Sunday, December 30, 2012

Access Denied When Deleting Hyper-V VM Files

I have a test environment set up using Hyper-V. I regularly add and remove virtual machines from this Hyper-V host. When you delete a virtual machine in the Hyper-V Management console, it does not delete the files. You need to delete the files manually afterwards.

A significant percentage of the time, I receive an Access Denied message when deleting the VM files. Even though the VM is deleted, I cannot remove the files. This happens because Hyper-V has locked the files.

To unlock the files and allow the files to be deleted you can:
  • Restart the Hyper-V host
  • Restart the Hyper-V Virtual Machine Management service on the host
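The second option, restarting only the Virtual Machine Management service, is the one to reach for on a host with other VMs running. The script below is an added example (not from the original post): it tries to remove the folder of a deleted VM, and if the delete fails it restarts the vmms service and tries once more. The folder path is an assumption; point it at the folder that is refusing to delete.

```powershell
# Added example, not part of the original post. $VmFolder is an assumed path.
param(
    [string]$VmFolder = 'D:\Hyper-V\OldTestVM'   # assumed path; adjust to your host
)

function Remove-VmFolder {
    param([string]$Path)
    try {
        Remove-Item -Path $Path -Recurse -Force -ErrorAction Stop
        return $true
    } catch {
        # Access denied / file in use both land here while Hyper-V holds the handles
        Write-Warning "Could not remove ${Path}: $($_.Exception.Message)"
        return $false
    }
}

if (Remove-VmFolder -Path $VmFolder) {
    Write-Host "Removed $VmFolder"
} else {
    # Restarting vmms (Hyper-V Virtual Machine Management) releases the locks
    # without rebooting the host. Running VMs are not stopped by this.
    Restart-Service -Name vmms -Force
    Start-Sleep -Seconds 10
    if (Remove-VmFolder -Path $VmFolder) {
        Write-Host "Removed $VmFolder after restarting vmms"
    } else {
        Write-Warning "Still locked. Check whether another VM references $VmFolder, or restart the host."
    }
}
```

Run it from an elevated PowerShell prompt on the host; Restart-Service needs administrator rights.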

Saturday, December 15, 2012

PowerShell 3 breaks Exchange 2007/2010

PowerShell 3.0 is now available for Windows Server 2008 and Windows Server 2008 R2 as an optional update in Windows Management Framework 3.0. Do not install this on your Exchange 2007/2010 servers or any workstations with the management tools for Exchange 2007/2010.


Symptoms include the inability to install rollup updates and some cmdlets not functioning properly.

The updates to avoid are:
  • KB2506146
  • KB2506143
For more information, see The Exchange Team Blog:
UPDATE: Feb 11, 2013
Exchange 2010 SP3 has been released and enables support for running on Windows Server 2012. I have not yet tested it, but since Windows Server 2012 has PowerShell v3 installed, this SP should also allow PowerShell v3 to be installed on other versions of Windows Server.
UPDATE: Nov 27, 2013
I have Exchange 2010 SP3 running on Windows Server 2012 with all updates. I was playing yesterday and noticed that EMS loads by using the -version 2.0 switch. If you try to kick it over to use version 3.0, it's not happy. Don't do that!

Thursday, December 6, 2012

Removing a Virus from Startup with Autoruns

My experience lately has been that many viruses/malware only infect the profile of the user that was logged on at the time of infection. This is due mostly to the security of the operating system and browser which generally limit activity to the user profile. However, even older XP machines with users running as a local administrator benefit when the malware assumes that it needs to infect the user profile rather than system files.

If malware is limited to a profile, it makes removal of the malware much easier. Log off as the infected user and log on as a user that is not infected. If the malware is only in the user profile this is just as effective as scanning the hard drive externally from another computer.

Today I had the pleasure of dealing with System Progressive Protection. It is very aggressive fake antivirus software. Once it is in the system, you can't run most tools because it blocks them. However, it was limited to the user profile. When I logged on as another user the system was fine.

My preferred tool for removing this type of malware is MalwareBytes Antimalware (http://www.malwarebytes.org). It removes most of the malware that many antivirus programs miss. In this case it picked off some instances of System Progressive Protection, but when I logged on as the original user the malware was still there.

To identify the startup of this malware I used the Autoruns tool from Microsoft (http://technet.microsoft.com/en-ca/sysinternals/bb963902.aspx). Autoruns shows all of the potential startup locations for an application and goes well beyond the locations shown in MSConfig. You can run this tool as one user, but view the autoruns for another user. This is what allowed me to find the location of the malware.

In autoruns, in the runonce key for the infected user, there was a path that pointed to a location in the Application Data folder of the All Users profile. When I went to view the files, they were created with today's date. So, I removed the runonce key and all was good.

Just to test it out, I updated the definitions in MalwareBytes (they update several times per day) and scanned the folder. The folder came up clean even though it was obviously the source of the malware. Not only was the malware no longer running, but when you browsed to the files in Explorer, they displayed with the same icon as the malware used in the system tray. Lucky me, I found a variation of System Progressive Scan that wasn't recognized yet.
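Autoruns is the right tool for this, but the specific check that found the malware above (a Run or RunOnce entry in another user's hive pointing into a profile data folder) can also be scripted. The following is an added example, not from the original post or from Sysinternals: it lists the Run and RunOnce entries of every user hive loaded under HKEY_USERS and flags commands that live under Application Data, ProgramData or a Temp folder. The "suspicious" heuristic is a constructed one for illustration; it reports only and does not remove anything. Run it from the uninfected account; the infected user's hive is loaded while that user is logged on, or after you load their NTUSER.DAT with reg load.

```powershell
# Added example, not from the original post. Reports only; nothing is deleted.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
# Constructed heuristic: startup commands stored in profile data folders deserve a look
$suspectPatterns = '*Application Data*', '*ProgramData*', '*AppData\Local\Temp*', '*\Temp\*'

function Get-UserRunEntries {
    $results = @()
    $hives = Get-ChildItem -Path HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        foreach ($sub in $runKeys) {
            $keyPath = "HKU:\$($hive.PSChildName)\$sub"
            if (-not (Test-Path -Path $keyPath)) { continue }
            $key = Get-Item -Path $keyPath
            foreach ($name in $key.GetValueNames()) {
                $command = [string]$key.GetValue($name)
                $suspicious = $false
                foreach ($pattern in $suspectPatterns) {
                    if ($command -like $pattern) { $suspicious = $true }
                }
                $results += New-Object PSObject -Property @{
                    Sid        = $hive.PSChildName
                    Key        = Split-Path -Path $sub -Leaf
                    Name       = $name
                    Command    = $command
                    Suspicious = $suspicious
                }
            }
        }
    }
    $results
}

function Resolve-Sid([string]$sid) {
    # .DEFAULT and unresolvable SIDs are returned unchanged
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }
}

Get-UserRunEntries |
    Select-Object @{ Name = 'User'; Expression = { Resolve-Sid $_.Sid } }, Key, Name, Command, Suspicious |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

Anything flagged still needs the same confirmation the post describes (file dates, icons, a scan once definitions catch up) before you remove the key; the flag only tells you where to look.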

Tuesday, November 13, 2012

Configuring Shaw Business POP Accounts

Shaw provides easy to find documentation for their consumer side POP email. The configuration for the business service is a little harder to come by.

Configuration information:
  • incoming and outgoing server: mail.shawcable.com
  • username: your email address, including the domain
  • outgoing port: 25 (587 is not supported)

Windows 8 Jump Start Videos

Microsoft has published some Windows 8 Jump Start videos that are intended for IT professionals to overview new features of Windows 8. Basically, if you are already familiar with Windows 7, these videos highlight differences. You're not going to see basics of Windows.

The videos available are:
  • Tips and Tricks for IT Pros -  Mostly user interface stuff
  • Windows 8 Deployment
  • Access to Windows - Virtualization such as Windows To Go, VDI, and Client Hyper-V
  • Anywhere Productivity - Multi-device management and roaming between them
  • Windows Apps - Sideloading apps is in this one.
  • Recovery and Security - Includes UEFI, Secure Boot, and the Diagnostics and Recovery Toolset (DaRT).
Note: These are all relatively large videos to download. They range between 1.4 and 2.6 GB.

Download the videos here:

Wednesday, November 7, 2012

How to Locate a Rogue DHCP Server on an SBS Network

If you use Windows Small Business Server, you may not realize it has an odd quirk. When the DHCP server on an SBS server sees communication from another DHCP server, the DHCP server on SBS shuts down. I suspect this is an attempt to be a good network citizen and get out of the way if DHCP is not required from SBS. Basically, in case you didn't know how to configure DHCP on your network, SBS gets it out of the way.

Unfortunately the times I see the DHCP server shut down in SBS is when a rogue DHCP server is introduced to the network. Typically this occurs when users bring in a home router to use as a wireless access point or a switch. They often don't realize that DHCP is enabled on these devices.

How do you identify a rogue DHCP server?

The most common symptoms of a rogue DHCP server on an SBS network are:
  1. The DHCP service on the SBS server stops.
  2. Computers are getting an incorrect IP address or DNS server.

How do you find the rogue DHCP server?

If you are lucky you are aware of new devices brought into the network. Based on this information you may be able to track down the bad device. However, in most cases, you don't know about new devices. So, what steps can we follow to track this sucker down:
  1. In the System event log on the SBS server there will be an event generated when the DHCP service is stopped.  Event 1053 with the Source DHCP-Server indicates the IP address for the rogue DHCP server.
  2. Try connecting to the IP address with a web browser. If this is a home router or WAP brought into the office, it will probably have a web site for configuration. At the very least this might help you identify the brand of device and indicate what you physically need to be looking for.
  3. Try to ping the IP address of the rogue DHCP server. If you are lucky it responds back. Then use arp -a to list the MAC address of that IP address.
  4. If you have web-managed switches, you can log on to the web site for your switches and identify the port that the MAC address is attached to. That will give you the location of the offending device.
  5. If you don't have web-managed switches, you can use the MAC address to identify the vendor of the equipment causing the issues. Then at least you know what brand of equipment you are looking for.
You can look up vendors from MAC addresses here:
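Steps 1 and 3 above can be automated so you get the address, the MAC and the OUI in one go. The script below is an added example (not from the original post): it reads the DHCP-Server 1053 events from the System log on the SBS server, pulls the first IPv4 address out of each message (assumption: the message text contains the rogue server's address, as the post describes), pings it so the ARP cache is populated, and reads the MAC address from arp -a. The ARP lookup only works when the SBS server and the rogue device are on the same subnet.

```powershell
# Added example, not from the original post. Run on the SBS server.
function Get-RogueDhcpAddresses {
    # Assumption: source string is "DHCP-Server" in the classic System log view
    # and the 1053 message text includes the offending server's IPv4 address.
    $events = Get-EventLog -LogName System -Source 'DHCP-Server' -Newest 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1053 }
    $events | ForEach-Object {
        if ($_.Message -match '\b(\d{1,3}\.){3}\d{1,3}\b') {
            New-Object PSObject -Property @{ Time = $_.TimeGenerated; Address = $matches[0] }
        }
    } | Sort-Object Address -Unique
}

function Get-MacForAddress([string]$ip) {
    # Ping first so there is an ARP entry to read (same-subnet only)
    $alive = Test-Connection -ComputerName $ip -Count 2 -Quiet
    $arpLine = arp -a | Where-Object { $_ -match "^\s*$([regex]::Escape($ip))\s" } | Select-Object -First 1
    $mac = $null
    if ($arpLine -and ($arpLine -match '([0-9a-f]{2}-){5}[0-9a-f]{2}')) { $mac = $matches[0] }
    # The first three octets are the OUI, which identifies the hardware vendor
    $oui = if ($mac) { ($mac -split '-')[0..2] -join '-' } else { $null }
    New-Object PSObject -Property @{ Address = $ip; Responds = $alive; Mac = $mac; Oui = $oui }
}

$rogues = Get-RogueDhcpAddresses
if (-not $rogues) { Write-Host 'No DHCP-Server 1053 events found in the System log.' }
foreach ($r in $rogues) {
    $info = Get-MacForAddress -ip $r.Address
    $info | Format-List Address, Responds, Mac, Oui
    # Step 2 of the post: the device's web page usually gives away the brand
    Write-Host "Try http://$($r.Address)/ in a browser and look up OUI $($info.Oui) in a MAC vendor database."
}
```

With the MAC in hand you can search your managed switches for the port it sits on, or at least narrow the hunt to one vendor's gear.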

Sunday, November 4, 2012

Using a Calculated Property to Display Group Membership

A forum recently had a question about obtaining a list of contacts and their group membership in a CSV file. At first I figured the person was just lazy and hadn't done a bit of basic research. However, it turned out to be a bit more complicated than I expected.

I ran into two issues:
  1. Get-Contact does not return group memberships for contacts. The good news is you can work around this by using Get-ADObject -Filter {ObjectClass -eq "contact"} -Properties MemberOf.
  2. The MemberOf attribute is returned as an array which does not export properly to a CSV file. For this you need to create a new calculated property that is a string.
The final result was this:
Get-ADObject -Filter {ObjectClass -eq "contact"} -Properties MemberOf | Select-Object Name,@{Name='Groups';Expression={$_.MemberOf -join ";"}} | Export-CSV C:\contacts.csv

Let's break this down a bit:
  • The -Properties parameter is used to specify an AD attribute that you want to retrieve for an object. By default, the Get-ADObject retrieves only a default set of attributes. You need to use -Properties to get more than that. You can use -Properties * to get all attributes.
  • The Select-Object cmdlet limits the properties collected for each contact. It prunes them down to the Name property and a new calculated property, Groups.
  • The creation of calculated property Groups is within the @{}. This Name='Groups' defines the name. The Expression={} defines the value of the property. In this instance, it takes each instance of the MemberOf array and joins it together into a single value separated by a semicolon. Each contact will have a single Groups attribute with a single value which is a long concatenated list of the groups that contact is a member of.
  • Export-CSV dumps the list of contacts and their group memberships to a CSV file that is easy to sort in Excel.
The original question in the forum was actually about obtaining a list of contacts that were not members of a group. That was actually easier:
Get-Contact -Filter {MemberOfGroup -eq $null}
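The calculated-property technique generalizes: you can build as many of them as you like in the same Select-Object. As an added example (not from the original post), the script below keeps the Groups column but shortens each DN to its CN so the column is readable, adds a GroupCount column, and then uses that count to answer the original forum question (contacts with no group membership) from the same result set. The output path is an assumption.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ContactGroupReport {
    Get-ADObject -Filter { ObjectClass -eq 'contact' } -Properties MemberOf |
        Select-Object Name,
            # Empty MemberOf must count as 0, so filter out nulls before counting
            @{ Name = 'GroupCount'; Expression = { @($_.MemberOf | Where-Object { $_ }).Count } },
            # Trim each DN ("CN=Sales,OU=Groups,DC=...") down to its CN for the CSV
            @{ Name = 'Groups'; Expression = {
                ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ';'
            } }
}

$report = Get-ContactGroupReport
$report | Export-Csv -Path C:\contacts.csv -NoTypeInformation   # assumed output path

# Contacts that are not a member of any group
$report | Where-Object { $_.GroupCount -eq 0 } | Select-Object Name
```

The DN trimming splits on the first comma, which is fine for ordinary group names; a CN that itself contains an escaped comma would be cut short.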

Friday, November 2, 2012

iOS 6.0.1 Update Fixes ActiveSync Bugs on iPhone 5

Over the last few weeks I've seen a number of reports of iPhone 5 devices causing problems with Exchange meetings when connected with ActiveSync. Apple has released an update that addresses this problem.

See details here:
I have also seen reports of Autodiscover not working properly with iPhone 5 unless it uses the autodiscover.domain.com format for the Autodiscover host. There is no mention of that being fixed.

Tuesday, October 30, 2012

Forcing Offline Address Book Updates

Recently a client was having issues with their offline address book (OAB). It hadn't been updating for several weeks. In this case, the source of the problem turned out to be that the System Attendant service was stopped. This prevented generation of the OAB. However, as part of the testing process, I attempted to force an update of the OAB and that is how I found the error.

To update the OAB, you need to follow a multistep process:
  1. Generate a new OAB.
  2. Distribute the new OAB to the client access server.
  3. Force the Outlook client to obtain the updated OAB from the client access server.
Normally the update process is done automatically and takes approximately 24 hours to complete. The detailed steps for forcing OAB update are below.

To generate a new OAB:
  1. In the Exchange Management Console, browse to the Mailbox node in the Organization Management workspace, and select the Offline Address Book tab.
  2. Right-click the Default Offline Address Book and click Update.
  3. In the Update dialog box, click Yes to acknowledge that it may take several minutes.
To distribute the new OAB to the client access server:
  • Restart the Microsoft Exchange File Distribution service, or
  • Run Update-FileDistributionService ServerName -Type OAB
To force the Outlook client to obtain the updated OAB from the client access server:
  1. In Outlook 2010, click the Send/Receive tab.
  2. Click Send/Receive Groups and click Download Address Book.
  3. In the Offline Address Book dialog box, click OK to download the address book.
**If your Outlook 2010 client has multiple Exchange accounts the OAB that is updated is based on the mailbox you were in when you performed the update. You need to select a folder in the appropriate mailbox before downloading the OAB.

Monday, October 29, 2012

Additional Mailbox Remains after Full Mailbox Access Removed

Starting in Exchange 2010 SP1, when you are given Full Access to a mailbox, it is automatically added to your Outlook 2010 profile. Normally, I use the Exchange Management Console to add and remove Full Mailbox permissions. This works great for adding, but not so good for removal.

When you use the graphical tool to remove Full Access to a mailbox, it removes your permissions to the mailbox, but it remains in your profile. And just to make it interesting, you can't remove it from Outlook. You'll get an error when you attempt to delete it and it's not visible in the Outlook profile.

The error in Outlook when attempting to close the leftover mailbox:
This group of folders is associated with an e-mail account. To remove the account, click the File Tag, and on the Info tab, click Account Settings. Select the e-mail account, and then click Remove.

The solution is to use the Exchange Management Shell to remove the permissions instead. When you do so, it removes the additional permission that adds the account to your profile.
Remove-MailboxPermission MbxName -User UserWithPermissions -AccessRights Fullaccess

Friday, October 19, 2012

Things I Learned From My Students This Week - Oct 19, 2012

Learning in class is not a one-way experience. A good instructor is going to learn based on the experience of his/her students. Inspired by my students this week, I'm going to start putting up a list of things I learn each week from my students. So, with no further ado, here is this week's list:
  1. Alt+F4 closes the current window. Very handy when you have a ton of windows open and want them all to go away. Just keep whacking Alt+F4. Credit to Doug.
  2. I've always struggled for an example of when a desktop computer would have multiple network connections and therefore possibly have issues with multiple default gateways. This week a student pointed out that laptops could have wireless and wired connections at the same time. Seems obvious now that he said it, but for some reason it never clicked for me before. Credit to Doug.
  3. Snap To option for a mouse automatically moves the mouse pointer to the OK button in a dialog box. I'm not sure whether this is good or evil yet, but I didn't know it existed before this week. Credit to Gord.
  4. If you need to test antivirus software functionality, you can download the EICAR file. It is a file that is not a virus, but will be detected by antivirus software. You can download it from here: http://www.eicar.org/86-0-Intended-use.html. Credit to Mike.
  5. The AHCI for hard drive configuration stands for Advanced Host Controller Interface. Credit to Mario, but fixed after fact check.

Thursday, October 11, 2012

Install the SCOM 2012 Agent with PowerShell

I'm creating some lab activities and we're using the System Center 2012 - Operations Manager SP1. I'm not sure if this is causing our issue or we're just too low on memory in the VM. However, when I attempted to automatically deploy the Operations Manager agent to a Windows 2012 server, it was failing.

If you've deployed the agent before, you know that normally a window opens that shows the deployment process. On my Operations Manager server, this window flickered and then disappeared.

The solution for me in the short term was to use PowerShell to push out the agent. I used the following code:
$mServer = Get-SCOMManagementServer -Name server.domain.local
Install-SCOMAgent -Name target.domain.local -PrimaryManagementServer $mServer
If you have multiple computers that you want to deploy to at the same time, you can provide an array of computer names as a variable for the Name parameter in the Install-SCOMAgent.

Tuesday, October 9, 2012

Security Permissions for Event Log Forwarding

The default configuration for all of the Microsoft documentation related to event log forwarding indicates that you should use security based on the computer account of the computer that is collecting the events. From a security perspective, you need to add the computer account of the collector as an event log reader.
If you are collecting events from the security log, and use this basic configuration, you will get the following error:
Code (0x138C) Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.
This occurs because you need to assign additional permissions to allow the security log to be read by a computer. You need to:
  • Add the Network Service local account to the Event Log Readers Group
  • Modify the Manage auditing and security log User Rights Assignment to include the Network Service local account and the event collector computer account. By default, this includes only the local Administrators group.
After configuring the security permissions, you need to restart the computer that is the source of the events.

As you've seen this is a bit of a hassle. As an alternative, if you have a user account that has local administrative permissions on the event source computer then you can configure the event subscription to use that account instead. A user account with local administrative permissions already has the necessary permissions.
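If you would rather not hand a local administrator account to the subscription, the two permission changes above can be applied on each source computer with a script. The following is an added example, not from the original post or from Microsoft's documentation: it adds Network Service to the local Event Log Readers group, then uses secedit to add Network Service (well-known SID S-1-5-20) and the collector's computer account to the "Manage auditing and security log" right (SeSecurityPrivilege), and finally shows the result. CONTOSO\COLLECTOR$ is a placeholder for your collector's computer account. Run it elevated on the event source computer.

```powershell
# Added example, not from the original post. Run elevated on the event SOURCE computer.
$collector = 'CONTOSO\COLLECTOR$'   # placeholder: the collector's computer account

function Get-AccountSid([string]$account) {
    (New-Object System.Security.Principal.NTAccount($account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Network Service into the local Event Log Readers group
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# 2. SeSecurityPrivilege = "Manage auditing and security log". secedit is the
#    built-in way to edit a user right; its INF format lists accounts as *SID.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
$db  = Join-Path $env:TEMP 'user-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$wanted = @('S-1-5-20', (Get-AccountSid $collector)) | ForEach-Object { "*$_" }
$lines  = @(Get-Content -Path $cfg)
$found  = $false
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^SeSecurityPrivilege\s*=') {
        $found = $true
        foreach ($sid in $wanted) {
            if ($lines[$i] -notlike "*$sid*") { $lines[$i] += ",$sid" }
        }
    }
}
if (-not $found) {
    # No explicit line: keep the default (local Administrators, S-1-5-32-544) and add ours
    $lines = $lines | ForEach-Object {
        $_
        if ($_ -eq '[Privilege Rights]') { "SeSecurityPrivilege = *S-1-5-32-544,$($wanted -join ',')" }
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# Verify both changes
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-Content -Path $cfg | Select-String -Pattern '^SeSecurityPrivilege'
net localgroup "Event Log Readers"
# As the post says, the source computer still needs a restart before forwarding works.
```

The secedit round trip reads the current policy, appends the two SIDs only if they are not already present, and writes it back, so the script is safe to run more than once.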


Friday, October 5, 2012

BCDedit Weirdness from PowerShell

I've started to standardize on using PowerShell instead of a command prompt for most activities, but every once in a while I run into odd things that don't work properly from the PowerShell prompt.

Today I'm doing some development on a course and it requires me to set up a host that boots to VHD. This is actually nice for courses because students work within the VHD rather than the original host OS. In theory, you could have independent classes set up with different VHD files.

Anyway, my issue was changing the description of a boot entry in the Boot Configuration Database with bcdedit. The syntax is this:
bcdedit /set {default} description "20415 Host 1"
However, I was getting the error:
The set command specified is not valid.
When I ran it from a command line it worked. It turns out that this is due to how PowerShell processes the curly braces. In PowerShell these are special characters. So, you can run it in PowerShell, but you need to escape the curly braces with backticks like this:
bcdedit /set `{default`} description "20415 Host 1"
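PowerShell 3.0 added a second way around this that avoids escaping altogether: the stop-parsing token, --%, which hands everything after it to the external command verbatim. Both forms are shown in this added example (not from the original post), followed by an enumeration of the entry so you can confirm the description changed.

```powershell
# Added example, not from the original post.

# Backtick escape: works in any PowerShell version
bcdedit /set `{default`} description "20415 Host 1"

# Stop-parsing token (PowerShell 3.0 and later): everything after --% goes to
# bcdedit untouched, so the braces need no escaping
bcdedit --% /set {default} description "20415 Host 1"

# Confirm the change (braces escaped again, since --% is not in use here)
bcdedit /enum `{default`}
```

Either way, bcdedit needs an elevated prompt.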

Reducing Memory Usage for Symantec Mail Security

We have many clients using Symantec Mail Security for AV and Spam scanning for Exchange. The software is memory intensive and can cause problems on older implementations of Exchange 2003 where there is limited memory on the server. Each scan process (SAVFMSESp.exe) can use quite a bit of memory and there are multiple threads.

There are two ways to reduce memory utilization:
  1. Reduce the number of scanning processes. I've seen each process consuming up to 400 MB of memory. So, fewer processes is better. The default is 3. In low volume environments, I've reduced this to 2 processes with no issues. Do this in the Mail Security for Microsoft Exchange Console on the Admin tab.
  2. Reduce the memory used by each process. In the default configuration, each process uses as much memory as it likes and doesn't give it back. This makes sense on a busy server where that memory is in constant use, but on a relatively quiet server, you want that memory back for other processes. There are registry keys that you can use to set this.
To reduce the memory used by each thread on a 32-bit system, create the following keys as a DWORD in HKLM\Software\Symantec\SMSMSE\6.5\Server\Components\NaveSp\:
  • ProcessUpperMemoryLimitInMB. This key specifies the base memory usage for the thread. The thread can use more memory than this when actively processing, but it returns to this level. This value should not be set below 100MB. I typically use 128MB.
  • ProcessMemoryCheckTimeInMin. This key specifies when the memory utilization of the threads is reduced. If you do not create and set this key, the default value is 5 minutes.

After changing the registry keys, you must restart Mail Security for Exchange.
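The registry changes and the service restart can be done from PowerShell in one pass. The script below is an added example, not from the original post or from Symantec: it creates the two DWORD values described above with the values the post recommends under the 32-bit path, restarts the product service, and then lists the working set of each SAVFMSESp.exe process so you can see the effect. Locating the service by its display name is an assumption; check with Get-Service if it does not match. On a 64-bit host, substitute the path from Symantec's reference post.

```powershell
# Added example, not from the original post or from Symantec.
$keyPath = 'HKLM:\Software\Symantec\SMSMSE\6.5\Server\Components\NaveSp'   # 32-bit path from the post
$settings = @{
    ProcessUpperMemoryLimitInMB = 128   # base memory per scan process; do not go below 100
    ProcessMemoryCheckTimeInMin = 5     # how often usage is trimmed back; 5 is the default
}

function Set-SmsmseMemoryLimits {
    param([string]$Path, [hashtable]$Values)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        # -PropertyType DWord creates a REG_DWORD; -Force overwrites an existing value
        New-ItemProperty -Path $Path -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
    Get-ItemProperty -Path $Path | Select-Object ProcessUpperMemoryLimitInMB, ProcessMemoryCheckTimeInMin
}

Set-SmsmseMemoryLimits -Path $keyPath -Values $settings

# Restart so the new limits take effect (assumes the display name starts with the product name)
Get-Service -DisplayName 'Symantec Mail Security*' | Restart-Service -Force

# Per-process working set after the restart; check again once the check interval has passed
Get-Process -Name SAVFMSESp -ErrorAction SilentlyContinue |
    Select-Object Id, @{ Name = 'WorkingSetMB'; Expression = { [int]($_.WorkingSet64 / 1MB) } }
```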

Reference post from Symantec includes the path for 64-bit systems if required:

Wednesday, October 3, 2012

Exchange 2003 Wrong Mapi32.dll

We are not sure how it happened, but a client that is still running Exchange 2003 experienced an issue today where System Manager could not be started. When you started it, there was an error about the incorrect version of mapi32.dll. However, to the best of our knowledge the version of mapi32.dll had not changed.

I did notice that mapisvc.inf had changed this morning and I suspect that was the cause of the wrong mapi32.dll being used. However, we don't know why that file was updated.


The fix was relatively easy: I copied mapi32.dll from C:\Program Files\Exchsrvr\bin to C:\Windows\System32. This is done normally as part of the Exchange 2003 installation process.

Full text of the error was:
Exchange detected that "c:\windows\system32=MAPI32.DLL" is not the
correct version required to run Exchange System Manger or Exchange Server
2003. This may cause failures in Exchange System Manager, affect
availability of your server, or both. For more information see Microsoft
Knowledge Base article Q266418 at http://support/microsoft.com
In most cases, this error is the result of installing Outlook on an Exchange 2003 server and the Outlook mapi32.dll overwrites that from Exchange. That was not the case here.

For more information:

Monday, October 1, 2012

Grid Lines in RDP Session from Windows 2003 to Windows 2008 R2

In the midst of doing a server migration I was using RDP from a Windows 2003 server to a Windows 2008 R2 server. When I connected, there were annoying grid lines that made it awkward to read the screen. Easy fix though. Just download a newer version of the RDP client for Windows 2003.

Saturday, September 22, 2012

Filtering for $null Values with Get-ADUser

Get-ADUser includes a -Filter parameter that lets you define queries for users with specific characteristics. Today I was trying to figure out how to filter for $null values. Here is my example of why you might care to do this.

Let's say that in your organization, that you always set the Department attribute to match the department that users work in. This could be required for dynamic groups or address books. You've just created 100 new users, but forgot to configure the department. You need to make a query for all of the users without a department configured.

My first attempt was this:
Get-ADUser -Filter {company -eq $null}
However, this generates an error. You can't use $null in a filter.

What finally worked was this:
Get-ADUser -Filter {company -notlike "*"}
This gets a list of users where the company attribute is not like anything.

I should also note that if you try to query for not equal (-ne) then it will skip $null values when comparing. The above example is the only way that I know of to get $null values.

Update Apr 2017:
A quick note that the corollary of the above is that when you want to query objects with any value set, you can filter for -like "*". I recently used this in a script where I only wanted users with values in the proxyAddresses property that I wanted to copy to the UPN.
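Both halves of this post, -notlike "*" for the empty attribute and -like "*" for the populated one, are put to work in the added example below (not from the original post). The first function returns the users from the Department scenario above; the second returns users that do have proxyAddresses and pulls the primary SMTP address out of the list, then reports the ones whose UPN differs from it. It reports only and changes nothing; the output path is an assumption.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Users with no Department: -notlike "*" is the test that works for an empty attribute
function Get-UsersWithoutDepartment {
    Get-ADUser -Filter { Department -notlike "*" } -Properties Department |
        Select-Object SamAccountName, Name, DistinguishedName
}

# The corollary: -like "*" returns only objects where the attribute is populated.
# Here it selects users with proxyAddresses and extracts the primary SMTP address
# (the entry prefixed with upper-case SMTP:, hence the case-sensitive -clike).
function Get-UsersWithProxyAddresses {
    Get-ADUser -Filter { proxyAddresses -like "*" } -Properties proxyAddresses |
        Select-Object SamAccountName, UserPrincipalName,
            @{ Name = 'PrimarySmtp'; Expression = {
                ($_.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1) -replace '^SMTP:', ''
            } }
}

$missing = Get-UsersWithoutDepartment
Write-Host "$(@($missing).Count) users have no Department set"
$missing | Export-Csv -Path C:\no-department.csv -NoTypeInformation   # assumed output path

# Users whose UPN does not match their primary SMTP address (candidates for the UPN update)
Get-UsersWithProxyAddresses |
    Where-Object { $_.PrimarySmtp -and ($_.PrimarySmtp -ne $_.UserPrincipalName) } |
    Select-Object SamAccountName, UserPrincipalName, PrimarySmtp
```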

Monday, September 17, 2012

Windows Server 2012 Editions

The editions for Windows Server 2012 are a lot different than they were for Windows Server 2008. For mid-sized and larger organizations, there are only two editions.
  • Standard Edition license. For up to 2 processors and two virtual machines.
  • Datacenter Edition license. For up to 2 processors and unlimited virtual machines.
The only difference between these two licenses is the number of virtual machines you can use the license on. There is no functional difference between Standard and Enterprise editions. Standard edition now includes features such as failover clustering that were previously included only in Enterprise and Datacenter editions.

There are also no limitations on memory based on edition.

So, if you are going to run Windows Server 2012 directly on hardware, there is no difference between Standard and Datacenter editions. So, it makes sense to use Standard edition.

If you are going to run lots of VMs on a 4 processor server, then it probably makes sense to buy 2 Datacenter licenses (2 processors each) and be licensed for an unlimited number of VMs on that server.

There is some middle ground where it may be worth your while to run two Standard licenses on a 2 processor server for 4 VMs instead of a single Datacenter edition, but you'll need to do the math on that based on pricing from your reseller.

Microsoft has an FAQ here:

Editions for Small Business

There are also two editions for small business:
  • Windows Server 2012 Essentials. This edition is meant to replace Small Business Server 2011. It has some of the nice automated stuff found in SBS, but no longer has Exchange Server. It is assumed that clients will use a cloud-based service such as Office 365 for email. Up to 25 users can connect to an Essentials server. No user CALs are required.
  • Windows Server 2012 Foundation. This edition is available only from OEMs and is limited to 15 users. It is meant to be a basic file and print server that is very inexpensive. It does not support being a Hyper-V host.
A list of editions and the limitations can be found here:

Sunday, September 16, 2012

Importing a PST containing IMAP Folders

I've done lots of work with PST files in the past, but recently got caught by surprise when we imported PST files that had been used by IMAP accounts as part of a migration to Exchange Server 2010. When you import a PST from an IMAP account, there are special IMAP views applied to the folders that prevent cached mailboxes from working properly. Basically, the view prevents Outlook from properly determining the presence of new messages.

We identified this problem because users started to complain about copying items into subfolders and the items were not appearing in the new folders. When we viewed the mailbox in OWA, we could see the items. If you view the properties of the folder in Outlook, on the General tab, it shows that the folder contains IMAP items.

The fix for this is to change the type of folder so that Outlook uses the correct view and synchronizes the folder properly. You need to edit the folder properties in the Exchange database by using ExFolders.

The high level process is:
  1. Give yourself FullMailbox access to all mailboxes that need to be fixed.
    • For a single mailbox use the Exchange Management Console.
    • For all mailboxes use the Exchange Management Shell: Get-Mailbox -RecipientTypeDetails usermailbox | Add-MailboxPermission -user (YourAccount) -AccessRights FullAccess
  2. Run ExFolders and connect to the database
  3. Select the Mailboxes you want to update
    • For a single mailbox, select only that mailbox
    • For all mailboxes, select the Mailboxes node
  4. From the Tools menu open the Custom Bulk Operation window.
  5. Search for folders with the PR_CONTAINER_CLASS property (0x3613001E) with a value of IPF.Imap and replace this property with a value of IPF.Note.
    • Overall Filter: (&(0x361001E=IPF.Imap))
    • Operation: Other folder properties, Modify, Property: PR_CONTAINER_CLASS 0x3613001E, Value: IPF.Note
  6. Remove your FullMailbox permissions from the mailboxes.
    • For a single mailbox use the Exchange Management Console.
    • For all mailboxes use the Exchange Management Shell: Get-Mailbox -RecipientTypeDetails usermailbox | Remove-MailboxPermission -user (YourAccount) -AccessRights FullAccess
After the property is updated, the folders should begin working immediately. You can verify by copying some items around and confirming that they are visible in the new location.

In Outlook 2010 (perhaps other versions also) there is a synchronization tab in the Properties of a cached mailbox folder. The tab will not appear for the fixed folders, but synchronization will be successful. A brief test indicated that if the cached mailbox is recreated then the synchronization tab will be added. However, for most scenarios, I consider this only cosmetic and not worth the effort.

I'm not sure whether this will apply to all installations, but on the server I was working with, when I viewed the properties of the folders, the PR_CONTAINER_CLASS property actually had a value of 0x361001F instead of 0x361001E as most documentation indicates. The 0x361001F property is the same property but a Unicode version. When you query and modify 0x361001E, you actually query and modify 0x361001F, which is what you see when browsing the database.

I figured out a lot of this based on the following web page. It has nice detailed step-by-step instructions on how to do this. However, there is a typo where he indicates that the value to search for 0x36100iE, when in fact it is 0x361001E.
Download ExFolders from this link.  Note that it must be installed in the Exchange 2010 bin folder (C:\Program Files\Microsoft\Exchange\v14\bin). There is also a .reg file that needs to be imported.

Tuesday, September 4, 2012

Exchange 2010 Build Numbers

You can use the Exchange Management Console to view the build number for an Exchange 2010 server. This is visible in the Server Configuration node.

Unfortunately, there is no easy pattern to know what service packs or rollup updates have been installed. Fortunately, a list of build numbers and the corresponding service packs and rollup updates is maintained in the Exchange Server documentation.

Exchange Server Build Numbers and Release Dates
There is also a TechNet Wiki article with similar information that seems to be updated a bit faster.

Configuring Time Synchronization for Domain Joined Computers

A Windows-based network with Active Directory relies on time synchronization to allow authentication between computers. All of the domain members must have their time reasonably close to the domain controllers to allow for authentication. In early versions of Active Directory the limit was 20 minutes. I believe it may have been changed to 5 minutes.

In most cases, a domain joined computer is automatically configured to obtain time from the PDC emulator in the domain. This is generally desired and simple. You can verify this configuration by using:
w32tm /query /status
The value listed for Source will be the name of the PDC emulator. If it is configured to use static time sources instead of the PDC emulator, you can reset it to use the PDC emulator with the following:
w32tm /config /syncfromflags:domhier /update
The PDC emulator should be configured to use a reliable time source. In most cases, this will be an NTP time source on the Internet.

The NTP Pool project provides a set of NTP servers that are publicly available as time sources. The benefit of using a pool is that a single NTP server in the pool being offline will not affect your time synchronization. Some of the available pools are:
  • ca.pool.ntp.org
  • us.pool.ntp.org
  • mx.pool.ntp.org
  • uk.pool.ntp.org

To manually specify a time source on your PDC emulator use the following command:
w32tm /config /syncfromflags:manual /manualpeerlist:"ca.pool.ntp.org" /update
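The checks described above can be wrapped in a script that you run on any domain member: it finds the PDC emulator, parses the Source line of w32tm /query /status, re-points the computer at the domain hierarchy if it is not following the PDC emulator, and then measures the offset against the PDC emulator. This is an added example, not from the original post; the parsing of the Source line assumes w32tm reports the peer host name first on that line, with any flags after a comma.

```powershell
# Added example, not from the original post. Run on a domain member.
function Test-DomainTimeSource {
    # No RSAT needed: .NET can locate the PDC emulator for the current domain
    $pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $isPdc = $env:COMPUTERNAME -ieq $pdc.Split('.')[0]
    $status = w32tm /query /status
    $sourceLine = $status | Where-Object { $_ -match '^Source:' } | Select-Object -First 1
    $source = ($sourceLine -replace '^Source:\s*', '').Trim()
    # Assumption: a domain peer is reported as "host,0x9" style; keep only the host part
    $sourceHost = ($source -split ',')[0]
    New-Object PSObject -Property @{
        PdcEmulator = $pdc
        IsPdc       = $isPdc
        Source      = $source
        UsesPdc     = ($sourceHost -ieq $pdc) -or ($sourceHost -ieq $pdc.Split('.')[0])
    }
}

$check = Test-DomainTimeSource
$check | Format-List PdcEmulator, IsPdc, Source, UsesPdc

if (-not $check.UsesPdc -and -not $check.IsPdc) {
    # Same repair the post gives: follow the domain hierarchy again
    w32tm /config /syncfromflags:domhier /update
    w32tm /resync
}

# Offset between this computer and the PDC emulator, 5 samples (skip on the PDC itself)
if (-not $check.IsPdc) {
    w32tm /stripchart "/computer:$($check.PdcEmulator)" /samples:5 /dataonly
}
```

On the PDC emulator itself the Source line should show your manual peer (for example ca.pool.ntp.org), so the script deliberately leaves that computer alone.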
Other useful time resources:

Friday, August 31, 2012

Aug 30, Update Your Java NOW!

Java has a severe security flaw in it that is publicly known and exploited by a number of virus toolkits. Oracle has finally released an update that fixes this flaw. This flaw is severe enough and well known enough that the fix is being released outside of the standard update cycle.

By default, Java does not check for updates daily, so it might be up to a month before your system automatically detects that there is a new update. If you have not already been prompted to update Java, you should do it manually.

  1. In Control Panel, open Java. (you can also type Java from the search box in Start menu to find it)
  2. On the Update tab, click Update Now.
  3. Follow the onscreen instructions.
Reference: https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

Sunday, August 26, 2012

Monitor and Start Critical Services with PowerShell

We have multiple virtual machines running on a single Hyper-V host. Due to resource contention during startup, sometimes not all services start properly on one VM. To resolve this I created a small PowerShell script that checks the status of some specific critical services and, if they are stopped, starts them. I've scheduled the script to run hourly.

$services="MSExchangeADTopology","MSExchangeAntispamUpdate","MSExchangeEdgeSync","MSExchangeFDS","MSExchangeIS","MSExchangeMailboxAssistants","MSExchangeMailSubmission","MSExchangeSA","MSExchangeSearch","MSExchangeServiceHost","MSExchangeTransport","MSExchangeTransportLogSearch"

Foreach ($s in $services) {
    # $s is only the service name, so retrieve the service object before checking its status
    $service = Get-Service -Name $s
    If ($service.Status -ne "Running") {
        Start-Service -Name $s
    }
}
The $services variable contains the list of all the services names that are monitored. The script uses a foreach loop to examine the status of each service and start the service if the status is anything other than Running.
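A watchdog that silently restarts services hides a service that keeps dying. The added example below (not the original post's script) does the same check but records every action in the Application event log, so a monitoring tool or a quick event-log search shows which services needed restarting and how often. The event source name and event IDs are assumptions; the service names are a subset of the ones listed above.

```powershell
# Added example (not the original post's script): restart stopped services and
# log what happened. "ServiceWatchdog" and the event IDs are assumed values.
$services = "MSExchangeADTopology","MSExchangeIS","MSExchangeTransport"
$source   = "ServiceWatchdog"

# The event source must exist before Write-EventLog can use it (needs admin once)
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 1001 `
            -Message "Service '$name' is not installed on this computer."
        continue
    }
    if ($svc.Status -eq "Running") { continue }

    $before = $svc.Status
    try {
        Start-Service -Name $name -ErrorAction Stop
        # Block until the SCM reports Running, or throw a TimeoutException after 60 s
        $svc.WaitForStatus("Running", [TimeSpan]::FromSeconds(60))
        Write-EventLog -LogName Application -Source $source -EntryType Information -EventId 1000 `
            -Message "Service '$name' was $before and has been started."
    } catch {
        Write-EventLog -LogName Application -Source $source -EntryType Error -EventId 1002 `
            -Message "Failed to start service '$name': $($_.Exception.Message)"
    }
}
```

Scheduling it hourly is unchanged from the post; the benefit is that `Get-EventLog -LogName Application -Source ServiceWatchdog` now gives you the history of restarts per service.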

Friday, August 10, 2012

MED-V (Not for Windows 8)

MED-V is a virtualization technology that was enabled by Virtual PC on Windows 7. It had the advantage of presenting applications installed in a Windows XP virtual machine directly in Windows 7. Nice, but not widely used.

In Windows 8, Virtual PC has been replaced by Client Hyper-V. As a consequence, MED-V is not supported on Windows 8. Windows XP Mode, included as part of Windows 7, is also unsupported due to the loss of Virtual PC.

An announcement is here: http://windowsteamblog.com/windows/b/business/archive/2012/06/12/mdop-news-at-teched-north-america-2012.aspx

Thursday, August 9, 2012

PowerShell Cmdlets for Networking
Windows Server 2012 and Windows 8 include PowerShell 3 with some new cmdlets for networking. For me this means the end of netsh for network configuration. It’s not that I ever used netsh much but it was occasionally useful for scripting. The following is a list of what I think will be some useful cmdlets.

Get-NetIPInterface: Queries and displays a list of interfaces on the computer. The list includes the IP addresses associated with an interface. Each interface has an index number that you can use to identify the interface with other cmdlets. So, this is similar to IPConfig /all.

Get-NetIPInterface | Format-List

Set-NetIPInterface: Modifies the configuration of an interface on the computer. You can use this to enable DHCP on an interface.

Set-NetIPInterface -InterfaceIndex 12 -Dhcp Enabled

New-NetIPAddress: Adds an IP address to an interface. It is not possible to change an existing IP address, you must remove and create a new IP address. This cmdlet allows you to set the default gateway and subnet mask.

New-NetIPAddress -InterfaceIndex 12 -IPAddress 172.16.0.50 -DefaultGateway 172.16.0.2 -PrefixLength 24

Set-NetIPAddress: Modifies the configuration of an IP address, such as modifying the prefix length. You cannot modify the default gateway with this cmdlet.

Remove-NetIPAddress: Removes an existing IP address from an interface.

New-NetRoute: Used to add a new route to the local routing table. You can use this to change the default gateway, but you must remember to remove the existing default gateway.

New-NetRoute -InterfaceIndex 12 -DestinationPrefix 0.0.0.0/0 -NextHop 172.16.0.1

Remove-NetRoute: Used to remove routes from the routing table. Remember to include the NextHop parameter or it will remove all routes matching the destination prefix on the interface.

Remove-NetRoute -InterfaceIndex 12 -DestinationPrefix 0.0.0.0/0 -NextHop 172.16.0.5

To view all of the cmdlets that are available for configuring TCP/IP you can use:

Get-Command -Module NetTCPIP

This documentation is not 100% up to date, but you can also check this out:
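The individual cmdlets above are easy to get slightly wrong in sequence: an address cannot be edited in place, and New-NetRoute adds a second default route rather than replacing the first. The added example below (not from the original post) strings them together in the order that works, using the sample interface index and addresses from the list above, and ends with a verification step. Run it elevated on Windows 8 or Server 2012, and from the console rather than a remote session, because the interface drops while the address is swapped.

```powershell
# Added example (not from the original post): move an interface from DHCP to a
# static address and replace the default gateway with the NetTCPIP cmdlets.
# Interface index and addresses are the sample values used in the post.
$ifIndex    = 12
$newAddress = "172.16.0.50"
$prefixLen  = 24
$newGateway = "172.16.0.1"

# Turn DHCP off first so the lease renewal does not undo the static address
Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Dhcp Disabled

# An existing address cannot be modified, so remove any IPv4 address on the interface
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false

# New-NetIPAddress -DefaultGateway adds a default route; it does not replace one.
# Remove the old default route on this interface only, leaving other interfaces alone.
Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $newAddress `
    -PrefixLength $prefixLen -DefaultGateway $newGateway

# Verify: exactly one IPv4 address and one default route should remain on the interface
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 |
    Format-Table IPAddress, PrefixLength
Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix "0.0.0.0/0" |
    Format-Table DestinationPrefix, NextHop, RouteMetric
```

If the verification shows two default routes with different next hops, the old one was not removed and traffic will be split between gateways by metric, which is the symptom the Remove-NetRoute caveat above is warning about.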

Wednesday, August 8, 2012

Prevent Autodiscovery from Using a Pre-production CAS

When you install a Client Access server (CAS) into an existing Exchange environment, an SCP object is created in Active Directory for autodiscover. That object is immediately available in Active Directory and can be located by Outlook clients. If the CAS is not ready, and you've not configured certificates on the CAS yet, then users may start getting the errors about untrusted certificates.

To prevent clients from using the new CAS before it is configured (effectively disabling autodiscover), you can modify the SCP object by using the following cmdlet:

Set-ClientAccessServer ServerName -AutoDiscoverServiceInternalUri $NULL

Later, when the CAS is ready for production, you need to put the correct URI back into the object with the following cmdlet:

Set-ClientAccessServer ServerName -AutoDiscoverServiceInternalUri https://ServerFQDN/Autodiscover/Autodiscover.xml

Thursday, July 26, 2012

Unable to Filter Get-ADUser Based on Distinguished Name

When you are using the Get-AD* cmdlets to generate a list of users or other objects, it is a best practice to use the Filter parameter. When you use the Filter parameter, you pass a filter directly to Active Directory when you run the cmdlet. This is more efficient than retrieving a large list of objects and then filtering them with Where-Object.

I was working through a query with Get-ADUser that would obtain a list of all disabled users from Active Directory except for two or three OUs. To do this, I was trying to use the Filter parameter as shown below.
Get-ADUser -Filter {(enabled -eq $false) -and (distinguishedname -notlike "*cn=users,dc=contoso,dc=com")}
Looks good right? Unfortunately, the filtering based on the distinguished name didn't work. It turns out that you cannot use wildcards when filtering based on the distinguished name. I also tried using the CanonicalName property, but it is a calculated property generated by Get-ADUser. So, CanonicalName cannot be used for a filter. The answer is to use Where-Object.
Get-ADUser -Filter * | Where-Object {($_.enabled -eq $false) -and ($_.distinguishedname -notlike "*cn=users,dc=contoso,dc=com")}
Note that a standard OU would start with ou= rather than cn=. Both the Users container and the Computers container are technically not OUs.
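Using -Filter * and then Where-Object works, but it pulls every user object across the wire just to keep the disabled ones. The added example below (not the original post's query) splits the work: the Enabled test, which Active Directory can evaluate, stays in -Filter, and only the distinguished-name exclusion runs in Where-Object. It also generalizes to a list of excluded containers. The container names are constructed samples.

```powershell
# Added example (not the original post's query): server-side filter on Enabled,
# client-side exclusion of several containers by DN suffix. Names are samples.
Import-Module ActiveDirectory

$excludedContainers = @(
    "CN=Users,DC=contoso,DC=com",
    "OU=Service Accounts,DC=contoso,DC=com",
    "OU=Disabled Users,DC=contoso,DC=com"
)

function Get-DisabledUsersOutside {
    param([string[]]$Exclude)

    # Only disabled accounts leave the domain controller
    Get-ADUser -Filter { Enabled -eq $false } -Properties WhenChanged |
        Where-Object {
            $dn = $_.DistinguishedName
            # Wildcards work here because Where-Object runs in PowerShell, not as an
            # LDAP query. A user in an excluded container has a DN ending in ",<container>".
            -not ($Exclude | Where-Object { $dn -like "*,$_" })
        }
}

Get-DisabledUsersOutside -Exclude $excludedContainers |
    Select-Object SamAccountName, DistinguishedName, WhenChanged |
    Sort-Object DistinguishedName
```

The `-like "*,$_"` comparison anchors on the comma so that an OU whose name merely ends with the same text as an excluded one is not caught by accident.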

Tuesday, July 24, 2012

Query Recently Created Mailboxes or Users

You may at some point have a need to query recently created mailboxes. This script queries mailboxes created within the last seven days.

$date=(get-date).adddays(-7)
Get-Mailbox -Filter {WhenCreated -gt $date}
The logic of the script is this:
  • Set the variable $date equal to the current date minus 7 days.
  • Get a list of mailboxes with a WhenCreated attribute greater than the date 7 days ago
You can use the same basic structure for other objects such as Active Directory users by substituting the Get-ADUser cmdlet for the Get-Mailbox cmdlet.

$date=(get-date).adddays(-7)
Get-ADUser -Filter {WhenCreated -gt $date}
Update (Dec 2015):
The above syntax actually doesn't work. Not sure how I missed it when I first wrote the post. Today when I was writing a script using this syntax, it returned all mailboxes no matter what. So, the $date variable wasn't being properly evaluated. I'm leaving the above example so that people can see what syntax not to use.

Use the following syntax instead:
$date=(get-date).adddays(-7)
Get-Mailbox -Filter "WhenCreated -gt '$date'"
Apparently when building a filter with a variable, you need to enclose the whole filter in double quotes and the variable in single quotes. This syntax worked properly for me.
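The working string-filter form is the same for both object types, so it is worth wrapping once. The added example below (not from the original post) does that in a function that takes the look-back window as a parameter and reports newly created mailboxes or AD users. The function name and the seven-day default are assumptions; the Mailbox branch needs the Exchange Management Shell and the ADUser branch the ActiveDirectory module.

```powershell
# Added example (not from the original post): one function for "created in the
# last N days" against mailboxes or AD users. Name and defaults are assumptions.
function Get-RecentlyCreated {
    param(
        [int]$Days = 7,
        [ValidateSet("Mailbox","ADUser")][string]$Type = "Mailbox"
    )
    $date = (Get-Date).AddDays(-$Days)

    # Build the filter as a string so PowerShell expands $date before the
    # provider sees it; the single quotes keep the date/time a single value.
    $filter = "WhenCreated -gt '$date'"

    switch ($Type) {
        "Mailbox" {
            Get-Mailbox -Filter $filter -ResultSize Unlimited |
                Select-Object Name, PrimarySmtpAddress, WhenCreated
        }
        "ADUser" {
            # WhenCreated is not returned by default, so ask for it explicitly
            Get-ADUser -Filter $filter -Properties WhenCreated |
                Select-Object Name, SamAccountName, WhenCreated
        }
    }
}

# Accounts created in the last day, sorted newest first
Get-RecentlyCreated -Days 1 -Type ADUser | Sort-Object WhenCreated -Descending
```

Run against a short window (a day, or since the last review) this is a cheap check that every new account has a matching request; an account nobody asked for is worth a look.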

Wednesday, July 18, 2012

Virus Created Its Own Partition

I ran into a first yesterday. As seems to happen on a somewhat regular basis, a client had a virus-infected computer. One of the tools I normally rely on is TDSSKiller.exe from Kaspersky. It removes most rootkits that infect the boot sector of a hard drive, and it is one of the few that checks the boot sector of non-boot drives, so you can use it when a drive is externally attached.

In this case, TDSSKiller.exe identified Rootkit.boot.SST.b. When the software attempted to clean it, it didn't display any errors, but if you looked at the log it indicated that it couldn't be cleaned.

Some web sites suggested downloading Kaspersky Rescue Disk to remove it. This is a bootable linux CD/USB image. Basically, it accomplishes the same thing as placing the drive in an external case. It prevents any malware on the drive from loading in the boot process. This tool also found the rootkit, but couldn't remove it.

I also tried booting up in the XP recovery console and using FixMBR, which appeared to work, but the rootkit was still there.

The final fix was referenced by a few web sites. This rootkit created its own partition that it inserted into the boot process. None of the repair tools understood the boot process and therefore could not repair it.

On this computer, the OS partition was 40 GB and a 100 MB partition was created after that. The 100 MB partition was marked active and therefore was used to start the boot process. When viewed from within Disk Management, the partition type was unknown. The fix was to remove the extra 100 MB partition and then mark the OS partition as active. After this, the rootkit was gone.

Based on reading other web sites, the size of this partition may vary. I saw references to a small partition that is only a few MB. I'm guessing the virus authors changed it to be 100 MB to make it confusing with the 100 MB partition used by Windows Vista and Windows 7. Also, I can only assume that a larger partition provides more space to hide malware that is introduced during the boot process.

After removing the rootkit, there was still a bunch of other malware that I removed with MalwareBytes and SuperAntiSpyware. In the end the only thing lost was some Start Menu shortcuts.

Realistically, I should have just wiped it and rebuilt it, but after putting in an hour or so, it became competitive and I just wanted to win.


Tuesday, July 17, 2012

Exchange 2013 Preview Released

Microsoft has publicly released Exchange 2013 Preview for download. I'll try to review some of the more interesting new features over the next few weeks. However, for those of you who like to play:

Exchange 2013 Preview download:
Exchange 2013 Preview resources:
Exchange 2013 online help:
I shouldn't need to say this, but do not deploy this software in a production environment. This software is for testing only. Who knows what these schema extensions impact when you want to deploy the release version of the product.

Multi-Mailbox Search No Longer Requires Enterprise CAL

The licensing for Exchange 2010 has been changed to allow multi-mailbox search with standard CALs instead of enterprise CALs. Previous to this change any mailbox searched with multi-mailbox search required an enterprise CAL.

This is a pretty big deal for a few reasons. First, it's handy to use multi-mailbox search when recovering items for single item recovery. It's a much nicer interface than straight PowerShell. Secondly, it's also nice when users complain that they've lost a message and you can go and search their mailbox without connecting directly to it.

You still need an enterprise CAL for personal archives, legal hold, per user/group journaling, and custom retention policies.

The Exchange 2010 licensing page (http://www.microsoft.com/exchange/en-us/licensing-exchange-server-email.aspx#Exchange2010CAL) has been updated to show the change.

Friday, July 13, 2012

SBS 2008 RWW Error 50331688

I recently updated the certificate for OWA on an SBS 2008 installation. That went fine and I deleted the old certificate. A few weeks later, we were informed that Remote Web Workplace was not working. When users attempted to connect to their computer they got a Javascript dialog box with error 50331688.

The cause of the issue is a certificate not being installed for the Terminal Services gateway. The Terminal Services gateway is used by RWW. The fix is to select a valid certificate and then all is good.

To fix the issue:
  1. Open TS Gateway Manager from Administrative Tools.
  2. In the left pane, right-click the server and click Properties.
  3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption and click Browse Certificates.
  4. Select a valid certificate and click Install.
  5. Click OK to close the properties of the server.
All done. It should begin working immediately.

Thursday, July 12, 2012

How to Join Dell ISO Files

Apparently a few years back, Dell started splitting large ISO files into smaller pieces to make downloading easier. The page I was downloading from said they needed to be joined, but did not provide the instructions.

Here are the instructions for joining two DVD files (OM_6.5.0_SMTD_A01.iso.001 and OM_6.5.0_SMTD_A01.iso.002):
  1. Place the files to be joined in a separate folder.
  2. Open a command prompt and change to the folder containing the files.
  3. At the command prompt, type copy /b om* OM_650_SMTD_A01.iso and press Enter.
This copies the two existing files into a single new file. Based on the file names, they should be selected in the correct order. However, if they are not, you can use this modified command that specifies the order:
copy /b OM_6.5.0_SMTD_A01.iso.001+OM_6.5.0_SMTD_A01.iso.002 OM_650_SMTD_A01.iso
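The copy /b command does the job for two pieces. The added example below (not from the original post) does the same join in PowerShell, ordering the pieces by their numeric suffix so that it also works for more than nine parts, where a wildcard ordered as text would put .010 before .002, and checks that the output size equals the sum of the parts. File names are the ones above; the folder is an assumption.

```powershell
# Added example (not from the original post): join BaseName.001, .002, ... in
# numeric order and verify the result's size. Folder and output name are assumptions.
function Join-SplitFile {
    param(
        [Parameter(Mandatory=$true)][string]$BaseName,   # e.g. OM_6.5.0_SMTD_A01.iso
        [string]$Folder  = ".",
        [string]$OutFile = (Join-Path $Folder "joined.iso")
    )
    # Pieces are "<BaseName>.NNN"; sort on the number, not the text
    $parts = Get-ChildItem -Path $Folder -Filter "$BaseName.*" |
        Where-Object { $_.Extension -match '^\.\d{3}$' } |
        Sort-Object { [int]$_.Extension.TrimStart('.') }
    if (-not $parts) { throw "No pieces named $BaseName.NNN found in $Folder" }

    $buffer = New-Object byte[] (1MB)
    $out = [System.IO.File]::Create($OutFile)
    try {
        foreach ($p in $parts) {
            $in = [System.IO.File]::OpenRead($p.FullName)
            try {
                while (($n = $in.Read($buffer, 0, $buffer.Length)) -gt 0) {
                    $out.Write($buffer, 0, $n)
                }
            } finally { $in.Close() }
        }
    } finally { $out.Close() }

    # A binary join must produce exactly the sum of the input sizes
    $expected = ($parts | Measure-Object Length -Sum).Sum
    $actual   = (Get-Item $OutFile).Length
    if ($actual -ne $expected) {
        throw "Joined size $actual does not match the sum of the parts ($expected)"
    }
    Get-Item $OutFile
}

Join-SplitFile -BaseName "OM_6.5.0_SMTD_A01.iso" -Folder "C:\Downloads\Dell" `
    -OutFile "C:\Downloads\Dell\OM_650_SMTD_A01.iso"
```

The size check catches a missing or truncated piece; if the vendor publishes a checksum for the whole ISO, compare the joined file against it before mounting or burning it.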

Tuesday, July 10, 2012

Exchange 2010 Backups - The Details

The Exchange Team has posted a nice series of blog articles about the details of backing up Exchange Server 2010. The articles discuss exactly how VSS backups work, backups of active database copies, and backups of passive database copies.

The articles are here:

Exchange 2010 Mailboxes Quarantined Randomly

If you downloaded the most recent version (14.3.38.2) of the Exchange 2010 Management Pack released in June of 2012, it can cause mailboxes to be randomly quarantined. As of June 27th, the Management Pack has been pulled and will be released again when it is fixed.

If you have already installed this management pack, there are some workarounds to disable the function that is quarantining the mailboxes.

Information about version 14.3.38.2 of the management pack:
Information about the problem and workarounds if you've installed it:

Friday, July 6, 2012

HP LaserJet Pro 400 MFP M425 Scans All Black

One of our guys was on site today installing a new HP M425 for a client. He unpacked the printer and everything worked great except for the scanning. All scanning was 100% black.

He rechecked the whole unit and there was no packing material blocking the scanner. Nothing left to do but call HP support.

HP support had him flash the firmware to the latest version and scanning began to work fine. Very very weird. I would never have guessed in a million years.

User Sending as Multiple Email Addresses

Many organizations want a single user to have multiple email addresses and would like the user to be able to select which email address to send as. In Exchange 2010 (and earlier versions) it's very easy to add multiple email addresses for a user. However, the sending is a problem.

When multiple email addresses have been configured for a user, only one email address can be set as the primary/Reply To address. The primary address is the From address when sending a message. The user cannot select an alternate From address from their list of addresses.

You can buy commercial software that enables this functionality (http://www.ivasoft.biz/choosefrom2007.shtml). However, for the cheap (ahem, cost sensitive) among us there is a workaround.

  1. For any secondary address you want to assign to a user, create a distribution group with that address.
  2. Make the user the only member of that group.
  3. Assign the user Send As permission for the group.
It's not very scalable, but easy to do.
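The three steps are simple to script, which takes most of the sting out of "not very scalable". The added example below (not the original post's steps) performs them for one user and one secondary address in the Exchange Management Shell and then shows who actually holds Send As on the group. The user, address and group name are constructed samples; hiding the group from the address list is an added choice so that the helper group is not picked by accident.

```powershell
# Added example (not the original post's steps): a user who can send as a
# secondary address via a single-member distribution group. Values are samples.
$user      = "jsmith"                 # mailbox user (alias or UPN)
$address   = "sales@contoso.com"      # secondary address the user should send as
$groupName = "SendAs-sales"           # naming convention is an assumption

# 1. A distribution group that owns the secondary address, with the user as its only member
New-DistributionGroup -Name $groupName -Alias $groupName `
    -PrimarySmtpAddress $address -Members $user | Out-Null
# Keep the helper group out of the GAL (assumption: nobody should address it directly)
Set-DistributionGroup -Identity $groupName -HiddenFromAddressListsEnabled $true

# 2. Enforce single membership: remove anyone else who may have been added later
Get-DistributionGroupMember -Identity $groupName |
    Where-Object { $_.Alias -ne $user } |
    ForEach-Object {
        Remove-DistributionGroupMember -Identity $groupName -Member $_.Identity -Confirm:$false
    }

# 3. Send As on the group object, granted to that user only
Add-ADPermission -Identity $groupName -User $user -ExtendedRights "Send As"

# Verify: every explicit (non-inherited) Send As grant on the group
Get-ADPermission -Identity $groupName |
    Where-Object { $_.ExtendedRights -like "*Send-As*" -and -not $_.IsInherited } |
    Format-Table User, ExtendedRights -AutoSize
```

Two things to keep in mind: the verification output is what you want to review periodically, because anyone added to the group later receives the secondary address's mail, and a new distribution group only accepts mail from authenticated senders by default, so if the secondary address must receive Internet mail, set -RequireSenderAuthenticationEnabled $false on the group.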

Enable Remote Management for Windows 7

Windows 7 is more secure than Windows XP. That is a good thing. However, it's also annoying when you want to remotely manage a domain joined computer and it's not allowed by default.

Windows Firewall in Windows 7 does not allow remote management even on domain joined computers. You need to create the exceptions that allow remote management of Windows.

You generally want to:
  • Allow ping. I'd like to see if the computer is up or not.
  • Connect with Remote Desktop. It's nice to fix up desktop computers without going on site.
  • Connect with Computer Management. Nice to see event logs remotely without logging on.
  • Connect to the registry remotely. Nice to do reg edits without logging on locally and bothering the customer.
In SBS 2011, much of this is done automatically by a Group Policy object created during installation. However, if you are using a normal edition of Windows Server then you need to make the Group Policy object yourself.

A blog post (http://skatterbrainz.blogspot.ca/2009/08/enabling-windows-7-remote-management.html) by David Stein provides the details on how to do it. He lists the specific Group Policy settings to enable and configure. And if you are not familiar with the Group Policy Management Console, he also provides some detailed steps on how to use it.
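Group Policy is the right way to roll this out, but when testing on a single machine it helps to know which built-in firewall rule groups the four tasks map to. The added example below (not from the original post, which relies on the linked Group Policy settings) enables those groups locally on one Windows 7 computer, restricted to the domain profile and to a management subnet, so the exceptions never open up on public or private networks. The subnet is a constructed sample; run it elevated.

```powershell
# Added example (not from the original post): enable the built-in inbound rule
# groups for remote management, domain profile only, scoped to a management subnet.
$mgmtNet = "10.0.5.0/24"   # constructed sample: where the admin workstations live

# Built-in rule groups that cover the four tasks listed above
$groups = @(
    "File and Printer Sharing",      # ICMPv4 echo (ping) and the SMB rule remote registry rides on
    "Remote Desktop",
    "Remote Administration",         # RPC used by Computer Management and remote regedit
    "Remote Event Log Management",
    "Remote Service Management"
)

foreach ($g in $groups) {
    # Only the domain-profile copies of the rules, limited to the management subnet
    netsh advfirewall firewall set rule group="$g" dir=in profile=domain `
        new enable=yes remoteip=$mgmtNet
}

# Remote registry also needs its service running; it is not started by default on Windows 7
Set-Service -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# Show what is now enabled in the domain profile
netsh advfirewall firewall show rule name=all dir=in profile=domain |
    Select-String "^Rule Name|^Enabled|^RemoteIP"
```

The remoteip scope is the part worth carrying over into the Group Policy version: the same rules with "Any" as the remote address expose RPC, SMB and RDP to every machine on the network, not just the ones you manage from.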

Thursday, July 5, 2012

Installing SQL 2005 on Windows 2008 R2

As part of a performance test for an application at a client, we needed to set up a temporary server running Windows Server 2008 R2 and SQL Server 2005. When you install SQL 2005, it indicates that IIS must be installed. Back in Windows Server 2003 this was easy because IIS was installed as a single lump. Starting in Windows Server 2008, IIS is installed as multiple role services. This makes it difficult to determine which role services are required.

Here is a list of the IIS 7 role services that must be installed for SQL 2005:
  • Common HTTP Features
    • Static Content
    • Default Document
    • HTTP Redirection
    • Directory Browsing
  • Application Development
    • ASP.NET
    • ISAPI Extension
    • ISAPI Filters
  • Security
    • Windows Authentication
  • Management Tools
    • IIS Metabase
    • IIS 6 WMI
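Clicking through Server Manager for that list is error-prone on a throwaway server. The added example below (not from the original post) installs the same role services with the ServerManager module on Windows Server 2008 R2 and then confirms nothing is missing. The feature identifiers are the ServerManager names I map to the display names above; the mapping is an assumption you can confirm with Get-WindowsFeature before running it.

```powershell
# Added example (not from the original post): install the IIS 7 role services
# SQL 2005 setup expects, via ServerManager, and confirm they are present.
# Feature names are assumed to match the display names in the list above.
Import-Module ServerManager

$required = @(
    "Web-Static-Content",   # Common HTTP Features
    "Web-Default-Doc",
    "Web-Http-Redirect",
    "Web-Dir-Browsing",
    "Web-Asp-Net",          # Application Development
    "Web-ISAPI-Ext",
    "Web-ISAPI-Filter",
    "Web-Windows-Auth",     # Security
    "Web-Metabase",         # Management Tools (IIS 6 compatibility)
    "Web-WMI"
)

$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    # Add-WindowsFeature pulls in the Web-Server role and other dependencies itself
    $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
    if ("$($result.RestartNeeded)" -match 'True|Yes|Maybe') {
        Write-Warning "A restart is required before running SQL Server setup."
    }
}

# Final check: anything listed here is still missing; empty output means setup can proceed
Get-WindowsFeature -Name $required |
    Where-Object { -not $_.Installed } |
    Format-Table Name, DisplayName -AutoSize
```

Installing only these role services, rather than the whole Web Server role, keeps the attack surface of a box that exists solely to satisfy an installer check as small as possible.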

Thursday, June 21, 2012

Free E-book about Windows Server 2012

I haven't had a chance to read it yet, but Microsoft has made an e-book about Windows Server 2012 available free for download. You can get it here: