Today's quote
"Patriotism is not a short and frenzied outburst of emotion but the tranquil and steady dedication of a lifetime."
- Adlai E. Stevenson, Jr.
Jim's Web Log: Ramblings related mostly to Microsoft Exchange, IT security, bug notices, workarounds, tips, PowerShell, and stuff. Sometimes Active Directory, 4Runners, trains, GoT, Siberian Huskies, social commentary, politics, events, religion, or humor, but, well, mostly Exchange.
"Patriotism is not a short and frenzied outburst of emotion but the tranquil and steady dedication of a lifetime."
Serenity the Movie! It ships on DVD on Dec 20th! This is my favorite movie of the year and it was one of the best TV shows (Firefly) that has been on TV in years. Here is the Synopsis from Amazon:
Paul Robichaux's "The Definitive Guide to Exchange Disaster Recovery and Availability" eBook is now completed and the full guide is published at on realtimepublisher's web site (www.realtimepublishers.com) I was the technical editor and contributor on this eBook, but being a contributor or editor for Paul is one of the easiest jobs in the world because Paul is quite thorough. The eBook is easily read and understood by not only IT techies, but decision makers as well. Here is the chapter breakdown:
Hello (again) from Redmond. The Tuesday, December 20th edition of Mike Nash's Microsoft Security360 includes an interview with me. The topic of discussion is essentially multi-layer e-mail security which ties in nicely with an e-mail security e-book that I'm e-working on. :-)
Microsoft today released the Microsoft Exchange Server ActiveSync Web Administration Tool. I saw a demo of this tool at Exchange Connections back in November and it is most cool. This tool is designed to allow an administrator of moible devices to manage devices remotely by erasing mobile devices that may have been lost/stolen/compromised. Using this tool, the mobile device administrator can:
The Exchange server must be running Exchange Server 2003 SP2 and the mobile devices must run Windows Mobile 2005 with Feature Pack 1 installed. The feature pack must come from the vendor of your mobile device.
I heard some interesting Christmast music last week and went off in search of the CD. In fact, I found many. The Trans-Siberian Orchestra is the alter-ego of a rock band called Savatage. One reviewer of their music said they often contain flashes of brilliance. I would have to describe what I have heard so far as a mixture of classical and rock. Sort of like what would happen if the New York Philharmonic and Metallic collide. So, for a different (and very welcome take) on Christmas music, get one of their CDs or listen to some of their music on Amazon. I'm hooked.
It has been an "interesting" 6 months at CTA. Today, the BizMD himself, Mike Hulser announced he was leaving CTA 6 months before his cushy consulting gig was up. I figured I would immortalize this moment. If anyone were left, there would be dancing in the streets.
This is actually old news now, but at the Microsoft IT Forum 2005, Microsoft confirmed some rumors that have been floating around that Exchange 12 will be 64-bit only. So, yes, the decision has been made that Exchange 12 will run only on a 64-bit platform; there will NOT be a 32-bit version of Exchange 12. Microsoft is in a precarious position of delivering improved support for some of their clients and delivering a stable platform for all customers. I'm afraid that supporting two different platforms may make the product much more difficult to be supported.
I think by the time Exchange 12 ships, this will all have blown over and the industry will be much more likely to embrace 64-bit applications.
I recently had a situation where we had seperated forever some Exchange 5.5 sites. They were never going to be rejoined for directory replication. Never, ever, ever! After separating them, we found a lot of public folders that we could not take ownership of (using the Exchange 5.5 server's DS/IS Consistency Adjuster and choosing to rehome public folders from unknown sites).
As promised, I'm posting my Powerpoint slide decks from a number of recent presentations have done.
On November 16 at 2:00pm EST, I am participating in a web cast sponsored by Windows IT Pro magazine and XOsoft. The topic is Managing and Reducing Planned Downtime; my specific focus for my part will be on the reasons for planning scheduled downtime for Exchange, choosing a downtime window, and how much time you need for your downtime window. Topics include:
You can register for this web seminar on Windows IT Pro's Web Seminars page. I hope you will attend.
In my Analysis of Disaster Recovery session as well as a couple of other sessions, there were a lot of good questions on using the Recovery Storage Group. Someone asked if you can do a dial-tone restore, then restore the production database to an RSG, then swap out the RSG database with the "dial-tone" database, and then finally ExMerge the data from the dial-tone database in to the production database.
