Wednesday, July 26

MCTian Meetup




Malaysia MCT meetup

Once again, the MCTs met up, this time in Mid Valley, KL.

Result: we are going to do a Vista Preview briefing for MCT KL.

See you there at Microsoft, KLCC, in August!

Some photos taken

Monday, July 24

Account Problems


Exchange 5.5 to Exchange 2003 migration is a hot cake in this part of the world. Many of these migrations use OWA 2003 as the replacement for other e-mail clients. However, password expiry and account lockout problems give administrators lots of trouble and increase helpdesk calls.

In this session, we would like to share how to identify or find out when a particular account's password expires.

To reach that objective, Acctinfo.dll needs to be registered on a DC.

Acctinfo.dll adds a new property page to the user object Properties dialog box in Active Directory Users and Computers. That page shows the date when a user's password was last set, the date when the user's password will expire, and the dates and times when the user last logged on and logged off. Unfortunately, most of the important information needed here is not stored in AD as such, but it can be calculated from the date the user's password was set. Normally we would need to run a lot of scripts, which adds overhead for administrators. Acctinfo.dll performs these calculations for you!

System Requirements
Windows Server 2003 or Windows 2000 Server operating system - You must be an Administrator to install Acctinfo.dll.

How to install
  • First of all, download the Windows Server 2003 Resource Kit from the Microsoft website and install it.
  • Then install the Windows Support Tools (from the Windows 2003 CD).
  • Copy the file Acctinfo.dll (from wherever you installed the Resource Kit) to the %windir%\system32 folder. In Windows Server 2003, this is typically C:\Windows\System32. In Windows 2000, this is typically C:\Winnt\System32.
  • Open a command window, and type the following (this example assumes that your %windir%\system32 folder is C:\Windows\System32):
    regsvr32 c:\windows\system32\acctinfo.dll
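As an added example (not part of the original post and not code from the Resource Kit), here is the calculation Acctinfo.dll does for you, written in Python: convert the pwdLastSet and lastLogon large-integer timestamps (100-nanosecond intervals since 1601-01-01) to dates, and combine pwdLastSet with the domain's maxPwdAge to get the expiry date, honouring the two special cases (pwdLastSet of 0 and the "password never expires" flag). The sample attribute values are constructed; in practice you would read them from the user object and the domain object with an LDAP query.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC); AD stores these timestamps in 100-ns units.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl flag ADS_UF_DONT_EXPIRE_PASSWD ("Password never expires").
UF_DONT_EXPIRE_PASSWD = 0x10000
# maxPwdAge value stored when the domain policy says passwords never expire.
MAX_PWD_AGE_NEVER = -0x8000000000000000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD large-integer timestamp (pwdLastSet, lastLogon, ...) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int):
    """Return the expiry datetime (UTC), or a string for the two special cases."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age == MAX_PWD_AGE_NEVER:
        return "never"
    if pwd_last_set == 0:
        # pwdLastSet of 0 means "user must change password at next logon".
        return "must change at next logon"
    # maxPwdAge is stored as a negative interval; negate it to get the lifetime.
    lifetime = timedelta(microseconds=(-max_pwd_age) // 10)
    return filetime_to_datetime(pwd_last_set) + lifetime


def expiry_report(pwd_last_set, max_pwd_age, user_account_control, now):
    """Summary like the Acctinfo.dll property page, with days left for helpdesk triage."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, user_account_control)
    if isinstance(expiry, str):
        return expiry
    if expiry <= now:
        return f"expired on {expiry.isoformat()}"
    return f"expires on {expiry.isoformat()} ({(expiry - now).days} days left)"


# Constructed sample values: pwdLastSet of 2006-07-01 00:00 UTC and a 42-day maxPwdAge.
SAMPLE_PWD_LAST_SET = 127961856000000000
SAMPLE_MAX_PWD_AGE = -42 * 24 * 60 * 60 * 10_000_000   # stored as a negative interval
SAMPLE_UAC = 0x200                                     # NORMAL_ACCOUNT, no never-expires flag

if __name__ == "__main__":
    now = datetime(2006, 7, 24, tzinfo=timezone.utc)   # date of this post
    print("pwdLastSet:", filetime_to_datetime(SAMPLE_PWD_LAST_SET))
    print("expiry    :", expiry_report(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, SAMPLE_UAC, now))
    print("with flag :", expiry_report(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE,
                                       SAMPLE_UAC | UF_DONT_EXPIRE_PASSWD, now))
```

Run it as-is to see the constructed account expire on 2006-08-12; swap in real pwdLastSet, maxPwdAge and userAccountControl values to reproduce what the Acctinfo.dll page shows without installing anything on the DC.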

Security Event Logs - Logon Event IDs

Lots of people ask us: after enabling security auditing, how do we monitor it? Most of the logs show only event IDs. We believe Microsoft has the full list on the TechNet website, but for the convenience of our customers and readers, let us share some important events:

  • 528 - Successful logon
  • 529-537 - Failed logon, where 529 = bad username or password, 530 = time restrictions, 531 = account disabled, 532 = expired account, 533 = cannot log on to this computer, 534 = disallowed logon type, 535 = expired password, 536 = server not available, 537 = other reasons
  • 548 - Your trust might be broken (SID does not match)
  • 550 - Your network might be under DoS attack
  • 551 - Logoff event
  • 552 - UserB forces a logon to another computer while UserA is logged on
  • 682 - User has reconnected to a disconnected terminal session
  • 683 - User disconnected from a terminal session without logging off

We hope this small piece of information helps those of you managing and maintaining AD!
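To make the list above usable day to day, here is an added example in Python (not from the original post): it parses a few constructed log records, labels each one with the meaning from the list, counts failed logons by reason so that expired passwords (535) can be separated from bad guesses (529), and flags accounts with repeated 529 events in a short window, which is the pattern behind most lockout helpdesk calls. The record format "timestamp|event_id|account|workstation" and the sample data are assumptions; a real export from Event Viewer or a log collector needs its own parser.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Event IDs and meanings as listed in the post (Windows 2000/2003 Security log).
EVENT_NAMES = {
    528: "successful logon",
    529: "failed logon: bad username or password",
    530: "failed logon: time restrictions",
    531: "failed logon: account disabled",
    532: "failed logon: account expired",
    533: "failed logon: cannot log on to this computer",
    534: "failed logon: disallowed logon type",
    535: "failed logon: password expired",
    536: "failed logon: server not available",
    537: "failed logon: other reasons",
    548: "trust might be broken (SID does not match)",
    550: "network might be under DoS attack",
    551: "logoff",
    552: "logon by a second user while another user is logged on",
    682: "user reconnected to a disconnected terminal session",
    683: "user disconnected from terminal session without logging off",
}
FAILED_LOGON_IDS = range(529, 538)   # 529..537 inclusive

# Constructed sample records (assumed format "timestamp|event_id|account|workstation").
SAMPLE_LOG = """\
2006-07-24 08:01:10|528|alice|WS01
2006-07-24 08:02:30|529|bob|WS02
2006-07-24 08:02:41|529|bob|WS02
2006-07-24 08:02:55|529|bob|WS02
2006-07-24 08:03:05|529|bob|WS02
2006-07-24 08:03:20|529|bob|WS02
2006-07-24 08:10:00|535|carol|WS03
2006-07-24 08:15:00|532|dave|WS04
2006-07-24 09:00:00|551|alice|WS01
"""


def parse_log(text):
    """Turn the pipe-separated lines into dicts with a parsed timestamp and int event ID."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, workstation = line.split("|")
        records.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "account": account,
            "workstation": workstation,
        })
    return records


def describe(record):
    """Map an event ID to the meaning from the list above."""
    return EVENT_NAMES.get(record["id"], "event not in the list")


def failure_reasons(records):
    """Count failed logons by reason, to separate expired passwords from bad guesses."""
    reasons = Counter()
    for record in records:
        if record["id"] in FAILED_LOGON_IDS:
            reasons[describe(record)] += 1
    return reasons


def repeated_failures(records, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` bad-password events (529) inside `window`."""
    times_by_account = defaultdict(list)
    for record in records:
        if record["id"] == 529:
            times_by_account[record["account"]].append(record["time"])
    flagged = {}
    for account, times in times_by_account.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[account] = end - start + 1
                break
    return flagged


def expired_password_accounts(records):
    """Accounts whose logon failed with event 535 (password expired): helpdesk candidates."""
    return sorted({r["account"] for r in records if r["id"] == 535})


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for record in records:
        print(record["time"], record["id"], record["account"], "-", describe(record))
    print("failure reasons:", dict(failure_reasons(records)))
    print("repeated bad passwords:", repeated_failures(records))
    print("expired passwords:", expired_password_accounts(records))
```

The threshold and window in repeated_failures should match your domain's account lockout policy, so that the report flags an account just before (or as) the lockout happens rather than long after.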

Monday, July 17

Windows Vista

Hi all,

Good day. Now that you know about Windows Vista, we are just wondering how many of you will buy new hardware for Vista, and how many will reuse the existing hardware?

To know more about the Vista hardware requirements, please go to http://www.microsoft.com/technet/windowsvista/evaluate/hardware/vistarpc.mspx

You can reply via this post; it is just a quick survey.

Saturday, July 15

Exchange 2007 - a quick glance

Our Technology Adoption Program customers, existing and potential customers always ask us: what is Microsoft going to give us in the new Exchange Server 2007?

Let's have a quick tour of some of the E2007 features.

For E2007 installation, you need .NET Framework 2.0 and MMC 3.0. When choosing server roles, you select from 1) Bridgehead Server Role, 2) Mailbox Server Role, 3) Client Access Server Role. We will post more articles discussing what all these are about. Please come back to this blog more often... :)

Still remember ForestPrep and DomainPrep in Exchange 2000 and Exchange 2003? Exchange Server 2007 no longer has them; this is done automatically.

Installation of Exchange 2007 is now just like Vista, for those who have tried it. The installation program will then:

Copy Exchange Files - take about 3 minutes
Preparing Organization - take about 25 minutes
Installing Bridgehead Server Role -about 2 minutes
Installing Mailbox Server Role - about 4 minutes
Installing Client Access Server - about 2 minutes

We are using the Beta 1 version of Exchange Server 2007 (yes, Beta 1) to test this out. In it, the Exchange Management Console is referred to as both the Exchange Management Console and Exchange System Manager. This is a bit different from Exchange 2003, which only has Exchange System Manager.

Administering Exchange becomes easier with the Exchange Management Shell and administrative scripts. Most administrative tasks can be done with just a few lines of script.

Enforcing compliance by creating an Ethical Firewall: yes, you can have rules configured in this version of Exchange. For example, you can filter the subjects that can be sent via the Exchange Server, e.g. a subject containing "Company Secret" is blocked. In addition, you can create e-mail life-cycle policies.

DR will always be a headache for most administrators. With the latest feature, Exchange Server 2007 Local Continuous Replication, you can bring up your Exchange 2007 database in minutes! Yes, it is true. We will prepare some screenshots and a lab in the future.

As mentioned, this is a first glance; we will publish more articles in this blog regarding this.

Thursday, July 13

How to enable Active Directory diagnostic logging

Active Directory is the foundation of Exchange Server 2000 and Exchange Server 2003. Most of the time, Exchange problems are due to Active Directory. Recently, one of our customers' Exchange went down due to AD, and it took about 3 days to solve!

First, Event Viewer is the best place to start troubleshooting; this method goes back as far as Windows NT 4. The good thing about Active Directory is that the diagnostic level is adjustable!

Before going into increasing diagnostic logging, you have to make sure that your DC is ready for the extra overhead of filling up logs at a faster rate.

Can you do this in the GUI? Not that we know of for now; maybe there is a way. Search the Internet for it.

What we are going to share is how to enable it using a registry key. PLEASE MAKE SURE YOU BACK UP your system state before continuing from here.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Under this key, you will see quite a number of registry values for AD, for example Backup, KCC, and so on.

The default value for each entry is 0, which is the minimum. You can increase the number for the entry from 0 to 5, where:

1 - Minimal
2 - Basic
3 - Extensive
4 - Verbose
5 - Internal

Normally we would advise you to increase the level to 3 for the particular service you would like to troubleshoot, then slowly up to 5. Level 5 means log EVERYTHING! You will then be able to see the records in the Directory Service log.

Once you get a clue on how to solve the problem, REMEMBER to turn it back to 0.

Shall I buy a third-party backup solution for Windows & Exchange?

Lots of our customers and students ask: is Windows Backup good enough?

Frankly, the built-in backup program is not a feature-rich utility. However, if the functions it provides are enough for you, the question is: why not? This saves quite a lot of money.

Some brief limitations that I can spell out here:

  1. Not able to back up the system state and other files remotely, only locally. What IT people want is a centralised backup, or a backup to a single backup set.
  2. Not suitable for an enterprise-level backup library (for example, robotic tape libraries). It does not allow you to manage your backups with the large databases of information that third-party backup products such as Veritas, CA, HP, Hitachi and others support.

For SMEs and small companies with fewer than 5 servers to manage, Windows Backup is definitely sufficient.

Tuesday, July 11

Creating custom naming for Exchange attributes

Some of our customers ask us how to modify or add custom names for Exchange attributes, e.g. SOCSO number, Employee ID or even IC number. It will be great to publish this in the blog for the benefit of the community.

(This applies to Windows 2003 SP1 with Exchange 2003.)

To do so, you need to:
  • be a Schema Administrator to modify the attributes
  • have the Support Tools installed on the server to get ADSI Edit
  • test, test & test this task in a test-lab environment before performing it in production
The steps go like this:

  1. Connect to the schema container with ADSI Edit
  2. Find CN=ms-Exch-Extension-Attribute-(1 to 15), depending on which attribute you would like to change
  3. Select LDAPDisplayName in the window
  4. Enter a new display name

It is that simple. Try it out!

SLA - a simplified version

Information technology nowadays becomes more and more important to an organization. As an example, the e-mail system, once categorized as a non-critical server, has now become a critical server that needs 99% uptime. Furthermore, ICT departments are increasingly called upon to deliver consistent service levels, measure performance, and document the value of IT to the business by showing that written service level agreements (SLAs) are being met; anyway, this is what management wants, isn't it? However, while necessary, day-to-day monitoring and reporting on SLA compliance can deplete staff and budgets that are already stretched. With an approach that covers the fundamentals well, your organization can spend less time and money on the methodology and tools, for example Microsoft Operations Manager.

With product experts as well as developers providing management packs, ICT consultants and engineers will have a clear and correct direction for tackling problems, in other words, meeting the SLA. With the latest technology, MOM 2007 is now proudly presented to the market; it reliably scales across your organization and environment, and includes the Microsoft application and operating system knowledge you need to rapidly resolve your operational problems. Want to know more about MOM? http://www.microsoft.com/MOM

What's new in the release?

  • Proactively manage business critical IT services, including distributed applications, the supporting infrastructure and hardware, and end-user service delivery.
  • Reduce the complexities of managing your IT environment by providing a monitoring solution that is designed with ease of use in mind.
  • Provide a highly reliable infrastructure by leveraging Windows Server and SQL 2005 clustering for high availability and through agents that automatically failover to a secondary management server if connectivity to the primary server is lost.
  • Include management packs with prescriptive knowledge developed by the application and OS development teams at Microsoft and verified in production deployments to improve monitoring, troubleshooting, and problem resolution for more than 50 Microsoft applications and Windows Server components.

Monday, July 10

Ports used by Exchange

  • LDAP - 389 (TCP): Lightweight Directory Access Protocol (LDAP), used by Active Directory, Active Directory Connector, and the Microsoft Exchange Server 5.5 directory.
  • LDAP/SSL - 636 (TCP): LDAP over Secure Sockets Layer (SSL). When SSL is enabled, LDAP data that is transmitted and received is encrypted. To enable SSL, you must install a Computer certificate on the domain controller or Exchange Server 5.5 computer.
  • LDAP - 379 (TCP): The Site Replication Service (SRS) uses TCP port 379.
  • LDAP - 390 (TCP): While not a standard LDAP port, TCP port 390 is the recommended alternate port to configure for the Exchange Server 5.5 LDAP protocol when Exchange Server 5.5 is running on a Microsoft Windows 2000 Active Directory domain controller.
  • LDAP - 3268 (TCP): Global catalog. The Windows 2000/2003 Active Directory global catalog listens on TCP port 3268. When you are troubleshooting issues that may be related to a global catalog, connect to port 3268 in LDP.
  • LDAP/SSL - 3269 (TCP): Global catalog over SSL. Applications that connect to TCP port 3269 of a global catalog server can transmit and receive SSL-encrypted data. To configure a global catalog to support SSL, you must install a Computer certificate on the global catalog.
  • IMAP4 - 143 (TCP): Internet Message Access Protocol version 4, may be used by "standards-based" clients such as Microsoft Outlook Express or Netscape Communicator to access the e-mail server. IMAP4 runs on top of the Microsoft Internet Information Service (IIS) Admin Service (Inetinfo.exe), and enables client access to the Exchange 2000/2003 information store.
  • IMAP4/SSL - 993 (TCP): IMAP4 over SSL uses TCP port 993. Before an Exchange 2000 server supports IMAP4 (or any other protocol) over SSL, you must install a Computer certificate on the Exchange 2000/2003 server.
  • POP3 - 110 (TCP): Post Office Protocol version 3, enables "standards-based" clients such as Outlook Express or Netscape Communicator to access the e-mail server. As with IMAP4, POP3 runs on top of the IIS Admin Service, and enables client access to the Exchange 2000/2003 information store.
  • POP3/SSL - 995 (TCP): POP3 over SSL. To enable POP3 over SSL, you must install a Computer certificate on the Exchange 2000/2003 server.
  • NNTP - 119 (TCP): Network News Transport Protocol, sometimes called the Usenet protocol, enables "standards-based" client access to public folders in the information store. As with IMAP4 and POP3, NNTP is dependent on the IIS Admin Service.
  • NNTP/SSL - 563 (TCP): NNTP over SSL. To enable NNTP over SSL, you must install a Computer certificate on the Exchange 2000/2003 server.
  • HTTP - 80 (TCP): The protocol used primarily by Microsoft Outlook Web Access (OWA), but it also enables some administrative actions in Exchange System Manager. HTTP is implemented through the World Wide Web Publishing Service (W3Svc), and runs on top of the IIS Admin Service.
  • HTTP/SSL - 443 (TCP): HTTP over SSL. To enable HTTP over SSL, you must install a Computer certificate on the Exchange 2000/2003 server.
  • SMTP - 25 (TCP): Simple Mail Transfer Protocol, the foundation for all e-mail transport in Exchange 2000/2003. The SMTP Service (SMTPSvc) runs on top of the IIS Admin Service. Unlike IMAP4, POP3, NNTP, and HTTP, SMTP in Exchange 2000/2003 does not use a separate port for secure communication (SSL), but rather employs an "in-band security sub-system" called Transport Layer Security (TLS).
  • SMTP/LSA - 691 (TCP): The Microsoft Exchange Routing Engine (also known as RESvc) listens for routing link state information on TCP port 691. Exchange 2000/2003 uses routing link state information to route messages, and the routing table is regularly updated. The Link State Algorithm (LSA) propagates routing status information between Exchange 2000/2003 servers. This algorithm is based on the Open Shortest Path First (OSPF) protocol from networking technology, and transfers link state information between routing groups by using the X-LSA-2 command verb over SMTP and by using a Transmission Control Protocol (TCP) connection to port 691 within a routing group.
  • X.400 - 102 (TCP): ITU-T Recommendation X.400 is really a series of recommendations for what an electronic message handling system (MHS) should look like. TCP port 102 is defined in IETF RFC 1006, which describes OSI communications over a TCP/IP network. In brief, TCP port 102 is the port that the Exchange message transfer agent (MTA) uses to communicate with other X.400-capable MTAs.
  • MS-RPC - 135 (TCP): Microsoft Remote Procedure Call is a Microsoft implementation of remote procedure calls (RPCs). TCP port 135 is actually only the RPC Locator Service, which is like the registrar for all RPC-enabled services that run on a particular server. In Exchange 2000/2003, the Routing Group Connector uses RPC instead of SMTP when the target bridgehead server is running Exchange 5.5. Also, some administrative operations require RPC. To configure a firewall to enable RPC traffic, many more ports than just 135 must be enabled. Please take note... however, you can make the port static by changing the registry. We will share that in future articles...
  • DNS - 53 (TCP): Domain Name System (DNS) is at the heart of all of the services and functions of Windows 2000/2003 Active Directory and Exchange 2000/2003 Server. You cannot underestimate the impact that a DNS issue can have on the system. Therefore, when service issues arise, it is always good to verify proper name resolution.

This should definitely clear up any doubts when you want to put a front-end server in the DMZ...

Last but not least, we will always recommend putting in ISA rather than opening ports. This is also the recommended way from MSFT.
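As an added example (not from the original post), here is a Python check that compares the TCP listeners from a `netstat -an` dump against the port list above, so you can see which documented ports the server actually exposes and which listeners are not on the list before deciding what to open on the firewall or towards the DMZ. The netstat output embedded below is constructed; run `netstat -an` on the Exchange server and feed the real output to audit_listeners.

```python
import re

# Ports as listed in the post (Exchange 2000/2003 with Active Directory).
EXCHANGE_PORTS = {
    389: "LDAP",
    636: "LDAP/SSL",
    379: "LDAP (Site Replication Service)",
    390: "LDAP (Exchange 5.5 alternate port)",
    3268: "Global catalog",
    3269: "Global catalog/SSL",
    143: "IMAP4",
    993: "IMAP4/SSL",
    110: "POP3",
    995: "POP3/SSL",
    119: "NNTP",
    563: "NNTP/SSL",
    80: "HTTP (OWA)",
    443: "HTTP/SSL",
    25: "SMTP",
    691: "SMTP/LSA (routing engine)",
    102: "X.400 MTA",
    135: "MS-RPC locator",
    53: "DNS",
}

# Matches a Windows "netstat -an" TCP line in the LISTENING state; group 2 is the port.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

# Constructed sample of "netstat -an" output; a real dump will be much longer.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:691            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:25            10.0.0.9:4312          ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""


def listening_tcp_ports(netstat_output):
    """Extract the set of TCP ports in LISTENING state from netstat -an text."""
    ports = set()
    for line in netstat_output.splitlines():
        match = LISTEN_RE.match(line)
        if match:
            ports.add(int(match.group(2)))
    return ports


def audit_listeners(netstat_output, expected=frozenset(EXCHANGE_PORTS)):
    """Split listeners into documented, undocumented, and documented-but-not-listening."""
    listening = listening_tcp_ports(netstat_output)
    return {
        "documented": sorted(listening & expected),
        "undocumented": sorted(listening - expected),
        "not_listening": sorted(expected - listening),
    }


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_NETSTAT)
    for port in report["documented"]:
        print(f"listening, documented  : {port:5d}  {EXCHANGE_PORTS[port]}")
    for port in report["undocumented"]:
        print(f"listening, NOT in list : {port:5d}  (investigate before opening)")
    for port in report["not_listening"]:
        print(f"in list, not listening : {port:5d}  {EXCHANGE_PORTS[port]}")
```

The "undocumented" bucket is the one to review before any firewall change: in the constructed sample it is port 1433, which is not an Exchange port at all. The "not listening" bucket is also useful, since a port that is closed on the server need not be opened on the firewall.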

What do you need to know before choosing InterOrg Migration

Something to keep in mind before we go into the migration phase (InterOrg…).

What Exchange migration does

The Migration Wizard performs the following tasks:

  • Migrate all mailbox information to the new Exchange mailboxes, including the following data:
      • Inbox
      • Drafts
      • Sent Items
      • Calendar
      • Tasks
      • Custom folders that were created by the mailbox owner
      • Contacts
  • Create new user accounts in Active Directory (if they do not already exist) based on the Exchange 5.5 accounts in the source organization; you can choose this during that step.
  • Migrate X.400, Simple Mail Transfer Protocol (SMTP), cc:Mail, Microsoft Mail, and other e-mail addresses into the e-mail addresses attribute of the new user account in Active Directory.
  • Convert Active Directory contacts to mail-enabled user accounts in Active Directory (if these contacts have been created with the Active Directory Connector) when you migrate from Exchange 5.5. If a contact has been manually created in the target Active Directory and a mailbox that has the same alias is migrated, a new disabled user account with a 1 appended to the name is created in Active Directory. The original contact remains unchanged. Only contacts that are created by the ADC are converted into mail-enabled user accounts by the Migration Wizard.
  • Update Exchange Server 2003 group membership when you migrate from Exchange 5.5. However, Exchange 5.5 distribution lists are not migrated. For example, if a distribution group in Active Directory contains contacts, during a migration procedure these contacts may be converted to user accounts that are turned off, and the distribution group in Active Directory is updated to reflect this change.

Other important things to know!

What Exchange migration does not do:

The Migration Wizard is not designed to perform the following tasks:

  • Clean up or remove mailboxes in the source organization. The original mailboxes in the source organization continue to receive messages after the migration process is complete. You must delete the original mailboxes, or configure other recipients that point to the new mailboxes that are hosted in the target Exchange organization.
  • Migrate custom recipients. The Migration Wizard creates contacts from custom recipients. However, if the ADC is configured and you delete the mailbox, a custom recipient will be created in Exchange 5.5.
  • Preserve ACLs. The Migration Wizard does not preserve ACLs to other mailboxes or public folders.
  • Migrate mailboxes in the same organization. The source organization from which you migrate mailboxes must be different from the target organization.
  • Migrate personal mail archives or personal address books.
  • Migrate distribution lists. Export the distribution lists, and then use the LDIFDE or CSVDE command-line utilities to convert them.
  • Migrate Inbox rules. After you use the Migration Wizard to migrate mailbox information, the mailbox owners must re-create their Microsoft Outlook Inbox rules.
  • Migrate public folders. You can migrate public folders by exporting them to .pst files or by using the Inter-organization replication utility, which sounds like PFMigrate.

Have fun! Please remember, we will always recommend that a large organization go for IntraOrg unless there are political or technical issues, e.g. a change of company name.

Modify attributes in Exchange 2003 that were previously possible in 5.5

Previously, in Exchange 5.5, there were many more attributes that could be entered in the Exchange 5.5 Administrator. However, those attributes were taken off the user interface in Exchange 2000 and 2003: they are still stored as attributes but not shown. A good example is the Assistant attribute.

For those who would still like those entries to be published and altered:

To let users update attributes on their own accounts against the server that is running Microsoft Exchange 2000 Server or Microsoft Exchange Server 2003, follow these steps:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the Domain container, and then click Delegate Control.
  3. Click Add, click the special account Self, click OK, and then click Next. 
  4. Click to select the Create a custom task to delegate check box, and then click Next. 
  5. Click to select the Only the following objects in the folder check box, click User objects in the list, and then click Next. 
  6. Click to select the Property-specific check box, set each attribute that you want your users to modify, and then click Next. 
  7. Click Finish.

Users can now use Galmod32 or the Windows Search applet to update their information in Active Directory.

The permissions on your user account determine the global address list entries that you can modify. If you have Domain Users permissions, you can modify the following fields in your own global address book entry:

  • Address
  • City 
  • Business Phone Number
  • State
  • Fax
  • Home Phone Number
  • Mobile Phone Number
  • Notes 
  • Office
  • Pager
  • Zip Code

If you have Domain Administrator permissions, you can modify the following fields:

  • Assistant
  • Company
  • Country
  • Department
  • Title

Note: The Country attribute is not displayed as a text box in the Active Directory Users and Computers snap-in. When you use GAL Modify to change the Country attribute, the changes are displayed in the Outlook Address Book instead of in the user attributes in the Active Directory Users and Computers snap-in.

For more information, see Microsoft KB article 272198.

Vista

First of all, XP has Home & Professional editions; how about Vista? It has six editions, yes, 6! Four aim at normal users, two aim at the enterprise. They consist of Vista Starter, Vista Home Basic, Vista Home Premium, and Vista Ultimate; for business, Vista Business and Vista Enterprise.

1) It should come with Windows Media Center Edition, which includes DVD playback, authoring and even burning!
2) Can view and flip windows in 3D!
3) New Sidebar, which can show news, RSS feeds, stock prices, weather... on your desktop!
4) Monitor normal users' Internet use with a content filter: porn websites, even IM!
5) ShareView, some sort of P2P technology, e.g. sharing PowerPoint
6) Easier to deploy for enterprise users
7) Admin prompt when doing administrative tasks (e.g. installing applications), which solves the problem of giving admin rights to normal users
8) Secure Startup: users need to plug in the USB drive holding the encrypted file for Vista to start up!
9) Security, definitely

That's what I can think of; for those who would like to add on or modify, go ahead and share among the group.