Sunday, July 26, 2009

Windows Server 2008 Terminal Services

In this post I will be going through some of the new features that are included in Windows Server 2008 terminal services. It frustrates me as many people do not know how powerful 2008 terminal services are now compared to server 2003. When most people (including administrators) think of "Terminal Services" they think of the functionality that of which was provided by Server 2003 which I can say was very limited! It also frustrates me that many companies implement Citrix as their terminal server solution blowing money away that is no longer needed to be spent. There are business cases for when you would need to use Citrix over 2008 Terminal Services however for many companies using Citrix, they do not require it - they were simply sold it as the sales guy did not know better.

Please note that these features listed below are those of which came with Windows Server 2008 RTM, not Windows Server 2008 R2. Microsoft actually changed the name in Server 2008 R2 from Terminal Services to RDS (Remote Desktop Services). But again we will not be going into the R2 stuff, only standard Terminal Services features that came with Server 2008.

Terminal Services RemoteApp

Previously in server 2003 you could only present a entire desktop to a terminal server user. Now with server 2008 you can present just applications to workstations. If the program uses a notification area icon, that icon appears in the client’s notification area. Pop-up windows are redirected to the local desktop and local drives and printers are redirected and made available within the remote program. Users may even be unaware that the remote program is any different than other local applications running side-by-side with the remote program on their desktop because similar functionality, such as cut and paste, are available. Also if a user opened a .doc file on their local machine in their my documents folder, and they have Microsoft Word presented to them by a Microsoft Remote App server, file extensions carry accross so the document file will actually open up in the terminal session - the user will not have a clue what goes on in the back end.

RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user's local computer. Users can run programs from a terminal server and have the same experience as if the programs were running on their local computer, including resizable windows, drag-and-drop support between multiple monitors, and notification icons in the notification area.

Here is an example of OneNote running as a RemoteApp mixed with real physical Apps on a vista PC. Click to make it bigger.

Users can run RemoteApp programs side by side with their local programs. They can minimize, maximize, and resize the program window as well as cut and paste, and easily start multiple programs at the same time. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs will share the same Terminal Services session.

There are many ways of deploying remote apps to workstations however there is only one way I would recommend and that is to package the application as an msi using the remote apps MMC console on the server, then using group policy to push it out to the workstations. These MSI's are very small, all they do is add the icons (or shortcuts if you will) and create the file associations on the users workstation.

Users can run RemoteApp programs in a number of ways:
• Double-click a Remote Desktop Protocol (.rdp) file that has been created and distributed by their administrator.
• Double-click a program icon on their desktop or Start menu that has been created and distributed by their administrator with a Windows Installer (.msi) package.
• Double-click a file whose extension is associated with a RemoteApp program. (This can be configured by their administrator with a Windows Installer package.)
• Access a link to the RemoteApp program on a Web site by using Terminal Services Web Access (TS Web Access).

Terminal Services Web Access

Terminal Services Web Access (TS Web Access) is a service within Terminal Services that lets you make TS RemoteApp programs, and a link to the terminal server desktop, available to users from a Web browser. Additionally, TS Web Access enables users to launch a connection from a Web browser to the remote desktop of any server or client computer where they have the appropriate access.

Here is an example of what the TS Web Access portal looks like:

TS Web Access acts as the access or launch mechanism in conjunction with TS Gateway, to enable you to easily deploy RemoteApp programs over the internet in conjunction with TS Web Access. A user can visit a Web site, view a list of RemoteApp programs, and then simply click on a program icon to start the program. The RemoteApp programs are seamless, meaning that they appear like a local program. Users can minimize, maximize, and resize the program window, and can easily start multiple programs at the same time. For an administrator, TS Web Access is easy to configure and to deploy.

TS Web Access is very user friendly compared to other vendors that provide the same services. This is because users do not have to download a separate ActiveX control to access TS Web Access. Instead, RDC 6.1 includes the required ActiveX control. (The RDC 6.1 client supports Remote Desktop Protocol 6.1.) RDC 6.1 is included in Vista SP1 and Windows XP SP3 and combines both the traditional RDC and the ActiveX control. Citrix users will still need to download and install the Active X control to connect in which generates majority of your help desk calls. Also having done a bit of desktop support in my past years, I remember when there were citrix updates for the citrix terminal servers, and users still had the old ActiveX controls on their workstations. These didn't automatically update, I had to walk around to everyone's workstation, uninstall the old ActiveX control so it would automatically download the new one.

The TS Web Access portal is just as customizable as Citrix. You can add custom company banners, change colours and feel of the page, deploy as part of a customized webpage using ActiveX and ASP (Terminal Services client is fully scripable) - for more information visit You can integrate it in as part of a sharepoint service site, or you could be lazy like me and just deploy it as the default out-of-box solution. I'm not one for customizing and pretty colours.

As an administrator, you can use IIS application settings to configure whether the Remote Desktop tab is available to users. Additionally, you can configure settings such as the TS Gateway server to use, the TS Gateway authentication method, and the default device and resource redirection options.