While this is just an overview, it gives you an idea of what the steps are. I recommend you read the Using Exchange Server 2003 Recovery Storage Groups whitepaper and practice this before you have to do it in production.
During my Exchange Connections presentation on availability and clustering, one of the attendees said that he had been told by Microsoft that he should NOT use mount points on a cluster due to performance problems. (For those of you that don't use mount points, this feature allows you to mount a disk partition in to a folder on an existing drive letter rather than creating a new disk drive letter.)
In yesterday's closing session of the Exchange and Windows Connections conference, during the Q&A portion, an attendee described a problem she had with a user who was selecting hundreds or thousands of users from the GAL manually and sending worthless/non-business related messages. She asked if there was a way to stop this. We had some lively discussion on this, but one thing that was not mentioned was restricting the maximum number of recipient limits for all of the users (say to 100 recipients rather than the default of 5,000.)
One of my favorite things to do at a trade show or conference is to visit the exhibits area. Usually to look for interesting software or things I have wanted to learn about. And, of course, to troll for some swag.
Microsoft released a new tool today called the Exchange Disaster Recovery Analyzer (ExDRA). This tool looks at an Exchange server's databases, and collects configuration data and header information from databases and transaction log files. The tool analyzes all headers and creates a detailed list of instructions explaining what the problem is, and how to resolve it. The goal is to guide a user through the disaster recovery process, automating as much as possible.
The buzz this week at the Exchange and Windows Connections conference in San Diego has been Mark Russinovich's discovery of a rootkit on one of his own computers. The rootkit was placed their by a Sony music CD. Read Mark's discussion of how he found and analyzed this corporate malware at Sony, Rootkits and Digital Rights Management Gone Too Far. Very scary. Very slimy. Sony has gone way too far.
On page 39-40 and page 99 of the Exchange Server 2003 24seven book, I claimed that you can copy the EXCHMEM.DLL, ESCPRINT.DLL, ADDRESS.DLL, and MAILDSMX.DLLs in to the \windows\system32 folder, register them, and that would provide the Exchange specific property pages for Active Directory Users and Computers. While this was a neat trick in Exchange 2000, it does not work with the Exchange 2003 DLLs.
I am frantically finishing up my demonstration machines for the Exchange Connections conference. I built all of these virtual machines running on a desktop using Microsoft Virtual Server 2005. However, when I copied them over to my new Dell D810 laptop (2gb of RAM, 2.1GB Pentium M, 7200RPM drive) , the performance is absolutely terrible. The VMs are sometimes just fine and other times they are slow, they hang up/freeze up, the mouse stops responding, file copies from a shared folder on the host fails, and they keyboard shortcuts work sometimes and sometimes they don't. And, often the performance is bad even with just one VM running.
Virtual Server 2005 is not great on a laptop, but at least it has become tolerable. Thanks to Scott Schnoll for sitting down with me and helping me tweak and tune the laptop a little more.
In case anyone cares, here is where you can find me at the Exchange Connections 2005 conference in San Diego the week of Oct 31.
The folks that work in Microsoft Product Support Services (PSS) have seen it all! They have a tremendous amount of knowledge of the inner workings of Exchange and how it behaves in all manner of different circumstances; their knowledge is probably as good as the folks working in the Exchange Product Group. Much of this information is documented and published internally, but in a "raw" format that is not easily publicly disseminated. For example, the information may not have step-by-step instructions, have been edited for typos or grammatical mistakes, or even formatted to be "readable".
Exchange 2003 SP2 is finally ready. You can download it from links found at the Exchange site. The release is available in English, Chinese, German, Spanish, French, Japanese, and Italian. Here is a list of the Issues that are fixed in Exchange Server 2003 Service Pack 2 And, SP2 is cumulative, so you don't need to apply SP1 first.
Okay, so what is Monad?
I bought one of these a few months ago and love it. Side-by-side, this looks even better than the Samsung 24" (around $1,800) and the Sun 24" (around $3000!). The monitor retails for $1,199 (already a bargain). I just found a Dell coupon code that will get you 35% of this montior (or $779). This is an incredible deal. When checking out, use coupon code WFQ9X9GW1VT?2R. Hurry, it expires 10/18 or after 5,000 uses.
