June 2011 - Posts - Yuval Sinay

Yuval Sinay

Yuval's blog.


Virtual Router - Wifi Hot Spot for Windows 7 / 2008 R2

Published at Jun 30 2011, 02:56 AM by yuval14

Mr. Chris Pietschmann (MVP) initiated a nice open source project named "Virtual Router - Wifi Hot Spot for Windows 7 / 2008 R2": "Virtual Router turns any Windows 7 or Windows 2008 R2 Computer into a Wifi Hot Spot using Windows 7's Wireless Hosted Network (Virtual Wifi) technology." The open source project can be downloaded from the following link.

Exchange 2010 DAG (Database Availability Group) Performance Optimization

Published at Jun 30 2011, 01:27 AM by yuval14

The following article provides a few tips and tricks to optimize Exchange 2010 DAG (Database Availability Group) performance.

General

1. Use the latest Exchange 2010 Service Pack/Rollup, if applicable.

2. Depending on the server hardware and drivers, you may need to disable the following settings:

netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled

3. Follow Microsoft's recommendations for antivirus deployment on Exchange 2010 servers.

CAS and DAG Optimization

1. Please remember that an Exchange DAG wouldn't be useful without an operational CAS server. So, the best practice (in my opinion) is to use a CAS Array to provide a high availability solution for the CAS role.

2. Please remember that existing Exchange 2010 mailbox database(s) won't get the RpcClientAccessServer attribute set automatically. For this reason, you may need to use the following commands to redirect existing mailbox database(s) to the new CAS Array:

New-ClientAccessArray -Name "MyCASArrayName" -FQDN "outlook.mydomainname.local" -Site "Default"
Set-MailboxDatabase MailboxDatabaseName -RpcClientAccessServer "outlook.mydomainname.local"

3. Lower the TTL value of the CAS Array DNS record (e.g. outlook.mydomainname.local).

4. Please remember that without a CAS server, a GC and DNS servers in the DR site, the Exchange 2010 DAG in the DR site won't be operational.

5. Configure the Autodiscover service to use site affinity.

DAG Optimization

1. Use at least three (network) adapters for the Mailbox role deployment:

a. Public (e.g. for the users' Outlook traffic etc.).

b. Private (a dedicated replication VLAN). It's recommended to uncheck the checkbox "Register this connection's addresses in DNS" in the TCP/IP properties of the private NIC.

c. Storage (e.g. FC HBA, iSCSI etc.).

2. Change the network adapter binding order, so that the "Public" interface gets a higher priority than the other network adapters.

3. Lower the TTL value of the DAG DNS record (e.g. MyDAGName).

4. In the main site, choose a witness server with high uptime.

5. Use only static IPs for the Mailbox role servers and for the DAG:

New-DatabaseAvailabilityGroup -Name MyDAGName -WitnessDirectory C:\MyDAGName -WitnessServer MyWitnessServerName -DatabaseAvailabilityGroupIpAddresses 10.0.0.200 -Verbose

Add-DatabaseAvailabilityGroupServer -Identity MyDAGName -MailboxServer Exchange2010FQDNMainServerName -Verbose

Add-MailboxDatabaseCopy -Identity 'MailboxDatabaseName' -MailboxServer Exchange2010DRFQDNServerName -ActivationPreference 2

Note: It's important to set the correct -ActivationPreference value during DAG setup.

If you have an existing DAG implementation, you may need to use the following command instead:

Set-DatabaseAvailabilityGroup -Identity MyDAGName -DatabaseAvailabilityGroupIpAddresses 10.0.0.200

6. Check the network performance/latency. Based on your test results, set the correct values for the ReplayLagTime and TruncationLagTime attributes:

Set-MailboxDatabaseCopy -Identity 'MailboxDatabaseName\Exchange2010MainFQDNServerName' -ReplayLagTime 0.0:5:0 -Verbose

Set-MailboxDatabaseCopy -Identity 'MailboxDatabaseName\Exchange2010DRFQDNServerName' -TruncationLagTime 0.0:5:0

Note 1: 0.0:5:0 = 5 minutes of delay.

Note 2: Check the network performance/latency in a lab environment before moving to the production deployment. Using incorrect values may lead to long downtime. Usually, if the DAG members reside in the same Active Directory site and VLAN, you won't need to change the settings above.

7. Review the Understanding Datacenter Activation Coordination Mode article and consider enabling DAC mode:

Set-DatabaseAvailabilityGroup -Identity MyDAGName -DatacenterActivationMode DagOnly

8. If you would like to use iSCSI, please review the following Microsoft guide: Managing Database Availability Groups

Testing

Test the new DAG implementation by using the following commands:

Get-DatabaseAvailabilityGroup | fl

Get-DatabaseAvailabilityGroup MyDAGName -Status

Test-ReplicationHealth

Get-MailboxDatabaseCopyStatus

Move-ActiveMailboxDatabase -Server Exchange2010FQDNMainServerName -ActivateOnServer Exchange2010DRFQDNServerName

Move-ActiveMailboxDatabase MailboxDatabaseName -ActivateOnServer Exchange2010DRFQDNServerName
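As an added example (not from the original post), the following Exchange Management Shell function runs the checks above in one read-only pass: every database points at the CAS array, DAC mode is on, every copy is Mounted or Healthy with short queues, and Test-ReplicationHealth passes on each member. $CasArrayFqdn, $DagName and $MaxQueue are assumed placeholder values.

```powershell
# Added example, not part of the original post. Assumed placeholders below.
$CasArrayFqdn = "outlook.mydomainname.local"   # CAS array FQDN from step 2 above
$DagName      = "MyDAGName"
$MaxQueue     = 10                             # copy/replay queue length worth a look

function Get-DagHealthReport {
    param([string]$Dag = $DagName, [string]$CasArray = $CasArrayFqdn, [int]$QueueLimit = $MaxQueue)

    $dagObj   = Get-DatabaseAvailabilityGroup -Identity $Dag -Status
    $findings = @()

    # CAS and DAG step 2: a database pointing at a single CAS server is unreachable for
    # Outlook when that server dies, even if the DAG itself fails over cleanly.
    Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer -ne $CasArray } |
        ForEach-Object { $findings += "DB $($_.Name): RpcClientAccessServer is $($_.RpcClientAccessServer)" }

    # DAG step 7: DAC mode stops databases being mounted in both datacenters after a site outage.
    if ($dagObj.DatacenterActivationMode -ne 'DagOnly') {
        $findings += "DAG ${Dag}: DatacenterActivationMode is $($dagObj.DatacenterActivationMode), not DagOnly"
    }

    foreach ($srv in $dagObj.Servers) {
        # Each copy should be Mounted (active) or Healthy (passive); a growing copy or
        # replay queue usually means replication network trouble or a wrong lag time.
        Get-MailboxDatabaseCopyStatus -Server $srv.Name | ForEach-Object {
            if (('Mounted', 'Healthy') -notcontains $_.Status -or
                $_.CopyQueueLength -gt $QueueLimit -or $_.ReplayQueueLength -gt $QueueLimit) {
                $findings += "Copy $($_.Name): $($_.Status), copy queue $($_.CopyQueueLength), replay queue $($_.ReplayQueueLength)"
            }
        }
        # Cluster, quorum and replication service checks per DAG member.
        Test-ReplicationHealth -Identity $srv.Name | Where-Object { $_.Result -ne 'Passed' } |
            ForEach-Object { $findings += "$($_.Server) $($_.Check): $($_.Result) $($_.Error)" }
    }

    if ($findings.Count -eq 0) { "DAG ${Dag}: no findings" } else { $findings }
}

Get-DagHealthReport
```

Run it before and after a planned Move-ActiveMailboxDatabase so that a failover is never attempted against a copy that was already unhealthy.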

Simulation tools to measure Exchange 2010 Performance

Microsoft Jetstress 2010
Microsoft LoadGen 2010

Introduction to Microsoft ADFS 2.0 Technology

Published at Jun 29 2011, 12:26 AM by yuval14

The following article provides a short introduction to the Microsoft ADFS 2.0 (Active Directory Federation Services) technology for IT staff.

The article is based on Mr. Manu Cohen-Yashar's (Sela Group) Windows Azure Security, Identity & Access lecture, which was presented at the Microsoft Israel office.

In Windows 2003 R2, Microsoft released the first generation of the ADFS services.

According to the official Microsoft post, "Active Directory Federation Services (ADFS) is based on the emerging, industry-supported Web Services Architecture, which is defined in WS-* specifications. ADFS helps you use single sign-on (SSO) to authenticate users to multiple, related Web applications over the life of a single online session. ADFS accomplishes this by securely sharing digital identity and entitlement rights across security and enterprise boundaries."

In Windows 2008/2008 R2, Microsoft released the second generation of the ADFS services. ADFS 2.0 provides new features, such as advanced integration with Visual Studio, WCF support, PowerShell integration, and the WS-Trust, WS-Federation and Security Assertion Markup Language (SAML) protocols.

A common mistake of junior IT staff is to think that the basis of the ADFS technology is a new invention. However, you should note that the underlying technology has been used by third-party providers for more than 12 years (e.g. Citrix etc.).

From the end user's point of view, the ADFS technology provides a transparent SSO (Single Sign On) solution. With the old technology (domain/forest trusts), to allow a user from Active Directory Forest A to log on to a resource in Active Directory Forest B, we had to establish a domain/forest trust.

The old technology forces us to have full connectivity between the two forests (see: How to configure a firewall for domains and trusts) and provides a low-security solution. Also, the old technology required us to invest much more time and resources to set up the connection between the two Active Directory forests. Other scenarios, like the need to integrate with a third-party operating system/realm, may lead to more complex deployment issues.

With the ADFS technology, the user obtains a token from Forest A and presents it to Forest B. Forest B trusts Forest A's ticket provider (STS) and, after verifying the user's ticket signature etc., maps the user from Forest A to some identity/role/user etc. in Forest B.

To allow ADFS to function, you only need to allow a one-way HTTPS (SOAP) connection. By implementing ADFS and a ticket provider (STS), you can create multiple secure connections to third-party resources using a more secure and comfortable solution.

You can even use an additional tool to synchronize Forest A accounts to Forest B accounts, thereby creating an easy 1-to-1 user mapping. The same technique is used by the Microsoft Office 365 solution.
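The Forest B side of the trust described above, as an added example using the ADFS 2.0 PowerShell snap-in (this is not code from the post or from the lecture it summarises). The STS names, metadata URLs, group value and role name are assumptions; Forest A's STS publishes its token-signing certificate in its federation metadata, which is what lets Forest B verify the token signature before any mapping happens.

```powershell
# Added example, not part of the original post. All names and URLs are assumed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Acceptance rules: what Forest B accepts from the Forest A STS and how it maps it.
# Only the UPN is passed through; one Forest A group becomes one Forest B role.
$acceptRules = @'
@RuleName = "Pass through UPN from Forest A"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Map Forest A group to a Forest B role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "ForestA-Finance"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Finance-Readers");
'@

# Forest B trusts the Forest A STS as a claims provider (the "ticket provider" above).
# The token-signing certificate is taken from Forest A's published metadata.
Add-ADFSClaimsProviderTrust -Name "Forest A STS" `
    -MetadataUrl "https://sts.foresta.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $acceptRules

# Issuance rules: the Forest B application (relying party) sees only UPN and role.
$issueRules = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(claim = c);

@RuleName = "Pass through role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"] => issue(claim = c);
'@

# Authorization rule: no mapped role, no token for the application (default is deny).
$authzRules = @'
@RuleName = "Only Finance-Readers may get a token"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "Finance-Readers"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-ADFSRelyingPartyTrust -Name "Finance Portal" `
    -MetadataUrl "https://finance.forestb.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -IssuanceTransformRules $issueRules `
    -IssuanceAuthorizationRules $authzRules
```

The only network path this needs is HTTPS from Forest B's STS to the metadata URL (plus the user's browser to both STSs); no RPC or LDAP between the forests.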

The following slides provide a short overview of how ADFS 2.0 is implemented in the Microsoft Azure platform.

 


To download Microsoft ADFS 2.0, please use the following link: Active Directory Federation Services 2.0 RTW

For further information, please review the following links:

Using Active Directory Federation Services 2.0 in Identity Solutions

Active Directory Federation Services (AD FS) 2.0


How to resolve missing Application tab during restore operation in Windows Backup

Published at Jun 28 2011, 06:09 PM by yuval14

During a restore operation in Exchange 2010, the "Application" tab may be missing.

This issue usually occurs if you installed the Windows Backup software after completing the Exchange 2010 installation.

To resolve the issue, please review the following Microsoft note: Windows Server Backup API Registry Keys.

The credit for finding this solution goes to CroC_Microsoft.

 


How to find the location of the user profile on the local disk

Published at Jun 28 2011, 05:38 PM by yuval14

To find the location of the user profile on the local disk, please use the following instructions:

1. Find the user's SID by using one of the following scripts: the VBS script Determine SID of Windows user (written by Mr. Kevin van Zonneveld) or the PowerShell script Get SID from AD (Active Directory) User / Group using PowerShell.

Note: GetSid utility isn't supported currently on Windows 7/2008/2008 R2 platforms.

2. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%MyUserSIDNumber%

and review the value of ProfileImagePath.
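As an added example (not part of the original post), the following PowerShell does both steps in one go: it resolves the account name to its SID with the .NET NTAccount translation instead of a third-party script, then reads ProfileImagePath from the ProfileList key above. A second function walks the whole ProfileList, which also surfaces stale profiles whose SID no longer resolves. The account name passed at the bottom is an assumption.

```powershell
# Added example, not part of the original post.
function Get-UserProfilePath {
    param([Parameter(Mandatory=$true)][string]$Account)   # "DOMAIN\user" or "user"

    # Same result as the SID scripts linked above: NTAccount -> SID translation
    # asks the local SAM or the domain, so the name must be resolvable from here.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    if (-not (Test-Path $key)) {
        # No key: the account has never logged on interactively on this machine,
        # so there is no local profile to find.
        return New-Object PSObject -Property @{ Account = $Account; SID = $sid; ProfilePath = $null }
    }
    # ProfileImagePath is REG_EXPAND_SZ; Get-ItemProperty expands %SystemDrive% for us,
    # ExpandEnvironmentVariables is a no-op on an already expanded path.
    $raw  = (Get-ItemProperty -Path $key -Name ProfileImagePath).ProfileImagePath
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    New-Object PSObject -Property @{ Account = $Account; SID = $sid; ProfilePath = $path }
}

# Reverse direction: which account owns each profile folder on this machine?
# An unresolved SID usually means a deleted account whose profile was left behind.
function Get-AllProfilePaths {
    Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" |
        ForEach-Object {
            $sid = $_.PSChildName
            try {
                $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $acct = "(unresolved: deleted account or untrusted domain)" }
            New-Object PSObject -Property @{
                SID         = $sid
                Account     = $acct
                ProfilePath = (Get-ItemProperty $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
            }
        }
}

# Assumed input: the account running the script.
Get-UserProfilePath -Account "$env:USERDOMAIN\$env:USERNAME"
Get-AllProfilePaths | Format-Table Account, SID, ProfilePath -AutoSize
```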

How to find the last Exchange 2010 database backup time

Published at Jun 28 2011, 12:48 PM by yuval14

To find the last Exchange 2010 database backup time of all the Exchange databases in the organization, please use the following PowerShell (Exchange Management Shell) commands (the backup properties are named LastFullBackup, LastDifferentialBackup and LastIncrementalBackup):

Get-MailboxDatabase -Status | select Name,LastFullBackup

Get-MailboxDatabase -Status | select Name,LastDifferentialBackup

Get-MailboxDatabase -Status | select Name,LastIncrementalBackup

To find the last backup time of a specific Exchange database, please use the following PowerShell (Exchange Management Shell) commands:

Get-MailboxDatabase DatabaseName -Status | select LastFullBackup

Get-MailboxDatabase DatabaseName -Status | select LastDifferentialBackup

Get-MailboxDatabase DatabaseName -Status | select LastIncrementalBackup
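The same query turned into a check, as an added example that is not part of the original post: it flags every database whose last full backup is older than a threshold or that has never been backed up at all (an empty LastFullBackup). $MaxAgeDays is an assumed value; run it from the Exchange Management Shell.

```powershell
# Added example, not part of the original post.
function Get-StaleDatabaseBackups {
    param([int]$MaxAgeDays = 1, [string]$Database)   # assumed default: one day

    # -Status is what populates the backup timestamps; without it they are empty.
    $dbs = if ($Database) { Get-MailboxDatabase -Identity $Database -Status }
           else            { Get-MailboxDatabase -Status }
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($db in $dbs) {
        # A database that never had a full backup has an empty LastFullBackup;
        # treat that as stale rather than silently skipping it.
        $last  = $db.LastFullBackup
        $stale = (-not $last) -or ($last -lt $cutoff)
        New-Object PSObject -Property @{
            Database         = $db.Name
            LastFullBackup   = $last
            LastIncremental  = $db.LastIncrementalBackup
            LastDifferential = $db.LastDifferentialBackup
            BackupInProgress = $db.BackupInProgress
            Stale            = $stale
        }
    }
}

# Only the databases that need attention.
Get-StaleDatabaseBackups -MaxAgeDays 1 | Where-Object { $_.Stale } |
    Format-Table Database, LastFullBackup, LastIncremental, LastDifferential, BackupInProgress -AutoSize
```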

Microsoft Standalone System Sweeper Beta

Published at Jun 27 2011, 01:31 PM by yuval14

“Microsoft Standalone System Sweeper Beta, a recovery tool that can help you start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware. In addition, Microsoft Standalone System Sweeper Beta can be used if you cannot install or start an antivirus solution on your PC, or if the installed solution can’t detect or remove malware on your PC.” The tool can be downloaded from the following link.

How to see hidden files?

Published at Jun 27 2011, 12:00 AM by yuval14

After copying files/folders using the xcopy/robocopy utilities etc., some files/folders may seem "lost".

Usually, this issue occurs due to the hidden attribute that was set on the files/folders. You can review the attribute settings by using the commands:

attrib filename
attrib x:\foldername

For example:

A  SH   I    C:\Users\administrator\NTUSER.DAT

To remove the hidden (and read-only) attributes, please use the command:

attrib -r -h x:\foldername

How to set the PDC emulator to use external NTP server

Published at Jun 25 2011, 03:03 AM by yuval14

The following command sets the PDC emulator to use the external NTP server pool.ntp.org:

w32tm /config /manualpeerlist:"pool.ntp.org,0x1" /syncfromflags:manual /reliable:yes /update

Note: The default synchronization interval is set to 3600 seconds (1 hr). The synchronization interval can be changed by navigating to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\w32time\TimeProviders\NtpClient

and editing the following DWORD (Decimal) value: SpecialPollInterval.

Usually I prefer to change the synchronization interval to 300 seconds (5 minutes).

Please note that the NTP protocol is blocked by default in most firewall implementations. To allow NTP to function normally, you may need to allow NTP queries (UDP 123) from the PDC emulator to the external NTP server.

After making the required changes, restart the Windows Time service by using the command:

net stop w32time && net start w32time
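As an added example (not part of the original post), the following PowerShell function verifies that the PDC emulator ended up with the configuration the steps above aim for: manual peer with the 0x1 flag, SpecialPollInterval of 300 seconds, the "reliable" announce flag, and a live sync source rather than the local clock (which is what you see when the firewall silently drops UDP 123). $ExpectedPeer and $ExpectedInterval are assumed values.

```powershell
# Added example, not part of the original post. Assumed expected values below.
$ExpectedPeer     = "pool.ntp.org,0x1"
$ExpectedInterval = 300

function Test-PdcTimeConfig {
    param([string]$Peer = $ExpectedPeer, [int]$Interval = $ExpectedInterval)
    $w32 = "HKLM:\SYSTEM\CurrentControlSet\services\w32time"
    $prm = Get-ItemProperty "$w32\Parameters"                # Type, NtpServer
    $cfg = Get-ItemProperty "$w32\Config"                    # AnnounceFlags
    $ntp = Get-ItemProperty "$w32\TimeProviders\NtpClient"   # SpecialPollInterval
    $findings = @()

    # Type NT5DS means "follow the domain hierarchy". The PDC emulator is the top of that
    # hierarchy, so it must be Type NTP with an external peer, or the whole forest drifts.
    if ($prm.Type -ne 'NTP')       { $findings += "Type is $($prm.Type); expected NTP" }
    if ($prm.NtpServer -ne $Peer)  { $findings += "NtpServer is '$($prm.NtpServer)'; expected '$Peer'" }
    # The ,0x1 flag makes w32time use SpecialPollInterval instead of the adaptive poll interval.
    if ($prm.NtpServer -notmatch ',0x1$') { $findings += "peer lacks the ,0x1 flag" }
    if ($ntp.SpecialPollInterval -ne $Interval) {
        $findings += "SpecialPollInterval is $($ntp.SpecialPollInterval); expected $Interval"
    }
    # /reliable:yes leaves AnnounceFlags at 5 (the post's output); 10 is the default DC value.
    if ($cfg.AnnounceFlags -ne 5)  { $findings += "AnnounceFlags is $($cfg.AnnounceFlags); expected 5 (reliable time source)" }

    # Live check: when outbound UDP 123 is blocked the service falls back to the local clock
    # and reports "Local CMOS Clock" or "Free-running System Clock" as its source.
    $source = (w32tm /query /source) -join ''
    if ($source -match 'Local CMOS Clock|Free-running') {
        $findings += "w32time source is '$source': not synchronised with $Peer"
    }

    if ($findings.Count -eq 0) { "OK: syncing from $source" } else { $findings }
}

Test-PdcTimeConfig
```

Run it once after the `net stop w32time && net start w32time` restart and again after the poll interval has elapsed, so that the live-source check reflects a real exchange with the peer.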

You can review the new NTP settings by using the following commands:

w32tm /query /peers

C:\Users\Administrator.BDZ-JR>w32tm /query /peers
#Peers: 1

Peer: timeserver.iix.net.il,0x1
State: Active
Time Remaining: 22.0344335s
Mode: 1 (Symmetric Active)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 6 (64s)
HostPoll Interval: 6 (64s)

w32tm /query /status

C:\Users\Administrator.BDZ-JR>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0358734s
Root Dispersion: 0.0839534s
ReferenceId: 0xC0723EFA (source IP:  192.114.62.250)
Last Successful Sync Time: 25/06/2011 03:03:46
Source: timeserver.iix.net.il,0x1
Poll Interval: 7 (128s)

 

w32tm /query /configuration

C:\Users\Administrator.BDZ-JR>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 300 (Local)
Type: NTP (Local)
NtpServer: timeserver.iix.net.il,0x1 (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

 

Note: The following command output shows the default time settings of a typical domain controller:

C:\Users\administrator.BDZ-JR>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
