Monday, October 29, 2007

Granting "Send As" rights in Exchange 2007

Many times it is necessary to grant a service account the ability to open a users mailbox and/or send email as that user.  Products that tightly integrate with Exchange like Blackberry Enterprise Server (BES), Quest Archive Manager (QAM), and many others need this in order to function properly.  This is accomplished by granting the service account the "Full Mailbox Access" and "Send As" rights for all mailboxes in the organization (assuming the application in question is to be rolled out enterprise-wide).

For those that are unclear, it is critical to understand the difference between "Send As" and "Send on Behalf Of".  "Send As" allows a user to "impersonate" another user and send email as the other user.  For example, if User A is granted "Send As" rights to User B's mailbox, then User A is able to send messages directly as User B and means that the recipient of the message will think that User B has sent the message, even though it was actually User A that sent it.  The "Send As" right can only be done by an administrator; a user cannot grant the "Send As" right to another user.

"Send on Behalf Of" allows a user to send email from another user's mailbox, but the sending user is not impersonated.  For Example, if User A is granted "Send on Behalf Of" rights to User B's mailbox, then User A is able to send message from User B's mailbox and the recipient would receive a message that is from "User A on behalf of User B".  By looking at the "From" field in the email, it is always very clear who is sending the message.  Like "Send As", the "Send on Behalf Of" right can be granted by an administrator, but unlike "Send As", "Send on Behalf Of" can also be established by the end user.  Through the Outlook client, a user can grant another user the ability to send on behalf of them.

For more information on granting "Send As" in an Exchange 2003 environment, or granting "Send on Behalf Of" permissions, check out this tutorial from

Now back to the problem at hand...

"Full Mailbox Access" and "Send As" rights can be granted on a single mailbox (or batch of mailboxes) with the following PowerShell cmdlets (using User A and User B from the examples above):

Add-MailboxPermission UserB -AccessRights FullAccess -user UserA

Add-ADPermission UserB -ExtendedRights Send-As -user UserA

Note that granting "Full Mailbox Access" does not include the "Send As" permission; "Send As" must be explicitly granted.

The problem with this method is that even if the script is such that it will grant the appropriate rights on all mailboxes in the environment, this will not automatically grant the rights to the service account for new mailboxes and the script must be re-run on a regular basis.  For message archival applications in particular this is a problem as some data may be missed because the service account was unable to access the mailbox.  So you must use a method to grant the required permissions automatically.

A personally recommended best practice is to create a group that has the "Send As" rights in Exchange and add the appropriate user accounts to that group.  Because there is risk with any account that has these rights to your entire Exchange organization, those account must be as secure as possible and the membership of that group must be controlled and monitored tightly.

To grant the required permissions, follow these steps:

  1. At the command prompt, type ADSIedit.msc. This requires the Windows Server 2003 Support Tools.
  2. In the Action menu, select Connect to…
  3. Select the Select a well known Naming Context radio button.
  4. Select Configuration from the drop-down list.
  5. The Default (Domain or server that you logged in to) radio
    button is selected. Leave this button selected if the machine you are
    logged in to is in the same domain as the Exchange 2007
    organization. If the machine you are logged in to is in a different
    domain, select Select or type a domain or server and enter the
    domain controller name.
  6. Click OK to return to the ADSI Edit window.
  7. Select the Configuration node that contains the name of the domain
    controller that holds your Exchange 2007 organization.
  8. Navigate to CN=Services | CN = Microsoft Exchange |
    CN=”Your Exchange Organization”
  9. Right-click the organization node and select Properties.
  10. Select the Security tab and click Advanced.
  11. Click Add, and select the appropriate user or group.
  12. In the Permission Entry window, ensure that Apply Onto is set to This object and all child objects.
  13. Check the box for Full Control in the Allow column.
  14. Click OK to add the entry, and click OK to exit the windows.
  15. Close ADSIedit.

Be very sure that the accounts you use are not also in any groups which are denied "Send As" rights, or you will still be denied.  By default, the Domain Admins, Enterprise Admins, and Exchange Organization Administrators groups are denied "Send As" rights (and should be kept that way).


A friend emailed me this today and although I had seen it a while back, it still cracked me up.  I'm not sure why it would be comforting to know that nothing I do will be as awesome as this, but it's still funny.


Friday, October 19, 2007

PdaNet vs. Internet Sharing on the AT&T Tilt


One of the things I've been trying to get working with my Tilt is the ability to tether it to my laptop for data connectivity. AT&T offers a tethering option to data plans for $20, but I don't intend on using this 24/7 for an Internet connection, just something to use in a pinch. The AT&T cops swarming down on me is a chance I'm prepared to take.

