Thursday, August 31, 2006

Certifcates necessary for Windows Mobile 5 and earlier when using the GoDaddy CA

If you are like me, you like cheap SSL certs! And GoDaddy delivers! The problem is that the certificate authority that GoDaddy uses is not installed by default on the Windows Mobile 2002, 2003, and 5 devices. This means you need to install those certificates on each of those mobile devices. A number of my customers are using GoDaddy certs and I was tired of digging the certs up each time, so here they are! Take a look at this this artile on Daniel Petri's web site: "How can I add a Root Certificate to my Windows Mobile 2003 Pocket PC?"

Wednesday, August 30, 2006

Windows Mobile and ActiveSync - ActiveSync Encountered A Problem On The Server

For the past couple of days, a problem with Windows Mobile 5 and Exchange 2003 SP2 ActiveSync has been driving me up the wall. Single E2K3 SP2 server on W2K3 SP1 with an ISA Server 2004 acting as a reverse proxy. Forms Based Authentication (FBA) is enabled. In the past 3 months, I have configured ActiveSync on 4 other, almost identical servers and it worked fine.

However, each time, the device showed:
Result:
ActiveSync encountered a problem on the server.
Support code: 0x85010014


In the HTTP proocol logs, two interesting codes were showing up in the protocol status, substatus, and W32status:
401 2 2148074254 (that is error 401.2)
500 0 0 (error 500)

401.2 indicates an authentication problem and 500 indicates an internal server error.

I went through KB 817379: "Exchange ActiveSync and Outlook Mobile Access errors occur when SSL or forms-based authentication is required for Exchange Server 2003" at least 4 times trying to see if I had missed something. I went through a similar article on Daniel Petri's site. No luck.

I compared setting-by-setting the Exchange server, the ExchangeVDir virtual directory, and the ISA Server with other sites that were working. No luck.

I finally broke down and called Microsoft PSS. I really hate calling PSS since you spend the first hour going through the same things you have been troubleshooting for the past 2 or 3 days. And often end up teaching the front-line tech support guys a few things about Exchange.

At least the PSS guy had heard of KB 817379, though. Nonetheless, we went through it line-by-line once again. And again. No luck.

Then, he has me disable Forms Based Authentication on the Exchange Virtual Server, then wait for DS2MB to replicate the settings to IIS, THEN make an exported configuration of the /Exchange virtual directory, the re-enable Forms Based Authentication, then create the /Exchange-OMA virtual directory using the steps in KB 817379.

This time, it worked!!!!! Yay!!!! I'm just a little peeved that I had to use up a support incident to find this "double secret probation" technique out. Apparently it is something that PSS tries when it does not work the normal way. Why in the name of Siddhartha Gautama is this little tidbit not publicly documented somewhere!!!???

Sunday, August 27, 2006

Out of date GAL got you down? Directory Update v1.1 released

I'm in the software business for real. Scary. My programmer dudes have just finished testing Directory Update v1.1 and it includes the most commonly requested feature updates. Specifically you can hide fields from the interface, hide an entire section from the interface, and convert drop-down lists to text boxes (or vice-versa).

If you are just tuning in, Directory Update is an alternative to GALMOD, web-based GALMOD, WebDir, and other self-service user attribute management systems. Directory Update is an application that allows a user to update or edit their information in the Exchange Global Address List / Active Directory via a simple, easy-to-use web interface. The administrator can help to ensure that this information is valid by using drop-down lists.

More and more the Exchange Global Address List is used as a organization-wide directory of employees. Having this information up-to-date helps employees to do their jobs more efficiently.
If you are going to download the evaluation and give it a try, please read the documentation. :-)

Saturday, August 26, 2006

Avast maties and land lubbers! Talk Like A Pirate Day is coming!

One of the great things about being friends with Paul Robichaux is that I learn things I never new that I never new. For instance, Sept 19 is National Talk Like A Pirate Day. I'll be in Dubai that day, so I'm sure talking like a pirate will be lost in cultural translation.

