Brian Redmond's Weblog : Exchange and Messaging

Interesting Performance Monitoring Tool - Download on microsoft.com

btrst4 — Sat, 05 Feb 2005 00:40:00 GMT

I recently found a tool that can help do performance analysis on servers in your environment. This tool gathers the data from the Performance Monitor and does some level of analysis to help diagnose issues. It is especially good at IIS 6.0 and Active Directory.

Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=61a41d78-e4aa-47b9-901b-cf85da075a73&DisplayLang=en

From the Overview:

Service Performance Advisor is a server performance diagnostic tool developed to diagnose root causes of performance problems in a Microsoft® Windows Server™ 2003 operating system, particularly performance problems for Internet Information Services (IIS) 6.0 and the Active Directory® directory service. Server Performance Advisor measures the performance and use of resources by your computer to report on the parts that are stressed under workload.

Consulting from home...

btrst4 — Tue, 26 Oct 2004 16:29:00 GMT

I have posted on this Blog recently about life in MCS. This probably holds true for consulting engagements in general. Setting a comfortable travel schedule is really important when you are on the road all the time. On the other hand, this travel schedule would need to be negotiated with the client. In my case, that negotiation is not done by me, so I have very little to say in that. Once things get rolling and you get acquainted with the client, you can probably figure out a good way to balance this.

Working from home is an interesting idea. On paper it seems to make sense. If you are writing documentation, why would you need to be at the client's location? Depending on your situation, you may get more interuptions at a client site than from little kids at home! For short periods this might work, but in the long run, I believe a big part of consulting is building relationships with the customer. Having face time to discuss the issues and iron out questions can go a long way in building a deeper level of trust. If you are at home all the time, they tend to forget about you and start to stop seeing the value. You could do this here and there, but not all the time.

Information about my current MIIS/Exchange project

btrst4 — Fri, 22 Oct 2004 17:59:00 GMT

My current project is using MIIS to assist with an Exchange Resource Forest. The company has decided to run Exchange in the headquarters and each sub-Company would maintain their own Active Directory for login and security. The Exchange forest has placeholder accounts (mailboxes) that the external accounts have rights to.

MIIS is responsible for two things:

Synchronize the GALs from each sub-company to the central Exchange Resource Forest.
Provision mailboxes when new accounts arrive on the sub-company Active Directories.

It is an interesting project with some intriguing problems.

Access to sub-company AD's: In most cases, the sub-companies do not want to give access to their AD from the central MIIS server. We could certainly refine the access to read-only at certain containers, but there are still firewalls and other political factors that override. In our case, we will likely ask the sub-company to export only the necessary data needed to an ADAM instance that can buffer some of the above issues.

Migration status: Initially, the primary data source for the user data is on the legacy side. Once the users are migrated, my data flow rules need to switch directions for certain attributes. We decided to add a "migration status" field that would be used in our MIIS logic to help customize the attribute flow presedence and direction.

External account IDs/SIDs: In order to permission the mailboxes, we obviously need a trust in place, but we also need the user account and/or the user SID from the sub-company AD. The can prove challenging depending on how you are permissioning. The permission process is also slightly different for a brand spanking new mailbox compared to one that already exists on the store.

Once the migration is over, the whole thing becomes a lot easier. With something this large, it could take a long time....

What it is like to work for MCS...

btrst4 — Sat, 16 Oct 2004 23:41:00 GMT

I got a question asking what it is like to work for Microsoft Consulting Services. This may very well be one of my friends messing with me, but regardless, I thought it might be worth telling some stories now and then.

The particular question was about work/life balance. There is no sugar coating here; there is very little balance a lot of the time. The key is that you find a way to catch up now and then. There are some time periods where you have to learn something new or you are developing something beyond your regular engagement. During these times, you work a full day with the client and a full day that night with everything else.

Sooner or later, it catches up with you and you need to find a way to slow things down. For the most part, the job asks for as much as you are willing to give. I really enjoy the work, but I could use a break now and then. I have a wife and two wonderful girls (4 and 6) who need me to be around. Luckily, we have a pretty flexible travel policy, so I am able to be home a good amount of time.

This is still the place for me and a great place to work.

AD uses different attirbute names from what shows up in ADUC

btrst4 — Thu, 14 Oct 2004 04:20:00 GMT

For the non-LDAP people, this cause quite a bit of confusion. First name is "givenName" and Last name is "sn." Street in ADUC is "streetAddress" in AD (of course, there is also a 'street' attribute to add to the confusion!).

