Renew SSL certificate for Domain Controller LDAPS

If you created the LDAP over SSL certificate on a Domain Controller through an internal Microsoft stand-alone CA, as shown in the LDAP over SSL for Domain Controller article, you may run into a problem when renewing that certificate through the MMC/GUI.

When you try Renew This Certificate With The Same Key from the certificates MMC snap-in, you get the following error:

Enrollment Error
The request contains no certificate template information.

The MMC renewal wizard relies on the certificate template extension, which only an enterprise CA puts into the certificate; a stand-alone CA issues certificates without it, so the renewal has to be requested with certreq instead. The steps below reuse the existing key pair. If the private key may have been exposed, do not renew with the same key: create a fresh request without the UseExistingKeySet and RenewalCert lines so that a new key pair is generated.

1. On the Domain Controller whose certificate needs renewing, find the thumbprint of the current LDAPS certificate:

a.) Open the Microsoft Management Console (MMC) snap-in for certificates.
b.) In the left pane of the Console Root window, click Certificates (Local Computer).
c.) Expand the Personal folder.
d.) Expand the Certificates folder.
e.) Double-click the target certificate.
f.) In the Certificate dialog box, click the Details tab.
g.) Scroll through the list of fields until you find Thumbprint.
h.) Copy the hexadecimal characters from the box, for example "a1 29 53 2e 12 3f 3d 35 53 2c f2 53 26 c2 4d 27 33 b2 6b 3c".

2. Create cert-renew.inf as shown below and paste the thumbprint gathered in the previous step as the RenewalCert value. Keep the value in quotes, because the thumbprint as copied contains spaces.

;----------------- cert-renew.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; replace the Subject with the FQDN of the DC
Subject = "CN=servername.domain.local"
UseExistingKeySet = TRUE
MachineKeySet = TRUE
RenewalCert = "a1 29 53 2e 12 3f 3d 35 53 2c f2 53 26 c2 4d 27 33 b2 6b 3c"


3. From a command prompt on the Domain Controller, create the certificate request:

certreq -new cert-renew.inf cert-renew.req

4. Submit the certificate request to the internal stand-alone CA:

certreq -submit cert-renew.req

If the request is submitted successfully, certreq prints a RequestID. Note it down; it is needed to retrieve the certificate.

5. On the CA, approve (issue) the pending request: in the Certification Authority console open Pending Requests, right-click the request and choose Issue, or run certutil -resubmit RequestID on the CA.

6. Back on the Domain Controller that made the request, retrieve the certificate:

certreq -retrieve RequestID cert-renew.cer

7. Accept the certificate into the machine store, which pairs it with the existing private key:

certreq -accept cert-renew.cer

After accepting, confirm that LDAPS on port 636 is serving the renewed certificate, then remove the expired one from the Personal store so that Schannel cannot pick the wrong certificate while both are present.
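The following PowerShell is an added example, not part of the original article. It automates steps 1 to 3 (find the current LDAPS certificate, write cert-renew.inf from its thumbprint, create the request) and adds the check you want after step 7: it connects to port 636 and reports which certificate the DC actually serves. It assumes it runs elevated on the DC itself, that the certificate sits in LocalMachine\My with a private key and the Server Authentication EKU, and that the subject is CN=<DC FQDN>; the function names are this example's own.

```powershell
# Added example (not from the original article). Assumes: run on the DC, certificate in
# LocalMachine\My with a private key, Server Authentication EKU, subject CN=<FQDN>.

function Find-LdapsCertificate {
    param([string] $Fqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $cert = $_
            $ekus = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
            $cert.HasPrivateKey -and $cert.Subject -eq "CN=$Fqdn" -and (@($ekus) -contains $serverAuthOid)
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function New-LdapsRenewalRequest {
    param([string] $Fqdn, [string] $Thumbprint, [string] $Path = '.\cert-renew.inf')
    # certreq accepts the thumbprint with or without spaces as long as it is quoted
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
UseExistingKeySet = TRUE
MachineKeySet = TRUE
RenewalCert = "$Thumbprint"
"@
    Set-Content -Path $Path -Value $inf -Encoding Ascii
    certreq -new $Path ($Path -replace '\.inf$', '.req')
}

function Test-LdapsCertificate {
    param([string] $Fqdn, [string] $ExpectedThumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, 636)
    try {
        # The callback returns $true only so the served certificate can be inspected;
        # never reuse this in a real LDAP client.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($Fqdn)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Thumbprint = $served.Thumbprint
            NotAfter   = $served.NotAfter
            Matches    = ($served.Thumbprint -eq ($ExpectedThumbprint -replace ' ', ''))
        }
    } finally {
        $tcp.Close()
    }
}

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$old  = Find-LdapsCertificate -Fqdn $fqdn
if (-not $old) { throw "No LDAPS certificate found for CN=$fqdn" }
"Renewing $($old.Thumbprint) (expires $($old.NotAfter))"
New-LdapsRenewalRequest -Fqdn $fqdn -Thumbprint $old.Thumbprint

# Submit, approve and accept with certreq as in steps 4 to 7, then verify what port 636 serves:
# $new = Find-LdapsCertificate -Fqdn $fqdn        # newest by NotAfter after certreq -accept
# Test-LdapsCertificate -Fqdn $fqdn -ExpectedThumbprint $new.Thumbprint
```

If port 636 still presents the old certificate after certreq -accept, the DC has not reloaded its Schannel credentials yet: restart it, or ask it to reload by writing the rootDSE attribute renewServerCertificate (for example with ldifde). Once Matches is True for the new thumbprint, delete the old certificate from the Personal store.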




Migrate Public Folder to Exchange 2010

One of the challenges when migrating Microsoft Exchange 2003/2007 to Exchange 2010 is Public Folders. It can be very complicated and time-consuming if the Public Folder store is huge or has a lot of folders. Public Folders are still required for Outlook 2003 clients to keep working against an Exchange 2010 server.
Microsoft Exchange 2010 ships the following PowerShell scripts for Public Folder migration in the V14\Scripts folder under the Exchange Server installation directory (reachable as $exscripts in the Exchange Management Shell):

PowerShell script                   Task description
AddReplicaToPFRecursive.ps1         Add a server to the replication list of a folder and all its subfolders
AggregatePFData.ps1                 Aggregate data across all public folder replicas
RemoveReplicaFromPFRecursive.ps1    Remove a server from the replication list of a folder and all its subfolders
MoveAllReplicas.ps1                 Replace one server with another in the replication list of every public folder
ReplaceReplicaOnPFRecursive.ps1     Replace one server with another in the replication list of a folder and all its subfolders


Add the new Exchange 2010 server to the Public Folder replication list

Launch the Exchange Management Shell and change to the Exchange scripts folder:

cd $exscripts


Say your current environment has either or both of EX2003 and EX2007, and the new Exchange 2010 server is EX2010. Run the commands below on EX2010.

To replicate all the non-system public folders from the top of the tree to EX2010:

.\AddReplicaToPFRecursive.ps1 -TopPublicFolder \ -ServerToAdd EX2010


To replicate all the system folders to EX2010:

.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_SUBTREE" -ServerToAdd EX2010


* Replication can take days or even weeks, depending on the size of the Public Folder store.

Common mistakes and misconceptions:

  1. ServerToAdd must be the new Exchange 2010 server that is to hold a replica of the Public Folders.
  2. Do not worry about which old server currently holds which folder. AddReplicaToPFRecursive.ps1 walks the hierarchy itself and adds the new server to every folder's replica list.
  3. Never point ServerToAdd at an existing old server (Exchange 2003 or 2007): it would add a replica of every folder to that old server, and because these old servers are usually almost out of disk space, it may fill the disk and bring the server down.


To verify the Public Folder was replicated to new server:

Get-PublicFolder -Recurse | fl Name, Replicas


To verify the System Folders was replicated to new server:

Get-PublicFolder -recurse \non_ipm_subtree |fl name, replicas


Remove Public Folder from old server

To remove Public Folder replica from old server:

.\RemoveReplicaFromPFRecursive.ps1 -TopPublicFolder \ -ServerToRemove EX2003


To move all Public Folder replicas (including system folders) from the old server (EX2003) to the new server (EX2010):

.\MoveAllReplicas.ps1 -Server EX2003 -NewServer EX2010


PowerShell cmd-let to verify Public Folder replica and replication:

Get-PublicFolder -Recurse | fl Name, Replicas

Get-PublicFolder -recurse \non_ipm_subtree |fl name, replicas

Get-PublicFolderStatistics -Server EX2010

Get-PublicFolderStatistics -Server EX2003


Additional clean-up task

Some of the system folders may not have the new Exchange 2010 server in their replication list. Check the Schedule+ Free Busy folder with:

Get-PublicFolder "\NON_IPM_SUBTREE\Schedule+ Free Busy" -Recurse | fl Name, Replicas

If the new Exchange 2010 server does not hold a replica of the Schedule+ Free Busy folder, you may get event ID 14029 with the error message "Couldn't find an Exchange 2010 or later public folder server with a replica of the free/busy folder...".

Run the following command to resolve the event ID 14029 issue:

.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_SUBTREE\Schedule+ Free Busy" -ServerToAdd EX2010


Perform the same checking and rectification for other System folder (e.g. EForms Registry and Offline Address Book)

.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_SUBTREE\EFORMS REGISTRY" -ServerToAdd EX2010

.\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\NON_IPM_SUBTREE\OFFLINE ADDRESS BOOK" -ServerToAdd EX2010


Move Offline Address Book (OAB) generation to the new Exchange 2010 server (one that holds the Mailbox role):

Move-OfflineAddressBook "Default Offline Address List" -Server EX2010
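The script below is an added example, not part of the original post or of Exchange's own scripts. Instead of checking the free/busy, EFORMS REGISTRY and OFFLINE ADDRESS BOOK folders one at a time, it walks both the IPM tree (\) and \NON_IPM_SUBTREE and lists every folder whose replica list does not yet contain the new Exchange 2010 public folder database, which is the check to run before removing old replicas or decommissioning EX2003/EX2007. It assumes it runs in the Exchange 2010 Management Shell, that the new server hosts exactly one public folder database, and that replicas can be matched by database name; the function name is the example's own.

```powershell
# Added example (not from the original post). Assumes: Exchange 2010 Management Shell,
# one public folder database on $NewServer, replicas matched by database name.
function Get-FoldersMissingReplica {
    param([Parameter(Mandatory = $true)] [string] $NewServer)

    $db = Get-PublicFolderDatabase -Server $NewServer
    if (-not $db) { throw "No public folder database found on $NewServer" }
    $dbName = $db.Name

    # Both the user tree and the system tree; system folders are the ones usually missed
    foreach ($root in '\', '\NON_IPM_SUBTREE') {
        Get-PublicFolder $root -Recurse -ResultSize Unlimited |
            Where-Object {
                $names = @($_.Replicas | ForEach-Object { $_.Name })
                $names -notcontains $dbName
            } |
            Select-Object @{ n = 'Folder';   e = { $_.Identity.ToString() } },
                          @{ n = 'Replicas'; e = { @($_.Replicas | ForEach-Object { $_.Name }) -join ', ' } }
    }
}

$missing = @(Get-FoldersMissingReplica -NewServer EX2010)
"$($missing.Count) folder(s) without a replica on EX2010"
$missing | Format-Table -AutoSize

# Fix-up (uncomment to apply; run from $exscripts). Each call also covers the
# folder's subfolders, which is harmless for folders that already have the replica.
# $missing | ForEach-Object { .\AddReplicaToPFRecursive.ps1 -TopPublicFolder $_.Folder -ServerToAdd EX2010 }
```

Run it again after replication has caught up: a folder listed here that still shows an empty Replicas column is one that only existed on the old server, and removing that server's replica would lose it.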



How to update to IOS 5

iOS 5 update / upgrade

Apple iOS 5 has been released and I can wait no more for the latest excitement from iOS 5. A remarkable iOS revolution by Steve Jobs.

1. Make sure your iOS device is compatible with iOS 5. The compatible devices are:
– iPhone 3GS
– iPhone 4
– iPhone 4S
– iPod touch 3rd generation
– iPod touch 4th generation
– iPad
– iPad 2

2. You must be running Apple iTunes 10.5 or later. You can run the update for iTunes itself or download the latest iTunes from
3. The whole iOS 5 update/upgrade process took up to 4 hours for a 16GB iPhone 3GS with around 14GB of data (excluding the time to download iOS 5). Forward/divert your calls to another phone number during the update.
4. Make sure your iOS device is not 100% full. At least 1GB of free space is recommended.
5. In brief, the iOS 5 update process will:
a.) back up your iOS device
b.) install iOS 5 with factory settings
c.) restore your device settings
d.) restore your apps, videos and music (this takes the longest, because it downloads all the apps back onto the device)
e.) configure iOS 5 on your device (you can start this while the apps are still being restored in step 5d above)
f.) After iOS 5 is installed, update your apps to the latest versions, because the latest versions are optimized/fine-tuned for iOS 5.


** This might be the only and last time you need iTunes, because the iCloud service allows you to synchronize all your iOS devices over the air **


ChangePassword for Linux compilation error

ChangePassword is a web CGI that allows users to change their password through HTTP/the web instead of having to telnet/SSH into the system. The installation source file can be found from

Because the form carries the user's current and new password, publish the CGI only over HTTPS and restrict who can reach the cgi-bin directory.

Basically the configuration and compilation are as simple as this:

1. Run ./configure


./configure --enable-cgidir=/var/www/cgi-bin --enable-smbpasswd=/usr/local/samba/private/smbpasswd --disable-squidpasswd

2) Run "make"
3) Run "make install"
4) Copy the logo file (if set with the --enable-logo option) to the website root htdocs folder


Problem: error during compilation

You might encounter an error during the "make" step on certain Linux distributions/versions. Here is the error:

suse10:~/changepassword-0.9 # make
gcc -c -o smbencrypt/SMBPasswdGen.o  smbencrypt/SMBPasswdGen.c
gcc -c -o smbencrypt/encrypt.o       smbencrypt/encrypt.c
gcc -c -o smbencrypt/md4.o           smbencrypt/md4.c
gcc -c -o smbencrypt/smbencrypt.o    smbencrypt/smbencrypt.c
gcc changepassword.c -o changepassword.cgi smbencrypt/SMBPasswdGen.o smbencrypt/md4.o smbencrypt/smbencrypt.o smbencrypt/encrypt.o -lcrypt -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" -DHAVE_LIBCRYPT=1 -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_STDIO_H=1 -DHAVE_STRING_H=1 -DHAVE_STDLIB_H=1 -DHAVE_PWD_H=1 -DHAVE_ERRNO_H=1 -DHAVE_SIGNAL_H=1 -DHAVE_SHADOW_H=1 -DHAVE_TIME_H=1  -DEnglish -DSMBPASSWD=\"no\" -DSQUIDPASSWD=\"no\" -DLOGO=\"giant_logo.jpg\" -L./smbencrypt -ldes
/usr/lib64/gcc/x86_64-suse-linux/4.1.2/../../../../x86_64-suse-linux/bin/ld: skipping incompatible ./smbencrypt/libdes.a when searching for -ldes
/usr/lib64/gcc/x86_64-suse-linux/4.1.2/../../../../x86_64-suse-linux/bin/ld: cannot find -ldes
collect2: ld returned 1 exit status
make: *** [changepassword.cgi] Error 1

Solution: recompile libdes.a

ld reports the bundled smbencrypt/libdes.a as "incompatible": the prebuilt archive was compiled for a different architecture than this x86_64 host (typically a 32-bit build), so the linker skips it and -ldes cannot be satisfied. The fix is to rebuild libdes from the source tarball shipped next to it:

suse10:~/changepassword-0.9 # cd smbencrypt/
suse10:~/changepassword-0.9/smbencrypt # tar -xzvf libdes-4.04b.tar.gz
suse10:~/changepassword-0.9/smbencrypt # cd des/
suse10:~/changepassword-0.9/smbencrypt/des # make
suse10:~/changepassword-0.9/smbencrypt/des # cp libdes.a ..
suse10:~/changepassword-0.9/smbencrypt/des # cd ../..

Then run "make" and "make install" again from the root of the changepassword source tree:

suse10:~/changepassword-0.9 # make
suse10:~/changepassword-0.9 # make install

The compilation should now go through.
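To confirm the diagnosis before rebuilding (and to confirm the rebuilt archive afterwards), the shell function below is an added example, not part of changepassword or the original post. It reports whether the first ELF object inside a static archive such as smbencrypt/libdes.a is 32-bit or 64-bit, using only dd, od and wc, so it also works where file(1) is not installed. It assumes a standard ar(1) archive layout: "!<arch>\n", then for each member a 60-byte header (name 16, mtime 12, uid 6, gid 6, mode 8, size 10, end marker "`\n") followed by the member data padded to an even length.

```shell
# Added example (not from the original post): ELF class of a static archive's first
# ELF member. Assumes standard ar(1) layout as described in the lead-in.
elf_class_of_archive() {
    archive=$1
    total=$(wc -c < "$archive" | tr -d ' ')
    if [ "$(dd if="$archive" bs=1 count=7 2>/dev/null)" != '!<arch>' ]; then
        echo "$archive: not an ar archive" >&2
        return 2
    fi
    off=8
    while [ "$off" -lt "$total" ]; do
        # the decimal member size lives at header offset 48, width 10
        msize=$(dd if="$archive" bs=1 skip=$((off + 48)) count=10 2>/dev/null | tr -d ' ')
        data=$((off + 60))
        # e_ident[0..4] of an ELF object: 7f 'E' 'L' 'F' EI_CLASS (1 = 32-bit, 2 = 64-bit)
        ident=$(dd if="$archive" bs=1 skip="$data" count=5 2>/dev/null | od -An -tx1 | tr -d ' \n')
        case $ident in
            7f454c4601) echo ELF32; return 0 ;;
            7f454c4602) echo ELF64; return 0 ;;
        esac
        # not an ELF member (the "/" symbol table or "//" long-name table): skip it
        off=$((data + msize + msize % 2))
    done
    echo "$archive: no ELF object found" >&2
    return 1
}

# Usage: elf_class_of_archive smbencrypt/libdes.a
```

On the x86_64 host from the log above, the shipped smbencrypt/libdes.a is expected to print ELF32 and the rebuilt one ELF64; ld's "skipping incompatible" message is exactly that mismatch.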



Recover Lotus Notes Archive to standard mail file

A Lotus Notes archive mail file looks just like a standard mail file because both use the same mail template. In some cases you may need to use the archive mail file to replace the existing mail file on the server. You will notice, however, that the archive has some limitations/restrictions, such as:

1. The database/mailbox cannot be renamed; the name "Archive" stays on the mail file.

(screenshot: cannot rename mailbox)

2. No Archive action in the menu.

(screenshot: no Archive action)


This is due to the values configured in the Archive Database Profile, which mark the database as an archive file. You have to delete or modify the Archive Database Profile to revert/recover the Lotus Notes archive into a standard mail file.

Solution to Revert/Recover the Lotus Notes archive into standard mail file:

1. After opening the archive mail file, select Create - Agent from the menu

(screenshot: Create agent)

2. Give the agent a name

(screenshot: agent name)

3. Under the Initialize subroutine, enter the following code:

Sub Initialize()
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim doc As NotesDocument
	Set db = session.CurrentDatabase
	' The profile document whose values mark this database as an archive
	Set doc = db.GetProfileDocument("archive database profile")
	' Remove returns True when the profile document was deleted
	If doc.Remove(True) Then
		MsgBox "Archive Database Profile document was successfully removed. Please restart the Lotus Notes client"
	Else
		MsgBox "Profile Document WAS NOT Removed", 48
	End If
End Sub

(screenshot: remove archive database profile)


4. After saving the agent, you should see "revert archive to standard mail" (or whatever name you gave the agent) in the Actions menu

(screenshot: revert archive to standard mail action)

5. When you run the action/agent, a message reports the result; you then have to restart the Lotus Notes client to see the effect.

6. After restarting the Lotus Notes client, you should be able to use the mail file as normal.

If you still do not see the "Archive" action, refresh/replace the mail template.


Lotus Traveler not sync after mail file restored

You may find that Lotus Traveler on an iPhone/iPad is unable to synchronize with the IBM Lotus Domino server after a user's mail file has been restored. Restarting the device, or removing and reinstalling the mail profile on the iPhone/iPad, does not help much.

Solution to get Lotus Traveler synchronizing with the Lotus Domino server after a mail file restore:

1. Remove the mail profile from the iPhone/iPad

2. Find the device ID associated with the user by running the command below in the Domino console:

tell traveler show <user name>

3. The output of the previous step lists the "Device ID" associated with the user.

4. Delete the device from Lotus Traveler with the command below in the Domino console:

tell traveler delete <device id> <user name>

Note: If the user has several devices associated, repeat the deletion for every device.

5. Reinstall the mail profile on the iPhone/iPad

6. Mail will start coming in.


Lotus Traveler not working for iPhone / iPad

Lotus Traveler works for Nokia Symbian but not for iPhone and iPad. You are able to log in to the Lotus Traveler website (example: ) and generate the Apple profile, but you get a "Cannot Get Mail" error (shown below) after installing the Lotus Traveler profile.

(screenshot: Cannot Get Mail)


This is most likely caused by disabled HTTP methods. Check the Lotus Domino server's notes.ini and make sure that TRACE is the only HTTP method disabled, nothing more. The configuration should look like this:

HTTPDisableMethods=TRACE

Remove any method other than TRACE from HTTPDisableMethods. Disabling TRACE is a sensible hardening step; disabling further methods breaks the traffic from the Apple client while the Nokia client keeps working.

After modifying notes.ini, issue the following commands in the Domino console:

tell traveler quit

tell http quit

load http

load traveler

Delete the existing Lotus Traveler profile from your iPhone/iPad and generate it again from your Lotus Traveler server website.


Useful command for Lotus Domino/Notes server maintenance

Below are some useful commands for IBM Lotus Domino/Notes server maintenance. Enter them at the Domino console.

Command                                              Description
load compact [database] -C                           Copy-style compaction. Use this option to solve database corruption problems.
load compact [database] -B                           In-place compaction: recovers unused space and reduces the file size, unless a structural change is pending, in which case copy-style compaction is done instead.
load fixup [database] -F                             Forces fixup to check all documents. Append -J if transaction logging is enabled.
load updall [database] -R -X                         Rebuilds all used views and rebuilds full-text indexes.
tell router compact                                  Compacts the router's mail.box database(s).
tell router update config                            Asks the mail router to reload/refresh the mail routing paths and costs.
route *                                              Forces all pending mail to be routed out.
load convert -U mail\mailfile * NewMailTemplate.ntf  Replaces the design of a mail .nsf file with a new template (normally used after a version upgrade). Converting to the old template and back to the new one can also clear error pop-ups users get when opening their mail file.
dbcache flush                                        Flushes the cache of open/held databases. Use it when the Domino console reports a database as in use and you need to run maintenance on that database.
drop all                                             Drops all existing connections to the server. Users who are actively working simply reconnect on their next request; the command is normally used before maintenance to clear idle connections so you can see who is still using the server.

How to repair Lotus Domino/Notes NSF file

IBM Lotus Domino/Notes uses NSF (Notes Storage Facility) files to store the data together with the design. Every mail file in Lotus Domino/Notes is an *.nsf file, and individual NSF files can get corrupted. Some examples of corrupted NSF error messages:

Error compacting Mail *.nsf: Database is corrupt — Cannot allocate space

Cannot open NSF files

RRV bucket is corrupt


Repair the database while the server is online

Run the following commands at the Domino console, one after another:

dbcache flush
load compact [database] -C
load fixup [database] -F
load updall [database] -R -X

Repair the database with Lotus Domino shut down

This is mainly for databases that are always open and locked by the Domino server or by user access.

1. Shut down the Lotus Domino server

2. Go to the Lotus Domino installation folder

cd c:\Lotus\Domino

3. Run the repair tasks

ncompact [database] -C
nfixup [database] -F
nupdall [database] -R -X

Note: If transaction logging is enabled, add the -J switch to the fixup and nfixup commands.



Remove “Install Drupal web hosting” footer

If you used SimpleScripts to install Drupal, you may have an "Install Drupal web hosting" footer at the bottom of your Drupal pages. This is a sample of the HTML embedded:

<a href="" title="install Drupal">Install Drupal</a><a href="" title="web hosting">web hosting</a>

You might want to get rid of this footer for security and confidentiality reasons: it tells every visitor which installer and hosting provider the site runs on.


Remove the above code from the following files: