Server 2012 VSS Restore Source Path Too Long Error. VSS restore from SAN

VSS is a great tool for letting users undo mistakes such as accidentally deleting a folder, but what happens when you need to restore files, folders or entire directories and it throws up a message complaining that the source path is too long? This is because the path exceeds 260 characters (http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx#maxpath).

There are a couple of ways around this, and they are well documented on the web: using net use to map a drive to a point deep in the path, or using subst to do the same thing, both of which shorten the final path. All great ideas, but in my experience not always successful.

Now if the data was on local disk it might be easier to recover the files, but in my case the data was on 3PAR spindles accessed by a 2012 cluster. I had to access the data by browsing the share name, entered in the Run command. If I browsed the data using File Explorer I could see the data but no VSS snapshots, so browse by share name if your data is on SAN or storage.

Use robocopy. The commands are quick and easy, and robocopy ignores the path length limitation described above.

1. Find the folder(s) you want to recover from VSS and right click on the folder or file and select properties. If the entire folder has been deleted then choose the folder above where it would have been.

2. Select Previous Versions tab and select the date you want to restore from. Right click and select properties.

3. On the General tab highlight and copy the location to notepad.

4. In Notepad, edit the location to include the folder name if that is what is required, as below.

This is the location as copied \\mydomain.myname\data\team info\@GMT-2015.02.01-08.53.31

This is the location including the folder name that I want to restore

\\mydomain.myname\data\team info\@GMT-2015.02.01-08.53.31\foldername

Copy this path to the clipboard (CTRL-C)

5. Open a command prompt and enter the following. If you have spaces in your path, as I do, don't forget the opening and closing double quotes. The recovered path is on local disk on the server you are running the command from.

robocopy "\\mydomain.myname\data\team info\@GMT-2015.02.01-08.53.31\foldername" "c:\recovered\team info" /e /z

The switches used above are /e : Copy subfolders, including empty subfolders and /z : Copy files in restartable mode (survive network glitch).

There are lots of switches available; have a look on the net, but a quick useful reference is http://ss64.com/nt/robocopy.html

6. Once the command has completed you will need to shorten the file and folder names to reduce the path length. If you don't do this, as soon as you put the recovered files back into their original location you will hit the same original problem.
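To find which recovered files will break the limit again before you move them back, the check below lists them with robocopy and works out the path each one will have in its original location. It is an added example, not from the original post; the function name, parameter names, list-only destination and CSV path are assumptions, and the two roots reuse the paths from step 5.

```powershell
# Added example, not from the original post.
# Get-ProjectedLongPath and its parameter names are this example's own.
function Get-ProjectedLongPath {
    param (
        [Parameter(Mandatory = $true)][string]$RecoveredRoot,  # where robocopy put the files
        [Parameter(Mandatory = $true)][string]$OriginalRoot,   # where they will go back to
        [int]$Limit = 260   # MAX_PATH includes the terminating null, so 259 is the longest usable path
    )
    # A trailing backslash before the closing quote would break robocopy's argument parsing
    $RecoveredRoot = $RecoveredRoot.TrimEnd('\')
    $OriginalRoot  = $OriginalRoot.TrimEnd('\')

    # /L = list only (nothing is copied), /E = recurse, /FP = full paths, /XJ = skip junctions.
    # The /N* switches strip everything except the file path from each output line.
    # The destination must not exist so that every file is listed; /L means it is never created.
    $listing = robocopy $RecoveredRoot "$env:TEMP\robocopy-list-only" /L /E /FP /NS /NC /NDL /NJH /NJS /XJ

    foreach ($line in $listing) {
        $path = $line.Trim()
        # Skip blank lines and anything that is not a file under the recovery root
        if (-not $path.StartsWith($RecoveredRoot, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

        # Swap the recovery root for the original root to get the length
        # the file will have once it is moved back
        $projected = $OriginalRoot + $path.Substring($RecoveredRoot.Length)
        if ($projected.Length -ge $Limit) {
            [pscustomobject]@{
                ProjectedLength = $projected.Length
                CharsToTrim     = $projected.Length - ($Limit - 1)
                RecoveredPath   = $path
            }
        }
    }
}

$roots = @{
    RecoveredRoot = 'C:\recovered\team info'
    OriginalRoot  = '\\mydomain.myname\data\team info\foldername'
}
Get-ProjectedLongPath @roots |
    Sort-Object ProjectedLength -Descending |
    Export-Csv -Path C:\longpaths.csv -NoTypeInformation
```

CharsToTrim is how many characters have to come out of that file's folder or file names before it will fit in the original location.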

Can you ping it?

Lots of posts out there in the millions of web pages on how to do this but here's my way. I can't take all the credit as it's cobbled together from lots of other people's scripts.

Need a way to ping a list of servers on your domain? AD need tidying up? DR failover testing? Power cuts and data centre outages? This little PowerShell script will take a list of your server names, ping them and then generate a list of successes and failures. Read my comments for further info on how to use this; it is best run within PowerShell ISE. You could if you wish output to a txt file, just substitute the csv file for txt.

#########################################################################
# canyoupingit.ps1 Yes you can                                          #
# Ping Servers Script does what it says it does!                        #
# Create from AD a csv file export of all servers you wish to ping test #
# Clean the columns up to only include the server name                  #
# Create the column name DNSName with all servers underneath            #
# Save as servers.csv                                                   #
# Create a blank csv named logfile.csv                                  #
# Run the script and enter the paths as prompted to the two csv files   #
#########################################################################

param (
    [Parameter(Mandatory = $true)]
    $SourceFile,
    [Parameter(Mandatory = $true)]
    $OutFile
)

Function Ping-Hosts {
    param ($server)

    # Send one echo request and keep the reply so the IPv4 address can be logged
    $reply = Test-Connection $server -Count 1 -ErrorAction SilentlyContinue
    $ip = $reply.IPV4Address   # empty when there was no reply

    if ($reply) {
        Write-Host "$server $ip is pingable" -ForegroundColor Green
        Write-Output "$server,$ip,yes" | Out-File $OutFile -Append
    }
    else {
        Write-Host "$server not pingable" -ForegroundColor Red
        Write-Output "$server,$ip,no" | Out-File $OutFile -Append
    }
}

# Take the extension from the end of the name so paths containing other dots still work
$filetype = $SourceFile.Split(".")[-1]

# Start the output file with the column headers
Write-Output "ServerName,IP,RespondsToPING" | Out-File $OutFile -Force

if ($filetype -eq "txt") {
    # Plain text: one server name per line
    Get-Content $SourceFile | ForEach-Object { Ping-Hosts $_ }
}
elseif ($filetype -eq "csv") {
    # CSV: server names are in the DNSName column
    Import-Csv $SourceFile | ForEach-Object { Ping-Hosts $_.DNSName }
}
else {
    Write-Host "Filetype: $filetype not recognized. Filetype must be .csv or .txt . Please try again." -ForegroundColor DarkRed -BackgroundColor White
}

Subnetting made easy

Now most of us cannot do subnetting on the fly without the use of an app or website with a calculator of some description – welcome to the real world!

Now at a time when my CCNA is up for recertification I struggled to remember the rules of subnetting on the fly, and as they don't give you any calculators to use or allow your iPhone, you really need to know how to do this. Trust me, you will need to be able to subnet on the fly for any chance of passing your CCNA or CCENT routing and switching exams.

I remembered a lecturer showing us a way to do this by creating a little cheat sheet. Whilst it's not cheating in the broadest sense, you are allowed to use this in an exam scenario. Cisco kindly give you 10 minutes before the exam starts to follow the exam tutorial, time best served creating your subnet sheet. All you need to do is first understand it, then learn to create it parrot fashion so you can easily recreate it within your 10 minutes. After a week or so you should have this down to 2-3 minutes easily; if not, keep writing it out until you do. I have seen similar sheets but they were all a little confusing to use and remember, so with a little modification for ease of use I created my version of the CCNA subnet sheet.

[Image: the CCNA subnet sheet]

A quick guide to using this.

Hosts* – Use this line to work out your hosts. Start from the far right (oct 6) and work towards the left doubling the number each time. Then in the line above (Hosts) subtract 2 from the below line to give you the number of hosts per CIDR. Cross out the original number so as not to confuse yourself.

X – Use this to work out the mask. Start on the left at octet 1 using 128 as the mask. Then add the next X number to the previous mask each time i.e. 128 (mask) + 64 (X) = 192, 192 (mask) + 32 (X) = 224 etc etc. working your way right until complete.

Wild Card – Subtract 1 from each X to give you a wild card, useful when you need to use a wild card instead of a full mask. Some questions give you a wild card instead so you can easily see from your sheet what the subnet should be.

Good luck.

Office Communicator 2007 – MOCS – IE11 – Does not Download GAL

OK another post about the GAL not downloading for Microsoft Office Communicator 2007 (MOCS 2007) and the red exclamation mark showing on the task bar icon.

Symptoms included the old red exclamation mark which when clicked gave the “Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator” and Outlook Find a Contact feature being empty or not displaying contacts.

Now I know I have already posted a fix for this but this issue came about for a roll out of IE 11, previously my client was running IE 8. During testing I noticed the red exclamation mark and digging further I could see that the GAL was not downloading and the GalContacts.db and GalContacts.db.idx would not appear in the following location

C:\Users\"username"\AppData\Local\Microsoft\Communicator\sip_username@domain.com

I applied my other fix to check it wasn’t CRL and also applied the reg key to download the GAL as soon as Communicator was started. By default the initial download could be random depending on the traffic hitting your OCS server, it starts attempting to download after a 1 second delay once the client application is started, then 2 seconds, 4 seconds, 8 seconds and doubles every time it attempts up to a maximum of 64 minutes.

x86 systems

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator]
"GalDownloadInitialDelay"=dword:00000000

x64 systems

[HKEY_CURRENT_USER\Software\Wow6432Node\Policies\Microsoft\Communicator]
"GalDownloadInitialDelay"=dword:00000000

Please make sure you back up your registry before making changes.

When this didn't download the files immediately I started looking at policies and tested these with a fresh build with IE8. It was at this point I realised the issue was caused by upgrading to IE 11. With a quick look at the advanced settings I noticed that the setting for "Do not save encrypted pages to disk" was checked. I cleared the check box and restarted Communicator… voila, it downloaded the GAL. I suggest you set this with a group policy for your OU.


Your meeting request was declined – Exchange shared calendars

This resource can only be scheduled up to 365 days in advance. The end time should fall before dd/mm/yyyy.

This resource can only be scheduled up to 180 days in advance. The end time should fall before dd/mm/yyyy.

I hit an issue the other day with a user trying to create room bookings for the year ahead on calendars within public folders, which returned one of the errors above.

Scenario – The user creates an appointment from their calendar which is, let's say, 380 days in advance. They then click Invite Attendees and select Rooms. They add the room they want to book, complete the details etc. and hit Send. Within a few moments the user receives an email from the room booking email address declining the meeting. The message body will look something like the one below.

[Screenshot: the decline message]

This is because the booking window set for the mailbox calendar is shorter than the number of days in advance (counted from the current date) for which you are trying to create the appointment.

Under testing the same happens for recurring appointments; this is because the Exchange server calculates the 180 or 365 days based on the creation date of the meeting/appointment, and NOT the meeting start date.

Now the interesting thing here is even though the message returned to you says that it was declined, the appointment IS actually scheduled!

Easily resolved by changing the booking window for the calendar in question using cmdlets via the Exchange Management Shell.

Open up the Shell on the Exchange server and run the following cmdlet to determine the booking window for the calendar in question.

Get-CalendarProcessing -Identity "MailboxName" | fl

This will return the properties of the mailbox, and within the details you will clearly see the number of days of the booking window.

[Screenshot: Get-CalendarProcessing output showing the booking window]

As you can see the booking window is 365 days and the meeting in the scenario was 380 days in advance, outside of the booking window set.

This can be changed by setting the booking window to a number of days of your choosing with this cmdlet.

Set-CalendarProcessing -Identity "MailboxName" -BookingWindowInDays 381

Run the get cmdlet again to check the booking window and test.

A word of caution here: I wouldn't go with a booking window too far in advance, for numerous reasons such as users leaving, meetings and projects changing, and even meeting rooms being turned into offices and no longer being there when the time of the meeting arrives. Nothing worse than turning up to a meeting room hundreds of miles away to find that the meeting room in question is now a break out room with a ball pit! I guess what I'm getting at is, be sensible with the window you want to create.

Now go off and keep that Exec Secretary or PA happy with your impressive IT skills!

 

Cisco 837 ADSL router and BT Business ADSL with 5 IP Addresses connecting to Cisco ASA 5505

I recently found need to replace my BT infinity setup with BT Business Broadband because I needed a static IP along with additional IP addresses. Unfortunately this meant upgrading to their business package. BT offer 5 additional IP’s for the same price as just one so foolish not to take them up on this. This config will also work for 12 static addresses.

If you want to pass traffic through a router for multiple IPs there are lots of guides out there on how to accomplish this, but here is my setup and config, as I am sure there are others out there wanting a similar set up to use with BT Business Broadband with multiple static IPs. I will post the ASA config at a later date once I have finalised my set up and tidied it up a little. Apologies if this is a "little baby steps" for the more Cisco savvy reading this; hopefully the not so techie will be able to follow this as well.

My set up is a Cisco 837ADSL router > Cisco ASA 5505 > Cisco 2960 Switch. I wanted to route all my available IP’s through to my firewall rather than NAT them at the router, any NAT’ing would be carried out by the firewall.

If you have the BT router home hub box, un-plug it and place it under the bed and forget about it. Then get yourself a good Cisco 837 ADSL router cheap off of the Bay of E. Less than a tenner should secure you a good one with the power supply. If you haven’t already got one then another Bay of E purchase will secure you nice blue Cisco console roll over cable. Make sure you have a com port on your PC/Server/Laptop otherwise, back to the Bay of E for a usb to com port adapter.

Next thing you will need is a copy of Putty, free from http://www.putty.org, and once installed you're pretty much ready to go.

Before we get started there are a few things you will need from BT which they should have provided to you on email.

First you will need your username and password supplied to you.

Second you will need the IP range allocated to you. You will have 8 static IP addresses assigned to you of which 3 of these will be reserved. For example:

81.141.xx.xx2 will be your network address.

81.141.xx.xx3 – 81.141.xx.xx7 will be for use by you as you see fit.

81.141.xx.xx8 will be your router address.

81.141.xx.xx9 will be your broadcast address.

Subnet for this will be 255.255.255.248 or /29

OK ready? Here we go.

Connect your console cable to your com port or usb and the console port on the router. Make sure your putty settings are set to Serial and change the COM port to the one that's configured for your computer to use. If you are unsure, check in Device Manager or just change the COM port number in putty until you hit the right one. Click Open to open the session.

Power on the router and you should see within a few seconds, the router running through its start up sequence. Now for the purpose of this post I am assuming you have either bought or have a router that has had its config wiped or set back to default, if not then read my other posts or google up the simple procedure of setting a router back to its default config.

If it prompts you to enter the initial configuration dialog as below, enter NO and hit return. Press Return to get started and let the router run through its start up which should take 30 seconds or so.

[Screenshot: the initial configuration dialog prompt]

You should finish up at the router prompt Router> if not then hit enter a couple of times.

Type en to enable exec mode which will change the prompt to Router#

Now for the next bit I would suggest you copy and paste the below config into your favourite text editor, modify the required sections to suit your own config and delete my comments including the (brackets). This also serves as a backup of the router config somewhere just in case!

version 12.3
 no service pad
 service tcp-keepalives-in
 service tcp-keepalives-out
 service timestamps debug datetime msec localtime show-timezone
 service timestamps log datetime msec localtime show-timezone
 service password-encryption
 service sequence-numbers
 !
 Hostname router
 !
 security authentication failure rate 3 log
 security passwords min-length 6
 no logging buffered
 enable secret PASSWORD123 (replace PASSWORD123 with one of your choice)
 !
 username admin password PASSWORD1234 (this sets the user name as admin, replace PASSWORD1234 with one of your choice)
 no aaa new-model
 ip subnet-zero
 no ip source-route
 ip tcp synwait-time 10
 !
 !
 no ip bootp server
 ip cef
 ip audit notify log
 ip audit po max-events 100
 ip ssh time-out 60
 ip ssh authentication-retries 2
 no ftp-server write-enable
 !
 !
 !
 !
 !
 !
 !
 interface Null0
 no ip unreachables
 !
 interface Ethernet0
 description ETHERNET_TO_FIREWALL (you can give the description of your choice or leave it as it is)
 ip address 81.141.xx.xx8 255.255.255.248 (Use the router IP address that was supplied to you by BT)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 hold-queue 100 out
 !
 interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
 !
 interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
   encapsulation aal5mux ppp dialer
   dialer pool-member 1
 !
 !
 interface FastEthernet1
 no ip address
 duplex auto
 speed auto
 !
 interface FastEthernet2
 no ip address
 duplex auto
 speed auto
 !
 interface FastEthernet3
 no ip address
 duplex auto
 speed auto
 !
 interface FastEthernet4
 no ip address
 duplex auto
 speed auto
 !
 interface Dialer0
 description OUTSIDE_INTERFACE (you can give the description of your choice or leave as is)
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname myusername@hg70.btclick.com    (enter the username provided to you by BT)
 ppp chap password mypassword  (enter the password provided to you by BT)
 ppp pap sent-username myusername@hg70.btclick.com password mypassword  (enter the username and password provided to you by BT)
 !
 ip classless
 ip route 0.0.0.0 0.0.0.0 Dialer0
 ip http server
 ip http access-class 1
 no ip http secure-server
 !
 access-list 1 remark HTTP Access-class list
 access-list 1 remark SDM_ACL Category=1
 access-list 1 permit 81.141.xx.xx2 0.0.0.7  (Use the network IP address that was supplied to you by BT)
 access-list 1 deny   any
 access-list 100 remark VTY Access-class list
 access-list 100 remark SDM_ACL Category=1
 access-list 100 permit ip 81.141.xx.xx2 0.0.0.7 any   (Use the network IP address that was supplied to you by BT)
 access-list 100 deny   ip any any
 dialer-list 1 protocol ip permit
 no cdp run

 !
 line con 0
 login local
 no modem enable
 transport output telnet
 line aux 0
 login local
 transport output telnet
 line vty 0 4
 access-class 100 in
 login local
 transport input telnet ssh
 !
 scheduler max-task-time 5000
 scheduler interval 500
 !
 end

Once you have edited the above config to suit your own setup and removed all the comments you are ready to copy and paste it into your router.

At the Router# prompt enter the command conf t

This will drop you into configuration mode and the router prompt will show Router(config)#

Copy and paste your config from the text file you created into the router (note: use right click of the mouse to drop the contents of the clipboard into putty)

Once the config is copied it should drop you out of config mode, but in case it doesn't, use either CTRL-Z or type exit to drop out of config mode and back into exec mode.

At this point make sure you save the running config to start up. There are two ways to do this: either type wr mem or copy run start

Once the config has built and saved type reload to reboot the router, confirm the reload. Let it reboot and this time you will be prompted to enter a username and password. Enter the credentials you used in your config. Assuming you entered them correctly this will allow access to the router. Type en to enable exec mode and again enter the password you used in your config.

Finally we need to bring up the ports we configured. Make sure you are in exec mode (Router#), type conf t to enter configuration mode and type the following commands into the router.

int dialer0
no shut

int atm0
no shut

int eth0
no shut

exit

Finish up by saving the config again using the wr mem command.

Now if you have got this far without any issues we can test the router and connection. Plug your ADSL cable from the wall socket straight into your router port labelled ADSL. Also add yourself a network cable into port 0 and connect this to your laptop/pc/server NIC.

Configure your NIC TCP/IPv4 settings with the following IP address details. Use one of your static IP’s available to you for testing.

IP address: 81.141.xx.xx3
Subnet: 255.255.255.248
Gateway: 81.141.xx.xx8  (This is the IP for the router)

For the DNS enter Google’s standard DNS of 8.8.8.8

If all is right you should be able to ping external sites and browse the internet. It doesn’t matter which of your available static addresses you use for testing, as they all should be routed through.

It really isn't as complicated as it first appears, and to the more technically astute I am sure there are a ton of improvements that can be made to this config, but it's simple, works and is secure.

Next up is the firewall. Ahem!
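Before pasting the edited text file into the router it is worth checking its management settings: the config above accepts Telnet on the VTY lines, enables the plain HTTP server, stores the admin user with password rather than secret, and turns off the log buffer. The PowerShell check below is an added example, not the author's code; the function name, the finding text and the minimum-length threshold are assumptions, and the sample lines are copied from the config above.

```powershell
# Added example, not the author's code. Test-IosMgmtConfig, the finding text and
# $MinLength are assumptions of this example.
function Test-IosMgmtConfig {
    param (
        [Parameter(Mandatory = $true)][AllowEmptyString()][string[]]$ConfigLine,
        [int]$MinLength = 10    # assumed local password policy, not a Cisco default
    )
    $report = {
        param ($n, $text, $issue, $fix)
        # Never echo credentials back into the report
        $safe = $text -replace '\b(password|secret)\s+.*$', '$1 <redacted>'
        [pscustomobject]@{ Line = $n; Config = $safe; Issue = $issue; Suggest = $fix }
    }
    $section = ''; $lineNo = 0; $noBufferAt = 0; $hasLogHost = $false

    foreach ($raw in $ConfigLine) {
        $lineNo++
        # Strip the post's trailing "(...)" annotations before matching
        $line = ($raw -replace '\s+\(.*\)\s*$', '').Trim()
        switch -Regex ($line) {
            '^!$'                 { $section = '' }
            '^(line|interface)\s' { $section = $line }
            '^username\s+(\S+)\s+password\s' {
                & $report $lineNo $line 'Local user stored with reversible type 7 encoding' "username $($Matches[1]) secret <password>"
            }
            '^ip http server$' {
                & $report $lineNo $line 'Router management over plain HTTP is enabled' 'no ip http server'
            }
            '^transport input\s+(.+)$' {
                if ($section -match '^line vty' -and $line -match '\b(telnet|all)\b') {
                    & $report $lineNo $line 'VTY lines accept Telnet, which sends the login in clear text' 'transport input ssh (needs an RSA key: crypto key generate rsa)'
                }
            }
            '^security passwords min-length\s+(\d+)$' {
                if ([int]$Matches[1] -lt $MinLength) {
                    & $report $lineNo $line "Minimum password length is below $MinLength" "security passwords min-length $MinLength"
                }
            }
            '^no logging buffered$'          { $noBufferAt = $lineNo }
            '^logging\s+(host\s+)?\d{1,3}\.' { $hasLogHost = $true }
        }
    }
    # Login-failure logging is switched on in the config, but the messages need somewhere to go
    if ($noBufferAt -and -not $hasLogHost) {
        & $report $noBufferAt 'no logging buffered' 'No log buffer and no syslog host, so log messages are shown on the console only and not retained' 'logging buffered <size> and/or logging <syslog-server-ip>'
    }
}

# Sample input: management-related lines copied from the config above
$sample = @'
 service password-encryption
 security authentication failure rate 3 log
 security passwords min-length 6
 no logging buffered
 enable secret PASSWORD123 (replace PASSWORD123 with one of your choice)
 username admin password PASSWORD1234 (this sets the user name as admin, replace PASSWORD1234 with one of your choice)
 ip http server
 ip http access-class 1
 no ip http secure-server
 !
 line con 0
 login local
 transport output telnet
 line vty 0 4
 access-class 100 in
 login local
 transport input telnet ssh
 !
'@ -split "`r?`n"

Test-IosMgmtConfig -ConfigLine $sample | Format-Table -AutoSize -Wrap
```

To check your own edited file, pass it in with Get-Content, for example Test-IosMgmtConfig -ConfigLine (Get-Content C:\router-config.txt), where the file name is a placeholder.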

 

 

A quick script for checking users' last logon for a specific OU on all DCs and exporting to CSV

Following on from my earlier script for finding users last logon from a specified OU in a multi DC environment, I needed a quick way for Tier 1 support staff to do this simply from PS, without the need for installing Quest tools. This quick and dirty script goes and checks all DC’s and dumps it all into a nice CSV of your choosing.

Just copy and paste this into a PS ISE running as an administrator, all on one line and run.

Get-ADUser -Filter * -SearchBase "ou=ouA,ou=ouB,ou=ouC,dc=A,dc=B" -ResultPageSize 0 -Prop CN,lastLogonTimestamp | Select CN,@{n="lastLogonDate";e={[datetime]::FromFileTime($_.lastLogonTimestamp)}} | Export-CSV -NoType c:\lastlogon.csv

Obviously you will need to modify the OU structure and naming of the OU’s and DC’s to suit your own AD structure.

Export to CSV AD users last log on time using PowerShell

After being asked by a client to export details to Excel for their organisations users, I promptly turned to PowerShell for the task.

Certain caveats were included with this request such as Display name and Last Logon, all nothing out of the ordinary. However, I hit a wall when it came down to only extracting data for specific OUs. After a little trial and error modifying other scripts I had used I turned to Google for help, and after a wasted afternoon trying other people's scripts and butchering them I gave up.

New day same challenge. The only thing to do was to write it from scratch.

First off you will need the Management Snapin for AD from Quest http://www.quest.com/QuestWebPowershellCmdletDwnld64bit

For those of you not familiar with Quest tools, don’t worry it is just a set of powerful tools that integrates into PowerShell nicely.

The second thing to bear in mind is that I am running this on a Windows 7 machine but I have also tested this on 2012.

OK, so you've installed the Quest tools, now open up PowerShell ISE by right clicking the PowerShell icon on the taskbar and Run ISE as Administrator. This opens up the ISE which will allow you to write and modify your script in the scripting pane before running it using the Play button found on the toolbar. You could if you wish type this direct into the PowerShell window but I think it's nice to be able to see what you're coding and tidy it before you run it and tie up resources on the DCs.

Before you start coding the script you need to first register the PowerShell Snapin and add the Quest Snapin. You can do this direct into the PS Pane

Get-PSSnapin -Registered
Add-PSSnapin Quest.ActiveRoles.ADManagement

Now if you run the script as is you will hit a limit of objects returned, which by default is 1000, so if your environment is likely to hold more users than that, add the below to remove the limit.

Set-QADPSSnapinSettings -DefaultSizeLimit 0

Now to write the script itself. In the scripting pane you can write the bones of your PowerShell Script

# If the users you require data on are in the OU "IT" which is nested in "Departments" and your domain is named "scripts.com", your search root would look like this: -SearchRoot "OU=IT,OU=Departments,DC=Scripts,DC=com"
$Userlist = Get-QADUser -SearchRoot "OU=nameofou,OU=nameofou2,DC=domain,DC=name"

$Report = @()
Foreach ($User in $Userlist) {
    # Here you can define the attributes you wish to collect data from. The ones I was particularly interested in were SAMAccountName and LastLogon, but you can add whatever attribute you like, provided it's supported of course! If you are unsure which attributes to select from, have a look at the attributes of a user object using ADSI Edit.
    $Userdata = Get-QADUser -Identity $User |
        Select FirstName, LastName, DisplayName, SAMAccountName, LastLogon, Office
    $Report += $Userdata
}

# Self explanatory: path and file name of your choosing.
$Report | Export-Csv -Path c:\logontimes.csv -NoTypeInformation

Hit the Play Button on the Command Toolbar to execute your script. Don’t worry if it takes a little time to complete, the first time I ran it with a user base of 3500+ users it took a good 10 minutes to complete.

Once complete it will create a nice little CSV with the extracted data you requested. Any user accounts that haven't logged on will be blank. I know some of you won't trust this blank box, especially when it comes to using the data to delete or disable accounts, but you can check the account to be sure. Don't trust the AD Users and Computers management console, as when you open up a user's properties and look at the object created and modified dates these are often incorrect. Instead use a simple PowerShell script on a DC, no Quest tools required.

Import-Module ActiveDirectory

function Get-ADUserLastLogon([string]$userName)
{
  $dcs = Get-ADDomainController -Filter {Name -like "*"}
  $time = 0
  # lastLogon is held separately on each DC, so ask every DC and keep the latest value
  foreach($dc in $dcs)
  {
    $hostname = $dc.HostName
    $user = Get-ADUser $userName | Get-ADObject -Server $hostname -Properties lastLogon
    if($user.LastLogon -gt $time)
    {
      $time = $user.LastLogon
    }
  }
  # Leave the timestamp blank when no DC has recorded a logon
  $dt = $null
  if($time -ne 0)
  {
    $dt = [DateTime]::FromFileTime($time)
  }
  Write-Host $userName "last logged on at:" $dt
}

Get-ADUserLastLogon -UserName myuser   # myuser being the account name of the user you want to check

If the user has never logged on this should return a blank timestamp.

 

That's it, hopefully this will help someone out, but this isn't the only way to extract data from AD and I welcome any suggestions on improving it.
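lastLogon is stored separately on every domain controller and is not replicated, while lastLogonTimestamp (used in the one-liner earlier) is replicated but by default can lag the real logon by up to about two weeks. The function below extends the single-user check above to a whole OU by taking the highest lastLogon across all DCs and listing both values side by side; it is an added example, not the author's script, and the function name, parameter names, 90-day threshold and output path are assumptions.

```powershell
# Added example, not the author's script. Get-OULastLogon, $StaleDays and the
# output column names are this example's own.
Import-Module ActiveDirectory

function Get-OULastLogon {
    param (
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [int]$StaleDays = 90    # assumed review threshold
    )
    $latest = @{}   # DistinguishedName -> highest lastLogon (FILETIME) seen on any DC
    $users  = @{}   # DistinguishedName -> user object (for name, Enabled, lastLogonTimestamp)
    $failed = @()   # DCs that could not be queried

    foreach ($dc in Get-ADDomainController -Filter *) {
        # One query per DC for the whole OU, rather than one query per user per DC
        $query = @{
            Filter      = '*'
            SearchBase  = $SearchBase
            Server      = $dc.HostName
            Properties  = 'lastLogon', 'lastLogonTimestamp'
            ErrorAction = 'Stop'
        }
        try {
            $found = Get-ADUser @query
        }
        catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            $failed += $dc.HostName
            continue
        }
        foreach ($u in $found) {
            $dn = $u.DistinguishedName
            $users[$dn] = $u
            if (-not $latest.ContainsKey($dn) -or $u.lastLogon -gt $latest[$dn]) {
                $latest[$dn] = [long]$u.lastLogon   # an unset value becomes 0
            }
        }
    }

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($dn in $latest.Keys) {
        $u    = $users[$dn]
        $last = if ($latest[$dn] -gt 0) { [DateTime]::FromFileTime($latest[$dn]) } else { $null }
        $repl = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            Enabled            = $u.Enabled
            LastLogonAllDCs    = $last      # blank = no DC that answered has recorded a logon
            LastLogonTimestamp = $repl      # replicated value, for comparison
            ReviewCandidate    = (-not $last) -or ($last -lt $cutoff)
            DCsNotQueried      = $failed -join ';'
        }
    }
}

Get-OULastLogon -SearchBase 'ou=ouA,ou=ouB,ou=ouC,dc=A,dc=B' |
    Sort-Object LastLogonAllDCs |
    Export-Csv -NoTypeInformation C:\lastlogon-alldcs.csv
```

If DCsNotQueried is not empty, a later logon may exist on a DC that did not answer, so re-run the check before disabling or deleting anything on the strength of it.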

Communicator cannot synchronize with the corporate address book.

OK I know this is an old subject for an old tech but I was recently on a client's site who had this issue and it gave me a few days of head scratching to get this resolved.

My client was running Exchange 2010 on premise with OCS 2007R2 with end users running Outlook ’10 and the MOCS ’07 client on a mixture of XP and 7.

Symptoms included the old red exclamation mark which when clicked gave the “Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator” and Outlook Find a Contact feature being empty or not displaying contacts.


I checked the usual suspects: non-existent proxy server, browsing the URL of the OCS from the client IE. Spent a lot of time reading TechNet articles and other people's blogs but to no avail.

What was interesting is that some clients were experiencing the issue and others weren’t. It made no difference what the OS was, it was just frustratingly random and difficult to replicate consistently, some clients worked others just plainly refused to play ball.

The final piece of the puzzle was when someone happened to mention that they had had a new PKI environment built and that’s when the alarm bells jumped up and slapped me across the face.

Now in my defence I had no prior knowledge of the customer's infrastructure and I had originally checked the certificates on the OCS server to make sure they hadn't expired; they did seem to be valid. The client didn't mention that they were in the process of removing the current CA and implementing PKI, otherwise we may have got to the resolution a little quicker.

The issue was caused by CRL (certificate revocation list). Easily identified by checking the OCS server certificate and making sure the CRL path is still valid.


The other way to quickly determine if it is CRL and indeed for a quick fix if you can’t request a new certificate is to edit the registry (disclaimer – Back up your registry first, I cannot be responsible for any corruption that may occur by incorrectly editing your registry)

Edit or create the following key in your registry.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\

CertificateRevocation

Value = 0

This key just forces the client to ignore the CRL of the certificate, it will NOT force it to ignore expired certificates and I suggest once you have resolved the certificate issue on the server that this reg hack is removed or returned to its former state.

I hope this saves someone some time!
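To confirm the CRL path is the problem before touching the registry, the script below reads the CRL Distribution Points from an exported copy of the server certificate, tests each HTTP URL, and reports how the CertificateRevocation value above is currently set for the logged-on user. It is an added example, not part of the original post; the function names are this example's own and the certificate file path is a placeholder.

```powershell
# Added example, not part of the original post. Function names are this example's own.

function Get-CrlDistributionPoint {
    param ([Parameter(Mandatory = $true)]
           [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.31 is the CRL Distribution Points extension
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }   # certificate publishes no CRL location
    # The formatted extension lists each location on its own "URL=..." line
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match 'URL=(.+)$') { $Matches[1].Trim() }
    }
}

function Test-CrlEndpoint {
    param ([Parameter(Mandatory = $true)][string]$Url)
    $result = [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = '' }
    if ($Url -notmatch '^https?://') {
        # ldap:// and file:// locations are not fetched here
        $result.Detail = 'not HTTP(S); check with certutil -verify -urlfetch <certfile>'
        return $result
    }
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        $result.Reachable = ($r.StatusCode -eq 200)
        $result.Detail    = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
    }
    catch {
        # DNS failure, timeout, 404 from a decommissioned CA and so on
        $result.Detail = $_.Exception.Message
    }
    $result
}

function Get-RevocationCheckSetting {
    # The per-user value the post edits
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $v = (Get-ItemProperty -Path $key -Name CertificateRevocation -ErrorAction SilentlyContinue).CertificateRevocation
    if ($null -eq $v)  { 'not set' }
    elseif ($v -eq 0)  { 'revocation checking DISABLED (0)' }
    else               { "revocation checking enabled ($v)" }
}

# Placeholder path: a .cer export of the OCS server certificate
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\ocs-server.cer'

Get-CrlDistributionPoint $cert |
    ForEach-Object { Test-CrlEndpoint $_ } |
    Format-Table -AutoSize -Wrap

"CertificateRevocation for $env:USERNAME : $(Get-RevocationCheckSetting)"
```

Run on a sample of clients after the certificate has been reissued, the last line also shows which users still have the workaround in place and need it reverted.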