Monday, June 27, 2016
Is RBAC in Microsoft Exchange flawed?
If you ask Microsoft, they will tell you that it is not. If
you ask me or my friend, we think there is a rather serious flaw in the way that
permissions via RBAC work in the Exchange world.
Background
RBAC (Role-Based Access Control) is the method by which permissions
are granted to accounts in Microsoft Exchange. By using a combination of
Management Roles, Management Role Assignments, Management Role Entries as well
as Role Groups and Role Group Members, it is possible to assign fine-grained
policies for Microsoft Exchange tasks. For example, you could permit one user
account to only be able to mount and dismount mailbox databases beginning with the
letter A, or you could let an account be able to change any attributes on
distribution groups in a certain Active Directory OU.
So what’s the problem then?
The problem is that when an Exchange PowerShell command
runs, it does not actually run under the user account that executes the command.
Instead, RBAC checks that the user has the necessary permissions, and then runs
the command in the context of the Exchange Server itself.
Well, I sort of understand that, but why is that a
problem?
Do you know all the accounts that are able to log on locally
to any of your Exchange Servers worldwide? Are you sure? Every single backup
account, antivirus account, SCCM account, etc.? Are you sure somebody can’t do
a Mimikatz, or even reset the local Administrator password on one of the
Exchange servers with a Live CD?
Not sure, but why is that important?
Try this (only with your Exchange Admin’s permission of
course): Log on locally on an Exchange Server with an account that is a local
admin, preferably with an account that has absolutely no Exchange permissions
whatsoever and run a “PSEXEC -sid cmd” (you might need to download the PSEXEC
command). You now have a cmd box running as the Exchange Server itself. From
there you can start Active Directory Users and Computers, or PowerShell
(Exchange Management Shell), or the Exchange MMC snap-in (the last one only in
Exchange 2010) or whatever.
Yeah, so I’m the Exchange Server, whoopee, so what?
Well, if you’re using the split RBAC permissions model that
Microsoft recommends (but which is not always used) then it’s not too bad: you just have
full Exchange Organizational Admin permissions across the entire Org. You can
stop and start databases, create and delete them, set permissions on any
mailbox, create, change and delete connectors, just about anything really;
you’re basically an Exchange god for the complete Exchange org… so just for
fun, run a “get-mailbox -resultsize unlimited | remove-mailbox -whatif”. That
would (without the -whatif) cut down a lot of your Email traffic, deleting
every single mailbox throughout the complete Active Directory forest. (Don’t
really do this, people may get upset).
Additionally… if you’re not running the split permissions
model that Microsoft recommends, then, using this method, you are not only
Exchange god as explained in the previous paragraph, but also quite a powerful Active Directory Admin: you can create, delete and modify users, groups and contacts in ANY
domain throughout the forest (that have been domain-prepped for Exchange, which
is normally all of them) and reset any non-AdminSDHolder password from any domain.
The only thing you can’t play with are AdminSDHolder accounts from an Active Directory
point of view (although you can still play with their Exchange attributes).
Well that sounds quite serious, do Microsoft know about
this?
Yes, the matter was reported to Microsoft, but their answer
was simply “If you can’t trust your Admins, you’ve already lost”. Now that
may be O.K. for them to say, but for some companies, it is sometimes not
possible to know every Administrator in every location, never mind knowing
every user that has physical access to an Exchange server with a trusty
reset-password boot CD to hand, but you’re still meant to trust them.
What do we think?
We can understand Microsoft from the point of view that if
your server is compromised, you’ve already lost, but the difference between
a compromised Exchange Server and a compromise of other Microsoft Server products is rather great.
Compromise a SQL Server, whoopee, you’ve got a SQL Server. Compromise a
SharePoint server, whoopee, you’ve got a SharePoint Server. But, if you're able to log on
to one Exchange Server, you’ve got the whole Exchange Org under your control,
and possibly, depending on if you have not split the AD Permissions, 99% of the
Active Directory forest (yes, forest, not domain).
Is there a solution?
Sort of, although you’re probably not going to like it.
Change to using the split-AD permission model, remove all possibility of anyone
who is not an Exchange Org Admin being allowed to log onto an Exchange server
(including SCCM, SCOM, …) and physically secure the servers. Also, make sure
that the backup account passwords are only known by the Exchange Org Admins or
find some other way of doing backups. There’s more… if you’re particularly
paranoid, lock down the AdminSDHolder accounts in all domains so that the
Exchange Server cannot modify their attributes. Also, you may want to turn on
BitLocker, and/or use BIOS passwords, so that the Password reset CD will not
work. Now just make sure that nobody has access to the local users and
computers on any Exchange Server so that they can’t add anybody to the
administrators group, and you’re almost done. Finally, though, keep your fingers
crossed, you never know, it might help.
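One way to check how exposed you are, as an added example that is not part of the original post: list everybody who is a local administrator on each Exchange server but is not an Exchange Org Admin, and test whether the split-AD model appears to be in place. It assumes the Exchange Management Shell, the ActiveDirectory module, PowerShell remoting and Windows PowerShell 5.1 on the servers, and that the Exchange security groups still have their default names; the split-permissions test is a heuristic based on the default group nesting.

```powershell
# Added example, not the author's code. Run from the Exchange Management Shell
# as an Exchange Org Admin, in the domain that holds the Exchange security groups.
Import-Module ActiveDirectory

# 1. SIDs that are expected in BUILTIN\Administrators on an Exchange server:
#    the two default Exchange groups and everyone nested inside them.
$expectedSids = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($groupName in 'Organization Management', 'Exchange Trusted Subsystem') {
    $group = Get-ADGroup -Identity $groupName
    [void]$expectedSids.Add($group.SID.Value)
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { [void]$expectedSids.Add($_.SID.Value) }
}

# 2. Read the local Administrators group (well-known SID S-1-5-32-544, so the
#    lookup also works on non-English servers) on every Exchange server.
$unreachable = @()
$findings = foreach ($server in Get-ExchangeServer) {
    $members = Invoke-Command -ComputerName $server.Fqdn -ErrorAction SilentlyContinue `
                              -ErrorVariable remoteError -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
            # Return plain strings so nothing is lost when the object is serialized
            [pscustomobject]@{
                Name        = $_.Name
                Sid         = $_.SID.Value
                ObjectClass = "$($_.ObjectClass)"
                Source      = "$($_.PrincipalSource)"
            }
        }
    }
    if ($remoteError) { $unreachable += $server.Fqdn; continue }

    foreach ($member in $members) {
        if (-not $expectedSids.Contains($member.Sid)) {
            # Anything here can get a SYSTEM shell on the server: the local
            # Administrator account, Domain Admins, backup/AV/SCCM accounts, ...
            [pscustomobject]@{
                Server      = $server.Fqdn
                Member      = $member.Name
                ObjectClass = $member.ObjectClass
                Source      = $member.Source
            }
        }
    }
}

$findings | Sort-Object Server, Member | Format-Table -AutoSize
if ($unreachable) { Write-Warning "Not checked (remoting failed): $($unreachable -join ', ')" }

# 3. Heuristic for the split-AD permission model: by default Exchange Trusted
#    Subsystem is a member of Exchange Windows Permissions, which is what gives
#    the servers their rights over users and groups. If it is still a member,
#    assume the servers can modify Active Directory objects.
$nested = Get-ADGroupMember -Identity 'Exchange Windows Permissions' |
    Where-Object { $_.Name -eq 'Exchange Trusted Subsystem' }
if ($nested) {
    Write-Warning 'Exchange Trusted Subsystem is in Exchange Windows Permissions: split-AD permissions do not appear to be enabled.'
} else {
    Write-Output 'Exchange Trusted Subsystem is not in Exchange Windows Permissions (consistent with split-AD permissions).'
}
```

Nested domain groups that show up in the findings still need to be expanded by hand, and accounts that can log on locally without being administrators are not covered by this check.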
Is there a better solution?
Yep, simple to state, hard to implement: Microsoft could
change RBAC so that the command actually runs in the user context instead of
the server context. But as you’ve already heard, it’s not an RBAC issue, it’s a
trust issue, so there’s no need to fix it.
Labels: RBAC Microsoft Exchange
Wednesday, April 27, 2011
Manually Creating a MobileConfig file including certificates
I've spent a long time trying to automate the creation of MobileConfig files (they are the configuration files for Apple devices: iPod, iPad and iPhone). The format is relatively simple (i.e. XML) but I have always been stuck when trying to include a personal certificate in the file. Now I am no longer stuck!
I found out that all you need is the certificate as a .PFX file, and then use CERTUTIL with the following syntax
certutil -encode alginald.pfx alginald.enc
then you need to remove the first and last lines of the file (the BEGIN CERTIFICATE and END CERTIFICATE) and then add it to the mobileconfig file. Yippee...
I'm using powershell to script the creation, so a couple more pointers..
To strip the first and last lines..
$content=gc alginald.enc
$newcontent=$content[1..($content.length-2)]
I also use the add-content command to add to the end of a file, but it also needs the UTF8 encoding part.. i.e.
add-content alginald.mobileconfig -value $newcontent -encoding UTF8
Hope this helps...
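An added example (not the original script from this post): the same result in one step, base64-encoding the PFX directly in PowerShell so there are no BEGIN/END lines to strip, and wrapping it in a complete profile. The function name, identifiers and display name are placeholders chosen for the example.

```powershell
# Added example, not the post's script. Names and identifiers are placeholders.
function New-IdentityMobileConfig {
    param(
        [Parameter(Mandatory)][string]$PfxPath,   # e.g. alginald.pfx
        [Parameter(Mandatory)][string]$OutPath,   # e.g. alginald.mobileconfig
        [string]$DisplayName = 'Personal certificate',
        [string]$Identifier  = 'com.example.profile'
    )

    # Base64 of the raw PFX bytes: the same data certutil -encode writes
    # between its BEGIN CERTIFICATE and END CERTIFICATE lines.
    $pfxBytes = [System.IO.File]::ReadAllBytes((Resolve-Path $PfxPath).ProviderPath)
    $b64 = [Convert]::ToBase64String($pfxBytes, [System.Base64FormattingOptions]::InsertLineBreaks)

    # Escape anything that ends up inside XML text nodes
    $name = [System.Security.SecurityElement]::Escape($DisplayName)
    $id   = [System.Security.SecurityElement]::Escape($Identifier)

    $payloadUuid = [guid]::NewGuid().ToString().ToUpper()
    $profileUuid = [guid]::NewGuid().ToString().ToUpper()

    # No Password key is written, so the PFX password is not stored in the file.
    $xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>${id}.identity</string>
            <key>PayloadUUID</key>
            <string>$payloadUuid</string>
            <key>PayloadDisplayName</key>
            <string>$name</string>
            <key>PayloadContent</key>
            <data>
$b64
            </data>
        </dict>
    </array>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadIdentifier</key>
    <string>$id</string>
    <key>PayloadUUID</key>
    <string>$profileUuid</string>
    <key>PayloadDisplayName</key>
    <string>$name</string>
</dict>
</plist>
"@

    # UTF8, as with add-content in the post
    Set-Content -Path $OutPath -Value $xml -Encoding UTF8
}

# Usage with the file names from the post:
# New-IdentityMobileConfig -PfxPath .\alginald.pfx -OutPath .\alginald.mobileconfig
```

The resulting file contains the PFX, private key included, so it needs the same handling as the .pfx itself.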
Labels: certificate, iPhone, mobileconfig, nsdata
Thursday, February 04, 2010
iPhone PDF attachment missing
Well, this is a strange one. iPhone syncing with Exchange 2003 via Push Mail. Sharepoint (or MOSS or WSS or....) sends mail with PDF attachment. In Outlook, everything OK. On iPhone, cannot see the attachment. Mail sent to a different user, also with iPhone and Push Mail. PDF is in the mail, and can be opened on the iPhone.
Solution: Use ADSIEDIT, navigate to the mailbox where it is not working, and change the attribute mapirecipient from TRUE to FALSE, or just remove the value.
Unbelievable, but true...
(Looks like the attribute has been left there from the good old 5.5 days... new mailboxes do not get this attribute set)
Labels: attachments, iPhone, mapirecipient, MOSS, PDF, Sharepoint
Friday, August 28, 2009
Changed Job again
After over 2 1/2 years at PlanB (www.plan-b-gmbh.com) I have changed jobs. Although I enjoyed my work there, it wasn't really the life for a family man. It involved lots of travelling, and long hours, which was fun before my family came about, but I was missing my children growing up. Therefore I have moved to a local company, with friendly colleagues, and a lot less travelling / fewer hours.
Nanu, if you read this, please call me....
Tuesday, July 14, 2009
Don't use biro on a notebook when using paintbrush....
After showing somebody (name removed to protect the innocent) how to use paintbrush on a notebook, and then it not working when they tried it on their own, the person decided that if the mouse wouldn't work, they would use a biro to "paint" on the screen... result? one notebook screen covered in biro. Spent 30 minutes using a normal screen cleaner, and probably did more damage than good. Solution? Buy some isopropanol spray from your local retailer (in Germany, Conrad Electronics) and it removed all the biro within 20 seconds. Cost? €6.45
Labels: biro notebook screen lcd isopropanol remover
Thursday, February 12, 2009
Office Communications Server R2 - Error 0x80070534
Just done my first test install of OCS R2, and each time I tried to activate the OCS Server, it generated the above error, and wouldn't activate. Problem? To save time, I installed W2K8 x64 once, sysprep'd it, and then used two copies, one for the DC, and one for an OCS Standard server. This seems to be the cause. Once I installed a fresh W2K8 x64 for OCS, everything worked first time.
Labels: 0x80070534 80070534 OCS R2 Activate
Wednesday, January 21, 2009
Unable to send / receive SMS (text) messages on my phone for months
Turns out that because I've got dual-sim (one for a backup phone) the messages only go to the primary sim, which I've had turned off for months. A very helpful T-Mobile person (unbelievable, but true, they do exist) told me how to change it. Just call the number *222# on the phone and this changes the SIM to which messages are sent
Labels: dual-sim sms *222# text
Monday, August 11, 2008
OCS - Office Communicator cannot access address book
Troubleshooting Address book issues with OCS can be a pain, fortunately, there's a really good troubleshooting guide over at http://ucnoevil.blogspot.com/2008/03/address-book-chaos.html
My problem? Service Account password expired on the OCS Application Pool in IIS.
When you install OCS, it creates the service accounts automatically, but does not set them as "Password never expires" therefore, depending on your password policy, after a while, the application pool cannot start anymore. Changed the account so that the password never expires, and re-entered the password on the application pool properties page, restarted the pool and BINGO!
Wednesday, July 30, 2008
OCS / Communicator - Cannot Synchronize Address Book
Although there are lots of reasons for this error appearing, including problems with the Web Server itself, or a corrupt file, one solution that keeps cropping up in a LAN environment is that the OCS Address Book server is not in the "Bypass proxy for" part of Internet Explorer. In this case, the Communicator client tries to connect to the address book server via a proxy server, which may need authentication, and therefore fails.
Thursday, July 24, 2008
Strange problem sending an email as attachment in a task Outlook 2007 / Exchange 2007 / Forefront for Exchange SP1
Strange problem.... if Forefront is configured to block TNEF files in the wild card file filtering, and somebody sends a task to somebody else, and in the task there is an attachment, and in the attachment there is a full stop (.) in the subject, it gets rejected. Work that one out.
Labels: TNEF Forefront Exchange Outlook subject full stop point .
Wednesday, July 23, 2008
Cannot delegate calendar to shared mailbox or mail non-universal group -Exchange 2007
Strange problem with Outlook 2007 users running against an Exchange 2007 server. Outlook 2000 users were not affected by the problem.
If a user tries to delegate their calendar (or grant other types of permissions) to either a shared mailbox or a global mail-enabled security group, they cannot. When they try to select the object, it is marked with a red cross. This is because shared mailboxes are normally associated with a disabled user, or because Exchange 2007 does not support non-universal groups. Fix? Change the mailboxes back to normal user mailboxes with set-mailbox -Type:Regular (or even a get-mailbox -recipienttypedetails:SharedMailbox | set-mailbox -Type:Regular). As for the groups, I manually changed them to universal groups, and they're all working now.
Labels: calendar delegate permissions shared mailbox outlook 2007 exchange
Tuesday, July 01, 2008
0x80050014 - Server-sided Active Sync
Yes, I've followed article http://support.microsoft.com/kb/817379 and no, I still can't sync over the wire. I'm running a front-end/back-end scenario. (With multiple back-end servers and some are working fine)
Solution: On the back-end server make sure that the /exchange directory has BASIC and Integrated Windows Authentication checked. For some reason the IWA was missing on one server :-(
p.s. download the virtual images of Windows Mobile, this helps in troubleshooting and means you don't have to hard-reset your own device when testing... go here
Labels: 0x80050014 80050014 817379 active sync
Thursday, May 22, 2008
Added New Photos of Alan and Peter
Finally got round to adding a few (not many) actual photos of the little ones. Alan is well over 2 and Peter is 10 months. Peter is standing and walking around by holding onto things, whereas Alan is just creating chaos wherever he goes. Got to get a garden fence to keep them in. Photos, as usual, can be found at www.flickr.com/photos/alginald
Wednesday, February 27, 2008
Dell 1815dn Multi Printer sends PDF via Exchange 2007 incorrectly
Had a problem today with a Dell multi device, whereby the attachment was in plain text in the mail instead of as attachment.
Solution: Download the latest firmware from the DELL site... 28/02/2008 is the firmware date
Labels: Dell 1815dn PDF Exchange Scan
Tuesday, July 17, 2007
And then there were four......
Peter James was born last night, 16.07.2007. 3350g, 54cm. Both Diddly and Peter are doing well, the two Alans are having a ball. More photos can be found at www.flickr.com/photos/alginald
Tuesday, June 05, 2007
Quintum and Office Communications Server 2007
I got a new toy. Well, it's not really a toy, but a rather wonderful box of tricks that allows you to connect almost any PBX to OCS 2007. It cost less than €800 and allows me to connect 2xBRI (4 lines) directly to OCS as a Media Gateway. OCS is in turn connected to our Exchange 2007 SP1 (beta) server. Now we can call in, call out and access our mailboxes via speech. Just like to say thanks to the people at Quintum for their help in setting up the box, really helpful friendly people. Check them out at http://www.quintum.com. Bressner is the reseller in Germany, you can find them at http://www.bressner.de
That's all
Publishing Multiple Exchange 2007 behind ISA Server 2006
I liked the idea of a Front-end Server in Exchange 2000/2003. Trying to get the same to work with Exchange 2007 is a nightmare. If you want to publish all mailboxes using one front end, you need cas proxying. Unfortunately cas proxying breaks access to sharepoint and file shares in OWA. Take your choice, either publish at least one CAS server per AD Site separately to get sharepoint access, or use CAS proxying with only one server and no sharepoint.
Now how do I get both features, single front-end and sharepoint access? Answers on a postcard please......
Labels: Exchange 2007 isa 2006
Wednesday, May 09, 2007
Asterisk, SIPX and Exchange 2007
I've had a lot of mails, and hope that I've helped a lot of people over the past few months. However, some people found the instructions quite daunting. I recently received information from Ryan that he has created a clearer step-by-step. I've had a look, and it's much better than mine. I would encourage anybody who wants to get this scenario working to have a look... http://blog.lithiumblue.com/2007/04/accessing-exchange-2007-unified_29.html
Monday, January 08, 2007
Plan-B GmbH
Hi All, Just to let you know, I now work for Plan B GmbH in Wasseralfingen. My email address is "first dot last @ plan-b-gmbh.com". My private address is still "alginald at gmx . de". Check out our web site at www.plan-b-gmbh.com
Tuesday, November 28, 2006
Instructions on how to connect Asterisk to Microsoft Exchange 2007 for Unified Messaging
UPDATE AGAIN: There are MUCH better instructions for this at http://blog.lithiumblue.com/2007/04/accessing-exchange-2007-unified_29.html I recommend you take a look at Ryan's step-by-step. My guide is nearly 6 months old now, and there are some things that Ryan has done that make it a lot easier to set up than mine. Well done Ryan :-)
*UPDATE:- I will not be adding to the following information any more. I have almost finished a new installation, linking Asterisk with Exchange, which copes with all the Exchange Unified Messaging features such as fax, OVA and answering machine. This will appear on this page in the very near future.
Please note that the instructions do not cover the installation of the sipx and asterisk servers, only the configuration of them. I originally used the VMWare community images of trixbox (asterisk with loads of add-ons) and SIPX. Since then, I have installed a stand alone trixbox (iso image from www.trixbox.org). I'm still having problems with CAPI (Fritz! PCI installed in my Asterisk server, cos it was cheap - €30 for two lines is a nice price for testing) so I'll probably end up installing it again using SUSE 9.3 (cos there's a better CAPI driver for SUSE from avm). However, this does not affect how it works. I can dial in via a normal telephone, or I can use a SIP phone connected to either the Asterisk or the SIPX machine and access Exchange UM.
If anybody would like even more detailed instructions (i.e. screenshots, config files, etc.) please let me know. Either add a comment here, or write to me at alginald at gmx dot de. No spam please, I'm vegetarian.
What this document covers:-
1) When somebody connected to the asterisk dials 666666, the call should be forwarded to the Exchange 2007 Auto attendant, whereby the caller can choose to contact somebody directly, or leave a message for them (voice mail)
2) When somebody connected to the asterisk dials 55, the call should be forwarded to the Exchange 2007 Subscription number, whereby the caller can enter their mailbox number, and their pin number for access to their mailbox via Outlook Voice Access
What is not working:-
1) The caller ID is currently not passed correctly from sipx to Exchange, so all Voice messages originate from "anonymous" at the moment
2) Dialling from Exchange 2007 out. This is quite easy to configure, and I have had it working, I have even included some of the instructions, but have not fully tested it
Initial installation
Install Exchange 2007 with the Unified Messaging role
Install Asterisk (I installed , from www.trixbox.org and the trixbox VMWare image, both worked fine)
Install SIPX. (I used the VMWare image from the VMWare community download pages)
The rest of this document assumes that you have downloaded and are using the VMWare images of trixbox and sipx.
The following computers are used...
asterisk1.local. (TRIXBOX)
IP address 192.168.254.127/24
DNS 192.168.254.152
testorg.int (SIPX)
IP address 192.168.254.10
DNS 192.168.254.152
e2k7srv2.testorg.int (Exchange / AD / DNS)
IP address 192.168.254.152
DNS 192.168.254.152
(I know that the sipx box has got the same name as my domain, that was not done on purpose, a different name can be used if you want)
********************************* START OF EXCHANGE 2007 CONFIGURATION ******************************
What to configure on the Exchange 2007 server
1) Create a new UM Dial Plan....
new-UMDialPlan -Name:'DialPlan6' -NumberOfDigitsInExtension:'6'
2) Add the subscription number 5 to the UM Dial Plan
In the Exchange Management Console, click on Organization Configuration / Unified Messaging / DialPlan6
On the second tab, Subscription Access, add the subscription number "5"
3) Create a new UM IP Gateway...
new-UMIPGateway -Name:'SIPX' -Address:'192.168.254.5' -UMDialPlan:'DialPlan6'
(If you do not want to dial out using Exchange, open the properties page for the IP gateway, and deselect the "Allow outgoing calls".)
4) Create two new hunt groups for the UM IP Gateway.....
new-UMHuntGroup -Name:'Hunt5' -IPGateway:SIPX -UMDialPlan:'DialPlan6' -PilotIdentifier:'5'
new-UMHuntGroup -Name:'Hunt6' -IPGateway:SIPX -UMDialPlan:'DialPlan6' -PilotIdentifier:'6'
5) Create a new Auto Attendant.....
new-UMAutoAttendant -Name:'AA6' -UMDialPlan:'DialPlan6' -PilotIdentifierList:'666666' -Status:'Enabled' -SpeechEnabled:$true
6) Once the Auto Attendant has been created, edit the properties, and on the features tab, select
Allow caller to transfer to users
Allow callers to send voice mail
Callers can contact anybody in the Global Address List
Allow transfer to operator during business hours
Allow transfer to operator after business hours
(You don't have to configure all of these if you don't want to, but you should have at least the "allow callers to send voice mail" and the "anybody in the GAL" set.)
7) Add the Dial Plan (DialPlan6) to the Exchange server
In the Exchange Management Console navigate to Server Configuration / Unified Messaging. Click on the e2k7srv2 server in the main pane with the right mouse button and click on properties. On the UM Settings page, add the dial plan to the list.
(There's probably a management shell command for this, but I used the GOOEY ;-))
8) Create a new UM Mailbox Policy...
new-UMMailboxPolicy -Name:'UMMailPolicy6' -UMDialPlan:'DialPlan6'
9) Enable Unified messaging for one or more test users. I gave Mickey Mouse the extension 777777 and Donald Duck the extension 777778.
********************************* END OF EXCHANGE 2007 CONFIGURATION ******************************
************************************ START OF ASTERISK CONFIGURATION ********************************
Now to configure the asterisk....
There are two ways of configuring the asterisk, you can edit the files via putty or the local console, or you can use the trixbox interface.
************************ start of asterisk configuration using trixbox ************
If you want to configure Asterisk using the Web Interface from trixbox, do the following
1) Connect to the server with a web browser (in my case http://192.168.254.127)
2) Click on System Administration and logon with user maint and password password (or whatever)
3) Click on FreePBX (you could also go directly to the page http://192.168.254.127/admin instead)
4) In the new browser window (FreePBX), click on setup
5) Click on TRUNKS
6) Click on Add Sip Trunk
7) Set the following
name:SIPX
Outbound Caller ID:6
Dial Rules:6666+6XXXXXXX
Outbound Dial Prefix:66
Peer Details:
host=192.168.254.5
secret=voipjot
type=peer
username=66666666
8) That's the first trunk. Now do the same again for the second one...
name:SIPX2
Outbound Caller ID:5
Dial Rules:5555+5XXXXXXX
Outbound Dial Prefix:55
Peer Details:
host=192.168.254.5
secret=voipjot
type=peer
username=5555
9) Click on outbound routes
10) Click on Add Route
11) Create a route with the following settings
name:1 6_SipX
Dialpatterns:6.
Trunk Sequence:SIP/SIPX
12) Create a second route with the following settings
name:5_SipX
Dialpatterns:5.
Trunk Sequence:SIP/SIPX2
13) If you want to add a softphone extension for testing do the following
14) Click on extensions
15) Click on SIP and set the following
Display Name:Yourname
Extension Number:200
Direct DID:200
secret:12345678
************ End of Asterisk configuration using trixbox ******************
If you don't want to use the trixbox front end, you can edit the files in the /etc/asterisk directory directly instead. Do the following...
What we need to configure is two Dial Plans and two trunks.
Here is my /etc/asterisk/extensions_additional.conf, which is used for the dial plans
;********************** Start of extensions_additional.conf ***************************
DIRECTORY_OPTS =
OUTCID_1 = 6
OUTMAXCHANS_1 = 100
VM_PREFIX = *
TONEZONE = de
ALLOW_SIP_ANON = yes
FAX_RX_FROM = freepbx@gmail.com
VM_DDTYPE =
VM_GAIN =
DIALOUTIDS = 1/2/3/
OUTCID_2 =
OUTMAXCHANS_2 =
OUTPREFIX_2 =
OUT_2 = AMP:CAPI/ISDN1/$OUTNUM$
OUTPREFIX_1 = 66
OUT_1 = SIP/SIPX
OUTCID_3 = 5
OUTMAXCHANS_3 = 1
OUTPREFIX_3 = 55
OUT_3 = SIP/SIPX2
;end of [globals]
[app-cf-busy-off]
include => app-cf-busy-off-custom
[ext-did-direct]
include => ext-did-direct-custom
exten => 200,1,Set(FROM_DID=200)
exten => 200,n,Goto(from-did-direct,200,1)
; end of [ext-did-direct]
[ext-local]
include => ext-local-custom
exten => 200,1,Macro(exten-vm,novm,200)
exten => 200,hint,SIP/200
; end of [ext-local]
[outbound-allroutes]
include => outbound-allroutes-custom
include => outrt-001-1 6_SipX
include => outrt-002-5_SipX2
exten => foo,1,Noop(bar)
; end of [outbound-allroutes]
[outrt-001-1 6_SipX]
include => outrt-001-1 6_SipX-custom
exten => _6.,1,Macro(dialout-trunk,1,${EXTEN},,)
exten => _6.,n,Macro(outisbusy,)
; end of [outrt-001-1 6_SipX]
[outrt-002-5_SipX2]
include => outrt-002-5_SipX2-custom
exten => _5.,1,Macro(dialout-trunk,3,${EXTEN},,)
exten => _5.,n,Macro(outisbusy,)
; end of [outrt-002-5_SipX2]
[from-internal-additional]
include => from-internal-additional-custom
include => app-cf-busy-off
include => app-cf-busy-off-any
include => app-cf-busy-on
include => app-cf-off
include => app-cf-off-any
include => app-cf-on
include => app-cf-unavailable-off
include => app-cf-unavailable-on
include => app-userlogonoff
include => app-zapbarge
include => ext-test
include => ext-local
include => outbound-allroutes
exten => h,1,Hangup
; end of [from-internal-additional]
;********************** end of extensions_additional.conf ***************************
(p.s. make sure there is an entry in the extensions.conf called #include extensions_addtional.conf)
I have left some of this file out, so you may want to edit the existing one, and just add the bits above. (You can connect to the asterisk box with SSH to edit files, or log on locally)
Also note that trunk 2 in the above configuration is my capi in card. you might want to remove this from here if you don't want to capi it.
Here is my /etc/asterisk/sip_additional.conf
;********************** start of sip_additional.conf ***************************
[200]
username=200
type=friend
secret=12345678
record_out=Always
record_in=Always
qualify=no
port=5060
nat=never
mailbox=200@device
host=dynamic
dtmfmode=rfc2833
context=from-internal
canreinvite=no
callerid=Alan <200>
allow=0
[SIPX]
username=66666666
type=friend
secret=voipjot
host=192.168.254.5
[SIPX2]
username=5555
type=friend
secret=voipjot
host=192.168.254.5
;********************** end of sip_additional.conf ***************************
(p.s. make sure there is an entry in the sip.conf called #include sip_additional.conf)
Please note that the first entry, [200] is a test phone that I configured, for the user Alan
The [SIPX] and [SIPX2] are the two connections to the SIPX server. the secret is the password for root on the SIPX machine, although AFAIK, you don't need it
Here is the file /etc/asterisk/localprefixes.conf
;********************** start of localprefixes.conf ***************************
[trunk-2]
rule1=0.
[trunk-1]
rule1=6666+6XXXXXXX
[trunk-3]
rule1=5555+5XXXXXXX
;********************** end of localprefixes.conf ***************************
************************************** END OF ASTERISK CONFIGURATION ********************************
I recommend using the trixbox/freepbx web interface unless you're a dab hand with vi.
**************************************** START OF SIPX CONFIGURATION ***********************************
Finally, we need the SIPX configuration
As you probably read at the beginning, I used the VMWare image. If you use the same onem I recommend changing the ip address, server name and dns server manually.
Once you have the necessary information, connect to the sipx server's web server via web browser (in my case http://192.168.254.5)
Click on configuration, accept the goofy SSL, and enter the username and password (in the VMWare image case, superadmin, no password)
Click on gateways, and then Add Gateway. Give a name for the gateway (i.e. ToMXS) and enter the IP address and the MAC address from the Exchange Server, and select unmanaged gateway
Now we need the two dial plans
First, for Voice Mail...
Click on Dial Plans
Click on Add Dial Rule
Click on Enabled
Give it a name
In Dialed Numbers, add 6 with "any number of digits"
In Resulting call, enter 666666 with nodigits
Add the gateway defined above for the route
Second, for Outlook Voice Access
Click on Dial Plans
Click on Add Dial Rule
Clickon Enabled
Give it a name
In Dialed Numbers add 5 with "any number of digits"
In Resulting Call, enter 5 with nodigits
Add the gateway defined above for the route
Move these dial plans to the top of the list (Select the dial plan and click slowly but surely on Move UP)
Make sure they are enabled, and then click on Dial Plan Activation, "Activate"
That's all there is.
**************************************** END OF SIPX CONFIGURATION ***********************************
If you want to dial back to the Asterisk, add an additional Gateway and a Dial Plan on the SIPX box to point to the Asterisk Box, and just configure the Exchange box to use the correct prefix.
What to do if it doesn't work?
USE A NETWORK SCANNER!!!!
Log into the asterisk server and use the command "asterisk -r -dddddddddd -vvvvvvvvvv"
Check the asterisk logs in the /var/log/asterisk directory
Set the Exchange UM logging to 7 via the registry
Write to me @ alginald at gmx dot de, or post a comment :-)
UPDATE AGAIN: There are MUCH better instructions for this at http://blog.lithiumblue.com/2007/04/accessing-exchange-2007-unified_29.html I recommend you take a look at Ryan's step-by-step. My guide is nearly 6 months old now, and there are some things that Ryan has done that make it a lot easier to set up than mine. Well done Ryan :-)
*UPDATE:- I will not be adding to the following information any more. I have almost finished a new installation, linking Asterisk with Exchange, which copes with all the Exchange Unified Messaging features such as fax, OVA and answering machine. This will appear on this page in the very near future.
Please note that the instructions do not cover the installation of the sipx and asterisk servers, only the configuration of them. I originally used the VMWare community images of trixbox (asterisk with loads of add-ons) and SIPX. Since then, I have installed a stand alone trixbox (iso image from www.trixbox.org). I'm still having problems with CAPI (Fritz! PCI installed in my Asterisk server, cos it was cheap - €30 for two lines is a nice price for testing), so I'll probably end up installing it again using SUSE 9.3 (cos there's a better CAPI driver for SUSE from avm). However, this does not affect how it works. I can dial in via a normal telephone, or I can use a SIP phone connected to either the Asterisk or the SIPX machine and access Exchange UM.
If anybody would like even more detailed instructions (i.e. screenshots, config files, etc.) please let me know. Either add a comment here, or write to me at alginald at gmx dot de. No spam please, I'm vegetarian.
What this document covers:-
1) When somebody connected to the asterisk dials 666666, the call should be forwarded to the Exchange 2007 Auto attendant, whereby the caller can choose to contact somebody directly, or leave a message for them (voice mail)
2) When somebody connected to the asterisk dials 55, the call should be forwarded to the Exchange 2007 Subscription number, whereby the caller can enter their mailbox number, and their pin number for access to their mailbox via Outlook Voice Access
What is not working:-
1) The caller ID is currently not passed correctly from sipx to Exchange, so all Voice messages originate from "anonymous" at the moment
2) Dialling from Exchange 2007 out. This is quite easy to configure, and I have had it working, I have even included some of the instructions, but have not fully tested it
Initial installation
Install Exchange 2007 with the Unified Messaging role
Install Asterisk (I installed , from www.trixbox.org and the trixbox VMWare image, both worked fine)
Install SIPX. (I used the VMWare image from the VMWare community download pages)
The rest of this document assumes that you have downloaded and are using the VMWare images of trixbox and sipx.
The following computers are used...
asterisk1.local. (TRIXBOX)
IP address 192.168.254.127/24
DNS 192.168.254.152
testorg.int (SIPX)
IP address 192.168.254.10
DNS 192.168.254.152
e2k7srv2.testorg.int (Exchange / AD / DNS)
IP address 192.168.254.152
DNS 192.168.254.152
(I know that the sipx box has got the same name as my domain, that was not done on purpose, a different name can be used if you want)
********************************* START OF EXCHANGE 2007 CONFIGURATION ******************************
What to configure on the Exchange 2007 server
1) Create a new UM Dial Plan....
new-UMDialPlan -Name:'DialPlan6' -NumberOfDigitsInExtension:'6'
2) Add the subscription number 5 to the UM Dial Plan
In the Exchange Management Console, click on Organization Configuration / Unified Messaging / DialPlan6
On the second tab, Subscription Access, add the subscription number "5"
3) Create a new UM IP Gateway...
new-UMIPGateway -Name:'SIPX' -Address:'192.168.254.5' -UMDialPlan:'DialPlan6'
(If you do not want to dial out using Exchange, open the properties page for the IP gateway, and deselect the "Allow outgoing calls".)
4) Create two new hunt groups for the UM IP Gateway.....
new-UMHuntGroup -Name:'Hunt5' -UMIPGateway:SIPX -UMDialPlan:'DialPlan6' -PilotIdentifier:'5'
new-UMHuntGroup -Name:'Hunt6' -UMIPGateway:SIPX -UMDialPlan:'DialPlan6' -PilotIdentifier:'6'
5) Create a new Auto Attendant.....
new-UMAutoAttendant -Name:'AA6' -UMDialPlan:'DialPlan6' -PilotIdentifierList:'666666' -Status:'Enabled' -SpeechEnabled:$true
6) Once the Auto Attendant has been created, edit the properties, and on the features tab, select
Allow caller to transfer to users
Allow callers to send voice mail
Callers can contact anybody in the Global Address List
Allow transfer to operator during business hours
Allow transfer to operator after business hours
(You don't have to configure all of these if you don't want to, but you should have at least the "allow callers to send voice mail" and the "anybody in the GAL" set.)
7) Add the Dial Plan (DialPlan6) to the Exchange server
In the Exchange Management Console navigate to Server Configuration / Unified Messaging. Click on the e2k7srv2 server in the main pane with the right mouse button and click on properties. On the UM Settings page, add the dial plan to the list.
(There's probably a management shell command for this, but I used the GOOEY ;-))
8) Create a new UM Mailbox Policy...
new-UMMailboxPolicy -Name:'UMMailPolicy6' -UMDialPlan:'DialPlan6'
9) Enable Unified messaging for one or more test users. I gave Mickey Mouse the extension 777777 and Donald Duck the extension 777778.
********************************* END OF EXCHANGE 2007 CONFIGURATION ******************************
************************************ START OF ASTERISK CONFIGURATION ********************************
Now to configure the asterisk....
There are two ways of configuring the asterisk: you can edit the files via putty or the local console, or you can use the trixbox interface.
************************ start of asterisk configuration using trixbox ************
If you want to configure Asterisk using the Web Interface from trixbox, do the following
1) Connect to the server with a web browser (in my case http://192.168.254.127)
2) Click on System Administration and logon with user maint and password password (or whatever)
3) Click on FreePBX (you could also go directly to the page http://192.168.254.127/admin instead)
4) In the new browser window (FreePBX), click on setup
5) Click on TRUNKS
6) Click on Add Sip Trunk
7) Set the following
name:SIPX
Outbound Caller ID:6
Dial Rules:6666+6XXXXXXX
Outbound Dial Prefix:66
Peer Details:
host=192.168.254.5
secret=voipjot
type=peer
username=66666666
8) That's the first trunk. Now do the same again for the second one...
name:SIPX2
Outbound Caller ID:5
Dial Rules:5555+5XXXXXXX
Outbound Dial Prefix:55
Peer Details:
host=192.168.254.5
secret=voipjot
type=peer
username=5555
9) Click on outbound routes
10) Click on Add Route
11) Create a route with the following settings
name:1 6_SipX
Dialpatterns:6.
Trunk Sequence:SIP/SIPX
12) Create a second route with the following settings
name:5_SipX
Dialpatterns:5.
Trunk Sequence:SIP/SIPX2
13) If you want to add a softphone extension for testing do the following
14) Click on extensions
15) Click on SIP and set the following
Display Name:Yourname
Extension Number:200
Direct DID:200
secret:12345678
************ End of Asterisk configuration using trixbox ******************
If you don't want to use the trixbox front end, edit the files in the /etc/asterisk directory directly, as follows...
What we need to configure is two Dial Plans and two trunks.
Here is my /etc/asterisk/extensions_additional.conf, which is used for the dial plans
;********************** Start of extensions_additional.conf ***************************
[globals]
DIRECTORY_OPTS =
OUTCID_1 = 6
OUTMAXCHANS_1 = 100
VM_PREFIX = *
TONEZONE = de
ALLOW_SIP_ANON = yes
FAX_RX_FROM = freepbx@gmail.com
VM_DDTYPE =
VM_GAIN =
DIALOUTIDS = 1/2/3/
OUTCID_2 =
OUTMAXCHANS_2 =
OUTPREFIX_2 =
OUT_2 = AMP:CAPI/ISDN1/$OUTNUM$
OUTPREFIX_1 = 66
OUT_1 = SIP/SIPX
OUTCID_3 = 5
OUTMAXCHANS_3 = 1
OUTPREFIX_3 = 55
OUT_3 = SIP/SIPX2
;end of [globals]
[app-cf-busy-off]
include => app-cf-busy-off-custom
[ext-did-direct]
include => ext-did-direct-custom
exten => 200,1,Set(FROM_DID=200)
exten => 200,n,Goto(from-did-direct,200,1)
; end of [ext-did-direct]
[ext-local]
include => ext-local-custom
exten => 200,1,Macro(exten-vm,novm,200)
exten => 200,hint,SIP/200
; end of [ext-local]
[outbound-allroutes]
include => outbound-allroutes-custom
include => outrt-001-1 6_SipX
include => outrt-002-5_SipX2
exten => foo,1,Noop(bar)
; end of [outbound-allroutes]
[outrt-001-1 6_SipX]
include => outrt-001-1 6_SipX-custom
exten => _6.,1,Macro(dialout-trunk,1,${EXTEN},,)
exten => _6.,n,Macro(outisbusy,)
; end of [outrt-001-1 6_SipX]
[outrt-002-5_SipX2]
include => outrt-002-5_SipX2-custom
exten => _5.,1,Macro(dialout-trunk,3,${EXTEN},,)
exten => _5.,n,Macro(outisbusy,)
; end of [outrt-002-5_SipX2]
[from-internal-additional]
include => from-internal-additional-custom
include => app-cf-busy-off
include => app-cf-busy-off-any
include => app-cf-busy-on
include => app-cf-off
include => app-cf-off-any
include => app-cf-on
include => app-cf-unavailable-off
include => app-cf-unavailable-on
include => app-userlogonoff
include => app-zapbarge
include => ext-test
include => ext-local
include => outbound-allroutes
exten => h,1,Hangup
; end of [from-internal-additional]
;********************** end of extensions_additional.conf ***************************
(p.s. make sure there is an entry in the extensions.conf called #include extensions_additional.conf)
I have left some of this file out, so you may want to edit the existing one, and just add the bits above. (You can connect to the asterisk box with SSH to edit files, or log on locally.)
Also note that trunk 2 in the above configuration is my capi in card. You might want to remove this from here if you don't want to capi it.
Here is my /etc/asterisk/sip_additional.conf
;********************** start of sip_additional.conf ***************************
[200]
username=200
type=friend
secret=12345678
record_out=Always
record_in=Always
qualify=no
port=5060
nat=never
mailbox=200@device
host=dynamic
dtmfmode=rfc2833
context=from-internal
canreinvite=no
callerid=Alan <200>
allow=0
[SIPX]
username=66666666
type=friend
secret=voipjot
host=192.168.254.5
[SIPX2]
username=5555
type=friend
secret=voipjot
host=192.168.254.5
;********************** end of sip_additional.conf ***************************
(p.s. make sure there is an entry in the sip.conf called #include sip_additional.conf)
Please note that the first entry, [200], is a test phone that I configured for the user Alan.
The [SIPX] and [SIPX2] are the two connections to the SIPX server. The secret is the password for root on the SIPX machine, although AFAIK, you don't need it.
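An added example, not part of the original post: a small Python audit of the two files above that flags short or reused secrets, peers with no deny/permit ACL, fixed-host trunks declared type=friend (the trixbox steps above use type=peer), and ALLOW_SIP_ANON = yes. The sample text is constructed from the sections shown in this post; the 12-character minimum and the finding names are assumptions of this example.

```python
"""Audit FreePBX-generated chan_sip peers and dialplan globals for weak settings."""
from collections import defaultdict

MIN_SECRET_LEN = 12  # assumed policy threshold, not an Asterisk default

# Constructed sample: the three sections from this post, trimmed to the audited keys.
SIP_CONF = """\
[200]
username=200
type=friend
secret=12345678
host=dynamic
context=from-internal
[SIPX]
username=66666666
type=friend
secret=voipjot
host=192.168.254.5
[SIPX2]
username=5555
type=friend
secret=voipjot
host=192.168.254.5
"""

# Constructed sample: selected [globals] lines from extensions_additional.conf.
GLOBALS = """\
ALLOW_SIP_ANON = yes
OUT_1 = SIP/SIPX
OUT_3 = SIP/SIPX2
"""


def parse_sections(text):
    """Return {section: {key: [values]}}; ';' starts a comment, keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Asterisk accepts both "key=value" and "key => value".
            value = value.lstrip(">").strip()
            sections[current].setdefault(key.strip().lower(), []).append(value)
    return sections


def weak_secret(secret, section, username):
    """Short, single-class, or identical to the account name."""
    if len(secret) < MIN_SECRET_LEN:
        return True
    if secret.isdigit() or secret.isalpha():
        return True
    return secret in (section, username)


def audit_sip(text):
    """Return a list of (section, finding) tuples for a sip_additional.conf body."""
    findings = []
    by_secret = defaultdict(list)
    for name, opts in parse_sections(text).items():
        secret = opts.get("secret", [""])[-1]
        username = opts.get("username", [""])[-1]
        host = opts.get("host", [""])[-1]
        peer_type = opts.get("type", [""])[-1].lower()
        if not secret:
            findings.append((name, "no-secret"))
        else:
            by_secret[secret].append(name)
            if weak_secret(secret, name, username):
                findings.append((name, "weak-secret"))
        # Without deny/permit, any source address may try to authenticate.
        if "deny" not in opts or "permit" not in opts:
            findings.append((name, "no-ip-acl"))
        # A trunk to a fixed host only needs to be matched by address (type=peer).
        if peer_type == "friend" and host and host != "dynamic":
            findings.append((name, "friend-on-static-trunk"))
    for names in by_secret.values():
        if len(names) > 1:
            findings.append(("+".join(sorted(names)), "shared-secret"))
    return findings


def audit_globals(text):
    """Flag FreePBX globals that accept unauthenticated inbound SIP calls."""
    findings = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "ALLOW_SIP_ANON" and value.lower() == "yes":
            findings.append(("globals", "anonymous-sip-allowed"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sip(SIP_CONF) + audit_globals(GLOBALS):
        print(f"{section}: {finding}")
```

A trunk section that uses type=peer, a long mixed-character secret, and deny=0.0.0.0/0.0.0.0 with a permit line for 192.168.254.5 produces no findings.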
Here is the file /etc/asterisk/localprefixes.conf
;********************** start of localprefixes.conf ***************************
[trunk-2]
rule1=0.
[trunk-1]
rule1=6666+6XXXXXXX
[trunk-3]
rule1=5555+5XXXXXXX
;********************** end of localprefixes.conf ***************************
************************************** END OF ASTERISK CONFIGURATION ********************************
I recommend using the trixbox/freepbx web interface unless you're a dab hand with vi.
**************************************** START OF SIPX CONFIGURATION ***********************************
Finally, we need the SIPX configuration
As you probably read at the beginning, I used the VMWare image. If you use the same one, I recommend changing the ip address, server name and dns server manually.
Once you have the necessary information, connect to the sipx server's web server via web browser (in my case http://192.168.254.5)
Click on configuration, accept the goofy SSL, and enter the username and password (in the VMWare image case, superadmin, no password)
Click on gateways, and then Add Gateway. Give a name for the gateway (i.e. ToMXS) and enter the IP address and the MAC address from the Exchange Server, and select unmanaged gateway
Now we need the two dial plans
First, for Voice Mail...
Click on Dial Plans
Click on Add Dial Rule
Click on Enabled
Give it a name
In Dialed Numbers, add 6 with "any number of digits"
In Resulting call, enter 666666 with nodigits
Add the gateway defined above for the route
Second, for Outlook Voice Access
Click on Dial Plans
Click on Add Dial Rule
Click on Enabled
Give it a name
In Dialed Numbers add 5 with "any number of digits"
In Resulting Call, enter 5 with nodigits
Add the gateway defined above for the route
Move these dial plans to the top of the list (Select the dial plan and click slowly but surely on Move UP)
Make sure they are enabled, and then click on Dial Plan Activation, "Activate"
That's all there is.
**************************************** END OF SIPX CONFIGURATION ***********************************
If you want to dial back to the Asterisk, add an additional Gateway and a Dial Plan on the SIPX box to point to the Asterisk Box, and just configure the Exchange box to use the correct prefix.
What to do if it doesn't work?
USE A NETWORK SCANNER!!!!
Log into the asterisk server and use the command "asterisk -r -dddddddddd -vvvvvvvvvv"
Check the asterisk logs in the /var/log/asterisk directory
Set the Exchange UM logging to 7 via the registry
Write to me @ alginald at gmx dot de, or post a comment :-)
Sunday, November 26, 2006
Asterisk and Exchange 2007 working!
After spending a bit of time playing around with the Unified Messaging features in Exchange 2007, and getting bored using the test phone, I tried to find a way of connecting it to my telephone system at home (ISDN). After a few sleepless nights, I now have it working fine. Basically, I use a trixbox (ASTERISK) with a Fritz! PCI card, which answers the call. ASTERISK uses SIP/UDP, so I can't just send the call directly to Exchange 2007, so I send it to a SiPX router, which then sends it on to the Exchange 2007 server. I can dial in, and leave a message, or I can dial in, and access my mailbox using speech or touch tone, it's working fine. If anybody's interested, drop me a line, and I'll tell you how to do it, or I might just publish it here....
Monday, November 13, 2006
Goodbye, god bless, and thank you.
I have left my job in Sunny South Germany after 12 years of working for a top Windows consultancy company. It was a hard decision to make, but fresh horizons lie ahead. I will be staying in South Germany, but working elsewhere starting 1.1.2007.
Thursday, August 17, 2006
China Visit
Just returned from a few weeks' work in Qingdao, China. Quite a strange experience, walking the streets, rarely seeing another European, with nobody understanding English or German and having to communicate solely with hands and paper.
I'd like to thank Mr Yu and Mr Lu for their hospitality, two really friendly and happy colleagues...
Now, as you probably know, I don't eat meat or fish. So here's a picture of a butcher's shop I saw in China, it might make you go down the same path......
Little Al
Is 5 months old today. There's a few more pictures over at the flickr page. He's just starting to walk with the help of two fingers... Still smiling, got 2 teeth, with others coming through, and he's just happy happy happy.
Thursday, May 18, 2006
Sleepless Nights - I don't think so....
Little Al is doing well.... I've published quite a few more photos to flickr if you're interested. I'm sleeping well, and Little Al's getting better at it. Sometimes it's only once per night :-) We're busy doing a lot to the garden at the moment. I've got rid of most of the ivy, and we bought a load of top soil. Last night the potatoes, lettuces, tomatoes and cucumbers were planted by Diddly. Next purchase will be garden furniture. Shame about Arsenal losing the Champions League final last night, but after Lehmann getting sent off after 18 minutes, and then Arsenal only defending the last 1/3rd of the field, whadya expect. At least Ronaldhinio (or how ever you write it) played pretty crappy. Ha Ha.
One last thing. Spent 40 minutes trying to find out why, when users sent an email to a certain distribution group in Exchange 2003, it was getting swallowed by the Message Categorizer. Answer: The users that were trying to send the mail were located in a different domain to the global distribution group. Therefore the membership couldn't be resolved. Solution: Either make the group universal or make the expansion server a server in the same domain as the group.
Sunday, March 19, 2006
And then there were three.....
Who's the daddy? I am. Little Al came into the world at 19:29 on 17 March. Weighing in at 3420g and 54 cm tall. (That's about 7lb 8oz and just over 21 inches). Full name is Alan Robert. More photos can be found at http://www.flickr.com/photos/alginald
Diddly and Little Al are doing extremely well.
Tuesday, February 28, 2006
2 weeks to go (ish)
Well, it's 1 day before the start of March, and it's snowing outside. I wouldn't mind if it was good snow, but it's just annoying now. Non-stop minus temperatures for the last few weeks haven't helped either.
I'm currently trying to get Microsoft Vista to upgrade my XP on my notebook, running it in a Virtual Server downstairs, playing around with Exchange 12 elsewhere, writing a Create User program in VB for a customer, and patiently waiting for ErSie. ErSie, for those that don't know, is a combination of the two words Er and Sie, meaning He and She in German. We don't know if our coming baby (sometime in the next two weeks-ish) will be a boy or a girl.... more news to follow here
Tuesday, November 22, 2005
Exchange 2003 Public Folder Error 80090325 SSL Problem
Just when I thought all error messages regarding E2K3 were documented, I ran into one that I couldn't find a solution to on the web. The problem? Running the Exchange System Manager from a non-Exchange server wouldn't let me access the Public Folders, throwing the above mentioned error (80090325).
Reason for the error: The certificate path isn't trusted. Basically you've stuck a certificate on the servers for OWA reasons, but the certificate path isn't trusted.
Solution: Navigate to the OWA HTTPS page (https://yourserver/exchange). When the message comes about the certificate not being trusted, click on View Certificate, and then click on Install Certificate. Then click on certificate path, click on the top certificate (it will have a RED X on it), and click on Install Certificate and click a few nexts.
Problem solved
Friday, October 14, 2005
Change of telephone number
As you might have read in the last post, I am moving house soon. My telephone number will also change, therefore, as of 31.10.2005 my existing number will not work. Both mobile (handy) numbers will continue to work, so if you want the new house telephone number, either write or phone. New number will start working on 02.11.2005 as the 1st is a holiday in Germany. Everything's going perfect with the house at the moment, tiling in the kitchen should be finished on Sunday, and I hope to have everything finished before the end of next week (cos I wanna move in ;-))
Still can't get an ISA Server 2004 to use IPSec site-to-site to connect to a PIX 501. Even the whitepaper from MS didn't help, even though I followed the steps exactly. Ah well, gonna try with a smoothnet linux firewall at the weekend.
England in the world cup!
Typical, just cos we didn't need to win the game against Poland, and some of our top players were missing, England played fantastic. Compare it to the game at the weekend, and it looked like two completely different teams. Lampard is looking good for the future, Rooney seemed to be a bit calmer, and I'm pretty sure we've got one of the best goalkeepers in the world at the moment. Being a spurs fan, I would say that last bit anyway :-)... Now just got to try and get some tickets to some games over here. Stuttgart's just around the corner for me, so let's hope England get to play there.
Monday, October 10, 2005
Housework
So, got the new house. Fortunately there's not too much work to be done. I've finished painting the walls, just gotta strip down the doors and door frames. Found some lovely wooden floors underneath the lino in some rooms, so I got rid of the lino, hired a whopping huge floor sander, and have been trying to get the wood looking good. It's taken quite a few hours so far, but I hope to be finished this week. Then there's only the kitchen to go. Big thanks to everybody who's helped me so far, it has saved a lot of my time.
Been given a petrol lawn mower, garden hoover and a load of other machines for the garden for nothing, that means we'll be able to make a good start on the garden next year when spring arrives (about the same time as ErSie)
Off to Detroit in November for 10 days, W2K, E5.5 migration to W3K and E2K3. Hopefully the house will be finished by then, and I'll have moved.
Monday, September 26, 2005
How the world can change....
Well it's been a few months since my last post. Things have been pretty hectic. Bought a house, getting married, and a little Elvis should be landing on my doorstep next year :-)
Just got back from Brazil as well, a really good week doing a network update. More to follow.....
Tuesday, March 08, 2005
Snow fun anymore
Well, it just won't stop snowing here, I'm sure we're all going to move into igloos soon :-)
Tuesday, November 02, 2004
New NAS device
Went to the hobby messe (exhibition) in Stuttgart on Monday. Didn't really want to go, but as I got there at 9 am, it was really empty, and I managed to see nearly everything in about 90 minutes, a new record. Unfortunately, there weren't as many stalls as usual, but enough. I bought a NAS device for at home. It's a little box with embedded Linux that you can put a hard drive into, and then access via FTP or SMB (MS shares). 109 euro for the box, and then I added an old 160 GB hard drive. Now I can access my data from around the world, without leaving a computer on at home, or having to open up my firewall to an internal computer. COOL. I bought it from ARLT; the home page for the device is www.flipo.de
Friday, October 29, 2004
Outlook 2003 Nicknames
Now I don't often rant about MS :-) but something like this really annoys me. I have spent the last 2 hours trying to find out how to remove the "Nicknames" feature from Outlook 2003. Nothing found anywhere. Then I found the Ol2kNick tool from MS, that doesn't work with 2002 or 2003. Then I found an updated article for a new tool for Outlook 2002, that has not been officially released, so I downloaded that (KB 318827). Fortunately, it also works with Outlook 2003, despite setting the wrong registry key. So why the rant, you ask? Well, why didn't Microsoft just tell us that you can create a key called NoNicknames and set it to 1 !!! And the key MaxNicknames which can be set to the maximum number of nicknames that you want stored in the .NK2 file if you want (default is 1000).
Somebody wrote about the MaxNicknames saying that it will not work with a value above 1000. I haven't tested this; I wanted to change it to 0 so that no nicknames could be saved, sorry.
Where?
HKeyCurrentUser/Software/Microsoft/Office/11.0/Outlook/AutoNameCheck
Change 11.0 to 10.0 for Outlook 2002 (XP). You may have to create the AutoNameCheck registry hive yourself, and the key most definitely. They are both REG_DWORDs.
Friday, October 15, 2004
Marriage (not mine), Linux and other things
First things first, congratulations to two of my best friends, Elaine and Lee, on their marriage - 25th Sept 2004.
Second things second, Linux. Playing around with the Fedora Core 2, which is pretty amazing. Never really paid much attention to Linux before, and now I'm behaving like I did when I got my first ZX Spectrum :-) Late nights, sore back and hours of staring at the screen. It's a cracking system. I LIKE the way it takes ages to get some things working. I feel like I have achieved something when it works. So, I've got the CD Burner working with it, just need to get the NEXUS-S DVB-S card working with Freevo, and I'm there, Jim. I've probably said it before, but check out http://sourceforge.net; they really do have the best amount of freeware, and you can even participate in some of the projects if you want.
Other things other, well done England! 1-0 and 2-0 in the last week. The game on Wednesday was pretty terrible from what I heard. (In Germany, they didn't broadcast it live, so we had to listen to BBC Radio 5 Live via digital sat) but it's the points that count. Roll on March for the next round. Nice goal Beckham!
Thursday, August 26, 2004
Even Microsoft isn't that impressed with .pst files..
http://support.microsoft.com/?kbid=297019
Not supported over WAN or LAN connections. Ha Ha.
Friday, August 20, 2004
England vs Ukraine
What a game, well played Becks and Owen, and what a goal by Wright-Phillips. In fact, in the second half, it was the first time I've seen England attacking their opponents to get the ball instead of doing their normal "keep 5 yards away until they pass it" tactics in donkey's years. Keep it up!
Programming
Had the *pleasure* to do a bit more programming recently. I am certainly NOT the world's best programmer, but I do like programming Admin tools. My latest program sends a list of selected registry key values to any number of other Windows machines. It can also copy and delete files on a list of other machines. Works a dream. Try and find another tool on the market (freeware) that can do the same....
Work
Trying to install a 3-way Exchange 2003 cluster in a test environment. Got it working once, but when trying to do it again, it keeps getting stuck on the System Attendant resource. It tells me "User Name was not found". Well, as it uses local system, I don't get it. I still think the problem is with DNS, but who am I.
Holiday
Had a lovely 10 days in Cornwall, it even included a few days of sunshine ;-). Stayed at the beautiful St. George's Hotel in Perranporth, which I can strongly recommend, small, quiet and relaxing. Fortunately this was a good month before the recent flash floods that have been happening in the area - poor old Boscombe
Wednesday, June 30, 2004
Exchange Virtual Memory
There still seem to be a lot of problems out there with Exchange and Virtual Memory. Beware of rogue information though.
A few helpful tips seem to be....
1) Use the /3GB flag when using Windows 2000 Advanced Server or any flavour of Windows 2003
2) Don't put too much memory into the machine if you don't need it.
3) If using Windows 2000 with SP4 and Exchange 5.5 DO NOT RUN THE PERFORMANCE OPTIMIZER (well do it, but not when the Exchange Server is running)
4) Make sure you put all the latest hotfixes on the boxes, and try to keep all servers at the same level; it's much harder to troubleshoot if there are different versions.
Extract Exchange 200x information from the GAL
Well OK, I know that it's not really the GAL that we're gonna extract from, it's Active Directory, but I found a good article about it and thought I would post it here...
http://www.outlookexchange.com/articles/Pavelnagaev/nagaev_c1p1.asp
Friday, June 04, 2004
Don't back up Exchange 2003 Information Stores and the System State in the same backup job!
Of course we wouldn't do this anyway, or? Quite a lot of my customers are using the in-built ntbackup utility because it's cheap, can do backup-to-file, and has an Exchange Agent free. What I didn't know is that you cannot back up the system state at the same time as the Exchange Information Store due to a feature of VSS. More information can be found at http://support.microsoft.com/default.aspx?scid=kb;EN-US;820852
Exchange moving again and again
Been playing around with LOTS of Exchange Servers recently. Was at a customer for the last 3 days, and was confronted by another *gremlin*. I moved lots of Exchange mailboxes from the old server to the new one a few months ago. Yesterday I switched the old box off and deleted it from the Exchange world. From that moment on, there were problems with people accessing other people's calendars. It seems that although Outlook updates the profile automatically when a mailbox is moved to reflect the new server, it does not update any saved calendar queries. Only way round is to delete them, or reopen them once using the "Open other user's folder", and not the quick link.
PFDAVAdmin again
I know I've already mentioned this program, but I was playing around with it again the other day, and found one of the best features. As long as the person running the program has enough rights, permissions for every single mailbox can be set from a central location. It used to be almost impossible to quickly see which permissions people had set for access to their calendar (or any other folder really) but with this tool, you can see each separate mailbox folder's permissions. Nice one MS.
New Printer
Finally plunged out for a new printer. Epson C64 (and I thought it was Commodore that made the C64 :-)) I am rather impressed. It only cost €60, which is about 40 quid, and prints REALLY good photos. Also got 100 ready-to-print high glossy photo paper sheets for €9 - 6 quid. Goodbye Lexmark Laser, you caused me a lot of problems, and ate more paper than you printed on... now which window is open...
Exchange 200x Troubleshooter
I've been promising myself and a few people that I would eventually get around to an easy to follow guide, a bit like a flowchart, for Exchange Disaster Recovery and Database Recovery. Well it's started. Not finished, and won't be for a while yet, but from little acorns........
Wednesday, April 14, 2004
Beamer woes
Decided to kill my beamer last week. Dropping it from 1.5 meters tends to have that effect. Thankfully, after breaking off bits of the fan that wouldn't rotate, and then unplugging and plugging in the bulb about 30 times, it sprang into life again. Nice one Sony. You may not support it anymore, but it's a magic beamer (projector).
Exchange Disaster Recovery
Well, since I've given the training courses, I've been involved in at least 3 database rescues. All without any data loss. Exchange 2000 is OK for data recovery, but the new features offered by Exchange 2003, including Recovery Storage Groups and Snapshot backups, are unbelievable. This feature, and OWA/OMA 2003, make it worth upgrading. The client license pricing unfortunately does not win my seal of approval.
New Handy
Just got myself a new handy (mobile phone), the Sony Ericsson T610, which has got camera, bluetooth, Outlook, etc integration. Not bad for €19 and a contract extension. I really didn't know which handy to take, but this one has got bluetooth, and a big easy to use display.
CD Will be Sent
For those people on my last training course that are wondering where the CD is, it's almost ready. The CD should be landing in your inbox (snail mail, not email) within the next 7 days. Sorry for all the time it's taken, but I've been very busy.
Thursday, April 01, 2004
Oh, To Be In England
Just been back to my island for the last few days. Had a good time wandering around the junk shops, collecting books for the next few months. It was mum's birthday on Sunday, which was good fun. Finally got around to delivering the Astro Wars box to Alex in England as well, so I've got a bit more room. Ebay... here I come....
MS Exchange 2000 training course
Spent this week giving the MOC for Exchange 2000. Really good fun, and the people on the course were very interested in the product. Tried to bring across all the new features of Exchange 2003, and we ended the course with an inplace upgrade to Exchange 2003. Don't forget Service Pack 3 on the Global Catalog servers as well as on the E2K machine :-)
Monday, March 15, 2004
Fraser
My mate Fraser has got a new CD out. It's called "Rain before seven". Given it a few plays, and it gets my thumbs up. There's not too much on his webpage but I guess with all the troubles he's had recently, it's no wonder. Some information about it can be found on the newsletter part of his homepage.
FC Normannia
Not being content with a 4-point lead in the Oberliga, FC Normannia beat the 2nd place team on Saturday by 3-2. Magical game with all 3 Normannia goals in the first half. Getting towards the end, and Normannia started looking a bit sticky. This is the second game after the winter break. Last weekend they drew 1-1 away.
Tuesday, March 09, 2004
Exchange 2000 Disaster Recovery
Just as I thought I was getting an early hometime (16:30) along pops another Exchange 2000 problem. This time, the SAN bit the dust, and took the Exchange Server with it. After replacing the failed disks in the SAN, the customer did almost everything right.... Reinstalled Exchange 2000 with the /disasterrecovery option, and then applied the service packs. Then came the biggy - restoring the databases. Each time this was attempted, there was an error at the end of the restore, and no databases were mounted. The error code was very strange 9939xxxxxxxx. What was the problem? Well quite simply, there were no actual logs to play forward, only those from the backup. Now if it was me that had written Exchange, I would've included a little check to see if there are any logs and ask the user what he wants to do - hard recovery or get the logs from somewhere else. If you ever get the same problem, do the following. Restore all databases for a Storage Group at the same time, but do not set the "Last Backup Set" flag when restoring, even on the last backup set. Once the restore is finished, navigate to the temp directory that you defined during the restore operation from a command prompt. Check for the existence of the restore.env file, and then issue the command %pathtoexchangebin%\ESEUTIL /CC /T and press enter. This will do a hard recovery, only using the logs from the current directory, and will not start looking for other logs in the mdbdata directory. Took a few hours to sort out the problem, mainly because I was using the wrong syntax, and thought that you had to specify the .edb file that you want to roll the logs forward on.
Just goes to show that the worst time to test your disaster recovery is when the disaster happens. One other thing, why is there so little documentation available about Disaster Recovery? Try a Google search sometime, and see what a very poor world it is. Maybe I'll get round to doing a document one day, only time will tell.
Monday, March 08, 2004
WLAN
Bought a new Wireless Router on Friday. I know it's *only* 11MB, but as the internet is only 768Kb, it's enough for surfing. I bought the ACER offer from Mediamarkt. You get the 4-port Wireless Router and a PCMCIA Wireless Card and a USB Wireless Dongle for €79 which is about 50 UK Pounds. Plugged it in, typed in the WEP key that I want to use, configured the client, everything working within 5 minutes. Not using it to connect directly to the internet though, for that I use IPCOP (a free Linux firewall with some impressive features, the main one being that it is running on a P75/32Mb/120MB HD). Before getting this router, I was having problems connecting from one end of the apartment to the other end (where my other WLAN is). Now I can connect from anywhere, including the notebook in the bedroom (is that Geeky or what?)
Server Problem
Also had a problem with a Lotus Notes server running on Windows 2000. For some reason, small files could be copied without any problems, but as soon as it got over about 800 Mb, it was coming up with an error message just before the end of copying telling me that there weren't enough system resources. Did all the usual stuff.... stopped 3 billion services running on the machine, still no difference, even after a reboot. Solution? Time and time again, the solution is always the same. I reinstalled Service Pack 4 for Windows 2000. All problems gone. Lucky for the Admin really, he wanted to get HP to swap all Hard Disks as the problem was to do with writing to disk. Phew.
Outlook Express Problem
An easy request, I thought.... Export Outlook 2000 contacts into Outlook Express. There's even a TechNet article about it. Unfortunately, it doesn't work by default on a German machine. The problem is that Outlook exports in "comma-separated" and Outlook Express thinks that it can import in "comma-separated". Unfortunately, Outlook Express relies on the separation character defined in the regional settings in the control panel. This is by default a semi-colon in German, and not a comma. Changing this value in the Control Panel allowed me to export and import without any headaches.
Weekend Sport
And what a weekend it was. Semi-final of the FA Cup. Fortunately, DSF (a German sports channel) had both games on Saturday, and BBC had the Millwall game on Sunday, so I only missed one game. Unlucky Fulham, and well played Tranmere. Arsenal were in a different class. I noticed that they shortened Portsmouth to POR for the scoreline. Wonder why they didn't use the first four letters of Arsenal for their name on the scoreline :-). Typical Ferrari and Schumacher, they were in a class of their own in Melbourne (yes, I woke up at 4 am to watch it). Roll on Malaysia.
Wednesday, March 03, 2004
Active Directory Disaster Recovery
Well, two weeks later, and I've just finished giving a 2 day Active Directory Disaster Recovery training course. Well attended, and a very interesting two days. Did lots of different scenarios, and lots of hands-on which went down rather well. Also, managed to do everything in VMWare and the difference to Virtual PC is really noticeable. Only one problem this time, the base PCs were not very well installed, and I was getting a lot of crashes if the physical CD was connected to a VMWare machine. Problem solved by a reinstall of all client machines.
PFDavAdmin
I haven't had a chance to have a good play around with it yet, but there is a new Public Folder administration tool for Exchange called PFDavAdmin, which you should be able to download from here. It's meant to be able to reset MAPI and non-MAPI rights on public folders, as well as *simple* things like propagating a single user's permissions non-destructively through a tree. In 5.5 we had to hope that PFAdmin would work, or try and use Klaus Seeling's strange PFRights program.
Sissie
My sister came to visit! It's the second time she's been to Sunny South Germany, and not to let the side down, it snowed like crazy on the Sunday night. She visited with her boyfriend, it was his first time here, but got quite quickly used to the schnapps and the game of chicago (dice game). Had a great time in Stuttgart, watched the Fulham vs. Chelsea match when we got back, the next day was spent walking around a small mountain, and then to an outdoor naturally heated thermal bath. A good time was had by all.
Tuesday, February 24, 2004
Another translation of sorts
A work colleague sent me an email regarding an Office CD that I needed. He translated the original German into English for me using an online translation site (No idea why, as I can read German quite well). Still, if he had sent it in German, I would never have had the pleasure that the translated mail gave me. I haven't laughed as much in years. (I got permission from him to publish it here, have no worries)
A point is furnished to installations with the following path \\computer\share. I can to you gladly offer, if you are in the house the Office2003 CD tomorrow for installation to give.
Wednesday, February 18, 2004
Finished giving a two-day Exchange 200x disaster recovery course. Went well in my opinion. Probably the worst thing was the speed of the machines. Decided to use Virtual PC from Microsoft instead of VMWare, and the virtual machines ran really slowly. I use VMWare on my home machine, but don't have it on my notebook because I only have one license. What pops in my Inbox this morning? A free (yes, free!) license for VMWare Workstation 4 as I'm an MCT. Made my day. Already installed it and running a W3K DC and W3K E3K Server on my notebook as I type. Performance is quite impressive - ADU&C starts in about 10 seconds, ESM in 7, with both machines running. Might change my opinion when I finally get a copy of Virtual Server, but with the network limitation of only 1 network card in Virtual PC, I really need VMWare. Now where is that ISA Server 2004 Beta CD................
It's Fasching time here in Sunny South Germany, there was a great street festival in town at the weekend with lots of bands playing purposely off-tune. After a few beers, it gets easier to understand :-)
Wednesday, February 04, 2004
Well, it's a very sunny day today. Temperature at 17C is rather strange for this time of year, although we should have snow back by the weekend. Giving a Windows 2000 Server and Professional training course this week, and then two Exchange 2003 training courses in the next two weeks, as well as receiving a PKI training course myself next week. Should be fun. Microsoft have also got an online test centre where you can have a stab at trying to get MCP. Check out http://www.msmeasureup.com for more information. Finally managed to buy the dishwasher tablets, and so, for the first time in my life, I operated a dishwasher last night. Result: Crystal clear. Very impressed was I. Ye olde back is also much better. Seven months of acupuncture, training and massage finally seems to have sorted it out. I've bought a training machine for home now off of Kev for 80 euros, which even measures pulse. Just gotta find the strength to carry it down three flights of stairs, into the car, home, and then up the one flight of stairs to mine. Also gotta find room for it. The games room is pretty full at the moment, as I've still got the Zaccaria machines for Astro Wars in there. I'll be taking one back to England for Alex next time I visit there, and I guess I'll just have to return the other one to the cellar. Also seriously thinking about selling some of them now. Still gonna keep the Invaders, Asteroids, Missile Command, PuckMan and Track and Field. Might also keep the quiz machine. One JAMMA machine will also be saved, but the rest will have to be ebayed. I just don't have the time that it takes to concentrate on such a time-devouring hobby.
Thursday, January 29, 2004
Well, I've been doing an ISA Server installation the last few days, which, as always, was fun, and quite easy. A little problem with the Certificates for the Remote VPN Clients, in that both the User Certificate and the Root Certificate had to be installed into the machine certificate pool but apart from that, sweet.
It's snowing, wowowow. Big time. South Germany really is a pretty sight at this time of year, one day I'll get my photos on here somewhere. Current temperature is about 0°c and the snow has been here for a good week now with not much chance of hoofing. Might even get a chance to go skiing or skating. Who knows.
Was MSNing with Danny earlier today, did NetMeeting as well, as we had a problem with audio, and now he's gone off to find a cheap WebCam on the internet somewhere, impressed as he was.
Also translating a document from German into English at the moment, and have been using Babelfish (from Altavista) which is rather hilarious. So much so, here's a cracking example:-
"In the first step we create ourselves an overview, on which all further steps develop and are for a successful introduction from great importance."
Well thank you very much :-p
Last thing... got the ISA Server 2004 beta 2. Will be bunging it on a VM Machine later, looks like they've done quite a good job. Time will tell.
Friday, January 23, 2004
Hi, this is my first blog, which will probably get deleted at some time or another. I just needed somewhere to keep information which could be accessed from *almost* anywhere in the world. In sunny Schwäbisch Gmünd, it's currently -6 degrees outside