Infrastructure Blueprint

WE'RE MOVING

2010-09-14T23:31:00.003+03:00

Greetings,

The blog has been moved to http://blogs.technet.com/b/infrastructure_blueprint/

Please keep an eye on that new blog as I'll be posting a lot of very new and interesting stuff from time to time.

Regards,
Dr.Kernel

When Exchange 2007 is run under Windows Server 2008, clients who use Exchange 2007 may be repeatedly prompted for their credentials in Outlook Anywher

2009-05-31T09:19:00.000+03:00

When Exchange 2007 is run under Windows Server 2008, clients who use Exchange 2007 may be repeatedly prompted for their credentials during Outlook Anywhere sessions. This issue occurs when NTLM Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box for the Outlook profile on the client computer. This issue does not occur if Basic Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box. By default, Kernel Mode Authentication is enabled in Internet Information Services (IIS) 7.0 on the Client Access server. To resolve this issue, disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008.

To disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008

At a command prompt, type the following command, and then press ENTER:

%systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

Regards
Saad

Exchange 2007 SP1 Outlook Anywhere and Windows Server 2008

2008-09-20T00:13:00.002+03:00

As there is no in-place upgrade from Exchange Server over Windows Server 2003 to Exchange over Server 2008, I think that everyone is going to deploy Exchange 2007 SP1 over Windows Server 2008.. while the product was heavly tested before announcing the supportability of Exchange over Server 2008.. from time to time there are some incidents that's emerge for a reason or another, most of them are caused by some trivial reasons and can be easily overridden..

In our suitcase today, there is an issue, when Exchange Server 2007 SP1 even with latest update (RU3) when it's installed over Windows Server 2008, the outlook anywhere connections is dropped after three times authentication retrials.. then the following error:

The connection to Microsoft Exchange is unavailable. Microsoft Outlook must be online or connected to complete this action.

The problem mainly was caused because Exchange tries to connect by IPv6 first, while it's not configured so it fails, the resolution to this problem is simply to disable the IPv6 over Windows Server 2008 that host the Exchange Server

Best Practices and Guidelines for Hyper-V with Exchange Server 2007 SP1

2008-08-26T20:12:00.002+03:00

Today we will talk about the new Hyper-V technology support for the Messaging virtualization from Microsoft, Microsoft released its hardware virtualization software a while ago and eventually the Exchange Server 2007 SP1 is supported in the production environment, in able to make it supported, certain aspects and conditions must be met otherwise you will put yourself in unsupported situation, in this document we will refer to the Windows Server 2008 that will hold the Hyper-V component and will host the virtual servers as the Root, the Virtual Machine that will be running on the Hyper-V are called the Guest, so let's start..

First let's list some of the supported software to fully function in the production over a virtualized environment, below are the list with the latest updates on 26^th August 2008:

Microsoft Application Virtualization (App-V)
Microsoft BizTalk Server
Microsoft Commerce Server
Microsoft Dynamics AX
Microsoft Dynamics CRM
Microsoft Dynamics NAV
Microsoft Exchange Server (Except UM role)
Microsoft Forefront Client Security
Microsoft Intelligent Application Gateway (IAG)
Microsoft Forefront Security for Exchange (FSE)
Microsoft Forefront Security for SharePoint (FSP)
Microsoft Host Integration Server
Microsoft Internet Security and Acceleration (ISA) Server
Microsoft Office Groove Server
Microsoft Office PerformancePoint Server
Microsoft Office Project Server
Microsoft Office SharePoint Server and Windows SharePoint Services
Microsoft Operations Manager (MOM) 2005
Microsoft Search Server
Microsoft SQL Server 2008
Microsoft System Center Configuration Manager
Microsoft System Center Data Protection Manager
Microsoft System Center Essentials
Microsoft System Center Operations Manager
Microsoft System Center Virtual Machine Manager
Microsoft Systems Management Server (SMS)
Microsoft Visual Studio Team System
Microsoft Windows HPC Server 2008
Windows Server 2003 Web Edition
Microsoft Windows Server Update Services (WSUS)
Windows Web Server 2008

Conditions to support Exchange Server 2007:

In Microsoft virtualization environment, it must be Windows Server 2008 Hyper-V x64 (Not Virtual Server NOT virtual PC)
The Virtualization software other than Microsoft Hyper-V must pass the Server Virtualization Validation Program SVVP (at this moment only Hyper-V passed this test)
Exchange Server 2007 must be with SP1 or later
Exchange Server 2007 with SP1 must be installed on a guest operating system running Windows Server 2008 x64
Support high availability and Exchange clustering Local Continuous Replication, Cluster Continuous Replication, Single Copy Cluster and Standby Continuous Replication. However when using Quick Migration with Hyper-V the CCR and SCC will not be supported.
Exchange Server 2007 installed without the Unified Messaging Server role, the UM server role is not yet supported
If you will use virtual hard disks, Only Fixed Size Disks are supported. Differencing, dynamically expanded or any virtual storage are not supported, ONLY FIXED SIZE HARD DISK is supported as virtual disk type
The Root Server (the one that run the Hyper-V components) must be dedicated server for that purpose, it's not supported to install any other software on the Root server, it should function only as Hyper-V Server
Hyper-V include a feature called snapshots that you can revert the system back to this captured state, but it's not supported with Exchange Server 2007 Virtual Guest as the Snapshot is not Exchange-Aware
The virtual processor-to-logical processor mapping must not exceed 2:1 otherwise it's not supported, that's mean if you have server with two processors with dual core, that's make total of 4 logical processors, the maximum supported is 2:1 which is 8 CPUs in this case, note that these 8 CPUs is the maximum allowed per ALL guests on the same root
hardware-based VSS solutions is not supported to back up virtualized Exchange Server

Guidelines, Recommendations and best practices:

