Friday, December 17, 2004
Thursday, December 16, 2004
The maximum amount of memory that Exchange can make use of is 4 GB (old news) but more interestingly is that the article recommends disabling the use of PAE (Physical Address Extension) on Enterprise and Datacenter versions of Windows with the use of the /nopae boot.ini switch (If using the /3GB switch) - as it puts unnecessary strains on the system.
New facts to me are the notes regarding the scalability of Exchange in terms of CPU's - on a 8 CPU system Exchange supposedly can fully utilize 900 MHz CPU's but it isn't able to utilize e.g. 8 1400 MHz Xeon CPU's (Unless you are running e.g. anti-virus products on the same boxes).
Wednesday, December 15, 2004
I would classify the content in these checklists as very good things-to-remember lists - as they by no means are complete. But they are indeed a good start when preparing the disaster recovery procedures and operational processes for an Exchange 2000/2003 deployment (and of course many of the checks on the lists could be implemented in e.g. MOM 2005 instead of doing it manually).
Sunday, December 12, 2004
If you do not have an existing IPSec policy, I recommend that you deploy this method right away. The easist deployment may be to do it with psexec or modify the script as ipseccmd.exe can take a server name as the first argument.
Friday, December 10, 2004
Microsoft just released a new paper on this. When running Microsoft® Exchange Server 2003 or Exchange 2000 Server in larger environments, the frequency of queries to the Active Directory® directory service can be very high. Exchange Server uses its directory access component to communicate with Active Directory domain controllers and global catalog servers to perform tasks such as e-mail address lookups, distribution group expansion, Microsoft Outlook® client proxy, and referral services. With such a heavy load being placed on domain controllers, Microsoft IT optimized the performance of Exchange when communicating with Active Directory by creating a new Active Directory site and isolating domain controllers and global catalog servers just for Exchange. Get it here.
Thursday, December 09, 2004
Microsoft has an article called Browsing the Web and Reading E-mail Safely as an Administrator - which actually refers to Aaron's blog :). The article has a DropMyRights utility, which is able to remove your permissions while starting an application. This is also a useful approach - e.g. run Internet Explorer and Outlook with lower permissions.
Finally, there is work-around of how to start Windows Explorer as another user from runas - Aaron again. I used to start iexplore.exe to do this trick, but it seems that if only you start it with the /root argument, it will start in its own instance. Read about that here. You can also read about a useful toolbar, that shows the current credentials.
Tuesday, December 07, 2004
Currently, there are no known incidents - and maybe WINS servers are too few worth attacking. If you do not implement one of the suggestions - after you have considered the situation carefully - at least follow the situation in the press and be ready to take action.
It goes beyond this posting to describe the complete list of functionality changes and updates in SP1 but its sure that as consultants and system administrators we are most eagerly awaiting the release of the Security Configuration Wizard that promises to deliver role based lockdown of servers including the ability to -
• Disable unnecessary services.
• Disable unnecessary IIS Web extensions.
• Block unused ports, including support for multi-homed scenarios.
• Secure ports that are left open using IPSec.
• Reduce protocol exposure for Lightweight Directory Access Protocol (LDAP), LAN Manager, and server message block (SMB).
• Configure audit settings with a high signal-to-noise ratio.
Furthermore it uses an extensible XML knowledge base, which lets administrators import existing Windows security templates and lets developers extend the SCW to handle new user defined roles.
You can get access to the SP1 Technical Preview Program and the bits here - so while waiting for the final version of the SP1 - go ahead and test/play with the RC version ;-)
Furthermore Microsoft is kicking off a series of Windows Based Hosting Webcasts with the Experts from the Hosting Solutions Unit at Microsoft -
See live demonstrations of technical best practices on the full range of Windows-based Hosting topics, including interactive presentations, product overviews, and question-and-answer sessions. Each Webcast session will be hosted by one of the Windows-based Hosting Solutions program managers discussing how-to technical best practices and thought-provoking business perspectives.
Especially the "Active Directory Guidance for Hosting Service Providers" webcast looks interesting and this time they done something really friendly to us Europeans with 3 timeslots (Based on timezones) for each webcasts (Thanks MS - maybe I'll finally manage to see one of these webcasts ;-)
Saturday, December 04, 2004
We've already been mentioned on the MS Exchange blog (Thanks Chris ;-) and also our favorite MS bloggers at You Had Me At EHLO... has created a link to our blog (Check the front page under "Other Exchange Blogs") - so now we have decided to remove the "experimental" word from our about box, 'cause Per and I have decided to continue posting and enhancing the content and features of this blog.
