Friday, July 20, 2007

Exchange 2007 Anti-Spam

As part of this Exchange roll out, I've experimented with the built-in anti-spam features of Exchange 2007. I expected it to be horrible and it wasn't as bad as I feared.

The good:
  • Simple, easy to understand interfaces
  • Easy setup

The bad:

  • No manual sender whitelist
  • Not much control over whether the mail gets dropped or redirected
  • You have to have an Edge server to get the best benefits.

That's right - to get the best benefits of the built-in anti-spam, you have to sacrifice a whole server license of Exchange 2007 to get half the functionality of ORF or any of a half dozen open source RBL filters. I am shocked that it sucks that badly. I really don't get it...

Tuesday, July 17, 2007

I found the Exchange 2007 error

I finally opened a business critical support issue with Microsoft and found the problem. The KB that I got pointed to was both right and wrong. http://support.microsoft.com/kb/936907

The description of the issue was 100% accurate.

If you copy and paste the LDAP query string exactly as shown, your install will fail because there is a typo in the KB.

That was a first for me. The string shown for the All Users query has an extra space in the last portion of the string. The correct string is:

(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)((homeMDB=*)(msExchHomeServerName=*))) ))

Thursday, July 12, 2007

Exchange 2007 Setup

The Exchange 2007 setup is an annoying process. I've done a couple now and they all seem to generate the strangest errors. I'm getting a couple of fun ones:

When running setup.com /PrepareAD:

Welcome to Microsoft Exchange Server 2007 Unattended Setup
Preparing Exchange Setup
No server roles will be installed
Performing Microsoft Exchange Server Prerequisite Check
Organization Checks ......................... COMPLETED
Configuring Microsoft Exchange Server
Organization Preparation ......................... FAILED Active Directory operation failed on sabeydata.Sabeyco.com. The object 'CN=All Contacts,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com' already exists.


I got pointed to one possible lead http://support.microsoft.com/kb/936907 that looked promising but didn't pan out.

The system log has an error similar to this from http://support.microsoft.com/kb/555854/en-us

The following error may appear in the event log:
Event Type: Error
Event Source: MSExchange ADAccess
Event Category: Devices
Event ID: 2152

Description: The following information is part of the event: ExSetupUI.exe; 4912; 1753; Error 6d9 from HrGetServersForRole

This error may occur due to a network adapter binding error and/or File and Print Sharing being disabled on the network adapter.

That still didn't get me anywhere...

Wednesday, July 11, 2007

ISA 2006 SSL publishing

I'm not a big fan of Internet Security and Acceleration (ISA) server but many of my clients can get it for free. The documentation is pretty bad, though. Here's the latest irritation I found.

Publishing an SSL protected site through ISA is more complicated than the MS TechNet articles show. The how-to’s and TechNet articles are slanted towards an enterprise-wide certificate authority instead of third party SSL certificates. At the size of the Centro target market, I don’t expect many organizations would have their own PKI infrastructures. The changes to the setup that should be noted are:

  • After installing the third-party web certificate on the web server, open the IIS management console
      o Right click the SSL protected website and select Properties
  • On the Directory Security tab, press the Server Certificate button to start the certificate wizard
      o Select “Export the certificate to a PFX file” and select a password and file location
  • At the ISA server, select Start >> Run and enter MMC to start a new MMC console
  • Select File >> Add and Remove snap ins
  • Add the Certificates snap in
  • Select Computer account in the next screen.
  • Once the MMC console is open, right click the Personal node and select Import
  • Browse to the location of the PFX file and open it
      o Enter the password and click through the remaining dialog boxes to import the certificate.

If you just open the PFX file, the certificate will get automatically placed in Current User >> Personal and the only location that ISA will accept the certificate and private key is Computer >> Personal – a point that is not mentioned in the ISA documentation. The import wizard available from opening the PFX file will not give you that option.
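The store distinction described above, scripted as an added example (not part of the original post or of the ISA documentation): it uses the .NET X509 classes from PowerShell to place the certificate and its private key in Computer >> Personal (LocalMachine\My), then reports which store actually holds it. The PFX path is a hypothetical placeholder, and the script assumes an elevated prompt on the ISA server.

```powershell
# Added example: import a PFX into Computer >> Personal (LocalMachine\My)
# and confirm the private key landed there. Run from an elevated prompt.
# $PfxPath is a hypothetical placeholder, not a path from the post.
$PfxPath  = 'C:\Temp\site-cert.pfx'
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

$ns = 'System.Security.Cryptography.X509Certificates'

# MachineKeySet writes the private key to the machine key store instead of
# the logged-on user's profile; PersistKeySet keeps the key on disk after
# this session ends. Without both, the service account cannot use the key.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'

$cert = New-Object "$ns.X509Certificate2" -ArgumentList $PfxPath, $Password, $flags

# Open the Local Computer "Personal" store (store name "My") and add the cert.
$location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$store = New-Object "$ns.X509Store" -ArgumentList 'My', $location
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $store.Add($cert)
}
finally {
    $store.Close()
}

# Report where the certificate now lives. A copy that shows up only under
# CurrentUser\My is the double-click import result described above.
foreach ($loc in 'CurrentUser', 'LocalMachine') {
    $hit = Get-ChildItem "Cert:\$loc\My" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($hit) {
        '{0}\My: present, HasPrivateKey={1}' -f $loc, $hit.HasPrivateKey
    }
    else {
        '{0}\My: not present' -f $loc
    }
}
```

Delete the exported PFX file once the import is verified, since it contains the site's private key protected only by the export password.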

I guess this is a more secure way to access an SSL protected website but it seems very complicated.

Tuesday, July 10, 2007

Why the $#%# is Vista so slow?

I have a brand new IBM T60p with 2 gigs of RAM and Vista absolutely sucks! I don't get it. I've been through the system and disabled as much of the junk as I can, I've removed all sorts of applications, and followed Daniel Petri's http://www.perti.co.il/ recommendations and it still drags. Between turn on and fully ready to go (Outlook open) is almost 10 minutes.

I have a ton of devices that don't work correctly, too.

I don't remember these kinds of problems with the Windows 2000 roll out. I'm starting to agree with Joel's philosophy about MS http://www.joelonsoftware.com/articles/APIWar.html

Monday, July 09, 2007

Getting used to Exchange 2007

I've had to roll out an Exchange 2007 upgrade at one of my clients and it did not go well. I can't believe how much Microsoft changed the interface around. I can't find anything! Exchange 2007 is no longer tightly integrated with Active Directory Users and Computers so you don't get "exchange tasks" options or any way to assign a mailbox to a new user inside AD. The paradigm has shifted to "adjust Active Directory inside Exchange Manager".

The documentation is less than ideal as well. I strongly recommend waiting until SP1 to do serious deployments.

Monday, February 05, 2007

First thoughts on SharePoint 2007

After wrapping up that class, I'm still not sure what I really think about the new version. The new version is significantly better than before but I'm not sure if my clients will actually care about it. The portal version - Microsoft Office Server - has so many bells and whistles that might be useful but that version is pretty expensive.

Here are some of the good things:
  • The workflow systems that trigger actions based on new events could really be the "killer app" for small businesses.
  • The search options in the portal version are significantly better than before. You can index and search against existing NTFS shares
  • Groove's "offline SharePoint" effect would be great but you have to buy Enterprise Office to get Groove
  • The Content Management System of the portal makes editing the site collection quite a bit smoother

I think a deep exploration of the differences is needed.

Friday, February 02, 2007

SharePoint 2007

Right now, I'm taking one of the MS/IT Mentor SharePoint 2007 boot camp training courses and I'm really impressed. I think the new V3 version of SharePoint is significantly better than the previous versions and could be heavily used by even small clients.

I'm going to have to work on more deployment ideas, though.

Thursday, February 01, 2007

Remote Support for the Mac - Finally

CoPilot (www.copilot.com) from Fog Creek Software seemed to be paying attention to a suggestion that I (and probably several others) made. CoPilot works on Macs!

Wednesday, November 29, 2006

Remote Tech Support for Macs

There are dozens of on-demand remote desktop sharing programs for troubleshooting PCs. I’ve used CoPilot (www.copilot.com) by FogBugz and GoToAssist by Citrix and they are just fine. But there is nothing available like that for the Mac. There are tools for use on the LAN but none of them are available for the ad-hoc, download-and-run-without-changing-the-firewall programs. I don’t get it – am I missing one somewhere that I don’t know about?

Friday, October 20, 2006

Relocate Remote Web Workplace to a different server

If you have a client with Small Business Server 2003, they may have gotten used to using the Remote Web Workplace to access workstations and other network resources. When the client grows and you need to migrate them off one server, Microsoft has a transition pack that breaks most restrictions on SBS. However, when you retire the original SBS server, there is no built-in function to move RWW to a new server.

Note: In order for RWW's built-in OWA link to work, the RWW system needs to be installed on an Exchange server.

The process to move it is:

Install TSWEB on the new Windows 2003 Server
  • Open Add/Remove Programs from the Control Panel and open the Add/Remove Windows Components
  • Double click the Application Server from the list or highlight the entry and press the Details... button
  • Enable ASP.NET (which will install other components)
  • Double click the Internet Information Services (IIS) entry or highlight the entry and press the Details... button
  • Double click the World Wide Web Service entry or highlight the entry and press the Details... button
  • Enable the Remote Desktop Web Connection
  • Press OK through the remaining dialog boxes and provide the i386 files as needed

This will install components that are needed and place them in http://servername/tsweb

Copy selected files from SBS Server to new Windows 2003 Server
  • Copy the entire contents of C:\Inetpub\remote from the old server to the new server
  • Copy the entire contents of %programfiles%\Microsoft Windows Small Business Server from the old server to the new server. This is probably overkill but it gets all important files.

Copy selected registry keys from the SBS Server to the new Windows 2003 Server
  • At the SBS server, open Regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer
  • Select the entire key and export it to a .reg file via the File >> Export command
  • Copy the file to the new server
  • At the new server, double click the .reg file to merge the contents with the current server's registry

IIS Modifications
  • Install an SSL certificate on the IIS server. I always encourage clients to purchase commercial SSL certificates but if you install the certificate services on the new server, you can issue a self-signed certificate.
  • Add a virtual directory called Remote that points to the C:\Inetpub\Remote folder
  • Right Click the Remote directory under the default website.
  • Create an application pool for the folder.
  • Set the .NET level for the application pool to 1.1
  • Make default.aspx the top priority document

Note: This is not a Microsoft supported procedure. I developed this entirely through experimentation. I wouldn't expect to get any official MS support for these modifications.

DFS is your friend

Distributed File System is a trick that Microsoft borrowed from Unix and incorporated into Windows 2000. If you read the Microsoft standard blurbs they make it sound like something for the big guys with split offices and big, complicated WAN systems so most small businesses ignore it. Don’t! DFS can make your life easier in the long run.

DFS is painful to set up at the beginning but it can save you a ton of time later. Networks are never static, even in a small office that only has one or two servers. Servers are added, removed, burst into flames, run out of space, and generally come and go from your network over time. So, if you have trained your end users, trained your desktop software, and installed applications from one particular server, you have problems when one server has to take on a new role.

DFS sidesteps that problem by tying applications and data to the domain name. Instead of \\NTServer01\SharedData, you place your data in \\domain.local\SharedData and DFS tells the users where to actually pull data from.

Here’s the story of one client that had a file server called CLIENTS where all of their project files lived, alphabetically organized. They were a graphics design firm with PhotoShop and Illustrator as their primary software so their files were huge. They maxed out and then outgrew CLIENTS in a year after purchasing it so they bought a second server and renamed them as CLIENTS-A-L and CLIENTS-M-Z (no, really, those were their actual NetBIOS names). So, everyone had to relearn where their files were, redo the network logon scripts, and redo the linked images inside their PhotoShop projects.

Servers are added, removed, they die, run out of space, and generally come and go from your network over time. By setting up DFS first, you can avoid a lot of work later on.

Tuesday, August 15, 2006

DOS Based Applications in 2006

I didn’t think I’d have to still mess with these but I have a client with three company-wide DOS based applications that are mission critical shared amongst 30+ users. DOS – in 2006, what the heck? Haven’t any of these products moved to new technologies? The applications I’m stuck with are AMSI for DOS from Geac, HUD2000, and Dash-29. One of them actually dials up a modem number and then transmits SMTP traffic to a government agency.

The hardest part was dredging out the tricks for managing these beasts. I started out with DOS but that was in stand alone systems. I didn’t get into serious networking and tech support until the Windows 95 era so I’m a bit rusty. Network printing from DOS apps got me all twisted around until I dug through all of the existing logon scripts. I never did find a decent DOS reference site – just had to Google my way through it. Any suggestions - feel free to post a couple?

Monday, August 14, 2006

What is an SMB?

As a Seattle area consultant, I swim in a sea of Microsoft-centric software. Software that is, unfortunately, not really designed for my small business clients. This blog is just my space to moan, complain, and highlight some of the tricks and best practices that I’ve found that work for small companies.

I do have to be a little specific in my description of “small business”. In the Windows 2000 development days, Microsoft defined “small” as less than 200 computers but now they use a better description of up to 50 computers. I view “small business” as less than 25 users, with a manageable size of roughly 10 employees. The vast majority of software is not written for companies of this size. I spend a lot of time forcing things to fit.


For a good description of the small business issues check out The SMB hype cycle: http://www.it-director.com/article.php?articleid=13395

Saturday, July 22, 2006

A new blog coming soon - Please be patient...