Use pass-through SCSI storage disks or internet iSCSI storage for better performance
Before creating virtual disk, it's recommended to start disk defragment on the root server to reduce disk fragments
Install the integration services on the guest operating system
Ensure that an enforced Data Execution Prevention (DEP) must be available and enabled on the hardware level
Put in mind that if you will use Server 2008 datacenter Edition, you physical memory can support up to 1 TERABYTE of memory, with enterprise edition you limited to 64 GB, and for standard only 32 GB of memory
Put on mind that Hyper-V is supported on physical computers with up to 16 logical processors.
Also put in the same mind that you can use TPM chip with Bit Locker ® security feature of Windows Server 2008 to secure your virtual hard disks
The virtual fixed size hard disk is limited in size to 2040 Gigabyte of disk space, while the pass-through physical disks are not limited to a space
You can take up to 50 snapshots of per guest, it's supported only to make your backup solution for a recovery of Exchange disasters
When allocating the number of virtual processors don't forget the root server share of the
Use Windows System Resource Manager WSRM to control the resources utilization
When calculating the total number of virtual processors required by the root machine, you must also account for both I/O and operating system requirements. In most cases, the equivalent number of virtual processors required in the root operating system for a system hosting Exchange virtual machines is 2. This value should be used as a baseline for the root operating system virtual processor when calculating the overall ratio of physical cores to virtual processors. If performance monitoring of the root operating system indicates you are consuming more processor utilization than the equivalent of 2 processors, you should reduce the count of virtual processors assigned to guest virtual machines accordingly and verify that the overall virtual processor-to-physical core ratio is no greater than 2:1.
The Exchange server guest machine's storage and network design requires additional considerations for the root machine, specifically, the impact to the CPUs on the root machine. In some hardware virtualization environments (such as Hyper-V), all I/O requests that are made by guest virtual machines are serviced through the root machine. In these environments, we recommend that no other I/O intensive applications (for example, Microsoft SQL Server) be deployed on guest machines that are hosted on the same root machine as Exchange server guest machines.
Use multiple network adapters for network-intensive VM workloads, and management
Ensure your storage hardware has I/O bandwidth and capacity to meet current and future needs of the VMs.
Consider Placing VMs with highly disk-intensive workloads on different physical disks will likely improve overall performance
If using clustering, make one Exchange cluster node on one Root, and the other node on another Root to truly achieve high availability

Mailbox Size Quota are not applied on the user mailbox in Exchange 2007

2008-08-10T10:12:00.002+03:00

From time to time, policies changes, and special configuration is requested to add one GB to the executive mailbox size for a reason or another. sometimes we experience and incident that when we change the default quota for a mailbox to higher or lower size, it's not reflected on the outlook client even after restarting outlook many times, it still only feel the old value, meanwhile if we wait for couple of hours, or restart the information store service, you will find that the new configuration is applied immediately… why this behavior?

Well, first it's by design. As when the MSExchangeIS (information store)service starts it read the mailbox configuration and cache this configuration, and the MSExchangeIS service use this cached information to enforce the mailbox size. By default, there are two ways to refresh this cached configuration:

Wait for two hours and that will trigger the refresh interval then it will reread the new configuration
Restart the MSExchangeIS service and it will reread the new configuration

Well, that's not practical, our CEO need the new configuration now, otherwise he won't be able to send or receive mails, (or we will get fired) so what's our third option? We need a quick easy without downtime option… do we have such option? Yes we have but this will include only one time restart for the MSExchangeIS service to take the new configuration after the registry modification..

The safe way to do so (if you do it right) is to change the default refresh interval for the mailbox information cache by a regkey called Reread Logon Quotas Interval this value have some dependencies, so if you gonna change it you have to change two other values as well including the DSAccess (part of MAD.EXE, remember it?)

Make sure you backup the registry first, and do the following steps: (please guys, we are talking about MSExchangeIS service, so which server we will do that on?? Choose the right answer: 1) Mailbox server role, 2) the exchange server that hold the mailboxes, 3) the Exchange 2007 server that's NOT CAS, HUB, UM nor edge?)

yeeeeah james you right, the mailbox server role that we will do the following action on, because MSExchangeIS is the service that's responsible for the Mailbox Database activities, and it's only installed on this server role.. this configuration will be configured in multiple steps bulk to get the same final configuration, as I said it have some dependencies..

Part A of configuration:

Open RUN – type regedit
Navigate to this location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Right click the ParametersSystem container and choose NEW then choose DWORD value and name it Reread Logon Quotas Interval
Right click the value you just created and choose Modify
Ensure that the base is Decimal, and add the value you want to configure in seconds, e.g. for 20 minutes enter there a value of 1200

Part B of configuration:

Open RUN – type regedit
Navigate to this location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Right click the ParametersSystem container and choose NEW then choose DWORD value and name it Mailbox Cache Age Limit
Right click the value you just created and choose Modify
Ensure that the base is Decimal, and add the value you want to configure in Minutes, e.g. for 1 hour enter there a value of 60

Part C of configuration:

Open RUN – type regedit
Navigate to this location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange ADAccess\Instance0
If the location is not present, right click the MSExchange ADAccess and choose new KEY and name it Instance0
Right click the Instance0 container and choose NEW then choose DWORD value and name it CacheTTLUser
Right click the value you just created and choose Modify
Ensure that the base is Decimal, and add the value you want to configure in Seconds, e.g. for 20 Minutes enter there a value of 1200

Close regedit, and restart the information store service, from now on the cached information will be kept only for the configured amount of time

Regards

Mohammed Saad

Error (Exchange is unable to create a public folder tree ) when create a Public Folder database in Exchange Server 2007

2008-07-30T11:19:00.001+03:00

An new symptom we faced these days, that when you want to create a new Public Folder Database in Exchange 2007, you will get error message like this one "Exchange is unable to create a public folder tree", in the EMC you will find the wizard give you an error message like this one:

Summary: 2 item(s). 0 succeeded, 1 failed.

Elapsed time: 00:00:00

New Public Folder Database Failed

Error: Exchange is unable to create a public folder tree for the public folder database that you specified.