Terminal Services Gateway

Terminal Services Gateway (TS Gateway) is a role service that allows authorized remote users to connect to terminal services based resources on an internal corporate or private network, from Internet-connected devices. The network resources can be terminal servers, terminal servers running RemoteApp programs, or computers with Remote Desktop enabled.

TS Gateway uses Remote Desktop Protocol (RDP) encapsulated in RPC over HTTPS to establish a secure, encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.

If your organization makes Terminal Services–based applications and computers that run Remote Desktop available to users from outside your network perimeter, TS Gateway can simplify network administration and reduce your exposure to security risks. TS Gateway can also make it easier for users because they do not have to configure VPN connections and can access TS Gateway servers from sites that can otherwise block outbound RDP or VPN connections. Note if your users need more then RDP 3389 externally then I would still recommend VPN.

TS Gateway provides a secure yet flexible RDP connection allowing users access to anything to which their RDP host has access, rather than allowing remote users direct network connectivity to all internal network resources; helping protect the internal resources.

The TS Gateway Manager snap-in console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
• Who can connect to network resources (in other words, the user groups who can connect).
• What network resources (computer groups) users can connect to.
• Whether client computers must be members of Active Directory® security groups.
• Whether device and disk redirection is allowed.
• Whether clients need to use smart card authentication or password authentication, or whether they can use either method.

TS Gateway also has full built in support for NAP (Network Access Protection) to ensure all remote clients accessing your network are virus free, up to date in patch level and have an active firewall running. The NAP Client is built into the Microsoft Security Center which is on all windows releases from Windows XP SP3 and higher.

You can use TS Gateway server with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network and screened subnet), and host ISA Server in the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing.

The TS Gateway Manager snap-in console provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes. There is also full SCOM integration for this so you can monitor your terminal services health all from OpsMgr 2007.

TS Gateway provides several new features to simplify administration and enhance security.

Monitoring Capabilities: You can use TS Gateway Manager to view information about active connections from Terminal Services clients to internal corporate network resources through TS Gateway. This information includes the connection ID, the domain and user ID of the user logged on to the client, full name of the user logged on to the client, date and time when the connection was initiated, length of time the connection was active, length of time that the connection is idle- if applicable, name of the internal network computer to which the client is connected, IP address of the client.

Group Policy Settings for TS Gateway: You can use Group Policy and Active Directory Domain Services to centralize and simplify the administration of TS Gateway policy settings. You use the Local Group Policy Editor to configure local policy settings, which are contained within Group Policy Objects (GPOs). You use the Group Policy Management Console (GPMC) to link GPOs to sites, domains, or organizational units (OUs) in Active Directory Domain Services. Group Policy settings for Terminal Services client connections through TS Gateway can be applied in one of two ways. These policy settings can either be suggested (that is, they can be enabled, but not enforced) or they can be enabled and enforced. Suggesting a policy setting allows users on the client to enter alternate TS Gateway connection settings. Enforcing a policy setting prevents a user from changing the TS Gateway connection setting, even if they select the Use these TS Gateway server settings option on the client.

TS CAPs: Terminal Services connection authorization policies (TS CAPs) allow you to specify user groups, and optionally client computer groups, that can access a TS Gateway server. You can create a TS CAP by using TS Gateway Manager. TS CAPs simplify administration and enhance security by providing a greater level of control over access to computers on your internal network. TS CAPs also allow you to specify who can connect to a TS Gateway server. You can specify a user group that exists on the local TS Gateway server or in Active Directory Domain Services. You can also specify other conditions that users must meet to access a TS Gateway server. You can list specific conditions in each TS CAP. For example, you might require a user to use a smart card to connect through TS Gateway. Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP.

TS RAPs: Terminal Services remote authorization policies (TS RAPs) allow you to specify the internal corporate network resources that remote users can connect to through a TS Gateway server. When you create a TS RAP, you can create a computer group (a list of computers on the internal network to which you want the remote users to connect) and associate it with the TS RAP. Remote users connecting to an internal network through a TS Gateway server are granted access to computers on the network if they meet the conditions specified in at least one TS CAP and one TS RAP. Together, TS CAPs and TS RAPs provide two different levels of authorization to provide you with the ability to configure a more specific level of access control to computers on an internal network.

Terminal Services Session Broker

Terminal Services Session Broker (TS Session Broker) is a role service in Windows Server 2008 that allows a user to reconnect to an existing session in a load-balanced terminal server farm. TS Session Broker stores session state information that includes session IDs and their associated user names, and the name of the server where each session resides. I had someone from Citrix come out and give a presentation trying to tell us it worked the same as NLB (which was used in server 2003) - shows how out of date peoples knowledge in this area is.

The new TS Session Broker Load Balancing feature enables you to evenly distribute the session load between servers in a load-balanced terminal server farm. With TS Session Broker Load Balancing, new user sessions are redirected to the terminal server with the fewest sessions.

TS Session Broker is a two phased load-balancing mechanism. In the first phase, initial connections are distributed by a preliminary load-balancing mechanism, such as DNS round robin. After a user authenticates, the terminal server that accepted the initial connection queries the TS Session Broker server to determine where to redirect the user.

