Placing Server Certificates on Mobile Devices

About the only thing that's difficult in setting up Exchange ActiveSync on a mobile device is getting the server certificate on it. Of course, this is a non-issue if you're using a trusted certification authority like Verisign, Thawte, GoDaddy, etc. I wrote these procedures for those of you who don't want the trouble or expense of buying an SSL cert and want to use the Exchange self-signed certificate.


Export the Certificate

• Log into the Exchange server with administrative rights and run IIS Manager
• Expand Local Computer Web Sites
• Right-click Default Web Site and select Properties
• Click the Directory Security tab
• Click View Certificate
• On the Details tab click Copy to File..., Next, Next, Next
• Enter the path and filename to use for the certificate export (i.e., C:\server.cer)
• Click Finish to export the certificate

How to Put the Certificate on the Phone

Option 1, Using Windows ActiveSync

• Download and install ActiveSync 4.5 on a PC (http://www.microsoft.com/downloads/details.aspx?FamilyID=9e641c34-6f7f-404d-a04b-dc09f8141141&DisplayLang=en)
• Dock the phone
• Use Explorer in ActiveSync to drop the cert into My Documents on the phone
• Use File Explorer on the phone to navigate to My Documents
• Select the server.cer file to import it

Option 2, Using Email

• If there is an alternate form of email on the device, email the cert to your device
• Open the attachment and import it

Option 3, Using a Website

• Send server.cer to a compressed folder (zip file)
• Put the zip file on a web server
• Use Internet Explorer on the phone and navigate to the URL of the zip file to open it (i.e., http://www.myserver.com/cert.zip)
• Download, open and import it

If you have an older Windows Mobile 2002 or 2003 device, check out the SPAddCert utility from Microsoft, documented at http://support.microsoft.com/kb/841060.

Beware the iPhone

The iPhone is a (very) expensive consumer device that has no place in the corporate environment. It has no security, cannot connect to enterprise email systems except using unsecured protocols (IMAP), and opens the company up to potential (extremely likely) copyright concerns.

Most companies should have a corporate "Just say no" policy for the iPhone in place by now. That way when the CEO drops his new iPhone on the administrator's desk and says, "Make it work with my email", they'll have a response ready.

On a side note, surveys have shown that people are really interested in three things about cell phones: Service quality (they want to be able to place or answer a call, not be dropped and be heard clearly), battery life, and ease of use (not having to use arcane menuing systems). Everything else is just gravy. When you add email to the mix, people want to be able to easily send and receive emails (tiny keypads and menuing systems inhibit this) and to a smaller degree expect fast delivery.

It seems that cell phone companies are busily trying to create "the next big thing" by adding the last big thing to their already crowded and confusing devices. Most people don't use 1/4 of the features on the phones they already have.

Ping Multiple Computers Until They're Up

Here's a short VBScript I wrote that I used for an Windows 2003 R2 implementation last night. It quickly pings a group of computers in rapid succession.

First, create a list of computers using Notepad and save it to a file named Computer.lst. Next, copy the script below to the same folder.

The script will loop through the list of computers, pinging each one with a small packet and tell you whether it's up or down. The script will loop continuously through the list until all computers are up.

Set ws = WScript.CreateObject("WScript.Shell")
Set fs = CreateObject("Scripting.FileSystemObject")

Do
    downComputers = 0
    Set f = fs.OpenTextFile("Computer.lst", 1, True)
    Do While NOT f.AtEndOfStream
    compName = f.ReadLine
    If ws.Run("ping -n 1 -l 1 " & compName, 0, True) = 0 Then
       WScript.Echo compName & " is UP"
    Else
       WScript.Echo compName & " is DOWN"
       downComputers = downComputers + 1
    End If
    Loop
    f.Close
    WScript.Echo "Unreachable computers: " & downComputers
    WScript.Echo
Loop Until downComputers = 0

This works well when you have a group of computers all rebooting at the same time. One of these days I'll recode this into an HTM application with pretty green and red lights.

Now *THIS* is Funny!

