
Thursday, January 21, 2010

How to Configure Change Password for OWA 2003/2007/2010 Mixed Environments

The Change Password feature in OWA breaks when you reconfigure the environment to use Exchange 2007 or Exchange 2010 CAS servers as front-end servers for Exchange 2003 mailbox servers.  This is because the CAS server doesn't have the ASP pages that OWA 2003 links to.

telnetPORT25 wrote a great article explaining the step-by-step process, along with screenshots, to fix this problem.  I'm listing the high-level steps here (mainly to act as my long-term memory).
  • Logon to the Exchange 2007/2010 CAS server
  • Copy the %SystemRoot%\System32\inetsrv\iisadmpwd folder and files from the OWA 2003 FE server to the CAS server's %SystemRoot%\System32\inetsrv folder
  • Open IIS Manager and add a new Virtual Directory off the Default Web Site named IISADMPWD with a physical path of %SystemRoot%\System32\inetsrv\iisadmpwd
  • Right-click the new IISADMPWD virtual directory and select Convert to Application
  • Select the MSExchangeOWAAppPool
  • Restart IIS (iisreset /noforce or select the server in IIS Manager and click Restart)
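Here is the same procedure as a PowerShell script. This is an added example, not code from the telnetPORT25 article or from this post. It assumes IIS 7.x with the WebAdministration module on the CAS server, an elevated PowerShell session, and that the OWA 2003 front-end's administrative share is reachable as \\OWA2003FE (a placeholder name).

```powershell
# Added example: script the IISADMPWD steps on an Exchange 2007/2010 CAS server.
# Assumptions: IIS 7.x with the WebAdministration module, an elevated session, and
# the OWA 2003 front-end reachable as \\OWA2003FE (placeholder; replace with yours).
Import-Module WebAdministration

$sourceFE = '\\OWA2003FE\admin$\System32\inetsrv\iisadmpwd'   # admin$ maps to the remote %SystemRoot%
$target   = Join-Path $env:SystemRoot 'System32\inetsrv\iisadmpwd'
$site     = 'Default Web Site'
$vdir     = 'IISADMPWD'
$appPool  = 'MSExchangeOWAAppPool'

# 1. Copy the iisadmpwd folder and files from the OWA 2003 front-end.
if (-not (Test-Path $target)) {
    Copy-Item -Path $sourceFE -Destination $target -Recurse -ErrorAction Stop
}

# 2./3. Create the virtual directory and convert it to an application in the OWA pool,
#       skipping both when a previous run already did it (safe to re-run).
if (-not (Get-WebApplication -Site $site -Name $vdir)) {
    if (-not (Get-WebVirtualDirectory -Site $site -Name $vdir)) {
        New-WebVirtualDirectory -Site $site -Name $vdir -PhysicalPath $target | Out-Null
    }
    ConvertTo-WebApplication -PSPath "IIS:\Sites\$site\$vdir" -ApplicationPool $appPool
}

# 4. Verify the pool before restarting IIS; in the wrong pool the password-change pages
#    run under a different identity than OWA.
$app = Get-WebApplication -Site $site -Name $vdir
if ($app.applicationPool -ne $appPool) {
    throw "$vdir runs in pool '$($app.applicationPool)', expected '$appPool'"
}
iisreset /noforce
```

Run it once on each CAS server. The existence checks mean a second run only re-verifies the pool and recycles IIS.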


Tuesday, January 19, 2010

How to Fix Internet Explorer Cannot Download FileName from WebServer

You may find that when you link to a file on your web server, Internet Explorer cannot download or open the file.  When the user clicks the link, Internet Explorer returns the generic 404 error, as shown:



They also may receive an error stating, "Internet Explorer cannot download filename.ext from www.server.com.  Internet Explorer was not able to open this Internet site.  The requested site is either unavailable or cannot be found. Please try again later."

This happens when IIS doesn't understand the file extension and associated content type of the file.  Examples of such file extensions are .reg or .gadget.  To fix this problem you must add the extension and MIME type to IIS.

Here's how you do it in IIS 7.0 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2):
  • Open Internet Information Services (IIS) Manager
  • Expand servername > Sites > Default Web Site
  • Select the website you want to configure, or select Default Web Site if you want to configure all websites on the server
  • Double-click MIME Types in the IIS section of the center pane
  • Click Add in the Actions pane
  • Enter the extension you wish to add, including the . prefix (e.g., .reg or .gadget)
  • Enter the MIME type (e.g., text/plain for .reg files or application/x-windows-gadget for .gadget files)
  • Click OK
The changes go into effect immediately - there's no need to restart IIS.

For a quick reference of MIME types, see MIME Type Detection in Internet Explorer.
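The same change from PowerShell, as an added example that is not part of the original post. It assumes IIS 7.x with the WebAdministration module and an elevated session; the function name Add-IisMimeType is my own.

```powershell
# Added example: add a MIME map for an extension in IIS 7.x, server-wide or for one site.
# Assumes the WebAdministration module (IIS 7/7.5) and an elevated session.
Import-Module WebAdministration

function Add-IisMimeType {
    param(
        [Parameter(Mandatory = $true)][string]$Extension,   # e.g. '.reg'
        [Parameter(Mandatory = $true)][string]$MimeType,    # e.g. 'text/plain'
        # Server level (all sites); pass 'IIS:\Sites\Default Web Site' to affect one site only.
        [string]$PSPath = 'MACHINE/WEBROOT/APPHOST'
    )
    if (-not $Extension.StartsWith('.')) { $Extension = ".$Extension" }
    $filter = 'system.webServer/staticContent'

    # IIS rejects a duplicate fileExtension entry, so look before adding.
    $existing = Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name 'Collection' |
        Where-Object { $_.fileExtension -eq $Extension }
    if ($existing) {
        Write-Host "$Extension is already mapped to $($existing.mimeType) at $PSPath"
        return
    }

    Add-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name '.' `
        -Value @{ fileExtension = $Extension; mimeType = $MimeType }
    Write-Host "Mapped $Extension -> $MimeType at $PSPath"
}

# The two extensions from the post:
Add-IisMimeType -Extension '.reg'    -MimeType 'text/plain'
Add-IisMimeType -Extension '.gadget' -MimeType 'application/x-windows-gadget'
```

Only map extensions you actually intend to serve as static downloads: a MIME map makes IIS hand the file to any anonymous client, so add it per site when only one site needs it.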


Exchange 2010 DAG Replication Port

Michel de Rooij, a Dutch technology consultant, posted a nice concise article about the port used by Exchange 2010 for DAG replication.
"... the port used for DAG log shipping and seeding, which is 64327 by default. Looking back at Exchange 2007 this is good; the port is static and DAGs use regular TCP, where CCR/SCR in Exchange 2007 uses 445 for log shipping (over SMB) and a dynamic port for seeding. And if it's two things some network people hate it's SMB and dynamic ports. On the other hand, 64327 is in the dynamic range defined by IANA; according to IANA dynamic ports cannot be registered (claimed).
Fortunately, the port can be changed when required. To change the port for a DAG use the Set-DatabaseAvailabilityGroup cmdlet with the ReplicationPort parameter like this, where can be any number between 1 and 65535:
Set-DatabaseAvailabilityGroup -Identity DAGID -ReplicationPort

Note that Exchange will not adjust the Windows Firewall rules accordingly, so you need to create a firewall exception on each DAG member to make replication work. Even better, you should do this before changing the DAG port to prevent interrupting the replication longer than necessary."
For a full list of the ports used by Exchange 2010, see the Exchange Network Port Reference.
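Putting the quoted advice into one script, firewall exception first and port change second, as an added example that is not from Michel's article or this post. It assumes the Exchange Management Shell, a DAG named DAG1 (placeholder), that the members accept PowerShell remoting for Invoke-Command, and that the built-in netsh advfirewall command manages the Windows Firewall on them.

```powershell
# Added example: move a DAG to a new replication port, opening the firewall first.
# Assumptions: Exchange Management Shell; DAG named DAG1 (placeholder); members accept
# PowerShell remoting; Windows Firewall is managed with the built-in netsh advfirewall.
$dagName = 'DAG1'
$newPort = 64328      # constructed value; any unused port between 1 and 65535

$dag     = Get-DatabaseAvailabilityGroup -Identity $dagName
$oldPort = $dag.ReplicationPort
$members = $dag.Servers | ForEach-Object { $_.Name }
Write-Host "DAG $dagName replicates on TCP $oldPort; members: $($members -join ', ')"

# 1. Allow the new port inbound on every member BEFORE Exchange starts using it, so
#    replication is interrupted for as short a time as possible.
$ruleName = "Exchange DAG replication TCP $newPort"
Invoke-Command -ComputerName $members -ArgumentList $ruleName, $newPort -ScriptBlock {
    param($name, $port)
    netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=TCP localport=$port | Out-Null
    "$env:COMPUTERNAME: inbound TCP $port allowed"
}

# 2. Change the port on the DAG object (one setting, applies to all members).
Set-DatabaseAvailabilityGroup -Identity $dagName -ReplicationPort $newPort

# 3. Verify the setting and that copies are still healthy before removing the rule
#    for the old port. Status should be Healthy/Mounted with a low CopyQueueLength.
(Get-DatabaseAvailabilityGroup -Identity $dagName).ReplicationPort
foreach ($m in $members) {
    Get-MailboxDatabaseCopyStatus -Server $m |
        Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize
}
# Only after that, remove any firewall rule you had for $oldPort on each member.
```

If copies do not return to Healthy after the change, restart the Microsoft Exchange Replication service (MSExchangeRepl) on the members one at a time and re-run the status check.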


Tuesday, January 5, 2010

How to Enable Reverse DNS Lookup in IIS



This article explains how to enable reverse Domain Name System (DNS) lookup for all versions of Internet Information Services (IIS).

When reverse DNS lookups are enabled on the web server, the IP address of each web client that connects to the IIS server is resolved to a DNS name, and the DNS name instead of the web client IP address is placed in the IIS log files.  Enabling reverse DNS also affects what CGI and ISAPI extensions see as a value of the Remote_Host variable.

Microsoft KB article 297795 gives a step-by-step demonstration of how to enable RDNS for IIS4, IIS5 and IIS6, but all you need to do is run the following at a command prompt from the AdminScripts folder (%SystemDrive%\Inetpub\AdminScripts):

For IIS4 run:
adsutil set w3svc/EnableReverseDNS TRUE
For IIS5 and IIS6 run:
cscript adsutil.vbs set w3svc/EnableReverseDNS "TRUE"
In IIS7, you must install the IP and Domain Restrictions role service for the Web Server (IIS) role.  You can do this in Server Manager or from the command line using the following command:
ServerManagerCMD -install Web-IP-Security
In Windows Server 2008 R2, ServerManagerCMD.exe is deprecated and has been replaced by the ServerManager PowerShell cmdlets.  The following two cmdlets install the IP and Domain Restrictions role service:
Import-Module ServerManager
Add-WindowsFeature Web-IP-Security
Now that the role service is installed, you can configure reverse DNS lookups, as follows:
  • Open Internet Information Services (IIS) Manager.
  • Navigate to the Server Name in the Connections pane.  If you only want to enable reverse lookups on a particular website, navigate to that website.
  • Double-click IP Address and Domain Restrictions in the center pane and click Edit Feature Settings in the Actions pane.
  • Put a checkmark in Enable domain name restrictions and click OK.
You will see the following warning:
Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance. Are you sure you want to enable restrictions based on domains?
Clicking Yes will enable reverse lookups for all clients connecting to the web server.  I have not noticed any more than a 1-2% increase in CPU performance and the websites are just as performant as before.

Each of these changes goes into effect immediately.  There is no need to restart IIS.
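The IIS7 steps above scripted, as an added example that is not part of the original post. It assumes Windows Server 2008 R2 (ServerManager and WebAdministration modules) and an elevated session; the "Enable domain name restrictions" checkbox corresponds to the enableReverseDns attribute of the ipSecurity configuration section.

```powershell
# Added example: enable reverse DNS lookups on IIS 7.x from PowerShell.
# Assumes Windows Server 2008 R2 (ServerManager + WebAdministration modules), elevated.
Import-Module ServerManager
Import-Module WebAdministration

# 1. Install the IP and Domain Restrictions role service if it is missing.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Add-WindowsFeature Web-IP-Security | Out-Null
}

# 2. Turn on reverse DNS. 'MACHINE/WEBROOT/APPHOST' is the server level (all sites);
#    use -PSPath 'IIS:\Sites\Default Web Site' instead to limit it to one website.
$filter = 'system.webServer/security/ipSecurity'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter `
    -Name enableReverseDns -Value $true

# 3. Verify; takes effect immediately, no iisreset needed.
(Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name enableReverseDns).Value
```

Two things to plan for once this is on: anything that parses the IIS logs and expects an IP address in the client field now gets a host name, and that name comes from a PTR record controlled by whoever owns the client's address space, so treat it as descriptive, not as an identity.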


Friday, January 1, 2010

How to Create a Boot VHD Step By Step

Windows 7 and Windows Server 2008 R2 allow you to create a bootable VHD (virtual hard disk) with its own operating system (also called Native Boot).  This is really useful when you need to run another operating system or platform on the same hardware.
Note: Native Boot is limited to the following operating systems: Windows 7 Enterprise (x86 or x64), Windows 7 Ultimate (x86 or x64), and Windows Server 2008 R2.
For example, my Dell workstation normally runs Windows 7 Ultimate x64.  I wanted to update the BIOS from Dell's support site, but the BIOS installer won't run in x64 operating systems.  I also wanted to update the firmware on my Parrot Minikit Slim bluetooth car kit, but the USB driver for the P5+ USB Stage1 device is only available for x86 computers.

In previous versions of Windows, the solution would be to make a dual-boot system.  The problem with this is that you and Windows will need to contend with similarly named folders (e.g., \Windows and \Program Files).  A bootable VHD is a discrete virtual disk that contains its own OS.  The single VHD file can reside on your normal disk drive (for example, C: or D:), or even a USB drive.  The VHD will contain its own file structure, but you can still access the physical drives, folders and devices on the parent computer.

The walkthrough I'm documenting here will create a bootable VHD file that runs Windows 7 Enterprise x86.  Let's get started.

Creating the VHD Drive
  • First, start up and login to the parent operating system (in my case, Windows 7 Ultimate x64).
  • Open Computer Management in Administrative Tools
  • Expand Storage and click Disk Management. You will see your normal physical drives.
  • Right-click Disk Management and select Create VHD
  • Enter the file path and name, size, and format for the VHD as shown below:
  • Here, I'm creating a 20GB dynamically expanding VHD named D:\Win7x86.vhd.  A dynamic disk will start off very small (~42KB) and will grow as data is written to it, up to the maximum size specified (20GB).  Microsoft has made huge improvements in the performance of dynamic VHDs in Windows 7 and Windows Server 2008 R2, so they perform nearly the same as fixed size disks.
  • Click OK to create and mount the VHD volume.  The new disk will be listed in the bottom pane of the Disk Management console as an Unknown Disk.
  • Right-click the Unknown Disk and select Initialize Disk, as shown here:
  • Click OK to initialize the disk with an MBR partition.
  • Now right-click the Unallocated disk and create a New Simple Volume.  The New Simple Volume Wizard will run.  Assign the new volume as drive X:, give it the volume name, Win7x86, and quick format it with the NTFS file system.  The new volume will be displayed in Disk Management and the D:\Win7x86.vhd file will grow to about 77MB.
You now have a new 20GB virtual hard disk, drive X:.  Next, we will prepare the disk to install Windows 7 Enterprise x86.

Preparing the VHD for the New Operating System
  • First, you need to download and install the Windows Automated Installation Kit (WAIK) for Windows 7 from Microsoft.  Be aware that this is a 1.7GB ISO and can take some time to download.  Burn the ISO to a DVD or mount it using virtual CD-ROM software like UltraISO, PowerISO, etc., and then install WAIK.
  • Open a CMD prompt as Administrator and change to the %SystemDrive%\Program Files\Windows AIK\Tools\ folder.  In my case, this is C:\Program Files\Windows AIK\Tools\amd64.
  • Mount the Windows 7 Enterprise Edition x86 media.  In my case, this is on the DVD drive E:
  • Run the following command to prepare drive X: for the new operating system:

imagex /apply E:\sources\install.wim 1 X:\
  • Imagex will apply the Windows 7 binaries to the VHD drive X:.  The 1 specifies that the operating system is Enterprise Edition.  The application will begin, as shown below:
  • Imagex application normally takes about 7-8 minutes, despite what the progress bar shows.  When it completes, you will see several new folders on drive X:
  • Now you need to detach the VHD disk.  In Disk Management, right-click the VHD disk and select Detach VHD, as shown below:
  • You will notice that the D:\Win7x86.vhd file has grown to about 5.5GB.
We now have a VHD with the Windows 7 Enterprise x86 files installed on it.  We need to configure the computer so that it can boot to the VHD and complete the installation of Windows 7.

Adding the VHD to the Boot Menu
  • Open an elevated CMD prompt and enter the following command:

bcdedit /copy {current} /d "Windows 7 Enterprise x86"
  • This will return the GUID of the new loader object.  Substitute that GUID for {guid} in the following commands:
bcdedit /set {guid} device vhd=[driveletter:]\vhdpath\vhdfilename

bcdedit /set {guid} osdevice vhd=[driveletter:]\vhdpath\vhdfilename

bcdedit /set {guid} detectHAL on

The detectHAL command is used to force Windows to auto-detect the hardware abstraction layer. The commands I used are shown below:
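The same three bcdedit steps as one script that captures the GUID for you instead of pasting it by hand. This is an added example, not part of the original post; it assumes an elevated PowerShell prompt and the VHD path from this walkthrough, D:\Win7x86.vhd.

```powershell
# Added example: create the boot entry and capture the GUID bcdedit /copy returns.
# Assumes an elevated prompt and the VHD from the walkthrough (D:\Win7x86.vhd).
$vhdPath     = 'D:\Win7x86.vhd'
$description = 'Windows 7 Enterprise x86'

# bcdedit /copy prints "The entry was successfully copied to {guid}."; extract the GUID.
$copyOutput = (bcdedit /copy '{current}' /d $description) -join ' '
if ($copyOutput -notmatch '\{[0-9a-fA-F-]{36}\}') { throw "bcdedit /copy failed: $copyOutput" }
$guid = $Matches[0]

# bcdedit wants the drive letter in square brackets: vhd=[D:]\Win7x86.vhd
$drive   = Split-Path -Qualifier $vhdPath          # 'D:'
$rest    = $vhdPath.Substring($drive.Length)       # '\Win7x86.vhd'
$vhdSpec = "vhd=[$drive]$rest"

bcdedit /set $guid device   $vhdSpec
bcdedit /set $guid osdevice $vhdSpec
bcdedit /set $guid detecthal on

# Show the finished entry so it can be checked before rebooting.
bcdedit /enum $guid
```

If the new entry ever needs to go, bcdedit /delete with the same GUID removes it without touching the default entry.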




Completing the Installation

Now we are ready to boot from the VHD. When you restart the computer you will see a new entry in the boot menu for Windows 7 Enterprise x86, along with the default Windows 7 or Windows Server 2008 R2 option.

Restart the computer and select the new Windows 7 Enterprise x86 option to complete the installation of Windows 7. The first time the new OS starts, the install process will install needed device drivers and restart the computer. The second time you start the OS, the mini-setup process will walk you through configuring the user name, password, computer name, and the network settings.

Congratulations! You have completed the boot to VHD process.


Wednesday, December 30, 2009

Really, Really Good Advice

Sriram Krishnan works on the Windows Azure team at Microsoft. He recently published a post, Stuff I've learned at Microsoft, which gives great advice and commentary on things he learned in his five+ years at Microsoft.

I highly recommend taking a few minutes to read it.


Tuesday, December 29, 2009

TechEd Holiday Discount Ends Soon!

There are only a few days left to register for TechEd North America 2010 and receive the $300 holiday discount. This discount is an extra $100 off the early bird discount and is scheduled to end on 12/31/2009.

At TechEd, you can learn about today’s cutting edge trends, helping make life easier for you (and everyone else) at work. But the most important benefit just might be the networking: you can build personal connections with Microsoft experts and peers that will last far beyond TechEd.

I'll be there. Will you?


Hotfix ID – What Does This GUID Stand For?

Recently, I came across a problem when running the Cluster Validation Wizard where the two nodes did not match in the Validate Software Update Levels section.

You must run the Validate test on fully configured solutions before you configure the Failover Cluster to verify the proposed solution. All tests must pass with either a green checkmark (passed) or a yellow yield sign (warning), in order to obtain product support from Microsoft. See the Microsoft Support Policy for Windows Server 2008 Failover Clusters.

The yellow yield sign indicates that this particular aspect of the proposed solution is not in alignment with Microsoft best practices. However, this aspect will still work and will be considered a supported configuration. Personally, I never deploy a production cluster unless I get a completely green result.

As shown above, one of the Windows Server 2008 servers was indicating a warning of "Software Updates missing on 'servername'", and the missing updates are listed only as GUIDs, with no description.

I searched the Interwebs for anything related to either GUID, with no luck. Then I came across a nifty script by Guy Teverovsky, a Premier Field Engineer for Platforms at Microsoft Israel. You run the script on the node that's missing the updates.

Here's the syntax:

C:\>cscript GetPatchInfo.vbs /?
Displays details of installed patches/hotfixes
Usage: cscript GetPatchInfo.vbs [/guid:]
/guid: The GUID of the hotfix
Running the script without parameters will enumerate all
the patches installed.

Sample output:

C:\>cscript GetPatchInfo.vbs /guid:{47740627-D81D-4A45-A215-03B075A18EC7}
-------------------------------------------------------
Patch Name: Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Patch Code: {47740627-D81D-4A45-A215-03B075A18EC7}
More Info URL: http://support.microsoft.com/kb/937162
Patch State: Installed
Product Code: {90120000-00A4-0409-0000-0000000FF1CE}
Product Name: Microsoft Office 2003 Web Components

I'm also hosting the script here on my blog, just in case it becomes unavailable from his site sometime in the future.

Download GetPatchInfo.zip

In my case, the GUIDs {DEBD1C94-5AAB-4E46-A130-359A52D2bb65} and {2B3A711E-1265-4D05-ACBB-B7677EA6E860} refer to the SCOM 2007 agent, which was missing on one of the nodes.
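The same lookup in PowerShell, as an added example that is not Guy's script. The GUIDs in the validation report are Windows Installer patch codes, so the WindowsInstaller.Installer COM object can resolve them to the same fields GetPatchInfo.vbs prints. PowerShell cannot call that object's members directly (its type information is not exposed), hence the InvokeMember calls; the function name Get-MsiPatchInfo is mine, and [pscustomobject] needs PowerShell 3.0 or later.

```powershell
# Added example: resolve Windows Installer patch GUIDs to names, the same data
# GetPatchInfo.vbs prints, via the WindowsInstaller.Installer COM object.
# Late binding is required from PowerShell, hence InvokeMember. PowerShell 3.0+.
function Get-MsiPatchInfo {
    param([string]$PatchCode)   # e.g. '{47740627-D81D-4A45-A215-03B075A18EC7}'; omit to list all

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $it = $installer.GetType()
    # PatchesEx(ProductCode, UserSid, Context, Filter): '' = all products, 's-1-1-0' = all
    # users, 7 = per-user managed + per-user unmanaged + per-machine, 15 = every patch state.
    $patches = $it.InvokeMember('PatchesEx', 'GetProperty', $null, $installer, @('', 's-1-1-0', 7, 15))

    foreach ($p in $patches) {
        $pt   = $p.GetType()
        $code = $pt.InvokeMember('PatchCode', 'GetProperty', $null, $p, $null)
        if ($PatchCode -and $code -ne $PatchCode) { continue }   # -ne is case-insensitive
        $product = $pt.InvokeMember('ProductCode', 'GetProperty', $null, $p, $null)
        try   { $productName = $it.InvokeMember('ProductInfo', 'GetProperty', $null, $installer, @($product, 'ProductName')) }
        catch { $productName = '(product not registered in this context)' }

        [pscustomobject]@{
            PatchName   = $pt.InvokeMember('PatchProperty', 'GetProperty', $null, $p, @('DisplayName'))
            PatchCode   = $code
            MoreInfoURL = $pt.InvokeMember('PatchProperty', 'GetProperty', $null, $p, @('MoreInfoURL'))
            State       = $pt.InvokeMember('State', 'GetProperty', $null, $p, $null)  # 1 applied, 2 superseded, 4 obsoleted
            ProductCode = $product
            ProductName = $productName
        }
    }
}

# One GUID from the Cluster Validation warning:
Get-MsiPatchInfo -PatchCode '{47740627-D81D-4A45-A215-03B075A18EC7}'
# Or everything, for comparing the two cluster nodes:
# Get-MsiPatchInfo | Sort-Object PatchCode | Export-Csv "$env:COMPUTERNAME-patches.csv" -NoTypeInformation
```

Run the CSV export on both nodes and Compare-Object the two files on PatchCode; the rows present on only one node are the updates the wizard is complaining about.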


Tuesday, December 22, 2009

Fix for Cannot Logon to OWA Using ISA 2004

A client had a problem where users could not log on to Outlook Web Access (AKA OWA or Webmail) from the Internet. Users would get the logon page, but would be returned to the same logon page after entering their correct username and password.

Accessing OWA from the internal network would present the same logon page, but the user can successfully log on and access their mailbox. It turns out that the fact that they get the same logon page internally is a clue to the solution. Internal (non-ISA) users will only see the OWA logon page if Exchange is configured to use Forms Based Authentication (FBA). In order for ISA to work properly with OWA, Exchange should NOT be configured for FBA. FBA should be configured only on the ISA server.

Here's how the two systems should be configured:
  • Install the Exchange server's SSL certificate in the ISA computer's Personal certificate store
  • On the ISA server, configure a Mail Server Publishing firewall rule to allow External users to access the OWA server using HTTPS. Configure an OWA web Listener for HTTPS using the Exchange server's SSL certificate that you imported. Configure the Listener's authentication to use OWA Forms-Based. Ensure that ISA is redirecting requests to the SSL port 443 on the Bridging tab.
  • Ensure that the Exchange server is NOT using Forms Based Authentication. In Exchange System Manager, go to [OrgName] > Administrative Groups > [AdminGroup] > Servers > [ServerName] > Protocols > HTTP. View the properties of the Exchange Virtual Server. Clear the Enable Forms Based Authentication checkbox on the Settings tab.

The customer was using ISA 2004 in front of Exchange 2003, but I assume this problem/solution will also occur with ISA 2006.


Tuesday, November 24, 2009

NTFS Inheritance Rule Change

Up until recently, NTFS permissions have followed these inheritance rules:

  • If a file or folder is copied to some other location, it will inherit the new location's NTFS permissions.
  • If a file or folder is moved to some other location on a different disk drive, it will inherit the new location's NTFS permissions.
  • If a file or folder is moved to some other location on the same disk drive, it will retain the original location's NTFS permissions.

One of the NTFS inheritance rules changed in Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7. Now if you move a file or folder, it will inherit the new location's NTFS permissions, even if the new location is on the same disk drive. This is a radical shift that you need to take into account when you're moving files.

You can find a reference to this change in the Notes section in the Microsoft article "Inherited permissions are not automatically updated when you move folders".

Thanks to Murat Yildirimoglu, an MCSE and MCT in Istanbul, Turkey, for the article.


Wednesday, November 18, 2009

How to Test LDAP over SSL Connections

This article explains how to test that a directory server (typically, a Domain Controller or ADLDS server) is configured properly for LDAP/SSL connections. The tools described work with Windows-based systems (Windows XP and above).

First, you will need the LDP.exe utility. LDP is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory, ADLDS or ADAM.

LDP can be found for different platforms in the following locations:

To test LDAP over SSL connections, do the following:

  • Run the LDP utility (typically, click Start > Run > LDP)

  • In the LDP menu, click Connection > Connect

  • Enter the directory server name or IP address, the port (typically, 636 for secure LDAP), and check the SSL checkbox, as shown below, then click OK:


  • If the connection is successful, you will see a list of output similar to this:

  • Note that the connection string in the title of the LDP window indicates that the connection is made using SSL.
  • If you get an error saying, "Cannot open connection," LDP cannot establish a secure connection to the directory server. In this case, it's very likely that the server is not configured properly for LDAP over SSL. Verify the server name/IP address and port number. You can also use the Portqry tool to verify that the directory server is listening on the correct port. Use "portqry /n servername /e 636" to check that servername is listening on endpoint (port) 636.

  • The following LDP output indicates that the connection failed because the certificate used in the SSL connection cannot be trusted:

ld = ldap_sslinit("dc01", 636, 1);
Error <0x0> = ldap_set_option(hLdap,LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: {empty}
Error <0x51>: Fail to connect to dc01.

I found a cool utility on Novell's website that can be used to view the SSL certificate on a remote directory server. Download the View Directory Certificate utility and extract the files to a temporary folder. Then run ViewDirCert.exe:

Specify the directory server or IP address and click View Certificate. The certificate details will be displayed in a new window. If the certificate was generated by an untrusted Certificate Authority (CA) or is a self-signed cert that the host does not trust, you will see a warning as shown below:

You can configure the host to trust this certificate either by adding the CA's certificate to the local machine's Trusted Root Certification Authorities store or, for a self-signed certificate, by importing that certificate into the same store.
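A scripted version of the two checks above (is the port answering, and what certificate does it present), as an added example that is neither LDP nor the Novell utility. It works at the TLS layer only, without an LDAP bind, using .NET's SslStream; the server name dc01 and port 636 from the LDP output are placeholders, the function name Test-LdapsCertificate is mine, and [pscustomobject] needs PowerShell 3.0 or later.

```powershell
# Added example: test an LDAP-over-SSL endpoint and show the certificate it presents plus
# why Windows does or does not trust it. TLS layer only; no LDAP bind is attempted.
# Assumptions: dc01/636 are placeholders; PowerShell 3.0 or later.
function Test-LdapsCertificate {
    param([string]$Server = 'dc01', [int]$Port = 636, [int]$TimeoutMs = 5000)

    # Port check, the portqry part: connect with a timeout instead of hanging.
    $client = New-Object System.Net.Sockets.TcpClient
    $async  = $client.BeginConnect($Server, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.Close()
        return [pscustomobject]@{ Server = $Server; Port = $Port; Listening = $false; Error = 'connect timeout' }
    }
    $client.EndConnect($async)

    # Record the chain result instead of failing so it can be reported. Accepting the
    # certificate here is harmless because nothing is sent over the connection afterwards.
    $script:sslPolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $policyErrors)
        $script:sslPolicyErrors = $policyErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        try { $ssl.AuthenticateAsClient($Server) }
        catch {
            return [pscustomobject]@{ Server = $Server; Port = $Port; Listening = $true
                                      Error = "no TLS handshake: $($_.Exception.Message)" }
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server      = $Server
            Port        = $Port
            Listening   = $true
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            Thumbprint  = $cert.Thumbprint
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            # None = this host trusts it. RemoteCertificateChainErrors = untrusted CA or
            # self-signed, the case LDP reports as 0x51 above. RemoteCertificateNameMismatch
            # = the name you connected with is not in the certificate.
            TrustErrors = $script:sslPolicyErrors
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

Test-LdapsCertificate -Server 'dc01' | Format-List
```

Connect with the same name your applications use: a certificate that is trusted but issued for a different name still fails validation in real clients, and the TrustErrors field shows that as a name mismatch rather than a chain error.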


Wednesday, November 11, 2009

Speed up Outlook 2007 Access

I've heard several clients complain that Outlook 2007 takes too long to start up compared to previous versions of Outlook. In most cases I've found that this is because Outlook 2007 is configured to connect to Exchange using Outlook Anywhere, even on their corporate LAN/WAN.


Here's how to correct this:

  • Open Outlook and click Tools > Account Settings, or in Control Panel open Mail and click E-mail Accounts.
  • Double-click the Email account name that's using Exchange to edit its properties
  • Click the More Settings button
  • Click the Connection tab
  • Clear the Outlook Anywhere checkbox that reads, Connect to Microsoft Exchange using HTTP
  • Click OK > Next > Finish
  • Restart Outlook


Friday, November 6, 2009

Fix for 'The server name is invalid' error when installing Exchange 2007 Management Tools


You may receive the following error when installing the Exchange 2007 management tools on a computer:

Error:
The server name is invalid. It contains characters other than 'A'-'Z', 'a'-'z', '0'-'9' and "-".

While the error indicates that the problem is with the server, it's actually with the name of the local computer where the Exchange 2007 management tools are being installed. The most common reason for this I've seen is an underscore "_" in the local computer name.

The fix for this is to replace the exbpa.prereqs.xml file on the Exchange Server 2007 installation source with the RTM version of the file.  Here are the steps to do this:
  • Download the RTM version of exbpa.prereqs.xml from this blog (right-click the link and choose Save target as...) and save it to a temporary location
  • Disable automatic updating for Exchange 2007 setup. Otherwise, setup will automatically download the most recent version of the file and replace it. Run the following command at the CMD prompt:
reg add "HKCU\Software\Microsoft\Exchange\ExBPA" /v "VersionCheckAlways" /t REG_DWORD /d 0 /f
  • Copy the exbpa.prereqs.xml file you downloaded earlier to the \setup\serverroles\common\en folder on your Exchange 2007 installation media.
  • Now run setup and install the Management Tools, as usual.  You will still see the same error message, as shown above, but you will see an Install button instead of a Retry button.
When the installation is complete, remove the VersionCheckAlways registry value to re-enable the automatic update feature using the following command:

reg delete "HKCU\Software\Microsoft\Exchange\ExBPA" /v "VersionCheckAlways" /f
Keep in mind that you may have to do this same procedure again in future update rollups and/or service pack updates.


Fix for Remote Desktop Gateway authentication error from clients

If you use Remote Desktop Gateway Manager (formerly, Terminal Services Gateway) in Windows Server 2008 R2, you may find that Windows clients are unable to authenticate to the RD Gateway server.

This happens because the default configuration in Windows Server 2008 R2 Remote Desktop Gateway is to request that clients send a statement of health before the connection can be made. If this option is selected and you do not have a Remote Desktop connection authorization policy (RD CAP) for Network Access Protection (NAP) configured, clients will be unable to connect to the RD Gateway. They will repeatedly be prompted for Gateway Server Credentials as shown below:



To fix this issue, ensure that you have a valid statement of health configured in NAP. Alternatively, as in the case of clients that cannot or do not provide a statement of health (I'm looking at you, Windows XP), you can disable requesting statements of health entirely. Here's how to do that:
  • Log on to the Remote Desktop Gateway computer and open the RD Gateway Manager (Start > Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager)
  • Right-click the RDG server and select Properties
  • Click the RD CAP Store tab and clear the checkbox for "Request clients to send a statement of health", as shown below and click OK.

It may take a moment for the change to go into effect. Occasionally, I've had to restart the Remote Desktop Services service.


Friday, October 30, 2009

How to Use a Recovery Database in Exchange 2010

This is another in my series of articles on Exchange 2010.  In this post I'll be writing about the Recovery Database feature in Exchange 2010.

Exchange 2010 no longer has the notion of Storage Groups, which were used in Exchange 2007 and 2003 to contain logical groupings of databases.  E2010 now simply lets you create databases on mailbox servers.  E2010 Standard Edition lets you create up to 5 databases per server. The Enterprise Edition scales up to 100 databases per server.

In Exchange 2003/2007 you could restore a database "on top" of an original database to replace the existing database, or you could restore the database "alongside" the existing database to recover select mailboxes or items.  You can do the same thing with Exchange 2010.  The difference is that in Exchange 2003/2007, you created a Recovery Storage Group (RSG) to restore the database into.  In Exchange 2010, you simply restore the database and connect to it as a Recovery Database (RDB).  Here's how you do it in Exchange 2010.
Note: Ross Smith IV has a great article on single item recovery in Exchange 2010.  This assumes that the item can be recovered from the dumpster.  This article covers how to restore from a backup when the item cannot be recovered from the dumpster.  For example, on the rare occasion when a user realizes he/she deleted a folder or item past the dumpster retention period.
First, you have to have a good backup that contains the item to be recovered.  Windows Server 2008 and Windows Server 2008 R2 have the built-in Windows Server Backup feature.  I cover how to use WSB to backup Exchange here.

Now you must restore the data, but redirect it to another location.  In Windows Server Backup, this is done by choosing to recover the Exchange application (detailed in my previous article) and recovered to another location.  Typically, this is a new folder on the same Exchange server:



Once the recovery is complete, the database (EDB file) and transaction logs (LOG files) will reside in the new D:\Recovery folder.  Note that WSB will not create this folder; it must already exist.

Now you need to add this database to the Exchange mailbox server as a Recovery Database. Currently, this is done using the Exchange Management Shell (EMS), as there is no way to do this from the GUI.  Run the following command to create a Recovery Database:
New-MailboxDatabase -Recovery -Name RDB1 -Server EX1 -EdbFilePath "D:\Recovery\Mailbox Database 1882717321.edb" -LogFolderPath "D:\Recovery"
This will cause Exchange to create a new recovery database named RDB1 on server EX1 using the database and logs in D:\Recovery.  Once this command is run, you will see the recovery database in the Exchange Management Console (EMC), but it must be brought into a clean shutdown state before it can be mounted.

To bring the database into a clean shutdown state, use ESEUTIL /R to perform a recovery of the database.  Often, I've seen that Exchange is unable to perform a successful recovery, giving the following error:
Operation terminated with error -1216 (JET_errAttachedDatabaseMismatch, An outstanding database attachment has been detected at the start or end of recovery, but database is missing or does not match attachment info) after 11.625 seconds.
In these cases, I have run an ESEUTIL /P (repair) to force the database into consistency.  Once the database has been successfully recovered or repaired, mount the database in EMC or using the Mount-Database cmdlet.

Now we're ready to recover deleted items from the recovery database.  In order to do this, though, you need Organization Management rights in Exchange 2010.  The following are cmdlet examples for recovering items from the RDB:

This example restores a mailbox for user Keith Johnson, overwriting the existing mailbox:
Restore-Mailbox -ID 'Keith Johnson' -RecoveryDatabase RDB1
This example restores Keith Johnson's mailbox content into an Investigation mailbox:
Restore-Mailbox -ID 'Keith Johnson' -RecoveryDatabase RDB1 -RecoveryMailbox Investigation
This example restores only the mail with the word "contract" in the subject and the word "CompanyABC" in the body of the message from the Inbox or Saved folders.
Restore-Mailbox -ID 'Keith Johnson' -RecoveryDatabase RDB1 -SubjectKeywords 'contract' -ContentKeywords 'companyabc' -IncludeFolders \Inbox,\Saved
There are a lot of different options in the Restore-Mailbox cmdlet and recovery databases that make it a powerful tool for recovery.  Take the time to learn them before you need to use them.
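The recovery-database steps above as one script, with the database header checked before deciding whether a recovery (or, as the last resort described above, a repair) is needed. This is an added example and not part of the original post. It assumes the Exchange Management Shell, the names used in the post (RDB1, EX1, D:\Recovery and "Mailbox Database 1882717321.edb"), and the log prefix E00, which is an assumption: read the actual prefix from the log file names in D:\Recovery. The helper Get-EdbState is mine.

```powershell
# Added example: create and mount an Exchange 2010 Recovery Database with the header
# state checked first. Assumes the Exchange Management Shell and the names from the post;
# the log prefix E00 is an assumption (check the log file names in the recovery folder).
$rdbName   = 'RDB1'
$server    = 'EX1'
$recovery  = 'D:\Recovery'
$edb       = Join-Path $recovery 'Mailbox Database 1882717321.edb'
$logPrefix = 'E00'

function Get-EdbState([string]$Path) {
    # eseutil /mh dumps the header; its "State:" line reads Clean Shutdown or Dirty Shutdown.
    foreach ($line in (eseutil /mh $Path)) {
        if ($line -match '^\s*State:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

$state = Get-EdbState $edb
Write-Host "Header state before recovery: $state"
if ($state -ne 'Clean Shutdown') {
    # Soft recovery: replay the restored logs into the database.
    eseutil /r $logPrefix /l $recovery /d $recovery
    $state = Get-EdbState $edb
    if ($state -ne 'Clean Shutdown') {
        # Last resort from the post: a hard repair discards what cannot be recovered,
        # so only do this on the restored copy, never on a production database.
        eseutil /p $edb /o
        $state = Get-EdbState $edb
    }
}
if ($state -ne 'Clean Shutdown') { throw "Database is still '$state'; not creating the RDB" }

# Create the RDB (skipped if a previous run already did) and mount it.
if (-not (Get-MailboxDatabase -Identity $rdbName -ErrorAction SilentlyContinue)) {
    New-MailboxDatabase -Recovery -Name $rdbName -Server $server `
        -EdbFilePath $edb -LogFolderPath $recovery | Out-Null
}
Mount-Database -Identity $rdbName

# Restore only the matching items from the Inbox and Saved folders (the third example above).
Restore-Mailbox -Identity 'Keith Johnson' -RecoveryDatabase $rdbName `
    -SubjectKeywords 'contract' -ContentKeywords 'companyabc' -IncludeFolders '\Inbox','\Saved'
```

When you are done, Dismount-Database and Remove-MailboxDatabase on RDB1 leave the restored files in D:\Recovery for you to delete; an RDB left mounted is a second, unmonitored copy of users' mail.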


How to Backup Exchange 2010 RTM at Release Timeframe


As with any other major release of Exchange, there will be a gap in third-party vendor support for Exchange 2010 when it is released to general availability next month.

One of those gaps will be supported backup solutions for Exchange 2010.  Thankfully, Microsoft recognized this and added VSS backup support to the built-in Windows Server Backup feature in both Windows Server 2008 and Windows Server 2008 R2.  This capability was introduced in Exchange 2007 SP2 and Exchange 2010 RTM, allowing you to back up Exchange 2007 SP2 and Exchange 2010 using a native VSS application provider.

Exchange automatically registers its application provider in VSS when Exchange 2010 is installed or when the Exchange 2007 server is upgraded to SP2.  This happens even if the Windows Server Backup feature isn't installed on the server yet.  You simply need to add the Windows Server Backup feature using Server Manager to your Exchange server to enable the Exchange aware VSS backup capability. 

Windows Server Backup (WSB) will allow you to perform Exchange aware backups, similar to NTBackup, with a few notable points:
  • Legacy (streaming) backups are not supported.
  • Since Windows Server Backup performs volume-only Volume Snapshot Service (VSS) backups, there is no specific "Exchange only" backup capability.  When you perform a backup of a volume that contains Exchange data (EDB and log files), WSB automatically performs an Exchange aware backup.  The only visual queue you will see is this, just before the data is backed up:
 
  • Once WSB notifies Exchange that the VSS Full Backup has completed successfully, Exchange will truncate the log files for all the Exchange 2010 databases or Exchange 2007 SP2 Storage Groups.
Note: The default behavior of WSB is to perform a VSS Copy Backup, which will not truncate the logs. To configure a VSS Full Backup you must configure a Custom backup (not Full Server), add the volumes that contain the Exchange data, click Advanced Settings, and select VSS Full Backup on the VSS Settings tab.
  • Backups must be run against the active node on Database Availability Groups (DAGs) or the active node in an Exchange 2007 CCR cluster.  When the backups complete successfully and the logs are truncated on the active node, the same operation will occur on the passive node.
  • You can back up either to a local hard drive or a network share.
  • There is no remote server backup functionality. You must perform the backup from the Exchange server.
  • You can schedule the backups using WSB or install the WSB command line extensions to run a backup from the command line.
  • When restoring, you do not have to restore the whole backed up volume. You can choose to restore only Exchange application data by choosing to recover only the Exchange application, as shown:

And then select Exchange:


  • Recovery can be performed to the original location (overwriting the existing data) or to a new folder or location.  If you choose to recover to another location, WSB will copy just the application data, not recover the Exchange application itself.  You can then use this data in an Exchange 2010 Recovery Database (RDB) or an Exchange 2007 Recovery Storage Group (RSG).
  • You can redirect the restore of an Exchange application to another server.
  • Microsoft Data Protection Manager (DPM) 2010 is also in beta and is available for download.
In a future article, I will explain the process of using an Exchange 2010 Recovery Database (RDB) to recover data from a backup set.
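The command-line route the notes above mention, written out as an added example (it is not from the post): wbadmin runs a VSS Full backup of the volumes holding the Exchange data, which is the setting the Note above says you must select for logs to be truncated, and the Exchange Management Shell then confirms that Exchange recorded the backup. It assumes the Windows Server Backup command-line tools are installed, that the databases and logs live on D: and E:, and that \\BACKUPSRV\ExchBackup exists; all three are placeholders.

```powershell
# Added example (not from the post). Volume letters and the share are placeholders.
$volumes = 'D:,E:'                     # every volume holding Exchange EDB or log files
$target  = '\\BACKUPSRV\ExchBackup'    # a local drive letter or a UNC share both work

# -vssFull is the command-line equivalent of "VSS Full Backup" on the VSS Settings
# tab. Without it wbadmin defaults to a VSS Copy backup, which completes but does
# not tell the Exchange writer to truncate logs.
& wbadmin start backup "-backupTarget:$target" "-include:$volumes" -vssFull -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin exited with code $LASTEXITCODE; check the Backup event log for details"
}

# Verification, from the Exchange Management Shell: LastFullBackup is stamped on a
# database only after the VSS writer reported a successful full backup. A stale
# value after a WSB run that "succeeded" is the sign of a Copy backup.
Get-MailboxDatabase -Status |
    Select-Object Name, LastFullBackup, BackupInProgress |
    Format-Table -AutoSize
```

Run it on the active node of the DAG or CCR cluster, as the notes above require. On Exchange 2007 SP2 the same Get-MailboxDatabase -Status output applies, one line per database within each storage group.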


Tuesday, October 27, 2009

Windows 7 Interoperability Pack Released

Microsoft announced today the release of the Platform Update for Windows Server 2008 and Windows Vista, as well as Remote Desktop Connection Client 7.0 and Windows Management Framework.  This was previously known as the Windows 7 Interoperability Pack.

Please see the following Microsoft Knowledge Base articles for more information.


Windows Management Framework Released

Windows Management Framework, which includes Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0, was officially released to the world this morning. By providing a consistent management interface across the various flavors of Windows, we are making our platform that much more attractive to deploy. IT Professionals can now easily manage their Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 machines through PowerShell remoting – that’s a huge win!

You can download the packages here: http://go.microsoft.com/fwlink/?LinkID=151321


Monday, October 26, 2009

Paused Hyper-V VMs Do Not Release RAM

Windows Server 2008 Hyper-V allows the administrator to pause a running Hyper-V virtual machine.  When a VM is paused, the VM system state is written to a file on the host server and the VM will no longer process operations.  This is similar to the sleep feature in other versions of Windows.

When the VM is resumed, Hyper-V will read this saved state information back into its working set and the VM will continue to function as it was when the VM was paused.  This is a very quick operation.

Pausing a VM is handy when you want to quickly and temporarily take a machine offline without shutting it down.  For example, you may want to test cluster failover or you may need to briefly free up main processor resources.

Be aware, however, that pausing a VM does not free up the RAM associated with the VM.  I've seen several customers make this mistake, thinking that they could essentially "over-subscribe" their Hyper-V host server by pausing running VMs to free up resources (RAM) and run other VMs.

When you pause a virtual machine, the RAM allocated to the paused VM is not released back to the host.  Take a look at the sample performance monitor screenshot below:



This perfmon example shows available megabytes free on a Windows Server 2008 Hyper-V host server with 8GB RAM.  RAM drops when a 4GB VM is started up, as expected.  The VM is then paused and the available megabytes free remains steady at about 3289MB free.  RAM utilization remains steady when the VM is resumed a short time later.  RAM is only released back to the Hyper-V host when the VM is powered off.

If you want to free up RAM from a running VM, you need to either turn off the VM or use the Hyper-V "Save" action.  Save is similar to the Windows hibernate feature, where both the system state and the RAM working set are written to disk files and then released to the host server.  When the VM is started, it will read these files back into memory and restore the VM to its previous state.
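The perfmon observation above, reproduced as a script. This is an added example, not something from the post: it samples the same Memory\Available MBytes counter on the host before and after pausing, resuming, saving and restarting a test VM through the Hyper-V WMI provider. It assumes Windows Server 2008 Hyper-V with PowerShell 2.0 (for Get-Counter), a running VM named TESTVM1 (a placeholder), and the v1 provider's RequestStateChange codes as Microsoft documents them (2 = Enabled, 32768 = Paused, 32769 = Suspended, which is the Save action); treat the codes as an assumption to verify against your host.

```powershell
# Added example, not from the post. The VM name and the state codes are the
# assumptions named in the lead-in.
$vmName = 'TESTVM1'
$vm = Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_ComputerSystem `
                    -Filter "ElementName='$vmName'"
if (-not $vm) { throw "VM '$vmName' not found on this host" }

function Get-AvailableMB {
    # The counter perfmon graphs as Memory\Available MBytes on the parent partition
    [int](Get-Counter '\Memory\Available MBytes').CounterSamples[0].CookedValue
}

function Set-VMStateAndMeasure([int]$State, [string]$Label) {
    # RequestStateChange starts a job and returns at once (0 = done, 4096 = job
    # started); a fixed wait is enough for a small test VM.
    $rc = $vm.RequestStateChange($State).ReturnValue
    if ($rc -ne 0 -and $rc -ne 4096) { throw "RequestStateChange($State) returned $rc" }
    Start-Sleep -Seconds 30
    "{0,-8} {1,6} MB available on host" -f $Label, (Get-AvailableMB)
}

"{0,-8} {1,6} MB available on host" -f 'Running', (Get-AvailableMB)
Set-VMStateAndMeasure 32768 'Paused'    # expect no change: the VM's RAM stays committed
Set-VMStateAndMeasure 2     'Resumed'   # still no change
Set-VMStateAndMeasure 32769 'Saved'     # working set written to the saved-state files, RAM returned to the host
Set-VMStateAndMeasure 2     'Started'   # RAM committed again
```

Only the Saved line should show the host's available memory climbing by roughly the VM's allocation; the Paused line is the one that surprises people who expect a pause to free resources.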




Friday, September 4, 2009

Getting Information About User's Exchange Mailbox Using VBScript and PowerShell


Here are two short scripts, one in VBScript and the other in PowerShell, that search Active Directory and display a user's Exchange server, storage group, and mailbox store.  They work against any version of Exchange 20xx.

First, the VBScript:
'Mailbox.vbs, v1.00

'This script will display a user's current mailbox server and storage group.
'Usage: Mailbox.vbs [sAMAccountName]   (prompts for the name if none is given)

Set theArgs = WScript.Arguments
strSearch = ""
If theArgs.Count > 0 Then strSearch = theArgs.Item(0)
If strSearch = "" Then
    strSearch = InputBox("Please enter the user ID to look up.", "Mailbox Search")
    If strSearch = "" Then WScript.Quit
End If

'The user ID is spliced into the query text below, so refuse anything that
'could terminate the quoted value and change the WHERE clause.
If InStr(strSearch, "'") > 0 Then
    MsgBox "User ID may not contain a quote character.", vbCritical, "Mailbox Search"
    WScript.Quit
End If

Set con = CreateObject("ADODB.Connection")
con.Provider = "ADsDSOObject"
con.Open "DS Query"
Set command = CreateObject("ADODB.Command")
Set command.ActiveConnection = con
command.Properties("searchscope") = 2   'ADS_SCOPE_SUBTREE: search the whole domain

'Replace DC=domain,DC=com with the distinguished name of your domain.
command.CommandText = "SELECT AdsPath,homeMDB,name FROM 'LDAP://DC=domain,DC=com' WHERE sAMAccountName = '" & strSearch & "' AND objectclass='User'"

Set rs = command.Execute

If NOT rs.EOF Then
    'homeMDB is the DN of the mailbox store:
    'CN=<store>,CN=<storage group>,CN=InformationStore,CN=<server>,...
    'Keep everything before ",CN=InformationStore"; leave the DN whole if that RDN is absent.
    mailbox = rs.Fields(1).Value
    If IsNull(mailbox) Then
        mailbox = "(no Exchange mailbox)"
    Else
        pos = InStr(mailbox, "CN=InformationStore")
        If pos > 0 Then mailbox = Left(mailbox, pos - 2)
    End If
    msg = "User: " & rs.Fields(0) & vbCRLF & "Mailbox: " & mailbox
    MsgBox msg, vbInformation, "Mailbox Search"
Else
    MsgBox "User '" & strSearch & "' not found!", vbCritical, "Mailbox Search"
End If

And here's the same script in PowerShell:
param([string]$sam)

# Prompt for the logon name only if it was not passed on the command line.
if (-not $sam) { $sam = Read-Host "Enter the user logon name" }

# Escape the characters that are special in an LDAP filter (RFC 4515) so the
# typed name cannot change the query. Backslash must be handled first.
$escaped = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectcategory=person)(objectclass=user)(samaccountname=$escaped))"
$result = $searcher.FindOne()
if ($result -eq $null)
{
    Write-Host "Logon name not found"
}
else
{
    # homeMDB is a DN: CN=<database>,CN=<storage group>,CN=InformationStore,CN=<server>,...
    $a = [string] $result.properties.homemdb
    if (-not $a)
    {
        Write-Host "User has no Exchange mailbox"
    }
    else
    {
        $b = $a.split(",")
        Write-Host "Exchange Mailbox Server: " $b[3]
        Write-Host "Storage Group: " $b[1]
        Write-Host "Mailbox Database: " $b[0]
    }
}
Write-Host

Both scripts will take an argument (the user's logon name), and will prompt for it if it was not supplied in the command line.


Monday, August 31, 2009

Convert Your Windows 7 ISO to a Universal ISO Disk

When you download Windows 7 ISOs from MSDN or TechNet, you'll notice that there are several versions of the same disk. These downloads include the Home Premium, Professional, and Ultimate editions.

An ISO-9660 image file is an exact representation of a CD or DVD, including the content and the logical format. The Windows 7 binaries for each edition are identical; it's the product key that unlocks the various features that make each edition what it is.

There is a small file called ei.cfg in the \sources folder of each ISO that "locks" them to each edition. If this file is deleted, it unlocks the ISO and allows you to select the edition of the Windows 7 operating system to install, as shown below:

As you can see, this not only allows you to install Home Premium, Professional, or Ultimate editions, it also allows you to install Starter or Home Basic editions. Starter and Home Basic editions are less featured and are designed for emerging markets and low powered netbooks and laptops.

You can edit the ISO to remove the ei.cfg file using any ISO editor, such as PowerISO or UltraISO. Keep in mind that you will have to rebuild (save) the new ISO, which can take some time and disk space.

An even better way to do this is by using a cool little utility called eicfg_remover from code.kliu.org. The utility disables the ei.cfg file by toggling the deletion bit in the UDF table in the ISO to treat it like it no longer exists. This eliminates the need to rebuild the ISO and makes it possible to reverse the patch, restoring it to its original state. Just run eicfg_remover again to do so.

By creating a "universal" Windows 7 disk, you'll save disk space and increase the ISO's versatility.


Friday, August 28, 2009

How to Find a MAC Address

Most of us are familiar with using the IPCONFIG /ALL command to display the full IP configuration, including the MAC address of each network adapter. The trouble with using this command to get the MAC address is that it displays too much information, especially if your computer has multiple NICs. Another problem is that it can only be run on the local machine - you cannot use it to get the MAC address of a remote computer or server.

That's where a little known utility, GETMAC, comes in. GETMAC has been included in every Windows build since at least Windows XP, up through Windows 7 and Windows Server 2008 R2.

The command:

GETMAC /V

will display the name and MAC (Physical Address) of each local network adapter.

You can get the same information about a remote computer using the command:

GETMAC /S [ComputerName] /V

Note that you must have administrator rights on the remote machine.
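When you need the same answer for a list of machines, GETMAC's CSV output can be turned into objects. This is an added example, not part of the post: a PowerShell wrapper that runs GETMAC /S for each computer, parses the /FO CSV form of the /V output (the same four columns as the table), and returns one object per adapter. The computer names at the bottom are placeholders, and the administrator-rights requirement the post states still applies.

```powershell
# Added example, not from the post. Computer names are placeholders.
function Get-MacAddress {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($computer in $ComputerName) {
        # /FO CSV emits the /V columns as CSV with a header row, which ConvertFrom-Csv understands
        $csv = & getmac /S $computer /V /FO CSV 2>&1
        if ($LASTEXITCODE -ne 0) {
            # Typical causes: RPC unreachable, or no admin rights on the remote machine
            Write-Warning "GETMAC failed for $computer : $csv"
            continue
        }
        $csv | ConvertFrom-Csv | ForEach-Object {
            New-Object PSObject -Property @{
                Computer       = $computer
                ConnectionName = $_.'Connection Name'
                Adapter        = $_.'Network Adapter'
                MacAddress     = $_.'Physical Address'
                Transport      = $_.'Transport Name'   # "Media disconnected" for unplugged adapters
            }
        }
    }
}

Get-MacAddress -ComputerName 'SERVER01', 'SERVER02' |
    Format-Table Computer, ConnectionName, MacAddress, Transport -AutoSize
```

Because the objects carry the computer name, the output can be piped to Export-Csv to keep an inventory of which MAC belongs to which host, which is handy when tracing a DHCP lease or a switch port back to a machine.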


Tuesday, August 25, 2009

How to Create Custom Error Notifications for IP Block List Providers in Exchange 2007

This doesn't seem to be documented anywhere in Microsoft TechNet, so I figured I'd write up a post about it.

IP Block List Providers in Exchange 2007 are a means to reduce spam from entering your organization. They are configured on the Edge Transport servers, which is detailed in TechNet here. This article explains how to use variables to create a custom error message when an email is rejected by an IP Block List filter.

In Exchange 2003, you can pass parameters to the custom error message using the %0, %1 and %2 variables.

  • %0 = IP address of the sending mail server
  • %1 = Rule name of the connection filter (Provider name)
  • %2 = The RBL provider (Lookup domain)

In Exchange 2007 the variables are the same, but the way you call the variables has changed.

  • {0} = IP address of the sending mail server
  • {1} = Rule name of the connection filter (Provider name)
  • {2} = The RBL provider (Lookup domain)

Using these variables we can craft more helpful error messages, in the event that a real person (not a spammer) is blocked by your block list (aka, RBL) provider.

In the custom error message example above, the following error message would be returned from blocked server 127.0.0.1:

Host 127.0.0.1 was blocked by Trend Micro Email Reputation Services (ERS). Please see http://www.mail-abuse.com/cgi-bin/lookup/cgi-bin?ip_address=127.0.0.1
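The screenshot the post refers to is not reproduced here, so the following is an added example, not the post's own configuration: it sets a rejection response on the provider with Set-IPBlockListProvider, using a template reconstructed so that it yields exactly the output shown above, and then formats that template for a sample address the way the {n} placeholders are expanded. It assumes you are in the Exchange Management Shell on the Edge Transport server and that a provider with the name shown already exists.

```powershell
# Added example, not from the post. The provider name and lookup URL are taken
# from the post's sample output; the template is reconstructed from it.
$provider = 'Trend Micro Email Reputation Services (ERS)'

# {0} = connecting IP, {1} = provider (rule) name, {2} = lookup domain.
# The text is returned verbatim to the remote SMTP client in the 550 response,
# so keep it to what a legitimate sender needs in order to get delisted and
# leave internal host names and topology out of it.
$response = 'Host {0} was blocked by {1}. Please see http://www.mail-abuse.com/cgi-bin/lookup/cgi-bin?ip_address={0}'

Set-IPBlockListProvider -Identity $provider -RejectionResponse $response

# Preview the text a blocked server would receive, using positional formatting
# in the same style as the {n} placeholders.
$p = Get-IPBlockListProvider -Identity $provider
[string]::Format($p.RejectionResponse, '127.0.0.1', $p.Name, $p.LookupDomain)
```

For a new provider, Add-IPBlockListProvider takes the same -RejectionResponse parameter alongside -Name and -LookupDomain, so the template can be set at creation time instead.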


Friday, August 21, 2009

Name that Port, Powershell Style!

In a previous post, I presented a VBScript that displays the service assigned to common port numbers. You can also enter a search string to find any ports whose service (protocol) contain the search string.

Richard Siddaway suggested that the script should be written in Powershell instead, so here it is: Get-Port.ps1

Usage:

Get-Port.ps1 portnumber
This command gets the specified port number and displays the associated service

Get-Port.ps1 searchstring
This command displays all ports and services that match the search string. Searchstring is case insensitive.


Thursday, August 20, 2009

Name that Port!

I wrote a simple VBScript that helps you identify TCP/UDP ports and their well known services.

Download port.vbs and place it anywhere in your system path.

To use it, enter port [portnumber] (i.e., port 389) and the script will display the well known service associated with the port, as shown above.

Alternatively, you can enter port [searchstring] and the script will show all ports that contain that search string. For example, port ldap will show all the ports with ldap in the service name.


The script works best from the command line when WScript is set to be your default script handler. Simply enter wscript from the command line to do this. Otherwise, you'll need to type cscript port [search] from the command line.

Update! See this post for the same script in Powershell.
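Neither port.vbs nor Get-Port.ps1 is reproduced on this page, so here is an added example that does what both posts describe (look up a port number, or search service names for a string) in PowerShell. It is not the linked script; it reads the well-known port table Windows ships in %SystemRoot%\System32\drivers\etc\services, so it runs offline on any Windows machine.

```powershell
# Added example: a Get-Port built on the local services file, not the posts' own scripts.
function Get-Port {
    param([Parameter(Mandatory=$true)][string]$Query)

    $servicesFile = Join-Path $env:SystemRoot 'System32\drivers\etc\services'

    # Each data line looks like:  ldap   389/tcp   [alias ...]   # comment
    $entries = foreach ($line in Get-Content $servicesFile) {
        $text = ($line -split '#', 2)[0].Trim()          # drop comments and blank lines
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        if (-not ($fields[1] -match '^(\d+)/(tcp|udp)$')) { continue }
        $aliases = @()
        if ($fields.Count -gt 2) { $aliases = $fields[2..($fields.Count - 1)] }
        New-Object PSObject -Property @{
            Port     = [int]$matches[1]
            Protocol = $matches[2]
            Service  = $fields[0]
            Aliases  = ($aliases -join ' ')
        }
    }

    # A number looks up that port; anything else is a case-insensitive substring
    # search of service names and aliases (-like ignores case by default).
    $port = 0
    if ([int]::TryParse($Query, [ref]$port)) {
        $hits = $entries | Where-Object { $_.Port -eq $port }
    } else {
        $hits = $entries | Where-Object { $_.Service -like "*$Query*" -or $_.Aliases -like "*$Query*" }
    }
    $hits | Sort-Object Port, Protocol | Select-Object Port, Protocol, Service, Aliases
}

Get-Port 389     # the service registered for port 389 (tcp and udp)
Get-Port ldap    # every entry whose name or alias contains "ldap"
```

Save it as Get-Port.ps1 with the function body replaced by the script's own param block if you prefer a plain script file; the two calls at the bottom are the usage the posts describe.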


Tuesday, August 11, 2009

Windows 7 Feature Matrix

Windows 7 is available in 6 different SKUs, but for the most part it boils down to three major editions: Windows 7 Home Premium, Windows 7 Professional, and Windows 7 Ultimate / Enterprise.

The Ultimate and Enterprise editions both have the same features, the difference is how Windows 7 is purchased. Ultimate is for the retail (individual user) channel and Enterprise is for volume licensing customers. Enterprise customers with Software Assurance also benefit from the features in the Microsoft Desktop Optimization Pack (MDOP).

Each edition is available for both x86 (32-bit) and x64 (64-bit) platforms.

The following table lists the new features in Windows 7 for each edition (SKU).

Choosing the correct version of Windows 7 is made easier when you look at the features available in each version. Most small and medium-sized customers will choose Windows 7 Professional.


Friday, July 24, 2009

How to Tell Which Version of PowerShell is Installed

One of the easiest ways I've found to determine which version of PowerShell is installed on a computer is to run the $host.version command.

The output will display the Major version, Minor version, Build, and Revision number. For example, here is the output from a computer with PowerShell V1 installed:



And here is the output from a Windows Server 2008 R2 beta computer, which has PowerShell V2 integrated into the operating system:


Note that the Build and Revision numbers are -1, indicating that the PowerShell V2 CTP (beta) is installed. Once PowerShell V2 RTW (Release to Web) is available, the Build and Revision numbers should both be zero.
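One refinement worth knowing, as an added example rather than part of the post: $host.Version is the version of the hosting application, which matches the engine in the console host but not necessarily in other hosts. PowerShell V2 adds the $PSVersionTable automatic variable, whose PSVersion entry is the engine version itself. The function below returns the engine version on V2 and falls back to $host.Version on V1, where $PSVersionTable does not exist.

```powershell
# Added example, not from the post.
function Get-PSEngineVersion {
    if (Test-Path Variable:\PSVersionTable) {
        $PSVersionTable.PSVersion    # V2 and later: the engine version
    } else {
        $host.Version                # V1: no $PSVersionTable, use the host's version
    }
}

$v = Get-PSEngineVersion
"PowerShell {0}.{1} (build {2}, revision {3})" -f $v.Major, $v.Minor, $v.Build, $v.Revision
if ($v.Major -lt 2) {
    Write-Warning 'V2 features such as remoting, try/catch and Get-Counter are not available here.'
}
```

The same check is what a script can run at the top to refuse to continue on a V1 engine instead of failing part-way through on a V2-only cmdlet.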


Monday, July 13, 2009

How to turn off the "Do you want to view only the webpage content that was delivered securely?" security warning in IE8

A common question I hear from users of Internet Explorer 8 is, "How do I disable the 'Do you want to view only the webpage content that was delivered securely' in IE8?", as shown below.

Before I explain how, you should understand what it's warning you about. You will see this warning whenever HTTP (non-secured) elements are displayed on an HTTPS (secured) web page, which means these elements are not encrypted. Typically, these elements are just embedded images, but they could also be areas of the page where information can be entered.

By clicking Yes (the default), you will only see the secure areas of the page and will know what areas are secured. If you disable the warning, you will not know which (if any) of the elements on the page are not secured.

To disable the security warning, follow these steps:

  • Click Tools > Internet Options
  • Click the Security tab
  • Click the Internet zone and click the Custom Level button
  • Scroll down to the Miscellaneous area and change Display mixed content (shown on the left) from Prompt to Enable
  • Click OK
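The registry value behind those steps, shown as an added example (not from the post) so the setting can be read or reset without clicking through the dialog. It assumes the Internet Explorer zone layout as Microsoft documents it: per-zone settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>, zone 3 is the Internet zone, the action id 1609 is "Display mixed content", and its values are 0 = Enable, 1 = Prompt, 3 = Disable. Treat the id and values as an assumption to confirm on your build.

```powershell
# Added example, not from the post. Zone 3 = Internet; 1609 = Display mixed content
# (0 Enable, 1 Prompt, 3 Disable), per the IE zone registry layout named in the lead-in.
$zonePath       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$mixedContentId = '1609'
$meaning        = @{ 0 = 'Enable (load HTTP elements silently)'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-MixedContentSetting {
    $value = (Get-ItemProperty -Path $zonePath -Name $mixedContentId).$mixedContentId
    New-Object PSObject -Property @{ Value = $value; Meaning = $meaning[[int]$value] }
}

function Set-MixedContentSetting([int]$Value) {
    if (-not $meaning.ContainsKey($Value)) { throw "Unsupported value $Value" }
    Set-ItemProperty -Path $zonePath -Name $mixedContentId -Value $Value -Type DWord
}

Get-MixedContentSetting        # what the dialog currently does
Set-MixedContentSetting 1      # back to Prompt: you are told when an HTTPS page pulled in plain-HTTP content
```

Note that a value set under the equivalent Policies hive by Group Policy overrides this per-user value, so on a domain-joined machine the dialog's greyed-out state is the one to trust.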


Wednesday, June 17, 2009

Is it down for just me?

Here's a great tip I got from my friend and co-worker, Pete Handley.

Have you ever gone to a website, found out it was down, and wondered if it was just you? Check out http://www.downforeveryoneorjustme.com. You enter a website to check and it'll tell you if it's down for everyone or just you!


Simple and elegant!


Friday, June 12, 2009

Failure of FSW Causes Cluster Group to Failover

The following information was written for Exchange 2007 CCR mailbox clusters, but it pertains to any clustering solution that uses the Windows Server 2008 Node and File Share Majority cluster quorum configuration.

How Does Node and File Share Majority Clustering Work?

Exchange 2007 CCR uses two clustered Exchange mailbox nodes, called a Clustered Mailbox Server (CMS). In order for Windows to know which node is active, it utilizes a File Share Witness (FSW) to maintain quorum. The FSW is a network share on a third computer (typically a Hub Transport server in the normally active node's physical site). The active node writes information to files in that share and locks them for writing, preventing the passive node from writing to the FSW and taking quorum. It always takes two out of three votes to maintain quorum.

If the active node becomes unavailable, the passive node can write to the FSW and the cluster group fails over. In the case of a total site failure where both the active node and the FSW are offline, both the cluster group and the CMS will fail since there is no quorum (there's only one vote).

What Happens When the FSW Becomes Unavailable?

When the FSW fails, the active CMS node (Exchange) does not fail over because there are still two votes (the active and passive nodes). However, the Windows cluster group will fail over to the other node if the FSW does not come back online within 60 seconds. This is because the File Share Witness resource in Windows Server 2008 is configured to fail over the cluster group when the FSW fails, as shown below.


Worse, the FSW resource will not come back online for another 60 minutes. During this time, a failure of either one of the nodes will cause the cluster to fail, even if the FSW is back online.

These default settings are provided so that the cluster event logs don't fill up with constant "Trying to start the resource", "The resource failed to start" events during a prolonged outage.

This is what happens when the FSW server is rebooted (during patch management, for example):

  • The server holding the FSW resource is rebooted.
  • The cluster tries to connect to the FSW one minute after failure is detected.
  • If the FSW is still unavailable (which usually happens - most servers take longer than 60 seconds to restart), the cluster group fails over to another node.
  • Wait one hour and try connecting to the FSW again. The FSW is finally brought online.
Note: This behavior only pertains to Windows Server 2008. Windows Server 2008 R2 does not have this issue.

It's important to know that even though the cluster group fails over, there really is no effect on Exchange, even with a geographically dispersed CCR cluster (geo-cluster). However, if you're like me, you like symmetry and order. The cluster group should be with the active CMS node.

Here's how to minimize the time that the cluster group is on the (normally) passive node:

  • Open the Failover Cluster Management console
  • Add the cluster name, if necessary, and select it
  • Double-click Cluster Core Resources in the middle pane to expand it
  • Right-click File Share Witness (\\servername\sharename) and select Properties
  • Click the Policies tab
  • For optimal restart performance, change "If all the restart attempts fail, begin restarting again after the specified period (hh:mm)" to 15 minutes, as shown below:

This configuration will cause the cluster service to attempt to bring the FSW resource online once every 15 minutes, instead of once an hour.

Next, log on to the server holding the FSW resource (typically a Hub Transport server in the active site) and install the Failover Clustering Tools feature. You'll find it in Remote Server Administration Tools > Feature Administration Tools.

Now create a batch file called FSW_Online.bat. Enter the following two lines:

cluster EXCLUSTER1 res "File Share Witness (\\server\mns_fsw_excluster1)" /online
cluster EXCLUSTER1 group "Cluster Group" /move:node.yourdomain.com

Note: Replace EXCLUSTER1 with your cluster name. Replace \\server\mns_fsw_excluster1 with the name of your FSW resource (enter "cluster res" at a command prompt to find it). Replace node.yourdomain.com with the FQDN of the CMS node you want to keep the cluster group on.

Lastly, configure FSW_Online.bat to run at startup on the FSW resource server:

  • Open Local Group Policy Editor
  • Navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup
  • Click Add and browse to the FSW_Online.bat file you created
  • Click OK twice and close Local Group Policy Editor

This is my current best practice for configuring the File Share Witness resource failure policy.
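The same two cluster.exe calls as FSW_Online.bat, wrapped in a retry loop. This is an added example, not the post's batch file: at boot the FSW server may run the startup script before the cluster nodes answer, and a single failed call leaves the group on the passive node until the next retry period, so the script keeps trying to bring the resource online for up to ten minutes and only then moves the group. Cluster, resource and node names are the post's placeholders; the log path is an assumption.

```powershell
# Added example, not from the post. Names are placeholders, as in the post.
$cluster  = 'EXCLUSTER1'
$resource = 'File Share Witness (\\server\mns_fsw_excluster1)'
$node     = 'node.yourdomain.com'
$log      = Join-Path $env:SystemRoot 'Temp\FSW_Online.log'   # assumed log location

function Invoke-Cluster {
    # Runs cluster.exe with the given arguments, logs the result, returns $true on success.
    # cluster.exe sets a non-zero exit code when the command fails.
    $out = & cluster.exe $args 2>&1
    "$(Get-Date -Format s) cluster $args -> exit $LASTEXITCODE`n$out" | Out-File $log -Append
    return ($LASTEXITCODE -eq 0)
}

$deadline = (Get-Date).AddMinutes(10)
$online = $false
while (-not $online -and (Get-Date) -lt $deadline) {
    $online = Invoke-Cluster $cluster res $resource /online
    if (-not $online) { Start-Sleep -Seconds 30 }   # cluster service or network not ready yet
}

if ($online) {
    # Move the core cluster group back to the node that normally hosts the CMS
    $null = Invoke-Cluster $cluster group 'Cluster Group' "/move:$node"
} else {
    "$(Get-Date -Format s) gave up: FSW resource still offline after 10 minutes" | Out-File $log -Append
}
```

Register it as the startup script in place of the batch file by adding powershell.exe with -ExecutionPolicy Bypass -File and the script's path as the parameters; the log in %SystemRoot%\Temp then tells you after each patch cycle whether the group came back on its own.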

Special thanks go to Tim McMichael, Senior Support Escalation Engineer on the Exchange product support team, for assisting me with this article.


Thursday, June 11, 2009

How to Verify the AD Schema Level on All Domain Controllers

Whenever I perform schema extensions in Active Directory, I always want to verify that the new schema attributes have replicated throughout the domain's Domain Controllers. Schema extensions are usually necessary for Exchange installations and upgrades, or to prepare a domain for a new version of Windows.

The following batch file will display the value of the rangeUpper attribute for the ms-Exch-Schema-Version-Pt object on every Domain Controller in the target domain.

@echo off
dsquery server -o rdn >DC.lst
FOR /F "tokens=1" %%i in (DC.lst) do (
echo %%i
dsquery * CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=yourdomain,dc=com -scope base -attr rangeUpper -server %%i
)

Modify dc=yourdomain,dc=com as necessary for the target domain and save this file as CheckSchemaVersion.bat.

The output will display the name of each Domain Controller and the rangeUpper value. You will know that the schema changes have replicated throughout the domain when each Domain Controller returns the same (highest) value.
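The same check in PowerShell, added here as an example rather than taken from the post: it discovers the domain controllers and the schema naming context itself instead of hard-coding dc=yourdomain,dc=com, reads rangeUpper of ms-Exch-Schema-Version-Pt from each DC through the .NET DirectoryServices classes (so no AD command-line tools are needed), and flags every DC that lags the highest value seen.

```powershell
# Added example, not the post's batch file.
function Get-ExchangeSchemaVersion {
    $domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $schemaNC = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $objectDN = "CN=ms-Exch-Schema-Version-Pt,$schemaNC"

    $results = foreach ($dc in $domain.DomainControllers) {
        # Bind to the object on this specific DC so we see its copy, not a random one
        $entry = [ADSI]"LDAP://$($dc.Name)/$objectDN"
        try {
            $raw = $entry.psbase.Properties['rangeUpper'].Value
            $version = if ($raw -ne $null) { [int]$raw } else { $null }
        } catch {
            $version = $null      # DC unreachable, or it does not hold the object yet
        }
        New-Object PSObject -Property @{ DomainController = $dc.Name; RangeUpper = $version }
    }

    # The highest value is the one the schema master applied; anything lower has not replicated yet
    $highest = ($results | Where-Object { $_.RangeUpper -ne $null } |
                Measure-Object RangeUpper -Maximum).Maximum
    foreach ($r in $results) {
        Add-Member -InputObject $r -MemberType NoteProperty -Name Replicated `
                   -Value ($r.RangeUpper -eq $highest)
        $r
    }
}

Get-ExchangeSchemaVersion | Format-Table DomainController, RangeUpper, Replicated -AutoSize
```

The schema partition is forest-wide, so for a multi-domain forest run the function in each domain, or swap GetCurrentDomain() for a loop over [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains.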


Wednesday, June 10, 2009

Be Aware: Windows Server 2008 SP2 Re-enables Disabled NICs

Be aware that installing Windows Server 2008 Service Pack 2 (SP2) will re-enable any network adapters that were disabled prior to the update. This also affects computers updated with Windows Vista Service Pack 2.

[Before installing SP2]

[After installing SP2]

This is important for several reasons. It is best practice on Hyper-V servers to disable the virtual NIC assigned to VM guests, so that a host with a dedicated management NIC does not use the NICs assigned to VM guests. SP2 re-enables all these virtual NICs, as well.

Sometimes disabled NICs should only be enabled for disaster recovery purposes. Enabling these NICs at startup could have dire consequences in these rare situations.

It's important to understand that if you're using the Windows Firewall, the server uses the most secure firewall network profile for all NICs. If your domain joined computer has more than one NIC, but only the NIC that is used to connect to the domain is enabled, the Windows Firewall uses the Domain Network profile. However, after installing SP2 the computer will start up with all NICs enabled. If the previously disabled NICs are not connected, the Windows Firewall will use the Public Network profile, which uses much different firewall policies -- potentially causing service interruptions.

My advice is to document your network connections prior to installing Windows Server 2008 SP2, so you can reconfigure them when you're done with the update.
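One way to do that documentation and the clean-up afterwards, as an added example (not from the post): before the service pack, export every adapter that appears in Network Connections with its enabled state; after the service pack, re-disable each adapter the inventory says was off. It relies on the NetEnabled property and the Disable() method of Win32_NetworkAdapter, which exist on Vista and Windows Server 2008 and later; the CSV path is a placeholder.

```powershell
# Added example, not from the post. The inventory path is a placeholder.
$inventory = 'C:\Admin\nics-before-sp2.csv'

function Export-NicState {
    # Adapters with a NetConnectionID are the ones shown in Network Connections,
    # which includes the Hyper-V virtual switch adapters the post mentions.
    Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionID IS NOT NULL' |
        Select-Object DeviceID, Name, NetConnectionID, MACAddress, NetEnabled |
        Export-Csv -Path $inventory -NoTypeInformation
    Import-Csv $inventory | Format-Table NetConnectionID, NetEnabled, MACAddress -AutoSize
}

function Restore-NicState {
    # Import-Csv yields strings, hence the comparison with 'False'
    foreach ($row in (Import-Csv $inventory | Where-Object { $_.NetEnabled -eq 'False' })) {
        $nic = Get-WmiObject Win32_NetworkAdapter -Filter "DeviceID='$($row.DeviceID)'"
        if ($nic -and $nic.NetEnabled) {
            Write-Host "Re-disabling $($row.NetConnectionID) ($($row.MACAddress)), enabled by the update"
            $rc = $nic.Disable().ReturnValue
            if ($rc -ne 0) { Write-Warning "Disable() on $($row.NetConnectionID) returned $rc" }
        }
    }
}

# Before SP2:
Export-NicState
# After SP2 and the reboot:
# Restore-NicState
```

Run Restore-NicState from a local console session rather than over the network, since an adapter that was intentionally off may be the one that unexpectedly carries your remote session after the update.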


Thursday, June 4, 2009

Just Bing It

You know you've got a winner when your name becomes a verb. How many times have you heard, "Just Google it." Well, that parlance is about to change.

Bing, Microsoft's new search portal, debuted this week to rave reviews. Bing is different from other search engines because of what Microsoft calls Bing's Decision Engine. It gives much more useful and relevant information than competitors, without having to enter arcane search terms. Take a look at this example to see a side-by-side comparison of Bing and Google search results.

I especially love the travel results that Bing offers. Microsoft has merged several technologies together to give easy to consume results with truly meaningful information. For example, a search for airline flights on Bing not only returns the best flights, but predicts whether prices are going up or going down, similar to FareCast.

You can also check flight times simply by entering the airline and flight number in the search window, such as "United 9120" or simply "ua 9120".

The image and video results are very cool, too. Image search results are returned on a single scrollable page rather than dozens of pages you have to click through. Video search results actually play in the results window by simply hovering your mouse over the video.

I'd like to find a way to create a custom portal page that allows me to dashboard the information I'm interested in, such as news, market reports and RSS feeds. I'm still learning all the cool things Bing does, but so far I'm very impressed. I recommend you Bing it to find out for yourself.

Bing. It's not your father's search page.


Wednesday, June 3, 2009

Fix for having to supply credentials when connecting to a Hyper-V guest


One of my customers complained that he was getting the following prompt for credentials whenever he connected to a Hyper-V guest from the host.

Your credentials did not work
Your system administrator does not allow the use of default credentials to log on to the remote computer (computer name) because its identity is not fully verified. Please enter new credentials.

The host Hyper-V server is in a workgroup and the guests are in either a domain or workgroup.

The fix is to allow saved credentials with NTLM-only server authentication on the Hyper-V host. You can do this in the Local Group Policy Editor. Keep in mind that this policy permits stored credentials to be sent to servers whose identity has been verified only by NTLM, so list just the host in question rather than a broader pattern.

  • Run GPEDIT.MSC on the Hyper-V host
  • Expand Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation
  • Double-click Allow Saved Credentials with NTLM-only Server Authentication
  • Enable the policy
  • Add servers to the list by clicking the Show button and adding your Hyper-V hostname
  • Click OK twice and close Local Group Policy Editor

Now run GPUPDATE on the Hyper-V host to apply the new settings.

Connect to one of the Hyper-V guests, enter your username and password, and check the Remember my credentials checkbox. Hyper-V will no longer prompt for credentials when connecting to any of the guest VMs.


Monday, April 20, 2009

Stop Spamming Yourself!, Part 2

Frequently, you may receive spam from the Internet that appears to come from your own domain name. This is a common tactic used by spammers to bypass spam filters.

In an earlier article, I showed how to configure Exchange 2007 to reject all SMTP emails from the Internet that supposedly come from your own domain name. We did this by adding your domain name to the Sender Filtering / Blocked Senders configuration on the Edge server.

While this works perfectly, it goes against a Microsoft best practice and doesn't provide for any exceptions. This article will show how to accomplish the same thing using an Edge Transport Rule, as well as how to configure an exception. Let's get started.
  • Logon to the Edge Transport server, open the Exchange Management Console, and navigate to Microsoft Exchange > Edge Transport > Transport Rules tab.
  • Click New Transport Rule in the Actions pane to open the New Transport Rule wizard.
  • Enter a name for the rule and any comments, as shown below, and click Next.

  • For the Conditions in Step 1, click "when the From address contains text patterns" and "from users inside or outside the organization"
  • In Step 2, click the words "text pattern" and add your domain name (e.g., expta.com). Click the word "Inside" and change it to "Outside". Click Next.

  • Now we will set the Action to take upon these messages. In Step 1, click "set the spam confidence level to value" and "reject the message with status code and response"
  • In Step 2, set the SCL to "-1". We do this so that the exceptions configured on the next page will not go to the users' Junk E-mail folders in Outlook. Click Next.

  • For the Exceptions in Step 1, click "except when the text specified words appear in a message header"
  • In Step 2, click "specific words" and add the domain of the sending server (e.g., opentable.com). OpenTable.com is an online restaurant reservation system that emails invitations to people when a reservation is made. It spoofs the emailed invitation to look like it came from the sender. Because of this, it would normally be rejected if it weren't for this exception.
  • Click "message header" and enter "Receive". Click Next.

  • Click New and Finish to create the new Transport Rule.

The rule will now reject all emails from the Internet that claim to be from your domain name, unless the SMTP Receive header contains the text "opentable.com". It will also set the SCL so that the exception will not be classified as spam by Outlook.

The rule above can also be configured using the Exchange Management Shell using the following command:

new-TransportRule -Name 'Reject inbound emails from expta.com' -Comments 'Exception: Opentable.com' -Conditions
'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromAddressMatchesPredicate','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.FromScopePredicate'
-Actions
'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SetSclAction','Microsoft.Exchange.MessagingPolicies.Rules.Tasks.SmtpRejectMessageAction'
-Exceptions
'Microsoft.Exchange.MessagingPolicies.Rules.Tasks.HeaderContainsPredicate'
-Enabled $true -Priority '0'

The code above is meant to be entered as one single line.
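The command printed above is the summary the wizard shows on its completion page: it names the predicate and action types but not their values, so it cannot be pasted into the shell as-is. The following is an added example, not from the post, of the same rule in the form the Exchange 2007 Management Shell actually accepts, where each condition, action and exception is an object from Get-TransportRulePredicate or Get-TransportRuleAction with its properties filled in. The property names (Patterns, Scope, SclValue, RejectReason, StatusCode, MessageHeader, Words) are assumed from the Exchange 2007 rule object model; the domain names are the post's examples, and the header is written with its standard name, Received.

```powershell
# Added example, not from the post. Property names are assumptions named in the lead-in.
$fromMatches = Get-TransportRulePredicate FromAddressMatches
$fromMatches.Patterns = @('expta.com')          # the From address contains our own domain

$fromScope = Get-TransportRulePredicate FromScope
$fromScope.Scope = 'NotInOrganization'          # ...but the message arrived from outside

$setScl = Get-TransportRuleAction SetScl
$setScl.SclValue = -1                           # SCL -1, as the post's Step 2 specifies

$reject = Get-TransportRuleAction RejectMessage
$reject.RejectReason = 'Messages claiming to be from expta.com are not accepted from the Internet'
$reject.StatusCode   = '5.7.1'

# Exception for the one relay that legitimately sends as our domain. This keys on
# text in the Received trace headers, which every relaying host writes and a sender
# can also add, so treat it as a convenience for a known partner rather than a control.
$knownRelay = Get-TransportRulePredicate HeaderContains
$knownRelay.MessageHeader = 'Received'
$knownRelay.Words = @('opentable.com')

New-TransportRule -Name 'Reject inbound emails from expta.com' -Comments 'Exception: Opentable.com' `
    -Conditions @($fromMatches, $fromScope) -Actions @($setScl, $reject) `
    -Exceptions @($knownRelay) -Enabled $true -Priority 0

# Confirm what was created
Get-TransportRule -Identity 'Reject inbound emails from expta.com' | Format-List Name, Conditions, Actions, Exceptions
```

Run it in the Exchange Management Shell on the Edge Transport server, the same place the wizard steps above are performed.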


Wednesday, April 15, 2009

Fix for Duplicate Contacts Lists in Outlook

Sometimes you may find that a user has multiple Contacts address books listed in Outlook. This can occur when invalid references exist in the Outlook Address Books.

Remove the invalid reference to a contacts folder in Outlook:

Tools > E-mail Accounts > View or change existing directories or address books > Outlook Address Book > Change...

Select the duplicate Outlook Address Book(s) and click Remove Address Book for each duplicate.


Friday, April 3, 2009

Fix for 0x8024400E Errors on WSUS Clients

You may have problems with WSUS clients that are not able to download updates from WSUS. Check the %SystemRoot%\Windows\WindowsUpdate.log file for the following error:

2009-03-27 11:55:29:193 1044 afc PT WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200

Resetting the client by clearing the SoftwareDistribution folder and forcing the Automatic Updates client to detect new updates results in the same error.

This is caused by a revision to the 'Office 2003 Service Pack 1' update. It causes some WSUS 3.0 servers to enter an inconsistent state with respect to the update's approvals. When computers with products related to Office 2003 sync to a WSUS server with this revision, the web service is unable to process the approvals, resulting in the detection failure.

To fix this problem, approve and then decline the Office 2003 Service Pack 1 update in WSUS. Here are the steps to do this:

  • Open the WSUS Administration console

  • Find the Office 2003 Service Pack 1 update in the updates list. You may have to change the Approval and Status filters to find it. Set the Status to Any and the Approval to Declined. If you still don't see it then set the Approval to Any except Declined.

  • First, make sure the update is declined. If the update is not yet declined, right-click the update and decline it.

  • Next, approve the update. Right-click the update and select the Approve... option in the context menu. Click OK in the Approve Updates dialog that opens (no need to change any options here). Dismiss the Approval Progress dialog that appears.

  • Next, decline the update. Right-click the update and select Decline.

The computers that were failing detection will now successfully complete detection against the WSUS server and receive any applicable updates.

Note: If you have a hierarchy of WSUS servers, these steps must be performed on each server, starting with the top-level server. If one of the servers is a replica downstream server, you must first change it to be autonomous, then perform the steps above, then change it back to being a replica. This can be done from the Options/Update Source and Proxy Server Dialog in the WSUS Administration console.

Also, take a look at KB 954960 - Some computers do not receive updates from the WSUS server. It includes a hotfix for WSUS 3.0 SP1 servers that prevents the problem from reoccurring.


Saturday, March 28, 2009

How to Hide a User Account on the Logon Screen


Maybe you created a user account on your XP computer so your nephew could use it when he was visiting you. Now he's gone home and you really don't want to see that account choice every time you log on to Windows, but you also don't want to just delete the account because he'll probably be back again next year. Here's how to hide an account from the logon screen:

  • Before editing the registry, always back it up just to be safe.

  • Open the registry editor and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Note: The SpecialAccounts\UserList keys may not exist on your computer. If they do not, create them.

  • In the right pane, you'll see a list of items that correspond to the user accounts that exist on the computer but are not shown on the logon screen. You'll probably be surprised at how many there are.

  • Right-click an empty space in the right pane and select New > DWORD Value. Right-click the new value and rename it to the exact name of the user account you want to hide.

  • Close the registry editor.

Now the account name won't show up on the logon screen. You can unhide the account at any time by deleting the registry key you created. Your nephew can still log onto the account while it's hidden. Just press CTRL+ALT+DEL twice in a row at the logon screen and you'll get the logon dialog box that allows you to type in the username.

Note: This tip works for Windows XP, Windows 7, Windows Server 2008 and Windows Server 2008 R2. The SpecialAccounts key may not exist by default, but if you create it as specified above it works a treat!

Additional Note: I've discovered this tip does not work in Windows Vista because Microsoft removed the "Classic Logon" functionality from this OS. You can still hide the account, but you won't be able to logon as this hidden account by pressing Ctrl-Alt-Del twice. You can, however, still switch to this account using user account switching.
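The same registry change scripted in PowerShell, as an added example that is not part of the original post: it lists the accounts currently hidden by the UserList key, hides one, and unhides it again. A new DWORD defaults to 0, which is the data that hides an account; the account name 'Nephew' is a placeholder.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLogonAccount {
    # Returns the account names hidden from the logon screen: DWORD values under
    # UserList whose data is 0 (the built-in entries the post mentions show up here too).
    if (-not (Test-Path -Path $UserListKey)) { return @() }
    $key = Get-Item -Path $UserListKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) { $name }
    }
}

function Hide-LogonAccount {
    param([Parameter(Mandatory = $true)][string]$UserName)
    # SpecialAccounts\UserList may not exist; New-Item -Force creates the whole path.
    if (-not (Test-Path -Path $UserListKey)) {
        New-Item -Path $UserListKey -Force | Out-Null
    }
    # A DWORD named after the account, with data 0, hides it from the logon screen.
    New-ItemProperty -Path $UserListKey -Name $UserName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Show-LogonAccount {
    param([Parameter(Mandatory = $true)][string]$UserName)
    # Removing the value (the post's "delete the registry key you created") unhides it.
    Remove-ItemProperty -Path $UserListKey -Name $UserName -ErrorAction SilentlyContinue
}

# Hiding is cosmetic: the account can still log on (Ctrl+Alt+Del twice, as above)
# and its password is still a valid credential. To block logon while keeping the
# profile for next year's visit, disable it instead:  net user Nephew /active:no
Hide-LogonAccount -UserName 'Nephew'   # 'Nephew' is a placeholder account name
Get-HiddenLogonAccount                 # now includes Nephew
Show-LogonAccount -UserName 'Nephew'
```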

Thanks to Deb Shinder for the tip!


Friday, March 27, 2009

Exchange Server Remote Connectivity Analyzer


More Exchange 2007 goodness from the Microsoft Exchange Team!

Have you ever installed an Exchange server and wanted to verify your Internet facing services were set up and configured properly? Things like Exchange ActiveSync, AutoDiscover, Outlook Anywhere (RPC/HTTP), and inbound email. Sure, there are cmdlets included in Exchange 2007 like test-ActivesyncConnectivity and test-OWAConnectivity, but these tests can only be run inside your network and effectively only test your internal network connectivity. Or what if you get a call or an escalation regarding one of these services not working? How do you verify if just this user or everyone has a problem? And if there is a problem, where do you start troubleshooting? Is it a DNS problem? Is it a certificate problem? Is a port not open on the firewall?

I'd like to introduce you to the Exchange Remote Connectivity Analyzer (ExRCA) tool which can be accessed at https://www.TestExchangeConnectivity.com.

In this version, the tool will allow you to remotely test the following client types and services:

Exchange ActiveSync

  • Windows Mobile 5, 3rd party devices

  • Windows Mobile 6.1+ with AutoDiscover

Outlook Anywhere (aka RPC/HTTP)

  • Outlook 2003

  • Outlook 2007 with AutoDiscover

Inbound SMTP

The tool will simulate the protocol logic used by the specific client and not only tell you if the scenario was successful, but if it fails, it will tell you exactly where in the process it failed as well as try to guide you to the problem resolution.

Read more about the tool and how it works here!


Thursday, March 26, 2009

Breaking the Artificial Database Size Limit in Exchange 2007 Standard Edition


Exchange Server 2007 has a theoretically unlimited database storage capacity. In reality the limit is 16TB, and this limit is the same in both Standard and Enterprise editions. The storage differences between these two editions have to do with the maximum number of storage groups and databases that can be placed on each server.


Exchange 2007 Standard Edition:
Storage Group – up to 5, Database per SG – up to 5, Database limit – 16 TB.

Exchange 2007 Enterprise Edition:
Storage Group – up to 50, Database per SG – up to 50, Database limit – 16 TB.


Even though E2K7 Standard has a hard 16TB database size limit, there is an artificial limit imposed in the registry. The default cap in RTM is 50GB and the default cap in SP1 is 150GB. Here's how to change this artificial limit:

  • Open RegEdit and navigate to:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<servername>\Private-{respective-DB-GUID}

  • Create a new DWORD value "Database Size Limit in Gb"

  • Assign its decimal value (in GB). For example, enter decimal 200 for a 200GB artificial limit.

  • Restart the Microsoft Exchange Information Store service

Note: E2K7 Enterprise Edition does not have an artificial limit.

Note: If the Exchange Server Best Practices Analyzer (ExBPA) finds that the Database Size Limit in Gb value is present and configured, the Exchange Server Analyzer displays a non-default configuration message.
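The registry change above depends on knowing the database's GUID, which the post leaves as a placeholder. As an added example (not from the original post), this Exchange Management Shell function resolves the GUID with Get-MailboxDatabase, finds the matching Private-* key on the mailbox server, writes the limit, and restarts the store; the database name 'Mailbox Database' and the 200GB value are placeholders.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the Standard Edition mailbox server itself, as an administrator.
function Set-DatabaseSizeLimit {
    param(
        [Parameter(Mandatory = $true)][string]$Database,   # e.g. 'Mailbox Database'
        [Parameter(Mandatory = $true)][int]$LimitGB        # decimal GB, e.g. 200
    )
    # The registry key name embeds the database GUID; look both up from Exchange.
    $db = Get-MailboxDatabase -Identity $Database
    $guid = $db.Guid.ToString()
    $serverKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\$($db.ServerName)"
    # Match the Private-<GUID> subkey whether or not the GUID is wrapped in braces.
    $dbKey = Get-ChildItem -Path $serverKey | Where-Object { $_.PSChildName -like "Private-*$guid*" }
    if (-not $dbKey) { throw "No Private-* key for database GUID $guid under $serverKey" }

    New-ItemProperty -Path $dbKey.PSPath -Name 'Database Size Limit in Gb' `
        -PropertyType DWord -Value $LimitGB -Force | Out-Null

    # The store reads the value at startup. Restarting MSExchangeIS dismounts every
    # database on the server, so do this in a maintenance window.
    Restart-Service -Name MSExchangeIS -Force

    # Return the value as written so the change can be verified (ExBPA will flag it).
    Get-ItemProperty -Path $dbKey.PSPath -Name 'Database Size Limit in Gb'
}

Set-DatabaseSizeLimit -Database 'Mailbox Database' -LimitGB 200
```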


Wednesday, March 25, 2009

How to Invoke the Window Update Dialog from the Command Line

To run the Windows Update client from the command line, run the command WUAUCLT /ShowWU.

This is useful when the Windows Update icon disappears when you click it. Typically, this means that the Windows Update client is corrupt. When you run wuauclt /ShowWU on these machines, it will bring up the Windows Update dialog box above, but it will show some type of error indicating that it could not download updates. Installing the current Windows Update client will fix this.

You can download the latest Windows Update client (7.2.6001.788) from these locations:


Wednesday, March 18, 2009

How To Enable Change Notification On All Site Links


Normally, there are two replication intervals for Active Directory in a Windows domain: Intra-site (replication between DCs in the same site) and Inter-site (replication between DCs in different Active Directory sites).

Intra-site replication is very fast - typically around 15 seconds. This schedule can be configured via the registry using the following values in the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters key:

Replicator notify pause after modify (secs)
It is a REG_DWORD value of 15 by default

Replicator notify pause between DSAs (secs)
It is a REG_DWORD value of 3 by default

See Microsoft TechNet (Active Directory Replication Tools and Settings) for a thorough explanation of what these keys do.

Inter-site replication is dictated by the schedule associated with the replication connection in Active Directory Sites and Services. Using this GUI you can specify that the connector never replicates, or that it replicates once, twice or four times per hour.

Note: The inter-site replication schedule runs based on the server startup time. For example, if the DC starts up at 12:10pm and the replication connector's schedule is set to twice per hour, replication on this connector will occur at 12:10pm, 12:40pm, etc.

But what if you want inter-site replication to occur more frequently than every 15 minutes? For this, you must enable Change Notification on the Active Directory site link. How you do this depends on which OS is on your DC.


For Windows 2003 Domain Controllers:

  • Open ADSIEdit.msc (in the Windows Support Tools) as a Domain Admin

  • Open the Configuration naming context

  • Navigate to Sites > Inter-Site Transports > IP

  • Right-click the siteLink to modify in the results pane and click Properties

  • Locate the options attribute and set its value to 1

  • Click OK and repeat for other siteLinks, as necessary.

For Windows 2008 and Windows 2008 R2 Domain Controllers:

You can use the same method as Windows Server 2003 DCs or you can edit the values directly from AD Sites and Services, as follows.

  • Locate the Site Link to modify in AD Sites and Services

  • Right-click the Site Link and choose Properties

  • Click the Attribute Editor tab

  • Locate the options attribute and set its value to 1

  • Click OK and repeat for other Site Links, as necessary.

I also wrote two VBScripts for displaying and configuring Change Notification:

  • DisplayChangeNotification.vbs displays the current value of the options attribute on each site link in the Active Directory domain where it is run.

  • EnableChangeNotification.vbs will enable Change Notification on all site links in the Active Directory domain where it is run by changing the options value to 1.

Both scripts are in the ChangeNotificationScripts.zip file, located here.
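A PowerShell equivalent of the two scripts, added here as an example and not the post's own VBScripts: it enumerates every IP site link, reports whether change notification is on, and enables it. It assumes the ActiveDirectory module (RSAT) and an account allowed to modify the Configuration partition; bit 1 of the options attribute is the change-notification flag.

```powershell
# Added example, not the post's VBScripts. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$USE_NOTIFY = 1   # bit 1 of the siteLink 'options' attribute: change notification

function Get-SiteLinkNotification {
    # Lists every IP site link with its raw options value and whether bit 1 is set.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
    Get-ADObject -SearchBase $ipTransport -LDAPFilter '(objectClass=siteLink)' -Properties options |
        ForEach-Object {
            # 'options' is unset on a default site link; treat that as 0.
            $opt = if ($null -ne $_.options) { [int]$_.options } else { 0 }
            [pscustomobject]@{
                Name               = $_.Name
                DistinguishedName  = $_.DistinguishedName
                Options            = $opt
                ChangeNotification = [bool]($opt -band $USE_NOTIFY)
            }
        }
}

function Enable-SiteLinkNotification {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Sets bit 1 with a bitwise OR so any other option bits already present are
    # preserved. The post's script writes the literal value 1, which gives the
    # same result when options was unset.
    foreach ($link in Get-SiteLinkNotification) {
        if ($link.ChangeNotification) { continue }
        $newValue = $link.Options -bor $USE_NOTIFY
        if ($PSCmdlet.ShouldProcess($link.Name, "set options to $newValue")) {
            Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = $newValue }
        }
    }
}

Get-SiteLinkNotification | Format-Table Name, Options, ChangeNotification
Enable-SiteLinkNotification -WhatIf   # drop -WhatIf to apply the change
```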


Tuesday, March 10, 2009

How to Install Windows 7 from a USB Stick


Helmer Zandbergen is a Dutch IT pro who wrote an excellent article that explains how to install Windows 7 from a USB stick in 11 easy steps.

All you need is a PC with USB boot-support (any modern PC), Windows 7 installation files, and a USB stick with at least 4 GB free space.

I used this method to install Win7 on my new Asus Eee PC 1000HE netbook and it works great!

  • Plug in your USB stick
  • Open Command Prompt with admin rights (Start –> enter cmd –> press CTRL+SHIFT+ENTER and click Yes at the UAC prompt)
  • Run Diskpart by typing diskpart and press enter
  • Now type List disk (and press enter). My USB stick is Disk 2.
  • Enter the following commands, where I assume that your USB stick is also Disk 2. If your USB stick is Disk 5, just use Disk 5 instead of my Disk 2! Enter the following commands one by one, each followed by Enter:

Select Disk 2
Clean
Create Partition Primary
Select Partition 1
Active
Format FS=FAT32 (depending on the size of your USB stick this can take a moment)
Assign
Exit

  • Now copy the entire content of your Windows 7 DVD (or Windows 7 source folder, if you extracted the ISO) to the root of your USB stick.
  • Now we still have to make the USB stick bootable. Note: If you are currently running a 64-bit OS and the source (on the USB stick) is 32-bit, you can’t run the following command. Just be sure the source (on the USB stick) and the currently running OS are of the same type!
  • In the Command Prompt (which you didn’t close, I hope) type P: (the drive letter of your USB stick) followed by Enter
  • Type CD\Boot followed by Enter
  • To create a bootsector on the USB stick enter Bootsect /NT60 P: (your USB drive letter) followed by Enter.
  • Reboot your PC and change the boot order (in the BIOS) if needed, so the USB stick is first in the boot order.


Thursday, March 5, 2009

Changing the Default Users and Computers Containers in AD

In Active Directory, the default container for user objects is the Users container and the default container for computer objects is the Computers container.

If you create user or computer objects programmatically and do not specify a target OU, the objects will be created in their default container. Also, whenever you join a new computer to the domain the computer object will always be created in the default Computers container, unless you pre-stage the computer object in an OU.

It's important to note that the Computers and Users containers are just that, containers. They are not OUs. Consequently, you cannot apply Group Policy objects directly to these containers. These containers will, however, inherit GPOs from parent objects, such as the Default Domain Policy.

A lot of my customers have large OU structures where user and computer objects are always placed in specific OUs so that the objects get the correct GPOs. Typically, the default Users and Computers containers are empty for these customers. Even so, user or computer objects will sometimes be created in the default containers for various reasons. This can cause problems for these objects because GPOs are not applied correctly.

Here's how to change the default container that Active Directory will use for new user and computer objects:

  • Log into a Domain Controller (Windows Server 2003, 2008 or 2008 R2) as a Domain Admin
  • Open a CMD prompt
  • To change the default container for user objects, enter:

ReDirUsr Container-DN

where Container-DN is the distinguished name of the container that will become the default location for newly created user objects.

For example:

ReDirUsr "OU=Managed Users,DC=mydomain,DC=com"

  • To change the default container for computer objects, enter:

ReDirCmp Container-DN

where Container-DN is the distinguished name of the container that will become the default location for newly created computer objects.

For example:

ReDirCmp "OU=Managed Computers,DC=mydomain,DC=com"

Please note that the domain functional level must be at least Windows Server 2003 for these commands to work.
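To verify what ReDirUsr and ReDirCmp changed, this added example (not from the original post) reads the domain object's wellKnownObjects attribute, where the two default containers are recorded, and reports whether each now points at an OU. It assumes the ActiveDirectory module; the two GUIDs are the well-known object GUIDs for the Users and Computers containers.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known object GUIDs for the default Users and Computers containers.
$WKGUID_USERS     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
$WKGUID_COMPUTERS = 'AA312825768811D1ADED00C04FD8D5CD'

function Get-DefaultContainer {
    # redirusr/redircmp rewrite the DN part of the matching entry in the domain
    # object's wellKnownObjects attribute. Each entry reads B:32:<GUID>:<DN>.
    $domainDN = (Get-ADDomain).DistinguishedName
    $entries = (Get-ADObject -Identity $domainDN -Properties wellKnownObjects).wellKnownObjects
    $users = $null
    $computers = $null
    foreach ($entry in $entries) {
        $parts = $entry -split ':', 4      # split at most 4 ways so commas in the DN survive
        if ($parts.Count -ne 4) { continue }
        if ($parts[2] -ieq $WKGUID_USERS)     { $users     = $parts[3] }
        if ($parts[2] -ieq $WKGUID_COMPUTERS) { $computers = $parts[3] }
    }
    # GPOs link only to OUs (and domains/sites), so a redirected default container
    # should be an OU= distinguished name, not a CN= container.
    [pscustomobject]@{
        Users         = $users
        UsersIsOU     = $users -like 'OU=*'
        Computers     = $computers
        ComputersIsOU = $computers -like 'OU=*'
    }
}

# Before redirection this shows CN=Users,... and CN=Computers,...; after the
# ReDirUsr/ReDirCmp commands above it shows the OUs you specified.
# (Get-ADDomain).UsersContainer and .ComputersContainer expose the same values.
Get-DefaultContainer
```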


Tuesday, March 3, 2009

Add RunAs Functionality to Windows Server 2008 for All Users


You may be aware that Windows Server 2008 does not allow you to "Run As a Different User", only "Run As Administrator."

You may also be aware of ShellRunAs, by Sysinternals. ShellRunAs adds command-line RunAs functionality to the context menu of executable programs. Once installed using the command "ShellRunAs /reg", you can right-click on any program, select "Run as a different user," and enter the credentials of the user you want to run the program as.

This RunAs functionality allows you to logon to a server with low level permissions and still run programs that require higher permissions, thereby keeping your server safe and happy.

The only problem with ShellRunAs is that it is a per user installation. That means that it needs to be "installed" for each user on the server. This is because "ShellRunAs /reg" actually updates the registry for the current user (HKCU) hive. This can be a real problem for servers where a lot of different people logon, such as a Terminal Server.

So how do you provide this functionality for all users on the server? Read on to find out how.

  • Download ShellRunAs from Sysinternals and extract ShellRunAs.exe to %SystemRoot%\System32

  • Use Notepad to create a reg file called ShellRunAs.reg with the following content:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command]
@="\"C:\\Windows\\System32\\ShellRunas.exe\" \"%1\" %*"

  • Finally, double-click the ShellRunAs.reg file to import it into the registry.

Now right-click an application or program and you will see the new "Run as a different user" menu option. Best of all, it will work for all users on the server without having to register it for each user.

Note: When a user selects Run as a different user for the first time, they will have to accept the end user license agreement. This only happens once because the EULA acceptance is written to the HKCU hive for each user.

By the way, this Run as a different user and Run as Administrator functionality is native in Windows Server 2008 R2.


Tuesday, February 24, 2009

New Hyper-V Dedicated Network is Coming

Windows Server 2008 R2 will offer Hyper-V V2, the second version of Microsoft's hypervisor virtualization solution.

Among the new features, Hyper-V V2 will feature a new "Dedicated" virtual network type. This will be in addition to the External, Internal, and Private networks currently available in Windows Server 2008.

As background, when you create a new virtual network in Windows Server 2008, Hyper-V converts the physical network adapter to a Microsoft Virtual Switch. It also creates a new virtual network adapter attached to the new virtual switch.

In the example above, we see a Hyper-V host with four physical NICs. The first NIC is dedicated to the host, as per best practice, and is attached to the corporate LAN. The other three NICs have been configured as External virtual networks using the Hyper-V Virtual Network Manager.

You will note that there are three disabled virtual NICs at the bottom of the image for the host to use. These virtual NICs were automatically created by Hyper-V when the External virtual networks were configured, and they are enabled by default. I've renamed each NIC and virtual switch on my host server for clarity.

If you're following the best practice of using a dedicated NIC for the Hyper-V host, as above, there normally would be no reason to use these virtual NICs. If you leave them enabled, it can cause a number of problems for the Hyper-V host:

  • The virtual NICs will attempt to get DHCP addresses. If no DHCP server is available, it will get the automatic private IP address (169.254.x.x).
  • The network binding order may be out of order, causing network inefficiencies.
  • The Windows Firewall will apply vastly different settings (I'll blog more on this later).
  • Trying to sort out an IPCONFIG /ALL is a mess

The current recommended way of dealing with this in the Windows Server 2008 version of Hyper-V is to remove all the connections for the new virtual NIC (IPv6, IPv4, etc.) and then disable the virtual NIC. Finally, you should check the network bindings to ensure that the host's NIC is at the top, followed by the virtual switches, and then the disabled NICs.

In Windows Server 2008 R2, Microsoft introduces the Dedicated virtual network type. When you create a Dedicated virtual network, Hyper-V does not automatically create a corresponding virtual NIC. It simply converts the selected physical NIC to a Microsoft Virtual Switch for the VM(s) to use. No need to disable anything or change network binding orders. Very cool!

Note that you will be unable to create a Dedicated virtual network on a single NIC Hyper-V host. If you did, the host would be unable to connect to the corporate LAN since there would be no NIC (physical or virtual) for it to use.

This new network will be a welcome addition to Hyper-V!



Monday, February 23, 2009

Fix for Paused-Critical Virtual Machine State


Your Hyper-V virtual machines may be happily running along, when suddenly they go into a "Virtual machine state : Paused-Critical" condition. If you resume them, they run for a few seconds and then pause again.

This happens when the volume hosting your dynamically expanding VHDs runs low on disk space.

Either free up space on the host volume, move one or more VHDs to another volume with sufficient space, or free space in the child partition and compact the VHD.

To compact a Hyper-V VHD, shut down the virtual machine and open its Settings. Select the VHD and click the Edit button. Select Compact > Next > Finish.

Ben Armstrong also has an excellent article explaining how to compact a VHD file using PowerShell or VBScript.


Sunday, February 22, 2009

Windows 2008 Default Background Colors

Have you ever changed the default Windows Server 2008 desktop color and wanted to change it back? The blueish-green color is not shown in the default palette, so you have to enter the RGB values manually.


Red = 29
Blue = 95
Green = 122


While I'm at it, here is the formula for the cool smokey blue background for Windows PowerShell 2:

Red = 1
Blue = 36
Green = 86


Sunday, February 15, 2009

How to Enable Aero Glass on Windows Server 2008 and R2


Some of us geeks like to use Windows Server 2008 or R2 as our desktop operating system. It's rock solid and offers more features and better performance than Windows Vista.

If you're missing the Vista Aero Glass interface on your Windows Server 2008, here's how to enable all that eye candy goodness.

First, you need to install the Desktop Experience feature using Server Manager, or with the following command line:

ServerManagerCmd -i Desktop-Experience

This will install the Windows Aero and other desktop themes, along with a lot of other programs that go into Vista by default (Windows Media Player, Windows Photo Gallery, etc.).

Next, you need to set the Themes service to Automatic and start it.

If you're running Windows Server 2008 (not Windows Server 2008 R2):
  • Click Control Panel > Personalization
  • Click Windows Color and Appearance and select the Windows Aero color scheme
  • (To turn Aero off, click Theme and select the Windows Classic theme)
For Windows Server 2008 R2:
  • Click Control Panel > Appearance and Personalization
  • Click Personalization and select the Aero Theme



How to Configure the Default OS to the Current OS on Multi-boot Systems


Here's a handy tip to automatically configure the default OS if you have a computer with a dual or multi-boot operating system.
Normally, when you configure a system with two or more operating systems, you select the default OS within Windows using Advanced System Settings > Startup and Recovery > System Startup. Whenever the computer is restarted it will boot to this OS automatically when the timer runs out.

If you're like me, you tend to work with one OS for a while and through several restarts. If the default OS is Windows 7, but I'm working with the Windows Server 2008 R2 OS, the computer will always default to Windows 7 on a reboot unless I manually select Windows Server 2008 R2. This is annoying since reboots are the time I usually use to get a cold drink or go to the bathroom.

Here's how to configure the computer to change the default OS to the current OS:
  • Create a new batch file called DefaultOS.bat using Notepad

  • Add the following line:

bcdedit /default {current}

  • Save the file to the Windows directory on each operating system drive

Now do the following in each Windows OS:

  • Run gpedit.msc to edit the Local Computer Policy

  • Expand Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)

  • Double-click Startup in the details pane

  • Click Add to add a new script

  • Browse to %WINDIR%\DefaultOS.bat and click OK

  • Click OK to close Startup Properties

  • Repeat these steps for each Windows operating system

Now Windows will configure the default OS to the current OS whenever the computer starts up. You can also apply this Startup script to all computers in the domain using Group Policy. It will not affect single boot systems.




Friday, February 13, 2009

Windows 7 Problem Steps Recorder

Here's a 4-1/2 minute video by Keith Combs showing a great new feature in Windows 7, the Problem Steps Recorder, or PSR.

PSR allows end users to record the actions they took to produce a problem.

The user enters PSR in the start menu, clicks Record, and then performs the steps to produce the problem. When the user clicks Stop Record, they can optionally enter comments and save the recording to a single ZIP file. Then they email it to the support staff.

The ZIP file contains an MHT file with screen shots and written actions that documents everything the user typed or clicked during the recording session.

This will be very useful for help desk and support staff in corporate environments, not to mention all those calls I get from my parents.


Thursday, February 12, 2009

New Keyboard Shortcuts in Windows 7

Windows 7 beta 1 includes some handy new shortcut key combinations that allow you to navigate and manage the Windows workspace more efficiently.

Here are 10 new Windows 7 shortcuts that will help you speed up your workflow (“Win” means the Windows Key):

  • Win+Home: Clear all but the active window

  • Win+Space: All windows become transparent so you can see through to the desktop (requires the Aero interface)

  • Win+Up arrow: Maximize the active window

  • Win+Down arrow: Minimize the active window or restore the window if it's maximized

  • Win+Left/Right arrows: Dock the active window to each side of the monitor

  • Win+Shift+Left/Right arrows: If you've got dual monitors, this will move the active window to the adjacent monitor (love this one!)

  • Win+T: Shift focus to and scroll through items on the taskbar

  • Win+P: Adjust presentation settings for your display

  • Win+(+/-): Zoom in/out

  • Shift+Click a taskbar item: Open a new instance of that particular application

Thanks to Stephen Rose, the Senior Community Manager for the TechNet Springboard Series for the tips.



Tuesday, February 10, 2009

How to Configure IPv6 Using Group Policy


By default, Windows Server 2008 R2, Windows 7, Windows Server 2008 and Windows Vista enable and use IPv6 as the default protocol. These versions of Windows will normally use IPv6 for all network communication and will step down to IPv4 as necessary.

You may decide to disable Windows IPv6 for several reasons. Perhaps your IPv4 network doesn't support it, and you want to disable unnecessary protocols. You may have also read that IPv6 breaks Outlook Anywhere on Exchange 2007 Client Access servers.

Most people think that you disable IPv6 by simply unchecking the Internet Protocol Version 6 (TCP/IPv6) checkbox, as shown above. This method disables IPv6 on the particular LAN interface and connection. For other network adapters or connections, users have to repeat the steps to disable IPv6. However, disabling IPv6 this way does not disable IPv6 on tunnel interfaces or the IPv6 loopback interface. It also must be done manually and cannot be instrumented or enforced using Group Policy.

In order to truly disable IPv6, you must disable it in the registry in the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents

Normally, the DisabledComponents value does not exist. If the value does not exist or the value data is 0, IPv6 is enabled on all interfaces.

Microsoft wrote KB article 929852 to document how to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista (and later) manually using the registry. At the end of the article, Microsoft helpfully wrote, "Note: Administrators must create an ADMX file in order to expose the settings in step 5 in a Group Policy setting." Nice. So, I decided to do just that.

I wrote the attached ADMX and ADML files to enable the configuration of IPv6 using Group Policy. Copy each file to the computer you will use to configure the policy.

IPv6Configuration.zip - This ZIP file contains both the ADMX and ADML files:

  • IPv6Configuration.admx - Copy this file to %SYSTEMROOT%\PolicyDefinitions
  • IPv6Configuration.adml - Copy this file to %SYSTEMROOT%\PolicyDefinitions\en-US (Replace en-US with your country's language, as necessary)

Now log into the computer and use the Group Policy Management Console (GPMC) to configure the IPv6 settings. The new policy will be located under Computer Configuration > Policies > Administrative Templates > Network > IPv6 Configuration, as shown below:

Here, you can configure the following IPv6 settings:
  • Enable all IPv6 components (Windows default)
  • Disable all IPv6 components (the setting you probably want)
  • Disable 6to4
  • Disable ISATAP
  • Disable Teredo
  • Disable Teredo and 6to4
  • Disable all tunnel interfaces
  • Disable all LAN and PPP interfaces
  • Disable all LAN, PPP and tunnel interfaces
  • Prefer IPv4 over IPv6

Note that you must restart the computer for the configuration to go into effect.
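For a single host where the ADMX is not deployed, the same settings can be written directly to DisabledComponents. This added example (not from the original post or the ADMX) maps each setting in the list above to the bit values documented in KB 929852, decodes the current value, and sets a chosen one; the flag names are my own.

```powershell
# Added example, not from the original post. Run elevated; a restart is required.
$DisabledComponentsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

# Individual bits of DisabledComponents (KB 929852); the combined settings are ORs.
$IPv6Flag = @{
    DisableTunnelInterfaces = 0x01   # 6to4, ISATAP and Teredo
    Disable6to4             = 0x02
    DisableISATAP           = 0x04
    DisableTeredo           = 0x08
    DisableNativeInterfaces = 0x10   # LAN and PPP
    PreferIPv4              = 0x20
}

function Get-IPv6DisabledComponents {
    # A missing value means 0: every IPv6 component enabled (the Windows default).
    $item = Get-ItemProperty -Path $DisabledComponentsPath -Name DisabledComponents -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.DisabledComponents } else { 0 }
    [pscustomobject]@{
        Raw                      = '0x{0:X}' -f $value
        AllDisabled              = ($value -band 0xFF) -eq 0xFF
        TunnelInterfacesDisabled = [bool]($value -band $IPv6Flag.DisableTunnelInterfaces)
        SixToFourDisabled        = [bool]($value -band $IPv6Flag.Disable6to4)
        ISATAPDisabled           = [bool]($value -band $IPv6Flag.DisableISATAP)
        TeredoDisabled           = [bool]($value -band $IPv6Flag.DisableTeredo)
        NativeInterfacesDisabled = [bool]($value -band $IPv6Flag.DisableNativeInterfaces)
        PreferIPv4               = [bool]($value -band $IPv6Flag.PreferIPv4)
    }
}

function Set-IPv6DisabledComponents {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('EnableAll', 'DisableAll', 'Disable6to4', 'DisableISATAP', 'DisableTeredo',
                     'DisableTeredoAnd6to4', 'DisableTunnelInterfaces', 'DisableNativeInterfaces',
                     'DisableAllInterfaces', 'PreferIPv4')]
        [string]$Setting
    )
    $value = switch ($Setting) {
        'EnableAll'               { 0x00 }
        'DisableAll'              { 0xFF }   # KB 929852 recommends 0xFF over 0xFFFFFFFF (boot delay)
        'Disable6to4'             { $IPv6Flag.Disable6to4 }
        'DisableISATAP'           { $IPv6Flag.DisableISATAP }
        'DisableTeredo'           { $IPv6Flag.DisableTeredo }
        'DisableTeredoAnd6to4'    { $IPv6Flag.DisableTeredo -bor $IPv6Flag.Disable6to4 }
        'DisableTunnelInterfaces' { $IPv6Flag.DisableTunnelInterfaces }
        'DisableNativeInterfaces' { $IPv6Flag.DisableNativeInterfaces }
        'DisableAllInterfaces'    { $IPv6Flag.DisableNativeInterfaces -bor $IPv6Flag.DisableTunnelInterfaces }
        'PreferIPv4'              { $IPv6Flag.PreferIPv4 }
    }
    New-ItemProperty -Path $DisabledComponentsPath -Name DisabledComponents `
        -PropertyType DWord -Value $value -Force | Out-Null
    Get-IPv6DisabledComponents   # the decoded result; takes effect after a restart
}

Get-IPv6DisabledComponents
# Set-IPv6DisabledComponents -Setting DisableAll
```

Where the ADMX is deployed, Group Policy will overwrite this value at the next refresh, so use one mechanism or the other for a given computer.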

Please to enjoy!


Wednesday, February 4, 2009

How to Configure the Filter Limit in ADSIEdit


When viewing a container with a large number of items in ADSIEdit, you may receive the following error:

There are too many items in the folder DC=xxxxxx. Please refine the query parameters or increase the maximum number of items per folder.

The default filter for each container is 10,000 items. To increase the filter, select the parent naming context (Domain, Configuration, Schema, etc.) and click View > Filter in the menu bar. Then enter an appropriate value.


Monday, January 26, 2009

How to Disable Subnet Prioritization

Windows uses a scheme called "subnet prioritization" to attempt to reduce network traffic by re-ordering DNS round-robin records so that the records that are "closest" to the host are the only records used.

For example, suppose there are three A records for the same name in DNS, appserver.domain.com. One with IP 10.0.8.100, one with 10.0.15.100, and one with 10.0.26.100.


If a Windows client with the IPv4 address of 10.0.15.20 performs a DNS query for appserver.domain.com, subnet prioritization will re-order the IP addresses so that it will always use the 10.0.15.100 address.


Subnet prioritization is enabled by default in both the Windows DNS server and the DNS client.


DNS server subnet prioritization (AKA, netmask ordering) can be demonstrated using the Windows NSLOOKUP command. Repeated lookups of appserver.domain.com from the client always give the same results:


C:\>nslookup appserver.domain.com
Server: dns.domain.com
Address: 10.1.1.10

Name: appserver.domain.com
Addresses: 10.0.15.100, 10.0.8.100, 10.0.26.100


Here, the DNS server is reordering the IP addresses, based on the requestor's IP address. If true DNS round-robin is working, the records would rotate in a (A, B, C), (B, C, A), (C, A, B) fashion. Subnet prioritization obviously throws a wrench in round-robin DNS if you're using that as your load balancing or fault tolerance solution.



To disable subnet prioritization on DNS servers:
  • Open the DNS Management console

  • Navigate to the DNS server and open its properties

  • Click the Advanced tab

  • Uncheck Enable netmask ordering and check Enable round robin

  • Click OK

But this only solves half the problem because the Windows client will reorder the DNS results, too. Repeated nslookups will now show that the IP address for appserver.domain.com is rotating correctly, but pinging appserver.domain.com from the client will still always resolve to 10.0.15.100. You must still disable subnet prioritization on the client.

To disable subnet prioritization on Windows DNS clients:

  • Run Regedit

  • Navigate to HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

  • Click Edit > New > DWORD Value

  • Name the new value PrioritizeRecordData (its value data will be 0)

  • Close Regedit

Note: Both of these changes go into effect immediately. There is no need to restart services or the computers.
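To see why netmask ordering defeats round robin, here is a small model of both behaviours using the three A records and the client address from this post. This is an added example, not code from the original post; it assumes the default /24 (class C) matching that both the DNS server's netmask ordering and the client's PrioritizeRecordData setting use.

```python
"""Model of Windows DNS round robin vs. netmask ordering (subnet prioritization).

Added example. Assumes the default /24 subnet match used by the Windows DNS
server (netmask ordering) and by the DNS client (PrioritizeRecordData = 1).
"""
import ipaddress
from typing import List

# Constructed sample: the three A records for appserver.domain.com from the post
RECORDS = ["10.0.8.100", "10.0.15.100", "10.0.26.100"]
CLIENT_IP = "10.0.15.20"  # the querying client from the post


def round_robin(records: List[str], query_number: int) -> List[str]:
    """Plain round robin: the n-th answer rotates the list by n positions,
    i.e. (A, B, C), (B, C, A), (C, A, B), ..."""
    shift = query_number % len(records)
    return records[shift:] + records[:shift]


def netmask_order(records: List[str], requester_ip: str, prefix_len: int = 24) -> List[str]:
    """Netmask ordering: records on the same subnet as the requester are moved
    to the front; all other records keep their relative order."""
    requester_net = ipaddress.ip_network(f"{requester_ip}/{prefix_len}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in requester_net]
    remote = [r for r in records if ipaddress.ip_address(r) not in requester_net]
    return local + remote


def resolve(records: List[str], requester_ip: str, query_number: int,
            netmask_ordering: bool = True) -> List[str]:
    """Answer list a Windows DNS server returns for the n-th query: round robin
    first, then (if enabled) netmask ordering applied to that rotated list."""
    answer = round_robin(records, query_number)
    if netmask_ordering:
        answer = netmask_order(answer, requester_ip)
    return answer


def first_addresses(records: List[str], requester_ip: str, queries: int,
                    netmask_ordering: bool) -> List[str]:
    """Address a client that simply uses the first answer would connect to,
    for each of `queries` successive lookups."""
    return [resolve(records, requester_ip, n, netmask_ordering)[0] for n in range(queries)]


if __name__ == "__main__":
    print("netmask ordering on :", first_addresses(RECORDS, CLIENT_IP, 6, True))
    print("netmask ordering off:", first_addresses(RECORDS, CLIENT_IP, 6, False))
```

With ordering on, every lookup from 10.0.15.20 lands on 10.0.15.100 (the nslookup output shown above); with it off, the first address rotates through all three records.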



Thursday, January 22, 2009

Automating Exchange 2007 Prerequisites for Windows Server 2008


Each server role in Exchange 2007 requires Windows prerequisite software before the Exchange role can be installed on a Windows 2008 server.

All Exchange server roles require the Windows PowerShell feature. Other server roles and features are required, depending on the Exchange role(s) you are installing:

  • The Exchange Hub Transport role requires only the Windows PowerShell feature.
  • The Exchange Client Access role requires the Web Server role with the ISAPI Extensions, Web Metabase, IIS6 Management Console, Web Basic Authentication, Web Digest Authentication, Web Windows Authentication, and Web Dynamic Compression role services. It also needs the Windows PowerShell feature. If the CAS will support Outlook Anywhere clients, it will also need the RPC over HTTP Proxy feature.
  • The Exchange Edge Transport role requires the Active Directory Lightweight Directory Services role and the Windows PowerShell feature.
  • The Exchange Mailbox Server role requires the Web Server role with the ISAPI Extensions, Web Metabase, IIS6 Management Console, Web Basic Authentication, and Web Windows Authentication role services. It also needs the Windows PowerShell feature. If the mailbox server will be clustered, it will also need the Failover Clustering feature.
  • The Exchange Unified Messaging role requires the Windows PowerShell and Desktop Experience features.

These server roles and features can be added using the Server Manager UI, but this post focuses on automating the installation from the command line using the ServerManagerCmd utility.

I have created answer files to use with ServerManagerCmd for each Exchange server role:

Note that I have added the Active Directory Domain Services Tools feature to the All-in-One and Mailbox answer files, since most administrators usually install them with these roles. You can remove this from these answer files if you wish.

Also note that all of these answer files will work for the Hub Transport role, since the Hub role only requires PowerShell. It is common to combine the Hub and CAS roles on a single server; in that case you only have to use the appropriate CAS answer file.

To use these answer files, right-click the answer file above and save it to C:\ on the target Windows 2008 server. Open a Command Prompt and run the following command:

ServerManagerCmd -InputPath C:\answerfile.xml -WhatIf

This will test the answer file you specified and display what the operation will do. Review the output and then run it again without the -WhatIf switch to actually perform the installation. Then install the appropriate Exchange 2007 server role from the DVD.


Monday, January 19, 2009

The Case of the Missing E-Mail Addresses Tab

Recently a customer came to me with a problem. One of his users was missing the E-mail Addresses tab on the user object in Active Directory.

The user had been sending and receiving email for months without a problem, and the other Exchange tabs in AD Users and Computers (Exchange General, Exchange Features, and Exchange Advanced) were present. Here's an example:

This happens because the Exchange Alias is missing and the Exchange Recipient Update Service (RUS) cannot update the email addresses. The fix for this is simple -- enter an Alias for the user on the Exchange General tab. Once you do this, the E-mail Addresses tab becomes visible, as shown below.





Sunday, January 18, 2009

Microsoft Begins 20-Part Webcast on Virtualization

Microsoft kicked off a 20-part virtualization webcast series last week on TechNet.

The series covers a wide array of subjects, from "What is virtualization?" to managing your virtual infrastructure. It's presented by Microsoft virtualization evangelists and covers Hyper-V virtualization, as well as System Center Virtual Machine Manager 2008 (VMM 2008).

The series objectives are to not only help you develop technical depth on various virtualization solutions, but to appreciate the essentials of a typical virtualization project in a real world implementation.

Each webcast is about 90 minutes long and is geared toward level 300 technical detail. This looks to be an interesting series.

The series includes the following live webcasts:

If you should miss any one of these webcasts, the content will be recorded and available within a few days from the same site.


Thursday, January 15, 2009

How to Install a new Certificate on ISA 2004

If you use ISA 2004 to secure an SSL-enabled website such as Outlook Web Access (OWA), you need to install a web listener in ISA. This web listener intercepts (listens) for SSL web traffic destined for the HTTPS server.

Usually, you'll set this up when you configure your ISA server, but eventually the certificate you installed will expire and need to be replaced. This post describes how to do this.

In a nutshell, you have to install the certificate on the OWA server, configure IIS to use it, and then export it with the private key as a PFX file. Then you import the PFX file to the Personal store for the local computer on ISA. Just follow the bouncing ball...

First, you need to request and order a new SSL certificate. This can be done several ways, but usually ends with you getting an email from the certificate authority (e.g., Verisign) with your new certificate. The certificate is in the format of:

-----BEGIN CERTIFICATE-----
.....
.....
-----END CERTIFICATE-----

You simply need to copy and paste the certificate into Notepad and save it as something like C:\Webmail.cer. Be careful to only save the text between the BEGIN and END CERTIFICATE statements (including the leading and trailing dashes).

Now you need to import the certificate into IIS on the web server. Again, there are several ways to do this depending on how you ordered your cert, but this should work every time:

  • Click Start > Run and enter MMC
  • Click File > Add/Remove Snap-in and add the Certificates snap-in
  • Select Computer account > Next > Finish > OK
  • Now you should see the Certificates MMC for the local computer, as shown here:
  • Expand Certificates (Local Computer) > Personal
  • Right-click Personal and select All Tasks > Import
  • Browse to the C:\Webmail.cer file you saved earlier
  • Click Next to store it in the Personal store and Finish to complete the import
  • Don't close the Certificates MMC yet. You'll need it later in this process.

Next, you need to tell IIS to use the new certificate.

  • Open IIS Manager and navigate to the Default Web Site that uses SSL
  • In IIS 6, view the properties of the web site and click the Directory Security tab. Then click Server Certificate, Next and Replace the Current Certificate. Select the new cert you imported and complete the wizard.
  • In IIS 7, click Bindings and edit HTTPS. Then select the new cert you imported and close the Site Bindings window and IIS Manager.

Now that IIS is using the new certificate on the OWA server, you need to export the cert and its private key to import on the ISA server.

  • Now go back to the Certificates MMC and click refresh on Certificates in the Personal store
  • Select the certificate you imported
  • Right-click the certificate and select All Tasks > Export
  • Click Next and choose Yes, export the private key
  • Click Next twice and enter a password for the exported file.
  • Complete the wizard, saving the PFX file in a temporary location
  • Copy the PFX file to your ISA 2004 server

Next, we import the certificate into ISA and configure the ISA listener.

  • On the ISA server, double-click the PFX file you exported
  • Follow the Certificate Import Wizard and place the file in the computer's Personal store
  • Now open the ISA Server Management Console
  • Select the Firewall Policy
  • Click the Toolbox tab on the right and expand Web Listeners
  • Double-click the web listener you want to update to edit it
  • Click the Preferences tab and click Select
  • Select the new certificate and close the listener properties
  • Apply the ISA changes

Finally, you're done!!!


Tuesday, January 13, 2009

Editing the 32-bit Registry on a 64-bit computer

or: How to Stop Worrying and Learn to Love Wow6432Node *

Have you ever edited the registry on a 64-bit computer, but the changes don't seem to go into effect? This usually happens with a 32-bit application (often a 32-bit COM app). Here's why:

Windows normally uses the HKEY_LOCAL_MACHINE\SOFTWARE subkey for 32-bit applications that run on a 64-bit version of the operating system. But when a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\ subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ subkey. A "registry reflector" copies certain values between the 32-bit and 64-bit registry views and resolves any conflicts using a "last writer wins" approach.

So if your 32-bit application is not reading the registry correctly (often because you're enforcing a setting through Group Policy), ensure the setting is being written to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ subkey on 64-bit computers.


Monday, January 12, 2009

How to Move the SMTP Queue in Exchange 2007

Unlike previous versions of Exchange, all SMTP queue activity in Exchange Server 2007 happens in a new ESE database.

By default, this database (and its logs) exists in the C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue folder. You may wish to move this database and its logs to a separate physical volume for better performance. Here's how to do this:

To Change the Database Path:

1. Open the EdgeTransport.exe.config file in the C:\Program Files\Microsoft\Exchange Server\Bin folder using Notepad

2. Edit the value of the line containing <add key="QueueDatabasePath" to reflect the new path. For example:

<add key="QueueDatabasePath" value="D:\QueueDB" />

To Change the Database Logs Path:

3. Edit the value of the line containing <add key="QueueDatabaseLoggingPath" to reflect the new path. For example:

<add key="QueueDatabaseLoggingPath" value="D:\QueueLogs" />

4. Save the file and restart the Microsoft Exchange Transport service


Tuesday, December 23, 2008

How to Modify the All Users Startup Menu

As you no doubt know, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 have modified the locations for user profiles. They are no longer in %SystemDrive%\Documents and Settings and exist in the %ProgramData%\Users folder.

However, to modify the All Users profile to add a shortcut to the Startup menu you actually need to access the %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup folder.

See Peter Fitzsimon's blog for all the gory details.


Monday, December 15, 2008

Incorrect userAccountControl Attribute value causes error in DCDIAG

When you run DCDIAG for a domain controller you may see the following error reported:

Starting test: MachineAccount
Checking machine account for DC MYDC01 on DC MYDC01.
Warning: Attribute userAccountControl of MYDC01 is: 0x82020 = ( UF_PASSWD_NOTREQD , UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
......................... MYDC01 passed test MachineAccount

This typically occurs when the computer account was pre-staged in Active Directory before the computer was joined to the domain. It also may occur if you use the Active Directory Migration Tool (ADMT) to migrate to a new domain. When you do this, the 0x20 flag (UF_PASSWD_NOTREQD) is set on the userAccountControl attribute, indicating that the computer account does not require password changes. It really doesn't matter, as Windows will use a password (and change it every 30 days) regardless of this setting.

The error is still annoying, so here's how to fix it:
  • Open ADSIEdit.MSC (install the Support Tools if ADSIEdit is not installed)
  • Connect to the Domain naming context
  • Expand the domain and navigate to the Domain Controllers container
  • Select the problem Domain Controller
  • Right-click the Domain Controller and select Properties
  • Scroll to the userAccountControl attribute and click the Edit button
  • Change the decimal value to 532480 (0x82000 hex)
  • Click Ok twice and close ADSIEdit

Wait for the change to replicate and re-run DCDIAG to confirm the error has cleared.
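If you have many domain controllers, a script that reads the DCDIAG output, decodes the userAccountControl bitmask and computes the decimal value to enter in ADSIEdit saves the hex arithmetic. This is an added example, not from the original post; the UF_* bit values are the documented constants and the sample DCDIAG text is constructed from the warning above.

```python
"""Decode userAccountControl warnings from DCDIAG and compute the corrected value.

Added example. UF_* bit values are the documented Windows constants; the
DCDIAG text below is constructed from the warning shown in the post.
"""
import re
from typing import Dict, List

UF_FLAGS = {
    0x0002: "UF_ACCOUNTDISABLE",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
}
# Typical DC value: UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION
EXPECTED_DC_UAC = 0x82000

# Constructed sample of the DCDIAG MachineAccount test output
DCDIAG_OUTPUT = """\
Starting test: MachineAccount
Checking machine account for DC MYDC01 on DC MYDC01.
Warning: Attribute userAccountControl of MYDC01 is: 0x82020 = ( UF_PASSWD_NOTREQD , UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT , UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
......................... MYDC01 passed test MachineAccount
"""

WARNING_RE = re.compile(r"Attribute userAccountControl of (\S+) is: (0x[0-9A-Fa-f]+)")


def decode_uac(value: int) -> List[str]:
    """Names of the known UF_* flags set in `value`, lowest bit first."""
    return [name for bit, name in sorted(UF_FLAGS.items()) if value & bit]


def unexpected_flags(value: int) -> List[str]:
    """Flags set on a DC account that are not part of the typical DC value."""
    return decode_uac(value & ~EXPECTED_DC_UAC)


def corrected_value(value: int) -> int:
    """Clear only UF_PASSWD_NOTREQD, exactly what the ADSIEdit steps do."""
    return value & ~0x0020


def parse_dcdiag(text: str) -> Dict[str, int]:
    """Map each DC named in a userAccountControl warning to its current value."""
    return {m.group(1): int(m.group(2), 16) for m in WARNING_RE.finditer(text)}


def remediation_plan(text: str) -> List[dict]:
    """One entry per warned DC: what is wrong and the decimal value to set."""
    plan = []
    for dc, value in parse_dcdiag(text).items():
        fixed = corrected_value(value)
        plan.append({
            "dc": dc,
            "current": value,
            "unexpected": unexpected_flags(value),
            "set_decimal": fixed,              # value to type into ADSIEdit
            "clean_after_fix": fixed == EXPECTED_DC_UAC,
        })
    return plan


if __name__ == "__main__":
    for entry in remediation_plan(DCDIAG_OUTPUT):
        print(f"{entry['dc']}: 0x{entry['current']:X} has {entry['unexpected']}; "
              f"set userAccountControl to {entry['set_decimal']}")
```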


Monday, December 1, 2008

Stop Spamming Yourself!

We all knew that the huge decrease in spam that occurred after mccolo.com was shutdown would be short-lived.

Recently, I've seen a large increase in the amount of spam to me apparently coming from me.


Note: Exchange 2003 and 2007 display the "from" address of these emails as the full SMTP address (i.e., jeff@expta.com), rather than the resolved name (Jeff Guillet), to show that the email actually came from outside the company.
To stop spamming yourself, configure your SMTP gateway server to reject all external emails from your domain(s). Here's how to do this using the Exchange 2007 Edge Transport server:
  1. Open the Exchange Management Console (EMC) on the Exchange Edge Transport server

  2. Expand Microsoft Exchange and select Edge Transport

  3. Double-click Sender Filtering to open its properties

  4. Click the Blocked Senders tab and click Add

  5. Select Domain, enter your SMTP domain name, Include all subdomains, and click OK

  6. Click OK again to close the Sender Filtering Properties window

Now the Edge server will not accept non-authenticated emails from your domain to your domain. Note that this does not prevent external Windows Mobile or Outlook Express clients from sending email into your domain, as long as these users are authenticated.

You can use the following VB script to test the new settings:

'VBScript to test SMTP email

CONST mailServer = "incoming.mydomain.com"
CONST emailAddress = "user@expta.com"

Set objEmail = CreateObject("CDO.Message")
objEmail.From = emailAddress
objEmail.To = emailAddress
objEmail.Subject = "Test Message"
objEmail.Textbody = "This is a test message."
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") = mailServer
objEmail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send
MsgBox "SMTP Email sent successfully to " & emailAddress, vbInformation, "TestSMTP"

Change the mailServer variable to use your Edge Transport server name and the emailAddress variable to use your internal SMTP address. The script will send SMTP email to the email address from the same email address.

Before Sender Filtering is enabled, the script will return a success message:


After Sender Filtering is enabled, the script will return a Sender Denied message:




Thursday, November 6, 2008

New Windows Update Client Available

Microsoft is releasing a new version of the Windows Automatic Update client, version 7.2.6001.788, for Windows XP, Vista, and Windows Server 2000, 2003 and 2008.

This update includes the same performance enhancements available in the last client:
  • Improves scan times for Windows Update
  • Improves the speed at which signature updates are delivered
  • Enables support for Windows Installer reinstallation functionality
  • Improves error messaging
This version also fixes a bug that limited the client to only downloading 80 updates at a time. This is important when trying to update an XP RTM computer, for example, since there are far more than 80 updates for this build.

The update will be slowly rolled out via Windows Update and WSUS over the next two months. You can also download the update directly from Microsoft here.

It may be important to know that Windows Update will automatically update the Windows Automatic Update client software, even if the computer is configured not to download automatic updates. The only way to prevent this is to completely turn off Automatic Updates (not recommended).


Friday, October 31, 2008

Cannot Add a Site to Trusted Sites

I ran into a weird problem today with a Windows Server 2003 SP2 server, where I could not add a site to the Trusted Sites zone. The error I got was, "There was an unexpected error with your zone settings. Unable to add this zone."

To fix the issue, enable Internet Explorer Enhanced Security Configuration in Add/Remove Windows Components, add the desired site to the Trusted Sites zone, and then disable Internet Explorer Enhanced Security Configuration again. That seems to fix the corruption in the Trusted Sites zone information. Future sites can then be added without issue.


Saturday, October 25, 2008

Getting Windows Mobile to Work with Exchange 2007 Using POP3/IMAP4 and SMTP (Part 2)

This is part 2 of my series, where I show you how to configure Windows Mobile to send and receive email from Exchange 2007 using IMAP4 and SMTP.

Part 1, where we configured Exchange 2007, can be read here.

Now that Exchange 2007 is configured, we need to configure a new email account in Windows Mobile. How you do this depends on the version of Windows Mobile on your device, but the essential steps are as follows:

  • Enter your email address and password to access the new account

  • Select Internet e-mail from the dropdown box for Your e-mail provider

  • Enter your name as you want it to appear to recipients and choose an account display name on the device (e.g., IMAP Email)

  • Enter the FQDN for the Exchange 2007 server that holds the Client Access (CAS) role (e.g., cas.mydomain.com) for the Incoming mail server.

  • Choose IMAP4 as the Account Type

  • Enter your account logon (domain\username) for the User Name and enter the network password

  • Enter the FQDN for the Exchange 2007 server that holds the Hub Transport role, followed by :587 (e.g., smtp.mydomain.com:587) for the Outgoing (SMTP) mail server. See the figure above. If you don't follow the FQDN with :587, the Windows Mobile device will use the standard port 25 for SMTP communication.

  • Select Outgoing server requires authentication

  • Under Advanced Settings, select both the Require SSL for Incoming e-mail and Require SSL for Outgoing e-mail checkboxes to encrypt the traffic between the Windows Mobile device and Exchange 2007

  • Configure your Automatic Send/Receive schedule


Important Note: You must enter the FQDN:587 correctly the first time for the Outgoing (SMTP) mail server field. You cannot edit it later once you've clicked off that field -- if you do, Windows Mobile will still use port 25. This seems to be a bug in Windows Mobile 6.1 and may happen in other versions, as well. If you don't enter it correctly the first time, you will either need to cancel the setup wizard and start over again or delete the email account and recreate it.

Now test your new settings by synchronizing the mail account and test sending an email. If you get an error saying,

Message not sent. The message 'Test email' was not sent and has been moved to the Drafts folder. The server returned the following error message:

550 5.7.1 Unable to relay

It means that the Windows mobile device is trying to send SMTP email over port 25 through your Exchange server to a remote address, which is relaying. Delete the account you just created and do it again, making sure to enter :587 after the FQDN of the SMTP server.

I hope this two-part series helps you get IMAP and SMTP working properly between Exchange 2007 and your Windows Mobile device!


Friday, October 24, 2008

Getting Windows Mobile to Work with Exchange 2007 Using POP3/IMAP4 and SMTP (Part 1)

This is the first of a two-part article that describes how to enable Windows Mobile devices to receive email from Exchange 2007 using IMAP4 and send email using SMTP.

As you probably know, Windows Mobile can only have one connection agreement with Exchange at a time. That means that if you want to access additional email accounts you must use POP3 or IMAP4 for incoming email and SMTP for outgoing email on your device.

In part 1, I will describe how to set up IMAP4 and SMTP client email submission in Exchange 2007. Part 2 will describe how to configure the Windows Mobile client.

Configuring IMAP4 in Exchange 2007
POP3 offers simple email retrieval services from a user's Inbox in Exchange. IMAP4 offers a few more extensive features, including access to all the folders in the user's mailbox. Neither of these services is enabled in Exchange 2007 by default. To enable POP3 or IMAP4 (usually one or the other), simply change the appropriate service from Manual to Automatic on your Exchange 2007 Client Access server (CAS) and then start it. In this article I will be using IMAP4 for Windows Mobile access.

The next step is to configure the logon authentication mechanism for IMAP4. I strongly recommend using TLS to secure logons so that usernames and passwords are not transmitted in plain text.
  • Open the Exchange Management Console (EMC)
  • Navigate to Server Configuration, Client Access and view the POP3 and IMAP4 properties of the CAS
  • Double-click the IMAP4 protocol and select the Authentication tab
  • Select Secure Logon. A TLS connection is required for the client to authenticate to the server.
  • Select the appropriate X.509 certificate to use and click OK to close the properties window

Configuring SMTP Client Submissions in Exchange 2007
Now we need to configure the Exchange 2007 Hub Transport (HT) server to accept inbound SMTP connections from clients.

  • Open the Exchange Management Console (EMC)
  • Navigate to Server Configuration, Hub Transport and select the HT server
  • Click New Receive Connector from the Action pane
  • Give the new Receive Connector a name such as, "Mobile Clients"
  • Select Client as the intended use for this receive connector and click Next
  • Click Next to allow all remote networks to use this receive connector
  • Click New to create the new Receive Connector
  • Now open the properties of the Mobile Clients connector
  • Click the Network tab and notice that the port the connector uses is 587
  • Click the Authentication tab. Ensure that Transport Layer Security (TLS), Basic Authentication, Offer basic authentication only after starting TLS, and Integrated Windows Authentication are checked.
  • Click the Permissions Groups tab. Ensure that only Exchange users is checked and click OK to close the properties window.

Name Resolution and Port Forwarding
The FQDN of the CAS (e.g., cas.mydomain.com) and the HT server (e.g., smtp.mydomain.com) must be resolvable from your Windows Mobile device on the Internet. The CAS must also accept IMAP4 requests and the HT must accept SMTP submissions from your Windows Mobile device. This may require you to configure port forwarding from your external firewall. You will need to forward TCP port 143 for IMAP4 to the CAS and port 587 for client SMTP message submission to the HT server.

Port 25 is fast becoming the port used exclusively for server to server SMTP traffic and port 587 is becoming the standard for client to server SMTP traffic.

So far, we have configured Exchange 2007 to allow secure IMAP4 and SMTP client access. In part 2 of this series I will discuss how to enable IMAP4 and SMTP access to Exchange from a Windows Mobile device.


Monday, October 20, 2008

Fix for 0x8024400E Errors on WSUS Clients


I've seen this happen with two customers over the past few weeks, so I figure it might be prevalent enough to blog about it.

Symptom:
Some, but not all, WSUS clients begin to fail when checking for updates. The %windir%\WindowsUpdate.log file shows errors such as:

  • WARNING: SyncUpdates failure, error = 0x8024400E, soap client error = 7, soap error code = 400, HTTP status code = 200

  • WARNING: PTError: 0x8024400e

  • WARNING: Failed to synchronize, error = 0x8024400E

  • WARNING: WU client failed Searching for update with error 0x8024400e

According to the Comprehensive List of WSUS Codes page hosted on this blog, the 0x8024400e error means "SUS_E_PT_SOAP_SERVER: The message was OK but server couldn't process at the moment. Same message *may* succeed at a later time." Huh? I already took a shower this morning! What's with this SOAP business?


The Fix:
This problem is due to a problem with a recent revision to the Office 2003 Service Pack 1 update on the WSUS server. It results in some WSUS 3.X servers syncing that revision to an inconsistent state. When computers with products related to Office 2003 communicate with one of these WSUS servers, the web service is unable to process the approvals, resulting in detection failure.

In order to reset the approvals to a consistent state on the WSUS server, follow these steps from the WSUS Administration Console:


  1. Find the 'Office 2003 Service Pack 1' update in the updates list. This may involve changing the Approval and Status filters in the update UI (set the Status to "Any" and the Approval to "Declined" -- if you don't see it then set the Approval to "Any except Declined").

  2. Perform the following steps:

    • First, make sure the update is declined. If the update is not yet declined, right-click on the update and decline it.

    • Next, approve the update:

      • Right-click on the update and select the 'Approve...' option in the context menu.

      • In the 'Approve Updates' dialog that opens, just click 'OK'. Dismiss the 'Approval Progress' dialog that appears.

    • Next, decline the update.

      • Right-click on the update and select the 'Approve...' option in the context menu.

      • In the 'Approve Updates' dialog that opens, just click 'OK'. Dismiss the 'Approval Progress' dialog that appears.

The computers that were failing detection will now successfully complete detection against the server and receive any applicable updates.

Note: If you have a hierarchy of WSUS servers, these steps must be performed on each server, starting with the top-level server. If one of the servers is a replica child, one must first change it to be autonomous, then perform the steps above, then change it back to being a replica. This can be done from the Options/Update Source and Proxy Server Dialog.


Thursday, October 9, 2008

Fix for Large Framework.log files


The WMI service maintains text log files for all operating systems earlier than Windows Vista and Windows Server 2008. These log files are stored in the %SystemRoot%\System32\WBEM\Logs folder. The log files include:

  • Wbemcore.log

  • Wbemess.log

  • Mofcomp.log

  • Wmiadap.log

  • Wbemprox.log

  • Framework.log

  • Winmgmt.log

Most of these log files are configured to automatically wrap every 64KB. When the log file reaches this limit, it is renamed to logfile.lo_ and a new log file is created. Unfortunately, this does not happen with the Framework.log file - it will continue to grow indefinitely. This came to light recently at a client site when the backup team noticed that this file was taking a very long time to back up on Exchange servers. The Framework.log files on these servers exceeded 800MB.

Microsoft wrote a TechNet support article, "The Framework.log file grows larger than 64 KB when you use WMI on a Windows Server 2003 or Windows XP computer," which explains that this is due to a permissions problem with the Network Service. As the article explains, the fix is to grant the Network Service account the Delete right on the %SystemRoot%\System32\WBEM\Logs folder.

Here's how to do this for all machines in the domain using Group Policy:

  1. Edit the appropriate Group Policy object for the managed computers. I used the Default Domain Policy.
  2. Navigate to Computer Configuration, Windows Settings, Security Settings, File System
  3. Right-click File System and select Add File...
  4. Navigate to the %SystemRoot%\System32\WBEM\Logs folder and click OK. A security window will appear.
  5. Add the LOCAL SERVICE and NETWORK SERVICE accounts, giving both accounts only Read and Write permissions.
  6. Click the Advanced button.
  7. Clear the "Inherit from parent the permission entries that apply to child objects" checkbox.
  8. Select the NETWORK SERVICE account and click Edit.
  9. Check Delete under the Allow column and click OK. Repeat for the LOCAL SERVICE account.
  10. Click OK four times to close all the dialog boxes.

The new security settings will be enforced on target computers on the next Group Policy refresh. After that, the large Framework.log file will be renamed to Framework.lo_ and a new Framework.log file will be created. Once that new logfile grows beyond 64KB it will replace the large file.


Wednesday, October 8, 2008

Unlocked Workstation


I found this great graphic at http://www.unlockedworkstation.com/.

Next time you come across an unlocked workstation, just open a browser on it and go to the website. Don't forget to lock the workstation when you're done.



Monday, October 6, 2008

Fix for "Could not start the Automatic Updates service on local computer"

You may find that the Automatic Updates service on Windows XP is stopped with the following error:

Could not start the Automatic Updates service on local computer. Error 0x80004015: The class is configured to run as a security ID different from the caller.

This can happen when Windows XP clients attempt to start the Automatic Updates service and is due to a permissions issue on the service itself. The quickest and easiest fix is to reset the permissions for the Automatic Updates service on the client and then start the service.

To display the current permissions of the Automatic Updates service and fix them:
  1. Click Start, Run and type “cmd” to launch the Command prompt
  2. From the command prompt, type: SC sdshow wuauserv
    The output will look like: D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)
  3. Now, reset the permissions as follows from the command prompt (single line, wrapped for clarity):
    SC sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
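The two SDDL strings above are hard to read by eye. This added PowerShell example (not from the original post, PowerShell 3.0 or later) decodes a service security descriptor into per-principal rights and diffs the "before" and "after" descriptors quoted above, so you can see exactly what the reset changes before running sc sdset; the right and principal tables are the standard SDDL abbreviations as they apply to service objects.

```powershell
# Added example (not from the original post): decode service SDDL into readable
# rights and compare two descriptors. Codes follow the standard SDDL mapping for
# service access rights; principal aliases cover the ones used in this post.
$ServiceRights = @{
    CC = 'QueryConfig';         DC = 'ChangeConfig';  LC = 'QueryStatus'
    SW = 'EnumerateDependents'; RP = 'Start';         WP = 'Stop'
    DT = 'PauseContinue';       LO = 'Interrogate';   CR = 'UserDefinedControl'
    SD = 'Delete';              RC = 'ReadControl';   WD = 'WriteDac'
    WO = 'WriteOwner'
}
$Principals = @{
    BA = 'BUILTIN\Administrators';   SY = 'NT AUTHORITY\SYSTEM'
    IU = 'NT AUTHORITY\INTERACTIVE'; AU = 'NT AUTHORITY\Authenticated Users'
    PU = 'BUILTIN\Power Users'
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # A DACL ACE looks like (A;;CCLCSW...;;;BA): type; flags; rights; objectGuid; inheritGuid; trustee
    $aceRegex = '\((?<type>[AD]);(?<flags>[^;]*);(?<rights>[^;]*);(?<obj>[^;]*);(?<inh>[^;]*);(?<who>[^)]+)\)'
    foreach ($m in [regex]::Matches($Sddl, $aceRegex)) {
        $who   = $m.Groups['who'].Value
        $codes = [regex]::Matches($m.Groups['rights'].Value, '[A-Z]{2}') | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Type      = if ($m.Groups['type'].Value -eq 'A') { 'Allow' } else { 'Deny' }
            Principal = if ($Principals.Contains($who)) { $Principals[$who] } else { $who }
            Rights    = @($codes | ForEach-Object { if ($ServiceRights.Contains($_)) { $ServiceRights[$_] } else { $_ } })
        }
    }
}

function Compare-ServiceSddl {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $old = @(ConvertFrom-ServiceSddl -Sddl $Before)
    $new = @(ConvertFrom-ServiceSddl -Sddl $After)
    $all = @($old | ForEach-Object { $_.Principal }) + @($new | ForEach-Object { $_.Principal }) | Select-Object -Unique
    foreach ($p in $all) {
        $o = @($old | Where-Object { $_.Principal -eq $p } | ForEach-Object { $_.Rights })
        $n = @($new | Where-Object { $_.Principal -eq $p } | ForEach-Object { $_.Rights })
        [pscustomobject]@{
            Principal = $p
            Removed   = (@($o | Where-Object { $n -notcontains $_ }) -join ', ')
            Added     = (@($n | Where-Object { $o -notcontains $_ }) -join ', ')
        }
    }
}

# The two descriptors quoted in the post above.
$before = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)'
$after  = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
ConvertFrom-ServiceSddl -Sddl $after | Format-Table -AutoSize
Compare-ServiceSddl -Before $before -After $after | Format-Table -AutoSize
```

The diff shows that the reset does more than add Authenticated Users and Power Users: it also drops ChangeConfig, Delete, WriteDac and WriteOwner from SYSTEM and removes the INTERACTIVE entry entirely, which is worth knowing before you apply it.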

We can now start the service and try to detect the Automatic Updates from the command prompt:

C:\>wuauclt.exe /detectnow

This should fix the problem.


Friday, September 26, 2008

How to Delegate the Right to Unlock User Accounts



In order to delegate the right to unlock locked user accounts to a user or group in Active Directory, you first need to make the right visible in Active Directory Users and Computers (ADUC).

The %windir%\System32\dssec.dat file contains all the rights attributes that can be exposed in ADUC. These rights attributes are grouped under headings surrounded by square brackets, such as [user] or [computer]. Each attribute is assigned a value (filter) as follows:

0 - Read and Write is exposed
1 - Write is exposed
2 - Read is exposed
7 - Hide the attribute

To modify the filter, open dssec.dat in Notepad. Find the lockoutTime attribute under the [user] heading. Be careful to select the [user] heading, as there's another lockoutTime attribute under [computer]. Change the value of the filter from 7 to 0 (lockoutTime=0) and save the changes.

To delegate the right to unlock user accounts in ADUC:
  1. Right-click the OU or domain in Active Directory Users and Computers and select Delegate Control from the context menu
  2. Click Next on the Welcome dialog
  3. Click Add to select the user or group and click OK
  4. Click Next
  5. Select Create a custom task to delegate and click Next
  6. Select Only the following objects in the folder. In the list, check User objects and click Next
  7. Clear the General checkbox and check the Property-specific box
  8. Check both the Read lockoutTime and Write lockoutTime boxes and press Next
  9. Click Finish

Note: You only need to edit the dssec.dat file on the computer where you are performing the delegation. You do not need to modify it from any other machine, including the one where the user administration will occur.
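The wizard steps above end up as a single ACE on the OU: Read and Write on the lockoutTime attribute, inherited by descendant user objects. This added PowerShell example (not from the original post) creates the same ACE with the RSAT ActiveDirectory module and then lists it back for verification. Because it writes the ACE directly, the dssec.dat edit is not needed for the scripted route (dssec.dat only controls what ADUC displays). The OU and group names in the usage lines are placeholders; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post): delegate Read/Write lockoutTime
# on user objects under an OU, equivalent to the Delegation of Control wizard
# steps above. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve an attribute or class schemaIDGUID from the schema rather than hard-coding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    New-Object Guid (,[byte[]]$obj.schemaIDGUID)
}

function Grant-UnlockDelegation {
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [Parameter(Mandatory)][string]$GroupSamAccountName
    )
    $lockoutTimeGuid = Get-SchemaGuid -LdapDisplayName 'lockoutTime'   # property being delegated
    $userClassGuid   = Get-SchemaGuid -LdapDisplayName 'user'          # limit the ACE to user objects
    $sid = (Get-ADGroup -Identity $GroupSamAccountName).SID

    # ReadProperty + WriteProperty on lockoutTime, applied to descendant user objects only
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutTimeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)

    $path = "AD:\$OUDistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-UnlockDelegation {
    # List every ACE on the OU that targets lockoutTime, to verify the delegation.
    param([Parameter(Mandatory)][string]$OUDistinguishedName)
    $lockoutTimeGuid = Get-SchemaGuid -LdapDisplayName 'lockoutTime'
    (Get-Acl -Path "AD:\$OUDistinguishedName").Access |
        Where-Object { $_.ObjectType -eq $lockoutTimeGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType
}

# Placeholder OU and group; replace with your own.
Grant-UnlockDelegation -OUDistinguishedName 'OU=Staff,DC=example,DC=com' -GroupSamAccountName 'HelpDesk-Unlock'
Get-UnlockDelegation  -OUDistinguishedName 'OU=Staff,DC=example,DC=com'
```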


Sunday, September 21, 2008

Getting NumLock to Stick

Here's a tip on how to get the Num Lock key to stay on (or off) every time a user logs on.

Simply set the NumLock key to the desired status (on or off), press Ctrl-Alt-Delete (Ctrl-Alt-End in a Hyper-V guest, Ctrl-Alt-Ins in a VMware guest), and select Log off.

This will set HKEY_CURRENT_USER\Control Panel\Keyboard\InitialKeyboardIndicators to 0 (OFF) or 2 (ON), depending on your preference. The next time you log on, the NumLock setting will stick.


Friday, August 29, 2008

Fallback Printer Drivers in RDP and Terminal Server Sessions

Microsoft Remote Desktop Connection provides the ability for users to use the printers installed on their local computer within a Terminal Server session. This behavior is enabled by default, and can be changed in MSTSC (the Remote Desktop Connection client) in Options, Local Resources tab, Printers.

In order for this to work, a printer driver must be installed on the Terminal Server that matches the driver installed on the local computer. This is problematic, since you can't always be sure which printer is installed on connecting computers. If there is no matching printer driver on the server, the user will be unable to print to that printer within the RDP session. You will also see an error in the System Event Log similar to the following when the user logs into the Terminal Server:

Event Type: Error
Event Source: TermServDevices
Event Category: None
Event ID: 1111
Date: 7/8/2008
Time: 12:51:15 PM
User: N/A
Computer: HOFS01
Description:
Driver HP LaserJet 4250 PCL 5e required for printer !!SERVER1! NetPrinter2 is unknown. Contact the administrator to install the driver before you log in again.

To handle this issue without having to install tons of drivers on your server, you can tell the server to use a "fallback printer driver." If the exact driver is not installed, the server will offer a fallback PCL or PS driver (or both) to use instead. This is configured in Group Policy as shown below. Note that this requires Windows Server 2003 SP1 or later.

For Windows Server 2003, open Group Policy and navigate to Computer Settings, Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server data redirection, and configure the Configure Terminal Server Fallback Printer Driver Behavior option.

For Windows Server 2008, open Group Policy and navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, Terminal Services, Terminal Server, Printer Redirection and configure the Specify Terminal Server Fallback Printer Driver Behavior option.

Configure the Terminal Server Fallback Printer Driver Behavior to Enabled, Show both PCL and PS if one is not found, as shown below.

When a client logs into the Terminal Server, you will now see the following event in the System Event Log and the client will be able to use their printer.
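Before deciding between installing a specific driver and relying on the fallback, it helps to know which drivers clients keep asking for. This added PowerShell example (not from the original post) reads TermServDevices event 1111 from the System log and tallies the requested drivers by parsing the message format shown above. Get-WinEvent needs Windows Server 2008 or later and PowerShell 3.0 or later; the sample messages at the end are constructed so the parser can be exercised without a real log.

```powershell
# Added example (not from the original post): find which printer drivers RDP
# clients are requesting, from the TermServDevices 1111 events described above.
function ConvertFrom-PrinterDriverEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        # Message format from the post:
        # "Driver <name> required for printer <printer> is unknown. Contact the administrator ..."
        if ($Message -match '^Driver (?<driver>.+?) required for printer (?<printer>.+?) is unknown') {
            [pscustomobject]@{ Driver = $Matches['driver']; Printer = $Matches['printer'] }
        }
    }
}

function Get-MissingPrinterDrivers {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 500)
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'TermServDevices'; Id = 1111
    }
    $events | ForEach-Object { $_.Message } | ConvertFrom-PrinterDriverEvent |
        Group-Object -Property Driver | Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Driver'; e = { $_.Name } }, Count,
                      @{ n = 'Printers'; e = { ($_.Group | ForEach-Object { $_.Printer } | Select-Object -Unique) -join '; ' } }
}

# Constructed sample messages (not real log data) to exercise the parser.
$sample = @(
    'Driver HP LaserJet 4250 PCL 5e required for printer !!SERVER1!NetPrinter2 is unknown. Contact the administrator to install the driver before you log in again.',
    'Driver HP LaserJet 4250 PCL 5e required for printer !!WS17!HomeLJ is unknown. Contact the administrator to install the driver before you log in again.',
    'Driver Canon iR3245 PCL6 required for printer !!WS22!Canon is unknown. Contact the administrator to install the driver before you log in again.'
)
$sample | ConvertFrom-PrinterDriverEvent | Group-Object -Property Driver | Select-Object Name, Count

# Against a live Terminal Server:
# Get-MissingPrinterDrivers -ComputerName 'TS01'
```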




Monday, August 25, 2008

Exchange Server Virtualization Support Policy Summary

Microsoft released their Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments document this month. I reviewed the support document and summarized the salient facts here.

Exchange 2007 Virtualization

Host Requirements:
  • A hypervisor virtualization solution that has been validated by the Windows Server Virtualization Validation Program
  • Adequate storage space to accommodate the host OS and components, paging file, management software and crash recovery (dump) files
  • Storage space must be allocated for Hyper-V temporary memory storage (BIN) files, equal to the amount of RAM allocated to each guest
Guest Requirements:
  • Exchange 2007 SP1 (or later) deployed on Windows Server 2008
  • Cannot have the Unified Messaging Role installed
  • The total number of virtual processors cannot exceed twice the number of physical cores. Typically, two virtual processors are required for each Exchange server guest, but use this as a baseline
  • Large mailboxes (1GB and larger) require the use of Cluster Continuous Replication (CCR)
  • CCR nodes must be hosted on separate physical host servers to provide true redundancy and high availability
  • Mixing physical and virtual nodes is supported for CCR and SCC environments
  • Exchange supported backups must be run from the guest
  • Both legacy backups (using ESE streaming APIs) and Exchange-aware software-based VSS backups (Data Protection Manager) are supported
  • VSS backups of an Exchange guest are supported if the guest uses only VHDs (not pass-through disks)
Guest Storage Requirements:
  • Supports fixed size VHDs, SCSI pass-through and iSCSI storage
  • Storage must be dedicated to one guest machine. In other words, a pass-through disk must be dedicated to one, and only one, guest.
  • Guest OS must use a minimum fixed-size VHD of 15GB plus the size of virtual RAM allocated to the guest
  • VHD limit is 2,040GB (nearly 2TB) in Hyper-V
  • Hub and Edge Transport servers require sufficient storage for message queues and log files
  • Mailbox servers require sufficient storage for databases and log files
  • iSCSI storage using an iSCSI initiator within the guest is supported. This offers greater portability, but decreased performance
Not Supported:
  • Dynamically expanding VHDs are not supported
  • Snapshots or differencing disks are not supported
  • Virtualization high availability solutions, such as Hyper-V Quick Migrations, are not supported. Only Exchange aware HA solutions (SCC, LCR, CCR and SCR) are supported.
  • VSS backups of the Exchange guest machine's pass-through disk from the host are not supported
Recommendations:
  • Storage should be hosted on separate disk spindles from the guest's OS
  • Use SCSI pass-through storage to host transport and mailbox databases and transaction logs
  • When using iSCSI storage, configure the iSCSI Initiator on the host and present it as a pass-through disk to the guest
  • For iSCSI storage, use dedicated Gigabit Ethernet NICs with jumbo frames that are not bound to a Virtual Network Switch, on isolated networks

Exchange 2003 Virtualization

Host Requirements:
  • The hardware virtualization software is Microsoft Virtual Server 2005 R2 or any later version of Microsoft Virtual Server
Guest Requirements:
  • Exchange Server 2003 SP2 (or later)
  • Microsoft Virtual Server 2005 R2 Virtual Machine Additions must be installed on the guest operating system
  • Exchange Server 2003 is configured as a stand-alone server and not as part of a Windows failover cluster
  • Each guest must have only one CPU
Guest Storage Requirements:
  • The SCSI driver installed on the guest operating system is the Microsoft Virtual Machine PCI SCSI Controller driver
  • The virtual hard disk Undo feature is not enabled for the Exchange virtual machine
Recommendations:
  • Consider adding a dedicated virtual network adaptor for Exchange Server backups
  • Create separate fixed-size VHDs for Exchange Server databases and log files and store them on separate physical drives on the host
  • Exchange Server performance should be validated before production by using the Exchange Server 2003 Performance Tools
  • Make sure that the host server is sized correctly to handle the number of virtual machines that you plan to deploy
  • Use a storage solution that enables fast disk access
  • Antivirus programs should be configured to not scan VHD files


Saturday, August 23, 2008

Best. Birthday Present. Ever.



My family decided to celebrate my birthday by pushing me out of a perfectly good airplane.

Bay Area Skydiving, in Byron, CA. I highly recommend this.


Friday, August 22, 2008

How to Determine if a PST is ANSI or Unicode


PSTs created in Outlook 2002 and earlier versions are saved in ANSI format, which has a 2.1GB limit. Outlook 2003 and later offer both ANSI and Unicode formats for PST creation. Unicode PSTs have a theoretical 36TB limit which makes them a better choice, providing that backward compatibility is not an issue.

So how can you tell if a PST is in ANSI or Unicode format?

One way is to download a free utility called ListPSTs from http://www.maclean.com. You run this utility from the command line against the file or folder that contains the PST(s). The output displays the format of the PST files, as shown above.

Another way to tell without having to use a separate utility is by viewing the properties of the PST from within Outlook, itself. When you add the PST to Outlook, pay attention to the Format field of the PST, as shown below:

Unicode formatted PSTs will display the format, "Personal Folders File". ANSI formatted PSTs will display the format, "Personal Folders File (Outlook 97-2002)".
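A third way, going beyond the two methods in the post, is to read the PST header directly. This added PowerShell example (not from the original post) checks the "!BDN" magic at the start of the file and the 16-bit wVer field at offset 10, which the [MS-PST] header layout documents as 14 or 15 for ANSI and 23 for Unicode (36 for the later Unicode 4K-page variant); no Outlook or extra utility is needed. The header bytes at the end are constructed, not a real file.

```powershell
# Added example (not from the original post): classify a PST as ANSI or Unicode
# from its header, per the [MS-PST] layout (dwMagic at 0, wVer at offset 10).
function Get-PstFormatFromHeader {
    param([Parameter(Mandatory)][byte[]]$Header, [string]$Name = '(bytes)')
    if ($Header.Length -lt 12) { throw "$Name: header too short to be a PST" }
    $magic = [System.Text.Encoding]::ASCII.GetString($Header, 0, 4)
    if ($magic -ne '!BDN') { throw "$Name does not have the PST magic (found '$magic')" }
    $wVer = [BitConverter]::ToUInt16($Header, 10)   # little-endian, offset 10
    $format = switch ($wVer) {
        { $_ -eq 14 -or $_ -eq 15 } { 'ANSI (Outlook 97-2002, 2 GB limit)' }
        23                          { 'Unicode' }
        36                          { 'Unicode (4K page)' }
        default                     { "Unknown (wVer=$wVer)" }
    }
    [pscustomobject]@{ File = $Name; wVer = $wVer; Format = $format }
}

function Get-PstFormat {
    # Read only the first 12 bytes of the file so large PSTs are not loaded.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $header = New-Object byte[] 12
        $read   = $fs.Read($header, 0, $header.Length)
    } finally { $fs.Close() }
    if ($read -lt 12) { throw "$Path is too small to be a PST" }
    Get-PstFormatFromHeader -Header $header -Name $Path
}

# Constructed header (not a real file): "!BDN", dwCRCPartial, wMagicClient "SM",
# then wVer = 23 (0x0017) little-endian at offset 10, i.e. a Unicode PST.
$unicodeHeader = [byte[]](0x21,0x42,0x44,0x4E, 0,0,0,0, 0x53,0x4D, 0x17,0x00)
Get-PstFormatFromHeader -Header $unicodeHeader -Name 'sample-unicode'

# Against real files:
# Get-ChildItem -Path 'C:\PSTs' -Filter *.pst | ForEach-Object { Get-PstFormat -Path $_.FullName }
```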


Tuesday, August 19, 2008

How to Configure the SCL in Exchange

Recently I was asked what the proper Spam Confidence Level (SCL) should be for an Exchange 2007 installation. The answer is the ever-popular, "it depends."

The SCL is a value that Exchange assigns to each incoming SMTP email and is based on Microsoft's SmartScreen technology. This score determines how likely Exchange thinks an email message is spam. A rating of 0 means the message is not likely spam and a rating of 9 means the message is most likely spam.

SmartScreen is a "black hole" technology -- meaning that the algorithms and heuristics it uses for scoring are not published by Microsoft, which makes it more difficult for spammers to craft messages that score lower and pass the filter. The Exchange server downloads new heuristics from Microsoft periodically.

Exchange 2003 SP2 introduced the Internet Message Filter (IMF) to score emails with an SCL rating. Exchange 2007 uses Content Filtering on the Anti-spam tab of the Edge Transport server to score emails (as shown below). It can also be enabled on a Hub Transport server if Edge Transport servers are not used. See How to Enable Anti-Spam Functionality on a Hub Transport Server.

Selecting the right SCL filter level is not an exact science. You're trying to filter obvious spam without accidentally filtering legitimate messages. You can use the following method to determine the starting point for your filter.

Using Perfmon to Select the SCL Filter Level
The best way to determine the appropriate SCL filter level is to use perfmon and examine the MSExchange Content Filter Agent object. Over time, the "Messages with SCL x" counters will increment and begin to show a trend.

In the example below, the Messages with SCL 0 through 7 counters are in the lower half of the scale. Messages with SCL 8 is off the charts at 270 -- more than all the lower SCL levels combined. From this data we can infer that it is safe to filter messages with an SCL higher than 7.


Note that these counters reset to zero upon restart of the server. It may take a little while before the trend appears.

Keep in mind that this is only the filter to begin with. You may have to adjust your filter up or down for your specific environment, but this will give you an excellent starting point.
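The inference above (SCL 8 outnumbers SCL 0 through 7 combined, so filter above 7) can be turned into a repeatable check. This added PowerShell example (not from the original post, PowerShell 3.0 or later) reads the "Messages with SCL n" counters from the MSExchange Content Filter Agent object and applies that rule of thumb: it looks for the lowest SCL whose count exceeds all lower levels combined, refuses to recommend anything while the sample is still small (the counters reset on restart), and proposes the threshold one below it. The sample counts at the end are constructed to approximate the chart described.

```powershell
# Added example (not from the original post): derive a starting SCL filter level
# from the "Messages with SCL n" perfmon counters using the post's rule of thumb.
function Get-SclCounts {
    # Reads the live MSExchange Content Filter Agent counters on this server.
    $counts  = @{}
    $samples = (Get-Counter -Counter '\MSExchange Content Filter Agent\Messages with SCL *').CounterSamples
    foreach ($s in $samples) {
        if ($s.Path -match 'Messages with SCL (\d)$') { $counts[[int]$Matches[1]] = [int]$s.CookedValue }
    }
    $counts
}

function Get-SclRecommendation {
    param([Parameter(Mandatory)][hashtable]$Counts, [int]$MinimumSamples = 100)
    $total = ($Counts.Values | Measure-Object -Sum).Sum
    if ($total -lt $MinimumSamples) {
        return [pscustomobject]@{ Threshold = $null; Reason = "Only $total messages scored; counters reset on restart, wait for a trend" }
    }
    $lowerSum = 0
    foreach ($scl in 0..9) {
        $n = if ($Counts.ContainsKey($scl)) { $Counts[$scl] } else { 0 }
        # First level that outweighs every lower level combined marks the spam cliff.
        if ($scl -gt 0 -and $n -gt $lowerSum) {
            return [pscustomobject]@{
                Threshold = $scl - 1
                Reason    = "SCL $scl has $n messages, more than SCL 0-$($scl - 1) combined ($lowerSum)"
            }
        }
        $lowerSum += $n
    }
    [pscustomobject]@{ Threshold = $null; Reason = 'No SCL level dominates the lower ones yet' }
}

# Constructed counts (not real data) approximating the chart described in the post.
$sample = @{ 0 = 40; 1 = 25; 2 = 20; 3 = 15; 4 = 18; 5 = 12; 6 = 10; 7 = 8; 8 = 270; 9 = 60 }
$rec = Get-SclRecommendation -Counts $sample
$rec   # Threshold 7: filter messages with an SCL higher than 7
if ($rec.Threshold -ne $null) {
    # Rejection applies to messages whose SCL meets or exceeds the threshold, so
    # "higher than 7" is a reject threshold of 8:
    # Set-ContentFilterConfig -SCLRejectEnabled $true -SCLRejectThreshold ($rec.Threshold + 1)
    "Reject messages with SCL $($rec.Threshold + 1) or above ($($rec.Reason))"
}
# On a live Hub/Edge server: Get-SclRecommendation -Counts (Get-SclCounts)
```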

SmartScreen filtering is just one of the anti-spam solutions available for Microsoft Exchange Server 2007. Other solutions include Sender ID Framework, Outlook Junk E-Mail Filter, and Microsoft Exchange Hosted Filtering. See the Microsoft AntiSpam Technologies website for more details.


Thursday, July 31, 2008

It's Not Exchange 2007 Enterprise Until You Enter the Product Key

According to the Microsoft article, "Exchange Server 2007: Platforms, Editions, and Versions":

"When you install Exchange 2007, it is unlicensed and referred to as a Trial Edition. Unlicensed (Trial Edition) servers appear as Standard Edition, and they are not eligible for support from Microsoft Product Support Services. The Trial Edition expires 120 days after the date of installation."

This means that you will be unable to add additional storage groups, managed folders, or use any of the Exchange Enterprise features until you enter the Enterprise product key.


Tuesday, July 29, 2008

Customizing Server Manager in Windows Server 2008


This article explains how to create a customized Server Manager console for Windows Server 2008 that displays more (or less) MMC snap-ins and extensions. The example above shows the default Server Manager console with the Microsoft Exchange 2007 and Queue Viewer snap-ins added to it. Note that you can't customize the default Server Manager console in Windows Server 2008, but you can create a new one that you can customize.

To begin, use Windows Explorer to navigate to the %WINDIR%\System32 folder, right-click ServerManager.msc, and select Author. This will open the MSC for editing.

Click File, Options and set the Console Mode to User mode - full access. This will cause the new console to automatically save and remember views and changes you make to the console in the future. Click OK.

To add new snap-ins to the console, click File, Add/Remove Snap-in. Now click the Advanced button and select the checkbox to Allow changing the parent snap-in and click OK. Select Server Manager from the Parent snap-in drop-down box. This is where the new snap-ins will be added.

Now select the additional snap-in(s) you want to add to the console. In my example, I double-clicked Exchange Server 2007 and Queue Viewer to add them below the Server Manager snap-in, as shown below.

If you want to remove extensions (or features) from a snap-in, select the snap-in under Selected snap-ins and click the File Extensions button. Click Enable only selected extensions and clear the check-box for the extensions you want to hide, such as Component Services and Disk Management Extension in the example below, and click OK.


Once you've added and configured the snap-ins you want to add to the console, you have to save it. Click File, Save as and give the new console a unique name, such as ServerManager1.msc. Windows will save the new console in the %WINDIR%\System32 folder by default.

Now modify the Server Manager icon in the Windows task bar to launch the new console. Right-click the Server Manager icon in the Quick Launch toolbar and select Properties. Change the Target path to read %SystemRoot%\system32\ServerManager1.msc and click OK, as shown below.

Now when you click the Server Manager icon in the task bar, your new Server Manager console will be displayed with the new snap-ins. Not only that, Server Manager will remember states of extensions (such as always displaying the Standard view of Windows Services, a pet peeve of mine) and will also open to the last extension you viewed. If you decide you want to add or remove snap-ins from this console in the future, simply right-click the console icon and select Author to make your changes.

Hope this helps you out!



Thursday, July 24, 2008

Free/Busy Information in Exchange 2000/2003/2007


What is Free/Busy?
Users' availability information is stored in Exchange in a hidden system public folder. This information is used by Outlook and OWA to tell other users if they are free or busy (hence, the term Free/Busy information). Normally this information is displayed as color-coded blocked out areas in a user's calendar, as shown above. If users have extended rights, they can right-click another user's blocked out time to view the subject of the busy time.

The Free/Busy information is posted as a single message that contains data for the entire Free/Busy duration. The default is to publish two months' worth of information, configurable in Outlook Options or via Group Policy. Every time the Free/Busy information is updated, the message is overwritten.

Publishing Free/Busy Information
The way Free/Busy information is published to Exchange depends on the method used to update the user's calendar. The Outlook client is usually responsible for generating Free/Busy information. Outlook will read the calendar and generate Free/Busy every 15 minutes by default if the information has been changed. This schedule can be changed in Outlook options or via Group Policy. Outlook also republishes the Free/Busy information whenever Outlook is shut down.

So what happens when the user updates their calendar using Outlook Web Access (OWA) or some other non-MAPI client? In this case, Free/Busy information is updated by a background process called MSExchangeFBPublish (MadFB). This process runs under the System Attendant mailbox and updates Free/Busy every 5 minutes for OWA, OMA, and Entourage clients. When a change is made to the calendar, a Free/Busy message is submitted to the System Attendant mailbox on the mailbox server for the user. The MadFB process polls this mailbox and picks up that there has been a change. MadFB then publishes the user's full Free/Busy message to the Free/Busy folder overwriting the existing message.

Replicating Free/Busy Information
The short answer is don't do it. The only reason to replicate Free/Busy information is when you frequently have users accessing Free Busy information of users in another site, and those sites are separated by a slow or lossy network link. Replicating Free/Busy information introduces inherent latency and causes inaccuracy in the Free/Busy information. Users in one site may see information from a site that has not replicated yet.

Where is Free/Busy Information Stored?
As mentioned earlier, Free/Busy information is stored in a system public folder. You can view all the Free/Busy information in the org by opening the following URL in a web browser: "http(s)://ServerName/Public/Non_IPM_Subtree/SCHEDULE%2B%20FREE%20BUSY/".

Here, you will see a folder under SCHEDULE+ FREE BUSY for each Administrative Group in the format, "EX:/o=/OU=". Each folder contains messages for each user. These messages are the Free Busy information for the user. The messages are formatted as, "USER-/CN=RECIPIENTS/CN=".

Free/Busy message placement is based on the user's legacyExchangeDN attribute in AD. For example, if my legacyExchangeDN is "/o=CompanyABC/ou=Paris/cn=Recipients/cn=jsguillet", my Free/Busy information will be stored in the "USER-/CN=RECIPIENTS/CN=jsguillet" message in the "/EX:/o=CompanyABC/ou=Paris" folder.

You are unable to view the contents of the message, but you can delete it. Doing so will remove all Free Busy information from Exchange until it is republished using one of the methods explained above. If Free/Busy information is not available to other users, they will see black and white hash marks across your calendar and Outlook will say that Free/Busy information is not available for this user.

How to Republish Free/Busy Information
On occasion Free/Busy information may not be published correctly in Exchange. There are many reasons that this can occur. Examples include errors in Public Folder replication (if Free Busy is being replicated, another reason to not do this), network errors, and incorrect shutdown of Outlook or Windows.

So how do you republish Free/Busy information? The easiest way to do this for individual users is to have them run Outlook with the /CleanFreeBusy switch:

  • Close Outlook

  • Click Start, Run, enter "start outlook /cleanfreebusy" and click OK

  • Outlook will start, generate the Free/Busy information from the Outlook calendar and republish it to Exchange within 5 minutes. It will overwrite any existing Free/Busy message or publish a new one if it doesn't exist.

While this is easy to do for one or two users, it isn't a good solution for all users in the enterprise since it requires user intervention.

Microsoft KB article 294282 details how to use Updatefb.exe to regenerate Free/Busy information from the calendar information contained in each user's mailbox. You run this utility under the context of a user or service account that has full mailbox access to the affected users. It reads a comma-delimited file containing the alias and home mailbox server of each user (i.e., alias, mailbox1) and logs in as that user using Collaboration Data Objects (CDO). It then creates a single appointment for the user for today at 11:00pm. This marks the Free/Busy information as "dirty". It then logs off the MAPI connection, causing the Free/Busy information to republish to Exchange. Note that Updatefb will be unable to open disabled users' or hidden mailboxes, so be sure to exclude them from the CSV input file.

Updatefb.exe is an unsupported utility written by Microsoft and is only available through Microsoft Product Support Services. There are two versions of the utility, Updatefb.exe is the GUI version and CPPCDO.exe is a command line version. I have used it in several environments with no issues.

What About Exchange 2007?
Exchange 2007 uses an entirely new and different way to manage Free/Busy information, so the above does not apply in a pure Exchange 2007/Outlook 2007 environment. When using Exchange 2007 with Outlook 2007 Free/Busy information will no longer come from a Public Folder, but will instead use the Microsoft Exchange 2007 Availability Service. This web service will provide a direct look at the user's Free/Busy information without the need of a client publishing any data. Outlook 2007 and Exchange 2007 can still use (and will still have) the Free/Busy public folder for backwards compatibility with older Outlook clients.


Wednesday, July 23, 2008

Your Troubleshooting PAL


How many times have you been faced with a performance issue with a computer and you don't really know where to start? Sure, you can fire up Performance Monitor (perfmon) and start collecting data for analysis, but which counters do you collect and how do you identify a bottleneck?

Perfmon can gather tons of information, and poring over all that data for analysis can be a daunting task. Enter Performance Analysis of Logs (PAL), a new and powerful tool that reads in a performance monitor counter log in any known format and analyzes it using complex, but known, thresholds. The tool produces an HTML report which reports important performance counters and displays alerts when thresholds are exceeded.

PAL is a free open source application developed by Microsoft and is hosted on CodePlex, Microsoft's open source project hosting web site. It requires two other free pieces of software on the computer where PAL will run:

Log Parser 2.2
Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. PAL uses the Log Parser tool to query perfmon logs and to create charts and graphs for the PAL report.

Microsoft Office Web Components 2003
Log Parser requires the Office Web Components 2003 in order to create charts.

Note: Because there is no 64-bit version of the Microsoft Office Web Components, PAL only runs on x86 platform computers.

To use PAL, you begin by collecting performance data from the target machine using perfmon. Typically, I collect the Memory, Network Interface, Physical Disk, Processor and System counters to begin with. Once you've collected some data run PAL and walk through the wizard. Be sure to answer the Question Variable Names at the bottom of the Threshold File page. The variables are Number of Processors, use of the /3GB switch, is the target a 64-bit computer, total RAM and whether it has a kernel dump configured. Step through the rest of the wizard and PAL will create a batch file, run it and display the output as a graphical report in your web browser. Very cool!!!

You can view a LiveMeeting streaming video training of PAL here.


Friday, June 20, 2008

Using Exchange 2007 Header Firewall

Each time an SMTP email is passed from one server to another, the receiving server records the hand-off in the SMTP headers of the email. This is usually recorded like this:
Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168) with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700
Customers often do not like their internal email infrastructure exposed in the SMTP headers for security reasons. It displays private information, such as internal IP addresses and SMTP versions that can be used by bad guys for targeted attacks. In the example above, SMTP Server id 8.1.278.0 tells me that edge.companyabc.com at public IP 12.5.1.168 is running Exchange Server 2007 SP1.

You can remove this information from the SMTP headers on Exchange 2007 using a concept called Header Firewall. This is done using the remove-adpermission cmdlet in the Exchange Management Shell. If you use Exchange 2007 Edge server(s), run the following one-liner:

Remove-ADPermission -id "EdgeSync - companyabc to Internet" -User "MS Exchange\Edge Transport Servers" -ExtendedRights Ms-Exch-Send-Headers-Routing

Note: Replace "EdgeSync - companyabc to Internet" with the name of the Internet bound send connector. You can run the Get-SendConnector cmdlet to display the names of all the Exchange send connectors.

For Exchange 2007 implementations that do not use Edge servers, use the following:

Remove-ADPermission -id "companyabc to Internet" -User "NT Authority\Anonymous Logon" -ExtendedRights Ms-Exch-Send-Headers-Routing
Again, replace "companyabc to Internet" with the name of the Internet bound send connector.

Essentially, you want to remove the rights of the last user account that will handle the outbound SMTP from reading the Ms-Exch-Send-Headers-Routing attribute in Active Directory. For Edge servers that will be the MS Exchange\Edge Transport Servers user account and for everything else it will be NT Authority\Anonymous Logon. Doing so will remove all the internal relay entries in the header before the last Exchange server, making the email appear like it originated from that last server.
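Two checks that go with the change above, as an added PowerShell example (not from the original post, PowerShell 3.0 or later): Test-HeaderFirewall confirms in the Exchange Management Shell that the Ms-Exch-Send-Headers-Routing right is no longer granted on the send connector, and Get-ExposedReceivedHops parses the Received headers of a message you sent to an outside mailbox and lists the hostnames, IP addresses and server versions it still reveals. The header sample at the end is constructed from the Received line quoted in the post.

```powershell
# Added example (not from the original post): verify the header firewall change
# in AD, and inspect a message's Received chain for what it still exposes.
function Test-HeaderFirewall {
    param(
        [Parameter(Mandatory)][string]$SendConnector,
        [string]$User = 'NT Authority\Anonymous Logon'   # or 'MS Exchange\Edge Transport Servers'
    )
    # Get-ADPermission is the Exchange cmdlet counterpart of Remove-ADPermission above.
    $aces = Get-ADPermission -Identity $SendConnector -User $User | Where-Object {
        -not $_.Deny -and ("$($_.ExtendedRights)" -like '*Ms-Exch-Send-Headers-Routing*')
    }
    [pscustomobject]@{
        Connector              = $SendConnector
        User                   = $User
        RoutingHeadersStripped = (@($aces).Count -eq 0)   # true once the right is gone
    }
}

function Get-ExposedReceivedHops {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold RFC 2822 continuation lines, then examine every Received: header.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -notmatch '^Received:\s*(.+)$') { continue }
        $hop  = $Matches[1]
        $from = if ($hop -match 'from (\S+) \(([\d.]+)\)') { "$($Matches[1]) [$($Matches[2])]" } else { '' }
        $by   = if ($hop -match 'by (\S+) \(([\d.]+)\)')   { "$($Matches[1]) [$($Matches[2])]" } else { '' }
        $ver  = if ($hop -match 'Microsoft SMTP Server id ([\d.]+)') { $Matches[1] } else { '' }
        [pscustomobject]@{ From = $from; By = $by; ServerVersion = $ver }
    }
}

# Constructed sample built from the Received line quoted in the post.
$headers = @"
Received: from ex01.companyabc.com (10.12.1.81) by edge.companyabc.com (12.5.1.168)
 with Microsoft SMTP Server id 8.1.278.0; Fri, 20 Jun 2008 15:17:46 -0700
Subject: test
"@
Get-ExposedReceivedHops -RawHeaders $headers | Format-Table -AutoSize

# In the Exchange Management Shell, after running Remove-ADPermission:
# Test-HeaderFirewall -SendConnector 'companyabc to Internet'
```

Any hop whose From column shows an internal name or RFC 1918 address in mail received outside the organization means the right is still present on the connector that handles that hop.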


Friday, June 6, 2008

New PowerShell Scriptomatic


For those of you who are familiar with the WMI Scriptomatic tool (and those of you who aren't), check out this awesome new version for Windows PowerShell -- The PowerShell Scriptomatic!

This tool will have you writing PowerShell scripts like a pro with absolutely NO experience. Imagine the fun you'll have deleting all the user accounts in the domain without having to write a single line of code yourself! Well, errr, maybe that was a bad example.

Actually, this really is a great tool to use to create PowerShell scripts without having to know the classes and objects necessary to access. Just select the WMI namespace and WMI class to access, and the PowerShell Scriptomatic will generate the correct PowerShell code. Then use this code to experiment with or add to other snippets. Brilliant!
It's great for those new to PowerShell and seasoned veterans who are just plain lazy.


TechEd Newbie Resource Posts


As TechEd 2008 ITPro week approaches, I thought I'd provide links to the posts I've made that will help first time TechEd attendees. A sort of one stop shopping blog entry, if you will.

If you have a suggestion for future articles, let me know by posting a comment.


Thursday, June 5, 2008

New TechEd Airline Check-in Service

Open Thursday, June 12 and Friday, June 13
7:00am–6:00pm

South Hall A1 next to Registration

New this year for TechEd attendees!

Airline Check-in is a full-service, multi-airline remote skycap operation that offers issuance of boarding pass and luggage receipts. The next time you’ll have to think about your luggage will be at your final destination!

Airline Check-in service is available to all attendees departing on domestic flights from Orlando International Airport on American, Alaska, Air Tran, Continental, Delta, JetBlue, Northwest and United Airlines. You must have your luggage checked in a minimum of three hours before your flight departure time.

Remember, this service is only valid for flights departing on June 12-13.

Check Your Bags
Enter Event ID: 15019 and Passcode: microsoft to check your baggage and receive your boarding pass. Online check-in service fee is US$5 per person.

Walk-up airline check-in at the OCCC is US$10 per person.

Airline Check-in is also available at the Rosen Centre and Rosen Plaza hotels.

Check your bags here!

Thursday, May 29, 2008

Outlook Calendar Synchronization Cookbook

I carry an AT&T 8525 Windows Mobile device as my phone and PDA. It’s connected to my company’s Exchange 2007 server back in the office, but as a consultant I’m nearly always at a client site.

When I’m onsite for any length of time the client usually provides me with an email account on their network so that I can more easily communicate with teams and accept meeting invitations. The trouble for me has always been how to synchronize calendar data between the two calendars. There are lots of hard and messy ways to do this – I can forward the appointments to my WM device or type them in manually, or I can use Google calendar to do a “middle man” synchronization.

What I’ve discovered does a really good job is a combination of software and a hosted service called Funambol. The free offering is made up of three components:

  • The Funambol client for Windows Mobile
  • The Funambol client for Windows Outlook
  • The myFunambol Portal, the hosted server that holds the synchronized data

Funambol can synchronize email, contacts, calendar items, tasks, notes and briefcases. Synchronization can be one-way (from the Funambol server to the phone only, or from the phone to the server only) or two-way. Since I only perform calendar synchronization this article only covers that, but the other types of synchronization can be set up the same way.

To begin, sign up for a free myFunambol account at http://my.funambol.com. This creates a personal database account for you that will hold the synchronized data. The myFunambol portal also offers a web interface where you can view and manage your synchronized data stored on the server.

Next, download the Funambol Outlook Plugin from https://www.forge.funambol.org/download and install it on the computer with Outlook that you want to sync with your mobile device. Follow the wizard to install the plugin. I won’t list the wizard steps here because Funambol updates its software regularly and they may change, but here are the settings I use in my current version:

  • Account and password are the same as the myFunambol account
  • Sync Calendar; One-way: Outlook -> Server; Synchronize every 2 hours

Test the synchronization from Outlook. The plugin may warn you that it needs to perform a full sync the first time. Once the sync completes, log into the myFunambol portal to ensure that your data is there.

Now download and install the correct Funambol client for your mobile device from https://www.forge.funambol.org/download. Funambol makes one for Windows Mobile PocketPC, Windows Mobile Smartphone, Blackberry, Java based phones and even the Apple iPod.

Install the client on your device and configure it as follows:

  • Account and password are the same as the myFunambol account
  • Synchronize all items in: Calendar
  • PIM options – Sync Direction: Server to Phone only
  • Sync Method: Scheduled Sync, Sync every 2 hours

Now sync your mobile device. The device will tell you that it needs to perform a full sync the first time and begin syncing the data from the myFunambol portal.

Voilà! Calendar synchronization made easy!

For this solution to work, your Outlook client must be running and have Internet access. Keep in mind that the client’s calendar entries are being stored on the hosted myFunambol server, so check that this is acceptable to the client before turning it on.

Teched 2008 Extracurricular Activities Map

At the request of geniph on the Extracurricular Activities group on the Microsoft TechEd Connect site, I created the Teched 2008 Extracurricular Activities Map.

This map is based on the events in the TechEd 2008 Extracurricular Activities Calendar to help show the distances between each event.

If you know of an event, party or activity not listed on the calendar, please leave a comment and I'll add it.


View Larger Map

Since everything's pretty close to each other, click View Larger Map to open it in a new window. Then you can use your mousewheel to zoom in and out, and to drag the map around.

Wednesday, May 28, 2008

TechEd Attendee Party - What to Expect


Here's a little write up of what to expect for the TechEd Attendee Party at Universal Studios Orlando.

Around 6:00 at the convention center there will be more buses in one place than you've probably ever seen before. In the past, buses leave from the conference center to Universal Studios theme park, but last year they picked us up at the same bus stops in front of the hotel that we use to go to the convention center. Buses will run every 10 minutes or so. There will be many more people in line waiting for a bus than the buses can hold. Just be patient and meet some new friends while you wait. Hopefully it won’t rain while we’re waiting, like it did last year. :)

Remember to wear comfortable shoes and clothes. You’ll be doing a lot of walking and standing (after a full day of walking the TechEd floor).

When you arrive at Universal, there will be lots of staff on hand to usher you into the park or answer questions. All the rides, food and drink that are open are free. There will be soda and beer stands setup along the walkways. It’s a very festive, fun and family friendly atmosphere.

The big rides, like The Simpsons Ride, Shrek 4-D, and Revenge of the Mummy, are very popular, but the lines move pretty quick. The park is open to us from 6:30-11:00pm, so be sure to scope out the rides and restaurants you want to visit before getting to the park. Not all rides may be open, however, due to maintenance or weather.

The park will close sharply at 11:00pm, which leads us to the most thrilling ride of them all… Getting back to the hotel! This is probably my least favorite part of TechEd. Thousands of people, all as tired as you, descending on an extremely crowded area filled with buses. You have to find the one that’s going back to your hotel region and fight to get on board. Keep your kids close (if they were lucky enough to come with you).

Some people choose to skip the throngs of people by hanging out along Universal CityWalk. Here, you can browse shops and maybe get a drink of something stronger at one of the bars, like Jimmy Buffett’s Margaritaville. Just be sure not to miss the last bus or you'll be calling a cab! Which, come to think of it, isn't such a bad idea...

Update: Microsoft just changed the hours for the Attendee Party to run from 8:00pm-12:00am this year. :(

Tuesday, May 20, 2008

Quickly installing MOSS 2007 with SP1 on Windows Server 2008

If you try to install MOSS 2007 on Windows Server 2008, Setup stops with an incompatibility error. To install, you need MOSS 2007 with SP1 included.

You can slipstream SP1 yourself, but it turns out there's an easier way. First, install the trial version of MOSS 2007 with SP1 (32-bit or 64-bit). Then convert the trial to a licensed installation by entering your product key:
  1. In Central Administration, on the top link bar, click Operations.
  2. On the Operations page, in the Upgrade and Migration section, click Convert license type.
  3. On the Convert License Type page, in the Enter the Product Key box, type the new product key.

Thanks to Kirk Allen for the tip!

PowerShell on Windows Server 2008 Server Core!

Yes, it is possible.

No, it is not supported. Don't even ask...

Unable to Successfully Promote SCOM RMS Server

If the root management server (RMS) in a System Center Operations Manager 2007 (SCOM 2007) implementation fails or becomes unavailable for some reason, the entire SCOM system will fail. Well, not exactly. The managed agents will still collect performance and alert data and will either queue this data or forward it to their management server. The management servers will be unable to forward this information to the SQL database, however, and administrators will be unable to launch either the Operations or web consoles, so it's as good as dead.

There are two ways to rectify this -- bring the RMS server back online or promote an existing SCOM management server to an RMS. Microsoft article, "How to Promote a Management Server to a Root Management Server Role in Operations Manager 2007" does a good job of explaining the steps required, so I won't go through them here. But what happens if you get the following error when promoting the new RMS?

The machine managementserver is a server for multiple management groups (not supported)!

This occurs when the registry contains extra "Parent Health Service" or "Send Priority" keys under the Server Management Groups key. Navigate to:

HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups

Under this key you should see a key that matches the name of your SCOM management group. There should not be any other keys at the same level as the management group name. Back up any extra keys and then delete them. In the example below, back up and delete the "Send Priority" key and its subkeys.

Run the same ManagementServerConfigTool.exe PromoteRMS command and it should work now.
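As an added example (mine, not from the post), the same backup-then-delete step scripted so it only ever touches keys that sit beside your management group key, and refuses to delete anything it could not export first. The management group name and the backup folder are assumptions you supply.

```powershell
# Added example, not from the post: back up and remove stray keys that sit at
# the same level as the management group under "Server Management Groups",
# then tell you to re-run PromoteRMS. $ManagementGroup must be the exact name
# shown in the Operations console; $BackupDir is an assumption, change it.
param(
    [Parameter(Mandatory=$true)][string]$ManagementGroup,
    [string]$BackupDir = "$env:SystemDrive\SCOMRegBackup"
)

$base   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups'
$native = 'HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups'  # reg.exe syntax

if (-not (Test-Path $base)) { throw "Key not found: $base" }
if (-not (Test-Path "$base\$ManagementGroup")) {
    throw "No subkey named '$ManagementGroup' under $base; check the management group name before deleting anything."
}

# Anything at this level that is not the management group key is what the
# PromoteRMS error is complaining about.
$stray = @(Get-ChildItem $base | Where-Object { $_.PSChildName -ne $ManagementGroup })
if ($stray.Count -eq 0) {
    'No extra keys found beside the management group; the error has another cause.'
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($key in $stray) {
    $name = $key.PSChildName
    $file = Join-Path $BackupDir ("{0}.reg" -f ($name -replace '[\\/:*?"<>| ]', '_'))

    # reg.exe export writes the whole subtree, so the key can be re-imported
    # with "reg import" if the promotion turns out to need it after all.
    & reg.exe export "$native\$name" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of '$name' failed; not deleting it." }
    "Backed up '$name' to $file"

    Remove-Item -Path $key.PSPath -Recurse
    "Deleted stray key '$name'"
}

'Now re-run: ManagementServerConfigTool.exe PromoteRMS'
```

Run it in an elevated PowerShell on the management server you are promoting, e.g. `.\Clean-StrayMgmtGroupKeys.ps1 -ManagementGroup 'MyMG'` (the file name is yours to pick).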

Thursday, May 15, 2008

TechEd Tips for Families

Today we have a special guest article from my wife, Amy!

She wrote the following helpful tips for families who will be accompanying their significant other to TechEd in Orlando:

Kids and Tech Ed Tips and Tricks

You’ll most likely be in a hotel on or near International Drive. There is a trolley that runs up and down the street. Buy the 7 day ticket pass at your hotel's concierge. The trolleys run about every 15 to 20 minutes at stops all along the drive. There are well marked signs for the trolleys and they are so much more comfortable than walking in the heat with kids.

There's tons to do on International Drive. Lots of different themed mini golf places, a water slide park, an upside down museum (Wonderworks), and a go-kart park.

There are not a lot of “kid” places to eat, just a Denny’s, Chuck E. Cheese's, and a *big* McDonald's. If you order in like pizza or something, remember that there are thousands of guests in town for the conference and it could, and probably will, take well over an hour to get the food delivered. The other restaurants get very busy in the evening so call ahead for reservations. No grocery stores are nearby.

Take advantage of the breakfasts at your hotel and grab a few extra pieces of fruit for the room and hungry kids for later. Have your husband bring back extras of all the snack handouts from the conference. You could practically feed off of these alone for the week. It’s all grab and go, prepackaged stuff from granola bars, to cookies, to Power Bars.

Remember it’s hot, so be realistic about how much you and your children can do. I find that mine are very happy to get the afternoon off to just play in the pool at the hotel. It also helps if your hotel offers an adult “happy hour.” :)

Most hotels offer shuttle service to Disney World and other parks (Universal Studios, Islands of Adventure, Epcot, Sea World, etc). Check at the front desk the day before as you might need to reserve a seat.

Theme parks are all fun but choose wisely based on your children’s ages. If they are over 10 then Animal Kingdom in Disney World would be OK, but they might be bored with the rest of the “princess” thing. Universal is fun for older kids, but not for younger ones due to height requirements on most rides. Islands of Adventure is a good dual choice with things for older and younger kids and a nice “downtown” area with restaurants and shops just outside the park.

If you have a car, Kennedy Space Center at Cape Canaveral is not that far away. It’s only about 40 minutes, but remember that there are toll roads all over the state so have lots of change handy. The Kennedy Center is amazing and worth going to if you can make it. You can spend the whole day there. If no car, check with the concierge for a tour group. Allow a full day to enjoy it all. It will be in the mid 90’s and humid so hats, sun block and lots of water are a necessity.

Amy
TechEd veteran and mother of an 8 and 12 year old

SQL Exceptions during SCOM 2007 RMS Promotion

The Microsoft article, "How to Promote a Management Server to a Root Management Server Role in Operations Manager 2007" does a pretty good job of explaining how to promote a SCOM 2007 management server to a root management server.

While performing a disaster recovery test today, I found that I was getting the following SQL exceptions when I ran the ManagementServerConfigTool.exe PromoteRMS command:

The type initializer for 'Microsoft.MOMv3.Setup.MOMv3ManagedCAs' threw an exception.

Turns out this is because I ran the ManagementServerConfigTool.exe PromoteRMS command directly from the SCOM SP1 Support Tools folder, which is missing some of the DLLs required to run the command.

Simply copy the files from the Support Tools folder on the SP1 CD to the local \Program Files\System Center Operations Manager 2007 folder and re-run the command.

Microsoft Exchange Server 2007 Management Tools (32-Bit) Released

Microsoft has released a 32-bit version of the Microsoft Exchange Server 2007 Management Tools.

Exchange Server 2007 is a native 64-bit application that includes 64-bit management tools. You can use the management tools to administer your Exchange Server environment remotely. If your remote computer is running a 32-bit operating system, you will need to download the 32-bit management tools.

The Exchange management tools include the Exchange Management Console (EMC), the Exchange Management Shell (EMS), the Exchange Help file, the Microsoft Exchange Best Practices Analyzer Tool, and the Exchange Troubleshooting Assistant Tool.

Get the 32-bit Exchange management tools here.

Wednesday, May 14, 2008

Error Running SecureStorageBackup

When backing up or restoring the RMS keys using the SecureStorageBackup utility in SCOM SP1, you may come across the following error:

Could not load file or assembly 'Microsoft.Mom.Common, Version=6.0.4900.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

To fix this, copy Microsoft.Mom.Common.dll from C:\Program Files\System Center Operations Manager 2007 to the same folder where SecureStorageBackup.exe is run. Then run SecureStorageBackup again.
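Both this error and the PromoteRMS exception above come from running a SCOM support tool from a folder that lacks the assemblies it binds to. As an added example (mine, not from either post), here is a pre-flight check that confirms the required DLLs are beside the tool, copies them from the product folder when they are not, and prints each one's strong name so you can compare it against the Version and PublicKeyToken quoted in the error. The list of required assemblies is an assumption drawn from the error text; extend it if a tool names another.

```powershell
# Added example, not from the posts: make sure the assemblies a SCOM 2007
# support tool (ManagementServerConfigTool.exe, SecureStorageBackup.exe) binds
# to are in the folder it runs from, copying them from the product folder if
# needed. $Required is an assumption taken from the error text above.
param(
    [string]$ToolDir    = (Get-Location).Path,
    [string]$ProductDir = "${env:ProgramFiles}\System Center Operations Manager 2007",
    [string[]]$Required = @('Microsoft.Mom.Common.dll')
)

function Get-AssemblyIdentity([string]$Path) {
    # Reads the strong name from the file without loading it into this process,
    # in the same "Name, Version=..., PublicKeyToken=..." form the error message uses.
    $an    = [System.Reflection.AssemblyName]::GetAssemblyName($Path)
    $token = [BitConverter]::ToString($an.GetPublicKeyToken()).Replace('-', '').ToLower()
    '{0}, Version={1}, PublicKeyToken={2}' -f $an.Name, $an.Version, $token
}

foreach ($dll in $Required) {
    $dest = Join-Path $ToolDir $dll
    $src  = Join-Path $ProductDir $dll

    if (Test-Path $dest) {
        "present: $dest  [$(Get-AssemblyIdentity $dest)]"
        continue
    }
    if (-not (Test-Path $src)) {
        Write-Warning "$dll is missing from both $ToolDir and $ProductDir; install SCOM 2007 SP1 before running the tool."
        continue
    }
    Copy-Item -Path $src -Destination $dest
    "copied:  $src -> $dest  [$(Get-AssemblyIdentity $dest)]"
}
```

The reverse approach from the PromoteRMS post, copying the Support Tools into the product folder and running them there, works just as well; this script simply lets you run the tool from wherever you unpacked it while checking that the version you are giving it matches the one it asks for.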

Tuesday, May 13, 2008

TechEd 2008 Group, Calendar and more

Just a reminder to all TechEd 2008 attendees to visit my Extracurricular Activities group on TechEd Connect. Here, you'll read about any parties, get-togethers and activities outside the event itself. Recent discussions have been around golf and poker.

You can also view the Extracurricular Activities Calendar to see which activities to join. If you have an event, no matter how small, you'd like to add to the calendar please let me know.

And be sure to check out Microsoft TechEd Online, a site devoted to TechEd 2008 Developers and IT Pros. Here, you can read about the event itself as well as what other TechEd bloggers are blogging about.

Sunday, May 11, 2008

Failure installing VMM2008

When installing the server component of Microsoft System Center Virtual Machine Manager 2008, you may come across the following error:

Microsoft System Center Virtual Machine Manager 2008 installation did not complete successfully. Review the error log for information, and then try Setup again.
ID: 205. Details: Fatal error during installation

Virtual Machine Manager Server installation did not successfully install. All items that were copied during the installation process have been removed, however some required prerequisite software is still present on the machine. It is not necessary to remove the remaining software before you run Setup again. But you can uninstall the prerequisite software by going to Add or Remove Programs.
For error details, click the Error tab.

The ServerSetup.log file also references error 1603 in various places. This is caused by name resolution (DNS lookup) failures. Examine your DNS configuration for one or more of the following problems:
  • Misconfigured TCP/IP settings
  • Primary DNS is misconfigured on the VMM server
  • The VMM server is unable to resolve the DC by name
  • The VMM server does not have a record in DNS
  • The DC is unable to get proper name resolution of the VMM server
  • Incorrect DNS forwarding
  • DNS is not functioning correctly on the DNS server

Once the errors have been corrected, reinstall the VMM server component.
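As an added example (mine, not from the post), a pre-flight script that works through the checklist above from the VMM server itself. It uses only WMI and .NET calls available on Windows Server 2008 and assumes PowerShell 2.0 for try/catch. The last item in the list, whether the DC can resolve the VMM server, has to be checked from the DC; here it is only approximated by checking this server's own forward and reverse records.

```powershell
# Added example, not from the post: run on the VMM server before re-running
# Setup. Checks the DNS client configuration, this server's own record, DC
# discovery and the DC locator SRV record, then lists everything it found.
$problems = @()

function Resolve-Name([string]$Name) {
    # Forward lookup through the OS resolver; $null on NXDOMAIN or timeout
    try { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { $null }
}

# 1. TCP/IP and DNS client settings on each IP-enabled adapter
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
if ($nics.Count -eq 0) { $problems += 'No IP-enabled network adapter found' }
foreach ($nic in $nics) {
    "Adapter: $($nic.Description)"
    "  IP: $($nic.IPAddress -join ', ')   DNS servers: $($nic.DNSServerSearchOrder -join ', ')"
    if (-not $nic.DNSServerSearchOrder) { $problems += "No DNS server configured on '$($nic.Description)'" }
}
$localIPs = @($nics | ForEach-Object { $_.IPAddress })

# 2. This server's own record: does its FQDN resolve, and to one of its own addresses?
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$fqdn   = "$([System.Net.Dns]::GetHostName()).$domain"
$self   = @(Resolve-Name $fqdn)
if ($self.Count -eq 0) {
    $problems += "No DNS record for $fqdn (the VMM server has no record in DNS); try 'ipconfig /registerdns'"
} else {
    $stale = @($self | Where-Object { $localIPs -notcontains $_ })
    if ($stale.Count -gt 0) { $problems += "DNS returns $($stale -join ', ') for $fqdn but no local adapter has that address (stale record?)" }
}

# 3. Domain controller: locate one through the domain, then resolve it by name
$dc = $null
try {
    $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    "Domain controller located: $dc"
    if (-not (Resolve-Name $dc)) { $problems += "Cannot resolve the DC '$dc' by name" }
} catch {
    $problems += "Cannot locate a domain controller for '$domain': $($_.Exception.Message)"
}

# 4. DC locator SRV record, which step 3 depends on. No answer here points at
#    the primary DNS server this box uses, its forwarders, or the DNS service itself.
$srv = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1 | Out-String
if ($srv -notmatch 'svr hostname') {
    $problems += "No SRV record found for _ldap._tcp.dc._msdcs.$domain; check the DNS server this machine points at and its forwarding"
}

# 5. Reverse lookup of the first local address (a quick sanity check; the DC-side
#    test in the list above still has to be run on the DC)
$first = $localIPs | Select-Object -First 1
if ($first) {
    try { "Reverse lookup of ${first}: $([System.Net.Dns]::GetHostEntry($first).HostName)" }
    catch { $problems += "No PTR record for $first (not fatal on its own, but worth fixing)" }
}

''
if ($problems.Count -gt 0) { 'Problems found:'; $problems | ForEach-Object { " - $_" } }
else { 'No name-resolution problems detected from this server; re-run VMM Setup.' }
```

Fix whatever it reports, then run `nslookup <vmmserver>` from the DC as well before starting Setup again.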

Wednesday, May 7, 2008

Can my system support Hyper-V?

This is a common question. Hyper-V requires three things: processor virtualization support (on a 64-bit processor), BIOS virtualization support and Windows Server 2008 with Hyper-V.

Processor virtualization is provided by Intel (Intel VT) and AMD (AMD-V) processors. You can check each vendor's website to see if a given processor supports virtualization. AMD offers an AMD Virtualization™ Technology and Microsoft® Hyper-V™ System Compatibility Check Utility that will tell you if the installed AMD CPU supports it.

BIOS virtualization support, however, can be dicey. Normally, a BIOS manufacturer will offer the ability to turn virtualization on or off -- but not always. I have a Dell Dimension E521, for example, that doesn't offer virtualization configuration. Thankfully, it's enabled by default in this BIOS.

So how do you tell if your machine will support Hyper-V? Well, the easiest way by far is to use a utility by Gibson Research called SecurAble. This handy little program will quickly tell you if your computer is 64-bit, is running hardware DEP and is virtualization capable.

Note that SecurAble will report that Hardware Virtualization is "No" if you run it on a Windows Server 2008 computer that has the Hyper-V role installed. This is because Hyper-V capability is "hidden" once it's installed. See the Virtual PC Guy's WebLog for more details about this.
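If you would rather read the same three facts from WMI than run a third-party tool, here is an added example (mine, not from the post). AddressWidth on Win32_Processor and DataExecutionPrevention_Available on Win32_OperatingSystem exist on the Windows Server 2008-era classes; VMMonitorModeExtensions, VirtualizationFirmwareEnabled and SecondLevelAddressTranslationExtensions on Win32_Processor, and HypervisorPresent on Win32_ComputerSystem, were added in Windows 8 / Server 2012, so on older builds the script reports them as unknown and SecurAble or the BIOS screen remains the authority. It also handles the "hidden once Hyper-V is installed" case described above.

```powershell
# Added example, not from the post: read the Hyper-V prerequisites from WMI.
# Properties that exist only on Windows 8 / Server 2012 and later are reported
# as 'unknown' on older builds rather than treated as false.
$cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
$os  = Get-WmiObject Win32_OperatingSystem
$cs  = Get-WmiObject Win32_ComputerSystem

function Get-WmiFlag($Object, [string]$Name) {
    # $true/$false when the class exposes the property on this OS, 'unknown' when it does not
    $p = $Object.PSObject.Properties[$Name]
    if ($p -eq $null) { return 'unknown' }
    return [bool]$p.Value
}

$is64  = ($cpu.AddressWidth -eq 64)
$dep   = [bool]$os.DataExecutionPrevention_Available
$vmx   = Get-WmiFlag $cpu 'VMMonitorModeExtensions'             # CPU has Intel VT / AMD-V
$fw    = Get-WmiFlag $cpu 'VirtualizationFirmwareEnabled'       # and it is switched on in the BIOS
$slat  = Get-WmiFlag $cpu 'SecondLevelAddressTranslationExtensions'
$hvRun = Get-WmiFlag $cs  'HypervisorPresent'

"Processor:                  $($cpu.Name)"
"64-bit:                     $is64"
"Hardware DEP available:     $dep"
"VT/AMD-V in CPU:            $vmx"
"Enabled in firmware:        $fw"
"SLAT:                       $slat"
"Hypervisor already running: $hvRun"
''

# Verdict. Once a hypervisor is running (the Hyper-V role is installed) the
# firmware flags read false even on capable hardware, the same hiding that
# makes SecurAble say "No"; that case is decided first so it is not misread.
if ($hvRun -eq $true)      { 'A hypervisor is already running; the hardware is evidently capable, ignore the firmware flags.' }
elseif (-not $is64)        { 'Not capable: Hyper-V needs a 64-bit processor.' }
elseif ($vmx -eq $false)   { 'Not capable: the processor has no Intel VT / AMD-V support.' }
elseif ($fw -eq $false)    { 'Capable CPU, but virtualization is disabled in the BIOS; enable it there.' }
elseif ($vmx -eq $true -and $fw -eq $true) { 'Capable: 64-bit, VT/AMD-V present and enabled in firmware.' }
else                       { 'This OS does not expose the firmware state; confirm with SecurAble or in the BIOS.' }
```

On a Windows Server 2008 box the last branch is what you will usually see, which is exactly the gap SecurAble fills.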