The first thing I tried was PdaNet from June Fabrics. I used version 1.80 because it added WM6 support. I was wholly unsuccessful in getting this to work over USB or Bluetooth. I consistently got a "Modem is Busy" error, so I did a little more digging and found several others that had tried and failed to get PdaNet working with the Tilt. In the process, I also found out about Internet Sharing, a feature that (apparently) was offered on the 8525.

On the AT&T Tilt (the successor to the 8525), Internet Sharing was replaced by Wireless Modem in Connections. While Internet Sharing is no longer listed in Connections, it is still present on the device and can be used. Internet Sharing effectively does the same thing as PdaNet.

To locate Internet Sharing:

  1. Go to Start>Programs>Tools>File Explorer.
  2. Open the Windows Folder.
  3. Scroll down until you locate Internet Sharing.

To add a shortcut to an existing folder on your device:

  1. Tap and Hold on Internet Sharing and select Copy from the pop up menu.
  2. Navigate to a folder where you would like to put your shortcut and select Menu>Edit>Paste. I placed it in \Windows\Start Menu\Programs\Tools.

To use Internet Sharing:

  1. Pair your device with your PC (Bluetooth or USB).
  2. Locate the Internet Sharing shortcut you created and tap on it to open the application.
  3. Select USB or Bluetooth from the PC Connection type drop down (depending on your needs, obviously).
  4. Select MEdiaNet from the Network Connection drop down.
  5. Tap on Connect.

I tested this with Vista and didn't have any trouble with it.

UPDATE 03.12.08 - After a reader commented on not being able to get this to work with Vista, I realized I forgot one piece of the puzzle that I did well before I started to figure out Internet Sharing. In its default configuration, the Tilt wouldn't connect to Vista at all via USB (at least not with my laptop, so it's possible it is specific to my hardware). To fix this, go to Settings - Connections - USB to PC and turn off "Enable advanced network functionality" (whatever that is). You will need to re-enable this when you want to use it with XP.

Friday, October 05, 2007

Clustering in VMware Workstation 6

UPDATE 02.15.08: I updated the last line of the VMX file in step 4 (Thanks for the heads up Jim!)

I have a need to build an Exchange 2007 single copy cluster on Server 2003 in VM environment. This is something I've done before with Microsoft Virtual Server, but haven't had the opportunity to do it with VMware Workstation (OK, I had the opportunity, but never needed to until now). Since VMware Workstation is a paid product, I assumed clustering and setting up a shared SCSI bus would be included and pretty straightforward. Wrong. No options in GUI exist for this, and the VMware help files and knowledgebase provide no assistance. I love VMware, but come on, no easy way to set up a cluster in a product that is meant for lab testing various configurations and applications?

Anyway, after poking around on the web for a while, I was able to compile a working method for setting this up. Here are the steps I took:

  1. Create two VMs with a single disk on SCSI bus 0, install Windows, get updates, etc.

  2. On one VM, add two new SCSI disks (one for data, one for quorum) on SCSI bus 1 (I put them on SCSI1:1 and SCSI1:2), make them independent, persistent, and fully allocate the drive space so that the VMs don't fight over expanding/managing the disk file size.

  3. On the second VM, add the two already created SCSI disks on SCSI bus 1 (again, I put them on SCSI1:1 and SCSI1:2), and again make them independent and persistent.

  4. Edit the .vmx files for each VM and add the following lines:

    scsi1.sharedbus = "Virtual"
    disk.locking = "false"
    diskLib.dataCacheMaxSize = "0"
    diskLib.dataCacheMaxReadAheadSize = "0"
    diskLib.dataCacheMinReadAheadSize = "0"
    diskLib.dataCachePageSize = "4096"
    diskLib.maxUnsyncedWrites = "0"

  5. Fire up the VMs and both should have two disks ready for formatting and clustering.

Admittedly, the lines added to the .vmx file came from Geert Baeke’s Blog, specifically his posting on clustering in VMWare Workstation 4.5 and higher. Also, he has another good post around clustering in VMware Workstation using iSCSI. Trying that out is already on my “to do” list.

As a side note, when you complete botch the configuration of your Windows Cluster (like I did) and want to start over, use this command from the C:\windows\cluster directory on each node, then reboot the node:

cluster node <node_name> /forcecleanup

Wednesday, October 03, 2007

Exchange 2007 Autodiscover White Paper

Newly updated.

This white paper provides detailed information about the Microsoft Exchange Autodiscover service. It also includes information about how to configure this service in various deployment scenarios. Use the conceptual information and procedures in this white paper to help you deploy the Autodiscover service.

Tuesday, October 02, 2007

Windows Server 2008 Core: Read-Only DC

New in Windows Server 2008 is the option to create a read-only domain controller (RODC). To deploy an RODC, the domain controller that holds the PDC emulator operations master role (also known as flexible single master operations or FSMO) for the domain must be running Windows Server 2008. In addition, the functional level for the forest must be Windows Server 2003.

