Basically when you modify this particular group policy setting it changes the local policy on the machine. Manage out capabilities in Direct Access require the internal source user and computer account to authenticate IPsec connections to the DA client. This particular policy setting controls what accounts have access to system services on the DA computer. If the source computer account does not have this access then IPsec authentication will fail. The default setting for this is the only supported one currently for DA, by default this includes – Administrators, Backup Operators, Everyone, Users

Hope this helps others resolve a peculiar difficult to determine issue!

Ash

Related posts:

1. RDP over Direct Access A customer has requested recently that they want to be...
2. How to Configure the Network Access Account in SCCM 2012 Just a quick guide on where to configure the Network...
3. ADFS 2.0 401 Unauthorized Access We had an issue recently when setting up CRM 2011...

Related posts brought to you by Yet Another Related Posts Plugin.

Looking in the c:WindowsWindowsUpdate.log file I could see that there was an error with BITS (Background Intelligent Transfer Service) which Windows Update uses to download updates. This led me to use the bitsadmin tool to see if there was any downloads stuck:

1. Open a command prompt as administrator

2. Type in the following command and press enter:

bitsadmin /list /allusers

3. If there any lines in the output such as the following then we need to reset the jobs:

{04D0B991-54E3-41C4-B475-572D9E31BFE5} ‘WU Client Download’ SUSPENDED 0 / 1 0 / 13352278

To kill off the jobs is not as simple as it seems as even with an administrator account I could not kill off the jobs giving me an unable to cancel error. The task had to be run as system as a scheduled task:

1. Open up notepad and put in the following line:

bitsadmin /reset /allusers

2. Save the notepad file back as a batch file by save as and giving it a name with the extension .bat

3. Open Task Scheduler and create a new task that runs that batch file and put it to run at a certain time or manually.

4. Before the task runs we just need to change the user account that it runs under system by clicking on Change User or Group button, typing in system as object name and clicking on Check Names:

5. Either schedule the job to run or right click on the job and select run now.

Once the job has run then you can again run the bitsadmin /list /allusers and you should get an output showing no jobs:

The update for the Anti Spam updates should then install without any problems and you should no longer receive this alert.

Hope this helps.

Cheers

Paul

Related posts:

1. HRESULT: 0x800f0818 Unable to add/modify Roles or Features through Server Manager or Powershell after installing updates After installing numerous Windows Updates, usually when bringing a newly...
2. Activation context generation failed for "C:Windowssystem32conhost.exe” Error We have came across an error this month after patching...
3. SharePoint 2010 Prerequisites Installer Error “Error: the tool was unable to install Windows Identity Foundation (KB974405)” We got an error recently when trying to install  the...

Related posts brought to you by Yet Another Related Posts Plugin.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Description:
The FSCController service hung on starting.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Description:
The FSEIMC service depends on the FSCController service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7001
Description:
The Microsoft Exchange Transport service depends on the FSEIMC service which failed to start because of the following error:
The dependency service or group failed to start.

Solution:

Ensure Service Pack 2 is installed for Forefront Security for Exchange Server

Related posts:

1. Information Store and Microsoft Exchange Transport service do not start Automatically after a Reboot We came across an issue recently on a Exchange 2007...

Related posts brought to you by Yet Another Related Posts Plugin.

“550 5.7.1 :127.0.0.3:Client host … blocked using 88.blocklist.zap; Mail from IP banned. To request removal from this list please forward this message to delist.forefront@messaging.microsoft.com”

If you are sure that the sender is legitimate and trusted, mail from the senders domain can be allowed by completing the followings solution.

Solution:

Add the IP address of the remote domain to the “IP Allow List” on your Edge servers. (This IP can be found in the NDR or by contacting the remote party):

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Solution:

Run the “fixsqlserverlogin.vbs” script from the “Installing Forefront TMG SP1” TechNet article:

http://technet.microsoft.com/en-us/library/ff717843.aspx#fixsqlserverlogin_vbs

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

To resolve this issue I implemented IIS 7’s shared configuration and put a process in to replicate the content between web servers.

You will need a domain account (or local account on each web server if your web servers aren’t domain joined) which will be used to access the shared configuration (it only does this – your web applications continue to run under what ever application pool identity you have set) and a file share to store the configuration on.

Assuming you’re at the stage of having a configured web server with the IIS configuration how you want it you need to export the configuration:

1. On the first web server / machine which will host the shared configuration create a directory & share it giving full share and ntfs permissions to the service account created, all other permissions should be removed.
2. In IIS manager on the server with IIS configured as per the previous steps click on the server node in the left pane, then open shared configuration in the right pane, then finally select the export configuration option on the right, store the export in the directory created in step 1, entering an encryption key (this should be recorded as it is needed for all nodes which will be accessing the shared configuration).
3. When exported tick the ‘Enable shared configuration’ box, enter the UNC path to the configuration (eg \machinenameiisconfig) enter the username domainserviceaccount and the password for that account, press apply, you will be prompted for the encryption key provided in step 2.
4. Restart the server to apply configuration, then check IIS is still functioning and the IIS manager can be accessed.

The above steps will reconfigured your already configured web server to work from the shared configuration, now we need to replicate the web content and configure all other web servers to work from the same configuration.

There are several ways of replicating the physical content, DFSR is one option, however I chose not to use it as the content on the web servers is staying static so frequent updates to the other nodes will not be required and it gives the operator responsible for the servers more control over how content updates are deployed.  So instead I used robocopy (which has been built in since Vista / Server 2008) to mirror the content from the configured server to all others (this was executed on the web server to be copied to):

robocopy \configuredwebserverc$inetpubwwwroot c:inetpubwwwroot /MIR

Once the file content was in place two quick steps are required to configure IIS to use the shared configuration:

1. Open IIS manager, click on the server name in the left pane, then select the shared configuration option in the right pane, tick the ‘Enable shared configuration’ box, enter the UNC path to the configuration as specified on the first web server (eg \machinenameiisconfig) enter the username domainserviceaccount and the password for that account, press apply, you will be prompted for the encryption key.
2. Restart the server to apply configuration, then check IIS is still functioning and the IIS manager can be accessed.

This process will replicate all application pools and IIS configuration, however if you have ODBC data sources etc.. (things external to IIS which your web applications are using) then you will need to find a way to replicate these settings as well. 

An important point is how IIS behaves if the configuration becomes unavailable, under Server 2008 (not R2) if the configuration disappears IIS will essentially stop, under R2 the server will detect this, continue working and reconnect when the configuration source comes back online.  You can enable offline files for added resiliency should you require it.

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Forefront Threat management Gateway the successor to ISA server 2006 is now RTM and the eval is available for download form the following link above

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.