You've all seen the viral video of Microsoft's Surface, right? Well check this out...

http://www.flixxy.com/microsoft-surface-computing-spoof.htm

Granting Full Mailbox Access in E2K7

Sometimes administrators need access to another user's mailbox (for example, resource mailboxes). The PowerShell one-liner for this is:

Add-MailboxPermission SF-Conference -AccessRights FullAccess -user admin1234

(where SF-Conference is the mailbox to assign rights to, and admin1234 is the user who gets the rights)

And here's a one-liner that will do the same to all users in the Exchange organization:

Get-Mailbox Add-MailboxPermission -AccessRights FullAccess -user admin1234

I admire her laziness...

NTVDM encountered a hard error

I ran across this one today when trying to run a 16-bit application on a Windows 2003 Server. I run the app and it pops up a Windows dialog box saying, "System Error : NTVDM encountered a hard error."

Turns out that the environment path for "TEMP" and "TMP" is invalid. Normally these paths resolve to their 8.3 pathname, so an enviromental variable set to %USERPROFILE%\Local Settings\Temp will resolve to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp. On my problem server the path resolves to C:\DOCUME~1\ADMINI~1\Local Settings\Temp, note the space in Local Settings. This mix of long filenames and 8.3 names is invalid.

To resolve the issue, I changed the user TEMP and TMP variables to use C:\TEMP.

Custom Address Lists in Exchange 2003

The following procedures describe how to create custom address lists in Exchange Server 2003.

Custom address lists can be used to provide a filtered view of the Global Address List (GAL) based on an LDAP query, similar to the way Query Based Distribution Groups work. It leverages the same mechanism used for the built-in address lists provided by Exchange ("All Contacts", "All Users", etc.). Custom address lists are dynamic and are available to all users in the organization. Common custom address lists might be "All Resources", "All Pagers", etc.

Microsoft article http://technet.microsoft.com/en-us/library/bb124660.aspx describes how to create a custom address list in Exchange 2003. The article http://technet.microsoft.com/en-us/library/bb124384.aspx describes how to create one in Exchange 2007.

Once you create the new address list, you must configure a filter. The following is an LDAP query example that will filter all contacts with the word "carpenter" in the Notes field in the Telephone tab in AD. It is written as a single line, but is wrapped here for clarity.

(&(&(&(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=contact)) )))(objectCategory=user)(info=*carpenter*)))

Note that objectClass could be changed from "contact" to "user" to filter user objects. The word info in this query is the AD attribute we're searching for. Any AD attribute can be used. Use ADSIEdit to view attribute names and values.

The search string above is "*carpenter*, which uses wildcards and means "contains the word 'carpenter'". A search for "carpenter" (no wildcards) will match only the word. The string "carpenter*" (trailing *) means "begins with the word". The string "*carpenter" means "ends with the word". The search sting is not case sensitive, but it must be spelled correctly to match the filter.

If you were to create two address lists, one for "All Plumbers" and another for "All Carpenters", and the Notes field for a contact contains "Plumber, Carpenter", the contact will be included in both custom address lists.

As another example, this filter can be used for an address list for resource mailboxes, such as conference rooms. Just be sure to begin the display name for the resource mailboxes with "ZZ-".

(&(&(&(& (mailnickname=*) ( (&(objectCategory=person)(objectClass=user)) )))(objectCategory=user)(displayName=zz-*)))

Note: Because custom address lists are dynamically created by Exchange, they are only available to users who are connected to an Exchange server. Users using Cached Exchange Mode who are working offline will not have access to the custom address lists since Outlook can only display one container (the OAB). All contacts will still show up in the OAB.

I've used this process for many clients of all sizes and it works great, with no noticeable affect on AD or Exchange performance.

Today in History

On this date in 1920, the US Postal Service rules children may not be sent via parcel post. Thought you'd like to know.

Buses of Adventure

Wow, we haven't even made it to the party yet and we're already having an adventure.

After waiting outside for 45 minutes through two rainstorms, we finally got on a bus that could hold more than two people. Funny, apparently know one told the bus driver that he was supposed to go to Islands of Adventure because he drove us back to the conference center. Over 50 wet people nearly took over the bus when he stopped and asked, "Where are we going?"