Because the administration of a Server Core is done from the command line only (at least initially), dcpromo must be run with a host of options to promote the Server Core installation to a domain controller (read-only or standard). From the Windows Server 2008 Technical Library, here are the command line options for dcpromo. The options can optionally be specified in an answer file.

So, to create a RODC on a Server Core installation without also installing DNS, the command line would be:

dcpromo /unattend /ReplicaDomainDNSName:<FQDN_of_Domain> /ReplicaOrNewDomain:ReadOnlyReplica /SiteName:<site_name> /InstallDNS:No /DatabasePath:"C:\NTDS" /LogPath:"C:\NTDS" /SysVolPath:"C:\SYSVOL"

Obviously, the paths for the database, logs, and sysvol would need to be changed to the appropriate location for your environment. The bulk of the parameters are pretty self-explanatory, but two need attention called out. First, the /ReplicaOrNewDomain:ReadOnlyReplica parameter is what defines the DC as a RODC. Using /ReplicaOrNewDomain:Replica creates a standard DC in an existing domain. Using /ReplicaOrNewDomain:NewDomain should be pretty obvious, but it does introduce a slew of different required parameters and options. Also, when creating a RODC you must specify the site name using the /SiteName parameter. I’m not sure, but I would assume this is for the enabling of universal group membership caching. So, if you haven’t figured it out, you’ll need to create the site for the RODC in AD DS before you promote the server to a RODC.

Other handy parameters:

  • /ConfirmGC:No – Do not configure the server as a GC (Default is Yes).
  • /CriticalReplicationOnly:Yes – This forces dcpromo to only replicate the critical directory information before rebooting, postpoting the full replication of the remaining AD DS information until after a reboot; can be useful for large directories to speed up the dcpromo process (Default is No).
  • /ReplicationSourceDC:<FQDN_of_DC> – This forces the replication operation to use a specific domain controller.

Windows Server 2008 Core: The Basics

The Server Core installation option of the Microsoft Windows Server 2008 operating system is a new option for installing Windows Server 2008. A Server Core installation provides a minimal environment for running specific server roles that reduces the maintenance and management requirements and the attack surface for those server roles. A Server Core installation supports the following server roles:

  • Active Directory Domain Services
  • Active Directory Lightweight Directory Services (AD LDS)
  • Dynamic Host Configuration Protocol (DHCP) Server
  • DNS Server
  • File Services
  • Print Server
  • Streaming Media Services
  • Web Server (IIS)

Local administration of a Server Core installation is done from the command prompt, but all roles can be administered from other computers running the appropriate MMC console. The Server Core Team Blog has a nice posting on the basics of getting a Server Core installation up and running. Here are the extreme basics to get a Server Core up and running on your network:

Change the Administrator Password

net user administrator *

Configure the IP Address and DNS Server

netsh interface ipv4 set address name <interface_name> static <ip_address> <default_gateway> <subnet_mask> 1

netsh interface ipv4 set dnsserver <interface_name> <pri_dns_server_ip> primary

netsh interface ipv4 add dnsserver <interface_name> <sec_dns_server_ip>

Join the Domain

netdom join %computername% /domain:<domain_name> /userd:<domain_user> /passwordd:*

shutdown –r

Rename the Server

netdom renamecomputer %computername% /newname <new_server_name>

shutdown -r

Activate the Server

slmgr.vbs -ato

Allow Remote Administration (should really be done via GPO)

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

Active Directory Topology Diagrammer

With the Active Directory Topology Diagrammer tool, you can read your Active Directory structure through Microsoft ActiveX Data Objects (ADO). The Active Directory Topology Diagrammer tool automates Microft Office Visio to draw a diagram of the Active Directory Domain topology, your Active Directory Site topology, your OU structure or your current Exchange 200X Server Organization. With the Active Directory Topology Diagrammer tool, you can also draw partial Information from your Active Directory, like only one Domain or one site. The objects are linked together, and arranged in a reasonable layout that you can later interactively work withthe objects in Microsoft Office Visio.

