Thursday, December 31, 2009

Leave your next job interview in a blaze of glory! Become the interviewer!

It's nearly the new year! It's nearly a new decade! Are you going to be looking for a new job? You might need some tips for how to interview the interviewer.

I just read this great article over at TheLadders.com concerning how to "Walk Out of Your Job Interview in a Blaze of Glory". In it are some great questions that you could ask the interviewer when you get the nearly inevitable question "Is there anything you'd like to ask me?"

Here are some samples from the article that stood out to me:


  • Why is this position vacant?
  • How will I know that I have met your goals?
  • How will my performance be evaluated, and how often?
  • Will I be hearing from you or should I contact you?


And for the really daring among you:

  • Do you see any gaps in my qualifications that I need to fill?
  • Now that you’ve had a chance to meet and interview me, what reservations would you have in putting me in this position? (Ask it! I dare you!!)

Have a look at the article and decide for yourself if you dare be made memorable as the one who made the hiring manager stutter. If nothing else, they'll remember you. But will it be for the right reasons? I personally think it would be. What do you think? What was the craziest thing you've asked an interviewer? Did it work like you wanted it to?

Tuesday, December 22, 2009

What Exchange 2007 Service Pack am I running?

This blog post has been permanently moved to my new blog at www.TheNubbyAdmin.com. You can find this specific post here: What Exchange 2007 Service Pack am I running?

Wednesday, December 16, 2009

List of Portable Cooling Units

While perusing through the IT magazine "Processor", I discovered a listing of portable air conditioning units. I don't seem to find myself working in the midst of the most refined IT infrastructures, so I figured this list would come in handy the next time I find myself tasked with managing a broom closet-turned-server-room. For those situations in which you find yourself a little "cold-air-challenged", have a look at the following list (as usual, any suggestions will be appreciated and I will continue to update this list when I find more options):


Exactly what the domain sounds like. They even have a subsection entirely dedicated to "Server Coolers".

Exactly what the domain does not sound like. Topaz builds portable air conditioners. Period. Air cooled, or water cooled, they've probably got what you need. They are a part of TempAir Inc. which is ironically located in Minnesota, USA. Not exactly a place that you would think needs much cooling.


Yet another domain that doesn't exactly scream "We sell portable cooling units!!" Quite possibly the most thorough product offering of the portable A/C (and heating and dehumidifying!) manufacturers, they have units that are air-cooled, water-cooled, mobile (like, hauled-behind-a-pickup-truck kind of mobile), evaporative coolers, split systems, minis and ceiling mount units.


Make sure to check out the ones that evaporate their condensation so that you 1) don't have to change out the condensation tray as often, if ever, and 2) don't dry out your server room too much.

No discussion of environmental management is complete without mentioning APC. Specifically, APC's NetworkAIR Portable units.

They provide much, much more than simply air conditioning units; however, units of note include:


ClimateCab NEMA 12 Standing and Wallmount Cabinets

  • Small wall mount cabinets with 800 BTU A/C units attached to them up to 42U cabinets with a 6,000 or 8,500 BTU A/C unit attached to the side.

Yet another portable cooling systems manufacturer. You can easily search for products based on criteria like cooling capacity or voltage requirements. They also make ceiling mounted units. The company includes a section on their server room offerings, so you know that they understand that their products might be used to cool down servers (which is reassuring to me, for some reason). Note that the domain is "MovinCool.com" without a "g". Someone should tell their marketing department to buy the alternate "MovingCool" domains to prevent mistyped domain confusion.

Friday, December 11, 2009

Geek Desks!

Simplistic design... adjustable height... it has wheels! I want one! Apparently the selling point is that you can stay at your computer but periodically switch from sitting to standing to keep your body limber and prevent the strain associated with sitting in front of your computer for hours on end.

I type this after having been at my computers for hours on end.

Wednesday, December 2, 2009

El Grande list of Open Source Help Desk Software

Here I was, mulling over the idea of starting a large list of open source help desk software, when I stumble on this thread at ServerFault that included a link to a site dedicated to listing open source help desk software!

The site is aptly named http://www.opensourcehelpdesklist.com/ 

Three cheers for people who make things so I don't have to! =)

Monday, November 30, 2009

Open-Source Hardware?

As per this Wall Street Journal article, a company named Arduino has created a small microcontroller board, the schematics of which are freely available online. The two-man Italian company has gone from selling 34,000 of the $30 microcontrollers last year to a forecasted 60,000 microcontrollers this year. Other open source hardware projects of note include Chumby and Bug.

Personally, I wonder what the open-source hardware scene will really accomplish over time. Will it flourish as much as open-source software? Will it create as much innovation and competition as open-source software? Not being a hardware engineer, I can't speak with any authority. However, I doubt very highly that it will come close to the effects that open-source software has had on the world. Anyone can install software, however not just anyone can take advantage of circuit board schematics. The pool of potential project creators and contributors is drastically smaller. However the pool of potential consumers of products based on open-source hardware could conceivably be larger than that of open-source software. Interesting points to ponder.

Does anyone have experience with the open-source hardware "movement"? Any thoughts on the subject would be appreciated.

Saturday, November 28, 2009

A Macintosh is a Mac, not a MAC!!

If you are referring to Macintosh computers in written word and truncate the brand name to "Mac", please refrain from capitalizing the three letters. "Mac" is simply a nickname, not an acronym. If you type MAC, my brain reads it as Media Access Control, and that makes no sense when you say "I just bought a new MAC."

If anyone out there uses the capitalized "MAC" when referring to Macintosh computers, please explain it to me. I believe this is a fairly recent phenomenon, as I never recall seeing this behavior in the mid and late nineties when I was much more heavily involved with that brand.

Rant over. These aren't the droids you're looking for. You can go about your business.

Friday, November 27, 2009

List of Network Inventorying Software (Update Revision 2)

This thread over at Security-Forums.com sparked me to create a post where I can list the various IT asset inventorying software that I'm aware of.

Total Network Inventory
Manage Engine (Has multiple tools that could be in this category)
SpiceWorks
Network Inventory Advisor
LANrev
OCS Inventory (Would have been funnier if it was named "OCD Inventory". Commenter Matt recommends using GLPI as an interface for the poorly designed (as of this writing in November 2009) OCS interface.)
Open-AudIT
i-doit (Open and pro versions available. Is it disconcerting to anyone else what the product name turns into when you simply swap the "i" and "o"?)
Lansweeper (Recommended by commenter Chris. Windows only freeware.)

Please contribute if you know of other similar software! Closed-source or open-source, it makes no difference.

Tuesday, November 24, 2009

How to send mail via Telnet

I've seen a number of tutorials on how to send email using a Telnet session, but the one over at wikiHow.com is the bee's knees. I post the link here as a memory aid, but hope it can help you as well:

http://www.wikihow.com/Send-Email-Using-Telnet

Friday, November 20, 2009

OpenDNS interferes with Outlook Anywhere

My Problem:
In an office using OpenDNS for name resolution, Outlook Anywhere retrieves an SSL certificate from OpenDNS rather than searching for and using the SSL certificate installed on your Exchange server.


My Solution:
Use conditional forwarding for your SMTP domain in your internal DNS server to divert DNS queries for your SMTP domain away from OpenDNS.


The Long Story:
One of my users reported seeing a certificate error after I switched my SBS 2008 machine from using root hints to OpenDNS servers. Strangely, I did not have those errors when I used my offsite laptop which was also using OpenDNS servers. To attempt to reproduce the error, I connected to the network with a VPN and changed my DNS server to point to the SBS 2008 server. Sure enough, I got a certificate error.

When I clicked "View Certificate", I saw that I was somehow picking up an OpenDNS cert.

I reasoned that the problem was due to Outlook 2007's hard-coded behavior of attempting to connect to its list of autodiscover subdomains such as autodiscover.SMTP-domain.com before finally settling on the domain's SRV record. Since we're using OpenDNS, the service tries to be helpful and returns a response when it sees we've requested a domain that does not exist (the IP returned for autodiscover.my-SMTP-domain.com is 208.69.36.132, which is an OpenDNS IP).


Once again, I found it strange that if I used OpenDNS servers directly on my laptop I did not get that IP returned and Outlook Anywhere worked perfectly. I assumed it had to do with the office having an OpenDNS account tied to that office IP whereas my laptop was not behind an IP address that had an OpenDNS account. I did not create an OpenDNS account for my IP to see if the problems would suddenly start for me at home.


I logged into the office's free OpenDNS account but did not see any option to prevent a domain or subdomain from being resolved. I found it rather funny... I actually wanted OpenDNS to stop resolving DNS.


Several options presented themselves to me.

  1. Create a split DNS zone on the SBS server that made it authoritative for our public SMTP domain. This split DNS setup is fairly common, but requires you to manually maintain DNS entries that you create in your public zone in your private zone as well. Split DNS would cause all clients in the building to receive a definitive resolution failure when requesting autodiscover.my-SMTP-domain.com.
  2. Use conditional forwarders to forward queries for our domain to DNS servers other than OpenDNS's.
  3. Figure out a way to prevent Outlook from querying for the nonexistent domains.

Option 1 seemed viable, and I actually tried it half-heartedly. The added complexity scared me away from it and I ended up deleting the zone. Conditional forwarders won out after the thought of tweaking clients manually for anyone who ever used our email server from within the building made me break out in a rash.


I simply created a conditional forwarder that used our ISP's DNS servers for any query for our public domain name. That did the trick. Incidentally, I had attempted to put in the actual authoritative name servers as targets for the forwarder, but for some reason the targets would not resolve queries. Not willing to burn any more daylight on this problem, I settled for the ISP's DNS servers and all was well in the land.

P.S. I've also heard that the practice of returning helpful hints for non-resolving domain names that some ISPs do will also cause problems. I haven't had to deal with that yet and hope I never do.

Wednesday, November 18, 2009

List of Outlook Anywhere autodiscover DNS query attempts

This is a list of the various DNS queries that Outlook Anywhere clients will attempt to make before finally searching out an SRV record in the domain. This is taken directly from Microsoft KB940881. I reprint it here because I've already spent an embarrassing amount of time searching for this article after I forgot where I documented it. Hopefully I'll never forget again.

The succession of autodiscover attempts done by an Outlook 2007 SP1 client is now thus:

  1. Autodiscover posts to https://contoso.com/Autodiscover/Autodiscover.xml. This fails.
  2. Autodiscover posts to https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml. This fails.
  3. Autodiscover performs the following redirect check:
    GET http://autodiscover.contoso.com/Autodiscover/Autodiscover.xml
    This fails.
  4. Autodiscover uses DNS SRV lookup for _autodiscover._tcp.contoso.com, and then "mail.contoso.com" is returned.
  5. Outlook asks permission from the user to continue with Autodiscover to post to https://mail.contoso.com/autodiscover/autodiscover.xml.
  6. Autodiscover's POST request is successfully posted to https://mail.contoso.com/autodiscover/autodiscover.xml.

Monday, November 16, 2009

Autodiscover clients are bringing back a strange certificate

The Problem:
Outlook Anywhere clients are returning a strange certificate (possibly from Plesk or cPanel) when attempting to connect to your SBS 2008 machine running Exchange 2007 using your public domain name.


The Solution:
Check your domain's DNS settings to see if you have a * record that handles all queries for subdomains that don't explicitly exist. For example *.mydomain.com. Remove it if it exists.


The Long Story:
Outlook Anywhere queries several subdomains of your main SMTP domain looking for the autoconfiguration information. After the queries for domains like autoconfigure.my-SMTP-domain.com fail, then Outlook will query for an SRV record. SBS 2008 relies on an SRV record to point the Outlook Anywhere clients to the proper URL using the proper hostname that was registered in your SSL cert.

My clients were returning a certificate error with a host of problems.

After some heart palpitations in which I fretted that I had munged the certificate creation process somehow, I clicked "View Certificate" and found something puzzling:

The certificate was issued to Plesk! Plesk is the control panel that our domain is managed with. Somehow or another, Outlook was getting sent to something on our domain that was returning our control panel's certificate.

I tried some things, and then realized that I could type any nonsense gibberish as a subdomain of my main domain and be sent to our website. That caused a few minutes of childish fun as I typed silly subdomains in just to see them successfully bring up the organization's web site. That still didn't clue me in to the real problem though... because I'm a nublet and was not aware of DNS * records. After some sleuthing I happened to come across a forum that mentioned a "*" record which jogged my memory. I had actually seen a * record in our DNS control panel and hadn't thought much about it.

I quickly deleted the * record from our DNS control panel and after DNS propagated, Outlook Anywhere worked for my clients.

Personally, I think Outlook's requirement that DNS resolution fails for certain subdomains before it seeks out the SRV record is a bit flaky and error prone. In fact, you will see exactly why that might cause grief for some people that use OpenDNS or even certain ISPs in a post later this week...


The succession of autodiscover attempts done by an Outlook 2007 SP1 client is now thus:

  1. Autodiscover posts to https://contoso.com/Autodiscover/Autodiscover.xml. This fails.
  2. Autodiscover posts to https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml. This fails.
  3. Autodiscover performs the following redirect check:
    GET http://autodiscover.contoso.com/Autodiscover/Autodiscover.xml
    This fails.
  4. Autodiscover uses DNS SRV lookup for _autodiscover._tcp.contoso.com, and then "mail.contoso.com" is returned.
  5. Outlook asks permission from the user to continue with Autodiscover to post to https://mail.contoso.com/autodiscover/autodiscover.xml.
  6. Autodiscover's POST request is successfully posted to https://mail.contoso.com/autodiscover/autodiscover.xml.
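The lookup order above, with the wildcard (*) record from this post and the NXDOMAIN rewriting from the OpenDNS post modelled in one place, as an added example that is not part of the original posts: a toy resolver over constructed records (RFC 5737 addresses, example.com zone) shows why a resolvable autodiscover.<domain> stops Outlook before it reaches the SRV record, and a random-label probe detects both root causes.

```python
import secrets


class ToyResolver:
    """Minimal stand-in for a recursive resolver (constructed, offline).

    a_records:   explicit name -> IP.
    srv_records: owner name -> (priority, weight, port, target).
    wildcard:    zone -> IP answered for any unknown label under that zone
                 (the '*' record the Nov 16 post deleted).
    nxdomain_ip: if set, returned instead of NXDOMAIN for unknown names
                 (the 'helpful' redirect the Nov 20 post hit with OpenDNS).
    """

    def __init__(self, a_records, srv_records=None, wildcard=None, nxdomain_ip=None):
        self.a_records = {k.lower(): v for k, v in a_records.items()}
        self.srv_records = {k.lower(): v for k, v in (srv_records or {}).items()}
        self.wildcard = {k.lower(): v for k, v in (wildcard or {}).items()}
        self.nxdomain_ip = nxdomain_ip

    def resolve_a(self, name):
        name = name.lower().rstrip(".")
        if name in self.a_records:
            return self.a_records[name]
        for zone, ip in self.wildcard.items():
            if name.endswith("." + zone):
                return ip
        return self.nxdomain_ip  # None stands for a real NXDOMAIN

    def resolve_srv(self, name):
        return self.srv_records.get(name.lower().rstrip("."))


def autodiscover_sequence(domain):
    """KB940881 steps 1-3: the URLs Outlook 2007 SP1 tries before the SRV lookup."""
    path = "/Autodiscover/Autodiscover.xml"
    return [
        (1, "https://" + domain + path),
        (2, "https://autodiscover." + domain + path),
        (3, "http://autodiscover." + domain + path),  # the redirect check
    ]


def diagnose(resolver, domain, cert_hostnames):
    """Walk the KB940881 order and return (trace, problems).

    trace:    (step, host, ip) for every host Outlook will contact.
    problems: findings.  The bare domain (step 1) is expected to resolve to
    the web site and simply fail there.  autodiscover.<domain> (steps 2-3)
    must either be NXDOMAIN, so Outlook falls through to the SRV record, or
    point at a host the certificate covers; anything else means Outlook
    connects to it first and shows that host's certificate.
    """
    cert_hostnames = {h.lower() for h in cert_hostnames}
    auto = "autodiscover." + domain
    trace = [(1, domain, resolver.resolve_a(domain))]
    problems = []
    ip = resolver.resolve_a(auto)
    trace += [(2, auto, ip), (3, auto, ip)]
    if ip is not None and auto not in cert_hostnames:
        problems.append(f"{auto} resolves to {ip} but the certificate does not cover it")
    srv = resolver.resolve_srv("_autodiscover._tcp." + domain)
    if srv is None:
        trace.append((4, None, None))
        problems.append("no _autodiscover._tcp SRV record")
    else:
        target = srv[3]
        trace.append((4, target, resolver.resolve_a(target)))
        if target.lower() not in cert_hostnames:
            problems.append(f"SRV target {target} is not a certificate hostname")
    return trace, problems


def nonexistent_label_resolves(resolver, domain):
    """Root-cause check: a random label under the zone must be NXDOMAIN.
    Any answer means a wildcard record or an NXDOMAIN-rewriting resolver,
    and either one stops Outlook from ever reaching the SRV record."""
    probe = "chk-" + secrets.token_hex(6) + "." + domain
    return resolver.resolve_a(probe)


# Constructed scenarios; IPs are RFC 5737 documentation addresses, not real hosts.
DOMAIN = "example.com"
CERT_NAMES = {"remote.example.com"}  # the hostname on the SBS 2008 certificate
SRV = {"_autodiscover._tcp.example.com": (0, 0, 443, "remote.example.com")}
BASE_A = {"example.com": "192.0.2.10", "remote.example.com": "198.51.100.5"}

HEALTHY = ToyResolver(BASE_A, SRV)
WILDCARD = ToyResolver(BASE_A, SRV, wildcard={"example.com": "192.0.2.10"})
REWRITING = ToyResolver(BASE_A, SRV, nxdomain_ip="203.0.113.1")

if __name__ == "__main__":
    for label, r in (("healthy", HEALTHY), ("wildcard", WILDCARD), ("nxdomain-rewrite", REWRITING)):
        trace, problems = diagnose(r, DOMAIN, CERT_NAMES)
        print(label, "random label ->", nonexistent_label_resolves(r, DOMAIN))
        for step, host, ip in trace:
            print("  step", step, host, "->", ip)
        print("  problems:", problems or "none")
```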

Thursday, November 12, 2009

Google Dashboard; more convenience than transparency

Some news headlines are touting Google Dashboard as a step towards transparency concerning the data that Google is collecting on you. After some research on the product (including using it for myself), it seems to be nothing more than a simple web page that lists all of the Google products that your account has activated with links to configuration pages for those products as well as some summary information.


Open Boston Media has a good review of the product that seems to put things in perfect context. This is certainly a convenience, but hardly worth labeling "transparency". As some have pointed out, this seems more like conditioning people for a single-sign-on experience which will either encourage people to use more of Google's existing services or be more likely to opt in for future services (or probably both).


Nonetheless, it can be useful for people who use a Google account to see what is publicly visible. Check it out for yourself and you just might discover that more about you was available than you first thought.

Wednesday, November 11, 2009

VMWare View 4 touted as "Disruptive, Game-Changing"; Uhhh... ever heard of Terminal Services?

According to this ChannelInsider.com article, VMWare View 4 "could revolutionize how IT infrastructure is deployed today." Yet reading on, it seems to simply be another way of deploying a desktop computing experience to thin clients or home users' PCs à la Terminal Services or Citrix XenApp (née MetaFrame Server, née Presentation Server). The only difference is that View 4 would be based on virtual machines rather than different interactive sessions on the same server. Is that difference enough to call this "revolutionary"? I'm not hugely familiar with TS or Citrix products, but this seems to be pure, unadulterated hype. Cool hype... but hype nonetheless.


As always, I'm eager to be proven wrong. Anyone want to step up and school me?


P.S. Not that I'm complaining about good hype for VMWare. Anything that raises the price of my VMW stock makes me smile. =)

Monday, November 9, 2009

Updated! Appending Whitelisted Domains to Exchange 2007's BypassedSenderDomain variable

My Problem:
I added a few domains to Exchange 2007's domain white list via the Exchange Management Shell using the cmdlet, Set-ContentFilterConfig -bypassedSenderDomains domain1.tld,domain2.tld. However, running the same command with domain3 as a variable will overwrite domain1.tld and domain2.tld. I needed to add domain3.tld to the existing whitelisted domains.

The Solution:
Nov 11, 2009 Update: Thanks to a tip in the comments section from one of my readers ( ::waves at Sharon:: ), I now use Glen Scales's PowerShell script that creates a simple GUI interface which allows you to update both the bypassedSenders and the bypassedSenderDomains list.

Before that GUI script, I would dump the existing contents of the bypassedSenderDomains variable to a new variable, add information to the new variable and then run Set-ContentFilterConfig using the newly modified variable:

# Copy the current whitelist into a variable (a multi-valued property, so it supports .Add())
$varWhitelist = (Get-ContentFilterConfig).BypassedSenderDomains
# Append the new domain to the copy
$varWhitelist.Add("domain3.tld")
# Write the whole list back, so the existing domains are kept
Set-ContentFilterConfig -BypassedSenderDomains $varWhitelist

There! It's so simple... or, not?

Etcetera:
As an addendum to this post, I have a complaint to lodge. Firstly, I don't mind a CLI/shell. I like PowerShell. I feel ashamed that I'm such a GUIfied Windows admin and sincerely want to get proficient with the command line, preferably PowerShell. However, the fact that certain functions in Exchange can only be done via the Management Shell and not the Console confounds me. Especially since the Console was touted as being built 100% on PowerShell.

Would someone in Microsoft's development department have their head melt like that guy at the end of Raiders of the Lost Ark if they added a simple GUI interface for the whitelisted domains feature? This seems like such an oft-used feature that it makes no sense to me to hide it in the shell. That's like taking something as commonplace to use as configuring your desktop picture and hiding it in a command line interface while leaving other similar options such as resolution and desktop icons in the GUI interface.

Furthermore, adding new domains shouldn't take three lines of script to do. I'm sure I could cram it on one line, but it's still three separate expressions. What's up with that? Maybe I'm just a whiny Windows admin.

Tuesday, November 3, 2009

Adding an RDNS record for a SBS 2008 environment

My Situation:
I was reading about the various kinds of DNS records needed for email to flow properly in an SBS 2008 environment and decided to create a simple RDNS record for the mail server. My confusion came when I wasn't sure if the RDNS record should contain the name of the server as seen on the local network or as seen from public DNS.

The Solution:
When creating an RDNS record, the hostname should match both the external A record for the IP where email exits your network as well as the FQDN that your MTA presents to SMTP servers. Most SBS 2008 admins will use "remote" for the external hostname A record, and thus the RDNS record that they create should resolve to that same IP address. The FQDN in the internet send connector should be "remote.yourdomain.TLD".

The Long Story:
When creating an RDNS record, you need to supply the name of the server that is seen in Exchange 2007's send connector. However, when you use the Exchange Management Shell cmdlet "get-sendconnector | select name" you get a different name than if you look at the "specify the FQDN this connector will provide in response to HELO or EHLO" (that can be found by going to the Exchange Management Console >> Organization Configuration >> Hub Transport >> Send Connectors Tab >> right click the Windows SBS Internet Send [server name] connector and select properties >> General Tab).

The cmdlet returns the local DNS name of the Exchange server but the Send Connector properties box shows the external DNS name of the server; remote.companyname.com.

Questions started to arise in my head when I realized that I've seen email headers stamped with the local DNS names of the email server and not the public DNS names. I wondered if I needed to create an RDNS record using the internal name of the server, which would require me to create an A record in the public DNS zone with the same name, or if I should just create the RDNS record to point to the already existing "remote" A record.

After some research (the specific documents that I found were not recorded so I can't give links here; I'm a bad, bad researcher =( ), I discovered that the proper configuration does not include the name of the server on your local network in any way.
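The agreement the post arrives at (the PTR for the outbound IP, the public A record for that name, and the FQDN the send connector announces in EHLO all naming the same public host), as an added example that is not part of the original post: an offline checker over constructed records with RFC 5737 addresses, with the internal LAN name passed in so that announcing it instead of the public name is caught.

```python
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 address:
    '203.0.113.25' -> '25.113.0.203.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def _norm(name):
    """Lower-case a hostname and drop the trailing dot from zone-file form."""
    return name.strip().rstrip(".").lower()


def check_mail_dns(outbound_ip, ptr_records, a_records, ehlo_fqdn, internal_fqdn=None):
    """Return a list of findings; an empty list means the three names agree.

    ptr_records:   PTR owner name -> hostname (what the ISP publishes)
    a_records:     hostname -> IP (the public zone)
    ehlo_fqdn:     the FQDN the send connector gives in HELO/EHLO
    internal_fqdn: optional LAN name of the server, to catch the mistake the
                   post asks about (announcing the internal name publicly)
    """
    findings = []
    a_records = {_norm(k): v for k, v in a_records.items()}
    ptr = ptr_records.get(reverse_name(outbound_ip))
    if ptr is None:
        return [f"no PTR record for {outbound_ip}"]
    ptr = _norm(ptr)
    forward = a_records.get(ptr)
    if forward is None:
        findings.append(f"PTR names {ptr}, which has no public A record")
    elif forward != outbound_ip:
        findings.append(f"PTR names {ptr}, whose A record is {forward}, not {outbound_ip}")
    name = _norm(ehlo_fqdn)
    if internal_fqdn and name == _norm(internal_fqdn):
        findings.append(f"send connector announces the internal name {name}; use the public name")
    if name != ptr:
        findings.append(f"send connector announces {name} but the PTR says {ptr}")
    if a_records.get(name) != outbound_ip:
        findings.append(f"EHLO name {name} does not resolve to {outbound_ip}")
    return findings


# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
OUTBOUND_IP = "203.0.113.25"
PTR_RECORDS = {"25.113.0.203.in-addr.arpa": "remote.example.com."}
A_RECORDS = {"remote.example.com": "203.0.113.25", "example.com": "192.0.2.10"}
INTERNAL_FQDN = "sbs01.example.local"

if __name__ == "__main__":
    print("public name  :", check_mail_dns(OUTBOUND_IP, PTR_RECORDS, A_RECORDS,
                                           "remote.example.com", INTERNAL_FQDN))
    print("internal name:", check_mail_dns(OUTBOUND_IP, PTR_RECORDS, A_RECORDS,
                                           INTERNAL_FQDN, INTERNAL_FQDN))
```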

Monday, November 2, 2009

APC creates unobtrusive equipment racks that look like furniture.

Plenty of admins/consultants have to deal with small offices and branch offices that need a server or three, a firewall and maybe some switches. But where to put them? Usually those devices end up being bunkmates with mops and 5-gallon containers of Janitor in a Drum. However, APC has created their NetShelter CX series that looks like an unobtrusive piece of office cabinetry.

I have two concerns however:

  1. What about airflow? I see that the back is a screen but is there sufficient room on the front for intake? Being that it's produced by APC, I would give them the benefit of the doubt that they would take that into consideration.
  2. What about cooling? Does this thing trap heat more than a normal server rack would? That faux wood paneling must surely be more of a heat trap than the simple aluminum sides real server racks have. A subpoint of this issue is: Would it make people take the need for proper A/C flow on the unit even less seriously than people already do? Does making it look like a piece of furniture encourage equipment to be placed out in the open office where dust and heat roam unchecked??

Nonetheless, I'll look into one of these devices if the need for one at a small office arises.

Saturday, October 31, 2009

Adding a Small Business Server 2008 Autodiscover SRV record using the Plesk Control Panel

My Problem:
When I went to create an SRV record for my SBS 2008 machine in the domain's Plesk control panel, I was confused by the wording that Plesk uses concerning the record's options. I had to map the four required pieces of information to the seven available options.

My Solution:
The four required pieces of information as per KB 940881 are Service, Protocol, Port Number and Host. Those map to the following inputs in the Plesk control panel.
  • "Service: _autodiscover" maps to "Service Name" in the Plesk control panel. Do not manually type the leading underscore; only type "autodiscover" (minus the quotes, of course).
  • "Protocol: _tcp" maps to the "TCP" radio button in the Plesk control panel.
  • "Port Number: 443" maps to "Target Port" in the Plesk control panel.
  • "Host: mail.contoso.com" maps to "Target Host" in the Plesk control panel. Use whatever hostname you have on your SSL cert. For the majority of SBS 2008 scenarios it will be remote.yourdomain.com.
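The same four KB 940881 values and the Plesk underscore detail, as an added example that is not from the original post or from Plesk: a Python helper that maps the values as typed into the control panel to the zone-file record and lists what would keep Outlook from using it, including a doubled underscore and a target host that is not on the SSL certificate. The example.com zone, the "remote" host and the certificate names are constructed.

```python
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


def plesk_stores(typed):
    """Plesk prepends the underscore to the Service Name and Protocol fields
    itself, so a value typed as 'autodiscover' is stored as '_autodiscover'
    and a value typed as '_autodiscover' becomes '__autodiscover'."""
    return "_" + typed.strip()


def srv_problems(service, protocol, port, target, cert_hostnames):
    """Return the reasons the record, as typed into Plesk, would not work for
    Outlook Anywhere; an empty list means the four values are usable."""
    svc, proto = plesk_stores(service), plesk_stores(protocol.lower())
    target = target.strip().rstrip(".").lower()
    problems = []
    if svc.startswith("__"):
        problems.append(f"service stored as {svc}: type it without the leading underscore")
    elif svc != "_autodiscover":
        problems.append(f"service must be _autodiscover, got {svc}")
    if proto != "_tcp":
        problems.append(f"protocol must be _tcp, got {proto}")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port {port!r} is not a valid TCP port")
    if not HOSTNAME_RE.match(target):
        problems.append(f"target host {target!r} is not a valid hostname")
    elif target not in {h.lower() for h in cert_hostnames}:
        problems.append(f"target host {target} is not a name on the SSL certificate")
    return problems


def build_autodiscover_srv(zone, service, protocol, port, target, cert_hostnames,
                           priority=0, weight=0):
    """Map the KB 940881 values (as typed into Plesk) to (owner_name, zone_line).
    Priority and weight default to 0, the Plesk defaults the post left alone."""
    problems = srv_problems(service, protocol, port, target, cert_hostnames)
    if problems:
        raise ValueError("; ".join(problems))
    owner = f"{plesk_stores(service)}.{plesk_stores(protocol.lower())}.{zone.rstrip('.')}."
    target = target.strip().rstrip(".").lower()
    return owner, f"{owner} IN SRV {priority} {weight} {port} {target}."


# Constructed values: the example.com zone and an SBS 2008 style "remote" host.
CERT_NAMES = {"remote.example.com"}

if __name__ == "__main__":
    print(build_autodiscover_srv("example.com", "autodiscover", "tcp", 443,
                                 "remote.example.com", CERT_NAMES)[1])
    print(srv_problems("_autodiscover", "tcp", 443, "remote.example.com", CERT_NAMES))
    print(srv_problems("autodiscover", "tcp", 443, "mail.example.com", CERT_NAMES))
```
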

The Long Story:
I had come to the point in my SBS 2008 implementation where I needed to create the autodiscover SRV record. However, when I logged into the Plesk control panel for the domain I was a bit puzzled. The wording for the various options was a bit ambiguous.

This helpful simplification of the facts surrounding the SRV record helped me get an initial grasp of the topic. According to the official KB article on the SRV record, I need the following information in the record:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.contoso.com
So, I see a total of 7 possible options in the Plesk control panel and only 4 pieces of information that I'm supposed to feed it. Time to try and map the two categories to each other.

I assumed that the "Services Name" area was simply a place to put a friendly name for me to reference the record by. I first tried "Outlook/Exchange Autodiscover" as the name, but that was rejected. I assumed it was the '/' that caused issues, but taking it out didn't resolve it. I took out all spaces and that allowed the record to be created but not in the way that I thought it should be.

 

After some thought, I realized that the "Domain Name" section did not have an asterisk and was not necessary. Therefore, the Service Name section was probably where _autodiscover went and the domain name section should be left blank! I did just that and received this confirmation:

That almost looked perfect... but that underscore in front of autodiscover seemed a tad too long. I then noticed that the underscore in the tcp portion of the record was not something that I supplied. Apparently, the underscore is not supplied for any of the information but is autocreated by the DNS service. I simply used "autodiscover" as the service name and that looked better:

The "Protocol" input seemed to be self explanatory. "Enter Domain Name" puzzled me a bit. Looking down, I saw the option "target host" which I figured would be the name of the subdomain that points to the mail server; remote.domain.com. Therefore I figured that the "Enter domain name" section was only if you had a very subdivided domain namespace.

The "Priority" and "Relative weight for records with the same priority" sections completely baffled me. I left them at their defaults. I placed "remote.domain.com" in the "Target Host" section (the domain that was registered in the SSL certificate) and "443" in the target port section.

After all this, I had a properly formed SRV record for my Outlook 2007 clients to use.

Friday, October 30, 2009

SBS 2008 by default bounces messages to postmaster and abuse accounts

I wonder how many SBS 2008 boxes do not have properly functioning postmaster@ and abuse@ email addresses. Why? Because by default, emails to those accounts from external addresses are bounced. The short story is that the postmaster@ and abuse@ email addresses are assigned to the "Postmaster and Abuse Reporting" distribution group. By default, the only member of that distribution group is the "Windows SBS Administrators" group which by default requires that all senders must be authenticated! Doh!

Much thanks to Mariette Knapp over at SmallBizServer.net for her bite-sized article concerning the issue and how to fix it: http://www.smallbizserver.net/Forums/tabid/53/forumid/104/postid/110738/view/topic/Default.aspx

Saturday, October 24, 2009

Configuring RDNS records for a Qwest.net business account

To set up RDNS records for a Qwest.net business class network connection (mine is a DSL line), you must first log into Qwest.net using your account information. Next, select "Manage your account", then select "Configure your DNS Records" and finally "Configure Reverse DNS Records".

You would use this process regardless of whether your domain's DNS records are hosted at a different provider such as your web host or domain registrar. In my case, our domain's DNS records were hosted on our web host's name servers. However, reverse lookups are a function of the ISP and not typically the name servers that are authoritative for your domain unless you've explicitly told your ISP to delegate RDNS authority to different DNS servers.

Thursday, October 22, 2009

Exchange 2007: Sending as a certain user fails because you do not have the proper permissions

My Problem:
Even after being granted the Full Access, Send As and Send on Behalf Of rights, my emails from that user account were being rejected with the following error message:

Delivery has failed to these recipients or distribution lists:
You are not allowed to send this message because you are trying to send on behalf of another sender without permission to do so. Please verify that you are sending on behalf of the correct sender, or ask your system administrator to help you get the required permission.

My Solution:
This was a rather silly error. When creating a new mail, I was typing in the email address into the "From:" field of the new message. That is, I was typing in the full email address in the form of "emailAddress@mydomain.com". To send as the user, you need to either click the "From:" button and select the user from the address list or type the user's alias and let Exchange resolve it (e.g. emailAddress without the "@mydomain.com" part --> click Check Names).

Tuesday, September 29, 2009

Managed vs. Unmanaged Code

While reading through the Internet Information Services 7.0 Resource Kit, I repeatedly came across the concept of unmanaged and managed code. A quick Google search later and it all makes sense (almost)! Thanks Kate Gregory!!

Monday, September 28, 2009

Installing an SSL Certificate on SBS 2008

The Short Story:
Want a cheap but trusted SSL certificate for SBS 2008? GeoTrust's RapidSSL certs are $19.95 per year through eNomCentral and seem to be trusted by enough devices to make me a happy camper. eNomCentral has a few minor downsides (see below for the whole story), but all in all it was a fine experience. The remote site works, Connect to a Computer works, the only thing left to test is Outlook Anywhere, but that is for another day (EDIT: Outlook Anywhere works flawlessly!). You can test out the RapidSSL cert for free for 30 days using the FreeSSL option just to make sure it fits your needs.

The Long Story:
The time has come to install an SSL certificate on my SBS 2008 server. I recommend reading this amazing post by Sean Daniel which held my hand through most of my ordeal. I decided to go to enomcentral.com to get my cert since it's one of the three major registrars that SBS 2008 supports for automatically handling your public DNS settings. While I don't plan on using that service, at least I know there's a relationship between SBS 2008 and enomcentral.com. I hoped that that would bode well for me.

On enomcentral's site I perused the available SSL certificates and homed in on GeoTrust's RapidSSL certificate. Verisign certs were absurdly expensive, and SBS Certificates (the SBS stands for Secure Business Services, not Small Business Server, which was a bit confusing at first) seemed a tiny bit seedy based on my limited research. I know the name GeoTrust and figured there was no doubt it would be trusted by most devices. Also, GeoTrust RapidSSL certs were $19.99 as opposed to $29.95 for SBS Instant certs. I picked a 5 year certificate.
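An added check, not part of the original post, for after the certificate is installed: confirm that the certificate for the remote host name has its private key, that the server can build a trusted chain for it, how long it has left, and that it is the one actually bound to HTTPS in HTTP.sys, which is what Remote Web Workplace, Outlook Anywhere and the other SBS web services sit behind. It runs in PowerShell on the SBS 2008 server as an administrator; the host name is a placeholder.

```powershell
# Added example (not from the original post). Run in PowerShell on the
# SBS 2008 server as an administrator. $hostName is a placeholder.
$hostName = 'remote.companydomain.com'

# Which certificate thumbprints are actually bound for HTTPS? netsh knows.
$boundHashes = netsh http show sslcert | ForEach-Object {
    if ($_ -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') { $matches[1].ToUpper() }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$hostName*" } |
    ForEach-Object {
        $cert  = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Trust and validity only; skip CRL fetches so this also works offline
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)

        New-Object PSObject -Property @{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            HasPrivateKey  = $cert.HasPrivateKey     # no private key = IIS cannot use it
            DaysLeft       = ($cert.NotAfter - (Get-Date)).Days
            ChainBuilds    = $trusted
            ChainErrors    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            ChainLength    = $chain.ChainElements.Count   # includes the CA's intermediate(s)
            BoundInHttpSys = ($boundHashes -contains $cert.Thumbprint)
        }
    } | Format-List
```

Chain building here uses the server's own certificate stores, so repeat the test from a machine outside the domain as well: if the CA's intermediate certificate is missing from the server's Intermediate Certification Authorities store, IIS will not send it, and external clients may see an untrusted chain even though this check passes locally.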

Saturday, September 26, 2009

"Connect to a Computer" link not visible across the WAN, but can see it on the LAN

My Problem
When a user connects to the "remote.companydomain.com" site remotely, they can see the "Check Email" and "Internal Web Site" links, but not the "Connect to a Computer" link. When connecting to the site from within the company's LAN the link appears.

My Solution
Use Internet Explorer as your web browser. The "Connect to a Computer" link is only offered to Internet Explorer, because the connection runs through the Remote Desktop ActiveX control, whereas "Check Email" and "Internal Web Site" are plain links that any browser can follow. My problem was that I was using every browser under the sun except IE. How do I loathe IE? Let me count the ways.

Thursday, September 24, 2009

Dear receptionist Ashley at Bethesda Medical Center at Arrow Springs

Dear receptionist Ashley at Bethesda Medical Center at Arrow Springs,

I spoke to you over the phone today to make an appointment. You are the most pleasant doctor's receptionist I have ever spoken to. This is either due to you being fresh out of school and not being dragged down by the dragons that double as receptionists or you found where the doctor keeps the Vicodin samples. Or maybe your parents were Care Bears. Speaking to you was like running through the end of the rainbow with a bubble machine.

Thank you Ashley. It's two hours after we spoke and I still feel all warm and fuzzy.

Solving local users not appearing in the Connect Computer application when adding a computer to the SBS 2008 domain; Part 2

My Problem
(In reference to this issue I had) A user will not show up in the Connect Computer application. After creating a brand new user and ensuring that the new local user can be seen by the Connect Computer application I then moved the old user profile data to the new user profile folder. However, the formerly visible new user profile then becomes invisible to the connect computer app. Removing those files causes the profile to reappear in the Connect Computer app.

In other words, the solution that I used for a previous user account on another computer (documented in the link above) did not work on this machine.

My Solution
This was a bit sneaky and probably not the best way to do it, but I was desperate and so far it seems to work. Create a new local user account and then run the Connect Computer application; the new account should be visible to map a domain account to. Then, without exiting the app, delete all files in the new user profile folder, move all files over from the old user profile folder, switch back to the still-running Connect Computer application and click "Next" without rescanning the profile folders.

This may have some undesirable effects. For instance, The Outlook 2002 preferences of the user were reset, but the pst file was fine. I had to re-create the POP3 mail accounts and reset some of the visual preferences.

The Long Story

When I noticed that the existing user account was not visible in Connect Computer, I created a new local user account (after banging my head on the keyboard) and then checked to make sure the new account was visible in the Connect Computer application. I then deleted all files in the new user profile folder, moved all files over from the old user profile folder, switched back to the still running Connect Computer application and clicked "next" without rescanning the profile folders.

It hung for a while at the "assigning users" step, which worried me. I did a ctrl-alt-del from the minimal user interface that the SBS application presents and noticed that it said a user named __sbs_netsetup__ was logged on. I launched Task Manager and noticed that MoveUser.exe was indeed taking up CPU cycles. Hmmm... maybe it was just taking a little while because the user's profile was over 60GB. After almost 10 minutes it finished and automatically rebooted.

After rebooting it was logged in automatically as the domain administrator and not the user account that I had ported over. That worried me since all my previous experience had involved the user account that was ported over being logged in after the first reboot.

I logged off and tried to log on as the user and was mercifully greeted with their desktop icons. All looked well, except Outlook (version 2002!) behaved strangely. The POP3 accounts were gone and I had to recreate them. The visual elements like which folder Outlook went to on startup was changed back to default. All in all I accepted it as a success. It's certainly not the most elegant solution and I hope to get to the bottom of things, but it could have been worse...

Tuesday, September 22, 2009

Monday, September 21, 2009

Security logs on client PCs fill up after joining a SBS 2008 domain

The Problem:
After joining a PC to a SBS 2008 domain, you may soon notice that users cannot log into the machine and the following error is displayed on the logon box: "The security log on this system is full. Only administrators can log on to fix the problem." Or if you log in via RDP you will see the logon message "The security log on this system is full."

The Solution:
Change the log size and/or retention settings for the security log. You can either do this locally or via a GPO.

Locally: Open event viewer (run >> eventvwr), right click the security log, select properties and edit the appropriate settings under the "Log Size" section. Increase the log size for a temporary fix or select "Overwrite events as needed" or "Overwrite events older than" and select a value in days that you're sure won't cause the log to fill up before that number of days has passed.

From a GPO: Look at the options for Security Logs in the following GPO node: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Event Log. Specifically, I chose to edit the "Maximum Security Log Size" and "Retention Method for Security Log" options.

The Long Story:
After I joined the very first client to my new SBS 2008 domain, I noticed an error upon logging in via RDP: "The security log on this system is full." It was an XP SP2 machine, and when I checked the security log I noticed a ton of event IDs 538, 540 and 576 (user logoff, successful network logon, and special privileges assigned to new logon). They were logged for the users MyServerName$ and SBSMonAcct.

A quick search for the SBSMonAcct user reveals that it is a special account that SBS 2008 creates, uses and deletes on the fly. So apparently there's a lot more interaction between the SBS machine and the client PCs than I first knew about. The security log settings on the XP client were set to cap the security log at an underwhelming 64K and to retain events for 7 days. With all of those logon/logoff events the log was filling up well before the 7-day limit, and since nothing in it was old enough to be overwritten, Windows started refusing non-administrator logons. I wanted to make sure this didn't happen on any other machines on the domain.

On the SBS box, I edited the "Windows SBS Client Policy" GPO that is created by default and linked to the default SBSComputers OU. I moved to the following GPO node: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Event Log. I edited the following options:

  • Maximum Security Log Size: 16,384 kilobytes (the default when you enable this policy)
  •  Retention Method for Security Log: Overwrite events as needed (This place isn't a high security environment and I think 16 megs of security events should be enough. If I need to retain more than that I can change the settings as needed.)
And all was well in the land.
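An added example, not part of the original post, that makes the diagnosis and the local fix repeatable: it reads the Security log's current size and retention policy, shows which event ID / account pairs are filling it (on the machine above that would be 538/540/576 for MyServerName$ and SBSMonAcct), and applies the same 16 MB / overwrite-as-needed settings the GPO sets. It runs in PowerShell on the affected client as a local administrator (reading the Security log requires that) and assumes PowerShell 2.0 is installed on the XP machine, which it is not by default. One caveat the GPO choice shares: once the log is allowed to wrap, the oldest events are gone for good, so if you might ever need those logon records for an investigation, choose a much larger size or collect the logs centrally instead.

```powershell
# Added example, not from the original post. Run as a local administrator
# on the client; assumes PowerShell 2.0 on Windows XP.

function Get-SecurityLogState {
    # .NET's EventLog object exposes the same settings as the Event Viewer dialog
    $log = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
    New-Object PSObject -Property @{
        MaximumKB      = $log.MaximumKilobytes
        OverflowAction = $log.OverflowAction       # DoNotOverwrite / OverwriteOlder / OverwriteAsNeeded
        RetentionDays  = $log.MinimumRetentionDays
        EntryCount     = $log.Entries.Count
    }
}

function Get-SecurityLogTalkers([int]$Newest = 2000) {
    # Who is filling the log? Count event ID / account pairs over the newest entries.
    Get-EventLog -LogName Security -Newest $Newest |
        Group-Object InstanceId, UserName |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
}

function Set-SecurityLogPolicy([int]$MaximumKB = 16384, [int]$RetentionDays = 7) {
    # Mirrors the post's GPO settings: 16 MB, overwrite events as needed.
    # MaximumKilobytes must be a multiple of 64; RetentionDays is kept for
    # completeness and only matters with the OverwriteOlder policy.
    $log = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
    $log.MaximumKilobytes = $MaximumKB
    $log.ModifyOverflowPolicy([System.Diagnostics.OverflowAction]::OverwriteAsNeeded, $RetentionDays)
}

Get-SecurityLogState | Format-List
Get-SecurityLogTalkers | Format-Table -AutoSize
# Set-SecurityLogPolicy   # uncomment to apply the local fix
```

If the machine sits in the SBSComputers OU, the "Windows SBS Client Policy" GPO overrides whatever Set-SecurityLogPolicy writes at the next policy refresh, so use it for machines outside that OU or simply to confirm that the GPO has taken effect.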

Saturday, September 19, 2009

Joining a Server 2003 computer to a SBS 2008 domain

My Problem:
Trying to join a Server 2003 machine to the domain via the SBS Connect Computer application resulted in the following error:

This computer does not meet the requirements necessary to connect to the network. Supported Operating System Not Found. To join your computer to the Windows SBS network using the Connect Computer program, you must be running...

My Solution:
Simply add the Server 2003 computer to the domain manually using the "Computer Name" tab in "System Properties". Once the member server has joined, open Active Directory Users and Computers and move its computer object into the SBSServers OU (MyBusiness > Computers > SBSServers) so that the client-computer GPOs do not apply to it. This TechNet document is my source: http://technet.microsoft.com/en-us/library/dd469602%28WS.10%29.aspx


The Long Story:
While attempting to join a Server 2003 machine to my new SBS 2008 domain, I received the above error. For a split second I panicked, thinking that for some strange reason Server 2003 could not be joined to the domain. I knew this to be absurd... and yet I didn't want to assume that Microsoft was more sane in some of its practices than prior experience had proven. Some quick Googling proved that Server 2003 can indeed be a member server. The only trick is to make sure you move the newly joined server into the SBSServers OU to keep the client PC GPOs from applying to it.
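An added example, not from the original post, that performs the post-join step from the SBS server instead of clicking through Active Directory Users and Computers: it finds the member server's computer object wherever the manual join put it, moves it into the SBSServers OU and reads it back to confirm. It runs in PowerShell on the SBS 2008 server as a domain administrator; the server name is a placeholder, and the OU path OU=SBSServers,OU=Computers,OU=MyBusiness is the one SBS 2008 creates.

```powershell
# Added example, not from the original post. Run in PowerShell on the
# SBS 2008 server as a domain admin. $serverName is a placeholder.
$serverName = 'FILESERVER01'

function Move-ComputerToSbsServersOu([string]$Name) {
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

    # Find the computer object wherever the manual join placed it
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter = "(&(objectCategory=computer)(cn=$Name))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Computer object '$Name' not found in $domainDn" }
    $computer = $result.GetDirectoryEntry()
    Write-Host ("Before: " + $computer.distinguishedName)

    # SBS 2008 keeps member servers here so the Windows SBS Client Policy
    # (linked to the SBSComputers OU) does not apply to them
    $target = [ADSI]"LDAP://OU=SBSServers,OU=Computers,OU=MyBusiness,$domainDn"
    $computer.psbase.MoveTo($target)

    # Re-read from the new location to confirm the move actually happened
    $moved = [ADSI]"LDAP://CN=$Name,OU=SBSServers,OU=Computers,OU=MyBusiness,$domainDn"
    Write-Host ("After:  " + $moved.distinguishedName)
    return [string]$moved.distinguishedName
}

Move-ComputerToSbsServersOu -Name $serverName
```

On the member server itself, run gpupdate /force and then gpresult /scope computer /v; "Windows SBS Client Policy" should no longer appear under the applied Group Policy objects.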

Thursday, September 17, 2009

Solving local users not appearing in the Connect Computer application when adding a computer to the SBS 2008 domain

The Problem:
When joining a computer to a SBS 2008 domain using the Connect Computer application, you may see only some, or none, of the local user profiles in the "Move existing user data and settings" dialog box. This can happen even if the "Make this folder private" option is deselected for the user's profile folder within Documents and Settings.

The Solution:
Copy the user profile folder to a new place (I used System Properties >> Advanced Tab >> User Profiles >> Settings >> Copy To) and then delete the original user profile folder. Log in with the user account so that a new profile folder is created. Delete all contents of the new user profile and copy over all contents of the old user profile. You will now be able to see the profile in the SBS Connect Computer application.

NOTE: You may want to first try renaming the NTUSER.DAT file as well as the NTUSER.DAT.LOG and NTUSER.INI files. However, that did not work in my situation and I had to completely recreate the user profile folder.


The Long Story:
I was attempting to join a user's computer to my SBS 2008 domain with the Connect Computer program. On the "Move existing user data and settings" dialog box I was dismayed to find that the drop down lists underneath the "Old logon name" heading were not populated with any user accounts. It was as if it didn't see any local user profiles.

The standard thing to check at this point is if the user profile folders that you are interested in have the "Make this folder private" option enabled which enacts "Level 1 Security" on the folder. Simple file sharing needs to be turned on to see that exact option. In my case, that option was deselected like it should have been.

I went to a different computer and ran the Connect Computer app and on the "Move existing user data and settings" dialog box I was able to see two of the eight profiles! I tried to figure out why those 6 profiles were not visible to the SBS app. Of the 8 total profile folders, only three of the corresponding accounts still existed on the local computer. Of those three accounts on the computer, only two were shown in the Connect Computer app. At this point I suspected that for the profile to be seen, the corresponding user account had to exist on the local computer. This might seem obvious at first, but initially I thought it would search for profile folders regardless of the user account existence.

First in my troubleshooting efforts was to create a brand new local user. After I logged in as that user to create the profile folder, I was able to then choose that profile in the Connect Computer app. I then deleted the newly created user and could not see that profile as an option in the Connect Computer app. That proved that in order for the profile to show up in Connect Computer, there had to be a corresponding user in the local SAM. However, this concept seemed to be thwarted by the fact that there was one profile that was not displayed in Connect Computer even though the user account still existed on the machine.

I decided to investigate that one user account that still existed on the machine but wasn't showing up in Connect Computer. When I logged in I saw the "Personalized settings... setting up personalized settings for Themes Setup" dialog box as if I was logging into a profile for the first time. Hmmm... maybe somehow the connection between the user account and the profile had been broken? But just what is that connection between the account and the profile folder? I didn't know enough about Windows accounts to know. I had a vague idea that it might have something to do with the NTUSER.DAT file.

After that user had logged in, I checked the Docs and Settings folder and noticed a new user profile folder in the format of [username].[computername]. Ouch. It had indeed created a new user profile. Somehow the connection between the original profile folder and the user account had been broken. I deleted the entire [username].[computername] folder and then went into the original [username] folder and deleted the NTUSER.DAT and NTUSER.DAT.LOG files hoping that it would create a new set of files. It didn't work. Logging in caused the creation of a new profile folder.

After much frustration and hacking, it seems that the only way to get an existing user account to use the information in an older profile is to move the profile folder to a different place, log in with the user to have a brand new profile folder created, delete all of the newly created files and folders in the profile and move over all of the old files from the old profile folder. You should now be able to see the user account in the Connect Computer app.

For more information about moving profile information, read MS KB 811151.
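The connection between an account and its profile folder that both this post and Part 2 above are groping for is the ProfileList registry key: Windows maps each account's SID, not its name, to a folder through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath. Deleting and recreating an account produces a new SID with no entry, so the next logon builds a fresh folder (the [username].[computername] one), and the observation that Connect Computer only lists profiles whose account still exists in the local SAM is consistent with it resolving those SIDs. Here is an added diagnostic, not part of either post, that prints that mapping so orphaned profiles and broken paths stand out before you start moving folders around. It assumes PowerShell 2.0 on the XP client, run as a local administrator. One caveat on the folder-swapping workaround itself: files moved within the same NTFS volume keep their original ACLs, which still name the old SID, whereas copied files inherit permissions from the new profile folder, so if the mapped domain user later hits access-denied errors inside the profile, that is why.

```powershell
# Added diagnostic, not part of the original posts. Run as a local
# administrator on the client; assumes PowerShell 2.0.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-LocalProfileMap {
    foreach ($key in Get-ChildItem $profileListKey) {
        $sid  = $key.PSChildName
        $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        try {
            # Translate fails when the account behind the SID has been deleted
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sid
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<no account for this SID>'
        }
        New-Object PSObject -Property @{
            SID        = $sid
            Account    = $account
            Path       = $path
            PathExists = ($path -ne $null) -and (Test-Path -LiteralPath $path)
        }
    }
}

function Get-OrphanProfileFolders {
    # Folders under the profiles root (Documents and Settings on XP) that no
    # ProfileList entry points at, e.g. the old folder after a recreate
    $profilesRoot = (Get-ItemProperty -Path $profileListKey).ProfilesDirectory
    $mapped = Get-LocalProfileMap | Where-Object { $_.Path } | ForEach-Object { $_.Path.ToLower() }
    Get-ChildItem -LiteralPath $profilesRoot |
        Where-Object { $_.PSIsContainer -and ($mapped -notcontains $_.FullName.ToLower()) } |
        Select-Object FullName
}

Get-LocalProfileMap | Sort-Object Account | Format-Table Account, SID, Path, PathExists -AutoSize
Get-OrphanProfileFolders
```

A profile whose Account column reads "<no account for this SID>" is what a deleted-and-recreated user leaves behind, and a folder listed by Get-OrphanProfileFolders is one Windows will never load again on its own; both explain why Connect Computer has nothing to offer for that user until a current account owns the data.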

Sunday, September 13, 2009

Solution to error 0xc0000135 with SBS 2008 Connect Computer application

The Short Story:
At least version 2.0 of the .NET Framework is required to run the Connect Computer application. Install the latest .NET framework (Microsoft .NET Framework 3.5 Service Pack 1 in my case).



The Long Story:
I have a Windows XP SP2 machine that I browsed to the SBS 2008 connect computer web site with. I downloaded launcher.exe and opened it. After a few brief moments I was met with the error "The Application failed to initialize properly (0xc0000135). Click on OK to terminate the application." Super!

A quick Google search of that error number revealed a simple solution. 0xc0000135 is STATUS_DLL_NOT_FOUND: the loader could not find a DLL the program depends on, and for a .NET executable that DLL is mscoree.dll, which only exists once the .NET Framework is installed. $60 billion in yearly revenue and Microsoft can't at least mention ".NET Framework" somewhere in that error message?

I went to the Windows Update site and installed the Microsoft .NET Framework 3.5 Service Pack 1 and all was well. Huzzah!

Friday, September 11, 2009

Antivirus exceptions after moving Exchange 2007 files on SBS 2008

When you use the SBS Management Console to move the Exchange data, it moves the mailbox and public folder stores. Most of the files, folders and file types that need to be excluded stay on the original drive (the system drive by default), so most of the exclusions don't change. To make life easier after the move, I simply excluded the entire "Exchange Server" tree on the drive that I moved the Exchange data to, e.g. "E:\Program Files\Microsoft\Exchange Server\".

Not that I'm suggesting this is the best way to handle things, but it simplifies the exclusion process without any unwanted side effects so far. The trade-off is that nothing written anywhere under that tree, whether by Exchange or by anything else that lands there, will ever be scanned in real time; the narrower choice is to exclude only the storage group folders the wizard actually created under it.

Wednesday, September 9, 2009

Antivirus Process Exclusions for Exchange 2007 on SBS 2008 Standard Edition

I blogged about a mammoth list of file, folder, process and extension exceptions that are needful for Microsoft's Small Business Server 2008 Standard Edition over here. However, the process exclusions list for Exchange 2007 requires a more thorough treatment.

I use Kaspersky Antivirus for Windows Servers Enterprise Edition on the SBS 2008 machine, and it requires me to feed it the actual executable file in order to exempt it from the real-time scanner. This posed something of a problem, as I was then required to track down the path to each individual executable file. Here's the list of executables that need to be exempted and where you can find them. The list is broken into two categories: those that I could find and those that I could not.

Executables that I could find:
•    edgetransport.exe  ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    mad.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Microsoft.Exchange.Antispamupdatesvc.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Microsoft.Exchange.Cluster.Replayservice.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Microsoft.Exchange.Edgesyncsvc.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Microsoft.Exchange.imap4.exe (as per this article it can be found in C:\Program files\Microsoft\exchange server\clientaccess\popimap\ )
•    Microsoft.Exchange.imap4service.exe (see above)
•    Microsoft.exchange.pop3.exe ( C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\ )
•    Microsoft.exchange.pop3service.exe  (see above)
•    Microsoft.Exchange.Search.Exsearch.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Microsoft.Exchange.Servicehost.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Msexchangeadtopologyservice.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Msexchangefds.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Msexchangemailboxassistants.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Msexchangemailsubmission.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Msexchangetransport.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )   
•    Msexchangetransportlogsearch.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    Msftefd.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    msftesql.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    oleconverter.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    PowerShell.exe ( C:\WINDOWS\System32\WindowsPowerShell\v1.0 )
•    transcodingservice.exe ( C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\bin\DocumentViewing\TranscodingService.exe )
•    store.exe ( C:\Program Files\Microsoft\Exchange Server\Bin\ )
•    w3wp.exe ( C:\Windows\System32\inetsrv\ )

Executables that I could not find:
•    cdb.exe (The console debugger from the Debugging Tools for Windows. It is not part of Windows or Exchange and only exists if you installed the debugging tools separately, so not finding it is no big deal.)
•    cidaemon.exe (The Indexing Service's content indexing daemon. According to what-is-exe.com it should be at c:\windows\system32\cidaemon.exe, but it is installed with the Indexing Service role service and it is not there on my installation of SBS.)
•    cluster.exe (Only applicable if Exchange is in a cluster which, in my case, it is not, so I didn't worry about it.)
•    dsamain.exe (The directory service process for AD LDS, the Server 2008 successor to ADAM. It worried me a little that I couldn't find it, but in Exchange 2007 only the Edge Transport role uses AD LDS, and SBS 2008 does not install that role.)
•    edgecredentialsvc.exe (Keeps track of credential changes in AD LDS and pushes them to the Edge Transport server. It is supposedly C:\Program Files\Microsoft\Exchange Server\Bin\EdgeCredentialSvc.exe, but it is not in my installation of SBS 2008, which again fits: it belongs to the Edge Transport role.)
•    galgrammargenerator.exe (As per this KB article it should be in the Bin folder under the Exchange install directory, but it's not in my installation. It is part of Unified Messaging.)
•    microsoft.exchange.contentfilter.wrapper.exe (The helper process for the anti-spam Content Filter agent. I have no idea where it is supposed to be on my installation.)
•    microsoft.exchange.infoworker.assistants.exe (As per this thread it should be found at C:\Program Files\Microsoft\Exchange Server\Bin\, but I didn't see it on my installation. The closest thing I have is Microsoft.Exchange.InfoWorker.AssistantsClientResources.dll.)
•    Microsoft.Exchange.Monitoring.Exe (Expected in C:\Program Files\Microsoft\Exchange Server\Bin.)
•    sesworker.exe (As per this article it is part of the speech server portion of Exchange, i.e. Unified Messaging. sesworker.exe.config files are in C:\Program Files\Microsoft\Exchange Server\UnifiedMessaging, but there is no sign of the executable.)
•    speechservice.exe (According to this KB article the speechservice.exe file is located in %Programfiles%\Microsoft\Exchange Server\UnifiedMessaging. It's not in that folder on my installation.)
•    umservice.exe (According to this thread it should be located at E:\Program Files\Exchange server\bin\umservice.exe, but I couldn't find it there even though UMService.exe.config was there.)
•    umworkerprocess.exe (According to this page the default location is C:\Program Files\Microsoft\Exchange Server\bin, but I can only find the UMWorkerProcess.exe.config file and not the actual exe.)

The Unified Messaging and Edge Transport entries in that group are expected to be missing: the Exchange 2007 that SBS 2008 installs consists of the Hub Transport, Client Access and Mailbox roles only.

Executables that are really, really weird: (Okay, I lied. There are three categories)
•    inetinfo.exe (inetinfo.exe is the IIS web server service process, not a debugging tool; some threads on the web had confused me on that point, and thanks to commenter "Joe Webster" for pointing it out. As per this thread it lives at C:\WINDOWS\system32\inetsrv\inetinfo.exe, and that is indeed where I found it. This page also lists C:\Windows\inetinfo.exe, C:\Windows\system32\inetinfo.exe, C:\Program files\%subfolder%\inetinfo.exe and C:\inetinfo.exe, but those are not locations Windows installs it to; an inetinfo.exe anywhere other than the inetsrv folder deserves a closer look, not an exclusion. For some strange reason I cannot see the .exe file when I browse to it in the Kaspersky MMC console's dialog box to add it to the process exclusion list. It can be seen in Windows Explorer, but not from within Kaspersky's file browser, and running the MMC snap-in as an administrator does not help. The likely cause is WOW64 file system redirection: SBS 2008 is 64-bit only, and a 32-bit application that browses to C:\Windows\System32 is silently shown C:\Windows\SysWOW64 instead, which does not contain the same files. Typing the path as C:\Windows\Sysnative\inetsrv\inetinfo.exe, the alias a 32-bit process can use to reach the real System32, is the usual workaround, assuming the snap-in accepts a typed path.)
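An added example, not part of the original post, that does the legwork of the list above and adds the check a process exclusion really deserves: it searches the Exchange install tree and the relevant Windows folders for every executable name on the list, reports which are present and which are missing, and verifies that each one found carries a valid Microsoft Authenticode signature, because excluding a process from scanning trusts whatever runs under that path from then on. It runs in PowerShell on the SBS 2008 server as an administrator and assumes Exchange is installed under the default Program Files path; since 64-bit PowerShell is not subject to WOW64 redirection, it sees the real System32\inetsrv.

```powershell
# Added example, not part of the original post. Run in PowerShell on the
# SBS 2008 server as an administrator. Assumes the default Exchange path.
$exchangeRoot = Join-Path $env:ProgramFiles 'Microsoft\Exchange Server'
$searchRoots  = @($exchangeRoot,
                  (Join-Path $env:SystemRoot 'System32\inetsrv'),
                  (Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0'))

# Every process name from the exclusion list the post works through
$processNames = @(
    'cdb.exe', 'cidaemon.exe', 'cluster.exe', 'dsamain.exe', 'edgecredentialsvc.exe',
    'edgetransport.exe', 'galgrammargenerator.exe', 'inetinfo.exe', 'mad.exe',
    'microsoft.exchange.antispamupdatesvc.exe', 'microsoft.exchange.cluster.replayservice.exe',
    'microsoft.exchange.contentfilter.wrapper.exe', 'microsoft.exchange.edgesyncsvc.exe',
    'microsoft.exchange.imap4.exe', 'microsoft.exchange.imap4service.exe',
    'microsoft.exchange.infoworker.assistants.exe', 'microsoft.exchange.monitoring.exe',
    'microsoft.exchange.pop3.exe', 'microsoft.exchange.pop3service.exe',
    'microsoft.exchange.search.exsearch.exe', 'microsoft.exchange.servicehost.exe',
    'msexchangeadtopologyservice.exe', 'msexchangefds.exe', 'msexchangemailboxassistants.exe',
    'msexchangemailsubmission.exe', 'msexchangetransport.exe', 'msexchangetransportlogsearch.exe',
    'msftefd.exe', 'msftesql.exe', 'oleconverter.exe', 'powershell.exe', 'sesworker.exe',
    'speechservice.exe', 'store.exe', 'transcodingservice.exe', 'umservice.exe',
    'umworkerprocess.exe', 'w3wp.exe'
)

function Find-ExclusionBinaries {
    $found = @{}
    foreach ($root in $searchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $key = $_.Name.ToLower()
                if (($processNames -contains $key) -and (-not $found.ContainsKey($key))) {
                    $found[$key] = $_.FullName
                }
            }
    }
    foreach ($name in ($processNames | Sort-Object)) {
        if ($found.ContainsKey($name)) {
            # An exclusion whitelists whatever sits at this path, so insist on
            # a valid signature from Microsoft before adding it.
            $sig = Get-AuthenticodeSignature -FilePath $found[$name]
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Name      = $name
                Path      = $found[$name]
                Signature = $sig.Status
                Microsoft = (($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft Corporation*'))
            }
        } else {
            New-Object PSObject -Property @{ Name = $name; Path = '<not found>'; Signature = ''; Microsoft = $false }
        }
    }
}

Find-ExclusionBinaries | Format-Table Name, Microsoft, Signature, Path -AutoSize
```

Anything found with Microsoft set to False should not be excluded until you know why its signature does not check out, and the "<not found>" rows for the Unified Messaging and Edge Transport binaries are the expected result on SBS 2008.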

Tuesday, September 1, 2009

Default gateway disappears on Broadcom NC Series 1Gb integrated NIC in HP ML115 G5 Server

I have an HP ML 115 G5 server using the integrated Broadcom NC Series NIC. The operating system is Windows Small Business Server 2008 Standard Edition. I noticed that the static default gateway set in the TCP/IPv4 settings would disappear after a reboot. All other statically assigned TCP/IP information remained such as the IP, subnet mask and DNS servers. I was using the 12.0.0.x Broadcom drivers supplied by HP and also tried the 11.7.0.x version drivers. I then used the Windows built-in Microsoft Broadcom NetXtreme Gigabit Ethernet driver (date 8/1/2006) version 10.10.0.1 and the symptom did not exist.

The solution for me was to use the HPSUM utility to check for drivers and install version 12.2.0.3 of the HP Broadcom driver. The server now retains the static default gateway information after a reboot.

Saturday, August 29, 2009

Public DNS resolution problems on a Small Business Server 2008 machine; "Standard Query Response, Server Failure"

The problem: When using a Small Business Server 2008 machine as your DNS server, DNS resolution is extremely unreliable and often does not work at all. Using root hints may be somewhat more reliable than using forwarders, which rarely work at all. When inspecting the traffic with a protocol analyzer, the SBS machine queries its forwarders or the root hint servers and either receives no response from them, receives a very delayed response (2 to 6 seconds), or ends up returning "Standard Query Response, Server Failure" (a SERVFAIL response code) to the client.
The solution: DNS packets were being interfered with by a gateway device. In my case it was a LinkSys RV082 firewall/router at the edge of the network. The problem was solved by replacing the device with a SonicWall TZ 180.
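An added diagnostic, not from the original post, for pinning this on the gateway before buying a new one: it pulls the forwarder list and the EDNS setting from the DNS server's own WMI provider, then sends each forwarder and one root server a raw A-record query twice, once as a plain DNS packet and once carrying an EDNS0 OPT record, and reports the response code, answer count and latency for each. The EDNS0 angle is an added caveat the post does not make: Windows Server 2008 DNS sends EDNS0 probes by default, and a gateway that drops or mangles those packets produces exactly the timeout / SERVFAIL pattern described above; if the plain rows succeed and the EDNS0 rows time out, "dnscmd /config /EnableEDnsProbes 0" is the standard workaround until the device is fixed or replaced. It runs in PowerShell 2.0 on the SBS 2008 server as an administrator; the test name and the root server address are assumptions, and any public name or root hint will do.

```powershell
# Added diagnostic, not from the original post. Run in PowerShell 2.0 on the
# SBS 2008 server as an administrator. $testName and $rootServer are assumptions.
$testName   = 'www.microsoft.com'
$rootServer = '198.41.0.4'   # a.root-servers.net

function New-DnsQuery([string]$Name, [bool]$Edns) {
    # Minimal DNS-over-UDP query for an A record, optionally with an EDNS0 OPT record
    $rnd = New-Object System.Random
    $arcount = 0
    if ($Edns) { $arcount = 1 }
    $bytes = @([byte]$rnd.Next(0, 256), [byte]$rnd.Next(0, 256),    # transaction ID
               [byte]0x01, [byte]0x00,                               # flags: recursion desired
               [byte]0, [byte]1, [byte]0, [byte]0, [byte]0, [byte]0, # QDCOUNT 1, ANCOUNT 0, NSCOUNT 0
               [byte]0, [byte]$arcount)                              # ARCOUNT: 1 when OPT is present
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes += [byte]$label.Length
        $bytes += [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    $bytes += [byte[]](0, 0, 1, 0, 1)                  # root label, QTYPE A, QCLASS IN
    if ($Edns) {
        # OPT pseudo-RR: name <root>, type 41, UDP payload size 4096, TTL 0, RDLENGTH 0
        $bytes += [byte[]](0, 0, 41, 0x10, 0, 0, 0, 0, 0, 0, 0)
    }
    return ,[byte[]]$bytes
}

function Test-DnsServer([string]$Server, [string]$Name, [bool]$Edns, [int]$TimeoutMs = 3000) {
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $result = 'TIMEOUT'; $answers = 0; $size = 0
    try {
        $query = [byte[]](New-DnsQuery $Name $Edns)
        [void]$udp.Send($query, $query.Length, $Server, 53)
        $from = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
        $resp = $udp.Receive([ref]$from)
        $size = $resp.Length
        $rcode = $resp[3] -band 0x0F                    # RCODE is the low nibble of the 4th header byte
        $result = switch ($rcode) { 0 {'NOERROR'} 1 {'FORMERR'} 2 {'SERVFAIL'} 3 {'NXDOMAIN'} 5 {'REFUSED'} default {"RCODE$rcode"} }
        $answers = $resp[6] * 256 + $resp[7]            # ANCOUNT
    } catch {
        # Receive throws on timeout: the "no response at all" case from the post
    } finally {
        $sw.Stop()
        $udp.Close()
    }
    New-Object PSObject -Property @{
        Server = $Server; EDNS0 = $Edns; Result = $result
        Answers = $answers; Bytes = $size; Ms = $sw.ElapsedMilliseconds
    }
}

# Forwarders and the EDNS probe setting straight from the DNS server's WMI provider
$dns = Get-WmiObject -Namespace root\MicrosoftDNS -Class MicrosoftDNS_Server
Write-Host ("Forwarders: " + ($dns.Forwarders -join ', '))
Write-Host ("EnableEDnsProbes: " + $dns.EnableEDnsProbes)

$targets = @($dns.Forwarders | Where-Object { $_ }) + $rootServer
$results = foreach ($server in $targets) {
    foreach ($edns in @($false, $true)) {
        Test-DnsServer -Server $server -Name $testName -Edns $edns
    }
}
$results | Format-Table Server, EDNS0, Result, Answers, Bytes, Ms -AutoSize
```

Reading the table: a forwarder that answers NOERROR with Answers greater than 0 in a few tens of milliseconds on both rows is healthy; NOERROR with 0 answers from the root server is normal, since the root only returns a referral. Plain rows that succeed while the EDNS0 rows show TIMEOUT or FORMERR point at the gateway, and multi-second latencies or SERVFAIL on both rows match what the packet capture in the post showed.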