June 2008 - Posts

Almost everyone has, at one time or another, wished they could have multiple copies of Outlook running at the same time. After all, opening another mailbox as an additional mailbox within Outlook doesn't give you new-mail toast notifications, calendar reminder pop-ups, etc. for that mailbox.

The standard answer has always been "run Outlook for your primary mailbox and use OWA for all the other mailboxes", which works; but well, OWA just isn't Outlook.

That's still the official answer.

However, early this year a hacker known as "H.O.G." (for HammerOfGod) released a tool called ExtraOutlook. This tool actually modifies the Outlook executable so that Outlook does NOT check whether another instance of Outlook is already running.

If you run no Outlook add-ins, this is a great tool and it works really well.

However, it confuses quite a number of add-ins (such as Xobni) that expect to open the one "default MAPI profile" and instead find two (or more) running Outlook instances attached to it.

I'm sure that modifying the Outlook executable puts you straight in the "not supported" arena as well (and you are trusting a third party's binary patch to the program that holds your mail and runs with your credentials). But if you need the tool - you probably don't care.  :-)

Give it a go. No promises, but it has worked for me.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 3 comment(s)
Filed under:

I was recently (ok, this morning) trying to find out about a VBScript (actually WMI) error that I was getting, with little success. However, in doing so, I found this forum posting: http://www.tutorials-win.com/WindowsServer/Services-Windows/

This irritates me a great deal. Mathieu Chateau, whoever he is, has taken one of my scripts and claimed the credit for it.

I originally published that script in 2006, in my blog posting Finding Services Using non-System Accounts. I am MORE than happy that people use it. And I'm MORE than happy that other people recommend it. But doing so without giving proper credit is just wrong. If I could've located an e-mail address for him, I would've written him a scathing e-mail.

grrr....
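For anyone who has not seen the script being argued over, here is an added PowerShell example of the same check (mine, written for this page; not the 2006 script itself): it asks WMI for every service and reports the ones whose logon account is something other than the three built-in system accounts. The remote-computer parameter and the list of built-in account spellings are my assumptions.

```powershell
# Added example (mine, not the 2006 script): list services that log on with something other
# than the built-in system accounts. WMI's Win32_Service exposes the logon account as StartName.
function Get-NonSystemServiceAccounts {
    param([string]$ComputerName = '.')   # remote queries need admin rights and DCOM/RPC access

    # Spellings Win32_Service uses for the three built-in accounts (comparison is case-insensitive)
    $builtin = @(
        'LocalSystem',
        'NT AUTHORITY\LocalSystem',
        'NT AUTHORITY\LocalService',    'NT AUTHORITY\LOCAL SERVICE',
        'NT AUTHORITY\NetworkService',  'NT AUTHORITY\NETWORK SERVICE'
    )

    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object {
            $_.StartName -and
            ($builtin -notcontains $_.StartName) -and
            ($_.StartName -notlike 'NT SERVICE\*')   # per-service virtual accounts (2008 R2+), no stored credential
        } |
        Select-Object @{n='Computer'; e={ $_.SystemName }},
                      Name, DisplayName, StartName, StartMode, State, PathName |
        Sort-Object StartName, Name
}

# Local machine by default; pass -ComputerName to inventory a server from your workstation
Get-NonSystemServiceAccounts | Format-Table -AutoSize
```

Why the list matters: the password of every account it reports is stored on that machine as an LSA secret that any local administrator can recover, so this is also the list of places where a domain credential can be harvested, which is why the script is worth running on more than just the box in front of you.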

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | with no comments
Filed under:

I don't often just link to another blog posting for MY blog posting, but this one deserves it. It's not new, but last year fellow Exchange MVP Glen Scales wrote a script that exports large mailboxes to ANSI PSTs.

It does this by copying each item in a source mailbox to a destination PST; when the destination PST gets too big (around 1.8 GB, safely under the 2 GB ANSI ceiling) that PST is closed and a new one is opened. So a mailbox of 10 GB would take 6 PSTs to dump.

In the past, the only real ways to handle this with ANSI PSTs were to manually configure a date range for archiving, or to selectively export specific folders. This is a real win!

So, see Glen's post: Exporting a mailbox larger then 2 GB and spanning it across multiple PST files with a script.
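To make the copy-until-full-then-roll-over loop concrete, here is an added PowerShell example driven through the Outlook object model. It is my illustration for this page, not Glen's script: it handles a single folder rather than a whole mailbox, the folder path, output directory and 1.8 GB threshold are assumptions, and it needs Outlook 2007 (it uses Folder.Store and Store.FilePath, which earlier versions do not have).

```powershell
# Added example, not Glen Scales' script: copy one Outlook folder into a series of ANSI PSTs,
# closing each PST once the copied item sizes approach the 2 GB ANSI ceiling.
# Requires Outlook 2007 (uses Folder.Store / Store.FilePath). Paths and limits are assumptions.
param(
    [string]$SourceFolderPath = 'Mailbox - Test User\Inbox',   # assumed profile folder path
    [string]$OutputDir        = 'C:\PSTExport',                # assumed output directory
    [long]  $MaxBytesPerPst   = 1.8GB                          # roll over well under 2 GB
)

$olStoreANSI = 3   # OlStoreType.olStoreANSI (Outlook 97-2002 format)

# Walk "Root\Sub\Sub" through the MAPI namespace to an Outlook Folder object
function Get-OutlookFolder($ns, [string]$path) {
    $parts  = $path -split '\\'
    $folder = $ns.Folders.Item($parts[0])
    for ($k = 1; $k -lt $parts.Length; $k++) { $folder = $folder.Folders.Item($parts[$k]) }
    return $folder
}

# Create (or open) export-NNN.pst as an ANSI store and return its root folder
function Open-SpanPst($ns, [string]$dir, [int]$index) {
    $pstPath = Join-Path $dir ('export-{0:D3}.pst' -f $index)
    $ns.AddStoreEx($pstPath, $olStoreANSI)
    return $ns.Folders | Where-Object { $_.Store -and $_.Store.FilePath -eq $pstPath }
}

$ol  = New-Object -ComObject Outlook.Application
$ns  = $ol.GetNamespace('MAPI')
$src = Get-OutlookFolder $ns $SourceFolderPath
if (-not (Test-Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }

$pstIndex = 1
$pstRoot  = Open-SpanPst $ns $OutputDir $pstIndex
$dest     = $pstRoot.Folders.Add($src.Name)
$bytes    = [long]0
$items    = $src.Items

for ($i = 1; $i -le $items.Count; $i++) {
    $item = $items.Item($i)
    # Item.Size is approximate, which is one reason to stop at 1.8 GB rather than 2 GB
    if ($bytes -gt 0 -and ($bytes + $item.Size) -gt $MaxBytesPerPst) {
        $ns.RemoveStore($pstRoot)                       # close the full PST
        $pstIndex++
        $pstRoot = Open-SpanPst $ns $OutputDir $pstIndex
        $dest    = $pstRoot.Folders.Add($src.Name)
        $bytes   = [long]0
    }
    # Copy() then Move() so the original stays in the mailbox; Move returns the moved item
    $item.Copy().Move($dest) | Out-Null
    $bytes += $item.Size
}

$ns.RemoveStore($pstRoot)
Write-Host ("Exported {0} items into {1} PST file(s) under {2}" -f $items.Count, $pstIndex, $OutputDir)
```

Run it from a PowerShell session on the workstation where the Outlook profile lives (Outlook itself may prompt about programmatic access). Item.Size undercounts what actually lands in the file, so do not raise the threshold much closer to 2 GB than this.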

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 1 comment(s)
Filed under: , ,

On Exchange Server 2007, especially post Service Pack 1 (I ran into this problem while installing Service Pack 1 Update Rollup 2), some of the assemblies (that is, parts of the various Exchange programs) are signed with Authenticode. Authenticode is Microsoft's code-signing scheme, built on a public key infrastructure (PKI): each binary carries a digital signature that lets you verify it came from Microsoft and has not been tampered with since it was signed.

At this moment, you are either thinking "So what?" or "Sounds like a good idea."

Personally, I'm in the "sounds like a good idea" camp. But I'm not sure that the concept is fully baked.

Consider this: part of any PKI is a way to indicate when a particular key is no longer valid. Without going into too many PKI details, a signer's public key is packaged together with its owner's identity in a "certificate", and one of the things you do when checking a certificate is see whether it is listed on a CRL - a certificate revocation list - published by the authority that issued it.

The first time a signed managed assembly loads, the .NET runtime verifies its Authenticode signature (to build "publisher evidence" for the assembly), and part of verifying the signature is checking that the signing certificate has not been revoked. How does Windows do that? By downloading the CRL from the URL embedded in the certificate - at Microsoft. Specifically, http://crl.microsoft.com/pki/crl/products/CSPCA.crl.

Even if you are in the "sounds like a good idea" camp, you may be asking "what's wrong with that"?

So I'll tell you - many environments do not allow their mailbox servers to talk to the Internet (just to the hubs and to clients on specific networks). Many environments do not allow their hub transport servers to talk to the Internet (just to the mailbox, client access, and e-mail gateway servers). Etc., etc. In fact, controlling and minimizing access to specific servers using IPsec has long been considered a best practice.

But that no longer works with Exchange Server 2007. When you install Rollup 2 on a mailbox server that cannot reach the Internet, the "Microsoft Exchange Service Host" service will fail to start. It simply times out waiting on that CRL download. No error messages. No log messages. Nothing.

I suspect that it could be any Exchange service that has this problem. This was just the one I happened to run into.

Debugging this was painful. Eventually, after a couple of hours, you run "netstat -an", see a connection sitting in SYN_SENT to crl.microsoft.com, say WTF???!!!, and then you can start backtracking. This is not really documented directly (that is, that an Exchange server has to be able to access the Internet), but there is some information in KB 944752.

You may also find that if you are using a non-NAT proxy this doesn't work for you either. More on that in my next blog post.

Bottom line: after installing patches on your Exchange server, the patched services will have to "check in at home" before they will start, and you'll have to enable Internet access (at least to crl.microsoft.com over port 80) for that to happen. After they've "checked in", you can disable Internet access again - until the cached CRL expires, at which point the next service start will try to fetch it again.

What a management nightmare.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Update on June 19, 2008: for those folks who want at least some of their Exchange servers to be fully isolated from the Internet, there is a workaround. See KB 936707, which describes the generatePublisherEvidence setting in a .NET application's .exe.config file; with it disabled, the runtime does not verify the Authenticode signature when it loads the assembly, so no CRL lookup is attempted. However, an easier (and apparently undocumented) workaround is to put crl.microsoft.com in your local hosts file - and point it to localhost (127.0.0.1)! That works because the connection to 127.0.0.1 gets an immediate answer (a refused connection, or an error from a local web server) instead of a long TCP timeout, so the revocation check gives up at once and the service starts. Keep in mind that it also defeats every CRL lookup against that host on the box, not just Exchange's, and it does not reappear in any audit of your .config files.
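The two halves of this, as an added PowerShell example (mine, following the approach in KB 944752 rather than copying it): first a check that shows the symptom, a half-open connection to crl.microsoft.com in "netstat -an"; then a function that writes the generatePublisherEvidence setting into a service's .exe.config, creating the file if it does not exist. The install-path registry value and the list of executables to patch are assumptions; the post only names the Service Host.

```powershell
# Added example, following KB 944752's approach but not copied from it:
#  Find-CrlSynSent            - list half-open (SYN_SENT) connections to crl.microsoft.com
#  Disable-PublisherEvidence  - put <generatePublisherEvidence enabled="false"/> into an .exe.config,
#                               which stops the CLR verifying the Authenticode signature (and so
#                               fetching the CRL) when it loads the executable.
# The MsiInstallPath registry value and the executable list are assumptions for this example.

function Find-CrlSynSent {
    $addrs = @()
    try { $addrs = [System.Net.Dns]::GetHostAddresses('crl.microsoft.com') | ForEach-Object { $_.ToString() } }
    catch { Write-Warning 'crl.microsoft.com does not resolve here; listing every SYN_SENT to port 80 instead' }

    netstat -an | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Length -ge 4 -and $f[0] -eq 'TCP' -and $f[3] -eq 'SYN_SENT') {
            $remoteHost = $f[2] -replace ':\d+$', ''
            $remotePort = $f[2] -replace '^.*:', ''
            if (($addrs -contains $remoteHost) -or ($addrs.Count -eq 0 -and $remotePort -eq '80')) { $_.Trim() }
        }
    }
}

function Disable-PublisherEvidence([string]$ConfigPath) {
    if (Test-Path $ConfigPath) {
        Copy-Item $ConfigPath ($ConfigPath + '.bak') -Force       # keep the original
        [xml]$xml = Get-Content $ConfigPath
    } else {
        [xml]$xml = '<configuration/>'                             # no config yet: start a minimal one
    }
    $cfg     = $xml.DocumentElement
    $runtime = $cfg.SelectSingleNode('runtime')
    if (-not $runtime) { $runtime = $cfg.AppendChild($xml.CreateElement('runtime')) }
    $gpe = $runtime.SelectSingleNode('generatePublisherEvidence')
    if (-not $gpe) { $gpe = $runtime.AppendChild($xml.CreateElement('generatePublisherEvidence')) }
    $gpe.SetAttribute('enabled', 'false')
    $xml.Save($ConfigPath)
    Write-Host "generatePublisherEvidence disabled in $ConfigPath"
}

# Show the symptom, then fix the service the post ran into
Find-CrlSynSent
$bin = Join-Path (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Exchange\Setup').MsiInstallPath 'Bin'
foreach ($exe in @('Microsoft.Exchange.ServiceHost.exe')) {
    Disable-PublisherEvidence (Join-Path $bin ($exe + '.config'))
}
# Restart the service afterwards. The signature on the binary is untouched and still verifiable:
Get-AuthenticodeSignature (Join-Path $bin 'Microsoft.Exchange.ServiceHost.exe') | Select-Object Status, SignerCertificate
```

The config change is per executable and survives reboots, which makes it a better fit for a permanently isolated server than the hosts-file trick; the trade-off is that the runtime no longer confirms the binary's signature at load, so you should be checking those signatures some other way (the Get-AuthenticodeSignature call at the end is one).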

Posted by michael | 2 comment(s)
Filed under: ,

Sorry for the dead-silence this past week...between meetings and parties and certification tests and working and talking....it was a busy time at Tech-Ed.

(One of my editors is peeved at me - I missed a chapter deadline too!) :-(

So, I'm just going to ramble on here for a bit...

Lots of folks say that Orlando in June is just "too hot". I guess that depends on where you are coming from. I flew down from Virginia, and I think that it was cooler in Orlando than it was in Virginia - of course, Virginia was going through a "heat wave". But I found Orlando quite comfortable for the entire week.

However - when I was doing my daily run (ok, it's a jog - I do about three and a half miles a day and it takes me 45 minutes - you can figure out that I'm slow!) - there is no question that the humidity was higher. I always sweat - but not quite so much as I did there!

On Monday night, I met with an editor from O'Reilly Media plus a whole bunch of Active Directory folks - collectively "Team A/D" for O'Reilly (those that were present at Tech-Ed anyway). I'm doing tech review on a couple of A/D books these days. There were some old faces and some new faces - a really good time with a bunch of geeks. Speaking of geeks - expect to hear about GEEC '09 this week from those fine folks at NetPro who bring you DEC (Directory Experts Conference).

Tech-Ed itself ran Tuesday through Friday. I won't bore you with what you've probably already read elsewhere.

But, as expected, Windows Server 2008 was the big news, along with IIS 7.0 and SQL Server 2008. Nothing surprising there. Hyper-V, of course.

I spent a lot of time talking about deployments, upgrades, and migrations with lots of customers. I think the message behind read-only DCs and Server Core has confused a bunch of folks; as has the "story" behind Hyper-V. Many people thought that with Server Core coming they HAD to use it. And lots of folks didn't understand that Server Core doesn't support the .NET Framework (and thus it doesn't support PowerShell or the .NET extensions to IIS 7.0!).

Most folks also didn't understand that Hyper-V doesn't do much by itself - it takes an OS layered on top of it. Oh! And NT 4.0 is NOT supported on Hyper-V. That doesn't mean it doesn't work - but it isn't supported (ok ok - NT 4 isn't officially supported anyway - but this means that the Hyper-V folks have not "qualified" NT 4.0 to work properly on Hyper-V - if you want that, you have to stay with Virtual Server 2005).

During one of my talks about upgrade/migration, I went through the entire set of domain functional levels, forest functional levels, Exchange functional levels, and how Outlook functionality was impacted. My head hurt by the time I was done with that talk. It is downright confusing by this point.

I was able to meet and talk with the folks from AppAssure, who have a killer product in their Replay for Exchange. I hope to talk more about that in the future.

I met with the VP from Wiley/Sybex who signed me up for the book I'm working on right now. Unfortunately, I was never able to connect with my current editor for the book. :-(

I also had the fine fortune to be able to meet with Tony Davis of the Simple-Talk online journal. I hope to be able to start doing some work with him soon.

Unfortunately, I didn't get to meet with any of my contacts with Penton Media (the Windows IT Pro/Outlook IT Pro) folks, and Diane from EMO wasn't able to come to Tech-Ed this year.

There were lots of new products and lots of old products. I was shocked to see Syncsort. For no reason whatsoever, really. I can just remember using them in my mainframe days, over 20 years ago....they are still alive and well. I didn't know they had made the transition to client/server.

I took six certification tests while I was there. They offer Tech-Ed attendees a discount for taking tests onsite: $50 per test. So instead of $750 for those tests, I only paid $300. I wasn't able to schedule the final one I need: 70-620 (Vista) because of scheduling conflicts but once I take that one (week after next, I think), I'll also finish up the two Windows Server 2008 MCITP certifications. I'm already "MCITP: Enterprise Messaging Administrator", those two will add "MCITP: Enterprise Administrator" and "MCITP: Server Administrator".

I'm looking forward to the class-work for the Microsoft Certified Master programs. I hope they will fit in the budget of a self-employed consultant! (Check here if you haven't heard about the Master's programs: http://www.microsoft.com/learning/mcp/master/products/default.mspx#EZ).

After the conference I hung around Orlando for a couple of extra days just to relax. It was a good time. I look forward to it next year.

Enough rambling for today. I best go try to bill a few hours tonight to help pay for this trip!

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | with no comments
Filed under: ,

Later this afternoon I'll be hopping in my car and heading for the airport to travel to Orlando for Tech-Ed 2008 IT Pro.

I'll be part of "ask the experts". I signed up for Exchange and PowerShell - somehow I ended up in Server 2008??!!

Come by and say "hi"!

Posted by michael | with no comments

One of the mailing lists I read and occasionally post on is named ActiveDir. A lot of heavy hitters in the AD world hang out there. I've learned quite a bit by lurking there.

A recent poster had wanted to create a few thousand accounts for testing purposes, and have them all follow a certain format for the samaccountname, the mailnickname, and the e-mail address. That's tough to do with the standard tools (if you are on Exchange 2007, with "new-mailuser" this can be done in a couple of lines of PowerShell, but the poster was on Exchange 2000).
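For completeness, here is the Exchange 2007 version of the same job as an added PowerShell example (mine, not from the list thread). It uses New-Mailbox, since these are mailbox-enabled accounts homed on a server; New-MailUser would create mail-enabled users with no mailbox. The OU, UPN suffix, database name and naming pattern are assumptions, chosen to match the examples later in this post.

```powershell
# Added example (not from the ActiveDir thread): bulk-create mailbox-enabled test users on
# Exchange 2007 with one cmdlet per user. OU, UPN suffix, database and naming pattern are assumptions.
function New-TestMailboxes {
    param(
        [string]$OrganizationalUnit = 'essential.local/OUtest',
        [string]$UpnSuffix          = 'essential.local',
        [string]$Database           = 'WIN2003-EXCH\First Storage Group\Mailbox Database',
        [string]$Suffix             = '_Test',
        [int]   $Start              = 23001,
        [int]   $Count              = 4
    )
    # Prompt once rather than embedding the password in the script
    $password = Read-Host -AsSecureString 'Initial password for the test accounts'

    $Start..($Start + $Count - 1) | ForEach-Object {
        $name = "$_$Suffix"                       # 23001_Test, 23002_Test, ...
        New-Mailbox -Name $name -Alias $name -SamAccountName $name `
            -UserPrincipalName "$name@$UpnSuffix" `
            -OrganizationalUnit $OrganizationalUnit `
            -Database $Database `
            -Password $password `
            -ResetPasswordOnNextLogon $true
    }
}

# Run from the Exchange Management Shell
New-TestMailboxes -Count 40
```

New-Mailbox creates the AD user, sets the password, enables the account, and stamps the mail attributes in one step, which is what the admod and ADSI versions below have to do by hand (and why the RUS aside below is needed on Exchange 2000/2003).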

Joe Richards ('joe'), author of admod and adfind (two truly invaluable tools - if you don't have them, get them), said that his admod tool was perfect for this, and offered up the following command line:

admod -add -autobase 40:cn=Test,ou=test,dc=eng,dc=myco,dc=com -counterstart 23001 -bmod cn={{*cnt*}}_{{*name*}},{{*parent*}} -expand -csv -kerbenc samaccountname::{{*cnt*}}_{{*name*}} mailnickname::{{*cnt*}}_{{*name*}} unicodepwd::MyPassword1! objectclass::user useraccountcontrol::512 msExchHomeServerName::"::"/o=Org/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=mail1"

So the basic assumption here is that 40 users are going to be created in a particular OU. The users' names are going to be of the format 230xx_Test; the accounts are going to be enabled, have a password set, have a mailnickname set, and have a particular Exchange server set.

(By the way - setting mailnickname and msExchHomeServerName is enough to make the Recipient Update Service (RUS) stamp the rest of the mail attributes on a user object on Exchange 2000 and Exchange 2003. It's not documented. SSSssshhhhh.)

What can you say? That's an amazing command line. But in his post, joe made a negative comment about PowerShell, so I had to respond. (Completely friendly rivalry there...)

Here is PowerShell code to do the same thing. As I shared in my response post - it's a few lines longer, but much easier to read!!! (If you wanted to do it all on one line - you could - but it would be impossible to read.)

function createUsers([string]$base,[string]$userPrefix,[string]$userSuffix,[string]$homeServer,[string]$password,[int]$baseCount,[int]$count)
{
	# Bind to the container (OU) that will hold the new accounts
	$objBase = [adsi]('LDAP://' + $base)
	[int]$top = $baseCount + $count
	for ([int]$i = $baseCount; $i -lt $top; $i++)
	{
		# Account names look like 23001_Test, 23002_Test, ...
		[string]$user = $userPrefix + $i.ToString() + $userSuffix
		$objUser = $objBase.Create("user", "cn=" + $user)
		$objUser.Put("sAMAccountName",       $user)
		$objUser.Put("mailNickName",         $user)
		$objUser.Put("msExchHomeServerName", $homeServer)
		# The object has to exist in the directory before a password can be set on it
		$objUser.SetInfo()
		# ADSI SetPassword uses LDAP over SSL or Kerberos, never cleartext LDAP. New accounts
		# are created disabled, so enable them afterwards (userAccountControl 512 = NORMAL_ACCOUNT)
		$objUser.psbase.Invoke("SetPassword",           $password)
		$objUser.psbase.InvokeSet("useraccountcontrol", 512)
		$objUser.psbase.CommitChanges()
	}
	$objBase = $null
}

# Test accounts only - don't embed real passwords in scripts like this
createUsers 'ou=OUtest,dc=essential,dc=local' '' '_Test' `
	'/o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=WIN2003-EXCH' `
	'MyPassword1!' 23001 4

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Exchange has caught a lot of crap for publishing the fact that it doesn't work in branch office locations where only Windows Server 2008 read-only domain controllers (RODCs) are available. Exchange simply requires read-write domain controllers. It's a fact.

However, it's been a poorly kept secret that Windows XP and Windows Server 2003 don't work well either in branch locations with only RODCs. You have needed Vista or Windows Server 2008 in those locations for everything to be happy.

Until now: Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients. KB 944043 fixes many of the issues with Windows XP (service pack 2 or service pack 3 only) and Windows Server 2003 (service pack 1 and service pack 2).

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | with no comments

If you want to write client applications that use MAPI or CDO and run them on computers (for example, web servers) where you don't want to install (or can't install) either the Outlook client or the Exchange management tools, then you need to install the MAPI/CDO libraries.

These were released just last week for Windows Server 2008 and Windows Vista. You can get them here.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | with no comments
Filed under: ,

We consultants help each other out, of course. I know Exchange and Active Directory pretty well, but put me in front of Citrix or a big T/S farm or a PKI implementation - heck, I'll scream for help without any qualms whatsoever.

So, a consultant I share favors with called me this week - quite perplexed.

He was working at a company that was doing a hardware migration - Exchange Server 2003 to Exchange Server 2003, same version on new hardware. They had a 50 GB store and a few hundred mailboxes.

This company had an onsite junior technician who wanted to help out, so my comrade-in-arms had given this junior tech a list of things to do, in order to prepare for the migration. Off the junior tech went to do them...

...and he came back and said "all done, but would you move the mailboxes? I don't feel comfortable with that...."

So....a couple hundred mailboxes moved later, and no more mailboxes would move. <scratch head>

Outlook connects, but no e-mail is being delivered to or from those folks who have been moved. <scratch head some more>

<investigate, investigate, investigate>

<give up>

<IM Michael on MSN Messenger...hey dude....>

So I remote in, and five minutes later, I'm laughing so hard I almost split a gut.

The instructions my friend had given the junior tech. included how to install Exchange Enterprise and to install service pack 2.

Well, the junior tech couldn't find the media for service pack 2. So, almost correctly, the junior tech assumed he could just install Exchange Standard and set the registry value that lets Standard Edition support a larger mailbox store.

So that's what he did. A perfectly good Exchange Standard install, and he set "Database Size Limit in GB" to 75 - no problem for a 50 GB store.

BUT....(you knew this was coming, right?)

....wait for it....

he forgot to install service pack 2

So the store would mount...say oops! too big (without SP2, Standard Edition is still hard-limited to 16 GB and that registry value is simply ignored)...dismount.

Lather, rinse, repeat.

The moral of the story? Well, I guess there are a couple:

1) Trust...but verify - ensure that what you think was done was actually done. Like Gregory House says, "People always lie." I would add - even when they don't mean to (it isn't always malicious).

2) Use your event log. If it is telling you things that don't make sense - see moral 1. Occam's Razor almost always applies.

3) It's ok to ask your friends for help. :-)
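Morals 1 and 2 as a script: an added PowerShell example (mine, not something from the story) to run on an Exchange 2003 server that checks whether store.exe is actually at the SP2 build, what "Database Size Limit in GB" values have been configured per database, and what the store has been logging about size. The install-path registry value is the one Exchange 2003 setup writes; the SP2 build number (6.5.7638) is the one to expect if SP2 really went on. It does not detect Standard versus Enterprise edition.

```powershell
# Added example, not from the post: "trust but verify" for the Exchange 2003 size-limit story.
# Registry locations are the Exchange 2003 ones; the SP2 store.exe build is 6.5.7638.
function Get-ExchangeStoreLimitStatus {
    # 1. Is store.exe at SP2 level? "Database Size Limit in GB" means nothing before SP2.
    $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Exchange\Setup'
    $v     = (Get-Item (Join-Path $setup.Services 'bin\store.exe')).VersionInfo
    $isSp2 = ($v.FileMajorPart -eq 6 -and $v.FileMinorPart -eq 5 -and $v.FileBuildPart -ge 7638)

    # 2. What limits have been configured per database? (Private-<GUID> / Public-<GUID> keys)
    $isKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$env:COMPUTERNAME"
    $limits = Get-ChildItem $isKey |
        Where-Object { $_.PSChildName -like 'Private-*' -or $_.PSChildName -like 'Public-*' } |
        Select-Object @{n='Database';          e={ $_.PSChildName }},
                      @{n='ConfiguredLimitGB'; e={ (Get-ItemProperty $_.PSPath).'Database Size Limit in GB' }}

    # 3. Has the store been saying anything about size? (moral 2: read the event log)
    $sizeEvents = Get-EventLog -LogName Application -Newest 500 |
        Where-Object { $_.Source -eq 'MSExchangeIS' -and $_.Message -match 'size|limit' } |
        Select-Object TimeGenerated, EventID, Message

    New-Object PSObject |
        Add-Member NoteProperty StoreVersion ('{0}.{1}.{2}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart) -PassThru |
        Add-Member NoteProperty IsSP2 $isSp2 -PassThru |
        Add-Member NoteProperty ConfiguredLimits $limits -PassThru |
        Add-Member NoteProperty RecentSizeEvents $sizeEvents -PassThru
}

$status = Get-ExchangeStoreLimitStatus
$status | Format-List StoreVersion, IsSP2
$status.ConfiguredLimits | Format-Table -AutoSize
foreach ($l in $status.ConfiguredLimits) {
    if ($l.ConfiguredLimitGB -and -not $status.IsSP2) {
        Write-Warning ('{0}: a limit of {1} GB is configured, but without SP2 the store ignores it' -f $l.Database, $l.ConfiguredLimitGB)
    }
}
$status.RecentSizeEvents | Format-Table -AutoSize -Wrap
```

In the story above, this would have printed a store.exe build below 7638 next to a 75 GB limit and thrown the warning, which is the five-minute answer without anyone needing to remote in.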

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Posted by michael | 1 comment(s)