I also got a major kick out of Fun Facts About Bruce Schneier. For the geeks that are reading this, if you don't know who Bruce Schneier is, then shame on you!

Friday, August 25, 2006

Exchange monitoring - The hit list

I am teaching an Exchange 2003 class this week. Today and yesterday, I facilitated a discussion with my students about what they thought was the top items that should be monitored (based partly on our dicussions of monitoring and disaster recovery/prevention). It was an interesting and relevant list and I wanted to post it here for further discussions.

The question essentially was, "independent of a specific monitoring system, what would you want to check, monitor, or identify on your Exchange servers?"
  • Backup related status
    - Did it run successfully? Backup errors?
    - Did transaction logs purge?
    - How long did backups take?
    - Did you back up databases you expected to back up?
  • Check disk space
    - Disk space above warning threshold
    - Disk space growth over time (weekly / monthly)
  • Database (edb and stm) file size growth (weekly / monthly)
  • Queue status / growth (internal and external)
  • Anti-virus system
    - Signatures updated
    - Virus trends (unusual spikes in activity)
  • Online maintenance completion
  • Information store service responding
  • OWA / Web service responding
  • SMTP service responding
  • Test message / measure round-trip times (internal and external)
  • Protocol log file sizes and trends
  • Scan Application logs for common, critical errors:
    - Database / ESE errors (e.g. -1018 errors)
    - Active Directory / DSAccess related errors
  • Critical performance monitor counters:
    - RPC latency
    - Average % disk time
    - CPU usage
    - Available memory within norms
    - Page file usage within norms
  • Physical server / hardware statistics
    - Power supplies functioning
    - Memory / single bit errors
    - Disk / array failures
    - RAID array battery status
    - Temperature alarms
    - Tamper alarms
  • External DNS health (able to resolve external DNS names and our public MX and A records are correct
  • Internal DNS health (resolve internal domain and domain controller resources)
  • Internal network health check (perform network check and compare baseline TTLs)
  • Cluster service responding
  • Cluster virtual servers residing on "home" node as expected
  • Daily administration tasks (who has made Exchange related configuration changes)

Free Virtual Machine technology

Virtual Machine technology is one of the coolest things to hit the mainstream PC market. I won't go as far as saying it is "new", because the Mac had Virtual PC at least 1o or 15 years ago. Virtualization has been around even longer (anybody remember IBM VM?) But the availability of the technology and the commonplace knowledge of it is "new'. And, now it is free! Microsoft and VMWare are now racing to see who is going to be the top "virtual machine" company in the future (VMWare is by far better today!).

So, next time you need to test something, build a lab, or even combine a few low-usage application servers to a single machine, consider virtual machine technology. You will need LOTS of memory. At home, I run 5 to 8 simultaneous VMWare Server-based machines at home on a single computer with 4GB of RAM and they run okay. Here are you "free" choices:

VMWare Server
Microsoft Virtual PC 2004
Microsoft Virtual Server 2005

My personal preference is VMWare Server.

Thursday, August 24, 2006

Web Seminar: How to simply Exchange troubleshooting

On September 14, I am doing a Windows IT Pro web seminar with Ahmed Datoo from Zenprise. We are going to cover some of the tools available for troubleshooting and isloating Exchange problems. Ahmed will be demostrating some of the advanced troubleshooting and problem solving capabilities of Zenprise. I had a demonstration of this product just recently and it is very impressive how quickly it can narrow down in on the root cause of a problem. Plan to register and attend if you can.
______________
Character is doing what’s right when nobody’s looking. -- J.C. Watts

Wednesday, August 23, 2006

Parking Perfection

This little thingy is showing up everywhere. The folks in an IT shop in which I was working last week were all playing it. It is called Parking Perfection by Mousebreaker. It is very simple little Flash-based game where you try to park your car. Good thing I drive better than I play this game. It is fun enough and additive enough that I had to share it.