I'm setting up demos for some presentations I'm doing for Exchange Connections in San Diego. One of these demostrations will include building a 2-node active/passive cluster. I have done this before using VMWare. There is a really good article called A VMWare Clustering Recipe by Chris Wolf that was helpful in getting this working. Unfortunately, I can't find my VMWare license keys and they have been less than forth-coming in getting me another one.
I saw Serenity last night. Joss Whedon has outdone himself. Great movie, lots of action, River kicks butt, and Kaylee gets two of the funniest lines of the movie. River gets the vote for best facial expression. I won't give any of the movie away, though. I plan to see it again while it is still on the big screen. See the movie and tell Fox to bring back the series!
I learned an interesting tidbit of information from John Savill's Windows Tips & Tricks FAQ (www.windowsitpro.com). The feature of Exchange 2003 Service Pack 2 that allows a database to be larger than 16GB is NOT enabled by default. There is a Registry value that you need to create to define the maximum database size. In my example, the server name is HNLEX01. Locate the following registry key in HKLM\SYSTEM\CurrentControlSet\Services
I'm hooked! A few days ago, a friend lent me the first DVD from Joss Whedon's Firefly - The Complete Series. Wow! What a great TV series! And what a shame that Fox cancelled it after only showing 11 episodes. Another example of the TV networks assuming that the viewing public has the attention span for nothing more than reality (hack, hack, cough, cough) TV series. I just ordered the entire set for myself after watching the pilot twice and the first two regular episodes. The cast forms a perfect ensemble, the characters are well developed and likeable, the technology is interesting, and the view of humankind 500-years in the future is fascinating. I never thought I would see people riding up to a spacecraft on horseback or a spacecraft flying over a train.
In the environment in which I'm currently working, the OU admins in Active Directory have "Exchange View Only Admins" permissions to their respective Exchange admin groups. We have started seeing a problem when modifying e-mail addresses. When an OU-level admin modifies an e-mail address such as an SMTP on the user's E-Mail Addresses property page (using Active Directory Users and Computers), they get the following error message:
If you read my blog much, you will know that I'm a gadget freak. My office at home is full of gadgets. This extends to my desktop, too. I recently installed the new Google Desktop v2 beta and thought it was the cat's meow. However, I just found a tool that Yahoo now owns called Konfabulator. Very spiffy. And lots of Konfabultor widgets that you can download and add to it. I have weather report, clock, stock ticker, picture viewer, and NY Times headline viewer widgets on my desktop. They look much more slick than the Google Desktop. For those of you that use the Mac, yes, I know, this looks a LOT like the Tiger desktop. I'm assuming this is where the concept came from.
This week there has been some discussions on one of the e-mail lists to which I describe about the proper placement of the MSDTC (Microsoft Distributed Transaction Coordinator) resource in an Exchange-only cluster. Over the past couple of years, I have seen recommendations that state that it should be in its own cluster resource group (with its own physical disk, IP address, and network name) versus putting the MSDTC resource in the Cluster group with the cluster quorum and the quorum drive. Even Microsoft's own guidance on this has been less than consistent.
If you have been keeping up with some of my past posts, you have seen that I have been wrestling with clustering issues and also with security templates and GPOs. I came up with a list of things that has been helpful to us in deploying our clusters.
KC Lemson wrote on the Exchange Team blog that Exchange 12 would only ship on DVD. I think this is a good move. In most environments in which I have worked, we copy the entire Exchange CD-ROM on to a shared folder anyway.
As many people that have applied Windows 2003 SP1 have found, there have been a number of different things done to "harden" the operating system. These include changing some of the rights that the built-in services accounts (i.e. SERVICE, Local Service, Network Service) have to services.
Microsoft Exchange Connections Conference - October 31 - November 3, 2005, Manchester Grand Hyatt, San Diego. Microsoft and Exchange experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Register by September 12 to save $100 off your conference registration and attend sessions at Windows Connections free!
I have seen this problem a couple of times over the past couple of years and today I saw a newsgroup posting on it so I figured it was blog-worthy. :-)
This seems to be a pretty common question on the newsgroups, in design meetings, and in classrooms. I was inspired this morning by Russ Kaufmann's WINS is a Friend of Mine blog entry. Read it! Yes, you should continue to include WINS servers in your designs for Windows 2000 and Windows 2003 networks. Exchange 2003 has some of it's own particular need for NetBIOS name resolution and WINS is the best solution for this. The Exchange 2000 and 2003 setup program, Exchange System Manager, Exchange 2000/2003 clustering, and ExMerge all make a the occasional name lookups using NetBIOS name resolution.
