Thursday, July 24. 2008
This bug: "You are prompted for your credentials three times and you receive an error message when you use the Outlook Anywhere feature to connect to an Exchange Server 2007 Service Pack 1–based server that is running Windows Server 2008", has been an extreme thorn in my side whenever installing an Exchange 2007 CAS server with Server 2008 as the host OS. Elan has a good writeup about it here. It is just unfortunate that it has taken this long for the issue/fix to be acknowledged and addressed.
There is also a known issue with the Outlook Address Book (OAB) not replicating properly in clustered Server 2008 environments, which is caused by 2 known bugs, and I'm still researching if this rollup fixes that issue. You can read more about the issue here and here, with a few workarounds until an official fix is released.
Download the rollup here, and read about the CAS/IPv6 issue here.
A big thanks goes out to Mark Derosia for portions of this information and a few of the links related to these issues.
Update: It looks like the published links in KB articles are incorrect and point to the old Exchange 2007 RTM Rollup 4. I am waiting for updated links to the real Exchange 2007 SP1 Rollup 4.
As time goes on and I get more Office Communications Server, Exchange 2007 UM and Cisco CallManager integration projects under my belt, the more I learn about the quirky nature of various implementations of SIP and how they interpret RFC behavior.
This problem between Exchange UM and Cisco Call Manager (CUCM) happens when you have "chained" call forwards, which causes diversion headers to be "stacked" with the trail of phone number extensions traversed.
Exchange 2007 RTM will read the bottom diversion header, and Exchange 2007 SP1 will read the top diversion header. The RTM behavior is the correct behavior when interfacing with CUCM, and most other SIP implementations, for the original caller to be identified correctly. The last diversion header contains the original phone number, which is what we want Exchange to use.
On a good note, we can take advantage of a CUCM bug that exists from version 6.0.x to 6.1.1b that will reverse the diversion header order, which works around the Exchange UM SP1 issue.
Workaround: Allow direct transfer to voicemail on the CUCM configuration and this reverses the order in which the diversion headers are sent.
(Un)fortunately, CUCM versions after 6.1.1 contain the fix CSCsl15554, which breaks this temporary workaround. CUCM 6.2 is becoming the popular standard for new deployments, with CUCM 7.x on the horizon. Microsoft is working on a fix for Exchange 2007 SP1 to restore the RTM behavior.
I didn't figure out this trick/workaround. The people who are posting in this thread on TechNet are the ones who figured it out!
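The top-versus-bottom difference described above, as an added example (not code from Exchange, CUCM or the TechNet thread): a small Python parser run over two constructed INVITEs, one with the normal stacking and one with the reversed order the workaround produces. Hosts, extensions and function names are assumptions made for illustration.

```python
import re

# Constructed INVITE for a chained forward: 1001 -> 1002 -> UM pilot 5000.
# Hosts, extensions and tags are made up; the original number is at the bottom.
CHAINED = "\r\n".join([
    "INVITE sip:5000@um.example.test SIP/2.0",
    "From: <sip:3005@cucm.example.test>;tag=constructed",
    "Diversion: <sip:1002@cucm.example.test>;reason=no-answer;privacy=off",
    "Diversion: <sip:1001@cucm.example.test>;reason=unconditional;privacy=off",
    "Content-Length: 0", "", ""])

# Same call with the order reversed, sent as one comma-separated header.
REVERSED = "\r\n".join([
    "INVITE sip:5000@um.example.test SIP/2.0",
    "Diversion: <sip:1001@cucm.example.test>;reason=unconditional,"
    " <sip:1002@cucm.example.test>;reason=no-answer",
    "Content-Length: 0", "", ""])

def split_values(value):
    """Split a header value on commas that are outside <...> and quotes."""
    parts, buf, angle, quote = [], [], False, False
    for ch in value:
        if ch == '"':
            quote = not quote
        elif ch in "<>" and not quote:
            angle = ch == "<"
        if ch == "," and not angle and not quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def diversions(message):
    """List (user, reason) for each Diversion entry, in on-the-wire order."""
    found = []
    head = re.sub(r"\r\n[ \t]+", " ", message.split("\r\n\r\n", 1)[0])  # unfold
    for line in head.split("\r\n")[1:]:  # [1:] skips the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "diversion":
            continue
        for part in split_values(value):
            user = re.search(r"<(?:sips?|tel):([^@;>]+)", part)
            reason = re.search(r";\s*reason=\"?([^;\"\s]+)", part)
            if user:
                found.append((user.group(1), reason.group(1) if reason else None))
    return found

def mailbox_for(message, behaviour):
    """'rtm' reads the bottom entry, 'sp1' the top one (as the post describes)."""
    chain = diversions(message)
    if not chain:
        return None
    return chain[-1][0] if behaviour == "rtm" else chain[0][0]

def readers_disagree(message):
    """True when top and bottom differ, i.e. the forward was chained."""
    return mailbox_for(message, "rtm") != mailbox_for(message, "sp1")
```

Running `readers_disagree` over captured INVITEs is a quick way to find the calls where the two Exchange behaviours would pick different extensions.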
Wednesday, July 23. 2008
It is free, based on PowerShell, and has a lot of functionality not present in the native OCS MMC.
Check it out here.
Originally spotted here.
To use this, you will need PowerShell, PowerGui, and the OCS PowerPack.
This sounds a lot like the Home Server bug that was finally fixed in the Power Pack 1 release.
SYMPTOMS
Data corruption may occur on a computer that has Microsoft Forefront Client Security (FCS) installed. When this data corruption occurs, you may experience the following symptoms.
CAUSE
This problem occurs because of a known issue of cache coherency between mapped I/O requests and non-cached I/O requests. Forefront Client Security real-time protection uses memory mapped I/O requests for scanning files. This problem affects non-cached I/O requests. It may cause data corruption or cause truncation operations to be unsuccessful.
Special note to Server 2008 core installations: You need to install this manually - read more about it here.
Thursday, July 17. 2008
Taking a tip from here, and because the current Intel/AMD chip architecture allows only one hardware-based hypervisor to run at a time, you will want to create a special boot entry for a Hyper-V-less boot configuration of Windows 2008.
Assuming you are currently booted into Windows 2008, at an administrative command prompt, type the following:
bcdedit /copy {current} /d "Windows 2008 (No Hyper-V)"
The above command should say:
The entry was successfully copied to {guid}.
Copy that {guid} to the clipboard including the curly braces.
Now, type the following command:
bcdedit /set {guid} hypervisorlaunchtype off
In the above command, replace {guid} with what you copied to the clipboard.
Boot into the 'Windows 2008 (No Hyper-V)' instance and you will no longer bluescreen while running VMware guests.
Tuesday, July 15. 2008
Sorry to anyone that has tried to leave comments the past week or two. There was a bug in the blog site that essentially disabled any new comments from being submitted. Special thanks to Alun Jones and others who let me know that it was broken!
Sometimes anti-spam measures work a bit TOO well.
Monday, July 14. 2008
This update adds support for the following Advanced Encryption Standard (AES) cipher suites in the Schannel.dll module for Windows Server 2003:
TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA) and TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)
With this update, you can support 128-bit and 256-bit cipher suites without Cryptography Next Generation (CNG). This update enables you to use a higher cipher strength. This update also fixes the interoperability issue between the Exchange server and the Sendmail server. This update also fixes the interoperability issue between the Exchange server and the Postfix server.
If you need your Server 2003 server to be able to read SHA2 certificates created with Server 2008's Certificate Services (of the CNG variety), which are more secure than RC4 based certificates, you will need KB 938397.
And last but not least, if you want to upgrade your Server 2003's IIS certsrv site to support Vista and 2008 clients properly, you'll want KB 922706.
Hopefully, someone at MS is watching and they will release all 3 of these updates as a Certificate Services update rollup for Server 2003 to make life easier for Exchange 2007/Office Communications Server admins that want to take advantage of stronger crypto.
Sunday, July 13. 2008
After rereading my post here about buying the Hava device, I remembered that I never updated that post to reflect how I fixed Sabrina's PC lockup issue. Although I no longer have any of the crash dumps that happened while the Hava client was running on her computer, it seemed as though the system was crashing in the middle of processing a network packet. To go along with that theory, the network adapter in her older PC, a CNet Pro200WL, would stay 'lit up' on the physical interface lights on the card until the system was physically powered down. You could soft boot numerous times but the chip onboard would never recover from the crash. It was acting like a hardware bug or defect more than a driver problem.
Unfortunately, I think many of these cards at one time or another were bundled with Dell PCs because they were so low priced compared to quality chipsets. Her PC in question is a Dell PC that was donated to her by her grandparents not too long ago, much to her delight.
Running with that theory, and not wanting to have a kid constantly complaining about an unstable computer, I popped in my trusty SMC EtherPower, which is over a decade old. Not to be confused with the truly awful EtherPower 2, it is based on the excellent Digital DECchip 21140 (Tulip) chipset, which eventually was used as the "virtual chipset" that Virtual PC uses as an emulation platform for 10/100 ethernet.
Although it had higher latencies than some of the busmaster capable NICs that would come out after it, it was always a workhorse that had support in virtually every operating system. It has outlived a dozen of my personal PCs so far and was going to prove itself again in the year 2008.
Long story short: I put the old SMC network card in the 'practically new' PC and XP identified it correctly as an "Intel 21440 ethernet adapter". Intel bought the rights to Digital's network IP when Digital went out of business. I fired up the Hava client and no matter how many network packets I throw at the system, I can no longer blue screen the system once it starts seeing multicast/HAVA traffic.
Moral of the story: DEC chipset good, Davicom chipset bad.
This hasn't been my first encounter with flaky behavior from a Davicom network card. I remember having nothing but trouble under Linux with the Davicom network adapter that was built into a MSI Book PC.
Thanks go out to Allen Lamb for showing me this program.
Consider this scenario: You buy a brand new laptop or workstation from your local Big and Large to find that it has 10 or 20 various unneeded and unwanted trial versions of software on the system already. You spend hours uninstalling each piece of software individually, or get suckered into paying Big and Large to get their Nerd Herd to do it for you.
Solution: The PC Decrapifier
Not only does it have a funny "non-PC" product name, it does all the work of getting rid of these programs for you.
I could write pages of ranting about this trend in OEM builds that are sold at stores to subsidize the cost of the hardware, but that is for another day.
I could also write volumes about the trend of bundling applications together in deceptive ways. No software company seems immune/innocent of it anymore.
Little by little, the TV and the PC are merging.
Hava v1.7.4 has been released and, although it isn't listed as a feature of this firmware/software release, the picture from the Hava's composite, component and S-Video inputs seems to be of better quality when streaming on the local network. I don't publish the Hava device, which is much like a Slingbox without the one PC limitation, to the Internet, so I am not sure if the external video quality has improved at all.
Overall a very good update that seems to work perfectly fine on my rebadged Pinnacle box I bought off of Woot on a whim, which I wrote about here.
The device has been used so much that it now has a dedicated DVD player so that we can stream movies other than what is being shown out in the living room. The DVD player, Dish Network "TV1", Dish Network "TV2", the Wii, and the Xbox are all connected into a switchbox that leads into the Hava in case we want to stream any of those to the computer systems in the house. The Dish's HD content and the over-the-air HD channels I can pull in transcode amazingly well over the component input. Some people might consider that overkill, but we have found it to be an invaluable piece of hardware in our home audio/video system.
Today, my kids watched the Spiderwick Chronicles movie in their own rooms on their own computer LCDs while I watched something else on the PVR in the living room. Previously, we would have needed two DVD players, two copies of the movie, and two TVs to accomplish the same thing. Even better, they can pause the movie independent of each other if they need to go to the bathroom because the software has the same kind of 'pause/rewind/fast forward' feature found in most PVRs, even though it technically isn't a PVR unit. I was a happy camper because movie time with both of the kids in the same room can sometimes result in shouting matches between them and fights over the remote control. Needless to say, they are very competitive with each other.
You can read the forum post announcing the release here and you can download the updated code here.
One other item of note: The setup/installation code seems to have improved vastly and I've been able to get the client software installed on some previously incompatible Windows OS versions of the 32-bit and 64-bit variety. I have even been able to get it to play decently under VMware Workstation 6.5 using XP SP3 and the experimental 3D support enabled.
True geek moment: My Dish Network dish had been misaligned in the middle of the night at some point during my vacation last week and the only available client OS I could use at the time on my laptop with the older version of the Hava software was a VMware XP SP3 instance. Not wanting to wake anyone up to watch the signal strength meter on the TV in the living room, I fired up the VM with the Hava transcoding the Dish output to my laptop over our wireless network. No walkie-talkie, cell phone or second person required.
Saturday, July 12. 2008
Although I will admit I am biased against ZoneAlarm due to prior problems I've had with the product in the past, the July 2008 MS Security patch related to a DNS exploit does not 'play well' with the ZoneAlarm software. It is highly recommended that you download the updated version of ZoneAlarm from here before installing the security patch from KB 951748.
The initial knee jerk reaction to this problem might be to uninstall KB 951748, but I would advise against that due to the fact that there is an updated version of ZoneAlarm available.
Personally I am more of a fan of ESET's security suite and I have also had good experiences with Comodo's personal firewall, which is free. Of course, despite having a bit of a bad reputation in the past, the built in Windows Firewall isn't half bad these days either. You can even do per-process outbound blocking with Windows Live OneCare and the updated firewall in Vista and Server 2008 is much more feature-ful than what was included in XP.
Currently I'm "dogfooding" builds of the Forefront Threat Management Gateway at home on my EVDO connection and all the devices in our home are the clients. It is what would normally be called ISA 2008 or ISA 2009, renamed. The differences between ISA 2004 and ISA 2006 were, overall, too minimal to be a compelling reason to upgrade from 2004 to 2006, but this version has a lot going for it, including Snort-like blocking signatures and other additions.
This problem occurs because a recent revision to an Office 2003 Service Pack 1 update causes some WSUS 3.0 servers to incorrectly synchronize the revised update with the update’s approvals. When the affected client computers communicate with such a server, the Web service is unable to process the approvals. Therefore, the detection is unsuccessful. To resolve this problem on a server that is running Windows Server Update Services 3.0 Service Pack 1 (WSUS 3.0 SP1), install the 954960 update.
Microsoft Source Code Analyzer for SQL Injection is a static code analysis tool for finding SQL Injection vulnerabilities in ASP code. Customers can run the tool on their ASP source code to help identify code paths that are vulnerable to SQL Injection attacks.
A handy tool to use to check over code to help prevent the nasty automated attacks that have been occurring against sites on the Internet.
My wife comes from a Flash background and I've been slowly but surely convincing her to look more into the Expression Studio, first with v1 last year with Silverlight 1.0 and this year with the updated Expression Studio 2.0, which eventually will have Silverlight 2.0 support if I am reading all the documentation correctly. I'd love to have a dual MVP household much like Charlie and Sharon have.
One nice thing about Expression Studio 2 is that it supports the EPS (Encapsulated PostScript) file format, which earlier betas of Expression Studio 1 had support for, but apparently had issues with the exporter so it was removed from the final release of v1. Cassandra needs this format to upload her vector graphics/illustrations to iStock for publication.
Strangely enough, Expression Studio v1 was a great round-about way of getting a licensed copy of Visual Studio 2005 Standard, and Expression Studio v2 continues that tradition with a bundled copy of Visual Studio 2008 Standard.
With all that said, I spotted the Beta 2 release of the Silverlight Tools for VS 2008 on the Microsoft download center today.
Silverlight Tools Beta 2 for Visual Studio 2008 includes:
Visual Basic and C# Project templates, Intellisense and code generators for XAML, Debugging of Silverlight applications, Web reference support, WCF Templates, Team Build and command line build support, Integration with Expression Blend, and Enhanced Setup with upgrade support.
You can download the update for Visual Studio 2008 here.
Tuesday, July 8. 2008
Issues that the update rollup fixes:
1. Error message when an Exchange 2007-based user sends a meeting request to a resource that is located in a Lotus Domino resource reservation database: "Error autoprocessing message"
2. How to disable the "Sent by Microsoft Exchange Server 2007" branding sentence in an Exchange Server 2007 DSN message
3. You cannot log on to Outlook Web Access in an Exchange Server 2007 environment, and you receive an error message: "HTTP Error 403.4"
4. It takes a long time for the Exchange Management Console to load in an Exchange Server 2007 organization that was deployed in a multiple-domain environment
5. The e-mail address of a contact does not appear in the Outlook Address Book after you use Exchange Web Services to edit the contact in Exchange Server 2007 with Service Pack 1
6. Error message when you import a .pst file by running the Import-Mailbox cmdlet in Exchange Server 2007: "Unable to make connection to the server"
7. The icons that represent TIFF attachments may not be shown correctly if the e-mail message is viewed by using Outlook Web Access 2007 in an Exchange Server 2007 environment
8. A storage group may not mount after you move the resources from the active node to the passive node while the backup is in progress in Exchange Server 2007
9. Web services sends meeting request information that has an incorrect time if a delegate modifies an appointment in an Exchange Server 2007 environment
10. The heading of the "State" column is translated incorrectly in the German version of the Exchange Management Console in Exchange Server 2007
11. Error message when you enter logon credentials after an Outlook Web Access session times out in Exchange Server 2007: "Server Error in '/ExchWeb/bin' Application"
12. The W3wp.exe process may intermittently stop responding, and event ID 1000 is logged in Exchange Server 2007 Service Pack 1
13. You cannot control the behavior of attachments on mobile devices by using the ActiveSync policy in Exchange Server 2007 Service Pack 1
14. You cannot run the New-X400AuthoritativeDomain cmdlet successfully in an Exchange Server 2007 environment if an X.400 address contains a space character
15. MS08-039: Vulnerabilities in Outlook Web Access for Exchange Server could allow elevation of privilege
16. You cannot resolve a sender name or a recipient name when the name belongs to an alternative domain tree in Exchange Server 2007
17. OVA announces "Unrecognized caller" in an Exchange Server 2007 environment even though Outlook and Outlook Web Access correctly resolve the caller address
18. External e-mail message senders receive an NDR when you select the Turkish language setting on a computer that is running Exchange Server 2007 Service Pack 1