Friday, December 15, 2006

Tip - Installing Communicator Mobile from Vista / WMDC

When launching Communicator Mobile on Vista RTM with Windows Mobile Device Center Beta 3 you get this message –

Current version of ActiveSync is not supported. Please install Microsoft ActiveSync 4.1 ….

The workaround is to create an administrative install of Office Communicator like this –

msiexec /a CommunicatorMobile_PPC50.msi

And then launch the PCinstaller.exe from e.g. C:\Microsoft\Communicator Mobile\Windows Mobile 5 PocketPC\Setup.

Wednesday, December 13, 2006

Negating PowerShell switch parameters

The example below should tell it all. Just copy it into a file, execute it and see the output.

set-psdebug -trace 1

# f1 is a normal function with a switch parameter
function f1([switch] $showOutput) {
    if ($showOutput.isPresent) {
        "f1 output"
    }
}

# f2 is a function with a switch parameter defaulted to present
function f2([switch] $showOutput=[switch]::present) {
    if ($showOutput.isPresent) {
        "f2 output"
    }
}

# f3 is a function with a switch parameter defaulted to true, this gives the same result
# as using [switch]::present
function f3([switch] $showOutput=$true) {
    if ($showOutput.isPresent) {
        "f3 output"
    }
}

# run f1, no output shown
f1

# run f1, show output
f1 -showOutput

# run f2, show output
f2

# run f2, show output
f2 -showOutput

# run f2, no output
f2 -showOutput:$false

# run f3, same behavior as f2
f3
f3 -showOutput
f3 -showOutput:$false

# Show the acceptable values for a switch parameter
f2 -showOutput:no
# f2 : Cannot convert value "System.String" to type "System.Management.Automation.SwitchParameter",
# parameters of this type only accept booleans or numbers, use $true, $false, 1 or 0 instead.
# At line:1 char:16
# + f2 -showOutput:n <<<< o

So what can this be used for? It is good for defaulting switches like WhatIf to true. This forces the user to enter -WhatIf:$false to get the destructive action executed.

Updated: Fixed typo, thanks John!
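
The WhatIf default described above, as an added example that is not part of the original post: a file clean-up function whose -WhatIf switch defaults to $true, so nothing is deleted until the caller passes -WhatIf:$false. The function name Remove-StaleFile, its parameters and the scratch files are assumptions made for the illustration.

```powershell
# Added example (not from the original post). Remove-StaleFile and the
# scratch folder below are hypothetical names used for illustration.
function Remove-StaleFile {
    param(
        [string] $Path,
        [int]    $OlderThanDays = 10,
        # Defaulted to present: the function only reports what it would delete
        # unless the caller explicitly negates the switch with -WhatIf:$false.
        [switch] $WhatIf = $true
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ChildItem -LiteralPath $Path |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # Forward the switch value; Remove-Item honours -WhatIf itself.
            Remove-Item -LiteralPath $_.FullName -WhatIf:$WhatIf
        }
}

# Constructed sample data: three files aged 1, 15 and 30 days in a scratch folder.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("stale-demo-" + [guid]::NewGuid().ToString("N"))
New-Item -ItemType Directory -Path $demo | Out-Null
foreach ($age in 1, 15, 30) {
    $file = New-Item -ItemType File -Path (Join-Path $demo "report_$age.txt")
    $file.LastWriteTime = (Get-Date).AddDays(-$age)
}

# Default call is a dry run: Remove-Item only reports what it would delete.
Remove-StaleFile -Path $demo
"Files after dry run: " + @(Get-ChildItem -LiteralPath $demo).Count

# Explicitly negated switch: the files older than the cutoff are really deleted.
Remove-StaleFile -Path $demo -WhatIf:$false
"Files after real run: " + @(Get-ChildItem -LiteralPath $demo).Count

# Clean up the scratch folder.
Remove-Item -LiteralPath $demo -Recurse
```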

Monday, December 11, 2006

Friday, December 01, 2006

RTC Client API's and Windows Vista

FYI there's a new post on the Unified Communications Group blog regarding the RTC API's. The main point is that they're not included in Vista, as they were in Windows XP. Furthermore, NetMeeting is deprecated in Vista and the following limitations apply -

The IM, Presence, Voice and Video functionality of the RTC 1.3 APIs work on Vista RTM. While audio and video quality are acceptable the quality level does not match what users using Communicator 1.0 have experienced in the past.
Application sharing and white boarding require Windows NetMeeting, which Vista has replaced with Windows Meeting Space so these features of the RTC 1.3 APIs will not function on Windows Vista.

Tuesday, November 28, 2006

FYI: RDP 6.0 Client for Windows XP released

MS has RTW'ed a RDP 6.0 client that supports the Vista/Longhorn features. You can find it here

Monday, November 27, 2006

Oxios ToDo list v6.11

As you may know, I'm very fond of the little software add-on I have on my Smartphone called Oxios ToDo List. Well, recently I updated to v6.10 and then v6.11 - but both versions gave me problems with the edit task view, so I felt a little disappointed. Finally, I decided to figure out what the problem was yesterday evening (a Sunday). I uninstalled the product completely and reinstalled it - no change. I attempted to find an older version - but without luck. And finally, I did what I should have done right away - I took some screen shots and sent a mail to Oxios.

It is now 10 Monday morning. I have already received an email from Oxios telling me what the problem was. I have tested the fix (an old file ToDo.exe.0409.mui was left over) and replied that everything works just fine.

This story just to say, that this kind of support deserves all the credit it can get :)

Friday, November 24, 2006

SANS Top-20 Internet Security Attack Targets

SANS just updated their yearly report. Good stuff to be oriented about and a must read for anyone working with security. Especially interesting is the fact that new - and most likely less mature - technologies like VoIP are being attacked. E.g. Asterisk, the soft-PABX, had four vulnerabilities reported! As always, keep up your defenses!

EV SSL Certificates

They used to be called High Assurance certificates but now the name seems to be Extended Validation (EV).

Anyway, according to this entry in the IE blog EV SSL Certificates are Coming in January. Let us hope this will improve the trust in the web by the common user.

Friday, November 17, 2006

Daemon tools 4.06 x86/x64 with full Vista support

FYI: Daemon tools has been released in a new version that fixes the problems with the old version of daemon tools on Vista (It couldn't install).

Vista available on MSDN

FYI: Vista is now available on MSDN and Office 2007 has been there a couple of days (Vista has also been available on the Volume Licensing site for a couple of days now).

I'm still dualbooting though as my Logitech Quickcam Notebook Pro Camera is missing drivers for Vista, some of my LCS utilities don't work in Vista and LiveMeeting still isn't too stable.

Tuesday, November 14, 2006

PowerShell RTM'ed

According to the keynote this morning at TechEd IT-Forum in Barcelona, Spain by Bob Muglia, PowerShell is ready for manufacturing as of today. Cool!

I just found that it went public in the PowerShell blog.

Friday, November 10, 2006

Give me the RTM bits now please !

I'm really frustrated here ... I use the RSS reader in Outlook 2007 Beta 2 TR and it stopped working a few days ago so I can't read my RSS feeds. I also run Vista RC2 (a.k.a. a legacy OS or at least a legacy build ;-) and knowing that both products have RTM'ed I don't want to fix the problem - I want the bits so I can reinstall my machine (or at least my dual boot Vista partition).

Even though I'm a member of the Office 2007 TAP and member of the Vista Beta I have to wait like everyone else for the release on my MSDN. What is this - don't you know who I am (If you do please send me an e-mail and Cc. my shrink) ... I WANT THE BITS NOW .... please ;-)

Anti-exploit in Vista

Read this Michael Howard article that focuses on explaining what Address Space Layout Randomization in Windows Vista is all about but also covers other security mechanisms. The whole idea is to make a system more unpredictable to the attacker, which makes an attack much harder to carry out. Hopefully, it will take a while before the bad guys catch up.

Thursday, November 02, 2006

Protocols used when accessing Sharepoint in Explorer View

I have always thought that accessing SharePoint in Explorer View used WebDAV to do the work. But that is not always the case. WebDAV is actually quite restricted in how it can be used: it is limited to port 80, and consequently it cannot be used with SSL either. So what is used instead? A protocol called FPRPC - FrontPage Server Extensions Remote Procedure Call. This protocol - designed before the standard WebDAV protocol was defined - is used in all other situations. How can you tell the difference? Well, WebDAV is a built-in network provider in Windows XP and you can map network drives to a WebDAV URL. Any Windows program can use WebDAV to access data. FPRPC, on the other hand, is a shared library used only by programs that take advantage of it, typically the Office products. Windows Explorer is able to use both protocols, and in Explorer View you can tell the difference by looking at how Windowish it looks: 3D icons and all the normal choices in the New menu signal WebDAV, while a flatter view is FPRPC (this may be different in Vista).

Find out more in the whitepaper - Understanding and Troubleshooting the SharePoint Explorer View.

Wednesday, October 25, 2006

Consolidating security events

Finally, a decent solution seems to appear in SCOM (System Center Operations Manager - got to learn those acronyms) for this.

I learnt it here.

Tuesday, October 10, 2006

Live Meeting Console fix for Vista

I'm regularly using Live Meeting and due to problems with stability on Vista / Office 2007 I always dual boot in to my XP for presentations etc. (Actually the only time I use XP since I switched to Vista during my summer vacation).

Microsoft has now released an update that fixes some of the problems with Vista / Office 2007. Find it here

Wednesday, September 27, 2006

PowerShell RC2 Released

Finally, the RC2 release is here. I haven't tried it yet but plan to do so soon - very soon.

You'll find it for XP x86 here.

Tuesday, September 19, 2006

How to plan for and deploy certificates in Live Communications Server 2005 Service Pack 1

One of my contacts at Microsoft, Shawn Mahan, who is an expert in PIC issues and many other LCS subjects is presenting a webcast on the use of certificates in LCS on Thursday, September 21, 2006 10:00 AM Pacific Time.

This Support WebCast discusses the purpose of certificates in Microsoft Office Live Communications Server 2005 and describes how to appropriately deploy certificates for common scenarios. These scenarios include Remote Access, multiple pools, Director or Access Proxy arrays, Microsoft Office Communicator Web Access, and public instant-messaging (IM) connectivity (PIC).

The use of certificates is often confusing to newcomers to LCS and Shawn is IMHO a very skilled Escalation Engineer, so if you are interested in the subject go watch his presentation here.

Monday, September 18, 2006

LCS 2005 Supportability Guide

Microsoft has released a new Supportability guide for Live Communications Server 2005.

This document identifies supported configurations for Microsoft® Office Live Communications Server 2005, Live Communications Server 2005 with Service Pack 1 (SP1), and Microsoft Office Communicator Web Access.

It includes all sorts of info, coexisting LCS with other applications, Certificates required, SQL versions support (Now including SQL 2005 SP1), topologies, clients supported and you name it. You can find it here.

Thursday, September 14, 2006

Office 2007 Beta 2 Technical Refresh has been released

Besides some (hopefully) useful updates, it also now supports Vista RC1

The update should be located here according to the Office Preview site and the mail I received from the Beta team, and indeed all the other Office products and the now separate download for "Save as PDF / XPS" can be found here, but if you want the Office 2007 System TR you need to look here. Notice the following warning before installing -

IMPORTANT: Please read the update documentation, referenced in the "To install this download" section on this page, BEFORE applying this Beta 2 Technical Refresh update. The documents list several steps that you must complete prior to installation to ensure a successful update. This is NOT a single click update.

Friday, September 08, 2006

CSTA and Reverse number lookup in Office Communicator

If you haven't worked with CSTA / 3PCC (Third Party Call Control) in Office Communicator, then Paul Robichaux has a nice write-up on how Office Communicator translates incoming phone numbers to contact information (Retrieved from the AD or WAB) and also includes some information on normalization of phone numbers (That usually is a big deal

It also includes a nice little tip on how to forcibly update the locally downloaded Address Book (If you are using this). See more at his post.

Using LCS 2005 with multiple domains

Over at the new UCG blog there's a post on how to support multiple domains in LCS.

It will tell you how to use autoconfiguration of Office Communicator (Using DNS not Group Policies) in a multi-domain environment and it shows you how to enable Enhanced Federation for your primary domain, while allowing for Direct Federation for "secondary" domains in your company using Subject Alternate Names in your certificates.

Read more at Configuring LCS 2005 w/ SP1 for Multiple Domains.

I'm currently investigating where/if we can buy commercial certificates for the Access Proxies that support Subject Alternate Names and whose Root CA's are part of the standard Windows Server 2003 list of Trusted Root CA's. I chatted with a customer representative at Verisign and the answer was a firm no, but after some discussion she told me that they would get back with further info. The last time I looked I couldn't find anyone, but I've been told that some Microsoft customers have been able to do so - I will be back with further info.

Thursday, September 07, 2006

Adding entries to visionapp Remote Desktop with PowerShell

Now that you have visionapp Remote Desktop as I wrote about, how do you easily populate it with all the servers you want? Easy! The configuration is stored as XML as one long string in the registry value hkcu\software\visionapp\vRD\Configuration. And as the registry and XML are native to PowerShell the choice was easy.

So here is my PowerShell script adding a test folder and a test connection -

# The registry key
$regkey = get-item 'HKCU:\software\visionapp\vRD'

# read the configuration value
$config = $regkey | get-itemproperty -name configuration

# save it to a file in %temp% - just in case (you can also use backup from the app)
$savedConfig = join-path $env:temp vRd.saved
$config.configuration > $savedConfig

# convert string to xml - cool huh!
$config = [xml] $config.configuration

# show part of the xml file
$config.get_DocumentElement()
# and drill down into the ConnectionsFolder
# (located by element name, assuming the configuration uses no XML namespace)
$connectionsFolder = $config.SelectSingleNode("//ConnectionsFolder")
$connectionsFolder

# Create a Folder xml element
$newfolder = $config.CreateElement("Folder")

# Set its name
$newfolder.SetAttribute("Name","Test folder")

# and add it as a child to the ConnectionsFolder
$connectionsFolder.AppendChild($newfolder)

# show the added folder
$newfolder

# Add some attributes - note that you can do this before or after
# adding the xml element - $newfolder is a pointer to the live value
$newfolder.SetAttribute("Description","Testing dude!")
# Link folder to a credentials GUID (I checked this beforehand)
# (attribute name assumed and GUID is a placeholder - uncomment and fill in your own value)
# $newfolder.SetAttribute("Credentials","<credentials-GUID>")

# Create a Connection xml element with some attributes
$newconnection = $config.CreateElement("Connection")
# (attribute name assumed, by analogy with the Folder element)
$newconnection.SetAttribute("Name","Test connection")

# Add it to the new folder
$newfolder.AppendChild($newconnection)

# dump folder as XML
$newfolder.get_outerxml()

# we have to do this several times, so a small function is easier
function addElement($xml,[string] $elementName, $elementText) {
    # create the element in the owning document and set its text
    $e = $xml.CreateElement($elementName)
    $e.set_InnerText($elementText)
    return $e
}

# these values must be child elements - not attributes - to the connection element

# note the double-parenthesis - the inner is used to call the addElement function
# and return the value to the appendChild method
$newconnection.appendChild((addElement $config "SmartCard" "false"))
$newconnection.appendChild((addElement $config "ResolutionX" "1024"))
$newconnection.appendChild((addElement $config "ResolutionY" "768"))
$newconnection.appendChild((addElement $config "AutoSize" "true"))
$newconnection.appendChild((addElement $config "Description" "Test server"))
$newconnection.appendChild((addElement $config "Printer" "false"))
# Take credentials from parent folder
$newconnection.appendChild((addElement $config "InheritCredentials" "true"))
$newconnection.appendChild((addElement $config "Credentials" "00000000-0000-0000-0000-000000000000"))
$newconnection.appendChild((addElement $config "SeparateWindow" "false"))
$newconnection.appendChild((addElement $config "Console" "false"))
$newconnection.appendChild((addElement $config "Serial" "false"))
$newconnection.appendChild((addElement $config "LocalDrives" "false"))
$newconnection.appendChild((addElement $config "Audio" "false"))
$newconnection.appendChild((addElement $config "Port" "3389"))

# dump again
$newfolder.get_outerxml()

# update configuration in registry
$regkey | set-itemproperty -name configuration -value $config.get_innerxml()

# folder and connection added!

PowerShell rocks! - did I mention that earlier...

A much better Remote Desktops

Remote Desktops - note the ending s - is a tool for collecting multiple Remote Desktop sessions in one console. I have used it a lot, but it has many drawbacks -
  • You cannot see whether you already have connected to a server or not
  • You have to change cached credentials for every entry
  • It sometimes crashes - especially after resume from hibernation (you learn the good old advice: When you have done so much work that you do not want to do it again, you save your data)
  • And perhaps most annoying - you cannot sort/move/reorganize the entries

I have tried to figure out, how to either reorganize the entries or generate a new console based on data held in Excel - but failed so far pursuing this path.

One of my customers pointed me to an alternative: visionapp Remote Desktop from the German company visionapp. I have used it for a while now - and all the drawbacks are gone.

Thank you very much visionapp!

Wednesday, September 06, 2006

LCS and Windows Server 2003 R2 known issue

As you might know Live Communications Server 2005 SP1 is now supported on Windows Server 2003 R2 and SQL Server 2005 SP1. Besides SQL 2005 SP1 it is also a requirement that you install the hotfix documented in KB911996 (Note the quirky installation procedure and that uninstall equals reinstall of LCS!!).

This time I was scripting the complete installation of LCS using LcsCmd and LCServer.msi (It's way easier to document, than "screenshooting" the GUI installation) and I also had a clustered SQL 2005 installation as a Backend Server.

After the installation I wanted to launch the LCS MMC on the Enterprise Edition front-end server, but it only presented me a window with the orange "Live Communications Server 2005" logo on top and a text in the middle "Live Communications Server 2005" - but no navigation pane.

I suspected it was either the scripted installation or SQL 2005 SP1 that was causing the problem, so this was where my troubleshooting efforts went. Two hours and a keyboard later I tried to open the MMC snap-in and manually add the Live Communications Server snap-in and voila, the navigation pane was back ;-)

I later chatted with one of my few contacts at Microsoft that really know LCS (You know who you are - and I'll keep my promise ;-) and was told that this was a "known issue", which they are investigating (Which is fine with me - since that means that my clustered SQL installation and installation scripts work as expected).

Interested in Network Bandwidth Usage of Audio/Video in Office Communicator !?

Then you should look at the NetMeeting Resource kit as the technologies used by Office Communicator 2005 are those offered by NetMeeting (Mainly H.323 and T.120). Chapter 4 also looks at the Firewall configuration and ports used by OC.

Friday, August 25, 2006

FYI - Vista Build 5536 / Pre-RC1 for x86 has been released - updated

I was looking for an x64 version of 5472 for my Acer (Knowing that RC1 is just around the corner, but I had some time to play while upgrading an Exchange cluster), but I just noticed that 5536 (RC1) is available for download (So far only for x86, I guess I will wait for the x64 version before proceeding with my Acer). UPDATE - No x64 edition of 5536 will be released according to

I have been using 5472 as my primary OS since it was released and I guess with RC1 that I will make the shift from dualboot to "single-boot" on my primary laptop (Dell Latitude D820) - with an XP installed on a Virtual PC / Virtual Server image.


I just noticed that RC1 of Internet Explorer 7 was released to the web -

  1. Technology Overview: Internet Explorer 7 RC1
  2. Internet Explorer 7 RC1 (ia64)
  3. Internet Explorer 7 RC1 (x64)
  4. Internet Explorer 7 RC1 (Windows Server 2003 SP1)
  5. Internet Explorer 7 RC1 (Windows XP SP2)

I "of course" use Vista as my primary OS by now, so I will have to wait for the soon-to-be released RC1 of Windows Vista.

You can check Paul Thurrott's review of RC1 here

Thursday, August 24, 2006

Would you like to integrate Asterisk with LCS ?

Then voipen has created a tutorial on how to do this -

This is a tutorial on how to setup calling to/from MS LCS 2005 using SER and Asterisk. In this case LCS is acting as the IM/Presence/VoIP server, SER converts protocols TCP2UDP and Asterisk is a SIP to ISDN gateway. This setup allows for outbound calls from Microsoft Office Communicator – OC to a normal telephone and inbound calls from a normal telephone to Microsoft Office Communicator - OC. This also allows you to access services provided by Asterisk such as Meetme Conferencing. You can also use Windows Messenger 5.1 instead of OC client.

You can find the tutorial here.

Thursday, August 17, 2006

Look & feel of msgoodies

We are playing a bit with the template used for msgoodies as we are preparing to move to a "Stretched" template and hopefully soon the updated version of Blogger (Check or, that better will serve larger postings and postings including code samples. It shouldn't affect our RSS readers, but our web readers probably need some "patience" with the look & feel of msgoodies.

Sorry for the inconvenience !

Friday, August 04, 2006

APOD Viewer v1

I love APOD - Astronomy Picture of the Day - as I'm privately quite interested in the universe and all that stuff. But I do not visit APOD daily, so once in a while I browse the site.

But, wouldn't it be nice to have a slideshow with the pictures?

Surprise! PowerShell to the rescue.

This script really shows the power of PowerShell. It has a web client, calculates dates and controls Internet Explorer. Give it a shot. If you make any clever changes, please post those as comments. I have a big wishlist myself, but this got me going.

function apod {
    param([int] $days=1) # show latest picture by default

    # create IE COM object
    $ie = new-object -com internetexplorer.application

    # create .net object
    $webclient = new-object system.net.webclient

    # base url of the APOD pages (assumed value)
    $baseurl = "https://apod.nasa.gov/apod/"

    # date manipulation
    $date = [datetime]::now
    $date = $date.AddDays(1) # start tomorrow as the loop starts by subtracting a day

    # You may have to press the window in the taskbar to make it appear
    $ie.visible = $true

    # An easy way to do a for loop - could have used for, but as said this is easier
    1..$days | % {

        # back one day
        $date = $date.AddDays(-1)

        # construct url
        $url=$baseurl+"ap" + $date.tostring("yyMMdd") + ".html"

        # get HTML page
        $html = $webclient.downloadstring($url)

        # Pick up the link the picture has - links to the high resolution version
        # I want to display
        # This is not idiot proof coding - but, hey, scripts are easy to change
        $html -match '<a href="([^"]*)">\W*<img'
        # get the value matching the pattern in parenthesis
        # (the link is relative, so prefix it with the base url)
        $imageurl = $baseurl + $matches[1]

        # show high resolution picture
        $ie.navigate($imageurl)

        # wait for IE to load picture
        while ($ie.busy) {sleep -s 1;"busy"}

        # give me 10 seconds to enjoy the picture
        sleep -s 10
    }

    # shutdown IE
    $ie.quit()
}

# wish list: load pictures overlapping (but keep presentation interval)
# wish list: include some kind of fancy transition
# wish list: pick out the explanation and present it in some way
# add our own...


An easier way to learn/use PowerShell

When I write PowerShell stuff, I end up typing a lot on the keyboard - and using command recall a lot. When you start doing complex things, that gets quite boring. An alternative is to have a work PS1 file, editing it with notepad (or another tool) and only recall the line that executes the PS1 file. In this way you 'only' have to ctrl-s, alt-tab, up arrow, return to execute the changes and then alt-tab back to make the next change. As I hate repeating the same actions over and over again - that is the reason I love making computers do just that - why not use PowerShell to help me? This is also an opportunity to use PowerShell for a real thing.

To do just that, I made these two functions -

function workpad {
    # remember the work file globally so execute-workpad can find it
    $global:workpad = "$env:temp\workpad.ps1"
    "Start workpad - execute with '. $workpad'"
    notepad $workpad
}

function execute-workpad {
    param([boolean]$executeFirst=$false)
    if ($executeFirst) {
        # no previous timestamp, so the first comparison fails and the file is executed right away
        $oldLastWriteTime=$null
    }
    else {
        $oldLastWriteTime=$(get-childitem $workpad).lastwritetime
        "Waiting for change.."
    }

    while ($true) {
        $lastWriteTime=$(get-childitem $workpad).lastwritetime
        if ($lastWriteTime -eq $oldLastWriteTime) {
            start-sleep -s 1
        }
        else {
            "File changed - executing"
            . $workpad
            # remember the timestamp so the file only runs again after the next save
            $oldLastWriteTime=$lastWriteTime
            "Waiting for change.."
        }
    }
}

So now it is just a matter of starting the editor with workpad (and it picks up where you left off) and using execute-workpad to have the changes to the file executed automatically whenever you press ctrl-s. To break execute-workpad use ctrl-c or ctrl-break. I would have liked a version where you could use the window interactively at the same time, but I have not found a similar function to cmd's start/b (yet, I hope). Start /b is like & in the korn shell. Any feedback on this would be welcome - but keep in mind that the execution of the interactive commands must be done in the same context as the workpad script executes in, so variables can be used directly.


During the last couple of months I've spent quite some time on getting the grips on PowerShell (PS). As written earlier, PowerShell will be important, but expect it to take some time and effort to get it 'in the fingers'.

When you first look at it, you may ask yourself - hey - what's the big news in the examples you see? Most things can easily be done with other well-known tools. What so funny about - say - creating 10 folders -
PS> 1..10 | % { md folder$_ }
when I could do it with
CMD> for /l %i in (1,1,10) do md folder%i

And what is the big advantage in starting a service with
PS> start-service bits
when I could do it with
CMD> net start bits

Of course, restart is nicer
PS> restart-service bits
But this does the job as well
CMD> net stop bits & net start bits

But as you start trying to do REAL stuff you realize the potential. How about keeping the logs for the last 10 days, named with the date? That is not easy at all with CMD and I often created a self-contained script to do the job -
CMD> set script=%temp%\x.vbs
CMD> echo script line 1 > %script%
CMD> echo script line 2 >> %script%
CMD> cscript %script%
With PS you can do it right away with code like -
PS> $logbase="$env:temp\my.log"
PS> $fivedaysold=$logbase+[system.datetime]::now.adddays(-5).tostring("yyyyMMdd")
PS> $fivedaysold

So, if you want to learn PS, do not just use it once in a while. Expect that you will spend much time on learning it - but stop using CMD as much as possible and realize that you can combine all your tricks and (programming) skills by combining command line stuff with COM, WMI and .Net stuff - right from the command line. In this way, you will learn along the way.

Be powershelled yourself!

Friday, July 28, 2006

New Office Communicator 2005 hotfix

Microsoft has released a new hotfix for Office Communicator 2005 as described in KB921348. It contains the following fixes -
  • Advanced VoIP calling features are unavailable in Office Communicator 2005
  • Internet Explorer unexpectedly closes when you refresh a Web page
  • A telephone number may contain a clock icon instead of the number zero in Communicator 2005
  • Error message when you try to shut down Windows: "End Program-WMS Idle"
  • You experience poor video quality in Communicator 2005 running through a multipoint control unit
  • Communicator 2005 responds to invitations to conversations with a "Busy" reply
  • Communicator 2005 stops responding during a video conversation with Communicator 2007

I guess it must be cumulative and include the updates from the February 10th hotfix (KB903928) as it also updates Communicator.exe, now updated to build 183 (From 121).

Wednesday, July 26, 2006

Internet Anonymity, TOR and Scatterchat

Came across an article about the Scatterchat tool, recently released, in the Danish Computerworld. The article is in Danish - sorry. Anyway, it is not that important as the important stuff can be found on the EFF web site. EFF has a good article on the TOR network. The aim of TOR is to provide anonymous communication on the internet. Some researchers claim that more money is put into making statistical analyses of the network traffic than trying to decrypt encrypted traffic. Read more about TOR here - and read this research paper on why networks like TOR are very problematic to establish and run. Parts of the paper can be hard to read - but I think I got the most out of it without needing to understand all the formulas therein.

Tuesday, July 25, 2006

Virtual PC fix for laptops

I'm using VPC on my laptop and after suspends/hibernations, the screen goes blank and I have to restart VPC to get it back in shape. Well, according to Virtual PC Guy a laptop hotfix was just released. Fine, but versioning is weird, to say the least, for Virtual PC 2004 as I have written about earlier. This time, you have to download SP1 (again). calls this version 582.27 but with a release date of July 12th 2006. Downloading the zip and opening it reveals a subfolder called Laptop Hotfix. This folder contains the MSP-file that you want to apply to your laptop. The hotfix has an associated KB 889677.

After applying the hotfix, my version is now called (5.3.)582.32...

The Hypervisor term

Hi. Now that my summer vacation is approaching the end (bad, bad), I just caught up on a few blogs including Virtual PC Guy. Ben has a good article on what the Hypervisor term actually is.

And while being there, I also followed his link to Wolfenstein 3D and took a little stroll down memory lane...

Saturday, July 15, 2006

Windows VistaBootPRO 2.0 Beta

PROnetworks has released their second version of VistaBootPRO. It's an editor for the Boot Configuration Data (BCD) store that replaces boot.ini in Windows and it works with Beta 2 and Build 5456 (Corrected build # - Reminds me not to blog while my wife is shouting "Dinner is ready" ;-) .

Designed for both beginners and advanced users, VistaBootPRO can be used to make "cosmetic" changes to the Windows Vista boot Menu such as changing the name of the Operating Systems shown in the boot menu and make advanced "functional" changes like adding an Operating System to the boot menu and repairing the Windows Vista boot configuration data. Advanced settings include backing up and exporting your boot loader configuration and modifying various details for the entries. Included in this latest release are additional features, including a built-in help file and more advanced boot configuration options. VistaBootPRO 2.0 has been completely rewritten using Microsoft C# for improved stability and performance.

In my multiboot environment I have three partitions, one for Windows XP, one for Vista builds and one for my Data (Documents, redirected shell folders, my source code, drivers/applications etc.) and at one time I had to recover my system entirely from ground up after a failed install of an older build of Vista. The Vista version of the editor called Bcdedit is a pain in the .. to work with - at least when you need to have a working machine by the next day and don't have the time to research how it works (So VistaBootPRO comes to the rescue as a real life saver ;-)

Information on the new version found at

Thursday, July 13, 2006

Service Level of Public Instant Messaging Connectivity (PIC) in LCS

When deploying Instant Messaging with Live Communications Server in your company you of course expect to get enterprise degree service levels out of it.

But what happens when you mix a consumer based service (Like Yahoo, MSN and AOL) with an enterprise level deployment of LCS with PIC federation?
Well for me the answer is obvious you get a Consumer degree service level out of it - and this is also what my experience shows me.
What is important here is that if you are a customer or a consultant talking to customers/decision makers, then it's worth emphasizing the point that PIC isn't an enterprise level service.

Also if you are implementing and/or troubleshooting PIC then it's worth looking at the LCS PIC troubleshooting posting.

Yahoo! and Microsoft Instant Messaging connectivity

Microsoft has just announced their integration between Yahoo! and Live Messenger. You can sign up for the beta at either or - Not available for Denmark though :-(

Read more at the Inside Windows Live Messenger blog Talk to your Yahoo! friends from Windows Live Messenger or at the Press release Yahoo! and Microsoft Bridge Global Instant Messaging Communities.

Tuesday, July 11, 2006

LCS Federation information

Microsoft has published a whitepaper with details on how both federation has been implemented in LCS. It includes details on how the proposed IETF standard "Best Current Practices for Interdomain Instant Messaging using SIP/SIMPLE" has been used as a model for federation in LCS. It includes which standards are followed and which aren't and how PIDF documents are used.

Some of the details of the implementation haven't been described though, as they are subject to "licensing" :-(

Thursday, July 06, 2006

ActiveSync 4.2 ready for download

You can find it here. The fixes include -

  • Microsoft Outlook Improvements: Resolves issues relating to error code 85010014.
  • Proxy/DTPT interaction Improvements: Improved auto configuration of device Connection Manager settings when desktop has no proxy path to the internet.
  • Improved Desktop Pass Thru behavior with ISA proxy failures.
  • Partnership improvements: Better resolution of multiple devices with the same name syncing with the same desktop.
  • Connectivity Improvements: Better handling of VPN clients (resolve unbinding of protocols from our RNDIS adapter). New auto detection of connectivity failure with user diagnostic alerts.

Also there's a nice little troubleshooter tool that will check your computer for problems and, given the permission to do so, send the results to Microsoft.

It still seems to have a problem with setting up the synchronization of tasks directly with the Exchange Server from ActiveSync; this still needs to be set up from the device itself (On a new/wiped device that is, if it already has been set up, it recognizes it correctly).

Saturday, July 01, 2006

Remote Desktop goodies in Vista

When you use multiple monitors (Like I do) then this is a nice little trick.

In Vista (Build 5456) there's a commandline switch called /span that will allow the remote desktop to span across multiple monitors (I often help Service Providers or manage our own network by using a single server/workstation as a jump-host to the rest of the systems, sometimes doing it while writing documentation in a Wordpad document or the like in the same Remote Desktop session, so this is a very useful addition to mstsc).

Other enhancements are two-way pre-authentication when connecting to Vista/Longhorn Terminal Services and the possibility of using a TS Gateway, which will allow you to connect through HTTPS/443 to a Gateway server, which in turn will connect to Terminal Services inside the network (Thereby avoiding the use of VPN and 3389 in and outgoing on the network - the latter being a real advantage when you are connected to e.g. a customer's network).

Thursday, June 29, 2006

WSUS SP1 upgrade issues

If you, like me, have had or are having problems with WSUS SP1 upgrade and MSDE databases that have been migrated to SQL, then look at the article named Known problems when you upgrade to Windows Software Update Services (WSUS) Service Pack 1

  • Proxy server user name and password settings are reset
  • WSUS SP1 does not update WSUS servers that are set up using remote SQL deployments
  • Computer name changes after you install the original release version of WSUS and before you install WSUS SP1
  • WSUS SP1 upgrade may fail when the Microsoft SQL Server 2000 Desktop Engine (Windows) (MSDE) database has been migrated to a local SQL Server 2000 computer
  • WSUS SP1 upgrade may fail when the MSDE database has been migrated to a remote SQL Server 2000 computer
  • WSUS database is in an inconsistent state after a failed upgrade

Wednesday, June 28, 2006

Joining a domain remotely through VPN in Windows Vista build 5456

If you have joined a domain remotely through VPN in Windows XP you probably know that the trick is to use the local user to create a VPN connection for everyone, dial-up to your company, join the domain, reboot and then use the logon using dial-up networking feature, when you first log on with your domain account (Thereby caching your credentials for future logons).

In Vista there is no Logon using dial-up networking option (Or at least I haven't found it ;-) instead the trick is to create a VPN connection, dial-up to your company, join the domain, reboot and then log on with the local user. Then dial-up to your VPN again and select the padlock icon, Switch User (While keeping your VPN connection open) and now log on to your domain account.

Office Communicator Mobile updated

Microsoft has released version of Communicator Mobile (I was running 1.0.530.0 until now) and it includes the following fixes -

  • You are not notified that a "File Transfer" or a "Remote Assistance" request from Communicator 2005 to Communicator Mobile could not be delivered
  • The home screen layout on a Moto Q device changes when Communicator Mobile is installed
  • A "Call Computer" request in Communicator 2005 is not established when the recipient is a Communicator Mobile user
  • Nothing occurs when you single-tap the "My Status" screen in Communicator Mobile on a Pocket PC
  • ActiveSync may try to install the incorrect version of Communicator Mobile on a device
  • Updated phone forward settings may not be displayed on a Windows Mobile-based Smartphone that uses Communicator Mobile
  • The bottom of the text in the second row of a contact note is truncated in Communicator Mobile
See more information in KB919950.

NOTE that the uninstall/install process is a bit quirky. You need to change the today screen away from the "Communicator Standard" to something else and then reboot your device, before uninstalling the old version of Communicator Mobile.

Remember to check out Tom Laciano's post on support issues, that still seems to apply to this version of CoMo (And may I ask, when are you, MS, releasing an updated version of Office Communicator, I hope we won't have to wait for the 2007 release).

Read JPG email attachments on Qtek 8310

For some reason, the default setup does not work. The default is to open up Pocket Internet Explorer with a file://, but then PIE does not show the picture and whenever you try to do something, focus is forced back to PIE. Battery out & in seems the only solution out of that…

Well, if you associate JPG with the picture viewer used by the camera app, everything works.

To make the association, follow these steps -

  • Open File Manager
  • Find any JPG file
  • Select Menu, 1 File, 6 Associate (the actual wording may change as my phone runs Danish and I’m too lazy to change language)
  • Associate the program called pimg.exe

Have fun!

Monday, June 26, 2006

Microsoft unveils Unified Communications Product Road Map

A quick note - the long awaited announcements on the next versions of Live Communications Server and Unified Messaging happen today. I'm actually joining a live webcast tonight held by Jeff Raikes (President, Microsoft Business Division), Anoop Gupta (Corporate Vice President, Unified Communications Group) and Gurdeep Singh Pall (Corporate Vice President, RTC Product Group) but it seems that MS is already starting to announce the new products officially to the web -

The interesting development here is the move towards integration of the desk and mobile phone with Office Communicator and also the integration of Live Meeting into Live Communications Server (And also the Ringcam now called "Microsoft Office RoundTable" is pretty nifty). I will be back with further info in the upcoming days, depending on how much information is disclosed publicly this evening.

Wednesday, June 21, 2006

Smart Spam

My spam filter removes most of the unwanted stuff, but today I got a spam message that uses a new method, I haven't seen before - and which reminds me of the good old days when printing was done on line printers (yes, I worked in IT back then).

When I previewed the message, I got this picture -

I was curious - not for the uncensored videos - I live in a country that liberated porn in 1969, so nothing is censored here - but for the funny graphics. Using the mouse, I realized that it was actually text, not a picture. The text is used for drawing larger letters, just like the banner pages on a line printer. I remember creating such a program once in Cobol...

Anyway I selected a line of text before taking the screen shot as you can see from the blue line. To get into more detail, I copied all the 'uncensored' lines, pasted them into notepad and isolated the U - to make this more readable for you -

As you can see, the picture is drawn from different letters. I wonder how an antispam product will be able to detect this kind of message, containing no 'nasty' word. In fact, the big letters could be made up of non-spamish sentences.
Spammers seem to be very creative.

Sunday, June 11, 2006

Windows Vista beta 2 testing

Just got a brand new Dell Latitude D820 with the necessary power to run Vista including Aero (NVIDIA GeForce Go 7400/Quadro NVS 120M). The aim is to use it for testing Vista and Office 2007 and to automate the installation, so I can rebuild it with SMS whenever Vista, Office or the drivers get updated.

My first major obstacle was to get a graphics driver - the NVidia Forceware beta 88.61 did not recognize my hardware (even though they claim it is a universal driver).

Well, today I browsed the Dell forums and found this thread which linked me to the Nicke Anderson blog and finally it ended up at Laptop Video 2 Go, which has a modded nv_disp.inf that did the job. I included all the steps in my search, so you can get all the details yourself.

After installing the driver with the modded .inf, I just had to adjust the display resolution (1920x1200 nice!) and select the Aero color scheme.

So, now I'll continue my tests...

Thursday, May 25, 2006

LCS, Audio/video, file transfers and firewalls

I was responding to a question on the ASP.NET forums and thought it would be a good contribution to msgoodies (Almost unedited so maybe I will update it some day to be more thorough ;-)

The question was

What happens when a LCS solution sits behind a firewall/nat?

The answer is -

It is possible to do file transfers and audio/video in a hosted or enterprise LCS environment where LCS sits behind a NAT/firewall, but it all depends on your configuration of LCS and/or Office Communicator and/or your firewall.

For a start LCS is basically a SIP Server and SIP is of course Session Initiation Protocol. In SIP you use what we refer to as a triangle. User A will initially communicate with User B through the LCS server and SIP, but when a user decides to start a session with e.g. audio/video or file transfers, the server will help the client negotiate the right protocols etc. and when this is in place the clients will communicate directly with each other (Thereby creating the SIP triangle between both User A, User B talking with each other and both talking with the LCS server). So only SIP is passed through the server and the rest is usually done peer to peer.

So why is it not working for you? A lot of reasons for this might apply, which I try to explain in the following -

Office Communicator
Well, for one you need to check or set the relevant Group Policies. You can do this by importing the Communicator.adm file into the Administrative Templates in the Computer Configuration part of the GPO (Or by setting the relevant registry keys manually). The interesting parts here are SIP Security mode, where High Security mode will require encrypted SIP communication but still allow P2P file transfers and audio/video, but it disables the use of UPnP, which sometimes is necessary if one of the parties involved in the communication is sitting behind e.g. a Wireless ADSL Router/Packet filtering firewall. The other interesting policy is obviously the policy called "Prevent File Transfer".

On the server side is enabled by default on the Access Proxy and it disables file transfers and URLs in IM's, so instead I would deploy the LCS Intelligent IM Filter which is more configurable in terms of allowing certain file types.
Furthermore if you implement e.g. Sybari Antivirus on the server all file transfers are forced to go through the server (Thereby needing to open the ports used for TFTP through the Service Providers firewall).

In the case of file transfers the protocol used is TFTP over TCP and it runs over ports 6891-6900 (Allowing for 10 concurrent file transfers). For application sharing T.120 through Port 1503 is used and for audio/video a combination of RTP / RTCP is used. You can find more info in KB 903056 and in the article Windows Messenger in Windows XP (Note that Office Communicator uses the underlying technologies of Windows Messenger and thereby has the same restrictions).

The sum is that in a hosted or enterprise LCS scenario, all audio/video, file transfers and application sharing can work perfectly internally between desktops and mobile devices (Communicator Mobile) at the customer (Assuming they are not firewalling between internal network segments). But when a client needs to communicate with users outside their firewall, the same restrictions apply that apply for companies deploying their own LCS solution. NetMeeting is an old product and just doesn't handle traversing firewalls and NATs very well (even though some workarounds can be made) and this is probably why it is deprecated in Windows Vista (See RTC Client API's and Vista). The next version of LCS called Live Server and Office Communicator will supposedly handle this "in another way" but we will have to wait a couple of months until Microsoft will go public with more info on this product (Launching just after Office 2007).

Monday, May 22, 2006

How to delete a contact for several users in LCS / Office Communicator

A little follow-up to my earlier post on Populating Users in Office Communicator / LCS. If you want to delete a contact for all users (E.g. for an employee leaving the company) - you can remove the /contactsgroup parameter and instead use the /delete parameter e.g. -

cscript LCSAddContacts.wsf /usersfile:contacts.txt
/contactsfile:delete.txt /delete
(Wrapped for readability)

The syntax of the contacts.txt and delete.txt input file is -

Check my earlier post for further info.

Tuesday, May 02, 2006

What drink should I serve?

Well, simply look at the drink property in Active Directory. Yes, it really exists!

Came across it from this blog.

BTW: The answer is G&T if you are going to buy me one...

Friday, April 28, 2006

Support issues with Communicator Mobile

Tom has posted a Product Support Guide for Communicator Mobile on his blog, containing issues that aren't part of the release notes or accompanying documentation (As of yet).

One of the things he notes is that installation of Communicator Mobile isn’t supported on Storage Cards (As I enjoy doing with the limited memory on my Qtek 8310), also it explains why CoMo sometimes can be unresponsive.

Find the guide here.

Wednesday, April 26, 2006

Exchange 12 / Monad name changes

Just a quick note - At the MMS in San Diego there were a few announcements on this. Exchange 12 is now named Exchange Server 2007, and Monad is now Windows PowerShell.

Sunday, April 23, 2006

Where Vista Fails

Interesting article with some harsh comments from Paul Thurrott -

The company itself has turned into that thing it most hated (read:

The bad news, then, is that UAP is a sad, sad joke. It's the most annoying feature that Microsoft has ever added to any software product, and yes, that includes that ridiculous Clippy character from older Office versions.

On Media Center: It's a horrid update to a wonderful bit of software, an ugly stepchild of beautiful parents.

Feature complete, my butt

OK, let's not get silly here. I don't hate Windows Vista ... That's not horrible. It's just not what was promised.

Read it all here (Btw. I'm downloading build 5365 for my x64 notebook now - let's hope it has improved since 5342, which IMHO was way too unstable to do any testing on). Originally seen on

Microsoft Office Communicator Mobile released

I've been using Office Communicator Mobile since the first beta released last year and was happy to get an e-mail from the beta team, stating that it finally has been released to the web (And also last week I heard that the RC of Qtek 8310 AKU2 was released - so we will probably soon see the final version).

So what's in the product ?
  • A new Home/Today screen showing your availability
  • Presence on your contacts including federated and PIC users (Including their icons)
  • Contact information like "Idle since .." and Outlook calendar information like "Free for next 2 hours"
  • Escalation from IM conversation to phone calls
  • VoIP calls through Wireless LANs (No firewall traversal though - so just internal within the company's network)
  • 3rd Party Call Control like changing your desk/work phone forwarding settings
  • E-mailing the content of an IM conversation
  • And much more ;-)
You can find information here -
And the download here.

Thursday, April 20, 2006

runas without domain trusts

Being a consultant, I often work from my own laptop on my customers' computers. This often results in a lot of commands like these -
net use \\server\ipc$ /user:custdomain\account

Recently, I discovered, that I could actually create a new process with runas and use my customer credentials from that process. The trick is the /netonly argument. If I do a -
runas /user:custdomain\account /netonly cmd
I end up with a command prompt running as my normal user. But when I access network resources from that command prompt - or any child processes - I do it with my customer credentials. Needless to say, this saves a lot of tedious work.

Remember that if you do something that invokes Explorer, you are often back to your default credentials - read more here.

When you use /netonly, you can actually specify any domain\user you like. The security check will - as always - be made when you try to access a resource.
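
How such a session appears to a defender, as an added example that is not part of the original post: Windows Vista and later record a /netonly logon in the Security log as event 4624 with logon type 9 (NewCredentials), where the local account is unchanged and only the outbound credentials differ. The sample event is constructed and trimmed to the fields used; the function name and the account names are assumptions.

```powershell
# Added example: summarize 'runas /netonly' style logons (event 4624, logon type 9).
# Logon type 9 = NewCredentials: the process keeps the caller's local token and
# uses the supplied credentials for outbound network connections only.

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory = $true)][string]$EventXml)

    $doc = [xml]$EventXml

    # EventID is plain text here, but can be an element when it carries attributes.
    $id = $doc.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }
    if ([int]$id -ne 4624) { return }

    # Flatten <Data Name='...'>value</Data> into a lookup table.
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # Keep only NewCredentials logons.
    if ($data['LogonType'] -ne '9') { return }

    [pscustomobject]@{
        TimeCreated    = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
        Computer       = $doc.Event.System.Computer
        # The local identity the process really runs as.
        LocalAccount   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        # The credentials presented to remote servers. Older Windows versions do
        # not log these two fields, in which case this column shows only '\'.
        NetworkAccount = '{0}\{1}' -f $data['TargetOutboundDomainName'], $data['TargetOutboundUserName']
        Process        = $data['ProcessName']
        LogonProcess   = $data['LogonProcessName']
    }
}

# Constructed sample event (not taken from a real system).
$sampleEvent = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime='2024-01-01T09:00:00.000Z'/>
    <Computer>LAPTOP01.example.test</Computer>
  </System>
  <EventData>
    <Data Name='TargetUserName'>consultant</Data>
    <Data Name='TargetDomainName'>LAPTOP01</Data>
    <Data Name='LogonType'>9</Data>
    <Data Name='LogonProcessName'>seclogo</Data>
    <Data Name='ProcessName'>C:\Windows\System32\svchost.exe</Data>
    <Data Name='TargetOutboundUserName'>account</Data>
    <Data Name='TargetOutboundDomainName'>custdomain</Data>
  </EventData>
</Event>
'@

ConvertFrom-LogonEventXml -EventXml $sampleEvent

# On a live system (elevated prompt) the same function can read the Security log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 2000 |
#     ForEach-Object { ConvertFrom-LogonEventXml -EventXml $_.ToXml() }
```

Because the credentials are only validated by the remote server, a wrong password produces no failure on the workstation; the failed authentication shows up in the log of the server being accessed.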

Finding and fixing those LUA problems

Back in 1997, I was working at LEGO doing a PC project based on Windows NT workstation. The goal was end-users without local administrative permissions. This made perfect sense, as we came out of an OpenVMS environment where that was the norm.
Back then, we learned the hard way how difficult it was to do this and without regmon and filemon we never could have done it. Back then the problem was lack of documentation - today the problem is the vast amount of documentation - and when you finally hit the right spot you sometimes find that the detail you were looking for was left out of the documentation - or simply wrong.
Things have improved when it comes to using LUA but there is still a way to go before nirvana is reached.
Aaron Margosis created a series of articles on this - and the best is the prioritized approach he has taken - i.e. should I start tweaking the registry permissions first or should I copy parts of the class registry to HKCU? Read it all here and here.

Also read my LUA article about controlling permissions with Group Policy.

Thursday, April 13, 2006

To be or not to be - really random

Having the flu - this is day #5 - I found energy to browse to motion my cheeks. I saw Scott Adams' blog and had to read it as I like his twisted mind. From there I came across a reference to real random numbers called HotBits. The most interesting part was the How HotBits Works. This explains parts of quantum physics in a really simple way - e.g. that a beta particle is simply an electron and that gamma rays are simply high energy photons.
So is this really 'in scope' of this blog? Hmmm - well random numbers are - else simply blame it on the flu.

Wednesday, April 12, 2006

Microsoft Exchange's 10 year anniversary

As one of my contacts at Microsoft just pointed out, Microsoft Exchange was released more than 10 years ago in March 1996. It also means that I now have been an MCP for 12 years (Since April 1994); time has certainly gone fast since Microsoft Advanced Server 3.1 was the new kid on the block and it was unique to be an MCSE (I still remember competing with Per to be the first MCSE+I). I personally started working with OS/2 LanServer and Lotus cc:Mail and variations of Microsoft Mail and later evolved to Exchange 4.0 and Exchange 5.0/5.5, where clustering was one of my specialities and also my first piece published to the web was on the subject of Tips for Clustering Exchange Successfully (In the days of NT 4.0 and Exchange 5.5).

Windows IT Pro has released a very good article series by well known Industry Experts like Tony Redmond, Kevin Laahs and Kieran McCorry (All former colleagues at Digital/Compaq), Eric Legault and Pierre Bijaoui. It’s called A Decade of Exchange and it is certainly worth a read.

More interesting, to me anyway, is the future of Exchange in the Unified Communications group. We are probably going to witness a unification of Exchange, Live Communications Server (SIP) and related Voice services (VoIP, PBX, Centrex etc.), the interesting part here will ultimately be which technologies will be delivered by Microsoft and which will be delivered by 3rd party products. Also the evolution of SIP and perhaps disruptive Peer-to-Peer SIP standards/products and its impact on e.g. Microsoft UC and telephony service providers (And vendors) will be interesting to follow on the side-/frontline.

In my world Live Communications Server and the upcoming Live Server and their integration in Exchange and to CSTA, VoIP and MCU’s will certainly continue to be a main focus.

Monday, April 10, 2006

Sending IM messages through scripts

Would you like to send an instant message through script like this -

cscript lcsSendmsg.vbs
"Hello world how are you doing"

Then look no further than Glen's Exchange Dev Blog and his post on the subject, where he uses the newly announced AJAX SDK for the purpose (Btw. if you're scripting against Exchange his blog is certainly worth a look; in this case I'm only sorry that I didn't get around to write the script ;-)

Tuesday, April 04, 2006

Office Communicator Web Access AJAX Service SDK 1.0

Microsoft has released the Office Communicator AJAX Service SDK 1.0 including the following sample applications:

A simple instant messaging (IM) client written in JavaScript.
A simple instant messaging (IM) client written in C#.
A C# application that receives events from Communicator Web Access and displays them, as well as the methods that are being sent to the server, in JSON format.
You can find it here

Saturday, April 01, 2006

Corrupted logon Web page when you try to log on to Communicator Web Access

If you are running Windows 2000 on your clients, and they are accessing an internal CWA Server, you may have had problems with corrupted web logon pages. Microsoft has now released a public hotfix for this problem.

See the KB describing the problem, download the hotfix and the description here

Friday, March 31, 2006

Vista feature summation

If you want to know what kind of beast Windows Vista is, then there is a nice summary to be found here -

Also if you want to know more about the new features (Including those features from XP not making it to Vista), there's a nice wiki here -

(Thanks to Steffen Madsen from Inceptio A/S for the hint).

Wednesday, March 29, 2006

Windows deployment resource

Here’s some shameless advertising for a friend of mine ;-) Rico Raja, and some of his friends, has started a blog/forum/website, that centers mainly around Windows Deployment, Preinstallation and unattended installation. His expertise is, amongst others, Vista Deployment and he (and his friends) has produced some very exciting records in installation time for Windows Vista Deployments.

Check out and since they haven't implemented an RSS or Atom feed (Hint, hint!) you need to bookmark it for future updates (I have seen some of the upcoming content and it looks promising).

Friday, March 24, 2006

IM Culture

Along with new ways of communicating, there will be new do's and don’ts. I personally have more than 100 persons on my IM lists, but I prefer to have most of my private contacts on a separate IM client, namely Live Messenger, and only when Office Communicator implements Spheres as per the RFC's (a.k.a. selective per group availability) will I move them to OC. And why is that you may ask? Well, mainly because my family (Including my 79-year-old grandmother) has a habit of "disturbing" me during my work time, and my business contacts tend to be more into the IM way of doing things, with only occasional, important and short IM conversations.

Heather Leigh wrote an interesting blog about her opinion on this subject called IM Angst, quote

"What’s the deal with people you have never met before IMing you? This is analogous to interrupting a potentially important conversation (let’s not pretend all of my conversations are important but some of them are...some are even important AND interesting). In my opinion, IMing basically says, “I know you well enough to do this” (among friends) or “this is urgent” (among business associates). I cannot tell you how many times I receive IMs that fall into neither category. When a simple e-mail would suffice, IM is chosen for the immediacy (of the sender) without regard to the time of the receiver."

Suffice to say new habits and cultures will arise. Quickly, if appropriate, moving from e-mail to IM with Office Communicator has certainly lessened the amount of e-mails in my inbox and also moving from IM to phone or video/VoIP conferencing has shortened the amount of time in the IM space for my sake.

Thursday, March 23, 2006

Migrating RSS feeds from RssReader to Outlook 2007

Adding more than 100 feeds manually into Outlook 2007 wasn't an option and RssReader does import OPML, but doesn't export to it. So I did a little Googling and found a nice script, with an accompanying XSLT transform file. It will take RssReader's XML-based export file as an input and create an OPML compliant XML file. The only thing missing here is Groups, so I had to manually regroup all my feeds :-

You can find the script here

Btw. Outlook 2007 RSS implementation in Beta1 TR is way better than the last version I've tested - but there is still room for enhancement (Remember it's still beta, so it will probably change). The concept of groups is badly implemented (Especially when adding new feeds), the formatting of the posts is nothing compared to RssReader's and there's missing a "View all Unread Posts" and a "Mark all Unread Posts as Read" (It can be accomplished under Unread Mail - but I personally don't like to mix these in the same folder).

Tuesday, March 21, 2006

Whitepaper/resources on Exchange 2003 Mobility and MSFP / AKU2

As several different Telcos are releasing WM5 AKU2 / MSFP updates to their devices, there's also a need to set up the environment to support these new devices. I have earlier described a "Quick Guide" to upgrading the device, and configuring the website and ISA for DirectPush. But, as reported by several sources, Mr. Mobile a.k.a. Jason Langridge has released a large whitepaper on configuring all the aspects of mobility including web sites, certificates, ISA, certificate login and configuring the device. His excellent whitepaper can be found here.

Furthermore Vlad has posted a very good set of resources in a post called Advanced Mobility and Stalking with WM5.

Office Communicator now available in new languages

Office Communicator MUI has been updated, so that it now also includes Danish and Finnish (And perhaps other languages - I don't recall the former list of supported languages). It is recommended that you apply the hotfix from KB903928 before installing the new MUI, which can be found here.

Friday, March 17, 2006

Microsoft Connect and SMS 4 Beta

Wanted to join the SMS 4 Beta program - and consequently got into a new (for me at least) site called Microsoft Connect. Connect is a kind of new betaplace. Browsing the available programs page, I found another interesting product called Certificate Lifecycle Manager Beta 1. You can check it out yourself - I will when I have a little time to spare.

Communicator Web Access guides released

Three new Communicator Web Access guides have been released -

Microsoft Office Communicator Web Access Getting Started Guide
This guide describes how to use the instant messaging (IM) and presence features of Microsoft® Office Communicator Web Access.

Microsoft Office Communicator Web Access Technical Reference Guide
This guide provides reference and troubleshooting information for administrators who are deploying or have deployed Microsoft® Office Communicator Web Access.

Factors Affecting User Capacity of Microsoft Office Communicator Web Access
This white paper discusses the factors that affect the number of users that can be supported on a Microsoft® Office Communicator Web Access server.

Also don't forget the "old" guide on (With the pace Microsoft is announcing VoIP, SIP and UC news 3 months must be considered old ;-)

Microsoft Office Communicator Web Access Planning and Deployment Guide
This guide helps you plan and deploy Communicator Web Access for your organization.

Thursday, March 09, 2006

Live Communications Server Snap-in cannot open the certificate store

OK – now Per is at it, I also want to confess about one of my “mistakes”. I want to tell a story about LCS and the certificates snap-in that eventually made me rip my hair off (figuratively speaking that is – I need a magnifier and a pair of tweezers to find some) and calling PSS (It’s not a shame to do so btw … I keep telling myself).
As usual in LCS deployments I started by installing a LCS Home Server, implemented the necessary internal DNS records and then tested the functionality with TCP (Everything worked like a breeze). I then installed my LCS Access Proxy, used LCSCertUtil from the resource kit to request a public certificate and installed this on the Public Interface and our own certificate on the Internal Interface.
Then on my LCS Home Server I requested the necessary certificate and started the Live Communications Server 2005 MMC. I dribbled down through Forest, LCS Servers and pools, Server and right-clicked Properties on my server. I then clicked add and received the error message Live Communications Server Snap-in cannot open the certificate store followed by a Live Communications Server Snap-in cannot read the certificate information associated with this entry and a greyed out Add Connection Window. The same happened when I clicked the Security tab.
Googling the error message showed me that there was a known issue, whereby Sysadmins had installed the certificate in the user store (Checking, double and triple checking this made me certain that this wasn’t the problem) also the certificates checked out fine. Eventually (A day later) I ended up reinstalling the server, and it had no effect whatsoever (Thinking that missing security rights or something like that was an issue).
To cut the story short(er) then I’m a geek so when I install new servers, I disable everything I can. One of the things I like to disable is File and Printer Sharing for Microsoft Networks on servers/network cards that don’t need it.
With the assistance of a skilled PSS guy from Turkey, named Fadi, it turned out, that when a LCS Home Server needs to find certificates in the GUI of the LCS MMC; it needs File and Printer sharing enabled on the server! But this isn’t the case on Access Proxies – so in the beginning I had no clue what to look for. Disabling File and Printer Sharing again, after installing and verifying the certificates, works fine so it must be a “feature” in the LCS 2005 MMC.

Wednesday, March 08, 2006

DoS'ing ISA by modifying a user object in AD

The other day, one of the contributors to this blog unintentionally caused a Denial-of-Service on our ISA server. It went on like this –
“I wonder if it is possible to hand out a static route to a user, when a VPN is established?”
So this admin found his user object, tabbed to Dial-in, enabled Apply Static Routes and clicked Static Routes. Added the wanted route and saved it all. Next, the user reconnected the VPN – and things started to go wrong…
After messing things back to normal, I – sorry, the admin - began reading the help text –

Hmmm, the answering server – the ISA server in this case – does this. It is not handed to the client. Bad luck!

The worst part of this – and the reason I’m writing this – is to warn you. If you grant your helpdesk, decentralized admins etc. the permissions to change these settings on your user objects that have VPN access, you risk that they make your ISA server unavailable!

The GUI settings correspond to these LDAP properties –
1> msRADIUSFramedRoute: 1;
1> msRASSavedFramedRoute: 1;

So if someone has change access to these properties – i.e. they have full permissions on the user, explicit permissions for the properties or implicit permissions – you are at risk. Beware that the RAS-Information (a.k.a. “Remote Access Information”) property set includes these properties. Note that the default for Active Directory is to give the built-in Account Operators group permissions to update these.
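
An added example, not part of the original post: a read-only audit that lists the users who already carry a static route and the principals who can write the two properties on a given user or OU, whether through the attributes themselves, the RAS-Information property set or all properties. It assumes the ActiveDirectory PowerShell module (RSAT); the function names and the OU path are placeholders, and the GUIDs are looked up from the directory rather than hardcoded.

```powershell
# Added example: requires the ActiveDirectory module (RSAT). Reads only.
Import-Module ActiveDirectory

$routeAttrs = 'msRADIUSFramedRoute', 'msRASSavedFramedRoute'
$rootDse    = Get-ADRootDSE

# GUIDs an ACE can name to cover the route attributes: the attributes
# themselves (schemaIDGUID), the RAS-Information property set (rightsGuid)
# and the empty GUID, which means "all properties".
$targets = @{ ([guid]::Empty) = 'all properties' }
$schemaFilter = '(|' + (($routeAttrs | ForEach-Object { "(lDAPDisplayName=$_)" }) -join '') + ')'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter $schemaFilter `
        -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object {
    $targets[(New-Object Guid (,[byte[]]$_.schemaIDGUID))] = $_.lDAPDisplayName
}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(cn=RAS-Information)' -Properties rightsGuid | ForEach-Object {
    $targets[[guid]$_.rightsGuid] = 'RAS-Information property set'
}

# 1. Users that already carry a static route the answering server will apply.
function Get-UserWithFramedRoute {
    Get-ADUser -LDAPFilter '(|(msRADIUSFramedRoute=*)(msRASSavedFramedRoute=*))' `
        -Properties $routeAttrs |
        Select-Object SamAccountName, msRADIUSFramedRoute, msRASSavedFramedRoute
}

# 2. Who may write those attributes on a given user or OU (allow ACEs only).
#    GenericWrite and GenericAll include the WriteProperty bit, so one test covers them.
function Get-FramedRouteWriter {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
        $targets.ContainsKey($_.ObjectType)
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ Name = 'AppliesTo'; Expression = { $targets[$_.ObjectType] } }
}

Get-UserWithFramedRoute
# Placeholder DN; replace with a user or OU that holds VPN-enabled accounts.
Get-FramedRouteWriter -DistinguishedName 'OU=VPN Users,DC=example,DC=com'
```

Any helpdesk or delegated-admin group that shows up in the second listing can change the routes applied by the answering server for that user.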

Tuesday, March 07, 2006

Blocking MSN Messenger traffic by using HTTP filtering in ISA

FYI: Tom Shinder at has published a nice little step-by-step guide to blocking MSN Messenger traffic in ISA with the short name - ISA Firewall Quick Tip: Blocking MSN Messenger Access through the ISA Firewall while Enabling Access to Some Users.
In this article we'll go over the following procedures: Create the HTTP/HTTPS Access Rule to Deny Access to MSN Messenger; Configure the User Group Exception and the HTTP Security Filter on the Deny Rule; Create the Allow Rule for the Excepted Users.

Thursday, March 02, 2006

Populating users in Office Communicator / LCS

OK - so now you've set up your Live Communications Server environment and log in to Office Communicator 2005 or Windows Messenger just to see an empty list of users. Then the next question comes to mind - how do you populate users?

In Inceptio we initially used dsquery and some of the scripts that are part of the LCS 2005 SP1 Resource Kit.

First off, I used dsquery to create a file with contacts (check dsquery /? for further commands, e.g. for traversing more OUs)

dsquery * "OU=Users,OU=Inceptio,DC=domain,DC=com" -attr msRTCSIP-PrimaryUserAddress -filter (msRTCSIP-UserEnabled=TRUE) > contacts.txt

Then I used the LCSAddcontacts.wsf script, which adds contacts to a list of LCS users (the contacts.txt created earlier) - the script can be found in "%Programfiles%\Microsoft LC 2005\ResKit\WMI Samples" and information on its use can be found in the LCSAddcontacts_readme.htm file

CScript LCSAddContacts.wsf /usersfile:contacts.txt /contactsfile:contacts.txt /contactsgroup:Inceptio

As you can see, I use the same file twice, for both the user and the contact list, thereby adding all users to every user's contact list (thanks to Ray Breen / Google for this trick).

Then I need to auto allow the users. This is (in my case) easily done by using LCSAddACEs.wsf (Also from the reskit)

CScript LCSAddACEs.wsf /usersfile:contacts.txt /acesfile:Acesfile.txt

I reuse the same contacts.txt file used earlier, but I now also use an Acesfile.txt file containing the following text (notice that Allow, Prompt, Block and Deny are case sensitive) -

domain Allow Allow

As we are a small consulting company, there is no problem in auto-allowing all users to see each other. I recognize that this will not be useful in most larger companies (certainly not at our customers); in these cases I would manipulate the contacts.txt file to create a new file looking like this -

user: Allow Allow
user: Allow Allow


I would not recommend using All Allow Allow as acesfile.txt input as it also gives All Other Contacts allow rights (Instead of notifying as usual), which probably isn't a desirable behavior for PIC or Federation contacts.

The above is just an example of how to use the sample scripts to populate users. It would be a good idea to join and refine the scripts into a single script taking e.g. an OU or AD group as input and then populating organization groups etc. with each other's contacts.

Btw. the above scripts should be run from the LCS Home Server.

Tuesday, February 14, 2006

Use Group Policy Software Restrictions to control LUA

The least-privileged user account (LUA) principle is great - but in some situations very hard to implement. One of these places is my home computer :) shared by all the family members. Running games etc. without admin permissions is almost impossible.

While reading the Applying the Principle of Least Privilege to User Accounts on Windows XP article, I was linked to Browsing the Web and Reading E-mail Safely as an Administrator, Part 2 and discovered something new about the Software Restriction feature of Group Policy. I have been using Software Restriction for a while. I use it for preventing spyware from starting as Software Restrictions is 'stronger' than administrative permissions.
What I discovered, reading the article, was that there is a hidden feature that can be enabled. This feature, called 'Basic User', gives Group Policy control over programs. This means that you can force programs - like Internet Explorer - to start in restricted mode (same as using runas + protect my computer and data from unauthorized program activity) without any user intervention.

Right now, I have implemented it and am giving it a go. Let's see if my kids start to scream...

Saturday, February 04, 2006

Choosing a new EASI passport domain for MSN

As I wrote in my earlier post on "Issues with EASI passport domains, LCS and MSN Messenger", a change of the EASI passport domain is sometimes necessary when implementing LCS PIC. But the link provided in the post will only allow you to change the domain to either or - if say you would like to change from to, then it is possible through Just choose Credentials and then Change your e-mail address. From there you will be able to choose your new EASI domain address (thanks to Per for the hint).

HMC 3.5 Feature Pack 1 released

HMC 3.5 Feature Pack One includes additional resource management feature capabilities and some partner-requested solution fixes for the Hosted Messaging and Collaboration version 3.5 solution. It is strongly recommended that any service provider deploying Hosted Messaging and Collaboration version 3.5 download and install this feature pack, once they have installed HMC version 3.5.

Microsoft just released Feature Pack 1 for Hosted Messaging and Collaboration 3.5. The "most wanted" feature of Feature Pack 1 must be the new, more flexible resource allocation for Mailboxes / Organizations. Prior to this release we were required to allocate mailbox space at the organization level, but now it can be allocated at the time you provision mailbox users (which fits most service providers' plans/packaging better).

Find the Feature Pack 1 ISO here.

Wednesday, February 01, 2006

ISA 2004 SP2 released

ISA 2004 SP2 can now be found on the Microsoft Download center. Note that you cannot (successfully anyway) install it remotely via RDP as it enters lockdown mode during installation (According to the SBS Diva). You can find standard edition here and enterprise edition here.

Friday, January 27, 2006

Using Oxios ToDo List for SmartPhone

Just wanted to update you on my earlier post as promised.

I just bought Oxios ToDo List for SmartPhone for my Qtek 8310 as a substitute for the built-in. This one is much better - I can edit my tasks - and very important - works on the same database and thus synchronizes with Outlook/Exchange.

Thursday, January 26, 2006

AKU2 / MSFP and SP2 DirectPush configuration

The requirements are an Exchange Server 2003 with SP2 and a mobile device with Windows Mobile 2005 that includes the Messaging Security Feature Pack (MSFP, aka Adaptation Kit Update 2 (AKU2)). For sync via USB with your machine you need ActiveSync 4.1 (although this is not absolutely required). Furthermore, for administration of the remote wipe features you will need the ActiveSync Web Administration tool.

The MSFP is actually a new version of the Windows Mobile OS, so you need to wipe the device completely - with WM5 it is a pretty straightforward process; I started the phone in bootloader mode, connected it to USB and started the upgrade process. There's a very good TechNet Webcast called "Managing Windows Mobile-based Devices with the Messaging and Security Feature Pack" that includes very detailed info on security in Windows Mobile 5, the new features in MSFP and how upgrades can be done.

On the server side you need to change the IIS and firewall timeout values. This is due to the fact that "DirectPush" works by keeping an HTTP connection open to the server (through a concept called heartbeats, where the mobile device periodically pings the server). If the firewall times out before the periodic ping, the device will need to ping/reconnect more frequently and errors might turn up in your event log. KB Article 905013 on "Enterprise firewall configuration for Exchange ActiveSync Direct Push Technology" explains more on this subject.

If you are using ISA server as a firewall you can change the timeout on the Web listener for your Front End mail server (Find it under properties for the web listener, Preferences, Advanced) and also you need to change the IIS timeouts on your Exchange Servers to a corresponding value (I'm currently using 30 minutes or 1800 seconds, which seems to work fine in a small environment).
It will be interesting to measure the scalability effects of these connections in Exchange 2003, where many users will now have not only an Outlook 2003 connection but also (almost always?) an active connection to their mobile devices - according to Microsoft it's part of the reasoning that Exchange 12 will be 64 bit only (longer story - I'm part of the beta program so I'm preparing to test it on my newly acquired AMD x64 Acer Ferrari 4000 notebook).

Overall the MSFP/DirectPush experience is great (mail at times arrives on my mobile device before RPC/HTTPS syncs ;-), configuring the security policies and applying them to the devices also works fine, I can’t understand how I ever lived without GAL Lookup, and I only have a few negative comments. The most annoying part is that the phone insists on informing me that a new mail has arrived, even when I’m at my desk. If I change my profile to “No sound” on mail arrival, it will also turn off sound from SMS messages.
Another annoyance is the fact that the keyboard lock and device lock features don’t work together. So when the device is locked by the security policies and the phone is in my pocket, it doesn’t lock the keyboard, and after x failed attempts it will wipe the device (guess the rest of the story yourself ;-)

Friday, January 20, 2006

Monad beta 3 is out

As a follow up to my previous post, I just wanted to tell you that beta 3 is available for download.