Personally I'm finally back from my paternity leave (See my daughter Ida here) and will be back with more info on Exchange, IMF and ISA and updates to some of the topics I've been posting earlier (use our Atom Site Feed for subscription to new/updated posts) .
Per will continue to cover his main areas - from security, networking, AD over to management (MOM 2005 and SMS 2003).
Thursday, December 02, 2004
It also explains how to use the new SP1 OAB network bandwidth throttling option and how SP1 better handles mismatched SMTP addresses (Causing full instead of partial download on Pre-SP1 systems). Check it out here and don't miss out the add'l resources section in the appendix.
The KB has gone through several iterations in both KB 817379 and later KB 822177 and they were both withdrawn from the web. KB 817379 appearently has been updated and re-released - I don't usually memorize KB's but as I can remember the now only 23 step procedure has been updated with both an export and an import (new step) of the Virtual Directory and a new solution (Setting up an FE server) has been introduced (And E2K3 SP1 fixes some of the problems we had with the old solution).
Friday, November 26, 2004
Microsoft and Dell reports that Dell will deliver management software working with the Dynamic Systems Initiative (DSI) (what we in the real world call SMS and MOM). Read more at Dell Unites with Microsoft to Provide Better Management Solutions and at Dell, Microsoft make a patch pact for servers
Thursday, November 25, 2004
Tuesday, November 23, 2004
The current version version of WUS will of course update Windows (As SUS already does), but more interestingly it will also update Microsoft Office, Exchange and SQL (Including MSDE) and will in the "near future" also include other Microsoft products.
It will still leverage the BITS (Background Intelligent Transfer Service) platform but now in an updated version 2.0 (As does Windows Update v5) and much more interestingly it will now have the targeting and reporting features that we missed so much from SUS (making it much more applicable for other than small to medium organizations).
I've played a lot with the earlier versions of WUS and it's a big step forward - so go ahead download and test it so that you will be ready for the final release (Check out screenshots of WUS in this article).
Saturday, November 20, 2004
...files that are required for the package to install correctly on ISA Server 2000 Service Pack 1 (SP1) are missing. Additionally, the installer package included a setting that limited installation to Windows 2000 Service Pack 4 (SP4) only.
I haven't had the time to test this hotfix yet so do test the hotfix extensively (as always ;-) before applying it to your environment.
Friday, November 19, 2004
Wednesday, November 17, 2004
Saturday, November 13, 2004
Wednesday, November 10, 2004
Monday, November 08, 2004
Sunday, November 07, 2004
Friday, November 05, 2004
- Windows Services (Account Name)
- COM+ Applications (Identity)
- Task Scheduler (Run As)
- AT (Service Account)
- VDirs in IIS (Anonymous User & UNC User)
Tuesday, November 02, 2004
Saturday, October 30, 2004
Wednesday, October 27, 2004
Tuesday, October 26, 2004
Friday, October 22, 2004
Set /a 0x7a
Next step might be to convert it into an error message:
Net helpmsg 122
This can be done in a one-liner:
Set /a e=0x7a & (net helpmsg %e%)
Note the parenthesis – without, the e environment variable does not exist when net… is parsed by the interpreter. With parenthesis, it is treated like a separate line.
If you get an error number like -2147024891, you have to remove the upper 16 bits before you get the real error number:
set /a "-2147024891 & 0xffff"
Note that the quotes are necessary to treat & like a bit-wise and.
If you don't know the You had me at EHLO... blog i would suggest that you check it out - IMHO it's a must read for everyone working with Exchange.
Thursday, October 21, 2004
In Windows Server 2003, administrators can change the computer name of a Windows Server 2003 domain controller by using My Computer or Netdom.exe, but neither method renames the domain controller's corresponding NTFRSmember object for SYSVOL from the old computer name to the new computer name. The difference between a domain controller's NetBIOS name and the common name for its NTFRSmember object does not break any functionality until a new domain controller is promoted into the forest with the old NetBIOS name of the renamed domain controller. When this behavior occurs, the new domain controller deletes the existing (duplicate) NTFRSmember object and recreates a new NTFRSmember object for itself. The renamed domain controller that originally created the NTFRSMember object ends up without an NTFRSmember object.
Read the rest in this KB
Wednesday, October 20, 2004
I've just finished recovering a SBS 2003 Exchange installation from the results of an antivirus scanner which found a variant of Netsky in the e00.log file (The "working" log file in use by exchange, which will be renamed to Exxxxxxx when it reaches 5.120 KB) and deleted it - resulting in a dirty shutdown and an -1811 error from Exchange which prevents mounting the Store.