In the second phase, the terminal server where the initial connection was made redirects the user to the terminal server that was specified by TS Session Broker. The redirection behavior is as follows:
• A user with an existing session will connect to the server where their session exists.
• A user without an existing session will connect to the terminal server that has the fewest sessions

TS Session Broker Load Balancing sets a (total combined) limit of 16 for the maximum number of pending logon requests to a particular terminal server. This helps to prevent the scenario where a single server is overwhelmed by new logon requests; for example, if you add a new server to the farm, or if you enable user logons on a server where they were previously denied.

The TS Session Broker Load Balancing feature also enables you to assign a relative weight value to each server. By assigning a server weight value, you can help to distribute the load between more powerful and less powerful servers in the farm.

A User logon mode setting is provided that enables you to prevent new users from logging on to a terminal server that is scheduled to be taken down for maintenance. This mechanism provides for the ability to take a server offline without disrupting the user experience. If new logons are denied on a terminal server in the farm, TS Session Broker will allow users with existing sessions to reconnect, but will redirect new users to terminal servers that are configured to allow new logons.

You can still use load balancing techniques such as NLB or Round-Robin DNS to load balance 2008 terminal servers buy why would you when you have TS Session Broker.

Terminal Services Easy Print

Terminal Services Easy Print (TS Easy Print) is a feature in Windows Server 2008 that enables users to reliably print from a TS RemoteApp program or from a TS remote desktop session to the correct printer on their client computer. Microsoft Easy Print is better then the Citrix universal print driver as the universal print driver supports most printers however easy print supports all printers provided there is a driver on the client PC. Terminal Services Easy Print leverages the client-side print driver (no server side driver needed) to enable fast and reliable printing to a local or network-attached printer. End users can more productively work from remote locations. It also enables users to have a much more consistent printing experience between local and remote sessions.

The Redirect only the default client printer policy setting allows you to specify whether the default client printer is the only printer that is redirected in Terminal Services sessions. This helps to limit the number of printers that the spooler must enumerate, therefore improving terminal server scalability.

To use the TS Easy Print driver, clients must be running both of the following:
• Remote Desktop Connection (RDC) 6.1
• Microsoft .NET Framework 3.0 Service Pack 1 (SP1)

Also new in Windows Server 2008 Terminal Services is the Use Terminal Services Easy Print printer driver first Group Policy for Terminal Services printing located in the following node of the Local Group Policy Editor: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection.

Terminal Services Licensing

Yes - still the same old stuff here. Distributes licences to each of your terminal servers on your network. Can distribute licences to multiple farms. You normally want to put this on a server as an additional role as it does not use hardly any CPU usage or memory usage.

Terminal Services and Windows System Resource Manager

Windows System Resource Manager (WSRM), allows you to control how CPU and memory resources are dynamically allocated to applications, services, and processes. Managing resources in this way improves system performance and reduces the chance that applications, services, or processes will interfere with the rest of the system. It also creates a more consistent and predictable experience for users of applications and services running on the computer.

You can use WSRM to resource allocation of the following things:
• TS Sessions on a terminal server
• Users on a server (users are seperate because remember it is possible to have 1 user with multiple sessions open in effect eating up all the resources on the terminal server). You can manage users by security group!
• Administering resource usage of multiple Microsoft SQL Server® instances sharing a server.
• Administering resource usage of IIS 6.0 application pools on a server, such as when one server hosts multiple Web sites.
• Reports on memory usage and CPU time to support service level agreement (SLA) metrics.

What you can do with WSRM is ensure that no applications eat up all processing power on a terminal server, or that 1 user or TS session does not hog all available processing power to the server. Windows System Resource Manager is a feature that is built into all 2008 servers and should be used to ensure no server has a memory leak or constant processor loop but it is particulary handy on terminal servers. I'd always lock it down to either TS Session or TS Users and you can do this to all terminal servers in your farm by simply using a group policy.

With WSRM you can ensure that everyone has an equal share to a terminal servers resources!

Other New Features

Large Display Support - Custom display resolution provides support for large display and additional display resolution ratios (up to 4096x2048). Additionally, only 4:3 display resolution ratios were supported, now can create custom ratios like 16:9 or 16:10. Finally, full 32-bit color depth is now enabled and with the new compression engine 32-bit color will typically consume less bandwidth than 24-bit color. You can set a custom display resolution in an .rdp file or from a command prompt.

Multiple Monitor Support - Monitor spanning allows you to display your remote desktop session across multiple monitors (only support for horizontal spanning); you can enable it in an .rdp file or from a command prompt by including the /span switch.

Vista Experiance - You can enable Vista Experiance on your 2008 server to give your users the full Areo desktop experiance - ooooo fancy!

RDP Protocol and Advanced Compression - Terminal Services delivers applications and data via the Remote Desktop Protocol (RDP), an optimized transport mechanism low bandwidth. Traditional client server applications that slow end-user productivity over a slow network connection, receive a performance boost when delivered via Terminal Services to remote users. This compression is not as great as ICA but it is getting there.

