Friday, October 31, 2008

Chrome Privacy Guard

"Google's new browser "Chrome" has raised a big wave of people that mistrust the new browser. A big point for this is the unique ID that will be assigned to the user's installation of Chrome. Because of that I wrote a small tool that automatically deletes the unique Client ID before each run of Google Chrome."


You can check it out here.

Tuesday, October 28, 2008

OWA Loop Back to Login Page Issue

After the installation of Rollup 4 there were issues getting to OWA on one of the CAS servers.  404 errors were received.  After reregistering ASP.NET with IIS via:

%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i

We received an error to check the ASP.NET log.  In the log, it was trying to create aspnet_client.  This folder did not exist on the CAS server that was not functioning.  We changed the home directory to c:\inetpub\wwwroot, reregistered, and ran iisreset.  The folder was created successfully.  After changing the redirect back to owa as per their configuration, the login form came up again.

Upon trying to log in to OWA, however, we were presented with a new problem.  OWA would log in, but then boot the user right back to the FBA login page.  To solve this issue, all it took was recreating the OWA virtual directory with the following commands:

Remove-OwaVirtualDirectory -Identity "CASSERVER\owa (Default Web Site)"

New-OwaVirtualDirectory -OwaVersion "Exchange2007" -Name "CASSERVER\owa (Default Web Site)"

Reset IIS again (iisreset).

Users are now able to log in to OWA on this CAS server.  Now all that was left to do was re-enable NLB for the front-end cluster, change the authentication settings back, change back the default domain, and reset the internal/external OWA addresses.

Sunday, October 26, 2008

Microsoft Critical Security Release - MS08-067

http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

New Security Bulletin Technical Details

Identifier: MS08-067

Severity Rating: This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008.

Impact of Vulnerability: Remote Code Execution

Detection: Microsoft Baseline Security Analyzer can detect whether your computer system requires this update.

Affected Software: All currently supported versions of Windows

Restart Requirement: The update requires a restart.

Removal Information:

- For Windows 2000, Windows XP, Windows Server 2003: Use the Add or Remove Programs tool in Control Panel or the Spuninst.exe utility
- For Windows Vista and Windows Server 2008: WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.

Bulletins Replaced by This Update: MS06-040 is superseded on these operating systems: Windows 2000 SP4, Windows XP SP2, Windows XP x64, Windows Server 2003 SP1, Windows Server 2003 x64, Windows Server 2003 SP1 for Itanium-based Systems.

Full Details: http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx


To summarize.. Go update if you haven't already.
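MBSA is the detection method the bulletin names, but when you just need a quick yes/no across a handful of servers the installed-hotfix list is enough. The script below is an added example, not part of the bulletin or of this post: it queries each server's Win32_QuickFixEngineering class (available on Windows 2000/XP/2003 as well as Vista/2008) for the MS08-067 update, KB958644 being the KB number the bulletin carries. The server names are placeholders, and it assumes you have WMI (DCOM) access to each host.

```powershell
# Added example: report whether the MS08-067 update (KB958644) is installed on each host.
# Assumptions: WMI/DCOM access to every host; $servers contains placeholder names.
$servers = 'CASSERVER', 'HUBSERVER'   # placeholder host names; replace with your own

function Test-MS08067 {
    # Returns 'patched', 'MISSING', or 'unreachable' for one host.
    param([string]$Computer)
    $fixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $Computer -ErrorAction SilentlyContinue
    if (-not $?) { return 'unreachable' }          # WMI call failed (DCOM blocked, host down, no rights)
    $hits = @($fixes | Where-Object { $_.HotFixID -match '958644' })
    if ($hits.Count -gt 0) { return 'patched' }
    return 'MISSING'
}

foreach ($s in $servers) {
    '{0,-20} {1}' -f $s, (Test-MS08067 -Computer $s)
}
```

Treat MISSING as "go and verify", not as proof: a later service pack that rolls the fix in will not list the KB on its own, and a server that reports unreachable has told you nothing about its patch state. MBSA or the file version of netapi32.dll remains the authoritative check.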

Thursday, October 23, 2008

Journaling + Archive = Ideal Litigation Searches -- Part 3 ?

Some notes on installing journaling with archiving; this is sort of a part 3 to my previous two posts.

The more journaling mailboxes you utilize, the more you can take advantage of Archive Attender multithreading, since it is hard capped at one thread per mailbox.  To ensure archiving keeps up in the event of a failure (especially if you are using a single journal mailbox), a good idea is to have tiered archiving policies that act as layered message traps by date:

(Screenshot of the tiered policy list not included.)

An example of the policy to be on the front line would be:

(Screenshot of the front-line policy not included.)
Other policies would cover the date ranges between, with the final policy applying to anything older than the second-to-last policy's criteria.

I've noticed significant improvement once policies were added.  This method also safeguards you against backlogs by already having a system in place to deal with them.

If you are bent on journaling at the Hub Transport level, you may want to at least split internal and external mail into two different mailboxes.  If you are journaling at the database level, then you could go as far as to have a separate journal mailbox for each database.

Tuesday, October 21, 2008

Not enough storage is available to complete this operation

I realize this is a rudimentary issue, but I saw it in my notes and remembered how annoying it was.

"Not enough storage is available to complete this operation"

This error usually means the user's Kerberos token, which grows with every group membership, no longer fits within the default MaxTokenSize.  Here is the registry key to quickly eliminate this annoying bugger (MaxTokenSize raises the limit; MaxPacketSize=1 additionally forces Kerberos to use TCP instead of UDP):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
"MaxTokenSize"=dword:0000ffff
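Raising MaxTokenSize treats the symptom; the cause is group bloat on the account that gets the error. The script below is an added example, not from the original post: it estimates the logged-on user's token with the formula Microsoft publishes in KB 327825 (TokenSize = 1200 + 40d + 8s, where d is the number of domain local groups and s the number of global and universal groups) and compares it with the MaxTokenSize configured on the machine. It assumes whoami.exe is present (Windows Server 2003, Vista or later) and PowerShell 2.0 or later for ConvertFrom-Csv; the 12000-byte default it falls back to is the one that applies when the registry value is absent on these Windows versions.

```powershell
# Added example: estimate the current user's Kerberos token size (KB 327825 formula)
# and compare it with the configured MaxTokenSize. Assumes whoami.exe and PowerShell 2.0+.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$configured = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $configured) { $configured = 12000 }   # default when the value is absent (Windows 2000 SP2 through Server 2008)

function Get-TokenSizeEstimate {
    # whoami reports each group with a Type column: 'Alias' = domain local/builtin, 'Group' = global/universal.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $domainLocal       = @($groups | Where-Object { $_.Type -eq 'Alias' }).Count
    $globalOrUniversal = @($groups | Where-Object { $_.Type -eq 'Group' }).Count
    New-Object PSObject -Property @{
        DomainLocal = $domainLocal
        Global      = $globalOrUniversal
        Estimate    = 1200 + (40 * $domainLocal) + (8 * $globalOrUniversal)   # bytes
    }
}

$t = Get-TokenSizeEstimate
'Groups: {0} domain local, {1} global/universal; estimated token {2} bytes; MaxTokenSize {3} bytes' -f `
    $t.DomainLocal, $t.Global, $t.Estimate, $configured
if ($t.Estimate -gt $configured) {
    Write-Warning "Estimated token exceeds MaxTokenSize; expect 'Not enough storage' errors until groups are trimmed or the limit is raised"
}
```

Two caveats on the registry fix itself: 0xffff (65535) is the largest value Kerberos accepts, and Microsoft's later guidance caps it at 48000 because tokens above that size can exceed the HTTP header limits of IIS-based services (OWA included), so the account that trips the error is usually better served by pruning group memberships than by the maximum value.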




Monday, October 20, 2008

Quotes

Though I've tried to make this blog as professional as possible by leaving off most personal info, I've decided to start leaving quotes of the | time period | up in the upper right hand corner. I have no plans to leave a history, so if you catch it you catch it.  I say "time period" because I refuse to commit to daily changes. 

I'm jaded, bitter, approachable, identifying across lines, smart enough to realize everyone has an agenda, dumb enough to no longer care, and hiding in plain sight.  Enjoy.

Adding Trusted Sites - Unblocked Downloads

At times you'll need to add your domain to trusted zones, and allow it to launch items.  This is necessary to avoid the annoying popup blocking that occurs when opening archived messages (especially if you do so frequently).  To get around this you can do the following:


1. Create a reg file out of the text between the lines.  Be sure to replace domain.net with yours.

--------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.net]
"https"=dword:00000002
--------------------

Running this will add your domain to the Trusted Sites zone for https only; add an "http"=dword:00000002 value as well if the site is also reached over plain http.

2.  You can then make the change under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

Zone 2 = Trusted Sites

Value data for 2200 (automatic prompting for file downloads):
0  - Enabled
3  - Disabled

Value data for 2201 (automatic prompting for ActiveX controls):
0  - Enabled
3  - Disabled



Before and after screenshots (not included): previously the information bar blocked the download; now the download dialog appears right away.
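The two registry edits above are the whole change, and the reason they sometimes appear not to work is that Internet Explorer ignores the per-user ZoneMap when Group Policy owns zone assignment. The script below is an added example, not from the original post: it applies the same ZoneMap entry and the 2200 value from PowerShell, but first checks for the two policy settings that would override them, the Site to Zone Assignment List (stored under Policies\...\ZoneMapKey) and "Security Zones: Use only machine settings" (Security_HKLM_only). It uses the page's placeholder domain.net, and it only touches 2200, since that is the value behind the download bar; 2201 lowers the ActiveX prompting for every site in the zone and is left alone.

```powershell
# Added example: put domain.net in Trusted Sites and enable automatic download prompting,
# after checking whether Group Policy would silently override the per-user values.
$domain  = 'domain.net'   # placeholder from the post; replace with your own
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
$zone2   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'

function Test-ZonePolicyOverride {
    # $true when Group Policy controls zone assignment, in which case the HKCU edits below are ignored.
    $policyRoot = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $hklmOnly   = (Get-ItemProperty -Path "HKLM:\$policyRoot" -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only
    $policyMap  = (Test-Path "HKLM:\$policyRoot\ZoneMapKey") -or (Test-Path "HKCU:\$policyRoot\ZoneMapKey")
    return ($hklmOnly -eq 1) -or $policyMap
}

if (Test-ZonePolicyOverride) {
    Write-Warning 'Zone assignment is set by Group Policy; add the site to the Site to Zone Assignment List instead of editing HKCU.'
}

# Step 1: map https://domain.net to zone 2 (Trusted Sites). Add -Name http too if the site is also served over http.
New-Item -Path $zoneMap -Force | Out-Null
New-ItemProperty -Path $zoneMap -Name https -PropertyType DWord -Value 2 -Force | Out-Null

# Step 2: 2200 = automatic prompting for file downloads in the Trusted Sites zone; 0 = Enabled, 3 = Disabled.
New-ItemProperty -Path $zone2 -Name 2200 -PropertyType DWord -Value 0 -Force | Out-Null

# Read back what Internet Explorer will actually see.
Get-ItemProperty -Path $zoneMap
Get-ItemProperty -Path $zone2 -Name 2200
```

Keep the zone mapping as narrow as the archive server needs: everything under domain.net inherits the relaxed Trusted Sites settings, so if only one host serves archived messages, create the subkey Domains\domain.net\hostname and put the https value there instead.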



Friday, October 17, 2008

Exchange SP1 Rollup 4

Here is the link with the changes:

http://support.microsoft.com/?kbid=952580

My particular favorites are:

949512
950076
952152


That is all.

Thursday, October 16, 2008

How to Publish More Free Busy Data

It has been a bit since I posted, so I figured I'd toss out some easy fodder for those that don't know (which seems to be a lot more than I thought initially).

Unfortunately there is no quick, easy server-side change to publish more free/busy data for a user.  It is a client-side setting.  The setting itself can be changed in Outlook this way:

Tools -> Options ->Calendar Options-> Free/Busy Options -> Permissions Tab -> Other Free/Busy.. -> Modify the number of months to publish.


Being a client side change, if you want to roll it out on a mass scale you'll either have to build it into your ghost images, or you'll have to roll out a GPO/login script.  I went to find the exact one, and ran across the Exchange team's blurb on it:

http://msexchangeteam.com/archive/2004/06/10/152698.aspx 

Tuesday, October 7, 2008

A Good Summary For Explaining Databases/Logs

This.

Mail.que Issues - White Space, Defrags, etc

What is the Mail.que?

The Mail.que is an ESE database that acts as the transport queue on your Exchange 2007 server (Hub Transport or Edge Transport roles only).

Why would I need to run maintenance/fix issues with mail.que?

Issues can arise with the mail.que file getting very large, and fragmented.  This can cause problems ranging from performance issues, to a full blown outage on an Exchange environment.  This scenario can come about from multiple avenues, but a couple of seemingly more common culprits can be email blasts (especially with a large attachment on it), or if the database has not been maintained.  

If my mail.que file gets large/fragmented, how do we rein it in?

Prerequisites:

1.  You must be at least an Exchange Server Administrator. (Local admin on the Edge Transport server).

2.  Per Microsoft, the following rights must exist to the mail.que:

Network Service: Full Control
System: Full Control
Administrators: Full Control

3.  If you are planning to restore the mail.que file to another transport server, that server must have the same roles as the server you are taking it from.  Mail delivery issues can arise if this is not the case, or if that server is located in a different AD forest (in which case you may have to resubmit through the categorizer).


Now that the prereqs are out of the way, we can begin to repair the database.


Step 1:  Locate the database.  

Unless you've changed the location, the database should reside at "C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue" on a Hub Transport server. 

You can find the location on an Edge Server in the EdgeTransport.exe.config file under C:\Program Files\Microsoft\Exchange Server\Bin.  Look for the 'QueueDatabasePath' and 'QueueDatabaseLoggingPath' values.


Step 2: Move the database out.

Stop the MSExchangeTransport service then move the following files to a temporary location: Mail.que, Trn.chk, Temp.edb, Trn.log, Trnnnn.log, Trnres00001.jrs, Trnres00002.jrs, and Trntmp.log. 

Upon restarting the MSExchangeTransport service, a new Mail.que will be created so mail can continue to flow.


Step 3: Recovering/Maintaining the Database

Open a command prompt and navigate to the directory where you moved the database to.

eseutil.exe /r Trn /d

This command will run a recovery against the database.  You could run this from another location, but you'd have to specify where the database exists after /d.  Either way works.

eseutil /d mail.que

This command will defrag the database and rid it of any white space that has ballooned it up, thus increasing performance and/or resurrecting it.


Step 4:  Prepare for reinsertion of the old mail.que.

The first thing we need to do is to pause the queues via:

Net Pause MSExchangeTransport

This will stop the flow of new mail into the queues and deliver all mail currently queued.

Just to make sure the queues are clear before we continue, lets have a look.

Via Get-Queue in the Exchange Management Shell, or via the Queue Viewer in the Exchange Management Console (screenshots not included).

It would probably be a good idea to resubmit your unreachable queues, though this is optional. 

If you want to, MS provides us the following command to do so:

Retry-Queue -Identity "Unreachable" -Resubmit $True

You can recover your poison queues too, though I personally don't usually bother.




Step 5:  Reinjection.

Now all we have to do is reinsert the old mail.que.  Stop the MSExchangeTransport service, copy the old files back in, and Start MSExchangeTransport.  

This is the part where I stray from the MS plan.  I would recommend to go back to Step 4 and let the queues drain out again.  Once they are empty, stop the MSExchangeTransport service, delete the mail.que database, and restart the MSExchangeTransport service letting the mail.que database recreate.  The reason I say to do this is that I know a colleague of mine had an issue using the original mail.que file.  It suffered corruption, and would balloon back out to upwards of 7 gigs with no real data in it to speak of!  This type of behavior could bring the Exchange system to its knees.  I'd just as soon start with a fresh slate.
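The five steps above, driven from the Exchange Management Shell on a Hub Transport server, as an added example that is not part of the original post. It follows the post's own order, including the "drain and start fresh" variation at the end, with one deliberate difference in step 5: only the defragmented Mail.que is copied back, because after eseutil /d the old Trn* logs and checkpoint can no longer be replayed against the rebuilt database, and a database in clean shutdown attaches fine with a fresh log set. It assumes the default install paths, a scratch folder D:\QueueRepair that does not exist yet, and a shell running as an Exchange Server Administrator who is also local admin.

```powershell
# Added example: mail.que recovery/defrag procedure from the Exchange Management Shell.
# Assumptions: default paths, D:\QueueRepair does not exist, Exchange Server Administrator + local admin.
$queueDir   = 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue'
$eseutil    = 'C:\Program Files\Microsoft\Exchange Server\Bin\eseutil.exe'
$scratch    = 'D:\QueueRepair'
$queueFiles = 'Mail.que', 'Trn.chk', 'Temp.edb', 'Trn*.log', 'Trnres0000?.jrs'

function Invoke-Eseutil {
    # Runs eseutil with the given arguments and aborts the script on a non-zero exit code.
    param([string[]]$Arguments)
    & $eseutil $Arguments
    if ($LASTEXITCODE -ne 0) { throw "eseutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Wait-TransportQueuesEmpty {
    # Step 4: pause transport so nothing new is accepted while existing mail delivers,
    # then poll Get-Queue until every queue on this server reports zero messages.
    param([int]$TimeoutMinutes = 30)
    net pause MSExchangeTransport | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = (Get-Queue -Server $env:COMPUTERNAME | Measure-Object -Property MessageCount -Sum).Sum
        if (-not $pending) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Warning "$pending message(s) still queued after $TimeoutMinutes minutes; transport is still paused"
    return $false
}

function Invoke-WithTransportStopped {
    # Stops transport, runs the supplied file operation, and starts transport again.
    # Starting with no Mail.que in the queue folder makes transport create a fresh one.
    param([scriptblock]$FileOperation)
    Stop-Service MSExchangeTransport
    & $FileOperation
    Start-Service MSExchangeTransport
}

# Step 2: move the bloated database out so a new one is created and mail keeps flowing.
New-Item -ItemType Directory -Path $scratch | Out-Null
Invoke-WithTransportStopped {
    foreach ($f in $queueFiles) { Move-Item -Path (Join-Path $queueDir $f) -Destination $scratch -Force -ErrorAction SilentlyContinue }
}

# Step 3: replay the Trn logs into the old copy, then offline-defragment it.
Push-Location $scratch
Invoke-Eseutil '/r', 'Trn', '/d'
Invoke-Eseutil '/d', 'Mail.que'
Pop-Location

# Step 4: let the new queue drain, then resubmit anything stuck in Unreachable.
if (Wait-TransportQueuesEmpty) {
    Retry-Queue -Identity 'Unreachable' -Resubmit $true -ErrorAction SilentlyContinue
}

# Step 5: put the repaired database back so the messages it still holds are delivered.
# Only Mail.que goes back (see lead-in); the files created in step 2 are empty now that the queues drained.
Invoke-WithTransportStopped {
    foreach ($f in $queueFiles) { Remove-Item -Path (Join-Path $queueDir $f) -Force -ErrorAction SilentlyContinue }
    Copy-Item -Path (Join-Path $scratch 'Mail.que') -Destination $queueDir
}

# The variation the post recommends: once the reinjected mail has drained, discard the
# old database entirely and let transport create a clean one.
if (Wait-TransportQueuesEmpty) {
    Invoke-WithTransportStopped {
        foreach ($f in $queueFiles) { Remove-Item -Path (Join-Path $queueDir $f) -Force -ErrorAction SilentlyContinue }
    }
}
```

If either drain times out, the script leaves transport paused on purpose so nothing new lands in a database you are about to swap; resume with net continue MSExchangeTransport once you have looked at what is stuck. Keep the scratch copy until the final restart has been confirmed clean, and if eseutil /r fails, do not proceed to /d, since the post's recovery path assumes a consistent database.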

Friday, October 3, 2008

Scripts to Create Archive Attender Service Account

Save this one as usercreation.vbs or something along those lines:

'Creates ArchiveUser in the Archive OU and assigns Password

Option Explicit
Dim objRootLDAP, objContainer, objUser, objWshNet
Dim strUser, strName, strContainer, strPassword, strDescription, strDomain, strLogon, strLastName, strDisplayName

'Variables
Set objWshNet = CreateObject("WScript.Network")
strUser = "ArchiveUser"
strName = "Archive"
strContainer = "OU=Archive,"
strPassword = "Password"   'Placeholder only: set a long random value before running and do not leave it in the script
strDescription = "Archive Attender Service Account"
strLogon = "ArchiveUser"
'Automatically pulls Domain (NetBIOS name; use the DNS name instead if anyone will log on with the UPN)
strDomain = objWshNet.UserDomain
strLastName = "Archive"
strDisplayName = "ArchiveUser"

'Gets you bound to AD
Set objRootLDAP = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strContainer & _
    objRootLDAP.Get("defaultNamingContext"))

'Performs user creation (sAMAccountName is limited to 20 characters; "name" is derived from the cn and is not set here)
Set objUser = objContainer.Create("User", "cn=" & strUser)
objUser.Put "sAMAccountName", strUser
objUser.Put "givenName", strName
objUser.Put "sn", strLastName
objUser.Put "userPrincipalName", LCase(strLogon) & "@" & strDomain
objUser.Put "displayName", strDisplayName
objUser.Put "description", strDescription
objUser.SetInfo

'Set the password and do not force a change on first login (pwdLastSet = -1 means "now")
objUser.SetPassword strPassword
objUser.Put "pwdLastSet", CLng(-1)
objUser.SetInfo

'Enable the account: NORMAL_ACCOUNT (512) combined with DONT_EXPIRE_PASSWD (&H10000).
'Writing the two values in separate Put calls would leave only the second one set.
objUser.Put "userAccountControl", 512 Or &H10000
objUser.SetInfo

WScript.Quit



Now that we have a user, let's give them local admin rights.  You can name this localadmin.vbs or something like that:

Option Explicit
Dim objWshNet, objGroup, objUser, strDomain, strComputer, strUser

Set objWshNet = CreateObject("WScript.Network")
strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName

'Local Administrators group on this machine (run once on each Archive Attender server)
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

strUser = "ArchiveUser"
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

'Add user to group if not already a member
If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add objUser.ADsPath
End If


We now have a user with local admin rights.   What about Exchange rights though?  


For Exchange 2007:

Create this script and name it ExchangeRights.ps1:

# OrgAdmin plus Send As / Receive As on every server and database makes this a highly privileged account; guard its password and logon rights accordingly.
Add-ExchangeAdministrator -Identity ArchiveUser -Role OrgAdmin
Get-MailboxServer | ForEach-Object { Add-ADPermission -Identity $_.Identity -User ArchiveUser -ExtendedRights "Send As", "Receive As" }
Get-MailboxDatabase | Add-ADPermission -User ArchiveUser -AccessRights GenericAll -ExtendedRights "Send As", "Receive As", "ms-Exch-Store-Admin"

For Exchange 2003:

First enable the security tab to be displayed in ESM via this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin 

ADD--
Value Name: ShowSecurityPage
Data Type: REG_DWORD
Value: 1  


Once that is done, you need only go to the org level in ESM and add full rights for your new account (be sure to include Send As / Receive As rights).  If it isn't working, be sure that you didn't inadvertently add the user to Domain Admins.  Domain Admins was set to have an explicit deny for Send As / Receive As as part of Microsoft's security push.

If you do not want to set permissions at the org level, you can set them further down so long as they apply to all the users/databases that you wish to process against.
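Once ExchangeRights.ps1 has run, it is worth confirming the result rather than waiting for the first failed archive job. The script below is an added example, not part of the original post: in the Exchange 2007 Management Shell it checks that ArchiveUser holds an Allow ACE for Send As and Receive As on every mailbox database, and it checks the Domain Admins membership that the Exchange 2003 note above warns about, since that inherited deny overrides any grant. It uses the WinNT provider for the group lookup, the same one localadmin.vbs uses, so it needs no AD module; the account name is the one usercreation.vbs creates.

```powershell
# Added example: verify the rights granted by ExchangeRights.ps1 and flag the Domain Admins pitfall.
# Assumptions: run in the Exchange Management Shell; account name as created above.
$account = 'ArchiveUser'

function Get-MissingDatabaseRights {
    # Returns one "database: right" line for each Send As / Receive As right that no Allow ACE grants.
    $missing = @()
    foreach ($db in Get-MailboxDatabase) {
        $allowed = Get-ADPermission -Identity $db.Identity -User $account |
                   Where-Object { -not $_.Deny } |
                   ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" }
        foreach ($right in 'Send-As', 'Receive-As') {
            # Get-ADPermission shows the rights hyphenated; match either spelling to be safe.
            if (-not ($allowed -match ($right -replace '-', '.'))) { $missing += "$($db.Identity): $right" }
        }
    }
    return $missing
}

function Test-DomainAdminsMember {
    # Enumerates the account's groups through the WinNT provider; each entry is a COM object,
    # so the Name property has to be read via InvokeMember.
    $user  = [ADSI]"WinNT://$env:USERDOMAIN/$account,user"
    $names = $user.Groups() | ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    return [bool]($names -contains 'Domain Admins')
}

$gaps = Get-MissingDatabaseRights
if ($gaps) { Write-Warning ("Rights missing:`n" + ($gaps -join "`n")) } else { "Send As / Receive As present on every mailbox database" }
if (Test-DomainAdminsMember) { Write-Warning "$account is in Domain Admins; the inherited Send As / Receive As deny will override the grants above" }
```

Run it again after any new database is created: Add-ADPermission only touched the databases that existed at the time, so a new store silently falls outside the archive account's reach until the grant is repeated.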

DPM - Consistency Checking Versus SLAs

There can sometimes be issues with meeting SLAs while using DPM within tight constraints.  The problem is that while consistency checking is essential, it kills other scheduled synchronizations while it runs.

"Synchronization with consistency check, also referred to as “a consistency check,” is the process by which DPM checks for and corrects inconsistencies between a protected volume and its replica. As part of the synchronization process, a consistency check performs block-by-block verification to ensure that all the data on the replica is consistent with the protected data. This process is slower than incremental synchronization because all the data on the replica is compared rather than just applying the data changes to the replica."


Example:

Let's say your SLA is something very aggressive, such as the ability to restore to within the last 30 minutes.  We set up a 30 minute synchronization in DPM, which in itself isn't bad (though it seems to be more commonly set around 3-4 hours).  The issue comes when the consistency check runs, which could take for example 1.5-2 hours.  This would result in at least 3 failed synchronizations, thus breaking the SLA.

The only methods I am aware of to somewhat work around this would be to modify the SLA, or manually schedule consistency checks.