There is a page on MSDN that explains the mapping; this link is your friend.

By the way, ADUC is now a word in my vocabulary. It is pronounced "a duck." I recommend using this pronunciation.

Just update the schema and quit worrying about it!!!

btrst4 — Thu, 14 Oct 2004 04:12:00 GMT

I am a little sick and tired about hearing that people are tentative about modifying the Active Directory schema! Maybe this is Microsoft's fault since we put so many warnings up about doing this. I say modify it like crazy. In fact, I think we should all add a schema attribute called "i-modified-the-AD-schema-try-and-stop-me" to our Active Directory.

Seriously, it is OK to extend the schema as long as you follow the best practices. Here are some important things to remember:

Even if you are only extending the schema for an internal application (something you are not selling), you should still follow proper practices like you are selling it. If you use attribute names or OIDs that end up appearing in future Microsoft products or 3rd party products, you could end up with conflict.
Do not store data in AD that is changing frequently. Frequently changing data belongs in a database.
Prefix your attributes with a lower case company name and a hyphen (e.g. - "fabrikam-shoeSizeEurope").
Obtain an registered OID for your schema changes. This can be done with various ISO Name Registration Authorities or from Microsoft. Info here.
Select a proper syntax (data type) for your attributes. If the item is true/false type data, use Boolean and not a text field. If the data is numeric, use Integer.
For simplicity, keep the cn and the ldapDisplayName of your attribute the same.

Update the schema using one of the following methods:

LDIF scripts. This is generally the best method.
Programatically. MSDN has some good samples.
Using the MMC schema mgmt. snap-in. Let's face it, you might only be adding a couple items and not need to distribute this beyond your company. This might be the easiest method in some cases. Keep in mind that you might need to register the "schmmgmt.dll" on the machine if the snap-in is not available.

Want to see your new attributes in ADUC? You might need to write some code, but it can be done. More info here.

Go for it!

...Of course, you should still test things properly and have a good backup. If you have a complex forest and you are highly concerned, you could isolate a DC schema master (it would have no replication partners) and test your extensions there. In case of failure, you could kill that DC and seize the schema master role back on the other DC's. Kind of a complex procedure and I would only attempt this if I was comfortable. In the end, if you follow best practices, extending the schema should be a safe procedure.

Sorry, but I have been busy

btrst4 — Thu, 14 Oct 2004 04:08:00 GMT

What ends up happening is that I start a new project and get horribly busy and have no time to post. I ended up making a bunch of notes of good things to post, so I have a little backlog of things. Expect a bunch here over the next couple days.

Using the jpegPhoto attribute in AD - Part II

btrst4 — Tue, 07 Sep 2004 18:21:00 GMT

The previous post (http://weblogs.asp.net/btrst4/archive/2004/08/30/222629.aspx) on this topic showed you how to import picture data into AD. This post shows you how to retieve the data and write it back out to a file. It might be more realistic to retrieve the data from AD and display it in a portal. I'm sure someone could adapt this code to do this quite easily. If you know how, please post or email me.

Basically, this is the reverse of the previous code using System.DirectoryServices then System.IO.

Here is the code:
Imports System.IO
Imports System.DirectoryServices

Module Module1
    Sub Main()
        Dim outFile As System.IO.FileStream
        Dim binaryData() As Byte
        Dim strFileName As String

strFileName = "c:\PictureExportedFromAD.jpg"

        'Connect to AD
        Dim strDN As String = "CN=Joe User,OU=Employees,DC=company,DC=local"
        Dim strDCName As String = "DC-01"
        Dim myUser As New System.DirectoryServices.DirectoryEntry("LDAP://" & strDCName & "/" & strDN)

        'Retrieve picture into byte array
        Dim byteArray As Byte()
        byteArray = myUser.Properties("jpegPhoto").Value
        myUser.Close()

        'Open file to export (delete if exists)
        If File.Exists(strFileName) Then
            File.Delete(strFileName)
        End If

outFile = New System.io.FileStream(strFileName, FileMode.CreateNew, FileAccess.ReadWrite)

'Loop through bytes and write to file
Dim singleByte As Byte

        For Each singleByte In byteArray
            outFile.WriteByte(singleByte)
        Next
        outFile.Close()
    End Sub
End Module

If you exporting to AD/Exchange with MIIS, you might need to disable the RUS

btrst4 — Thu, 26 Aug 2004 20:41:00 GMT

I was working on a project recently and the Exchange 2003 Recipient Update Service (RUS) was adding X.400 addresses and other junk to my mail enabled users. I was basically mail enabling a bunch of users in AD to synchronize the GAL with another email system. I could certainly configure the recipient policies on the server, but for these users, it made the most sense to disable the RUS for these particular objects.

