SMS Scripting Guide

Was released the other day. Get it from MS Downloads. Contains some very good examples. One I found particular useful was the Status Filter Rule example. Add it to your scripting arsenal.

IIS Diagnostics Toolkit

New on MS Download -
The IIS Diagnostics Toolkit is a combined release of popular tools used by today's IIS users. These tools include tools aimed at resolving problems related to Secure Socket Layer (SSL) issues, permission or security problems, gathering data for your SMTP server included with IIS, as well as the famous Log Parser utility used to sift through hundreds or thousands of log files very quickly. The toolkit consolidates all the tools into a convienant download and is supplemented by updates every 90-days to ensure that users have the most current diagnostics tools at their fingertips.

Windows 2003 SP1 released / known SCW/Exchange issue

As you might have seen the final version of SP1 for Windows Server 2003 has been released and can be downloaded from here. Others have reviewed the enhancements and new functionality in SP1 so I won't dig into that - but I wanted to inform you about a known issue with the Security Configuration Wizard and Exchange.
There is an issue with the Security Configuration Wizard when Exchange isn't installed in the default %ProgramFiles%\Exchsrvr directory which potentially could block the TCP Ports used by Exchange. The solution to the problem is simple - you should manually specify the path to the Exchange executables when SCW displays [Not found!] next to one or more of the processes in the Network Security Section.
According to my contact at Microsoft there will be posted detailed info about this issue on http://blogs.technet.com/exchange/ in the near-term future (Update - here's a link to the blog posting on You Had Me At EHLO)

Exchange server is not supported on virtual servers

To my surprise, Microsoft does not support Exchange in a virtualized environment - not even in their own Virtual Server/PC. Read the support statement in this KB. Consequently, you should stick to using virtual technology in testing scenarios.

Windows Update Services RC available

According to a mail I received from Mickeysoft today the Release Candidate for Windows Update Services is finally publicly available. New features since Beta 2 are -

• Replica mode for WSUS server hierarchies, making them easier to manage.
• SSL connections between WSUS servers and clients, providing an even more secure end-to-end environment.
• Automatic Update policy to allow non-administrators to receive update notifications, offering greater flexibility in organizations where logged on users are commonly not administrators.

I haven't had the time to test it so no comments from me (Except that I and many of my customers are eager to get the FINAL product) - but check it out for yourself by registering for download here.

Bart's bootable Windows XP CD/DVD

A little but very useful "lifesaver" that provides a WinPE like environment but with a larger and more extendable featureset via the plugins available from Bart's homepage and others like the Ultimate Boot CD for Windows that builds on BartPE. It's very useful for many purposes as for example recovering systems from Virus attacks or creating snapshots of existing systems - check out the feauture set for yourself on his homepage.

Lighter Side Dept. - Best IT Advertisement?

Check out this LiveVault "Institute for Backup Trauma" ad starring John Cleese. Never mind the product – which may or may not be good - but if you are a Phyton/Cleese fan this is a “must”.

Extracting files from MSI

I wanted to be able to extract files directly out of an MSI file. Sometimes, I simply do not want to power up the correct OS version or install a product just to get to the files within. I tried doing it with ORCA (from the platform SDK) – but couldn’t figure it out. I also tried some of the other platform SDK msi*.exe tools – again without luck. Maybe someone can tell me how? Next I tried to investigate whether the MSI could be accessed by SQL. Again, I failed to find the necessary information. Finally, I got it. I looked at the Project Windows Installer XML (WiX) toolset. I downloaded the wix i386 binaries and extracted the ZIP file. Then I ran –
Dark.exe file.MSI file.XML /x .
The result of this conversion (file.XML) and extraction (/x) is a file.XML (which I have no use for) and the binary files contained within the MSI file.
Thanks to the people working with WiX.

Default owner of objects varies between Windows XP and Windows Server 2003

As a follow-up to my earlier post on Protecting your administrative permissions, I noticed an update from Aaron explaining how the default owner varies depending on whether you are using Windows XP or Windows Server 2003. Read the rest here.

Warning about importing Exchange MPs in MOM 2005

I came across a Microsoft KB about a bug in the import management pack process. It seems like only packs sharing common rule groups have the problem. The Exchange MPs are such a case.

Network Traffic Analyzers

I always install Netmon on my servers - just in case I need it - which I often do. Not from an operation perspective, but for debugging and analyzing stuff. The other day, I was debugging some Kerberos problems in combination with SAP and Active Directory - but Netmon was not able to decode the packages...
Luckily, I know another product which I often uses at my own PC – Ethereal. Download it and the required library winpcap from here. You only need winpcap if you want to capture packages – to analyze, only Ethereal is needed.
Netmon pros –
- Microsoft supported and security patched
- Part of OS
Ethereal pros –
- Live view of captured packages including live filtering
- Can read files saved by Netmon
- Can decode more protocols – like Kerberos
- Free

Give it a go – it is worthwhile.