I'm working on a full-day, pre-conference presentation for the Exchange Connections 2005 conference in San Diego. From the amount of postings I see in the newsgroups, there is still a lot of questions related to Exchange 5.5. This tells me a lot of organizations have not yet made the leap to a newer version of Exchange.
Microsoft has released an Exchange Server 2003 Service Pack 2 Community Preview. I recommend you build a TEST server (if you don't have one already), download this beta of SP2 and give it a test run. If you load this in production, you are on your own! This release is unsupported by PSS!!!!
About two weeks ago, a newly installed Exchange 2003 cluster (2-node, Active-Passive) started doing some weird things. We really did not notice until we started trying to run backups and move mailboxes. We had failures while using the Exchange Move Mailbox Wizard in Active Directory Users and Computers or Exchange System Manager.
Every once and a while, someone asks me about what to do when one of their users sets a password on their Microsoft Outlook PST file and then forgets the password. Believe me, this happens frequently enough. There are a number of utilities that I have seen that can remove the password from the PST file. It does not really crack or hack the PST password, but rather recreates the PST file without the password requirement. Not very good security, I know.
Microsoft has one a $7,000,000US settlement from Scott Richter, dubbed the King of Spam by some. Though, I would like to dub him something else entirely. This is the result of a nearly two year legal battle against this punk who was at one time responsibile for sending nearly 40,000,000 spam messages per year. Will this settlement stop spammers? No. But, I think it is a good start and it surely sets a good legal precendent.
Microsoft has released their July 2005 update to the Outlook 2003 Junk E-Mail filter. The date on the OUTLFLTR.DAT file once this update is applied is 09-JUN-2005. See the Microsoft Knowledge Base article 895658: Description of the Outlook 2003 Junk E-mail Filter update: July, 2005, for more information.
While this does not have anything to do with Exchange, I have gotten seen some good advice over the years and have learned some interesting tips. Even my own mother got phished about two and a half years ago. So, we have to be diligent.
If you suspect any of your credit card or banking information has been compromised, call all releveant companies immediately. The longer you wait, the more likely it will be that you will be responsible for some of the charges.
Call the three national reporting agencies and tell them to place your name and social security number on a fraud alert. This will help halt issuance of new credit cards in your name. Do this right away.
Call the police and file a police report immediately. Keep copies of the report if you need to provide proof to the credit agencies.
Keep records of all conversations you had, with whom, and the date and time. Record the details of these conversations along with what you have been told will be done.
"The condition upon which God hath given liberty to man is eternal vigilance."
- John Philpot Curran (though often attributed to Thomas Jefferson or Patrick Henry)
You heard right, Sender Id is coming! What is Sender Id, you ask? Don't feel bad, most Exchange admins are asking the same question. Essentially (and very simplified) Sender Id is part of an initiative (I'm not sure that is the exact correct word), to reduce spam. Sender Id is part of the Sender Policy Framework (SPF).
Paul Robichaux is speaking on a webcast that is being produced in conjunction with the release of his new eBook entitled The Definitive Guide to Exchange Disaster Recovery (Realtimepublishers.com) and registration for the event is free. It will take place on Wednesday, July 27th, 2005 at 2pm EST. Paul’s webcast discussion will touch upon the following series of topics:
Chapter 2 of the eBook is now available. It is titled The Definitive Guide to Exchange Disaster Recovery and Availability. This chapter will explore the fundamental principles behind disaster recovery and look at technical solutions that purport to improve disaster recovery. It will then examine some of the design choices and tradeoffs you face in trying to design an effective disaster recovery plan.
I have seen a number of questions relating to getting ExMerge running in Exchange 2000/2003. The quickest and dirtiest way to do this is to clear the Send As and Receive As "explicit denies" on the Exchange organization object for Domain Admins and Enterprise Admins. However, this is sloppy and it means that anyone with Domain Admins or Enterprise Admins can open anyone's mailbox.