Monday, October 01, 2007

Microsoft Certification Changes

So Microsoft is dropping the MCSE moniker in favor of “Microsoft Certified IT Professional” (MCITP) in flavors for specific Microsoft products or technologies. The MCP moniker is now “Microsoft Certified Technology Specialist” (MCTS). Basically, the MCTS is the entry level certification on a Microsoft product or technology, and MCITP is the advanced certification. At the top level there is the “Microsoft Certified Architect” (MCA) which is a whole other animal. That’s all fine, well, and good with me - I was one that never liked the “Engineer” designation anyway. Here are the currently available MCITP certifications:

The other big change, beyond the names, is that certifications will now expire after three years. For the most part, rather than tying MCITP certifications to specific products, Microsoft has chosen product agnostic names for these certifications (I’m not sure why they chose to specifically call out Project Server 2007, but that’s not one I’d likely be after, so it’s irrelevant to me anyway). To renew your certification, you will be required to take the current MCTS exams for your area of expertise. So the MCTS exams under the MCITP certifications will rotate out as products age, but the MCITP certificate name will remain constant. Many people won’t, but I like this approach. It reduces the number of certifications someone has, and if they have any of the new MCITP certifications, you know they are up to date. I like the idea of reducing the number of certifications because I personally have the following:

  • MCITP: Enterprise Messaging Administrator
  • MCTS: Microsoft Exchange Server 2007 Configuration
  • MCSA: Security on Windows Server 2003
  • MCSE: Security on Windows 2000
  • MCSE: Security on Windows Server 2003
  • MCSE: Messaging on Windows 2000
  • MCSE: Messaging on Windows Server 2003
  • MCSA: Messaging on Windows Server 2003
  • MCSA on Windows Server 2003
  • MCSE on Windows Server 2003
  • MCSE on Windows 2000
  • MCSE on Windows NT 4.0
  • MCP+I
  • MCP

I am not going to list these on a business card or email signature, and most people couldn’t care less about my experience with NT 4.0. So after getting the new MCSE equivalent certification, I would be simplified to:

  • MCITP: Enterprise Administrator
  • MCITP: Enterprise Messaging Administrator

Much better, and should carry more weight in time.

You’ll notice that “Enterprise Administrator” is not on the list of currently available MCITP certifications. Neither is “Server Administrator”. The “Enterprise Administrator” (MCSE equivalent) and “Server Administrator” (MCSA equivalent) certifications are based on Windows Server 2008, which is obviously not available yet, so neither are the certifications. Upgrade exams will be available for both the MCSE and MCSA path. Trika from Microsoft Learning notes on her blog that the MCSE/MCSA upgrade exams will be available October 29, 2007, but these exams only get you part of the way. Below is a summary of all the exams needed to get the new “MCITP: Enterprise Administrator” and “MCITP: Server Administrator” certifications.

Now get studying…

Starting Fresh (No Upgrades)

MCITP: Server Administrator (3 Exams)

  • 70-640 (MCTS: Windows Server 2008 Active Directory, Configuring)
  • 70-642 (MCTS: Windows Server 2008 Network Infrastructure, Configuring)
  • 70-646 (MCITP: Windows Server 2008 Administrator)

MCITP: Enterprise Administrator (5 Exams)

  • 70-640 (MCTS: Windows Server 2008 Active Directory, Configuring)
  • 70-642 (MCTS: Windows Server 2008 Network Infrastructure, Configuring)
  • 70-643 (MCTS: Windows Server 2008 Applications Infrastructure, Configuring)
  • 70-620 (MCTS: Microsoft Windows Vista, Configuring) OR 70-624 (MCTS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops)
  • 70-647 (MCITP: Windows Server 2008 Enterprise Administrator)

Upgrading from MCSE 2003

MCITP: Enterprise Administrator (3 Exams)

  • 70-649 (MCTS: Upgrading Your MCSE on Windows Server 2003 to Windows Server 2008, Technology Specialist)
  • 70-620 (MCTS: Microsoft Windows Vista, Configuring) OOR 70-624 (MCTS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops)
  • 70-647 (MCITP: Windows Server 2008 Enterprise Administrator)

MCITP: Server Administrator (2 Exams)

  • 70-649 (MCTS: Upgrading Your MCSE on Windows Server 2003 to Windows Server 2008, Technology Specialist)
  • 70-646 (MCITP: Windows Server 2008 Administrator)

Upgrading from MCSA 2003

MCITP: Enterprise Administrator (4 Exams)

  • 70-648 (MCTS: Upgrading Your MCSA on Windows Server 2003 to Windows Server 2008, Technology Specialist)
  • 70-643 (MCTS: Windows Server 2008 Applications Infrastructure, Configuring)
  • 70-620 (MCTS: Microsoft Windows Vista, Configuring) OR 70-624 (MCTS: Deploying and Maintaining Windows Vista Client and 2007 Microsoft Office System Desktops)
  • 70-647 (MCITP: Windows Server 2008 Enterprise Administrator)

MCITP: Server Administrator (2 Exams)

  • 70-648 (MCTS: Upgrading Your MCSA on Windows Server 2003 to Windows Server 2008, Technology Specialist)
  • 70-646 (MCITP: Windows Server 2008 Administrator)