Friday, February 29, 2008

Leap Year Error in Exchange 2007

Trouble with your Exchange 2007 list service failing to respond today? Go home and try again tomorrow - it's a leap year.


Users around the world are reporting in the Microsoft Exchange Server Admin forum that they are unable to create new email and domain acceptance policies today, February 29. When they advance the clock on the Exchange server to March 1, 2008 the policies work as expected.

The issue is preventing admins from moving mailboxes within their Exchange 2007 servers. They get the error:

"The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error."

If you do decide to change your server time, be sure to stop and disable the Windows Time service on the Exchange server to prevent the time from resynchronizing with the Domain Controllers. Also be aware of other side effects, such as message tracking and log changes, etc.

Update: Nino Bilic from the Microsoft Exchange team has confirmed this problem on the Exchange Team Blog:

"After investigation of this problem we have learned that this problem would occur only if you have started or restarted the Microsoft Exchange System Attendant service between 12:00AM UTC, Feb 29, 2008 and 12:00AM UTC, Mar 1, 2008.

"If you are impacted by this, all that you have to do is restart the Microsoft Exchange System Attendant service after the midnight UTC, March 1, 2008. Restart of the System Attendant will not disrupt your Information Store service."

Thursday, February 28, 2008

Create a Saved Query that Displays Group Members


Saved Queries in Active Directory Users and Computers (ADUC) allow you to create simple or advanced LDAP queries against the Active Directory that can be saved, reused and edited. Examples might be a query displaying all locked out users in the domain or all the users who have a mailbox on a particular Exchange server and have the word "Manager" in their title.


A client I worked with needed a query that displayed all the members of a certain (large) group. This would allow him to select all the users at once and move their mailboxes to another server.


Try as he might, he couldn't get the query to display the group's members. It turns out this is because the group name must be entered using its distinguished name. Here's how to do it:


  • Use ADSIEdit.msc (in the Windows Support Tools) and navigate to the group

  • View the properties of the group to reveal the distinguishedName attribute value and copy it to the clipboard (shown above)

  • Open ADUC, right-click Saved Queries and select New query

  • Enter a name for your query, "Accounting Group Members"

  • Click the Define Query button

  • Select Users, Contacts, and Groups from the Find: dropdown list

  • Click the Advanced tab

  • Click Field > User > Member of

  • With the condition of "is (exactly)", paste the group's distinguishedName into the Value field and click Add

  • Click OK twice to complete the query
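The saved query built in the steps above comes down to an LDAP filter on the memberOf attribute. As an added example (not code from the original post), this PowerShell builds that kind of filter outside ADUC, escaping the distinguished name for use in a filter value per RFC 4515. The group DNs are constructed placeholders, the filter is narrowed to user objects as an assumption, and the -Nested switch goes beyond the steps above by also matching members of nested groups.

```powershell
# Added example: not part of the original post.
# Function names and the group DNs at the bottom are hypothetical/constructed.

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter value (RFC 4515).
    # The backslash must be handled first so later escapes are not re-escaped.
    param([Parameter(Mandatory=$true)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function New-GroupMemberFilter {
    param(
        [Parameter(Mandatory=$true)][string]$GroupDN,
        [switch]$Nested   # also match users who are members through nested groups
    )
    $dn = ConvertTo-LdapFilterValue -Value $GroupDN
    # 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
    $attr = if ($Nested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    # Assumption: only user objects are wanted (the goal was moving mailboxes).
    "(&(objectCategory=person)(objectClass=user)($attr=$dn))"
}

function Get-GroupMember {
    # Runs the filter against the current domain. Note that memberOf does not
    # list a user's primary group (for example Domain Users).
    param(
        [Parameter(Mandatory=$true)][string]$GroupDN,
        [switch]$Nested
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = New-GroupMemberFilter -GroupDN $GroupDN -Nested:$Nested
    $searcher.PageSize = 1000   # page the results so large groups are not truncated
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

# Constructed DNs. The second contains parentheses and an escaped comma,
# both of which would break or alter the filter if pasted in unescaped.
New-GroupMemberFilter -GroupDN 'CN=Accounting,OU=Groups,DC=example,DC=com'
New-GroupMemberFilter -GroupDN 'CN=Accounting (West\, US),OU=Groups,DC=example,DC=com' -Nested

# On a domain-joined machine:
# Get-GroupMember -GroupDN 'CN=Accounting,OU=Groups,DC=example,DC=com'
```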

Wednesday, February 27, 2008

Handy UTC/GMT Time Converter Website

Don't you love it when you come across a nifty little tool that makes your life easier?

WorldTimeServer.com is a free website that offers lots of cool little tools that help you work with time around the world. Important to me is the Time Zone Calculator, which lets you enter a UTC time and converts it to your local time (or any other timezone, for that matter). This is extremely useful when troubleshooting SMTP headers, especially with all the changes in DST lately.

SCOM 2007 SP1 Upgrade Notes


I upgraded a client's SCOM 2007 infrastructure today from SCOM SP1 RC (build 6246) to SP1 RTM (build 6278).

No real problems encountered, except I should have followed my own #1 rule: Always restart your server before installing a major update. The only issue I ran up against was that the upgrade hung when installing the Management Packs on the Root Management Server (RMS). I reviewed the event logs during the install and found three of these events:
The OpsMgr Config Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Followed one minute later with:
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the OpsMgr Config Service service, but this action failed with the following error:
An instance of the service is already running.
I'm not sure that these caused the hang, but after I canceled the installation, restarted the RMS server and reinstalled SP1 again, it worked fine with no errors.


My biggest recommendation is to thoroughly read the online version of the SCOM SP1 Upgrade Guide before beginning your upgrade. The online version includes notes that didn't make it into the release notes included in the SP1 package itself. Particularly important are the notes about having to repair all agent installations if you are upgrading from SP1 RC, like I was.

The upgrade path for SP1 is very strict and must be performed in this order:
  1. Prerequisite work (expanding the database and logs), disabling notification subscriptions (why, oh why, can't we do this against multiple subscriptions at once!), and removing pending agent installations.


  2. Upgrade the RMS


  3. Upgrade the Reporting Server


  4. Upgrade stand-alone Management Consoles


  5. Upgrade Management Servers


  6. Upgrade Gateway Servers


  7. Upgrade (or in my case, repair) Agents on managed computers


  8. Upgrade the Audit Collection Service (ACS) server


  9. Reboot the SCOM servers (my suggestion, not required) and re-enable the subscriptions
The entire upgrade took about 3 hours to upgrade nine SCOM servers and 289 managed computers.


And there was great rejoicing


Mark Russinovich (Computer God Extraordinaire) released a free Microsoft plugin that provides right-click Run-as functionality for any application.


Now when you right-click any application a Run as and Run as different user option will be displayed in the actions menu. Sweet!

Tuesday, February 26, 2008

SCOM SP1 Released

In case you didn't know (I didn't until today), Microsoft quietly released System Center Operations Manager 2007 SP1 on February 22nd.

If you're upgrading from SP1 RC1, like I am, be sure to read important information about upgrading from the Operations Manager Product Team Blog:
If users are upgrading from SP1 RC (6246) to SP1 RTM (6278) then they will need to run repair to upgrade the agents rather than approve them from pending management view. This was not called out in the upgrade document we shipped in SP1. We have updated the web version of the upgrade guide as well as the release notes.
I'm hopeful that this release will fix a bunch of issues I've been having.

TechEd 2008 ITPro Conference Sessions

The Microsoft TechEd 2008 ITPro Conference Session Catalog is now online! You can browse over 770 different session types for TechEd IT Professionals. You can rate each session (1-5 stars) to supposedly allow Microsoft to fine tune the session(s) to fit your needs.

Top Ten Reasons to Move to Exchange 2007

Here are some key features and technologies Exchange Server 2007 provides that make a good business case for its use:
  • Fault Tolerance -- Exchange 2007 offers several forms of fault tolerance, right out of the box:

    • Local Continuous Replication (LCR) maintains a continuously updated copy of the active mailbox database on a different LUN to provide immediate failover capability if the active database becomes corrupt. The second copy is activated manually by the administrator.

    • Cluster Continuous Replication (CCR) is a local cluster model where each node maintains its own database and replication is performed using log shipping. In the event of failure of a service, the cluster services immediately fail over to the passive node and continue servicing client requests, minimizing client downtime. CCR clusters can be stretched over distance, providing geographically dispersed clusters.

    • Standby Continuous Replication (SCR) is similar to CCR, but the failover node resides in a different geographic location. It utilizes log shipping for replication and the Hub Transport servers "fill in the blanks" for messages that may not have replicated since the time the active node went offline.


  • Disaster Recovery -- Outlook 2003 and Outlook 2007, along with the fault tolerance technologies listed above, provide a quick and easy disaster recovery strategy for nearly any outage. Outlook Exchange cached mode is another key technology in making disaster recovery as seamless as possible.


  • Mailbox Server Consolidation -- As a 64-bit messaging platform, Exchange 2007 is able to accommodate much larger mailboxes and mailstore databases than ever before. This allows you to greatly consolidate the number of mailbox servers needed to support the same number of users.


  • Exchange Edge Server -- Edge Server for Exchange is a non-domain server that acts as the SMTP gateway between the Internet and SCIF's internal network. It replaces both the current SMTP gateway and Interscan servers, saving both hardware and software costs. It provides anti-spam and anti-virus services for the organization. EdgeSync is a process that synchronizes the email addresses in AD and the user Junk Mail safe lists/block lists with the Edge server to reduce spam at the network edge.


  • Better Integration with Outlook -- Suspected spam that is not blocked by the Edge server is delivered to Outlook's built-in Junk E-mail folder. Users can choose to block or allow emails from users or domains directly from Outlook without the need for third-party software.


  • Forefront Security for Exchange -- Forefront antivirus is included with the Exchange 2007 Enterprise CAL. Forefront allows you to choose up to five different antivirus engines (from a collection of nine) that all emails are scanned against. This provides more defense in depth than previously possible.


  • Corporate Managed Folders -- Managed folders allow administrators to configure common corporate folders, each with a specific retention period, that will display in users' Outlook and OWA. For example, a folder named Legal may have a seven year retention policy. Any items in this folder older than 7 years will automatically be purged to maintain the company's corporate retention policy.


  • Improved Outlook Web Access -- Outlook Web Access (OWA) has been improved to provide much better performance and usability. The Private computer security setting now allows you to stay logged in for up to 24 hours. Calendaring and scheduling have been greatly improved. OWA now provides the ability to open another user's mailbox (assuming you have the appropriate rights to do so). Public Folders now open in the same OWA window. Searching for an email item takes only seconds, no matter how large the mailbox is.


  • Remote Access to Network Shares -- OWA provides the ability to "translate" UNCs to internal network shares. For example, if you click a link for //hofs01/share/CIOMeeting.ppt, OWA will fetch the document from the internal network (assuming you have rights to the document) and deliver it to you in OWA. You can also open a Windows SharePoint Services or file share by typing the address of the share to open directly in OWA.


  • WebReady Document Viewing -- WebReady Document Viewing renders common document types for you to view within OWA, even if the application is not installed on that computer. For example, if you want to view an Excel attachment from a machine that does not have Excel installed, click the "View as web page" link next to the attachment. Exchange 2007 will convert the spreadsheet to a web page for you to review.




Monday, February 25, 2008

TechEd for Novices

Scott Dorman published a GREAT article, TechEd for Novices, 2008 Edition. Lots of good information here for the novice and pro alike!

He covers session types, information on building your schedule, CommNet and dealing with information overload. Be sure to check it out!

Ease up on Silverlight already!

It seems you can't use any Microsoft website anymore without being nagged to install Silverlight.

While I love "the next generation of media experiences and rich interactive applications for the Web" as much as the next guy, I don't know what value it's going to bring to sites like TechNet, MSDN, etc. My chief complaint is the slow performance of Silverlight on RDP sessions. Most administrators perform their work using RDP and the abysmal performance of Silverlight enabled websites (or any website that uses transition effects) prevents administrators from getting their job done.

It might be nice if there were an option in the RDP client to allow Silverlight, just like there is one to allow menu and window animation. Just thinking out loud here...

Friday, February 22, 2008

Troubleshooting Exchange 2007 9646 Errors

A client has users who have been migrated from Exchange 2003 to Exchange 2007 SP1, running on Windows Server 2003 SP2.

After a while, users are no longer able to connect via Outlook to Exchange - OWA continues to function, but Outlook (2K3 and 2K7) stops working.

This is because of a new feature in Windows 2003 SP2 that enables "Scalable Networking" - In short, it shuts down closed connections to the server, but it doesn't play well with Exchange. When Outlook connects over several MAPI sessions, the unused ones are shut down by Windows, but they aren't closed cleanly and Exchange still sees them as open sessions.

Once the user has 32 open sessions (a combination of valid and invalid ones) - Exchange cuts them off and event ID 9646 errors are seen on the mailbox server event log:
Mapi session "/O=BLATHER/OU=PACIFICA/cn=Recipients/cn=CooperH" exceeded the maximum of 32 objects of type "session".

A hotfix will be released in late March that addresses the issue, but the short term fix is to run the following command from the command line on all Exchange 2007 mailbox servers:

Netsh int ip set chimney DISABLED
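To see which mailboxes are hitting the session limit before and after disabling chimney offload, the 9646 event text can be parsed and counted per user. This is an added example, not part of the original post; the function name is hypothetical and the sample messages are constructed from the event text quoted above.

```powershell
# Added example: not part of the original post.
function Get-MapiSessionLimitHit {
    # Takes 9646 event message strings, returns a per-user count of
    # "exceeded the maximum ... of type session" events, highest first.
    param([Parameter(Mandatory=$true)][string[]]$Message)

    $pattern = 'Mapi session "(?<dn>[^"]+)" exceeded the maximum of ' +
               '(?<max>\d+) objects of type "(?<type>[^"]+)"'

    $hits = foreach ($m in $Message) {
        if ($m -match $pattern) {
            New-Object PSObject -Property @{
                # Last cn= component of the legacy DN is the mailbox alias
                User  = ($Matches['dn'] -split '/cn=')[-1]
                Limit = [int]$Matches['max']
                Type  = $Matches['type']
            }
        }
    }

    $hits | Where-Object { $_.Type -eq 'session' } |
        Group-Object User |
        Sort-Object Count -Descending |
        Select-Object Name, Count
}

# Constructed sample messages (same format as the event quoted in the post)
$sample = @(
    'Mapi session "/O=BLATHER/OU=PACIFICA/cn=Recipients/cn=CooperH" exceeded the maximum of 32 objects of type "session".',
    'Mapi session "/O=BLATHER/OU=PACIFICA/cn=Recipients/cn=CooperH" exceeded the maximum of 32 objects of type "session".',
    'Mapi session "/O=BLATHER/OU=PACIFICA/cn=Recipients/cn=SampleUser" exceeded the maximum of 32 objects of type "session".',
    'Unrelated application event text'
)
Get-MapiSessionLimitHit -Message $sample

# On a mailbox server, feed it the real events from the last day:
# $msgs = Get-EventLog -LogName Application -After (Get-Date).AddDays(-1) |
#     Where-Object { $_.EventID -eq 9646 } | ForEach-Object { $_.Message }
# Get-MapiSessionLimitHit -Message $msgs
```

A count that stops growing after the netsh change is applied is a quick confirmation that the stale sessions came from the offload feature.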

The following articles discuss the technology and the issue:

Friday, February 15, 2008

The Games have begun!

The Microsoft 2008 Scripting Games begin today!
Be sure to log in and download your Competitor’s Pack, review the events, take a look at the challenges and prizes.
Good luck!

Thursday, February 14, 2008

Vista SP1 is available!

Happy Valentine's Day!

Microsoft has released Windows Vista SP1 for your download pleasure. TechNet subscribers can go to the TechNet website and view the "Top Subscriber Downloads" section.



MSDN subscribers can download it from MSDN.



If you're not a TechNet or MSDN subscriber, expect to see it show up in Windows Update in March. It will first be an optional update and later a critical update.



Fix for SCOM Aggregate Health State Errors


Microsoft System Center Operations Manager (SCOM) sometimes displays that the aggregate state of the Health Service is unhealthy, but each of the component states is healthy, as in the example above. If you open Health Explorer everything looks healthy and there doesn't seem to be a way to clear this condition.

There are other times when the Health Rollup state is in an unhealthy state, but all the child items are healthy, as shown in this example:



To fix both of these conditions, you need to put the server, Health Service and Health Service Watcher into maintenance mode for 5 minutes. Here's how to do it:

  • Open the SCOM 2007 Operations Console and configure two new state views. You'll only need to do this once:

    • Open the Monitoring node

    • Right-click Monitoring and create a new state view called Health Service, show data related to: Health Service. Click the Display tab and sort columns by State, Descending

    • Right-click Monitoring and create a new state view called Health Service Watcher, show data related to: Health Service Watcher. Click the Display tab and check Agent. Sort columns by State, Descending

  • Now put the affected servers and their Health Services and Health Service Watchers into maintenance mode for 5 minutes (the minimum duration)

Once the servers come out of maintenance mode the condition will be cleared. This problem is expected to be resolved in SP1, which is due very soon.

Tuesday, February 12, 2008

New File Extensions Blocked in Outlook 2003 SP3

 
After several months of testing, a client recently deployed Service Pack 3 for Microsoft Office 2003 to nearly 10,000 clients via WSUS. They have a scripted routine that they follow during testing of patches and updates to ensure that there are no interoperability issues, but of course, you can't test everything. I mean, how are you going to know that a certain update will prevent an HP 4200 printer from feeding from the secondary paper tray? And yes, I've actually seen that happen.

Well, shortly after deployment they started getting complaints that emails with links to Public Folders (XNK files) couldn't be opened in Outlook 2003. Could it be that Microsoft actually did this on purpose? After an hour or so of re-reading all the scattered documentation for Office SP3, including Information about certain file types that are blocked after you install Office 2003 Service Pack 3 and the Downloadable list of issues that the service pack fixes, I couldn't find anything that documented this change.

I opened a case with Microsoft and found that not only are XNK extensions blocked, but several others are as well. Here's an unofficial list of the extensions blocked by Outlook 2003 SP3:


| File Extension | File Type |
|---|---|
| .ade | Access Project Extension (Microsoft) |
| .adp | Access Project (Microsoft) |
| .app | Executable Application |
| .asp | Active Server Page |
| .bas | BASIC Source Code |
| .bat | Batch Processing |
| .cer | Internet Security Certificate File |
| .chm | Compiled HTML Help |
| .cmd | DOS CP/M Command File, Command File for Windows NT |
| .com | Command |
| .cpl | Windows Control Panel Extension (Microsoft) |
| .crt | Certificate File |
| .csh | csh Script |
| .der | DER Encoded X509 Certificate File |
| .exe | Executable File |
| .fxp | FoxPro Compiled Source (Microsoft) |
| .gadget | Windows Vista gadget |
| .hlp | Windows Help File |
| .hta | Hypertext Application |
| .inf | Information or Setup File |
| .ins | IIS Internet Communications Settings (Microsoft) |
| .isp | IIS Internet Service Provider Settings (Microsoft) |
| .its | Internet Document Set, Internet Translation |
| .js | JavaScript Source Code |
| .jse | JScript Encoded Script File |
| .ksh | UNIX Shell Script |
| .lnk | Windows Shortcut File |
| .mad | Access Module Shortcut (Microsoft) |
| .maf | Access (Microsoft) |
| .mag | Access Diagram Shortcut (Microsoft) |
| .mam | Access Macro Shortcut (Microsoft) |
| .maq | Access Query Shortcut (Microsoft) |
| .mar | Access Report Shortcut (Microsoft) |
| .mas | Access Stored Procedures (Microsoft) |
| .mat | Access Table Shortcut (Microsoft) |
| .mau | Media Attachment Unit |
| .mav | Access View Shortcut (Microsoft) |
| .maw | Access Data Access Page (Microsoft) |
| .mda | Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft) |
| .mdb | Access Application (Microsoft), MDB Access Database (Microsoft) |
| .mde | Access MDE Database File (Microsoft) |
| .mdt | Access Add-in Data (Microsoft) |
| .mdw | Access Workgroup Information (Microsoft) |
| .mdz | Access Wizard Template (Microsoft) |
| .msc | Microsoft Management Console Snap-in Control File (Microsoft) |
| .msh | Microsoft Shell |
| .msh1 | Microsoft Shell |
| .msh2 | Microsoft Shell |
| .mshxml | Microsoft Shell |
| .msh1xml | Microsoft Shell |
| .msh2xml | Microsoft Shell |
| .msi | Windows Installer File (Microsoft) |
| .msp | Windows Installer Update |
| .mst | Windows SDK Setup Transform Script |
| .ops | Office Profile Settings File |
| .pcd | Visual Test (Microsoft) |
| .pif | Windows Program Information File (Microsoft) |
| .plg | Developer Studio Build Log |
| .prf | Windows System File |
| .prg | Program File |
| .pst | MS Exchange Address Book File, Outlook Personal Folder File (Microsoft) |
| .reg | Registration Information/Key for W95/98, Registry Data File |
| .scf | Windows Explorer Command |
| .scr | Windows Screen Saver |
| .sct | Windows Script Component, Foxpro Screen (Microsoft) |
| .shb | Windows Shortcut into a Document |
| .shs | Shell Scrap Object File |
| .ps1 | Windows PowerShell |
| .ps1xml | Windows PowerShell |
| .ps2 | Windows PowerShell |
| .ps2xml | Windows PowerShell |
| .psc1 | Windows PowerShell |
| .psc2 | Windows PowerShell |
| .tmp | Temporary File/Folder |
| .url | Internet Location |
| .vb | VBScript File or Any VisualBasic Source |
| .vbe | VBScript Encoded Script File |
| .vbs | VBScript Script File, Visual Basic for Applications Script |
| .vsmacros | Visual Studio .NET Binary-based Macro Project (Microsoft) |
| .vsw | Visio Workspace File (Microsoft) |
| .ws | Windows Script File |
| .wsc | Windows Script Component |
| .wsf | Windows Script File |
| .wsh | Windows Script Host Settings File |
| .xnk | Exchange Public Folder Shortcut |

Nothing p$%#es me off more than undocumented changes in functionality. At this point in time, this information is not documented ANYWHERE on Microsoft's website.

I certainly don't mind Microsoft fixing security holes, but for crying out loud, DOCUMENT IT!!! How do they expect us to roll out critical patches and updates if they change functionality and don't tell anyone? No one looks good when that happens.