Monday, January 26, 2009

How to Disable Subnet Prioritization

Windows uses a scheme called "subnet prioritization" to attempt to reduce network traffic by re-ordering DNS round-robin records so that the records that are "closest" to the host are the only records used.

For example, suppose there are three A records in DNS for the same name, appserver.domain.com: one with IP 10.0.8.100, one with 10.0.15.100, and one with 10.0.26.100.


If a Windows client with the IPv4 address of 10.0.15.20 performs a DNS query for appserver.domain.com, subnet prioritization will re-order the IP addresses so that it will always use the 10.0.15.100 address.


Subnet prioritization is enabled by default in both the Windows DNS server and the DNS client.


DNS server subnet prioritization (AKA, netmask ordering) can be demonstrated using the Windows NSLOOKUP command. Repeated lookups of appserver.domain.com from the client always give the same results:


C:\>nslookup appserver.domain.com
Server: dns.domain.com
Address: 10.1.1.10

Name: appserver.domain.com
Addresses: 10.0.15.100, 10.0.8.100, 10.0.26.100


Here, the DNS server is reordering the IP addresses, based on the requestor's IP address. If true DNS round-robin is working, the records would rotate in a (A, B, C), (B, C, A), (C, A, B) fashion. Subnet prioritization obviously throws a wrench in round-robin DNS if you're using that as your load balancing or fault tolerance solution.
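As an added example (not part of the original post), this Python simulation reproduces the effect described above: true round-robin rotates the answer set on every query, while netmask ordering stably puts the record in the client's own subnet first. It assumes the default class C (/24) subnet match and uses the post's three sample records.

```python
# Added example: simulate netmask ordering versus plain DNS round-robin.
# Not code from the original post. ASSUMPTION: a /24 (class C) match, which
# is the default netmask Windows DNS uses for subnet prioritization.
import ipaddress

# Constructed sample data matching the post: three A records for one name.
RECORDS = ["10.0.8.100", "10.0.15.100", "10.0.26.100"]


def netmask_ordered(records, client_ip, prefix_len=24):
    """Move records in the client's subnet to the front; keep the rest in order."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in client_net]
    remote = [r for r in records if ipaddress.ip_address(r) not in client_net]
    return local + remote


def round_robin(records, query_number):
    """Rotate the answer set by query_number, as true round-robin does."""
    shift = query_number % len(records)
    return records[shift:] + records[:shift]


def simulate(records, client_ip, queries, netmask_ordering=True):
    """Return the first address the client sees on each successive query."""
    firsts = []
    for n in range(queries):
        answer = round_robin(records, n)
        if netmask_ordering:
            answer = netmask_ordered(answer, client_ip)
        firsts.append(answer[0])
    return firsts


if __name__ == "__main__":
    # With netmask ordering the client in 10.0.15.0/24 always lands on 10.0.15.100;
    # with it disabled the first answer rotates A, B, C.
    print("netmask ordering on :", simulate(RECORDS, "10.0.15.20", 3))
    print("netmask ordering off:", simulate(RECORDS, "10.0.15.20", 3, False))
```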



To disable subnet prioritization on DNS servers:
  • Open the DNS Management console

  • Navigate to the DNS server and open its properties

  • Click the Advanced tab

  • Uncheck Enable netmask ordering and check Enable round robin

  • Click OK

But this only solves half the problem because the Windows client will reorder the DNS results, too. Repeated nslookups will now show that the IP address for appserver.domain.com is rotating correctly, but pinging appserver.domain.com from the client will still always resolve to 10.0.15.100. You must still disable subnet prioritization on the client.

To disable subnet prioritization on Windows DNS clients:

  • Run Regedit

  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

  • Click Edit > New > DWORD Value

  • Name the new value PrioritizeRecordData (its value data will be 0)

  • Close Regedit

Note: Both of these changes go into effect immediately. There is no need to restart services or the computers.


Thursday, January 22, 2009

Automating Exchange 2007 Prerequisites for Windows Server 2008


Each server role in Exchange 2007 requires Windows prerequisite software before the Exchange role can be installed on a Windows 2008 server.

All Exchange server roles require the Windows PowerShell feature. Other server roles and features are required, depending on the Exchange role(s) you are installing:

  • The Exchange Hub Transport role requires only the Windows PowerShell feature.
  • The Exchange Client Access role requires the Web Server role with the ISAPI Extensions, Web Metabase, IIS6 Management Console, Web Basic Authentication, Web Digest Authentication, Web Windows Authentication, and Web Dynamic Compression role services. It also needs the Windows PowerShell feature. If the CAS will support Outlook Anywhere clients, it will also need the RPC over HTTP Proxy feature.
  • The Exchange Edge Transport role requires the Active Directory Lightweight Directory Services role and the Windows PowerShell feature.
  • The Exchange Mailbox Server role requires the Web Server role with the ISAPI Extensions, Web Metabase, IIS6 Management Console, Web Basic Authentication, and Web Windows Authentication role services. It also needs the Windows PowerShell feature. If the mailbox server will be clustered, it will also need the Failover Clustering feature.
  • The Exchange Unified Messaging role requires the Windows PowerShell and Desktop Experience features.

These server roles and features can be added using the Server Manager UI, but this post focuses on automating the installation from the command line using the ServerManagerCmd utility.

I have created answer files to use with ServerManagerCmd for each Exchange server role:

Note that I have added the Active Directory Domain Services Tools feature to the All-in-One and Mailbox answer files, since most administrators usually install them with these roles. You can remove this from these answer files if you wish.

Also note that all of these answer files will work for the Hub Transport role, since the Hub role only requires PowerShell. It is common to combine the Hub and CAS roles on a single server; in that case, you only need to use the appropriate CAS answer file.

To use these answer files, right-click the answer file above and save it to C:\ on the target Windows 2008 server. Open a Command Prompt and run the following command:

ServerManagerCmd -InputPath C:\answerfile.xml -WhatIf

This will test the answer file you specified and display what the operation will do. Review the output and then run it again without the -WhatIf switch to actually perform the installation. Then install the appropriate Exchange 2007 server role from the DVD.
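The post's own answer files are not reproduced here. As an added example (not the author's files), this Python script builds a ServerManagerCmd answer file for each role from the prerequisite list above. The schema namespace and the Role/RoleService/Feature IDs are assumed to be the Windows Server 2008 ServerManagerCmd identifiers; confirm them on the target with ServerManagerCmd -query before use.

```python
# Added example: generate ServerManagerCmd answer files for Exchange 2007 roles.
# Not the post's own answer files. ASSUMPTION: the namespace and the
# Role/RoleService/Feature IDs are the Windows Server 2008 identifiers as I
# know them; verify them on the target with "ServerManagerCmd -query".
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1"

# IIS role services shared by the CAS and Mailbox roles (from the list above).
IIS_COMMON = ["Web-ISAPI-Ext", "Web-Metabase", "Web-Lgcy-Mgmt-Console",
              "Web-Basic-Auth", "Web-Windows-Auth"]

# Exchange role -> (server roles, role services, features), per the post.
PREREQS = {
    "Hub":     ([], [], ["PowerShell"]),
    "CAS":     (["Web-Server"], IIS_COMMON + ["Web-Digest-Auth", "Web-Dyn-Compression"],
                ["PowerShell"]),
    "Edge":    (["ADLDS"], [], ["PowerShell"]),
    "Mailbox": (["Web-Server"], IIS_COMMON, ["PowerShell"]),
    "UM":      ([], [], ["PowerShell", "Desktop-Experience"]),
}


def answer_file(role, outlook_anywhere=False, clustered=False, ad_tools=False):
    """Return the answer-file XML for one Exchange role.

    outlook_anywhere adds RPC over HTTP Proxy (CAS only), clustered adds
    Failover Clustering (Mailbox only), and ad_tools adds the AD DS tools the
    post bundles with its All-in-One and Mailbox files."""
    roles, services, features = PREREQS[role]
    features = list(features)  # copy so the table is never mutated
    if outlook_anywhere and role == "CAS":
        features.append("RPC-over-HTTP-proxy")
    if clustered and role == "Mailbox":
        features.append("Failover-Clustering")
    if ad_tools:
        features.append("RSAT-ADDS")
    root = ET.Element("ServerManagerConfiguration", {"Action": "Install", "xmlns": NS})
    for r in roles:
        ET.SubElement(root, "Role", {"Id": r})
    for s in services:
        ET.SubElement(root, "RoleService", {"Id": s})
    for f in features:
        ET.SubElement(root, "Feature", {"Id": f})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name in PREREQS:  # e.g. save each as C:\<role>.xml on the target server
        print(name, answer_file(name, outlook_anywhere=True, clustered=True))
```

Save the string for the role you need as C:\answerfile.xml and test it with the -WhatIf run shown above.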

Monday, January 19, 2009

The Case of the Missing E-Mail Addresses Tab

Recently a customer came to me with a problem. One of his users was missing the E-mail Addresses tab on the user object in Active Directory.

The user had been sending and receiving email for months without a problem, and the other Exchange tabs in AD Users and Computers (Exchange General, Exchange Features, and Exchange Advanced) were present. Here's an example:

This happens because the Exchange Alias is missing and the Exchange Recipient Update Service (RUS) cannot update the email addresses. The fix for this is simple -- enter an Alias for the user on the Exchange General tab. Once you do this, the E-mail Addresses tab becomes visible, as shown below.




Sunday, January 18, 2009

Microsoft Begins 20-Part Webcast on Virtualization

Microsoft kicked off a 20-part virtualization webcast series last week on TechNet.

The series covers a wide array of subjects, from "What is virtualization?" to managing your virtual infrastructure. It's presented by Microsoft virtualization evangelists and covers Hyper-V virtualization, as well as System Center Virtual Machine Manager 2008 (VMM 2008).

The series objectives are to not only help you develop technical depth on various virtualization solutions, but to appreciate the essentials of a typical virtualization project in a real world implementation.

Each webcast is about 90 minutes long and is geared toward level 300 technical detail. This looks to be an interesting series.

The series includes the following live webcasts:

If you should miss any one of these webcasts, the content will be recorded and available within a few days from the same site.

Thursday, January 15, 2009

How to Install a new Certificate on ISA 2004

If you use ISA 2004 to secure an SSL-enabled website such as Outlook Web Access (OWA), you need to install a web listener in ISA. This web listener intercepts (listens) for SSL web traffic destined for the HTTPS server.

Usually, you'll set this up when you configure your ISA server, but eventually the certificate you installed will expire and need to be replaced. This post describes how to do this.

In a nutshell, you have to install the certificate on the OWA server, configure IIS to use it, and then export it with the private key as a PFX file. Then you import the PFX file to the Personal store for the local computer on ISA. Just follow the bouncing ball...

First, you need to request and order a new SSL certificate. This can be done several ways, but usually ends with you getting an email from the certificate authority (e.g., Verisign) with your new certificate. The certificate is in the format of:

-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----

You simply need to copy and paste the certificate into Notepad and save it as something like C:\Webmail.cer. Be careful to save only the text from the BEGIN CERTIFICATE line through the END CERTIFICATE line (including the leading and trailing dashes) and nothing else from the email.
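As an added example (not from the original post), this Python check catches the usual copy-and-paste mistakes before you import the .cer file: stray email text outside the markers, a missing or duplicated BEGIN/END line, or a body that is not valid base64. The sample "certificate" is a constructed minimal DER SEQUENCE, not a real certificate.

```python
# Added example: sanity-check a PEM certificate file pasted from the CA's email.
# Not code from the original post.
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_pem_text(text):
    """Return (ok, message). ok is True only when the text is a single
    BEGIN/END block whose body is valid base64 for a DER SEQUENCE."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines.count(BEGIN) != 1 or lines.count(END) != 1:
        return False, "expected exactly one BEGIN and one END line"
    start, end = lines.index(BEGIN), lines.index(END)
    if start != 0 or end != len(lines) - 1:
        return False, "stray text outside the BEGIN/END markers"
    body = "".join(lines[start + 1:end])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64"
    # A DER certificate is an ASN.1 SEQUENCE, which always starts with tag 0x30.
    if not der or der[0] != 0x30:
        return False, "decoded data is not a DER certificate"
    return True, "ok"


def check_pem_file(path):
    """Convenience wrapper for a saved file such as C:\\Webmail.cer."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return check_pem_text(fh.read())


# Constructed sample: the base64 of a minimal DER SEQUENCE stands in for the cert body.
SAMPLE = BEGIN + "\n" + base64.b64encode(b"\x30\x03\x02\x01\x01").decode() + "\n" + END
BAD_SAMPLE = "Dear customer, your certificate is below:\n" + SAMPLE

if __name__ == "__main__":
    print(check_pem_text(SAMPLE))      # (True, 'ok')
    print(check_pem_text(BAD_SAMPLE))  # stray text outside the markers
```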

Now you need to import the certificate into IIS on the web server. Again, there are several ways to do this depending on how you ordered your cert, but this should work every time:

  • Click Start > Run and enter MMC
  • Click File > Add/Remove Snap-in and add the Certificates snap-in
  • Select Computer account > Next > Finish > OK
  • Now you should see the Certificates MMC for the local computer, as shown here:
  • Expand Certificates (Local Computer) > Personal
  • Right-click Personal and select All Tasks > Import
  • Browse to the C:\Webmail.cer file you saved earlier
  • Click Next to store it in the Personal store and Finish to complete the import
  • Don't close the Certificates MMC yet. You'll need it later in this process.

Next, you need to tell IIS to use the new certificate.

  • Open IIS Manager and navigate to the Default Web Site that uses SSL
  • In IIS 6, view the properties of the web site and click the Directory Security tab. Then click Server Certificate, Next and Replace the Current Certificate. Select the new cert you imported and complete the wizard.
  • In IIS 7, click Bindings and edit HTTPS. Then select the new cert you imported and close the Site Bindings window and IIS Manager.

Now that IIS is using the new certificate on the OWA server, you need to export the cert and its private key to import on the ISA server.

  • Now go back to the Certificates MMC and click refresh on Certificates in the Personal store
  • Select the certificate you imported
  • Right-click the certificate and select All Tasks > Export
  • Click Next and choose Yes, export the private key
  • Click Next twice and enter a password for the exported file.
  • Complete the wizard, saving the PFX file in a temporary location
  • Copy the PFX file to your ISA 2004 server

Next, we import the certificate into ISA and configure the ISA listener.

  • On the ISA server, double-click the PFX file you exported
  • Follow the Certificate Import Wizard and place the file in the computer's Personal store
  • Now open the ISA Server Management Console
  • Select the Firewall Policy
  • Click the Toolbox tab on the right and expand Web Listeners
  • Double-click the web listener you want to update to edit it
  • Click the Preferences tab and click Select
  • Select the new certificate and close the listener properties
  • Apply the ISA changes

Finally, you're done!!!

Tuesday, January 13, 2009

Editing the 32-bit Registry on a 64-bit computer

or: How to Stop Worrying and Learn to Love Wow6432Node *

Have you ever edited the registry on a 64-bit computer, but the changes don't seem to go into effect? This usually happens with a 32-bit application (often a 32-bit COM app). Here's why:

On a 64-bit version of Windows, 32-bit applications are redirected to a separate registry view. When a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\ subkey, it actually reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ subkey. A "registry reflector" copies certain values between the 32-bit and 64-bit registry views and resolves any conflicts using a "last writer wins" approach.

So if your 32-bit application is not reading the registry correctly (often because you're enforcing a setting through Group Policy), ensure the setting is being written to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ subkey on 64-bit computers.

Monday, January 12, 2009

How to Move the SMTP Queue in Exchange 2007

Unlike previous versions of Exchange, all SMTP queue activity in Exchange Server 2007 happens in a new ESE database.

By default, this database (and its logs) exists in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue folder. You may wish to move this database and its logs to a separate physical volume for better performance. Here's how to do this:

To Change the Database Path:

1. Open the EdgeTransport.exe.config file in the C:\Program Files\Microsoft\Exchange Server\Bin folder using Notepad

2. Edit the value of the line containing <add key="QueueDatabasePath" ... /> to reflect the new path. For example:

<add key="QueueDatabasePath" value="D:\QueueDB" />

To Change the Database Logs Path:

3. Edit the value of the line containing <add key="QueueDatabaseLoggingPath" ... /> to reflect the new path. For example:

<add key="QueueDatabaseLoggingPath" value="D:\QueueLogs" />

4. Save the file and restart the Microsoft Exchange Transport service
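As an added example (not from the original post), this Python script performs steps 2 and 3 on the config text: it sets both queue path keys under appSettings, adds a key if it is missing, and leaves every other setting untouched. The sample config is constructed here and trimmed to the appSettings section; the real file path and service restart are as described in the steps above.

```python
# Added example: set the queue database and log paths in EdgeTransport.exe.config.
# Not code from the original post. The sample config is constructed and trimmed.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="QueueDatabasePath" value="C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\data\\Queue" />
    <add key="QueueDatabaseLoggingPath" value="C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\data\\Queue" />
    <add key="QueueDatabaseBatchSize" value="40" />
  </appSettings>
</configuration>
"""

PATH_KEYS = ("QueueDatabasePath", "QueueDatabaseLoggingPath")


def set_queue_paths(config_text, db_path, log_path):
    """Return the config with both queue path keys set; a missing key is added."""
    root = ET.fromstring(config_text)
    settings = root.find("appSettings")
    if settings is None:
        settings = ET.SubElement(root, "appSettings")
    for key, value in zip(PATH_KEYS, (db_path, log_path)):
        node = settings.find(f"add[@key='{key}']")
        if node is None:
            node = ET.SubElement(settings, "add", {"key": key})
        node.set("value", value)
    # Note: tostring() drops the <?xml ...?> declaration; when writing the real
    # file use ET.ElementTree(root).write(path, xml_declaration=True, encoding="utf-8").
    return ET.tostring(root, encoding="unicode")


def queue_paths(config_text):
    """Return {key: value} for the two queue path keys (None when absent)."""
    root = ET.fromstring(config_text)
    result = {}
    for key in PATH_KEYS:
        node = root.find(f"appSettings/add[@key='{key}']")
        result[key] = node.get("value") if node is not None else None
    return result


if __name__ == "__main__":
    updated = set_queue_paths(SAMPLE_CONFIG, "D:\\QueueDB", "D:\\QueueLogs")
    print(queue_paths(updated))
```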