Sunday, August 20, 2006

Exchange 2007 Get Ready Road Show in September

The Windows IT Pro Get Ready for Exchange & Office 2007 Roadshow is coming back to Europe. If you are near any of these cities, please plan to attend one of these events. I'll be there speaking on Exchange 2007!

Sept 18 - Dubai, UAE
Sept 21 - Istanbul, Turkey
Sept 25 - Rotterdam, Netherlands

Saturday, August 19, 2006

ISO Recorder


I just came across this on Paul Begley's blog. Very cool. It is an ISO Recorder utility for Windows XP Pro SP2 and Windows 2003. Once installed, you have the ability to right click and copy the ISO to a CD. this is very hepful since I get a lot of ISO files. (CD's only at this time, Vista is supposed to include DVD burning capabilities.)

Once installed, ISO files have their own data type and are associated with the ISO Recorder, just right click on an ISO file and choose Copy Image To CD. Very nice utility! See the ISO Recorder web page for more information.

Introducing Sydney Alexandra Hutchinson


I'm an uncle again! My little sister Becky has just had a daughter. Sydney Alexandra Hutchinson! Welcome to the world, Sidney!

Congrats to David and Becky, her new and very proud parents.

Friday, August 18, 2006

Exchange in resource forest and public folder access problems

I spent the better part of yesterday and today working on a problem with a new customer. The customer runs Exchange 2003 in a resource forest. The resource forest has a trust relationship with the accounts forest. The original consultant that set up the Exchange organization configured Outlook so that the user must enter their user name and password; they then instructed the users to logon to Exchange using their resource forest credentials.

I know, I know, brain dead design. But, I'm the one FIXING it.

The user logging on each time they accessed Outlook was a major pain point for the user community.

I helped configure a few accounts with additional Mailbox Rights. We assigned the user's account from the accounts forest the "Read Permissions", "Full Mailbox Access", and "Associated External Account" permissions. The user could immediately open their mailbox without being challenged for credentials! Hoorah!

The problem came for users that were explicitly delegated permissions to a public folder (such as the folder's Owners, Publishing Editors, Publishing Author's, etc...). If a group was assigned the permissions, the access was fine. I tried disabling the account in the resouce forest (per Planning for a Complex Exchange Organization paper, but that was not effective.

Finally, after burning another 4 hours, a PSS incident and explaining the concept of resource forests and folder permissions versus directory rights to the first line PSS guy, he managed to get someone that could answer the question.

Not only do you have to disable the account in the resource forest, but you have to re-assign the public folder permissions for the mailbox so that SID that is used for the public folder belongs to the account specified in the Associated External Account permissions. First disable, then re-assign individual permissions.

This should be a KB article.

Another priceless moment with the President

I really hate "photo op" poses. Here is why:


  • - Trip on Air Force One to visit Army Generals - $1,000,000
  • - New Suit - $6000
  • - Weather proof jacket complete with US Flag Patch - $500
  • - Bulletproof vest - $6000
  • - Commander-in-Chief of your nation's defense forces using binoculars without removing the lens cap - Priceless

Sunday, August 13, 2006

I'm in the Microsoft Security Newsletter

I was just reading the August 2006 Microsoft Security Newsletter and did a double-take. "Hey! Why is my picture in here!" Anyway, I'm MVP of the Month. Hee hee... It includes a link to a short article I wrote on a study I helped do for an organization that was overwhelmed with spam and was evaluating solutions. This is also a promo for a free eBook that I wrote for Realtimepublishers.com and Microsoft called The Tips and Tricks Guide to Secure Messaging.

