This morning I was doing some maintenance on a customer's machine and needed to reinstall the application. The customer site is closed, but the work still needs to be done. I had a copy of the ISO media available on a server in our office, so the solution seemed obvious: drop it on a web server and pull it down from the client's machine.
So, I created a directory on one of our web servers, placed the ISO file there, and turned on "Directory Browsing" for that directory. I then logged into my customer's machine and navigated to the site and found the file. I right-clicked on the file, hit "Save Target As..." and ....
Internet Explorer cannot download myfile.iso from my.webserver.com.
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.
I went back to the site and this time, just clicked on the file name, and was greeted with the generic 404 message.
Fortunately, the solution is very simple and only takes a few seconds.
1. Open up IIS Manager.
2. Navigate to the web site (if you don't want to change the setting for the entire web server, you can just navigate to the directory path off the web site).
3. Right-click > Properties on the website (or directory).
4. Select the "HTTP Headers" tab.
5. Select the "MIME Types" button.
6. Click the "New" button.
7. Add the extension type (in my case, ISO).
8. Add the MIME type (in my case, application/octet-stream).
9. Click OK three times.
Try to re-download the file in your browser.
The reason for this behavior is described in detail in the IIS 6.0 documentation here.
Saturday, January 22, 2011
Tuesday, January 4, 2011
How to fix a bad/corrupt/hidden source in Cydia
I was adding a new Cydia repository the other day to my iPhone and apparently mistyped something. I deleted it from the GUI, but every time I went to search Cydia for an application or manage my source list, I received an error that the repository was unavailable and then received the following error:
Sub-process bzip2 returned an error code (2)
Sub-process bzip2 returned an error code (2)
Fortunately, there's a way to fix it. You'll need a few pieces of software:
- OpenSSH installed on your iDevice
- WinSCP (free Windows Secure Copy client; available at http://sourceforge.net/projects/winscp)
- plist Editor for Windows (Mac OS Property List editor; http://www.ipodrobot.com/blog/2009/02/free-plist-editor-for-windows-10-released.htm)
- Make sure you have SSH access to your iDevice. When you installed Cydia, you had the option for which tool sets you wanted. If you didn't select a tool set that includes command-line tools, you'll need to install those first (OpenSSH is the main piece that's required). If SSH isn't working, you'll need to reinstall it and then respring your device.
- Test your SSH login credentials by using an SSH client such as putty connecting to your device's WiFi address and logging in as 'root.' If you have not changed the root password, the default is 'alpine.'
- Using a secure copy client (such as WinSCP), connect to your iDevice and navigate to /private/etc/apt/sources.list.d.
- Right-click > Edit the cydia.list file, remove the offending line, and click Save. Close the WinSCP editor.
- Navigate to /private/var/lib/cydia.
- Copy the metadata.plist file to your computer.
- Using plist editor, open the metadata.plist on your computer.
- Search for the repository you need to remove. The line will look something like deb:http://repositoryname/:./
- Select and delete down to the next key tag. Your selection should start with an open key tag and end with a close dict tag and should contain approximately 9 lines of data.
- Copy it back to /private/var/lib/cydia and overwrite the existing file.
- Navigate to /private/var/lib/apt/lists and delete the files starting with the name of the source you wish to remove.
- Navigate to /private/var/lib/apt/lists/partial and do the same.
- Close WinSCP and respring your iDevice.
Thursday, December 16, 2010
Bulk add host headers to IIS site
Kind of in line with my previous post of bulk adding DNS zones and configuring secondaries is the need to bind multiple new host headers to a customer's site. Doing it from the IIS Manager is tedious, to say the least.
Fortunately, there is a way to bulk do this as well. This method is a little clunky, but still way better than doing it all manually.
1. From IIS Manager, locate the identifier for your website (if it's not the default site).
2. Open a command prompt and navigate to (default) \Inetpub\Adminscripts.
3. Run the following command:
cscript adsutil.vbs get w3svc/{site identifier}/serverbindings
The reason this has to be done is that the adsutil.vbs set command will overwrite these settings (not add to them), so if you just plug in your new host headers, you'll lose all of your old ones!
You should get an output that looks similar to this:
":80:www.oldhostheader1.com"
":80:www.oldhostheader2.com"
4. Copy/paste the output into a notepad window. Delete the white spaces until it's all one continuous line.
5. Using the same format, add your new host headers to this list so that it looks like this:
":80:www.oldhostheader1.com" ":80:www.oldhostheader2.com" ":80:www.newhostheader1.com" ":80:www.newhostheader2.com"
6. At the beginning of the line, prepend cscript adsutil.vbs set w3svc/{site identifier}/serverbindings, and save it as a .bat file.
7. Run.
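The merge in steps 3 through 6 can be scripted so that the existing bindings are always carried into the set command and new names are checked before they reach a command line. The PowerShell below is an added example, not code from the original post; the site identifier 1, the pasted adsutil output and the host names are constructed sample values, and the function names are hypothetical.

```powershell
# Added example, not from the original post.
# Assumptions: site identifier 1, port 80, and the sample data below are constructed.
$SiteId = 1

# Constructed sample: text captured from
#   cscript adsutil.vbs get w3svc/1/serverbindings
$existingOutput = @'
":80:www.oldhostheader1.com"
":80:www.oldhostheader2.com"
'@

# New host headers to add (constructed; the last one duplicates an existing binding).
$newHosts = @('www.newhostheader1.com', 'www.newhostheader2.com', 'WWW.OLDHOSTHEADER2.COM')

function Get-ExistingBinding {
    param([string]$AdsutilOutput)
    # Extract every quoted "IP:port:host" triple; any other text in the output is ignored.
    [regex]::Matches($AdsutilOutput, '"([^":]*):(\d+):([^":]*)"') |
        ForEach-Object { '{0}:{1}:{2}' -f $_.Groups[1].Value, $_.Groups[2].Value, $_.Groups[3].Value }
}

function Test-HostHeader {
    param([string]$Name)
    # Accept only DNS-style names: letters, digits, hyphens and dots.
    # This also rejects quotes, spaces and shell metacharacters before the
    # name is placed on a command line.
    $label   = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
    $pattern = '^{0}(\.{0})*$' -f $label
    return ($Name.Length -le 253) -and ($Name -match $pattern)
}

function Merge-Binding {
    param([string[]]$Existing, [string[]]$HostNames, [int]$Port = 80)
    $seen   = @{}   # PowerShell hashtable keys compare case-insensitively
    $merged = @()
    # Existing bindings go first and are kept exactly as the metabase returned them.
    foreach ($b in $Existing) {
        if (-not $seen.ContainsKey($b)) { $seen[$b] = $true; $merged += $b }
    }
    foreach ($h in $HostNames) {
        $name = $h.Trim()
        if (-not (Test-HostHeader $name)) {
            throw "Refusing invalid host header: '$name'"
        }
        $binding = ":${Port}:$($name.ToLowerInvariant())"
        if (-not $seen.ContainsKey($binding)) { $seen[$binding] = $true; $merged += $binding }
    }
    return $merged
}

$existing = @(Get-ExistingBinding $existingOutput)
if ($existing.Count -eq 0) {
    # A set command built from an empty list would replace every binding on the site.
    throw 'No existing bindings were parsed; refusing to build a set command.'
}

$all     = @(Merge-Binding -Existing $existing -HostNames $newHosts)
$quoted  = $all | ForEach-Object { '"{0}"' -f $_ }
$command = 'cscript adsutil.vbs set w3svc/{0}/serverbindings {1}' -f $SiteId, ($quoted -join ' ')

# Print the line for review; save it as a .bat file only after checking it, e.g.
#   Set-Content -Path .\add-bindings.bat -Value $command -Encoding ASCII
$command
```

Keep the original get output alongside the generated line so the previous bindings can be restored with another set command if the result is not what you expected.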
Quick 'n dirty DNSCMD scripts
Periodically, I get requests to bulk add domains to our DNS hosting environment. Here are a few simple DNScmd scripts to help make the job easier.
On the DNS Primary server, I created a batch script named "zoneadd_primary.bat" and put this in it:
@ECHO OFF
REM
REM Add the DNS zones listed in the file given on the command line as
REM standard primary zones.
REM Replace x.x.x.x and y.y.y.y with your secondary/slave servers.
REM Check for command-line parameter
if "%1"=="" GOTO USAGE
for /F %%a in (%1) do dnscmd /zoneadd %%a /primary /file %%a.dns
REM Add secondary/slave servers to zones
for /F %%a in (%1) do dnscmd /zoneresetsecondaries %%a /securelist x.x.x.x y.y.y.y
GOTO END
:USAGE
ECHO.
ECHO Error: no file specified
ECHO.
ECHO Usage:
ECHO zoneadd_primary [filename]
ECHO.
ECHO where [filename] is a text file with a list of domains.
ECHO.
ECHO Example:
ECHO.
ECHO zoneadd_primary domains.txt
ECHO.
:END
And then, on the slave servers, I put a companion script called "zoneadd_secondary.bat" with a similar script:
@ECHO OFF
REM
REM Add the DNS zones listed in the file given on the command line as secondary zones.
REM Replace n.n.n.n with IP address of primary/master server.
if "%1"=="" GOTO USAGE
for /F %%a in (%1) do dnscmd /zoneadd %%a /secondary n.n.n.n
GOTO END
:USAGE
ECHO.
ECHO Error: no file specified
ECHO.
ECHO Usage:
ECHO zoneadd_secondary [filename]
ECHO.
ECHO where [filename] is a text file with a list of domains.
ECHO.
ECHO Example:
ECHO.
ECHO zoneadd_secondary domains.txt
ECHO.
:END
Not much to it, but I do find it useful.
Saturday, December 11, 2010
Mitch McConnell, This One's For You
Also titled, "Everything that's wrong with Republicans and Democrats."
It's been a while since I've posted something political; now that the dust is getting kicked up around the compromise deal between President Obama and the Senate Republicans, I think it's a good time to let my feelings out.
Hearing Mitch McConnell on the radio is an audio reminder of why I don't consider myself a Republican anymore. I have no idea how he can claim that extending the Bush tax cuts to the wealthiest 2% of Americans is going to help our ailing economy. Since it's obvious that it's been a few years since he's had an economics course, I'm going to share my limited recollection of college econ.
Now, mind you, I was born and raised in a house that bled Reaganomics. I still hear stories about how I ran around the Whitewater Armory on election day yelling "Ronald Reagan is a good man!" I was always told that the rich people create jobs and that you never asked a Wal-Mart greeter for a job. I was told that everyone's born a Democrat, and then they grow up.
However, I've come to the realization that this particular viewpoint was very one-sided and not very practical.
While rich people and business owners *do* create jobs, they create jobs when there is sufficient economic cause to do so. Rich people didn't get to be rich by spending their money foolishly, and few things are more foolish than employing a bunch of people making stuff that isn't getting sold.
For some reason, Mitch McConnell seems sold on the idea that the richest 2% of Americans need all of these tax breaks extended because we're in a fragile economy and that extra oomph is needed to entice them to create jobs.
Mitch, I've got news for you--no one with bags of money sits around thinking, "I'm going to create some jobs by employing a bunch of minimum wage folks in hopes of stimulating the economy." There is no benevolent employer who is looking for the opportunity to create a warehouse full of unsold goods. Rich people don't get to be rich by hiring a bunch of people to stand around idle. What stimulates the economy is a lot of people buying stuff over a sustained period. The spending must come before the job creation does.
What he (and the other Congressional Republicans) need to remember is that the most direct ways to stimulate the economy and reduce the deficit are:
1. Extend unemployment benefits. People who are on unemployment aren't building a rainy day fund. UE is barely enough to keep food on the table for most families; every last penny of it is going immediately back into the economy.
2. Simplify the tax structure. It was tried in 1986, but didn't really have a huge net change. There are so many loopholes favoring the rich that they can, in some cases, pay less taxes than people making 1/10 of what they make. Eliminate the vast majority of deductions. There is no reason that the personal tax code can't be under 100 pages, or even 50.
3. Broaden the tax base. Get more people to pay taxes. Fewer exemptions and deductions means more people are affected.
4. Lower marginal tax rates. If the tax base is sufficiently broad, everyone's marginal rates can go down. This would directly put money back into pockets to be spent. A family of four making $40,000 per year spends a much higher percentage of their income on necessities than a single person making $2m a year. Lowering the tax rates (especially on the low end of the income scale) again means that more money would be going directly back into the economy. And we all know that money flowing in means employers need to hire more people (that whole supply and demand thing).
The President and his Debt Commission have several recommendations; I think a lot of the ideas are good. There are only two ways to shrink the deficit--raise revenues and cut spending. Republicans and Democrats seem to think that those ideas are mutually exclusive. Democrats want to increase revenues, Republicans want to cut spending on bleeding-heart programs.
Things that I think would be beneficial for a comprehensive tax plan:
1. Exempt first $35,000 from personal income tax.
2. Do away with all deductions except charity and medical expenses (EIC, mortgage deduction, etc)
3. Eliminate capital gains tax.
4. Eliminate inheritance tax.
5. Implement progressive income tax (maybe about 18% on $35,000-70,000; 22% on $70,000-150,000; 25% on 150,000-$500,000, etc.). It would take a bit of math, but in the end, the marginal tax rates drop significantly, but with a broader base and only two deductions (charity and medical expenses), I think we'd see an overall increase in government revenue.
My numbers may need some tweaking, but I think in the end, it's going to take some out-of-the-box ideas like that (like touching the sacred cow "Mortgage deduction") to put real money back in the pockets of the people most likely to spend it and start growing our economy.
Thursday, December 9, 2010
How to Join Windows XP Media Center to a Domain
During an SBS deployment, I ran into a few machines at my customer's site that were running Windows XP Media Center Edition (MCE). As most of you know, the only machines that are technically eligible to join a Windows domain are "Business" class operating systems, such as Windows XP Professional, Windows Vista Business, Windows Vista Enterprise, Windows 7 Professional and Windows 7 Enterprise (although not technically "business" class, Windows Vista/7 Ultimate Editions are also able to join domains, since they're supposed to be everything-but-the-kitchen-sink editions).
And, as luck would have it, the customer has critical LOB applications installed on these machines and some other pieces of legacy software for which the media is nowhere to be found, so a fresh install with Windows XP Professional media is out of the question.
No problem, right? I've upgraded dozens of Windows XP Home PCs to Windows XP Professional for this exact reason. I pop some newly acquired Windows XP Professional with SP3 "Get Genuine" media (designed for those folks that have potentially illegitimate Windows versions); the upgrade is going well until ... the part where I enter the license key. It won't take it, even though I know it's valid (tested against an XP Home machine in the same office).
While trying to find a reason why I can't upgrade, I stumble upon another blog with some basic instructions on how to join XP MCE to a domain. The first step the author lists is to install the Windows XP Recovery Console; I run the command and restart ... and ... bluescreen.
I turn to my trusty recovery tools disc (which has gotten me out of more tight spots than you can imagine) and boot to a WinPE shell which has a bunch of great tools loaded, including RegEdit PE.
To perform this feat of amazement yourself:
1. From a WinPE installation, launch RegEdit PE, point it to the Windows installation directory, and load up the registry hives.
2. Navigate to HKEY_LOCAL_MACHINE\_REMOTE_SYSTEM\WPA\MedCtrUpg.
3. Double-click the value IsLegacyMCE.
4. Change the '0' to a '1'.
5. Close RegEdit PE and restart the machine into Windows.
6. Join domain.
Friday, November 5, 2010
Outlook Anywhere and Wildcard Certificates in Exchange 2010
When migrating to a new Exchange 2010 environment, I decided to use a wildcard certificate instead of a UC certificate. It cost about twice as much, but seeing as how I have several other services that currently require SSL certificates, it seemed like a good investment.
When running through the Exchange Remote Connectivity Analyzer, I noticed that my configuration kept failing the Outlook Anywhere test with the following error:
Testing SSL mutual authentication with the RPC proxy server.
Verification of mutual authentication failed.
> Additional Details
>> The certificate common name *.domain.com doesn't validate against the mutual authentication that was provided: msstd:mail.domain.com
The solution was relatively easy. Log into your Exchange CAS server and run the following cmdlet from the Exchange Command Shell:
Set-OutlookProvider -Identity EXPR -CertPrincipalName *.domain.com
I've seen some documentation that replaced the CertPrincipalName value with msstd:*.domain.com, but I believe that is incorrect. The name on the actual SSL certificate is *.domain.com, not msstd:*.domain.com. For giggles, I did try using msstd:*.domain.com as the CertPrincipalName value, but it did not allow me to pass ExRCA.
Run the Get-OutlookProvider cmdlet to review your settings:
RunspaceId : 841d7d59-e89c-42b4-9c3c-9388d40dcd95
CertPrincipalName : *.domain.com
Server :
TTL : 1
OutlookProviderFlags : None
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : EXPR
DistinguishedName : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=A
pex Digital Solutions,CN=Microsoft Exchange,CN=Services,
CN=Configuration,DC=domain,DC=com
Identity : EXPR
Guid : d81b1280-1843-4808-812c-48375ed744e0
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Auto-Discove
r-Config
ObjectClass : {top, msExchAutoDiscoverConfig}
WhenChanged : 11/5/2010 11:53:39 AM
WhenCreated : 1/30/2009 9:23:30 PM
WhenChangedUTC : 11/5/2010 3:53:39 PM
WhenCreatedUTC : 1/31/2009 2:23:30 AM
OrganizationId :
OriginatingServer : mydc03.domain.com
IsValid : True
Topics:
exchange 2010,
outlook,
ssl,
troubleshooting,
wildcard
Thursday, November 4, 2010
Fun with PIX, Part Deux
After getting my PIX to boot in my previous post, I decided to run through the password recovery procedures.
What you'll need:
- PIX recovery images (available from either the Cisco site individually or here in one ZIP file)
- PIX firewall software version
- TFTP server software (I used the TFTP server included in the PacketTrap pt360 Suite in this exercise)
- Terminal Emulator (I typically use PuTTY)
Steps:
- Connect Ethernet 0 on the PIX to your local LAN.
- Open a command prompt and run ipconfig to determine your computer's IP address.
- Download PIX recovery images to a directory on your computer (such as C:\tftp).
- Point your TFTP server to the download directory containing your tools.
- With a console cable attached and terminal emulator running, power on the PIX firewall.
- Note the version of the PIX firewall software. If you missed the boot sequence, you can type sh ver at the prompt. The firewall software version will normally be the first line returned:
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
In this case, the number you need is "Cisco PIX Firewall Version."
- Power off the PIX.
- Power on the PIX.
- After the startup messages appear, press ESC or send a BREAK command. Note: If you do it too early, you'll get a testing/diagnostic menu. To continue the boot process, type C. A successful BREAK command should leave you at the monitor> prompt.
- Type int e0 and press ENTER.
- Type addr a.b.c.d and press ENTER (where a.b.c.d is an IP address you want to assign to the PIX. To reduce troubleshooting, choose an address on the same network as the computer you're using).
- Type server w.x.y.z and press ENTER (where w.x.y.z is the IP address of the computer you're using to perform this procedure).
- Type file np[nn].bin (where [nn] is the version number corresponding to the BIN file for password recovery. For example, if your PIX is running version 6.3 of the firewall software, enter np63.bin).
- Type tftp and press ENTER.
- When prompted, type Y to erase the passwords.
- If prompted to remove the commands from the configuration, type Y.
- The device will reboot and will have a blank password.
Fun with PIX, Part I
When meeting with a potential customer the other day, she mentioned that she had a running PIX with an unknown password.
I thought I'd refresh my PIX skills and decided to bust out an old PIX 506E we had sitting in the office. After the unfortunate re-realization that my laptop doesn't have a serial port (and the resulting short jaunt to the computer store to get a USB-to-Serial cable), I consoled into the PIX and turned it on.
My adventure was short-lived, however. While watching the boot-up, I was greeted with a hung firewall:
CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
32 MB RAM
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 00 00 8086 7192 Host Bridge
00 07 00 8086 7110 ISA Bridge
00 07 01 8086 7111 IDE Controller
00 07 02 8086 7112 Serial Bus 9
00 07 03 8086 7113 PCI Bridge
00 0D 00 8086 1209 Ethernet 11
00 0E 00 8086 1209 Ethernet 10
And that's all she wrote.
Fortunately, there's an easy enough work-around.
1. Power off the device.
2. Remove the cover. There are two Phillips screws located at the top rear of the unit. The top half slides back about an inch or so and then lifts off.
3. Locate the J5 jumper. It should be right next to the CMOS battery. Move it over 1 PIN.
4. Power on the device.
5. After unit has booted, power off.
6. Replace cover.
Wednesday, October 6, 2010
"Saved-Critical" for Almost-Clustered Virtual Machines in Windows 2008 R2 Hyper-V
While staging a clustered Hyper-V environment this week, I ran into a head-scratching issue. After provisioning a few LUNs, masking them, and adding them as available storage to Failover Clustering, I began setting up the virtual machines on one of my cluster nodes. During maintenance, the physical servers were restarted. When I went back to continue configuring the virtual machines (which were not yet clustered at this point), I connected to the physical host on which I had been configuring them. While my other clustered virtual machines were running fine, the new ones that I had not yet finished configuring were in a "Saved-Critical" state.
I attempted to start them, but received an error that the saved state could not be restored. I attempted to delete the saved state, but received an "Unable to perform operation" error. Additionally, I could not view the properties of the virtual machines in the Saved-Critical state.
I opened up Failover Cluster manager and noticed that the storage was now owned by the other cluster node. The problem is now obvious--the storage is no longer being presented to the host on which I was configuring the virtual machines. So, how to move these disks? Since the disks are marked "Available" (not having run through the new service Failover Clustering wizard to make the virtual machines highly available), I can't move them by right-clicking on them and selecting a new node.
There is another solution, however, and it involves the cluster.exe command.
1. Open up a command prompt.
2. Run the following command: cluster.exe GROUP "Available Storage" /Move
Voila! The disks moved back to the other node and the virtual machine state in Hyper-V manager changed from "Saved-Critical" to "Off." I was then able to cluster the machines normally through Failover Clustering.
Topics:
clustering,
hyper-v,
hyper-v r2,
troubleshooting,
windows 2008 r2