PnP Device Redirection Framework - The PnP Device Redirection Framework enables driver vendors to create device drivers to ensure their hardware can be utilized remotely over RDP. Microsoft includes “out-of-the-box” support for MTP Devices (Cameras and MP3 players that have a Windows mode) and Windows Embedded Point of Service Devices (WePOS).

Advanced Clipboard Redirection - The clipboard had been improved with Windows Server 2008 Terminal Services to enable stream support. This improves the performance of redirected drives, enable support for more types of data to be exchange via cut and paste e.g graphics, files, office data etc. I think this is fantastic I use it all the time - copying and pasting images in and out of RDP sessions.

Wildcard SSL Certificate Support - SSL certificates are used in TS Gateway, TS Web Access, RDP Signing and TLS Authentication. Obtaining multiple SSL certificates for all of these purposes can, for some customers, be both costly and a management challenge. TS supports Wildcard SSL certificates for all these purposes, Wildcard certificates provides a single certificate than can be used on multiple machines.

RDP Signing - RDP signing allows signing of RDP files and connections launched from TS Web Access. This helps the user be sure that they are not using malicious RDP files to potentially connect to hostile terminal servers. It is also possible, using group policy, to specify that a user can only launched signed files. This allows administrators to ensure that users only connect to know resources.

Clint's Wrap Up

These features listed above are those of what were released in the initial 2008 RTM release. With R2 and RDS (Remote Desktop Services) the Microsoft terminal technology has taken another huge leap forward - when I get time I will write another blog post of what new features have been introduced into R2 terminal services.

One thing I will admit though is Citrix is still a better solution - one of the key factors behind their success is the ICA protocol. It's bandiwidth utilization is amazing. However one thing I would like to achieve is majority of the selling points Citrix are still using (even the citrix engineers) are features that are natively supported in Windows Server - so why would you go pay for them?

Companys that have huge branch offices with an extremely slow link such as a remote mine site would definately benefit from Citrix because they can take advantage of ICA enhancers such as their WAN Scaler.

However I think for majority of businesses they would be wasting money for software that is not needed.

I would love feedback - feel free to contact me on

Exchange User Monitor

Microsoft has a great tool for monitoring which users are causing the most load on your exchange server. This is fantastic for finding out why an exchange mailbox server is running slow.

Download the tool from here:

This is what the tool looks like:

Sort the users by CPU usage to find out the ones having the biggest impact on the server.

Troubleshoot Rapid Mailbox Growth Issues

Sometimes bad outlook profiles and stupid mail rules can cause rapid mailbox growth and transaction log growth for particular individuals. Trouble Shooting this can be a real pain, however this article I found by Mike Lagase is fantastic and goes into a great deal of detail. I highly recommend reading it.

Exchange 2007 Update Rollout 9

With the release of Update Rollout 9 for Exchange 2007 SP1 comes a new version of eseutil. This new version has a new arithmetic for verifying transaction logs which is now much faster. Microsoft has written a knowledge base article about this which can be found here:

Another change in Update Rollout 9 is support for Server 2008 R2 domain controllers. Note this support does not allow Exchange 2007 to be installed on a 2008 domain controller, only authenticate against them.

This will be the last update rollout of Service Pack 1. The next release is Exchange 2007 SP2 which is going to contain all the fixes in the past 9 update rollouts as well as additional features within the exchange console & shell and support to intergrate directly with Exchange 2010.

Microsoft Device Emulator - Testing Active Sync (Outlook Mobile Access)

If you want to test and verify that Active Sync is functioning correctly for end users and you dont have a windows mobile device Microsoft provides a product called Microsoft Device Emulator. Microsoft's indended purpose behind this was to provide software developers an environment in which they can create applications to run on windows mobile and test the applications without actually having to have a windows mobile device on them. This is why Microsoft Device Emulator also comes with Visual Studio. However it is also very handy for us system engineers its great for testing connectivity to a server.

As of this writing the latest version of Microsoft Device Emulator is version 3. You can get both the x86 and x64 versions from here:

Once you have installed the Device Emulator you then need to download the ROM for the appropriate version of windows mobile device.

To download the ROM for windows mobile device version 5 go to following website scroll down and download the efp.msi file.

To download the ROM for windows mobile device version 6.1.4 go to here:

Below I will be showing you what it looks like inside the emulator. I will be using windows mobile version 5 just because its only 57 MB as apposed to version 6.1.4 which 320.8 MB just because I don't want to wait for the download to complete.

You will notice that initially your internet wont work and you will get the following error. Yes I know, google is in the background - this is because I went and broke it again to show you what happens and it happened to have it cached.

To fix this, go to Start then Settings.

Then click the connections tab, then network cards.

Change it to "The Internet" instead of Work. Then click OK. The virtual machine will simply get an IP address from your DHCP server.

Your internet should work now. If you are still unable to get onto the internet you may need to download the Virtual Machine Network Driver. This is the same driver that comes with Virtual PC - which I also have installed on this computer. I know you needed this for Microsoft Device Emulator v1.0 however v3.0 may already come with it. If you are having issues download it from here:

It is very important you have internet connectivity before you go ahead and use it to test your active sync setup on the exchange server. Also, make sure you perform the testing outside of your corporate network as windows mobile devices are made to be carried around everywhere (they do not VPN in). So do this from another internet connection, from home, from another client location or using something like a 3G card for conveniance.