Active Directory operation failed on MSaad.MCS.com. The object 'CN=Public Folders,CN=Folder Hierarchies,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Microsoft CS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MCS,DC=com' already exists.

The object exists.

Exchange Management Shell command attempted:

new-publicfolderdatabase -StorageGroup 'MSaad\First Storage Group' -Name 'Public Folder Database' -EdbFilePath 'C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Public Folder Database.edb'

Elapsed Time: 00:00:01

Mount Public Folder Database Cancelled

Resolution:

Open adsiedit.msc and change the value of msExchPFTreeType to 1, let's do it step by step:

Install adsiedit.msc (ship with windows server 2003 support tool run adsiedit.msc from RUN
Expand Configuration [Server_Name.Domain_Name.Root_Domain], and then expand CN=Configuration,DC=Domain_Name ,DC=Root_Domain.
Expand CN=Services, expand CN=Microsoft Exchange, expand CN=Domain_Name, expand CN=Administrative Groups, expand CN=Exchange Administrative Group (FYDIBOHF23SPDLT), and then click CN=Folder Hierarchies.
In the details pane, right-click CN=Public Folders, and then click Properties.
In the Attributes list, click the msExchPFTreeType, and then click Edit.
In the Value box, type 1, and then click OK two times.
On the File menu, click Exit.
In the Services snap-in, restart the Microsoft Exchange Information Store service.

Then create the PF DB again, it should work fine now.

Event ID 9187 and 9186 appear after move Exchange Servers from one OU to another

2008-06-22T10:28:00.001+03:00

When you rename the OU that contain computer account for exchange server, or if you move exchange server from one OU to another, Exchange will generate this warning:

Event ID: 9186

Source: MSExchangeSA

Type: Warning

Category: General

Description:

Microsoft Exchange System Attendant has detected that the local computer is not a member of group 'cn=Exchange Domain Servers,cn=Microsoft Exchange Security Groups,dc=domainname,dc=com'. System Attendant is going to add the local computer into the group.

The current members of the group are ********* and add some DNs for the group members

This warning sometime followed by an Error from MSExchangeSA as well indicating it tried to add the computer account to the group and it failed with event ID 9187.

This is due to the natural behavior for system attendant service as by design, when this service start at the first time it cache the Distinguished Name for the Exchange server computer account, and when this DN changes it require to be reflected on the MSExchangeSA service cache, to flush this cache only we need to restart MSExchangeSA service by services.msc console or by powershell and this events will go away.

Regards

Mohamed Saad

When you run the get-ExchangeAdministrator cmdlet, you receive the following message: The account is not a member of Exchange View Only Administrators

2008-05-26T20:28:00.001+03:00

Well, this problem does not occur when you install the Mailbox role, the Client Access role, or the Hub Transport role. It's just when you add a passive node to a CMS… what happen in the background is the computer account for the passive node take full control over the CMS object in active directory.

Symptom:

The nature of the problem is visible when you go to organization configuration in the EMC and a yellow line comes up in the top and stating that a certain computer account (which is the secondly added node to the cluster-passive-) is not member of exchange view only administrator, of when you open EMS (powershell) and type Get-ExchangeAdministrator you will find the same warning indication there..

Resolution:

Open the AdsiEdit.msc tool that is included in Windows Support Tools.
Connect to the domain.
Locate the following object:
CN=Clustered Mailbox server,CN=Servers,CN= Exchange Administrative Group (code),CN= Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
Right-click this object, and then click Properties, go to security tab
Find the computer account for the passive node
Remove all permissions for that node except read permission
Click advanced and add the following permission for the passive node account (Apply to: This Object Only)
1. Write property msExchEdgeSyncCred
2. Write property msExchServerSite
In the advanced window add the following permissions for the passive node account ( Apply to: This object and all child objects)
1. List Contents
2. In the properties tab, check all properties that's start with (Read)

Get-ExchangeAdministrator

And viola, no more, it's done J

Remove the Internal IP Addresses From Message Headers

2008-05-23T14:13:00.004+03:00

Once upon a time in Qatar, I was wondering if I can remove the internal IP addresses from the messages headers, as I saw it at that time as a security breach to expose the internal IP addresses to the external world maybe a way to help penetrators doing their job :)

I went through this article at Microsoft Technet, and it's recommended to read this article, fabulous!

To get the internal names and IPs in a message through outlook, right click the message in the left pane and choose properties, and you will find all internal data, and in OWA for Exchange 2007, It's included in the Exchange 2007 only OWA, a button called Message Details that will do the job fine on web access

the command will stripe the internal IPs and hostnames from the message sent from your internal network, what it does in the background is it remove the anonymous permission from the ms-Exch-Send-Headers-Routing attribute from the receive connector by this command:

Get-SendConnector "Connector Name" | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights "ms-Exch-Send-Headers-Routing" -user "NT AUTHORITY\Anonymous Logon

Reference:
http://technet.microsoft.com/en-us/aa998662.aspx

Have an annoying virus in your MB DB? send it for Microsoft for analysis :)

2008-05-17T19:07:00.004+03:00

Pretty nifty, just send email to this email address submit_virus@fss.microsoft.com

To prepare an archive file that contains the files that you want to submit, follow the steps in the "How to prepare files for submission" section. Attach the archive file to the e-mail message. When you submit the file, make sure that you include the following data.

Your name, e-mail address, and telephone numberMicrosoft will send all responses to the e-mail address that you use to submit the files. When you submit the archive file, Microsoft processes the file and then sends a determination of the files that is based on the current Microsoft malicious software definitions. If it is necessary, adjust your incoming mail filters to make sure that you receive this message.

Sample typeIf the submission includes files that you believe were incorrectly determined to be malicious software, add the words "False Positive" to the e-mail Subject line. Otherwise, the files will be assumed to be malicious software.

Support case number (optional)A support case number is not required to submit files for analysis. However, if a support case is already open for this submission, you can include this case number on the message Subject line.

Other information to include

The names of any scan engines that you are using.

