity to all of the available Certification Authorities listed in the Enrollment services object listed in the AD:
      CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com
    • Verify that the Certificate Services service is running on the Certification Authority.
    • Verify that you can ping the Certificate Request Interface by running the following command:
      Certutil –Ping –Config CAMachineName\CAName
      Note that you can run the following command to get the Config string of the available Certification Authorities:
      Certutil –Dump
  • The Certutil –Ping command runs under the context of the user.  If the command works for the user but the AutoEnrollment failure errors for the computer account, then open a command prompt under the machine account and then re-run the ping command.
  • If the ping command fails for either the user or the computer:
    • Verify that Dcom is Enabled on the Certification Authority.
      For more information, see the following:
      How to disable DCOM support in Windows
      http://support.microsoft.com/default.aspx?scid=kb;en-us;825750
    • Check for firewalls and proxy settings.
    • Check for Checkpoint Firewalls which have issues with RPC traffic from a Windows Server 2003 SP1 server.  For more information, see the following:
      Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based computer
      http://support.microsoft.com/kb/899148
    • Use Portqry to verify that the appropriate RPC ports are opened.  For more information, please see the following:
      PortQryUI - User Interface for the PortQry Command Line Port Scanner
      http://www.microsoft.com/downloads/details.aspx?FamilyID=8355e537-1ea6-4569-aabb-f248f4bd91d0&DisplayLang=en
      
      
• Description
  • Automatic certificate enrollment for local system failed to renew one HAYBUV IPSEC certificate (0x8009400f). An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.
• Resolution
  • By default, the Windows Server 2003 certification authority allows only 20 concurrent sessions to the CA database.  To increase the maximum number of sessions to 30, which is the highest limit tested with the Windows Server 2003 certification authority:
    Certutil -setreg DBSessionCount 30
    Net Stop Certsvc && Net Start Certsvc
  • This behavior typically occurs when a CA has been introduced to the environment and clients are in the initial Autoenrollment phase.
    
    
• Description
  • Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
• Resolution
  • This error occurs when attempting to bind to the Certification Authority to generate the Certificate request.  Troubleshooting includes:
    • If SP1 is installed on the Certification Authority, verify that DCOM permissions are set correctly per the following article:
      Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1
      http://support.microsoft.com/kb/903220/
      
      
• Description
  • The certificate request failed.  The revocation function was unable to check revocation because the revocation server was offline.
• Resolution
  • The client does not a valid Certificate Revocation List (CRL) from the issuing CA.  Therefore, verify that all Certification Authorities in chain have valid Certificates.  To test, run the following command against the issuing Certification Authority certificate:
    Certutil –Verify –Urlfetch <Issuing CA Certificate>

How Certificate Services Works
http://technet2.microsoft.com/WindowsServer/en/library/d7cd44f4-b39a-4d35-bb56-a239f72b7e4c1033.mspx?mfr=true

Hi, my name is Bob Newhouse and I will be discussing managing group policy with Windows Vista.  To start we have added approximately 700 new group policies in Windows Vista and Server 2008\Vista, increasing the granularity of what you can do with group policy.  For a  complete listing of the Windows 2008 group policies see Microsoft's Group Policy settings in Windows 2008.

Group Policy no longer uses the Winlogon process but has as its own service.  We no longer rely on Userenv Debug logging to gather information.  In Windows 2008\Vista Group Policy runs under a SVChost process and group policy events now appear in a separate Group Policy operational log found under Application and Service Logs\Microsoft\Windows\Group Policy in your event viewer.  The operational log provides a centralized location for group policy events.  This makes it somewhat easier to diagnose a problem with group policy.

One of the biggest features of Vista is the ability to do multiple local group policy processing.  In earlier versions of Windows if you used a local group policy, it would apply to anyone who logged onto a client machine.  This meant having to jump through hoops to stop it from applying to Administrators and other users that you did not want it to apply to.  With multiple local group policies, you can create a group policy and apply it to the local computer (everyone affected), an administrator\non-administrator group or a user on the local machine or a remote machine.  Windows applies Local Group Policy objects first, then the Administrators or Non-Administrators Local Group Policy objects, and finally the user-specific Local Group Policy objects. This feature is a significant improvement for applying group policy without affecting everyone who logs on.  For conflict resolution, the last writer wins.  If you make the same change to computer, and a user, then the user setting will take effect.

