
Windows Server 2008 “BOOTMGR is missing” Error

January 10th, 2010 27 comments

Not what you want to see when trying to boot Windows Vista Server…oops, sorry, I mean Windows Server 2008.  :-)

Unfortunately, this is what I encountered recently after a Windows Server 2008 virtual machine rebooted following some routine Windows Updates.  After some time spent troubleshooting, it did not appear that any of the updates themselves had caused the problem.  The type of backup system in use for this server allows me to boot virtual copies of the backups from any 15 minute interval in the previous 2 days.  I was able to boot a virtual copy of this server from the backups before the updates were installed.  It had the same “bootmgr is missing” error.  And the server had rebooted successfully 5 days ago, so something in the past 5 days after that last reboot caused this problem.

Research (googling) on the ‘bootmgr is missing’ error led me to this Microsoft KB article pretty quickly:

Here is the content of that article:


This error occurs when either of the following conditions is true:

  • The Windows Boot Manager (Bootmgr) entry is not present in the Boot Configuration Data (BCD) store.
  • The Boot\BCD file on the active partition is damaged or missing.


Method 1: Repair the BCD store by using the Startup Repair option

You can use the Startup Repair option in the Windows Recovery Environment to repair the BCD store. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
  4. Click Repair your computer.
  5. Click the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Startup Repair.
  7. Restart the computer.

Method 2: Rebuild the BCD store by using the Bootrec.exe tool

If the previous method does not resolve the problem, you can rebuild the BCD store by using the Bootrec.exe tool in the Windows Recovery Environment. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
  4. Click Repair your computer.
  5. Click the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec /RebuildBcd, and then press ENTER.
    • If the Bootrec.exe tool runs successfully, it presents you with an installation path of a Windows directory. To add the entry to the BCD store, type Yes. A confirmation message appears that indicates the entry was added successfully.
    • If the Bootrec.exe tool cannot locate any missing Windows installations, you must remove the BCD store, and then you must re-create it. To do this, type the following commands in the order in which they are presented. Press ENTER after each command.
      Bcdedit /export C:\BCD_Backup
      ren c:\boot\bcd bcd.old
      Bootrec /rebuildbcd
  8. Restart the computer.

Method 3: Rebuild the BCD store manually by using the Bcdedit.exe tool

If the previous method does not resolve the problem, you can rebuild the BCD store manually by using the Bcdedit.exe tool in the Windows Recovery Environment. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
  4. Click Repair your computer.
  5. Click the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type the following command, and then press ENTER:
    cd /d Partition:\Windows\System32

    Note Partition represents the letter of the partition on which Windows Vista is installed. Typically, this is partition C.

  8. Type the following command, and then press ENTER:
    bcdedit /enum all

    In the Windows Boot Loader section of the output from this command, note the GUID that is listed for resumeobject. You will use this GUID later.

  9. Type the following command, and then press ENTER:
    bcdedit -create {bootmgr} -d "Description"

    Note Description represents the description for the new entry.

  10. Type the following command, and then press ENTER:
    bcdedit -set {bootmgr} device partition=Partition:

    Note Partition represents the letter of the partition. Typically, the letter is C.

  11. Type the following command, and then press ENTER:
    bcdedit /displayorder {GUID}

    Note GUID represents the GUID that you obtained in step 8.

  12. Type the following command, and then press ENTER:
    bcdedit /default {GUID}

    Note GUID represents the GUID that you obtained in step 8.

  13. Type the following command, and then press ENTER:
    bcdedit /timeout Value

    Note Value represents the time in seconds before the Windows Boot Manager selects the default entry that you created in step 12.

  14. Restart the computer.

If you are booting from a Server 2008 install disk, when you use the “Repair your computer” option, the available options look like this:

You can access the repair option on a Server 2008 disk by choosing “command prompt”, then running  “x:\sources\recovery\StartRep.exe”.

I did this and it worked like a champ!  It found an error, corrected it, and the server was back up and running 10 minutes later.

I have also done this on Server 2008 using a Windows Vista install disk.  Slightly risky, but the server was down anyway, and I was in a pinch.  That also worked.  Along the same lines, I would guess that a Windows 7 install disk would work for Server 2008 R2 if you had no other option.  But don’t hold me to that!


Prevent registration of multiple IP addresses in DNS

January 1st, 2010 3 comments

There are times when you will need to have multiple IP addresses on a server.  It could be for an additional receive connector in Exchange, or for another website in IIS, among other things.  This is not recommended if the server is a domain controller and/or DNS server.  Best practice for a DC/DNS server is to have a single NIC (or NIC team) with a single IP address.  Having more than one IP can and does cause DNS resolution issues, logon issues for clients, and other Active Directory weirdness.  However, I realize that there are situations where you don’t have any other way of accomplishing an objective, and you simply must have multiple IPs on your DC/DNS server.  I have been IN that situation more than once, which is the reason for this post.

Adding another IP address on a server can be accomplished either by adding a secondary IP address on an existing network adapter (shown above), or by adding another network adapter with its own IP address.

In any case, by default, the server will register all assigned IP addresses in DNS.  This may cause problems if clients resolve an IP for the server other than the one they need to access whatever service they are trying to use.  For example, if you have multiple IP addresses on an Exchange server, but only the first IP address bound to the default receive connector, clients running Outlook that were given the secondary IP address by DNS would have trouble connecting to Exchange.

There are several ways to prevent registration of multiple IP addresses in DNS, depending on the configuration (secondary IP or NIC) and role of your server.

Scenario 1: Windows Server with multiple network adapters; no secondary IP addresses on either adapter, nor is the server a DNS server.

Resolution: In this situation, the only action you should need to take is to prevent the server from registering the address from the 2nd NIC.  You can do that by going to the properties of the connection –> IPv4 settings –> Advanced button –> DNS tab.  Then, UNcheck the “Register this connection’s addresses in DNS” checkbox, as shown here:

Scenario 2: Windows Server with multiple network adapters running DNS server role.

Resolution: First, perform the same action as the resolution for scenario 1, to prevent the server from registering the 2nd NIC address in DNS.

Also, because the server is running DNS, you must configure DNS to only listen on the primary IP address.  By default, a Windows server running DNS registers all IP addresses that are being used by DNS.  To prevent this, open the DNS console, right-click the DNS server name on the left side, and go to Properties –> Interfaces tab.  From here, select the radio button which says “Only the following addresses”.  Then, if necessary, add the primary address to the list below and remove all other IP addresses.  Here is an example:

Scenario 3: Windows Server with single network adapter and multiple IP addresses

This is the same as the example at the top of this post.  In this case, there is not a clean way to prevent registration of the 2nd IP address in DNS.

If you are in this situation, it would be best to remove the secondary IP address from the adapter and set the IP on another adapter.  Then, you can just follow the resolution for scenario 1 or 2.

If you absolutely must configure the server this way and you cannot add another network adapter, then you CAN use the resolution from scenario 1 and prevent the server from registering its addresses in DNS.  However, after that, you may have to go into DNS and manually create a DNS entry in the forward lookup zone for the server.  Any servers from recent years have at least 2 NICs in them, and lately are even being shipped with 4 onboard NICs.  So, having an extra NIC available won’t usually be an issue.

Another way to prevent dynamic registration of DNS records on a server (2000 and 2003, that is) is to modify the registry using the following Microsoft KB article:

According to the article, it can be done globally, affecting all NICs on the server, or on a per-NIC basis.  If you decide to try this option, be CAREFUL!


Unicast NLB cluster generates large amount of broadcast traffic

December 30th, 2009 No comments

When you set up a unicast Network Load Balancing (NLB) cluster, a large amount of broadcast network traffic will be generated on any switch to which a cluster node is connected. This is normal behavior for a unicast NLB cluster. You may not even notice this traffic unless you are running a packet capture from a machine connected to the same switch as the cluster nodes.

Normally, a switch builds a MAC address table by learning what ports a MAC address is communicating on. This automatic learning process only works if a given MAC address is unique across all the ports on a switch.

Because nodes in a unicast NLB cluster all share a common cluster MAC address, the network switch to which they are connected cannot learn which port the MAC address is tied to. Therefore it is never able to add the cluster MAC to its table. As a result, all traffic going to the cluster MAC is always broadcast out all switch ports.

This may or may not be a problem, depending on the amount of traffic going to your cluster and the amount of other traffic which is already being handled by the network switch. If it is a problem, there are several ways to resolve it.

1. Switch to a multicast or multicast IGMP NLB cluster. You will need to make sure your switches support multicast for this to work. Cisco switches with a relatively recent IOS should have this capability, but you should check first, to be sure.

2. Move the unicast NLB cluster nodes to a separate switch, where they are the only connected devices.

3. Set up a separate VLAN or network (dedicated router/firewall interface) just for the cluster, which will contain the broadcast traffic.

4. Add static MAC table entries on your switch to tell it which ports are being used by the cluster nodes. This way, traffic going to the cluster nodes would only be sent out the applicable ports. Each time you add another cluster node, you would also need to add an entry to the switch MAC table.

Option 4 is the easiest, and one that I have used in production on a small cluster.

All of these options will work; it’s really just your preference as to which one you use. As long as you document it, you’ll be in good shape in any case, right?

Here are some useful links regarding NLB:


How to use nslookup to test DNS servers

December 28th, 2009 No comments

NSLookup is a very useful tool for testing specific DNS servers.  For instance, if you are having DNS resolution issues or if you are transferring your DNS records to different DNS servers, you can use nslookup to test the authoritative name servers for your domain.  This lets you confirm that each authoritative server for your domain is serving all of the domain's DNS records correctly.  Linux has a command with a similar function, called ‘dig’, but I will not cover it in this post.

If you are planning on transferring your DNS records to different name servers, I would recommend having the DNS records created on the new servers first.  Then, you can use nslookup to verify that the new records are in place before you change the authoritative DNS servers for your domain in your registrar account.

NSLookup has been included in every recent version of Microsoft Windows.  It can be accessed by simply opening up a command prompt and typing the ‘nslookup’ command:

Now that you are running the nslookup program, you can select the server you want to use by simply typing “server <server IP address>”.  This sets the focus on the server that you want to test.  Any subsequent queries for DNS records will use this server until you select a different server.  For example:

By default, nslookup is set to query for ‘A’ records.  So, if you want to find the A record for, you simply type that in, like so:

If you want to query for the MX records for a domain, you will first need to change the query type.  That is done using “set q=mx”, as shown here:

(you can also use set querytype=MX or set type=MX)

Then, type in the domain for which you would like to see the MX records:

Here are the various record types you can use with the “set q=” command:

  • A
  • ANY
  • GID
  • MG
  • MR
  • MX
  • NS
  • PTR
  • SOA
  • TXT
  • UID
  • WKS
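The pre-cutover check described earlier in this post (confirm the new name servers hold the same records as the old ones before changing them at the registrar) can be scripted. This is an added example, not part of the original post: it parses Windows-format nslookup output for A and MX answers from two servers and reports the differences. All server names, addresses and records in it are constructed placeholders.

```python
import re
import subprocess

# Constructed samples in Windows nslookup output format; every name and
# address below is a documentation placeholder, not a real record.
OLD_MX = ("Server:  ns1.old-dns.example\nAddress:  192.0.2.53\n\n"
          "example.com\tMX preference = 10, mail exchanger = mail.example.com\n"
          "example.com\tMX preference = 20, mail exchanger = backup.example.com\n"
          "mail.example.com\tinternet address = 198.51.100.25\n")
NEW_MX = ("Server:  ns1.new-dns.example\nAddress:  203.0.113.53\n\n"
          "example.com\tMX preference = 10, mail exchanger = MAIL.example.com\n")
OLD_A = ("Server:  ns1.old-dns.example\nAddress:  192.0.2.53\n\n"
         "Name:    www.example.com\nAddresses:  198.51.100.10\n\t  198.51.100.11\n")
NEW_A = ("Server:  ns1.new-dns.example\nAddress:  203.0.113.53\n\n"
         "Name:    www.example.com\nAddress:  198.51.100.10\n")

MX_RE = re.compile(r"MX preference = (\d+), mail exchanger = (\S+)", re.I)
A_RE = re.compile(r"^\s*(?:Address(?:es)?:\s*)?(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def query(name, qtype, server):
    """Ask one specific DNS server, like 'server <ip>' plus 'set type=' interactively."""
    done = subprocess.run(["nslookup", f"-type={qtype}", name, server],
                          capture_output=True, text=True, timeout=15)
    return done.stdout


def parse_answer(output, qtype):
    """Return the answer records as a set, skipping the queried server's own header."""
    # Everything up to the first blank line is the 'Server:/Address:' header.
    _, _, answer = output.replace("\r\n", "\n").partition("\n\n")
    records = set()
    for line in answer.splitlines():
        if qtype == "MX":
            m = MX_RE.search(line)
            if m:  # host names compare case-insensitively, without trailing dot
                records.add((int(m.group(1)), m.group(2).rstrip(".").lower()))
        elif qtype == "A":
            m = A_RE.match(line)
            if m:
                records.add(m.group(1))
    return records


def compare(old_output, new_output, qtype):
    """List records the new server lacks and records only the new server has."""
    old, new = parse_answer(old_output, qtype), parse_answer(new_output, qtype)
    return {"missing_on_new": sorted(old - new), "extra_on_new": sorted(new - old)}


if __name__ == "__main__":
    print("MX:", compare(OLD_MX, NEW_MX, "MX"))
    print("A: ", compare(OLD_A, NEW_A, "A"))
    # Live use: compare(query("example.com", "MX", "192.0.2.53"),
    #                   query("example.com", "MX", "203.0.113.53"), "MX")
```
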

You can find a description of these record types on this page:

In addition, here is the command reference for the nslookup utility:

Categories: DNS

Configure Resource Mailbox to AutoAccept in Exchange 2007

December 28th, 2009 No comments

To configure a resource mailbox to automatically accept an appointment in Exchange 2007, you must use the Exchange management shell.

If there is already an appointment that overlaps at all with the appointment you are trying to schedule, you will get back a ‘Declined’ receipt from the resource mailbox.

Assuming you already have the mailbox created, and it is called “ResourceMailboxName”, here is the command you should run:

Set-MailboxCalendarSettings ResourceMailboxName -AutomateProcessing:AutoAccept

See these pages for more info on resource mailboxes:


Grant access to resource mailbox in Exchange 2007

December 28th, 2009 No comments

To grant access to a resource mailbox, you must use the Exchange management shell.

Assuming you already have the mailbox created, and it is called “ResourceMailboxName”, here is the command you should run:

Add-MailboxPermission -AccessRights FullAccess -Identity ResourceMailboxName -User Username

If you need to grant a different level of permission, use a different option with the ‘AccessRights’ switch.  The other options are:

  • ChangePermission
  • ChangeOwner
  • DeleteItem
  • ExternalAccount
  • ReadPermission
  • SendAs

See these pages for more information on resource mailboxes:


Free/Busy info not available outside the network

December 27th, 2009 No comments

If you are having problems with free/busy information in Outlook, it is most likely due to misconfiguration of the Exchange 2007 Autodiscover service.

The Autodiscover service provides info to the Availability service, such as the addresses (internal and external) that Outlook 2007 clients should use to connect to Exchange.  More info here.

I would recommend that you read this post at the Microsoft Exchange Team blog and the referenced whitepaper at the top.

Most likely, you do not have the internal/external addresses configured correctly in Exchange.  Double-check these.  In addition, with Outlook open, you can hold the ctrl key and right-click on the Outlook icon in your system tray to get the “Test Email Autoconfiguration” option.  Run this to see how Outlook is trying to connect to your Exchange server.  You may notice that Outlook first tries to connect to “”, then to “”.  These are the default addresses that Outlook tries.  You may need to create a CNAME for “” which points to your Exchange proxy address.  That is the address that you have in the Exchange proxy connection settings in Outlook, and is likely the same as your OWA address.

Once you have the Autodiscover/Availability services configured correctly, you will likely find that your free/busy info problems have been resolved.


Network Policy Server and Cisco RADIUS Authentication

December 26th, 2009 5 comments

Setting up RADIUS authentication between Cisco devices and Network Policy Server (NPS) in Windows Server 2008 is a bit different than in previous versions of Windows.

Here is a technet page with lots of good info on NPS:

For now, I am just going to list the instructions needed to get up and going with NPS to allow your server to act as an authentication point for your Cisco switches/routers. This may work with other devices that can use radius authentication, but I have not tested it. YMMV.

1. Install the Network Policy Server service. It is a component under ‘Network Policy and Access Services’.

2. Open the Network Policy Server console from Administrative Tools.

3. Create a new radius client for the Cisco device. The process for this is very similar to the process in Server 2000/2003. You just need the device IP, choose the “radius standard” type, and make up a shared secret.

4. “Register server in Active Directory” by right-clicking on the “NPS (local)” item in the console. This will allow NPS to query AD when an authentication request comes in.

5.  Next, create a “Connection Request Policy”.  This is the step that is new to the process, and was not required before Server 2008.  Before, this was integrated into the remote access policy, as it was previously called.  The connection request policy doesn’t need to be anything complex.  The first step is to set the network access server type to “Unspecified”.

Next, add at least one condition to the policy.  I usually use the “day and time restrictions”, and then set it to ‘permitted’ 24×7.  Obviously, the condition(s) you choose should conform to your company’s security policy, so you may need something different here.

Finally, On the Settings tab, under Authentication, choose the radio button for “Authenticate requests on this server”.

6.  Create a Network Policy, formerly known as a remote access policy in previous versions of Windows Server.  On the Overview tab, configure the policy to use the network access server type of “Unspecified”.  In addition, set the access permission setting to “Grant Access”.

On the Conditions tab, add at least one condition.  Typically, this will be the Windows Group that is allowed to log in to the network devices.  As I said before, you may need to use different conditions than I show here due to your company security policy.

On the Constraints tab, the only change you should need to make is to enable the authentication method of “Unencrypted authentication (PAP, SPAP)”.

Lastly, on the Settings tab, under Encryption, make sure that the “No Encryption” option is enabled.

7.  Point your network device(s) at this server for authentication.  The method for doing this varies depending on the make and model of your device.  With recent IOS images on Cisco switches, the commands will look something like this.

aaa new-model

aaa session-id common

aaa authentication login default group radius local

radius-server host auth-port 1812 acct-port 1813 key putyoursecretkeyhere

8.  Finally, test it!
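What the “Unencrypted authentication (PAP, SPAP)” setting means on the wire, as an added example (not code from the original post, Microsoft or Cisco): with PAP the password travels in the User-Password attribute hidden only by an MD5 keystream derived from the shared secret (RFC 2865), so the strength of that secret is what protects it in transit. The account, password and NAS name are constructed placeholders, and `send` assumes the NPS RADIUS client entry does not require the Message-Authenticator attribute.

```python
import hashlib
import os
import socket
import struct


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding, as used for PAP."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Keystream block = MD5(shared secret + previous ciphertext block)
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side inverse: what NPS does with its copy of the secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(user, password, secret, nas_id=b"switch01",
                   identifier=1, authenticator=None):
    """Build an Access-Request (code 1): User-Name, User-Password, NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(1, user)
             + attribute(2, hide_password(password, secret, authenticator))
             + attribute(32, nas_id))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def send(packet, secret, server, port=1812, timeout=5):
    """Send to the NPS server and verify the reply was made with the same secret."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + packet[4:20] + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: wrong shared secret?")
    return {2: "Access-Accept", 3: "Access-Reject"}.get(reply[0], f"code {reply[0]}")


if __name__ == "__main__":
    # Constructed values: account, password, secret and authenticator are placeholders.
    auth = bytes(range(16))
    pkt = access_request(b"netadmin", b"correct horse", b"putyoursecretkeyhere",
                         authenticator=auth)
    print(pkt.hex())
    # Live test against your own server: send(pkt, b"<shared secret>", "<NPS IP>")
```

A server that does not share the same secret silently discards the request, so a timeout from `send` usually points at a shared secret or RADIUS client IP mismatch rather than a bad password.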


Top 10 Causes of Email Flow Problems

December 24th, 2009 No comments

There are many, many things that can cause email issues.  Here are some of the most common issues I have encountered over the years. In no particular order…

1. DNS changes. Someone may have changed the MX records, or changed the authoritative DNS servers for your domain.

2. Firewall.  If the access or NAT rules for the mail server were changed, mail flow may be disrupted.  Make sure you have a system in place for tracking configuration changes on your firewall(s), so that you can look at the most recent change and decide if it created a problem with mail delivery.

3. Spam Filter.  After the firewall, the spam filter is probably the next hop for your mail.  Whether it is a standalone device or software installed on your mail server, check it to see if your mail is getting hung up here.

4. Services/Processes not running on mail server.  If you have Microsoft Exchange, check the SMTP or Microsoft Exchange Transport services.

5. DNS resolution problems on mail server (for outbound mail).  If a server can’t resolve MX records, it’s not going to be able to deliver mail.  If you are running Microsoft Exchange, the primary and secondary DNS servers configured in the TCP/IP settings are likely to be two of your domain controllers.  The easiest way to see if you are having a DNS issue on the mail server is to see if you can browse the Internet from it.

6. Incorrect or misspelled email aliases or domain names.  This is normally a user mistake when sending a message.  However, sometimes it can be due to a misconfigured contact or distribution group in Active Directory.

7. Mailbox full, either on the sender or receiver side.  This will usually cause a bounceback message.  If the user with the full mailbox is on your server, you will need to have some kind of monitoring set up to alert you to the problem.

8. Smart host not responding, credentials incorrect, or otherwise misconfigured. Possible ‘daily limit’ reached on number of relays.

9. Reverse DNS issues.  See my previous post to make sure your reverse DNS is configured correctly.

10. Blocked by ISP.  Clearwire does not allow you to host a mail server by default. Others, such as AT&T, may blackhole your WAN IP if they detect virus-like or spambot activity coming from your address.  You should call your ISP to confirm if you suspect this is the problem, assuming they haven’t notified you already of the block.


Test Your DNS with Namebench

December 24th, 2009 No comments

Namebench is a great utility to test your DNS performance against other publicly available DNS servers.  It will run a multitude of DNS-related tests and give you back a recommended DNS configuration for your computer, based on the connection you are using when you run the test.  The tool was created by a Google developer, but is not biased towards Google Public DNS.  In my case, it suggested I use “The Planet” (company in Dallas) as my primary DNS provider.

The original project page is here:


It takes about 10 minutes to run, and can definitely be worth the trouble if you are having slow Internet browsing issues.

Categories: DNS