Forefront Security products that you are using. For example, these might include Forefront Security for Exchange Server or Forefront Security for SharePoint.

Platform information. For example, this might be Windows Vista, Windows Server 2003, Windows 2000, or another version of Windows.

Description of the virus activity.

How to prepare files for submission:

1.In Windows Explorer, open the folder that contains the suspected malicious software files.
2.Right-click a blank area in the window, point to New, and then click Compressed (zipped) Folder.
3.Type malware.zip to name the new archive file, and then press ENTER.
4.Drop the suspected malicious software files into the archive file as you would drop them into a typical Windows folder.
5.Double-click the archive file.
6.On the File menu, click Add a Password.
7.In the Password box, type infected.
8.In the Confirm Password box, retype infected, and then click OK.

Mail flow doesn't work if Exchange 2007 Installed on Server 2008 with certain routers

2008-05-17T18:10:00.003+03:00

Windows vista and windows Server 2008 have the TCP autotuning setting enabled by default, so if the router is small or outdated maybe it doesn't support that feature, so we have to disable the feature on Server 2008 to make that work, but beware that this will decrease the server performance

Symptom:
Mail flow doesn't work if Exchange 2007 Installed on Server 2008 with certain small routers

Cause:
That's if the router doesn't support TCP autotuning settings in Windows Server 2008.

Resolution:
open RUN==CMD== and type this command

netsh interface tcp set global autotuninglevel=disabled

this will disable the feature and we back in business

here is more info about parameters for that command from MS sites:

The following autotuning settings are available if a router supports TcpWindowScaling:

Disabled: Fix the receive window at its default value.

Highly Restricted: Allow the receive window to grow beyond its default value, but do so very conservatively.

Restricted: Allow the receive window to grow beyond its default value, but limit such growth in some scenarios.

Normal: Allow the receive window to grow to accommodate most scenarios.

Experimental: Allow the receive window to grow to accommodate extreme scenarios.

Help! Forefront Engines update timed out while downloading updates and keep logging Errors !.

2008-04-20T09:06:00.002+03:00

Well, I had this problem myself a while before, when i was awaiting updates to be downloaded and get installed on the Forefront Server Security For Exchange, i found that many engines updates are not applied and error message in the application log stating that it's just timed out ..

the mystery behind that is the default time out value is 5 minutes, which is fine with many organizations, and everything is cool, but sometimes with some latency and network problems it just don't allow the updated to be graped in that assigned time .. so what we will do here is modifying the registry and increase that time.. and don't worry it don't need any restart to your server or services. just do it right !

open RUN and type RegEdit go to this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Exchange Server

and make a new DWORD there with the name of EngineDownloadTimeout , right click the key and choose Modify and put there the required value, let's say we will make it 10 minutes, so write there 600 ( it's counted in seconds) and voila it's done

Just note that this is still applicable on Forefront for sharepoing still with the same Reg path but with changing Exchange by sharepoint ..

Good Luck

Event ID 1002, Source: MSExchangeSetup , and Error: Process execution failed with exit code 5, when uninstalling Exchange 2007

2008-04-17T08:46:00.002+03:00

Symptom:

Event ID 1002

Source: MSExchangeSetup

Error: Process execution failed with exit code 5

when uninstalling Exchange 2007

Cause:

This happen for the DiagnosticCmdletController.dll file is not registered (it supposed to be but maybe not registered for any crazy reason)

Resolution:

make a search for the DiagnosticCmdletController.dll file, and go for each location where that file is, and reregister it again by regsvr32 command, for example:

C:\C:\Program Files\Microsoft\Exchange Server\bin\Monitoring\x86\regsvr32.exe DiagnosticCmdletController.dll

DllRegisterServer in DiagnosticCmdletController.dll succeeded.

Please don't repeat this process for each location where that file is

Good Luck

Configure Autoreply to messages in exchange 2007

2008-04-06T09:03:00.003+03:00

I has been requested once to configure autoreply to messages sent to helpdesk in exchange 2007, imemdiatly i told the customer if OOF is accepted he denied that and he need a autoreply one

well, here is how i made that

it's in two parts, from server side (Exchange 2007 HUB Role) and from outlook side

A- From server Side:
Exchange 2007 by default will block autoreplies and auto forward messages, hence we need to configure this to allow this-like messages
1- open EMC and go to organization configuration
2- navigate to Hub transport and remote domains tab
3- click properties of the remote domains and go to Message format tab
4- check the check box there that allow auto reply (and auto forward if needed) and OK

B- From OUTLOOK
1- Open Outlook.
2- Click Tools, and click Rules and Alerts.
3- Click New Rule, select "Start from a blank rule", select "Check messages when they arrive" and click Next.
4 - Select "Send only to me" and click Next.
5- Select "have server reply using a specific message".
6- In the bottom box, click "a specific message", enter the Subject and body for the autoreply message and click "Save and close".

Now test it by sending a message to the configured account and you will get an autoreply

Outlook anywhere keep prompt for a password even NTLM authentication is selected

2008-04-03T10:07:00.002+03:00

Outlook anywhere keep prompt for a password even NTLM authentication is selected

that occure if value of the Server attribute is set incorrectly for the EXPR OutlookProvider object

run this command on all CAS Servers

Set-OutlookProvider EXPR -Server $null
and restart IIS will resolve the issue

How to recover the trust between parent and child domain if Access is denied between them happened

2008-03-31T18:19:00.001+03:00

that's becasue the TDO ( trusted domain object) has been corrupted as i have been informed once from Microsoft

Busbar, one of the Experts out there, blog that wonderfull post and i wanted to share it with you

http://busbar.blogspot.com/2008/03/what-to-do-parentchild-domain-trust-is.html

when you send digitally signed message through exchange 2007 edge server, the message cannot be verfied on the destination

2008-03-31T18:08:00.003+03:00

as the address say, when you send digitally signed message through exchange 2007 edge server, the message cannot be verfied on the destination, that has been raised for a while, by escalation case by myself, and after further investigation on that subject working with the support team whom they made a lot of work ( and me as well) i managed to fix that, it was a bug !

