Basically when you modify this particular group policy setting it changes the local policy on the machine. Manage out capabilities in Direct Access require the internal source user and computer account to authenticate IPsec connections to the DA client. This particular policy setting controls what accounts have access to system services on the DA computer. If the source computer account does not have this access then IPsec authentication will fail. The default setting for this is the only supported one currently for DA, by default this includes – Administrators, Backup Operators, Everyone, Users

Hope this helps others resolve a peculiar difficult to determine issue!

Ash

Related posts:

1. RDP over Direct Access A customer has requested recently that they want to be...
2. How to Configure the Network Access Account in SCCM 2012 Just a quick guide on where to configure the Network...
3. ADFS 2.0 401 Unauthorized Access We had an issue recently when setting up CRM 2011...

Related posts brought to you by Yet Another Related Posts Plugin.

So troubleshooting I made sure i had applied permissions correctly on the template, not that i should receive an error message like the one i was getting but good place to start. Checked access to the template file share, fine. Checked AD RMS server was exporting the templates correctly, fine but I did notice something else in checking this ..

I opened one of the templates in an XML editor and noticed that the licensing cluster URL contained a :443, then checking in the AD RMS console this was the case in the licensing URL there too. The trouble with this is that the CLC certificates are attempted to be matched with the RAC’s using the RMS URL, if they are different (certification has no :443 and licensing has :443) you hit an error.

To resolve this issue follow these steps (Note: While following these steps you will remove the SCP temporarily, users will not be able to protect or consume new content during this period so be careful!):

1.)  Open the ADRMS  console and Right Click on the Server name, and go to Properties.

2.) Go to the ‘SCP’ tab and remove the SCP.

3.) Go to the Cluster URLs tab, and check the box for ‘Extranet URLs’ (If you have Extranet URL’s configured then ensure the :443 is not present and move on)

4.) Enter anything into both boxes and click Apply.

5.) Uncheck the ‘Extranet URLs’ box, and hit Apply, then OK.

6.) Close the ADRMS Console and re-open it.

7.) Right Click on the server name>Properties>SCP Tab, and register the SCP.

8.)Check your RMS settings now and make sure that no :443 exists in any of the cluster URLs.

9.) Go to Regedit and create this key on each cluster in the server

HKLM/Software/Microsoft/DRMS

Reg_Sz:GICURL
Value: https://adrms.yourdomain.com/_wmcs/certification/certification.asmx

11.) Go to an Administrative command prompt and run IISRESET on each server in the cluster

12.) Go to client PC and delete the %localappdata%MicrosoftDRM folder.

13.) In the ADRMS console right click the Administrative Template and select “Archive this Rights Policy Template”

14.) Select Manage Archived Rights Policy Templates and Right click the template and select Copy, give it a different name

15.)Right click the copy and select “Distribute this Rights Policy Template”

Once these steps are completed you should be able to go back into your application and apply protection using the Administrative Template! Yay!

HTH

Ash

Related posts:

1. A server-side seed operation has failed. Error: An error occurred while performing the seed operation, which may indicate a problem with the source disk. Error: An error occurred while attempting to access remote resources. Error: An error occurred while processing a request on server ‘SERVER’. Error: Database ‘catalog’ was not active on source server While running Exchange 2010 SP1, We recently came across the...
2. How to Enable the New Error pages after updating to TMG SP2 With TMG SP2 Microsoft have released a new error page...
3. Disabling ActiveSync on Exchange 2010 We had a query from a customer recently , asking...

Related posts brought to you by Yet Another Related Posts Plugin.

The solution had two AD RMS servers using a HLB for redundancy, both servers were installed and joined to the same RMS cluster with no problems. However when the HLB was introduced we couldn’t protect content. Also we couldn’t reach the certification cluster URL (https://ADRMS.yourdomain.com/_wmcs/certification/certification.asmx) IE would just time out eventually.

To cut a long story short after checking all the usual things such as SCP, connectivity, Load Balancer config, DNS etc. it turns out that AD RMS doesn’t like cookie encryption on the HLB! Once we disabled cookie encryption clients were getting load balanced as expected and able to protect content

(note: This particular HLB was F5 BIG-IP)

Ash

Related posts:

1. AD RMS – Changing Certification Pipeline to use SSL after initial install Just a quick post showing how to change the certification...
2. Diskpart during an OSD Task Sequence Whilst at a customer recently I had a requirement to...
3. NET announces support for Pure-IP SIP Trunks Pure-IP seem to be going from strength to strength. Not...

Related posts brought to you by Yet Another Related Posts Plugin.

Error 25070.Error connecting to database FIMSynchronizationService. Invalid class string

Doh! Silly me, with the databases homed on a remote SQL server the SQL Native Client must be installed on the FIM server. I had forgotten to do this, after doing so the update completed without issue

Related posts:

1. A server-side seed operation has failed. Error: An error occurred while performing the seed operation, which may indicate a problem with the source disk. Error: An error occurred while attempting to access remote resources. Error: An error occurred while processing a request on server ‘SERVER’. Error: Database ‘catalog’ was not active on source server While running Exchange 2010 SP1, We recently came across the...
2. Issue installing TMG update 1 “Setup cannot read the Registry Value ProductID” We had an issue recent where we could install Software...
3. Exchange2010 Management Console error “Connecting to remote server failed with the following error message:...

Related posts brought to you by Yet Another Related Posts Plugin.

1. Open IIS on the AD RMS server and edit the bindings, add a binding for HTTPS selecting the certificate to use making sure the name matches your cluster URL.

2. Remove the HTTP binding from the list and do an IIRESET.

3. Close and reopen the AD RMS console and ensure in the centre console both URL’s are using HTTPS.

4. If the SCP has already been published in Active Directory you will need to re-publish it so that clients discover the new HTTP’s certification pipeline.