Additionally you might want to copy files such as certificates and the certificate import tool if you are dealing with a company that does not want to go purchase a trusted certificate from a certificate provider. There are two ways to copy files to windows mobile devices that are running in an emulator. The first way is install the active sync client to the workstation itself. The second and my prefered method is use microsoft device emulator to point a share to an expantion card in the device itself. Simply click file then click Configure. Create a share on your PC then point it at that share.

You can see that whatever files are in that share now appear on the windows mobile device. If you want you can run files and programs directly of your host machine. Alternatively you can still copy files to the virtual mobile device itself if you wish.

Lastly I would like to let you know about a little handy app that has become very popular called P12imprt that lets you import certificates that are in the p12 or pfx format. You can download it from here:

Copy the exe to \Windows\Start Menu\Programs that way it will appear with all your applications on the main apps screen like so in the below screenshot:

Note that this tool is only needed for p12 and pfx certificates. Windows mobile device can import a .cer certificate format by just clicking on the .cer file in the windows mobile device interface.

Thursday, July 23, 2009

Zombie User Accounts and Exchange Public Folders

Today I tried to remove some permissions from a public folder database. I had all these "NT User" objects under some of the public folders for users that no longer existed. This environment is running Exchange 2007.

When I went to remove "NT User:S-1-5-21-676542811-1909674497-837300805-8592" using:

Remove-PublicFolderClientPermission -Identity "\Professional Services" -User "NT User:S-1-5-21-676542811-1909674497-837300805-8592" -AccessRights Owner

I recieved the following error:

Remove-PublicFolderClientPermission : The specified public folder user "NT User:S-1-5-21-676542811-1909674497-837300805-8592" does not exist. A valid public folder user should be a mail-enabled user, mailbox or distribution group.
At line:1 char:36
+ Remove-PublicFolderClientPermission <<<< -Identity "\Professional Services" -User "NT User:S-1-5-21-676542811-1909674497-837300805-8592" -AccessRights Owner

What this error is saying is only a valid public folder user should be a mail-enabled user, mailbox or distribution group. These objects are actually Zombie User objects.

What are Zombie Users?

Pretty much anyone who has upgraded a 5.5 server to E2K has probably encountered the zombie user phenomenon. The reason behind these errors has to do with what we did to Exchange security in Exchange 2000 versus how it existed in Exchange 5.5 and earlier. The early versions of Exchange were developed before the NT security model became widely adopted, so it rolled its own for security. Both the NT model and the Ex5.5 model made use of something called an ACL, or Access Control List, but the formats of them are very different. Having a different security model in Exchange versus the OS and other products was a nuisance and limited a lot of things we could do along the lines of storage convergence, but the main reason for making the change was that we were also integrating with the new (at the time) Active Directory which used NT security descriptors. This presented us with a major headache: how do we convert the 5.5 ACL's to NTSD's?

The above paragraph was taken from:

How can I remove these Zombie User Accounts

This cannot be done using Exchange Management Console or Exchange Management Shell (as of this writing the latest exchange release is 2007 SP1).

There are two known ways to kill zombies, this can be done using Outlook or using PFDavAdmin.

The following comments were made by Evan Dodds, Program Manager for Exchange at Microsoft:

I asked around a bit - as I don't have a lot of awareness of the details of the PublicFolder Permissions feature - and here's what I found out:

Yes. What you are observing is by design. When a user is removed, the ACL on public folders has a hanging SID. Since this is not transmitted over the wire (due to conversion to LegacyDN, which cannot be found for deleted users), the only ramification is that of wasted space.

There are currently no cmdlets to clean up such SIDs.

Comments from Me

This is the second problem I have witnessed in the past few months that has appeared to be a bug - however turning out to be "By Design". The last one was with adding replica's to certain system public folders in which Indarraaj, a microsoft exchange architect told me the error was by design. You can find this blogpost here:

Friday, July 17, 2009

Configure RPC over HTTPS for Outlook 2007 from Exchange 2003

The Office 2007 ADM files do not contain configuration for Outlook Anywhere or RPC over HTTPS. This is because autodiscover ususally configures this. However if you are running Exchange 2003, this does not support autodiscover. To configure the Outlook 2007 files you need a custom ADM file:

Yes Article 961112 from Microsoft KB article 961112:

When you import the ADM file it looks like this:

Thursday, July 16, 2009

Migrate Data to New Domain without ADMT

I had a client that wanted to move all their information to a new domain but they did not care about SIDs and did not want to use ADMT. Here is how I did it - please note you normally want to do an ADMT Migration for this.

Export Organisational Units:
ldifde -f c:\domainOUs.ldf -s Server1 -d "dc=domain,dc=local" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou"

Export Users (these were the attributes I was interested in):
ldifde -f c:\domainusers.ldf -s Server1 -d "dc=domain,dc=local" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName,c,co,company,countryCode,description,displayName,facsimileTelephoneNumber,homePhone,initials,l,mail,name,physicalDeliveryOfficeName,postalCode,sn,st,streetAddress,telephoneNumber,title"

I then opened these ldf files up in notepad and changed the domain with the find and replace tool.

