
Wednesday, June 17, 2009

Is it down for just me?

Here's a great tip I got from my friend and co-worker, Pete Handley.

Have you ever gone to a website, found out it was down, and wondered if it was just you? Check out http://www.downforeveryoneorjustme.com. You enter a website to check and it'll tell you if it's down for everyone or just you!


Simple and elegant!


Friday, June 12, 2009

Failure of FSW Causes Cluster Group to Failover

The following information was written for Exchange 2007 CCR mailbox clusters, but it pertains to any clustering solution that uses the Windows Server 2008 Node and File Share Majority cluster quorum configuration.

How Does Node and File Share Majority Clustering Work?

Exchange 2007 CCR uses two clustered Exchange mailbox nodes, called a Clustered Mailbox Server (CMS). In order for Windows to know which node is active, it uses a File Share Witness (FSW) to maintain quorum. The FSW is a network share on a third computer (typically a Hub Transport server in the normally active node's physical site). The active node writes information to files in that share and locks them for writing, preventing the passive node from writing to the FSW and taking quorum. It always takes two out of three votes to maintain quorum.

If the active node becomes unavailable, the passive node can write to the FSW and the cluster group fails over. In the case of a total site failure where both the active node and the FSW are offline, both the cluster group and the CMS will fail since there is no quorum (there's only one vote).

What Happens When the FSW Becomes Unavailable?

When the FSW fails, the active CMS node remains active (does not fail over) because there are still two votes (the active and passive nodes). However, the cluster group will fail over to the other node. This is because the File Share Witness resource in Windows Server 2008 is configured to fail over the cluster group when the FSW fails, as shown below.

There really is no reason to fail over the cluster group when the FSW becomes unavailable. It also takes 15 minutes to an hour for the FSW cluster resource to come back online even after the FSW share is available. Here's how to fix this behavior:

  • Open the Failover Cluster Management console
  • Add the cluster name, if necessary, and select it
  • Double-click Cluster Core Resources in the middle pane to expand it
  • Right-click File Share Witness (\\servername\sharename) and select Properties
  • Click the Policies tab
  • Clear the checkbox for, "If restart is unsuccessful, fail over all resources in this service or application"
  • For optimal restart performance, change the "Period for restarts (mm:ss)" to 1 minute and "If all the restart attempts fail, begin restarting again after the specified period (hh:mm)" to 1 minute, as shown below:

This configuration will cause the cluster group to remain on the currently active node if the FSW resource fails. It will also attempt to bring the FSW resource back online once every minute.

This is my current best practice for configuring the File Share Witness resource failure policy.


Thursday, June 11, 2009

How to Verify the AD Schema Level on All Domain Controllers

Whenever I perform schema extensions in Active Directory, I always want to verify that the new schema attributes have replicated throughout the domain's Domain Controllers. Schema extensions are usually necessary for Exchange installations and upgrades, or to prepare a domain for a new version of Windows.

The following batch file will display the value of the rangeUpper attribute for the ms-Exch-Schema-Version-Pt object on every Domain Controller in the target domain.

@echo off
REM Write the RDN of every domain controller in the current domain to DC.lst
dsquery server -o rdn >DC.lst
REM Query each DC directly (-server) so the value comes from that DC's own replica
FOR /F "tokens=1" %%i in (DC.lst) do (
  echo %%i
  dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=yourdomain,dc=com -scope base -attr rangeUpper -server %%i
)

Modify dc=yourdomain,dc=com as necessary for the target domain and save this file as CheckSchemaVersion.bat.

The output will display the name of each Domain Controller and the rangeUpper value. You will know that the schema changes have replicated throughout the domain when each Domain Controller returns the same (highest) value.
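The same check done from PowerShell, as an added example that is not part of the original post: it reads rangeUpper from every DC with System.DirectoryServices and flags the DCs that still lag behind the highest value. It takes the Schema partition DN from RootDSE, so no dc=yourdomain edit is needed and it also works from a child domain (the schema and configuration partitions live under the forest root). It assumes PowerShell 2.0 or later and an account that can read the Schema partition (any domain user can).

```powershell
# Added example, not from the original post. Reports the ms-Exch-Schema-Version-Pt
# rangeUpper value as seen on each domain controller in the current domain.
function Get-ExchangeSchemaVersionReport {
    $schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext.Value
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    $report = foreach ($dc in $domain.DomainControllers) {
        # Bind to the object on this specific DC so we read its replica, not the nearest one
        $path  = "LDAP://$($dc.Name)/CN=ms-Exch-Schema-Version-Pt,$schemaNC"
        $value = $null
        try {
            $entry = [ADSI]$path
            $entry.RefreshCache(@('rangeUpper'))          # forces the bind; throws if the DC is down
            $value = [int]$entry.Properties['rangeUpper'].Value
        } catch {
            Write-Warning "Could not read rangeUpper from $($dc.Name): $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{ DomainController = $dc.Name; RangeUpper = $value }
    }

    # Replication is complete when every DC reports the highest value seen anywhere
    $highest = ($report | Where-Object { $_.RangeUpper } | Measure-Object RangeUpper -Maximum).Maximum
    foreach ($row in $report) {
        $row | Add-Member NoteProperty UpToDate ($row.RangeUpper -eq $highest) -PassThru
    }
}

Get-ExchangeSchemaVersionReport | Format-Table DomainController, RangeUpper, UpToDate -AutoSize
```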


Wednesday, June 10, 2009

Be Aware: Windows Server 2008 SP2 Re-enables Disabled NICs

Be aware that installing Windows Server 2008 Service Pack 2 (SP2) will re-enable any network adapters that were disabled prior to the update. This also affects computers updated with Windows Vista Service Pack 2.

[Before installing SP2]

[After installing SP2]

This is important for several reasons. It is best practice on Hyper-V servers to disable the virtual NIC assigned to VM guests, so that a host with a dedicated management NIC does not use the NICs assigned to VM guests. SP2 re-enables all these virtual NICs, as well.

Sometimes disabled NICs should only be enabled for disaster recovery purposes. Enabling these NICs at startup could have dire consequences in these rare situations.

It's important to understand that if you're using the Windows Firewall, the server applies the most restrictive firewall network profile across all NICs. If your domain-joined computer has more than one NIC, but only the NIC that connects to the domain is enabled, the Windows Firewall uses the Domain Network profile. However, after installing SP2 the computer will start up with all NICs enabled. If the previously disabled NICs are not connected, the Windows Firewall will use the Public Network profile, which uses very different firewall policies, potentially causing service interruptions.

My advice is to document your network connections prior to installing Windows Server 2008 SP2, so you can reconfigure them when you're done with the update.
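One way to do that documenting, as an added example that is not part of the original post: snapshot the adapter states before SP2, then run the restore function afterwards to re-disable whatever SP2 turned back on. It assumes Windows Server 2008 or Vista (Win32_NetworkAdapter.NetEnabled and Disable() are not available on Server 2003) and a snapshot path of C:\Admin\nic-state-before-sp2.csv, which you can change.

```powershell
# Added example, not from the original post. Save-NicState before SP2, Restore-NicState after.
$SnapshotPath = 'C:\Admin\nic-state-before-sp2.csv'   # assumed location

function Get-NicState {
    # NetConnectionID is the friendly "Local Area Connection" name; adapters without one
    # (WAN miniports, tunnel adapters) are not user-managed and are left out.
    Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID IS NOT NULL" |
        Select-Object NetConnectionID, Name, MACAddress, NetEnabled, DeviceID
}

function Save-NicState {
    New-Item -ItemType Directory -Path (Split-Path $SnapshotPath) -Force | Out-Null
    Get-NicState | Export-Csv -Path $SnapshotPath -NoTypeInformation
    Write-Output "Saved adapter state for $((Get-NicState | Measure-Object).Count) adapters to $SnapshotPath"
}

function Restore-NicState {
    # Compare the pre-SP2 snapshot with the live state and disable anything that was
    # disabled before but is enabled now (Export-Csv stores booleans as 'True'/'False').
    $before = Import-Csv $SnapshotPath
    foreach ($now in Get-NicState) {
        $was = $before | Where-Object { $_.NetConnectionID -eq $now.NetConnectionID }
        if ($was -and $was.NetEnabled -eq 'False' -and $now.NetEnabled) {
            Write-Output "Re-disabling '$($now.NetConnectionID)' (was disabled before SP2)"
            $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "DeviceID='$($now.DeviceID)'"
            $rc = $adapter.Disable().ReturnValue          # 0 = success
            if ($rc -ne 0) { Write-Warning "Disable() returned $rc for '$($now.NetConnectionID)'" }
        }
    }
}
```

Disabling an adapter does not remove the IP settings you configured on it, so a disabled adapter that was documented this way comes back exactly as it was before SP2.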


Thursday, June 4, 2009

Just Bing It

You know you've got a winner when your name becomes a verb. How many times have you heard, "Just Google it." Well, that parlance is about to change.

Bing, Microsoft's new search portal, debuted this week to rave reviews. Bing is different from other search engines because of what Microsoft calls Bing's Decision Engine. It gives much more useful and relevant information than competitors, without having to enter arcane search terms. Take a look at this example to see a side-by-side comparison of Bing and Google search results.

I especially love the travel results that Bing offers. Microsoft has merged several technologies together to give easy to consume results with truly meaningful information. For example, a search for airline flights on Bing not only returns the best flights, but predicts whether prices are going up or going down, similar to FareCast.

You can also check flight times simply by entering the airline and flight number in the search window, such as "United 9120" or simply "ua 9120".

The image and video results are very cool, too. Image search results are returned on a single scrollable page rather than dozens of pages you have to click through. Video search results actually play in the results window by simply hovering your mouse over the video.

I'd like to find a way to create a custom portal page that allows me to dashboard the information I'm interested in, such as news, market reports and RSS feeds. I'm still learning all the cool things Bing does, but so far I'm very impressed. I recommend you Bing it to find out for yourself.

Bing. It's not your father's search page.


Wednesday, June 3, 2009

Fix for having to supply credentials when connecting to a Hyper-V guest


One of my customers complained that he was getting the following prompt for credentials whenever he connected to a Hyper-V guest from the host.

Your credentials did not work
Your system administrator does not allow the use of default credentials to log on to the remote computer (computer name) because its identity is not fully verified. Please enter new credentials.

The host Hyper-V server is in a workgroup and the guests are in either a domain or workgroup.

The fix is to allow saved credentials with NTLM-only server authentication on the Hyper-V host. You can do this in the Local Group Policy Editor.

  • Run GPEDIT.MSC on the Hyper-V host
  • Expand Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation
  • Double-click Allow Saved Credentials with NTLM-only Server Authentication
  • Enable the policy
  • Add servers to the list by clicking the Show button and adding your Hyper-V hostname
  • Click OK twice and close Local Group Policy Editor

Now run GPUPDATE on the Hyper-V host to apply the new settings.

Connect to one of the Hyper-V guests, enter your username and password, and check the Remember my credentials checkbox. Hyper-V will no longer prompt for credentials when connecting to any of the guest VMs.


Monday, April 20, 2009

Stop Spamming Yourself!, Part 2

Frequently, you may receive spam from the Internet that appears to come from your own domain name. This is a common tactic used by spammers to bypass spam filters.

In an earlier article, I showed how to configure Exchange 2007 to reject all SMTP emails from the Internet that supposedly come from your own domain name. We did this by adding your domain name to the Sender Filtering / Blocked Senders configuration on the Edge server.

While this works perfectly, it goes against a Microsoft best practice and doesn't provide for any exceptions. This article will show how to accomplish the same thing using an Edge Transport Rule, as well as how to configure an exception. Let's get started.
  • Logon to the Edge Transport server, open the Exchange Management Console, and navigate to Microsoft Exchange > Edge Transport > Transport Rules tab.
  • Click New Transport Rule in the Actions pane to open the New Transport Rule wizard.
  • Enter a name for the rule and any comments, as shown below, and click Next.

  • For the Conditions in Step 1, click "when the From address contains text patterns" and "from users inside or outside the organization"
  • In Step 2, click the words "text pattern" and add your domain name (e.g., expta.com). Click the word "Inside" and change it to "Outside". Click Next.

  • Now we will set the Action to take upon these messages. In Step 1, click "set the spam confidence level to value" and "reject the message with status code and response"
  • In Step 2, set the SCL to "-1". We do this so that the exceptions configured on the next page will not go to the users' Junk E-mail folders in Outlook. Click Next.

  • For the Exceptions in Step 1, click "except when the text specific words appear in a message header"
  • In Step 2, click "specific words" and add the domain of the sending server (e.g., opentable.com). OpenTable.com is an online restaurant reservation system that emails invitations to people when a reservation is made. It spoofs the emailed invitation to look like it came from the sender. Because of this, it would normally be rejected if it weren't for this exception.
  • Click "message header" and enter "Received". Click Next.

  • Click New and Finish to create the new Transport Rule.

The rule will now reject all emails from the Internet that claim to be from your domain name, unless the SMTP Received header contains the text "opentable.com". It will also set the SCL so that messages matching the exception are not classified as spam by Outlook.

The rule above can also be configured using the Exchange Management Shell using the following command:

new-TransportRule -Name 'Reject inbound emails from expta.com' -Comments 'Exception: Opentable.com' -Conditions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromAddressMatchesPredicate','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromScopePredicate' -Actions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SetSclAction','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SmtpRejectMessageAction' -Exceptions 'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.HeaderContainsPredicate' -Enabled $true -Priority '0'

The command above is meant to be entered as one single line.
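The abbreviated one-liner lists the predicate and action class names without their settings. As an added example that is not part of the original post, this is the same rule built from the Exchange 2007 predicate/action objects, to be run in the Exchange Management Shell on the Edge Transport server. It assumes expta.com is your own domain and opentable.com the permitted sending system; the property names used (Patterns, Scope, SclValue, StatusCode, RejectReason, MessageHeader, Words) are those reported by `Get-TransportRulePredicate | fl` and `Get-TransportRuleAction | fl`, so confirm them there before running it.

```powershell
# Added example, not from the original post. Builds the "reject mail from my own domain,
# except via opentable.com" Edge Transport rule with explicit predicate/action objects.
$ownDomain   = 'expta.com'       # assumed: your own SMTP domain
$allowedHost = 'opentable.com'   # assumed: the legitimate spoofing sender

# Condition 1: the From address ends in our own domain (regex, dot escaped)
$fromMatches = Get-TransportRulePredicate FromAddressMatches
$fromMatches.Patterns = @('@' + [regex]::Escape($ownDomain) + '$')

# Condition 2: ...and the sender is outside the organization (the Internet)
$fromScope = Get-TransportRulePredicate FromScope
$fromScope.Scope = 'NotInOrganization'

# Action 1: SCL -1 so messages that fall under the exception are never junked by Outlook
$setScl = Get-TransportRuleAction SetScl
$setScl.SclValue = -1

# Action 2: reject during the SMTP session rather than accepting and then discarding
$reject = Get-TransportRuleAction SmtpRejectMessage
$reject.StatusCode   = '550'
$reject.RejectReason = 'Mail claiming to be from this domain is not accepted from the Internet'

# Exception: a Received header naming the permitted sender. Received headers are not
# authenticated, so keep this list to the few systems you have actually verified.
$headerExc = Get-TransportRulePredicate HeaderContains
$headerExc.MessageHeader = 'Received'
$headerExc.Words = @($allowedHost)

New-TransportRule -Name "Reject inbound emails from $ownDomain" `
    -Comments "Exception: $allowedHost" `
    -Conditions @($fromMatches, $fromScope) `
    -Actions @($setScl, $reject) `
    -Exceptions @($headerExc) `
    -Enabled $true -Priority 0
```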


Wednesday, April 15, 2009

Fix for Duplicate Contacts Lists in Outlook

Sometimes you may find that a user has multiple Contacts address books listed in Outlook. This can occur when invalid references exist in the Outlook Address Books.

Remove the invalid reference to a contacts folder in Outlook:

Tools > E-mail Accounts > View or change existing directories or address books > Outlook Address Book > Change...

Select the duplicate Outlook Address Book(s) and click Remove Address Book for each duplicate.


Friday, April 3, 2009

Fix for 0x8024400E Errors on WSUS Clients

You may have problems with WSUS clients that are not able to download updates from WSUS. Check the %SystemRoot%\WindowsUpdate.log file for the following error:

2009-03-27 11:55:29:193 1044 afc PT WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200

Resetting the client by clearing the SoftwareDistribution folder and forcing the Automatic Updates client to detect new updates results in the same error.

This is caused by a revision to the 'Office 2003 Service Pack 1' update. It results in some WSUS 3.0 servers entering an inconsistent state with respect to the update's approvals. When computers with products related to Office 2003 sync to a WSUS server with this revision, the web service is unable to process the approvals, resulting in the detection failure.

To fix this problem, approve and then decline the Office 2003 Service Pack 1 update in WSUS. Here are the steps to do this:

  • Open the WSUS Administration console

  • Find the Office 2003 Service Pack 1 update in the updates list. You may have to change the Approval and Status filters to find it. Set the Status to Any and the Approval to Declined. If you still don't see it then set the Approval to Any except Declined.

  • First, make sure the update is declined. If the update is not yet declined, right-click the update and decline it.

  • Next, approve the update. Right-click the update and select the Approve... option in the context menu. Click OK in the Approve Updates dialog that opens (no need to change any options here). Dismiss the Approval Progress dialog that appears.

  • Next, decline the update. Right-click the update and select Decline.

The computers that were failing detection will now successfully complete detection against the WSUS server and receive any applicable updates.

Note: If you have a hierarchy of WSUS servers, these steps must be performed on each server, starting with the top-level server. If one of the servers is a replica downstream server, you must first change it to be autonomous, then perform the steps above, then change it back to being a replica. This can be done from the Options/Update Source and Proxy Server Dialog in the WSUS Administration console.

Also, take a look at KB 954960 - Some computers do not receive updates from the WSUS server. It includes a hotfix for WSUS 3.0 SP1 servers that prevents the problem from reoccurring.
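The decline/approve/decline cycle scripted against the WSUS 3.0 administration API, as an added example that is not part of the original post, so it can be repeated on every server of a hierarchy from the top down. It assumes it runs on the WSUS server itself (where the Microsoft.UpdateServices.Administration assembly is installed), that the update title is exactly 'Office 2003 Service Pack 1', and it refuses to run on a replica, matching the note above.

```powershell
# Added example, not from the original post. Resets the approval state of one update.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Reset-WsusUpdateApproval {
    param([string]$Title = 'Office 2003 Service Pack 1')   # assumed exact title
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

    # A replica cannot approve anything; switch it to autonomous first, as the note says
    if ($wsus.GetConfiguration().IsReplicaServer) {
        throw "$($wsus.Name) is a replica downstream server; make it autonomous before running this."
    }

    # SearchUpdates is a substring search, so pin the title exactly
    $found = @($wsus.SearchUpdates($Title) | Where-Object { $_.Title -eq $Title })
    if ($found.Count -eq 0) { throw "No update titled '$Title' on $($wsus.Name)." }

    $allComputersId = [Microsoft.UpdateServices.Administration.ComputerTargetGroupId]::AllComputers
    $allComputers   = $wsus.GetComputerTargetGroup($allComputersId)
    $install        = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

    foreach ($update in $found) {
        Write-Output "Resetting approvals for '$($update.Title)' revision $($update.Id.RevisionNumber)"
        $update.Decline()                                    # 1. make sure it is declined
        $update.Approve($install, $allComputers) | Out-Null  # 2. approve for All Computers
        $update.Decline()                                    # 3. decline it again
    }
    return $found.Count
}

Reset-WsusUpdateApproval
```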


Saturday, March 28, 2009

How to Hide a User Account on the Logon Screen


Maybe you created a user account on your XP computer so your nephew could use it when he was visiting you. Now he's gone home and you really don't want to see that account choice every time you log on to Windows, but you also don't want to just delete the account because he'll probably be back again next year. Here's how to hide an account from the logon screen:

  • Before editing the registry, always back it up just to be safe.

  • Open the registry editor and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Note: The SpecialAccounts \ UserList keys may not exist on your computer. If they do not, create them.

  • In the right pane, you'll see a list of items that correspond to the user accounts that exist on the computer but are not shown on the logon screen. You'll probably be surprised at how many there are.

  • Right-click an empty space in the right pane, select New > DWORD Value, then right-click the new value and rename it to the exact name of the user account you want to hide.

  • Close the registry editor.

Now the account name won't show up on the logon screen. You can unhide the account at any time by deleting the registry key you created. Your nephew can still log onto the account while it's hidden. Just press CTRL+ALT+DEL twice in a row at the logon screen and you'll get the logon dialog box that allows you to type in the username.

Note: This tip works for Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2. The SpecialAccounts key may not exist by default, but if you create it as specified above it works a treat!

Additional Note: I've discovered this tip does not work in Windows Vista because Microsoft removed the "Classic Logon" functionality from this OS. You can still hide the account, but you won't be able to log on as this hidden account by pressing Ctrl-Alt-Del twice. You can, however, still switch to this account using user account switching.

Thanks to Deb Shinder for the tip!
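The same registry edit from PowerShell, as an added example that is not part of the original post: it checks that the local account really exists before creating the value (the value name must match the account name exactly), can unhide it again, and lists what is currently hidden. It assumes an elevated PowerShell on the machine being changed.

```powershell
# Added example, not from the original post. Hide/unhide local accounts on the logon screen.
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Hide-LogonAccount {
    param([Parameter(Mandatory=$true)][string]$UserName)
    # A value named after a non-existent account does nothing, so verify the account first
    $account = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$UserName'"
    if (-not $account) { throw "No local account named '$UserName' on this computer." }
    if (-not (Test-Path $UserListKey)) { New-Item -Path $UserListKey -Force | Out-Null }
    # DWORD 0 hides the account; 1 would show it again
    New-ItemProperty -Path $UserListKey -Name $UserName -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Output "'$UserName' is now hidden from the logon screen"
}

function Show-LogonAccount {
    param([Parameter(Mandatory=$true)][string]$UserName)
    # Deleting the value restores the default behaviour, as the post describes
    Remove-ItemProperty -Path $UserListKey -Name $UserName -ErrorAction SilentlyContinue
    Write-Output "'$UserName' is visible on the logon screen again"
}

function Get-HiddenLogonAccount {
    if (-not (Test-Path $UserListKey)) { return @() }
    # Skip the PS* metadata properties the registry provider adds to the object
    (Get-ItemProperty -Path $UserListKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}
```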


Friday, March 27, 2009

Exchange Server Remote Connectivity Analyzer


More Exchange 2007 goodness from the Microsoft Exchange Team!

Have you ever installed an Exchange server and wanted to verify your Internet-facing services were set up and configured properly? Things like Exchange ActiveSync, AutoDiscover, Outlook Anywhere (RPC/HTTP), and inbound email. Sure there are cmdlets included in Exchange 2007 like test-ActivesyncConnectivity and test-OWAConnectivity, but these tests can only be run inside your network and effectively only test your internal network connectivity. Or what if you get a call or an escalation regarding one of these services not working? How do you verify if just this user or everyone has a problem? And if there is a problem, where do you start troubleshooting? Is it a DNS problem? Is it a certificate problem? Is a port not open on the firewall?

I'd like to introduce you to the Exchange Remote Connectivity Analyzer (ExRCA) tool which can be accessed at https://www.TestExchangeConnectivity.com.

In this version, the tool will allow you to remotely test the following client types and services:

Exchange ActiveSync

  • Windows Mobile 5, 3rd party devices

  • Windows Mobile 6.1+ with AutoDiscover

Outlook Anywhere (aka RPC/HTTP)


  • Outlook 2003

  • Outlook 2007 with AutoDiscover

Inbound SMTP

The tool will simulate the protocol logic used by the specific client and not only tell you if the scenario was successful, but if it fails, it will tell you exactly where in the process it failed as well as try to guide you to the problem resolution.

Read more about the tool and how it works here!


Thursday, March 26, 2009

Breaking the Artificial Database Size Limit in Exchange 2007 Standard Edition


Exchange Server 2007 has a theoretically unlimited database storage capacity. In reality the limit is 16TB, and this limit is the same in both Standard and Enterprise editions. The storage differences between these two editions have to do with the maximum number of storage groups and databases that can be placed on each server.


Exchange 2007 Standard Edition:
Storage Group – up to 5, Database per SG – up to 5, Database limit – 16 TB.

Exchange 2007 Enterprise Edition:
Storage Group – up to 50, Database per SG – up to 50, Database limit – 16 TB.


Even though E2K7 Standard has a hard 16TB database size limit, there is an artificial limit imposed in the registry. The default cap in RTM is 50GB and the default cap in SP1 is 150GB. Here's how to change this artificial limit:

  • Open RegEdit and navigate to:

HKLM \ SYSTEM \ CurrentControlset \ Services \ MSexchangeIS \ servername \ Private-{respective-DB-GUID}

  • Create a new DWORD value "Database Size Limit in Gb"


  • Assign its decimal value (in GB). For example, enter decimal 200 for a 200GB artificial limit.


  • Restart the Microsoft Exchange Information Store service

Note: E2K7 Enterprise Edition does not have an artificial limit.

Note: If the Exchange Server Best Practices Analyzer (ExBPA) finds that the Database Size Limit in Gb value is present and configured, the Exchange Server Analyzer displays a non-default configuration message.
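The registry change scripted from the Exchange Management Shell, as an added example that is not part of the original post: it resolves the Private-{GUID} key from the database's own GUID instead of matching GUIDs by eye, creates the DWORD, and optionally restarts the Information Store. It assumes a Standard Edition mailbox server, PowerShell 2.0 or later, and the database identity and 200 GB limit shown in the last line.

```powershell
# Added example, not from the original post. Sets the artificial database size cap on E2K7 Standard.
function Set-E2K7DatabaseSizeLimit {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,   # e.g. "MBX01\First Storage Group\Mailbox Database"
        [Parameter(Mandatory=$true)][int]$LimitGb,       # decimal GB, as the post describes
        [switch]$RestartStore
    )
    $db = Get-MailboxDatabase -Identity $Identity
    if (-not $db) { throw "Mailbox database '$Identity' not found." }

    # Locate the database's key by its GUID without assuming brace/case formatting
    $isKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$($db.ServerName)"
    $dbKey = Get-ChildItem $isKey | Where-Object { $_.PSChildName -like "Private-*$($db.Guid)*" }
    if (-not $dbKey) { throw "No Private-{GUID} key for '$($db.Name)' under $isKey" }

    # The store only reads this value when it starts, hence the optional restart
    New-ItemProperty -Path $dbKey.PSPath -Name 'Database Size Limit in Gb' `
        -PropertyType DWord -Value $LimitGb -Force | Out-Null
    Write-Output "Set '$($db.Name)' limit to $LimitGb GB in $($dbKey.PSChildName)"

    if ($RestartStore) { Restart-Service MSExchangeIS -Force }   # -Force restarts dependent services too
}

Set-E2K7DatabaseSizeLimit -Identity 'MBX01\First Storage Group\Mailbox Database' -LimitGb 200 -RestartStore
```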


Wednesday, March 25, 2009

How to Invoke the Window Update Dialog from the Command Line

To run the Windows Update client from the command line, run the command WUAUCLT /ShowWU.

This is useful when the Windows Update icon disappears when you click it. Typically, this means that the Windows Update client is corrupt. When you run wuauclt /ShowWU on these machines, it will bring up the Windows Update dialog box above, but it will show some type of error indicating that it could not download updates. Installing the current Windows Update client will fix this.

You can download the latest Windows Update client (7.2.6001.788) from these locations:


Wednesday, March 18, 2009

How To Enable Change Notification On All Site Links


Normally, there are two replication intervals for Active Directory in a Windows domain: Intra-site (replication between DCs in the same site) and Inter-site (replication between DCs in different Active Directory sites).

Intra-site replication is very fast - typically around 15 seconds. This schedule can be configured via the registry using the following values in the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key:

Replicator notify pause after modify (secs)
It is a REG_DWORD value of 15 by default

Replicator notify pause between DSAs (secs)
It is a REG_DWORD value of 3 by default

See Microsoft TechNet (Active Directory Replication Tools and Settings) for a thorough explanation of what these keys do.

Inter-site replication is dictated by the schedule associated with the replication connection in Active Directory Sites and Services. Using this GUI you can specify that the connector never replicates, or that it replicates once, twice or four times per hour.

Note: The inter-site replication schedule runs based on the server startup time. For example, if the DC starts up at 12:10pm and the replication connector's schedule is set to twice per hour, replication on this connector will occur at 12:10pm, 12:40pm, etc.

But what if you want inter-site replication to occur more frequently than every 15 minutes? For this, you must enable Change Notification on the Active Directory site link. How you do this depends on which OS your DCs run.


For Windows 2003 Domain Controllers:

  • Open ADSIEdit.msc (in the Windows Support Tools) as a Domain Admin

  • Open the Configuration naming context

  • Navigate to Sites > Inter-Site Transports > IP

  • Right-click the siteLink to modify in the results pane and click Properties

  • Locate the options attribute and edit the value to 1

  • Click OK and repeat for other siteLinks, as necessary.

For Windows 2008 and Windows 2008 R2 Domain Controllers:

You can use the same method as Windows Server 2003 DCs or you can edit the values directly from AD Sites and Services, as follows.

  • Locate the Site Link to modify in AD Sites and Services

  • Right-click the Site Link and choose Properties

  • Click the Attribute Editor tab

  • Locate the options attribute and edit the value to 1

  • Click OK and repeat for other Site Links, as necessary.

I also wrote two VBScripts for displaying and configuring Change Notification:

  • DisplayChangeNotification.vbs displays the current value of the options attribute on each site link in the Active Directory domain where it is run.

  • EnableChangeNotification.vbs will enable Change Notification on all site links in the Active Directory domain where it is run by changing the options value to 1.

Both scripts are in the ChangeNotificationScripts.zip file, located here.
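As an added example that is not part of the original post (and not the VBScripts it links to), the display and enable steps in PowerShell with plain ADSI, so they run on a 2003 or 2008 DC without extra modules. It goes one step further than the GUI procedure above: it sets bit 1 of options with a bitwise OR, so any other flags already set on a site link are preserved rather than overwritten with 1. It assumes Domain Admin rights and PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Change Notification on every IP site link.
function Get-IPSiteLink {
    # Returns the siteLink objects under CN=IP,CN=Inter-Site Transports in the Configuration NC
    $configNC    = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $ipTransport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
    foreach ($child in $ipTransport.Children) {
        if ($child.SchemaClassName -eq 'siteLink') { $child }
    }
}

function Get-SiteLinkChangeNotification {
    foreach ($link in Get-IPSiteLink) {
        $options = [int]$link.Properties['options'].Value   # 0 when the attribute was never set
        New-Object PSObject -Property @{
            SiteLink           = $link.Properties['cn'].Value
            Options            = $options
            ChangeNotification = (($options -band 1) -eq 1)   # bit 1 = USE_NOTIFY
        }
    }
}

function Enable-SiteLinkChangeNotification {
    foreach ($link in Get-IPSiteLink) {
        $name    = $link.Properties['cn'].Value
        $options = [int]$link.Properties['options'].Value
        if (($options -band 1) -eq 1) {
            Write-Output "$name already has change notification enabled (options=$options)"
            continue
        }
        $link.Properties['options'].Value = ($options -bor 1)   # keep other flags, add bit 1
        $link.CommitChanges()
        Write-Output "Enabled change notification on $name (options $options -> $($options -bor 1))"
    }
}

Get-SiteLinkChangeNotification | Format-Table SiteLink, Options, ChangeNotification -AutoSize
```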


Tuesday, March 10, 2009

How to Install Windows 7 from a USB Stick


Helmer Zandbergen is a Dutch IT pro who wrote an excellent article that explains how to install Windows 7 from a USB stick in 11 easy steps.

All you need is a PC with USB boot-support (any modern PC), Windows 7 installation files, and a USB stick with at least 4 GB free space.

I used this method to install Win7 on my new Asus Eee PC 1000HE netbook and it works great!

  • Plug in your USB stick
  • Open Command Prompt with admin rights (Start –> enter cmd –> press CTRL+SHIFT+ENTER and click Yes at the UAC prompt)
  • Run Diskpart by typing diskpart and press enter
  • Now type List disk (and press enter). My USB stick is Disk 2.
  • Enter the following commands one by one, each followed by Enter. I assume that your USB stick is also Disk 2; if your USB stick is Disk 5, use Disk 5 instead of my Disk 2:

Select Disk 2

Clean

Create Partition Primary

Select Partition 1

Active

Format FS=FAT32 (depending on the size of your USB stick this can take a moment)

Assign

Exit

  • Now copy the entire content of your Windows 7 DVD (or Windows 7 source folder, if you extracted the ISO) to the root of your USB stick.
  • Now we still have to make the USB stick bootable. Note: If you are currently running a 64-bit OS and the source (on the USB stick) is 32-bit, you can’t run the following command. Just be sure the source (on the USB stick) and the currently running OS are of the same type!
  • In the Command Prompt (which you didn’t close, I hope) type P: (the drive letter of your USB stick) followed by Enter
  • Type CD\Boot followed by Enter
  • To create a bootsector on the USB stick enter Bootsect /NT60 P: (your USB drive letter) followed by Enter.
  • Reboot your PC and change the boot order (in the BIOS) if needed, so the USB stick is first in the boot order.


Thursday, March 5, 2009

Changing the Default Users and Computers Containers in AD

In Active Directory, the default container for user objects is the Users container and the default container for computer objects is the Computers container.

If you create user or computer objects programmatically and do not specify a target OU, the objects will be created in their default container. Also, whenever you join a new computer to the domain the computer object will always be created in the default Computers container, unless you pre-stage the computer object in an OU.

It's important to note that the Computers and Users containers are just that, containers. They are not OUs. Consequently, you cannot apply Group Policy objects directly to these containers. These containers will, however, inherit GPOs from parent objects, such as the Default Domain Policy.

A lot of my customers have large OU structures where user and computer objects are always placed in specific OUs so that the objects get the correct GPOs. Typically, the default Users and Computers containers are empty for these customers. Even so, user or computer objects will sometimes be created in the default containers for various reasons. This can cause problems for these objects because GPOs are not applied correctly.

Here's how to change the default container that Active Directory will use for new user and computer objects:

  • Log into a Domain Controller (Windows Server 2003, 2008 or 2008 R2) as a Domain Admin
  • Open a CMD prompt
  • To change the default container for user objects, enter:

ReDirUsr Container-DN

where Container-DN is the distinguished name of the container that will become the default location for newly created user objects.

For example:

ReDirUsr "OU=Managed Users,DC=mydomain,DC=com"

  • To change the default container for computer objects, enter:

ReDirCmp Container-DN

where Container-DN is the distinguished name of the container that will become the default location for newly created computer objects.

For example:

ReDirCmp "OU=Managed Computers,DC=mydomain,DC=com"

Please note that the domain functional level must be at least Windows Server 2003 for these commands to work.
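A check to run before and after redirusr/redircmp, as an added example that is not part of the original post: it reads the domain's wellKnownObjects attribute, which is what those tools rewrite, and prints the container currently registered for new user and computer objects. It uses System.DirectoryServices.Protocols so the DN-Binary values arrive in their LDAP string form (B:32:<guid>:<dn>), and assumes it runs as a domain user on a domain-joined machine with .NET 3.5 or later.

```powershell
# Added example, not from the original post. Shows the default Users/Computers containers.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices.Protocols')

# Well-known object GUIDs that AD assigns to the two default containers
$WellKnownContainers = @{
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
    'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
}

function ConvertFrom-WellKnownObject {
    # Parses one "B:32:<32 hex chars>:<DN>" value; $null for GUIDs we are not interested in
    param([string]$Value)
    $parts = $Value -split ':', 4                 # the DN itself may contain no further split
    if ($parts.Length -ne 4 -or $parts[0] -ne 'B' -or $parts[1] -ne '32') { return $null }
    $kind = $WellKnownContainers[$parts[2].ToUpper()]
    if (-not $kind) { return $null }
    New-Object PSObject -Property @{ ObjectType = $kind; Container = $parts[3] }
}

function Get-DefaultContainer {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDN = $rootDse.defaultNamingContext.Value
    $server   = $rootDse.dnsHostName.Value        # the DC we are already talking to

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($domainDN, '(objectClass=*)', 'Base', 'wellKnownObjects')
    $resp = $conn.SendRequest($req)
    $values = $resp.Entries[0].Attributes['wellKnownObjects'].GetValues([string])
    foreach ($v in $values) {
        $parsed = ConvertFrom-WellKnownObject $v
        if ($parsed) { $parsed }
    }
}

Get-DefaultContainer | Format-Table ObjectType, Container -AutoSize
```

After ReDirUsr or ReDirCmp has run, the Container column for that object type should show the OU you passed to the command.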


Tuesday, March 3, 2009

Add RunAs Functionality to Windows Server 2008 for All Users


You may be aware that Windows Server 2008 does not allow you to "Run As a Different User", only "Run As Administrator."

You may also be aware of ShellRunAs, by Sysinternals. ShellRunAs adds command-line RunAs functionality to the context menu of executable programs. Once installed using the command "ShellRunAs /reg", you can right-click on any program, select "Run as a different user," and enter the credentials of the user you want to run the program as.

This RunAs functionality allows you to log on to a server with low-level permissions and still run programs that require higher permissions, thereby keeping your server safe and happy.

The only problem with ShellRunAs is that it is a per user installation. That means that it needs to be "installed" for each user on the server. This is because "ShellRunAs /reg" actually updates the registry for the current user (HKCU) hive. This can be a real problem for servers where a lot of different people logon, such as a Terminal Server.

So how do you provide this functionality for all users on the server? Read on to find out how.

  • Download ShellRunAs from Sysinternals and extract ShellRunAs.exe to %SystemRoot%\System32

  • Use Notepad to create a reg file called ShellRunAs.reg with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

  • Finally, double-click the ShellRunAs.reg file to import it into the registry.

Now right-click an application or program and you will see the new "Run as a different user" menu option. Best of all, it will work for all users on the server without having to register it for each user.

Note: When a user selects Run as a different user for the first time, they will have to accept the end user license agreement. This only happens once because the EULA acceptance is written to the HKCU hive for each user.

By the way, this Run as a different user and Run as Administrator functionality is native in Windows Server 2008 R2.


Tuesday, February 24, 2009

New Hyper-V Dedicated Network is Coming

Windows Server 2008 R2 will offer Hyper-V V2, the second version of Microsoft's hypervisor virtualization solution.

Among the new features, Hyper-V V2 will feature a new "Dedicated" virtual network type. This will be in addition to the External, Internal, and Private networks currently available in Windows Server 2008.

As background, when you create a new virtual network in Windows Server 2008 Hyper-V converts the physical network adapter to a Microsoft Virtual Switch. It also creates a new virtual network adapter attached to the new virtual switch.

In the example above, we see a Hyper-V host with four physical NICs. The first NIC is dedicated to the host, as per best practice, and is attached to the corporate LAN. The other three NICs have been configured as External virtual networks using the Hyper-V Virtual Network Manager.

You will note that there are three disabled virtual NICs at the bottom of the image for the host to use. These virtual NICs are created automatically by Hyper-V when you configure an External virtual network, and they are enabled by default. I've renamed each NIC and virtual switch on my host server for clarity.

If you're following the best practice of using a dedicated NIC for the Hyper-V host, as above, there normally would be no reason to use these virtual NICs. If you leave them enabled, it can cause a number of problems for the Hyper-V host:

  • The virtual NICs will attempt to get DHCP addresses. If no DHCP server is available, they will get an automatic private IP address (169.254.x.x).
  • The network binding order may be out of order, causing network inefficiencies.
  • The Windows Firewall will apply vastly different settings (I'll blog more on this later).
  • Trying to sort out the output of IPCONFIG /ALL is a mess.

The current recommended way of dealing with this in the Windows Server 2008 version of Hyper-V is to remove all the connections for the new virtual NIC (IPv6, IPv4, etc.) and then disable the virtual NIC. Finally, you should check the network bindings to ensure that the host's NIC is at the top, followed by the virtual switches, and then the disabled NICs.

In Windows Server 2008 R2, Microsoft introduces the Dedicated virtual network type. When you create a Dedicated virtual network, Hyper-V does not automatically create a corresponding virtual NIC. It simply converts the selected physical NIC to a Microsoft Virtual Switch for the VM(s) to use. No need to disable anything or change network binding orders. Very cool!

Note that you will be unable to create a Dedicated virtual network on a single NIC Hyper-V host. If you did, the host would be unable to connect to the corporate LAN since there would be no NIC (physical or virtual) for it to use.

This new network will be a welcome addition to Hyper-V!



Monday, February 23, 2009

Fix for Paused-Critical Virtual Machine State


Your Hyper-V virtual machines may be happily running along, when suddenly they go into a "Virtual machine state : Paused-Critical" condition. If you resume them, they run for a few seconds and then pause again.

This happens when the volume hosting your dynamically expanding VHDs runs low on disk space.

Either free up space on the host volume, move one or more VHDs to another volume with sufficient space, or free space in the child partition and compact the VHD.

To compact a Hyper-V VHD, shut down the virtual machine and open its Settings. Select the VHD and click the Edit button. Select Compact > Next > Finish.

Ben Armstrong also has an excellent article explaining how to compact a VHD file using PowerShell or VBScript.


Sunday, February 22, 2009

Windows 2008 Default Background Colors

Have you ever changed the default Windows Server 2008 desktop color and wanted to change it back? The bluish-green color is not shown in the default palette, so you have to enter the RGB values manually.


Red = 29
Blue = 95
Green = 122


While I'm at it, here is the formula for the cool smokey blue background for Windows PowerShell 2:

Red = 1
Blue = 36
Green = 86


Sunday, February 15, 2009

How to Enable Aero Glass on Windows Server 2008 and R2


Some of us geeks like to use Windows Server 2008 or R2 as our desktop operating system. It's rock solid and offers more features and better performance than Windows Vista.

If you're missing the Vista Aero Glass interface on your Windows Server 2008, here's how to enable all that eye candy goodness.

First, you need to install the Desktop Experience feature using Server Manager, or with the following command line:

ServerManagerCmd -i Desktop-Experience

This will install the Windows Aero and other desktop themes, along with a lot of other programs that go into Vista by default (Windows Media Player, Windows Photo Gallery, etc.).

Next, you need to set the Themes service to Automatic and start it.

If you're running Windows Server 2008 (not Windows Server 2008 R2):
  • Click Control Panel > Personalization
  • Click Windows Color and Appearance and select the Windows Aero color scheme
  • (To turn Aero off, click Theme and select the Windows Classic theme)
For Windows Server 2008 R2:
  • Click Control Panel > Appearance and Personalization
  • Click Personalization and select the Aero Theme



How to Configure the Default OS to the Current OS on Multi-boot Systems


Here's a handy tip to automatically configure the default OS if you have a computer with a dual or multi-boot operating system.

Normally, when you configure a system with two or more operating systems, you select the default OS within Windows using Advanced System Settings > Startup and Recovery > System Startup. Whenever the computer is restarted it will boot to this OS automatically when the timer runs out.

If you're like me, you tend to work with one OS for a while and through several restarts. If the default OS is Windows 7, but I'm working with the Windows Server 2008 R2 OS, the computer will always default to Windows 7 on a reboot unless I manually select Windows Server 2008 R2. This is annoying since reboots are the time I usually use to get a cold drink or go to the bathroom.

Here's how to configure the computer to change the default OS to the current OS:
  • Create a new batch file called DefaultOS.bat using Notepad

  • Add the following line:

bcdedit /default {current}

  • Save the file to the Windows directory on each operating system drive

Now do the following in each Windows OS:

  • Run gpedit.msc to edit the Local Computer Policy

  • Expand Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)

  • Double-click Startup in the details pane

  • Click Add to add a new script

  • Browse to %WINDIR%\DefaultOS.bat and click OK

  • Click OK to close Startup Properties

  • Repeat these steps for each Windows operating system

Now Windows will configure the default OS to the current OS whenever the computer starts up. You can also apply this Startup script to all computers in the domain using Group Policy. It will not affect single boot systems.




Friday, February 13, 2009

Windows 7 Problem Steps Recorder

Here's a 4-1/2 minute video by Keith Combs showing a great new feature in Windows 7, the Problem Steps Recorder, or PSR.

PSR allows end users to record the actions they took to produce a problem.

The user enters PSR in the start menu, clicks Record, and then performs the steps to produce the problem. When the user clicks Stop Record, they can optionally enter comments and save the recording to a single ZIP file. Then they email it to the support staff.

The ZIP file contains an MHT file with screenshots and written actions that document everything the user typed or clicked during the recording session.

This will be very useful for help desk and support staff in corporate environments, not to mention all those calls I get from my parents.


Thursday, February 12, 2009

New Keyboard Shortcuts in Windows 7

Windows 7 beta 1 includes some handy new shortcut key combinations that allow you to navigate and manage the Windows workspace more efficiently.

Here are 10 new Windows 7 shortcuts that will help you speed up your workflow (“Win” means the Windows Key):

  • Win+Home: Clear all but the active window

  • Win+Space: All windows become transparent so you can see through to the desktop (requires the Aero interface)

  • Win+Up arrow: Maximize the active window

  • Win+Down arrow: Minimize the active window or restore the window if it's maximized

  • Win+Left/Right arrows: Dock the active window to each side of the monitor

  • Win+Shift+Left/Right arrows: If you've got dual monitors, this will move the active window to the adjacent monitor (love this one!)

  • Win+T: Shift focus to and scroll through items on the taskbar

  • Win+P: Adjust presentation settings for your display

  • Win+(+/-): Zoom in/out

  • Shift+Click a taskbar item: Open a new instance of that particular application

Thanks to Stephen Rose, the Senior Community Manager for the TechNet Springboard Series for the tips.



Tuesday, February 10, 2009

How to Configure IPv6 Using Group Policy


By default, Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista enable and use IPv6 as the default protocol. These versions of Windows will normally use IPv6 for all network communication and will step down to IPv4 as necessary.

You may decide to disable Windows IPv6 for several reasons. Perhaps your IPv4 network doesn't support it, and you want to disable unnecessary protocols. You may have also read that IPv6 breaks Outlook Anywhere on Exchange 2007 Client Access servers.

Most people think that you disable IPv6 by simply unchecking the Internet Protocol Version 6 (TCP/IPv6) checkbox, as shown above. This method disables IPv6 on the particular LAN interface and connection. For other network adapters or connections, users have to repeat the steps to disable IPv6. However, disabling IPv6 this way does not disable IPv6 on tunnel interfaces or the IPv6 loopback interface. It also must be done manually and cannot be instrumented or enforced using Group Policy.

In order to truly disable IPv6, you must disable it in the registry in the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents

Normally, the DisabledComponents value does not exist. If the value does not exist or the value data is 0, IPv6 is enabled on all interfaces.

Microsoft wrote KB article 929852 to document how to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista (and later) manually using the registry. At the end of the article, Microsoft helpfully wrote, "Note: Administrators must create an ADMX file in order to expose the settings in step 5 in a Group Policy setting." Nice. So, I decided to do just that.

I wrote the attached ADMX and ADML files to enable the configuration of IPv6 using Group Policy. Copy each file to the computer you will use to configure the policy.

IPv6Configuration.zip - This ZIP file contains both the ADMX and ADML files:

  • IPv6Configuration.admx - Copy this file to %SYSTEMROOT%\PolicyDefinitions
  • IPv6Configuration.adml - Copy this file to %SYSTEMROOT%\PolicyDefinitions\en-US (Replace en-US with your country's language, as necessary)

Now log into the computer and use the Group Policy Management Console (GPMC) to configure the IPv6 settings. The new policy will be located under Computer Configuration > Policies > Administrative Templates > Network > IPv6 Configuration, as shown below:

Here, you can configure the following IPv6 settings:
  • Enable all IPv6 components (Windows default)
  • Disable all IPv6 components (the setting you probably want)
  • Disable 6to4
  • Disable ISATAP
  • Disable Teredo
  • Disable Teredo and 6to4
  • Disable all tunnel interfaces
  • Disable all LAN and PPP interfaces
  • Disable all LAN, PPP and tunnel interfaces
  • Prefer IPv4 over IPv6

Note that you must restart the computer for the configuration to go into effect.
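Each choice in the policy above boils down to one DisabledComponents DWORD. As an added illustration (not the post's ADMX or ADML, and not Microsoft code), here is a small decoder that reads the value out of an exported .reg file and reports what it actually disables, which is handy when verifying that the policy applied. The bit values are the ones documented in KB 929852, the article the post builds on; the sample export is constructed.

```python
import re

# Bit values for the DisabledComponents DWORD under Tcpip6/Parameters, as
# documented in KB 929852. Values are OR-ed together.
DISABLE_TUNNEL = 0x01    # all tunnel interfaces: 6to4, ISATAP and Teredo
DISABLE_6TO4 = 0x02
DISABLE_ISATAP = 0x04
DISABLE_TEREDO = 0x08
DISABLE_LAN_PPP = 0x10   # all non-tunnel (LAN and PPP) interfaces
PREFER_IPV4 = 0x20       # prefix-policy preference only; disables nothing
DISABLE_ALL = 0xFF       # everything except the IPv6 loopback interface

# The ten choices the policy offers, in the order the post lists them.
POLICY_CHOICES = {
    "Enable all IPv6 components": 0x00,
    "Disable all IPv6 components": DISABLE_ALL,
    "Disable 6to4": DISABLE_6TO4,
    "Disable ISATAP": DISABLE_ISATAP,
    "Disable Teredo": DISABLE_TEREDO,
    "Disable Teredo and 6to4": DISABLE_TEREDO | DISABLE_6TO4,
    "Disable all tunnel interfaces": DISABLE_TUNNEL,
    "Disable all LAN and PPP interfaces": DISABLE_LAN_PPP,
    "Disable all LAN, PPP and tunnel interfaces": DISABLE_LAN_PPP | DISABLE_TUNNEL,
    "Prefer IPv4 over IPv6": PREFER_IPV4,
}

# A value line as written by "reg export" for the Tcpip6/Parameters key.
_REG_DWORD = re.compile(r'^"DisabledComponents"=dword:([0-9A-Fa-f]{1,8})\s*$', re.M)


def parse_disabled_components(reg_text):
    """Return the DWORD from exported .reg text, or None when the value is
    absent (absent means the Windows default: IPv6 enabled everywhere)."""
    m = _REG_DWORD.search(reg_text)
    return int(m.group(1), 16) if m else None


def disabled_components(value):
    """Names of the IPv6 components a DisabledComponents value turns off."""
    if not value:
        return set()
    off = set()
    if value & (DISABLE_TUNNEL | DISABLE_6TO4):
        off.add("6to4")
    if value & (DISABLE_TUNNEL | DISABLE_ISATAP):
        off.add("ISATAP")
    if value & (DISABLE_TUNNEL | DISABLE_TEREDO):
        off.add("Teredo")
    if value & DISABLE_LAN_PPP:
        off.update({"LAN", "PPP"})
    return off


def prefers_ipv4(value):
    """True when the prefix policy is flipped to prefer IPv4 over IPv6."""
    return bool(value) and bool(value & PREFER_IPV4)


def audit(reg_text):
    """Summarise what an exported Tcpip6/Parameters key actually enforces."""
    value = parse_disabled_components(reg_text)
    return {
        "value": value,
        "disabled": disabled_components(value),
        "prefers_ipv4": prefers_ipv4(value),
        "matching_choice": next(
            (name for name, v in POLICY_CHOICES.items() if v == (value or 0)), None),
    }


# Constructed sample export: the setting the post says you probably want.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters]
"DisabledComponents"=dword:000000ff
"""

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```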

Please to enjoy!


Wednesday, February 4, 2009

How to Configure the Filter Limit in ADSIEdit


When viewing a container with a large number of items in ADSIEdit, you may receive the following error:

There are too many items in the folder DC=xxxxxx. Please refine the query parameters or increase the maximum number of items per folder.

The default filter for each container is 10,000 items. To increase the filter, select the parent naming context (Domain, Configuration, Schema, etc.) and click View > Filter in the menu bar. Then enter an appropriate value.


Monday, January 26, 2009

How to Disable Subnet Prioritization

Windows uses a scheme called "subnet prioritization" to attempt to reduce network traffic by re-ordering DNS round-robin records so that the records that are "closest" to the host are the only records used.

For example, suppose there are three A records for the same name in DNS, appserver.domain.com: one with IP 10.0.8.100, one with 10.0.15.100, and one with 10.0.26.100.


If a Windows client with the IPv4 address of 10.0.15.20 performs a DNS query for appserver.domain.com, subnet prioritization will re-order the IP addresses so that it will always use the 10.0.15.100 address.


Subnet prioritization is enabled by default in both the Windows DNS server and the DNS client.


DNS server subnet prioritization (a.k.a. netmask ordering) can be demonstrated using the Windows NSLOOKUP command. Repeated lookups of appserver.domain.com from the client always give the same results:


C:\>nslookup appserver.domain.com
Server: dns.domain.com
Address: 10.1.1.10

Name: appserver.domain.com
Addresses: 10.0.15.100, 10.0.8.100, 10.0.26.100


Here, the DNS server is reordering the IP addresses, based on the requestor's IP address. If true DNS round-robin is working, the records would rotate in a (A, B, C), (B, C, A), (C, A, B) fashion. Subnet prioritization obviously throws a wrench in round-robin DNS if you're using that as your load balancing or fault tolerance solution.



To disable subnet prioritization on DNS servers:
  • Open the DNS Management console

  • Navigate to the DNS server and open its properties

  • Click the Advanced tab

  • Uncheck Enable netmask ordering and check Enable round robin

  • Click OK

But this only solves half the problem because the Windows client will reorder the DNS results, too. Repeated nslookups will now show that the IP address for appserver.domain.com is rotating correctly, but pinging appserver.domain.com from the client will still always resolve to 10.0.15.100. You must still disable subnet prioritization on the client.

To disable subnet prioritization on Windows DNS clients:

  • Run Regedit

  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

  • Click Edit > New > DWORD Value

  • Name the new value PrioritizeRecordData (its value data will be 0)

  • Close Regedit

Note: Both of these changes go into effect immediately. There is no need to restart services or the computers.
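To see why the two switches above are both needed, here is an added simulation (not code from the post, and not how Windows implements it internally) of the three behaviours described: plain round robin, server-side netmask ordering, and client-side subnet prioritization. It assumes, as a simplification, that the server treats a record as "near" when it is on the requester's /24 and that the client ranks records by the number of leading address bits shared with its own address; the records are the post's constructed sample.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the three A records for appserver.domain.com from the
# post, in the order the zone returns them before any reordering.
RECORDS = ["10.0.8.100", "10.0.15.100", "10.0.26.100"]


def shared_prefix_bits(a, b):
    """Leading address bits two IPv4 addresses have in common (0..32)."""
    return 32 - (int(IPv4Address(a)) ^ int(IPv4Address(b))).bit_length()


def round_robin(records, n):
    """Plain DNS round robin: each successive response rotates the record
    set, giving (A, B, C), (B, C, A), (C, A, B), ..."""
    k = len(records)
    return [records[i % k:] + records[:i % k] for i in range(n)]


def server_netmask_order(records, requester_ip):
    """Server-side netmask ordering (assumption for this model): records on
    the requester's /24 move to the front, the rest keep their order."""
    net = IPv4Network(f"{requester_ip}/24", strict=False)
    near = [r for r in records if IPv4Address(r) in net]
    return near + [r for r in records if r not in near]


def client_prioritize(records, client_ip):
    """Client-side subnet prioritization (PrioritizeRecordData left at 1):
    a stable sort so the record sharing the longest prefix with the client's
    own address always ends up first."""
    return sorted(records, key=lambda r: -shared_prefix_bits(r, client_ip))


def first_addresses(records, client_ip, queries, server_ordering, client_ordering):
    """The address the client would actually use on each of `queries`
    successive lookups, with either reordering stage switched on or off."""
    used = []
    for answer in round_robin(records, queries):
        if server_ordering:
            answer = server_netmask_order(answer, client_ip)
        if client_ordering:
            answer = client_prioritize(answer, client_ip)
        used.append(answer[0])
    return used


if __name__ == "__main__":
    for server, client in [(True, True), (False, True), (True, False), (False, False)]:
        print(f"netmask ordering={server!s:5} client prioritization={client!s:5} ->",
              first_addresses(RECORDS, "10.0.15.20", 3, server, client))
```

Only the last combination (both disabled) rotates through all three addresses; leaving either stage on pins the client from 10.0.15.20 to 10.0.15.100 every time.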



Thursday, January 22, 2009

Automating Exchange 2007 Prerequisites for Windows Server 2008


Each server role in Exchange 2007 requires Windows prerequisite software before the Exchange role can be installed on a Windows 2008 server.

All Exchange server roles require the Windows PowerShell feature. Other server roles and features are required, depending on the Exchange role(s) you are installing:

  • The Exchange Hub Transport role requires only the Windows PowerShell feature.
  • The Exchange Client Access role requires the Web Server role with the ISAPI Extensions, Web Metabase, IIS6 Management Console, Web Basic Authentication, Web Digest Authentication, Web Windows Authentication, and Web Dynamic Compression role services. It also needs the Windows PowerShell feature. If the CAS will support Outlook Anywhere clients, it will also need the RPC over HTTP Proxy feature.
  • The Exchange Edge Transport role requires the Active Directory Lightweight Directory Services role and the Windows PowerShell feature.
  • The Exchange Mailbox Server role requires the Web Server role with the ISAPI Extensions, Web Metabase, IIS6 Management Console, Web Basic Authentication, and Web Windows Authentication role services. It also needs the Windows PowerShell feature. If the mailbox server will be clustered, it will also need the Failover Clustering feature.
  • The Exchange Unified Messaging role requires the Windows PowerShell and Desktop Experience features.

These server roles and features can be added using the Server Manager UI, but this post focuses on automating the installation from the command line using the ServerManagerCmd utility.

I have created answer files to use with ServerManagerCmd for each Exchange server role:

Note that I have added the Active Directory Domain Services Tools feature to the All-in-One and Mailbox answer files, since most administrators usually install them with these roles. You can remove this from these answer files if you wish.

Also note that any of these answer files will also satisfy the Hub Transport role, since the Hub role only requires PowerShell. It is common to combine the Hub and CAS roles on a single server; in that case you only have to use the appropriate CAS answer file.

To use these answer files, right-click the answer file above and save it to C:\ on the target Windows 2008 server. Open a Command Prompt and run the following command:

ServerManagerCmd -InputPath C:\answerfile.xml -WhatIf

This will test the answer file you specified and display what the operation will do. Review the output and then run it again without the -WhatIf switch to actually perform the installation. Then install the appropriate Exchange 2007 server role from the DVD.


Monday, January 19, 2009

The Case of the Missing E-Mail Addresses Tab

Recently a customer came to me with a problem. One of his users was missing the E-mail Addresses tab on the user object in Active Directory.

The user had been sending and receiving email for months without a problem, and the other Exchange tabs in AD Users and Computers (Exchange General, Exchange Features, and Exchange Advanced) were present. Here's an example:

This happens because the Exchange Alias is missing and the Exchange Recipient Update Service (RUS) cannot update the email addresses. The fix for this is simple -- enter an Alias for the user on the Exchange General tab. Once you do this, the E-mail Addresses tab becomes visible, as shown below.





Sunday, January 18, 2009

Microsoft Begins 20-Part Webcast on Virtualization

Microsoft kicked off a 20-part virtualization webcast series last week on TechNet.

The series covers a wide array of subjects, from "What is virtualization?" to managing your virtual infrastructure. It's presented by Microsoft virtualization evangelists and covers Hyper-V virtualization, as well as System Center Virtual Machine Manager 2008 (VMM 2008).

The series objectives are to not only help you develop technical depth on various virtualization solutions, but to appreciate the essentials of a typical virtualization project in a real world implementation.

Each webcast is about 90 minutes long and is geared toward level 300 technical detail. This looks to be an interesting series.

The series includes the following live webcasts:

If you should miss any one of these webcasts, the content will be recorded and available within a few days from the same site.


Thursday, January 15, 2009

How to Install a new Certificate on ISA 2004

If you use ISA 2004 to secure an SSL-enabled website such as Outlook Web Access (OWA), you need to install a web listener in ISA. This web listener intercepts (listens) for SSL web traffic destined for the HTTPS server.

Usually, you'll set this up when you configure your ISA server, but eventually the certificate you installed will expire and need to be replaced. This post describes how to do this.

In a nutshell, you have to install the certificate on the OWA server, configure IIS to use it, and then export it with the private key as a PFX file. Then you import the PFX file to the Personal store for the local computer on ISA. Just follow the bouncing ball...

First, you need to request and order a new SSL certificate. This can be done several ways, but usually ends with you getting an email from the certificate authority (e.g., Verisign) with your new certificate. The certificate is in the format of:

-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----

You simply need to copy and paste the certificate into Notepad and save it as something like C:\Webmail.cer. Be careful to only save the text between the BEGIN and END CERTIFICATE statements (including the leading and trailing dashes).

Now you need to import the certificate into IIS on the web server. Again, there are several ways to do this depending on how you ordered your cert, but this should work every time:

  • Click Start > Run and enter MMC
  • Click File > Add/Remove Snap-in and add the Certificates snap-in
  • Select Computer account > Next > Finish > OK
  • Now you should see the Certificates MMC for the local computer, as shown here:
  • Expand Certificates (Local Computer) > Personal
  • Right-click Personal and select All Tasks > Import
  • Browse to the C:\Webmail.cer file you saved earlier
  • Click Next to store it in the Personal store and Finish to complete the import
  • Don't close the Certificates MMC yet. You'll need it later in this process.

Next, you need to tell IIS to use the new certificate.

  • Open IIS Manager and navigate to the Default Web Site that uses SSL
  • In IIS 6, view the properties of the web site and click the Directory Security tab. Then click Server Certificate, Next and Replace the Current Certificate. Select the new cert you imported and complete the wizard.
  • In IIS 7, click Bindings and edit HTTPS. Then select the new cert you imported and close the Site Bindings window and IIS Manager.

Now that IIS is using the new certificate on the OWA server, you need to export the cert and its private key to import on the ISA server.

  • Now go back to the Certificates MMC and click refresh on Certificates in the Personal store
  • Select the certificate you imported
  • Right-click the certificate and select All Tasks > Export
  • Click Next and choose Yes, export the private key
  • Click Next twice and enter a password for the exported file.
  • Complete the wizard, saving the PFX file in a temporary location
  • Copy the PFX file to your ISA 2004 server

Next, we import the certificate into ISA and configure the ISA listener.

  • On the ISA server, double-click the PFX file you exported
  • Follow the Certificate Import Wizard and place the file in the computer's Personal store
  • Now open the ISA Server Management Console
  • Select the Firewall Policy
  • Click the Toolbox tab on the right and expand Web Listeners
  • Double-click the web listener you want to update to edit it
  • Click the Preferences tab and click Select
  • Select the new certificate and close the listener properties
  • Apply the ISA changes

Finally, you're done!!!


Tuesday, January 13, 2009

Editing the 32-bit Registry on a 64-bit computer

or: How to Stop Worrying and Learn to Love Wow6432Node *

Have you ever edited the registry on a 64-bit computer, but the changes don't seem to go into effect? This usually happens with a 32-bit application (often a 32-bit COM app). Here's why:

Windows normally uses the HKEY_LOCAL_MACHINE\SOFTWARE subkey for 32-bit applications that run on a 64-bit version of the operating system. But when a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\ subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ subkey. A "registry reflector" copies certain values between the 32-bit and 64-bit registry views and resolves any conflicts using a "last writer wins" approach.

So if your 32-bit application is not reading the registry correctly (often because you're enforcing a setting through Group Policy), ensure the setting is being written to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ subkey on 64-bit computers.


Monday, January 12, 2009

How to Move the SMTP Queue in Exchange 2007

Unlike previous versions of Exchange, all SMTP queue activity in Exchange Server 2007 happens in a new ESE database.

By default, this database (and its logs) exists in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue folder. You may wish to move this database and its logs to a separate physical volume for better performance. Here's how to do this:

To Change the Database Path:

1. Open the EdgeTransport.exe.config file in the C:\Program Files\Microsoft\Exchange Server\Bin folder using Notepad

2. Edit the value of the line containing add key="QueueDatabasePath" to reflect the new path. For example:

<add key="QueueDatabasePath" value="D:\QueueDB" />

To Change the Database Logs Path:

3. Edit the value of the line containing add key="QueueDatabaseLoggingPath" to reflect the new path. For example:

<add key="QueueDatabaseLoggingPath" value="D:\QueueLogs" />

4. Save the file and restart the Microsoft Exchange Transport service


Tuesday, December 23, 2008

How to Modify the All Users Startup Menu

As you no doubt know, Windows Server 2008 and Windows Vista have modified the locations for user profiles. They are no longer in %SystemDrive%\Documents and Settings and exist in the %ProgramData%\Users folder.

However, to modify the All Users profile to add a shortcut to the Startup menu you actually need to access the %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup folder.

See Peter Fitzsimon's blog for all the gory details.


Monday, December 15, 2008

Incorrect userAccountControl Attribute value causes error in DCDIAG

When you run DCDIAG for a domain controller you may see the following error reported:

Starting test: MachineAccount
Checking machine account for DC MYDC01 on DC MYDC01.
Warning: Attribute userAccountControl of MYDC01 is: 0x82020 = ( UF_PASSWD_NOTREQD , UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
......................... MYDC01 passed test MachineAccount

This typically occurs when the computer account was pre-staged in Active Directory before the computer was joined to the domain. It may also occur if you use the Active Directory Migration Tool (ADMT) to migrate to a new domain. When you do this, the 0x20 flag (UF_PASSWD_NOTREQD) is set in the userAccountControl attribute, indicating that the computer account does not require password changes. It really doesn't matter, as Windows will use a password (and change it every 30 days) regardless of this setting.

The error is still annoying, so here's how to fix it:
  • Open ADSIEdit.MSC (install the Support Tools if ADSIEdit is not installed)
  • Connect to the Domain naming context
  • Expand the domain and navigate to the Domain Controllers container
  • Select the problem Domain Controller
  • Right-click the Domain Controller and select Properties
  • Scroll to the userAccountControl attribute and click the Edit button
  • Change the decimal value to 532480 (0x82000 hex)
  • Click OK twice and close ADSIEdit

Wait for the change to replicate and re-run DCDIAG to confirm the error has cleared.
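Rather than typing 532480 from memory, it is safer to derive the new value from the DC's current one and clear only the 0x20 bit, so that any other flags legitimately set on that account survive. Here is an added helper (not from the post) that parses the DCDIAG warning above, names the UF_* flags it contains, and produces the decimal value to enter in ADSIEdit; the sample output is the excerpt quoted in the post.

```python
import re

# Standard userAccountControl (UF_*) bit flags relevant to a domain controller.
UF_PASSWD_NOTREQD = 0x00000020
UF_SERVER_TRUST_ACCOUNT = 0x00002000
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_NAMES = {
    UF_PASSWD_NOTREQD: "UF_PASSWD_NOTREQD",
    UF_SERVER_TRUST_ACCOUNT: "UF_SERVER_TRUST_ACCOUNT",
    UF_TRUSTED_FOR_DELEGATION: "UF_TRUSTED_FOR_DELEGATION",
}
# The value DCDIAG calls "typical" for a DC: 0x82000.
DC_TYPICAL = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION

_WARNING = re.compile(
    r"Warning: Attribute userAccountControl of (\S+) is: 0x([0-9A-Fa-f]+)")


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, plus any
    bits this table does not know about, so nothing is silently dropped."""
    names = [n for bit, n in sorted(UF_NAMES.items()) if value & bit]
    unknown = value & ~sum(UF_NAMES)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def parse_dcdiag(output):
    """(dc_name, value) from the MachineAccount warning, or None if absent."""
    m = _WARNING.search(output)
    return (m.group(1), int(m.group(2), 16)) if m else None


def diagnose(output):
    """Work out what to type into ADSIEdit, clearing only UF_PASSWD_NOTREQD."""
    parsed = parse_dcdiag(output)
    if parsed is None:
        return None
    dc, current = parsed
    fixed = current & ~UF_PASSWD_NOTREQD
    return {
        "dc": dc,
        "current_flags": decode_uac(current),
        "needs_fix": fixed != current,
        "enter_decimal": fixed,          # ADSIEdit takes the decimal form
        "enter_hex": f"0x{fixed:X}",
        # If unexpected bits remain, do not just overwrite them with 532480.
        "review_other_bits": fixed != DC_TYPICAL,
    }


# Constructed sample: the DCDIAG excerpt quoted in the post.
SAMPLE_DCDIAG = """Starting test: MachineAccount
Checking machine account for DC MYDC01 on DC MYDC01.
Warning: Attribute userAccountControl of MYDC01 is: 0x82020 = ( UF_PASSWD_NOTREQD , UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
......................... MYDC01 passed test MachineAccount
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_DCDIAG))
```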


Monday, December 1, 2008

Stop Spamming Yourself!

We all knew that the huge decrease in spam that occurred after mccolo.com was shut down would be short-lived.

Recently, I've seen a large increase in the amount of spam to me apparently coming from me.


Note: Exchange 2003 and 2007 display the "from" address of these emails as the full SMTP address (i.e., jeff@expta.com), rather than the resolved name (Jeff Guillet), to show that the email actually came from outside the company.

To stop spamming yourself, configure your SMTP gateway server to reject all external emails from your domain(s). Here's how to do this using the Exchange 2007 Edge Transport server:
  1. Open the Exchange Management Console (EMC) on the Exchange Edge Transport server

  2. Expand Microsoft Exchange and select Edge Transport

  3. Double-click Sender Filtering to open its properties

  4. Click the Blocked Senders tab and click Add

  5. Select Domain, enter your SMTP domain name, Include all subdomains, and click OK

  6. Click OK again to close the Sender Filtering Properties window

Now the Edge server will not accept unauthenticated emails from your domain to your domain. Note that this does not prevent external Windows Mobile or Outlook Express clients from sending email into your domain, as long as those users are authenticated.
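The rule the Edge server now applies is easy to get subtly wrong when reproduced elsewhere (a naive suffix test would also catch notexpta.com). As an added model of that decision (not Exchange code, and simplified to the SMTP envelope sender), here is the check with the two cases the post calls out: subdomains are included, and authenticated sessions are exempt. The blocked domain list is a constructed sample.

```python
# Constructed sample: the domains this organisation accepts mail for. Sender
# Filtering on the Edge server is configured with each of these and
# "Include all subdomains" checked.
BLOCKED_SENDER_DOMAINS = ["expta.com"]


def sender_domain(mail_from):
    """Domain part of an SMTP envelope sender (MAIL FROM), normalised to
    lower case; None for a blank sender (bounces) or a malformed address."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def matches_domain(sender_dom, blocked, include_subdomains=True):
    """Exact match, or a real subdomain when requested. The leading dot is
    what keeps notexpta.com from matching expta.com."""
    blocked = blocked.lower()
    if sender_dom == blocked:
        return True
    return include_subdomains and sender_dom.endswith("." + blocked)


def filter_sender(mail_from, authenticated, blocked=BLOCKED_SENDER_DOMAINS):
    """Decision for one inbound MAIL FROM: ("accept" | "reject", reason).
    Authenticated sessions (the Windows Mobile and Outlook Express users who
    log in) bypass the blocked-senders list, as the post notes."""
    if authenticated:
        return ("accept", "authenticated session")
    dom = sender_domain(mail_from)
    if dom is None:
        return ("accept", "no sender domain to compare")
    for b in blocked:
        if matches_domain(dom, b):
            return ("reject", f"Sender Denied: {dom} is in blocked domain {b}")
    return ("accept", "sender not in blocked list")


if __name__ == "__main__":
    for sender, auth in [("jeff@expta.com", False), ("jeff@expta.com", True),
                         ("<Jeff@MAIL.EXPTA.COM>", False), ("x@notexpta.com", False)]:
        print(sender, "auth" if auth else "anon", "->", filter_sender(sender, auth))
```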

You can use the following VBScript to test the new settings:

'VBScript to test SMTP email

CONST mailServer = "incoming.mydomain.com"
CONST emailAddress = "user@expta.com"

Set objEmail = CreateObject("CDO.Message")
objEmail.From = emailAddress
objEmail.To = emailAddress
objEmail.Subject = "Test Message"
objEmail.Textbody = "This is a test message."
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = mailServer
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send
MsgBox "SMTP Email sent successfully to " & emailAddress, vbInformation, "TestSMTP"

Change the mailServer variable to use your Edge Transport server name and the emailAddress variable to use your internal SMTP address. The script will send SMTP email to the email address from the same email address.

Before Sender Filtering is enabled, the script will return a success message:


After Sender Filtering is enabled, the script will return a Sender Denied message:




Thursday, November 6, 2008

New Windows Update Client Available

Microsoft is releasing a new version of the Windows Automatic Update client, version 7.2.6001.788, for Windows XP, Vista, and Windows Server 2000, 2003 and 2008.

This update includes the same performance enhancements available in the last client:
  • Improves scan times for Windows Update
  • Improves the speed at which signature updates are delivered
  • Enables support for Windows Installer reinstallation functionality
  • Improves error messaging
This version also fixes a bug that limited the client to only downloading 80 updates at a time. This is important when trying to update an XP RTM computer, for example, since there are far more than 80 updates for this build.

The update will be slowly rolled out via Windows Update and WSUS over the next two months. You can also download the update directly from Microsoft here.

It may be important to know that Windows Update will automatically update the Windows Automatic Update client software, even if the computer is configured not to download automatic updates. The only way to prevent this is to completely turn off Automatic Updates (not recommended).


Friday, October 31, 2008

Cannot Add a Site to Trusted Sites

I ran into a weird problem today with a Windows Server 2003 SP2 server, where I could not add a site to the Trusted Sites zone. The error I got was, "There was an unexpected error with your zone settings. Unable to add this zone."

To fix the issue, enable Internet Explorer Enhanced Security Configuration in Add/Remove Windows Components, add the desired site to the Trusted Sites zone, and then disable Internet Explorer Enhanced Security Configuration again. That seems to fix the corruption in the Trusted Sites zone information. Future sites can then be added without issue.


Saturday, October 25, 2008

Getting Windows Mobile to Work with Exchange 2007 Using POP3/IMAP4 and SMTP (Part 2)

This is part 2 of my series, where I show you how to configure Windows Mobile to send and receive email from Exchange 2007 using IMAP4 and SMTP.

Part 1, where we configured Exchange 2007, can be read here.

Now that Exchange 2007 is configured, we need to configure a new email account in Windows Mobile. How you do this depends on the version of Windows Mobile on your device, but the essential steps are as follows:

  • Enter your email address and password to access the new account

  • Select Internet e-mail from the dropdown box for Your e-mail provider

  • Enter your name as you want it to appear to recipients and choose an account display name on the device (for example, IMAP Email)

  • Enter the FQDN for the Exchange 2007 server that holds the Client Access (CAS) role (for example, cas.mydomain.com) for the Incoming mail server.

  • Choose IMAP4 as the Account Type

  • Enter your account logon (domain\username) for the User Name and enter the network password

  • Enter the FQDN for the Exchange 2007 server that holds the Hub Transport role, followed by :587 (for example, smtp.mydomain.com:587) for the Outgoing (SMTP) mail server. See the figure above. If you don't follow the FQDN with :587, the Windows Mobile device will use the standard port 25 for SMTP communication.

  • Select Outgoing server requires authentication

  • Under Advanced Settings, select both the Require SSL for Incoming e-mail and Require SSL for Outgoing e-mail checkboxes to encrypt the traffic between the Windows Mobile device and Exchange 2007

  • Configure your Automatic Send/Receive schedule


Important Note: You must enter the FQDN:587 correctly the first time for the Outgoing (SMTP) mail server field. You cannot edit it later once you've clicked off that field -- if you do, Windows Mobile will still use port 25. This seems to be a bug in Windows Mobile 6.1 and may happen in other versions, as well. If you don't enter it correctly the first time, you will either need to cancel the setup wizard and start over again or delete the email account and recreate it.

Now test the new settings by synchronizing the mail account and sending a test message. If you get an error saying,

Message not sent. The message 'Test email' was not sent and has been moved to the Drafts folder. The server returned the following error message:

550 5.7.1 Unable to relay

the device is submitting on port 25 and hitting the Default receive connector on the Hub Transport server. That connector accepts anonymous SMTP but does not allow relaying to addresses outside the organization, so a message to a remote recipient is refused. Delete the account you just created and set it up again, making sure to enter :587 after the FQDN of the SMTP server.

I hope this two-part series helps you get IMAP and SMTP working properly between Exchange 2007 and your Windows Mobile device!


Friday, October 24, 2008

Getting Windows Mobile to Work with Exchange 2007 Using POP3/IMAP4 and SMTP (Part 1)

This is the first of a two-part article that describes how to enable Windows Mobile devices to receive email from Exchange 2007 using IMAP4 and send email using SMTP.

As you probably know, a Windows Mobile device can have only one Exchange ActiveSync partnership with Exchange at a time. That means that if you want to access additional email accounts, you must use POP3 or IMAP4 for incoming email and SMTP for outgoing email on the device.

In part 1, I will describe how to set up IMAP4 and SMTP client email submission in Exchange 2007. Part 2 will describe how to configure the Windows Mobile client.

Configuring IMAP4 in Exchange 2007
POP3 offers simple email retrieval from a user's Inbox in Exchange. IMAP4 offers more extensive features, including access to all the folders in the user's mailbox. Neither service is enabled in Exchange 2007 by default. To enable POP3 or IMAP4 (usually one or the other), change the startup type of the appropriate service from Manual to Automatic on your Exchange 2007 Client Access server (CAS) and then start it. In this article I will be using IMAP4 for Windows Mobile access.

The next step is to configure the logon authentication mechanism for IMAP4. I strongly recommend using TLS to secure logons so that usernames and passwords are not transmitted in plain text.
  • Open the Exchange Management Console (EMC)
  • Navigate to Server Configuration, Client Access and view the POP3 and IMAP4 properties of the CAS
  • Double-click the IMAP4 protocol and select the Authentication tab
  • Select Secure Logon. A TLS connection is required for the client to authenticate to the server.
  • Select the appropriate X.509 certificate to use and click OK to close the properties window

Configuring SMTP Client Submissions in Exchange 2007
Now we need to configure the Exchange 2007 Hub Transport (HT) server to accept inbound SMTP connections from clients.

  • Open the Exchange Management Console (EMC)
  • Navigate to Server Configuration, Hub Transport and select the HT server
  • Click New Receive Connector from the Action pane
  • Give the new Receive Connector a name such as, "Mobile Clients"
  • Select Client as the intended use for this receive connector and click Next
  • Click Next to allow all remote networks to use this receive connector
  • Click New to create the new Receive Connector
  • Now open the properties of the Mobile Clients connector
  • Click the Network tab and notice that the port the connector uses is 587
  • Click the Authentication tab. Ensure that Transport Layer Security (TLS), Basic Authentication, Offer basic authentication only after starting TLS, and Integrated Windows Authentication are checked.
  • Click the Permissions Groups tab. Ensure that only Exchange users is checked and click OK to close the properties window.
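The same IMAP4 and receive connector configuration as an Exchange Management Shell script, added here as an example (it is not code from the original post). The host names, the connector name and the "Mobile Clients" identity are assumptions; the checks at the end are what I would run before opening the firewall.

```powershell
# Added example (not from the original post): Exchange Management Shell
# equivalent of the EMC steps in the two sections above. Run on a server
# that has the CAS and Hub Transport roles. Host names are assumptions.
$casFqdn  = 'cas.mydomain.com'
$htServer = 'smtp.mydomain.com'

# --- IMAP4 on the CAS: enable the service and require TLS before logon ------
Set-Service -Name MSExchangeIMAP4 -StartupType Automatic
# SecureLogin is the "Secure Logon" radio button: plain-text credentials are
# refused unless the session is already protected by TLS.
Set-ImapSettings -Server $casFqdn -LoginType SecureLogin -X509CertificateName $casFqdn
Start-Service -Name MSExchangeIMAP4

# --- SMTP client submission on the Hub Transport: port 587 -----------------
# Usage Client pre-sets port 587, the TLS/basic-after-TLS/Integrated auth
# list and the ExchangeUsers permission group. The Set- call restates them so
# the script documents what the connector must look like.
New-ReceiveConnector -Name 'Mobile Clients' -Server $htServer -Usage Client `
    -Bindings '0.0.0.0:587' -RemoteIPRanges '0.0.0.0-255.255.255.255' -Fqdn $htServer
Set-ReceiveConnector "$htServer\Mobile Clients" `
    -AuthMechanism 'Tls,BasicAuth,BasicAuthRequireTLS,Integrated' `
    -PermissionGroups 'ExchangeUsers'

# --- Checks before the connector is reachable from the Internet -------------
$rc = Get-ReceiveConnector "$htServer\Mobile Clients"
if ($rc.AuthMechanism.ToString() -notmatch 'BasicAuthRequireTLS') {
    Write-Warning 'Basic auth is offered on a clear channel: passwords would cross the Internet in Base64.'
}
if ($rc.PermissionGroups.ToString() -match 'AnonymousUsers') {
    Write-Warning 'Anonymous users are allowed on an Internet-facing 587 connector: remove them.'
}
if ((Get-ImapSettings -Server $casFqdn).LoginType -ne 'SecureLogin') {
    Write-Warning 'IMAP4 still accepts plain-text logons.'
}
```

BasicAuthRequireTLS is the setting that matters most here: with it, a client that tries AUTH LOGIN before STARTTLS is refused, so a mis-configured device fails to log on instead of leaking its domain password.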

Name Resolution and Port Forwarding
The FQDN of the CAS (for example, cas.mydomain.com) and of the HT server (for example, smtp.mydomain.com) must be resolvable from your Windows Mobile device on the Internet. The CAS must also accept IMAP4 requests and the HT must accept SMTP submissions from the device, which may require port forwarding on your external firewall: TCP port 143 for IMAP4 to the CAS and TCP port 587 for client SMTP submission to the HT server. Exchange 2007 also listens for SSL-wrapped IMAP4 on TCP port 993, so check which port the device actually uses once Require SSL is selected and forward that one. Do not forward port 25 to the Hub Transport server for this purpose; it is only needed if that server receives inbound mail from other mail servers.

Port 25 is now used almost exclusively for server-to-server SMTP traffic, and port 587, the message submission port defined in RFC 4409, is the standard for authenticated client-to-server submission.

So far, we have configured Exchange 2007 to allow secure IMAP4 and SMTP client access. In part 2 of this series I will discuss how to enable IMAP4 and SMTP access to Exchange from a Windows Mobile device.


Monday, October 20, 2008

Fix for 0x8024400E Errors on WSUS Clients


I've seen this happen with two customers over the past few weeks, so I figure it might be prevalent enough to blog about it.

Symptom:
Some, but not all, WSUS clients begin to fail when checking for updates. The %windir%\WindowsUpdate.log file shows errors such as:

  • WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200

  • WARNING: PTError: 0x8024400e

  • WARNING: Failed to synchronize, error = 0x8024400E

  • WARNING: WU client failed Searching for update with error 0x8024400e

According to the Comprehensive List of WSUS Codes page hosted on this blog, the 0x8024400e error means "SUS_E_PT_SOAP_SERVER: The message was OK but server couldn't process at the moment. Same message *may* succeed at a later time." Huh? I already took a shower this morning! What's with this SOAP business?


The Fix:
This problem is caused by a recent revision to the Office 2003 Service Pack 1 update on the WSUS server, which leaves that revision in an inconsistent state on some WSUS 3.x servers. When computers with products related to Office 2003 communicate with one of these WSUS servers, the web service is unable to process the approvals and detection fails.

In order to reset the approvals to a consistent state on the WSUS server, follow these steps from the WSUS Administration Console:


  1. Find the 'Office 2003 Service Pack 1' update in the updates list. This may involve changing the Approval and Status filters in the update UI (set the Status to "Any" and the Approval to "Declined"; if you don't see it, set the Approval to "Any except Declined").

  2. Perform the following steps:

    • First, make sure the update is declined. If the update is not yet declined, right-click on the update and decline it.

    • Next, approve the update:

      • Right-click on the update and select the 'Approve...' option in the context menu.

      • In the 'Approve Updates' dialog that opens, just click 'OK'. Dismiss the 'Approval Progress' dialog that appears.

    • Finally, decline the update again:

      • Right-click on the update and select the 'Decline' option in the context menu, and confirm the prompt.

The computers that were failing detection will now successfully complete detection against the server and receive any applicable updates.

Note: If you have a hierarchy of WSUS servers, these steps must be performed on each server, starting with the top-level server. If one of the servers is a replica child, one must first change it to be autonomous, then perform the steps above, then change it back to being a replica. This can be done from the Options/Update Source and Proxy Server Dialog.


Thursday, October 9, 2008

Fix for Large Framework.log files


The WMI service maintains text log files for all operating systems earlier than Windows Vista and Windows Server 2008. These log files are stored in the %SystemRoot%\System32\WBEM\Logs folder. The log files include:

  • Wbemcore.log

  • Wbemess.log

  • Mofcomp.log

  • Wmiadap.log

  • Wbemprox.log

  • Framework.log

  • Winmgmt.log

Most of these log files are configured to automatically wrap every 64KB. When the log file reaches this limit, it is renamed to logfile.lo_ and a new log file is created. Unfortunately, this does not happen with the Framework.log file - it will continue to grow indefinitely. This came to light recently at a client site when the backup team noticed that this file was taking a very long time to back up on Exchange servers. The Framework.log files on these servers exceeded 800MB.

Microsoft wrote a TechNet support article, "The Framework.log file grows larger than 64 KB when you use WMI on a Windows Server 2003 or Windows XP computer," which explains that this is due to a permissions problem with the Network Service account: renaming the full log file requires the Delete right, which the account does not have. As the article explains, the fix is to grant the Network Service account the Delete right on the %SystemRoot%\System32\WBEM\Logs folder.

Here's how to do this for all machines in the domain using Group Policy:

  1. Edit the appropriate Group Policy object for the managed computers. I used the Default Domain Policy.
  2. Navigate to Computer Configuration, Windows Settings, Security Settings, File System
  3. Right-click File System and select Add File...
  4. Navigate to the %SystemRoot%\System32\WBEM\Logs folder and click OK. A security window will appear.
  5. Add the LOCAL SERVICE and NETWORK SERVICE accounts, giving both accounts only Read and Write permissions.
  6. Click the Advanced button.
  7. Clear the "Inherit from parent the permission entries that apply to child objects" checkbox.
  8. Select the NETWORK SERVICE account and click Edit.
  9. Check Delete under the Allow column and click OK. Repeat for the LOCAL SERVICE account.
  10. Click OK four times to close all the dialog boxes.

The new security settings will be enforced on target computers on the next Group Policy refresh. After that, the large Framework.log file will be renamed to Framework.lo_ and a new Framework.log file will be created. Once that new logfile grows beyond 64KB it will replace the large file.
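For a single server that is not picking up the policy, or to confirm that it did, here is a per-machine equivalent of the Group Policy change, added as an example (not from the original post). It grants the same Read, Write and Delete rights to both service accounts and then checks that each holds Delete on the folder.

```powershell
# Added example (not from the original post): per-machine equivalent of the
# GPO change above plus a verification you can run on any server. Grants
# NETWORK SERVICE and LOCAL SERVICE Read, Write and Delete on the WBEM Logs
# folder, inherited to the files in it.
$logs = Join-Path $env:SystemRoot 'System32\WBEM\Logs'
$serviceAccounts = 'NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\LOCAL SERVICE'

function Test-WbemLogsAcl {
    param([string]$Folder = $logs)
    # True only if both service accounts hold an Allow ACE that includes Delete.
    $acl = Get-Acl -Path $Folder
    $ok  = $true
    foreach ($svc in $serviceAccounts) {
        $hasDelete = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $svc -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::Delete) -ne 0)
        }
        if (-not $hasDelete) { Write-Warning "$svc lacks Delete on $Folder"; $ok = $false }
    }
    return $ok
}

if (-not (Test-WbemLogsAcl)) {
    $acl = Get-Acl -Path $logs
    foreach ($svc in $serviceAccounts) {
        # Read, Write and Delete only: no Modify or Full Control for a service account.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $svc, 'Read, Write, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $logs -AclObject $acl
}
Test-WbemLogsAcl
```

The rights are deliberately narrower than Modify: the WMI service only needs to rename a full log file, and a service account that can rewrite arbitrary files under System32 is a larger exposure than a large log.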


Wednesday, October 8, 2008

Unlocked Workstation


I found this great graphic at http://www.unlockedworkstation.com/.

Next time you come across an unlocked workstation, just open a browser on it and go to the website. Don't forget to lock the workstation when you're done.



Monday, October 6, 2008

Fix for "Could not start the Automatic Updates service on local computer"

You may find that the Automatic Updates service on Windows XP is stopped with the following error:

Could not start the Automatic Updates service on local computer. Error 0x80004015: The class is configured to run as a security ID different from the caller.

This happens when a Windows XP client tries to start the Automatic Updates service and the permissions (the security descriptor) on the service are wrong. The quickest and easiest fix is to reset the permissions on the service to the defaults and then start the service.

To display the current permissions of the Automatic Updates service and fix them:
  1. Click Start, Run and type “cmd” to launch the Command prompt
  2. From the command prompt, type: SC sdshow wuauserv
    The output will look like: D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)
  3. Now reset the permissions to the Windows XP default descriptor for this service from the command prompt (single line, wrapped for clarity):
    SC sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

Now start the service (net start wuauserv) and trigger a detection cycle from the command prompt:

C:\>wuauclt.exe /detectnow

This should fix the problem.
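Before pasting an SDDL string into sc sdset it is worth reading what it grants. The decoder below is an added example (not from the original post): it expands the two-letter service rights from the documented SDDL mapping, names the well-known SIDs, and flags any non-administrator principal that would receive change-config, delete or WRITE_DAC on the service. The two descriptors it decodes are the before and after strings from the steps above.

```powershell
# Added example (not from the original post): decode a service security
# descriptor so you can see exactly what "sc sdset" will grant before you
# apply it. Rights table = documented SDDL mapping for service objects.
$ServiceRights = @{
    CC = 'SERVICE_QUERY_CONFIG';   DC = 'SERVICE_CHANGE_CONFIG'   # DC: can change binary path / run-as account
    LC = 'SERVICE_QUERY_STATUS';   SW = 'SERVICE_ENUMERATE_DEPENDENTS'
    RP = 'SERVICE_START';          WP = 'SERVICE_STOP'
    DT = 'SERVICE_PAUSE_CONTINUE'; LO = 'SERVICE_INTERROGATE'
    CR = 'SERVICE_USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
}
$KnownSids = @{
    SY = 'NT AUTHORITY\SYSTEM'; BA = 'BUILTIN\Administrators'; PU = 'BUILTIN\Power Users'
    AU = 'NT AUTHORITY\Authenticated Users'; IU = 'NT AUTHORITY\INTERACTIVE'; WD = 'Everyone'
    NS = 'NT AUTHORITY\NETWORK SERVICE'; LS = 'NT AUTHORITY\LOCAL SERVICE'
}
# Rights that let a principal reconfigure or take over the service itself.
$TamperRights = 'DC', 'SD', 'WD', 'WO'

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory = $true)][string]$Sddl)
    # Each ACE is "(type;flags;rights;object_guid;inherit_guid;sid)".
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        if ($f.Count -lt 6) { continue }
        $codes = @()
        if ($f[2] -notmatch '^0x') {          # hex masks are left undecoded
            for ($i = 0; $i + 1 -lt $f[2].Length; $i += 2) { $codes += $f[2].Substring($i, 2) }
        }
        $names  = foreach ($c in $codes) { if ($ServiceRights.ContainsKey($c)) { $ServiceRights[$c] } else { "?$c" } }
        $sid    = $f[5]
        $who    = if ($KnownSids.ContainsKey($sid)) { $KnownSids[$sid] } else { $sid }
        $tamper = @($codes | Where-Object { $TamperRights -contains $_ })
        New-Object PSObject -Property @{
            Type      = $(if ($f[0] -eq 'A') { 'Allow' } elseif ($f[0] -eq 'D') { 'Deny' } else { $f[0] })
            Principal = $who
            Rights    = $(if ($codes.Count) { $names -join ', ' } else { "mask $($f[2])" })
            # Admins and SYSTEM are expected to hold these; anyone else is a finding.
            Tamper    = ($tamper.Count -gt 0 -and (('BA', 'SY') -notcontains $sid))
        }
    }
}

# The broken descriptor from "sc sdshow" and the default being restored.
$before = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)'
$after  = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
ConvertFrom-ServiceSddl $after | Format-Table Type, Principal, Rights, Tamper -AutoSize

# Gate: refuse to apply a descriptor that hands tamper rights to a non-admin.
if (ConvertFrom-ServiceSddl $after | Where-Object { $_.Tamper }) {
    throw 'Descriptor grants change-config, delete or WRITE_DAC to a non-admin principal'
}
# On the affected machine, decode the live descriptor the same way:
#   ConvertFrom-ServiceSddl ((sc.exe sdshow wuauserv) -join '')
```

Reading the output of the restored default: Power Users gain start/stop (RP, WP) and Authenticated Users gain query rights, but SERVICE_CHANGE_CONFIG and WRITE_DAC stay with Administrators and SYSTEM only. That is the property to preserve whenever you hand-edit a service descriptor, since change-config on a LocalSystem service is a direct path to running arbitrary code as SYSTEM.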


Friday, September 26, 2008

How to Delegate the Right to Unlock User Accounts



In order to delegate the right to unlock locked user accounts to a user or group in Active Directory, you first need to make the right visible in Active Directory Users and Computers (ADUC).

The %windir%\System32\dssec.dat file contains all the rights attributes that can be exposed in ADUC. These rights attributes are grouped under headings surrounded by square brackets, such as [user] or [computer]. Each attribute is assigned a value (filter) as follows:

0 - Read and Write is exposed
1 - Write is exposed
2 - Read is exposed
7 - Hide the attribute

To modify the filter, open dssec.dat in Notepad. Find the lockoutTime attribute under the [user] heading. Be careful to select the [user] heading, as there's another lockoutTime attribute under [computer]. Change the value of the filter from 7 to 0 (lockoutTime=0) and save the changes.

To delegate the right to unlock user accounts in ADUC:
  1. Right-click the OU or domain in Active Directory Users and Computers and select Delegate Control from the context menu
  2. Click Next on the Welcome dialog
  3. Click Add to select the user or group and click OK
  4. Click Next
  5. Select Create a custom task to delegate and click Next
  6. Select Only the following objects in the folder. In the list, check User objects and click Next
  7. Clear the General checkbox and check the Property-specific box
  8. Check both the Read lockoutTime and Write lockoutTime boxes and press Next
  9. Click Finish

Note: You only need to edit the dssec.dat file on the computer where you are performing the delegation. You do not need to modify it from any other machine, including the one where the user administration will occur.
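Two scripted alternatives, added as an example (not from the original post). The first edits dssec.dat so that only the lockoutTime entry under [user] changes, which is the mistake the post warns about; the second performs the same delegation with dsacls.exe, which needs no dssec.dat edit at all and lets you audit the resulting ACE. The OU and group names are assumptions.

```powershell
# Added example (not from the original post). Part 1: section-aware edit of
# dssec.dat (only the [user] entry changes). Part 2: the same delegation with
# dsacls.exe plus an audit of what the group now holds. OU/group names are
# assumptions.
function Set-DssecFilter {
    param(
        [string]$Section   = 'user',
        [string]$Attribute = 'lockoutTime',
        [int]   $Value     = 0,                         # 0 = expose Read and Write in ADUC
        [string]$Path      = "$env:windir\System32\dssec.dat"
    )
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $inSection = $false
    $changed   = 0
    $out = foreach ($line in Get-Content -Path $Path) {
        # Section headers look like [user] or [computer]; track the current one.
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $Section) }
        if ($inSection -and $line -match "^$Attribute=\d+\s*$") {
            $changed++
            "$Attribute=$Value"
        } else {
            $line
        }
    }
    Set-Content -Path $Path -Value $out -Encoding ASCII
    if ($changed -ne 1) { Write-Warning "Expected one $Attribute line under [$Section], changed $changed" }
}

Set-DssecFilter -Section user -Attribute lockoutTime -Value 0

# Part 2: delegation without the wizard. RPWP = read + write the named
# property, on user objects only, inherited to the subtree (/I:S).
$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\Helpdesk'
dsacls.exe $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Audit: show exactly what the group now holds on that OU.
dsacls.exe $ou | Select-String -SimpleMatch 'Helpdesk'
```

dsacls needs rights to modify the OU's ACL, so run it as a domain administrator. Write access to lockoutTime lets the delegate set the attribute to any value, not only clear it, so scope the grant to the OU that actually holds the accounts the help desk supports rather than the domain root.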


Sunday, September 21, 2008

Getting NumLock to Stick

Here's a tip on how to get the Num Lock key to stay on (or off) every time a user logs on.

Simply set the NumLock key to the desired status (on or off), press Ctrl-Alt-Delete (Ctrl-Alt-End in a Hyper-V guest, Ctrl-Alt-Ins in a VMware guest), and select Log off.

This will set the HKEY_CURRENT_USER\Control Panel\Keyboard\InitialKeyboardIndicators to 0 (OFF) or 2 (ON), depending on your preference. The next time you logon, the NumLock setting will stick.


Friday, August 29, 2008

Fallback Printer Drivers in RDP and Terminal Server Sessions

Microsoft Remote Desktop Connection provides the ability for users to use the printers installed on their local computer within a Terminal Server session. This behavior is enabled by default, and can be changed in MSTSC (the Remote Desktop Connection client) in Options, Local Resources tab, Printers.

In order for this to work, a printer driver must be installed on the Terminal Server that matches the driver installed on the local computer. This is problematic, since you can't always be sure which printer is installed on connecting computers. If there is no matching printer driver on the server, the user will be unable to print to that printer within the RDP session. You will also see an error in the System Event Log similar to the following when the user logs into the Terminal Server:

Event Type: Error
Event Source: TermServDevices
Event Category: None
Event ID: 1111
Date: 7/8/2008
Time: 12:51:15 PM
User: N/A
Computer: HOFS01
Description:
Driver HP LaserJet 4250 PCL 5e required for printer !!SERVER1! NetPrinter2 is unknown. Contact the administrator to install the driver before you log in again.

To handle this issue without having to install tons of drivers on your server, you can tell the server to use a "fallback printer driver." If the exact driver is not installed, the server will offer a fallback PCL or PS driver (or both) to use instead. This is configured in Group Policy as shown below. Note that this requires Windows Server 2003 SP1 or later.

For Windows Server 2003, open Group Policy and navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server data redirection, and configure the Configure Terminal Server Fallback Printer Driver Behavior option.

For Windows Server 2008, open Group Policy and navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, Terminal Services, Terminal Server, Printer Redirection and configure the Specify Terminal Server Fallback Printer Driver Behavior option.

Configure the Terminal Server Fallback Printer Driver Behavior to Enabled, Show both PCL and PS if one is not found, as shown below.

When a client logs into the Terminal Server, you will now see the following event in the System Event Log and the client will be able to use their printer.




Monday, August 25, 2008

Exchange Server Virtualization Support Policy Summary

Microsoft released their Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments document this month. I reviewed the support document and summarized the salient facts here.

Exchange 2007 Virtualization

Host Requirements:

  • A hypervisor virtualization solution that has been validated by the Windows Server Virtualization Validation Program
  • Adequate storage space to accommodate the host OS and components, paging file, management software and crash recovery (dump) files
  • Storage space must be allocated for Hyper-V temporary memory storage (BIN) files, equal to the amount of RAM allocated to each guest

Guest Requirements:

  • Exchange 2007 SP1 (or later) deployed on Windows Server 2008
  • Cannot have the Unified Messaging Role installed
  • The total number of virtual processors cannot exceed twice the number of physical cores. Typically 2 virtual processors are required for each Exchange server guest, but use this only as a baseline
  • Large mailboxes (1GB and larger) require the use of Cluster Continuous Replication (CCR)
  • CCR nodes must be hosted on separate physical host servers to provide true redundancy and high availability
  • Mixing physical and virtual nodes is supported for CCR and SCC environments
  • Exchange supported backups must be run from the guest
  • Both legacy backups (using ESE streaming APIs) and Exchange-aware software-based VSS backups (Data Protection Manager) are supported
  • VSS backups of an Exchange guest are supported if the guest uses only VHDs (not pass-through disks)

Guest Storage Requirements:

  • Supports fixed size VHDs, SCSI pass-through and iSCSI storage
  • Storage must be dedicated to one guest machine
  • Guest OS must use a minimum fixed-size VHD of 15GB plus the size of virtual RAM allocated to the guest
  • VHD limit is 2,040GB (nearly 2TB) in Hyper-V
  • Hub and Edge Transport servers require sufficient storage for message queues and log files
  • Mailbox servers require sufficient storage for databases and log files
  • iSCSI storage using an iSCSI initiator within the guest is supported. This offers greater portability, but decreased performance

Not Supported:

  • Dynamically expanding VHDs are not supported
  • Snapshots or differencing disks are not supported
  • Virtualization high availability solutions, such as Hyper-V Quick Migrations, are not supported. Only Exchange aware HA solutions (SCC, LCR, CCR and SCR) are supported.
  • VSS backups of the Exchange guest machine's pass-through disk from the host are not supported

Recommendations:

  • Storage should be hosted on separate disk spindles from the guest's OS
  • Use SCSI pass-through storage to host transport and mailbox databases and transaction logs
  • When using iSCSI storage, configure the iSCSI Initiator on the host and present it as a pass-through disk to the guest
  • Use dedicated Gigabit Ethernet NICs with jumbo frames, not bound to a Virtual Network Switch, on isolated networks for iSCSI storage

Exchange 2003 Virtualization

Host Requirements:

  • The hardware virtualization software is Microsoft Virtual Server 2005 R2 or any later version of Microsoft Virtual Server

Guest Requirements:

  • Exchange Server 2003 SP2 (or later)
  • Microsoft Virtual Server 2005 R2 Virtual Machine Additions must be installed on the guest operating system
  • Exchange Server 2003 is configured as a stand-alone server and not as part of a Windows failover cluster
  • Each guest must have only one CPU

Guest Storage Requirements:

  • The SCSI driver installed on the guest operating system is the Microsoft Virtual Machine PCI SCSI Controller driver
  • The virtual hard disk Undo feature is not enabled for the Exchange virtual machine

Recommendations:

  • Consider adding a dedicated virtual network adaptor for Exchange Server backups
  • Create separate fixed-size VHDs for Exchange Server databases and log files and store them on separate physical drives on the host
  • Exchange Server performance should be validated before production by using the Exchange Server 2003 Performance Tools
  • Make sure that the host server is sized correctly to handle the number of virtual machines that you plan to deploy
  • Use a storage solution that enables fast disk access
  • Antivirus programs should be configured to not scan VHD files


Saturday, August 23, 2008

Best. Birthday Present. Ever.



My family decided to celebrate my birthday by pushing me out of a perfectly good airplane.

Bay Area Skydiving, in Byron, CA. I highly recommend this.


Friday, August 22, 2008

How to Determine if a PST is ANSI or Unicode


PSTs created in Outlook 2002 and earlier versions are saved in ANSI format, which has a 2.1GB limit. Outlook 2003 and later offer both ANSI and Unicode formats for PST creation. Unicode PSTs have a theoretical 36TB limit which makes them a better choice, providing that backward compatibility is not an issue.

So how can you tell if a PST is in ANSI or Unicode format?

One way is to download a free utility called ListPSTs from http://www.maclean.com. You run this utility from the command line against the file or folder that contains the PST(s). The output displays the format of the PST files, as shown above.

Another way to tell without having to use a separate utility is by viewing the properties of the PST from within Outlook, itself. When you add the PST to Outlook, pay attention to the Format field of the PST, as shown below:

Unicode formatted PSTs will display the format, "Personal Folders File". ANSI formatted PSTs will display the format, "Personal Folders File (Outlook 97-2002)".
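A third way, which needs neither Outlook nor a third-party utility, is to read the PST header directly. The function below is an added example (not from the original post): it reads the fields documented in the [MS-PST] file format specification (dwMagic "!BDN" at offset 0, wMagicClient at offset 8 and wVer at offset 10, where 14 or 15 means ANSI and 23 means Unicode) and reports the format for every PST in a folder. The Outlook data path in the usage line is an assumption.

```powershell
# Added example (not from the original post): classify PST files by reading
# the [MS-PST] header instead of opening them in Outlook.
function Get-PstFormat {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Share ReadWrite so this works while Outlook still has the file open.
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $hdr = New-Object byte[] 12
        if ($fs.Read($hdr, 0, 12) -ne 12) { throw "$Path is too short to be a PST" }
    } finally {
        $fs.Close()
    }
    $magic = [System.Text.Encoding]::ASCII.GetString($hdr, 0, 4)
    if ($magic -ne '!BDN') { throw "$Path is not a PST/OST file (magic '$magic')" }
    $client = [System.Text.Encoding]::ASCII.GetString($hdr, 8, 2)   # 'SM' = PST, 'SO' = OST
    $wVer   = [BitConverter]::ToUInt16($hdr, 10)                    # little-endian, offset 10
    $format = switch ($wVer) {
        14      { 'ANSI' }
        15      { 'ANSI' }
        23      { 'Unicode' }
        default { "Unknown (wVer=$wVer)" }
    }
    New-Object PSObject -Property @{
        Path    = $Path
        Kind    = $(if ($client -eq 'SM') { 'PST' } elseif ($client -eq 'SO') { 'OST' } else { $client })
        Version = $wVer
        Format  = $format
        SizeMB  = [math]::Round((Get-Item -Path $Path).Length / 1MB, 1)
    }
}

# Scan a user's Outlook data folder (path is an assumption; adjust as needed).
Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\Outlook" -Filter *.pst -ErrorAction SilentlyContinue |
    ForEach-Object { Get-PstFormat -Path $_.FullName } |
    Format-Table Kind, Format, Version, SizeMB, Path -AutoSize
```

Because the check is a 12-byte read, it is cheap enough to run across a file server to find ANSI files that are approaching the 2 GB limit before they corrupt.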


Tuesday, August 19, 2008

How to Configure the SCL in Exchange

Recently I was asked what the proper Spam Confidence Level (SCL) should be for an Exchange 2007 installation. The answer is the ever-popular, "it depends."

The SCL is a value that Exchange assigns to each incoming SMTP email and is based on Microsoft's SmartScreen technology. This score determines how likely Exchange thinks an email message is spam. A rating of 0 means the message is not likely spam and a rating of 9 means the message is most likely spam.

SmartScreen is a "black box" technology: the algorithms and heuristics it uses for scoring are not published by Microsoft, which makes it harder for spammers to craft messages that score low enough to pass the filter. The Exchange server downloads updated heuristics from Microsoft periodically.

Exchange 2003 SP2 integrated the Intelligent Message Filter (IMF), which scores messages with an SCL rating. Exchange 2007 uses Content Filtering on the Anti-spam tab of the Edge Transport server to score messages (as shown below). It can also be enabled on a Hub Transport server if Edge Transport servers are not used. See How to Enable Anti-Spam Functionality on a Hub Transport Server.

Selecting the right SCL filter level is not an exact science. You're trying to filter obvious spam without accidentally filtering legitimate messages. You can use the following method to determine the starting point for your filter.

Using Perfmon to Select the SCL Filter Level
The best way to determine the appropriate SCL filter level is to use perfmon and examine the MSExchange Content Filter Agent object. Over time, the "Messages with SCL x" counters will increment and begin to show a trend.

In the example below, the Messages with SCL 0 through 7 counters are in the lower half of the scale. Messages with SCL 8 is off the charts at 270 -- more than all the lower SCL levels combined. From this data we can infer that it is safe to filter messages with an SCL higher than 7.


Note that these counters reset to zero upon restart of the server. It may take a little while before the trend appears.

Keep in mind that this is only the filter to begin with. You may have to adjust your filter up or down for your specific environment, but this will give you an excellent starting point.
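The same reading of the counters can be scripted. The block below is an added example (not from the original post): it pulls the "Messages with SCL n" counters from the MSExchange Content Filter Agent object, applies the rule used above (reject at the lowest level whose count exceeds every lower level combined, never below a floor), and prints the Set-ContentFilterConfig command for the result. The server name, the floor of 5 and the constructed histogram used for the offline run are assumptions.

```powershell
# Added example (not from the original post): derive a starting SCL reject
# threshold from the Content Filter agent's perfmon counters.
function Get-SclHistogram {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # One counter path per SCL level, 0 through 9. Counters are cumulative
    # since the last service restart.
    $paths = 0..9 | ForEach-Object { "\\$ComputerName\MSExchange Content Filter Agent\Messages with SCL $_" }
    $samples = (Get-Counter -Counter $paths -ErrorAction Stop).CounterSamples
    $hist = @{}
    foreach ($s in $samples) {
        if ($s.Path -match 'SCL (\d)$') { $hist[[int]$Matches[1]] = [int]$s.CookedValue }
    }
    return $hist
}

function Find-SclThreshold {
    param([hashtable]$Histogram, [int]$Floor = 5)
    # The post's rule: reject at the lowest level whose count exceeds the sum
    # of every lower level. $Floor keeps the threshold out of the range where
    # legitimate mail usually scores.
    for ($scl = $Floor; $scl -le 9; $scl++) {
        $lower = 0
        for ($i = 0; $i -lt $scl; $i++) { $lower += [int]$Histogram[$i] }
        if ([int]$Histogram[$scl] -gt $lower) { return $scl }
    }
    return $null   # no clear break yet: keep collecting
}

# Constructed sample shaped like the perfmon screenshot above (not real data).
$sample = @{ 0 = 40; 1 = 22; 2 = 18; 3 = 15; 4 = 12; 5 = 20; 6 = 25; 7 = 30; 8 = 270; 9 = 60 }
$threshold = Find-SclThreshold -Histogram $sample
if ($threshold) {
    # Messages with an SCL at or above the threshold are rejected during the SMTP session.
    "Set-ContentFilterConfig -SCLRejectEnabled `$true -SCLRejectThreshold $threshold"
} else {
    'No clear break in the distribution yet; collect more data before filtering.'
}
# Live use on a Hub or Edge server (name is an assumption):
#   $threshold = Find-SclThreshold -Histogram (Get-SclHistogram -ComputerName 'hub01')
```

With the constructed histogram the rule lands on 8, the same conclusion the screenshot led to, because 270 exceeds the 182 messages at SCL 0 through 7 combined. Rerun it after the server has been up for a while; since the counters reset on restart, a sample taken minutes after a reboot will not show a trend.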

SmartScreen filtering is just one of the anti-spam solutions available for Microsoft Exchange Server 2007. Other solutions include Sender ID Framework, Outlook Junk E-Mail Filter, and Microsoft Exchange Hosted Filtering. See the Microsoft AntiSpam Technologies website for more details.


Thursday, July 31, 2008

It's Not Exchange 2007 Enterprise Until You Enter the Product Key

According to the Microsoft article, "Exchange Server 2007: Platforms, Editions, and Versions":

"When you install Exchange 2007, it is unlicensed and referred to as a Trial Edition. Unlicensed (Trial Edition) servers appear as Standard Edition, and they are not eligible for support from Microsoft Product Support Services. The Trial Edition expires 120 days after the date of installation."

This means that you will be unable to add additional storage groups, managed folders, or use any of the Exchange Enterprise features until you enter the Enterprise product key.


Tuesday, July 29, 2008

Customizing Server Manager in Windows Server 2008


This article explains how to create a customized Server Manager console for Windows Server 2008 that displays more (or less) MMC snap-ins and extensions. The example above shows the default Server Manager console with the Microsoft Exchange 2007 and Queue Viewer snap-ins added to it. Note that you can't customize the default Server Manager console in Windows Server 2008, but you can create a new one that you can customize.

To begin, use Windows Explorer to navigate to the %WINDIR%\System32 folder, right-click ServerManager.msc, and select Author. This will open the MSC for editing.

Click File, Options and set the Console Mode to User mode - full access. This will cause the new console to automatically save and remember views and changes you make to the console in the future. Click OK.

To add new snap-ins to the console, click File, Add/Remove Snap-in. Now click the Advanced button and select the checkbox to Allow changing the parent snap-in and click OK. Select Server Manager from the Parent snap-in drop-down box. This is where the new snap-ins will be added.

Now select the additional snap-in(s) you want to add to the console. In my example, I double-clicked Exchange Server 2007 and Queue Viewer to add them below the Server Manager snap-in, as shown below.

If you want to remove extensions (or features) from a snap-in, select the snap-in under Selected snap-ins and click the File Extensions button. Click Enable only selected extensions and clear the check-box for the extensions you want to hide, such as Component Services and Disk Management Extension in the example below, and click OK.


Once you've added and configured the snap-ins you want to add to the console, you have to save it. Click File, Save as and give the new console a unique name, such as ServerManager1.msc. Windows will save the new console in the %WINDIR%\System32 folder by default.

Now modify the Server Manager icon in the Windows task bar to launch the new console. Right-click the Server Manager icon in the Quick Launch toolbar and select Properties. Change the Target path to read %SystemRoot%\system32\ServerManager1.msc and click OK, as shown below.

Now when you click the Server Manager icon in the task bar, your new Server Manager console will be displayed with the new snap-ins. Not only that, Server Manager will remember states of extensions (such as always displaying the Standard view of Windows Services, a pet peeve of mine) and will also open to the last extension you viewed. If you decide you want to add or remove snap-ins from this console in the future, simply right-click the console icon and select Author to make your changes.

Hope this helps you out!



Thursday, July 24, 2008

Free/Busy Information in Exchange 2000/2003/2007


What is Free/Busy?
Users' availability information is stored in Exchange in a hidden system public folder. This information is used by Outlook and OWA to tell other users whether they are free or busy (hence the term Free/Busy information). Normally this information is displayed as color-coded blocked-out areas in a user's calendar, as shown above. If users have extended rights, they can right-click another user's blocked-out time to view the subject of the busy time.

The Free/Busy information is posted as a single message that contains data for the entire Free/Busy duration. The default to publish is 2 month's worth of information, configurable in Outlook Options or via Group Policy. Every time the Free Busy information is updated, the message is overwritten.

Publishing Free/Busy Information
The way Free/Busy information is published to Exchange depends on the method used to update the user's calendar. The Outlook client is usually responsible for generating Free/Busy information. Outlook will read the calendar and generate Free/Busy every 15 minutes by default if the information has been changed. This schedule can be changed in Outlook options or via Group Policy. Outlook also republishes the Free/Busy information whenever Outlook is shut down.

So what happens when the user updates their calendar using Outlook Web Access (OWA) or some other non-MAPI client? In this case, Free/Busy information is updated by a background process called MSExchangeFBPublish (MadFB). This process runs under the System Attendant mailbox and updates Free/Busy every 5 minutes for OWA, OMA, and Entourage clients. When a change is made to the calendar, a Free/Busy message is submitted to the System Attendant mailbox on the mailbox server for the user. The MadFB process polls this mailbox and picks up that there has been a change. MadFB then publishes the user's full Free/Busy message to the Free/Busy folder overwriting the existing message.

Replicating Free/Busy Information
The short answer is don't do it. The only reason to replicate Free/Busy information is when you frequently have users accessing Free Busy information of users in another site, and those sites are separated by a slow or lossy network link. Replicating Free/Busy information introduces inherent latency and causes inaccuracy in the Free/Busy information. Users in one site may see information from a site that has not replicated yet.

Where is Free/Busy Information Stored?
As mentioned earlier, Free/Busy information is stored in a system public folder. You can view all the Free/Busy information in the org by opening the following URL in a web browser: "http(s)://ServerName/Public/Non_IPM_Subtree/SCHEDULE%2B%20FREE%20BUSY/".

Here, you will see a folder under SCHEDULE+ FREE BUSY for each Administrative Group, named in the format "EX:/o=/OU=". Each folder contains one message per user holding that user's Free/Busy information, named in the format "USER-/CN=RECIPIENTS/CN=".

Free/Busy message placement is based on the user's legacyExchangeDN attribute in AD. For example, if my legacyExchangeDN is "/o=CompanyABC/ou=Paris/cn=Recipients/cn=jsguillet", my Free/Busy information will be stored in the "USER-/CN=RECIPIENTS/CN=jsguillet" message in the "/EX:/o=CompanyABC/ou=Paris" folder.

You cannot view the contents of the message, but you can delete it. Doing so removes all of that user's Free/Busy information from Exchange until it is republished by one of the methods explained above. While it is missing, other users see black and white hash marks across your calendar and Outlook reports that Free/Busy information is not available for this user.

How to Republish Free/Busy Information
On occasion Free/Busy information may not be published correctly in Exchange. There are many reasons that this can occur. Examples include errors in Public Folder replication (if Free Busy is being replicated, another reason to not do this), network errors, and incorrect shutdown of Outlook or Windows.

So how do you republish Free/Busy information? The easiest way to do this for individual users is to have them run Outlook with the /CleanFreeBusy switch:

  • Close Outlook

  • Click Start, Run, enter "start outlook /cleanfreebusy" and click OK

  • Outlook will start, generate the Free/Busy information from the Outlook calendar and republish it to Exchange within 5 minutes. It will overwrite any existing Free/Busy message or publish a new one if it doesn't exist.

While this is easy to do for one or two users, it isn't a good solution for all users in the enterprise since it requires user intervention.

Microsoft KB article 294282 details how to use Updatefb.exe to regenerate Free/Busy information from the calendar information contained in each user's mailbox. You run this utility under the context of a user or service account that has full mailbox access to the affected users. It reads a comma-delimited file containing the alias and home mailbox server of each user (e.g., alias,mailbox1) and logs in as that user using Collaboration Data Objects (CDO). It then creates a single appointment for the user for today at 11:00pm. This marks the Free/Busy information as "dirty". It then logs off the MAPI connection, causing the Free/Busy information to republish to Exchange. Note that Updatefb will be unable to open disabled users' mailboxes or hidden mailboxes, so be sure to exclude them from the CSV input file.

Updatefb.exe is an unsupported utility written by Microsoft and is only available through Microsoft Product Support Services. There are two versions of the utility, Updatefb.exe is the GUI version and CPPCDO.exe is a command line version. I have used it in several environments with no issues.
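Two pieces of the above are easy to get wrong by hand: working out which folder and message hold a given user's Free/Busy data from legacyExchangeDN, and producing an Updatefb input file that leaves out the disabled and hidden mailboxes. The script below is an added example, not from the original post or from Microsoft; it runs offline against constructed recipient objects, and the property names it expects (Alias, ServerName, AccountDisabled, HiddenFromAddressListsEnabled, LegacyExchangeDN) are assumptions you would map onto Get-Mailbox/Get-User output or an LDAP query in a real org.

```powershell
# Added example, not from the original post. Runs offline against constructed
# recipient objects; in a real org replace $Recipients with Get-Mailbox /
# Get-User output (the property names used here are assumptions).

# Where Exchange 2000/2003 keeps a user's Free/Busy message, derived from
# legacyExchangeDN the way the post describes (container upper-cased, alias
# left as-is).
function Get-FreeBusyLocation {
    param([Parameter(Mandatory=$true)][string]$LegacyExchangeDN)
    $pattern = '^/o=(?<o>[^/]+)/ou=(?<ou>[^/]+)/cn=(?<container>[^/]+)/cn=(?<alias>[^/]+)$'
    if ($LegacyExchangeDN -match $pattern) {
        New-Object PSObject -Property @{
            LegacyExchangeDN = $LegacyExchangeDN
            Folder  = "EX:/o=$($Matches.o)/ou=$($Matches.ou)"
            Message = "USER-/CN=$($Matches.container.ToUpper())/CN=$($Matches.alias)"
        }
    } else {
        throw "Unexpected legacyExchangeDN format: $LegacyExchangeDN"
    }
}

# Input file for Updatefb.exe: one "alias,server" line per user, skipping the
# disabled and hidden mailboxes that Updatefb cannot open.
function New-UpdatefbInput {
    param([object[]]$Recipients, [Parameter(Mandatory=$true)][string]$Path)
    $lines = $Recipients |
        Where-Object { -not $_.AccountDisabled -and -not $_.HiddenFromAddressListsEnabled } |
        ForEach-Object { "$($_.Alias),$($_.ServerName)" }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    $lines
}

# Constructed sample data (not real users).
$Recipients = @(
    New-Object PSObject -Property @{ Alias='jsguillet'; ServerName='mailbox1'; AccountDisabled=$false; HiddenFromAddressListsEnabled=$false; LegacyExchangeDN='/o=CompanyABC/ou=Paris/cn=Recipients/cn=jsguillet' }
    New-Object PSObject -Property @{ Alias='mdupont';   ServerName='mailbox1'; AccountDisabled=$false; HiddenFromAddressListsEnabled=$true;  LegacyExchangeDN='/o=CompanyABC/ou=Paris/cn=Recipients/cn=mdupont' }
    New-Object PSObject -Property @{ Alias='oldacct';   ServerName='mailbox2'; AccountDisabled=$true;  HiddenFromAddressListsEnabled=$false; LegacyExchangeDN='/o=CompanyABC/ou=Lyon/cn=Recipients/cn=oldacct' }
)

# Folder and message name for each user
$Recipients | ForEach-Object { Get-FreeBusyLocation $_.LegacyExchangeDN } |
    Format-Table Folder, Message -AutoSize

# Only "jsguillet,mailbox1" is written; the hidden and disabled mailboxes are skipped
New-UpdatefbInput -Recipients $Recipients -Path .\updatefb.csv
```

Feed the resulting updatefb.csv to Updatefb.exe while running as the account that has full mailbox access, as the KB article describes.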

What About Exchange 2007?
Exchange 2007 uses an entirely new and different way to manage Free/Busy information, so the above does not apply in a pure Exchange 2007/Outlook 2007 environment. When using Exchange 2007 with Outlook 2007 Free/Busy information will no longer come from a Public Folder, but will instead use the Microsoft Exchange 2007 Availability Service. This web service will provide a direct look at the user's Free/Busy information without the need of a client publishing any data. Outlook 2007 and Exchange 2007 can still use (and will still have) the Free/Busy public folder for backwards compatibility with older Outlook clients.


Wednesday, July 23, 2008

Your Troubleshooting PAL


How many times have you been faced with a performance issue with a computer and you don't really know where to start? Sure, you can fire up Performance Monitor (perfmon) and start collecting data for analysis, but which counters do you collect and how do you identify a bottleneck?

Perfmon can gather tons of information, and poring over all that data for analysis can be a daunting task. Enter Performance Analysis of Logs (PAL), a new and powerful tool that reads in a performance monitor counter log in any known format and analyzes it using complex, but known, thresholds. The tool produces an HTML report that shows the important performance counters and displays alerts when thresholds are exceeded.

PAL is a free open source application developed by Microsoft and is hosted on CodePlex, Microsoft's open source project hosting web site. It requires two other free pieces of software on the computer where PAL will run:

Log Parser 2.2
Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. PAL uses the Log Parser tool to query perfmon logs and to create charts and graphs for the PAL report.

Microsoft Office Web Components 2003
Log Parser requires the Office Web Components 2003 in order to create charts.

Note: Because there is no 64-bit version of the Microsoft Office Web Components, PAL only runs on x86 platform computers.

To use PAL, you begin by collecting performance data from the target machine using perfmon. Typically, I collect the Memory, Network Interface, Physical Disk, Processor and System counters to begin with. Once you've collected some data run PAL and walk through the wizard. Be sure to answer the Question Variable Names at the bottom of the Threshold File page. The variables are Number of Processors, use of the /3GB switch, is the target a 64-bit computer, total RAM and whether it has a kernel dump configured. Step through the rest of the wizard and PAL will create a batch file, run it and display the output as a graphical report in your web browser. Very cool!!!
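Collecting the counter log itself can be scripted with logman.exe (built into Windows), which makes the collection repeatable on each server you look at. The block below is an added example, not from the original post or the PAL project; the log name, output folder, 15-second interval and 500 MB cap are choices for the example, not values from the post. Run it from an elevated prompt on the target machine.

```powershell
# Added example, not part of the original post: create, start and stop a
# Performance Monitor counter log with the counter sets the post suggests.
# Log name, folder, interval and size cap are example values. Run elevated.
$LogName = 'PAL_Baseline'
$LogDir  = 'C:\PerfLogs'

function New-PalCounterLog {
    param([string]$Name, [string]$Directory)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    # Binary (.blg) output, one sample every 15 seconds, stop at 500 MB.
    # Memory, Network Interface, Physical Disk, Processor and System counters.
    logman create counter $Name `
        -c '\Memory\*' '\Network Interface(*)\*' '\PhysicalDisk(*)\*' '\Processor(*)\*' '\System\*' `
        -si 00:00:15 -f bin -max 500 -o (Join-Path $Directory $Name)
    if ($LASTEXITCODE -ne 0) { throw "logman create failed for $Name" }
}

function Start-PalCounterLog { param([string]$Name) logman start $Name }
function Stop-PalCounterLog  { param([string]$Name) logman stop  $Name }

New-PalCounterLog   -Name $LogName -Directory $LogDir
Start-PalCounterLog -Name $LogName

# Reproduce the slowness for a representative period, then:
#   Stop-PalCounterLog -Name $LogName
# The resulting C:\PerfLogs\PAL_Baseline*.blg is the file you point PAL's wizard at.
```

Copy the .blg off the server and run PAL on an x86 workstation, since PAL itself only runs on 32-bit machines as noted above.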

You can view a LiveMeeting streaming video training of PAL here.


Friday, June 20, 2008

Using Exchange 2007 Header Firewall

Each time an SMTP email is passed from one server to another, the receiving server records the hand-off in the SMTP headers of the email. This is usually recorded like this:
Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700
Customers often do not like their internal email infrastructure exposed in the SMTP headers for security reasons. It displays private information, such as internal IP addresses and SMTP versions that can be used by bad guys for targeted attacks. In the example above, SMTP Server id 8.1.278.0 tells me that edge.companyabc.com at public IP 12.5.1.168 is running Exchange Server 2007 SP1.

You can remove this information from the SMTP headers on Exchange 2007 using a feature called Header Firewall. This is done using the Remove-ADPermission cmdlet in the Exchange Management Shell. If you use Exchange 2007 Edge server(s), run the following one-liner:

Remove-ADPermission -id "EdgeSync - companyabc to Internet" -User "MS Exchange\Edge Transport Servers" -ExtendedRights Ms-Exch-Send-Headers-Routing

Note: Replace "EdgeSync - companyabc to Internet" with the name of the Internet bound send connector. You can run the Get-SendConnector cmdlet to display the names of all the Exchange send connectors.

For Exchange 2007 implementations that do not use Edge servers, use the following:

Remove-ADPermission -id "companyabc to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing
Again, replace "companyabc to Internet" with the name of the Internet bound send connector.

Essentially, ms-Exch-Send-Headers-Routing is an extended right granted on the send connector to the account that hands the message to the next hop. While that right is present, Exchange lets the Received: (routing) headers accumulated inside the organization leave with the message; once it is removed, the last Exchange server in the path strips all existing Received: entries as it sends, so the message appears to the recipient to have originated from that server. For Edge servers that account is MS Exchange\Edge Transport Servers; for a Hub Transport server sending straight to the Internet it is NT Authority\Anonymous Logon. Two caveats: leave the right in place on internal connectors, because the Received: chain is also what you use to trace delays and loops inside the org, and treat this as reducing what an outsider can learn rather than as a control in its own right. To confirm the change took, run Get-ADPermission against the connector and check that the entry for that account no longer lists ms-Exch-Send-Headers-Routing, then send a message to an external mailbox and read its headers.
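To see concretely what the outside world learns from an unfiltered header chain, the script below parses the Received: lines of a message and flags internal (RFC 1918) addresses and product build numbers. It is an added example, not from the original post; the header block is constructed for the example (the companyabc.com hosts and addresses are the ones used in the post above, the receiving host and the third hop are made up).

```powershell
# Added example, not from the original post: audit what the Received: chain
# of an outbound message reveals. The header below is constructed; the
# companyabc.com names and addresses are those used in the post.
$SampleHeader = @'
Received: from edge.companyabc.com (12.5.1.168) by mx.example.net (198.51.100.7) with ESMTP id 1K9ZQz-0003Qz-Ab; Fri, 20 Jun 2008 15:17:52 -0700
Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700
Received: from ex02.companyabc.com ([192.168.20.5]) by ex01.companyabc.com with Microsoft SMTPSVC(6.0.3790.3959); Fri, 20 Jun 2008 15:17:40 -0700
From: jsguillet@companyabc.com
Subject: header firewall test
'@

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    ($Address -match '^10\.') -or ($Address -match '^192\.168\.') -or ($Address -match '^172\.(1[6-9]|2\d|3[01])\.')
}

function Get-ReceivedHop {
    param([string]$RawHeader)
    # Unfold continuation lines, then examine each Received: line
    $unfolded = $RawHeader -replace "`r?`n[ \t]+", ' '
    $pattern  = '^Received:\s+from\s+(?<from>\S+)\s+\(\[?(?<fromip>[\d.]+)\]?\)\s+by\s+(?<by>\S+)(?:\s+\((?<byip>[\d.]+)\))?\s+with\s+(?<with>.*?)(?:\s+id\s+(?<id>\S+?))?;\s*(?<date>.*)$'
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match $pattern) {
            $m = $Matches   # copy: later -match calls replace $Matches
            New-Object PSObject -Property @{
                From           = $m.from
                FromIP         = $m.fromip
                By             = $m.by
                ByIP           = $m.byip
                Software       = $m.with
                Id             = $m.id
                # an internal address is visible to the recipient
                LeaksPrivateIP = (Test-PrivateIPv4 $m.fromip) -or ($m.byip -ne $null -and (Test-PrivateIPv4 $m.byip))
                # a build number in the id or software string identifies the product version
                LeaksVersion   = [bool]("$($m.id) $($m.with)" -match '\d+\.\d+\.\d+')
            }
        }
    }
}

Get-ReceivedHop -RawHeader $SampleHeader |
    Format-Table From, FromIP, By, ByIP, Software, Id, LeaksPrivateIP, LeaksVersion -AutoSize
```

On the sample, the first hop (added by the recipient's MX) leaks nothing internal, while the second and third are exactly the lines the header firewall removes: they carry 10.12.1.81, 192.168.20.5, and the 8.1.278.0 and 6.0.3790.3959 build strings. After the Remove-ADPermission change, a test message sent to an external mailbox should show only the recipient-side Received: line above the From: header.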


Friday, June 6, 2008

New PowerShell Scriptomatic


For those of you who are familiar with the WMI Scriptomatic tool (and those of you who aren't), check out this awesome new version for Windows PowerShell -- The PowerShell Scriptomatic!

This tool will have you writing PowerShell scripts like a pro with absolutely NO experience. Imagine the fun you'll have deleting all the user accounts in the domain without having to write a single line of code yourself! Well, errr, maybe that was a bad example.

Actually, this really is a great tool to use to create PowerShell scripts without having to know the classes and objects necessary to access. Just select the WMI namespace and WMI class to access, and the PowerShell Scriptomatic will generate the correct PowerShell code. Then use this code to experiment with or add to other snippets. Brilliant!
It's great for those new to PowerShell and seasoned veterans who are just plain lazy.


TechEd Newbie Resource Posts






As TechEd 2008 ITPro week approaches, I thought I'd provide links to the posts I've made that will help first time TechEd attendees. A sort of one stop shopping blog entry, if you will.

If you have a suggestion for future articles, let me know by posting a comment.


Thursday, June 5, 2008

New TechEd Airline Check-in Service

Open Thursday, June 12 and Friday, June 13
7:00am–6:00pm

South Hall A1 next to Registration

New this year for TechEd attendees!

Airline Check-in is a full-service, multi-airline remote skycap operation that offers issuance of boarding pass and luggage receipts. The next time you’ll have to think about your luggage will be at your final destination!

Airline Check-in service is available to all attendees departing on domestic flights from Orlando International Airport on American, Alaska, Air Tran, Continental, Delta, JetBlue, Northwest and United Airlines. You must have your luggage checked in a minimum of three hours before your flight departure time.

Remember, this service is only valid for flights departing on June 12-13.

Check Your Bags
Enter Event ID: 15019 and Passcode: microsoft to check your baggage and receive your boarding pass. Online check-in service fee is US$5 per person.

Walk-up airline check-in at the OCCC is US$10 per person.

Airline Check-in is also available at the Rosen Centre and Rosen Plaza hotels.

Check your bags here!


Thursday, May 29, 2008

Outlook Calendar Synchronization Cookbook




I carry an AT&T 8525 Windows Mobile device as my phone and PDA. It’s connected to my company’s Exchange 2007 server back in the office, but as a consultant I’m nearly always at a client site.

When I’m onsite for any length of time the client usually provides me with an email account on their network so that I can more easily communicate with teams and accept meeting invitations. The trouble for me has always been how to synchronize calendar data between the two calendars. There are lots of hard and messy ways to do this – I can forward the appointments to my WM device or type them in manually, or I can use Google calendar to do a “middle man” synchronization.

What I’ve discovered that does a really good job is a software and service called Funambol. This free service is made up of three components:

  • The Funambol client for Windows Mobile
  • The Funambol client for Windows Outlook
  • The myFunambol Portal, the hosted server that holds the synchronized data

Funambol can perform synchronization of email, contacts, calendar items, tasks, notes and briefcases. Synchronization can be one-way (from Funambol server to phone only or from phone to server only) or two-way. Since I only perform calendar synchronization this article only covers this, but the other types of synchronization can be setup the same way.

To begin, sign up for a free myFunambol account at http://my.funambol.com. This creates a personal database account for you that will hold the synchronized data. The myFunambol portal also offers a web interface where you can view and manage your synchronized data stored on the server.

Next, download the Funambol Outlook Plugin from https://www.forge.funambol.org/download and install it on the computer with Outlook that you want to sync with your mobile device. Follow the wizard to install the plugin. I won't list the steps here because Funambol updates their software regularly and the steps may change, but here are the settings I use in the version I'm currently running:

  • Account and password are the same as the myFunambol account
  • Sync Calendar; One-way: Outlook -> Server; Synchronize every 2 hours

Test the synchronization from Outlook. The plugin may warn you that it needs to perform a full sync the first time. Once the sync completes, log into the myFunambol portal to ensure that your data is there.

Now download and install the correct Funambol client for your mobile device from https://www.forge.funambol.org/download. Funambol makes one for Windows Mobile PocketPC, Windows Mobile Smartphone, Blackberry, Java based phones and even the Apple iPod.

Install the client on your device and configure it thusly:

  • Account and password are the same as the myFunambol account
  • Synchronize all items in: Calendar
  • PIM options – Sync Direction: Server to Phone only
  • Sync Method: Scheduled Sync, Sync every 2 hours

Now sync your mobile device. The device will tell you that it needs to perform a full sync the first time and begin syncing the data from the myFunambol portal.

Voilà! Calendar synchronization made easy!

For this solution to work, your Outlook client must be running and have Internet access. Keep in mind that the synchronized calendar passes through, and is stored in, your myFunambol account on Funambol's hosted server; if the calendar you are syncing belongs to a client, make sure their policy allows meeting details to be kept with a third party before turning this on.




Teched 2008 Extracurricular Activities Map

At the request of geniph on the Extracurricular Activities group on the Microsoft TechEd Connect site, I created the Teched 2008 Extracurricular Activities Map.

This map is based on the events in the TechEd 2008 Extracurricular Activities Calendar to help show the distances between each event.

If you know of an event, party or activity not listed on the calendar, please leave a comment and I'll add it.


View Larger Map

Since everything's pretty close to each other, click View Larger Map to open it in a new window. Then you can use your mousewheel to zoom in and out, and to drag the map around.


Wednesday, May 28, 2008

TechEd Attendee Party - What to Expect


Here's a little write up of what to expect for the TechEd Attendee Party at Universal Studios Orlando.

Around 6:00 at the convention center there will be more buses in one place than you've probably ever seen before. In the past, buses leave from the conference center to Universal Studios theme park, but last year they picked us up at the same bus stops in front of the hotel that we use to go to the convention center. Buses will run every 10 minutes or so. There will be many more people in line waiting for a bus than the buses can hold. Just be patient and meet some new friends while you wait. Hopefully it won’t rain while we’re waiting, like it did last year. :)

Remember to wear comfortable shoes and clothes, You’ll be doing a lot of walking and standing (after a full day of walking the TechEd floor).

When you arrive at Universal, there will be lots of staff on hand to usher you into the park or answer questions. All the rides, food and drink that are open are free. There will be soda and beer stands setup along the walkways. It’s a very festive, fun and family friendly atmosphere.

The big rides, like The Simpsons Ride, Shrek 4-D, and Revenge of the Mummy, are very popular, but the lines move pretty quickly. The park is open to us from 6:30-11:00pm, so be sure to scope out the rides and restaurants you want to visit before getting to the park. Not all rides may be open, however, due to maintenance or weather.

The park will close sharply at 11:00pm, which leads us to the most thrilling ride of them all… getting back to the hotel! This is probably my least favorite part of TechEd. Thousands of people, all as tired as you, descending on an extremely crowded area filled with buses. You have to find the one that's going back to your hotel region and fight to get on board. Keep your kids close (if they were lucky enough to come with you).

Some people choose to skip the throngs of people by hanging out along Universal CityWalk. Here, you can browse shops and maybe get a drink of something stronger at one of the bars, like Jimmy Buffett's Margaritaville. Just be sure not to miss the last bus or you'll be calling a cab! Which, come to think of it, isn't such a bad idea...

Update: Microsoft just changed the hours for the Attendee Party to run from 8:00pm-12:00am this year. :(


Tuesday, May 20, 2008

Quickly installing MOSS 2007 with SP1 on Windows Server 2008

If you try to install MOSS 2007 on Windows Server 2008, you are going to get an error that there is an incompatibility. To install, you need SP1 for MOSS.

You can slipstream SP1 yourself, but it turns out there's an easier way. First, install the trial version of MOSS 2007 with SP1 (32 bit or 64 bit). After you install the trial version, upgrade from the trial version.
  1. In Central Administration, on the top link bar, click Operations.
  2. On the Operations page, in the Upgrade and Migration section, click Convert license type.
  3. On the Convert License Type page, in the Enter the Product Key box, type the new product key.

Thanks to Kirk Allen for the tip!


PowerShell on Windows Server 2008 Server Core!

Yes, it is possible.

No, it is not supported. Don't even ask...


Unable to Successfully Promote SCOM RMS Server

If the root management server (RMS) in a System Center Operations Manager 2007 (SCOM 2007) implementation fails or becomes unavailable for some reason, the entire SCOM system will fail. Well, not exactly. The managed agents will still collect performance and alert data and will either queue this data or forward it to their management server. The management servers will be unable to forward this information to the SQL database, and administrators will be unable to launch either the Operations or web consoles, so it's as good as dead.

There are two ways to rectify this -- bring the RMS server back online or promote an existing SCOM management server to an RMS. Microsoft article, "How to Promote a Management Server to a Root Management Server Role in Operations Manager 2007" does a good job of explaining the steps required, so I won't go through them here. But what happens if you get the following error when promoting the new RMS?

The machine managementserver is a server for multiple management groups (not supported)!

This occurs when the registry contains extra "Parent Health Service" or "Send Priority" keys at the wrong level, directly under the Server Management Groups key. Open Regedit and navigate to:

HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups

Under this key you should see exactly one key, named for your SCOM management group. Any other key at that same level (for example, a stray "Send Priority" key and its subkeys) is what makes the tool believe the server belongs to more than one management group. Back those keys up (File, Export in Regedit, or reg export) and delete them; leave the management group key and everything beneath it alone.

Run the same ManagementServerConfigTool.exe PromoteRMS command and it should work now.
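The registry clean-up can be done from PowerShell with the backup built in, which is worth having when you are in the middle of a disaster recovery. This is an added example, not from the original post or from Microsoft; $GroupName and $BackupDir are assumptions you set for your environment, and the Remove-Item call is left with -WhatIf so it only reports until you take that switch off.

```powershell
# Added example, not from the original post: find keys under Server Management
# Groups other than the management group itself, export each one with reg.exe,
# then delete it. $GroupName and $BackupDir are assumptions. Run as an
# administrator; drop -WhatIf once the output is what you expect.
$GroupName = 'MyManagementGroup'
$BaseKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups'
$BackupDir = 'C:\Temp\SCOMRegBackup'

function Get-ExtraManagementGroupKey {
    param([string]$Path, [string]$Expected)
    # Everything at the same level as the management group key is suspect
    Get-ChildItem -Path $Path | Where-Object { $_.PSChildName -ne $Expected }
}

function Backup-RegistryKey {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Directory)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $file    = Join-Path $Directory (($Key.PSChildName -replace '[^\w]', '_') + '.reg')
    # reg.exe wants HKLM\..., not the HKEY_LOCAL_MACHINE\... form that .Name returns
    $regPath = $Key.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM'
    reg export "$regPath" "$file" /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed" }
    $file
}

$extra = @(Get-ExtraManagementGroupKey -Path $BaseKey -Expected $GroupName)
if ($extra.Count -eq 0) {
    Write-Host "No extra keys under $BaseKey"
} else {
    foreach ($key in $extra) {
        $backup = Backup-RegistryKey -Key $key -Directory $BackupDir
        Write-Host "Backed up $($key.PSChildName) to $backup"
        Remove-Item -Path $key.PSPath -Recurse -WhatIf
    }
}
```

If the promotion still fails after the delete, the exported .reg files can be double-clicked to put the keys back exactly as they were.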



Thursday, May 15, 2008

TechEd Tips for Families

Today we have a special guest article from my wife, Amy!

She wrote the following helpful tips for families who will be accompanying their significant other to TechEd in Orlando:

Kids and Tech Ed Tips and Tricks

You’ll most likely be in a hotel on or near International Drive. There is a trolley that runs up and down the street. Buy the 7 day ticket pass at your hotel's concierge. The trolleys run about every 15 to 20 minutes at stops all along the drive. There are well marked signs for the trolleys and they are so much more comfortable than walking in the heat with kids.

There's tons to do on International Drive. Lots of different themed mini golf places, a water slide park, an upside down museum (Wonderworks), and a go-kart park.

There are not a lot of “kid” places to eat, just a Denny’s, Chuck E. Cheese's, and a *big* McDonald's. If you order in like pizza or something, remember that there are thousands of guests in town for the conference and it could, and probably will, take well over an hour to get the food delivered. The other restaurants get very busy in the evening so call ahead for reservations. No grocery stores are nearby.

Take advantage of the breakfasts at your hotel and grab a few extra pieces of fruit for the room and hungry kids for later. Have your husband bring back extras of all the snack handouts from the conference. You could practically feed off of these alone for the week. It’s all grab and go, prepackaged stuff from granola bars, to cookies, to Power Bars.

Remember it’s hot, so be realistic about how much you and your children can do. I find that mine are very happy to get the afternoon off to just play in the pool at the hotel. It also helps if your hotel offers an adult “happy hour.” :)

Most hotels offer shuttle service to Disney World and other parks (Universal Studios, Islands of Adventure, Epcot, Sea World, etc). Check at the front desk the day before as you might need to reserve a seat.

Theme parks are all fun but choose wisely based on your children's ages. If they are over 10 then Animal Kingdom in Disney World would be OK, but they might be bored with the rest of the "princess" thing. Universal is fun for older kids, but not for younger ones due to height requirements on most rides. Islands of Adventure is a good dual choice with things for older and younger kids and a nice "downtown" area with restaurants and shops just outside the park.

If you have a car, Kennedy Space Center at Cape Canaveral is not that far away. It’s only about 40 minutes, but remember that there are toll roads all over the state so have lots of change handy. The Kennedy Center is amazing and worth going to if you can make it. You can spend the whole day there. If no car, check with the concierge for a tour group. Allow a full day to enjoy it all. It will be in the mid 90’s and humid so hats, sun block and lots of water are a necessity.

Amy
TechEd veteran and mother of an 8 and 12 year old


SQL Exceptions during SCOM 2007 RMS Promotion

The Microsoft article, "How to Promote a Management Server to a Root Management Server Role in Operations Manager 2007" does a pretty good job of explaining how to promote a SCOM 2007 management server to a root management server.

While performing a disaster recovery test today, I found that I was getting the following SQL exceptions when I ran the ManagementServerConfigTool.exe PromoteRMS command:

The type initializer for 'Microsoft.MOMv3.Setup.MOMv3ManagedCAs' threw an exception.

Turns out this is because I ran the ManagementServerConfigTool.exe PromoteRMS command directly from the SCOM SP1 Support Tools folder, which is missing some of the DLLs required to run the command.

Simply copy the files from the Support Tools folder on the SP1 CD to the local \Program Files\System Center Operations Manager 2007 folder and re-run the command.


Microsoft Exchange Server 2007 Management Tools (32-Bit) Released


Microsoft has released a 32-bit version of the Microsoft Exchange Server 2007 Management Tools.

Exchange Server 2007 is a native 64-bit application that includes 64-bit management tools. You can use the management tools to administer your Exchange Server environment remotely. If your remote computer is running a 32-bit operating system, you will need to download the 32-bit management tools.

The Exchange management tools include the Exchange Management Console (EMC), the Exchange Management Shell (EMS), the Exchange Help file, the Microsoft Exchange Best Practices Analyzer Tool, and the Exchange Troubleshooting Assistant Tool.

Get the 32-bit Exchange management tools here.


Wednesday, May 14, 2008

Error Running SecureStorageBackup


When backing up or restoring the RMS keys using the SecureStorageBackup utility in SCOM SP1, you may come across the following error:

Could not load file or assembly 'Microsoft.Mom.Common, Version=6.0.4900.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

To fix this, copy Microsoft.Mom.Common.dll from C:\Program Files\System Center Operations Manager 2007 to the same folder where SecureStorageBackup.exe is run. Then run SecureStorageBackup again.


Tuesday, May 13, 2008

TechEd 2008 Group, Calendar and more


Just a reminder to all Teched 2008 attendees to visit my Extracurricular Activities group on TechEd Connect. Here, you'll read about any parties, get togethers and activities outside the event itself. Recent discussions have been around golf and poker.

You can also view the Extracurricular Activities Calendar to see which activities to join. If you have an event, no matter how small, you'd like to add to the calendar please let me know.

And be sure to check out Microsoft TechEd Online, a site devoted to TechEd 2008 Developers and IT Pros. Here, you can read about the event itself as well as what other TechEd bloggers are blogging about.


Sunday, May 11, 2008

Failure installing VMM2008


When installing the server component of Microsoft System Center Virtual Machine Manager 2008, you may come across the following error:

Microsoft System Center Virtual Machine Manager 2008 installation did not complete successfully. Review the error log for information, and then try Setup again.
ID: 205. Details: Fatal error during installation

Virtual Machine Manager Server installation did not successfully install. All items that were copied during the installation process have been removed, however some required prerequisite software is still present on the machine. It is not necessary to remove the remaining software before you run Setup again. But you can uninstall the prerequisite software by going to Add or Remove Programs.
For error details, click the Error tab.

The ServerSetup.log file also references error 1603 in various places. This is caused by name resolution (DNS lookup) failures. Examine your DNS configuration for any of the following errors:
  • Misconfigured TCP/IP settings
  • Primary DNS is misconfigured on the VMM server
  • The VMM server is unable to resolve the DC by name
  • The VMM server does not have a record in DNS
  • The DC is unable to get proper name resolution of the VMM server
  • Incorrect DNS forwarding
  • DNS is not functioning correctly on the DNS server

Once the errors have been corrected, reinstall the VMM server component.
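Most of the items in that list can be checked from the VMM server before you re-run setup. The script below is an added example, not from the original post or from Microsoft: it lists the DNS servers the enabled adapters actually use and tests forward and reverse resolution for the VMM server and a domain controller. The DC host name is an assumption; set it to a DC in the VMM server's domain.

```powershell
# Added example, not from the original post: check the name resolution that
# VMM setup depends on, from the VMM server's point of view. $DomainController
# is an assumption; use a DC for the VMM server's domain.
$VmmServer        = $env:COMPUTERNAME
$DomainController = 'dc01.companyabc.com'

function Test-NameResolution {
    param([string]$HostName)
    $result = New-Object PSObject -Property @{
        HostName = $HostName; Forward = $null; Reverse = $null; Ok = $false
    }
    try {
        # Forward lookup (IPv4 only)
        $addrs = @([System.Net.Dns]::GetHostAddresses($HostName) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' })
        if ($addrs.Count -eq 0) { throw "no IPv4 address for $HostName" }
        $result.Forward = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','

        # Reverse lookup of the first address should name the same host
        $ptr = [System.Net.Dns]::GetHostEntry($addrs[0]).HostName
        $result.Reverse = $ptr
        $result.Ok = ($ptr -ieq $HostName) -or ($ptr -ilike "$HostName.*")
    } catch {
        $result.Reverse = $_.Exception.Message
    }
    $result
}

# Which DNS servers the enabled adapters point at (what setup will use)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DNSServerSearchOrder, DNSDomain

# Forward and reverse resolution for the VMM server itself and for the DC
$VmmServer, $DomainController | ForEach-Object { Test-NameResolution $_ } |
    Format-Table HostName, Forward, Reverse, Ok -AutoSize
```

A row with Ok set to False points at the missing A or PTR record; an exception message in the Reverse column means the name did not resolve at all. The one item this cannot check is the DC's view of the VMM server, so also run nslookup for the VMM server's name from the DC itself.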


Wednesday, May 7, 2008

Can my system support Hyper-V?

This is a common question. Hyper-V requires three things: processor virtualization support, BIOS virtualization support and Windows Server 2008 with Hyper-V.

Processor virtualization is provided by Intel (Intel VT) and AMD (AMD-V) processors. You can check each of these websites to see if a processor supports virtualization. AMD offers an AMD Virtualization™ Technology and Microsoft® Hyper-V™ System Compatibility Check Utility that will tell you if the installed AMD CPU supports it.

BIOS virtualization support, however, can be dicey. Normally, a BIOS manufacturer will offer the ability to turn virtualization on or off -- but not always. I have a Dell Dimension E521, for example, that doesn't offer virtualization configuration. Thankfully, it's enabled by default in this BIOS.

So how do you tell if your machine will support Hyper-V? Well, the easiest way by far is to use a utility by Gibson Research called SecurAble. This handy little program will quickly tell you if your computer is 64-bit, is running hardware DEP and is virtualization capable.


Note that SecurAble will report that Hardware Virtualization is "No" if you run it on a Windows Server 2008 computer that has the Hyper-V role installed. This is because Hyper-V capability is "hidden" once it's installed. See the Virtual PC Guy's WebLog for more details about this.



Monday, May 5, 2008

Well, that was painful...

I'm installing a new SCOM 2007 SP1 infrastructure in a test environment.

I built up a couple of SQL 2005 database servers and two management servers, one of each in each of two sites. I installed the SCOM database on the first SQL server and then installed SCOM on the first management server, making it the root management server (RMS).

After SCOM installs, setup asks if you want to run the Operations Console. I cleared the checkbox to do so and began to immediately upgrade to SCOM 2007 SP1. Big mistake. Now I couldn't log into the console with any account. It seems that SCOM needs to do some more setup when you run the console for the first time.

I ended up completely uninstalling SCOM from the RMS and deleting the OperationsManager database from the SQL server, then I reinstalled everything. This time I launched the console before upgrading to SP1. It worked, but wasted about an hour and a half.

Learn from my mistake.


Wednesday, April 30, 2008

The Official TechEd 2008 Bag!

Here it is! The official bag for TechEd 2008!

Brian Marble, Content Lead for TechEd, says it looks much better in person and the pictures don't do it justice.

Labels: ,


Subscribe in a reader Subscribe by Email

Tuesday, April 29, 2008

How to Enable Autologon for Windows Server 2008 Member Servers



In a previous post I showed how to enable Autologon for workgroup servers.

Once you join a server to a domain, Windows will automatically delete the AutoAdminLogon value from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. This causes the userpasswords2 control to hide the "Users must enter a user name and password to use this computer" checkbox shown above.

Here's how to get the missing checkbox back and configure Autologon:
  • Open a CMD prompt and enter the following (all on one line):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d "1" /f
  • Click Start, Run and enter control userpasswords2
  • Clear the checkbox for Users must enter a user name and password to use this computer and click OK
  • Enter the user name and password that will be used for Autologon and click OK

When the server starts up, the account you specified is logged on automatically. The password is not kept in the registry in plain text; control userpasswords2 stores it in the DefaultPassword LSA secret. Any administrator on the machine can still retrieve it, and whoever has physical access gets a logged-on session, so use Autologon only on lab machines or kiosks and with a low-privilege account.

Labels: , ,


Subscribe in a reader Subscribe by Email

TechEd - Feeding the Masses

Logistically, it's an enormous task to keep over 10,000 people fed and watered, but Microsoft does an absolutely awesome job of it at TechEd.


Breakfast and lunch is provided in the dining area, which is a huge area central to the Orlando convention center. Friendly and professional staff will direct you in the dining area to the food tables where you grab a plate and dish up. At the end of the line you can grab something to drink. Take out containers are also available if you're on the run to a breakfast or lunch session.


Breakfast normally includes danishes, bagels, fresh fruit, cereal and two or three hot dishes like eggs, potatoes and a meat. The cold food stays cold and the hot food stays hot. Servers are regularly changing out trays in prompt fashion. Coffee carafes are usually available on the table at breakfast and lunch. You will find other cold drink stations amongst the tables, as well, offering bottled water, sodas and teas. Grab an extra bottle or can to drink in the sessions.


If you're running late or don't want to take the time for a sit down breakfast you can grab a granola or cereal bar, piece of fruit or danish from any of the many tables throughout the venue. These tables are constantly restocked. Coffee is usually setup throughout the conference center, as well, in the morning. There are usually espresso stands setup in the Microsoft area of the main floor, hosted by one or two Microsoft product groups. These are pretty popular and may have a line so be patient.


Lunch is provided in the same area and usually includes salad and dressing, a hot pasta dish, a hot vegetable or two, two different hot entrees and bread or a roll. This is all handled with even more efficiency than breakfast, due to the even larger number of people being served. You may note how the staff is very friendly and directs you to the most efficient route to your food and table without making you feel like a herd animal. They also do a great job of clearing the tables and keeping things tidy.


If you have special dietary needs (low sodium, vegetarian, allergies, etc.) you can specify this at registration. Special menu tables are provided at the breakfast and lunch dining area for this. You must have specified your dietary requirements at registration to be served from this table.


Refrigerated drinks of water, fruit drinks, sodas, etc. are available throughout the venue.


Throughout the day you will see the feed at the snack tables located all over the conference center change. Around lunch time the snacks and potato chips come out, with more granola bars, Power Bars, fruit, etc. Later in the afternoon comes the always popular ice cream. Dove bars, Haagen dazs, frozen fruit bars, etc. are available, but go really fast.


In short, you'll nearly always find something to eat and drink and it won't cost you a dime.

Labels: ,


Subscribe in a reader Subscribe by Email

Monday, April 28, 2008

TechEd 2008 - Gear to Bring

When you go to TechEd, there are going to be hundreds of computers available for you to use on the show floor and directly outside the session rooms. These computers are part of CommNet, the managed network that drives TechEd. They all have fast Internet access so you can check your email, sports scores, etc., but they also provide access to the post-session surveys and allow you to download the PPT presentation decks from any session, even the ones you don't personally attend.

For this reason, I never bring a laptop computer with me anymore. I find them too bulky and distracting in the sessions. I use my Windows Mobile 6 device to take quick notes that I email to myself and carry a small pad of paper for more extensive notes, if necessary. Bring a few USB thumb drives to download presentations onto from the kiosks. You'll get the PPTs on DVD several weeks (months?) after TechEd, but it's better to get that content while you're there.

If you need to bring a laptop, CommNet does a pretty good job of setting up access points all throughout the venue. You will notice flat panel displays in various areas and levels of the conference center that show you realtime coverage maps and signal strength. The biggest problem I've heard is that the APs don't provide good coverage inside the session areas. If you need Internet access in a session, sit closer to the back of the room (closer to the APs). Better yet, use one of the CommNet computers outside so you don't distract others around you - you're probably not paying attention to the session anyway.

I typically carry my empty TechEd backpack. The best was the one from San Diego, which I use every year, the worst was the infamous TechEd "man purse" from Boston, 2006. The only thing I carry in it is a pen, pad of paper and my mobile device. Magically it's filled with t-shirts, books, pens and other swag when I return to my hotel room at the end of the day. Don't bother bringing food or drinks with you to the conference center. There will always be food and drinks available there throughout the day. I'll blog about the food in a future post.

I usually come to TechEd with two suitcases, one inside the other. That way I can load the empty suitcase with my body weight in t-shirts and swag for my colleagues that couldn't attend.

Labels: ,


Subscribe in a reader Subscribe by Email

Tuesday, April 15, 2008

Fix for Failed Security Update for Microsoft XML Core Services 4.0 Service Pack 2

I recently built up a new Hyper-V virtual domain environment based on a single server image. Unfortunately, my base image had a problem downloading and installing the Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181). The yellow Windows Update shield would pop up in the notification area to say the update was ready to install. I would install it, but Automatic Updates would download it again and say it needed to be installed again.

Here's what the event logs looked like:

Event Type: Information
Event Source: Windows Update Agent
Event Category: Installation
Event ID: 19
Date: 4/15/2008
Time: 7:11:59 AM
User: N/A
Computer: HOSCOM
Description:
Installation Successful: Windows successfully installed the following update: Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181)

... and then almost immediately,

Event Type: Information
Event Source: Windows Update Agent
Event Category: Installation
Event ID: 18
Date: 4/15/2008
Time: 7:12:50 AM
User: N/A
Computer: HOSCOM
Description:
Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, April 16, 2008 at 3:00 AM:
- Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181)
Very annoying. To fix this issue, download the update from Microsoft and manually install it. The update can be found here.

Labels: , ,


Subscribe in a reader Subscribe by Email

Monday, April 14, 2008

TechEd Session Question

I recently answered a question from a first time TechEd attendee about sessions.


"I will be a Tech-Ed newbie in Orlando, FL. I have attended VMware conferences and VMware allows you to sign-up for sessions (sign-ups get in first). With 10,000 attendees, I don't want to be at the end of long lines. Is there a sign-up website for registered attendees? Or how do I avoid the long lines to get into a session? Or are the "session" room spaces large enough to accommodate big groups?

Thanks, Ben (age 55 with bad feet)"

The TechEd 2008 Schedule Builder is now open. This is where you register for the sessions you'd like to attend, and it gives Microsoft advance notice of how to schedule the rooms. However, when you add a session to your schedule by using the Schedule Builder tool, you are not guaranteed a seat in your selected session. Sessions are filled on a first-come, first-seated basis.

There is very rarely a problem attending any session you want. The Orlando Convention Center is HUGE and has very large rooms capable of holding 300+ people. Of course, some rooms are smaller and hold less, but generally MS does a very good job of "sizing" the room for the number of people who show interest in a topic. In the 5 years I've gone, I've only been turned away from one session that was too full.

By signing up for your conference sessions early, MS can gauge the interest and set the right room size. Often they will offer multiple sessions on the same topic if interest is great enough.

To be honest, I usually double or triple book myself for different sessions at the same time. That allows me to jump out of a session that isn't up to snuff and go to my second (or third) choice. All they do is read your name badge with an RFID scanner as you go in. This isn't to make sure that you've already registered, it's to track interest. I've had no trouble going into a session I didn't register for.

Hope this helps and have a great time!

Labels: ,


Subscribe in a reader Subscribe by Email

TechEd 2008 Schedule Builder



The TechEd 2008 Schedule Builder is now online!

Use the Schedule Builder to mark and plan the sessions you plan to take. Once you have built your schedule, you can add the sessions you want to attend to your personal Microsoft Outlook Calendar.

Keep in mind that when you add a session to your schedule by using the Schedule Builder tool, you are not guaranteed a seat in your selected session. Sessions are filled on a first-come, first-seated basis, although this has rarely happened to me.

Labels: ,


Subscribe in a reader Subscribe by Email

Thursday, April 10, 2008

Comprehensive List of WSUS Error Codes

I came across a web page a long time ago that lists all(?) of the cryptic WSUS error codes, such as 0x0000041D. This is extremely helpful when troubleshooting WSUS logs and WindowsUpdate.log files. I've found that it's helpful for lots of other Microsoft products, as well! I saved it as a portable MHT file that you can download.

If I could remember where I found this, I would gladly give them credit.

Please to enjoy. WSUS Error Codes
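Most of those "cryptic" codes are either plain Win32 error numbers (0x0000041D is just decimal 1053) or HRESULTs that wrap one, and Windows can already translate those for you. The function below is an added example, not part of the original post or of the MHT file: it decodes a code from the command line and only gives up on the Windows Update agent's own facility (0x8024xxxx), whose texts live solely in the agent's table. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: decode Windows Update / WSUS error codes without the MHT file.
# Win32 errors, and HRESULTs that wrap one (facility 7), come from the system
# message table via Win32Exception; other HRESULTs go through
# Marshal.GetExceptionForHR, which knows the common COM ones.
# Assumption: PowerShell 3.0+ (for the -shr operator).
function ConvertFrom-WindowsErrorCode {
    param([Parameter(Mandatory)][string]$Code)   # e.g. '0x0000041D', '0x80070005', '1053', '0x8024402C'

    $value     = [uint32]$Code                    # '0x...' and decimal strings both convert
    $signed    = if ($value -gt 0x7FFFFFFF) { [int]($value - 0x100000000) } else { [int]$value }
    $isHresult = ($value -band 0x80000000) -ne 0
    $facility  = [int](($value -shr 16) -band 0x7FF)
    $low       = [int]($value -band 0xFFFF)

    $message = if (-not $isHresult) {
        # Plain Win32 error number, as logged by WSUS and the Windows Update agent
        (New-Object System.ComponentModel.Win32Exception($signed)).Message
    } elseif ($facility -eq 7) {
        # HRESULT_FROM_WIN32: the Win32 error sits in the low 16 bits
        (New-Object System.ComponentModel.Win32Exception($low)).Message
    } else {
        # Facility 36 (0x24) is the Windows Update agent's own; this only names
        # the HRESULT generically for those
        [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($signed).Message
    }

    [pscustomobject]@{
        Code      = '0x{0:X8}' -f $value
        IsHresult = $isHresult
        Facility  = $facility          # 7 = Win32, 36 = Windows Update agent
        Message   = $message
    }
}

# The code from the post: 0x0000041D is Win32 error 1053 (service start timeout)
ConvertFrom-WindowsErrorCode '0x0000041D'
ConvertFrom-WindowsErrorCode '0x80070005'
ConvertFrom-WindowsErrorCode '0x8024402C'
```

For the 0x8024xxxx family you still need the agent's own list (the MHT above); everything else this resolves from the message table on the box you are standing at.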

Labels: , , ,


Subscribe in a reader Subscribe by Email

Monday, April 7, 2008

Getting Exchange 2007 to work with SBC Yahoo DSL


Update: Beginning yesterday, November 14, 2008, the smtpauth.sbcglobal.net email relay servers began NDRing emails sent from AT&T customers. Again, this information was not passed on to its customers.

I've updated the instructions below to use the smtp.att.yahoo.com servers, which are now accepting authenticated connections.


First, let me say that SBC Yahoo is less than helpful with configuring Exchange (any version) to work with their SMTP gateways. Really, I can't blame them too much, given the potential for businesses on a "home" level of service to hammer their systems with large quantities of email.

In any event, here's how to configure Exchange 2007 with Edge services to send email through SBC Yahoo's email servers.



Configure the outbound Send Connector

  • Logon to the server hosting the Hub Transport role

  • Open the Exchange Management Console (EMC)

  • Expand Microsoft Exchange\Organization Configuration\Hub Transport

  • Click the Send Connectors tab

  • Double-click your outbound SMTP connector to open its properties. Mine is named "EdgeSync - expta to the Internet"

  • Click the Network tab

  • Select "Route email through the following smart hosts" and click the Add button

  • Select "Fully qualified domain name (FQDN)" and enter smtp.att.yahoo.com as the smart host. Click OK
  • Select Basic Authentication (do not check Basic Authentication over TLS)

  • Enter your SBC username (i.e., username@pacbell.net) and SBC password. Click OK


Configure the Edge server to use port 587

  • Yes, yes, I know that SBC's documentation says SSL port 469, but trust me, it's 587...

  • On the Hub Transport server, open the Exchange Management Shell (EMS)

  • Type Get-SendConnector and make note of the name of the send connector you just configured. Again, mine is "EdgeSync - expta to the Internet"

  • Type Set-SendConnector "EdgeSync - expta to the Internet" -Port 587 to change the port. Obviously, change the name in quotes to the name of your Send Connector.

  • Type Start-EdgeSynchronization to force a sync with the Edge server


Force the Send Connector to Retry

  • Open EMC on the Edge server and click Toolbox

  • Double-click Queue Viewer

  • On the Queues tab, select the outbound SMTP queue and click the Retry action
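The three GUI sections above collapse to a handful of Exchange Management Shell commands. This is an added example, not part of the original post: run the first part in EMS on the Hub Transport server and the last line in EMS on the Edge server. The connector name and the SBC user name are placeholders taken from the steps above; replace them with yours.

```powershell
# Added example: the Send connector change from the Exchange Management Shell.
# Assumptions: connector name and SBC credentials are placeholders; run on the
# Hub Transport server (EdgeSync pushes the result to the Edge).
$ConnectorName = 'EdgeSync - expta to the Internet'
$SmartHost     = 'smtp.att.yahoo.com'
$Credential    = Get-Credential   # user name in the form username@pacbell.net

# BasicAuth is the "Basic Authentication" option in the GUI. It sends the
# password in clear text on every connection; BasicAuthRequireTLS is the
# "Basic Authentication over TLS" option if the smart host's STARTTLS works for you.
Set-SendConnector -Identity $ConnectorName `
    -DNSRoutingEnabled $false `
    -SmartHosts $SmartHost `
    -SmartHostAuthMechanism BasicAuth `
    -AuthenticationCredential $Credential `
    -Port 587

# Check what will be replicated to the Edge server, then replicate it
Get-SendConnector -Identity $ConnectorName |
    Format-List Name, SmartHosts, SmartHostAuthMechanism, Port, DNSRoutingEnabled
Start-EdgeSynchronization

# On the Edge server (in its own EMS): retry the queue for the smart host
# instead of clicking Retry in Queue Viewer
Retry-Queue -Filter "NextHopDomain -eq '$SmartHost'"
```

Get-SendConnector after the change is the check that matters: if Port still shows 25 or DNSRoutingEnabled is still True, nothing you do in Queue Viewer will help.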


Notes: TLS is the standardized successor to SSL, not a different protocol for a different purpose; both protect a single connection, whether the two ends are two servers or a client and a server. A TLS endpoint may negotiate down to SSL 3.0 if the peer does not speak TLS, but the RFC does not require that, and at the time of this writing Exchange 2007 does not fall back to SSL. Also be aware that plain Basic Authentication, as configured above, sends your SBC user name and password to the smart host in clear text on every connection; if smtp.att.yahoo.com accepts STARTTLS for you, Basic Authentication over TLS avoids that.

You should also register your external email address with SBC Yahoo's email system. This will ensure that email from your external account won't be NDR'd back to you when you send it. See http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom-07.html

Labels: , , , ,


Subscribe in a reader Subscribe by Email

Friday, April 4, 2008

Cloning Windows Server 2008 Disks with Norton Ghost


Just in case you're wondering, Norton Ghost 11.0.2 works just fine on Windows Server 2008 formatted disks.

I cloned a simple volume on a 160GB Western Digital disk to a new 500GB Western Digital disk in 47 minutes. I swapped the cables and booted up to the new drive without a hitch.

Labels: , ,


Subscribe in a reader Subscribe by Email

RSAT Released for Windows Server 2008

The Windows Remote Server Administration Tools (RSAT) have been released for Windows Server 2008. These tools allow you to manage remote Windows Server 2008 computers from a Windows Vista SP1 x86 client. The Vista SP1 x64 version is available here.

These tools are designed to provide the same functionality as the familiar Windows Server 2003 Administration Tools Pack. But sorry, no XP for you!

Labels: , , ,


Subscribe in a reader Subscribe by Email

Thursday, April 3, 2008

Hyper-V Integration Components For Windows 2003 SP1


Well, kinda.

Big Red Disclaimer: The steps listed here are not supported by Microsoft (or me). I've tested it several times and have not found any issues. If it doesn't work for you - well, sorry.

The Integration Components for Hyper-V RC0 are only available for Windows XP 32-bit with SP3 or later, Windows Server 2003 with SP2 or later, Windows Vista 32-bit with SP1 or later, all versions of Windows Server 2008 and, just recently, Linux.

So what do you do if you want to virtualize a Windows 2003 SP1 server? After all, you may have a legacy application that won't run on SP2 and one of the hopes of virtualization is to move these servers off of dedicated hardware. Here's how to do it:

  • Gather your CDs. You'll need the following:
    • Windows 2003 Server CD (RTM or SP1 - make sure it doesn't have SP2 slipstreamed into it)
    • Windows Server 2003 SP2 upgrade CD or ISO (available here from Microsoft)
  • Create a new Windows 2003 virtual server using the Hyper-V New Virtual Machine Wizard
  • Upgrade the virtual machine to SP2 using the SP2 CD or ISO.
  • From the Hyper-V Action menu, insert the Integration Services Setup disk and install the Integration Components. The installation will require a restart when it's complete.
  • After the restart, uninstall Windows Server 2003 SP2 using Add or Remove Programs in Control Panel. The uninstall will warn you that KB943295 and the Integration Components may not work if you continue the uninstallation. Click Continue.
  • Restart the virtual machine to complete the uninstallation.

Now you have a Windows 2003 VM with SP1 which runs the Integration Components! You can use this base image to make as many servers as you like. Be sure to give each clone a unique SID, either with Sysprep or a tool like NewSID (which Sysinternals has since retired in favor of Sysprep), otherwise you'll run into problems in a domain.

Note: I haven't tested this for Windows Server 2003 RTM, Vista RTM or Windows XP RTM/SP1/SP2, but I expect it will work. Please post a comment if you have success or failure.

Labels: , , , ,


Subscribe in a reader Subscribe by Email

Monday, March 31, 2008

Windows Core GUI Configurator


This totally rocks!!!

Guy Teverovsky, an MVP for Windows Server - Directory Services in Israel, wrote a GUI application that helps you configure a Windows Server 2008 Server Core installation without having to go to the dark place.

While I still recommend you thoroughly know and understand how to configure server core from the command line (after all, this isn't going to be installed on every server core installation you come across), this certainly makes it easy.

Download it here.

Labels: , , , ,


Subscribe in a reader Subscribe by Email

Fix for Error 0x80004015 on WSUS Clients


When you try to start the Automatic Updates service on a computer you may encounter an error stating,

Could not start Automatic Updates service on the local computer. Error 0x80004015: The class is configured to run as a security id different from the caller

I've found that this is usually caused when the service was previously configured as Disabled via Group Policy.

When you configure a service startup mode in Group Policy (Computer Configuration\Windows Settings\Security Settings\System Services), Group Policy first has you define the service's security descriptor. The default security on the service (before you configure it in the GPO) normally includes Authenticated Users with Read and Start, Stop and Pause permissions. Once you configure the service in Group Policy, Authenticated Users have no permissions at all. This prevents normal users from reconfiguring the service back to Automatic and starting it.

To fix this issue, set the service permissions so that Authenticated Users have Read and Start, Stop and Pause permissions on the service. This can be done in either of the following ways:

  • To reconfigure the service in Group Policy, set the service startup type to Automatic and click the Edit Security button. Add Authenticated Users with Read and Start, Stop and Pause permissions. Run GPUPDATE on the client machine or restart it to get the new GPO settings.

  • Manually set permissions on the service using Regedit. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\wuauserv. Right-click wuauserv and select Permissions. Add Authenticated Users with Read permissions. Keep in mind that this changes the ACL on the registry key, which is a different object from the service's own security descriptor; sc sdshow wuauserv displays the latter and sc sdset changes it.

This tip applies to any other service configured via Group Policy.
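To see what the System Services policy actually did to a service, look at the service object's own DACL rather than the registry key. The PowerShell below is an added example, not part of the original post: it wraps sc.exe sdshow, parses the SDDL with the .NET RawSecurityDescriptor class, reports which service rights Authenticated Users (S-1-5-11) hold, and can append the "Read + Start, Stop, Pause" ACE with sc.exe sdset. It has to run elevated; the only other assumption is that sc.exe is on the path, which it always is.

```powershell
# Added example: audit and repair the Authenticated Users rights on a service's
# own security descriptor (the one Group Policy's System Services overwrites).
# Assumption: run elevated; sc.exe is on the path.

# Service-specific access bits from winsvc.h, keyed by the SDDL letters that encode them
$ServiceRights = [ordered]@{
    CC = @{ Mask = 0x00001; Name = 'QueryConfig' }
    DC = @{ Mask = 0x00002; Name = 'ChangeConfig' }
    LC = @{ Mask = 0x00004; Name = 'QueryStatus' }
    SW = @{ Mask = 0x00008; Name = 'EnumerateDependents' }
    RP = @{ Mask = 0x00010; Name = 'Start' }
    WP = @{ Mask = 0x00020; Name = 'Stop' }
    DT = @{ Mask = 0x00040; Name = 'PauseContinue' }
    LO = @{ Mask = 0x00080; Name = 'Interrogate' }
    CR = @{ Mask = 0x00100; Name = 'UserDefinedControl' }
    RC = @{ Mask = 0x20000; Name = 'ReadControl' }
}
$AuthenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Get-ServiceAuRights {
    param([Parameter(Mandatory)][string]$ServiceName)
    $out = & sc.exe sdshow $ServiceName
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $ServiceName failed: $out" }
    $sddl = ($out | Where-Object { $_ -match '^[ODGS]:' } | Select-Object -First 1).Trim()

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    $allowed = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier -eq $AuthenticatedUsers) {
            $allowed = $allowed -bor $ace.AccessMask
        }
    }
    $names = foreach ($k in $ServiceRights.Keys) {
        if ($allowed -band $ServiceRights[$k].Mask) { $ServiceRights[$k].Name }
    }
    [pscustomobject]@{
        Service  = $ServiceName
        Sddl     = $sddl
        AuRights = @($names)
        CanStart = [bool]($allowed -band $ServiceRights.RP.Mask)
        CanStop  = [bool]($allowed -band $ServiceRights.WP.Mask)
    }
}

function Grant-ServiceAuRights {
    # Appends the "Read + Start, Stop, Pause" ACE for Authenticated Users
    param([Parameter(Mandatory)][string]$ServiceName)
    $sddl = (Get-ServiceAuRights $ServiceName).Sddl
    $dacl, $sacl = $sddl -split '(?=S:)', 2           # leave any SACL part untouched
    $new = $dacl + '(A;;CCLCSWRPWPDTLOCRRC;;;AU)' + $sacl
    $null = & sc.exe sdset $ServiceName $new
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $ServiceName failed" }
    Get-ServiceAuRights $ServiceName
}

$state = Get-ServiceAuRights wuauserv
$state
if (-not ($state.CanStart -and $state.CanStop)) { Grant-ServiceAuRights wuauserv }
```

If a GPO keeps rewriting the descriptor, Grant-ServiceAuRights only holds until the next policy refresh; fix the Edit Security settings in the GPO and use this to confirm the result landed.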

Labels: , , ,


Subscribe in a reader Subscribe by Email

Tuesday, March 25, 2008

How to Enable RDP Remotely on XP Computers


In a previous article I explained how to enable Remote Desktop access on a remote computer.

I've noticed that these steps do not work on Windows XP computers. It turns out that you need to set two registry keys:
  • HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections should be changed from 1 to 0 (zero)
  • HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections should be changed from 1 to 0 (zero)

The first setting enables the RDP protocol on the computer to listen on TCP port 3389. The second setting allows users to login via Remote Desktop. Both settings go into effect immediately and do not require a restart.

Note: If the second setting is not changed to 0 you will get a logon message saying, "Unable to log you on because of an account restriction." You will also get this same logon message if you attempt to logon via RDP with an account that has a blank password. The account you use must have a password to logon using Remote Desktop.

I wrote a batch file that will easily enable or disable Remote Desktop on a remote machine. The syntax is: RDP [computername] [ON | OFF]. Copy the code below and save it as RDP.BAT somewhere in your system path (I use C:\Windows).

---Begin Code---

@echo off
if "%~1"=="" goto Syntax
SET RemoteComputer=%1
SET RemoteComputer=%RemoteComputer:\=%
if /i "%2"=="on" goto EnableRDP
if /i "%2"=="off" goto DisableRDP
goto Syntax

:EnableRDP
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL 1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL 1 goto Error
echo.
echo Remote Desktop has been enabled on %RemoteComputer%
goto End

:DisableRDP
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL 1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL 1 goto Error
echo.
echo Remote Desktop has been disabled on %RemoteComputer%
goto End

:Error
echo.
echo ======================================================================
echo Make sure the remote computer is online and you have sufficient rights
echo to modify its registry.
echo ======================================================================
echo.
goto End

:Syntax
echo.
echo RDP enables or disables Remote Desktop on a remote computer
echo Visit http://www.expta.com for details
echo.
echo RDP [computername] [ON ^| OFF]
echo.
echo ON  - Enable RDP on the remote computer
echo OFF - Disable RDP on the remote computer
echo.

:End
SET RemoteComputer=

---End Code---

Note that if Group Policy is configured to disable Remote Desktop (Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Allow users to connect remotely using Terminal Services, set to Disabled), the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections value will revert to 1 at the next Group Policy refresh.
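If you would rather do this from PowerShell, the version below is an added example (not part of the original post): it writes the same two values through the Remote Registry API that REG.EXE uses, warns when the Policies value already exists (meaning a GPO owns it and will put it back), and then checks whether TCP 3389 actually answers, which the registry write alone does not tell you. It assumes you are an administrator on the target and can reach it over RPC/SMB.

```powershell
# Added example: PowerShell equivalent of RDP.BAT with a port check afterwards.
# Assumptions: you are an admin on $ComputerName and it is reachable over RPC/SMB.
$PolicyPath = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # GPO-managed copy
$LivePath   = 'SYSTEM\CurrentControlSet\Control\Terminal Server'           # the setting RDP reads

function Test-RdpPort {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, 3389, $null, $null)
        $open  = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
    } catch { $open = $false } finally { $client.Close() }
    [pscustomobject]@{ ComputerName = $ComputerName; Port3389Open = [bool]$open }
}

function Set-RemoteRdp {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State
    )
    $deny = if ($State -eq 'On') { 0 } else { 1 }
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        # If the policy value is already there, a GPO manages it and will rewrite
        # it at the next refresh; say so rather than let the admin wonder later
        $policy = $hklm.OpenSubKey($PolicyPath)
        if ($policy -and $null -ne $policy.GetValue('fDenyTSConnections')) {
            Write-Warning "$ComputerName has a Group Policy value for fDenyTSConnections; it will revert on the next refresh"
        }
        if ($policy) { $policy.Close() }

        foreach ($p in @($PolicyPath, $LivePath)) {
            $key = $hklm.CreateSubKey($p)       # opens writable, creates the Policies key if absent
            $key.SetValue('fDenyTSConnections', $deny, 'DWord')
            $key.Close()
        }
    } finally { $hklm.Close() }

    Start-Sleep -Seconds 2                      # give the listener a moment to come up
    Test-RdpPort -ComputerName $ComputerName
}

Set-RemoteRdp -ComputerName SERVER01 -State On
```

Port3389Open staying False after an "On" usually means the Windows Firewall on the target is blocking Remote Desktop, which neither the batch file nor this script touches.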

Labels: , , , , , ,


Subscribe in a reader Subscribe by Email

Thursday, March 20, 2008

Configuring Virtual Directories with Directory Browsing in IIS7

A website that uses directory browsing is a convenient way to display the files and folders in a directory using a web browser. An example of this is demonstrated here.

To configure directory browsing in IIS6, you simply enable the Directory Browsing checkbox on Home Directory tab of the virtual directory. If you want to configure it so that users are required to authenticate to access the virtual directory, you disable anonymous access, enable Basic Authentication and configure the appropriate NTFS permissions on the target folder.

It's slightly different in IIS7 since IIS7 introduces the concept of delegated administration. This means that you can have the IIS configuration in web.config files which reside in the virtual directory. IIS has to read these config files very early in the connection attempt, i.e. when there is no authenticated user available yet. For this reason IIS has to use the process identity (usually Network Service) to read the web.config file.

To configure a virtual directory for directory browsing in IIS7:

  • Create or select the virtual directory in Internet Information Services (IIS) Manager
  • Double-click Authentication and select the appropriate authentication methods for the Vdir (default is Anonymous)
  • Select the Vdir again and double-click Directory Browsing. Click the Enable action
  • Right-click the Vdir and select Edit Permissions. Configure the NTFS permissions for the target folder and ensure that Network Service has read access to the folder

If you don't grant the Network Service account read rights on the Vdir, you'll get the following error when accessing it:

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.
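The same four steps can be scripted with appcmd and icacls. The block below is an added example, not part of the original post: it assumes a site named "Default Web Site", a virtual directory "/files" that points at D:\Shares\Files, a domain group EXPTA\FileBrowsers that is allowed to browse, and that the Basic Authentication role service is installed. The two authentication sections are locked in applicationHost.config by default, so they are committed there with /commit:apphost instead of into the vdir's web.config.

```powershell
# Added example: configure directory browsing with Basic authentication in IIS7
# from the command line. Site, vdir, folder and group names are placeholders.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'
$vdir   = '/files'
$folder = 'D:\Shares\Files'
$path   = "$site$vdir"

# Directory listing on. This one is written to the vdir's web.config, which is
# exactly the file IIS must read as the process identity before any user is known.
& $appcmd set config $path /section:system.webServer/directoryBrowse /enabled:true

# Require credentials: anonymous off, Basic on (locked sections, so commit to applicationHost.config)
& $appcmd set config $path /section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost
& $appcmd set config $path /section:system.webServer/security/authentication/basicAuthentication /enabled:true /commit:apphost

# NTFS: the worker process identity needs Read (web.config and the listing);
# the people who may browse need Read as well. Network Service is the IIS7
# default pool identity; use your pool's identity if you changed it.
& icacls $folder /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)RX'
& icacls $folder /grant 'EXPTA\FileBrowsers:(OI)(CI)RX'

# Verify the effective settings for the vdir
& $appcmd list config $path /section:system.webServer/directoryBrowse
& $appcmd list config $path /section:system.webServer/security/authentication/basicAuthentication
```

Basic authentication sends the user name and password Base64-encoded, not encrypted, so put an HTTPS binding on the site before exposing a vdir configured this way beyond the LAN.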

Labels: , ,


Subscribe in a reader Subscribe by Email

Wednesday, March 5, 2008

How to Add SMTP Verb Commands to ISA Server 2006

If you have an ISA 2006 server between a Microsoft Exchange 2007 Edge server and the Exchange Hub Transport server, you may have a problem where messages queue on the Edge with 500 5.1.1 "unrecognized command" errors.

This Microsoft article partially explains how to resolve the problem. When the Edge Transport server tries to send mail through Microsoft Internet Security and Acceleration (ISA) Server 2006, with SMTP filtering or Secure SMTP (SMTPS) filtering enabled, the SMTP filter blocks the communication. You fix this by either disabling the SMTP filter on the ISA server or adding the verbs (and optionally their maximum length) to the SMTP filter.

What the article doesn't say is which verbs to add or their maximum length. Well, here they are:

  • PIPELINING

  • DSN

  • ENHANCEDSTATUSCODES

  • STARTTLS

  • X-ANONYMOUSTLS

  • AUTH

  • X-EXPS NTLM

  • 8BITMIME

  • BINARYMIME

  • CHUNKING

  • XEXCH50

  • SIZE

All the verbs have an empty maximum length except for possibly SIZE. That should be set to the maximum message size allowed in your org in bytes (for example, 10485760 for 10MB).
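The list above is what Exchange 2007 advertised in my environment; the safest way to build yours is to ask your own Hub Transport server. The PowerShell below is an added example, not part of the original post: it opens a plain SMTP session, sends EHLO, and returns each extension keyword with its argument, which is the list to enter in the ISA SMTP filter (SIZE comes back with the byte limit already filled in). HUB01 is a placeholder for your Hub Transport server; it assumes the ISA server is not yet between you and port 25, otherwise you would be reading the filtered list.

```powershell
# Added example: read the SMTP extensions a server advertises in its EHLO reply.
# Assumption: HUB01 is your Hub Transport server and port 25 is reachable unfiltered.
function Get-SmtpEhloExtensions {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [string]$HeloName = $env:COMPUTERNAME
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # One SMTP reply: continuation lines look like "250-...", the last one "250 ..."
        function Read-Reply {
            $lines = @()
            do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
            $lines
        }

        $null = Read-Reply                       # 220 banner
        $writer.WriteLine("EHLO $HeloName")
        $reply = Read-Reply
        $writer.WriteLine('QUIT')
        $null = Read-Reply

        if ($reply[-1] -notmatch '^250') { throw "EHLO rejected by ${Server}: $($reply[-1])" }

        # Skip the first 250 line (the server's greeting); the rest are keyword [argument]
        $reply | Select-Object -Skip 1 | ForEach-Object {
            $parts = $_.Substring(4) -split ' ', 2
            [pscustomobject]@{
                Verb     = $parts[0]
                Argument = if ($parts.Count -gt 1) { $parts[1] } else { '' }
            }
        }
    } finally { $client.Close() }
}

Get-SmtpEhloExtensions -Server HUB01 | Format-Table -AutoSize
```

X-EXPS shows up with its argument (the authentication mechanisms, NTLM among them), which is why the verb appears as "X-EXPS NTLM" in the list above.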

Labels: , , , ,


Subscribe in a reader Subscribe by Email

Tuesday, March 4, 2008

How to Enable Autologon in Windows Server 2008 Workgroup Servers




Note:
Click here for instructions for enabling AutoLogon for Windows Server 2008 member servers.
There may be times that you want/need to enable Autologon for Windows Server 2008. Examples may be lab machines or kiosks. Here's how to do it:
  • Click Start Run and enter control userpasswords2

  • Clear the checkbox for Users must enter a user name and password to use this computer and click OK. If this checkbox is missing, see my article about enabling Autologon on member servers.

  • Enter the user name and password that will be used for Autologon and click OK

When the server starts up, the account you specified is logged on automatically. The password is not stored in the registry in plain text; control userpasswords2 puts it in the DefaultPassword LSA secret. Any administrator on the machine can still read that secret, and whoever walks up to the box gets a logged-on session, so keep Autologon to lab machines and kiosks and use a low-privilege account.
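The piece that matters for security in both this post and the member-server one above is where the password ends up. The PowerShell below is an added example, not part of either post: it reports the Autologon state, flags a plain-text DefaultPassword value in the Winlogon key (which many scripts create and which any account that can read HKLM\SOFTWARE can then read), and recreates the AutoAdminLogon value that domain join deletes without writing the password itself, so you still enter it through control userpasswords2 and it lands in the LSA secret. It assumes you run it elevated; the key path and value names are the documented Winlogon ones.

```powershell
# Added example: audit and (partially) configure Autologon on this server.
# Assumption: run elevated. The password is deliberately never written here.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    $props = Get-ItemProperty -Path $WinlogonKey
    [pscustomobject]@{
        AutoAdminLogon    = $props.AutoAdminLogon        # '1' = enabled; absent after domain join
        DefaultUserName   = $props.DefaultUserName
        DefaultDomainName = $props.DefaultDomainName
        # A DefaultPassword *value* in this key is clear text. control userpasswords2
        # never creates it; it stores the password in the DefaultPassword LSA secret.
        PlainTextPassword = [bool]$props.PSObject.Properties['DefaultPassword']
    }
}

function Enable-AutoLogonFlag {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Domain = $env:USERDOMAIN
    )
    # Same effect as the reg add line in the member-server post, plus the account
    # names so the checkbox dialog is pre-filled. Then run control userpasswords2
    # to enter the password.
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon    -Value '1'       -Type String
    Set-ItemProperty -Path $WinlogonKey -Name DefaultUserName   -Value $UserName -Type String
    Set-ItemProperty -Path $WinlogonKey -Name DefaultDomainName -Value $Domain   -Type String
    # Remove any clear-text copy someone left behind
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
    Get-AutoLogonState
}

function Disable-AutoLogon {
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0' -Type String
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
    Get-AutoLogonState
}

Get-AutoLogonState
```

PlainTextPassword coming back True on a server you did not configure this way is worth a conversation: someone set Autologon by hand and left the password readable.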


Labels: ,


Subscribe in a reader Subscribe by Email

40% off code for new Microsoft Technet Subscriptions



Here's a 40% off code for NEW Microsoft Technet Subscriptions. It will work with either the Direct or DVD option.

Use coupon code: TMSAL06

Labels: , ,


Subscribe in a reader Subscribe by Email

Monday, March 3, 2008

Automatically Reset the FTP Service in Windows Server 2008


One of the more popular tips I've posted is, "How to automatically reset the FTP service," in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat - It will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service, included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:
net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc
The batch file stops the FTP service, pings the loopback address 10 times (roughly a 10 second pause; on Windows Server 2008 timeout /t 10 does the same thing more directly), and starts the FTP service again. Stopping the FTP service drops the attacker's session immediately, and since no one can connect during the pause it acts as a crude form of tarpitting that slows a dictionary attack down. Keep in mind that a single failed logon triggers the restart, so every legitimate user is dropped along with the attacker, and anyone who can reach the FTP port can keep the service bouncing just by failing to log on. That's an acceptable trade-off for a small public site, but it is a denial-of-service lever, so watch the event log for it.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Scheduler:

  • Right-click Task Scheduler (under Configuration in Server Manager) and select Create Basic Task

  • Name the task, "Reset FTP Service" and click Next

  • Choose When a specific event is logged as the Task Trigger, click Next

  • Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next

  • Select Start a program and click Next

  • Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next

  • Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish

  • In the Properties window select Run whether user is logged on or not and Run with highest privileges

  • Click OK

  • Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.
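One failed logon restarting the service is a blunt instrument. The script below is an added example, not part of the original post: a drop-in replacement for ResetFTPService.bat that counts the IIS-FTP event 100 entries in the last minute and only bounces the service once they pass a threshold, so a mistyped password, or an attacker deliberately failing once a minute, does not keep knocking everyone off. Schedule it with the same trigger as above, with powershell.exe as the program and -ExecutionPolicy Bypass -File C:\Scripts\ResetFTPService.ps1 as the arguments. It assumes the classic msftpsvc service and the event source and ID from the post; the threshold, window and pause are arbitrary starting points.

```powershell
# Added example: threshold-based replacement for ResetFTPService.bat.
# Assumptions: classic msftpsvc, failures logged as System / IIS-FTP / event 100
# as in the post; numbers below are starting points, not recommendations.
param(
    [int]$Threshold      = 5,          # restart only when this many failures...
    [int]$WindowSeconds  = 60,         # ...landed inside this window
    [int]$PauseSeconds   = 10,         # the tarpit delay from the batch file
    [string]$ServiceName = 'msftpsvc'
)

$since  = (Get-Date).AddSeconds(-$WindowSeconds)
$failed = @(Get-EventLog -LogName System -Source 'IIS-FTP' -After $since -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 100 })

if ($failed.Count -lt $Threshold) {
    Write-Output "$($failed.Count) failed FTP logon(s) since $since, below threshold $Threshold; leaving $ServiceName alone"
    return
}

Write-Output "$($failed.Count) failed FTP logon(s) since $since; restarting $ServiceName"
Stop-Service -Name $ServiceName -Force      # drops the attacker's session along with everyone else's
Start-Sleep -Seconds $PauseSeconds          # nobody can connect during the pause
Start-Service -Name $ServiceName
```

Because the task still fires on every event 100, the script runs often; it is cheap, and the first line of output in the task history tells you whether it decided to act.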

Labels: , , , , , ,


Subscribe in a reader Subscribe by Email

Thursday, February 28, 2008

Create a Saved Query that Displays Group Members


Saved Queries in Active Directory Users and Computers (ADUC) allow you to create simple or advanced LDAP queries against the Active Directory that can be saved, reused and edited. Examples might be a query displaying all locked out users in the domain or all the users who have a mailbox on a particular Exchange server and have the word "Manager" in their title.


A client I worked with needed a query that displayed all the members of a certain (large) group. This would allow him to select all the users at once and move their mailboxes to another server.


Try as he might, he couldn't get the query to display the group's members. It turns out this is because the group name must be entered using its distinguished name. Here's how to do it:


  • Use ADSIEdit.msc (in the Windows Support Tools) and navigate to the group

  • View the properties of the group to reveal the distinguishedName attribute value and copy it to the clipboard (shown above)

  • Open ADUC, right-click Saved Queries and select New query

  • Enter a name for your query, "Accounting Group Members"

  • Click the Define Query button

  • Select Users, Contacts, and Groups from the Find: dropdown list

  • Click the Advanced tab

  • Click Field, then User, then Member Of

  • With the condition of "is (exactly)", paste the group's distinguishedName into the Value field and click Add

  • Click OK twice to complete the query
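What the saved query builds underneath is an LDAP filter on the memberOf attribute, and memberOf holds distinguished names, which is why nothing else works in the Value field. The PowerShell below is an added example, not part of the original post: it runs that filter directly with System.DirectoryServices, escapes the characters LDAP reserves inside a filter value (a DN with parentheses or a backslash-escaped comma would otherwise break the query), and optionally resolves nested membership with the in-chain matching rule, which the saved query cannot do. The group DN is a placeholder; it assumes a domain-joined machine and, for the nested option, Windows Server 2003 SP2 or later domain controllers.

```powershell
# Added example: the LDAP query behind the saved query, run with DirectorySearcher.
# Assumptions: domain-joined machine; $GroupDn is a placeholder; -IncludeNested
# needs Windows Server 2003 SP2+ DCs (LDAP_MATCHING_RULE_IN_CHAIN).
function Get-GroupMemberUsers {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [switch]$IncludeNested
    )
    # RFC 4515: backslash, *, ( and ) must be hex-escaped inside a filter value
    $escaped = $GroupDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $attr    = if ($IncludeNested) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    $filter  = "(&(objectCategory=person)(objectClass=user)($attr=$escaped))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000              # paged results; without it large groups stop at 1000 hits
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'mail'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]($r.Properties['samaccountname'] | Select-Object -First 1)
            DistinguishedName = [string]($r.Properties['distinguishedname'] | Select-Object -First 1)
            Mail              = [string]($r.Properties['mail'] | Select-Object -First 1)
        }
    }
}

# Direct members only, same result set as the ADUC saved query
Get-GroupMemberUsers -GroupDn 'CN=Accounting,OU=Groups,DC=expta,DC=com' | Format-Table -AutoSize

# Members through nested groups as well
Get-GroupMemberUsers -GroupDn 'CN=Accounting,OU=Groups,DC=expta,DC=com' -IncludeNested | Measure-Object
```

Pipe the direct-member output to Move-Mailbox (or whatever the task is) and you have the same bulk selection the client wanted, without a GUI round trip.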

Labels: , , , ,


Subscribe in a reader Subscribe by Email

Wednesday, February 27, 2008

Handy UTC/GMT Time Converter Website

Don't you love it when you come across a nifty little tool that makes your life easier?

WorldTimeServer.com is a free web tool that offers lots of cool little tools that help you work with time around the world. Important to me is the Time Zone Calculator, which lets you enter a UTC time and converts it to your local time (or any other timezone, for that matter). This is extremely useful when troubleshooting SMTP headers, especially with all the changes in DST lately.

Labels: ,


Subscribe in a reader Subscribe by Email

SCOM 2007 SP1 Upgrade Notes


I upgraded a client's SCOM 2007 infrastructure today from SCOM SP1 RC (build 6246) to SP1 RTM (build 6278).

No real problems encountered, except I should have followed my own #1 rule: Always restart your server before installing a major update. The only issue I ran up against was that the upgrade hung when installing the Management Packs on the Root Management Server (RMS). I reviewed the event logs during the install and found three of these events:

The OpsMgr Config Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Followed one minute later with:

The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the OpsMgr Config Service service, but this action failed with the following error: An instance of the service is already running.

I'm not sure that these caused the hang, but after I canceled the installation, restarted the RMS server and reinstalled SP1 again, it worked fine with no errors.


My biggest recommendation is to thoroughly read the online version of the SCOM SP1 Upgrade Guide before beginning your upgrade. The online version includes notes that didn't make it into the release notes included in the SP1 package itself. Particularly important are the notes about having to repair all agent installations if you are upgrading from SP1 RC, like I was.

The upgrade path for SP1 is very strict and must be performed in this order:
  1. Prerequisite work (expanding the database and logs), disabling notification subscriptions (why, oh why, can't we do this against multiple subscriptions at once!), and removing pending agent installations.


  2. Upgrade the RMS


  3. Upgrade the Reporting Server


  4. Upgrade stand-alone Management Consoles


  5. Upgrade Management Servers


  6. Upgrade Gateway Servers


  7. Upgrade (or in my case, repair) Agents on managed computers


  8. Upgrade the Audit Collection Service (ACS) server


  9. Reboot the SCOM servers (my suggestion, not required) and re-enable the subscriptions
The entire upgrade of nine SCOM servers and 289 managed computers took about 3 hours.



And there was great rejoicing


Mark Russinovich (Computer God Extraordinaire) released a free Microsoft plugin that provides right-click Run-as functionality for any application.


Now when you right-click any application a Run as and Run as different user option will be displayed in the actions menu. Sweet!


Thursday, February 14, 2008

Fix for SCOM Aggregate Health State Errors


Microsoft System Center Operations Manager (SCOM) sometimes displays that the aggregate state of the Health Service is unhealthy, but each of the component states is healthy, as in the example above. If you open Health Explorer everything looks healthy and there doesn't seem to be a way to clear this condition.

There are other times when the Health Rollup state is in an unhealthy state, but all the child items are healthy, as shown in this example:



To fix both of these conditions, you need to put the server, Health Service and Health Service Watcher into maintenance mode for 5 minutes. Here's how to do it:

  • Open the SCOM 2007 Operations Console and configure two new state views. You'll only need to do this once:

    • Open the Monitoring node

    • Right-click Monitoring and create a new state view called Health Service, show data related to: Health Service. Click the Display tab and sort columns by State, Descending

    • Right-click Monitoring and create a new state view called Health Service Watcher, show data related to: Health Service Watcher. Click the Display tab and check Agent. Sort columns by State, Descending

  • Now put the affected servers and their Health Services and Health Service Watchers into maintenance mode for 5 minutes (the minimum duration)

Once the servers come out of maintenance mode the condition will be cleared. This problem is expected to be resolved in SP1, which is due very soon.


Monday, January 28, 2008

Using SMS Trace to View Log Files


I wind up looking at a lot of text logs during troubleshooting. While opening a log in Notepad is quick, it’s also tough to look at a lot of log entries that way. I use the SMS Trace (aka, Trace32) log viewer from the Configuration Manager 2007 Toolkit.

With it, you can easily:

  • Find any log line with a specific text

  • Highlight lines with specific text

  • Filter out lines that contain text to reduce the volume of what you see
Lines with the word "warning" are automatically highlighted in yellow and lines with the word "error" are highlighted in red. It even updates the log every 500 milliseconds to get new entries, which you can adjust.
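To make the three features concrete, here is an added example (it is not the Configuration Manager toolkit's code) of the same behaviour in a few lines: classify lines by the words "error" and "warning", colour them like SMS Trace does, filter lines in or out by substring, and follow a file for new entries at the same 500 ms default interval. The log lines are constructed; ANSI escape codes stand in for the viewer's yellow and red.

```python
# Added example: a minimal text-log viewer with the SMS Trace behaviours
# described above. Sample log lines are constructed.
import time

# ANSI colours standing in for SMS Trace's yellow/red highlighting.
YELLOW, RED, RESET = "\033[33m", "\033[31m", "\033[0m"

SAMPLE_LOG = [
    "2008-01-28 09:00:01 Starting policy evaluation",
    "2008-01-28 09:00:02 WARNING: certificate expires in 10 days",
    "2008-01-28 09:00:03 Error: failed to connect to management point (0x80004005)",
    "2008-01-28 09:00:04 Policy evaluation completed",
]

def classify(line: str):
    """Return 'error', 'warning' or None. Substring match, case-insensitive,
    with error taking precedence over warning, as the viewer does."""
    lowered = line.lower()
    if "error" in lowered:
        return "error"
    if "warning" in lowered:
        return "warning"
    return None

def highlight(line: str) -> str:
    """Wrap a line in the colour for its class; plain lines pass through."""
    kind = classify(line)
    if kind == "error":
        return f"{RED}{line}{RESET}"
    if kind == "warning":
        return f"{YELLOW}{line}{RESET}"
    return line

def filter_lines(lines, include=None, exclude=None):
    """Keep lines containing `include` (if given) and drop lines containing
    `exclude` (if given); both comparisons are case-insensitive."""
    kept = []
    for line in lines:
        lowered = line.lower()
        if include is not None and include.lower() not in lowered:
            continue
        if exclude is not None and exclude.lower() in lowered:
            continue
        kept.append(line)
    return kept

def follow(path, interval=0.5, stop_after=None):
    """Yield lines appended to `path`, polling every `interval` seconds
    (SMS Trace's default is 500 ms). stop_after bounds the number of empty
    polls so the generator can terminate."""
    empty_polls = 0
    with open(path, encoding="utf-8", errors="replace") as f:
        f.seek(0, 2)  # start at the end of the file, like a tail
        while stop_after is None or empty_polls < stop_after:
            line = f.readline()
            if line:
                yield line.rstrip("\n")
            else:
                empty_polls += 1
                time.sleep(interval)

if __name__ == "__main__":
    for line in filter_lines(SAMPLE_LOG, exclude="completed"):
        print(highlight(line))
```

The substring match is deliberate to mirror the tool: a line containing "mirrored" is not flagged, but one containing "errors" is. When you grep a large log, combine `include` and `exclude` rather than chaining greps, so you keep one pass over the file.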

The System Center Configuration Manager 2007 Toolkit is available here. There is an exe which unpacks to two msi packages. Use the CcmTools.msi which installs the core tools.

When you launch the SMS Log Viewer for the first time, it will prompt you with:

Do you want to make SMS Trace the default log viewer?
I always make it my default viewer.


Friday, January 25, 2008

TechEd 2008 Tips

This year will be my fifth TechEd. Here are my tips for a happy and productive experience.

  • Book your hotel through the MS TechEd site. These are the best rates and any of these hotels will have guaranteed (free) bus service to the conference (unless TechEd is being held in Boston. Those of you who were there know what I'm talking about.). I like the Embassy Suites on Jamaican Court. It's close, nice rooms and has a great free breakfast (although food is NEVER a problem at TechEd).

  • Pack your suitcase inside another suitcase to travel to TechEd. That way you will have another BIG suitcase to bring back your swag.

  • Don't rent a car unless you need one. Some hotels offer transportation to/from the airport, otherwise take a cab. Most hotels have car rentals in the lobby, so you can always rent one if needed.

  • When the TechEd courses go online on the Connect site, review them and sign up for all the ones you want to attend, even if they overlap in time. That way, you can always leave a session that doesn't live up to your expectations for a different one. Be aware that some sessions fill up.

  • Wear comfortable clothes and shoes. The venue is climate controlled, so dress for 20C/72F.

  • Try to stay a couple of days before or after the event to visit some sites. I HIGHLY recommend renting a car and visiting the Kennedy Space Center in Cape Canaveral (about 40 minutes away). We got to see Atlantis launch last year and it was absolutely awesome!

  • Plan on and attend the appreciation party on Thursday night.

  • Visit this blog often for pictures, reviews and commentary.

  • If you're from Europe and you're a guy, DO NOT wear capris. I will point at you and laugh out loud.
Got more tips? Leave them as a comment below!

