
Archive for April, 2010

Windows could not apply unattended settings during pass (null).

April 29th, 2010 neilc

When trying to deploy a Windows 7 image from WDS I was confronted by the above error. The error occurred whilst trying to deploy different Windows 7 images to different computers and laptops.

After rooting through log files and the internet I was starting to get a little frustrated. At this point I thought that I would try using the install.wim that comes on the Windows 7 CD to see what happens. Whilst browsing the sources folder on the CD I noticed the boot.wim file. Now, although I have never needed to add multiple boot.wim files for the assorted OSes I already deploy off this WDS server, I thought I would add the boot.wim (right-click Boot Image in WDS and select ‘Add Boot Image’). I labelled the new boot.wim file ‘Windows 7 Deploy’ on import and then chose this option when PXE booting the laptop.

Hey presto, it now works without any errors.

Hopefully this will save someone the headache I received getting to this point.

Good luck

Neil


CWA 0-1-492

April 19th, 2010 Rob

I recently hit a problem with CWA being published behind TMG. CWA was accessible internally from a terminal server but would throw the above error when login was attempted via TMG’s reverse proxy.

The solution (for me – there is a fair bit written about this involving SPNs, which were not the issue in this case) was to enable anonymous authentication on the AuthMainCommandHandler.ashx file (within the /cwa directory) within IIS, and all is well again. It is reported that this issue only occurs on Server 2008 and is an issue with the site creation wizard.

My colleague Simon also hit this issue publishing CWA behind UAG, so worth checking.


Who can you trust?

April 16th, 2010 Ashley Moore

Any RMS-protected content can only be consumed or created within the trust boundaries of the domain. It is sometimes desirable to be able to share protected content with external parties (partners etc.), so what do you do then? There are a number of options available, of which the main three used are:

TUD – or Trusted User Domain, is primarily used when a company with an RMS infrastructure wants to share protected content with another organization that has its own RMS infrastructure. In order to do this a traditional Active Directory trust must first be in place. We can then export the SLC public key of the RMS cluster from the domain wanting to consume content and import it on the RMS cluster in the domain wanting to share content. This can of course be replicated both ways so that both sides can open RMS-protected content from the other.

TPD – or Trusted Publishing Domain, is usually used in one of two scenarios. The first is where an AD RMS cluster is being decommissioned and replaced; an example might be where forests are being merged and one cluster is taking over the functions of the others. The other scenario might be when a cluster has to issue licenses for content protected by clusters in another forest (this can be used for cross-forest exchange of RMS-protected content). To implement this trust you must export the private key of the cluster you want to consolidate and import it into the TPD section of the remaining AD RMS cluster, so that use licenses can still be acquired for content protected by the decommissioned cluster.

AD FS support for AD RMS – This is an extremely good feature for collaboration with multiple forests where partners do not have their own AD RMS infrastructure, or do not even have directories based on AD. To implement this solution AD FS must be configured and a federation trust must be in place. In AD FS you then usually create a new claims-aware application entry for the AD RMS certification URL and define which claims to accept (for AD RMS this is UPN then email); you then do the same for the licensing URL. You must also make sure to add the server role for AD RMS Identity Federation Support and enable federated identity support in the AD RMS console. There are some registry key changes that have to be made on the trusted domain machines (the side without AD RMS) so that home realm discovery works correctly, but this can be done via GPOs*. You will then be able to send and receive RMS-protected content from this entity even though they do not have AD RMS implemented!

  • *Registry key: HKLM\Software\Microsoft\
  • Create registry key: MSDRM
  • Under this create another registry key: Federation
  • Under this add a string value named: FederationHomeRealm
  • With a value of: urn:federation:YourDomain.com

So as you can see there are many options for expanding your RMS protection outside the boundaries of your domain or forest. Hope you find this useful! :)


DPM Powershell script to show offsite ready tapes

April 9th, 2010 Daniel Davies

Just a quick PowerShell script to show you tapes that are offsite ready in your tape library. If you save the below into Notepad and save it as a PS1 file then run it from the DPM Management Shell, this should work with no errors.

# Replace "servername" with the name of your DPM server
$AllLibraries = Get-DPMLibrary -DPMServerName servername
$AllTapes = Get-Tape -DPMLibrary $AllLibraries
$outfile = "C:\DPMScripts\Offsite-Ready-Tapes.txt"
# Write the report header, then append the offsite-ready tapes sorted by location
"DPM Offsite Ready Tapes" | Out-File $outfile
$AllTapes | Sort-Object Location | Where-Object { $_.IsOffsiteReady } | Format-Table Location, Barcode, IsOffsiteReady | Out-File -Append $outfile

This PowerShell will output the information needed to a text file in the following location, "C:\DPMScripts\Offsite-Ready-Tapes.txt", which will look like below:

DPM Offsite Ready Tapes

Location    Barcode     IsOffsiteReady
--------    -------     --------------
Slot 1      AIS783L3    True
Slot 2      YB2417L3    True

Daniel Davies


DPM Powershell Script to Mark tape in Tape drive as free

April 9th, 2010 Daniel Davies

Just a quick PowerShell script to make your tape drive be marked as free. If you save the below into Notepad and save it as a PS1 file then run it from the DPM Management Shell, this should work with no errors.

# Replace "servername" with the name of your DPM server
$LIB = Get-DPMLibrary -DPMServerName servername
$Tape1 = Get-Tape -DPMLibrary $LIB
$Tape2 = Get-RecoveryPoint -Tape $Tape1
# Permanently delete every recovery point on the tape so that it can be freed
foreach ($rp in $Tape2)
{
    Get-RecoveryPoint -Datasource $rp.Datasource | Out-Null
    Write-Host "Removing recovery point $($rp.RepresentedPointInTime) from tape"
    Remove-RecoveryPoint -RecoveryPoint $rp -ForceDeletion -Confirm:$false
}
# Mark the tape as free and confirm on the console
Set-Tape -Tape $Tape1 -Free
Write-Host "This Tape is now free"

You will then see the Tape in the drive marked as Free in the DPM Console :)

Daniel Davies


DPM Powershell Script to list each recovery point on each tape

April 9th, 2010 Daniel Davies

Just a quick PowerShell script to produce a text file of every recovery point on the tapes that are currently in the DPM tape library. If you save the below into Notepad and save it as a PS1 file then run it from the DPM Management Shell, this should work with no errors.

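# Load the DPM cmdlets (already loaded when run from the DPM Management Shell)
Add-PSSnapin "Microsoft.DataProtectionManager.PowerShell"
# Replace "servername" with the name of your DPM server
$AllLibraries = Get-DPMLibrary -DPMServerName servername
$AllTapes = Get-Tape -DPMLibrary $AllLibraries
$outfile = "C:\DPMScripts\DPM-Tapes-Report.txt"
"DPM Tapes Report" | Out-File $outfile
# For each tape, append its details followed by every recovery point on it
foreach ($tape in $AllTapes)
{
    $tape | Format-List | Out-File -Append $outfile
    $tape | Get-RecoveryPoint | Format-List | Out-File -Append $outfile
}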

 

This script will output the file to the following location, "C:\DPMScripts\DPM-Tapes-Report.txt", and will give the following output.

DPM Tapes Report

Location         : Slot-20
Tape label       : Dummy – Primary-LT-1Years-Copy0-00000030
Library          : Hewlett Packard MSL G3 Series library  (x64 based)
Tape barcode     : YB23534643
Offsite Ready    : False
Protection Group : Dummy

Name        : SystemState
Backup Time : 01/03/2010 20:05:59
Datasource  : ComputerSystemState on computer test
Location    : Media

Name        : SystemState
Backup Time : 01/03/2010 20:07:22
Datasource  : ComputerSystemState on computer test2
Location    : Media

Name        : SystemState
Backup Time : 01/03/2010 20:05:59
Datasource  : ComputerSystemState on computer test3
Location    : Media

Name        : SystemState
Backup Time : 01/03/2010 20:12:38
Datasource  : ComputerSystemState on computer test4
Location    : Media

Daniel Davies


Migrating from ISA to TMG

April 6th, 2010 simonw

Richard Hicks has a great blog entry on this at http://tmgblog.richardhicks.com/2010/03/20/migrating-from-isa-to-tmg/ so I won’t go into detail on the overall process. However, there are a couple of gotchas to be aware of, although these aren’t anything to do with TMG itself.

First, as you are probably moving from Server 2003 to Server 2008, the number of trusted commercial Certificate Authorities has been trimmed down. If you are importing an SSL certificate from one of the less well-known authorities, the root CA may not be trusted. The import will succeed and TMG will allow you to specify the cert in publishing rules, but the results can then be unpredictable. Note that if you do have to add the root CA to your trusted CA store after TMG has been configured to use the SSL certificate, it is worth rebooting the server: without a reboot, TMG registers no errors, but client devices may display untrusted cert errors.

Therefore, when you import SSL certificates onto the TMG server, verify three things:

  • The certificate is in the local machine’s Personal store
  • The certificate has a matching private key
  • The certificate path is fully validated
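
The three checks listed above can also be scripted. This is an added example, not part of the original post; the function name is hypothetical and the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the TMG server. Written to work on PowerShell 2.0.
function Test-PublishingCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Thumbprints pasted from the certificate dialog often carry spaces or an
    # invisible leading character, so keep only the hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

    # Check 1: the certificate is in the local machine's Personal store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        return New-Object PSObject -Property @{
            InPersonalStore = $false; HasPrivateKey = $false
            PathValidated = $false; ChainStatus = 'certificate not found'
        }
    }

    # Check 3: the path validates against the machine's trusted roots.
    # Revocation is switched off here so that an unreachable CRL is not
    # confused with an untrusted root CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $pathOk = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        InPersonalStore = $true
        HasPrivateKey   = $cert.HasPrivateKey      # Check 2
        PathValidated   = $pathOk
        ChainStatus     = ($status -join ', ')     # e.g. UntrustedRoot, PartialChain
        TopOfChain      = $top.Subject
    }
}

# Placeholder thumbprint: substitute the value from your imported certificate.
# Test-PublishingCertificate -Thumbprint '<thumbprint>'
```

A ChainStatus of UntrustedRoot or PartialChain points at the missing root CA described above; TopOfChain shows which certificate the path stopped at.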

Second, if you are planning an ISA to TMG migration, you will probably be moving to new hardware, as it will have to be a side-by-side migration. This obviously means that the MAC addresses of all your NICs are going to change, so talk to your networking guys. At the very least, you will probably need the ARP tables on the relevant routers/switches to be flushed at the point you actually swap cables. Otherwise you may end up in the situation I was in, where TMG was up and running with no errors, but no traffic for publishing rules on addresses other than the native IP address of the external NIC ever hit TMG, which was definitely a head scratcher for a while :)

HTH


RMS bootstrapping CRL problems

April 6th, 2010 Ashley Moore

Recently had an issue with our internal RMS infrastructure where users were not able to RMS protect any documents, email etc. Going through some troubleshooting I found that clients were not going through the bootstrapping process correctly and therefore were not getting the needed XrML RMS certificates.

So I was able to browse to the certification and license pipelines with no problems, the AD RMS server was contactable, and I was seeing the traffic hit the server in the IIS logs, some with 403 and 404 errors... Resolution?

If you go to Internet Options >> Advanced >> Security and uncheck the two options:

  • Check for publisher's certificate revocation
  • Check for server certificate revocation

and then try to RMS protect content, the bootstrapping process suddenly works, you get your certificates and all is good!

The reason for this is that if your AD RMS certification and licensing pipelines are using a certificate for HTTPS issued by an internal CA, and your client machines can't reach the CRL distribution point, the client will not allow you to connect! The quick fix is to uncheck the two options specified above and go through the bootstrapping process; you will then be able to protect and consume RMS content. However, the correct fix is to ensure the CRL distribution point is correct for your CA and accessible to your AD RMS clients :)
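
To confirm the cause from an affected client without switching revocation checking off, the server certificate can be fetched and validated with online revocation enabled. This is an added example, not part of the original post; the function name is hypothetical and 'rms.example.local' is a placeholder host name.

```powershell
# Added example, not from the original post. Run on an affected AD RMS client.
function Test-ServerCertRevocation {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the connection is used only to fetch
        # the certificate for inspection, no application data is sent.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    }
    finally { $tcp.Close() }

    # Validate the chain the way a revocation-checking client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan(0, 0, 15)
    [void]$chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $revProblem = @($status | Where-Object { $_ -match 'RevocationStatusUnknown|OfflineRevocation' })

    # List the CRL distribution points (extension OID 2.5.29.31) published in
    # the server certificate. The 'URL=' text layout is how Windows formats it.
    $cdpUrls = @()
    $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdpExt) {
        $cdpUrls = @([regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    New-Object PSObject -Property @{
        Subject               = $cert.Subject
        ChainStatus           = ($status -join ', ')
        RevocationCheckable   = ($revProblem.Count -eq 0)
        CrlDistributionPoints = $cdpUrls
    }
}

# Placeholder host name: substitute your AD RMS cluster address.
# Test-ServerCertRevocation -HostName 'rms.example.local'
```

If RevocationCheckable is False, the URLs in CrlDistributionPoints are the ones the client could not retrieve. A CRL already cached on the client can make the check pass even when the distribution point is unreachable.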