Good Luck!

Ash

Related posts:

1. Problem deploying Lync Monitoring Server Reports Whilst running the SSRS on the Archive/ Monitoring Server I...
2. Out of Band Management console issues – SCCM Whilst recently implementing out of band management for a customer,...

Related posts brought to you by Yet Another Related Posts Plugin.

When you deploy the FIM Service and FIM Portal it actually installs two .wsp’s which style the SharePoint site in accordance to the FIM Portal functionality. Sometimes after initial installation these features are not enabled by default. To enable them navigate to Central Administration > Site Actions > Site Settings > Site Features and select Activate on both ILM2 Pages and FIM Password Reset Pages

You should then be able to navigate to the url locally and remotely and see the normal FIM Portal page

Hope this helps some headaches as there arent too many pointers as to why this happens

Thanks,

Ash

Related posts:

1. TMG 2010 SP2 Released Just to let you know TMG 2010 SP2  has been...
2. How to Configure CRM 2011 for IFD and publish via TMG or UAG Scenario We have a CRM server that we need to...

Related posts brought to you by Yet Another Related Posts Plugin.

Error: Unexpected error refreshing Server Manager: Exception from HRESULT:0x800F0818d

This issue occurs when corrupt .mum or .cat files are present after the extraction and installation process of windows updates.

To reolve this we need to complete a few steps

1. Download and run the Microsoft Update Readiness Tool from http://support.microsoft.com/kb/947821 once it has run check the log in C:WindowsServicingPackagesCheckSUR.log

2. You should see errors resembling:
CBS MUM Corrupt 0×00000000 servicingPackagesPackage_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.mum Expected file name Package_for_KB978601_server~31bf3856ad364e35~amd64~~6.0.1.0.mum does not match the actual file name

and further down

Unavailable repair files:
servicingpackagesPackage_for_KB978601~31bf3856ad364e35~amd64~~6.0.1.0.mum

3. There may be more than one problematic update so make a note of all of them, you will then need to download these KB’s and unpack them using the following commands:

Expand -F:* UpdateKB978601.msu C:Directory

This then shows a cat file which also needs to be unpacked:

Expand -F:* UpdateKB978601.CAB C:DirectoryCAB

4. You will need to grab the two files, one extension .mum and one extension .cat, then rename them making sure they are exactly as was displayed in the CheckSUR.log file. You will then need to copy them into the C:WindowsServicingPackages directory overwriting the existing ones.

These steps should resolve the issues and you should be able to add/remove Roles and Features again

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

First of all open ADUC and select view and make sure Advanced Features is checked

Next right click the OU that you need to remove the delegated permissions from and select properties and then the security tab

Here you should be able to see the user/group that you originally delegated permission to. In order to revoke these delegated permissions simply remove them from the ACL

HTH

Ash

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Error:
Couldn’t find object "UserAccount". Please make sure that it was spelled correctly or specify a different object. Reason: The recipient UserAccount isn’t the expected type.

Exchange Management Shell command attempted:
new-DistributionGroup -Name ‘test’ -Type ‘Distribution’ –OrganizationalUnit ‘OU’ -SamAccountName ‘test’ -Alias ‘test’

The reason for this is that when creating a Distribution Group it tries to add the mailbox of the user creating it as the manager of the Distribution Group and usually the Admin account that creates the Distribution Groups will not be Mailbox enabled.

To get around this you can use the New-DistributionGroup cmdlet with the ManagedBy Parameter:

new-DistributionGroup -Name ‘test‘ -Type ‘Distribution’ –OrganizationalUnit ‘YourDomain/Distribution Groups’ -SamAccountName ‘test’ -Alias ‘test’ –ManagedBy ‘MailboxEnabledAccount’

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

TUD – or Trusted User Domain is primarily used when a company with an RMS infrastructure wants to share protected content with another organization with their own RMS infrastructure. In order to do this a traditional Active Directory trust must first be in place, we can then export the SLC public key of the RMS cluster from the domain wanting to consume content and import it on the RMS cluster in the domain wanting to share content. This of course can be replicated both ways so that both sides can open RMS protected content from the other.

TPD – or Trusted Publishing Domain is usually used in one of two scenarios, one where an AD RMS cluster is being decommissioned and replaced. An example might be where forests are being merged and one cluster is taking over the functions of the others. The other scenario might be when a cluster has to issue licenses for content protected by clusters in another forest (can be used for cross forest RMS protected content exchange) To implement this trust you must export the private key of the cluster you are wanting to consolidate and import it into the TPD section of the remaining AD RMS cluster, this is so use licenses can still be acquired for content protected by the decommissioned cluster.

AD FS support for AD RMS – This is an extremely good feature for collaboration with multiple forests where partners do not have their own AD RMS infrastructure or even don’t have directories based on AD. To implement this solution AD FS must be configured and a federation trust must be in place. You then in AD FS usually create a new claims aware application entry for AD RMS certification URL, you can then define which claims to accept (for AD RMS this is UPN then email) you then do the same for the licensing URL. You must also make sure to add the server role for AD RMS Identity Federation Support and enable federated identity support in the AD RMS console. There are some registry key changes that have to be made on the trusted domain machines (the side without AD RMS) so that the home realm discover works correctly but this can be done via GPO’s*. You will then be able to send and receive RMS protected content from this entity even though they do not have AD RMS implemented!

• *Registry Key – HKLM/Software/Microsoft/
• Create registry key: MSDRM
• Under this create another registry key: Federation
• Under this add a string value named: FederationHomeRealm
• with a value of: urn:federation:YourDomain.com

So as you can see there are many options for expanding your RMS protection outside the boundaries of your domain or forest. Hope you find this useful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.