Thursday, August 27, 2015

SANS Institute - Thanks for nothing

Wow! I don't think I have ever encountered a more disorganized, inflexible organization than the SANS Institute. Thanks to the burden of moving, I called in 4 days after an exam period had expired. It took 10 days, 5 different people, 4 emails, and 7 phone calls to get an answer, and then they flat-out refused to extend the exam time period. Lots of excuses and finger pointing. #fail #sansinstitute #sans

Monday, December 15, 2014

GALSync on a budget

It seems harder and harder to sync two different AD forests.  First, we had the "almost free" Microsoft IIFP, which worked remarkably well. Then Quest released a series of free PowerShell scripts that would do the same thing.  Unfortunately, when they got Dell'ed, those scripts were no longer free.

A customer recommended this jewel, though.  I need to give it a test drive sometime, but wanted to share.

A GALSync PowerShell script

Tuesday, November 11, 2014

Amazon EC2 instance problem: not accessible from the network

I had my first issue with Amazon EC2 this week.  I rebooted a Windows Server EC2 micro instance and when it came back up, it was no longer accessible via RDP.  I tried stopping it and starting it several times with no success.   I found these instructions to fix the problem.

1.  Stop your instance through the AWS console.

3.  Right-click the instance in the management console and select Change Instance Type, choosing a type such as C3.*, R3.*, or I2.*  (This upgrades the instance to a different network platform.  The public IP address will probably also change.)

4.  Start the instance.

5.  When the instance passes its health check, RDP to the instance.

7.  Uninstall the AWS PV Driver Version 7.2.0 via "Programs and Features."

8.  Reboot the machine when prompted by the uninstaller.

10.  Reboot when prompted by the installer.

11.  Run the script from step 6 again. This ensures that the issue stays corrected going forward.

12.  Stop the instance and change the instance type back to your previous instance type.

Monday, July 21, 2014

So long, little MEC v2, we hardly knew ye

To the excitement of many, two years ago Microsoft resurrected the Microsoft Exchange Conference.   To many in the Exchange server community, this represented a renewed focus on Microsoft's part towards providing top-notch information to the Exchange community.  Though I found the timing to be a bit suspect (after all, MEC had been gone for 10 years), it was a welcome resurrection even though, at the time, I was the speaker chair for the Penton Media Exchange Connections Conference.

Alas, nothing lasts forever, and apparently MEC v2 is already being canned in favor of a bigger, better, more stupendous TechEd.  The new event, now called the Unified Microsoft Commercial Technology Event, will roll TechEd, MEC, the SharePoint conference, and the Lync conference into one.

I am disappointed in this latest devolution of Microsoft's conferencing strategy.  Unfortunately, large conferences tend to have their sessions dumbed down a bit to a lower common denominator.  Smaller conferences, like MEC or Connections, do allow for more detailed and specialized sessions.  And, they allow for more interaction with the presenters and vendor subject matter experts.


Sunday, July 20, 2014

Change Auditor installation broke Exchange 2010 scripting

Last week, we finally got around to starting our Change Auditor for Exchange installation.  We had tested this pretty thoroughly in the lab, but had not yet put it into production.  So, we picked an unused public folder server in our Disaster Recovery site.

We did not realize that the first Change Auditor for Exchange agent that gets installed also enables a global setting that enables the Scripting Agent.  Once enabled, admin scripts and SCOM scripts could no longer run.  And, we use a lot of scripts for admin tasks.

If we had gone ahead and completed the Change Auditor agent installation on all servers, the problem would have been resolved.  But, since something was "broke" we halted the installation until we could figure out what had happened.

As a workaround, we changed the ScriptingAgentConfig.XML file (see the above link) and disabled it on all other E2K10 servers.

Sunday, July 06, 2014

Mailbox storage: If you really don't like your users... give them what they ask for...

Mailbox storage has always been a sore spot with me.  Regardless of how often you remind users to manage their mailbox, they want to hold on to almost everything.   But, I get this... I often refer back to email conversations that I had 2 or 3 years ago.  Email is an extension of my brain/memory.

In my user community, we have users that regularly receive 1.0GB of email per month.  PPTs, PDFs, documents, spreadsheets, images, audio, newsfeeds, you name it, they get it.  And, they keep it.

Years ago, our users complained loudly that they did not like having mailbox storage limits.  Management heard their screams and told us to raise the storage limits, so we adopted Enterprise Vault and essentially gave our users a "bottomless mailbox."   Vault comes through and archives anything older than 30 days.

Normally, they don't let me anywhere near end users because I don't have a filter.... but over the past 2 years I have spoken to a lot of our user community.  And, they have resoundingly said "we hate Enterprise Vault" and "give us a larger mailbox and then just let *us* decide when we delete something or if we keep it."

So, our newest email platform now provides each user with a 2GB mailbox and a 10GB personal archive.  Within 6 months, some of our users had already exceeded these limits and more exceed them every day. 

And, you guessed it...  they want a way for "the vault to archive their older stuff".


Wednesday, June 11, 2014

OWA for Android App

Very cool!  Microsoft released today an OWA for Android app.  It is still in pre-release, so all of you early adopters out there can expect a few bugs.  And, of course, if you have been following the OWA apps for mobile devices, there is the caveat that it is only available for Office 365 for Business customers.  ;-(    So, more bait to get people to move to Office 365.

Tuesday, June 10, 2014

Show pictures in the Exchange 2010 OWA GAL

Thanks again to Lee Derbyshire

How To Show GAL Pictures For Internal Emails In Exchange 2010 Outlook Web App

Moving Exchange database or defrag'ing Exchange database

I still see these questions asked pretty frequently:

1)  I need to defrag/compact my Exchange 2007 / 2010 / 2013 database.  What is the best way to do that?
2)  I need to move my databases to a new disk.  What is the best way to do that?

If you have the free disk space, by and large the best way to defrag or move data is to just create a new database on the new disk.  Then, use the New-MoveRequest cmdlet to move the mailboxes over. This takes a bit longer, but it also minimizes downtime and customer annoyances.  And, in the case of a defrag, it minimizes risk to the database file.

Automated user provisioning - Savior or Satan?

Over the past 10 years, more and more medium and large corporates have embraced user account and group provision systems as part of their identity management strategy.  In this article, Why Provisioning Should Move Away from IT, Dell/Quest advocates moving the provisioning process away from IT entirely.  (Well, that would be almost impossible, but at least get the "process" if not the technology away from IT.)

My own organization embraced a fairly customized version of Microsoft's Forefront Identity Manager (FIM) as our provision system.  It integrates with our PeopleSoft system as well as a number of other databases to provide a unified identity picture.

We have about 1 1/4 full time Microsoft Consulting Services employees on staff that help us maintain this behemoth, another almost full-time contractor, and another almost full-time employee that helps operate the system.  For 45,000 user objects, I'd estimate we spend about $750,000 per year in labor to maintain this.

The system is always a few generations behind where we need it to be.  Feature requests are generally a year to three years behind in integration and implementation.  (Partly because of some... "mishaps", our management is so gun-shy about anything to do with this platform that doing nothing is their IM strategy.)

Meanwhile, the system works only partially well, and only for about 75% of our employees/contractors, since our PeopleSoft system maintains data only for employees and not for many contractors.  So, our help desk still manually provisions many user accounts and groups. And, our PeopleSoft system often spits out phone numbers in formats that are not usable by UC "dialer" links or software.  So, dial links in Lync are useless.  And, our HR department refuses to update their system to accommodate us.

I'd guess that this platform actually costs us *more* than a manual provisioning system.  Sometimes, there is a reason why there is "no school like the old school."

If you are considering an automated user provisioning system, I strongly recommend going through as many different use cases as possible.  Not just your full-time employees, but look at temps, short-term contractors, long-term contractors, VIPs, etc...  Go through your proposed IM system and look at all of these use cases and determine if the workflows are going to accommodate them.   And, if not, how many users fall outside of the "automated" boundary, and how are you going to take care of them?

Monday, June 09, 2014

AssociatedItemCount versus ItemCount

Recently, one of my "Yes, but show me the TechNet article to prove it" co-workers asked me about the difference between the AssociatedItemCount and ItemCount properties in Exchange 2010 (and, of course, 2007 and 2013) when looking at mailbox and public folder statistics.  (We all have one of these co-workers, don't we?)

ItemCount reflects the total number of actual, viewable mail/calendar/contact/etc... items in the folder.  Anything the user sees in the folder or mailbox.

AssociatedItemCount counts the "hidden" objects associated with a folder or mailbox, including rules, forms, form types, admin info, moderation information, views, auto-complete items, categories, etc...

Here are the relevant passages in the scripture. 
MSDN Folder Associated Information
MSDN Content Tables
MSDN Folder-Associated Information Tables

Saturday, June 07, 2014

Goodbye Sitemeter

I have been using Sitemeter for years to provide a simple visit counter and reports for some of my web sites.  Recently, I noticed that my Ithicos site was sometimes loading slowly and the browser was going to a lot of sites that I *know* I don't have links to.

This includes:

Apparently, Sitemeter has been bought by the same ad-ware intensive company that bought MySpace.  And, now the script that you embed on your web site for the Sitemeter is also going out and establishing connections and setting cookies for all of these other sites.

I not only found that it is setting these cookies and establishing these connections, but it is also REDIRECTING my site to an "ad" page, and my site visitors have to click a "Return to Original Site" link.

Goodbye Sitemeter!

Tuesday, June 03, 2014

Marriott Destinations Club Members

If you are a Marriott Destinations Club member, I just found a cool trick.  If you are short on points for the year, you can Buy or Rent Marriott Destinations Points.  Technically, this is called "renting" because you only get the "one time" use of the points for a particular, but it is very cool.  It allows a lot of flexibility for those that want to add some points some years to their portfolio without going back and purchasing permanent points.  The site lets you find DC owners that have extra points and want to "sell" them.  They usually sell for about $0.45 to $0.60 per point.

Wednesday, May 21, 2014

Outlook 2007: Are you longing for a way to see GAL photos?

I think showing people's photos in the Global Address List is a great way to improve collaboration between employees.  Especially in medium or large businesses or in businesses that are geographically dispersed.  It adds a nice, friendly, personal touch to email. 

If you are still stuck on Outlook 2007, good news!  There is an Outlook 2007 Social Connector add-on.

Monday, May 05, 2014

Easiest thing I have done this spring.... Kemp Load Balancer

I have to say, setting up a Kemp Load Balancer to front-end 2 Exchange 2010 servers was just about the easiest thing I have done this year.  Set up the hardware, registered the device with Kemp, loaded up an Exchange 2010 template, and configured the two virtual servers.   First time I had done this. It took a bit more than an hour from the time we pulled it out of the box until it was done.  Nice!

Tuesday, April 08, 2014

Usage of higher MX records

I recently noticed something that at first seemed a bit weird.   A company had transitioned to an external email hygiene service but left their old MX record in place with a higher cost value, so their MX records looked like this (I shortened the text a bit):

    MX=10
    MX=10
    MX=20

We noticed that a lot of email was still coming directly in to (their old gateway).

According to the RFCs, the SMTP transport is supposed to always pick the lowest MX record first and only move to a higher one if the lower ones fail.  But, we were seeing different behavior.

After some additional analysis, we found that only spam and malware were coming in to the MX record of 20.   After some discussion with some colleagues, I found out that spammers will intentionally do this in hopes of finding backdoors or SMTP paths into your system with less security or message hygiene in place.

Ideally, once you start using an external provider, you should remove your old MX records, get the IP addresses from which the provider sends, and block everyone else's TCP port 25 at your firewall so that spammers can't find you by port scans.
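The checks described above, as an added Python example that is not from the original post: it orders a constructed MX set the way the RFCs prescribe (lowest preference first), flags any MX host that is not the hygiene provider as a stale record to remove, and scans constructed gateway log lines for port 25 connections arriving from outside the provider's address ranges. All hostnames, address ranges and the log line format are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MxRecord:
    preference: int
    host: str


# Constructed MX set shaped like the one in the post: two hygiene-provider
# hosts at preference 10 and the old on-premises gateway left behind at 20.
MX_RECORDS = [
    MxRecord(20, "mail.example.com."),
    MxRecord(10, "mx1.hygiene-provider.example."),
    MxRecord(10, "mx2.hygiene-provider.example."),
]

# Constructed placeholder for the provider's published sending ranges; a real
# deployment takes these from the provider's documentation.
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def delivery_order(records):
    """Lowest preference first; equal preferences may be tried in any order,
    kept stable here so the result is predictable."""
    return [r.host for r in sorted(records, key=lambda r: r.preference)]


def stale_records(records, provider_suffix):
    """MX hosts that are not the hygiene provider. Legitimate senders never
    fall through to them while the provider is up, so they only attract
    senders that skip the lowest-preference records on purpose."""
    return [r for r in records if not r.host.rstrip(".").endswith(provider_suffix)]


def bypass_connections(log_lines, provider_nets):
    """Scan constructed log lines 'src=<ip> dst_port=<port> ...' from the old
    gateway and return source IPs hitting port 25 from outside provider ranges."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dst_port") != "25":
            continue
        src = ipaddress.ip_address(fields["src"])
        if not any(src in net for net in provider_nets):
            hits.append(str(src))
    return hits


SAMPLE_LOG = [  # constructed sample, not from the post
    "src=203.0.113.7 dst_port=25 result=accepted",
    "src=198.51.100.23 dst_port=25 result=accepted",
    "src=192.0.2.99 dst_port=25 result=rejected",
    "src=198.51.100.23 dst_port=443 result=accepted",
]
```

Every address returned by bypass_connections is a sender that reached the gateway without passing through the hygiene service, which is exactly the traffic the port 25 firewall rule is meant to stop.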

Monday, March 31, 2014

Forms based authentication and anonymous folders

Sometimes I have seen weird issues with forms-based authentication.  On the logon form, the images do not show up and the text and other information does not line up correctly.  The images are in the .\images folder and the style sheet is in the .\styles folder.

Turns out, this is by design, because forms-based authentication is enabled and the authorization section specifies that anonymous users are denied access (in the <authorization> tag):

      <deny users="?" />
      <allow users="*" />

I found a lot of discussion threads indicating that the <location> could be used with the path option to specify a path that could be accessed anonymously.  But, I found conflicting information.  One poster said you could only have ONE <location> tag.  However, upon testing it, I found that you can indeed have 2 different <location> tags.  See below.

    <!-- These location tags specify that the styles and images folders are accessible before logon. This allows the logon page and logo to be displayed correctly. -->
    <location path="styles">
        <system.web><authorization><allow users="*"/></authorization></system.web>
    </location>
    <location path="images">
        <system.web><authorization><allow users="*"/></authorization></system.web>
    </location>

I put these inside the <configuration> tag of the web.config file near the bottom.  This seems to clear up the issues.