a bug in which when you send email from outlook in HTML format, it will reach the destination in unverfied format, and a red arrow in the front of head of the message, and that's only happen when you send HTML messages with attachement in it, that's also mean when you send HTML messages in HTML format without attachement it WILL be verified, so the problem came in sending attachement

sawing saw, i disabled the attachement filter on the edge servers, and voila ! it woked fine..

i reported that to Microsoft and hopefully a fix will be available on rollup update 2 for exchange SP1

btw, you still can use remove-attachementfilterentry cmdlet but i didn't tested that actually

Good luck with your implementation

Dr.Kernel

______________________

Edited:

Install Rollup update 2 for exchange 2007 SP1 and that will fix the issue
http://support.microsoft.com/kb/949703/

Regards

Remote Server Administration Tools (RSAT) Beta is now available!

2007-12-25T10:17:00.000+03:00

This is something that of you have been waiting for a while now! Remote Server Administration Tools (RSAT) is essentially the WS08 version of the "Admin Pack". RSAT allows you to install many of the WS08 management tools on a Vista SP1 computer so you can remotely manage WS08 servers (full servers and server core). Some of the tools included in RSAT can also be used to manage WS03 servers as well.
More details about RSAT are pasted below.

=========================================

Microsoft® Remote Server Administration Tools enables IT administrators to remotely manage roles and features in Windows Server® 2008 from a computer running Windows Vista with Service Pack 1. It includes support for remote management of computers running a Server Core or Full Server installation of Windows Server 2008. This feature has been requested by customers as a replacement for the Windows Server 2003 Administration Tools Pack.

To test the Remote Server Administration Tools Beta and obtain customer feedback, Microsoft offers a Feature Focus program for this update, starting November 28, 2007 on the Microsoft Connect site. By participating in the program, you have the opportunity to try the new Remote Server Administration Tools, and provide feedback directly to the product team. The download is available as part of the Windows Beta program

CENTRO = SMALL BUSINESS SERVER SBS 2008

2007-12-24T15:24:00.000+03:00

Centro" = Windows Essential Business Server

Essential Business Server combines Windows Server 2008, Exchange Server 2007, System Center Essentials, Forefront Security for Exchange, the next version of ISA and SQL Server 2008 (in Premium Edition) into an "all-in-one" solution. But the product is truly more than the sum of its parts and delivers new technology above and beyond the component products. Essential Business Server provides a single point of management for all of the components and workloads, as well as third party software applications, and incorporates an incredible amount of best practices. We estimate set up will require 75% fewer steps than what is required today, for example. In addition, it has a single server license and a single client access license, as well as features to help IT track, manage and re-assign licenses.

Microsoft hardware partners that are already planning to support Essential Business Server include Fujitsu Siemens, HP, IBM and Intel. Software partners already developing or planning on creating "Add-Ins" for the Essential Business Server console include CA, Citrix, FullArmor, McAfee, Quest, Symantec and Trend Micro. Microsoft applications will add-in, too, of course.

E12 SP1 Released and its features

2007-11-29T12:37:00.001+03:00

Hi Friends,
As we all know that Exchange 2007 SP1 will be released for production tomorrow 30/11/2007 after a while in market as a beta release. Now I will navigate you for the SP1 features and enhancements:
- Support for IPv4 and IP6
If you installed Exchange 2007 SP1 on windows Server 2008 you have an option to enter the IPv6 format
- CAS Improvement
o GUI for administering POP3 and IMAP4 for authentication, connection and ports setting
o EAS Improvement:
§ An Exchange ActiveSync default mailbox policy is created.
§ Enhanced Exchange ActiveSync mailbox policy settings have been added.
§ Remote Wipe confirmation has been added
§ Direct Push performance enhancements have been added
o Changes to Outlook Web Access Light so that Outlook Web Access does not time out while a user is composing a long entry.
o Changes to Outlook Web Access Premium The following features have been added to Outlook Web Access Premium in Exchange 2007 SP1:
§ Users can create and edit Personal Distribution Lists.
§ Users can create and edit server side rules.
§ WebReady Document Viewing has added support for some Office 2007 file formats
§ Users will have access to the dumpster from Outlook Web Access and will be able to use the Recover Deleted Items feature.
§ A monthly calendar view has been added.
§ Move and copy commands have been added to the Outlook Web Access user interface.
§ Public Folders are supported through the /owa virtual directory.
§ S/MIME support has been added.
- HUB Improvement
o Improvements in Transport Rule in the Back Pressure Future
o The addition of transport configuration options to the Exchange Management Console
- MB Improvement
o Public folder management by using the Exchange Management Console in MB server Role
o New public folder features
o Mailbox management improvements
o Ability to import and export mailbox by using .pst files
o New performance monitor counters for online database defragmentation
o Standby continuous replication
o New quorum models (disk and file share witness)
- Unified Communication
o Many features and enhancement for UM server role [ check the website]

And Support for public folder access. Public folders can now be created, deleted, edited, and synchronized by using the Exchange Web Services.

I will give a brief of SCR new feature in Exchange 2007 SP1

o Standby continuous replication

Basically, a regional cluster solution, or remote site recovery that Microsoft present to us out of the box. In brief instead of using LCR to replicate the database to a local hard drive in the Exchange Server 2007 server, SCR lets the copy of the storage group take place on multiple remote Exchange Server 2007 server within the site or between two sites. In the event the production server fails, then the copy generated by SCR can be mounted and run. I really love the MS Exchange team !