To use this feature:

1. Start an MMC console.
2. Add a Snapin.
3. Select the Group Policy Object Editor.
   
4. For the Local machine you can click Finish.
5. For a User or Group select Browse.
   
6. Click on the User Tab or Computer tab (depending on what settings you are editing).
   
7. Highlight the User or Administrator or Non-Administrator Group orComputer you want to apply the policy to.
8. Click OK then Finish then OK
9. Modify the group policy as needed.
10. Run gpupdate /force

In a domain environment, we still apply local group policy (following the local group policy rules), site group policy, domain group policy and OU group policy.  You can find a Step-by-Step Guide to Managing Multiple Local Group Policy Objects here.  It has some different scenarios that you might like to test out before implementing.
GPMC was added with Vista when it first released and will be removed with SP1.  After SP1 it will be available for download.

References:
Vista Group Policy FAQ
What's New in Group Policy in Windows Vista
Windows Vista Managment and Operations

Windows Vista has a new tool for investigating and configuring Power Management features. For this discussion, I'll focus on PowerCFG -LastWake feature that is new for Windows Vista. This tool can help diagnose individual, corporation, and Original Equipment Manufacturer (OEM) issues with machines returning from a sleep state. In Windows XP there was no easy way to determine who woke the machine, it was mostly trial and error. So for Vista, LastWake was created to make it easier to assist in identifying what actually woke the machine.

From my personal experience, I have the machine set to never sleep in the Control Panel Power Management settings as I wanted this to be manual. I would then set my desktop to a S3 sleep state when I left the room as my contribution to being green. Many times I found my desktop up and running upon my return. When I upgraded to Windows Vista, my machine continued to wake up on its own. With the new PowerCFG tool, I decided to try and see if I could identify what woke my computer.

Before leaving for work, my machine was placed into S3. When I got home, my machine was on and running waiting for me to log in. After logging in and opening a command window, I typed in the following command:

powercfg -lastwake
Wake History Count - 1
Wake History [0]
Wake Source Count - 1
Wake Source [0]
Type: Device
Instance Path: PCI\VEN_8086&DEV_27C8&SUBSYS_01A81028&REV_01\3&172e68dd&0&E8
Friendly Name:
Description: Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 2
7C8
Manufacturer: Intel

From this example, my USB Host Controller sent the signal to wake the computer. But who actually woke the machine? To find this out I queried for devices that are armed for wake. Three devices were returned by the query.

powercfg -DEVICEQUERY  wake_armed
Microsoft USB IntelliMouse Explorer
HID Keyboard Device (003)
High Definition Audio Controller

By opening Device Manager and selecting View menu and choosing Device by Connection, I found the USB Host controller with the label _27C8. Opening that, I found it was my desktop mouse as it is the only device plugged into the USB controller that has the ability to wake my machine up. Upon further investigation, it turned out to be our house cats. They would use the desk as a launching pad to the window's ledge and sometimes they would step on the mouse pad on their way to the window. My resolution to this dilemma was to open Device Manager, locate the mouse and its Power Management settings, and simply uncheck "Allow this device to wake the computer".

From the OEM support perspective, this tool can help identify issues with custom devices. In one recent case, an OEM had a customer where if they manually placed the machine to sleep using an extra button on the laptop, the machine would wake shortly after. PowerCFG listed the following results:

powercfg /lastwake
Wake History Count - 1
Wake History [0]
Wake Source Count - 1
Wake Source [0]
Type: Device
Instance Path: ACPI\PNP0x0x\2&XXXXxXXX&2
Friendly Name:
Description: ACPI Sleep Button
Manufacturer: (Standard system devices)

When I heard about this, I asked them to remove the key from the keyboard for cleaning. Once it was reattached, the problem went away, so we only had a sticky key issue.

For the network administrator, this tool can help diagnose why machines are resuming when connected to a network. Protocols like router ARP packets can trigger Wake-On-LAN events. One such experience proved that the network card was waking the machine. The administrator was not interested in whom or what was waking the machine; they just wanted it set so only the administrators could do this. So after PowerCFG showed the NIC was responsible, we went into Device Manager and opened Power Management properties under the network adapter. We then set it to "Allow this device to wake the computer". We then followed up by setting "Only allow management stations to wake the computer", which gives the administrators control over this behavior in their domain by using a magic packet to wake a computer.

These are just a few examples of using PowerCFG, and there are a great many other uses available to explore: one just needs to do PowerCFG /? to see the possibilities.

If you would like to keep abreast of how Microsoft continues to innovate in power management please check our environmental website at   http://www.microsoft.com/environment.

David Winkler
OEM Support Team