The equivalent for this is to un-check the "Automatically update e-mail addresses based on recipient policy" on the object in AD. This is quite simple to handle in export attribute flow from MIIS. Just set the "msExchPoliciesExcluded" attribute on the object to a constant = "{26491CFC-9E50-4857-861B-0CB8DF22B5D7}". You can set a value in attribute flow to a constant by using the Advanced attribute flow setting. This will keep the RUS's hands off your objects.

Pretty cool. More details in this KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;318072

The article also notes that you are now responsible for these attributes once you set this:

mail
proxyAddresses
textEncodedORAddress
msExchPoliciesIncluded

Of course, this should not be used across the board. In many cases, you need the RUS to take care of properly stamping attributes. Use with care.

Oh mighty Scriptomatic!!!

btrst4 — Tue, 17 Aug 2004 23:12:00 GMT

I guess I can write WMI scripts if I have to, but it sure is nice to find samples to do the work. I guess I thought most people were aware (and lived by) the Scriptomatic Utility. I have had a few questions about WMI lately and this excellent utility came to the rescue.

Basically you browse many of the WMI classes available and it will create runable scripts for you. Download here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9ef05cbd-c1c5-41e7-9da8-212c414a7ab0

It is also worth mentioning a newer Scriptomatic for ADSI. I have not used this one, but if it is half as good as the WMI one, it will be a good utility to have on hand. http://www.microsoft.com/downloads/details.aspx?familyid=39044e17-2490-487d-9a92-ce5dcd311228&displaylang=en

Go be a Scriptomanic!!!

Cool Performance Monitor tools

btrst4 — Thu, 12 Aug 2004 17:31:00 GMT

If you have ever used Windows Performance Monitor and had trouble changing the time period for really big perf log files, there is a helpful tool for you. I have often driven myself crazy trying to squeeze that time window down to the hour I want and gone crazy. The link below points to a few helpful tools for performance monitoring. Relog.exe is the tool that will help you create a new perf log file with a subset time period from a larger file.

Logman.exe: Allows you to remotely manage perf logging on servers and manage centrally.
Relog.exe. Allows you to create new perf log files with changed counters, time period, log file type, etc.
Typeperf.exe. Allows you to get perf data from a server in a command window.

http://support.microsoft.com/default.aspx?scid=kb;en-us;303133

Changing Exchange server OU's

btrst4 — Mon, 28 Jun 2004 20:38:00 GMT

If you change the OU membership of your Exchange 2000 servers, you may run into a common issue. This issue might be benign, but the events in the event log certainly are disconcerting. The article (271335) explains in detail.

After you move Exchange servers into a new OU, you might see the following events:

Event ID: 9186
Source: MSExchangeSA
Type: Warning
Category: General
Description:
Microsoft Exchange System Attendant has detected that the local computer is not a member of group 'cn=Exchange Domain Servers,cn=Users,dc=microsoft,dc=com'. System Attendant is going to add the local computer into the group.
The current members of the group are 'CN=SERVERNAME,OU=NEWOU,DC=microsoft,DC=com; '.

-and-

Event ID: 9187
Source: MSExchangeSA
Type: Error
Category: General
Description:
Microsoft Exchange System Attendant failed to add the local computer as a member of the DS group object 'cn=Exchange Domain Servers,cn=Users,dc=microsoft,dc=com'.
Please stop all the Microsoft Exchange services, add the local computer into the group manually and restart all the services.

The article explains what you should do, depending on what else you are seeing.

This brings up an interesting topic to discuss. What types of OU's should I setup for my Exchange servers? Of course, the answer is always, "it depends." A very common design (picture below) is to break out the servers into different types. This allows you to set a base company policy at the top level Server OU. Then each server of various kinds can be locked down differently if needed. We often see people placing a single policy object to all servers. Certainly all servers are not the same and a policy setting on an IIS server may not make sense on an Exchange cluster node (and vice-versa).

"Access is denied" is so frustrating!!!

btrst4 — Tue, 08 Jun 2004 22:50:00 GMT

Grrr.... I spent a bunch of time recently troubleshooting one of these, so I thought I'd share in case it saves someone else some trouble.