Regards,

SCCM Extras

2007-11-24T10:32:00.000+03:00

Microsoft Links

1- System Center Configuration Manager 2007 Toolkit

Overview
The following list provides specific information about each tool in the toolkit.
Client Spy - A tool to help troubleshoot issues related to software distribution, inventory, and software metering on Configuration Manager 2007 clients.
Policy Spy - A policy viewer to help review and troubleshoot the policy system on Configuration Manager 2007 clients.
Trace32 - A log viewer that provides a way to easily view and monitor log files created and updated by Configuration Manager 2007 clients and servers.
Security Configuration Wizard Template for Configuration Manager 2007 - An attack-surface reduction tool for the Microsoft Windows Server 2003 operating system with Service Pack 1 and Service Pack 2 (SP1 and SP2) that determines the minimum functionality required for a server's role or roles, and disables functionality that is not required.
DCM Model Verification - A tool used by desired configuration management content administrators for the validation and testing of configuration items and baselines authored externally from the Configuration Manager console.
DCM Digest Conversion - A tool used by desired configuration management content administrators to convert existing SMS 2003 Desired Configuration Management Solution templates to Desired Configuration Management 2007 configuration items.
DCM Substitution Variables - A tool used by desired configuration management content administrators for authoring desired configuration management configuration items that use chained setting and object discovery.

http://www.microsoft.com/downloads/details.aspx?FamilyID=948E477E-FD3B-4A09-9015-141683C7AD5F&displaylang=en

=========================

2- System Center Configuration Manager 2007 Configuration Pack

Overview
Software installation errors and misconfigurations compromise security and stability, resulting in escalated support costs. The System Center Configuration Manager 2007 Configuration Pack can help prevent errors, increasing your organizational uptime and helping you build a more secure and reliable Configuration Manager 2007 infrastructure. This Configuration Pack contains Configuration Items intended to manage your Configuration Manager 2007 site system roles using the desired configuration management component in Configuration Manager 2007. This configuration pack monitors the following site system roles: management points, distribution points, and software update points. The Configuration Pack can also monitor Windows Server Update Services (WSUS) components on software update points or upstream WSUS servers. To manage your site system roles with this Configuration Pack, import and assign the Microsoft System Center Configuration Manager 2007 Server Roles configuration baseline to a collection which contains your Configuration Manager 2007 site systems. While there is one configuration baseline for all site systems, it evaluates compliance only for roles configured on the site system. For example, if a computer has only the distribution point role, it will not be evaluated for management point configurations. To understand in detail what each configuration item will be evaluating, review the properties of that configuration Iitem in the context of the Configuration Manager 2007 Server Role being addressed. System Center Configuration Manager 2007 site roles covered:
• Management points • Distribution points • Software update points

http://www.microsoft.com/downloads/details.aspx?familyid=45586F82-1816-4AEB-A0DC-ADE1859820B9&displaylang=en

=================================

3- System Center Configuration Manager 2007 Vulnerability Assessment Configuration Pack

Overview
Software installation errors and misconfigurations compromise security and stability, resulting in escalated support costs. System Center Configuration Manager 2007 Vulnerability Assessment Configuration Pack can help prevent errors, increasing your organizational uptime and helping you build a more secure infrastructure. This configuration pack provides vulnerability assessment reporting for common software misconfigurations using the desired configuration management component in Configuration Manager 2007. The Configuration Manager 2007 Vulnerability Assessment Configuration Pack monitors the configuration of Microsoft Windows operating systems, Internet Explorer, Microsoft Office, SQL Server, and Internet Information Services (IIS). To use this Configuration Pack, import and assign the three configuration baselines (Vulnerability Assessment: IIS Baseline, Vulnerability Assessment: SQL Server Baseline, Vulnerability Assessment: Windows Baseline) to a collection containing the computers you want to monitor. To understand in detail what each configuration item will be evaluating, review the properties of the configuration item. Scenarios:
• Scan for potential security issues that may exist because of misconfigurations. • Example checks:
o Are unnecessary services installed and running? o Do shared folders have appropriate permissions? o Is Windows Firewall enabled? o Are strong passwords enforced? o Are unsecured guest accounts enabled?

http://www.microsoft.com/downloads/details.aspx?familyid=FC6989E9-68A3-43B1-8019-72BC1B9C5FF3&displaylang=en

Step-By-Step Guide: Configure System Center Configuration Manager 2007 For Native Mode By Certificate

2007-11-18T10:27:00.000+03:00

Hi Guys

Today, I present to you the first document in the internet that guide you to configure certificates for SCCM 2007 preparing it for the native mode

the file is attached as .pdf and it's allowed to be published everywhere but please credit that to Dr.Kernel as the owner

Download Link:
http://msaadexpert.googlepages.com/SCCM_NativeMode.pdf

10 Steps guide to configure Certificate based authentication between Agents and Management Server

2007-11-15T09:05:00.000+03:00

I made this guide to configure certificate based authentication between ths SCOM RMS server and agents in non-trusted domain. Tarek did helped me at the first place by telling me about momcertimport.exe tool that i didn't knew about it at the time being, then i figured it out after a while

Download:
http://tarek.ismail.googlepages.com/CertificateOpsMgr2007.pdf

it's posted at Tarek's blog earlier that i had no blog at that time :)

SCOM 2007 Parametrs

2007-11-12T11:35:00.000+03:00

Well well well, what we have here ...

have you tried to run the /? command on every .exe file you ever see ? actually that's me :)

and here is the result of what i got on the SCOM executable file

C:\Program Files\System Center Operations Manager2007>Microsoft.MOM.UI.Console.exe /?

i liked that /clearcache one looks usefull

Microsoft Forefront Client Security Health Management Pack for MOM 2005

2007-11-12T11:12:00.000+03:00

The Forefront Client Security Management Pack allows you to monitor key Client Security components from a centralized MOM location in order to ensure that your Client Security environment is running efficiently.