AARRRGGHHHHH!!!

Exchange 2007 High Availability Sessions

Today was an "all Exchange, all the time" day. The sessions I attended dealt with Exchange 2007 high availability and disaster recovery.

One was presented by Ayla Kol entitled, "High Availability in Microsoft Exchange Server 2007 and Exchange Server 2007 Service Pack 1". She did a good job explaining what's offered in E2K7 RTM for HA and went on to explain what's going to be new in SP1. Here are the highlights for RTM:

• Windows 2003 needs KB921181 to enable File Share Witness (FSW)
• Continuous Cluster Replication (CCR) is limited to 2 nodes
• CCR requires hardware from the Geographically Dispersed Cluster category of the HCL
• FSW should be on hub in primary site
• CCR nodes must be in the same subnet. This poses a problem for geo-clustering
• Best Practice to use a CNAME record for the FSW name. This provides easier failover
• Best Practice to increase tolerance of heartbeat failures to 10
• Log shipping to the passive node is a pull model. The Replication Service monitors logs
• Divergence = loss of mailbox data. This is what happens in a "lossy" recovery. Normally, in CCR the hub's transport dumpster will backfill the recovered node with missing data.
• LLR = lost log resilience. This is what the transport dumpster is for.
• The transport dumpster works only with CCR in RTM. It will work with LCR in SP1
• Recovery from transport dumpster is designed to backfill within 30 seconds
• SP1 will have a GUI for cluster management (finally!)

And now for what we've all been waiting for, Single Copy Replication (SCR)!

• SCR will be included in SP1
• Possible scenarios include: Standalone server to SCR, LCR to SCR, and CCR cluster to SCR
• Designed for datacenters
• CCR can use dissimilar hardware. This offers simplified hardware and storage requirements. Does not require hardware from the Geographically Dispersed Cluster category of the HCL
• No subnet requirements! Can work across different subnets, unlike CCR
• Only works with one database per storage group
• Must be same paths

In a future blog, I hope to write more about CCR and SCR. For now, we're off to the TechEd attendee party at Islands of Adventure. The kids are gonna have a blast!

Fun Times at TechEd

Had a good time at the Microsoft Influencer and Double-Take parties last night. Microsoft's party was at Jimmy Buffett's Margaritaville and Double-Take's was at the Hard Rock, both in Universal Studios CityWalk.

Lots of good beer, food, music, and did I mention beer? Hard to say which was better. Double-Take's live band was members of the Double-Take team. Pretty talented bunch of guys!

Today I'm doing sessions on Exchange 2007 sizing and storage. Well, off to the sessions!

Good Day Today

Today was a good session day. I got to start and end it with Marcus Murray, who finished the day to a PACKED session in the TLC Library showing how easy it is to perform a buffer overrun exploit. Scary, scary stuff. The guy is a rockstar.

Other sessions included Paul Robichaux, talking about Forefront Security for Exchange, and a good session on architecting and upgrading WSUS 3.0.

I got to see our friends at Sam's Publishing in the vendor booth. Sams publishes the Microsoft "Unleashed" series, including Microsoft Exchange Server 2007 Unleashed and Microsoft Exchange Server 2003 Unleashed, both of which I am a cowriter of. Fellow CCO consultant, Michael Noel was there at the Sams booth on Tuesday. Be sure to check out his sessions on SharePoint 2007 here at TechEd!

I'll post a summary of the items discussed at the WSUS session in a future blog. For now, I'm going to get ready for the Microsoft Influencer's Party at Margaritaville and the Double-Take party at the Hard Rock. Woo-hoo!

Knocked my Socks Off

My first session this morning was "Why I can Hack Your Network in a Day!", by Marcus Murray. The information and demos he gave were absolutely frightening. He showed how to gain full access to almost any domain with ease. Amazing stuff. It's his first US TechEd and I'm sure it won't be his last. Now if he'd only do a session on securing networks, I'll sleep better.

I'm a Weener!

I just found out that I won a Dr. Scripto bobblehead doll! Now, my training is complete.

