Tuesday, December 18, 2007

App-Domain could not be created. Error: 0x80131902

Failed to execute request because the App-Domain could not be created. Error: 0x80131902
Event-ID: 1088
Source: ASP.NET 2.0.50727.0

I was getting this error in Event Viewer while trying to run a web app. This was a fresh install of IIS, but on an older server. The problem is that after IIS is installed you need to re-install the .Net framework.

Step one is to un-install the .Net framework.
  • Open a Command Prompt
  • run "net stop w3svc"
  • cd %windir%\Microsoft.Net\Framework\v2.0.50727\
  • run "aspnet_regiis.exe -ua"
  • run "aspnet_regiis.exe -i"
  • run "net start w3svc"

aspnet_regiis.exe -r may have worked instead of the two-step uninstall / reinstall, based on its description, but I didn't try that option.

Friday, November 09, 2007

Handy Microsoft related blogs

Over time I have found some Microsoft team web sites to be very handy. These include the Microsoft Exchange Team, the IIS team and most recently the Open Source Software lab team. Below I have the links to these sites so you can check them out and add them to your favorites.

Port 25 The Open Source Software Lab at Microsoft

Microsoft Exchange Team Blog (You had me at EHLO...)

Microsoft Internet Information Services Homepage
Also, if you have sites that you find useful please leave them in the comments so I can add them.

Wednesday, October 31, 2007

Prism: Web apps running as Local apps

Today I downloaded and installed Mozilla Labs' Prism. It allows you to run web apps such as Facebook, Gmail, Google Calendar, or even Spiceworks as if they were local applications. It is a slimmed-down Mozilla web browser that creates a nifty shortcut for you to use. You can then resize and move the window around as you would any other window.

Its best feature is the lack of an address bar. It sounds weird, but that can sometimes be a big distraction. So now I can have my Gmail open and my Calendar open all day long.

Tuesday, October 30, 2007

Microsoft Exchange 2007 Catchall Agent

For those of you looking to implement a Catchall agent in Microsoft Exchange 2007 I finally have an answer for you! CatchAllAgent Exchange2007 Transport Protocol Agent does everything I needed it to do. It can handle multiple domains and supports standard .Net tracing for troubleshooting. Granted I didn't write it but it is simple to set up and configure.

The download is not as straightforward as I would have liked (multiple files vs. a Zip file) but the instructions are clear and concise for installation. The bare minimum you need to download is the CatchAllAgent.dll, config.xml, and Readme.txt. The author has included the source code for the CatchAllAgent in case you want to see how it works or if you have enhancements to make. The one issue I had with installation was due to me not reading ALL of the instructions and missing a step ([PS] C:\catchallagent>enable-transportagent "CatchAll Agent").

There are many reasons to NOT have a catchall agent set up. For one, you open yourself up to a Denial of Service attack because all email will now be accepted for your domain, which may also lead to the server's storage being filled. But when the CIO and CEO both say we NEED a catchall I fulfill their request and warn them of the dangers. Hopefully I never have to say "I told you so!"

Thursday, September 27, 2007

Testing Outlook Web Access from the PowerShell

As any of my readers know I check things on a daily basis, typically in the morning. As part of these checks I fire up Internet Explorer 7 and go to our Outlook Web Access page and log in.

Today I figured out how to do all of this from a PowerShell, which has already cut my daily monitoring duties down about 90%. This is a pretty simple one-liner that will test one OWA URL. It does however require you to enter a password in a dialog box.

Test-OwaConnectivity -URL https://mail.yourdomain.com/owa -MailboxCredential:(Get-Credential domain\user)

After you run that it will ask you for the password of the user and report back success or failure.

Tuesday, September 18, 2007

Spiceworks 1.7 Now Available

Spiceworks 1.7 is now available for download. The upgrade process is as painless as can be. Simply right click on the spiceworks tray icon and select restart. When the restart process is finished you will have the newest version.

Tuesday, September 11, 2007

Using the PowerShell to check for mounted mailbox databases

If you want to quickly check to see what mailbox databases are mounted (or not mounted) there is a simple command that you can run from the Exchange Management Shell.

Get-MailboxDatabase -Status | where {$_.Mounted -eq $true}

To see what mailbox databases are not mounted you can do:
Get-MailboxDatabase -Status | where {$_.Mounted -eq $false}

Let's break down what is going on here.
Get-MailboxDatabase will generally just return the list of mailbox databases in the organization.
The -Status switch will tell the command to get the status (Mounted, Last Full backup, et cetera).
We then pipe this into the where command to do the searching. The variable we are looking for here is Mounted and we need it to be equal (-eq) to True ($true).
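Building on the breakdown above, here is an added example (my own code, not from the original post) that turns the same -Status output into a short morning report: it flags databases that are dismounted and, since -Status also fills in LastFullBackup, databases without a recent full backup. It assumes it runs inside the Exchange Management Shell; the 7-day backup threshold is my own choice.

```powershell
# Added example, not from the original post: a report built on
# Get-MailboxDatabase -Status. Assumes the Exchange Management Shell.
function Get-MailboxDatabaseHealth {
    param([int]$MaxBackupAgeDays = 7)   # threshold is an assumption, adjust to your backup schedule

    # Mounted and LastFullBackup are only populated when -Status is given;
    # without it both come back empty and every database would look unhealthy.
    Get-MailboxDatabase -Status | Select-Object Name, Server, Mounted, LastFullBackup,
        @{Name = 'BackupOverdue'; Expression = {
            if ($_.LastFullBackup -eq $null) { $true }
            else { ((Get-Date) - $_.LastFullBackup).TotalDays -gt $MaxBackupAgeDays }
        }}
}

function Get-MailboxDatabaseProblems {
    param([int]$MaxBackupAgeDays = 7)
    # Either condition is enough to need attention: not mounted, or no recent backup.
    Get-MailboxDatabaseHealth -MaxBackupAgeDays $MaxBackupAgeDays |
        Where-Object { ($_.Mounted -ne $true) -or $_.BackupOverdue }
}

$problems = Get-MailboxDatabaseProblems
if ($problems) {
    $problems | Format-Table Name, Server, Mounted, LastFullBackup, BackupOverdue -AutoSize
} else {
    Write-Host "All mailbox databases are mounted and have a full backup within 7 days."
}
```

The Where-Object test uses -ne $true rather than -eq $false on purpose: if the Mounted field is empty (for example because -Status was dropped from the query) the database is still reported rather than silently treated as fine.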

Wednesday, August 22, 2007

Microsoft Exchange 2007: Autodiscovery

An interesting thing I learned with Exchange 2007 and Outlook 2007: if you are running the latter, then Exchange 2007 must have Autodiscovery installed and configured properly. Microsoft Technet has a decent article on how to set up and properly configure Autodiscovery.

It is important to note that autodiscover.yourdomain.com has its own separate SSL certificate for things to work properly. This is an additional certificate to the one Outlook Web Access and Outlook Anywhere require to work properly.

Monday, July 23, 2007

How to: Fix Background Cleanup Errors

During my morning checks of the servers I run the command Test-SystemHealth on my Microsoft Exchange 2007 server, and I was getting the error "The 'Background Cleanup' value for mailbox store '[Mailbox Store Name]' on Server '[Exchange Server Name]' is missing. This will cause mailbox size discrepancies."

To fix this I found a Microsoft Technet Article "Background Cleanup interval for a mailbox store is missing". It supplies an easy fix for my problem.

  1. Open a registry editor, such as Regedit.exe or Regedt32.exe.
  2. Navigate to: HKLM\System\CurrentControlSet\Services\MSExchangeIS\\Private-
  3. Create a DWORD value called Background Cleanup with value data of 60000 (decimal) or 0xEA60 (hexadecimal). Do this for each mailbox on the server.
  4. Close the registry editor. To make the changes take effect, do one of the following:
     • Dismount and mount the affected information stores.
     • Restart the Microsoft Exchange Information Store service.
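The same fix scripted, as an added example (my own code, not from the post or the TechNet article). It creates the Background Cleanup DWORD (60000 decimal = 0xEA60) under every Private-* store key and leaves any value that is already there untouched, so it is safe to re-run. The key layout it assumes, MSExchangeIS\<ServerName>\Private-<GUID>, fills in the component the post's truncated path elides, so treat the server-name level as an assumption and confirm it in Regedit on your own server first.

```powershell
# Added example, not from the original post: create the "Background Cleanup"
# DWORD for every Private-* store key on one server. The path layout
# MSExchangeIS\<ServerName>\Private-<GUID> is an assumption; verify it locally.
function Set-BackgroundCleanupInterval {
    param(
        [string]$ServerName = $env:COMPUTERNAME,
        [int]$Milliseconds = 60000            # 60000 decimal = 0xEA60, the value from the article
    )

    $serverKey = "HKLM:\System\CurrentControlSet\Services\MSExchangeIS\$ServerName"
    if (-not (Test-Path $serverKey)) {
        throw "Registry key $serverKey not found; is $ServerName the Exchange server?"
    }

    Get-ChildItem $serverKey |
        Where-Object { $_.PSChildName -like 'Private-*' } |
        ForEach-Object {
            $storeKey = $_.PSPath
            # Read the value first so an existing (possibly tuned) setting is not overwritten.
            $existing = Get-ItemProperty -Path $storeKey -Name 'Background Cleanup' -ErrorAction SilentlyContinue
            if ($existing -eq $null) {
                New-ItemProperty -Path $storeKey -Name 'Background Cleanup' `
                    -PropertyType DWord -Value $Milliseconds | Out-Null
                Write-Host "Created Background Cleanup = $Milliseconds on $($_.PSChildName)"
            } else {
                Write-Host "$($_.PSChildName) already has Background Cleanup = $($existing.'Background Cleanup'); left unchanged"
            }
        }
}

Set-BackgroundCleanupInterval
# The value is only read when the store starts: dismount/mount the affected stores
# or restart the Information Store service afterwards, as the steps above say.
```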

Thursday, July 19, 2007

552 5.3.4 Message size exceeds fixed maximum message size

If you are running Exchange 2007 and you are getting the above error message from users outside your organization there is a very simple fix.

Set-ReceiveConnector -identity "Default [SERVERNAME]" -maxmessagesize 20MB

That will double your receive limit from the internet. Now if you want to go bigger you could do:
Set-ReceiveConnector -identity "Default [SERVERNAME]" -maxmessagesize 1GB
but that is not recommended at all.
The available options for the size are: B (bytes), KB (kilobytes), MB (megabytes), & GB (gigabytes). The maximum you can do is 2GB and any unqualified sizes are treated as bytes.

If there are other options you want to change with your Receive Connectors check out Set-ReceiveConnector on TechNet.

Tuesday, July 17, 2007

Troubleshooting Tips: RPC over HTTP

While getting "Outlook Anywhere" to work in our Microsoft Exchange 2007 environment I had to do a little troubleshooting. Here are some things to look for if things are not working.

  • Make sure you are using Basic Authentication with the RPC proxy.
  • Triple check that Outlook Anywhere is enabled on the Microsoft Exchange 2007 server and that the RPC Proxy is installed.
  • Close Outlook and open it back up with the switch /rpcdiag (Start, Run, Outlook.exe /RPCDIAG).

Also, since you are using Basic Authentication you must be using SSL. The SSL certificate must be trusted by the computer that is running Outlook, so I suggest using a third-party certificate from a reputable online source. You can only use self-signed certificates if all the computers that will be connecting to Outlook Anywhere are also part of the domain that created them.

Maybe I should do a complete series of how to's in regards to Outlook Anywhere and RPC over HTTP.

Wednesday, July 11, 2007

Microsoft Exchange 2007 Distribution Group Security

Today I found out that Distribution Groups within Microsoft Exchange 2007 have security placed on them that requires users to authenticate when sending emails to them. I understand having this feature, but I would argue against it being on by default.
With this setting on users outside your company cannot email to the distribution group. For some of my groups this is what I want. But for specific groups I want people outside my enterprise to be able to send them email.

To change this setting open up the "Exchange System Console" and go to the Recipient Configuration, Distribution Group. Then right click on the distribution group you wish to edit and choose Properties. Next click the "Mail Flow Settings" tab, select "Message Delivery Restrictions" and then hit the "Properties" button. On the "Message Delivery Restrictions" screen uncheck the "Require that all senders are authenticated" option and you will be all set.

To do all of the above from the "Exchange Management Shell" you can use the one-liner below.
Set-DistributionGroup -identity "DisplayNameOfDistributionGroup" -RequireSenderAuthenticationEnabled $False
It's really that easy.
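Because every group with this setting turned off can receive mail from anyone on the Internet, it is worth knowing which ones are open at any given time. The following is an added example (my own code, not from the post): one function lists the groups that no longer require authenticated senders, the other flips the setting for a named group in either direction. It assumes the Exchange Management Shell; the group name in the commented call is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell.
function Get-ExternallyOpenDistributionGroups {
    # Groups where RequireSenderAuthenticationEnabled is off accept mail from
    # unauthenticated (external) senders, so they are the ones to review.
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
        Select-Object Name, PrimarySmtpAddress, ManagedBy
}

function Set-DistributionGroupExternalAccess {
    param(
        [string]$Identity,
        [bool]$AllowExternal
    )
    # $AllowExternal $true  -> anyone may send to the group (setting unchecked, as in the post)
    # $AllowExternal $false -> authenticated senders only (the Exchange 2007 default)
    Set-DistributionGroup -Identity $Identity -RequireSenderAuthenticationEnabled (-not $AllowExternal)
    # Read the object back so the caller sees the value Exchange actually stored.
    Get-DistributionGroup -Identity $Identity | Select-Object Name, RequireSenderAuthenticationEnabled
}

# Review this list periodically; each entry is a group that outside senders can reach.
Get-ExternallyOpenDistributionGroups | Format-Table -AutoSize

# Open one specific group to outside senders, as the post does for selected groups:
# Set-DistributionGroupExternalAccess -Identity "DisplayNameOfDistributionGroup" -AllowExternal $true
```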

When I first got my hands on Microsoft Exchange 2007 I did not like the idea of doing a lot of things by the command line, but as time goes on I have found out that the Management Shell is a very powerful tool that every Exchange admin should learn how to use and fall in love with.

How to: Verify necessary Microsoft Exchange services are running

Every morning as part of my daily routine I check to make sure all the necessary services are running for Microsoft Exchange 2007 to run properly and respond to client requests. In the past I have been opening Services.msc and visually verifying that all of the services are indeed running. But today while I was looking over the list of cmdlets I found my time saver, Test-ServiceHealth.
This command will test all of the services that should be running and report back what is and is not running. Since I keep the Exchange Management Shell open at all times I can quickly type this command and verify that way that everything is running as normal.

Complete List of Microsoft Exchange 2007 cmdlets

Microsoft has a complete list of cmdlets you can use in the Exchange Management Shell. This list has come in handy when attempting to do something for the first time and not too sure where to start.

I would suggest anyone running Microsoft Exchange 2007 add this link to their favorites as it comes in handy often. Also, if you are running OpenDNS on your network you could set up an OpenDNS shortcut to make it even easier!

Tuesday, July 10, 2007

How to: Update the Global Address List in Microsoft Exchange 2007

This is a simple one liner that you can use to update the default Global Address List when running Microsoft Exchange Server 2007. It should be noted that this can take a long time in a large enterprise so use with caution during normal business hours.

Update-GlobalAddressList -identity "Default Global Address List"

Bulk importing contacts from CSV to Exchange 2007

When doing a bulk import of contacts you can use the following Powershell command to read a CSV file.
Import-Csv contacts.csv | ForEach { New-MailContact -Name $_.displayName -FirstName $_.FirstName -LastName $_.LastName -ExternalEmailAddress $_.EmailAddress -OrganizationalUnit "YourDomain.Local/Contacts" }

For an excellent list of what else you can import with the New-MailContact command (everything after the "|" character) you can go to the linked web site.

Something I found out while trying to use this command is that you must have the same capitalization in $_.Variable as you do for your column headers in the CSV file. Also, you cannot have the CSV file open while you are doing your import.
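A bulk import that dies halfway through leaves you with a partly populated Contacts OU to clean up, so it pays to check the file before any contact is created. The following is an added example (my own code, not from the post): it verifies that the columns the one-liner above expects are present and that each address looks like an address, then creates only contacts that do not already exist. The column names and OU are the ones from the post's one-liner; the sample CSV is constructed here for a dry run.

```powershell
# Added example, not from the original post. Assumes the Exchange Management Shell.
function Test-ContactCsv {
    param([string]$Path)

    $required = 'displayName', 'FirstName', 'LastName', 'EmailAddress'   # columns the one-liner uses
    $rows = @(Import-Csv $Path)
    if ($rows.Count -eq 0) { throw "$Path contains no data rows" }

    # A missing column would make every New-MailContact call fail, so check headers first.
    $headers = $rows[0].PSObject.Properties | ForEach-Object { $_.Name }
    $missing = $required | Where-Object { $headers -notcontains $_ }
    if ($missing) { throw "CSV is missing column(s): $($missing -join ', ')" }

    # Loose shape check only; New-MailContact still validates the address itself.
    $bad = @($rows | Where-Object { $_.EmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$' })
    if ($bad.Count -gt 0) {
        $bad | ForEach-Object { Write-Warning "Invalid address for '$($_.displayName)': '$($_.EmailAddress)'" }
        throw "$($bad.Count) row(s) have invalid e-mail addresses; fix the CSV first"
    }
    $rows
}

function Import-MailContacts {
    param([string]$Path, [string]$OrganizationalUnit = 'YourDomain.Local/Contacts')

    Test-ContactCsv $Path | ForEach-Object {
        # Skip addresses that already have a contact so a re-run does not error out.
        if (Get-MailContact -Identity $_.EmailAddress -ErrorAction SilentlyContinue) {
            Write-Host "Skipping $($_.EmailAddress): contact already exists"
        } else {
            New-MailContact -Name $_.displayName -FirstName $_.FirstName -LastName $_.LastName `
                -ExternalEmailAddress $_.EmailAddress -OrganizationalUnit $OrganizationalUnit
        }
    }
}

# Constructed sample file: the second row is deliberately broken to show the check firing.
@'
displayName,FirstName,LastName,EmailAddress
Jane Example,Jane,Example,jane@example.com
Bad Row,Bad,Row,not-an-address
'@ | Set-Content contacts-test.csv

try   { Test-ContactCsv contacts-test.csv | Out-Null }
catch { Write-Host "Validation failed: $_" }
# Once the file is clean: Import-MailContacts contacts.csv
```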

Monday, July 09, 2007

How to: Recreate Outlook Web Access Virtual Directory in Exchange 2007

Last week, after another round of Microsoft updates, I rebooted our Microsoft Exchange 2007 server. After the reboot Outlook Web Access was no longer working. I could see in Event Viewer a bunch of errors relating to .Net 1.1 and a few other DLL files relating to authentication.

After a lot of looking around online I figured out a few things.
You cannot install .Net 1.1 on the OWA server. OWA requires IIS to be running in 64-bit mode (x64), while .Net requires 32-bit mode (x86). So I un-installed the .Net framework, since I didn't need it anyhow, and rebooted.

Things still were not working, so I tried to delete the Virtual Directory right from the IIS admin screen. That didn't work, so I restored the Virtual Directory from a backup I had made right before (Trust me, this is always a good idea!).

I also found out that with good examples and the proper references that the new PowerShell interface for Exchange is very powerful. However I am still looking forward to Exchange 2007 SP1 when Microsoft brings some things missing from the GUI back.

Today I found the proper way to recreate the Virtual Directory.
Step one is to view all of the Virtual Directories on the server.
Get-OwaVirtualDirectory will display a list of all the Exchange Virtual Directories on that server. The one you are looking for here is "OWA (Default Web Site)" on a default install.

Step two is to remove the default OWA Virtual Directory with:
Remove-OwaVirtualDirectory -identity "owa (Default Web Site)"

The next step is to recreate the OWA Virtual Directory with:
New-OWAVirtualDirectory -OWAVersion "Exchange2007" -Name "owa (Default Web Site)"

Now go into the Exchange 2007 Management Console and set up the correct internal and external URLs and any other settings you may have changed the first time around. One of the changes I recommend is on the "Authentication" tab: set the Logon Format for Forms based authentication to "User name only" and then set the domain. This will make it easier for your users to log in by not having to remember the domain or type domain\username.


I see that I haven't posted in a good long time (almost a month). And that is because I have been busy getting our Microsoft Exchange 2007 server up and running.

It's been a busy week since we went live and I have learned a lot about Exchange and email in general. I have some hints and tips to post about things that can go wrong, and more importantly how to fix them when they do go wonky.

Thursday, June 14, 2007

Microsoft Exchange TCP/IP Ports List

This is just going to be a list of all the TCP & UDP IP ports that you could possibly need to use (or open in your firewall(s)).

TCP port 25 - SMTP
TCP port 26 - SSL secured SMTP
TCP port 110 - Post Office Protocol v. 3 (POP3)
TCP port 995 - SSL secured POP3
TCP port 143 - Internet Message Access Protocol v. 4 (IMAP4)
TCP port 993 - SSL secured IMAP4
TCP port 80 - HTTP for Outlook Web Access
TCP port 443 - SSL secured HTTP for Outlook Web Access (HTTPS)
TCP/UDP port 389 - Lightweight Directory Access Protocol (LDAP)
TCP port 3268 - LDAP communications with an Active Directory Global Catalog Server
TCP port 119 - Network News Transfer Protocol (NNTP)
TCP port 563 - SSL secured NNTP
TCP port 135 - Remote Procedure Call (RPC); however it will also use ports 1024 and up as needed.
TCP/UDP port 53 - Domain Name System (DNS)
TCP port 102 - Mail Transfer Agent (MTA) *Only used in X.400 connections.
Additionally, if you are securing any servers such as front-end / back-end servers with IPSEC you will need to allow IP protocol 51 for the Authentication Header, IP protocol 50, TCP/UDP port 88 for Kerberos, and UDP port 500 for Key Exchanges.

That's a pretty decent sized list "JUST" for one network service. On the plus side most of those are not needed in a default setup as POP3 and IMAP4 are rarely used in a pure Microsoft network.

Also hopefully this will help me remember some of the less used ports and let me ace my test!

-EDIT: Thanks to the commenter I updated this post to have the correct Global Catalog server port.

Tuesday, June 12, 2007

Follow up to Safari for Windows!

To be blunt, I am already un-installing this piece of software (POS). The two biggest keyboard shortcuts I use don't work. It may be faster at rendering, but our website looks bad in it. If I had to use a Mac or run Linux, I would be using Firefox for sure. On Windows however I am still sticking by Internet Explorer 7.

The install process went smoothly, just the standard Next, Next, Next, Finish sort of thing. Let me know what you think if you have had the unfortunate time with Safari as I have.

Safari for Windows!

Apple has released their Safari web browser for Windows. I haven't had a chance to install it yet but I will report back on how the install went and my first impressions.

Friday, June 08, 2007

Doing a 301 Redirect on IIS

301 Redirect Using IIS
  1. In Internet Services Manager, right click on the file or folder you wish to redirect.
  2. Select the radio button titled "A redirection to a URL".
  3. Enter the URL that the page will be redirected to.
  4. Check "The exact URL entered above" and "A permanent redirection for this resource".
  5. Click on 'Apply'.

How to Delete the Undeletable File!

There comes a point in every Network Admin's life when you must delete a file that is always locked, even those pesky files that won't go away after a reboot or going into safe mode.

Geeks are Sexy has a good article on how to delete pesky undeletable files. I already knew about #1. I always first try to kill "Explorer.exe" from task manager before I do anything drastic. If that doesn't work I move on to number three if I have Unlocker handy.

I typically have either Unlocker installed or an Internet connection to download a copy, so I have never had to resort to using the Recovery Console on my computer. Also it is far more likely that I would have those than a Windows CD around to use the Recovery Console, as I always forget to install it beforehand.

Monday, June 04, 2007

Microsoft Settles TestKing Case

Microsoft has settled their suit with leading "braindump" site TestKing.com. This will hopefully be the start of other braindumps going down as well. For those of you that don't know, or haven't taken a certification test, you must agree to a Non-Disclosure Agreement (NDA) to not discuss or disseminate the material in any way outside of the testing room. This is to protect the value of the certifications. Read more about the settlement here.

Thursday, May 24, 2007

How to Use Nslookup to Verify MX record configuration

As I have been installing, configuring, and testing our Microsoft Exchange Server 2007 I have had to test the DNS system to ensure our domain is registered and working properly. This is something that all system administrators should know how to do, but the exact syntax is often forgotten.

  1. Open a Command Prompt (Start, Run, cmd, [Enter]).
  2. Type nslookup.
  3. Type server [DNS server] to choose the DNS server you want to use. (This step is optional.)
  4. Type set q=mx (this sets the query type to "MX" {Mail Exchanger}).
  5. Type the domain name whose mail exchanger you want to look up.

This operation can be done on Windows XP, Windows Server 2003, and Windows Vista. There are similar options if you are doing this from Linux.

  1. Open up a terminal (differs by distribution).
  2. Type nslookup.
  3. Type set type=mx (this sets the query type to "MX" {Mail Exchanger}).
  4. Type the domain name whose mail exchanger you want to look up.
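The interactive session above is fine by hand, but a check you run every morning is better scripted. The following is an added example (my own code, not from the post) that runs nslookup non-interactively with -type=mx and turns the answer into objects sorted by preference, so the lowest-preference host (the one senders will try first) comes out on top. The two output layouts the regex accepts, "MX preference = 10, mail exchanger = host" from Windows and "mail exchanger = 10 host" from the Linux nslookup, are assumptions from my own observation, not from the post; the sample lines are constructed so the parsing can be tried without network access.

```powershell
# Added example, not from the original post: scripted MX lookup on top of nslookup.
function Get-MxRecords {
    param(
        [string]$Domain,
        [string]$DnsServer = '',          # optional, like the "server" step above
        [string[]]$RawOutput = $null      # pass captured text instead of running nslookup
    )

    if (-not $RawOutput) {
        $nsArgs = @('-type=mx', $Domain)
        if ($DnsServer) { $nsArgs += $DnsServer }
        $RawOutput = & nslookup @nsArgs 2>&1 | ForEach-Object { "$_" }
    }

    # Windows: "example.com  MX preference = 10, mail exchanger = mail.example.com"
    # Linux:   "example.com  mail exchanger = 10 mail.example.com"   (assumed layouts)
    $records = foreach ($line in $RawOutput) {
        if ($line -match 'MX preference = (\d+),\s*mail exchanger = (\S+)' -or
            $line -match 'mail exchanger = (\d+)\s+(\S+)') {
            New-Object PSObject -Property @{
                Preference = [int]$matches[1]
                Exchanger  = $matches[2].TrimEnd('.')
            }
        }
    }
    $records | Sort-Object Preference
}

# Constructed sample (Windows-style output) to exercise the parser offline.
$sample = @(
    'Server:  dns.example.net',
    'Address:  192.0.2.53',
    '',
    'example.com     MX preference = 20, mail exchanger = backup-mx.example.com',
    'example.com     MX preference = 10, mail exchanger = mail.example.com'
)
Get-MxRecords -Domain example.com -RawOutput $sample | Format-Table Preference, Exchanger -AutoSize

# Live query against the default resolver, or a chosen one with -DnsServer:
# Get-MxRecords -Domain yourdomain.com
```

Comparing the result against the hosts you expect (and querying an external resolver as well as your own) catches a stale or typoed MX record before the first bounced message does.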

Thursday, May 17, 2007

Microsoft Exchange 2003 Send as vs. Send on behalf of

Neil Hobson over at MSExchange.org has a very good article about the differences of "Send as" vs. "Send on behalf of".

The key difference is how the receiver sees the message come in. When using "Send as" the receiver thinks it really came from the sender, but when using "Send on Behalf of" it comes across as "Steve Lippert sent on behalf of Steve's Manager".

Monday, May 14, 2007

Microsoft WSUS 3.0 is finally released!

This is just a quick link to Petri IT Knowledgebase with a nice article on WSUS 3.0 and what's new.

Thats all!

Microsoft Visual Studio Express Editions Codename: "Orcas"

Microsoft recently released a Community Technical Preview (CTP) of its next Visual Basic Express Edition (also C#, C++, and Web Developer). You can go to the Visual Studio Express Editions Codename: "Orcas" to see what they have changed in the new version(s).

I am currently downloading just the installs and not the MSDN Library, SQL Compact, or SQL Express Editions and it's over 870MB. I *MIGHT* update you when I have everything installed and working to see how my programs moved over and such.

**Please note there is also a patch to download if you are unfortunate and are running Windows Vista**

Thursday, May 10, 2007

Recovering a failed Exchange 2007 server!

Monday morning I came into work to find that I could not get Microsoft Outlook to play with our Microsoft Exchange Server 2007 as it had on Friday afternoon when I left for the week. As it turns out the RAID controller decided it didn't want to see two of the hard disks. Result: Rebuild RAID array, format and reinstall Windows.

After I got Microsoft Windows Server 2003 R2 reinstalled and fully updated I had to reinstall Exchange. This being my first time recovering a failed server I was a bit nervous to say the least. I tried to just run Setup.exe but it said "Exchange is in an inconsistent state" or something very similar. So I opened up a command prompt and ran "setup /?". After reading through the help file I saw the holy grail of commands. "Setup /mode:RecoverServer" will do just that: recover your server (installed and configured as it had been). Too bad our backups of the mail stores were bad, otherwise I could have had everything back up and running within a matter of hours.

Trojan Virus Spoofs Windows Activation

This is more of a heads up than anything: apparently there is a new virus / trojan out that spoofs the Windows Activation screen. They did a pretty good job except for the misspelling of "you" instead of "your". I fear many people new to the online world will actually give this information away, in part because apparently you cannot close the window without filling in the information.

Microsoft Silverlight Developer Reference

Quoted from www.silverlight.net
"Microsoft® Silverlight™ is a cross-browser, cross-platform plug-in for delivering the next generation of .NET based media experiences and rich interactive applications for the Web. Silverlight offers a flexible programming model that supports AJAX, VB, C#, Python, and Ruby, and integrates with existing Web applications. Silverlight supports fast, cost-effective delivery of high-quality video to all major browsers running on the Mac OS or Windows."

And here is a Developer Reference that you can print out to use while programming in this new framework.

Wednesday, May 02, 2007

MC MCSE: A resource for aspiring MCSEs

I just found MC MCSE yesterday while looking for tips to pass my upcoming 70-284 exam. They offer:
  • Free Practice Exams - 44 free practice tests with over 4,300 total questions.
  • Free Study Guides - 110 study guides and tutorials to help you pass your exams.
  • Find Training Materials - Find the best books and training products for your studies.
  • Free Tech Magazines - Free subscriptions to ComputerWorld, eWeek and many more.
I took my first free test yesterday and got a 76% on it, passing, but not excellent. I find that most of the questions are well written but there were a few that needed some work. (Much like this blog I know!)

Dell to offer Ubuntu Linux Pre-installed

Well, it looks like Dell finally caved and will be offering PCs and Laptops with Ubuntu Linux pre-installed. Let's just hope that the option to get Ubuntu Linux is not buried as it has been in the past to get a PC without Windows on it.

Tuesday, May 01, 2007

70-284 Exam Prep Problem Question Number 1

This is a question I keep getting wrong while studying for my 70-284 Microsoft Exchange 2003 Certification Exam.
Basically you need to migrate from Lotus cc: Mail to Microsoft Exchange 2003, but the catch is that your Microsoft Exchange Server is not available yet. To complete this question you must correctly add in the necessary steps and what order they go in.
Step one is a simple, you must choose to do a Two-Step migration because your Microsoft Exchange Server is not available. Step two: you must specify a path to the migration files so that you can use them when your new Microsoft Exchange Server is ready. Step three: you must specify the Lotus cc: Mail Post Office and password to export the mailboxes with. Step four: here you select the information to migrate over to Microsoft Exchange. Step five: The final step in all of this is to select the users to export.
Hopefully now that I have written this out I can remember it at least long enough to get a question like this right on my Exam!

Tuesday, April 24, 2007

ISINTEG for Microsoft Exchange: a Troubleshooting Tool

ISINTEG (Information Store Integrity checker) is a useful and potentially dangerous tool for checking the integrity of an Information Store and fixing it (the potentially hazardous part).

Much like its cousin ESEUTIL you have to run it from the /bin directory of the c:\Program Files\exchsrvr directory as it is not added to the PATH system variable by default.

The easiest and safest option with ISINTEG is -test. Also don't forget to use -s [SERVERNAME] as this will tell ISINTEG what server to run the test on.

There are other flags that ISINTEG can use such as -patch, -verbose, and -l [LogFile]. But the one that you should be especially careful of is -fix. This has been known to kill an Exchange server, so make sure you have a backup of your Information Store before running this, as a bad store is still better than a bad installation of Exchange. You have been warned!

Windows XP Myths

Andrew K over at Optimize Guides has a very good article on some very common Windows XP myths. It is a suggested read for any Microsoft administrator. I have read many of the myths in the past and tried them out on my computers, or my users' computers, and for many of the "improve performance" settings have never seen any difference.

I learned a bit today after reading all of the myths, and as stated previously don't use anything the myths try to sell you. Most of the time the settings they are telling you to change simply do not get read by Windows XP, and if they do, hopefully they won't harm your system in any way.

Monday, April 23, 2007

ESEUTIL for Microsoft Exchange, Part 1 The Basics

ESEutil (Extensible Storage Engine utility) is the sister EXE to NTDSutil (New Technology Directory Service I believe). There are three sides to this utility that any Microsoft Exchange administrator should know how to use. The harmless checking options, the hairier defragmentation option, and finally the scariest restore options.

On a side note it should be mentioned to any new Microsoft Exchange administrators that ESEUTIL is not a part of the PATH system variable, and as such must be run from the Exchange/bin folder. If you find yourself using ESEUTIL frequently I would suggest adding it to your path as I have.

First there are the mostly harmless options /k, /mh, and /cc. These flags will do various things that Microsoft Exchange will normally do for you, such as re-run log files after you remount a store. The /mh flag will check the store to see if it was properly shut down and along the way will tell you when the last time it was backed up. This is an easy way to start learning how to use ESEUTIL properly.

Example: eseutil /mh "d:\program files\exchsrvr\mdbdata\priv1.edb" (Assuming Exchange 2003 is installed on the d:\ drive.)

This command should return “State: Clean Shutdown” within its output. Also you can use /mh to see how many /r commands have been run against it, with anything greater than zero being your number.
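Since the one line that matters in the /mh dump is the State: line, the check is easy to script. The following is an added example (my own code, not from the post): it runs eseutil /mh against a store, pulls out the State: value and reports whether the store is in Clean Shutdown. The eseutil and store paths are parameters, since the post notes that ESEUTIL is not on the PATH; the default path assumes the post's d:\ install. The sample header lines are constructed, not captured from a real run.

```powershell
# Added example, not from the original post: a scripted "is the store clean?" check.
function Test-StoreCleanShutdown {
    param(
        [string]$StorePath,
        [string]$EseutilPath = 'd:\program files\exchsrvr\bin\eseutil.exe',   # assumed install location
        [string[]]$RawOutput = $null     # pass captured text instead of running eseutil
    )

    if (-not $RawOutput) {
        if (-not (Test-Path $EseutilPath)) { throw "eseutil not found at $EseutilPath" }
        # /mh only reads the header; it never modifies the store, unlike /p or /r.
        $RawOutput = & $EseutilPath /mh $StorePath 2>&1 | ForEach-Object { "$_" }
    }

    $stateLine = $RawOutput | Where-Object { $_ -match '^\s*State:\s*(.+)$' } | Select-Object -First 1
    if (-not $stateLine) { throw "No 'State:' line in eseutil output; check the store path" }
    $state = ($stateLine -replace '^\s*State:\s*', '').Trim()

    New-Object PSObject -Property @{
        Store         = $StorePath
        State         = $state
        CleanShutdown = ($state -eq 'Clean Shutdown')
    }
}

# Constructed sample header for a dry run; only the State: line is what the check reads.
$sample = @(
    'Initiating FILE DUMP mode...',
    '        Database: d:\program files\exchsrvr\mdbdata\priv1.edb',
    '           State: Dirty Shutdown'
)
Test-StoreCleanShutdown -StorePath 'd:\program files\exchsrvr\mdbdata\priv1.edb' -RawOutput $sample
# CleanShutdown comes back False here: the store needs recovery before it is mounted.

# Live check against the real store:
# Test-StoreCleanShutdown -StorePath 'd:\program files\exchsrvr\mdbdata\priv1.edb'
```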

There are other simple flags to use such as /ml to check log files, /mm to dump the metadata (not truly useful to most administrators, but interesting to see none the less.), /mk to see information about the checkpoint file (.chk files).

ESEUTIL /k will run a similar function to running a checksum against a file to verify its integrity. It will only VERIFY the database, not repair it, as that is what /p and /r are for. This is most often used when Microsoft Exchange has been shut down improperly. On another side note, it is worth mentioning that hundreds of uninitialized pages are normal, but bad checksums or wrong page numbers are bad. Also you can verify log files with /k in the same way you verify stores.

Example: eseutil /k "d:\program files\exchsrvr\mdbdata\priv1.edb"

Just as easy to run is ESEUTIL with the /d flag. This will defragment the .edb file and recover lost disk space. This is much akin to running jetpack against the DHCP.mdb file to defragment the DHCP database in Microsoft Windows Server 2003, and not so much like defragmenting your hard drive with Windows' built-in defragmenter. You must dismount the store in order to run eseutil /d, but you do not need to stop the Information Store service to do so.

The last function of ESEUTIL, and by far the scariest function set is the restore options. The /r and /p flags can really muck up a Microsoft Exchange store quickly. These options will require their own blog entry so stay tuned for more.

A quick overview of all the options for Microsoft Exchange's ESEUTIL.
Eseutil /cc Performs a hard recovery after a database restore.
Eseutil /d Performs an offline compaction of a database.
Eseutil /g Verifies the integrity of a database.
Eseutil /k Verifies the checksums of a database.
Eseutil /m Generates formatted output of various database file types. e.g. /mh
Eseutil /p Repairs a corrupted or damaged database.
Eseutil /r Performs soft recovery to bring a single database into a consistent or clean shutdown state.
Eseutil /y Copies a database, streaming file, or log file.

Tuesday, April 17, 2007

Using Webmin to install Software

Today, while building a new server running Debian, I needed to install ProFTPD. While I was in the Webmin interface poking around I saw this line:
" The ProFTPd package can be automatically installed by Webmin. Click here to have it downloaded and installed using APT."
Unfortunately I found out that I already have an FTP server installed on the box, but I like the forward thinking of the Webmin crew to offer such an easy way to install software!

Tuesday, April 03, 2007

Password Strength Checker

Today I StumbledUpon a Password Strength Checker. It will tell you just how strong your password is. Now I thought my standard password was pretty strong. It's eight characters with numbers thrown in elite haxor style, but I found out my password is only "Medium".

I did however find out that the current administrative password is strong, which is good news, now I just need to work on getting a stronger base password, and then go trough all of my accounts and make the necessary changes.

How strong is your password?

Monday, April 02, 2007

A simple way to Secure Microsoft Exchange 2003

One of the easiest ways to secure Microsoft Exchange 2003 is to not run Microsoft Exchange 2003 on an Active Directory Domain Controller. This way IF your Microsoft Exchange 2003 Server is compromised you will not have to worry about your Active Directory data being compromised as well.

Small Business Server users should take note of this as the default install of Small Business Server has Microsoft Exchange 2003 Server running on your Active Directory Domain Controller with Microsoft SQL Server running as well. Also more than likely this same server is also running your Active Directory DNS server, DHCP server, WINS server and in some cases even your public Web Site running on IIS and an FTP server also running on IIS.

Secure Multi-Purpose Internet Mail Extension also known as S/MIME

S/MIME protects the integrity and confidentiality of e-mail messages (by signing and by encrypting them). It only protects the message itself; using SSL is still suggested to protect the transmission channel. S/MIME requires certificates issued through a Public Key Infrastructure (PKI).

Using a Public Key Infrastructure to secure Microsoft Exchange Server 2003

Public Key Infrastructures (PKI from here on out!) use two mathematically related keys, a public key and a private key. The public key is, as its name describes, public, and is shared with others so they can verify signatures you made with your private key (message signing) and encrypt messages to you. You keep the private key private; with it you decrypt the messages sent to you and sign outgoing messages, which proves to the recipient that they came from you and were not tampered with in transit.

For all of this to work you need a client that supports S/MIME, such as Outlook, Outlook Web Access, and most 3rd-party POP3 and IMAP4 clients. Sender and recipient also need to trust the same Certificate Authority (CA).

PKIs are easiest to run within the same Active Directory domain/forest, with a Windows 2003 Certificate Authority as the CA for the domain. Autoenrollment should also be enabled, or every certificate request would need to be manually approved by a CA administrator.
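The key roles described above, as an added example that is not part of the original post: a toy Python sketch in which a message is signed with the sender's private key and checked with the public key, and a short session key is encrypted to a public key and recovered only with the matching private key. It uses textbook RSA with two small fixed primes and an unpadded hash, so it shows who can do what with each key, not real-world strength; S/MIME in practice uses X.509 certificates issued by the CA, proper padding, and a symmetric cipher for the message body, with RSA wrapping only the session key. The message text and the session key are constructed for the demo.

```python
"""Toy demonstration of the public/private key roles behind S/MIME.
Added example, not code from the original post. Textbook RSA with two
small fixed primes and an unpadded hash: it shows *who can do what* with
each key, not real-world strength. (Real S/MIME uses X.509 certificates,
padding, and a symmetric cipher for the body, with RSA wrapping only the
session key.)"""
import hashlib

# Assumption: fixed Mersenne primes so the demo is deterministic.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                           # public modulus (~92 bits: toy size)
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)     # handed out to everyone (via the certificate)
PRIVATE_KEY = (N, D)    # never leaves the owner's machine


def _digest(message: bytes) -> int:
    """Hash the message, then reduce into the modulus range (toy: no padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """Sender signs with their PRIVATE key."""
    n, d = private_key
    return pow(_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone checks the signature with the sender's PUBLIC key. A message
    altered in transit hashes differently, so the check fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message)


def encrypt_session_key(session_key: bytes, public_key) -> int:
    """Sender encrypts a short symmetric key to the recipient's PUBLIC key."""
    n, e = public_key
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("session key too large for this toy modulus")
    return pow(m, e, n)


def decrypt_session_key(ciphertext: int, private_key, length: int) -> bytes:
    """Only the holder of the matching PRIVATE key recovers the session key."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def demo() -> dict:
    """Constructed message and session key; returns the four outcomes."""
    msg = b"Invoice 4471 approved - please pay by Friday"
    tampered = msg.replace(b"4471", b"4477")
    session_key = bytes.fromhex("0f1e2d3c4b5a6978")        # 64-bit toy key

    signature = sign(msg, PRIVATE_KEY)
    wrapped = encrypt_session_key(session_key, PUBLIC_KEY)
    # Using the public exponent in place of the private one must not work.
    wrong_key_attempt = pow(wrapped, E, N).to_bytes(12, "big")[-8:]
    return {
        "genuine_verifies": verify(msg, signature, PUBLIC_KEY),
        "tampered_verifies": verify(tampered, signature, PUBLIC_KEY),
        "key_round_trips": decrypt_session_key(wrapped, PRIVATE_KEY, 8) == session_key,
        "public_key_decrypts": wrong_key_attempt == session_key,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:22} {outcome}")
```

Running it shows the genuine message verifying, the one-digit change failing verification, the session key round-tripping through the private key, and the public key being useless for decryption. That asymmetry is exactly why the private key must stay on the user's machine (or smart card) and why a CA is needed: the CA's certificate is what lets a recipient trust that a given public key really belongs to the sender.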

Using a Front-end / Back-end to secure Microsoft Exchange 2003

One of the best practices often talked about is the "Front-end / Back-end" topology, whereby the front-end server sits outside the main network, separated from it by a firewall (known as the "internal firewall") but protected from the Internet by a separate external firewall. The back-end server meanwhile stays within the confines of the internal network.

This configuration needs only a few ports open on the external firewall, with more ports open on the internal firewall between the front-end and back-end servers. The databases and log files that Exchange needs are kept behind two firewalls, with no direct access from the Internet. The front-end server responds to all Internet SMTP and client requests and forwards them on to the back-end servers, which deliver to the users' mailboxes.

While this method may be a "Best Practice", it requires at least twice as much hardware and software: at least two servers, two firewalls, and two copies each of Windows Server 2003 and Exchange Server 2003. To let this setup survive the loss of a back-end server you should then also cluster the Exchange back-end, which requires Windows 2003 Enterprise Edition and Exchange Enterprise Edition on the two back-end servers.

A heavily suggested setup is to have the front-end server running Outlook Web Access (OWA) with an SSL certificate from a widely known Certificate Authority, so clients on the public Internet get an encrypted session without certificate warnings. This requires TCP port 443 (for default installs). Also, since the whole reason to have Microsoft Exchange is to send and receive e-mail with other organizations via the Internet, you will need SMTP on TCP port 25 with anonymous access allowed. These would then be the only two ports open on the public/external firewall.

On the internal firewall, between the front-end and back-end servers, you would need to open:
• TCP port 80, so OWA on the front-end can proxy requests to the back-end servers (front-end to back-end HTTP is not SSL, which is why the IPsec below is used)
• TCP/UDP port 389 for LDAP (Lightweight Directory Access Protocol)
• TCP port 3268 for LDAP to the Global Catalog
• TCP/UDP port 88 for Kerberos
• IP protocol 51 (Authentication Header, AH) and IP protocol 50 (Encapsulating Security Payload, ESP) for the IPsec traffic that wraps all of the above, plus UDP port 500 for the IKE key exchange that sets it up

Making the Jump to Vista!

This morning, I finally made the jump to Windows Vista! It was about two hours to upgrade (didn't have the time to do a clean install) and so far everything is working well. I will try to report back any findings I have after I have really used it.

Friday, March 30, 2007

My Google Homepage Themes!

I noticed today that Google added a "Select Theme" option to their Personalized Home. They have seven different themes, with more to come I hope! Also you can enter your ZIP code so the theme can change throughout the day! Check it out if you have a Personalized Home page, and get one if you don't!

Wednesday, March 21, 2007

Flexible Single Master Operation (FSMO) Roles

Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.

Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service, which the Kerberos authentication protocol depends on: all Windows 2000/2003-based computers within an enterprise must agree on a common time, because Kerberos rejects tickets whose timestamps are too far off. The time service therefore follows a hierarchy that defines which computer is authoritative and does not permit loops.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
· Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
· Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
· Account lockout is processed on the PDC emulator.
· Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
· The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

Decommissioning Small Business Server 2000 Part 1

When decommissioning a Small Business Server (or any Windows domain controller) you need to make sure that any FSMO roles hosted on the server are transferred off it before you decommission it. If you fail to do this you can seize the FSMO role(s) later, but the best practice is to transfer them beforehand while the old server is still online. (If you ever do have to seize a role, the old holder must never be brought back onto the network.)

Petri IT Knowledgebase has a good selection of articles on how to Determine FSMO Role Holders and Transfer FSMO Roles, and Microsoft has a good Knowledge Base article on how to seize the roles.

Later I will explain how to Decommission Exchange 2000 running on Small Business Server 2000.

Thursday, March 15, 2007

Deploying printers with Active Directory

I was looking for a way to ease printer deployment in our network. I found a nice article over at http://www.windowsnetworking.com that explains how to deploy printers in Active Directory. FINALLY!

One caveat about this is that it only works on Windows 2003 R2 domain controllers. So I will have to wait a few weeks until ours is all set up and ready to go in order to use this.

Also, for these options to be available you need to upgrade your Active Directory schema to version 31. My previous post tells you how.

Upgrading Active Directory Schema to Version 31 (To support Windows 2003 R2 Domain Controllers)

If you run adprep.exe /forestprep from the first Windows 2003 R2 disc it will tell you that it has already been run (if you are already running a Windows 2003 forest). To upgrade the Active Directory schema for the new options in R2 you need to run the adprep.exe from the second Windows 2003 R2 disc, found at Drive:\CMPNENTS\R2\ADPREP\adprep.exe. Run adprep.exe /forestprep from there (on the schema master, as a member of Schema Admins and Enterprise Admins) and you will get the additional options.

Tuesday, March 13, 2007

Creating Google Suggest Style Text Boxes with Visual Basic 2005

I have created a simple tool that makes specific directories for our company when we get a new project in to scan. I have integrated a database to keep the information for searching and billing purposes. When we get updates to the projects I don't want to type everything again, so I looked into changing the text boxes to suggest project names from the database and such.

It really is very simple to do this.
Set the "AutoCompleteMode" of the text box to SuggestAppend (There are other options but this is the one that worked best for me.)

Set the "AutoCompleteSource" to "CustomSource".

In the "Form1_Load" event handler add the appropriate commands (you will also need Imports System.Data.OleDb at the top of the file). I will explain this line by line below.

Create a connection to the database.
Dim MyConnection As New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\databases\scanning.mdb")

Open the connection.
MyConnection.Open()

Use SQL here to select only unique (DISTINCT) Project Names and Scanning Numbers from the workflow table. Use the open connection above to execute the command. The query contains no user input, so there is no SQL injection risk here; if you ever filter it by what the user typed, use OleDbParameter rather than string concatenation.
Dim MyCommand As New OleDbCommand("SELECT DISTINCT Project_Name, DR_Number FROM Workflow", MyConnection)

Create a data reader and put the data returned from the connection into it.
Dim MyReader As OleDbDataReader = MyCommand.ExecuteReader()

While the reader is being read, populate each text box's "AutoCompleteCustomSource" with the unique data returned. MyReader(0) and MyReader(1) are the two columns of the current row (Project_Name and DR_Number, in the order the SELECT lists them). The text boxes are called ProjectNameTextBox and DRNumberTextBox here; use whatever names yours have.
While MyReader.Read()
    ProjectNameTextBox.AutoCompleteCustomSource.Add(MyReader(0).ToString())
    DRNumberTextBox.AutoCompleteCustomSource.Add(MyReader(1).ToString())
End While

Finally, close the reader and the connection so the .mdb file is not left locked.
MyReader.Close()
MyConnection.Close()

There may be a better/more efficient way to do this task, but with my simple programming skills it works for me and is very responsive!

Uninstalling SQL Server Embedded Edition (SSEE)

To uninstall the SSEE that comes with WSUS 3 BETA do the following.
For 32-bit Platforms (x86)
msiexec /x {CEB5780F-1A70-44A9-850F-DE6C4F6AA8FB} callerid=ocsetup.exe

For 64-bit platforms(x64/AMD64)
msiexec /x {BDD79957-5801-4A2D-B09E-852E7FA64D01} callerid=ocsetup.exe

*However, the removal of the application may not remove the default .mdf and .ldf database files, which will cause a subsequent WSUS 3.0 installation to fail. These files can be deleted from the %windir%\SYSMSI\SSEE directory.

These instructions were found on Microsoft's web site.

Issues with Windows Update Services 3 Beta

While trying to troubleshoot our WSUS 3 Beta install today I found a long list of issues with the beta. I now know why our installation failed and the date it failed.

Issue 6: Remote SQL limitations and requirements
WSUS 3.0 offers support for running database software on a computer separate from the computer with the rest of the WSUS 3.0 application.
• You cannot use a server configured as a domain controller for either the front-end WSUS server or the back-end SQL server.

My WSUS server is a domain controller, the WSUS server (our only one at the current time), and its SQL server. It looks like I will be going back to WSUS 2 for the time being until I can get this all figured out.

By the way this is a perfect example of why one should not use BETA software in a production environment.

Also it is important to note that the Embedded Edition of SQL Server is not uninstalled when you uninstall WSUS 3 Beta.

Monday, March 12, 2007

Howto Forge

Over the years I have frequently looked up "Howto" do something. Then recently I noticed a trend. Most of the "Howto's" I was viewing were on Howto Forge.

Howto Forge is mostly for Linux and variants of BSD. They break things down to the OS and then also to specific software, such as Apache, DNS, sendmail, and other common *nix applications/services. I highly recommend this site to anyone that is trying to do something for the first time. Also newbies should read over as much of this as possible to get a feel for how things are done.

The one area I wish they had is Howto's for Windows and Windows based applications such as Microsoft Exchange or Microsoft SQL Server. I know there are sites out on the internet that have the content I am looking for, but I would really like to build a Über-IT knowledge site.

The New Blogger!

Today I noticed that my theme was looking a little funny (I don't read my own blog very often), so I went looking at some of the different theme options available. Then I noticed a setting to upgrade my theme (which would probably break some stuff). I decided that I don't have that much in the way of customization going on, so what the heck.

After the upgrade I was amazed at the simplicity of adding in new content such as AdWords or a RSS feed. It is much the same as using a Personalized Google Homepage. I can create a new page element, move it around, save it, and BOOM my template is updated and ready to go!

I will continue to look around the new Blogger to see what else they have changed on me!

Spiceworks has grown up!

Today Spiceworks has been upgraded to version 1.5!
The biggest (and most requested) feature they brought into this release is multi-user support. Now my boss has access to the same information that I do. (Whether or not he ever uses it is another story. ;) ) They also now allow users to send an email to a specific email address and have it alert me to a new help ticket. I have started putting all help requests into Spiceworks, and any maintenance tasks that I need to do as well, for better tracking / record keeping of what I do to specific systems.

I hope that this wonderful product continues to grow and become even better. They have a large (and growing) community of IT professionals requesting features and asking for support with their networks. I have yet to ask a question myself, but I try to browse them in order to help other users.

I have talked about Spiceworks in a past post. For those of you that don't know, Spiceworks is Information Technology Management software that is free to use. It is geared to small companies with fewer than 250 devices (like ours, though not by much).

There are a few things that I would like to see come into this software in future versions, but none of them are show stoppers. Also a few of the new features still need some polish put on them before I would have users external to our company using this software.

Thursday, March 08, 2007

Test driving Microsoft Server Software

Have you ever wanted to see what Microsoft's newest software is like, but don't want to muck up your current system? Visit the Microsoft Download Center to download Virtual Hard Drives of their newest (mostly server) software. You will need to have Microsoft Virtual PC installed to run these Virtual Hard Drives.

Via the link you can test out Microsoft Windows Server 2003 R2, Microsoft Exchange Server 2007, Microsoft Internet Security and Acceleration Server 2006, and Microsoft SQL Server 2005.

For me this is awesome because it allows me to play with this new software before I see it in the enterprise and allows me to become acclimated to it before I start studying for its certification. Also the temptation to pirate software is no longer there for many IT professionals, since they can get their hands on it legally now.

Monday, January 22, 2007

File Upload Dangers

Recently I wrote a little bit of ASP.NET software to allow our customers to upload files. I set the program to e-mail me a copy of everything to ensure that things are working properly and to track its usage. Over the weekend someone uploaded a file called "titshell.aspx".

I opened the file in Microsoft Visual Web Developer 2005 Express to see if I could understand what it was trying to do, only to see what I thought was Russian text (now I think it might be Turkish, but to be honest I am not sure). I read through the code some more and saw a link to titsecurity.com. I went to the web site but was unable to read any of the forums, except for links to screen shots, the file, and a video on how to use it.

Apparently (though I haven't been able to make it work) it can create a user, add a user to the local Administrators group, create/edit/delete files and folders, delete IIS log files, run SQL commands, disable the Windows Firewall, enable Remote Desktop, get system information (this one works), and upload more files to whatever folder they desire (permissions allowing), which is all scary stuff for someone to be able to do remotely.

To test the program out (how could I not?) I ran the file on a virtual machine, so if it did work I would have been able to revert to a working server quickly.

So how do you guard against this type of attack?

Thankfully most of these actions failed for me because they need administrative privileges on the server, and the IIS worker process that runs the page does not have them (deleting the IIS logs, for example). Do not rely on that alone, though. When I wrote the upload program I told it to store the files in a folder that IIS does not serve (a share elsewhere on the network). The person that uploaded the file was hoping it would land somewhere accessible from the web, where a single request for it would make IIS compile and execute the page and let them do anything the web shell was written to do. Storing uploads outside every web-served directory means no URL ever reaches them; checking the file name and extension against a short list of the types you actually expect, and giving the stored file a name the uploader did not choose, closes the remaining gaps.
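Added example, not the author's ASP.NET code: the checks a hardened upload handler should make, written in Python so the logic is readable regardless of platform. It refuses names containing path separators, NUL bytes or the semicolon trick ("shell.aspx;.jpg") that IIS 6 could be fooled by, rejects any dotted segment the web server would hand to a script engine (so "shell.aspx.jpg" fails too), allows only a short list of expected types, and stores the file under a random name in a directory that is not web-served. The allow-list, the constructed sample names and the temporary store directory are assumptions for the demo; the same checks in ASP.NET would use Path.GetFileName, Path.GetExtension and a store path outside the site root.

```python
"""Hardened file-upload handling: the checks that keep an uploaded
"titshell.aspx" from ever being served or executed by the web server.
Added example (Python, not the post's ASP.NET code); the allow-list and
the store directory are assumptions for illustration."""
import os
import secrets
import tempfile

# Assumption: only these document/image types are expected from customers.
ALLOWED_EXTENSIONS = {".pdf", ".tif", ".tiff", ".jpg", ".jpeg", ".png", ".zip"}
# Extensions the web server (IIS here) would hand to a script engine or run.
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".cgi",
                     ".exe", ".dll", ".config"}


class UploadRejected(ValueError):
    """Raised when the client-supplied file is not acceptable."""


def validate_upload_name(client_name: str) -> str:
    """Return the lower-case extension if the client-supplied name is acceptable.

    Strips any directory part (both slash styles), refuses NUL bytes and the
    semicolon that IIS 6 mis-parsed ('x.asp;.jpg' ran as ASP), checks every
    dotted segment against the server-executable list so 'shell.aspx.jpg' is
    caught, and finally requires the real extension to be on the allow-list.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UploadRejected("empty or directory-like name")
    if "\x00" in base or ";" in base:
        raise UploadRejected("illegal character in filename")
    exts = ["." + part for part in base.lower().split(".")[1:]]
    if not exts:
        raise UploadRejected("no extension")
    if any(ext in SERVER_EXECUTABLE for ext in exts):
        raise UploadRejected(f"server-executable extension in {base!r}")
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {exts[-1]!r} not allowed")
    return exts[-1]


def store_upload(client_name: str, data: bytes, store_dir: str) -> str:
    """Write the upload under a random name the client never chooses.

    store_dir must be outside any directory the web server maps to a URL
    (the post's non-IIS share), so no request can ever reach the file.
    """
    ext = validate_upload_name(client_name)
    dest = os.path.join(store_dir, secrets.token_hex(16) + ext)
    # O_EXCL: never overwrite an existing file, even on a name collision.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return dest


def demo() -> dict:
    """Constructed inputs: the shell from the post plus benign and tricky names."""
    results = {}
    with tempfile.TemporaryDirectory() as store:
        for name in ["titshell.aspx", "scan001.pdf", "../../wwwroot/x.aspx",
                     "photo.aspx;.jpg", "plans.tif.asp", "Drawing.TIF"]:
            try:
                store_upload(name, b"constructed sample bytes", store)
                results[name] = "stored"
            except UploadRejected as why:
                results[name] = f"rejected: {why}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```

Two design points worth noting. The random storage name means nothing the uploader typed ever becomes part of a path on your server, which removes traversal and overwrite tricks in one step. And the validation is an allow-list, not a block-list: the executable-extension set is there only to give a clearer rejection message, because any extension not explicitly expected is refused anyway.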

Tuesday, January 09, 2007

Windows Software Update Services 3.0 Beta 2

For those of you that are using the current WSUS 2, be warned that 3.0 is coming your way. The good news is that you want this version. If you are still (god forbid) running SUS you will be happy to know that Microsoft has extended its life until July 10th, 2007. You can read more about the extension here.

The feature that I am most excited about in WSUS 3 is separate metadata and content channels. This means that I can sync my downstream server with the master server in headquarters and download the actual patches from Microsoft. Why might I want to do this? Because we only have a T-1 line to the net in HQ, but our branch office has a cable connection with 5 Mbps down. It will be way faster for the branch office to download from Microsoft than from HQ.

Also the API allows for support of "Optional Installations", so I can approve IE7 for my users and those that want it can install it, and those that don't want it or cannot use it don't have to worry about it.

The single biggest change in WSUS 3 over WSUS 2 is that instead of a web interface (which also requires IIS to be installed) you use an MMC snap-in to control the WSUS server. MMC must be version 3 on the server, and on the client if you want to remotely administer WSUS.

You can read more about WSUS 3.0 here or you can download it here. (After registering for the beta, which ends on January 19th, 2007.) Also note that there are two prerequisites for WSUS 3: you will need MMC 3.0 and Microsoft Report Viewer installed on your Windows 2003 server.