April 1, 2008
@ 12:46 AM

This blog has moved, and is now available here: http://justinho.com/blog/

The RSS feed is available at http://justinho.com/feed/

There will be no new posts at this new location.


 
Categories: IT

I've become increasingly annoyed at dasBlog the past few months.  It was certainly a good package when I started using it, but so much has changed since 2005... and dasBlog hasn't been updated with any new features, and it seems like the codebase is in dire need of a complete overhaul.

Pending the availability of an import tool, I will be migrating my main website and this blog over to GraffitiCMS, written by the folks at Telligent.  I believe that platform gives me the functionality I need, without requiring the constant attention that dasBlog does.  This would also allow me to clean up my homepage, which is currently quite outdated.

Problems I've had/currently have:

  • The search sucks.  I usually use Google to search my own blog.
  • The "login" feature is inconsistent; even when logged in, some pages randomly render as though I'm not logged in.
  • Google can't index anything properly, so users can't possibly locate anything properly.
  • The configuration file is disgusting to edit

I started the blog on 2005-02-23 07:34:38 PM (February 2005) and the ~500 odd posts will be sucked into Graffiti sometime in the next few weeks, and everything will be consolidated into 1 nice and hopefully clean interface.

More on this soon, hopefully...


 
Categories:

Symptoms:

Some of my users are unable to change their passwords via OWA on Exchange 2007 on Server 2008.  My DCs are running Server 2003.

 

Argh.


 
Categories: Exchange 2007 | IT | Longhorn Server 2008

Since most ISPs block unencrypted SMTP (tcp port 25) outbound connections, I've configured my managed mobile clients to connect to my mail server on port 465 (SMTPS) and use TLS to authenticate to "phone home".

This allows these clients, even on untrusted client IP segments, to authenticate over a secure connection and deliver email reporting their current whereabouts (IP address).

First, configure RemotelyAnywhere to use port 465, and force TLS/SSL.  (Obviously, you'll have to provide a username/password etc. here.)  I created a dedicated mailbox/user for this purpose.

Next, on the Edge Transport machine, create a new receive connector for port 465.  You'll have to rearrange your existing connector(s) to ensure there's no port/scope overlap:

  • Edge Transport
  • New Receive Connector
  • port 465, enable TLS
  • Allow exchange users ONLY
  • In the Shell: Get-ReceiveConnector server\connector | Add-ADPermission -User USERNAME -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

Replace USERNAME with the dedicated user, and server\connector with the identity of the connector.  To get the identity, run "Get-ReceiveConnector" by itself and pick the appropriate entry.  Note that this will force the Exchange Edge server to permit ONLY current Exchange users (i.e., not anonymous/unauthenticated users) to submit mail via SMTPS on port 465.
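The same receive connector built from the Exchange Management Shell instead of the console, with a read-back of the settings that matter. This is an added example, not from the original post: EDGE01, the connector name and svc-phonehome are placeholder names, and the 0.0.0.0 binding and full remote IP range are assumptions to narrow for your own network.

```powershell
# Added example (not from the original post). Placeholder names throughout.
$server    = 'EDGE01'          # Edge Transport server (placeholder)
$connector = 'SMTPS 465'       # connector name (placeholder)
$user      = 'svc-phonehome'   # dedicated mailbox/user (placeholder)

# Receive connector on TCP 465. TLS is offered, Basic authentication is only
# accepted after TLS is up, and ExchangeUsers is the only permission group,
# so anonymous sessions cannot submit mail here.
New-ReceiveConnector -Name $connector -Server $server -Usage Custom `
    -Bindings '0.0.0.0:465' `
    -RemoteIPRanges '0.0.0.0-255.255.255.255' `
    -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS `
    -PermissionGroups ExchangeUsers

# The extended right from the post. It lets the session bypass the sender
# address spoofing check, so grant it to the dedicated account only.
Get-ReceiveConnector "$server\$connector" |
    Add-ADPermission -User $user -ExtendedRights ms-Exch-SMTP-Accept-Any-Sender

# Read back what was configured.
$rc = Get-ReceiveConnector "$server\$connector"
$rc | Format-List Name, Bindings, AuthMechanism, PermissionGroups
$rc | Get-ADPermission -User $user | Format-Table User, ExtendedRights, Deny

# Two things that should never be true on this connector.
if ("$($rc.PermissionGroups)" -match 'AnonymousUsers') {
    Write-Warning "Anonymous submission is allowed on $connector"
}
if ("$($rc.AuthMechanism)" -notmatch 'BasicAuthRequireTLS') {
    Write-Warning "Basic authentication is not tied to TLS on $connector"
}
```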

So now, I have machines that can check their local IPs every X minutes, open a secure connection to my email server, and send an email with their current IP address, on any internet connection that permits tcp port 465 (SMTPS) outbound.


 
Categories: Exchange 2007 | IT

Installing the Hyper-V RC0 update for Windows Server 2008 rendered my virtual machines unable to connect to the network.

I installed the hypervisor - Hyper-V RC0 build today.  After rebooting, my network configuration would not function.  I was unable to add an External network and bind it to the NIC successfully.

I'm running Windows Server 2008 RTM x64, and I had the beta (in-box) Hyper-V code running with virtual machines.  My physical machine has two onboard NICs; one was dedicated for the host, and the other was for the virtual machines.

So I removed the HyperV role, and rebooted the box.

The box hung like this.  I power cycled it, which restored service.  The configuration was "resumed" and the role was successfully removed, with an error.  Unfortunately, the Virtual Switches stayed in Network Connections.  I then reattempted install of the Hyper-V role.  This completed, but with an error: it wasn't able to set up the networking components.

Log Name:      Microsoft-Windows-Hyper-V-Network-Admin
Source:        Microsoft-Windows-Hyper-V-Network
Event ID:      14070
Level:         Error
User:          SYSTEM
Description:
Switch set up failed, name='6d861a9b-39ef-4d01-a181-e163e5a21908', external port='f6400f7a-0dea-4b1f-bf91-3a78b00092f5', internal port='30b4be1c-5c03-48a6-84ed-7f590a3ffae7', NIC='{506E5818-0E27-4E13-8835-DDC8B7393D36}', internal name='9e3e1874-09ab-423b-904e-75420369499f', internal friendly name='New Virtual Network', error=2147749889, mof code=0.
Event Xml:
<Event>
  <System>
    <Provider Name="Microsoft-Windows-Hyper-V-Network" Guid="{0a18ff18-5362-4739-9671-78023d747b70}" />
    <EventID>14070</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <EventRecordID>88</EventRecordID>
    <Correlation />
    <Execution ProcessID="1088" ThreadID="1196" />
    <Channel>Microsoft-Windows-Hyper-V-Network-Admin</Channel>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <NvspSwitchSetupError>
      <Switch>6d861a9b-39ef-4d01-a181-e163e5a21908</Switch>
      <ExternalPortName>f6400f7a-0dea-4b1f-bf91-3a78b00092f5</ExternalPortName>
      <InternalPortName>30b4be1c-5c03-48a6-84ed-7f590a3ffae7</InternalPortName>
      <NIC>{506E5818-0E27-4E13-8835-DDC8B7393D36}</NIC>
      <InternalName>9e3e1874-09ab-423b-904e-75420369499f</InternalName>
      <InternalFriendlyName>New Virtual Network</InternalFriendlyName>
      <Error>2147749889</Error>
      <MofCode>0</MofCode>
    </NvspSwitchSetupError>
  </UserData>
</Event>

I've posted to some MSDN blogs' comments... but I doubt I'll hear back.

So now, I have no Hyper-V machines running anymore, and I can't get rid of the Virtual Network Switches.  I have heard from some people that manually removing the entries in the registry for the NICs will cause everything to "blow up".  I'm unable to delete the Virtual Switches in Network Connections, or in Device Manager.

My physical box has production workloads on it, so I can't blast it away.  Since the "finish line is in sight," I was kind of hoping that these kinds of things wouldn't happen, especially since they shipped the beta I was running inbox with the RTM code.

I can't find any evidence of Hyper-V on Connect, so there doesn't appear to be a way to report this.

Advice:

I would suggest that you remove not only the machines, but also the virtual networks, AND the Hyper-V role, before applying the update for Hyper-V RC0.  Then reinstall the role to make sure things are cleanly in place.

Further reading:

http://support.microsoft.com/kb/949222/ and http://support.microsoft.com/kb/949219


 
Categories: Hyper-V | IT | Longhorn Server 2008

It took me around a day to notice... but after I installed IE8 beta, all my RSS feeds from my "Common Feed List" stopped updating.

As a result, a few things have happened/I have noticed several things:

  • Outlook 2007's RSS folder deletion sucks.  I created a "temp" folder, and dragged all my old folders into the temp folder, then deleted the whole temp folder.  Result of design by committee: Your product sucks at very simple tasks because not all use cases end up being included.
  • RSS feeds are background noise.  And after a day or so, I "miss" the noise.  Makes me wonder if I should be spending more time on important things instead of reading all this "news".  RSS feeds are a form of noise pollution in my life.
  • I manually re-added the 8 or so feeds that I actually need, into Outlook 2007.  Reddit and Digg are both cut, due to the poor signal to noise ratio.
  • IE8 opens a lot more connections - and loads sites faster.  Also mentioned here: http://www.ajaxperformance.com/2008/03/07/ie8-the-performance-implications/
  • Outlook 2007's RSS functionality is... decent... but still leaves much to be desired.  I have 3 machines, each with Outlook on them against my Exchange server.  This means that most of my RSS feeds come in THREE times over.  Who decided THAT would be a good idea?  The committee did.

 


 
Categories: Internet Explorer | IT | Office 2007

March 15, 2008
@ 11:32 PM

I downloaded the nightly trunk of VLC 0.90 on Win32 today.

I've only used it for about 10 minutes, but:

  • New privacy warnings - good idea
  • Volume goes up to 200% - nice
  • The UI has some strange artifacts, but is easy to use
  • The preferences window is usable!
  • Dragging files from UNC \\server\share\filename causes VLC to crash

 

 


 
Categories: IT

For the past few weeks, I've been trying to email users at Yahoo.com.  Their MTAs continuously reject email I send:

421 Message from (209.161.207.163) temporarily deferred - 4.16.50.
Please refer to
http://help.yahoo.com/help/us/mail/defer/defer-06.html

I've already put in reverse DNS entries, so cairo.justinho.com <--> 209.161.207.163 both resolve, whichever way you try.

I'm not even sending spam.  I'm trying to send emails to friends or responding to friends' emails.  I had a Craig's List post a few days ago - and I was responding to a Yahoo user.  But it's no use - I still can't email Yahoo.com users.

I've contacted Yahoo tech support lots of times.  I've requested to be "unblocked" - heck, I've even filled out their form.

Why is it that I somehow need Yahoo's permission to send email to their users?  Why do they even NEED my contact information?  Two weeks since sending all this information they wanted, I STILL can't email @yahoo.com email addresses.

This is ludicrous.  If you are a Yahoo.com user, I strongly suggest you get an email account at another provider.

Applying for Permission to Email Yahoo.com Addresses

  1. Please provide all ACTIVE IP addresses you are currently using to send mail.
  2. Do you have a dedicated IP address or do you use a shared mail server/IP address (i.e., the mail server/IP address is hosted by a service provider and is also being used by organizations other than your own)? If you use a shared server, please specify which service provider you use.
  3. Please indicate all types of email being sent from the servers above, e.g., personal/corporate emails, transactional mailings, mailing list postings, marketing messages, newsletters? (Indicate which IP sends which type of mail, if applicable.)
  4. If you send periodic or subscription-based mailings, please indicate the means by which a user is signed up for your subscription list. 
    1. Do you take any steps to confirm that the subscription is valid, or was initiated by the true owner of the email address?
  5. How many subscribers do you currently have? And approximately how many emails do you send on a monthly basis?
  6. Do you remove email addresses from mailing list if emails to them bounce--i.e., for soft (4xx) and hard (5xx) SMTP response codes?
    1. If yes, how many bounced emails are required before you consider an email address to be inactive and subject to removal from your list?
  7. How long does it typically take for an email address to be removed from your list once an unsubscribe request has been received?
  8. Please provide the URL of your web site, including the links to your Privacy Policy, Affiliate Policy, and/or Terms of Use pages, if available.
  9. Please copy and paste a text-only example of a recent mailing, including the full Internet headers. Or, include the entire error message you're seeing in your SMTP logs if email is being deferred or blocked.
  10. Where possible, Yahoo! uses DomainKeys to determine the original sender of a message. Do you plan to or currently use DomainKeys to authenticate your mailings?
  11. Please provide the following contact information:  Company name, Contact information, Postal Address, Email address

When was the last time you applied for permission to send email to someone?


 
Categories: IT

Background:

I'm running Exchange 2007 SP1 with UR1 on Windows Server 2008 x64.

Problem:

The UI seems to have a few bugs in it.

I opened:

  • Microsoft Exchange Management Console
  • Organization Configuration
  • Hub Transport
  • New Remote Domain...
  • Double click on new Remote Domain... (Properties window)

Weird:

 

  • The title of the tab looks wrong
  • "sender's" has a strange character in it

 
Categories: Exchange 2007 | IT

Whoa.  New feature in my Lenovo Screen Magnifier.  (At least, a new ADVERTISED feature.)

 

In the name of "accessibility", I think this feature is actually more useful than the buttons in Windows / OS X / most shells, as it allows you to use your secondary monitor in a way that is more difficult otherwise: dragging and then maximizing a window on a second screen.

Cool.  A free software upgrade of a utility that actually does something "novel".


 
Categories: IT | ThinkPad

Abstract:

Windows Server 2008 introduces a DNS block feature that may affect the ISA Server automatic discovery mechanism when implementing WPAD using a Windows Server 2008 DNS Server.  Therefore, additional configuration steps are necessary to get WPAD to work, when clients are running against a 2008 DNS server.

Details:

The block feature provides a global query block list to reduce vulnerability associated with dynamic DNS updates. Dynamic update makes it possible for DNS client computers to register and dynamically update their resource records with a DNS server whenever a client changes its network address or host name.  This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address. This convenience comes at a cost, however, because an authorized client can register any unused host name, even a host name that might have special significance for certain applications. This can allow a malicious user to "hijack" a special name and divert certain types of network traffic to that user's computer. WPAD is a commonly deployed protocol vulnerable to this type of hijacking, and by default WPAD lookup is disabled by the blocking mechanism.

If you want to use WPAD with a Windows Server 2008 DNS, note the following behavior:

  • If WPAD entries are configured in DNS before the DNS server is upgraded to Windows Server 2008, no action is required.
  • If you configure or remove WPAD after you deploy the DNS server role on a server running Windows Server 2008, you must update the block list on all DNS servers that host the zones affected by the change. The affected zones are those where you registered the WPAD servers.
  • To update the block list, use the dnscmd command-line tool. Open a command line prompt, and do the following:
    • To check whether the global query block is enabled, type:
      dnscmd /info /enableglobalqueryblocklist
      A value of 1 is returned if the block list is enabled.
    • To display the host names in the current block list, type:
      dnscmd /info /globalqueryblocklist
    • To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type:
      dnscmd /config /enableglobalqueryblocklist 0
    • To remove all names from the block list, type:
      dnscmd /config /globalqueryblocklist
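
A narrower alternative to disabling the block list or emptying it, as an added example that is not from the original post or its source: it takes only wpad off the list and leaves the feature switched on. It assumes the list still holds the two default names, wpad and isatap; DNS01 and DNS02 are placeholder names for the DNS servers hosting the zone where the WPAD record is registered.

```powershell
# Added example (not from the original post). DNS01/DNS02 are placeholders
# for every DNS server that hosts the zone containing the WPAD record.
$dnsServers = 'DNS01', 'DNS02'

foreach ($server in $dnsServers) {
    Write-Host "=== $server : before ==="
    # Is blocking enabled (1) and which names are on the list?
    dnscmd $server /info /enableglobalqueryblocklist
    dnscmd $server /info /globalqueryblocklist

    # Replace the list with isatap only. wpad comes off the list and starts
    # resolving again; isatap stays blocked.
    dnscmd $server /config /globalqueryblocklist isatap

    # Keep the feature itself switched on (1 = enabled).
    dnscmd $server /config /enableglobalqueryblocklist 1

    Write-Host "=== $server : after ==="
    dnscmd $server /info /globalqueryblocklist
}
```

With wpad off the list, any authorized client can again register that name through dynamic update, so the WPAD record should be created statically in the zone before the block is lifted.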

Further reading:

   "DNS Server Global Query Block List" from TechNet at http://technet.microsoft.com/en-us/network/bb629410.aspx.

Source:

http://blogs.technet.com/isablog/archive/2008/02/19/windows-server-2008-dns-block-feature.aspx


 
Categories: ISA Server | IT | Longhorn Server 2008

Abstract:

Even with Exchange 2007 SP1 installed, some users are still unable to edit rules in Outlook Web Access (OWA).  The problem appears to be caused by rules that are present that OWA cannot handle; removing the problematic rules appears to restore access.  The logging is quite poor as the UI doesn't really provide any reason for the failure.

Potential Causes:

  • Remove any rules that contain "and stop processing more rules"
  • Remove any rules that contain "clear message's categories"

 

  • Rules that have the toolset icon next to them, as above, are not editable in OWA.
  • First log on in OWA after mailbox is moved may result in rules not being editable.  Log off and log back on.
  • Ensure Rules are Enabled in Exchange System Manager (Server Configuration, Client Access, Right click on OWA directory, Properties, Segmentation tab)

 
Categories: Exchange 2007 | IT

The Microsoft Transporter Suite is a set of interoperability and migration tools to migrate content from Lotus Domino servers or Generic POP/IMAP servers. For Lotus Domino, the suite contains a set of tools for Directory and Free/Busy interoperability between Lotus Domino 6 or 7 and Exchange Server 2007 and Windows Server 2003 Active Directory. In addition, for Lotus Domino, the suite contains migration tools to migrate users, groups, personal address lists, mailboxes, personal mail archives, and applications from Lotus Domino 5, 6 or 7 to Active Directory, Exchange Server 2007, and Windows SharePoint Services 3.0. For generic POP/IMAP servers, the suite contains a set of tools to bulk migrate mailboxes from any generic email servers that support the POP3 or IMAP4 protocol to mailboxes in Exchange Server 2007.

http://www.microsoft.com/downloads/details.aspx?FamilyID=35fc4205-792b-4306-8e4b-0de9cce72172&displaylang=en


 
Categories: Exchange 2007

Abstract:

My quest to eliminate the Dell CERC 1.5/6ch SATA (due to its poor performance) from my production environment has been a long one as I opted to wait for Windows Server 2008 and Exchange 2007 before migrating to my 3Ware card.  This post contains a summary of all the issues I encounter, and will be updated as I proceed.

Solutions:

 


 
Categories: Exchange 2007 | IT | Longhorn Server 2008

Abstract:

Outlook Anywhere may not work properly on a Windows Server 2008 machine with Exchange 2007.  The DSAccess RPC proxy listens on ports 6001 and 6002 on the IPv6 stack, and listens on ports 6001, 6002, and 6004 on IPv4.  The missing listener on port 6004 causes connectivity to fail.
A workaround exists and is documented which gets this working, regardless of where the RPC proxy is installed (on the Exchange box, or otherwise.)

Details:

If your RPC proxy is on 2008, but not on the same box as Exchange 2007, remove the IPv6 binding to force the proxy to communicate with Exchange on IPv4.

Otherwise, modify your hosts file, as per: http://weblog.bassq.nl/?p=79

  • Comment out the line “::1 localhost”
  • Add the following two lines:
    <IPv4 address> <hostname of the computer>
    <IPv4 address> <FQDN of the computer>

So, for my server, I have:
10.0.0.5 servername
10.0.0.5 servername.subdomain.domain.com

To confirm functionality:

Open telnet to localhost 6004

Sources:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2975122&SiteID=17


 
Categories: Exchange 2007 | IT | Longhorn Server 2008