Actually, this is just the motivation I need to plug away when I'm having trouble with an ADSI script.

Thanks, Scripting Guys!!!

Exchange 2007 SP1

Some of the details for Exchange Server 2007 Service Pack 1 were released at a session I attended yesterday. Here are some of the new and improved features:

• Public Folders are available in OWA. I like the fact that they will display in the same OWA instance, rather than a new window like Exchange 2003 does.
• Quota notifications in OWA. OWA will no display banner bars if you are approaching your mailbox size limit.
• Web ready opens Office 2007 documents
• Creation and manaement of server-side rules
• S/MIME support
• Ability to recover deleted items
• Ability to permanently delete items from the dumpster
• Confirmation of successful wipe of mobile device
• Ability to add custom applications to OWA
• Move-mail cmdlet can export to a Unicode PST file. No more 2GB limit!
• Powershell syntax improvements
• ESM adds pubic folder management tools
• ESM adds cluster configuration tools
• ESM adds POP/IMAP configuration
• ESM adds "Send as" permissioning
• ESM adds Delegate managment
• ESM adds Folder level permissions
• ID translation across Exchange orgs
• SCR (Single Copy Replication)
• IRM (Information Rights Management) prefetching to boost performance
• IPV6 support

E2K7 SP1 will require Windows SP2.

"Spare No Expense"

Florida is flat. So flat, that Microsoft imported their own mountain right in front of the conference center. I guess that's so the the people from Colorado feel more at home.

Last night was the "official" opening of the vendor areas and reception. I got my bodyweight in t-shirts. One of my colleagues got so much stuff he broke a strap off his Teched backpack.

Today I'll be starting the day with a deep dive into Windows Server 2008 Core and command line administration. This afternoon I'll be participating in focus groups around Windows Mobile security and the Microsoft Solutions Accelerators.

The weather has been nice so far, but we may expect some rain today or tomorrow.

Let the swagging begin!

So while I was attending Steve Riley's presentation on the 'Internet Based Data Center' the vendor area and TLCs opened up. Lines are forming for t-shirts, pens, and plastic trinkets. What's the best swag you've gotten so far?

Pip, plip-plip-plip

A common sound heard around TechEd. It's the sound of pen caps spontaneously falling off the fine quality pens attached to everyone's badge holders. You'd think a small detail like this would be thought out a bit better...

Nerd control at TechEd

Cracks me up. I'm sitting in the conference hall where we're waiting for the morning keynote session. The "red shirts" are herding everyone down one isle, around and backup another isle, essentially making a "nerd parade" for the seated occupants.

Breakfast at the venue was good this morning, but included some hot black water beverage that was billed as "coffee", but most certainly wasn't.

Most of my sessions today are for unified communications, but I have a couple of Windows Server 2008 sessions, too. Tonight's the opening of the vendor floor. Looking forward to that.

Live from TechEd

I'm attending the Exchange pre-conference today. We got here early to register and get our goodie bag. Much better than last year's "man purse", this year Microsft is giving out backpacks similar to the one from TechEd 2004 (San Diego). The only gripe I have is that the zippers get jammed all the time.

The pre-con is pretty good so far. The speakers are knowledgeable and there's lots of good hands on labs.

Greetings from Orlando

Well, the family and I have arrived in Orlando. We just settled in at the hotel and I'll be attending the Exchange 2007 pre-conference tomorrow. Lots of techies here and Microsoft has a good presence all over town. Even our room keys advertise Microsoft/BI Business Intelligence.

I'll right a review of the pre-conference tomorrow.

Being a Cursor is Hard Work

So you think it's easy being a mouse cursor? Go to http://www.1-click.jp/ and move your cursor over the super magnifying dot to see what's really going on inside your computer...

Ontrack PowerControls Rocks!

PowerControls allows you to open a raw Exchange MDB file and export the data from it. You can export to a PST or directly into a live Exchange database.

I've used this utility to recover Exchange data for a couple of clients and it works perfectly. Does just what it needs to do and nothing more, which explains its lightweight size of only 16MB. Check it out at http://www.ontrackpowercontrols.com/