Next I imported these ldf files in the new domain on one of the new domain controllers.

ldifde -i -f c:\domainOUs.ldf -s newserver -k -j c:\

ldifde -i -f c:\domainusers.ldf -s newserver -k -j c:\

LDIFDE imports the users without a password and the account being disabled. Next step was to enable all the accounts and provide them with a password. I wrote a script to do this against all users apart from a few we dont want passwords applied to:

Option Explicit

Dim oDomain, oObject

Set oDomain = GetObject("WinNT://newdomain.local")

For Each oObject in oDomain

'Only run if the AD object is a user and if it is not any of the following user accounts.
If oObject.Class = "User" and oObject.Name <> "Administrator" and oObject.Name <> "Guest" and oObject.Name <> "krbtgt" Then

'Set the password to P@ssw0rd
oObject.SetPassword "P@ssw0rd"

'Check if account is disabled, if so enable it.
If oObject.AccountDisabled = TRUE Then
oObject.AccountDisabled = FALSE
End If

'Once done write the change for each user object in Active Directory

End If


I then simply used GPMC to export and import the group policy objects to the right locations. The reason this client did not want to use ADMT was they were not keeping their existing file server/data. This process generates new SID's for each user account and hence any access control lists you may have setup wheather its on NTFS, Certificates or other means will not carry over due to the user SID change. I hope you can find bits of information from this post helpful.

Wednesday, July 15, 2009

Configuring Vista, Server 2008 or Windows 7 to Perform Complete Memory Dump

You have probably noticed that windows vista, server 2008 or windows 7 does not have the option to configure a full memory dump in the Startup and Recovery interface.

So how do you get it to perform the full memory dump?

Well you now need to do this by a registry key. Navigate in the registry to:

Change the value on CrashDumpEnabled to "1".

CrashDumpEnabled "2" = Kernal Memory Dump
CrashDumpEnabled "3" = Small Memory Dump

When you go back into Startup and Recovery it will now read as "Complete Memory Dump"

Cause a Manual Memory Dump - KB244139

On Windows XP, 2003, Vista and 2008 you can cause a PC to manually blue screen in order to dump memory for analyse when diagnosing problems. For this to work you need to add a registry key depending on what type of keyboard you have plugged into the server. This will not work via RDP or other remote access methods, only for physical keyboards plugged into the server.

For a PS/2 Keyboard perform this:

1. Start Registry Editor.
2. Locate the following registry subkey:
3. On the Edit menu, click Add Value, and then add the following registry entry:
Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1
4. Exit Registry Editor, and then restart the computer.

For a USB Keyboard perform this:

1. Start Registry Editor.
2. Locate the following registry subkey:
3. Make sure that the following registry entry is enabled:
Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1
4. Exit Registry Editor.

Once you have added in this value reboot the server. To manually cause the server to bluescreen and dump memory hold in the Right CTRL key and press Scroll Lock twice.

There is a full MS KB article on this, find it here:

If you wish to a memory dump through an RDP session and you do not have access to the physical keyboard on that server, what you can do is use a tool by sysinternals called notmyfault which causes a server to bluescreen and dump memory. Download it from here, it contains a x86 and x64 version.

Tuesday, July 14, 2009

Scripting - List all user accounts in AD domain

This script lists all objects in the domain that are user objects.

Option Explicit

Dim oDomain, oObject

Set oDomain = GetObject("WinNT://domain.local")

For Each oObject in oDomain
If oObject.Class = "User" Then
WScript.Echo oObject.Name
End If

Allow Network Applications to Relay Email using Recieve Connectors

In this article I'm going to show you how to setup your exchange 2007 server to relay email for network applications. I will show you the steps you need to do this, but I really want you to understand the process behind Exchange 2007 recieve connectors. I found this great article by Anderson Patricio from community that is in four parts that is well worth reading, here are the parts:

Part 1
Part 2
Part 3
Part 4

Now for the steps to allow a network application to relay while keeping your exchange server locked down.

Create a new recieve connector

Open exchange management console, under server configuration, hub transport click create a new recieve connector. Choose custom and provide the recieve connector with a name unique to identify it.

Configure the Local Network Settings

These settings specify what network adapters or IP's the recieve connector is to listen on as well as its FQDN to be used by the recieve connector.

Remote Network Settings

The remote network settings are the IP address, or addrsses that the network application is sending the mail from. This can be an IP range if you wish.

Create the New Connector

Hit new to create the new connector.

Set the Authentication

Next, continue to the authentication mechanisms page and add the "Externally secured" mechanism. What this means is that you have complete trust that the previously designated IP addresses will be trusted by your organization.

Set the Permissions

Set it up so only Exchange Servers have ACL permissions to read this recieve connector. These permissions are stored on the object container in the AD schema and are viewable by using ADSI Edit or powershell. Refer to the msexchange articles above for more information.

