Saturday, April 30, 2005

Bizarro Award: Stupid laws department

At times, Florida legislators outdo themselves when it comes to silly legislation. They have passed a law that requires every public classroom to display an American flag. The flag must be 3 feet by 2 feet. Many classrooms already had flags, but they did not meet the size requirements. In central Florida alone, 15,000 flags will need to be replaced (a cost of approximately $60,000). Well, the schools would have just wasted that money on books, raises for teachers, school repairs, or other such wasteful uses of education funds.

http://www.tampabaylive.com/stories/2004/12/041206flags.shtml
http://www.alligator.org/pt2/050218flags.php

Wednesday, April 27, 2005

Creating a "catch all" mailbox in Exchange

I have been meaning to 'blog this for a long time, but keep putting it off. I see this question a lot in the newsgroups and I even covered it in my Exchange 2003 24seven book (go out and buy the darned thing for heaven's sake!)

Situation: You want to direct all incoming mail for a specific domain name (or all unresolved mail) to a specific mailbox. You can do this now by specifying a mailbox to which you can forward all NDR'ed mail. However, the NDR is still issued to the sender. What you need is typically called a catch all (or catchall or catch-all) mailbox.

Microsoft published a KB article called How To Create a Catchall Mailbox Sink For Exchange 2000 that is helpful, but it catches everything. Someone (I don't know which clever person to give credit to on this) took Microsoft's script from KB 324021, modified it, and put it here at Event Sink-based Catch All Mailbox including Active Directory User Lookups.

However, there is a company called TurboGeeks that created a product called MailBasketMD that does exactly what I have wanted it to do in small businesses that want to catch everything sent to a specific domain even if there is not an explicit mailbox. It is very configurable and VERY affordable. It costs $95.00 per server, and that is dirt cheap when you compare it to the neat things it does, the trouble involved in installing your own event sinks, and the quality of the application. They even have a 30 day trial you can download.


Monday, April 25, 2005

Much ado about disclaimers

One of the most common questions that pops up in the newsgroups is how to put a disclaimer on the bottom of all outgoing e-mail messages. Something like this:

This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review, dissemination or use of this transmission or its contents by persons or unauthorized employees of the intended organisations is strictly prohibited. The contents of this email do not necessarily represent the views or policies of Somorita Surfboards Corporation, its employees, law firm, accountants, stockholders, etc....

I avoid these puppies like the plague. First and foremost, there is no precedent in law that these are legally binding. Second, if a bad person that should not have read this message sees the disclaimer, are they going to repent and say "Gee, I was going to pass this sensitive message on to all the other evil-doers I know, but well, since it has a disclaimer on it..."

Finally (and from a technical perspective the most important), most of these disclaimer solutions will break your S/MIME digital signatures. The S/MIME digital signature is generated by the client (such as Outlook or Outlook Express) when the user clicks Send. If anything alters the message body or attachments after that point, the message digest (hashed value of the message) will change.

Need more fuel for the disclaimer fire? Here is an interesting and humorous take on Stupid Email Disclaimers.

Avoid disclaimers, PST files as primary e-mail storage, and brick-level backups! If you have to have disclaimers, require that the clients/users put them on the message using Outlook's auto-signature function.
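To show why a transport-level disclaimer breaks the signature while an Outlook auto-signature does not, here is an added Python model (not code from the original post): the signer covers the first MIME part of a multipart/signed message, a server-side sink appends the disclaimer to that part, and verification fails. The HMAC is a constructed stand-in for the CMS signature, and the addresses and body are constructed.

```python
import hashlib
import hmac
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for the sender's private key. A real S/MIME signature is a
# CMS SignedData blob over the same canonical bytes; the digest comparison is the same.
SIGNING_KEY = b"constructed-demo-key"
DISCLAIMER = "\n--\nThis e-mail is intended for the addressee shown.\n"


def canonical(part):
    """Bytes the signature covers: the signed MIME part's type and decoded body."""
    return part.get_content_type().encode() + b"\n" + part.get_payload(decode=True)


def sign(body):
    """Client side (what Outlook does on Send): wrap the body in multipart/signed
    and attach a signature computed over the canonical first part."""
    text = MIMEText(body)
    tag = hmac.new(SIGNING_KEY, canonical(text), hashlib.sha256).hexdigest()
    sig = MIMEApplication(tag.encode(), "pkcs7-signature", name="smime.p7s")
    msg = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                        micalg="sha-256")
    msg["From"] = "jim@example.com"      # constructed addresses
    msg["To"] = "snuffy@example.com"
    msg["Subject"] = "Q2 numbers"
    msg.attach(text)
    msg.attach(sig)
    return msg.as_bytes()


def verify(raw):
    """Recipient side: recompute the digest of the first part and compare it
    with the one carried in the signature part."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "multipart/signed":
        return False
    signed_part, sig_part = msg.get_payload()
    expected = sig_part.get_payload(decode=True).decode("ascii")
    actual = hmac.new(SIGNING_KEY, canonical(signed_part), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, actual)


def transport_appends_disclaimer(raw):
    """What a naive server-side disclaimer sink does: rewrite the signed body."""
    msg = message_from_bytes(raw)
    signed_part = msg.get_payload()[0]
    body = signed_part.get_payload(decode=True).decode("ascii")
    signed_part.set_payload(body + DISCLAIMER)
    return msg.as_bytes()


def demo():
    """Returns (signed verifies, server-appended verifies, client-appended verifies)."""
    body = "The Q2 numbers are attached.\n"
    return (verify(sign(body)),
            verify(transport_appends_disclaimer(sign(body))),
            verify(sign(body + DISCLAIMER)))  # disclaimer added by the client before signing
```

The third case is the auto-signature approach: the disclaimer is part of the body when the client signs, so the digest still matches.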

Sunday, April 24, 2005

Bizarro Award: The TSA wisely spending our money

An internal audit found that the Transportation Security Administration (TSA) spent almost $500,000 on an awards night, including a "lifetime achievement" award for one employee (the agency was 2 years old at the time of the awards banquet in November 2003). The Inspector General of the TSA found they had spent $64.00 per gallon of coffee, and $81,000 for award plaques. This has been reported numerous times, most recently on balkanalysis.com.

Recently, the TSA has been under fire for blatantly improper expenditures such as art consultants, silk plants, cable TV, and a 4,200 square-foot fitness center.

All of these perks, and a Department of Homeland Security report indicates that safety has not improved at US airports, despite the fact that they add an additional 10 - 45 minute delay at the metal detector and make me take my shoes, jacket, and belt off. And thank heavens I don't accidentally carry on nail clippers with a nail file or more than three extra AA batteries! The republic could crumble. Oh the horror!

Exchange 2003 clustering and Windows 2003 SP1

Right now, I only have two major customers, though I help CTA Engineering, Dell Professional Services, and Microsoft Consulting Services out with others. Clustering is something I generally try to avoid, but the customer is always right. So, I end up working around clusters.

I am helping prepare one of my customers for updating to Windows 2003 SP1 (my other major customer is already working on getting their 300+ servers upgraded). The customer I'm currently helping with their upgrade plans has all of their 20,000 mailboxes on clustered nodes and makes heavy use of Outlook Web Access. So, a little incompatibility I stumbled across in the Windows Server 2003 Service Pack 1 Application Compatibility article is really valuable for these folks.

It points to KB article 841561, which describes a situation where OWA clients may receive a 500 - Internal Server Error when an end-user tries to access their mailbox. Yuck! Anywho, there is a fix for this (it updates the server's DAVEX.DLL component). This is documented, and the fix can be downloaded, in Update for Exchange 2003 (KB 841561).

Saturday, April 23, 2005

New Time Zone system tray tool for Windows

Microsoft has a really spiffy tool for Windows XP (and I'm using it on Windows 2003 Server, too) called Time Zone. Simply install it (it needs to be launched the first time), then set your 5 favorite time zones. If you want to see the time in your preferred locations, click the Time Zone icon in the system tray (notification area) and up pops the time and date in your previously specified locations.
Microsoft Time Zone thingy

Thanks to my bud Roberry C. for turning me on to this. This is really useful for those of us that work with folks in multiple time zones. (Now! Those of you that have called me at 3:00AM and said "Gee, I thought it was the AFTERNOON there", you have NO excuse! :-)

Friday, April 22, 2005

Sharing an SMTP address space with two systems (and the Default Recipient Policy)

I had an adventure just recently that I felt deserved to be shared. Actually, it started out as George Cue's adventure, and I just hopped onboard after George had taken an Uzi to his co-workers. (Kidding!) George is one of my buds, a bright systems engineer, and one of my co-workers. If he and Clayton (another bud, bright SE, and co-worker) can't fix a problem, I know it is serious.

Anyway, in this new Exchange organization, they must share their SMTP address space with a Unix Sendmail system. The SMTP address (for example) is @somorita.com.

The users that are on Sendmail have mail-enabled contacts such as snuffy@somorita.com in the Active Directory.

The SMTP address in the Recipient Policy had the This Exchange Organization Is Responsible for All Mail Delivery To This Address checkbox cleared. If this checkbox is not cleared, all SMTP addresses in that SMTP domain are considered local and Exchange won't even attempt to deliver the message elsewhere.

Anywho, when anyone picked a mail-enabled contact from the Global Address List whose mailbox existed on the Sendmail system (in the same SMTP domain), the sender would get an NDR report like this:

A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator. somorita.com #5.4.6.

When we checked the message tracking logs, the messages were hitting the advanced queuing engine and the categorizer (PHATCAT), but the SMTP protocol was never sending mail to the Sendmail system (we also checked the SMTP protocol logs).

When an SMTP Connector was created specifically to forward mail to that Sendmail system (by putting the somorita.com name into the Address Space listing on the Address Space tab), ALL mail for ALL local mailboxes was being delivered (and NDR'ed) to the Sendmail system. The message the users were then getting was:

The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
domain name.com #5.1.1>

The solution was to create an additional Recipient Policy for all users and set the Default Recipient Policy's primary SMTP address to something other than @somorita.com. And, of course, clear the This Exchange Organization Is Responsible for All Mail Delivery To This Address checkbox on the new policy's SMTP address space.

Sharing an SMTP address space is a pain. It probably would have been easier to create an alias in Unix for those mailboxes and change the contact objects in Exchange to send mail to something like snuffy@sendmail.somorita.com.

Even though we fixed it, I was not sure whether this was the case. Thanks to Dustin "Ranger" Johnson for looking at this as well as Andrey Fyodorov and Michael B. Smith for reviewing my quandary. Michael also confirmed that there is a KB article that refers to this. See KB 321721: Sharing SMTP address spaces in Exchange 2000 Server and Exchange Server 2003 for more information.

The gist of it is:
"Exchange must always be authoritative for the primary SMTP address (the one in bold) on the default recipient policy. Otherwise, local mail flow may not occur."

Monday, April 18, 2005

Maximum size of Windows event logs

I stumbled across something recently that is of interest to anyone setting event log sizes. Actually, I was referred here by Alex N.; thanks Alex!

Some of the "guidance" from DISA, the NSA, and other government agencies has you setting event log file sizes of 1GB up to 4GB!!! This is a very bad thing. It boils down to this: EVENTLOG.DLL runs as part of the SERVICES.EXE process, and no single process can have more than 1GB of memory-mapped files. SERVICES.EXE runs other components, and all of those components have to play nicely in that 1GB of memory space.

In some circumstances, events that SHOULD have been logged will NOT be logged. No errors will be logged or displayed, either.

Microsoft recommends in the Event Log Policy Settings document that the combined size of these files be no more than 300MB. For regular servers, that means the combined size of the System, Security, and Application logs. For domain controllers, don't forget to take into consideration the DNS, File Replication Service, and Directory Service event logs.

I recommend the following event log sizes:
System: 49,152MB
Application: 49,152MB
Security: 196,608MB

Usually, the DNS, File Replication Service, and Directory Service logs don't need to be more than a few MB each.

This will be fixed in a future version of Windows, but probably not in a service pack. This issue affects all versions of Windows up through Windows 2003 and will require an overhaul of the event logging system. More technical details can be found on Microsoft TechNet.
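As an added example (not from the original post), here is a Python check for the combined 300MB guidance above. It reads the MaxSize values for each log from a .reg export of HKLM\SYSTEM\CurrentControlSet\Services\Eventlog, where each log's maximum file size is stored in bytes as a REG_DWORD; the sample export below is constructed.

```python
import re

# Where Windows 2003 keeps each event log's configuration. Per-source subkeys
# (e.g. ...\Eventlog\Application\ESENT) are skipped by the regex.
EVENTLOG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog"
KEY_RE = re.compile(r"^\[" + re.escape(EVENTLOG_KEY) + r"\\([^\]\\]+)\]$")
MAXSIZE_RE = re.compile(r'^"MaxSize"=dword:([0-9a-fA-F]{8})$')

COMBINED_LIMIT_MB = 300   # Microsoft's combined-size guidance quoted in the post


def parse_maxsizes(reg_text):
    """Extract {log name: MaxSize in bytes} from a .reg export (regedit writes
    these files as UTF-16LE, so decode before calling)."""
    sizes, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = MAXSIZE_RE.match(line)
        if value and current:
            sizes[current] = int(value.group(1), 16)   # dword is hex in .reg files
    return sizes


def check_sizes(sizes, limit_mb=COMBINED_LIMIT_MB):
    """Return (combined MB, within guidance?, per-log MB)."""
    per_log = {name: size / 2**20 for name, size in sizes.items()}
    combined = sum(per_log.values())
    return combined, combined <= limit_mb, per_log


# Constructed export in the shape of a "hardened" server: 64MB, 1GB, 64MB.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application]
"MaxSize"=dword:04000000
"Retention"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"="C:\WINDOWS\system32\esent.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
"MaxSize"=dword:40000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System]
"MaxSize"=dword:04000000
'''

if __name__ == "__main__":
    combined, ok, per_log = check_sizes(parse_maxsizes(SAMPLE_REG))
    print(per_log, combined, "OK" if ok else "over %dMB" % COMBINED_LIMIT_MB)
```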

Saturday, April 16, 2005

Windows and Exchange Connections 2005 - Oct 31 - Nov 3, 2005

Someone told me today that TechEd 2005 in Orlando is sold out! That is great that it has sold out since it demonstrates our desire for continually updating our technical skills. And, let's face it. In the IT industry, you never stop learning new things. Unfortunately, I'm swamped and in the middle of two projects right now and won't be able to go to TechEd this year.

Anyway, that being said, I am going to be at the Windows and Exchange Connections 2005 conference (October 31 - November 3) in San Diego (one of my favorite cities!). Not only am I going to be there, but I'm going to be presenting! Here are the sessions on which I am working.

  • Full-Day Pre-Conference Session on October 31 (Monday) - Exchange 5.5 to Exchange 2003 Migration Essentials (Tools, methods, dangers, case studies)
  • A 70 minute session on Exchange 2003 and RPC over HTTP
  • A 70 minute session on Disaster Recovery and case studies
  • 1/2 Day Post-Conference Session (Friday) - Exchange 2003 Clustering quandaries and personal experiences

And, in addition to me, people like Paul Robichaux, Mark Russinovich, Kieran McCorry, Mark Minasi, Dan Holme, Tony Redmond, and others will be there.

While this conference is not as huge as TechEd, I think this is a good thing. That means that attendees get face time with both vendors/exhibitors and people like Mark Minasi and Tony Redmond, something that is impossible to get at conferences like TechEd. Of course, for someone like me, getting face time is easy since hardly anyone knows who I am. :-)

Plus, the content of the sessions is much more focused towards a technical audience with less (or no) marketing and vendor-based content. I hate sessions where the first 20 minutes of the session is spent talking about a company or specific product that does not relate to the session.

As I get more information, I'll post it here. Suggestions on my topics are ALWAYS welcome.

Friday, April 15, 2005

Free subscription to Redmond magazine

Redmond magazine (formerly Microsoft Certified Professional Magazine) is offering a free subscription to the print edition of their magazine. The online edition is also good and offers up-to-date information. Good magazine for anyone that works in IT and supports Microsoft Windows Server and BackOffice products. With contributors like Danielle Ruest, Roberta Bragg, Andy Barkl, Bill Boswell, Russ Cooper, Nelson Ruest, Bill English, Don Jones, Jeremy Moskowitz, Michael Tedesco, and Chris Wolf, you can't go wrong.

Tuesday, April 12, 2005

Windows 2003 Service Pack 1 (and Exchange 2003)

The long awaited first service pack to Windows 2003 was finally released on March 30th. Microsoft has published a lot of information about this service pack and how you should go about deploying it. While my primary work location is normally conservative about patches and service packs, we started testing it on the day it was released.

We were mostly concerned with possible problems with our Dell hardware (mostly Dell 2650s and 6650s) with Dell Systems Management v4.2 built with the DOSA CD v8.1 and later. While the release notes recommend getting the latest version of the Dell Systems Management, we have not had any problems with it yet.

We have since deployed Service Pack 1 on all of the domain controllers on 3 of our networks, plus our Exchange 2003 servers that do not use NetApps for storage (either via SAN or iSCSI attachment). We still have not tested it with the NetApps.

Exchange 2003 Service Pack 1 seems to behave just fine with Windows 2003 SP1. If you are installing Exchange 2003 from scratch, you will receive a note telling you that the software you are installing is incompatible with the version of Windows you are running. I have had no problems installing it, but based on what I have read in the newsgroups and heard from other Exchange folks, I am immediately applying Exchange 2003 Service Pack 1.

The only thing we have found that was broken by W2K3 SP1 was the Windows Time service; it would not start on the domain controllers. This was due to some more restrictive security templates we use. The NETWORK SERVICE account did not have permissions to read the service. This was fixed by modifying the GPO that affects the domain controllers. Thank goodness for Google Groups!

I am recommending other customers begin reading the Windows 2003 Service Pack 1 release notes and documentation, begin testing on their hardware and applications, and start planning for deployment. It sure beats all those hotfixes to fix many of the annoying issues with Windows 2003! Just don't rush in to anything until you are prepared.

Updates for Exchange 2003 SP1

Today Microsoft released a fairly important security fix for Exchange 2003. More information can be found about this fix in KB article 894549 and it can be downloaded here. (There is an Exchange 2000 version of this update, also. See the KB article). This vulnerability could allow denial of service attacks or remote code execution, so it should be applied as soon as practical.

In addition, there is a roll-up fix for Exchange 2003 Service Pack 1 that was released the first of February. The download information and the fixes can be found in KB article 883652. This update fixes bugs found in the Cdoexm.dll and Maildsmx.dll files.

There is also a roll-up fix for Exchange 2003 Service Pack 1 that was released in November. The download is here and the fix information can be found in KB article 883543. This fix updates Outlook Web Access 2003 components. Warning: if you have customized your LOGON.ASP, this will overwrite it.

Sunday, April 03, 2005

Hiding Address List in Exchange 2003

There may be a time that you need to hide an address list in Exchange 2003 so that only certain users are allowed to see the address list. The traditional way to do this is to create a "container" address list and then nest the hidden list inside of it. However, that can be kind of kludgy. Exchange guru Shawn Martin has researched this (thanks, Shawn!) and come up with the following procedure. As with any custom changes to your Active Directory, make sure you test this first in a test or VM environment to make sure this achieves the result you are hoping to achieve.

Sept 9, 2006 - Sorry all - Procedure pulled per request from Microsoft PSS. Waiting to see if there is an approved procedure.