This is to mention that it's just arrived, more details will come soon

http://www.microsoft.com/downloads/details.aspx?FamilyID=0672b4ca-c6dc-4093-bae6-30eb1560a429&DisplayLang=en

Microsoft Fantastic 4 :Forefront and System Center Demonstration Toolkit

2007-11-12T10:48:00.000+03:00

virtual-machine based demo environment containing Forefront and System Center products. After installing this demo, please read the accompanying Script Steps document that will show you how to demo the following capabilities:

1. System Center Configuration Manager pushing Forefront Client Security signatures to keep a client machine updated
2. Forefront Security for Exchange Server blocking viruses in emails received in Outlook 2007
3. System Center Operations Manager monitoring the health of servers and clients in the environment
4. Intelligent Application Gateway adapting user access to SharePoint 2007 based on end-point policy detection
5. Forefront Client Security performing Real-time Protection against malware.

[Require Registeration]

http://www.microsoft.com/downloads/details.aspx?familyid=4d7329b8-2bd1-4ab4-a73c-75e9e0912de8&displaylang=en

Microsoft Forefront Client Security Best Practice Analayzer

2007-11-12T10:34:00.000+03:00

Microsoft Forefront Client Security Best Practice Analayzer Ready For Download !

http://www.microsoft.com/downloads/details.aspx?familyid=0CEFAC3F-91ED-40C3-A684-603F149A4E32&displaylang=en

install and run it from
C:\Program Files\Microsoft Forefront\Client Security\BPA\fcsbpa.exe

or the command prompt version
C:\Program Files\Microsoft Forefront\Client Security\BPA\fcsbpacmd.exe

Microsoft Forefront Client Security Product Documentation

2007-11-12T10:30:00.000+03:00

Download the product documentation for Forefront Client Security. Documentation includes guidelines and information from the Microsoft Forefront Client Security team, including deployment instructions and more.The June 2007 release contains:

• Microsoft Forefront Client Security Getting Started Guide

• Microsoft Forefront Client Security Planning and Architecture Guide

• Microsoft Forefront Client Security Deployment Guide

• Microsoft Forefront Client Security Administrator's Guide

• Microsoft Forefront Client Security Performance and Scalability Guide

• Microsoft Forefront Client Security Disaster Recovery Guide

• Microsoft Forefront Client Security Security Guide

• Microsoft Forefront Client Security Troubleshooting Guide

• Microsoft Forefront Client Security Technical Reference Guide

http://www.microsoft.com/downloads/details.aspx?familyid=90044d88-299b-49fb-b762-eae17a1f01f4&displaylang=en

http://rapidshare.com/files/69134941/FCS_Docs.zip.html

FCS Service Kit: Scripts to uninstall Mcafee, Symantic, Sophos, E-trust and Trend AVs

2007-11-12T10:11:00.000+03:00

Hi guys, today and after all here it comes the uninstall scripts for the Antivirus products

This rar file include:
FCS-SampleScript Install FCS Client.vbs
FCS-SampleScript Uninstall Anti-Spyware Products.vbs
FCS-SampleScript Uninstall eTrust AV.vbs
FCS-SampleScript Uninstall McAfee AV.vbs
FCS-SampleScript Uninstall Sophos AV.vbs
FCS-SampleScript Uninstall Symantec AV.vbs
FCS-SampleScript Uninstall Trend AV.vbs
FCS-SampleScript-XPSP2 HotFix Install.vbs

That helps you to uninstall other AV Products before installing FCS Agent, you can edit it to target specific version or product

http://rapidshare.com/files/69132716/FCSScripts.rar.html

Please use wise

Regards

How to uninstall Forefront Client Security Agent From All Computers By Startup Script

2007-11-12T08:56:00.001+03:00

Well, after a lot of deployment scenarios. I wondered what if i want to uninstall FCS from all computers, the TechNet says that you will manually uninstall it. but i again i wan't completly convinced by this solution for the enterprise.. so

i managed to get the hash for the FCS agent and use it with MSIEXEC /I command to uninstall the Agent

well here is the way:

To uninstall put the red line in a .bat file and made it startup script

Microsoft Forefront Client Security Antimalware Service v 1.5.1941.9
MsiExec.exe /I{D3E31640-DC20-4722-A1CF-604FF6C540B0}

Microsoft Forefront Client Security State Assessment Service V 1.0.1703.0
MsiExec.exe /X{E8B56B38-A826-11DB-8C83-0011430C73A4}

Regards

Forefront Client Security Features

2007-10-27T13:54:00.000+03:00

1- Best Of Breed:
As Microsoft infrastructure products fit best together with its other Microsoft products, we offer FCS that integrate with AD infrastructure and integrate with your operating system well as. The anti virus vender is the same with the operating system vendor which present the Best Of Breed and integration between the same Microsoft platform ensuring that no Third parties overwrites or additional registry keys. beside other anti viruses while uninstalling, It doesn't remove all its registry keys and files.. FCS works best with Microsoft Desktops

2- Unified protection
While any antivirus system is based on windows system and its services, and while operating system is booting and starting service after service, you should know that the over-windows services always run the latest as kernel and core windows services must run first, till the operating system complete it’s loading and the antivirus service is not yet initiated, the operating system is 100% unsecured and as it have not any antivirus software installed , and any worm even it’s absolute worm can attack your system and kill your antivirus service at the first place !
With Forefront client security you ensure that operating system is batched with latest batches and hot fixes to ensure there are no worms attack that will use any old or new System vulnerability to launch attack on your system by distributing updates by Microsoft Software update Service

3- Best Of Class
One of the best antivirus have been before in house with low price against others

4 – Deployment
Setting get to client by means of group policies with the GPMC that add registry keys to the FCS Client to point him to his management server which present ease of use out-of-the-box

5- Reporting
With Microsoft SQL reporting engine, and with the managed MOM agent that’s deployed with FCS client, you can generate reports on incidents and events that had happened in the Viruses behavior in your network

· Awards
Info Security 2008 Global Product Excellence Finalist
ICSA Labs Certification
Virus Bulletin 100% Award
West Coast Labs Checkmark Certification

· Reporting Design

Summary:

Unified Protection
One solution for spyware and virus protection
Built on protection technology used by millions worldwide
Effective threat response
Complements other Microsoft security products

Simplified Administration
One console for simplified security administration
Define policy to manage client protection agent settings
Deploy signatures and software faster
Integrates with your existing infrastructure

Visibility and control
One dashboard for visibility into threats and vulnerabilities
View insightful reports
Stay informed with state assessment scans and security alerts

Microsoft Forefront Server Security Management Console Trial Version Available !

