Sunday, July 21, 2019

Amtrak adventures

It is no secret: I’m a big-time train geek. My European friends are amazed at the state of railroads in the US. Yes, friends, railroads in the US are mostly for hauling freight. There are some good commuter trains in larger cities and metro areas. And, many cities have good subway and light rail systems. But, medium-to-long distance passenger service? Not so much.

But, we do have Amtrak. Surprisingly, I had never set foot on an Amtrak train (commuter or otherwise). Recently, I had a meeting to attend in California and decided to take Amtrak. I took the California Zephyr from Denver to Sacramento. I sprung for the big bucks and booked a Superliner bedroom rather than just a seat or a roomette.

Amtrak GE Genesis Locomotive
The room can comfortably *seat* 3 or 4 people during the day if you want to have your friends stop by. It has nice big windows, a private bathroom / shower, and was comfortable. The views through the Rocky Mountains and the Sierra Nevada Mountains were spectacular.

Our car attendant was friendly and helpful. The couch folds down into a bed and there is an upper bunk that folds down. The room can sleep 2 adults comfortably and you might be able to have a small child sleep with an adult in the lower bunk. The folks in the room next door did have 2 adults and a teenager in their room and they seemed to be okay. (They do have “family” bedrooms which are a tiny bit bigger. And, they can combine 2 bedrooms through a common door between the two rooms.)

The meals in the dining car were decent but not spectacular. The lounge / observation car offered great views and was very popular.

The Superliners also have cheaper roomettes, which are quite a bit smaller and intended for up to 2 people, with smaller beds and shared bathrooms and showers in the common area. The Superliners have both an upstairs and a downstairs.
Superliner car

Observation car
If you are planning a trip cross country and time is not a factor, this is a great way to travel. No snippy flight attendants, no “sit down and buckle your seatbelt” turbulence, no haughty TSA agents, no airport lines, no body scanners. 

I figured I would share a few observations and tips. 
  • Amtrak in the ancient Latin means “late”. Get used to it. In their defense, they share track with freight trains and freight trains, by law, get priority. But, we are not in a hurry, right? 
  • You will meet some very nice people. I had many great conversations with people in the dining car and lounge car.
  • The top speed I have measured is about 79 MPH. This ain’t Europe or Japan.
  • Bring a small power strip. There will probably not be enough power outlets for all of your devices.
  • Some of the mainline track in the US is, well, how should I put this.... horrendous. The train ride is not always smooth as silk.
  • Bring some cash. Tip your car attendant. They work long hours. Usually at least $10 per person per night. Meals for sleeper car passengers are included but do tip your waiters in the dining car.
  • The Amtrak Superliner equipment is old. Like 1970s old. They have refurbished them and they are not bad. But, they are rough around the edges.
  • Amtrak has some bus services to cities they do not serve or to connect between cities.
  • At some stops, they allow people to get off the train to stretch their legs or for a smoke break. Do *not* go far. The train *will* leave without you.
  • Sleeping on a train, much like sleeping on an airplane, is not something everyone can do. I was out like a light when my head hit the pillow, but my spouse said it took a while. 
  • Bedrooms and roomettes fill up fast during busy seasons. Try to book plenty of time in advance.

Monday, May 13, 2019

PowerShell Manual of Style and Best Practices

Just like writing a book or a complex C++ program, using consistent styles and formatting will help make sure your PowerShell script is readable, efficient, and easy to debug.

I strongly recommend that new scripters and experienced PowerShell gurus take a look at The PowerShell Manual of Style.


Tuesday, April 09, 2019

Luke: My best friend at 9 1/2

9 1/2 years ago, this awesome creature came home with me. Since he was a puppy, I have looked into his eyes and seen an old soul. Smart, intuitive, independent, and stubborn, I can't imagine my life without him. He has been with me almost 10 years and across thousands of miles. He takes it all in stride. He loves trips to the mountains, hanging out in my office, or just chilling someplace remote that we have hiked to. His coat is a bit lighter now and he is a bit more grumpy in the morning, but he is still that independent-minded puppy I met at 4 weeks old.

#siberianHusky #lifeWithLuke #bestFriend

Wednesday, March 20, 2019

They are like potato chips - Happy Birthday, Broker!

People in the know say that Siberian Huskies are like potato chips... you can't have just one. That is sure true. After a year and a half with Luke, I had to have another. And along came my Broker-boy.

Broker is the anti-Luke. He is always in a good mood and he always wants attention. He does not like children or other dogs. But, he is the sweetest dog alive if he likes you.

He has been with me now for almost 8 years and across thousands of miles. So happy to have my Broker-boy chilling next to me.

Monday, December 17, 2018

PowerShell and file hashes

Microsoft introduced a handy security cmdlet in PowerShell 4: the Get-FileHash cmdlet is very useful for validating the integrity of a file, provided you know the hash value of the ‘known good’ version. A hash is essentially a sequence of numbers and letters calculated by a function, such as SHA256 or SHA384, using (in this case) a file as input.

As an example, let’s say that I build a software application, widget.exe. I run the SHA384 hashing function on it and come up with 38A519CE7. (A real value would be much longer.) If even a single bit changes in widget.exe, the hash value would change the next time it was calculated. I post my widget.exe program on my web site and I also include a note saying that the SHA384 hash is 38A519CE7.

Assuming you trust me as a source for software, you download my program and compute the hash value of widget.exe using the SHA384 algorithm. If the value you calculated is not 38A519CE7, then something is amiss. Maybe I posted a new build of widget.exe and did not update the new hash value. Maybe it was corrupted during download. Or, maybe someone modified my program and included hostile code.

Calculating a hash value and checking it against a known-good value is a simple, easy way to verify the integrity of a file, whether the file is a simple text file, spreadsheet, script, executable, or binary. Security experts will tell you that, by themselves, hashes are not a 100% perfectly secure solution. After all, if I can modify your software, I can also try to find where you keep your ‘known good’ hashes, recalculate the hash value, and modify your list of known good hashes.

Is the Get-FileHash command available to you? Check the $PSVersionTable variable in PowerShell and make sure you are running at least v4.0. A word of caution, though: you may have scripts written that will only work with earlier versions of PowerShell, so do your homework before updating to new versions of PowerShell.

Let’s go through an example. I have a file in the c:\temp folder called Get-IthicosSystemInfo.PS1. I want to be able to detect if changes have occurred that I did not make. I’m going to use the SHA384 hash algorithm since it is a newer, modern, and more secure algorithm. If you do not specify the -Algorithm option, then Get-FileHash will use SHA256. If the file hash will be calculated on other operating system platforms, make sure that the other platforms support the hash algorithm you choose. I would type this command at the PowerShell command prompt:
Get-FileHash .\Get-IthicosSystemInfo.ps1 -Algorithm sha384

The Get-FileHash cmdlet will return the hash algorithm used, the hash calculated, and the file path. The hash value is actually too wide for the console, so I’ll do a little bit of PowerShell magic to store the hash information in a variable:
$filehash = Get-FileHash .\Get-IthicosSystemInfo.ps1 -Algorithm sha384

Then I can just type $filehash.hash, like so:
PS C:\temp> $filehash.hash


Awesome! I’m almost done. Now, I’ll take that hash code, copy it and paste it into a JimsHashCodeKnownGoodValues.txt file and save it to the C:\temp folder with the script. Hurray! My script is protected and I can sleep well at night.

Some of you are probably saying to yourself, “Self, if an intruder can get to the temp folder and modify the script, well, the ‘known-good’ values file is right there next to the script...” You would be correct. I should store my known-good hash values in a different place. Of course, I also need to apply restrictive NTFS permissions to my script so that only a small group of trusted admins can edit it. And, if the script is edited, a new hash value needs to be calculated.

At some point in the future, if I want to validate that the script has not been modified, I’ll simply run the Get-FileHash command again using the same hashing algorithm. If the hash value is the same, the file has not been modified.

Using hashes to verify file integrity should never be the only security tool in your arsenal but they can provide you with an additional layer of security for validating file integrity. In another article, I’ll discuss digitally signing code and how that can provide you with a higher level of assurance.
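The store-the-list-elsewhere-and-recheck workflow described above, written out as an added example (this is not code from the original post). The folder and file paths are assumptions; it needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not code from the original post. Builds a known-good hash list
# for the scripts in one folder, stores it somewhere other than the script folder,
# and later re-hashes each script and reports OK / MODIFIED / MISSING.
# Requires PowerShell 4.0 or later (Get-FileHash). Paths below are assumptions.
$ScriptFolder  = 'C:\temp'
$KnownGoodFile = 'D:\Secured\KnownGoodHashes.csv'   # restrict NTFS permissions here too
$Algorithm     = 'SHA384'

function New-KnownGoodList {
    # Hash every .ps1 in the folder and record algorithm, hash and full path.
    $files = Get-ChildItem -Path $ScriptFolder -Filter *.ps1 -File
    Get-FileHash -LiteralPath $files.FullName -Algorithm $Algorithm |
        Select-Object Algorithm, Hash, Path |
        Export-Csv -Path $KnownGoodFile -NoTypeInformation
}

function Test-KnownGoodList {
    # Recompute each stored hash with the algorithm recorded for it and compare.
    # -eq on strings is case-insensitive, so a hash pasted in lower case still matches.
    foreach ($entry in (Import-Csv -Path $KnownGoodFile)) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            $status = 'MISSING'
        } else {
            $current = (Get-FileHash -LiteralPath $entry.Path -Algorithm $entry.Algorithm).Hash
            $status  = if ($current -eq $entry.Hash) { 'OK' } else { 'MODIFIED' }
        }
        [pscustomobject]@{ Path = $entry.Path; Status = $status }
    }
}

# Usage: build the list once after a trusted edit, then verify as often as you like.
# New-KnownGoodList
# Test-KnownGoodList | Where-Object Status -ne 'OK'
```

Re-run New-KnownGoodList only after an edit you made yourself; otherwise a MODIFIED result is exactly the signal the list exists to give you.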


Monday, December 15, 2014

GALSync on a budget

It seems harder and harder to sync two different AD forests. First, we had the "almost free" Microsoft IIFP, which worked remarkably well. Then Quest released a series of free PowerShell scripts that would do the same thing. Unfortunately, since they got Dell'ed, those scripts are no longer free.

A customer recommended this jewel, though.  I need to give it a test drive sometime, but wanted to share.

A GALSync powershell script

Tuesday, November 11, 2014

Amazon EC2 instance problem: not accessible from the network

I had my first issue with Amazon EC2 this week. I rebooted a Windows Server EC2 micro instance and when it came back up, it was no longer accessible via RDP. I tried stopping it and starting it several times with no success. I found these instructions to fix the problem.

1. Stop your instance through the AWS console.

3. Right-click the instance in the management console and select Change Instance Type, choosing a type such as C3.*, R3.*, or I2.*. (This moves the instance to a different network platform. The public IP address will probably also change.)

4. Start the instance.

5. When the instance passes its health check, RDP to the instance.

7. Uninstall the AWS PV Driver Version 7.2.0 via "Programs and Features."

8. Reboot the machine when prompted by the uninstaller.

10. Reboot when prompted by the installer.

11. Run the script from step 6 again. This ensures that the issue stays corrected.

12. Stop the instance and change the instance type back to your previous type.

Monday, July 21, 2014

So long, little MEC v2, we hardly knew ye

To the excitement of many, two years ago Microsoft resurrected the Microsoft Exchange Conference.   To many in the Exchange server community, this represented a renewed focus on Microsoft's part towards providing top-notch information to the Exchange community.  Though I found the timing to be a bit suspect (after all, MEC had been gone for 10 years), it was a welcome resurrection even though, at the time, I was the speaker chair for the Penton Media Exchange Connections Conference.

Alas, nothing lasts forever and apparently MEC v2 is already being canned in favor of a bigger, better, more stupendous TechEd. The new event, now called Unified Microsoft Commercial Technology Event, will roll TechEd, MEC, the SharePoint Conference, and the Lync Conference into one.

I am disappointed in this latest devolution of Microsoft's conferencing strategy. Unfortunately, large conferences tend to have their sessions dumbed down a bit to a lower common denominator. Smaller conferences, like MEC or Connections, do allow for more detailed and specialized sessions. And, they allow for more interaction with the presenters and vendor subject matter experts.


Sunday, July 20, 2014

Change Auditor installation broke Exchange 2010 scripting

Last week, we finally got around to starting our Change Auditor for Exchange installation.  We had tested this pretty thoroughly in the lab, but had not yet put it in to production.  So, we picked an unused public folder server in our Disaster Recovery site.

We did not realize that the first Change Auditor for Exchange agent that gets installed also turns on a global setting that enables the Scripting Agent. Once enabled, admin scripts and SCOM scripts could no longer run. And, we use a lot of scripts for admin tasks.

If we had gone ahead and completed the Change Auditor agent installation on all servers, the problem would have been resolved.  But, since something was "broke" we halted the installation until we could figure out what had happened.

As a work around, we changed the ScriptingAgentConfig.XML file (see the above link) and disabled it on all other E2K10 servers.

Sunday, July 06, 2014

Mailbox storage: If you really don't like your users... give them what they ask for...

Mailbox storage has always been a sore spot with me. Regardless of how often you remind users to manage their mailbox, they want to hold on to almost everything. But, I get this... I often refer back to email conversations that I had 2 or 3 years ago. Email is an extension of my brain/memory.

In my user community, we have users that regularly receive 1.0GB of email per month.  PPTs, PDFs, documents, spreadsheets, images, audio, newsfeeds, you name it, they get it.  And, they keep it.

Years ago, our users complained loudly that they did not like having mailbox storage limits. Management heard their screams and told us to raise the storage limits, so we adopted Enterprise Vault and essentially gave our users a "bottomless mailbox." Vault comes through and archives anything older than 30 days.

Normally, they don't let me anywhere near end users because I don't have a filter.... but over the past 2 years I have spoken to a lot of our user community.  And, they have resoundingly said "we hate Enterprise Vault" and "give us a larger mailbox and then just let *us* decide when we delete something or if we keep it."

So, our newest email platform now provides each user with a 2GB mailbox and a 10GB personal archive.  Within 6 months, some of our users had already exceeded these limits and more exceed them every day. 

And, you guessed it...  they want a way for "the vault to archive their older stuff".


Wednesday, June 11, 2014

OWA for Android App

Very cool! Microsoft released today an OWA for Android app. It is still in pre-release, so all of you early adopters out there can expect a few bugs. And, of course, if you have been following the OWA apps for mobile devices, there is the caveat that it is only available for Office 365 for Business customers. ;-( So, more bait to get people to move to Office 365.

Tuesday, June 10, 2014

Show pictures in the Exchange 2010 OWA GAL

Thanks again to Lee Derbyshire

How To Show GAL Pictures For Internal Emails In Exchange 2010 Outlook Web App

Moving Exchange database or defrag'ing Exchange database

I still see these questions asked pretty frequently:

1) I need to defrag/compact my Exchange 2007 / 2010 / 2013 database. What is the best way to do that?
2) I need to move my databases to a new disk. What is the best way to do that?

If you have the free disk space, by and large the best way to defrag or move data is to just create a new database on the new disk. Then, use the New-MoveRequest cmdlet to move the mailboxes over. This takes a bit longer but it also minimizes downtime and customer annoyances. And, in the case of a defrag, it minimizes risk to the database file.

Automated user provisioning - Savior or Satan?

Over the past 10 years, more and more medium and large corporates have embraced user account and group provisioning systems as part of their identity management strategy. In this article, Why Provisioning Should Move Away from IT, Dell/Quest advocates moving the provisioning process away from IT entirely. (Well, that would be almost impossible, but at least get the "process" if not the technology away from IT.)

My own organization embraced a fairly customized version of Microsoft's Forefront Identity Manager (FIM) as our provisioning system. It integrates with our PeopleSoft system as well as a number of other databases to provide a unified identity picture.

We have about 1 1/4 full time Microsoft Consulting Services employees on staff that help us maintain this behemoth, another almost full-time contractor, and another almost full-time employee that helps operate the system.  For 45,000 user objects, I'd estimate we spend about $750,000 per year in labor to maintain this.

The system is always a few generations behind where we need it to be. Feature requests are generally a year to three years behind in integration and implementation. (Partly because of some... "mishaps", our management is so gun-shy about anything to do with this platform that doing nothing is their IM strategy.)

Meanwhile, the system works reasonably well for only about 75% of our employees/contractors, since our PeopleSoft system maintains data only for employees and not for many contractors. So, our help desk still manually provisions many user accounts and groups. And, our PeopleSoft system often spits out phone numbers in formats that are not usable by UC "dialer" links or software. So, dial links in Lync are useless. And, our HR department refuses to update their system to accommodate us.

I'd guess that this platform actually costs us *more* than a manual provisioning system.  Sometimes, there is a reason why there is "no school like the old school."

If you are considering an automated user provisioning system, I strongly recommend going through as many different use cases as possible. Not just your full time employees, but look at temps, short term contractors, long term contractors, VIPs, etc... Go through your proposed IM system and look at all of these use cases and determine if the workflows are going to accommodate them. And, if not, how many users fall outside of the "automated" boundary and how are you going to take care of them?

Monday, June 09, 2014

AssociatedItemCount versus ItemCount

Recently, one of my "Yes, but show me the TechNet article to prove it" co-workers asked me about the difference between the AssociatedItemCount and ItemCount properties in Exchange 2010 (and, of course, 2007 and 2013) when looking at mailbox and public folder statistics. (We all have one of these co-workers, don't we?)

ItemCount reflects the total number of actual, viewable mail/calendar/contact/etc... items in the folder.  Anything the user sees in the folder or mailbox.

AssociatedItemCount is the count of the "hidden" objects associated with a folder or mailbox, including rules, forms, form types, admin info, moderation information, views, auto-complete items, categories, etc...

Here are the relevant passages in the scripture. 
MSDN Folder Associated Information
MSDN Content Tables
MSDN Folder-Associated Information Tables

Saturday, June 07, 2014

Goodbye Sitemeter

I have been using Sitemeter for years to provide a simple visit counter and reports for some of my web sites. Recently, I noticed that sometimes my Ithicos site was loading slowly and the browser was going to a lot of sites that I *know* I don't have links to.

This includes:

Apparently, Sitemeter has been bought by the same ad-ware intensive company that bought MySpace.  And, now the script that you embed on your web site for the Sitemeter is also going out and establishing connections and setting cookies for all of these other sites.

I not only found that it is setting these cookies and establishing these connections, but it is also REDIRECTING my site to an "ad" page, and my site visitor has to click the "Return to Original Site" link.

Goodbye Sitemeter!

Tuesday, June 03, 2014

Marriott Destinations Club Members

If you are a Marriott Destinations Club member, I just found a cool trick.  If you are short on points for the year, you can Buy or Rent Marriott Destinations Points.  Technically, this is called "renting" because you only get the "one time" use of the points for a particular, but it is very cool.  It allows a lot of flexibility for those that want to add some points some years to their portfolio without going back and purchasing permanent points.  The site lets you find DC owners that have extra points and want to "sell" them.  They usually sell for about $0.45 to $0.60 per point.

Wednesday, May 21, 2014

Outlook 2007: Are you longing for a way to see GAL photos?

I think showing people's photos in the Global Address List is a great way to improve collaboration between employees.  Especially in medium or large businesses or in businesses that are geographically dispersed.  It adds a nice, friendly, personal touch to email. 

If you are still stuck on Outlook 2007, good news!  There is an Outlook 2007 Social Connector add-on.

Monday, May 05, 2014

Easiest thing I have done this spring.... Kemp Load Balancer

I have to say, setting up a Kemp Load Balancer to front-end 2 Exchange 2010 servers was just about the easiest thing I have done this year. Set up the hardware, registered the device with Kemp, loaded up an Exchange 2010 template, and configured the two virtual servers. First time I had done this. It took a bit more than an hour from the time we pulled it out of the box until it was done. Nice!

Tuesday, April 08, 2014

Usage of higher MX records

I recently noticed something that at first seemed a bit weird. A company had transitioned to an external email hygiene service but left their old MX record in place with a higher preference (cost) value, so their MX records looked like this (I shortened the text a bit): MX=10, MX=10, MX=20.

We noticed that a lot of email was still coming directly into (their old gateway).

According to the RFCs, the sending SMTP transport is supposed to always pick the lowest-preference MX record first and only move to a higher one if the lower ones fail. But, we were seeing a different behavior.

After some additional analysis, we found that only spam and malware were coming in to the MX record of 20. After some discussion with some colleagues, I found out that spammers will intentionally do this in hopes of finding backdoors or SMTP paths into your system with less security or message hygiene in place.

Ideally, once you start using an external provider, you should remove your old MX records, get the IP addresses the provider sends from, and block everyone else's TCP port 25 at your firewall so that spammers can't find you by port scans.

Monday, March 31, 2014

Forms based authentication and anonymous folders

I have sometimes seen weird issues with forms-based authentication. On the logon form, the images do not show up and the text and other information does not line up correctly. The images are in the .\images folder and the style sheet is in the .\styles folder.

Turns out, this is by design: forms-based authentication is enabled and the <authorization> section specifies that anonymous users are denied access.

      <authorization>
          <deny users="?" />
          <allow users="*" />
      </authorization>

I found a lot of discussion threads indicating that <location> could be used with the path option to specify a path that could be accessed anonymously. But, I found conflicting information. One poster said you could only have ONE <location> tag. However, upon testing it, I found that you can indeed have 2 different <location> tags. See below.

    <!-- These location tags make the styles and images folders accessible before logon, so the logon page and logo display correctly. Each <allow> must sit inside its own <system.web><authorization> block, and each <location> must be closed. -->
    <location path="styles">
        <system.web><authorization><allow users="*"/></authorization></system.web>
    </location>
    <location path="images">
        <system.web><authorization><allow users="*"/></authorization></system.web>
    </location>

I put these inside the <configuration> tag of the web.config file, near the bottom. This seems to clear up the issues.

Saturday, February 01, 2014

Exchange 2013 Architecture Poster

Microsoft just released a PDF version of their Exchange Server 2013 Architecture Poster.  Free to download.

Tuesday, December 17, 2013

Convert OST file to PST file

I still see questions in the forums from time to time where someone is asking if it is possible to convert an OST file to a PST file.  This is usually due to a mailbox being deleted, but the OST file remains.

Microsoft does not provide any mechanism to convert an OST file to a PST file.  However, if you can open up the OST file when you open Outlook, you can create a new PST file and just export email to it or drag-and-drop items in to the PST file.

There are a few third party tools that will do this, but I have not tested any of them.

Sunday, December 15, 2013

.NET Framework 4 application issues on fresh Windows 2008 R2 installation

A bit of frustration with Windows Server 2008 R2 and the .NET Framework 4.0. Even if you use the Add-WindowsFeature Application-Server option to add the .NET Framework, the 4.0 Framework may not be properly registered with IIS. This seems to be true when you install the 4.0 Framework first and only later add the Web-Server and Application-Server options to Windows.

I installed the prerequisites, then installed my 4.0 Framework application and got this error:

HTTP Error 500.21 - Internal Server Error

Handler "PageHandlerFactory-Integrated" has a bad module "ManagedPipelineHandler" in its module list

This implies that the ASP.NET managed handler is incorrect, but in reality the 4.0 Framework is not properly registered.

Open up a command prompt as an administrator, then change to this folder:

Run this command:
aspnet_regiis.exe -iru 

There are a couple of different installation/registration options for aspnet_regiis.exe, but the -iru option is the safest since it only registers the 4.0 Framework and does not change/update any existing applications or web sites. That is helpful if you have web applications that are still using the 2.0 Framework.

Sunday, December 08, 2013

Ithicos Solutions Customer Survey

If you are a customer of Ithicos Solutions and use our Active Directory self service tools such as Directory Update, Directory Manager, Directory Search, and/or Directory Password products, we would like your feedback:

Ithicos Solutions survey

This survey should take no more than 5 minutes to complete and will help us determine better ways to support you in the future. The survey is completely anonymous, but you can leave your email at the end for a chance to win an Amazon gift card.


Saturday, December 07, 2013

Convert user mailbox to linked mailbox in Exchange 2010

A few weeks ago, someone enabled the user accounts for a bunch of our Exchange 2010 linked mailboxes. One of the workflows in our FIM system saw this as an indication that they should be user mailboxes rather than linked mailboxes and thus converted them all from linked mailboxes to user mailboxes.

I did a bit of research and was somewhat heartbroken to find this TechNet article

This article implied that converting user mailboxes back to linked mailboxes was not possible using the EMC. 

After a bit more research and an email from Jason Sherry, I fortunately found out this article is wrong.  (I'm hoping Microsoft updates this.)

It is pretty simple to convert a user mailbox with E2K10 SP2 or E2K10 SP3 back to a linked mailbox.

Set-User <userID> -LinkedMasterAccount  AccountDomain\UserID  -LinkedDomainController AccountDomainControllerFQDN

Here is an example:

Set-User jim -LinkedMasterAccount Contoso\Jmcbee -LinkedDomainController dc01.contoso.local


Monday, November 25, 2013

Search Exchange for credit card or social security numbers

A question came up recently at a customer site about how they could search their Exchange mailboxes for email messages that contain credit card numbers.  (This is prohibited by their company policy, but they still find credit card numbers occasionally.)   Almost immediately after that, someone on a newsgroup asked if it was possible to search all mailboxes using Exchange Server 2010 or 2013 eDiscovery tools for social security numbers.

While searching for text or numerical patterns, such as "XXXX XXXX XXXX XXXX" or XXX-XX-XXXX, is a piece of cake for some search engines using regular expressions (RegEx), this is not possible with Exchange eDiscovery tools. I should note that you can do some pattern matching using transport rules, so it is possible to intercept messages in transit, but not at rest. So, if you are looking for data that is already in your database, then you are somewhat out of luck. At least "out of the box".

Sherpa Software's Discovery Attender does, however, do more complex pattern matching.

Tuesday, July 30, 2013

Update to Exchange 2013 CU2

Microsoft has released an update to Exchange 2013 CU2 that fixes an issue with public folder permissions.  Check the build number if you have recently deployed.  The build number for the new release should be 712.24.  See Microsoft KB2859928 for more information.

Thursday, July 25, 2013

ResolveP2 headers in Exchange 2010 and 2013

Exchange 5.5, 2000, and 2003 had a feature called ResolveP2 headers.  Essentially, it allowed Exchange to accept an inbound message, inspect the sender's SMTP address (or other type of address back in the olden days) and if the address was associated with an object in the Global Address List / Active Directory, then replace the sender's address with the name from the GAL.

For example, if the email was sent from, but you had a mail-enabled contact or mail-enabled user in GAL with that SMTP address, it would resolve the name and the From would instead say "Snuffy Smith" or whatever the display name was.   You can read more about this feature from the olden days in this blog by David Lemson: 
ResolveP2, RerouteViaStore, and its equivalent in Exchange 2003

This feature was turned off by default to keep spammers from sending "reputable" looking mail by trying to make a message look like it came from a valid internal sender.

Recently, we were trying to figure out how to turn this back on due to an ongoing migration. We needed the senders in DomainX to be resolved properly to GAL objects when they sent to DomainY.

The ResolveP2 feature does not exist in Exchange 2010 (and 2013).  Exchange will only resolve the sender's address to a GAL object if the message comes from an authenticated or trusted source.

You can duplicate this functionality in Exchange 2010 / 2013 with a receive connector that is configured to allow relay and, on the Authentication properties, includes the "Externally Secured" option.

Bharat Suneja has an excellent article on how to do this.
How To Allow Relaying in Exchange 2010 and Exchange 2007 

Once you have set up the relay receive connector, add the sending system's IP addresses to the authorized source IP addresses.

Take care with this feature because you can inadvertently allow people to relay through your system which will inevitably add you to block lists, get you in trouble with your ISP, and bring about plague-o-locust across the land.  Anyone that sends through this particular receive connector will have these rights.


Friday, July 19, 2013

Exchange 2013 CU2 - OWA Forms Based Authentication automatically enabled

I think most people automatically use OWA Forms Based Authentication (FBA) for web mail, but in some cases you may have just Basic or Integrated Windows Authentication enabled.

Some people have been reporting that even though FBA is disabled in their environment, once they update to E2K13 CU2, the logon form is displayed rather than using Basic or IWA.

If you check the OWA virtual directory properties, the FormsAuthentication form option is set to "False", yet the FBA form still appears. 
Get-OwaVirtualDirectory | FL forms*,basic*
FormsAuthentication : False
BasicAuthentication : True

This happens because when CU2 is installed, it replaces the existing web.config file with a new one that has FBA enabled. This is easy to fix, though.

Simply "enable" and then "disable" FBA on your OWA virtual directories. 

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -FormsAuthentication $True
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -FormsAuthentication $False 

This should reset FBA back to off.

For more information, see this KB article "The FBA page is displayed when a user accesses OWA or ECP to log on to Exchange Server 2013"

Thursday, July 18, 2013

OWA for the iPad and iPhone for Office365 users

If you are on Office365, this should be some good news.  Microsoft has released Outlook Web App for the iPad and iPhone.  They are available for download from the Apple App Store.  Unfortunately, this seems to be only for Office365 users rather than on premises users.

Thursday, July 11, 2013

Exchange 2013 RTM CU2

Microsoft released Exchange 2013 RTM CU2 this week. Cumulative Update 2 includes a number of bug fixes and product improvements. Some important notes: the RBAC roles have been updated (so test thoroughly) and the AD schema will need to be updated.

See Ross Smith IV's EHLO blog posting on Exchange 2010 RTM CU2.