Malinda's Blog

Unable to install certificate in mobile devices

2006-11-09T19:23:00Z

Smart phones with mobile 5 do not allow to install certificate display the warning “Security permission was insufficient to update your device”.

To resolve this issue you have to change few registry keys and give necessary permission to install the certificate.

Download regeditSTG.zip and extract in the mobile device it provides you view of all registry keys then change following registry keys.

HKLM\Security\Policies\Policies

00001001 to 1
00001005 to 40
00001017 to 144

Regards,

Malinda

Vacancies @ MIT Microsoft Division

2006-11-09T19:20:00Z

I think this is a good place to find promising techies; we are looking for good technical people for Millennium IT Microsoft division we spotted few people from the forum and looking for some more please let us know if you interested.

Job Description:

Candidate should able to provide reactive and proactive support to Enterprise Customers for the most technically complex environments.

We are looking for two types of candidates that is for Microsoft Infrastructure products and Communication can Collaboration products. Candidate must have good knowledge in his domain and at lease 3 years experience in similar role.

Contact details:

Malindap@millenniumit.com

077 3147273

ROOT CA

2006-11-09T14:36:00Z

Information security is very important topic for any organization, there are many technologies to secure information one common method is public key infrastructure. Microsoft certificate service based PKI is secured way of exchanging data, this article is not about how to secure data using certificates. This article about how to protect public key infrastructure, among all other components root CA is the most critical component because that is the only self signing certificate authority. All other subordinate CA’s are required certificate sign by another CA upon the certificate hierarchy. If root CA compromised it affect down the certificate hierarchy that mean entire public key infrastructure will be at a risk. Because of that it is very important to protect root CA. Entire certificate hierarchy should plan in a way to minimize risk, today we cant say anything 100% secure no one guarantee computer networks, then best option is keep root CA unplug from the network. If that the case how root CA communicate with Active Directory, root CA should not be an enterprise CA it can be a stand alone CA. If that the case best option is implement stand alone root CA in a stand alone server which not plug to the network that will be more secure than network connected server and use portable media to transfer certificate to subordinates (issuing of intermediate CA). Issuing CA’s can be enterprise CA which can use benefits of Active Directory integration. Depend on the requirement certificate hierarchy can be extended up to multiple tiers by adding more CA into the hierarchy and make intermediate CA’s offline it make the environment complex but it gives you more secured environment. Other than offline the root CA it can be protected by providing physical security system with use special hardware security modules which design to protect CA’s and issue couple of smartcards to which required access the server.

Exchange cluster registry corruption

2006-11-03T16:20:00Z

Mail system is one of the most critical systems in any organization. Most of the companies use e-mails as primary communication between partners, suppliers and customers in case of mail system failures have an effect on business operation in great extend. As a solution for server failures most of the companies are willing to invest for server clusters. If all the nodes in the cluster fails what will be the solution, why all nodes in the cluster fails same time. Last week I had to face similar kind of issue all nodes in the cluster failed same time. After restarting the server all resources in the cluster online except Microsoft search instance. I tried to start search instance couple of times but those attempts were not successful but I able to successfully restart search services in windows. After few minutes of trouble shooting I able to recognize registry keys belong to MS search instance is not available in both servers. Then I recreate those registry keys and try to restart search instance in cluster resources, but it failed again. Then only I identified real issue; registry keys which I created earlier were deleted when I am restarting search instance. I recreate registry keys again and try to restart search instance again but results were same in both servers. Now this become a real issue no way to recreate registry keys because it get deleted automatically every time I create it and no system state or registry backup. After considering all the facts I didn’t had any option other than recreate Exchange virtual server. My main consideration when deleting Exchange system attendant was data. Before I delete system attendant dismounted all databases, after successfully deleting system attendant I recreate it back, new system attendant able to successfully mount all databases and recreate missing registry keys. Delete and recreate system attendant not a solution for every problem because in other words you delete the Exchange cluster with that, have to consider all aspects before delete it, but it solve many issues because it recreate all dependencies again. Still I couldn’t able to figure out why those registry keys were deleted.

Exchange 2007 & 64-bit

2006-10-06T15:24:00Z

I saw couple of questions about Exchange 64 bit version and hardware compatibility issues in Tech2guys forum, that’s why I though to write this article. Here I attached a document I have done some time back there you can find more information about Exchange 64-bit version with the reference URL’s.

URL for article: http://tech2guys.com/forums/ShowPost.aspx?PostID=770

Don’t miss understand I am going to promote any hardware vendor, I just wanted to share what ever knowledge I gathered in last few months.

Microsoft recommends for anybody who is looking for new Exchange 2003 deployment purchase 64-bit hardware because you don’t have invest again for hardware to deploy Exchange 2007.