This was at the bottom of the newsletter. Finally! Just about 8 years later than it should have been!
Digital Signatures Help Make Microsoft Security Newsletters More Secure
To help increase your security, Microsoft will soon begin digitally signing all of its security newsletters with the Internet standard, Secure Multipurpose Internet Mail Extensions (S/MIME). This means that if you use Microsoft Outlook, or another full-featured e-mail program, you have an added assurance that the e-mail newsletter came from Microsoft and has not been tampered with. However, many Web-based e-mail programs and some other e-mail programs do not support digital signing with S/MIME. To learn more, please see how digital signatures help make Microsoft security newsletters more secure.

Saturday, August 12, 2006

Using Microsoft's IIFP (Identity Integration Feature Pack) to sync GALs / Active Directories

One of the common questions that shows up in the newsgroups and classes is "how do I synchronize my Global Address List" between two separate Exchange organizations?' There are a number of third party products (SimpleSync and HP's LDSU) that do this, but if you have SQL Server and Windows 2003 Enterprise Edition, you can use the Microsoft Identity Integration Feature Pack (IIFP). IIFP is a free directory synchronization tool that has a subset of the features found in it's big brother, Microsoft Identity Integration Server.

IIFP allows an administrator to synchronize data between multiple Active Directories or the ADAM (Active Directory Application Mode) directory database. Most of it is wizard driven and it is pretty simple to get working. It reads users (or mail-enabled users) from one Active Directory and creates contacts (or mail-enabled contacts) in the other Active Directory forests you specify. I have been part of IIFP and MIIS installations before, but I just did my first installation "on my own". I learned a few important lessons I wanted to share.
  • Windows Server 2003 Enterprise Edition is required
  • SQL Server is required
  • Microsoft has Global Address List Synchronization Walkthrough that takes you through the process complete with lab setup and detailed step-by-step instructions. However, the person / people that wrote this must have forgotten the original title because they use the full-blown MIIS product in their examples and they include an LDAP data source (which, of course, requires MIIS), a Sun ONE Directory Server, and a telephone directory source. You can still disseminate what you need from the article, but it is muddied by all of this additional information. Focus guys, focus!
  • Marc Grote published a much better and more concise guide called GAL Sync With The Identity Integration Feature Pack (IIFP). Very helpful.
  • The sync process on the IIFP server is a two-part process. First the sync process copies data from the directory in to the Management Agent's name space. Then the data in the Management Agent's name space is sync'ed in to the IIFP's "Metaverse", which is a combination of all directories that are being sync'ed. The Indentity Manager on IIFP console lets you browse this directory.
  • Download the IIFP from Microsoft's Windows 2003 Downloads.
  • Get the IIFP service pack (this fixed a couple of issues I was having!) See KB 884192: "How to obtain the latest Identity Integration Feature Pack (IIFP) cumulative hotfix package"
  • Create service accounts in each of the Active Directory forests in which you are going to synchronize. The documentation and walkthroughs never actually tell you which rights you need, so from what I can gather the service accounts have administrative equivalence. For the customer I was working with, this was absolutely unacceptable. Create a regular user for the service account, make sure it has "read" permissions to all of the OUs from which it will be reading user information and that it has permissions to create Contact objects in the OU in which contacts will be created from other forests. Finally, on the properties of the domain, display the Security property page and give your service account user the "Replicate Directory Changes" and "Replicating Directory Changes All" permissions. This is in KB 303972, but there is a typo in the KB article and the exact permission is unclear and I never got clarification from anyone at Microsoft, so I set both. I tried it without setting this permission on the domain and got a "Replication Access Was Denied" when I tried to run the IIFP Management Agents.
  • When creating management agents, on the Configure Directory Partitions properties, make sure you clear the "Sign and Encrypt LDAP Traffic" option.
  • When creating management agents, most of the defaults can be accepted, so don't be intimidated by all those checkboxes!
  • From the Identity Manager of IIFP console, choose Tools -> Options and make sure you click the "Enable Provisioning Rules Extension" checkbox. Otherwise objects are never created in the Active Directory forests you are synchronizing.
  • Create yourself a test organization first so that you can test all of your settings without interfering with production.
  • In a small organization (a few thousand objects), you could get away with running this even on a domain controller, but as you scale to more than a few thousand total objects, you should build a member server that handles the synchronization (initial and deltas) process. You might even consider making it a stand-alone server rather than a member of one of the Active Directory domains.
  • Schedule synchronization is accomplished by creating a "Run profile" of the sync steps and the exporting this to a script. There is a Script button on the Configure Run Profiles wizard that does this for you. Then you just run the schedule the script to run.

