How to Add SMTP Verb Commands to ISA Server 2006

Wednesday, March 5, 2008

If you have an ISA 2006 server between a Microsoft Exchange 2007 Edge server and the Exchange Hub Transport server, you may have a problem where messages queue on the Edge with 500 5.1.1 "unrecognized command" errors.

This Microsoft article partially explains how to resolve the problem. When the Edge Transport server tries to send mail through Microsoft Internet Security and Acceleration (ISA) Server 2006, with SMTP filtering or Secure SMTP (SMTPS) filtering enabled, the SMTP filter blocks the communication. You fix this by either disabling the SMTP filter on the ISA server or adding the verbs (and optionally their maximum length) to the SMTP filter.

What the article doesn't say is which verbs to add or their maximum length. Well, here they are:

  • PIPELINING

  • DSN

  • ENHANCEDSTATUSCODES

  • STARTTLS

  • X-ANONYMOUSTLS

  • AUTH

  • X-EXPS NTLM

  • 8BITMIME

  • BINARYMIME

  • CHUNKING

  • XEXCH50

  • SIZE

All the verbs have an empty maximum length except, possibly, SIZE. Set that one to the maximum message size allowed in your organization, in bytes (for example, 10485760 for 10 MB).


How to Enable Autologon for Windows Workgroup Servers and Computers

Tuesday, March 4, 2008


Update: I've confirmed that the following procedures work for all versions of Windows and Windows Server. 

Click here for instructions for enabling AutoLogon for Windows Server member servers and member workstations.

There may be times when you want or need to enable Autologon for Windows computers and servers. Examples may be lab machines or kiosks. Here's how to do it:

  • Click Start, Run and enter control userpasswords2

  • Clear the checkbox for Users must enter a user name and password to use this computer and click OK. If this checkbox is missing, see my article about enabling AutoLogon on member servers and workstations.

  • Enter the user name and password that will be used for Automatic Logon and click OK

When the computer starts up, the account you specified will be logged in automatically. Note that the password is encrypted on the computer.

This tip works for all versions of Windows and Windows Server.

Since you're here, be sure to check out my article about building a super-fast Windows Hyper-V lab server for under $1,000!


40% off code for new Microsoft Technet Subscriptions

Tuesday, March 4, 2008


Here's a 40% off code for NEW Microsoft Technet Subscriptions. It will work with either the Direct or DVD option.

Use coupon code: TMSAL06


Good article on the SCOM Root Management Server function

Tuesday, March 4, 2008

The Operations Manager Product Team posted a good article explaining the role and purpose of the SCOM Root Management Server (RMS).

Microsoft could do better in the business continuance/disaster recovery arena by providing a simple wizard to automate the promotion/demotion of the RMS.

In my experience, most DR scenarios usually involve a site failure (power or network) that simple clustering won't resolve. The steps required to failover to a remote site (importing the RMS keys and updating the agents) currently require someone with sufficient rights to follow a separate DR procedure document. It would be nice if this could be done from the GUI (where most of the admins live). This would facilitate the DR process when resource and time constraints are most critical.

Temporary fix for "Performance Module could not find a performance counter"

Monday, March 3, 2008

The SCOM Team has posted a temporary fix for the "Performance Module could not find a performance counter" we've all been seeing after applying SCOM SP1.

Check out this post on the Operations Manager Product Team blog.


Automatically Reset the FTP Service in Windows Server 2008

Monday, March 3, 2008

One of the more popular tips I've posted is, "How to automatically reset the FTP service," in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat: it will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service, included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:

    rem Stop the FTP service; active sessions are dropped
    net stop msftpsvc
    rem Ping the loopback adapter 10 times to pause for about 10 seconds
    ping -n 10 127.0.0.1
    net start msftpsvc

The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10-second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Manager:

  • Right-click Task Manager (under Configuration in Server Manager) and select Create a Basic Task

  • Name the task, "Reset FTP Service" and click Next

  • Choose When a specific event is logged as the Task Trigger, click Next

  • Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next

  • Select Start a program and click Next

  • Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next

  • Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish

  • In the Properties window select Run whether user is logged on or not and Run with highest privileges

  • Click OK

  • Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.
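The same event-triggered task can be registered from an elevated command prompt with schtasks instead of the wizard. This is an added example, not part of the original post; the account name CONTOSO\svc-ftpreset is a hypothetical placeholder, and the XPath filter assumes the event provider name matches the IIS-FTP source shown in the steps above.

```batch
@echo off
rem Added example: register the "Reset FTP Service" task from the command line.
rem Assumption: TASK_USER is a placeholder; replace it with the account that runs the task.
setlocal
set "TASK_NAME=Reset FTP Service"
set "TASK_CMD=C:\Scripts\ResetFTPService.bat"
set "TASK_USER=CONTOSO\svc-ftpreset"

rem Refuse to register a task that points at a missing script
if not exist "%TASK_CMD%" (
    echo %TASK_CMD% not found
    exit /b 1
)

rem /SC ONEVENT  fire when an event matching the /MO XPath query is logged
rem /EC System   read from the System event log
rem /RL HIGHEST  same as "Run with highest privileges" in the Properties dialog
rem /RP *        prompt for the password instead of putting it on the command line
schtasks /Create /TN "%TASK_NAME%" /TR "%TASK_CMD%" /SC ONEVENT /EC System ^
    /MO "*[System[Provider[@Name='IIS-FTP'] and EventID=100]]" ^
    /RU "%TASK_USER%" /RP * /RL HIGHEST /F
if errorlevel 1 exit /b 1

rem Show the registered task so the trigger and run-as account can be reviewed
schtasks /Query /TN "%TASK_NAME%" /V /FO LIST
```

Because the task runs with highest privileges, keep C:\Scripts and the batch file writable by administrators only.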


You can't get there from here...

Saturday, March 1, 2008

This weekend I'm starting the migration of my production network from Windows 2003 servers running VMware for virtualization to Windows Server 2008 with Hyper-V.

I have it all planned out like this:

  • Clone my existing W2K3 VMware VMs (DC and E2K7) to a USB drive

  • Convert the VMware VMs to VHDs using System Center Virtual Machine Manager 2007

  • Mount the VMs on my new isolated W2K8 host; test

  • Create a new W2K8 DC VM to upgrade the domain

  • Create a new W2K8/E2K7 VM and migrate all the mailboxes to it

  • Decommission the W2K3 DC and E2K7 VMs

  • Test the new environment

  • Move my blog and websites to the new W2K8 host

  • Turn off my old W2K3 box and re-IP the W2K8 server with the W2K3 server's IP. This will put it into production.

  • Test the web, Exchange, OWA environment again

  • Drink a beer to celebrate. OK, there might be some pre-celebration drinking throughout the process...

By following this plan, I'll minimize downtime to a few minutes and I'll always be able to roll back to the old server simply by turning it back on.

Sounds like a good plan, but here's why it won't work: the only tool that can convert VMware VMs to VHDs is Virtual Machine Manager 2007 (Hyper-V can't do this on its own), but VMM 2007 can't create or convert x64 VMs. Both my DC and E2K7 server are 64-bit, so at this time there's no way to get there from here. I only wish I had remembered this before I spent 4 hours configuring the VMM2007 server and domain. Doh!

By the way, the failure I got during the x64 VM conversion was on step 1.5, "Make operating system virtualizable." This happened right after the plug and play system reported it was "Installing Microsoft Virtual Server Storage devices."

Microsoft Virtual Machine Manager 2008 is expected to create and convert 64-bit guests, but the earliest bits won't be available for it till around March.

So, my updated migration plan is this:

  • Clone my existing W2K3 VMware VMs (DC and E2K7) to a USB drive as backups

  • Build a new Windows Server 2008 Hyper-V host

  • Introduce a new W2K8 DC Hyper-V guest into the domain

  • Create a new W2K8/E2K7 Hyper-V guest

  • Configure a new Edge server on the W2K8 host

  • Migrate all the mailboxes from the old E2K7 server to the new one

  • Decommission the W2K3 DC and E2K7 VMs

  • Test the new environment

  • Move my blog and websites to the new W2K8 host

  • Turn off my old W2K3 box and re-IP the W2K8 server with the W2K3 server's IP. This will put it into production.

  • Test the web, Exchange, OWA environment again

  • Commence said beer drinking celebration