Exchange 2003 cannot be install on top of Windows 64-bit because of that Windows 32-bit has to deploy on top of 64-bit hardware which you purchase.

Recently I deployed three Exchange & Windows 2003 32-bit clusters on top of 64-bit hardware from three different hardware vendors that is HP, SUN Microsystems and IBM. Actually I haven’t face a single issue because of 64-bit hardware, backward compatibility works well there. I can ensure 64-bit HW works well for Exchange 2003 it is worthwhile to invest for 64-bit.

Please let us know Tech2guys members who really interested about these technologies I may able to arrange site visit for few people (because of practical difficulties I can’t take all members for a site visit) to get real experience.

We can have session also about clustering, Exchange and 64-bit technology; let us know about your interest.

Will make sure Tech2guys is productive and successful forum which help to develop career of SL IT professionals.

Solution for NLB from ISA 2006

2006-09-29T14:53:00Z

Problem with existing Windows load balancing technology is application awareness for example will take Sharepoint or Exchange Front-End load balancing server farm in case of failure of application like SMTP, Sharepoint services……etc. Windows NLB services cannot detect it. In that case still Windows NLB sends the traffic for problematical server because of that requests from some users will fail.

As a solution for that ISA 2006 provide application aware load balancing services for server farms, it can detect the application failure of particular server and stop sending request to that server until fix the problem.

This feature called “Web publishing load balancing” this illuminate use of Windows NLB in server farm, ISA Server 2006 will automatically balance the request stream coming from a remote user to an array of published servers.

This is how OWA publishing works;

Web load balancing features are automatically implemented when you publish Outlook Web Access and Outlook Anywhere. Outlook Web Access automatically selects a rule by using cookie-based load balancing. With cookie-based load balancing, all requests related to the same session (the same unique cookie provided by the server in each response) are forwarded to the same server. Outlook Anywhere uses source-IP based load balancing. With source-IP based load balancing, all requests from the same client (source) IP address are forwarded to the same server.

Read Only DC in Longhorn directory services

2006-09-23T00:00:00Z

RODC is an Additional Domain Controller in a Domain, Host a Read only replica of Active Directory Services Database. Design primarily for branch office with fewer Users, poor Physical Security, relatively poor network bandwidth to hub server, no Dedicated Administrator.

RODC hold all object and attribute of a writeable DC, changes to any Object or attributes NOT Allowed and malicious user at branch locations cannot pollute or corrupt AD database.

RODC replicate only one way it pulls changes from writeable domain controllers.

It reduces the workload of bridgehead servers in the hub site and reduces effort to monitor replication.

By default, RODC will not store any password, except for its own account computer account and special krbtgt (Kerberos Ticket Granting Ticket) account, RODC is advertise as Key Distribution Center (KDC) for the branch then forward the authentication request to Hub if password not in cache.

Exchange server 2007 OWA access to internal portal server

2006-09-17T19:58:00Z

As all of us now in Exchange 2003 and Outlook 2003 we can use Sharepoint portal server or services to store Exchange attachments, Outlook can send the mail with the URL for sharepoint document workspace.

This was a very valuable feature because it helps to reduce bandwidth usage for e-mails attachments but there was major bottleneck people who access the mails from outside the organization couldn’t able to access the internal URL.

Now Exchange 2007 comes up with new solution for this matter. People who access email from outside the organization allow to access internal portal server. Portal server can reside internal network without publishing through firewall but Exchange 2007 OWA enables access to internal portal server.

This is a cool feature which enables true product integration to increase productivity and ROI.

Why WINS for Exchange clustering?

2006-07-16T22:11:00Z

After release of Windows 2000 and 2003 most of companies wanted to wipe out WINS from there networks to reduce burden of maintain this service. Everyone one new DNS will be the ultimate solution for name resolution in future.

Now there are companies who runs there systems without WINS since couple of years, that include Microsoft clusters also.

Especially in Exchange clustering some are telling WINS is needed but from my experience it is working well without WINS.

What is the actual answer for this; is WINS mandatory for clusters? I have done some research on this and had found some evidence why WINS is required.

As all of us know it is recommended not to use WINS or DNS in private NIC in a cluster but public NIC we can have either WINS or DNS, or both.

Exchange setup program and server clustering use NetBIOS but it is not necessary to have WINS; DNS should be support dynamic updates. In some cases Exchange 200x servers may work without WINS but not fully tested without WINS in larges sub-netted networks, because in large environments NetBIOS name resolution broadcast may not function well.

Considering all of these facts it’s better to keep WINS if you have Exchange 200x, MS clusters or large network doesn’t support NetBIOS name resolution broadcast.