So, in closing, give this a try! It is pretty slick and it is FAR better than the old Microsoft MetaDirectory Server that Microsoft used to have.

The most important single ingredient in the formula of success is knowing how to get along with people. -- Theodore Roosevelt

Configuring the Intelligent Message Filter (IMF) v2 to exclude recipients from spam filtering

Microsoft has released an update to the Exchange 2003 Intelligent Message Filter v2 (yes, you MUST be running Exchange 2003 SP2) that allows the administrator to specify a list of aliases or SMTP Addresses for internal recipients; you can configure this an exclusive list (all recipients in the list must be in the message) or an inclusive list (any of the recipients can be in the message).

I thought this was a pretty commonly understood feature until I had to actually do a search for it the other day. The feature is well described in Microsoft Knowledge Base article 912587: Exchange Server 2003 Intelligent Message Filter does not provide the functionality to exclude a particular recipient from anti-spam filtering.

The reason that I needed this feature is that I have a customer that receives multiple important e-mails every day from one source. All of these e-mails go to a single mailbox and are processed. For some reason, the IMF ranks these as an SCL 8 everytime, but they reject SCL 8 and 9 messages.

To get this functionality, you need to get the hotfix described in KB 912587, create the multi-string Registry values and enter the e-mail addresses. I have used the "inclusive" list feature and it works just fine.

We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth. -- Sherlock Holmes (Sir Arthur Conan Doyle)

Tuesday, August 08, 2006

What Jesus Meant by Garry Willis

I consider myself a fairly spiritual person, but when getting down to naming a particular religion or denomination, I claim to be an agnostic. A more accurate discription probably lays somewhere between being a Presbyterian and a Buddhist, if that is possible. Anyway, for years I have been interested in Jesus Christ not only as a spiritual person, but also from a historical perspective. Jesus is one of a handful of historical figures that literally changed the world (for the good in this case.) Few historical figures can ever be attributed with actually changing the
course of the word.

In recent years, there has been a lot fiction written questioning the divinity and providing alternate theories of his life, not the least of which is Dan Brown's The Da Vinci Code (which I loved) and Steve Berry's The Templar Legacy (also quite good).

I stumbled across What Jesus Meant by Garry Willis and initially did not give it a second glance. However, I learned more about its author and became intrigued. Willis is a former Jesuit seminarian and considers himself a good Catholic. He certainly did not start out with the intent of maligning the life of Christ.

Based on the scriptures, Willis looks at the life of Christ and attempts to explain the type of person that Jesus actually was in his own time as well as what he would be like today. From this, he explains what it was like to be a follower of Jesus. This book made an enlightening read. Willis' conclusions about Jesus Christ in today's world are similar to my own. Jesus would not set foot in most churches. "He broke every possible religious rule of his time. He broke Sabbath. He consorted with unclean people. Everything that could offend external releigion, he did.... Why would he be any different now." says Willis.

Saturday, August 05, 2006

GALMOD - What is it?

A few weeks ago, I posted about an application called Directory Update that I had originally designed and had a friend develop that allows a user to edit / modify their own attributes in Active Directory. I called it a GALMOD alternative. Well, I have had at least 2 dozen e-mails asking "What is GALMOD?" "Where can I get it?", "How do I use it?", etc...

