While preparing to get certified for BES 5.0 I created a VM with Small Business Server 2003 R2 on my Hyper-V server at home so I could get started quickly with the new BES. I installed SBS 2003 because installing BES 5.0 on SBS 2008 is not supported by RIM, and by installing an SBS I would also have an Exchange server to test and connect the BES server to. After the SBS was installed I downloaded the trial software from the RIM website and started installing.

The first thing I bumped into was that the setup detected an existing MSDE (from the SBS SharePoint Services) and did not create a new instance. Later in the setup I couldn’t connect to the MSDE, so I quickly altered the ini file and ran the MSDE setup; man, that was a long time ago :-). After that setup finished and I changed the network connection settings for the MSDE, the BES server setup continued without problems. If you don’t know how to set the network connection settings, check out KB18176 from RIM.
NOTE: If you don’t have the correct connection settings you will get this error in the BES log files, more specifically in the BBAS log file: The TCP/IP connection to the host  has failed. java.net.ConnectException: Connection refused: connect

With BES 5.0 freshly installed I wanted to log on to the new web interface. But then my second problem presented itself. Instead of the page where I should be able to log on I got a nice error page. It did not take long to find out what the problem was: BES 5.0 installed an Apache server and tried to bind to port 443. Again you can use the BBAS log file of the BES, where you will find this error: LifecycleException: Protocol handler initialization failed: java.net.BindException: Address already in use: JVM_Bind:443.
You don’t need the BES log files to figure this one out. You can also look in the Application log of the server, where you will find this event: The description for Event ID ( 4 ) in Source ( BAS-AS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: BAS-AS.
The BlackBerry Administration web page uses SSL, but port 443 was already bound to the Default Web Site of my IIS. The BlackBerry Administration Service – Application Server will also stop if it cannot bind to its configured port. I didn’t want to change the configuration of the IIS server and started searching through the BlackBerry forums. My search led me to KB18175, which describes how you can change the listening port of the BAS (BlackBerry Administration Service).

BES 5.0 is now up and running, let’s get cracking!

The last 2 days I’ve been playing around with this new feature of Windows 7. Before you start downloading the beta of Windows Virtual PC you need to check that your PC (CPU) supports a technology like Intel Virtualization Technology or AMD-V and that it is enabled in the BIOS. After you have installed Windows Virtual PC you need an additional download from the Microsoft website, an MSI package that actually contains a Windows XP virtual machine; that’s why the download is 456 MB.
Once everything is set up you can start the Windows XP virtual machine from your Windows 7. By default the VM uses NAT to connect to the network, but you can change that to whatever you like.

Nothing impressive or new so far, but the cool part is this: you can now install applications in this virtual XP machine and publish them for use in your Windows 7. How cool is that?!
All you have to do is install your software in the virtual XP, open Explorer in the virtual XP, navigate to the All Users Startup folder, add a shortcut to the application there, and you’re done.
If you want to start the application from within Windows 7, simply navigate through the Start menu to Windows Virtual PC, Virtual Windows XP Applications, and there you will find your published applications.

I’ve been using it for 2 days now to run IE6, because some of the corporate intranet sites don’t render correctly in IE8. Before, I solved this with a VM, but now I can simply start IE6 from a shortcut on my desktop. The performance seems to be good, but that will depend on your hardware I guess.

I’m always excited to try out something new, IT-related or not. But as you might have guessed already from the title, this one is IT-related.
Since the first public beta of Windows Seven (build 7000) I’ve had it installed on my laptop in dual boot with Windows Vista. At first I was only using Windows 7 at home, but after a few weeks I started using the beta build at work as well. Why, you might ask? Because I like it!

Lots of people are complaining about the poor performance of Windows Vista and yes, it can be slow sometimes. Well people, wait until you have installed Windows Seven!
Because it’s installed on the same physical machine as my Vista I can compare the performance pretty well. For starters, the boot time is almost twice as fast as Vista, and yes, all of my software is installed just like on the Vista setup. That being said, not only is the boot time much faster, the shutdown is amazingly fast compared to Vista.
The new taskbar has also improved. At first it takes a bit of getting used to, but very quickly you grow to love it and see its advantage. The best feature of the new taskbar is the history of the programs it keeps. You can quickly open documents, web pages and other stuff that you recently used. It’s actually My Recent Documents combined with starting the application you need. This is very user friendly.

Since yesterday I’ve upgraded to RC1 (build 7100). My laptop has a fingerprint reader that I used with my Vista installation but hadn’t used yet in Windows Seven. Your fingerprints can now be managed by Windows out of the box. After scanning some of my fingers I was again surprised by the speed of the OS. Previously in Vista I had to install additional software (from HP in my case) which was really slow: after swiping my finger it could take up to 5 seconds before the fingerprint was approved or rejected. Now with Windows Seven the logon starts immediately after swiping my finger.

There are many more new or improved features in Windows Seven, so make sure to get your copy and install it. I’m sure you’ll like it in no time 🙂

You have probably stumbled upon this problem as well. Your friends or family know you’re into computers and they have bought a new PC with Vista Home Edition installed on it. They want all of their data migrated to the new machine, so what you do is copy the files from the old XP box (if you’re lucky :p) over the network to the Vista box using the admin share. So on the XP box you go to Start, Run and type \\VISTABOX\d$ and you get the credentials window. You enter the credentials and it says the logon was unsuccessful. Strange, because you’ve entered the correct credentials.

This is actually a safety measure that was built into the Windows Vista Home editions. On the Microsoft TechNet website there is an article that gives you a workaround: http://technet.microsoft.com/en-us/library/bb727037.aspx
Microsoft actually recommends that you create your own share, so that you know exactly which share exists, which is a good approach for non-administrators’ PCs. But if you’re an IT-minded guy you probably want to have the admin shares available on your own PC.
Well, it’s possible to do this by creating an extra registry value. Open the registry and go to

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

Right-click in the right pane, create a new DWORD value named LocalAccountTokenFilterPolicy and set its value to 1.
Now reboot the computer and you’re done.
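The same change from PowerShell, as an added example that is not part of the original post: it reads the value first and reports what the current setting means, and only sets it when asked. The registry path and value name are the ones from the post; the function names are my own.

```powershell
# Added example, not part of the original post: inspect the value the post
# describes and, optionally, set it. Only the registry path and value name
# come from the post; the function names are my own.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacFilterState {
    # A missing value and 0 both mean the default: local accounts get a filtered
    # (non-admin) token over the network, so \\host\d$ is refused.
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    $meaning = if ($value -eq 1) {
        'Members of local Administrators get a full admin token over the network; admin shares work'
    } else {
        'Default (UAC remote restriction active); admin shares refused for local accounts'
    }
    [pscustomobject]@{
        Value                     = $value   # $null when the value does not exist yet
        AdminSharesForLocalAdmins = ($value -eq 1)
        Meaning                   = $meaning
    }
}

function Enable-RemoteAdminShares {
    # Creates or overwrites the DWORD with 1; run from an elevated prompt, then
    # reboot as the post says.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD value to 1')) {
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-RemoteUacFilterState
# Enable-RemoteAdminShares -WhatIf    # preview the change; drop -WhatIf to apply it
```

With the value set to 1, every member of the local Administrators group can use the admin shares over the network, so only do this on a machine whose local administrator passwords are unique and strong.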

HAPPY HOLIDAYS and best wishes for 2009!!!

Wondering if you can use Microsoft Hyper-V on your machine? Well, your system will have to:

  • have a 64-bit capable CPU;
  • have DEP capability (Data Execution Prevention);
  • have a CPU that supports hardware-assisted virtualization (Intel VT or AMD-V).

If you don’t know this you can use a tool called SecurAble. You can download the tool from this website: http://www.grc.com/securable.htm. It’s a free tool that will test these things for you and report them.
Note that in some cases DEP and VT need to be enabled in the BIOS, so be sure to check for those options on your system if the result comes back negative.

If you have an HP server you can also check this URL to see if your server supports Hyper-V: http://h71028.www7.hp.com/enterprise/cache/458915-0-0-0-121.html.
Other vendors will probably have a similar matrix for their systems.
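A scripted version of the three checks SecurAble performs, as an added example that is not part of the original post or of the GRC tool. It assumes a Windows version where Win32_Processor exposes VMMonitorModeExtensions and VirtualizationFirmwareEnabled (Windows 8 / Server 2012 and later); on the Vista/2008-era systems the post targets you still need SecurAble.

```powershell
# Added example, not part of the original post: reads the three Hyper-V
# prerequisites from CIM. Assumption: VMMonitorModeExtensions and
# VirtualizationFirmwareEnabled exist on Win32_Processor only on Windows 8 /
# Server 2012 and later; the function name is my own.
function Test-HyperVCapability {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    $x64 = ($cpu.AddressWidth -eq 64)                      # 64-bit capable CPU
    $dep = [bool]$os.DataExecutionPrevention_Available     # DEP (NX/XD) usable
    $vt  = [bool]$cpu.VMMonitorModeExtensions              # CPU has VT-x / AMD-V
    # Reported as $false both when the BIOS option is off and when a hypervisor
    # (Hyper-V itself) is already running, so read it with that in mind.
    $vtOn = [bool]$cpu.VirtualizationFirmwareEnabled

    # The post's note: a negative result often means a BIOS setting, not missing hardware.
    $hint = if ($vt -and -not $vtOn) { 'Check the BIOS/UEFI virtualization option' } else { '' }

    [pscustomobject]@{
        Cpu64Bit            = $x64
        DepAvailable        = $dep
        CpuHasVT            = $vt
        VTEnabledInFirmware = $vtOn
        HyperVCapable       = ($x64 -and $dep -and $vt -and $vtOn)
        Hint                = $hint
    }
}

Test-HyperVCapability | Format-List
```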

The last day of what’s been a great week. A quick run along the beach just beside the shore of the ocean, with the sun rising over the horizon. That should get the alcohol out of my system that was consumed in the bar last night :-).
I did almost 22 km this week in Barcelona and I must say that there are lots of people running in Barcelona. I crossed paths with many runners these past few days. After a shower and breakfast it’s back to the conference center.

1st session today is Auditing in Windows Server 2008. Auditing is something lots of companies think they should have only after an event has occurred where data was breached, settings were changed, something was misconfigured, etc., and they want to know who did what, where and when. The problem is that you can’t audit everything: it’s not feasible to implement or manage and it would impact the performance of your systems. Tracking changes is hard to do; think about when you open the AD Users and Computers console, do you know, or even think about, which DC you are logged on to?
To develop an audit plan your first step should be to determine what needs to be audited. Then you need to identify how the information is logged in the security event log, because this varies with the type of event that has occurred. The third step is to implement the audit policy and ACLs. In Windows Server 2008 there are subgroups defined in the Audit Policy which makes it easier to manage. And finally you need to collect this information. My new friend Operations Manager can help you with this by using ACS, Audit Collection Services. Isn’t this a nice product :-).

For the second session I was indecisive about which session to follow, so I did another hands-on lab on Operations Manager. Some of the labs that are here at the conference you can do online if you have a TechNet Subscription. You should take the time to do these: there are many tracks available and you don’t need to set up the environment yourself, which saves some time.

During lunch I went to a session on Managing GPOs with Advanced Group Policy Management. The new version of GPMC has some great new features in it. The first one is the possibility to do a check-in/check-out when editing a policy. This prevents 2 administrators from opening the same group policy and making changes to the same setting.
Roles can be defined for which group of administrators can do what in GPMC. You can for example create a group that can only edit policies but can’t deploy them. The administrator will receive an email (if the GPMC is configured to do so) that an editor has changed a policy that needs to be approved for deployment. The administrator can generate a report that displays only the changes made to that policy. The administrator can then approve and deploy the policy, or reject it and give some comments that the editor will then receive in a mail with a note from the administrator.
A rollback system has been implemented. This is actually an archive of the policies that have been changed. From within this archive you can simply redeploy an older policy if something has gone wrong after deploying the new policy.
Something was mentioned that I wasn’t aware of: when you change settings in a group policy, the replication of this change to other DCs starts even before you exit the console.

The next session was Windows Mobile as Secure as Blackberry: Are You Joking? One of the first things the speaker brought up is the fact that management people usually use their influence and power to get the IT department to deploy the mobile devices they like. A few years ago this started the BlackBerry trend and so corporations were implementing BlackBerry servers in their networks. Now, because of the iPhone, we see that corporations are starting to deploy ActiveSync.
This is not directly linked to security, but up to 40,000 Windows Mobile devices can be managed on one server instance, and in SP1 this would scale out to 60,000 or 80,000 devices. Since a BES server uses MAPI to connect to the mailboxes, the devices should be limited to 250 connections by default. I haven’t found any official documentation on this, but even though the BES server has 5 agent threads connecting to the Exchange server this would not scale up to as many users as on the Microsoft platform.
A potential issue with a BlackBerry installation is that when a user leaves the company and the account is disabled but the user still has the BlackBerry device, he would still be able to retrieve information from his mailbox, because the BES server uses a super user account to retrieve the content of the mailbox.
In regards to using encryption on the removable storage card there could be an issue with Windows Mobile. If the device is given a wipe command, the data on the device and on the storage card get formatted. If the card was removed when the wipe started, all the data on the card becomes useless if encryption was applied to it, because the encryption key was stored in the device memory that you just wiped. The encryption key on a Windows Mobile device is generated during device initialisation.

The last session I attended was Windows Vista, Take 2: Understanding Windows Vista SP1 from A to Z. This session was given by the best speaker I’ve seen during the last week, Mark Minasi. Most of the stuff Mark showed I already had some knowledge of, except for this one. In SP1 there was an improvement for when you have 2 network interfaces on your PC, let’s say a wireless connection on your laptop and your Ethernet connection. If both are connected to a network, Windows Vista is now smart enough to use the fastest connection you have. It will not just look at the maximum speed of the network interface but will test the speed and use only the network card that has the fastest connection.
Another thing he pointed out is that if you have a problem with Windows Vista SP1 Microsoft is offering free support until 18 March 2009.

Well, that was it. It’s been a great week and hope that I can do this again next year when it’s a bit closer to home. Next year Tech-Ed EMEA is in Berlin. Hope to blog again from there :-).

Not only did I have an early-bird registration for Tech-Ed, I was the early bird today. The sessions today start half an hour earlier because this evening there is a community party. When checking up on my 2 colleagues to go for breakfast there was no response, probably still tired after yesterday’s country drink ;-).

First session today was: Windows Server 2008 Active Directory Best Practices! The first interesting topic they talked about was Fine-Grained Password Policies (FGPP). By creating Password Settings Objects (PSOs) in Active Directory and assigning these objects to groups you can set multiple password policies, which before this feature was implemented was only possible at the domain level.
If you are going to deploy a Read Only Domain Controller (RODC) in a branch office you can use the install-from-media option. With this option it is possible to create media via ntdsutil on the command line and burn it to CD. You can then send/use this disk in your branch office to deploy your RODC without sending the complete AD replication over the WAN; only the deltas need to be sent over the WAN. All the secrets are removed from this media, so if the media falls into the wrong hands no data is compromised.
If you audit your AD and you have multiple DCs in your domain there is no consolidated view (yet) for these auditing events. You can use event forwarding from the new Event Viewer to forward these to one server, or use System Center for this.
When you have your Global Catalog servers in Hyper-V and they face Exchange servers, you’ll need to take into account that this can create lots of I/O on your disks, so keep this in mind when planning your Hyper-V. Another feature that needs consideration is when you want to use BitLocker with Hyper-V. This can be a real problem, because BitLocker stores the encryption key in AD, but if all your DCs are on Hyper-V and you have a problem with your Hyper-V so that the DCs can’t start, you cannot access the data that is encrypted with BitLocker. Therefore Microsoft recommends that you keep 1 DC on a physical machine.

The second session was The Case of the Unexpected… This session was given by Mark Russinovich, the developer of the Sysinternals tools that we all use. If you don’t, you must certainly check them out!! These tools are great for troubleshooting performance problems and hangs on your systems. During a demo of Process Explorer, which is much better than the standard Windows Task Manager, he explained how you can even see the stack of a process for even deeper troubleshooting. Another nice feature of this tool is the Windows Owner button that you can use to troubleshoot error messages when it is not clear which process a message comes from.

During the lunch I went to see what improvements have been made to the security of Internet Explorer 8. One of the new features is InPrivate Browsing or, as I like to call it, the porn surfer :p. When you use this feature it opens a new browser window for surfing. If you close this browser, all history, typed URLs and cookies that were used in that browser session will be erased from disk so that no one can tell from the browser history which sites you have visited. I think that if this information was written to disk it is still possible to retrieve it with undelete tools, but it is a nice feature.
Like Google’s browser Chrome, Internet Explorer 8 will also have a process per tab, which means that if a site hangs it doesn’t interfere with the rest of the browser.
There was no final release date announced because lots of feedback on the beta 2 version is still coming in from users at the moment.

The fourth session of the day was Learn about the Cross Platform Extensions Beta for System Center Operations Manager 2007. I don’t have to monitor any Unix/Linux machines at my current job, but since I’m developing my skills/interest in Operations Manager I preferred this session above others. An API will be made available, probably in the RTM of R2 or else in a resource kit, to create scripts that read input and give output to this API, which provides the data to a Management Pack you create. These scripts can be Python, Perl, Bash ….
Concerning monitoring network devices out of the box, which was actually out of the scope of this session, this will be implemented in V10 (2010) of Operations Manager.

The next session was Virtual System Center: Running and Maintaining the System Center Suite on Microsoft Hyper-V. This session was more about best practices for running System Center on the Hyper-V platform. For optimising performance you should use pass-through disks for disks that need high I/O. It’s a bad idea to use dynamically expanding disks because they create even more I/O.
Microsoft recommends that you derate your processor by 10% when planning your machine in Hyper-V, so a 2.2 GHz processor in Hyper-V would count as 2 GHz.
For planning your Hyper-V environment you can use the Microsoft Assessment and Planning Toolkit 3.2. And being a fresh Operations Manager fan, there is of course a management pack for Virtual Machine Manager.

The 6th session of today was Troubleshooting Group Policy for Windows Vista and Group Policy Preference Extensions. Not much in this session was new to me, like using the Group Policy Management Console reporting option to troubleshoot when a policy isn’t applying as expected.
What was new to me was the command-line tool GPLogView, which can be downloaded from the Microsoft website. This tool needs to run on the client receiving the policy and keeps running in the background while you refresh the group policy with gpupdate; it will then parse all the events related to group policy for you. You can even create an HTML report out of the result.

The last session of the (longest) day was Creating an Adaptive Infrastructure with HP ProLiant and Microsoft. This was more of a partner session, where HP presented their superior blade servers and the software solutions they offer, as well as HP Services that you can use to help you with planning and/or deploying Hyper-V infrastructures. Lots of the information from this session can be found on the HP website.
Oh, yes! HP creates management packs for HP ProLiant servers that are free to download for all HP customers :p.

A website that I should mention for those of you who don’t know it is CodePlex; it’s actually the SourceForge of Microsoft. Having said that, it’s been a very long day, 7 sessions and probably even more beers, and my longest blog post this week. I’m off………