2007-10-23T14:06:00.000+03:00

The Microsoft Forefront server Security management CONSOLE (FSSMC) is available now as RTM version and can be downloaded in the Download center as 120 Day Trial

Assistance of the FSSMC installations can be administered and supervised by Microsoft Forefront server Security and Microsoft antigen in a network together over a Web-based surface central.

http://www.microsoft.com/downloads/details.aspx?FamilyID=f9b669c6-6f9f-4c09-8457-c00b5b6ebd7a&displaylang=en

Microsoft Forefront Server Security Management Console User Guide

http://download.microsoft.com/download/f/7/2/f727049c-b15f-4754-bb1f-b36161ca8f28/FSSMC_Users_Guide.doc

Exclude Certian Processes From Forefront Scan Jobs

2007-10-23T13:52:00.000+03:00

If one would like to exclude certain processes with Forefront Client Security (FCS) from the Scan by the anti-mark commodity engine, one does not become fuendig in the possible attitudes of a guideline in the Forefront Client Security management CONSOLE. There there is the possibility of listing paths and file extensions only unfortunately to indicate. One can deposit processes which can be excluded at present only directly in the Registry or by GPO (ADM):

For each process in addition under
HKLM\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes
new DWORD entry with the complete listing name of the process (e.g. "C:\WINDOWS\system32\Dienstname.exe") one puts on.

The value of these entries is always 0

Triggering Immediate Update Checker for Win and FCS updates

2007-10-23T13:48:00.000+03:00

After you Deploy FCS you will wait the client operating system to detect updates based on the frequent that you specified in the group policy, but you can immediate trigger update detection by running this command in the RUN or CMD : wuauclt /detectnow .. here is a guide for some wuauclt command and its parametrs that i found usefull:

[Quote]

Client Troubleshooting Tool RequirementI'd like to see either one tool (i.e wuauclt.exe) that does "everything", or two tools: wuauclt (that runs client stuff) and waucltLINT (that sorts out issues, ala DNSLINT, etc). I can live with either, although there might be value in having 2. But in what follows, I've assumed that JUST wuauclt.exe is to be used.The following feartures/switches are needed.1. /? - list parameters and usage/? - describes usage of wuauclt.exeThe /? switch should be supported and give details of wuauclt usage. If client options are in error, this summary is displayed following an explanation of why the error occured. ALL command line tools should support this option.

2. Verbose mode console logging, with multiple levels/v - verbose mode/vv - very verbose modeBoth switches cause wuauclt to output normal log information to the command line (STDIO). /v provides basic information, while /vv logs greater detail. /vv is what is logged in normal logs. While wuauclt can log to a log file, it's more work for the admin when troubleshooting, The admin has to run the command, then navigate over to another folder, find the log, the navigate to the end of it, to find out where the run began. This is harder than it needs to be, and the /v, /vv options could just pipe log entries to stdio.

3. List client configuration/configlist - lists WUAUCLT configuration.This option lists all configuration items current by the client, and includes the client version number, AU policy/registry settings and provide details of all AU clients files, version numbers, file dates, etc. This helps admins (and MS) to ensure that the right client versions are loaded.

4. Install the correct AU client by force/installAUclient/installAUclientFromMicrosoftThis option causes the system to contact either the confiugred WSUS server, or Microsoft's WU server, and to reinstall forefully the latest version of the AU client. This enables admins (and MS) to ensure that the latest client versions are loaded, and enables download from Microsoft for roaming systems.

5. Make /DetectNow a little less silent/DetectNow - forces a client AU detection and logs detailsThe /detectnow option should log to stdio what it is doing. This includes what WU server is it contacting, how many updates are on the WU server, and how many are needed by the client, etc, and any information being sent back the server. This is really no change, just requesing some level of output to stdio. This makes troubleshooting quicker.

6. Clear Log File/clearlogfile - clears the client update log file/clearandsaveogfile - saves the current client update log file to a named file, then clears the update log.Currently, the client log appears to be non deletableand just grows. This is a potential DOS vector. Also, for troubleshooting, it's helpful to be able to clear the log (possibly saving it first for later detailed exam).

7. Download Updates Now/downloadnow - initiates an immiate downoad of any requried update using BITS/downloanowfast - initiates an initiates an immiate downoad of any requried update using HTTP.This option forces the AU client to start downloading of any outstanding updates. the secton version downloads using HTTP, and is therefore much faster in elapsed time and is mainly used for troubleshooting isues (or possibly to speed up larger updates). Often, expecially for laptops that have been 'abroad' for awhile, you want to just get all the approved updates NOW, and not wait for the next detection time.

8. Stop Downloading AU Updates/stopdownload - stops any AU updates being downloaded (either using HTTP, or BITS).This option stops the downloading of any AU updates either queued, or in progress. Just as you can invoke a download, you need to be able to stop it.

9. Test WSUS Server Connecttion/TestWSUSServer - checks connection with configured WU ServerThis option attempts to coonect to the WSUS server configured, and checks that a connection can be made, and that communcations between AU client and WSUS server is working. This would be useful for example, to diagnose network communications failures, or an internal firewall that might be accientally blocking some traffic between client and server.
[Quote/]

and don't forget to always check the \windowsupdate.log to see the AU error and sucess logs

Cheers

Forefront Client Security Startup Scan batch

2007-10-22T23:12:00.000+03:00

When you deploy FCS, there is no option for making a startup scan, we can make this feature working by making a startup script with a batch file that run the following command

For Quick Scan:
%ProgramFiles%\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe scan scantype 1

For Full Scan:
%ProgramFiles%\Microsoft Forefront\Client Security\Client\Antimalware\mpcmdrun.exe scan scantype 2

tested ;)