First of all, GALMOD (or GALMOD32.EXE) is a utility that works with Microsoft Outlook that allows a user to update certain attributes in the Exchange 5.5 directory. It was developed by Microsoft Consulting Services with assistance from the Exchange Team and originally shipped on the Back Office Resource Kit and then later on the Exchange 2000 Resource Kit. It is an "unsupported" utility.

It will work against Active Directory since when the client sends updates to what it "thinks" is the Exchange 5.5 directory service, the Exchange 2000/2003 server will pass those updates on to Active Directory.
However, even though it looks like it will allow you to update the State, Title, Company, Department, and Office fields / attributes, it does not unless the user has additional permissions.
Exchange MVP Lee Derbyshire wrote an article called User Access To The Exchange 5.5 GAL With GALMOD32.EXE that is helpful in further understanding this utility.

Finally, where can you get it? I haven't a clue. Just so I could take a screen capture, I went through several stacks of old CDs and binders before I found an old copy of the BackOffice Resource Kit (from 1998). I did find one non-Microsoft place that I could download it, but since this utility was originally part of something that had to be purchased I'm afraid to link to it. You don't spit in the wind, you don't pull the hat off the Lone Ranger, and you don't mess around with the Microsoft Legal Department. :-)
Microsoft KB Q242223: "How to install and use the Global Address List Modify for Web tool" insinuates that is available for download, but I could not find a link. Microsoft has also published a web-based version of GALMOD, but it has the same limitations as the GALMOD32.EXE.
Thus, I had a need for a customizable, flexible web-based replacement for GALMOD and that is how Directory Update was born. I have had enough interest that my company is going to try and market this tool as a commercially available software application.
Great spirits have always encountered violent opposition from mediocre minds. -- Albert Einstein

Squeaky Lobster exposed!

Exchange ESE (aka JET Blue) Developer Brett Shirley gave a really good and definitive history of the Exchange 5.5 ESE database tuning registry key "Squeaky Lobster". Thanks Brett, that was one of the coolest things I have read all week. But, did Andrew get the girl?

There are two ways to be rich--make more or need less. - Rimo’s Rule

Friday, August 04, 2006

I made Ed Brill's blog!

I made Lotus Notes guy Ed Brill's blog the other day. My blog entry on Exchange 2007 hardware requirements caught his eye. I'm almost giddy! I feel validated! Now I know how Kim Jung Il (Grand Poobah of North Korea) must have felt when Bush named him as part of the Axis of Evil.

One question for you, Ed. How is that Notes Web Mail interface working out for ya. :-) (Just kidding - sort of.)

Be slow in choosing a friend, slower in changing. -- Benjamin Franklin

Planemos - Twin planets discovered

This is just absolutely cool. A pair of planets that seem to change the definition of planet and star have been discovered. They have been dubbed "planemos" and they circle each other. If anyone knows where there is a higher-resolution image of this, please post in the comments.

Nearly all men can stand adversity, but if you want to test a man's character, give him power. -- Abraham Lincoln

Thursday, August 03, 2006

Exchange Troubleshooting Assistant (ExTRA) released

Microsoft released yesterday the first version of their Microsoft Exchange Troubleshooting Assistant (ExTRA). This new tool is a union of Exchange Performance Troubleshooting Analyzer (ExPTA), Exchange Disaster Recovery Analyzer (ExDRA), and a new development we called Exchange Mail Flow Analyzer (ExMFA). Now you can troubleshoot performance, database and also mail flow problems just with ExTRA. Upon starting the tool, you will be presented with a list of symptoms you would like to troubleshoot so the user interface is very intuitive.

Check out the Exchange Team's blog entry on this. The troubleshooting functionality in ExTRA for performance and database issues are the latest (contains post 1.1. ExPTA and ExDRA) and mail flow troubleshooting functionality is brand new to tackle major issues such as no or slow deliveries and queue back-ups. For more information, see also http://www.microsoft.com/exchange/analyzers

Litigation: A machine which you go into as a pig and come out as a sausage. - Ambrose Bierce - The Devil's Dictionary