Once you have cleared the Receive As and Send As checkboxes in the Deny column, this user will truly have "complete control" of your Exchange organization.
Some Exchange gurus are going to look at this and say that the Exchange Demi-god Admins group has too many permissions to the Exchange organization. And this is true. You can scale back the permissions by delegating only the Exchange View Only Admins role, then explicitly assigning only Receive As. The above procedure is just about the simplest, but somewhat secure solution I could quickly write about. More secure solutions are usually somewhat more complex. The important thing is that you protect the use that has these rights.
Finally, from where do you run ExMerge? IMHO, the most efficient place (if you have the local storage for the PST files) is the console of the Exchange server on which you are extracting mail. If this is the case, the Exchange Demi-god Admins group will also need to be delegated permissions to log on locally to the Exchange server console and (probably) access the server through Remote Desktop Connection (you can do this through a GPO).
Granting a user permissions to access mailboxes (even for the sake of performing archives, extracting viruses, or other official work) can be tricky. Make sure management knows that you have this capability and under what circumstances it may have to be used.
It's here! The Exchange team has written the final word on whether or not you should use the /NOPAE and /EXECUTE switches in the BOOT.INI file of an Exchange 2003/Windows 2003 SP1 server with more than 1GB of RAM (and 4GB of RAM or less, anything more than 4GB of RAM in an Exchange 2000/2003 server is usually a waste of money)
Everytime I think Google has out-done themselves with another neat new technology. I'm still impressed with Google Maps (and the Satellite view!) and Picasa. With Google's purchase of Keyhole's image library and technology, they have been able to add neat imaging services to their offerings. Now comes Google Earth! I'm stuck. I'm addicted. I have got to stop playing with this and get some work done! And the best part is the basic services are all free. Awesome quality images from satellite.
This past week, I tackled a problem that really kicked my behind for a few days. I was installing a new Exchange 2003 server in to an existing Exchange 5.5 organization. Windows 2003 Service Pack 1. The forest had been prepped and so had all of the domains. Lots of time for replication to occur. The user I was logging in with had all the necessary administrative permissions. All the prereqs had been met.
My roommate and I recently took a trip to Thailand and Cambodia. A couple of folks asked me about pictures, so I finally got around to going through the 1,500+ pictures, picking some good ones, and posting them. Anyone interested can see them at http://www.somorita.com/travel. And, if you are wondering, Cambodia was definitely the high point of the trip!
I see this posted in the newsgroups and I'm asked in almost every Exchange class I teach if it is possible for a user to pick which SMTP address they want to when they send a message (when using Outlook). For example, Joe Snuffy wants to send a message from his own mailbox, but have people reply to the Sales alias. You can change the "reply to" address, but the display name will still be Joe Snuffy's.
Today, in the Exchange and Outlook Update newsletter, Paul Robichaux answered a reader's question about whether or not Exchange 2003 could be integrated with Exchange 2003 Service Pack 1 in such a way that you only have to install the "integrated" package. This is actually a fairly frequent question on the newsgroups and that I am asked personally. I felt it was blog-worthy. :-)
This is an excellent monitor. One my clients ordered a couple of these when they became available. $899.00 is an awesome price for smaller flat-panels, much less a 24-inch wide screen. Side-by-side, this looks even better than the Samsung 24" (around $1,800) and the Sun 24" (around $3000!). The monitor retails for $1,199 (already a bargain), but this coupon code (4K32?8XWMKS6CH) gets you another 25% off making it $899. Expires on 6/28 at 5:59AM CDT or after 500 uses.
Microsoft has released today an updated version of the Exchange Best Practices Analyzer (ExBPA). Today's release is v2.1. Enhancements include HBA Collection, a new Health/Performance Check scan, improved cluster reports, better screen layout, checksum operations, and over 100 new rules.
Just when you think you have seen it all. A copy called OOOMS has released their "City Hideout" or Portable Urban Hideout. When the stress of city living gets to be too much, just put this hideout together, jump inside, and close the lid. The box looks just like a street-light control box or other boxes found commonly along streets and sidewalks. It comes complete with vents so you can see out and watch the world go by while you hide and wait for your therapist.
Realtimepublishers.com has just released the first chapter to the free ebook The Definitive Guide to Exchange Disaster Recovery and Availability by Paul Robichaux. For those of you that don't know him, Paul Robichaux is one of the best technical writers in the technology industry. Expect future installments of this XOSoft sponsored ebook over the next several months.