We setup some Exchange 2003 servers on Windows 2003. Some clustered and some not. In a number of places, we would get “Access is denied” messages and error ID c0070005. In the most critical case, we saw it when trying to join a second node to our cluster. Since access was denied, we could not continue. We would also see it when using Exchange System Manager and accessing some of the properties of a server.

Of course, we checked all the usual stuff and the accounts in question had all the rights you could possibly want.

In the end, it was caused by permissions on a particular registry entry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SecurePipeServers\winreg

This registry key is used by a number of different things and often impacts remote registry access, performance counter access, etc. In our case, the LOCAL SERVICE account did not have read permissions on this reg key. Many of the things we were trying to do were really being performed by the local service. I did some google searching and it seems that some security scanners will remove this permission to stop certain issues. I was never able to determine if this was the root cause for us because the security people would not tell us anything. Refused to come out of their boxes I guess.... :)

What is the Exchange Intelligent Message Filter?

btrst4 — Tue, 18 May 2004 17:06:00 GMT

SPAM, SPAM, SPAM. This is always a hot topic for Email Administrators. For all of the good work you do in the messaging world, users will only see the SPAM they get and complain. It really can be a big nuisance to a worker and hinder productivity. There are a ton of technologies out there to help resolve this. Some are server based and some are client based. It is likely that a combination of approaches will be necessary to fight this problem.

Microsoft Exchange 2003 has some methods for SPAM prevention built-in. This includes sender filtering, connection filtering, real time block lists, etc. There are also a number of 3rd party technologies that integrate with Exchange 2003 to handle SPAM filtering.

When SP1 for Exchange 2003 is released, Microsoft will be releasing a technology called “Exchange Intelligent Message Filter” or IMF. Intelligent Message Filter is based on Microsoft SmartScreen Technology from Microsoft Research. SmartScreen technology enables Intelligent Message Filter to distinguish between legitimate e-mail messages and unsolicited commercial e-mail or other junk e-mail. SmartScreen tracks over 500,000 e-mail characteristics based on data from hundreds of thousands of MSN® Hotmail® subscribers who volunteered to classify millions of e-mail messages as legitimate or as spam. More info: http://www.microsoft.com/exchange/techinfo/security/imfoverview.asp

Spam Confidence Level (or SCL) is a rating assigned by SPAM prevention technologies to determine the likelihood that the given message is SPAM. This allows client technologies to setup rules based on the level of SCL. Some users will have different thresholds for the level of SCL they are willing to accept.

How do I get this? Prior to the release, the licensing has not been determined. It is likely to be offered to Software Assurance customers at a minimum. Once it is released, you will get a clear picture of how it can be licensed.

Backup, backup, backup. Exchange and VSS backup information

btrst4 — Fri, 14 May 2004 17:59:00 GMT

Obviously, backing up your Exchange server is quite critical. Unfortunately, there is no magic solution to the process to backing up Exchange. Here are a couple types of approaches:

1. Simple ntbackup process. Ntbackup is made to work directly with the Exchange IS and safely backup Exchange storage groups while they are online. It also backs up the current set of transaction logs. After completion, the transaction logs are flushed and the backed up tlogs are removed. During the restore, if you have multiple backups, you need to be aware of the "Last Backup Set" and the Exchange recovery process. More info: http://support.microsoft.com/default.aspx?scid=kb;en-us;232938&Product=exch2003

2. VSS Integrated backup. With Windows 2003 Server, the Volume Shadow Copy Service (VSS) was introduced. This allows hardware vendors to backup data such as databases and open files without possible data corruption. A number of hardware vendors support this for things like snapshots and BCV's. This requires Windows 2003, Exchange 2003, supported backend hardware, and a supported backup program. In Windows 2003, ntbackup uses VSS as well, though it can be disabled if needed.

Getting VSS to work can be difficult due to the 3rd party software integration and the "newness" of the technology. Working closely with the backup provider is key here. Generally, the troubleshooting must start from this angle.

Here are some helpful hints:

- Turn on VSS debugging: You must add the following reg keys.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Debug\Tracing]
"TraceFile"="c:\\trace.txt"
"TraceLevel"=dword:ffffffff
"TraceEnterExit"=dword:00000001
"TraceToFile"=dword:00000001
"TraceToDebugger"=dword:00000000
"TraceFileLineInfo"=dword:00000001
"TraceForceFlush"=dword:00000000

- Command line tools: vssadmin.exe, volperf.exe.

- KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;822896&Product=exch2003

Keep in mind that VSS is also used to shared folders. It is the same underlying technology, however the the Shadow Copies for Shared Folders technology is more related to self service file recovery. More info here.