Microsoft Virtual CD Control Panel

Microsoft Virtual PC Control Panel is a extremely small tool for mounting CD Images to a virtual CD/DVD Rom drive. It consists of just 2 files, a 23kb exe and a 9kb driver.

This can be installed on windows XP or Server 2003. Much cleaner, extremely fast compared to more bloated applications on the market.

Download it from here:

Thursday, July 9, 2009

Make Your Mobile Ring for Longer

I know this works for both Telstra and 3G. My phone is with Telstra and I was getting very frustrated because whenever I got a call it would ring like 4 times then go to message bank. Most of the time this would happen before I even had a chance to get to the phone.

To make the phone ring for twice as long simply type in:


Then hit the call button. Some weird stuff will come up on the screen, just OK it. Then try calling the phone, it will ring much longer!

Windows 7 Feature Comparison Chart

This is a very good table that shows you the differences between Windows XP, Windows Vista and Windows 7.

Wednesday, July 8, 2009

Exchange 2010 SMS Capabilities

Exchange 2010 allows you to send and recieve SMS messages using your Outlook 2010 or Outlook Web Access client.

Exchange 2010 Calendar Sharing

Exchange 2010 allows calendars to be shared to people outside of the individuals organisation, which is critical to working with partners. Access is controlled by policies managed by administrators or by individual users through Outlook 2010 or Outlook Web Access.

Exchange 2010 and NK2 Files

Exchange 2010 now provides a server side cache for auto-completion of e-mail addresses. In previous versions such as exchange 2003 and exchange 2007 auto-complete data was stored locally in the outlook profile on the local PC in an NK2 file. If the users outlook profile was ever recreated, all their auto complete data was lost.

Because this auto complete data is stored on the server, it is available to the user regardless which PC they are using. Exchange 2010 also makes this auto complete data available to mobile devices running Windows Mobile Device version 6.5 or higher.

To import your NK2 files into Outlook 2010 please see:

Exchange 2010: Outlook Web Access with Third Party Browsers

In previous version of exchange like exchange 2003 and exchange 2007, when you logged into outlook web access using clients like firefox and safari you experianced loss of functionality. Now with Exchange 2010 you get full functionality regarding which web browser your using.

Tuesday, July 7, 2009

How Free/Busy With Public Folders Works

In this post I'm going to give some insite into how free/busy with public folders works, as not many people understand this process.

The standard generation of free/busy data is not done by the exchange server! This is actually done by the outlook client itself. Outlook 2003 does it every 45 minutes, outlook 2007 does it every 15 I think, I'm not 100% sure on Outlook 2007. If your running Outlook 2007, this will use the availability service unless the users mailbox is exchange 2003 or an administrator has manually configured public folders over the availability service in powershell.

Here is the process outlook goes through for updating this data:

1. End user updates their Calendar with a new appointment
2. Outlook determines that the Calendar has been dirtied and goes to update Free Busy; or we hit the user defined publishing interval.
3. Outlook uses the users LegacyExchangeDN to determine what Public folder it will publish the information in.
4. Outlook makes a connection to the public folder server and locates the nearest replica of the appropriate folder.
5. Outlook overwrites any existing Free Busy data with a new Free Busy message containing the current information

You can manually force outlook to update this data by running outlook /cleanfreebusy

What if the user updates their calendar via Outlook Web Access or Active Sync aka Outlook Mobile Access?

If a user updates their calendar via one of these methods, what happens is the public folder free/busy data on the server is updated by an Exchange 2003/2007 mailbox server instead. This is done by MSExchangeFBPublish which runs as part of the System Attendent Service that can be found on any Exchange 2003 server or Exchange 2007 mailbox server with legacy support. For Exchange 2003 the file that actually does the work is the madfb.dll file which is loaded through mad.exe.

If your running public folders for distribution of Free/Busy it is good to set all your mailbox databases to point to a single public folder database for all servers. This means that there is no delay on public folder replication meaning users will see updated Free/Busy at a more rapid rate. If you want Free/Busy to be distributed at a faster rate you need to use the Exchange 2007 availability service as this stores the free/busy information in the users mailbox itself instead of public folders. For more information on why Free/Busy is so slow updating on Exchange 2003 please see:

Why does it take so long for my calendar to update?

If your running outlook 2003, or have your mailbox on a exchange 2003 mailbox server this is why. With Exchange 2003 and Outlook 2003 there were big delays in free-busy information getting updated:

- By default, Outlook only updated free and busy information every 45 minutes. Furthermore, because of bandwidth and scalability issues, you could not decrease this interval.

- There were latencies that resulted from public folder replication - 15 minutes by default.

- In cross-forest scenarios, there were delays when you used the Microsoft Exchange Inter-Organization Replication tool to replicate free and busy information across forests.

If you move all your users accross to an Exchange 2007/2010 mailbox server, the availability service is used instead of public folders. With the availability service there is a very small delay (60 seconds) for information to be retrieved from outlook clients. This also requires Outlook 2007/2010 to ensure that you use the availability service instead of public folders.

