Monday, June 27, 2016


Is RBAC in Microsoft Exchange flawed?

If you ask Microsoft, they will tell you that it is not. If you ask me or my friend, we think there is a rather serious flaw in the way that permissions via RBAC work in the Exchange world.


RBAC (Role-Based Access Control) is the method in which permissions are granted to accounts in Microsoft Exchange. By using a combination of Management Roles, Management Role Assignments, Management Role Entries as well as Role Groups and Role Group Members, it is possible to assign fine-grained policies for Microsoft Exchange tasks. For example, you could permit one user account to only be able to mount and dismount mailbox databases beginning with the letter A, or you could let an account be able to change any attributes on distribution groups in a certain Active Directory OU.

So what’s the problem then?

The problem is that when an Exchange PowerShell command runs, it is not actually run under the user account that executes the command. Instead, RBAC checks that the user has the necessary permissions and then runs the command in the security context of the Exchange server itself.

Well, I sort of understand that, but why is that a problem?

Do you know all the accounts that are able to log on locally to any of your Exchange Servers worldwide? Are you sure? Every single backup account, antivirus account, SCCM account, etc.? Are you sure somebody can’t do a Mimikatz, or even reset the local Administrator password on one of the Exchange servers with a Live CD?

Not sure, but why is that important?

Try this (only with your Exchange Admin’s permission, of course): log on locally to an Exchange Server with an account that is a local admin, preferably one that has absolutely no Exchange permissions whatsoever, and run “psexec -sid cmd” (you might need to download PsExec). You now have a cmd box running as the Exchange Server itself. From there you can start Active Directory Users and Computers, PowerShell (the Exchange Management Shell), the Exchange MMC snap-in (the last one only in Exchange 2010) or whatever.

Yeah, so I’m the Exchange Server, whoopee, so what?

Well, if you’re using the split permissions model that Microsoft recommends (but which is not always used), then it’s not too bad: you just have full Exchange Organization Admin permissions across the entire org. You can stop and start databases, create and delete them, set permissions on any mailbox, create, change and delete connectors, just about anything really; you’re basically an Exchange god for the complete Exchange org… so just for fun, run “get-mailbox -resultsize unlimited | remove-mailbox -whatif”. That would (without the -whatif) cut down a lot of your email traffic, deleting every single mailbox throughout the complete Active Directory forest. (Don’t really do this, people may get upset.)

Additionally, if you’re not running the split permissions model that Microsoft recommends, then using this method you are not only the Exchange god described in the previous paragraph, but also quite a powerful Active Directory admin: you can create, delete and modify users, groups and contacts in ANY domain throughout the forest (any domain that has been domain-prepped for Exchange, which is normally all of them) and reset any non-AdminSDHolder password in any domain. The only things you can’t play with, from an Active Directory point of view, are AdminSDHolder-protected accounts (although you can still play with their Exchange attributes).

Well that sounds quite serious, do Microsoft know about this?

Yes, the matter was reported to Microsoft, but their answer was simply “If you can’t trust your Admins, you’ve already lost”. Now that may be OK for them to say, but for some companies it is not always possible to know every administrator in every location, never mind every user who has physical access to an Exchange server with a trusty reset-password boot CD to hand, yet you’re still meant to trust them.

What do we think?

We can understand Microsoft’s point of view that if your server is compromised, you’ve already lost, but the difference between a compromised Exchange Server and other compromised Microsoft server products is rather great. Compromise a SQL Server, whoopee, you’ve got a SQL Server. Compromise a SharePoint server, whoopee, you’ve got a SharePoint Server. But if you're able to log on to one Exchange Server, you’ve got the whole Exchange org under your control and possibly, if you have not split the AD permissions, 99% of the Active Directory forest (yes, forest, not domain).

Is there a solution?

Sort of, although you’re probably not going to like it. Change to the split AD permissions model, remove all possibility of anyone who is not an Exchange Org Admin being allowed to log on to an Exchange server (including SCCM, SCOM, …) and physically secure the servers. Also, make sure that the backup account passwords are only known to the Exchange Org Admins, or find some other way of doing backups. There’s more… if you’re particularly paranoid, lock down the AdminSDHolder accounts in all domains so that the Exchange Server cannot modify their attributes. You may also want to turn on BitLocker and/or use BIOS passwords so that the password reset CD will not work. Now just make sure that nobody has access to Local Users and Groups on any Exchange Server so that they can’t add anybody to the Administrators group, and you’re almost done. Finally, though, keep your fingers crossed; you never know, it might help.
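Two of the conditions above can be checked rather than hoped for. The following PowerShell is an added example, not part of the original post; it assumes the ActiveDirectory module is available, that the account running it can read AD and the local Administrators group on each Exchange server, and that the allow list of expected administrators is a placeholder you adjust to your own Exchange Org Admin group.

```powershell
# Added example, not from the original post. Audits two of the conditions the
# post lists: whether the org still runs the shared permissions model (so a
# process running as an Exchange server can write to Active Directory), and
# who is a local administrator on each Exchange server.
# Assumes: ActiveDirectory module loaded; caller may read AD and the servers'
# local groups through the WinNT ADSI provider.

function Test-ExchangeSharedPermissions {
    # With Active Directory split permissions (setup /PrepareAD
    # /ActiveDirectorySplitPermissions:true) the "Exchange Trusted Subsystem"
    # group is removed from "Exchange Windows Permissions". If it is still a
    # member, an Exchange server identity holds the AD rights the post describes.
    $members = Get-ADGroupMember -Identity 'Exchange Windows Permissions' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -eq 'Exchange Trusted Subsystem' })
}

function Get-LocalAdministrator {
    # Enumerates the local Administrators group of one server through the WinNT
    # ADSI provider, so it also works against servers without PowerShell remoting.
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Server = $ComputerName
            Member = $name
            # WinNT://DOMAIN/Name for domain principals, WinNT://SERVER/Name for local ones
            Path   = $path
        }
    }
}

function Invoke-ExchangeLogonAudit {
    param(
        # Exchange server names; defaults to the computer accounts in the
        # "Exchange Servers" security group. (Get-ExchangeServer).Name works too.
        [string[]]$Servers = @((Get-ADGroupMember -Identity 'Exchange Servers' |
                                Where-Object { $_.objectClass -eq 'computer' }).Name),
        # Principals expected in local Administrators. Placeholder allow list:
        # replace with your own Exchange Org Admin group(s).
        [string[]]$Allowed = @('Organization Management', 'Administrator')
    )
    if (Test-ExchangeSharedPermissions) {
        Write-Warning 'Shared permissions model in use: an Exchange server identity can modify AD objects forest-wide.'
    } else {
        Write-Host 'AD split permissions detected: Exchange servers cannot create or modify AD security principals.'
    }
    foreach ($server in $Servers) {
        Get-LocalAdministrator -ComputerName $server |
            Where-Object { $Allowed -notcontains $_.Member } |
            ForEach-Object {
                Write-Warning ("{0}: unexpected local administrator {1} ({2})" -f $_.Server, $_.Member, $_.Path)
            }
    }
}

Invoke-ExchangeLogonAudit
```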

Is there a better solution?

Yep. Simple to state, hard to implement: Microsoft could change RBAC so that the command actually runs in the user’s context instead of the server’s context. But, as you’ve already heard, it’s not an RBAC issue, it’s a trust issue, so there’s no need to fix it.


Wednesday, April 27, 2011

Manually Creating a MobileConfig file including certificates
I've spent a long time trying to automate the creation of MobileConfig files (the configuration files for Apple devices: iPod, iPad and iPhone). The format is relatively simple (i.e. XML), but I have always been stuck when trying to include a personal certificate in the file. Now I am no longer stuck!
I found out that all you need is the certificate as a .PFX file; then use CERTUTIL with the following syntax:
certutil -encode alginald.pfx alginald.enc
Then you need to remove the first and last lines of the file (the BEGIN CERTIFICATE and END CERTIFICATE lines) and add the rest to the mobileconfig file. Yippee...
I'm using PowerShell to script the creation, so a couple more pointers..
To strip the first and last lines..
$content = gc alginald.enc
$newcontent = $content[1..($content.Length - 2)]
I also use the add-content command to append to the end of a file, but it also needs the UTF8 encoding part, i.e.
add-content alginald.mobileconfig -value $newcontent -encoding UTF8
Hope this helps...
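As an added example (not the post's own code), here is the whole procedure in one PowerShell function: it base64-encodes the PFX bytes with [Convert] instead of certutil, so there are no BEGIN/END lines to strip, wraps the data in a com.apple.security.pkcs12 payload and writes BOM-less UTF-8. The file names, identifier prefix and display name are made-up values.

```powershell
# Added example, not from the original post: builds a .mobileconfig carrying a
# PKCS#12 (PFX) payload directly from PowerShell. File names and identifiers
# below are constructed for the example.

function ConvertTo-XmlText([string]$Text) {
    # Escape &, <, >, " and ' so display names or passwords cannot break the plist.
    return [Security.SecurityElement]::Escape($Text)
}

function New-CertificateMobileConfig {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$OutPath,
        [Parameter(Mandatory)][string]$DisplayName,
        # Reverse-DNS style profile identifier; assumed value, pick your own.
        [string]$IdentifierPrefix = 'de.example.profile',
        # PFX password. Leave it out and the device prompts on install, so the
        # password is not stored in the profile file (the safer default).
        [string]$PfxPassword
    )
    $bytes = [IO.File]::ReadAllBytes($PfxPath)
    # Base64 with a line break every 76 characters: the same shape certutil
    # -encode produces, minus its BEGIN/END CERTIFICATE lines.
    $b64   = [Convert]::ToBase64String($bytes, 'InsertLineBreaks')
    $name  = ConvertTo-XmlText $DisplayName
    $fname = ConvertTo-XmlText ([IO.Path]::GetFileName($PfxPath))
    $pwXml = ''
    if ($PfxPassword) {
        $pwXml = "`n`t`t`t<key>Password</key>`n`t`t`t<string>$(ConvertTo-XmlText $PfxPassword)</string>"
    }
    $payloadUuid = [guid]::NewGuid().ToString().ToUpper()
    $profileUuid = [guid]::NewGuid().ToString().ToUpper()

    $xml = @"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>$fname</string>
			<key>PayloadContent</key>
			<data>
$b64
			</data>
			<key>PayloadDisplayName</key>
			<string>$name</string>
			<key>PayloadIdentifier</key>
			<string>$($IdentifierPrefix).pkcs12</string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs12</string>
			<key>PayloadUUID</key>
			<string>$payloadUuid</string>
			<key>PayloadVersion</key>
			<integer>1</integer>$pwXml
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>$name</string>
	<key>PayloadIdentifier</key>
	<string>$IdentifierPrefix</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>$profileUuid</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
"@
    # UTF8Encoding($false) writes UTF-8 without the byte-order mark that
    # Windows PowerShell's -Encoding UTF8 prepends.
    [IO.File]::WriteAllText($OutPath, $xml, (New-Object Text.UTF8Encoding($false)))
    return $OutPath
}

New-CertificateMobileConfig -PfxPath 'alginald.pfx' -OutPath 'alginald.mobileconfig' -DisplayName 'Alginald user certificate'
```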


Thursday, February 04, 2010

iPhone PDF attachment missing
Well, this is a strange one. iPhone syncing with Exchange 2003 via Push Mail. Sharepoint (or MOSS or WSS or....) sends mail with PDF attachment. In Outlook, everything OK. On iPhone, cannot see the attachment. Mail sent to a different user, also with iPhone and Push Mail. PDF is in the mail, and can be opened on the iPhone.

Solution: Use ADSIEDIT, navigate to the mailbox where it is not working, and change the attribute mapirecipient from TRUE to FALSE, or just remove the value.

Unbelievable, but true...

(Looks like the attribute has been left there from the good old 5.5 days... new mailboxes do not get this attribute set)


Friday, August 28, 2009

Changed Job again
After over 2 1/2 years at PlanB, I have changed jobs. Although I enjoyed my work there, it wasn't really the life for a family man. It involved lots of travelling and long hours, which was fun before my family came about, but I was missing my children growing up. Therefore I have moved to a local company, with friendly colleagues, and a lot less travelling / fewer hours.

Nanu, if you read this, please call me....

Tuesday, July 14, 2009

Don't use biro on a notebook when using paintbrush....
After showing somebody (name removed to protect the innocent) how to use paintbrush on a notebook, and then it not working when they tried it on their own, the person decided that if the mouse wouldn't work, they would use a biro to "paint" on the screen... result? one notebook screen covered in biro. Spent 30 minutes using a normal screen cleaner, and probably did more damage than good. Solution? Buy some isopropanol spray from your local retailer (in Germany, Conrad Electronics) and it removed all the biro within 20 seconds. Cost? €6.45


Thursday, February 12, 2009

Office Communications Server R2 - Error 0x80070534

Just done my first test install of OCS R2, and each time I tried to activate the OCS Server, it generated the above error and wouldn't activate. Problem? To save time, I installed W2K8 x64 once, sysprep'd it, and then used two copies, one for the DC and one for an OCS Standard server. This seemed to be the cause. Once I installed a fresh W2K8 x64 for OCS, everything worked first time.


Wednesday, January 21, 2009

Unable to send / receive SMS (text) messages on my phone for months

Turns out that because I've got dual-sim (one for a backup phone) the messages only go to the primary sim, which I've had turned off for months. A very helpful T-Mobile person (unbelievable, but true, they do exist) told me how to change it. Just call the number *222# on the phone and this changes the SIM to which messages are sent


Monday, August 11, 2008

OCS - Office Communicator cannot access address book
Troubleshooting address book issues with OCS can be a pain; fortunately, there's a really good troubleshooting guide over at

My problem? Service Account password expired on the OCS Application Pool in IIS.

When you install OCS, it creates the service accounts automatically but does not set them to "Password never expires"; therefore, depending on your password policy, after a while the application pool cannot start any more. I changed the account so that the password never expires, re-entered the password on the application pool properties page, restarted the pool and BINGO!

Wednesday, July 30, 2008

OCS / Communicator - Cannot Synchronize Address Book
Although there are lots of reasons for this error appearing, including problems with the web server itself or a corrupt file, one solution that keeps cropping up in a LAN environment is that the OCS Address Book server is not in the "Bypass proxy for" settings of Internet Explorer. In this case, the Communicator client tries to connect to the address book server via a proxy server, which may need authentication, and therefore fails.

Thursday, July 24, 2008

Strange problem sending an email as attachment in a task Outlook 2007 / Exchange 2007 / Forefront for Exchange SP1

Strange problem.... if Forefront is configured to block TNEF files in the wild card file filtering, and somebody sends a task to somebody else, and in the task there is an attachment, and in the attachment there is a full stop (.) in the subject, it gets rejected. Work that one out.


Wednesday, July 23, 2008

Cannot delegate calendar to shared mailbox or mail non-universal group -Exchange 2007
Strange problem with Outlook 2007 users running against an Exchange 2007 server. Outlook 2000 users were not affected by the problem.
If a user tries to delegate their calendar (or grant other types of permissions) to either a shared mailbox or a global mail-enabled security group, they cannot. When they try to select the object, it is marked with a red cross. This is because shared mailboxes are normally associated with a disabled user, and because Exchange 2007 does not support non-universal groups. Fix? Change the mailboxes back to normal user mailboxes with set-mailbox -type Regular (or even get-mailbox -recipienttypedetails SharedMailbox | set-mailbox -type Regular). As for the groups, I manually changed them to universal groups, and they're all working now.


Tuesday, July 01, 2008

0x80050014 - Server-sided Active Sync
Yes, I've followed article and no, I still can't sync over the wire. I'm running a front-end/back-end scenario. (With multiple back-end servers and some are working fine)

Solution: On the back-end server make sure that the /exchange directory has BASIC and Integrated Windows Authentication checked. For some reason the IWA was missing on one server :-(

p.s. download the virtual images of Windows Mobile, this helps in troubleshooting and means you don't have to hard-reset your own device when testing... go here


Thursday, May 22, 2008

Added New Photos of Alan and Peter

Finally got round to adding a few (not many) actual photos of the little ones. Alan is well over 2 and Peter is 10 months. Peter is standing and walking around by holding onto things, whereas Alan is just creating chaos wherever he goes. Got to get a garden fence to keep them in. Photos, as usual, can be found at

Wednesday, February 27, 2008

Dell 1815dn Multi Printer sends PDF via Exchange 2007 incorrectly
Had a problem today with a Dell multi device, whereby the attachment was in plain text in the mail instead of as attachment.
Solution: Download the latest firmware from the DELL site... 28/02/2008 is the firmware date


Tuesday, July 17, 2007

And then there were four......

Peter James was born last night, 16.07.2007. 3350g, 54cm. Both Diddly and Peter are doing well, the two Alans are having a ball. More photos can be found at

Tuesday, June 05, 2007

Quintum and Office Communications Server 2007
I got a new toy. Well its not really a toy, but a rather wonderful box of tricks that allows you to connect almost any PBX to OCS 2007. It cost less than €800 and allows me to connect 2xBRI (4 lines) directly to OCS as a Media Gateway. OCS is in turn connected to our Exchange 2007 SP1 (beta) server. Now we can call in call out and access our mailboxes via speech. Just like to say thanks for the people at quintum for their help in setting up the box, really helpful friendly people. Check them out at Bressner is the reseller in Germany, you can find them at
That's all

Publishing Multiple Exchange 2007 behind ISA Server 2006
I liked the idea of a Front-end Server in Exchange 2000/2003. Trying to get the same to work with Exchange 2007 is a nightmare. If you want to publish all mailboxes using one front end, you need CAS proxying. Unfortunately CAS proxying breaks access to SharePoint and file shares in OWA. Take your choice: either publish at least one CAS server per AD site separately to get SharePoint access, or use CAS proxying with only one server and no SharePoint.
Now how do I get both features, single front-end and sharepoint access? Answers on a postcard please......


Wednesday, May 09, 2007

Asterisk, SIPX and Exchange 2007
I've had a lot of mails, and hope that I've helped a lot of people over the past few months. However, some people found the instructions quite daunting. I recently received information from Ryan that he has created a clearer step-by-step. I've had a look, and its much better than mine. I would encourage anybody who wants to get this scenario working to have a look...

Monday, January 08, 2007

Plan-B GmbH

Hi All, Just to let you know, I now work for Plan B GmbH in Wasseralfingen. My email address is "first dot last @". My private address is still "alginald at gmx . de". Check our our web site at

Tuesday, November 28, 2006

Instructions on how to connect Asterisk to Microsoft Exchange 2007 for Unified Messaging

UPDATE AGAIN: There are MUCH better instructions for this at I recommend you take a look at Ryan's step-by-step. My guide is nearly 6 months old now, and there are some things that Ryan has done that make it a lot easier to set up than mine. Well done Ryan :-)

*UPDATE:- I will not be adding to the following information any more. I have almost finished a new installation, linking Asterisk with Exchange, which copes with all the Exchange Unified Messaging features such as fax, OVA and answering machine. This will appear on this page in the very near future

Please note that the instructions do not cover the installation of the sipx and asterisk servers, only the configuration of them. I originally used the VMWare community images of trixbox (asterisk with loads of add-ons) and SIPX. Since then, I have installed a stand-alone trixbox (iso image from I'm still having problems with CAPI (a Fritz! PCI card installed in my Asterisk server, cos it was cheap: €30 for two lines is a nice price for testing), so I'll probably end up installing it again using SUSE 9.3 (cos there's a better CAPI driver for SUSE from AVM). However, this does not affect how it works. I can dial in via a normal telephone, or I can use a SIP phone connected to either the Asterisk or the SIPX machine, and access Exchange UM.

If anybody would like even more detailed instructions (i.e. screenshots, config files, etc.) please let me know. Either add a comment here, or write to me at alginald at gmx dot de. No spam please, I'm vegetarian.

What this document covers:-
1) When somebody connected to the asterisk dials 666666, the call should be forwarded to the Exchange 2007 Auto attendant, whereby the caller can choose to contact somebody directly, or leave a message for them (voice mail)
2) When somebody connected to the asterisk dials 55, the call should be forwarded to the Exchange 2007 Subscription number, whereby the caller can enter their mailbox number, and their pin number for access to their mailbox via Outlook Voice Access

What is not working:-

1) The caller ID is currently not passed correctly from sipx to Exchange, so all Voice messages originate from "anonymous" at the moment

2) Dialling from Exchange 2007 out. This is quite easy to configure, and I have had it working, I have even included some of the instructions, but have not fully tested it

Initial installation
Install Exchange 2007 with the Unified Messaging role
Install Asterisk (I installed , from and the trixbox VMWare image, both worked fine)
Install SIPX. (I used the VMWare image from the VMWare community download pages)
The rest of this document assumes that you have downloaded and are using the VMWare images of trixbox and sipx.
The following computers are used...
asterisk1.local. (TRIXBOX)
IP address
IP address
DNS (Exchange / AD / DNS)
IP address
(I know that the sipx box has got the same name as my domain, that was not done on purpose, a different name can be used if you want)

********************************* START OF EXCHANGE 2007 CONFIGURATION ******************************
What to configure on the Exchange 2007 server
1) Create a new UM Dial Plan....
new-UMDialPlan -Name:'DialPlan6' -NumberOfDigitsInExtension:'6'
2) Add the subscription number 5 to the UM Dial Plan
In the Exchange Management Console, click on Organization Configuration / Unified Messaging / DialPlan6
On the second tab, Subscription Access, add the subscription number "5"
3) Create a new UM IP Gateway...
new-UMIPGateway -Name:'SIPX' -Address:'' -UMDialPlan:'DialPlan6'
(If you do not want to dial out using Exchange, open the properties page for the IP gateway, and deselect the "Allow outgoing calls".)
4) Create two new hunt groups for the UM IP Gateway.....
new-UMHuntGroup -Name:'Hunt5' -IPGateway:SIPX -UMDialPlan:'DialPlan6' -PilotIdentifier:'5'
new-UMHuntGroup -Name:'Hunt6' -IPGateway:SIPX -UMDialPlan:'DialPlan6' -PilotIdentifier:'6'
5) Create a new Auto Attendant.....
new-UMAutoAttendant -Name:'AA6' -UMDialPlan:'DialPlan6' -PilotIdentifierList:'666666' -Status:'Enabled' -SpeechEnabled:$true
6) Once the Auto Attendant has been created, edit the properties, and on the features tab, select
Allow caller to transfer to users
Allow callers to send voice mail
Callers can contact anybody in the Global Address List
Allow transfer to operator during business hours
Allow transfer to operator after business hours
(You don't have to configure all of these if you don't want to, but you should have at least the "allow callers to send voice mail" and the "anybody in the GAL" options set.)
7) Add the Dial Plan (DialPlan6) to the Exchange server
In the Exchange Management Console navigate to Server Configuration / Unified Messaging. Click on the e2k7srv2 server in the main pane with the right mouse button and click on properties. On the UM Settings page, add the dial plan to the list.
(There's probably a management shell command for this, but I used the GOOEY ;-))
8) Create a new UM Mailbox Policy...
new-UMMailboxPolicy -Name:'UMMailPolicy6' -UMDialPlan:'DialPlan6'
9) Enable Unified messaging for one or more test users. I gave Mickey Mouse the extension 777777 and Donald Duck the extension 777778.
********************************* END OF EXCHANGE 2007 CONFIGURATION ******************************
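As an added example (not from the original post), the following Exchange Management Shell function checks that steps 1 to 9 produced objects carrying the values the Asterisk trunks and SIPX dial rules below rely on (prefix 5 for Outlook Voice Access, prefix 6 / 666666 for the auto attendant). Object names are the post's own, including the server name e2k7srv2, and the property names assumed are those of the Exchange 2007/2010 UM cmdlets.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell after the configuration steps above. Each check returns $true on
# success or throws when the object is missing.

function Test-UmSetup {
    param(
        [string]$DialPlan = 'DialPlan6',
        [string]$Gateway  = 'SIPX',
        [string]$AutoAtt  = 'AA6',
        [string]$Policy   = 'UMMailPolicy6',
        [string]$UmServer = 'e2k7srv2'   # the post's own UM server name
    )

    # True when a (multi-valued) property holds an entry whose string form is $Value.
    function Test-HasValue($Property, [string]$Value) {
        return @($Property | Where-Object { "$_" -eq $Value }).Count -gt 0
    }

    $checks = @(
        @{ Name = "Step 1: dial plan $DialPlan uses 6-digit extensions"
           Test = { (Get-UMDialPlan -Identity $DialPlan -ErrorAction Stop).NumberOfDigitsInExtension -eq 6 } }
        @{ Name = "Step 2: dial plan $DialPlan has subscription access number 5"
           Test = { Test-HasValue (Get-UMDialPlan -Identity $DialPlan -ErrorAction Stop).AccessTelephoneNumbers '5' } }
        @{ Name = "Step 3: IP gateway $Gateway exists"
           Test = { [bool](Get-UMIPGateway -Identity $Gateway -ErrorAction Stop) } }
        @{ Name = "Step 4: hunt groups with pilot identifiers 5 and 6 point at $Gateway"
           Test = {
               $hg = @(Get-UMHuntGroup -UMDialPlan $DialPlan -ErrorAction Stop |
                       Where-Object { "$($_.UMIPGateway)" -eq $Gateway })
               $pilots = $hg | ForEach-Object { "$($_.PilotIdentifier)" }
               (Test-HasValue $pilots '5') -and (Test-HasValue $pilots '6')
           } }
        @{ Name = "Step 5: auto attendant $AutoAtt answers 666666, enabled and speech-enabled"
           Test = {
               $aa = Get-UMAutoAttendant -Identity $AutoAtt -ErrorAction Stop
               (Test-HasValue $aa.PilotIdentifierList '666666') -and
                   ("$($aa.Status)" -eq 'Enabled') -and [bool]$aa.SpeechEnabled
           } }
        @{ Name = "Step 7: UM server $UmServer is associated with $DialPlan"
           # Shell equivalent of the GUI step: Set-UMServer -Identity e2k7srv2 -DialPlans DialPlan6
           Test = { Test-HasValue (Get-UMServer -Identity $UmServer -ErrorAction Stop).DialPlans $DialPlan } }
        @{ Name = "Step 8: mailbox policy $Policy belongs to $DialPlan"
           Test = { "$((Get-UMMailboxPolicy -Identity $Policy -ErrorAction Stop).UMDialPlan)" -eq $DialPlan } }
    )

    foreach ($c in $checks) {
        $pass = $false; $detail = ''
        try   { $pass = [bool](& $c.Test) }
        catch { $detail = $_.Exception.Message }   # e.g. "couldn't be found" for a missing object
        New-Object PSObject -Property @{ Check = $c.Name; Pass = $pass; Detail = $detail } |
            Select-Object Check, Pass, Detail
    }
}

Test-UmSetup | Format-Table -AutoSize -Wrap
```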
************************************ START OF ASTERISK CONFIGURATION ********************************
Now to configure the asterisk....
There are two ways of configuring Asterisk: you can edit the files via PuTTY or the local console, or you can use the trixbox web interface.
************************ start of asterisk configuration using trixbox ************
If you want to configure Asterisk using the Web Interface from trixbox, do the following
1) Connect to the server with a web browser (in my case
2) Click on System Administration and logon with user maint and password password (or whatever)
3) Click on FreePBX (you could also go directly to the page instead)
4) In the new browser window (FreePBX), click on setup
5) Click on TRUNKS
6) Click on Add Sip Trunk
7) Set the following
Outbound Caller ID:6
Dial Rules:6666+6XXXXXXX
Outbound Dial Prefix:66

8) That's the first trunk. Now do the same again for the second one...
Outbound Caller ID:5
Dial Rules:5555+5XXXXXXX
Outbound Dial Prefix:55
Peer Details:

9) Click on outbound routes
10) Click on Add Route
11) Create a route with the following settings
name:1 6_SipX
Trunk Sequence:SIP/SIPX

12) Create a second route with the following settings
Trunk Sequence:SIP/SIPX2

13) If you want to add a softphone extension for testing do the following
14) Click on extensions
15) Click on SIP and set the following
Display Name:Yourname
Extension Number:200
Direct DID:200

************ End of Asterisk configuration using trixbox ******************

If you don't want to use the trixbox front end, just edit the files in the /etc/asterisk directory as follows...
What we need to configure is two dial plans and two trunks.
Here is my /etc/asterisk/extensions_additional.conf, which is used for the dial plans:
;********************** Start of extensions_additional.conf ***************************
[globals]
OUTCID_1 = 6
OUTCID_3 = 5
;end of [globals]

[app-cf-busy-off]
include => app-cf-busy-off-custom

[ext-did-direct]
include => ext-did-direct-custom
exten => 200,1,Set(FROM_DID=200)
exten => 200,n,Goto(from-did-direct,200,1)
; end of [ext-did-direct]

[ext-local]
include => ext-local-custom
exten => 200,1,Macro(exten-vm,novm,200)
exten => 200,hint,SIP/200
; end of [ext-local]

[outbound-allroutes]
include => outbound-allroutes-custom
include => outrt-001-1 6_SipX
include => outrt-002-5_SipX2
exten => foo,1,Noop(bar)
; end of [outbound-allroutes]

[outrt-001-1 6_SipX]
include => outrt-001-1 6_SipX-custom
exten => _6.,1,Macro(dialout-trunk,1,${EXTEN},,)
exten => _6.,n,Macro(outisbusy,)
; end of [outrt-001-1 6_SipX]

[outrt-002-5_SipX2]
include => outrt-002-5_SipX2-custom
exten => _5.,1,Macro(dialout-trunk,3,${EXTEN},,)
exten => _5.,n,Macro(outisbusy,)
; end of [outrt-002-5_SipX2]

[from-internal-additional]
include => from-internal-additional-custom
include => app-cf-busy-off
include => app-cf-busy-off-any
include => app-cf-busy-on
include => app-cf-off
include => app-cf-off-any
include => app-cf-on
include => app-cf-unavailable-off
include => app-cf-unavailable-on
include => app-userlogonoff
include => app-zapbarge
include => ext-test
include => ext-local
include => outbound-allroutes
exten => h,1,Hangup
; end of [from-internal-additional]

;********************** end of extensions_additional.conf ***************************
(p.s. make sure there is an entry in extensions.conf that reads #include extensions_additional.conf)
I have left some of this file out, so you may want to edit the existing one and just add the bits above. (You can connect to the Asterisk box with SSH to edit files, or log on locally.)
Also note that trunk 2 in the above configuration is my CAPI (ISDN) card; you might want to remove it from here if you don't use CAPI.

Here is my /etc/asterisk/sip_additional.conf
;********************** start of sip_additional.conf ***************************
callerid=Alan <200>


;********************** end of sip_additional.conf ***************************
(p.s. make sure there is an entry in the sip.conf called #include sip_additional.conf)

Please note that the first entry, [200], is a test phone that I configured for the user Alan.
[SIPX] and [SIPX2] are the two connections to the SIPX server. The secret is the password for root on the SIPX machine, although AFAIK you don't need it.

Here is the file /etc/asterisk/localprefixes.conf
;********************** start of localprefixes.conf ***************************


;********************** end of localprefixes.conf ***************************

************************************** END OF ASTERISK CONFIGURATION ********************************
I recommend using the trixbox/freepbx web interface unless you're a dab hand with vi.

**************************************** START OF SIPX CONFIGURATION ***********************************
Finally, we need the SIPX configuration
As you probably read at the beginning, I used the VMWare image. If you use the same one, I recommend changing the IP address, server name and DNS server manually.
Once you have the necessary information, connect to the sipx server's web server via web browser (in my case
Click on configuration, accept the goofy SSL warning, and enter the username and password (in the VMWare image case, superadmin, no password)
Click on gateways, and then Add Gateway. Give a name for the gateway (e.g. ToMXS), enter the IP address and the MAC address of the Exchange Server, and select unmanaged gateway
Now we need the two dial plans
First, for Voice Mail...
Click on Dial Plans
Click on Add Dial Rule
Click on Enabled
Give it a name
In Dialed Numbers, add 6 with "any number of digits"
In Resulting call, enter 666666 with nodigits
Add the gateway defined above for the route
Second, for Outlook Voice Access
Click on Dial Plans
Click on Add Dial Rule
Click on Enabled
Give it a name
In Dialed Numbers add 5 with "any number of digits"
In Resulting Call, enter 5 with nodigits
Add the gateway defined above for the route
Move these dial plans to the top of the list (Select the dial plan and click slowly but surely on Move UP)
Make sure they are enabled, and then click on Dial Plan Activation, "Activate"
That's all there is.
**************************************** END OF SIPX CONFIGURATION ***********************************

If you want to dial back to the Asterisk, add an additional Gateway and a Dial Plan on the SIPX box to point to the Asterisk Box, and just configure the Exchange box to use the correct prefix.
What to do if it doesn't work?
Log into the asterisk server and use the command "asterisk -r -dddddddddd -vvvvvvvvvv"
Check the asterisk logs in the /var/log/asterisk directory
Set the Exchange UM logging to 7 via the registry
Write to me @ alginald at gmx dot de, or post a comment :-)

Sunday, November 26, 2006

Asterisk and Exchange 2007 working!

After spending a bit of time playing around with the Unified Messaging features in Exchange 2007, and getting bored using the test phone, I tried to find a way of connecting it to my telephone system at home (ISDN). After a few sleepless nights, I now have it working fine. Basically, I use a trixbox (ASTERISK) with a Fritz! PCI card, which answers the call. ASTERISK uses SIP/UDP, so I can't just send the call directly to Exchange 2007, so I send it to a SiPX router, which then sends it on to the Exchange 2007 server. I can dial in and leave a message, or I can dial in and access my mailbox using speech or touch tone; it's working fine. If anybody's interested, drop me a line, and I'll tell you how to do it, or I might just publish it here....

Monday, November 13, 2006

Goodbye, god bless, and thank you.

I have left my job in Sunny South Germany after 12 years of working for a top Windows consultancy company. It was a hard decision to make, but fresh horizons lie ahead. I will be staying in South Germany, but working elsewhere starting 1.1.2007.

Thursday, August 17, 2006

China Visit
Just returned from a few weeks' work in Qingdao, China. Quite a strange experience, walking the streets, rarely seeing another European, with nobody understanding English or German and having to communicate solely with hands and paper.
I'd like to thank Mr Yu and Mr Lu for their hospitality, two really friendly and happy colleagues...
Now, as you probably know, I don't eat meat or fish. So here's a picture of a butcher's shop I saw in China, it might make you go down the same path......

Little Al
Is 5 months old today. There's a few more pictures over at the flickr page. He's just starting to walk with the help of two fingers... Still smiling, got 2 teeth, with others coming through, and he's just happy happy happy.

Thursday, May 18, 2006

Sleepless Nights - I don't think so....
Little Al is doing well.... I've published quite a few more photos to flickr if you're interested. I'm sleeping well, and Little Al's getting better at it. Sometimes it's only once per night :-) We're busy doing a lot to the garden at the moment. I've got rid of most of the ivy, and we bought a load of top soil. Last night the potatoes, lettuces, tomatoes and cucumbers were planted by Diddly. Next purchase will be garden furniture. Shame about Arsenal losing the Champions League final last night, but after Lehmann getting sent off after 18 minutes, and then Arsenal only defending the last 1/3rd of the field, whadya expect. At least Ronaldhinio (or how ever you write it) played pretty crappy. Ha Ha.

One last thing. Spent 40 minutes trying to find out why, when users sent an email to a certain distribution group in Exchange 2003, it was getting swallowed by the Message Categorizer. Answer: The users that were trying to send the mail were located in a different domain to the global distribution group. Therefore the membership couldn't be resolved. Solution: Either make the group universal or make the expansion server a server in the same domain as the group.

Sunday, March 19, 2006

And then there were three.....
Who's the daddy? I am. Little Al came into the world at 19:29 on 17 March. Weighing in at 3420g and 54 cm tall. (That's about 7lb 8oz and just over 21 inches). Full name is Alan Robert. More photos can be found at

Diddly and Little Al are doing extremely well.

Tuesday, February 28, 2006

2 weeks to go (ish)
Well, its 1 day before the start of March, and its snowing outside. I wouldn't mind if it was good snow, but its just annoying now. Non-stop minus temperatures for the last few weeks haven't helped either.

I'm currently trying to get Microsoft Vista to upgrade my XP on my notebook, running it in a Virtual Server downstairs, playing around with Exchange 12 elsewhere, writing a Create User program in VB for a customer, and patiently waiting for ErSie. ErSie, for those that don't know, is a combination of the two words Er and Sie, meaning He and She in German. We don't know if our coming baby (sometime in the next two weeks-ish) will be a boy or a girl.... more news to follow here

Tuesday, November 22, 2005

Exchange 2003 Public Folder Error 80090325 SSL Problem
Just when I thought all error messages regarding E2K3 were documented, I ran into one that I couldn't find a solution to on the web. The problem? Running the Exchange System Manager from a non-Exchange server wouldn't let me access the Public Folders, throwing the above mentioned error (80090325).
Reason for the error: The certificate path isn't trusted. Basically you've stuck a certificate on the servers for OWA reasons, but the certificate path isn't trusted.
Solution: Navigate to the OWA HTTPS page (https://yourserver/exchange). When the message comes about the certificate not being trusted, click on View Certificate, and then click on Install Certificate. Then click on certificate path, click on the top certificate (it will have a RED X on it), and click on Install Certificate and click a few nexts.

Problem solved
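The same fix without the GUI clicking, as an added example that is not from the original post: it fetches the certificate the OWA site presents, reports why the chain fails, and installs the root into the user's Trusted Root store only when it is self-signed and its thumbprint matches a value obtained out of band. The host name comes from the post; the expected thumbprint is a placeholder, and the code assumes Windows PowerShell 3 or later on the admin workstation.

```powershell
# Added example, not from the original post. 'yourserver' is the placeholder
# host name the post uses; the thumbprint at the bottom is a placeholder.

function Get-SslChainReport {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback always returns $true so we get the certificate
        # even when it is untrusted. Never reuse this callback for real traffic.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline lab; keep 'Online' in production
    $trusted = $chain.Build($leaf)
    # Last element is the highest certificate the chain engine could find; it is
    # only the real root when it is self-signed.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        HostName         = $HostName
        Trusted          = $trusted
        Status           = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Subject          = $leaf.Subject
        Root             = $top
        RootIsSelfSigned = ($top.Subject -eq $top.Issuer)
    }
}

function Install-TrustedRoot {
    # Installing whatever the server hands you would also "fix" a man-in-the-middle
    # certificate, so the thumbprint must come from the CA owner, not from this output.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Root,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$StoreLocation = 'CurrentUser'   # 'LocalMachine' needs admin rights and trusts it for every user
    )
    if ($Root.Subject -ne $Root.Issuer) { throw 'Not a self-signed root; refusing to add it to Trusted Root' }
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
    if ($Root.Thumbprint -ne $expected) {
        throw "Thumbprint $($Root.Thumbprint) does not match the expected value; not installing"
    }
    $name  = [System.Security.Cryptography.X509Certificates.StoreName]::Root
    $loc   = [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, $loc)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($Root) } finally { $store.Close() }
}

$report = Get-SslChainReport -HostName 'yourserver'
$report | Format-List HostName, Trusted, Status, Subject, RootIsSelfSigned
"Root: $($report.Root.Subject)  thumbprint $($report.Root.Thumbprint)"
# Install-TrustedRoot -Root $report.Root -ExpectedThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder
```

Run the report first; if RootIsSelfSigned is false, the server is not sending its intermediate certificates and the fix is on the server (install the full chain in IIS), not on the workstation.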

Friday, October 14, 2005

Change of telephone number

As you might have read in the last post, I am moving house soon. My telephone number will also change, therefore, as of 31.10.2005 my existing number will not work. Both mobile (handy) numbers will continue to work, so if you want the new house telephone number, either write or phone. New number will start working on 02.11.2005 as the 1st is a holiday in Germany. Everything's going perfect with the house at the moment, tiling in the kitchen should be finished on Sunday, and I hope to have everything finished before the end of next week (cos I wanna move in ;-))

Still can't get an ISA Server 2004 to use IPSec site-to-site to connect to a PIX 501. Even the whitepaper from MS didn't help, even though I followed the steps exactly. Ah well, gonna try with a smoothnet linux firewall at the weekend.

England in the world cup!
Typical, just cos we didn't need to win the game against Poland, and some of our top players were missing, England played fantastic. Compare it to the game at the weekend, and it looked like two completely different teams. Lampard is looking good for the future, Rooney seemed to be a bit calmer, and I'm pretty sure we've got one of the best goalkeepers in the world at the moment. Being a spurs fan, I would say that last bit anyway :-)... Now just got to try and get some tickets to some games over here. Stuttgart's just around the corner for me, so let's hope England get to play there.

Monday, October 10, 2005


So, got the new house. Fortunately there's not too much work to be done. I've finished painting the walls, just gotta strip down the doors and door frames. Found some lovely wooden floors underneath the lino in some rooms, so I got rid of the lino, hired a whopping huge floor sander, and have been trying to get the wood looking good. It's taken quite a few hours so far, but I hope to be finished this week. Then there's only the kitchen to go. Big thanks to everybody who's helped me so far, it has saved a lot of my time.

Been given a petrol lawn mower, garden hoover and a load of other machines for the garden for nothing, that means we'll be able to make a good start on the garden next year when spring arrives (about the same time as ErSie)

Off to Detroit in November for 10 days, W2K, E5.5 migration to W3K and E2K3. Hopefully the house will be finished by then, and I'll have moved.

Monday, September 26, 2005

How the world can change....

Well it's been a few months since my last post. Things have been pretty hectic. Bought a house, getting married, and a little Elvis should be landing on my doorstep next year :-)
Just got back from Brazil as well, a really good week doing a network update. More to follow.....

Tuesday, March 08, 2005

Snow fun anymore
Well, it just wont stop snowing here, I'm sure we're all going to move into igloos soon :-)

Tuesday, November 02, 2004

New NAS device

Went to the hobby messe (exhibition) in Stuttgart on Monday. Didn't really want to go, but as I got there at 9 am, it was really empty, and I managed to see nearly everything in about 90 minutes, a new record. Unfortunately, there weren't as many stalls as usual, but enough. I bought a NAS device for at home. It's a little box with embedded Linux, that you can put a hard drive into, and then access via FTP or SMB (MS shares). 109 euro for the box, and then I added an old 160 GB hard drive. Now I can access my data from around the world, without leaving a computer on at home, or having to open up my firewall to an internal computer. COOL. I bought it from ARLT, the home page for the device is

Friday, October 29, 2004

Outlook 2003 Nicknames

Now I don't often rant about MS :-) but something like this really annoys me. I have spent the last 2 hours trying to find out how to remove the "Nicknames" feature from Outlook 2003. Nothing found anywhere. Then I found the Ol2kNick tool from MS, which doesn't work with 2002 or 2003. Then I found an updated article for a new tool for Outlook 2002, which has not been officially released, so I downloaded that (KB 318827). Fortunately, it also works with Outlook 2003, despite setting the wrong registry key. So why the rant, you ask? Well, why didn't Microsoft just tell us that you can create a value called NoNicknames and set it to 1!!! And the value MaxNicknames, which can be set to the maximum number of nicknames that you want stored in the .NK2 file (default is 1000).

Somebody wrote about MaxNicknames saying that it will not work with a value above 1000. I haven't tested this, I wanted to change it to 0 so that no nicknames could be saved, sorry.

Change 11.0 to 10.0 in the key path for Outlook 2002 (XP). You may have to create the AutoNameCheck registry key yourself, and the values most definitely. They are both REG_DWORDs.
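The registry change scripted, as an added example that is not from the original post. The post names the AutoNameCheck key and the two DWORD values; the full path below (HKCU\Software\Microsoft\Office\<version>\Outlook\AutoNameCheck) and the location of the .nk2 cache under %APPDATA%\Microsoft\Outlook are my assumptions about Outlook 2002/2003, not something the post states.

```powershell
# Added example, not from the original post. The key path and the .nk2
# location are assumptions about Outlook 2002 (10.0) and 2003 (11.0).
function Set-OutlookNicknamePolicy {
    param(
        [ValidateSet('10.0', '11.0')][string]$OfficeVersion = '11.0',  # 10.0 = Outlook 2002, 11.0 = Outlook 2003
        [switch]$Disable,                                                # NoNicknames = 1
        [int]$MaxNicknames = 1000,                                       # default cache size; >1000 reportedly ignored
        [switch]$ClearCache                                              # also delete the existing .nk2 files
    )
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoNameCheck"
    # The subkey usually does not exist and has to be created first
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Both values are REG_DWORD; -Force overwrites them if they already exist
    New-ItemProperty -Path $key -Name NoNicknames  -PropertyType DWord -Value ([int]$Disable.IsPresent) -Force | Out-Null
    New-ItemProperty -Path $key -Name MaxNicknames -PropertyType DWord -Value $MaxNicknames -Force | Out-Null

    if ($ClearCache) {
        # The cache already on disk holds every address the user has ever mailed.
        # Turning the feature off without deleting it leaves that history behind;
        # Outlook must be closed, otherwise it rewrites the file on exit.
        Get-ChildItem -Path "$env:APPDATA\Microsoft\Outlook" -Filter '*.nk2' -ErrorAction SilentlyContinue |
            Remove-Item -Force
    }
    Get-ItemProperty -Path $key | Select-Object NoNicknames, MaxNicknames
}

# Turn the feature off for Outlook 2003 and wipe the existing cache
Set-OutlookNicknamePolicy -OfficeVersion '11.0' -Disable -ClearCache
```

The .nk2 file is worth knowing about beyond this annoyance: it is a plain record of who a user has corresponded with, which is why it turns up in forensic work and why a roaming profile copies it between machines.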

Friday, October 15, 2004

Marriage (not mine), Linux and other things
First things first, congratulations to two of my best friends, Elaine and Lee, on their marriage - 25th Sept 2004.

Second things second, Linux. Playing around with Fedora Core 2, which is pretty amazing. Never really paid much attention to Linux before, and now I'm behaving like I did when I got my first ZX Spectrum :-) Late nights, sore back and hours of staring at the screen. It's a cracking system. I LIKE the way it takes ages to get some things working. I feel like I have achieved something when it works. So, I've got the CD burner working with it, just need to get the NEXUS-S DVB-S card working with Freevo, and I'm there, Jim. I've probably said it before, but check out, they really do have the best amount of free software, and you can even participate in some of the projects if you want.

Other things other, well done England! 1-0 and 2-0 in the last week. The game on Wednesday was pretty terrible from what I heard. (In Germany, they didn't broadcast it live, so we had to listen to BBC Radio 5 Live via digital sat) but it's the points that count. Roll on March for the next round. Nice goal Beckham!

Thursday, August 26, 2004

Even Microsoft isn't that impressed with .pst files..

Not supported over WAN or LAN connections. Ha Ha.

Friday, August 20, 2004

England vs Ukraine

What a game, well played Becks and Owen, and what a goal by Wright-Phillips. In fact, in the second half, it was the first time I've seen England attacking their opponents to get the ball instead of doing their normal "keep 5 yards away until they pass it" tactics in donkeys years. Keep it up!


Had the *pleasure* to do a bit more programming recently. I am certainly NOT the world's best programmer, but I do like programming Admin tools. My latest program sends a list of selected registry key values to any number of other windows machines. It can also copy and delete files on a list of other machines. Works a dream. Try and find another tool on the market (freeware) that can do the same....


Trying to install a 3-way Exchange 2003 cluster in a test environment. Got it working once, but when trying to do it again, it keeps getting stuck on the System Attendant resource. It tells me "User Name was not found". Well, as it uses local system, I don't get it. I still think the problem is with DNS, but who am I.


Had a lovely 10 days in Cornwall, it even included a few days of sunshine ;-). Stayed at the beautiful St. George's Hotel in Perranporth, which I can strongly recommend, small, quiet and relaxing. Fortunately this was a good month before the recent flash floods that have been happening in the area - poor old Boscastle.

Wednesday, June 30, 2004

Exchange Virtual Memory

There still seem to be a lot of problems out there with Exchange and virtual memory. Beware of rogue information though.
A few helpful tips seem to be....

1) Use the /3GB switch in boot.ini when using Windows 2000 Advanced Server or any flavour of Windows 2003 (on Windows 2003 add /USERVA=3030 as well, which is what Microsoft recommends for Exchange 2003).
2) Don't put too much memory into the machine if you don't need it. A 32-bit Exchange server can't use more than 4 GB anyway, and with /3GB the kernel only has 1 GB of address space left to keep track of physical memory in.
3) If using Windows 2000 with SP4 and Exchange 5.5, DO NOT RUN THE PERFORMANCE OPTIMIZER (well, do it, but not while the Exchange services are running).
4) Make sure you put all the latest hotfixes on the boxes, and try to keep all servers at the same level; it's much harder to troubleshoot if there are different versions.

Extract Exchange 200x information from the GAL

Well OK, I know that it's not really the GAL that we're gonna extract from, it's Active Directory, but I found a good article about it and thought I would post it here...

Friday, June 04, 2004

Don't backup Exchange 2003 Information Stores and the System State in the same backup job!

Of course we wouldn't do this anyway, right? Quite a lot of my customers are using the built-in ntbackup utility because it's cheap, can do backup-to-file, and has a free Exchange agent. What I didn't know is that you cannot back up the system state at the same time as the Exchange Information Store, because of the way ntbackup uses VSS for the system state part of the job. More information can be found in KB 820852.
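The two backups as two separate ntbackup jobs run one after the other, as an added example that is not from the original post. Server name, storage group name and destination paths are placeholders; the selection-file syntax for an Exchange store ("JET <server>\Microsoft Information Store\<storage group>\", saved as Unicode) is what ntbackup itself writes when you save a selection, and PowerShell is assumed to be installed on the Windows 2003 box, which it was not by default at the time.

```powershell
# Added example, not from the original post. Server, storage group and paths
# are placeholders.
$server = 'EXCH01'
$sg     = 'First Storage Group'
$dest   = 'D:\Backups'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'

function Invoke-NtBackup {
    # ntbackup.exe is a Windows (GUI) program, so a plain call would return at
    # once; Start-Process -Wait makes sure job 1 has finished before job 2 starts.
    param([string]$Arguments)
    Start-Process -FilePath "$env:SystemRoot\system32\ntbackup.exe" -ArgumentList $Arguments -Wait
}

if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

# Job 1: the Exchange Information Store, through the Exchange backup agent.
# The .bks selection file must be Unicode or ntbackup silently ignores it.
$bks = Join-Path $dest 'exchange-is.bks'
"JET $server\Microsoft Information Store\$sg\" | Out-File -FilePath $bks -Encoding Unicode
Invoke-NtBackup -Arguments ("backup `"@$bks`" /j `"Exchange IS $stamp`" " +
                            "/f `"$dest\exchange-is-$stamp.bkf`" /v:yes /l:s")

# Job 2: System State, in its own job and only after job 1 has finished
Invoke-NtBackup -Arguments ("backup systemstate /j `"System State $stamp`" " +
                            "/f `"$dest\systemstate-$stamp.bkf`" /v:yes /l:s")

# ntbackup's exit code is not a reliable success indicator: check the job
# report (Tools > Report in the ntbackup GUI) or the Application event log.
```

Keep in mind what ends up in that .bkf: every mailbox in the storage group, readable by anyone who can mount it in a recovery storage group, so the destination share needs the same access control as the mailbox store itself.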

Exchange moving again and again

Been playing around with LOTS of Exchange Servers recently. Was at a customer for the last 3 days, and was confronted by another *gremlin*. I moved lots of Exchange mailboxes from the old server to the new one a few months ago. Yesterday I switched the old box off and deleted it from the Exchange world. From that moment on, there were problems with people accessing other people's calendars. It seems that although Outlook updates the profile automatically when a mailbox is moved to reflect the new server, it does not update any saved calendar shortcuts. The only way round it is to delete them, or reopen them once using "Open Other User's Folder", and not the quick link.

PFDAVAdmin again

I know I've already mentioned this program, but I was playing around with it again the other day, and found one of the best features. As long as the person running the program has enough rights, permissions for every single mailbox can be set from a central location. It used to be almost impossible to quickly see which permissions people had set for access to their calendar (or any other folder really) but with this tool, you can see each separate mailbox folder's permissions. Nice one MS.

New Printer

Finally plunged out for a new printer. Epson C64 (and I thought it was Commodore that made the C64 :-)) I am rather impressed. It only cost €60, which is about 40 quid, and prints REALLY good photos. Also got 100 ready-to-print high glossy photo paper sheets for €9 - 6 quid. Goodbye Lexmark Laser, you caused me a lot of problems, and ate more paper than you printed on... now which window is open...

Exchange 200x Troubleshooter

I've been promising myself and a few people that I would eventually get around to an easy to follow guide, a bit like a flowchart, for Exchange Disaster Recovery and Database Recovery. Well its started. Not finished, and won't be for a while yet, but from little acorns........

Wednesday, April 14, 2004

Beamer woes

Decided to kill my beamer last week. Dropping it from 1.5 meters tends to have that effect. Thankfully, after breaking off bits of the fan that wouldn't rotate, and then unplugging and plugging in the bulb about 30 times, it sprang into life again. Nice one Sony. You may not support it anymore, but its a magic beamer (projector)

Exchange Disaster Recovery

Well, since I've given the training courses, I've been involved in at least 3 database rescues. All without any data loss. Exchange 2000 is OK for data recovery, but the new features offered by Exchange 2003, including Recovery Storage Groups and snapshot (VSS) backups, are unbelievable. These features and OWA/OMA 2003 make it worth upgrading. The client licence pricing unfortunately does not win my seal of approval.

New Handy

Just got myself a new handy (mobile phone), the Sony Ericsson T610, which has got camera, bluetooth, Outlook, etc integration. Not bad for €19 and a contract extension. I really didn't know which handy to take, but this one has got bluetooth, and a big easy to use display.

CD Will be Sent

For those people on my last training course that are wondering where the CD is, its almost ready. The CD should be landing in your inbox (snail mail, not email) within the next 7 days. Sorry for all the time its taken, but I've been very busy.

Thursday, April 01, 2004

Oh, To Be In England
Just been back to my island for the last few days. Had a good time wandering around the junk shops, collecting books for the next few months. It was mum's birthday on Sunday, which was good fun. Finally got around to delivering the Astro Wars box to Alex in England as well, so I've got a bit more room. Ebay... here I come....

MS Exchange 2000 training course
Spent this week giving the MOC for Exchange 2000. Really good fun, and the people on the course were very interested in the product. Tried to bring across all the new features of Exchange 2003, and we ended the course with an in-place upgrade to Exchange 2003. Don't forget Windows 2000 Service Pack 3 on the Global Catalog servers (and domain controllers) as well as Exchange 2000 Service Pack 3 on the E2K machine before you start :-)

Monday, March 15, 2004


My mate Fraser has got a new CD out. Its called "Rain before seven". Given it a few plays, and it gets my thumbs up. There's not too much on his webpage but I guess with all the troubles he's had recently, its no wonder. Some information about it can be found on the newsletter part of his homepage.

FC Normannia

Not being content with a 4 point lead in the Oberliga, FC Normannia beat the 2nd place team on Saturday by 3-2. Magical game with all 3 Normannia goals in the first half. Getting towards the end, Normannia started looking a bit shaky. This is the second game after the winter break. Last weekend they drew 1-1 away.

Tuesday, March 09, 2004

Exchange 2000 Disaster Recovery

Just as I thought I was getting an early home time (16:30), along pops another Exchange 2000 problem. This time the SAN bit the dust and took the Exchange Server with it. After replacing the failed disks in the SAN, the customer did almost everything right: reinstalled Exchange 2000 with the /disasterrecovery option, then applied the service packs. Then came the biggie - restoring the databases. Each time this was attempted there was an error at the end of the restore, and no databases were mounted. The error code was very strange: 9939xxxxxxxx. What was the problem? Quite simply, there were no current transaction logs to play forward, only those from the backup, because the log disk had gone with the SAN. Now if it was me that had written Exchange, I would have included a little check to see if there are any logs and ask the user what he wants to do - hard recovery, or get the logs from somewhere else. If you ever get the same problem, do the following:

1) Restore all databases for a storage group at the same time, but do not set the "Last Backup Set" flag when restoring, even on the last backup set (with the flag set, the restore kicks off the hard recovery itself, which is exactly the step that keeps failing).
2) Once the restore is finished, open a command prompt in the temp directory that you defined during the restore operation and check that the restore.env file is there.
3) From that directory issue %pathtoexchangebin%\ESEUTIL /CC /T and press enter. This does a hard recovery using only the logs in the current directory, and does not go looking for other logs in the mdbdata directory.

Took a few hours to sort out the problem, mainly because I was using the wrong syntax and thought that you had to specify the .edb file that you want to roll the logs forward on.
Just goes to show that the worst time to test your disaster recovery is when the disaster happens. One other thing, why is there so little documentation available about Disaster Recovery? Try a google search sometime, and see what a very poor world it is. Maybe I'll get round to doing a document one day, only time will tell.
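The hard recovery steps above wrapped so the checks happen before eseutil touches anything, as an added example that is not from the original post. The restore folder is a placeholder; reading the Exchange install root from the "Services" value under HKLM\SOFTWARE\Microsoft\Exchange\Setup is my assumption about Exchange 2000/2003, so pass -ExchangeBin explicitly if it differs, and PowerShell is assumed to be present on the server.

```powershell
# Added example, not from the original post. Restore folder is a placeholder;
# the registry location of the Exchange bin path is an assumption.
function Invoke-ExchangeHardRecovery {
    param(
        [Parameter(Mandatory)][string]$RestoreFolder,   # temp folder given to the restore job
        [string]$ExchangeBin                             # override if the registry lookup does not fit
    )
    $restoreEnv = Join-Path $RestoreFolder 'restore.env'
    if (-not (Test-Path $restoreEnv)) {
        throw "No restore.env in $RestoreFolder. Restore every database of the storage group into this folder first, without the Last Backup Set flag."
    }
    if (-not $ExchangeBin) {
        # Assumption: Setup\Services holds the Exchsrvr install root
        $root = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Exchange\Setup').Services
        $ExchangeBin = Join-Path $root 'bin'
    }
    $eseutil = Join-Path $ExchangeBin 'eseutil.exe'
    if (-not (Test-Path $eseutil)) { throw "eseutil.exe not found in $ExchangeBin" }

    # /cm only dumps restore.env: confirm which databases and which log range
    # the restore contains before letting hard recovery run.
    & $eseutil /cm $RestoreFolder

    # /cc = hard recovery; /t with no path = use only the logs restored into
    # this folder and do not look for newer logs in the production log
    # directory, which is the situation after the SAN took the log disk.
    & $eseutil /cc $RestoreFolder /t
    if ($LASTEXITCODE -ne 0) { throw "eseutil /cc failed with exit code $LASTEXITCODE" }

    "Hard recovery finished. Mount the stores in ESM, then take a full backup straight away: the old log chain is gone."
}

Invoke-ExchangeHardRecovery -RestoreFolder 'D:\Restore\First Storage Group'   # placeholder path
```

The /cm dump is the step that would have saved the hours mentioned above: it shows that restore.env, not an .edb file, is what /cc wants, and it lists the log generations the restore contains, so you can see before running anything that there is nothing newer to play forward.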

Monday, March 08, 2004


Bought a new wireless router on Friday. I know it's *only* 11 Mbit/s, but as the internet is only 768 kbit/s, it's enough for surfing. I bought the ACER offer from Mediamarkt. You get the 4-port wireless router, a PCMCIA wireless card and a USB wireless dongle for €79, which is about 50 UK pounds. Plugged it in, typed in the WEP key that I want to use, configured the client, everything working within 5 minutes. Not using it to connect directly to the internet though; for that I use IPCop (a free Linux firewall with some impressive features, the main one being that it runs on a P75/32 MB/120 MB HD). Before getting this router, I was having problems connecting from one end of the apartment to the other end (where my other WLAN is). Now I can connect from anywhere, including the notebook in the bedroom (is that geeky or what?)

Server Problem

Also had a problem with a Lotus Notes server running on Windows 2000. For some reason, small files could be copied without any problems, but as soon as a file got over about 800 MB, an error message came up just before the end of the copy telling me that there weren't enough system resources. Did all the usual stuff.... stopped 3 billion services running on the machine, still no difference, even after a reboot. Solution? Time and time again, the solution is the same: I reinstalled Service Pack 4 for Windows 2000. All problems gone. One thing to keep in mind when you do this: reinstalling a service pack puts back the service pack's versions of files that later hotfixes had replaced, so the hotfixes installed since SP4 need to be reapplied afterwards. Lucky for the admin really, he wanted to get HP to swap all the hard disks as the problem appeared to be with writing to disk. Phew.

Outlook Express Problem

An easy request, I thought.... Export Outlook 2000 contacts into Outlook Express. There's even a TechNet article about it. Unfortunately, it doesn't work by default on a German machine. The problem is that Outlook exports in "comma-separated" and Outlook Express thinks that it can import "comma-separated". Unfortunately, Outlook Express relies on the list separator defined in the regional settings in the Control Panel. This is by default a semicolon in German, and not a comma. Changing this value in the Control Panel allowed me to export and import without any headaches.
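A way to do the same conversion without changing the regional setting for the whole user, as an added example that is not from the original post: it reads the list separator from the same regional setting (the sList value under HKCU\Control Panel\International) and rewrites the Outlook export with that separator. The sample export is constructed for the example, not real contact data, and the file names are placeholders.

```powershell
# Added example, not from the original post. Sample data is constructed;
# file names are placeholders.
function Get-RegionalListSeparator {
    # The "List separator" from Regional Options: ';' on a German system, ',' on an English one
    (Get-ItemProperty -Path 'HKCU:\Control Panel\International').sList
}

function Convert-ContactsCsv {
    param(
        [Parameter(Mandatory)][string]$InPath,        # Outlook export (comma separated)
        [Parameter(Mandatory)][string]$OutPath,       # file to hand to Outlook Express
        [string]$InDelimiter  = ',',
        [string]$OutDelimiter = (Get-RegionalListSeparator)
    )
    # Import-Csv parses quoted fields properly; a plain -replace ',',';' would
    # also change commas inside values such as "Smith, Jr." or "Example, Inc."
    $rows = @(Import-Csv -Path $InPath -Delimiter $InDelimiter)
    $rows | Export-Csv -Path $OutPath -Delimiter $OutDelimiter -NoTypeInformation -Encoding Default
    return $rows.Count
}

# Constructed sample export (not real data) so the example runs on its own
$sample = Join-Path $env:TEMP 'contacts.csv'
@'
"First Name","Last Name","E-mail Address","Company"
"John","Smith, Jr.","john@example.com","Example, Inc."
"Erika","Mustermann","erika@example.de","Muster GmbH"
'@ | Set-Content -Path $sample -Encoding Default

$out = Join-Path $env:TEMP 'contacts-oe.csv'
$n = Convert-ContactsCsv -InPath $sample -OutPath $out
"Wrote $n contacts to $out using separator '$(Get-RegionalListSeparator)'"
```

Export-Csv writes the file in the ANSI code page with -Encoding Default, which is what Outlook Express expects for umlauts; leave that off and the default Unicode output gives you the next import problem.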

Weekend Sport

And what a weekend it was. Semi-final of the FA Cup. Fortunately, DSF (A german sports channel) had both games on Saturday, and BBC had the Millwall game on Sunday, so I only missed one game. Unlucky Fulham, and well played Tranmere. Arsenal were in a different class. I noticed that they shortened Portsmouth to POR for the scoreline. Wonder why they didn't use the first four letters of Arsenal for their name on the scoreline :-). Typical Ferrari and Schumacher, they were in a class of their own in Melbourne (yes, I woke up at 4 am to watch it). Roll on Malaysia.

Wednesday, March 03, 2004

Active Directory Disaster Recovery
Well, two weeks later, and I've just finished giving a 2 day Active Directory Disaster Recovery training course. Well attended, and a very interesting two days. Did lots of different scenarios, and lots of hands-on which went down rather well. Also, managed to do everything in VMWare and the difference to Virtual PC is really noticeable. Only one problem this time, the base PCs were not very well installed, and I was getting a lot of crashes if the physical CD was connected to a VMWare machine. Problem solved by a reinstall of all client machines.

I haven't had a chance to have a good play around with it yet, but there is a new Public Folder administration tool for Exchange called PFDavAdmin, which you should be able to download from here. Its meant to be able to reset MAPI and non-MAPI rights on public folders, as well as *simple* things like propagating a single user's permissions non-destructively through a tree. In 5.5 we had to hope that PFAdmin would work, or try and use Klaus Seeling's strange PFRights program

My sister came to visit! Its the second time she's been to Sunny South Germany, and not to let the side down, it snowed like crazy on the Sunday night. She visited with her boyfriend, it was his first time here, but got quite quickly used to the schnapps and the game of chicago (dice game). Had a great time in Stuttgart, watched the Fulham vs. Chelsea match when we got back, the next day was spent walking around a small mountain, and then to an outdoor naturally heated thermal bath. A good time was had by all.

Tuesday, February 24, 2004

Another translation of sorts
A work colleague sent me an email regarding an Office CD that I needed. He translated the original german into english for me using an online translation site (No idea why, as I can read german quite well). Still, if he had sent it in german, I would never have had the pleasure that the translated mail gave me. I haven't laughed as much in years. (I got permission from him to publish it here, have no worries)

A point is furnished to installations with the following path \\computer\share. I can to you gladly offer, if you are in the house the Office2003 CD tomorrow for installation to give.

Wednesday, February 18, 2004

Finished giving a two-day Exchange 200x disaster recovery course. Went well in my opinion. Probably the worst thing was the speed of the machines. Decided to use Virtual PC from Microsoft instead of VMWare, and the virtual machines ran really slowly. I use VMWare on my home machine, but don't have it on my notebook because I only have one license. What pops in my Inbox this morning? A free (yes, free!) license for VMWare Workstation 4 as I'm an MCT. Made my day. Already installed it and running a W3K DC and W3K E3K Server on my notebook as I type. Performance is quite impressive - ADU&C starts in about 10 seconds, ESM in 7, with both machines running. Might change my opinion when I finally get a copy of Virtual Server, but with the network limitation of only 1 network card in Virtual PC, I really need VMWare. Now where is that ISA Server 2004 Beta CD................

Its fasching time here in Sunny South Germany, there was a great street festival in town at the weekend with lots of bands playing purposely off-tune. After a few beers, it gets easier to understand :-)

Wednesday, February 04, 2004

Well its a very sunny day today. Temperature at 17C is rather strange for this time of year, although we should have snow back by the weekend. Giving a Windows 2000 Server and Professional training course this week, and then two Exchange 2003 training courses in the next two weeks, as well as receiving a PKI training course myself next week. Should be fun. Microsoft have also got an online test centre where you can have a stab at trying to get MCP. Check out for more information. Finally managed to buy the dishwasher tablets, and so, for the first time in my life, I operated a dishwasher last night. Result: Crystal clear. Very impressed was I. Ye olde back is also much better. Seven months of acupuncture, training and massage finally seems to have sorted it out. I've bought a training machine for home now off of Kev for 80 euros, which even measures pulse. Just gotta find the strength to carry it down three flights of stairs, into the car, home, and then up the one flight of stairs to mine. Also gotta find room for it. The games room is pretty full at the moment, as I've still got the Zaccaria machines for Astro Wars in there. I'll be taking one back to England for Alex next time I visit there, and I guess I'll just have to return the other one to the cellar. Also seriously thinking about selling some of them now. Still gonna keep the Invaders, Asteroids, Missile Command, PuckMan and Track and Field. Might also keep the quiz machine. One JAMMA machine will also be saved, but the rest will have to be ebayed. I just don't have the time that it takes to concentrate on such a time-devouring hobby.

Thursday, January 29, 2004

Well, I've been doing an ISA Server installation the last few days, which, as always, was fun, and quite easy. A little problem with the certificates for the remote VPN clients, in that both the user certificate and the root certificate had to be installed into the machine certificate store, but apart from that, sweet.

It's snowing, wowowow. Big time. South Germany really is a pretty sight at this time of year, one day I'll get my photos on here somewhere. Current temperature is about 0°c and the snow has been here for a good week now with not much chance of hoofing. Might even get a chance to go skiing or skating. Who knows.

Was MSNing with Danny earlier today, did NetMeeting as well, as we had a problem with audio, and now he's gone off to find a cheap WebCam on the internet somewhere, impressed as he was.

Also translating a document from German into English at the moment, and have been using Babelfish (from Altavista) which is rather hilarious. So much so, here's a cracking example:-

"In the first step we create ourselves an overview, on which all further steps develop and are for a successful introduction from great importance."

Well thank you very much :-p

Last thing... got the ISA Server 2004 beta 2. Will be bunging it on a VM Machine later, looks like they've done quite a good job. Time will tell.

Friday, January 23, 2004

Hi, this is my first blog, which will probably get deleted at some time or another. I just needed somewhere to keep information which could be accessed from *almost* anywhere in the world. In sunny Schwäbisch Gmünd, its currently -6 degrees outside
