Tuesday, August 19, 2008

How to Configure the SCL in Exchange

Recently I was asked what the proper Spam Confidence Level (SCL) should be for an Exchange 2007 installation. The answer is the ever-popular, "it depends."

The SCL is a value that Exchange assigns to each incoming SMTP email and is based on Microsoft's SmartScreen technology. This score determines how likely Exchange thinks an email message is spam. A rating of 0 means the message is not likely spam and a rating of 9 means the message is most likely spam.

SmartScreen is a "black box" technology -- meaning that the algorithms and heuristics it uses for scoring are not published by Microsoft, which makes it more difficult for spammers to craft messages that score lower and pass the filter. The Exchange server downloads new heuristics from Microsoft periodically.

Exchange 2003 SP2 introduced the Internet Message Filter (IMF) to score emails with an SCL rating. Exchange 2007 uses Content Filtering on the Anti-spam tab of the Edge Transport server to score emails (as shown below). It can also be enabled on a Hub Transport server if Edge Transport servers are not used. See How to Enable Anti-Spam Functionality on a Hub Transport Server.

Selecting the right SCL filter level is not an exact science. You're trying to filter obvious spam without accidentally filtering legitimate messages. You can use the following method to determine the starting point for your filter.

Using Perfmon to Select the SCL Filter Level
The best way to determine the appropriate SCL filter level is to use perfmon and examine the MSExchange Content Filter Agent object. Over time, the "Messages with SCL x" counters will increment and begin to show a trend.

In the example below, the Messages with SCL 0 through 7 counters are in the lower half of the scale. Messages with SCL 8 is off the charts at 270 -- more than all the lower SCL levels combined. From this data we can infer that it is safe to filter messages with an SCL higher than 7.


Note that these counters reset to zero upon restart of the server. It may take a little while before the trend appears.

Keep in mind that this is only a starting filter level. You may have to adjust your filter up or down for your specific environment, but this method gives you an excellent starting point.
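As an added example (not code from the post), the following PowerShell reads the "Messages with SCL x" counters of the MSExchange Content Filter Agent object through .NET and applies the rule the post describes: filter at the lowest SCL whose count exceeds all lower SCL counts combined. The counter names follow the post; the Set-ContentFilterConfig parameter names are the Exchange 2007 ones and the sample histogram is constructed.

```powershell
# Added example: pick a starting SCL reject threshold from the perfmon trend.
# Counter object/name format taken from the post; read via System.Diagnostics
# so it also works in the PowerShell 1.0 that ships with Exchange 2007.

function Get-SclHistogram {
    # Hashtable SCL -> message count since the last transport service restart.
    $hist = @{}
    for ($scl = 0; $scl -le 9; $scl++) {
        $counter = New-Object System.Diagnostics.PerformanceCounter `
            -ArgumentList "MSExchange Content Filter Agent", "Messages with SCL $scl"
        $hist[$scl] = [long]$counter.RawValue
        $counter.Close()
    }
    return $hist
}

function Select-SclThreshold {
    param([hashtable]$Histogram, [long]$MinimumMessages = 500, [int]$LowestCandidate = 5)
    # Refuse to decide on too little data: the counters reset when the server restarts.
    $total = 0; foreach ($v in $Histogram.Values) { $total += $v }
    if ($total -lt $MinimumMessages) {
        throw "Only $total scored messages so far; let the counters run longer."
    }
    $lower = 0   # running total of messages scored below $scl
    for ($scl = 0; $scl -le 9; $scl++) {
        $count = $Histogram[$scl]
        # $LowestCandidate is a sanity floor (assumption): never filter at SCL 0-4,
        # where most legitimate mail lands.
        if ($scl -ge $LowestCandidate -and $count -gt $lower) {
            return $scl   # the post's case: SCL 8 at 270 outweighs SCL 0..7 combined
        }
        $lower += $count
    }
    return $null   # no level dominates; leave the filter where it is
}

function Set-SclStartingPoint {
    param([int]$RejectAt)
    # Reject at the chosen level and above. If quarantine or delete actions are
    # also enabled, Exchange requires quarantine < reject < delete thresholds.
    Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold $RejectAt
}

# Constructed sample shaped like the post's graph: SCL 8 dwarfs every lower level.
$sample = @{0=600; 1=250; 2=150; 3=100; 4=80; 5=60; 6=50; 7=40; 8=2700; 9=400}
$level = Select-SclThreshold -Histogram $sample    # 8, because 2700 > 1330 (sum of SCL 0..7)
Write-Host "Suggested starting point: reject at SCL $level and above"

# Live use on the Edge/Hub Transport server:
#   $level = Select-SclThreshold -Histogram (Get-SclHistogram)
#   if ($level) { Set-SclStartingPoint -RejectAt $level }
```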

SmartScreen filtering is just one of the anti-spam solutions available for Microsoft Exchange Server. Other solutions include Sender ID Framework, Outlook Junk E-Mail Filter, and Microsoft Exchange Hosted Filtering. See the Microsoft AntiSpam Technologies website for more details.


Subscribe to The EXPTA {blog} by Email

Thursday, July 31, 2008

It's Not Exchange 2007 Enterprise Until You Enter the Product Key

According to the Microsoft article, "Exchange Server 2007: Platforms, Editions, and Versions":

"When you install Exchange 2007, it is unlicensed and referred to as a Trial Edition. Unlicensed (Trial Edition) servers appear as Standard Edition, and they are not eligible for support from Microsoft Product Support Services. The Trial Edition expires 120 days after the date of installation."

This means that you will be unable to add additional storage groups, managed folders, or use any of the Exchange Enterprise features until you enter the Enterprise product key.


Thursday, July 24, 2008

Free/Busy Information in Exchange 2000/2003/2007


What is Free/Busy?
Users' availability information is stored in Exchange in a hidden system public folder. This information is used by Outlook and OWA to tell other users if they are free or busy (hence, the term Free/Busy information). Normally this information is displayed as color-coded blocked-out areas in a user's calendar, as shown above. If users have extended rights, they can right-click another user's blocked-out time to view the subject of the busy time.

The Free/Busy information is posted as a single message that contains data for the entire Free/Busy duration. The default is to publish 2 months' worth of information, configurable in Outlook Options or via Group Policy. Every time the Free/Busy information is updated, the message is overwritten.

Publishing Free/Busy Information
The way Free/Busy information is published to Exchange depends on the method used to update the user's calendar. The Outlook client is usually responsible for generating Free/Busy information. Outlook will read the calendar and generate Free/Busy every 15 minutes by default if the information has been changed. This schedule can be changed in Outlook options or via Group Policy. Outlook also republishes the Free/Busy information whenever Outlook is shut down.

So what happens when the user updates their calendar using Outlook Web Access (OWA) or some other non-MAPI client? In this case, Free/Busy information is updated by a background process called MSExchangeFBPublish (MadFB). This process runs under the System Attendant mailbox and updates Free/Busy every 5 minutes for OWA, OMA, and Entourage clients. When a change is made to the calendar, a Free/Busy message is submitted to the System Attendant mailbox on the mailbox server for the user. The MadFB process polls this mailbox and picks up that there has been a change. MadFB then publishes the user's full Free/Busy message to the Free/Busy folder overwriting the existing message.

Replicating Free/Busy Information
The short answer is don't do it. The only reason to replicate Free/Busy information is when you frequently have users accessing Free Busy information of users in another site, and those sites are separated by a slow or lossy network link. Replicating Free/Busy information introduces inherent latency and causes inaccuracy in the Free/Busy information. Users in one site may see information from a site that has not replicated yet.

Where is Free/Busy Information Stored?
As mentioned earlier, Free/Busy information is stored in a system public folder. You can view all the Free/Busy information in the org by opening the following URL in a web browser: "http(s)://ServerName/Public/Non_IPM_Subtree/SCHEDULE%2B%20FREE%20BUSY/".

Here, you will see a folder under SCHEDULE+ FREE BUSY for each Administrative Group in the format, "EX:/o=/OU=". Each folder contains messages for each user. These messages are the Free Busy information for the user. The messages are formatted as, "USER-/CN=RECIPIENTS/CN=".

Free/Busy message placement is based on the user's legacyExchangeDN attribute in AD. For example, if my legacyExchangeDN is "/o=CompanyABC/ou=Paris/cn=Recipients/cn=jsguillet", my Free/Busy information will be stored in the "USER-/CN=RECIPIENTS/CN=jsguillet" message in the "/EX:/o=CompanyABC/ou=Paris" folder.

You are unable to view the contents of the message, but you can delete it. Doing so will remove all Free Busy information from Exchange until it is republished using one of the methods explained above. If Free/Busy information is not available to other users, they will see black and white hash marks across your calendar and Outlook will say that Free/Busy information is not available for this user.

How to Republish Free/Busy Information
On occasion Free/Busy information may not be published correctly in Exchange. There are many reasons that this can occur. Examples include errors in Public Folder replication (if Free Busy is being replicated, another reason to not do this), network errors, and incorrect shutdown of Outlook or Windows.

So how do you republish Free/Busy information? The easiest way to do this for individual users is to have them run Outlook with the /CleanFreeBusy switch:

  • Close Outlook

  • Click Start, Run, enter "start outlook /cleanfreebusy" and click OK

  • Outlook will start, generate the Free/Busy information from the Outlook calendar and republish it to Exchange within 5 minutes. It will overwrite any existing Free/Busy message or publish a new one if it doesn't exist.

While this is easy to do for one or two users, it isn't a good solution for all users in the enterprise since it requires user intervention.

Microsoft KB article 294282 details how to use Updatefb.exe to regenerate Free/Busy information from the calendar information contained in each user's mailbox. You run this utility under the context of a user or service account that has full mailbox access to the affected users. It reads a comma-delimited file containing the alias and home mailbox server of each user (i.e., alias, mailbox1) and logs in as that user using Collaboration Data Objects (CDO). It then creates a single appointment for the user for today at 11:00pm. This marks the Free/Busy information as "dirty". It then logs off the MAPI connection, causing the Free/Busy information to republish to Exchange. Note that Updatefb will be unable to open disabled users' or hidden mailboxes, so be sure to exclude them from the CSV input file.

Updatefb.exe is an unsupported utility written by Microsoft and is only available through Microsoft Product Support Services. There are two versions of the utility, Updatefb.exe is the GUI version and CPPCDO.exe is a command line version. I have used it in several environments with no issues.
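Two helpers added here as an example (not part of the post, of KB 294282 or of the Updatefb utility): one derives the Free/Busy folder and message names from a legacyExchangeDN exactly as the placement rule above describes, and one builds the "alias,server" input file for Updatefb.exe from Active Directory while skipping the disabled and hidden mailboxes it cannot open. The AD attribute names are the standard Exchange 2003 schema attributes; the output path is an assumption.

```powershell
# Added example: Free/Busy placement lookup and Updatefb.exe input generation.

function Get-FreeBusyLocation {
    param([string]$LegacyExchangeDN)
    # /o=CompanyABC/ou=Paris/cn=Recipients/cn=jsguillet
    #   -> folder  EX:/o=CompanyABC/ou=Paris
    #   -> message USER-/CN=RECIPIENTS/CN=jsguillet      (format from the post)
    $pattern = '^(?<ag>/o=[^/]+/ou=[^/]+)/cn=(?<container>[^/]+)/cn=(?<user>[^/]+)$'
    $m = [regex]::Match($LegacyExchangeDN, $pattern, 'IgnoreCase')
    if (-not $m.Success) { throw "Unexpected legacyExchangeDN format: $LegacyExchangeDN" }
    return @{
        Folder  = "EX:" + $m.Groups['ag'].Value
        Message = "USER-/CN=" + $m.Groups['container'].Value.ToUpper() + "/CN=" + $m.Groups['user'].Value
    }
}

function Get-UpdatefbInputRows {
    # Returns "alias,server" lines for every mailbox-enabled, enabled, visible user.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    # Mailbox-enabled users have both mailNickname (the alias) and homeMDB set.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(mailNickname=*)(homeMDB=*))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@(
        "mailNickname", "msExchHomeServerName", "userAccountControl", "msExchHideFromAddressLists"))

    $rows = @()
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # ACCOUNTDISABLE (0x2): Updatefb cannot log on as a disabled user.
        if (([int]$p["useraccountcontrol"][0]) -band 0x2) { continue }
        # Hidden mailboxes are skipped for the same reason.
        if ($p.Contains("msexchhidefromaddresslists") -and [bool]$p["msexchhidefromaddresslists"][0]) { continue }
        # msExchHomeServerName looks like /o=Org/ou=AG/cn=Configuration/cn=Servers/cn=MAILBOX1
        $server = ([string]$p["msexchhomeservername"][0]).Split('/')[-1] -replace '^cn=', ''
        $rows += ("{0},{1}" -f $p["mailnickname"][0], $server)
    }
    return $rows
}

# The post's example, resolved to its folder and message names.
$loc = Get-FreeBusyLocation -LegacyExchangeDN "/o=CompanyABC/ou=Paris/cn=Recipients/cn=jsguillet"
Write-Host ("Folder: {0}`nMessage: {1}" -f $loc.Folder, $loc.Message)

# Write the Updatefb input file (path is an assumption).
Get-UpdatefbInputRows | Set-Content -Path "C:\Temp\updatefb-input.csv"
```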

What About Exchange 2007?
Exchange 2007 uses an entirely new and different way to manage Free/Busy information, so the above does not apply in a pure Exchange 2007/Outlook 2007 environment. When using Exchange 2007 with Outlook 2007, Free/Busy information no longer comes from a Public Folder, but instead from the Microsoft Exchange 2007 Availability Service. This web service provides a direct look at the user's Free/Busy information without the need for a client to publish any data. Outlook 2007 and Exchange 2007 can still use (and will still have) the Free/Busy public folder for backwards compatibility with older Outlook clients.


Wednesday, July 23, 2008

Your Troubleshooting PAL


How many times have you been faced with a performance issue with a computer and you don't really know where to start? Sure, you can fire up Performance Monitor (perfmon) and start collecting data for analysis, but which counters do you collect and how do you identify a bottleneck?

Perfmon can gather tons of information, and poring over all that data for analysis can be a daunting task. Enter Performance Analysis of Logs (PAL), a new and powerful tool that reads in a performance monitor counter log in any known format and analyzes it using complex but known thresholds. The tool produces an HTML report that lists the important performance counters and displays alerts when thresholds are exceeded.

PAL is a free open source application developed by Microsoft and is hosted on CodePlex, Microsoft's open source project hosting web site. It requires two other free pieces of software on the computer where PAL will run:

Log Parser 2.2
Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. PAL uses the Log Parser tool to query perfmon logs and to create charts and graphs for the PAL report.

Microsoft Office Web Components 2003
Log Parser requires the Office Web Components 2003 in order to create charts.

Note: Because there is no 64-bit version of the Microsoft Office Web Components, PAL only runs on x86 platform computers.

To use PAL, you begin by collecting performance data from the target machine using perfmon. Typically, I collect the Memory, Network Interface, Physical Disk, Processor and System counters to begin with. Once you've collected some data run PAL and walk through the wizard. Be sure to answer the Question Variable Names at the bottom of the Threshold File page. The variables are Number of Processors, use of the /3GB switch, is the target a 64-bit computer, total RAM and whether it has a kernel dump configured. Step through the rest of the wizard and PAL will create a batch file, run it and display the output as a graphical report in your web browser. Very cool!!!

You can view a LiveMeeting streaming video training of PAL here.


Wednesday, June 25, 2008

Fix for Self-Update is Not Working in WSUS 3.0


I've noticed a number of WSUS 3.0 servers are coming up with the following error in the Application event log:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 13042
User: N/A
Computer: WSUS01
Description: Self-update is not working.


To fix the issue, follow these steps:
  • Open IIS Manager and ensure there is a Selfupdate virtual directory in the Default Web Site. If not, create it with the Local Path pointing to C:\Program Files\Update Services\Selfupdate

  • Click the Directory Security tab and ensure that Anonymous Access is allowed

  • Restart IIS

Verify that the problem is fixed by running the following command at the command prompt:

C:\Program Files\Update Services\Tools\wsusutil.exe healthcheck

Then examine the Application event log for the following event:

Event Type: Error
Event Source: Windows Server Update Services
Event Category: Clients
Event ID: 10000
User: N/A
Computer: WSUS01
Description: WSUS is working correctly.

As background, WSUS clients must connect to the SelfUpdate virtual directory to check for a new version of the WSUS client before checking for new updates. This always happens anonymously over port 80, even if WSUS is configured to use a custom port, such as port 8530.
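The following PowerShell 2.0 script is an added example (not from the post) that verifies the fix the way a client would experience it: an anonymous request to the Selfupdate directory on port 80, followed by a wsusutil healthcheck and a look at whether the newest WSUS health event is 10000 or 13042. The server name is the post's WSUS01; wuident.cab as the file served from Selfupdate is an assumption.

```powershell
# Added example: check the Selfupdate virtual directory from the client's point of view.

function Test-WsusSelfUpdate {
    param([string]$Server = "WSUS01", [int]$Port = 80)
    $result = @{ Server = $Server; HttpStatus = $null; LastHealthEvent = $null; Healthy = $false }

    # 1. Anonymous HEAD on port 80, as the clients do: no credentials are attached,
    #    and the port is fixed even when WSUS itself listens on 8530.
    #    wuident.cab is assumed to be a file WSUS serves from the Selfupdate directory.
    $req = [System.Net.WebRequest]::Create("http://${Server}:$Port/selfupdate/wuident.cab")
    $req.Method = "HEAD"
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $result.HttpStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if ($r) { $result.HttpStatus = [int]$r.StatusCode } else { $result.HttpStatus = -1 }
    }

    # 2. Re-run the WSUS health check (local to the WSUS server), then read the
    #    newest health event: 10000 = working correctly, 13042 = self-update broken.
    & "C:\Program Files\Update Services\Tools\wsusutil.exe" healthcheck | Out-Null
    Start-Sleep -Seconds 15
    $evt = Get-EventLog -LogName Application -Newest 500 |
        Where-Object { $_.Source -eq "Windows Server Update Services" -and
                       ($_.EventID -eq 10000 -or $_.EventID -eq 13042) } |
        Select-Object -First 1
    if ($evt) { $result.LastHealthEvent = $evt.EventID }

    # 401/403 means Selfupdate is not anonymous; 404 means the virtual directory is missing.
    $result.Healthy = ($result.HttpStatus -eq 200 -and $result.LastHealthEvent -eq 10000)
    return New-Object PSObject -Property $result
}

Test-WsusSelfUpdate | Format-List
```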


Outlook Calendar Delays Explained


Some customers experience performance issues when opening other user’s calendars. A delay occurs the first time they open the calendar, but subsequent access is fine. At random times the performance issue occurs again. Here’s why this happens.

When Outlook accesses another user’s calendar, Exchange applies a view which restricts the user from viewing private items. This happens regardless of whether there are any private items or not. This process is run on, and controlled by, the Exchange server. The act of applying a view to a folder creates search folders in the Exchange store. Once the search folder has been created, it is cached for later use, which makes subsequent viewings faster.

Exchange doesn’t cache all search folders forever. Doing so would cause server-side delays since the cache folders are continuously updated by Exchange.

The number of search folders (also known as views) is defined at the store level in Exchange. The default is 11 and the best practice is to set it between 5 to 20 views, per mailstore. It’s important to note that this number is global for the mailstore and views are not shared between users.

To demonstrate, suppose John is an administrative assistant and manages 10 separate calendars. The first time he accesses each calendar, there is a delay as Exchange creates the view. After the views have been built, subsequent access is fast. Now another user, Linda, opens 6 other calendars, including the first 3 calendars that John accessed. John and Linda are in the same mailstore. In this example, calendars 1-3 are cached for Linda, 4-7 are cached for John and 8-11 are cached for Linda. John will have to wait to access the first calendar while the view is rebuilt for him. By increasing the number of views stored on the Exchange server to 20, this will not occur (10+6=16, which is less than 20).

The number of views stored on the Exchange server is held in the msExchMaxCachedViews attribute in AD. To adjust the value, use ADSIEdit to navigate to dn: CN=Mailbox Store,CN=Storage Group,CN=InformationStore,CN=Server NAME,CN=Servers,CN=AG Name,CN=Administrative Groups,CN=Orgname,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Company,DC=com. Right-click the mailbox store to adjust on the right pane and edit the msExchMaxCachedViews attribute.

Setting the value too low will cause more frequent delays for users as the views are built more often. Setting the value too high will cause slow overall Exchange performance as more views are continuously updated. It should never be set higher than 50.
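As an added example (not from the post), this PowerShell 2.0 script does the ADSIEdit work above programmatically: it lists every mailbox store in the organization with its current msExchMaxCachedViews value, sizes a new value from per-user calendar counts the way the John/Linda example does, and writes it back with the post's guard rails (5-20 recommended, never above 50). The objectClass msExchPrivateMDB is the standard Exchange 2003 schema class for a mailbox store; the store DN you pass to the setter comes from the listing.

```powershell
# Added example: read, size and set msExchMaxCachedViews without ADSIEdit.

function Get-MailboxStoreCachedViews {
    # One object per mailbox store in the org, from the Configuration partition.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $config = [ADSI]("LDAP://" + $rootDse.configurationNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($config)
    $searcher.Filter = "(objectClass=msExchPrivateMDB)"
    [void]$searcher.PropertiesToLoad.AddRange(@("name", "distinguishedName", "msExchMaxCachedViews"))
    foreach ($r in $searcher.FindAll()) {
        $views = $null   # $null = attribute not set, i.e. the default (11 per the post)
        if ($r.Properties.Contains("msexchmaxcachedviews")) {
            $views = [int]$r.Properties["msexchmaxcachedviews"][0]
        }
        New-Object PSObject -Property @{
            Store = [string]$r.Properties["name"][0]
            DN    = [string]$r.Properties["distinguishedname"][0]
            Views = $views
        }
    }
}

function Get-RecommendedCachedViews {
    param([int[]]$CalendarsPerUser)
    # Views are not shared between users, so each user on the store needs as many
    # views as calendars they open. Round up to a multiple of 5, keep within 5..50.
    $needed = 0; foreach ($n in $CalendarsPerUser) { $needed += $n }
    $rounded = [int]([Math]::Ceiling($needed / 5.0) * 5)
    return [Math]::Max(5, [Math]::Min(50, $rounded))
}

function Set-MailboxStoreCachedViews {
    param([string]$StoreDN, [int]$Views)
    if ($Views -lt 5 -or $Views -gt 50) { throw "msExchMaxCachedViews $Views is outside 5..50; refusing." }
    if ($Views -gt 20) { Write-Warning "$Views is above the recommended 5-20; expect more view maintenance load." }
    $store = [ADSI]("LDAP://" + $StoreDN)
    $store.Put("msExchMaxCachedViews", $Views)
    $store.SetInfo()
}

# The post's example: John opens 10 calendars, Linda 6 -> 16 -> 20 views.
$target = Get-RecommendedCachedViews -CalendarsPerUser 10, 6
Get-MailboxStoreCachedViews | Format-Table Store, Views -AutoSize
# Apply to one store (DN taken from the listing above):
#   Set-MailboxStoreCachedViews -StoreDN "CN=Mailbox Store,CN=...,DC=Company,DC=com" -Views $target
```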


Thursday, June 5, 2008

VMM 2008 Managed Hyper-V VMs Won't Start


This evening our neighborhood took a large power surge due to a car hitting a power pole. Everything in the house shut down abruptly, including my local network running Hyper-V hosts and Virtual Machine Manager 2008 (beta).

When the power returned about 60 seconds later, all my physical servers turned back on, but the Hyper-V VMs would not start. The following events were logged in the Hyper-V Event Log:

Log Name: Microsoft-Windows-Hyper-V-Worker-Admin
Source: Microsoft-Windows-Hyper-V-Worker
Date: 6/5/2008 8:36:30 PM
Event ID: 17040
Task Category: None
Level: Error
Keywords:
User: NETWORK SERVICE
Computer: VM.expta.com
Description:The authorization store could not be initialized from storage location 'msxml://C:\ProgramData\Microsoft\Virtual Machine Manager\HyperVAuthStore.xml'. Error: General access denied error (0x80070005).

Log Name: Microsoft-Windows-Hyper-V-VMMS-Admin
Source: Microsoft-Windows-Hyper-V-VMMS
Date: 6/5/2008 8:36:44 PM
Event ID: 15500
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: VM.expta.com
Description:'EDGE STD x64' failed to start worker process: The extended attributes are inconsistent. (0x800700FF). (Virtual machine ID 118D4321-2B6D-4DE3-B1F0-E55BCD1DCD60)

To fix this problem, uninstall the VMM 2008 Local Agent and reinstall it. Catastrophe averted!


Tuesday, May 20, 2008

Quickly installing MOSS 2007 with SP1 on Windows Server 2008

If you try to install MOSS 2007 on Windows Server 2008, you are going to get an error that there is an incompatibility. To install, you need SP1 for MOSS.

You can slipstream SP1 yourself, but it turns out there's an easier way. First, install the trial version of MOSS 2007 with SP1 (32 bit or 64 bit). Then convert the trial installation to your licensed edition:
  1. In Central Administration, on the top link bar, click Operations.
  2. On the Operations page, in the Upgrade and Migration section, click Convert license type.
  3. On the Convert License Type page, in the Enter the Product Key box, type the new product key.

Thanks to Kirk Allen for the tip!


Unable to Successfully Promote SCOM RMS Server

If the root management server (RMS) in a System Center Operations Manager 2007 (SCOM 2007) implementation fails or becomes unavailable for some reason the entire SCOM system will fail. Well, not exactly. The managed agents will still collect performance and alert data and will either queue this data or forward it to its management server. The management servers will be unable to forward this information to the SQL database and administrators will be unable to launch either the Operations or web consoles, so it's as good as dead.

There are two ways to rectify this -- bring the RMS server back online or promote an existing SCOM management server to an RMS. Microsoft article, "How to Promote a Management Server to a Root Management Server Role in Operations Manager 2007" does a good job of explaining the steps required, so I won't go through them here. But what happens if you get the following error when promoting the new RMS?

The machine managementserver is a server for multiple management groups (not supported)!

This occurs when the registry contains extra "Parent Health Service" or "Send Priority" keys under the Server Management Groups key. Navigate to:

HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups

Under this key you should see a key that matches the name of your SCOM management group. There should not be any other keys at the same level as the management group name. Back them up and delete them. In the example below, backup and delete the "Send Priority" key and its subkeys.

Run the same ManagementServerConfigTool.exe PromoteRMS command and it should work now.
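An added example (not from the post) that does the registry cleanup above with the backup step enforced: it lists every key under Server Management Groups that is not your management group, exports each one with reg.exe before deleting it, and refuses to delete anything if the management group key itself is absent (a sign you typed the wrong name). The management group name and backup folder are assumptions.

```powershell
# Added example: back up and remove stray keys beside the management group key.

$SmgKey = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups"

function Get-ExtraManagementGroupKeys {
    param([string]$ManagementGroup)
    $keys = @(Get-ChildItem -Path $SmgKey)
    if (-not ($keys | Where-Object { $_.PSChildName -eq $ManagementGroup })) {
        throw "No key named '$ManagementGroup' under '$SmgKey'; check the group name before deleting anything."
    }
    # Anything else at this level (e.g. "Send Priority", "Parent Health Service") is extra.
    return $keys | Where-Object { $_.PSChildName -ne $ManagementGroup }
}

function Remove-ExtraManagementGroupKeys {
    param([string]$ManagementGroup, [string]$BackupFolder = "C:\Temp\SCOM-RegBackup")
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    foreach ($key in Get-ExtraManagementGroupKeys -ManagementGroup $ManagementGroup) {
        $regPath = $key.Name    # HKEY_LOCAL_MACHINE\SOFTWARE\...\Send Priority
        $file = Join-Path $BackupFolder (($key.PSChildName -replace '[^\w]', '_') + ".reg")
        Remove-Item -Path $file -ErrorAction SilentlyContinue
        reg.exe export "$regPath" "$file" | Out-Null     # back up first, as the post says
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
            throw "Backup of '$regPath' failed; not deleting it."
        }
        Remove-Item -Path $key.PSPath -Recurse -Force
        Write-Host "Backed up '$regPath' to '$file' and removed it."
    }
}

# Review first, then clean up and re-run ManagementServerConfigTool.exe PromoteRMS.
Get-ExtraManagementGroupKeys -ManagementGroup "MyManagementGroup" | Select-Object PSChildName
# Remove-ExtraManagementGroupKeys -ManagementGroup "MyManagementGroup"
```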



Thursday, May 15, 2008

SQL Exceptions during SCOM 2007 RMS Promotion

The Microsoft article, "How to Promote a Management Server to a Root Management Server Role in Operations Manager 2007" does a pretty good job of explaining how to promote a SCOM 2007 management server to a root management server.

While performing a disaster recovery test today, I found that I was getting the following SQL exceptions when I ran the ManagementServerConfigTool.exe PromoteRMS command:

The type initializer for 'Microsoft.MOMv3.Setup.MOMv3ManagedCAs' threw an exception.

Turns out this is because I ran the ManagementServerConfigTool.exe PromoteRMS command directly from the SCOM SP1 Support Tools folder, which is missing some of the DLLs required to run the command.

Simply copy the files from the Support Tools folder on the SP1 CD to the local \Program Files\System Center Operations Manager 2007 folder and re-run the command.


Wednesday, May 14, 2008

Error Running SecureStorageBackup


When backing up or restoring the RMS keys using the SecureStorageBackup utility in SCOM SP1, you may come across the following error:

Could not load file or assembly 'Microsoft.Mom.Common, Version=6.0.4900.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

To fix this, copy Microsoft.Mom.Common.dll from C:\Program Files\System Center Operations Manager 2007 to the same folder where SecureStorageBackup.exe is run. Then run SecureStorageBackup again.


Sunday, May 11, 2008

Failure installing VMM2008


When installing the server component of Microsoft System Center Virtual Machine Manager 2008, you may come across the following error:

Microsoft System Center Virtual Machine Manager 2008 installation did not complete successfully. Review the error log for information, and then try Setup again.
ID: 205. Details: Fatal error during installation

Virtual Machine Manager Server installation did not successfully install. All items that were copied during the installation process have been removed, however some required prerequisite software is still present on the machine. It is not necessary to remove the remaining software before you run Setup again. But you can uninstall the prerequisite software by going to Add or Remove Programs.
For error details, click the Error tab.

The ServerSetup.log file also references error 1603 in various places. This is caused by name resolution (DNS lookup) failures. Examine your DNS configuration for any of the following errors:
  • Misconfigured TCP/IP settings
  • Primary DNS is misconfigured on the VMM server
  • The VMM server is unable to resolve the DC by name
  • The VMM server does not have a record in DNS
  • The DC is unable to get proper name resolution of the VMM server
  • Incorrect DNS forwarding
  • DNS is not functioning correctly on the DNS server

Once the errors have been corrected, reinstall the VMM server component.
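Added example (not from the post): a PowerShell 2.0 script to run on the VMM server before re-running Setup, with one check per cause in the list above that can be tested from that machine: a configured DNS server, resolving a DC by name, the VMM server's own forward and reverse records, and whether the DC's DNS service answers for the VMM server's name. Host names are discovered at run time; nothing here is specific to your environment.

```powershell
# Added example: map the DNS causes listed in the post to concrete checks.

function Invoke-DnsCheck {
    param([string]$Name, [scriptblock]$Body)
    # Runs one check; a thrown error becomes a failed row with the message as detail.
    try { $detail = & $Body; $passed = $true }
    catch { $detail = $_.Exception.Message; $passed = $false }
    New-Object PSObject -Property @{ Check = $Name; Passed = $passed; Detail = [string]$detail }
}

function Test-VmmNameResolution {
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $fqdn = $props.HostName + "." + $props.DomainName
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    } catch { $dc = $null }
    $results = @()

    # Misconfigured TCP/IP or primary DNS: every IP-enabled adapter should list a DNS server.
    $results += Invoke-DnsCheck "Primary DNS server configured" {
        $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
        $dns = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
        if ($dns.Count -eq 0) { throw "no DNS server on any IP-enabled adapter" }
        $dns -join ", "
    }

    # The VMM server must locate a DC and resolve its name to an address.
    $results += Invoke-DnsCheck "Resolve a domain controller by name" {
        if (-not $dc) { throw "no domain controller could be located" }
        $ip = [System.Net.Dns]::GetHostEntry($dc).AddressList[0]
        "$dc -> $ip"
    }

    # The VMM server needs its own A record, and the PTR should point back at it.
    # (GetHostEntry also consults the hosts file and cache, so a pass here is necessary, not sufficient.)
    $results += Invoke-DnsCheck "VMM server forward and reverse records" {
        $addrs = [System.Net.Dns]::GetHostEntry($fqdn).AddressList
        if ($addrs.Count -eq 0) { throw "$fqdn has no address record" }
        $back = [System.Net.Dns]::GetHostEntry($addrs[0]).HostName
        if ($back -ne $fqdn) { throw "reverse lookup of $($addrs[0]) gives '$back', expected '$fqdn'" }
        "$fqdn <-> $($addrs[0])"
    }

    # The DC's view: query the DC's DNS service directly for the VMM server's name,
    # which also exercises forwarding if that zone lives elsewhere.
    $results += Invoke-DnsCheck "DC's DNS resolves the VMM server" {
        if (-not $dc) { throw "skipped: no domain controller located" }
        $out = (nslookup $fqdn $dc 2>&1) | Out-String
        if ($out -notmatch ("Name:\s+" + [regex]::Escape($fqdn))) {
            throw "nslookup against $dc did not return a record for $fqdn"
        }
        "answered by $dc"
    }
    return $results
}

Test-VmmNameResolution | Format-Table Check, Passed, Detail -AutoSize
```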


Monday, May 5, 2008

Well, that was painful...

I'm installing a new SCOM 2007 SP1 infrastructure in a test environment.

I built up a couple of SQL 2005 database servers and two management servers, one of each in each of two sites. I installed the SCOM database on the first SQL server and then installed SCOM on the first management server, making it the root management server (RMS).

After SCOM installs, setup asks if you want to run the Operations Console. I cleared the checkbox to do so and began to immediately upgrade to SCOM 2007 SP1. Big mistake. Now I couldn't log into the console with any account. It seems that SCOM needs to do some more setup when you run the console for the first time.

I ended up completely uninstalling SCOM from the RMS and deleting the OperationsManager database from the SQL server, then I reinstalled everything. This time I launched the console before upgrading to SP1. It worked, but wasted about an hour and a half.

Learn from my mistake.


Tuesday, April 29, 2008

How to Enable Autologon for Windows Server 2008 Member Servers



In a previous post I showed how to enable Autologon for workgroup servers.

Once you join a server to a domain, Windows will automatically delete the AutoAdminLogon value from the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. This causes the userpasswords2 control to hide the "Users must enter a user name and password to use this computer" checkbox shown above.

Here's how to get the missing checkbox back and configure Autologon:
  • Open a CMD prompt and enter the following (all on one line):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d "1" /f
  • Click Start, Run and enter control userpasswords2
  • Clear the checkbox for Users must enter a user name and password to use this computer and click OK
  • Enter the user name and password that will be used for Autologon and click OK

When the server starts up the account you specified will be logged in automatically. Note that the password is encrypted on the computer.


Tuesday, April 15, 2008

Fix for Failed Security Update for Microsoft XML Core Services 4.0 Service Pack 2

I recently built up a new Hyper-V virtual domain environment based on a single server image. Unfortunately, my base image had a problem downloading and installing the Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181). The yellow Windows Update shield would pop up in the notification area to say the update was ready to install. I would install it, but Automatic Updates would download it again and say it needed to be installed again.

Here's what the event logs looked like:

Event Type: Information
Event Source: Windows Update Agent
Event Category: Installation Event
ID: 19
Date: 4/15/2008 Time: 7:11:59AM
User: N/A
Computer: HOSCOM
Description:Installation Successful:
Windows successfully installed the following update: Security Update for
Microsoft XML Core Services 4.0 Service Pack 2 (KB936181)
... and then almost immediately,

Event Type: Information
Event Source: Windows Update Agent
Event Category: Installation Event
ID: 18
Date: 4/15/2008 Time: 7:12:50AM
User: N/A
Computer: HOSCOM
Description:Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Wednesday, April 16, 2008 at 3:00 AM: - Security Update for Microsoft XML Core Services 4.0 Service Pack 2(KB936181)
Very annoying. To fix this issue, download the update from Microsoft and manually install it. The update can be found here.


Thursday, April 10, 2008

Comprehensive List of WSUS Error Codes

I came across a web page a long time ago that lists all(?) of the cryptic WSUS error codes, such as 0x0000041D. This is extremely helpful when troubleshooting WSUS logs and WindowsUpdate.log files. I've found that it's helpful for lots of other Microsoft products, as well! I saved it as a portable MHT file that you can download.

If I could remember where I found this, I would gladly give them credit.

Please to enjoy. WSUS Error Codes


Monday, April 7, 2008

Getting Exchange 2007 to work with SBC Yahoo DSL


First, let me say that SBC Yahoo is less than helpful with any assistance in configuring Exchange (any version) to work with their SMTP gateways. Really, I can't blame them too much because of the potential for their systems to be hammered with large quantities of email from businesses using a "home" level of service.

In any event, here's how to configure Exchange 2007 with Edge services to send email through SBC Yahoo's email servers.


Configure the outbound Send Connector

  • Logon to the server hosting the Hub Transport role

  • Open the Exchange Management Console (EMC)

  • Expand Microsoft Exchange\Organization Configuration\Hub Transport

  • Click the Send Connectors tab

  • Double-click your outbound SMTP connector to open its properties. Mine is named "EdgeSync - expta to the Internet"

  • Click the Network tab

  • Select "Route email through the following smart hosts" and click the Add button

  • Select "Fully qualified domain name (FQDN)" and enter smtpauth.sbcglobal.net as the smart host. I know that SBC says to use smtp.att.yahoo.com, but if that worked you wouldn't be reading this, would you? Click OK

  • Under "Smart host authentication" click the Change button

  • Select Basic Authentication (do not check Basic Authentication over TLS)

  • Enter your SBC username (i.e., username@pacbell.net) and SBC password. Click OK

Configure the Edge server to use port 587

  • Yes, yes, I know that SBC's documentation says SSL port 469, but trust me, it's 587...

  • On the Hub Transport server, open the Exchange Management Shell (EMS)

  • Type Get-SendConnector and make note of the name of the send connector you just configured. Again, mine is "EdgeSync - expta to the Internet"

  • Type Set-SendConnector "EdgeSync - expta to the Internet" -port 587 to change the port. Obviously, change the name in quotes to the name of your Send Connector.

  • Type Start-EdgeSynchronization to force a sync with the Edge server

Force the Send Connector to Retry

  • Open EMC on the Edge server and click Toolbox

  • Double-click Queue Viewer

  • On the Queues tab, select the outbound SMTP queue and click the Retry action

Notes: TLS is not the same thing as SSL. TLS creates a secure connection between servers, while SSL creates a secure connection between a client and a server. TLS is capable of reverting back to SSL 3.0 if TLS doesn't work, but this is not an RFC requirement. At the time of this writing, Microsoft's implementation of TLS does not revert to SSL.

You should also register your external email address with SBC Yahoo's email system. This will ensure that email from your external account won't be NDR'd back to you when you send it. See http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom-07.html


Thursday, April 3, 2008

Hyper-V Integration Components For Windows 2003 SP1


Well, kinda.

Big Red Disclaimer: The steps listed here are not supported by Microsoft (or me). I've tested it several times and have not found any issues. If it doesn't work for you - well, sorry.

The Integration Components for Hyper-V RC0 are only available for Windows XP 32-bit with SP3 or later, Windows Server 2003 with SP2 or later, Windows Vista 32-bit with SP1 or later, all versions of Windows Server 2008 and, just recently, Linux.

So what do you do if you want to virtualize a Windows 2003 SP1 server? After all, you may have a legacy application that won't run on SP2 and one of the hopes of virtualization is to move these servers off of dedicated hardware. Here's how to do it:

  • Gather your CDs. You'll need the following:
    • Windows 2003 Server CD (RTM or SP1 - make sure it doesn't have SP2 slipstreamed into it)
    • Windows Server 2003 SP2 upgrade CD or ISO (available here from Microsoft)
  • Create a new Windows 2003 virtual server using the Hyper-V New Virtual Machine Wizard
  • Upgrade the virtual machine to SP2 using the SP2 CD or ISO.
  • From the Hyper-V Action menu, insert the Integration Services Setup disk and install the Integration Components. The installation will require a restart when it's complete.
  • After the restart, uninstall Windows Server 2003 SP2 using Add or Remove Programs in Control Panel. The uninstall will warn you that KB943295 and the Integration Components may not work if you continue the uninstallation. Click Continue.
  • Restart the virtual machine to complete the uninstallation.

Now you have a Windows 2003 VM with SP1 which runs the Integration Components! You can use this base image to make as many servers as you like. Be sure to use a tool like NewSID to generate unique SIDs for each clone, otherwise you'll run into problems in a domain.

Note: I haven't tested this for Windows Server 2003 RTM, Vista RTM or Windows XP RTM/SP1/SP2, but I expect it will work. Please post a comment if you have success or failure.


Monday, March 31, 2008

Fix for Error 0x80004015 on WSUS Clients


When you try to start the Automatic Updates service on a computer you may encounter an error stating,

Could not start Automatic Updates service on the local computer. Error 0x8000415: The class is configured to run as a security id different from the caller

I've found that this is usually caused when the service was previously configured as Disabled via Group Policy.

When you configure a service startup mode in Group Policy (Computer Configuration\Windows Settings\Security Settings\System Services), Group Policy first has you configure the security of the service in the registry. The default security settings (before you configure it in the GPO) normally include Authenticated Users with Read and Start, Stop and Pause permissions. When you configure the service in Group Policy, Authenticated Users have no permissions. This prevents normal users from reconfiguring the service back to Automatic and starting it.

To fix this issue, set the service permissions so that Authenticated Users have Read and Start, Stop and Pause permissions on the service. This can be done the following ways:

  • To reconfigure the service in Group Policy, reconfigure the service startup type to Automatic and click the Edit Permissions button. Add Authenticated Users with Read and Start, Stop and Pause permissions. Run GPUPDATE on the client machine or restart it to get the new GPO settings.

  • Manually set permissions on the service using Regedit. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\wuauserv. Right-click wuauserv and select Permissions. Add Authenticated Users with Read permissions.

This tip applies to any other service configured via Group Policy.
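Before editing the GPO or the registry, it helps to see which of those rights Authenticated Users actually holds on the service. The script below is an added example, not from the original post: it reads the service's security descriptor with sc.exe and reports the missing bits. The SERVICE_* bit values are the documented ones from winsvc.h; which of them the Group Policy dialog bundles under its "Read" checkbox is my assumption.

```powershell
# Added example, not from the original post: reports whether Authenticated Users still holds the
# Read, Start, Stop and Pause rights on a service. It only reads the service's security descriptor.
# The bit values are the SERVICE_* access rights from winsvc.h; which bits the Group Policy dialog
# bundles into its "Read" checkbox is my assumption.
$ServiceRights = @{
    QueryConfig = 0x0001; QueryStatus = 0x0004; EnumerateDependents = 0x0008; Interrogate = 0x0080
    UserDefinedControl = 0x0100; ReadControl = 0x20000                      # the "Read" group
    Start = 0x0010; Stop = 0x0020; PauseContinue = 0x0040                   # Start, Stop and Pause
}
$AuthenticatedUsersSid = "S-1-5-11"

function Get-ServiceAccessMaskForSid([string]$ServiceName, [string]$Sid) {
    # sc.exe, not the "sc" alias for Set-Content. sdshow prints a blank line and then the SDDL string.
    $sddl = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }
    if (-not $sddl) { throw "Could not read the security descriptor of service '$ServiceName'" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = 0; $denied = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        if ($ace.AceType -eq "AccessAllowed") { $allowed = $allowed -bor $ace.AccessMask }
        if ($ace.AceType -eq "AccessDenied")  { $denied  = $denied  -bor $ace.AccessMask }
    }
    # A Deny entry wins over an Allow entry for the same bit
    return ($allowed -band (-bnot $denied))
}

function Test-ServiceReadStartStopPause([string]$ServiceName) {
    $have = Get-ServiceAccessMaskForSid $ServiceName $AuthenticatedUsersSid
    $missing = @()
    foreach ($right in $ServiceRights.Keys) {
        if (($have -band $ServiceRights[$right]) -eq 0) { $missing += $right }
    }
    if ($missing.Count -eq 0) {
        Write-Host "$ServiceName : Authenticated Users has Read, Start, Stop and Pause"
    } else {
        # This is the state a GPO-configured service is left in; expect error 0x80004015 on start
        Write-Host "$ServiceName : Authenticated Users is missing $([string]::Join(', ', [string[]]$missing))"
    }
    return ($missing.Count -eq 0)
}

Test-ServiceReadStartStopPause "wuauserv"   # Automatic Updates, the service from this post
```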


Tuesday, March 25, 2008

How to Enable RDP Remotely on XP Computers


In a previous article I explained how to enable Remote Desktop access on a remote computer.

I've noticed that these steps do not work on Windows XP computers. It turns out that you need to set two registry keys:
  • HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections should be changed from 1 to 0 (zero)
  • HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections should be changed from 1 to 0 (zero)

The first setting enables the RDP protocol on the computer to listen on TCP port 3389. The second setting allows users to log in via Remote Desktop. Both settings go into effect immediately and do not require a restart.

Note: If the second setting is not changed to 0 you will get a logon message saying, "Unable to log you on because of an account restriction." You will also get this same logon message if you attempt to log on via RDP with an account that has a blank password. The account you use must have a password to log on using Remote Desktop.

I wrote a batch file that will easily enable or disable Remote Desktop on a remote machine. The syntax is: RDP [computername] [ON | OFF]. Copy the code below and save it as RDP.BAT somewhere in your system path (I use C:\Windows).

---Begin Code---

@echo off
REM RDP.BAT - enable or disable Remote Desktop on a remote computer
REM Syntax: RDP [computername] [ON | OFF]
if "%1"=="" goto Syntax
SET RemoteComputer=%1
REM Strip any backslashes so both "server" and "\\server" work
SET RemoteComputer=%RemoteComputer:\=%
if /i "%2"=="on" goto EnableRDP
if /i "%2"=="off" goto DisableRDP
goto Syntax

:EnableRDP
REM Policy key: lets the RDP listener start on TCP port 3389
REM "IF ERRORLEVEL 1" is true when REG returns 1 or higher, i.e. on failure
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL 1 goto Error
REM Control key: lets users log on through Remote Desktop
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if ERRORLEVEL 1 goto Error
echo.
echo Remote Desktop has been enabled on %RemoteComputer%
goto End

:DisableRDP
REG ADD "\\%RemoteComputer%\HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL 1 goto Error
REG ADD "\\%RemoteComputer%\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
if ERRORLEVEL 1 goto Error
echo.
echo Remote Desktop has been disabled on %RemoteComputer%
goto End

:Error
echo.
echo ======================================================================
echo Make sure the remote computer is online and you have sufficient rights
echo to modify its registry.
echo ======================================================================
echo.
goto End

:Syntax
echo.
echo RDP enables or disables Remote Desktop on a remote computer
echo Visit http://www.expta.com for details
echo.
echo RDP [computername] [ON ^| OFF]
echo.
echo ON - Enable RDP on the remote computer
echo OFF - Disable RDP on the remote computer
echo.

:End
SET RemoteComputer=

---End Code---

Note that if Group Policy is configured to disable Remote Desktop (Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Allow users to connect remotely using Terminal Services) the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections setting will revert back to 1 after a Group Policy refresh.


Thursday, March 20, 2008

Configuring Virtual Directories with Directory Browsing in IIS7

A website that uses directory browsing is a convenient way to display the files and folders in a directory using a web browser. An example of this is demonstrated here.

To configure directory browsing in IIS6, you simply enable the Directory Browsing checkbox on Home Directory tab of the virtual directory. If you want to configure it so that users are required to authenticate to access the virtual directory, you disable anonymous access, enable Basic Authentication and configure the appropriate NTFS permissions on the target folder.

It's slightly different in IIS7 since IIS7 introduces the concept of delegated administration. This means that you can have the IIS configuration in web.config files which reside in the virtual directory. IIS has to read these config files very early in the connection attempt, i.e. when there is no authenticated user available yet. For this reason IIS has to use the process identity (usually Network Service) to read the web.config file.

To configure a virtual directory for directory browsing in IIS7:

  • Create or select the virtual directory in Internet Information Services (IIS) Manager
  • Double-click Authentication and select the appropriate authentication methods for the Vdir (default is Anonymous)
  • Select the Vdir again and double-click Directory Browsing. Click the Enable action
  • Right-click the Vdir and select Edit Permissions. Configure the NTFS permissions for the target folder and ensure that Network Service has read access to the folder

If you don't grant the Network Service account read rights on the Vdir, you'll get the following error when accessing it:

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.
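A quick way to catch that mistake before the 500 shows up, as an added example that is not from the original post: check that the worker process identity can read the target folder and the delegated web.config in it. The folder path is an assumption; Network Service is IIS7's default application pool identity, as the post says.

```powershell
# Added example, not from the original post: verifies that the IIS7 process identity can read
# the virtual directory's folder and its web.config. The folder path is an assumption.
$TargetFolder    = "C:\inetpub\wwwroot\files"          # physical path of the Vdir (assumed)
$ProcessIdentity = "NT AUTHORITY\NETWORK SERVICE"      # default DefaultAppPool identity in IIS7

function Test-PathReadableBy([string]$Path, [string]$Identity) {
    # ReadData on a file is the same bit as ListDirectory on a folder, which is what both need
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -Path $Path
    $allowed = $false; $denied = $false
    # Get-Acl returns explicit and inherited entries; only entries naming the identity itself
    # are considered here, rights it gets through group membership (Users, SERVICE) are not
    foreach ($rule in $acl.Access) {
        if ($rule.IdentityReference.Value -ne $Identity) { continue }
        if (([int]$rule.FileSystemRights -band $readData) -eq 0) { continue }
        if ($rule.AccessControlType -eq "Allow") { $allowed = $true }
        if ($rule.AccessControlType -eq "Deny")  { $denied  = $true }
    }
    return ($allowed -and -not $denied)
}

# Check the folder itself and, when present, the web.config IIS has to read before any user is known
$paths = @($TargetFolder)
$config = Join-Path $TargetFolder "web.config"
if (Test-Path $config) { $paths += $config }
foreach ($p in $paths) {
    if (Test-PathReadableBy $p $ProcessIdentity) {
        Write-Host "OK   $ProcessIdentity can read $p"
    } else {
        Write-Host "FAIL $ProcessIdentity cannot read $p - expect '500 - Internal server error'"
    }
}
```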