Exchange 2003 runs on SUN Microsystems and AMD 64 bit

2006-06-22T20:21:00Z

Microsoft is going to release Exchange server 2007 only in 64 bit. They wanted to avoid existing limitation of existing 32 bit version of Exchange. Since Exchange more critical and heavily stressed application current 32 bit version pushes to its limits. Exchange 2007 64 bit will be better relief for those burning issues because it will easily exceeds current memory bottlenecks and help customers to go for consolidated server environment.

Since Exchange 2003 doesn’t have 64 bit version and couldn’t able to run on Windows 64 bit, because of that still people don’t thing about benefit of using 64 bit hardware. Since 64 bit hardware having backward compatibility to run 32 bit versions, it is worth while to invest for 64 bit hardware and do the migration to 64 bit applications after the release of Exchange 2007.

Recently I did a proof of concept at Singapore SUN labs about implementing Exchange 2003 and Windows 2003 R2 32 bit versions on SUN Microsystems servers and storage using AMD 64 bit opteron processors. Results were quit good I implemented two node Exchange active passive cluster with two dual processor servers and SUN storage. According to the calculation one server able handles nearly 5,000 users very easily and storage also performed well because disk utilization was 14% for 1000 users.

Still waiting to test on Exchange 64 bit; seems to be Exchange 2007 will be dominant mail server in future.

Exchange Geographical cluster

2006-06-22T20:18:00Z

Today most of the organizations invest millions of dollars for IT to enhance productivity and business continuity. To get the return of investment definitely those IT systems has to play major roll in their business operations. Once those systems integrated to organization business process of failure of those systems heavily affect the business. Business continuity is very important factor for any organization that is one of the key areas for IT vendors to focus.

In this article discuss about business continuity of one of the major IT application that is Microsoft Exchange server.

Exchange server plays major roll in present IT market as dominant mail server. There are couple of ways to make exchange server available all the time.

Option one is Exchange cluster running on single site, it provide high availability within the site but in case of site failure whole system will goes offline.

Option two make Exchange server geographically available.

There are few third party Exchange replication tools, which enable to replicate data among geographical sites and automate the failover in case of site failure. There are some doubts about third-party replication software’s like data integrity issues, time taken to release of new version updates and patch updates for new Microsoft patch update and version update.

Microsoft Exchange geographical cluster can be implemented without using third party products.

Microsoft always recommends going for majority node clustering, to implement MNS cluster three sites required because in MNS cluster always majority number of nodes should be online, if cluster doesn’t have majority it will go offline.

In two site MNS cluster only one site can have majority number of nodes, if that site fails cluster will go offline because other site doesn’t have majority.

In three site MNS cluster always two sites can keep majority, single site failure cluster does not affected the cluster, but in case of two sites failure cluster will go offline. Failing two sites simultaneously will be a rare situation.

In MNS cluster no need to have Exchange server and storage in third site; third site will act as only a witness. There should be SAN level replication between two Exchange server sites to replicate information and always recommend having 500ms maximum latency between three sites.

In two site cluster scenario there is high chance of split-brain, because in case of WAN link failure two sites are unaware about other sites but in MNS cluster this can be avoided.

How to Calculate Exchange Server Disk System Requirements

2006-06-19T22:37:00Z

Exchange server disk system plays a major roll in large Exchange environments because it is heavily affect the performance.

Only having performing servers can’t achieve required performance. Microsoft always recommend to have disk usage counter

below 0.80 to meet user performance requirement.

Disk usage counter can be calculated by IOPS per mailbox multiply by number of users and then divide it by Total IOPS/sec.

Disk Usage = ((number of users) × (current IOPS per mailbox)) ÷ (total IOPS/sec)

Best way to pupulate Exchange databases

2006-06-18T22:09:00Z

Exchange 2003 recommends having more storage groups rather than having all databases in few storage groups. In earlier versions it is recommended to have few storage groups because each storage group allocates 250 MB memory for the version store, schema cache, JET resources.

Having multiple storage groups transaction log traffic can be reduce. Other thing is having many databases within single storage group, number of transaction logs will increase; it is a huge disadvantage because in recovery process all transaction logs has to be replayed.

Best advice is populate your databases within all four storage groups, it will give better performance and fast recovery processes, it will not degrade performance like earlier versions of exchange.

Solution for RPC over HTTP publishing

2006-06-17T17:30:00Z

Microsoft introduced RPC over HTTP as new feature for Exchange, but configuration of this feature not an easy task. I have experience few problems when configuring this, one of the main problem I had face is publishing RPC over HTTP through ISA 2004.

Here I configured RPC over HTTPS using Microsoft certificate service, it works well in LAN but couldn't able to access from out side after publishing through ISA 2004.

Solution for this is add record to ISA host file using internal IP of front-end server and external domain name. Then publish Exchange front-end server using external domain name it works well because outlook can maintain FQDN.