CrossForest Exchange Free/Busy Status

If you setup a exchange deployment in two seperate forests, because a forest is the logical boundary for an exchange server making this work is a bit of a doosy. First of all you will want to use MIIS (Microsoft Identity Integration Server) or IIFP (Identity Integration Feature Pack). With this you setup an SQL database which stores attributes and values from both LDAP Schema's in SQL. It then creates contacts for every user account in the other forest, so that users can see everyone in the GAL. You then setup your SMTP or send connectors etc go get the mail flow feature happening.

However what about Free/Busy Status?

With Exchange 2003 public folder system you want to use the IORepl tool known as the Inter-Organization Replication Tool.

With Exchange 2007 the availability service supports cross forest free/busy out of the box. You just need to add the availability service address spaces for the other forest on both sides using Add-AvailabilityAddressSpace. Make sure you specify a service account and provide credentials. This service account must have rights to read availability data.

Enable Logging to Trouble Shoot Availability Service in Outlook 2007

If your having trouble with the availability service, you are able to enable some diagnostic logging in Outlook 2007 to help you trouble shoot it. This logging applies to other stuff as well, but you will see all errors regarding free/busy!

1. In outlook go to Tools->Options->Other->Advanced Options and check enable logging
2. Click ok and get out of the dialogs.
3. Now, try getting free/busy.
4. Open %temp% folder.
5. Look in the olkdisc.log and olkas\

Monday, July 6, 2009

VBS Script - Recursively Delete all Files in a Folder

This script deletes all files under a particular folder, in this example c:\test.

set objFSO = createobject("Scripting.FileSystemObject")
set objFolder = objFSO.GetFolder("C:\test")

for each folder in objFolder.SubFolders
objFSO.DeleteFolder folder.path, True

for each file in objFolder.Files
objFSO.DeleteFile file.path, True

Saturday, July 4, 2009

Exchange 2010: New High Availability Functionality

Exchange 2010 combines the key availability and resilience features of cluster continuous replication (CCR) and standby continuous replication (SCR) into a single high availability solution that handles both on-site data replication and off-site data replication. Mailbox servers can be defined as part of a Database Availability Group to provide automatic recovery at the individual mailbox database level instead of at the server level. Each mailbox database can have up to 16 copies.

The following features in Exchange 2007 and Exchange 2007 Service Pack 1 (SP1) no longer exist in Exchange 2010:

Local continuous replication (LCR)

Single copy clusters (SCC)

For more information about this see:

Wednesday, July 1, 2009

Exchange 2003 SMTP Connectors in Exchange 2007

In this post I will give some insite into Exchange 2003 SMTP Connectors in Exchange 2007. Exchange 2007 treats a SMTP connector as a send connector - however exchange 2007 cannot modify a SMTP Connector.

In this environment we have a single hub transport server and a single exchange 2003 server acting as a relay. Our exchange 2003 SMTP connector is called "Ausmail01" as shown exchange 2003 system manager. Remember SMTP connectors are located under:

Administrative Grups --> Administrative Group Name --> Routing Groups --> Routing Group Name --> Connectors. Remember to see routing groups you need to ensure you have display routing groups enabled on the the exchange organisation level.

Here you can see the SMTP connector appears in Exchange 2007 as well. We also have a Send connector called "Send to Ironport" which is unique to exchange 2007.

Although the the exchange 2003 SMTP connectors appear in exchange 2007, exchange 2007 cannot be used to modify them. Saying that some attributes can be changed using Exchange 2007 such as Maximum message size limit - but to stop yourself hitting walls its best to use System Manager when dealing with these legacy SMTP connectors. Also if you try and use power shell to work with these legacy SMTP connectors you will recieve errors too. Here I showed you what I got when I tried to change the logging level on the Ausmail01 SMTP Connector.

One thing that I think Microsoft can improve is the fact there is no attribute on these connectors stating if they are a legecy SMTP connector or not. Lets look at the attributes in Powershell - you will see that they are exactly the same. An attribute defining if its legacy with a true or false would make it much more easy.

Ausmail01 SMTP Connector:

Send to Ironport Send Connector:

To determine how your mail is flowing out of your exchange organisation, look at the servers that are associated with the SMTP or Send Connector stored in the SourceTransportServers attribute. { } means its a multivalue attribute. Remember you do not need a send connector to relay mail around your exchange organisation, only when mail is needing to leave the organisation. Exchange 2007 uses hub transport servers to relay mail around between other hub transport servers. Exchange 2003 uses routing group connectors. When you have them mixed you will have 2 routing group connectors for bidirectional flow linking the exchange 2007 routing group to the exchange 2003 routing group or routing group(s) for that matter.

When doing a migration from exchange 2003 to 2007 you will notice that you have a connector already, the exchange 2003 SMTP connector (if one exists - remember exchange 2003 you do not need SMTP connectors). This means all your mail from exchange 2007 will go accross the routing group connector and out through exchange 2003. If you add a Send Connector for one or more hub transport servers, the mail will no longer need to go accross the routing group connector and out through exchange 2003, as the hub transport server will be able to take care of mail leaving the exchange organisation itself.

I hope you found this post informative.