The person who installed it had excluded the catalogs containing the .EDB files but had forgotten to exclude the catalog where the log files resides - so when you configure this remember that the Exchange Stores and their log files can be placed in many different directories and also to exclude the SRS folder.
To make things worse the Anti-Virus client was configured to delete files instead of quarantining them (so I weren't able to recover the file) and the customers last backup was more than 5 days old. So I had to do a full repair of the databases (Luckily there wasn't any serious corruptions - it was primarily inconsistencies due to dirty shutdown and the missing log file).
This time I used the dial tone restore method, which starts by creating a blank database so all the users got access to e-mail (Sending and receiving new mail, not old e-mail or public folders), while I had the time to repair the old Information Stores and mounting them in a RSG for testing. Afhter this I switched the Dial tone Mailbox Store and the now repaired Mailbox Store around between the Storage Groups and ran Exmerge (The purpose of switching databases is that you retain all outlook rules etc. and just has to Exmerge the content of the smaller Dial tone Store into the older/repaired Store).
Check this page for 4 security best practices for Exchange - including info and links to articles on configuration of filebased antivirus scanners and what to do when everything has gone wrong.
Tuesday, October 19, 2004
Monday, October 18, 2004
Wouldn't it be great to be able to test new servers immediately, without formatting hard drives, using Virtual Something or dedicating one or more computers to the project? Now you can, with the TechNet Virtual Lab
Thursday, October 14, 2004
Microsoft has a reference at MSDN. But I know for sure, that it is not complete. Anyway, it is a good starting point.
Wednesday, October 13, 2004
Is Linus Torvalds secretly working for Microsoft? That sounds crazy until you consider that lately, the free operating system he created, Linux, has been helping Microsoft close deals.
Read the rest of this article. Beware of the annoying ads.
Interesting WebCast for those of you new to Hosted Exchange 2003 and/or those of you who have already created your own hosting solution based on Exchange 200x -
This Support WebCast discusses Windows-based Hosting, including Hosted Exchange 2003 ... Hosted Exchange 2003 enables service providers to offer flexible and scalable rich e-mail, messaging, and collaboration services to consumers, and to both small and medium businesses. Hosted Exchange is a tested, pre-engineered solution that is based on standard Microsoft server products ... The Support WebCast also reviews the important components of the solution and addresses common challenges in the hosting world. This includes multi-tenancy (address isolation between customers), automation and provisioning (creating new customers by using automation and without the RUS), client auto-configuration for Outlook by using RPC over HTTP, active user reporting, three-year CALs versus Service Provider Licensing Agreement, multiple services per hosted organization, and user namespace per organization.
Tuesday, October 12, 2004
As you may know (kb252398 and KB257341) you cannot grant dial-in access to a user simply by setting the msNPAllowDialin property on the user object in Active Directory. For some reason this attribute must be synchronized with information in the userParameters blob – sic!
Instead of chasing a way to make this happen, simply ask your Windows Server 2003 IAS server to ignore the dial-in attribute and stick to group membership or whatever you feel like. This is done by setting Ignore-User-Dialin-Properties on the remote access policy. For more information click here and read the section called Ignoring the dial-in properties of user accounts.
Saturday, October 09, 2004
Wednesday, October 06, 2004
... Our initial investigation has revealed that the vulnerability could allow an attacker to bypass authentication on a Web site running ASP.NET applications on Windows 2000, Windows 2000 Server, Windows Server 2003, Windows XP Professional by sending a malicious request to a Web server. This could allow an attacker to make changes to the content of a Web site, but would not allow the attacker to control the computer or run software on it.
... Microsoft is providing this prescriptive guidance in order to inform customers as quickly as possible about the vulnerability and information on how to prevent an attack. Microsoft is actively investigating the issue and plans to release additional guidance
Cool new tool from Microsoft – spotted at You Had Me At EHLO...
ADModify is a tool that was (and is still) developed and maintaned out of our Support Services (aka PSS) team, and was created to make it easier to modify / import / export objects in Active Directory in bulk .... ADModify.NET (v2.0) was written from the ground up using Visual C# .NET 2003. When benchmarked against its predecessor, it made the same modifications in less than half the time. Its new feature set allows administrators to bulk modify any AD attribute from any AD partition with almost limitless flexibility.
Microsoft released their Exchange Server Best Practices Analyzer tool to the web. The tool in different versions has been used for quite some time by PSS and is now subject to general availability. I can only recommend that you Download and start using the tool today on your own systems (its agentless) – it analyses more than thousand different parameters also including Active Directory and Exchange clustering. Check out the blog at You had me at EHLO… for more information on this exciting “new” tool.