SIDF - Adding Sender ID Framework DNS Records

To enable mail receivers to validate that your emails are legitimate, you have to add SIDF. SIDF are a merger between Microsoft’s caller ID and SPF (Sender Policy Framework). SIDF is implemented on the sender and the receiver side. On the sender side you have to add and maintain some DNS TXT records. On the receiver side you simply need an email server checking the stuff. The receiver does not use SIDF to do a pass/no-pass decision. Instead, the result is put into the normal spam detection algorithms. If you do not publish SIDF information, you should expect your mails to be ‘suspected’ more and more as SIDF becomes more widespread and as email administrators starts to squeeze the spam rules forcing SIDF to be required.

A good place to start is the www.microsoft.com/senderid site. I think this is a very good presentation, so start with it. Afterwards, you can use the Microsoft Sender ID Framework SPF Record Wizard to generate your SPF record.

If you add the stuff in Microsoft DNS, remember to select ‘Other new’ record type, Text (TXT) and leave the name field blank. This will result in a line in the GUI like –
(same as parent folder) Text (TXT) SPF data

You can check the SPF of my company with –
nslookup "-set type=txt" inceptio.dk

Go and declare your email domains!

Software Updates for Dell Server Hardware Using SMS 2003

On MS Downloads.
This solution accelerator helps SMS administrators effectively and efficiently deploy software updates for Dell server hardware using Systems Management Server (SMS) 2003 and the SMS 2003 Inventory Tool for Dell Updates.

ISA 2004 Standard Edition SP1 Available on MS Downloads

Get it here. Is it a MSP file. The update contains both updates to the server component and the firewall client. Check out the changes in the readme.

How to query the Microsoft Knowledge Base by using keywords and query words

Maybe I should have known more about this years ago - I actually have thought about it - just never investigated it. Nevertheless, you can use predefined keywords to make a more precise search for you KB articles. Not all keywords are in the help article. Some, you have to figure out yourself.
Two useful ones are Windows SP2 fixes kbwinxpsp3fix and Office 2003 SP 2 ones kboffice2003presp2fix.

New Permission Objects in SMS 2003 SP1.

While creating a script setting up permissions in SMS, I realized that there are some a new kids in town – the manage folder permission and the software updates class. But the binary value of those are not documented in the SDK!

Manage folder is bit 17 hex 0x20000 decimal 131072. Software Updates is class value 10. Both are the next available bit/value - makes sense.

Software Updates has read, modify, delete, administer, create and delegate permissions.

Guest OS Slow - Give It More RAM

Playing around with Virtual Server 2005, I ran into some very slow guest OS’s – some reacted very, very slowly, so here’s a hint:
If you are experiencing that one or a few of your guest OS’s are slow but the others are running as expected, you probably have starved the slow ones. Give them more RAM to speed things up. The easy way to check whether a guest is starved is to compare the assigned RAM to the Commit Level (Task Manager) and at the same time look at the page fault delta values (Task Manager, Processes tab, select columns). If you want to get the most out of your RAM, you probably will run with the Commit Level some above the amount of RAM – but too much paging will slow you down.

MOM 2005 Core MP Updated

An update of the MOM 2005 Management Pack versioned v05.0.2803.0000 was released February 9th. My existing is 2746. You can get it here. The changes can be viewed by using the MP2XML and MPDiff tools of the Resource Kit -

• Convert the old and the new AKM files to XML with MP2XML AKM-file XML-file
• Run MPDiff.Console.exe /src:old.xml /tgt:new.xml /v:cad. You can also run it with one of the cad (changed, added, deleted) letters at a time.
• View the output or view diffout.xml with Internet Explorer

Virtual Server 2005 and InCd are not best friends!

I found the solution to the problem in my earlier post. InCd conflicts with Virtual Server 2005. Uninstalling InCd made the problem go away.

Indigo - Applications on Longhorn

If Microsoft is able to hold the schedule, we need to start considering how managing and running Longhorn applications is going to be. Applications utilizing Longhorn will be based on the Indigo application framework. I stumbled across this article about Indigo. It is worth reading! And as the article ends -
The impact of this technology will not be small. Anyone who builds distributed applications on Windows, especially applications that must interoperate with those on other platforms, should pay close attention. Indigo will significantly change their world.