Summary:

You get a message that the Transport Service is unable to offer the STARTTLS SMTP verb for "fqdn.yourdomain.com".  The fix is to tell Exchange to use the existing certificate for SMTP as well.

Problem Description:

Event Type: Error
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12014
Description:
Microsoft Exchange couldn't find a certificate that contains the domain name FQDN.domain.com in the personal store on the local computer. Therefore, it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of FQDN.domain.com. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.

Solution:

Fire up the Exchange shell. =)

  1. Identify the certificate currently installed, selecting the properties we care about:
    Get-ExchangeCertificate | fl CertificateDomains, Services, thumbprint, status, isSelfSigned
    (We are looking for the certificate that contains the FQDN, is valid, active, and presumably not self-signed.  We want the thumbprint of that certificate.  You can also use a filter of * to get all properties/attributes, i.e. Get-ExchangeCertificate | fl *)
  2. Take the thumbprint of the certificate in question and enable it for SMTP:
    Enable-ExchangeCertificate -services IIS, UM, SMTP, IMAP, POP -thumbprint XXXXXXXX
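The same two steps, as an added script that is not part of the original post: it collects every connector FQDN (the names event 12014 complains about), finds a valid, CA-issued certificate covering each one, and only calls Enable-ExchangeCertificate when you flip the constructed `$apply` switch. It assumes the Exchange 2007 Management Shell; the wildcard-matching helper is mine.

```powershell
# Added example (not from the original post).  Assumes the Exchange 2007
# Management Shell.  $apply is a constructed switch: $false reports only,
# $true actually runs Enable-ExchangeCertificate.
$apply = $false

# True if $name is covered by one of the certificate's domains (exact or *.wildcard,
# where a wildcard covers exactly one label, as TLS clients expect)
function Test-CertCoversName($cert, $name) {
    foreach ($d in $cert.CertificateDomains) {
        $dom = "$d".ToLower()
        if ($dom -eq $name) { return $true }
        if ($dom.StartsWith('*.') -and $name -like $dom -and
            ($name.Split('.').Length -eq $dom.Split('.').Length)) { return $true }
    }
    return $false
}

# FQDNs the connectors present in their banner; these must match a certificate name
$fqdns = @(Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }) +
         @(Get-SendConnector    | ForEach-Object { "$($_.Fqdn)" }) |
         Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

$certs = Get-ExchangeCertificate
foreach ($fqdn in $fqdns) {
    # Usable: covers the name, chain is trusted (Status Valid), not expired, not self-signed
    $match = $certs | Where-Object {
        (Test-CertCoversName $_ $fqdn) -and $_.Status -eq 'Valid' -and
        $_.NotAfter -gt (Get-Date) -and -not $_.IsSelfSigned }
    if (-not $match) {
        Write-Warning "No valid CA-issued certificate covers $fqdn; STARTTLS will not be offered for it"
        continue
    }
    foreach ($cert in @($match)) {
        $current = "$($cert.Services)"          # e.g. "IMAP, POP, IIS" or "None"
        Write-Host ("{0,-30} {1} services={2}" -f $fqdn, $cert.Thumbprint, $current)
        if ($current -notmatch 'SMTP') {
            # Keep the services already bound to this certificate and add SMTP
            $svc = @($current.Split(',') | ForEach-Object { $_.Trim() } |
                     Where-Object { $_ -and $_ -ne 'None' }) + 'SMTP'
            $svcList = [string]::Join(',', [string[]]$svc)
            Write-Host "  -> Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services $svcList"
            if ($apply) { Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $svcList }
        }
    }
}
```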

Further reading:

http://msexchangeteam.com/archive/2007/07/02/445698.aspx


Categories: Exchange 2007 | IT

Far too often, I come across RSS feeds put up by print magazines and newspapers that completely defeat the purpose of RSS feeds.

I understand that release cycles of articles are supposed to line up; a whole bunch of articles may come out on one day, followed by a break.  But the problem is, some of these publications actually release articles THROUGHOUT the day - a visit to their website, as well as the timestamps on articles, reveals this.

Alas, the RSS feeds do not reflect this.

(Yes, I deliberately put the image inline just to make a point.)

The purpose of the RSS feed is to make content available to your readers as it becomes available.  A sudden flood of 50-100 articles (as shown in this screenshot above) is quite irritating.  The problem is compounded by the fact that the "RSS" feed shows a subject field, and a link.  No summary.  No synopsis.  No details.  Just a "catchy" subject.

If you're not going to release articles as they're finished, and prefer to release 50 articles at the same time, then perhaps a digest form is best.  Why not just syndicate these titles, packaged into 1 post?  If you're going to use cryptic, uninformative titles, then a 1 line summary is simple courtesy to a reader.

This "RSS" feed is getting removed from my reader.  I just mark all as read, anyway. =)


Categories:

July 13, 2007
@ 10:23 AM

Abstract

In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the nothing to hide argument. When asked about government surveillance and data mining, many people respond by declaring: I've got nothing to hide. According to the nothing to hide argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The nothing to hide argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the nothing to hide argument and exposes its faulty underpinnings. 

Keywords

privacy, nothing to hide, data mining, surveillance

Paper

SSRN-id998565.pdf (235.95 KB)

Source

SSRN via http://www.schneier.com/blog/archives/2007/07/privacy_and_the.html


Categories:


Categories: IT

July 12, 2007
@ 09:34 AM

Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.

AD Explorer also includes the ability to save snapshots of an AD database for off-line viewing and comparisons. When you load a saved snapshot, you can navigate and explore it as you would a live database. If you have two snapshots of an AD database, you can use AD Explorer's comparison functionality to see what objects, attributes and security permissions changed between them.

AD Explorer works on Windows 2000 and higher.

http://www.microsoft.com/technet/sysinternals/utilities/adexplorer.mspx


Categories: IT

July 9, 2007
@ 05:04 PM

Yep - my blog got spammed.

http://www.resquel.com/ssb/PermaLink,guid,ac6327d4-b323-4b92-9311-50f47efd137a.aspx has a nice tool to get rid of DasBlog referral spam.

Hopefully that cleans things up... but how did they do it...?  No time to waste figuring it out.


Categories: IT

July 9, 2007
@ 08:32 AM

Got a nice giggle out of this one.


Categories:

Problem

ActiveSync devices, and Outlook clients happily sync against an Exchange 2003 server.

Then you migrate to Exchange 2007.  "Error 0x80072f0d" starts appearing on the devices.  If you publish (via ISA) your RPC directory without HTTPS/SSL encryption, everything works fine.

No matter how you install your CA cert - it doesn't work.  Same error message.

Discussion

The reason behind this is because in Exchange 2007, the Autodiscover service – which is used to find things like free/busy, OOF, Automatic e-mail profile configuration, OAB, etc for Outlook 2007 clients – requires SSL. Therefore, the certificate used needs to have the FQDN of Autodiscover added as a Subject Alternative Name.

As you may know, when you create a certificate there's a 'common name' associated with that certificate...usually in the form of something like "mail.domain.com."

The Subject Alternative Name field is used to add additional DNS names to the certificate. So if the certificate doesn't have a SAN entry for autodiscover.domain.com, requests to the Autodiscover service won't validate. If you are using Outlook 2007 clients connecting remotely via RPC over HTTPS and purchasing a 3rd party certificate, you will need to ask your certificate vendor for a certificate that includes the Subject Alternative Name. The SAN entries to include in a certificate request sent to a 3rd party or Microsoft CA are documented below.

Please note that the new certificate from your 3rd party certificate vendor or internal CA should contain the "Subject Alternative Name" (SAN) extension with the following DNS values:

DNS Name = Internet Published OWA URL
DNS Name = CAS machine NETBIOS name
DNS Name = CAS machine Full Computer  Name
DNS Name = Internal Domain Name (FQDN )
DNS Name = autodiscover.<InternalDomainName>
DNS Name = autodiscover.<ExternalDomainName>

Please note the first DNS name should always be the Internet Published OWA URL. The order of the other DNS names doesn't matter.
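The SAN list above as an added check-and-request script, not part of the original post: it assembles the six names in the prescribed order, compares them with the certificate currently bound to IIS, and if anything is missing generates a request with New-ExchangeCertificate. It assumes the Exchange 2007 Management Shell; the domain names and the request path are constructed placeholders.

```powershell
# Added example (not from the original post).  Assumes the Exchange 2007
# Management Shell.  Domain names below are constructed placeholders.
$owaUrl       = 'mail.example.com'     # Internet published OWA URL (must be first)
$internalFqdn = 'corp.example.local'   # internal domain name
$externalFqdn = 'example.com'          # external domain name
$casNetbios   = $env:COMPUTERNAME
$casFqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Order matters only for the first entry; the others may be in any order
$sanList = @($owaUrl, $casNetbios, $casFqdn, $internalFqdn,
             "autodiscover.$internalFqdn", "autodiscover.$externalFqdn")

# Compare against the non-self-signed certificate bound to IIS (what OWA/Autodiscover use)
$iisCert = Get-ExchangeCertificate |
           Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned }
$present = @()
if ($iisCert) {
    $present = @($iisCert | ForEach-Object { $_.CertificateDomains } |
                ForEach-Object { "$_".ToLower() })
}
$missing = @($sanList | Where-Object { $present -notcontains $_.ToLower() })

if ($missing.Count -eq 0) {
    Write-Host "Certificate bound to IIS already covers all required SAN entries"
} else {
    Write-Warning ("Missing SAN entries: " + [string]::Join(', ', [string[]]$missing))
    # Generate the CSR.  -DomainName preserves the order given, so the OWA URL stays first.
    # Send the .req file to the 3rd party CA or submit it to the internal Microsoft CA.
    $reqPath = 'C:\certreq\cas-san.req'   # constructed path
    New-ExchangeCertificate -GenerateRequest -Path $reqPath -KeySize 2048 `
        -SubjectName "cn=$owaUrl" -DomainName $sanList -PrivateKeyExportable $true
    Write-Host "Request written to $reqPath.  When the CA returns the certificate:"
    Write-Host "  Import-ExchangeCertificate, then Enable-ExchangeCertificate -Services IIS"
}
```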


Categories: Exchange 2007 | IT

Summary

An error occurs while migrating mail from mailboxes on a legacy Exchange 2003 server, when moving to an Exchange 2007 mailbox server.

Error
The mailbox has been moved, but an unexpected error occurred while trying to apply policies or clean source mailbox: An Exchange 2007 server on which an address list service is active cannot be found.

An Exchange 2007 server on which an address list service is active cannot be found.

A dump is being generated.

Solution

  • Start Microsoft Exchange System Attendant
  • If the service repeatedly bombs out, verify functionality of your DCs - and the global catalogs
    • Run "netdom query fsmo" (from Support Tools)
    • Next, run "dcdiag /s:SERVER /v" where SERVER is each of the servers handling roles above, and all of your DCs.
    • Run "netdiag" on each of your DCs as necessary to verify that the NICs are functional.  Ensure the NICs are configured to register themselves in the DNS.
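The checks in that list, as an added script that is not part of the original post: it reports the System Attendant state, runs netdom query fsmo, enumerates the DCs and GCs through .NET (so no netdom output parsing), runs dcdiag against each DC and surfaces failed tests, and prints the netdiag step that has to be run on each DC itself. It assumes the Support Tools (netdom, dcdiag) are on the path, a domain-admin shell, and a constructed log directory.

```powershell
# Added example (not from the original post).  Assumes netdom/dcdiag on the
# path and a shell running as a domain admin.  $logDir is a constructed path.
$logDir = 'C:\dcdiag-logs'
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Is System Attendant up?  It provides the address list service the move complained about.
$sa = Get-Service MSExchangeSA -ErrorAction SilentlyContinue
if ($sa) { Write-Host "MSExchangeSA: $($sa.Status)" }
else     { Write-Warning "MSExchangeSA service not found on this host (run this on the Exchange server)" }

# Step 1: who holds the FSMO roles
netdom query fsmo

# Enumerate DCs and GCs via .NET rather than scraping netdom output
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = @($domain.DomainControllers | ForEach-Object { $_.Name })
$gcs = @($domain.Forest.GlobalCatalogs | ForEach-Object { $_.Name })
Write-Host ("DCs: {0}`nGCs: {1}" -f [string]::Join(', ', [string[]]$dcs),
                                     [string]::Join(', ', [string[]]$gcs))
if ($gcs.Count -eq 0) { Write-Warning "No global catalog found; Exchange needs at least one" }

# Step 2: verbose dcdiag against every DC, keep the log, surface failed tests
foreach ($dc in $dcs) {
    $log = Join-Path $logDir "dcdiag-$dc.txt"
    dcdiag "/s:$dc" /v | Out-File $log
    $failed = @(Get-Content $log | Where-Object { $_ -match 'failed test' })
    if ($failed.Count -gt 0) {
        Write-Warning "$dc : $($failed.Count) failed test(s), see $log"
        $failed | ForEach-Object { Write-Host "  $_" }
    } else { Write-Host "$dc : dcdiag passed" }
}

# Step 3: netdiag checks the local NICs/DNS registration, so it runs on each DC itself
$dcs | ForEach-Object { Write-Host "On $_ run: netdiag /v   (confirm the NIC registers in DNS)" }
```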

Categories: Exchange 2007 | IT

Background

While installing the first Exchange 2007 server in an Exchange 2003 domain, setup fails during /PREPAREAD.

Error Message

Preparing Exchange Setup
No server roles will be installed

Performing Microsoft Exchange Server Prerequisite Check
    Organization Checks              ......................... COMPLETED
Configuring Microsoft Exchange Server
    Organization Preparation         ......................... FAILED

The object 'CN=All Groups,CN=All Address Lists,CN=Address Lists Container,CN=<name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<name>,DC=<name>,DC=<ending>' already exists.

This can also happen to "All Contacts" and "All Users", and is likely inherited from an Exchange 5.5/2000/2003 upgrade.

Solution

  1. Access ADSIEdit (available via Support Tools on the Server CD, \SUPPORT)
  2. Open Configuration, Configuration Folder, Services, Microsoft Exchange
  3. Open the Domain folder (i.e. "Company Name")
  4. Address List Container, All Address Lists
  5. Right click on each of All Contacts, All Groups, All Users and choose Properties.
  6. Locate the property "purportedSearch", of type "Unicode String", and verify its contents as follows:
    All Contacts
    Replace
    (& (| (mail=*) (proxyAddresses=*) (textEncodedORAddress=*)) (| (& (objectCategory=person) (objectClass=contact)) ))
    with
    (& (mailnickname=*) (| (objectCategory=group) ))
    All Groups
    Replace
    (& (| (mail=*) (proxyAddresses=*) (textEncodedORAddress=*)) (| (objectCategory=group) ))
    with
    (& (mailnickname=*) (| (objectCategory=group) ))
    All Users
    Replace
    (& (| (mail=*) (proxyAddresses=*) (textEncodedORAddress=*)) (| (& (objectCategory=person) (objectClass=user)) ))
    with
    (& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))

    Be careful with wraparound: each filter is a single line.
    Update: http://support.microsoft.com/kb/936907/en-us may have more information that you may find useful!
  7. Re-attempt setup /prepareAD
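A way to verify step 6 before re-running setup, as an added script that is not part of the original post: it reads purportedSearch for the three default address lists directly from the configuration partition and compares each value (whitespace ignored) with the filters given above, printing the DN and the current value on a mismatch. It assumes a domain-joined host with read access to the configuration container; the expected filters are copied from the steps above as written.

```powershell
# Added example (not from the original post).  Expected filters are copied
# verbatim from the steps above; comparison ignores whitespace.
$expected = @{
  'All Contacts' = '(& (mailnickname=*) (| (objectCategory=group) ))'
  'All Groups'   = '(& (mailnickname=*) (| (objectCategory=group) ))'
  'All Users'    = '(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))'
}

# Find the configuration partition and search below CN=Services for the address lists
$rootDse  = [ADSI]'LDAP://RootDSE'
$configDn = "$($rootDse.configurationNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Services,$configDn"
$searcher.Filter = '(&(objectClass=addressBookContainer)(|(cn=All Contacts)(cn=All Groups)(cn=All Users)))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'purportedSearch', 'distinguishedName'))

$results = $searcher.FindAll()
if ($results.Count -eq 0) { Write-Warning "No default address lists found under CN=Services,$configDn" }
foreach ($r in $results) {
    # Result property names come back lower-cased
    $cn     = "$($r.Properties['cn'][0])"
    $actual = "$($r.Properties['purportedsearch'][0])"
    $want   = $expected[$cn]
    $ok     = ($actual -replace '\s', '') -eq ($want -replace '\s', '')
    Write-Host ("{0,-12} {1}" -f $cn, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
    if (-not $ok) {
        Write-Host "  DN:      $($r.Properties['distinguishedname'][0])"
        Write-Host "  current: $actual"
        Write-Host "  wanted:  $want"
    }
}
```

Run it once before editing to see the legacy filters, and again after the ADSIEdit change to confirm all three report OK.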

Categories: Exchange 2007 | IT

Background

An ADC was previously used in a domain to migrate from Exchange 5.5.  The server was formatted/lost without removal of the ADC, leaving ghosted AD entries in the metabase.

Error message

     One or more Active Directory Connectors have been found. Please remove all Active Directory Connectors before installing Exchange 2007.

Solution

  1. ADC was installed and uninstalled from Exchange 2003 media.  \ADC\i386.
  2. Replicate all DC connections in Sites and Services.
  3. Next, access ADSIEdit - install from \SUPPORT on Server 2003 disk if necessary.
  4. Open the Configuration container, the Configuration folder, CN=Services.
  5. Open the Microsoft Exchange folder, and the Active Directory Connections folder.
  6. Only the default ADC policy should exist - DELETE any references to Exchange 5.5 in a secondary connector.
  7. The image below shows a fully functional configuration, with the EXCH/5.5 connection removed.
  8. Replicate all the AD connections via Sites and Services before reattempting installation.

Categories: Exchange 2007 | IT

If, during installation, you are not connected to the Internet, use this checklist to ensure you have the necessary prerequisites installed prior to installing Exchange Server 2007. These checks are done automatically when connected to the Internet during installation. By completing this checklist, your system will be better prepared to deploy Exchange Server 2007.

http://www.microsoft.com/technet/prodtechnol/exchange/2007/deploy/prereqs.mspx?wt.svl=preparing

Categories: Exchange 2007 | IT

Problem

Event Type: Warning
Event Source: MSDTC
Event Category: SVC
Event ID: 53258
Date:  06/07/2007
Time:  12:08:38 AM
User:  N/A
Computer: <name>
Description:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 1524
No Callstack,
 CmdLine: C:\WINDOWS\system32\msdtc.exe

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 05 00 07 80               ...€ 

Solution

  • Start, Control Panel, Administrative Tools.
  • Open Component Services.
  • Open the Console Root, then Component Services.
  • Computers, My Computer.
  • Right click, Properties
  • MSDTC tab, click "Security Configuration" at the bottom under "Transaction Configuration"
  • On the dialog box that opens, click "OK" - with no changes.
  • Restart MS DTC (Right click on My Computer in the tree view.)

Categories: IT

Abstract

Windows 2003 Volume Shadow Services (VSS) scheduled snapshots/backups do not run.
To resolve the problem, delete the file located in "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\" then recreate all scheduled tasks.

Problem

Windows 2003 Volume Shadow Services schedules snapshots based on user schedules.  This functionality does not appear to work on some machines.  Even when VSS is disabled and re-enabled, snapshots do not occur at scheduled times.

Solution

Delete the file located in "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\" then recreate all scheduled tasks.

Discussion

After a machine is promoted to a domain controller, or joined to a domain, these scheduled tasks do not appear to run due to permission problems.  Deleting this file will nuke all scheduled tasks - and everything will have to be rescheduled.  Ensure also that the Task Scheduler service and the Volume Shadow Services are running correctly.

Bibliography

See also http://www.aniltj.com/blog/2005/12/18/SBS2003BackupsNotRunningKeysetDoesNotExistError.aspx


Categories: IT