Friday, December 30, 2005

Today's quote

"Patriotism is not a short and frenzied outburst of emotion but the tranquil and steady dedication of a lifetime."
- Adlai E. Stevenson, Jr.

Saturday, December 17, 2005

Serenity out on DVD on Dec 20!

Serenity the Movie! It ships on DVD on Dec 20th! This is my favorite movie of the year and it was one of the best TV shows (Firefly) that has been on TV in years. Here is the Synopsis from Amazon:

The crew of the Serenity is getting desperate. They have lain lower and lower to protect their doctor, Simon Tam (Sean Maher), and his telepathic, traumatized little sister, River (Summer Glau), from the Alliance, from whom he rescued her a year earlier. This has made getting jobs harder and now they are desperate. When they take River on a robbery during which Reavers (humans who have gone crazy and turned into cannibals) attack, Simon decides that it's time to leave the crew of the Serenity for his and River's safety. She then mutters "Miranda" and goes berserk and nearly shoots Capt. Malcolm Reynolds (Nathan Fillion), until her brother says the safety word to put her to sleep. Reynolds decides to take them back on board for safety, only now an Alliance operative (Chiwetel Ejiofor) is on their tracks, making Reynolds determined to find out what "Miranda" is and what the Alliance is hiding.

Thursday, December 15, 2005

The Definitive Guide to Exchange Disaster Recovery and Availability

Paul Robichaux's "The Definitive Guide to Exchange Disaster Recovery and Availability" eBook is now complete, and the full guide is published on Realtime Publishers' web site (www.realtimepublishers.com). I was the technical editor and contributor on this eBook, but being a contributor or editor for Paul is one of the easiest jobs in the world because Paul is quite thorough. The eBook is easily read and understood not only by IT techies, but by decision makers as well. Here is the chapter breakdown:

Chapter 1: Basics of Exchange Protection
Chapter 2: Availability Building Blocks: Disaster Recovery
Chapter 3: Availability Building Blocks: High Availability and Business Continuance
Chapter 4: Availability Building Blocks: Validation, Testing, and Deployment
Chapter 5: Designing for Disaster Recovery and High Availability
Chapter 6: Implementing Disaster Recovery / High Availability with Exchange
Chapter 7: Building an HA-Ready Infrastructure

This eBook makes for good and relevant reading for anyone concerned about the stability of their e-mail system!

Microsoft Security360 Web Cast (with me being interviewed!)

Hello (again) from Redmond. The Tuesday, December 20th edition of Mike Nash's Microsoft Security360 includes an interview with me. The topic of discussion is essentially multi-layer e-mail security which ties in nicely with an e-mail security e-book that I'm e-working on. :-)

Cool lava picture

Greetings from sunny Redmond, everyone!
More on why I'm in Redmond in a later posting. I have been meaning to post this picture for the past couple of weeks. This picture came from an article in the Honolulu Advertiser on December 1. A 44-acre, 60-foot-high wall of rock collapsed into the ocean and exposed a lava tube. What you see in the picture is a 6-foot-high stream of lava pouring out of the rocks and into the water below. Very cool.

Wednesday, December 07, 2005

Exchange ActiveSync Web Administration Tool released

Microsoft today released the Microsoft Exchange Server ActiveSync Web Administration Tool. I saw a demo of this tool at Exchange Connections back in November and it is most cool. This tool lets an administrator of mobile devices manage them remotely, in particular by erasing devices that have been lost, stolen, or otherwise compromised. Using this tool, the mobile device administrator can:
  • View a list of all devices that are being used by any enterprise user
  • Select/De-select devices to be remotely erased
  • View the status of pending remote erase requests for each device
  • View a transaction log that indicates which administrators have issued remote erase commands, in addition to the devices those commands pertained to

The Exchange server must be running Exchange Server 2003 SP2, and the mobile devices must run Windows Mobile 5.0 with the Messaging and Security Feature Pack installed. The feature pack must come from the vendor of your mobile device. Keep in mind that the erase command is delivered to the device the next time it synchronizes with the server, so a device that never connects again is never wiped; the pending-request status in the tool tells you whether that has happened yet.

Monday, December 05, 2005

Trans-Siberian Orchestra

I heard some interesting Christmas music last week and went off in search of the CD. In fact, I found many. The Trans-Siberian Orchestra is the alter-ego of a rock band called Savatage. One reviewer of their music said they often contain flashes of brilliance. I would have to describe what I have heard so far as a mixture of classical and rock, sort of like what would happen if the New York Philharmonic and Metallica collided. So, for a different (and very welcome) take on Christmas music, get one of their CDs or listen to some of their music on Amazon. I'm hooked.

Wednesday, November 30, 2005

The BizMD Mike Hulser leaving CTA

It has been an "interesting" 6 months at CTA. Today, the BizMD himself, Mike Hulser, announced he was leaving CTA 6 months before his cushy consulting gig was up. I figured I would immortalize this moment. If anyone were left, there would be dancing in the streets.

Tuesday, November 29, 2005

Microsoft announces that Exchange 12 will be 64-bit only

This is actually old news now, but at the Microsoft IT Forum 2005, Microsoft confirmed some rumors that have been floating around that Exchange 12 will be 64-bit only. So, yes, the decision has been made that Exchange 12 will run only on a 64-bit platform; there will NOT be a 32-bit version of Exchange 12. Microsoft is in the precarious position of delivering improved support for some of their clients while delivering a stable platform for all customers. I'm afraid that supporting two different platforms may make the product much more difficult to support.

Microsoft has taken some heat in the industry from pundits like Ed Brill as well as the media on this decision, however I'm not so sure this is a bad thing.
  • Most of the server-class hardware that is shipping today is already capable of running Windows 2003 64-bit operating systems. That, unfortunately, does NOT include equipment in my own lab. So before betas start shipping I will need to get my hands on some 64-bit gear if I'm going to do any testing. :-(
  • The initial performance testing on the early versions of Exchange 12 running on 64-bit hardware found a 75% performance improvement in I/O when compared with the 32-bit version. This is pretty dramatic considering that most Exchange bottlenecks now (after you toss 4GB of RAM and 4 CPUs at a server) end up being I/O.
  • Exchange 12 will probably not be available anytime before mid 2007. By that time, most organizations that have done a hardware refresh will have 64-bit hardware.
  • Most of the time, organizations that upgrade from an older version to a newer version upgrade their hardware platform at the same time they upgrade the application.
  • Hopefully the information store service will be completely re-written to overcome some of the memory limitations on that platform (right now it cannot access over 2GB of RAM).
  • The announcement now will ensure that 3rd party vendors such as antivirus and backup vendors get their 64-bit products ready for shipping sooner rather than later.

I think by the time Exchange 12 ships, this will all have blown over and the industry will be much more likely to embrace 64-bit applications.

Sunday, November 27, 2005

Public folder cleanup in Exchange 5.5

I recently had a situation where we had permanently separated some Exchange 5.5 sites. They were never going to be rejoined for directory replication. Never, ever, ever! After separating them, we found a lot of public folders that we could not take ownership of (using the Exchange 5.5 server's DS/IS Consistency Adjuster and choosing to rehome public folders from unknown sites).

Every time we tried to view the properties of one of these folders in the Exchange Administrator, we got a message indicating that replication had not yet completed:

The object cannot be found in the directory.
This may be because replication has not completed.
Microsoft Exchange Directory ID no: c1010aae

It turns out that the folders we could not take control of had the "Limit Administrative Access to Home Site" property enabled. This is pretty common in most Exchange 5.5 organizations. The whole reason that feature exists in the first place is to keep someone from disconnecting their site from directory replication and taking ownership of all of the folders in the hierarchy. Trust me, it happens. :-0

These "orphaned" but unmanageable folders will automatically be cleaned up during online maintenance once they have been orphaned for 20 days after the removal of the Exchange 5.5 site in which the folder lived. Each Exchange 5.5 server cleans these up independently after its own counter hits 20 days, so some patience is in order.

However, it is possible to speed this process up somewhat. In the following registry key, create a REG_DWORD value and set its data to 900 decimal (15 minutes):
HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersPublic

Then wait for online maintenance to complete. If you have more than one Exchange 5.5 server with public folders, you will want to do this on each server. Do NOT run this if you suspect that you will be rejoining the site back to the organization again.

Wednesday, November 16, 2005

Slides from recent presentations

As promised, I'm posting my PowerPoint slide decks from a number of recent presentations I have done.

Exchange Connections
- Clustering for Exchange 2003
- Anatomy of a Disaster Recovery
- Exchange 5.5 to Exchange 2003 Migrations
- Outlook 2003: Is RPC over HTTP right for you?

Windows IT Pro
- Planning Scheduled Downtime

Tuesday, November 08, 2005

Windows IT Pro Web Seminar: Managing and Reducing Planned Downtime

On November 16 at 2:00pm EST, I am participating in a web cast sponsored by Windows IT Pro magazine and XOsoft. The topic is Managing and Reducing Planned Downtime; my specific focus for my part will be on the reasons for planning scheduled downtime for Exchange, choosing a downtime window, and how much time you need for your downtime window. Topics include:
  • Why you need a scheduled downtime window
  • About scheduling downtime to prevent unscheduled downtime
  • Which types of activities should be included in scheduled downtime
  • What questions you should ask when choosing a downtime window
  • About the non-technical tasks involved in scheduled downtime
  • How to decide what your sensitivity is to downtime based on your availability requirements
  • About products and services that can reduce or minimize downtime while still providing the ability to do required maintenance

You can register for this web seminar on Windows IT Pro's Web Seminars page. I hope you will attend.

Dialtone restores,the Recovery Storage Group, and swapping out database files

In my Anatomy of a Disaster Recovery session, as well as a couple of other sessions, there were a lot of good questions on using the Recovery Storage Group. Someone asked if you can do a dial-tone restore, then restore the production database to an RSG, then swap the RSG database with the "dial-tone" database, and finally ExMerge the data from the dial-tone database into the production database.

This is a good idea, since the dial-tone database will not have a lot of the mailbox "meta-data", such as mailbox/folder rights, rules, forms, etc. That data will be in the RSG database, though, so swapping them once the RSG database is restored from tape is a good idea.

I had not done this, but it is possible. I found some good reference material in the Microsoft whitepaper "Using Exchange Server 2003 Recovery Storage Groups", including steps on how to swap out the RSG with the dial-tone database. Essentially, here are the steps necessary if you lose the production database and want to do a dial-tone restore:
  1. Delete the production database files and remount the store. Answer "yes" when Exchange System Manager asks if you want to create new database files.
  2. At this point, users can go back to work, albeit with empty mailboxes.
  3. Create a Recovery Storage Group and create the mailbox store in the RSG that you wish to restore.
  4. Restore the last backup of the production database to the RSG
  5. Make a backup copy of the production database that was created from the dial-tone restore
  6. Dismount both the production database and RSG database. Copy the RSG files in to the production database location. Copy the production database files in to the RSG location.
  7. Rename the production (dial-tone) database files, now in the RSG folder, to the names of the RSG database files. Rename the RSG database files, now in the production folder, to the names of the production database files.
  8. On the database properties, select the "This database can be overwritten by a restore" checkbox so the store will mount files that differ from the ones it last knew about.
  9. Mount both databases.
  10. Merge the data in the RSG database (now the dial-tone data) into the production database with ExMerge.

While this is just an overview, it gives you an idea of what the steps are. I recommend you read the Using Exchange Server 2003 Recovery Storage Groups whitepaper and practice this before you have to do it in production.
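As an added example (not from the whitepaper or this post), here is a PowerShell script for steps 5 through 7, the part where a hand-typed rename is most likely to go wrong (the original draft of step 7 above had exactly that mistake). The folder paths, file names and backup location are assumptions; both stores must already be dismounted, and the script refuses to start if any of the four files is still held open.

```powershell
# Added example, not from the RSG whitepaper or this post.
# Swaps the dial-tone store in the production folder with the restored store in
# the RSG folder (steps 5 through 7), keeping a copy of the dial-tone files first.
# Folder paths, file names and the backup location are assumptions.
param(
    [string]$ProdDir   = "D:\Exchsrvr\MDBDATA",
    [string]$ProdName  = "priv1",        # production store files: priv1.edb + priv1.stm
    [string]$RsgDir    = "D:\Exchsrvr\RSG",
    [string]$RsgName   = "priv1_rsg",    # whatever name ESM gave the RSG copy
    [string]$BackupDir = "E:\DialToneBackup"
)
$ErrorActionPreference = "Stop"
# An Exchange 2003 store is an EDB/STM pair; the two files must travel together
$exts = ".edb", ".stm"

function Test-FileUnlocked([string]$Path) {
    # A mounted store keeps its files open, so exclusive open fails while it is
    # mounted. Better to find out now than halfway through step 6.
    try {
        $fs = [IO.File]::Open($Path, "Open", "ReadWrite", "None")
        $fs.Close()
        return $true
    } catch {
        return $false
    }
}

# 0. Refuse to start unless all four files exist and none is still held open
foreach ($e in $exts) {
    $pair = @((Join-Path $ProdDir "$ProdName$e"), (Join-Path $RsgDir "$RsgName$e"))
    foreach ($f in $pair) {
        if (-not (Test-Path $f)) { throw "Missing file: $f" }
        if (-not (Test-FileUnlocked $f)) { throw "$f is in use; dismount the store first" }
    }
}

# 1. Step 5: back up the dial-tone database before it leaves the production folder
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($e in $exts) {
    Copy-Item (Join-Path $ProdDir "$ProdName$e") (Join-Path $BackupDir "$ProdName$e")
}

# 2. Step 6: move each file to the other folder under a temporary name, so the two
#    moves can never collide even if the production and RSG file names are identical
foreach ($e in $exts) {
    Move-Item (Join-Path $ProdDir "$ProdName$e") (Join-Path $RsgDir  "dialtone_tmp$e")
    Move-Item (Join-Path $RsgDir  "$RsgName$e")  (Join-Path $ProdDir "restored_tmp$e")
}

# 3. Step 7: rename to the names each store expects. The dial-tone data is now the
#    RSG store; the restored data is now the production store.
foreach ($e in $exts) {
    Rename-Item (Join-Path $RsgDir  "dialtone_tmp$e") "$RsgName$e"
    Rename-Item (Join-Path $ProdDir "restored_tmp$e") "$ProdName$e"
}

Write-Host "Swap complete. Set the overwrite-by-restore checkbox (step 8), then mount both stores (step 9)."
```

The temporary names are the point of the script: moving through a neutral name means the order of the two moves cannot matter and an identical file name in both folders cannot cause one copy to overwrite the other. Keep the backup folder from step 5 until the ExMerge in step 10 has been verified.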

Monday, November 07, 2005

Exchange Connections question: Mount points?

During my Exchange Connections presentation on availability and clustering, one of the attendees said that he had been told by Microsoft that he should NOT use mount points on a cluster due to performance problems. (For those of you that don't use mount points, this feature allows you to mount a disk partition into a folder on an existing drive letter rather than creating a new drive letter.)

I have checked with a number of folks at Microsoft as well as some gurus from Dell Professional Services and Collective Technologies and no one has heard of this recommendation being made. Based on what I have found so far, mount points are still good. I'll dig some more.

Friday, November 04, 2005

There are seldom technical solutions to behavioral problems

In yesterday's closing session of the Exchange and Windows Connections conference, during the Q&A portion, an attendee described a problem she had with a user who was selecting hundreds or thousands of users from the GAL manually and sending worthless, non-business-related messages. She asked if there was a way to stop this. We had some lively discussion on this, but one thing that was not mentioned was restricting the maximum number of recipients per message for all users (say to 100 recipients rather than the default of 5,000).

This will not prevent the user from sending out obnoxious messages in batches of 100, but it will make it a little more difficult. While sitting there listening to the attendee describe the problem, though, I thought of something that Ed Crowley once said; Ed is one of the most quotable Exchange gurus I know:

"There are seldom technical solutions to behavioral problems."
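The global limit is set in Exchange System Manager under Global Settings, Message Delivery. A per-user limit, stored in the user's msExchRecipLimit attribute, overrides it, which lets you cap the one offender (or one OU) without touching everyone else. Here is an added PowerShell example, not part of the original post, that sets that attribute through ADSI for every mailbox-enabled user under a search base; the OU, domain and limit value are assumptions, and -WhatIf shows the changes without writing them.

```powershell
# Added example, not part of the original post. Sets a per-user recipient limit
# (msExchRecipLimit) through ADSI, which overrides the global limit configured in
# Exchange System Manager. Search base, domain and limit are assumptions.
param(
    [string]$SearchBase     = "LDAP://OU=Sales,DC=example,DC=com",
    [int]$RecipientLimit    = 100,
    [switch]$WhatIf
)
if ($RecipientLimit -lt 1) { throw "Recipient limit must be at least 1" }

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$SearchBase
# homeMDB is only set on mailbox-enabled users; contacts and mail-enabled users are skipped
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
$searcher.PageSize = 500          # paged results, so large OUs do not stop at 1000
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("msExchRecipLimit")

$changed = 0
foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties["distinguishedname"][0]
    $current = $null
    if ($result.Properties.Contains("msexchreciplimit")) {
        $current = $result.Properties["msexchreciplimit"][0]
    }
    if ($current -eq $RecipientLimit) { continue }    # already capped at this value

    # An absent attribute means the global Message Delivery limit applies
    $shown = if ($current -eq $null) { "global default" } else { $current }
    Write-Host ("{0}: {1} -> {2}" -f $dn, $shown, $RecipientLimit)
    if (-not $WhatIf) {
        $user = $result.GetDirectoryEntry()
        $user.Put("msExchRecipLimit", $RecipientLimit)
        $user.SetInfo()
        $changed++
    }
}
Write-Host "$changed user(s) updated"
```

Run it once with -WhatIf and read the list before committing; the filter on homeMDB keeps it away from contacts and distribution groups, but a wrong search base will still cap the wrong people. Removing the per-user override later is a matter of clearing the attribute so the global limit applies again.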

Thursday, November 03, 2005

Cemaphore Systems' MailShadow 2.0

One of my favorite things to do at a trade show or conference is to visit the exhibits area. Usually to look for interesting software or things I have wanted to learn about. And, of course, to troll for some swag.

At Exchange Connections in San Diego, I came across a vendor called Cemaphore Systems that has a product called MailShadow. IMHO, this definitely wins "best of show". This is a mailbox replication / synchronization system. While the software is not yet released, it is designed to create a backup mailbox for a user on a remote server, then keep that mailbox synchronized and up-to-date with the original mailbox. All changes are synchronized (new messages, marking messages as read, deletions, calendar changes, contact changes, etc.). If there is ever a situation where the source mailbox fails, this system handles the updates to Active Directory that are necessary to add the original mailbox's SMTP addresses to the backup mailbox. The software can also assist in switching over the Outlook client.

I have a number of customers that will think this is very cool and worthy of consideration. If you are looking for a solution that will keep a backup mailbox for your VIP or critical mailboxes, then this is a good solution to look at.

Wednesday, November 02, 2005

Exchange Disaster Recovery Analyzer released today! (ExDRA)

Microsoft released a new tool today called the Exchange Disaster Recovery Analyzer (ExDRA). This tool looks at an Exchange server's databases, and collects configuration data and header information from databases and transaction log files. The tool analyzes all headers and creates a detailed list of instructions explaining what the problem is, and how to resolve it. The goal is to guide a user through the disaster recovery process, automating as much as possible.

The initial release of ExDRA is currently only stepping through the log replay part of disaster recovery. While the ESEUTIL tool will do many of these things, this tool makes many recovery processes much easier when you have a database that won't mount or needs transaction logs rolled forward. One thing I have already noticed, though, is that it does not detect single-bit errors in the database (-1018 errors). Those won't keep a database from mounting, but they will keep the database from being backed up successfully!

ExDRA is available at: http://www.microsoft.com/downloads/details.aspx?FamilyID=c86fa454-416c-4751-bd0e-5d945b8c107b&DisplayLang=en

Sony placing rootkits on users PC's to enforce Digital Rights Management

The buzz this week at the Exchange and Windows Connections conference in San Diego has been Mark Russinovich's discovery of a rootkit on one of his own computers. The rootkit was placed there by a Sony music CD. Read Mark's discussion of how he found and analyzed this corporate malware in Sony, Rootkits and Digital Rights Management Gone Too Far. Very scary. Very slimy. Sony has gone way too far.

Monday, October 31, 2005

Exchange Server 2003 24seven errata

On pages 39-40 and page 99 of the Exchange Server 2003 24seven book, I claimed that you can copy EXCHMEM.DLL, ESCPRINT.DLL, ADDRESS.DLL, and MAILDSMX.DLL into the \windows\system32 folder, register them, and that would provide the Exchange-specific property pages for Active Directory Users and Computers. While this was a neat trick in Exchange 2000, it does not work with the Exchange 2003 DLLs.

This is very embarrassing because I pride myself on testing everything that I write. This procedure does NOT work with the E2K3 DLLs, and it was an oversight on my part that it made it into the book. Even when just Exchange System Manager is installed, it installs the Microsoft Exchange Management service. For these DLLs to be registered, that service must be installed. I have not found a short-cut or workaround. So, you must install all of the Exchange management tools using Exchange setup even if you only need the ADUC property pages and not the Exchange System Manager. Sorry for the bogus info. If I find a work-around, I'll post it here.

Page 373 includes a reference to Veranda by Tally Systems. Tally is no longer in business; they have been assimilated by Novell, and it appears that Veranda is no longer being marketed. While I'm not crazy about putting URLs into a book, often that is the best way to convey information. Unfortunately, things change too quickly, which is exactly why I'm not crazy about them!

Thanks to a diligent Steven S. for pointing these errors out to me.

Sunday, October 30, 2005

Virtual Server 2005 nightmare

I am frantically finishing up my demonstration machines for the Exchange Connections conference. I built all of these virtual machines running on a desktop using Microsoft Virtual Server 2005. However, when I copied them over to my new Dell D810 laptop (2GB of RAM, 2.1GHz Pentium M, 7200RPM drive), the performance is absolutely terrible. The VMs are sometimes just fine and other times they are slow, they hang up/freeze up, the mouse stops responding, file copies from a shared folder on the host fail, and the keyboard shortcuts work sometimes and sometimes they don't. And, often the performance is bad even with just one VM running.

I have spent the past couple of days trying to get this thing tweaked. Apparently, based on what I have read, I am not alone. So, here are some things I have learned that might (or might not) help you when you are running Virtual Server (or Microsoft Virtual PC) on a laptop. These are in no particular order, though the power configuration / speed stepping features seem to be the most important.


  • Check for a more recent version of the system BIOS
  • Disable antivirus and antispam software
  • Disable the CPU's speed step features that slow the CPU down when it is on battery or goes idle. This is designed to save battery power, but it throws Virtual PC into disarray. On some laptops this is done in the BIOS; others have software settings that do this.
  • If you are having networking problems, see if KB 888750 applies to you
  • Update the virtual machine additions to a later version (see KB 900076; at this time, only the beta version of the next SP is available)
  • Disable all unnecessary services
  • Set Windows to maximum performance (to turn off a lot of the interface enhancements)

Virtual Server 2005 is not great on a laptop, but at least it has become tolerable. Thanks to Scott Schnoll for sitting down with me and helping me tweak and tune the laptop a little more.

Sunday, October 23, 2005

Exchange Connections schedule in San Diego

In case anyone cares, here is where you can find me at the Exchange Connections 2005 conference in San Diego the week of Oct 31.

Mon - 10/31 - 9:00 - 4:00 - Exchange 5.5 to Exchange 2003 Migration
Tue - 11/1 - 11:30 - 12:55 - Anatomy of a Disaster Recovery
Tue - 11/1 - 2:15 - 3:30 - Exchange Migration Panel: Expert Insights
Thu - 11/3 - 10:00 - 11:15 - Outlook 2003: Is RPC over HTTP Right For You?
Fri - 11/4 - 1:00 - 4:00 - Clustering for Exchange

The rest of the week, I'll be wandering around in and out of keynotes, exhibitor booths, and other sessions. You can definitely find me at Chris Scharff's "HA Best Practices for Exchange" session, Paul Robichaux's "Exchange Security: Tips and Tricks", Dan Holme's "AD Design, Delegation, and Security Brainshare", Brian Komar's "PKI Horror Stories", and Hasslauer's "Best Practices for Disaster Recovery: Lessons Learned from Exchange Server 2003 Stretched Cluster Deployments". I'm definitely looking forward to seeing a lot of the faces and friends from the last Exchange Connections conference!

Thursday, October 20, 2005

Be an Exchange Insider

The folks that work in Microsoft Product Support Services (PSS) have seen it all! They have a tremendous amount of knowledge of the inner workings of Exchange and how it behaves in all manner of different circumstances; their knowledge is probably as good as that of the folks working in the Exchange Product Group. Much of this information is documented and published internally, but in a "raw" format that is not easily disseminated publicly. For example, the information may lack step-by-step instructions, may not have been edited for typos or grammatical mistakes, or may not even be formatted to be "readable".

A lot of folks might say "just publish it anyway", but when you become a larger company like Microsoft, you have to stand by the information you produce and publish on your web site, so casually written material often does not stand up to the scrutiny of the general public. That is why I like blogging; I can disseminate something really quickly without editorial oversight (for better or worse). And, if you follow this blog, then you know that typos and grammar don't stop me from clicking the Publish Post button. :-)

PSS is now pushing to get this knowledge into a format that is acceptable for publication on the Microsoft web site. There is a new Exchange TechCenter section called Exchange Insider. Keep checking back to this site because over the next month or two, I expect a lot of their internal goodies to be cleaned up and published!

Wednesday, October 19, 2005

Exchange 2003 Service Pack 2 is here!

Exchange 2003 SP2 is finally ready. You can download it from links found at the Exchange site. The release is available in English, Chinese, German, Spanish, French, Japanese, and Italian. Here is a list of the Issues that are fixed in Exchange Server 2003 Service Pack 2. And SP2 is cumulative, so you don't need to apply SP1 first.

Before you do anything else, read the Exchange 2003 SP2 Release Notes. Test the release on a test server that closely duplicates your environment. If you have third-party applications (antivirus, antispam, backup, SAN, NAS, etc.), check with the vendor to make sure there are no known issues. And, of course, make sure you have good backups and documentation before applying any type of update or service pack. :-)

If you are planning to use the Sender Id functionality of Exchange 2003 SP2, then make sure that you apply the Windows 2003 SMTP hotfix 905214. Since this is a W2K3 Post SP1 fix, it is not included with E2K3 SP2.

Tuesday, October 18, 2005

Monad is coming? Are you ready?

Okay, so what is Monad?
Monad is the new Microsoft Command Shell (MSH). Microsoft is currently working on (but not yet released) a new command-line interface and scripting language for Microsoft operating systems. The final release of Monad will probably be sometime near the release of the new Windows Vista operating system. This technology is designed to provide a better shell and scripting language than previous technologies such as batch (BAT), command files (CMD), or Windows Scripting Host (VBS or WSH).

New features include "command-lets" (cmdlets) that treat all parts of the OS as .NET objects: the shell is object oriented, supports digital signatures and object inheritance, passes objects rather than text between cmdlets, has improved security, and can direct the output of commands to applications (such as Word or Excel).

Notably, all Exchange 12 administrative functions will be accomplished via Monad (the administrative GUI will still sit on top of the cmdlets). So many of those maddeningly repetitive tasks you do in Exchange 2003's admin program can be scripted with Monad. Of course, you can still use the admin interface.

But, why "Monad"?
I had to do a little research on this. The term comes from Gottfried Leibniz's philosophy of Monadology, which says that everything is integrated in a pre-established harmony; the fundamental elements of that philosophy are called monads. Obviously, someone at Microsoft Research is doing some recreational reading in something other than technology.

So, how does this affect me?
Ironic that I'm writing this blog entry since I can't even write a good, solid VBScript. Almost every day, I find administrative and management tasks that are better served by using scripting, CDO, ADSI, or WMI, but if I can't find work that someone else has done, I'm left out in the cold (and doing the work manually). MSH is going to be integrated completely with Windows Vista and will have legacy support for Windows 2003 and Windows XP Pro. Further, it will probably be tightly integrated with other Microsoft server applications so that management of those applications can also be handled through Monad. So, this is really something I can't afford "not" to learn. I'm already behind the curve with some of my fellow MCSEs, MCTs, and MVPs that have embraced this technology and are quickly learning it.

Where can I learn more?

Thursday, October 13, 2005

Dell 24" wide screen monitor for $779

I bought one of these a few months ago and love it. Side-by-side, this looks even better than the Samsung 24" (around $1,800) and the Sun 24" (around $3,000!). The monitor retails for $1,199 (already a bargain). I just found a Dell coupon code that will get you 35% off this monitor (bringing it to $779). This is an incredible deal. When checking out, use coupon code WFQ9X9GW1VT?2R. Hurry, it expires 10/18 or after 5,000 uses.

Saturday, October 08, 2005

Setting up a W2K3 cluster using Virtual Server 2005

I'm setting up demos for some presentations I'm doing for Exchange Connections in San Diego. One of these demonstrations will include building a 2-node active/passive cluster. I have done this before using VMware. There is a really good article called A VMWare Clustering Recipe by Chris Wolf that was helpful in getting this working. Unfortunately, I can't find my VMware license keys and they have been less than forthcoming in getting me another one.

So, I figured I would use Virtual PC, since I use that frequently in the Exchange Server 2003 Course 2400 class. However, clustering is not supported using Virtual PC since it does not support shared drives (and naturally, both nodes of the cluster need to access the shared disks).
Even though I'm not crazy about Microsoft Virtual Server 2005, I guess I'll give in and use it. I found a couple of great "how to" articles on doing this, but the best of the bunch is Setting Up A Windows Server 2003 Cluster in VS 2005 by Bob Roudebush. Thanks Bob! You have made one of my tasks this weekend somewhat easier.

If anyone from the Microsoft VS team is listening, I find the whole web interface to Virtual Server 2005 really clunky. I much prefer the VMware or Virtual PC interfaces.

Saturday, October 01, 2005

Serenity Rocks!

I saw Serenity last night. Joss Whedon has outdone himself. Great movie, lots of action, River kicks butt, and Kaylee gets two of the funniest lines of the movie. River gets the vote for best facial expression. I won't give any of the movie away, though. I plan to see it again while it is still on the big screen. See the movie and tell Fox to bring back the series!

Monday, September 26, 2005

Turning on the "larger than 16GB" feature of Exchange 2003 SP2

I learned an interesting tidbit of information from John Savill's Windows Tips & Tricks FAQ (www.windowsitpro.com). The feature of Exchange 2003 Service Pack 2 that allows a database to be larger than 16GB is NOT enabled by default. There is a registry value that you need to create to define the maximum database size. In my example, the server name is HNLEX01. Locate the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\HNLEX01\Private-GUID

The GUID is a unique identifier for that particular database and will be different for each installation. On Exchange 2003 Standard Edition there will be only one Private-GUID key, since Standard Edition allows only one mailbox store.

Create a REG_DWORD value called Database Size Limit in GB and set it to a value between 1 and 75 (GB). Remember that the default entry field for REG_DWORD values in Regedit is hexadecimal, so click the Decimal radio button before typing the number. If this value does not exist, the database size limit remains at the default of 16GB.

There is another registry value that defines a warning level: an event is logged once the database has less than a given percentage of its maximum size remaining. In the same registry key as above, create a REG_DWORD value called Database Size Buffer in Percentage and set it to a value between 1 and 100 (once again, remember the default for this interface is hexadecimal, so click the Decimal radio button). The default is 10, which means that when the database has only 10% of its available size left, you will start seeing warnings in the event log.

These warnings are generated at 5:00 AM by default, but you can define a registry value (in the same key as the two values above) that sets the hour at which the size check runs, as an offset from midnight. Create a REG_DWORD value called Database Size Check Start Time In Hours From Midnight and set it to a value from 1 to 23 (in decimal). John Savill's FAQ did not say whether the store needs to be dismounted and remounted for this to take effect, but I'm betting it does.
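Since the three values share one key and all three must be typed as decimal DWORDs, here is an added PowerShell example (not part of the original post) that creates them on every Private-GUID key registered for the server and reads them back. The server name and the numbers are assumptions; the range checks are the ones given above.

```powershell
# Added example, not from the original post. Creates the three SP2 size-limit
# values on every mailbox store registered for the server and reads them back.
# Server name and numbers are assumptions; the ranges enforced are the post's.
param(
    [string]$Server             = "HNLEX01",
    [int]$LimitGB               = 75,
    [int]$BufferPercent         = 10,
    [int]$CheckHourFromMidnight = 5
)
if ($LimitGB -lt 1 -or $LimitGB -gt 75)                             { throw "LimitGB must be 1..75" }
if ($BufferPercent -lt 1 -or $BufferPercent -gt 100)                { throw "BufferPercent must be 1..100" }
if ($CheckHourFromMidnight -lt 1 -or $CheckHourFromMidnight -gt 23) { throw "Check hour must be 1..23" }

$base = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$Server"
if (-not (Test-Path $base)) { throw "$base not found; is $Server the local Exchange server name?" }

# Each Private-<GUID> subkey is one mailbox store; Standard Edition has exactly one
$stores = Get-ChildItem $base | Where-Object { $_.PSChildName -like "Private-*" }
if (-not $stores) { throw "No Private-<GUID> keys under $base" }

$values = @{
    "Database Size Limit in GB"                             = $LimitGB
    "Database Size Buffer in Percentage"                    = $BufferPercent
    "Database Size Check Start Time in Hours From Midnight" = $CheckHourFromMidnight
}
foreach ($store in $stores) {
    $key = $store.PSPath
    foreach ($name in $values.Keys) {
        # -PropertyType DWord takes a decimal integer, so there is no hex/decimal
        # radio button to get wrong; -Force overwrites a value that already exists
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
    }
    # Read back what was written so a typo in a value name shows up immediately
    $props = Get-ItemProperty -Path $key
    foreach ($name in $values.Keys) {
        Write-Host ("{0}\{1} = {2}" -f $store.PSChildName, $name, $props.$name)
    }
}
Write-Host "Values written; dismount and remount the store(s) before relying on the new limit."
```

The read-back loop is worth keeping: a misspelled value name is silently ignored by the store, and the only symptom is a database that still stops at 16GB. On a multi-store Enterprise server the same key layout applies, one Private-GUID per mailbox store, so the loop covers them all.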

Remember that Exchange 2003 Service Pack 2 is still in beta and should NOT be installed in production. I am not sure whether, in the final release of Exchange 2003 SP2, the database size limit will automatically be extended to 75GB or whether you will still have to do this via the registry.

If your Exchange 2003 Standard Edition database has exceeded 16GB and Service Pack 2 is not yet available, you can temporarily extend the size of the database by 1GB. See Microsoft KB article 813051: How to temporarily increase the Exchange 2000 16-gigabyte database size limit.

Monday, September 19, 2005

Firefly - The Series

I'm hooked! A few days ago, a friend lent me the first DVD from Joss Whedon's Firefly - The Complete Series. Wow! What a great TV series! And what a shame that Fox cancelled it after only showing 11 episodes. Another example of the TV networks assuming that the viewing public has the attention span for nothing more than reality (hack, hack, cough, cough) TV series. I just ordered the entire set for myself after watching the pilot twice and the first two regular episodes. The cast forms a perfect ensemble, the characters are well developed and likeable, the technology is interesting, and the view of humankind 500 years in the future is fascinating. I never thought I would see people riding up to a spacecraft on horseback or a spacecraft flying over a train.

Wednesday, September 14, 2005

Error in Active Directory Users and Computers when updating e-mail addresses

In the environment in which I'm currently working, the OU admins in Active Directory have "Exchange View Only Admins" permissions to their respective Exchange admin groups. We have started seeing a problem when modifying e-mail addresses. When an OU-level admin modifies an e-mail address, such as an SMTP address, on the user's E-Mail Addresses property page (using Active Directory Users and Computers), they get the following error message:

Microsoft Active Directory - Exchange Extension
An Exchange Server could not be found in the domain.
Check if the Microsoft Exchange System Attendant service is running on the Exchange Server.
ID no: c10308a2
Microsoft Exchange Directory - Exchange Extension

OR

There is no such object on the server
Facility: Win32
ID no: c0072030
Microsoft Active Directory – Exchange Extension
OR (updated on 10 Sept 2006)
There are no bindings.
Facility: Win32
ID no: c00706b6
Microsoft Active Directory - Exchange Extension

I'm not sure why the difference in errors occurred, as I have had both reported to me for the same problem, but I suspect it is the difference between the E2K3 and E2K3 SP1 ADUC extension.

I did not realize this, but the ADUC Exchange extension contacts an Exchange server via RPC when you modify an e-mail address. It does this to verify the validity of the formatting of the particular type of address you are creating.

These problems started once the Exchange 2003 servers were updated to Windows 2003 SP1. Apparently, this has something to do with the services control manager and the DCOM/RPC security hardening that was done in Windows 2003 SP1. Here is a blog entry I read about this: Fun with changing E-Mail Addresses

I found very little data on the Internet about this, but I did find one thread that seemed to be relevant: Could NOT change mail address after windows server 2003 sp1

This article suggested running a program against the Windows 2003 server that would adjust the necessary permissions for the Distributed COM Users group. However, being a little uncomfortable with this solution, I wanted the "official" Microsoft, supported solution. Here is what PSS recommended.

Edit the Default Domain GPO; in the Services portion of the GPO, set the Microsoft Exchange System Attendant service to start automatically and then set Security on this service so that the groups that have been delegated the Exchange View Only Admins permission also have the "Read" and "Write" permissions on this service. (You will need to edit the GPO from an Exchange server in order for the Exchange services to show up properly in the Services section of the GPO.) I was not crazy about this solution and I'm still not sure why it is necessary to put this in the Default Domain GPO rather than in a GPO that applies only to the Exchange Servers OU. However, I tried this by editing ONLY the GPO that applied to the Exchange servers and it did not fix the problem.

In the middle of all this troubleshooting, Microsoft released KB 905809: You receive an "ID no: c10308a2" error message when you use the Active Directory Users and Computers snap-in to remotely add or edit an e-mail address for a mail-enabled user in Exchange Server 2003.

The method that seems to have ended up fixing this is Method 1 in this KB article. Make sure that you have v5.2.3790.1830 of the SC.EXE utility. At the command prompt on each Exchange server, run:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

Make sure that you type this command in exactly, as the Security Descriptor Definition Language (SDDL) string must match character for character. You can also insert the name of the server into the SC command line and perform this task remotely.
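As an added example that is not part of the KB article or this post, the Python below decodes that SDDL string into its ACEs so you can see exactly what the command grants before you run it, and compare it with what `sc sdshow SCMANAGER` reports afterwards. The trustee names and the mapping of the two-letter rights onto the SC_MANAGER_* access rights are my own annotations; the SDDL string itself is the one from the KB article quoted above.

```python
import re

# Lookup tables for the tokens that appear in the sc sdset string above.
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {
    "OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
    "NP": "no propagate", "ID": "inherited", "SA": "audit success", "FA": "audit failure",
}
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "BA": "Builtin Administrators", "WD": "Everyone"}

# SDDL's two-letter rights are generic; on the service control manager the
# low bits (0x1..0x20) line up with the SC_MANAGER_* access rights.
SCM_SPECIFIC = {
    "CC": "SC_MANAGER_CONNECT", "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE", "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS", "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
STANDARD = {"SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
ALL_RIGHTS = set(SCM_SPECIFIC.values()) | set(STANDARD.values())


def _pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def expand_rights(token):
    """Map an SDDL rights string to the set of SCM rights it grants."""
    if token.lower().startswith("0x"):          # raw access mask, left undecoded
        return {token}
    rights = set()
    for r in _pairs(token):
        if r in ("KA", "GA"):                    # KA (0xF003F) == SC_MANAGER_ALL_ACCESS
            rights |= ALL_RIGHTS
        elif r in SCM_SPECIFIC:
            rights.add(SCM_SPECIFIC[r])
        elif r in STANDARD:
            rights.add(STANDARD[r])
        else:
            rights.add(r)                         # unknown token kept as-is
    return rights


def parse_ace(text):
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({text})")
    ace_type, flags, rights, _obj, _inherit_obj, sid = fields
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
        "rights": expand_rights(rights),
        "trustee": TRUSTEES.get(sid, sid),
    }


def parse_sddl(sddl):
    """Split an SDDL string into owner/group/DACL/SACL and decode the ACEs."""
    parts = re.split(r"([OGDS]):", sddl)        # ['', 'D', '(..)(..)', 'S', '(..)']
    result = {"dacl": [], "sacl": []}
    for marker, body in zip(parts[1::2], parts[2::2]):
        aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
        if marker == "D":
            result["dacl"] = aces
        elif marker == "S":
            result["sacl"] = aces
        else:
            result["owner" if marker == "O" else "group"] = body
    return result


def who_can(sddl, right):
    """Trustees the DACL allows a given SCM right (the least-privilege check)."""
    return sorted(a["trustee"] for a in parse_sddl(sddl)["dacl"]
                  if a["type"] == "Allow" and right in a["rights"])


SCMANAGER_SDDL = ("D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
                  "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

if __name__ == "__main__":
    for ace in parse_sddl(SCMANAGER_SDDL)["dacl"]:
        print(ace["type"], ace["trustee"], sorted(ace["rights"]))
    print("can create services:", who_can(SCMANAGER_SDDL, "SC_MANAGER_CREATE_SERVICE"))
```

Read this way, the descriptor gives Authenticated Users only connect, enumerate, query-lock-status and read-control on the SCM (enough for the ADUC extension's RPC check), reserves service creation for Builtin Administrators, and audits failed access attempts by everyone.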

Tuesday, September 13, 2005

Konfabulator makes your desktop fabulous!

If you read my blog much, you will know that I'm a gadget freak. My office at home is full of gadgets. This extends to my desktop, too. I recently installed the new Google Desktop v2 beta and thought it was the cat's meow. However, I just found a tool that Yahoo now owns called Konfabulator. Very spiffy. And lots of Konfabulator widgets that you can download and add to it. I have weather report, clock, stock ticker, picture viewer, and NY Times headline viewer widgets on my desktop. They look much more slick than the Google Desktop. For those of you that use the Mac, yes, I know, this looks a LOT like the Tiger desktop. I'm assuming this is where the concept came from.

Thursday, September 08, 2005

Exchange clusters and the Microsoft Distributed Transaction Coordinator

This week there have been some discussions on one of the e-mail lists to which I subscribe about the proper placement of the MSDTC (Microsoft Distributed Transaction Coordinator) resource in an Exchange-only cluster. Over the past couple of years, I have seen recommendations that state that it should be in its own cluster resource group (with its own physical disk, IP address, and network name) versus putting the MSDTC resource in the Cluster group with the cluster quorum and the quorum drive. Even Microsoft's own guidance on this has been less than consistent.

First, a little background: while Exchange does not directly use the MSDTC in a cluster, it is required on a cluster during Exchange setup and service pack installation. Therefore, the MSDTC is really used less than 1% of the time in a cluster.

Thanks to this lively discussion, the Microsoft documentation (including the Exchange High Availability Guide and the Deployment Guide) as well as a few KB articles are going to be updated to reflect Microsoft's recommended Best Practices.

So, the best practice for the MSDTC is to put it in the default Cluster Group with the cluster name resource, cluster IP address, cluster quorum resource, and the cluster quorum drive. If you are concerned about a failure of the MSDTC causing a fail-over of the entire Cluster Group, on the Advanced property page of the MSDTC properties, clear the "Affect the Group" checkbox. I personally recommend this additional step.




Please note that this advice does not hold up in a cluster that supports SQL Server, as SQL Server makes more use of the MSDTC and thus it may be important that the MSDTC is in its own resource group and uses a dedicated disk drive.

Wednesday, September 07, 2005

Clusters, security templates, OUs, and GPOs

If you have been keeping up with some of my past posts, you have seen that I have been wrestling with clustering issues and also with security templates and GPOs. I came up with a list of things that has been helpful to us in deploying our clusters.
  • Do not apply "high security" templates to the base operating system.
  • Organize your clustered nodes into OUs (a single OU for the physical nodes of the cluster, if possible).
  • Put the clustered server OU as close to the root as possible.
  • Create a GPO specifically for the clustered nodes; use that GPO to restrict settings that need to be locked down. This simplifies troubleshooting if you only have ONE GPO that affects your clustered nodes.
  • Block inheritance of GPOs on the cluster OU.
  • Watch out for wayward GPOs on parent OUs and especially GPOs that have the Enforced (or No Override) setting on them.
  • Remember, GPOs apply to the physical nodes of the cluster, not the virtual servers.
A good reference for applying more restrictive settings to clustered nodes is: How to apply more restrictive security settings on a Windows Server 2003-based cluster server.

Tuesday, September 06, 2005

Exchange 12 will ship only on DVD

KC Lemson wrote on the Exchange Team blog that Exchange 12 would only ship on DVD. I think this is a good move. In most environments in which I have worked, we copy the entire Exchange CD-ROM on to a shared folder anyway.

Microsoft's reasoning behind the DVD-only media is that the "text to speech" engines each take up a couple hundred megabytes of disk space. Exchange 12 will use these text-to-speech engines to allow users to dial in via phone to their e-mail server and have their e-mail read to them. Exchange 12 will not be released for at least 12 to 18 months. For the full text, see Exchange 12 will ship on DVD.

Sunday, September 04, 2005

Problems with Windows Time service after upgrading to W2K3 SP1

As many people that have applied Windows 2003 SP1 have found, there have been a number of different things done to "harden" the operating system. These include changing some of the rights that the built-in services accounts (i.e. SERVICE, Local Service, Network Service) have to services.

Well, in some cases this has broken things. Most of the work I do is in much more security conscious environments than the average corporate environment. Generally, when we build servers, we secure the server "out of the box" with some type of improved security template. The most notorious of these (and a template to be avoided unless you are ready to do some troubleshooting) is the NSA Windows security templates. After working with a number of different template configurations, I recommend just sticking with the built-in Windows security templates such as hisecdc.inf or securews.inf.

At any rate, Windows 2003 SP1 "broke" the Windows Time service on our domain controllers. This is because the Network Service account no longer had permissions to change the time on a domain controller. (This can happen on member servers and workstations, too.) Some of the errors we saw in the event log included:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Windows Time service terminated with the following error:
Not all privileges referenced are assigned to the caller.


and

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 46
Description:
The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.


Microsoft has a couple of fixes for this as documented in KB 892501. The approach I have taken is to add to the GPO that affects the domain controllers a new user right. In whichever GPO will affect the machines on which you are having problems, grant the SERVICE account (this is the Local Service) the right to "Change The System Time". Then give the GPO time to replicate and be applied to your machines.

There is some good information at the bottom of KB 892501 on checking and doing this for other services.

If you are messing with custom security templates in your environment, I recommend reading: Security Configuration Guidance Support.

Wednesday, August 24, 2005

Microsoft Exchange Connections Conference - $100 off registration before Sept 12

Microsoft Exchange Connections Conference - October 31 - November 3, 2005, Manchester Grand Hyatt, San Diego. Microsoft and Exchange experts present over 40 in-depth sessions with real-world solutions you can take back and apply today. Register by September 12 to save $100 off your conference registration and attend sessions at Windows Connections free!

This promises to be a great conference. I'm presenting a couple of sessions, too.

Problems sending mail when your domain name or host name has an underscore (_) character

I have seen this problem a couple of times over the past couple of years and today I saw a newsgroup posting on it so I figured it was blog-worthy. :-)

Some SMTP services (not Exchange) check the validity of the FQDN that is sent to them by an SMTP client. If the FQDN that is being sent includes an underscore character (_), then they will reject the message. Exchange will keep trying (for 2 days by default) to send the message, then it will NDR it to the sender, but with no really good explanation. The only reason I figured this out the first time I saw it was because I put NetMon on the server and watched the SMTP conversation.

So, if your server name is something like EXCHANGE_1 and the (internal) domain name is something like SOMORITA.LOCAL, then Exchange/Windows SMTP will send an SMTP HELO or EHLO that looks like this: EHLO EXCHANGE_1.SOMORITA.LOCAL. Most SMTP systems are tolerant of this and accept the connection anyway. Some firewalls and Unix-based SMTP systems do reverse lookups to ensure the domain name is valid, or they rigidly enforce the DNS host name standard, and thus will reject the connection. I wish I had versions of these Unix systems or firewalls to test against, but I don't.

If you have a single Exchange server, you can easily fix this without renaming the Exchange server. (Renaming an Exchange server is ugly, ugly, ugly. Don't do it!) Go to the properties of the default SMTP Virtual Server, look at the Delivery tab, and click the Advanced button. You will see on this page the Fully Qualified Domain Name. Change that name to something that is properly resolvable from the outside, such as SMTP.SOMORITA.COM, where that is the name that can be resolved from the Internet. Just make sure that you remove that underscore character.
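As an added example that is not from the post, here is a Python check for the host name rules that strict receivers enforce (labels of letters, digits and hyphens only, no underscore, no leading or trailing hyphen, at most 63 characters per label and 253 overall). Run it against the FQDN configured on the SMTP virtual server before a remote system rejects your EHLO. The names EXCHANGE_1.SOMORITA.LOCAL and SMTP.SOMORITA.COM in the usage are the ones from the text.

```python
import re

# One DNS label under the RFC 952 / RFC 1123 host name rules: letters, digits
# and hyphens, no leading or trailing hyphen, 1 to 63 characters.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_problems(fqdn):
    """Return the reasons a name is not a valid EHLO/HELO host name.

    An empty list means strict receivers should accept it.
    """
    problems = []
    name = fqdn.strip().rstrip(".")          # a trailing dot is allowed in DNS
    if not name:
        return ["name is empty"]
    if len(name) > 253:
        problems.append("name is longer than 253 characters")
    for label in name.split("."):
        if not label:
            problems.append("empty label (consecutive dots)")
        elif "_" in label:
            problems.append(f"label '{label}' contains an underscore")
        elif not _LABEL_RE.match(label):
            problems.append(f"label '{label}' is not a valid host name label")
    return problems


def is_valid_ehlo_name(fqdn):
    return not hostname_problems(fqdn)


def check_ehlo_line(line):
    """Inspect a captured 'EHLO host' or 'HELO host' line from an SMTP trace
    (the kind of line NetMon would show) and report problems with the name."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2 or parts[0].upper() not in ("EHLO", "HELO"):
        return ["not an EHLO/HELO line"]
    return hostname_problems(parts[1])


if __name__ == "__main__":
    print(check_ehlo_line("EHLO EXCHANGE_1.SOMORITA.LOCAL"))
    print(is_valid_ehlo_name("SMTP.SOMORITA.COM"))
```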

Is WINS required for Exchange 2000 or Exchange 2003?

This seems to be a pretty common question on the newsgroups, in design meetings, and in classrooms. I was inspired this morning by Russ Kaufmann's WINS is a Friend of Mine blog entry. Read it! Yes, you should continue to include WINS servers in your designs for Windows 2000 and Windows 2003 networks. Exchange 2003 has some of its own particular needs for NetBIOS name resolution and WINS is the best solution for this. The Exchange 2000 and 2003 setup program, Exchange System Manager, Exchange 2000/2003 clustering, and ExMerge all make the occasional name lookup using NetBIOS name resolution.

Other reasons (besides the ones that Russ well illustrates in his blog) that I have found include migration. Any migration tool that is migrating from Windows NT 4.0 will need to be able to resolve the NetBIOS name of the hosts in the Windows NT 4.0 domain as well as the domain entries themselves. Trust me, you don't want to be distributing LMHOSTS files on an enterprise-sized network.

Some good references for this include:

Sunday, August 21, 2005

Thinking about upgrading from Exchange 5.5? Your thoughts wanted?

I'm working on a full-day, pre-conference presentation for the Exchange Connections 2005 conference in San Diego. From the amount of postings I see in the newsgroups, there are still a lot of questions related to Exchange 5.5. This tells me a lot of organizations have not yet made the leap to a newer version of Exchange.

So, my question to you is: why? I agree the platform is fairly stable and does what it is supposed to do. What are the other reasons that you (as the Exchange admin / guru/ dude / dudette) are encountering resistance in getting underway with an upgrade? I'd like to hear your thoughts. E-mail me at exchange24seven (at) gmail.com

For those of you that are San Diego bound and in the market for an Exchange upgrade, I hope you will consider attending my session: Exchange 5.5 to 2003 Migration on October 31 (Monday). Below is a session abstract. I'll try to get an outline of the session posted soon.

Even though Exchange 2003 has been released for more than a year, many organizations are still debating whether or not they should upgrade. A recent survey of Exchange administrators found that over 60% of Exchange installations are still using Exchange 5.5. Once the benefits and features of Exchange 2003 are reviewed, often a number of compelling reasons are found to upgrade.

Exchange 5.5 to Exchange 2003 migration is one of the hottest topics in seminars, books, and newsgroups. There are many paths to choose from and most administrators don't know which migration path best suits their Exchange organization.

This all-day pre-conference session will cover differing approaches to Exchange 5.5 to Exchange 2003 migration and the tools necessary to complete different types of migrations, including third-party tools, address list synchronization, and sharing a single SMTP address space. Regardless of where you are in the decision or implementation process, this session will help answer some of those nagging questions and give you tasks to complete for a successful migration.

The first part of the session will include information about performing migrations and choosing the best approach for your situation and your budget. The major third-party vendors will be reviewed along with their strengths and weaknesses. The second part of the session will include a demonstration of a swing migration from start to finish.

Jim will share his experiences helping to plan, design, and coordinate upgrades for over 100,000 Exchange 5.5 seats to Exchange 2000 or Exchange 2003 including tips, best practices, and resources for getting your migration right the first time and minimizing disruption to your users.

Friday, August 19, 2005

Exchange 2003 SP2 - Community Preview Available

Microsoft has released an Exchange Server 2003 Service Pack 2 Community Preview. I recommend you build a TEST server (if you don't have one already), download this beta of SP2 and give it a test run. If you load this in production, you are on your own! This release is unsupported by PSS!!!!

Read the release notes for this preview release before you start. More information and FAQs on Exchange 2003 SP2 can be found on the Exchange team's blog.

Exchange 2003 Service Pack 2 is introducing some new anti-spam features such as Sender Id (SPF) support and an updated Intelligent Message Filter. Most exciting for some people is the improved mobility features for mobile devices as well as raising the upper limit of the maximum mailbox store size to 75GB on Exchange 2003 Standard Edition. And, of course, lots of bug fixes.

Wednesday, August 17, 2005

Exchange clustering lesson learned

About two weeks ago, a newly installed Exchange 2003 cluster (2-node, Active-Passive) started doing some weird things. We really did not notice until we started trying to run backups and move mailboxes. We had failures while using the Exchange Move Mailbox Wizard in Active Directory Users and Computers or Exchange System Manager.

We found this event in the event log:
Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 1182
Description:
Thank you for participating in the Microsoft Exchange Server beta program. Your license to use this beta version of the Microsoft Exchange Server software has expired. Contact Microsoft Corporation.

We knew for a fact that the original CD was not a beta CD. We had installed at least 30 Exchange 2003 servers that were all running in production using the same source CD.

The reason we were experiencing problems was that 60 minutes (1 hour) after that message appeared, the information store service stopped. We were then seeing these messages.

Event Type: Error
Event Source: MSExchangeCluster
Event Category: Services
Event ID: 1005
Description:
Exchange Information Store Instance (SERVERNAME): The IsAlive check for this resource failed.

Event Type: Error
Event Source: MSExchangeCluster
Event Category: Services
Event ID: 1012
Description:
Exchange Information Store Instance (SERVERNAME): The RPC call to the service to take the resource offline failed.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Description:
The Microsoft Exchange Information Store service terminated unexpectedly. It has done this 14 time(s).

Event Type: Error
Event Source: ClusSvc
Event Category: Failover Mgr
Event ID: 1069
Description:
Cluster resource 'Exchange Information Store Instance (SERVERNAME)' in Resource Group 'RESGROUPNAME' failed.

The information store was stopping due to the fact that it thought it was a beta copy. The reason? There was some information missing from the HKLM\Cluster hive of the registry.

The valuable lesson? When an Exchange clustered node is evicted from the cluster and then re-joined to the cluster, make absolutely sure that you re-install Exchange 2003, and then put back on the service packs and hotfixes.

Shortly before we had noticed this problem, we had been troubleshooting problems with the cluster and our (overly tightened) security templates. Each of the nodes was evicted and re-joined to the cluster (one at a time). A re-install of Exchange 2003 was not performed. Some important subkeys and values were removed from the HKLM\Cluster hive when the node was evicted. Not enough to keep the Exchange server from running when it was put back in the cluster, but something was just wrong enough to generate that "Thank you for your participation in the Microsoft Exchange Server beta program." message.

Thanks much to Dave M. from Microsoft, who stuck with me and went through a number of steps of checking other things, all the while knowing that a re-install was probably imminent.

Sunday, August 14, 2005

Crack Outlook PST passwords

Every once in a while, someone asks me what to do when one of their users sets a password on their Microsoft Outlook PST file and then forgets the password. Believe me, this happens frequently enough. There are a number of utilities that I have seen that can remove the password from the PST file. They do not really crack or hack the PST password, but rather recreate the PST file without the password requirement. Not very good security, I know.

I have found a free utility that will remove the PST password. It is called PST19UPG. This utility was originally designed to upgrade the PST format to version 19. However, one of the utility's side effects is that it can strip out PST passwords.

Keywords: lost password pst crack password forgot pst password

Wednesday, August 10, 2005

Speaking of Junk E-mail - Microsoft wins a legal victory against spam

Microsoft has won a US$7,000,000 settlement from Scott Richter, dubbed the King of Spam by some. Though, I would like to dub him something else entirely. This is the result of a nearly two year legal battle against this punk who was at one time responsible for sending nearly 40,000,000 spam messages per year. Will this settlement stop spammers? No. But, I think it is a good start and it surely sets a good legal precedent.

Wednesday, August 03, 2005

Updated Outlook 2003 Junk E-mail filter

Microsoft has released their July 2005 update to the Outlook 2003 Junk E-Mail filter. The date on the OUTLFLTR.DAT file once this update is applied is 09-JUN-2005. See the Microsoft Knowledge Base article 895658: Description of the Outlook 2003 Junk E-mail Filter update: July, 2005, for more information.

Saturday, July 30, 2005

Reducing your attack surface for identity theft

While this does not have anything to do with Exchange, I have seen some good advice over the years and have learned some interesting tips. Even my own mother got phished about two and a half years ago. So, we have to be diligent.
  1. Don't sign the back of your credit cards. I put "REQUIRE PHOTO ID" on the back of mine.
  2. Don't get your checks pre-printed with your social security number.
  3. Never follow a link in an e-mail from your financial institutions, eBay, etc... Always type them in to the URL line of the browser yourself. I get at least two phishing schemes in my mailbox per day; many of them are VERY convincing. I even got one supposedly from MY OWN bank (First Hawaiian Bank). I clicked on the link out of morbid curiosity, and they had my full name and address pre-filled in.
  4. Use only your initials (instead of your first and middle names) on your checks. This makes it difficult to identify your gender and if someone steals your checkbook, they don't know if you sign your check with your full name or not. Your bank, however, does have this on file.
  5. When you pay credit card bills, write only the past few numbers of your credit card number in the "For" section of the check.
  6. Keep a record (such as photocopies) of all of your credit card and financial information; make sure this information includes the customer service numbers to call if you lose your card. This helped me immensely a few years back when I got robbed (yes, robbed at gun point.) Keep these records, of course, in a very safe place.
  7. Don't leave important outgoing mail in your mailbox with the little red flag up. Take it to a postal service drop box.
  8. When throwing things away, shred everything relating to your finances.
  9. If your bank calls you, ask them for a telephone number and a way to call them back. Then do it!
  10. Run a credit report on yourself a couple of times per year.

If you suspect any of your credit card or banking information has been compromised, call all relevant companies immediately. The longer you wait, the more likely it will be that you will be responsible for some of the charges.

Call the three national reporting agencies and tell them to place your name and social security number on a fraud alert. This will help halt issuance of new credit cards in your name. Do this right away.

  • Equifax: (888) 766-0008
  • Experian (formerly TRW): (888) 397-3742
  • Trans Union: (800) 680-7289
  • Social Security Administration (fraud line): (800) 269-0271
  • Federal Trade Commission (ID theft line): (800) 438-4338

Call the police and file a police report immediately. Keep copies of the report if you need to provide proof to the credit agencies.

Keep records of all conversations you had, with whom, and the date and time. Record the details of these conversations along with what you have been told will be done.

"The condition upon which God hath given liberty to man is eternal vigilance."
- John Philpot Curran (though often attributed to Thomas Jefferson or Patrick Henry)

Monday, July 25, 2005

Sender Id is coming! Get your TXT records in order!

You heard right, Sender Id is coming! What is Sender Id, you ask? Don't feel bad, most Exchange admins are asking the same question. Essentially (and very simplified) Sender Id is part of an initiative (I'm not sure that is the exact correct word), to reduce spam. Sender Id is part of the Sender Policy Framework (SPF).

So how does it work? First, you create a DNS TXT record for your domain (or domains) that identifies the mail servers from which e-mail will be sent for your domain. SMTP servers that support Sender Id will then check that TXT record when they receive a message from one of your users.

Here is the FUD (fear, uncertainty, and doubt) part. If the message is coming from a domain that does not have a Sender Id TXT record or the record does not match the sending IP address, the receiving system has a couple of options:
  1. Do nothing.
  2. Reject the message entirely. (!!!!)
  3. Accept the message and then delete it prior to delivering it to the user.
  4. Give the message to the anti-spam inspection system with the assumption that the anti-spam system (such as Microsoft's IMF starting in Exchange 2003 SP2) will give the message a higher spam probability if the sender's domain does not have valid Sender Id records.
Exchange 2003 SP2 will support these options. Rumors went around for a while that MSN and HotMail were going to reject all such messages entirely. (Not entirely true: MSN will use the lack of a Sender Id record as part of their spam detection process.) Currently, I have heard (again, this is sort of like hearing something about a friend of a friend) that AOL and other domains are going to reject messages whose sending domains do not have Sender Id records in place. So, there is some fear, uncertainty, and doubt (not to mention rumors) afloat.

Needing Sender Id TXT records for each of your e-mail domains is not FUD or a rumor. What to do? First, get to know Sender Id and SPF a little better. Microsoft has a Sender Id home page with lots of good information.

To make figuring out what your Sender Id TXT record needs to be easier, Microsoft has published their Sender ID Framework SPF Record Wizard; this wizard makes creating the TXT record for your domain MUCH easier. This wizard will also test your existing domain to see if there are any records. You can then send a mail message to check-auth@verifier.port25.com and you will get an automated response verifying the Sender Id record.
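As an added example (my own code, not Microsoft's wizard or anything from this post), here is a small Python SPF evaluator that does what a receiving server does with your TXT record: it parses the v=spf1 mechanisms (ip4, ip6, a, mx, include, all) with their qualifiers and returns pass, fail, softfail, neutral or none, the last being the "no record published" case the post warns about. DNS answers come from a constructed in-memory table (example.com, mailer.example.net and the 192.0.2.x/198.51.100.x/203.0.113.x addresses are documentation values, not real hosts), so it runs offline; a real deployment would replace SAMPLE_DNS with actual lookups. It covers the general record syntax rather than one specific record.

```python
import ipaddress

# Constructed zone data standing in for real DNS answers. The names and
# addresses are documentation examples, not the post's domains.
SAMPLE_DNS = {
    "txt": {
        "example.com": ["v=spf1 ip4:192.0.2.0/24 mx include:mailer.example.net -all"],
        "mailer.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
        "legacy.example.org": ["v=spf1 a -all"],
    },
    "mx": {"example.com": ["smtp.example.com"]},
    "a": {"smtp.example.com": ["203.0.113.25"], "legacy.example.org": ["203.0.113.99"]},
}

# Mechanism qualifier -> result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns):
    """Return the domain's SPF TXT record, or None if it has not published one."""
    for txt in dns["txt"].get(domain.lower(), []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def evaluate_spf(domain, sender_ip, dns=SAMPLE_DNS, depth=0):
    """Check the sending IP against the domain's SPF record as a receiver would.

    Handles ip4, ip6, a, mx, include and all with +/-/~/? qualifiers. Modifiers
    (redirect=, exp=) and a/mx CIDR suffixes are outside this example's scope.
    """
    if depth > 10:                      # include loop guard (RFC 7208 lookup limit)
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if "=" in mech:                 # modifier, ignored here
            continue
        mech = mech.lower()
        target = arg or domain          # 'a' and 'mx' default to the current domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # address family mismatch simply does not match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns["a"].get(target, [])
        elif mech == "mx":
            matched = any(str(ip) in dns["a"].get(mx, []) for mx in dns["mx"].get(target, []))
        elif mech == "include":
            matched = evaluate_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # record exists but nothing matched


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.7"), ("example.com", "198.51.100.11"),
                    ("nospf.example", "192.0.2.1")]:
        print(dom, ip, evaluate_spf(dom, ip))
```

The `-all` versus `~all` choice at the end of your own record is what decides whether a receiver that honours SPF rejects mail from an unlisted host or merely scores it higher; the four receiver options listed above are the receiving side's policy on top of this result.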

The sooner you can make this happen, the better off you will be.

Will Sender Id eliminate spam? No. Many spammers will simply generate, regenerate, and regenerate SPF records for whatever IP addresses they are currently using. An RBL (realtime block list) like The Spamhaus Project's SBL and XBL lists can help with these types of spammers that like to think they are legitimate marketing organizations. I use Spamhaus's SBL-XBL combined list and I know that it reduces the amount of spam I receive by about 60% (and the very occasional valid message, too.)

Will Sender Id create lots of confusion, newsgroup questions, calls to tech support, and angry users/admins? I'm betting it will. Just like the RBLs, this will cause some legitimate e-mail to be rejected. And, unfortunately, there are people out there managing DNS servers that can't even get A and MX records created properly, so the TXT records (which are somewhat more complicated) are just going to make matters worse.

Clustering MVP Russ Kaufmann forwarded to me this link from his blog about his first mail rejection due to Sender Id. Thanks Russ!

Friday, July 22, 2005

Paul Robichaux webcast on high availability

Paul Robichaux is speaking on a webcast that is being produced in conjunction with the release of his new eBook entitled The Definitive Guide to Exchange Disaster Recovery (Realtimepublishers.com) and registration for the event is free. It will take place on Wednesday, July 27th, 2005 at 2pm EST. Paul’s webcast discussion will touch upon the following series of topics:

  • Replication and Failover
  • Design Choices
  • Failover and Failback Design
  • DNS vs IP vs other; AD; client redirection; manual vs semiautomatic vs fully automatic; symmetry
  • Planned Versus Unplanned

Chapter 2 of the eBook is now available. It is titled The Definitive Guide to Exchange Disaster Recovery and Availability. This chapter will explore the fundamental principles behind disaster recovery and look at technical solutions that purport to improve disaster recovery. It will then examine some of the design choices and tradeoffs you face in trying to design an effective disaster recovery plan.

Monday, July 18, 2005

A recipe for setting up permissions to run ExMerge

I have seen a number of questions relating to getting ExMerge running in Exchange 2000/2003. The quickest and dirtiest way to do this is to clear the Send As and Receive As "explicit denies" on the Exchange organization object for Domain Admins and Enterprise Admins. However, this is sloppy and it means that anyone with Domain Admins or Enterprise Admins can open anyone's mailbox.

I work in a lot of sensitive environments (both corporate and government) and management is usually very uncomfortable with the thought that any senior admin can easily open anyone's mailbox. Well, unfortunately, that is just a fact of life with Exchange. Someone with Enterprise Admins or Domain Admins in the root domain can figure out how to do it anyway. However, you can take some steps to make this more difficult.

First, limit access to accounts that are delegated the Exchange Full Admins role to the organization or admin group objects.

Second, the membership of your Domain Admins / Enterprise Admins groups should be smaller than the number of fingers on your hand (service accounts are the exception, of course). Let me say that again clearly: almost no one should have Domain Admins or Enterprise Admins level permissions on a regular basis. And no one should be logging in regularly with these permissions, only as needed.

Anyway, back to why I started this blog entry. Ultimately, you are going to need the ExMerge tool. The latest version of it is found with the Exchange 2003 Tools.

You are also going to need to expose the Security property page for the Exchange organization object and the admin group objects in Exchange System Manager. It is hidden by default. The registry key is HKCU\Software\Microsoft\Exchange\ExAdmin. In this key, create a REG_DWORD value and set the data value to 1. Then launch Exchange System Manager. Microsoft KB article 259221, XADM: Security Tab Not Available on All Objects in System Manager, has more information on this. A little trivia on the Security property page: it was automatically visible in Exchange 2000's betas, but I think too many people got themselves in trouble by removing permissions they thought they did not need.

Now, on to the procedure. In this example, I'll assume that only one user for your entire organization will be used for this, but you can easily do this for individual administrative groups rather than at the organization. Create yourself a user that will ONLY be used for ExMerge operations. I call mine something like ExMergeOperator; this user does not need a mailbox and it should NOT be a member of Domain Admins or Enterprise Admins (they are denied by default, remember?). Protect the password of the ExMergeOperator user so that only an authorized person has it. In some places, they use "two person" integrity, where the security officer has one part of the password and the Exchange admin has the other part.

Next, create a global (or universal) security group called something like Exchange Demi-god Admins. Add the ExMergeOperator in to this group.

Next, using Exchange System Manager, right click on the Organization object and Delegate Control to the Exchange Demi-god Admins group. Delegate the Exchange Full Admins permissions to this group. Then, right click on the organization and display the Security property page, scroll down and locate the group you just created, highlight that group, then scroll down in the permissions until you see the explicit denies for Receive As and Send As.


Once you have cleared the Receive As and Send As checkboxes in the Deny column, this user will truly have "complete control" of your Exchange organization.

Some Exchange gurus are going to look at this and say that the Exchange Demi-god Admins group has too many permissions to the Exchange organization. And this is true. You can scale back the permissions by delegating only the Exchange View Only Admins role, then explicitly assigning only Receive As. The above procedure is just about the simplest, but still reasonably secure, solution I could quickly write about. More secure solutions are usually somewhat more complex. The important thing is that you protect the user that has these rights.

Finally, from where do you run ExMerge? IMHO, the most efficient place (if you have the local storage for the PST files) is the console of the Exchange server on which you are extracting mail. If this is the case, the Exchange Demi-god Admins group will also need to be delegated permissions to log on locally to the Exchange server console and (probably) access the server through Remote Desktop Connection (you can do this through a GPO).

Granting a user permissions to access mailboxes (even for the sake of performing archives, extracting viruses, or other official work) can be tricky. Make sure management knows that you have this capability and under what circumstances it may have to be used.
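To make the procedure above a little less error-prone, here is an added PowerShell script (not from the original post) that covers the two parts you can script: turning on the hidden Security tab and auditing where the ExMerge account sits. Assumptions: the registry value name ShowSecurityPage (the post gives the key but not the value name; this is the name KB 259221 documents), the account name ExMergeOperator from the post, a service-account naming convention of `svc-` or `svc_`, and a ceiling of five non-service members per privileged group as one concrete reading of "fewer than the fingers on your hand". The delegation and the Send As / Receive As deny clearing are still done in Exchange System Manager as described.

```powershell
# Added example, not part of the original post. See the lead-in for assumptions.
$ExAdminKey            = 'HKCU:\Software\Microsoft\Exchange\ExAdmin'
$ExMergeUser           = 'ExMergeOperator'              # name used in the post
$PrivGroups            = 'Domain Admins', 'Enterprise Admins'
$MaxHumanMembers       = 5                              # assumed threshold
$ServiceAccountPattern = '^svc[-_]'                     # assumed naming convention

# 1. Expose the Security tab in Exchange System Manager (per-user setting).
#    Value name ShowSecurityPage is the one documented in KB 259221.
function Enable-ExchangeSecurityTab {
    if (-not (Test-Path $ExAdminKey)) { New-Item -Path $ExAdminKey -Force | Out-Null }
    New-ItemProperty -Path $ExAdminKey -Name 'ShowSecurityPage' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Direct members of a domain group via the WinNT ADSI provider,
#    which works on an old management workstation without extra modules.
function Get-DomainGroupMember([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:USERDOMAIN/$GroupName,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

# 3. Audit: the ExMerge account must not be in Domain/Enterprise Admins
#    (the explicit denies on those groups would defeat it anyway), and the
#    privileged groups themselves must stay small.
function Test-ExMergeAccountPlacement {
    $problems = @()
    foreach ($g in $PrivGroups) {
        $members = Get-DomainGroupMember $g
        if ($members -contains $ExMergeUser) {
            $problems += "$ExMergeUser is a member of $g; remove it"
        }
        $humans = @($members | Where-Object { $_ -notmatch $ServiceAccountPattern })
        if ($humans.Count -gt $MaxHumanMembers) {
            $problems += "$g has $($humans.Count) non-service members (limit $MaxHumanMembers): $($humans -join ', ')"
        }
    }
    $problems
}

Enable-ExchangeSecurityTab
$findings = Test-ExMergeAccountPlacement
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'ExMerge account placement and admin group sizes look fine.' }
```

Run it as the admin who will use Exchange System Manager (the registry value lives under HKCU), then finish the delegation and the deny-clearing in ESM as the post describes.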


Saturday, July 16, 2005

Get the official scoop on Exchange 2003, Windows 2003, and the BOOT.INI file

It's here! The Exchange team has written the final word on whether or not you should use the /NOPAE and /EXECUTE switches in the BOOT.INI file of an Exchange 2003/Windows 2003 SP1 server with more than 1GB of RAM (and 4GB of RAM or less; anything more than 4GB of RAM in an Exchange 2000/2003 server is usually a waste of money).

Basically, for mailbox and public folder servers with more than 1GB of RAM, add the /3GB /USERVA=3030 switches to the BOOT.INI file. This is different from some newsgroup postings and blog entries in the past (including my own blog back on May 9). Read more detailed guidance on this on the Exchange team's You Had Me At EHLO blog.

Front-end servers that handle just SMTP, POP3, OWA, NNTP, or IMAP4 should not use these switches. A front-end server that also handles envelope journaling or the MTA (anything that requires a mailbox store to be mounted and used heavily) should use the /3GB /USERVA=3030 switches.
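As an added example (mine, not the Exchange team's guidance or any script of theirs), here is a PowerShell function that applies the rule just described to the [operating systems] entry of a boot.ini: mailbox and public folder servers with more than 1 GB of RAM get /3GB /USERVA=3030, pure front-end servers get neither. The boot.ini text below is constructed, and the role names Mailbox and FrontEnd are my own.

```powershell
# Added example, not from the original post or the Exchange team.
$RequiredSwitches = '/3GB', '/USERVA=3030'

# Returns the OS entry line with both switches present exactly once (idempotent),
# so running it twice does not duplicate switches.
function Add-ExchangeMemorySwitch([string]$EntryLine) {
    $line = $EntryLine
    foreach ($sw in $RequiredSwitches) {
        if ($line -notmatch ('(^|\s)' + [regex]::Escape($sw) + '(\s|$)')) { $line += " $sw" }
    }
    $line
}

# Applies the post's rule to whole boot.ini text.
# Role 'Mailbox' also covers a front end that hosts the MTA or envelope journaling;
# Role 'FrontEnd' (SMTP/POP3/OWA/NNTP/IMAP4 only) is left untouched.
function Update-BootIniForExchange([string]$BootIni, [string]$Role, [int]$RamMB) {
    $lines = $BootIni -split "`r?`n"
    $inOsSection = $false
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\[(.+)\]$') {
            $inOsSection = ($matches[1] -eq 'operating systems'); continue
        }
        if ($inOsSection -and $lines[$i] -match '=".*"') {
            if ($Role -eq 'Mailbox' -and $RamMB -gt 1024) {
                $lines[$i] = Add-ExchangeMemorySwitch $lines[$i]
            }
        }
    }
    $lines -join "`r`n"
}

# Constructed sample boot.ini (the ARC path is typical, not from any real server).
$sample = @"
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect
"@

Update-BootIniForExchange -BootIni $sample -Role 'Mailbox'  -RamMB 4096   # entry gains /3GB /USERVA=3030
Update-BootIniForExchange -BootIni $sample -Role 'FrontEnd' -RamMB 4096   # entry is unchanged

# For the live file, read and write C:\boot.ini (clear its read-only/system/hidden
# attributes first), or on Windows Server 2003 use the built-in tool instead:
#   bootcfg /raw "/3GB /USERVA=3030" /a /id 1
```

Keep a copy of the original boot.ini before writing; a typo in this file makes the server unbootable, which is exactly the kind of outage the rest of this blog is about avoiding.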

Thursday, July 14, 2005

Have you seen Google Earth?

Every time I think Google has outdone themselves, along comes another neat new technology. I'm still impressed with Google Maps (and the Satellite view!) and Picasa. With Google's purchase of Keyhole's image library and technology, they have been able to add neat imaging services to their offerings. Now comes Google Earth! I'm stuck. I'm addicted. I have got to stop playing with this and get some work done! And the best part is the basic services are all free. Awesome quality images from satellite.

Sunday, July 10, 2005

Exchange 2003 setup failures

This past week, I tackled a problem that really kicked my behind for a few days. I was installing a new Exchange 2003 server in to an existing Exchange 5.5 organization. Windows 2003 Service Pack 1. The forest had been prepped and so had all of the domains. Lots of time for replication to occur. The user I was logging in with had all the necessary administrative permissions. All the prereqs had been met.

However, about 2-3 minutes after the install started, I got the following message:

Setup failed while installing sub-component Microsoft Exchange Organization-Level Container Object with error code 0xC1037AE6 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed step again.


Clicking retry was, of course, a worthless endeavour. When I clicked Cancel, the setup continued. However, the Exchange server had lots of problems. MTA would not start. The store was generating EXOLEDB errors.

The Exchange Setup Log had a couple of interesting, but worthless entries when this happened.

[12:43:56] Configuring Administrative Rights
[12:43:56] Entering ScInstallLDIFScript
[12:43:56] ScRunLDIFScript (f:\titanium\admin\src\libs\exsetup\exmisc.cxx:1309) Error code 0xC1037AE6 (31462): Extending the schema in the Active Directory failed. Please consult the error log LDIF.ERR in your TEMP directory.

These errors suggested that the problem might be related to forestprep, but forestprep was already run. The LDIF.ERR file was also not in the directory that the TEMP variable pointed to.

After completely removing and re-installing the organization and the server a couple of times and redoing /forestprep and /domainprep, I stumbled across a KB article (870829) that recommended checking to see if my TEMP environment variable had a space in it. Sure enough, my TEMP variable had spaces in the folder names. I changed the user's TEMP and TMP variables to C:\WINDOWS\TEMP and the install ran like a charm.

From what I can figure, the very first time I was running this, the setup program was creating the CN=Addressing containers under the Exchange organization in the directory's Configuration partition. The Exchange Setup program uses the template.ldf file to create everything necessary in this container. This looks like where it was bombing when the setup was trying to run LDIFDE.

I know I have run Exchange 2003 setups via RDP under very similar circumstances, but I have never experienced this before. This set me back nearly 2 days. Eeeks!

For more information, see:
Setup with the /forestprep switch does not succeed, and you receive a 0xC1037AE6 error message

Thursday, July 07, 2005

Pictures, pictures, pictures

My roommate and I recently took a trip to Thailand and Cambodia. A couple of folks asked me about pictures, so I finally got around to going through the 1,500+ pictures, picking some good ones, and posting them. Anyone interested can see them at http://www.somorita.com/travel. And, if you are wondering, Cambodia was definitely the high point of the trip!

Tuesday, June 28, 2005

Exchange users needing to choose a "reply to" address

I see this posted in the newsgroups and I'm asked in almost every Exchange class I teach if it is possible for a user to pick which SMTP address they want to use when they send a message (when using Outlook). For example, Joe Snuffy wants to send a message from his own mailbox, but have people reply to the Sales alias. You can change the "reply to" address, but the display name will still be Joe Snuffy's.

One choice is to create multiple mailboxes and have the user open each mailbox, then change the "From" field. If you don't want to create multiple mailboxes, I have found a nifty product that runs as an Exchange transport sink. It looks at the address that the user puts in the "reply to" option in the message options, then uses that instead of the user's default reply-to address. I have not tested this yet, but it seems very cool.

http://www.ivasoft.biz/choosefrom.shtml

You can combine this with a couple of COM add-ins for Outlook: SmartReply, which lets you reply from the same e-mail address the original message was sent to, and SmartFrom, which lets you use Outlook's "From:" field instead of the "Have replies sent to:" field to type the desired sender address or select it from the address book.

Keywords: Resource mailboxes multiple mailboxes reply to address

Monday, June 27, 2005

Slipstreaming Exchange?

Today, in the Exchange and Outlook Update newsletter, Paul Robichaux answered a reader's question about whether or not Exchange 2003 could be integrated with Exchange 2003 Service Pack 1 in such a way that you only have to install the "integrated" package. This is actually a fairly frequent question on the newsgroups and that I am asked personally. I felt it was blog-worthy. :-)

In Windows 2000, Microsoft introduced the 'slipstream' or integrate feature into service packs, which allows you to integrate the service pack with the baseline operating system. This can speed up installation times.

Unfortunately, Exchange 2003 does not support this feature. You have to install Exchange, then install the service pack. Perhaps in a future service pack. Let Microsoft know what you want at exwish@microsoft.com (Exchange specific suggestions) or mswish@microsoft.com.

Friday, June 24, 2005

Dell 24-inch Wide Aspect Flat Panel - $899!!!!

This is an excellent monitor. One of my clients ordered a couple of these when they became available. $899.00 is an awesome price for smaller flat-panels, much less a 24-inch wide screen. Side-by-side, this looks even better than the Samsung 24" (around $1,800) and the Sun 24" (around $3000!). The monitor retails for $1,199 (already a bargain), but this coupon code (4K32?8XWMKS6CH) gets you another 25% off, making it $899. Expires on 6/28 at 5:59AM CDT or after 500 uses.

Microsoft releases updated ExBPA (v2.1)

Microsoft has released today an updated version of the Exchange Best Practices Analyzer (ExBPA). Today's release is v2.1. Enhancements include HBA Collection, a new Health/Performance Check scan, improved cluster reports, better screen layout, checksum operations, and over 100 new rules.

For more information, see the You Had Me At EHLO blog.

In the "Now I have seen it all category"

Just when you think you have seen it all. A company called OOOMS has released their "City Hideout" or Portable Urban Hideout. When the stress of city living gets to be too much, just put this hideout together, jump inside, and close the lid. The box looks just like a street-light control box or other boxes found commonly along streets and sidewalks. It comes complete with vents so you can see out and watch the world go by while you hide and wait for your therapist.

This takes bizarre to a whole new level. :-)

Wednesday, June 22, 2005

Exchange Disaster Recovery and Availability by Paul Robichaux

Realtimepublishers.com has just released the first chapter to the free ebook The Definitive Guide to Exchange Disaster Recovery and Availability by Paul Robichaux. For those of you that don't know him, Paul Robichaux is one of the best technical writers in the technology industry. Expect future installments of this XOSoft sponsored ebook over the next several months.

E-mail is now considered as critical a technology to businesses as the telephone. Businesses and organizations are now demanding higher and higher availability from their Exchange servers. I have seen many organizations throw a lot of money at improving availability; sometimes that money goes down the drain. Many of these organizations did not really have a clear goal in mind as to what they wanted to achieve. This book sheds some light on the concepts of Exchange disaster recovery and improving your availability.

I have read the first two chapters (only the first one is available right now) and they are suitable not only for techies, but management as well. So, download this puppy and get reading!

Tuesday, June 21, 2005

Clusters and SAN disk labels

Today I was working on an Exchange 2003 cluster build and learned a neat new trick. Actually, we were not working on anything related to Exchange, but rather prepping Windows and the SAN drive letters. My buddy Aran Hoffmann creates a text file in the root of each SAN disk and/or mount point that has in its name the drive letter of the disk.

For example, when he creates the G:\ drive, he creates a text file in the root of that disk called G_Drive.txt. If he creates a mount point on the G:\ drive for the LOGS, in the G:\LOGS folder, he creates a file called G_LOGS.txt. This makes it very easy to verify the disks are all assigned the correct drive letters on the other nodes of the cluster! I was surprised how easy this made it once we went to the other nodes of the cluster to start configuring/checking their SAN disks.
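Here is an added PowerShell script (mine, not Aran's or the post's) that automates the marker-file trick: one function writes the marker into each volume root or mount point on the first node, and a second function, run on every other node after the same letters and mount points are assigned, checks that the marker found at each path actually names that path. The drive list is constructed for illustration.

```powershell
# Added example, not from the original post. Paths and names are assumed.

# 'G:\' -> 'G_Drive.txt'; 'G:\LOGS' -> 'G_LOGS.txt' (nested folders joined with '_').
function Get-MarkerName([string]$Path) {
    $letter = $Path.Substring(0, 1).ToUpper()
    $sub = $Path.TrimEnd('\').Substring(2).Trim('\')
    if ($sub) { "${letter}_$($sub -replace '\\', '_').txt" } else { "${letter}_Drive.txt" }
}

# Run on the node where the letters and mount points were first assigned.
function New-DriveMarker([string]$Path) {
    $name = Get-MarkerName $Path
    $stamp = Get-Date -Format s
    Set-Content -Path (Join-Path $Path $name) `
        -Value "Marker for $Path written $stamp on $env:COMPUTERNAME"
    $name
}

# Run on each other node: one row per path with the marker expected, the
# marker(s) actually present, and whether they agree. Any row with OK = False
# means that node has the SAN disk under the wrong letter or mount point.
function Test-DriveMarker([string[]]$Paths) {
    foreach ($p in $Paths) {
        $expected = Get-MarkerName $p
        $found = @(Get-ChildItem -Path $p -Filter '*.txt' -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -match '^[A-Z]_' } |
                   ForEach-Object { $_.Name })
        [pscustomobject]@{
            Path     = $p
            Expected = $expected
            Found    = ($found -join ', ')
            OK       = ($found.Count -eq 1 -and $found[0] -ieq $expected)
        }
    }
}

# Constructed example layout: two data disks plus a LOGS mount point under G:.
$layout = 'G:\', 'G:\LOGS', 'H:\'

# First node, after assigning letters and mount points:
#   $layout | ForEach-Object { New-DriveMarker $_ }
# Every other node, after the same assignments:
#   Test-DriveMarker $layout | Format-Table -AutoSize
```

The check deliberately flags a root that holds more than one marker, since that is the usual symptom of a disk that was presented under one letter on node A and another on node B.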

Internet offline!

For the past 5 days, my Internet connectivity at home (Time-Warner's Road Runner) has been down. After they admitted they have had problems in my area, they keep insisting that my problem is within my premises. This is in spite of the fact that I went down to their office and got a new cable modem. They can't schedule someone to be at my house until July 2nd. And they can only give me a timeframe of between 8AM and 4PM, nothing more specific. Congratulations Time-Warner, you have convinced me that I don't want you providing my local phone service. But, I'm not bitter...... ;-)

I had no idea how dependent I was on Internet connectivity from home.

Sunday, June 12, 2005

Got GMail?

Do you want a GMail mailbox? All the cool geeks are getting them; just so you don't have to feel the geek peer pressure, I have about 75 unused invites to send. If you want one, send me a message and indicate the e-mail address to which you would like the invite sent. First come, first served. E-mail me at EXCHANGE24SEVEN (at) GMAIL.COM

Jim

Friday, June 10, 2005

Installing Exchange 2003 on Windows 2003 SP1

You may have noticed an error that pops up when you run the Exchange 2003 setup program on a Windows 2003 Service Pack 1 server. The message says: Exchange Server 2003 has a known compatibility issue with this version of Windows. For more information, refer to http://go.microsoft.com/fwlink/?LinkId=37488. To run the program, click Continue.

You should be able to run setup without incident, just make sure that you apply Exchange 2003 Service Pack 1 as soon as you are finished. The document System Requirements for Exchange Server 2003 covers the necessary requirements for Exchange 2003 on Windows 2003 SP1 (which I have linked to previously).

Someone reported to me that they had a problem running forestprep and domainprep from a member server. If this is the case, run the /forestprep and /domainprep options from a domain controller instead. This seems to address the problem.

I'm back!

I'm back from southeast Asia. No lingering tropical diseases or arrests. I need a vacation now just to recover from my vacation. :-) I'll try to get some pictures posted somewhere, in case anyone is interested. Now I have 100,000 e-mails to go through.

Saturday, May 21, 2005

Where's Jim?

Hi everyone! I have really tried to regularly contribute useful content to this blog over the past 6 months. However, I'm going to be offline for a few weeks; very offline, in fact. I'll be in Angkor Wat and Siem Reap in Cambodia and Bangkok, Phuket, and Chiang Mai in Thailand. If you want to do something nice for me (*grin*), scroll down and visit one of the Ads by Google links; though, do pick something you are interested in. :-) I'll be back by around June 10th. Thanks to all my regular visitors.

Friday, May 20, 2005

JoeWare presents AdMod

If you have tried modifying or manipulating objects in your Windows 2003 Active Directory using some of the new command-line tools such as dsget.exe, dsmod.exe, dsquery.exe, or dsrm.exe, then you have discovered the same limitations that many others have. I see a lot of postings to this effect in the newsgroups. These tools only support a limited set of attributes. My favorite tool for dealing with this is ADMODIFY.NET.

However, I was just referred by a fellow Exchange MVP to a new (and FREE!) command-line tool called AdMod. Most cool. This tool can update existing attributes, add values to attributes, clear an attribute, add values to multi-value attributes, delete objects, rename an object, move an object and undelete an object (if you are running Windows 2003). The undelete account feature can be very handy. I have used Quest's Recovery Manager and it is pretty cool for doing this.

Check out Joe's AdFind tool, too. Very popular tool amongst MVPs and techies for searching the Active Directory. Much more powerful than dsquery.exe.

Thanks Joe! As we say in Hawaii, you no ka oi!

Thursday, May 19, 2005

Getting better backup throughput from NTbackup

Backing up Exchange to disk has become an increasingly popular way to back up Exchange databases. Microsoft is doing "backup to disk" and is keeping two days' worth of backups online and available; this can dramatically reduce the amount of time it takes to restore from backup. And, logically, the backup you probably want to restore from is the most recent.

There is a tweak to NTBackup's registry settings that allows you to increase the buffer sizes that NTBackup uses. Essentially, you double the Logical Disk Buffer Size and the Max Buffer Size, and increase the Max Num Tape Buffers to 16. Depending on your hardware and server configuration, you may be able to get upwards of 1.2GB per minute (or 72GB per hour) backup throughput.

Devin Ganger of 3Sharp just blogged this recently and I think it is valuable enough to repeat here in my blog. Refer to this blog entry for the actual registry values and parameters for more information or Microsoft IT Showcase article Backup Process Used with Clustered Exchange Server 2003 Servers at Microsoft. Another good article is Messaging Backup and Restore at Microsoft; this article should be required reading for ALL Exchange admins.

Wednesday, May 18, 2005

Saving images in Internet Explorer

Ever had a problem where you right click on an image in Internet Explorer, but the Save As dialog box only allows you to save the image as a bitmap (BMP) file? I have seen this for a couple of years, but never figured out why. And, the problem was inconsistent. Thanks to Eugene Siu, I now know why. The Internet cache is full. Purge it or increase it, close the browser, reopen it, and try again! Thanks Eugene, you are my new favorite blogger!!!!!

Tuesday, May 17, 2005

Tips and Tricks Guide to Network Configuration Management

realtimepublishers.com and AlterPoint introduce a new chapter to the free ebook Tips and Tricks Guide to Network Configuration Management - 2005 Edition by Don Jones. Networking and security guru Don Jones has just written this new chapter, which covers questions dealing with configuration management best practices, troubleshooting, security, and compliance management. In my experience, once a network is in place and running, one of the biggest problems that administrators experience is improper change and configuration control. This is something we should all get better at and this ebook is a good start.

Monday, May 16, 2005

Microsoft listens; let them hear you

A lot of people still don't know these exist, so I thought I would blog them. Although, I think the audience for my blog is probably already aware of these. Microsoft has a couple of e-mail aliases for product suggestions. They DO monitor these and the suggestions get routed to the product group managers. For all Microsoft products, use mswish@microsoft.com. For Exchange Server, exwish@microsoft.com. If you have ideas for Microsoft products or feature suggestions, please let Microsoft know about them.

Sunday, May 15, 2005

Making Exchange 2003 Move Mailbox reports readable

Move mailbox reports in Exchange 2003 are stored in XML format in the \My Documents\Exchange Task Wizard Logs folder of the user that moved the mailboxes. However, they are not very readable without a style sheet being applied to the XML file.

Unfortunately, Exchange 2003 does not include a style sheet that will make this puppy any prettier. However, I have found a style sheet that some clever person (I don't know who; I'm not that clever) wrote for the Exchange Task Wizard.

You first need to download the MoveMailboxReport.xslt (this is a ZIP file) style sheet and put it in a folder such as your local Windows folder (since that is what my example shows.)

After moving the mailboxes, open the XML file that is created and insert a new line between the first and second line that includes the location of the XSLT file:

<?xml-stylesheet type="text/xsl" href="c://windows/MoveMailboxReport.xslt"?>

Complete instructions and an example are in the movemailboxreport.zip file. The blog editor converts any HTML codes in the text, so it is not easy to see in the blog.
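Doing that edit by hand for every report gets old, so here is an added PowerShell function (mine, not part of the post or of the movemailboxreport.zip instructions) that loads a report as XML, inserts the xml-stylesheet processing instruction right after the XML declaration, and writes it back. It uses the href from the post; the miniature report used for the dry run is constructed and the element names in it are invented, since the real report schema is not shown here.

```powershell
# Added example, not from the original post. See the lead-in for assumptions.

# Returns the document text with the stylesheet PI in place. Idempotent: a
# report that already carries an xml-stylesheet PI is returned unchanged.
function Add-StylesheetPI([string]$XmlText,
                          [string]$Href = 'c://windows/MoveMailboxReport.xslt') {
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    foreach ($node in $doc.ChildNodes) {
        if ($node.NodeType -eq 'ProcessingInstruction' -and $node.Target -eq 'xml-stylesheet') {
            return $doc.OuterXml
        }
    }
    $pi = $doc.CreateProcessingInstruction('xml-stylesheet', "type=`"text/xsl`" href=`"$Href`"")
    if ($doc.FirstChild.NodeType -eq 'XmlDeclaration') {
        $doc.InsertAfter($pi, $doc.FirstChild) | Out-Null   # the post's "between line 1 and 2"
    } else {
        $doc.PrependChild($pi) | Out-Null                    # report without an XML declaration
    }
    $doc.OuterXml
}

# Rewrites a report file in place.
function Convert-MoveMailboxReport([string]$Path) {
    $text = Get-Content -Path $Path -Raw
    Set-Content -Path $Path -Value (Add-StylesheetPI $text) -Encoding UTF8
}

# Dry run on a constructed miniature report (element names are made up):
$sample = '<?xml version="1.0"?><moveReport><mailbox>jsnuffy</mailbox></moveReport>'
Add-StylesheetPI $sample
# Real use, with the report name filled in:
#   Convert-MoveMailboxReport "$env:USERPROFILE\My Documents\Exchange Task Wizard Logs\<report>.xml"
```

Because the function goes through an XML parser rather than splicing text, it will refuse to touch a truncated or malformed report instead of producing one that Internet Explorer can no longer open at all.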