Today I was working on an Exchange 2003 cluster build and learned a neat new trick. Actually, we were not working on anything related to Exchange, but rather prepping Windows and the SAN drive letters. My buddy Aran Hoffmann creates a text file in the root of each SAN disk and/or mount point that has in its name the drive letter of the disk.
For the past 5 days, my Internet connectivity at home (Time-Warner's Road Runner) has been down. After they admitted they have had problems in my area, they keep insisting that my problem is within my premises. This is in spite of the fact that I went down to their office and got a new cable modem. They can't schedule someone to be at my house until July 2nd. And they can only give me a timeframe of between 8AM and 4PM, nothing more specific. Congratulations Time-Warner, you can convinced me that I don't want you providing my local phone service. But, I'm not bitter...... ;-)
Do you want a GMail mailbox? All the cool geeks are getting them; Just so you don't have to feel the geek peer pressure, I have about 75 unused invites to send. If you want one, send me a message and indicate what e-mail address to which you would like the invite sent. First come, first serve basis. E-mail me at EXCHANGE24SEVEN (at) GMAIL.COM
You may have noticed an error that pops up when you run the Exchange 2003 setup program on a Windows 2003 Service Pack 1 server. The message says: Exchange Server 2003 has a known compatibility issue with this version of Windows. For more information, refer to http://go.microsoft.com/fwlink/?LinkId=37488. To run the program, click Continue.
I'm back from southeast Asia. No lingering tropical diseases or arrests. I need a vacation now just to recover from my vacation. :-) I'll try to get some pictures posted somewhere, in case anyone is interested. Now I have 100,000 e-mails to go through.
Hi everyone! I have really tried to regularly contribute useful content to this blog over the past 6 months. However, I'm going to be offline for a few weeks; very offline, in fact. I'll be in Angkor Wok and Siem Reap in Cambodia and Bangkok, Phuket, and Chiang Mai in Thailand. If you want to do something nice for me (*grin*), scroll down and visit one of the Ads by Google links; though, do pick something you are interested in. :-) I'll be back by around June 10th. Thanks to all my regular visitors.
If you have tried modifying or manipulating objects in your Windows 2003 Active Directory using some of the new command-line tools such as dsget.exe, dsmod.exe, msquery, or dsrm.exe, then you have discovered the same limitations that many others have. I see a lot of postings to this effect in the newsgroups. These tools only support a limited set of attributes. My favorite tool for dealing with this is ADMODIFY.NET.
Backing up Exchange to disk has become an increasingly popular way to backup Exchange databases. Microsoft is doing "backup to disk" and is keeping two days worth of backups online and available; this can dramatically reduce the amount of time it takes to restore from backup. And, logically, the backup you probably want to restore from is the most recent.
Ever had a problem where you right click on an image in Internet Explorer, but the Save As dialog box only allows you to save the image as a bitmap (BMP) file? I have seen this for a couple of years, but never figured out why. And, the problem was inconsistent. Thanks to Eugene Siu, I now know why. The Internet cache is full. Purge it or increase it, close the browser, reopen it, and try again! Thanks Eugene, you are my new favorite blogger!!!!!
realtimepublishers.com and AlterPoint introduce a new chapter to the free ebook Tips and Tricks Guide to Network Configuraiton Management - 2005 Edition by Don Jones. Networking and security guru Don Jones has just written this new chapter covers questions dealing with configuration management best practices, troubleshooting, security, compliance management, and configuration management. In my experience, once a network is in place and running, one of the biggest problems that administrators experience is improper change and configuration control. This is something we should all get better at and this ebook is a good start.
A lot of people still don't know these exist, so I thought I would blog them. Although, I think the audience for my blog is probably already aware of these. Microsoft has a couple of e-mail aliases for product suggestions. They DO monitor these and the suggestions get routed the product group managers. For all Microsoft products, use mswish@microsoft.com. For Exchange Server, exwish@microsoft.com. If you have ideas for Microsoft products or feature suggestions, please let Microsoft know about them.
Move mailbox reports in Exchange 2003 are stored in XML format in the \My Documents\Exchange Task Wizard Logs folder of the user that moved the files. However, they are not very readable without a style sheet being applied to the XML file.