Outlook Affliction

Various “discoveries” regarding Outlook and its functionality (or lack thereof):

  • Fax numbers as electronic addresses:  When you open the Address Book to address an email, you will see two entries for any contacts for which you have both an email address and a business fax number.  If you’re at all like the CEO of my company (or any other rational human being), you’re asking yourself “why on earth would I want to send an email to a fax number?”  Unfortunately, this behavior is by design.  It is intended to make fax numbers “first class” electronic addresses for fax-server/unified messaging scenarios.  It is hard-coded into a DLL for Outlook and cannot be turned off or changed.  The only real workaround is to put an F or “Fax” at the beginning of each fax number – the alpha character(s) prevent Outlook from recognizing the contents of the field as a valid fax number.  You could also store fax numbers in one of the other phone fields, as “Business Fax” is the only field that comes in for this special treatment.  Megaweak.
  • You know that drop-down of cached email addresses that you get when you start typing in the “To” field?  That’s populated from an NK2 file that stores addresses that you’ve either typed in or selected from “Contacts” or your Exchange OAB/GAB.  The thing is, when you select addresses from your Global Address Book, they’re not stored as regular SMTP addresses in the NK2 file.  Instead, they’re stored as Active Directory addresses pointing to the user object in AD.  The CN at the end of the address is a GUID-type string.  And guess what?  Outlook uses THAT CN as the search term when populating the drop-down.  So, for instance, “Alisa Hernandez” shows up when you type a “b” because her GUID starts with a B.  Awesome!
  • Office 2010 has a “compatibility issue” with Type 1 Helvetica fonts from Adobe.  Specifically, touching anything in Word or Outlook with text formatted with these (INCREDIBLY COMMON) fonts will cause a massive insta-crash, every single time.  Supposedly this issue will be fixed in SP1.  In the meantime, there’s a registry hack that will prevent the crashes.  Open HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes and delete the key that lists a font to substitute for Helvetica (usually Arial).

My feelings about these issues could best be summarized as “meh”.


Mobile Device Management

In Exchange 2003 SP2 (which introduced mobile device management), you can initiate remote wipes of mobile devices that are party to ActiveSync relationships.  HOWEVER, there’s a huge catch – if you don’t enforce a password requirement on your mobile devices, there are a whole slew of other policies that you can’t enforce – including remote wipes.

In Exchange System Manager under Global Settings, right-click on Mobile Services and click the “Device Security” button:


Although it doesn’t explicitly say so on this panel, if you don’t have “Enforce password on device” checked, the “Wipe” option will simply not appear in the Mobile Administration Console:



Speaking of PowerShell…

The Lazy Admin has a series of excellent brief introductions to administrative functions in PowerShell:

Part 1, Part 2, Part 3

Exchange Online’s absurd lack of administrative tools (plus a little PowerShell goodness)

Here’s what I have learned from our horrific experience migrating to Exchange Online: it’s great once you get there, but Microsoft clearly intends the migration process to be a gravy-train for consultants and “channel partners”.  The migration tools provided by Microsoft itself are hilariously weak and simplistic, but third party firms like MessageOps have all these bad-ass utilities for getting past the many (mostly undocumented) pain-points.

Which, you know, is awesome for firms like MessageOps (about which firm I cannot say enough good things, incidentally — Chad Mosman will answer your calls and emails like you’re his old buddy, and the guy has real answers instead of the call center scripts you get when calling MS).  But this also tells me that Microsoft created all the APIs and whatnot necessary to administer your Online Services subscription, and then just decided not to provide any tools that work against those interfaces, and that right there is some seriously weak sauce.  I have done greenfield deployments of Exchange 2003 and 2007, and migrations from 2003 to 2007 and 2007 to 2010, but NOTHING has been as fraught with difficulty as this move from on-premises Exchange 2003 to Microsoft’s Exchange Online.

Anyway, as is usually the case with Microsoft products these days, PowerShell turns out to be the solution to most of my troubles.  Example: there is no clear way in the Administration Center (or anywhere else) to grant one user permissions on another user’s mailbox, something Exchange administrators have been doing since the dawn of time.  And since MAYBE your existing permissions will be migrated by the “Migration Tools” and maybe they won’t, you’ll need to know how to do this:

First, you need to be doing this in PowerShell on a machine that has Microsoft’s sucky BPOS migration tools installed.  Also, you might need to launch PS as an administrator — I always do, anyway.  Add ye olde required snap-ins thusly:

Add-PsSnapIn Microsoft.Exchange.Transporter

Now define some variables to put together a credential that you can securely transmit to gain access to Microsoft Online:

$powerUser = "admin@mycompany.microsoftonline.com"
$powerPass = "YourWeakP@ssword"
$password = ConvertTo-SecureString $powerPass -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PsCredential -ArgumentList $powerUser,$password

Now the $cred variable is populated with an automation object suitable to log you in securely.  Finally, the good stuff:

Add-MsOnlineMailPermission -Identity sharedmailbox@mycompany.com -Credential $cred -TrustedUser guywhowantsaccess@mycompany.com -GrantFullAccess True -GrantSendAs True
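
The same grant without the password written into the script, as an added example (not the author's code or Microsoft's): the password is prompted for once and cached DPAPI-encrypted, so only the same Windows user on the same machine can read it back. The cache path, the addresses and the mailbox list are placeholders; the snap-in, cmdlet and parameters are the ones shown above.

```powershell
# Added example; not from the original post. Addresses and the file path are placeholders.
Add-PsSnapIn Microsoft.Exchange.Transporter -ErrorAction Stop

$adminUser = 'admin@mycompany.microsoftonline.com'
$pwFile    = Join-Path $env:USERPROFILE 'msonline-admin.pw'   # hypothetical cache location

if (Test-Path $pwFile) {
    # ConvertTo-SecureString without -Key decrypts with DPAPI (current user, this machine).
    $password = Get-Content $pwFile | ConvertTo-SecureString
} else {
    # Prompt instead of embedding the password in the script or command history.
    $password = Read-Host "Password for $adminUser" -AsSecureString
    $password | ConvertFrom-SecureString | Set-Content $pwFile
}
$cred = New-Object -TypeName System.Management.Automation.PsCredential -ArgumentList $adminUser, $password

# Mailbox -> users who need access (constructed sample data).
$grants = @{
    'sharedmailbox@mycompany.com' = @('guywhowantsaccess@mycompany.com')
}

foreach ($mailbox in $grants.Keys) {
    foreach ($user in $grants[$mailbox]) {
        try {
            Add-MsOnlineMailPermission -Identity $mailbox -Credential $cred -TrustedUser $user `
                -GrantFullAccess True -GrantSendAs True -ErrorAction Stop
            Write-Output "Granted $user full access and send-as on $mailbox"
        } catch {
            Write-Warning "Grant for $user on $mailbox failed: $($_.Exception.Message)"
        }
    }
}
```

Keeping the grants in one table also gives you a record of who was given full access and send-as rights, which is worth reviewing after the migration.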

Transmitting information…with LASERS!

Remember when fiber optics was something we’d have in The World of Tomorrow?

The reality:

Considerably less sexy, but still pretty rad!

Um…hi, WordPress!

Apparently, all Windows Live Spaces face a choice of either moving over here or, you know, eating the big one.  This kind of surprises me, but it’s no big deal, as I’ve run a self-hosted WordPress blog for years (mostly politics, which I try to keep very separate from my work life).  So here we are!  And since I had to move, I took the opportunity to change the name…“Nerdpocalypse!” is now “The Curious Admin”.  “The Confused Admin” would probably be more apt, but I am trying to market myself a bit here.

Anyhow…lots going on in my life.  I’m still studying for my MCITP exams, but some unfortunate developments made me feel like I needed to leave my old job sooner than I had hoped.  So, now I’m in the middle of a job hunt too!  I’ve got a second interview tomorrow for a position that I think would be a great fit for my skills, so hopefully my job hunt will be over as quickly as it began.

I’m going to be posting more in coming days.  As I have started job-hunting, I’ve realized that my unfamiliarity with VMware virtualization solutions is a real gap in my skills.  As a first step in addressing this gap, I’m converting my home lab setup from Hyper-V to ESXi, and I hope to come up with a few posts that might be helpful for folks like me who have virtualization experience on Hyper-V but are new to the world of VMware.

Happy Fun Time with Windows Server 2008 Server Core – Part II

So this post is probably going to be sort of boring – it’s mostly just odds and ends for getting your Server Core into a manageable state by configuring Windows Update and enabling various forms of remote administration.

Keeping Your Server Core Updated

I should preface this whole discussion by stating that in a production environment, you’d probably be using a WSUS server infrastructure to manage updates and patches for your servers and clients, and that’s definitely the easiest way to manage updates for Server Core.  Conversely, however, you probably don’t have WSUS set up in your test environment.  Since my test networks are fully virtual, I like to create a fully updated VM as a template, and then use that VM’s disk to create child differencing disks (in Hyper-V) or linked clones (in VMware Workstation) to provision my test set-ups — this saves a LOT of time, as you can spin up new servers and clients in minutes to test new configurations.

On a Server Core machine, you have to configure Windows Updates from (surprise!) the command line, but Microsoft has included a script that simplifies this task (and several registry settings) considerably.  It’s called scregedit.wsf, and while it’s not the most verbose or informative thing in the world, it does work as advertised.  To use scregedit.wsf, you have to move your command line to the directory where it is located:

cd c:\windows\system32

On Windows NT 6.0 (the 2008/Vista generation of Windows products), Windows Update has five basic modes, which correspond to five possible decimal values for the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions:

  1. Disabled
  2. Notify before downloading, notify before installing
  3. (Default setting on a full install) Download updates automatically and notify when they are ready for install
  4. Automatically download, automatically install on a specified schedule (default 3 AM)
  5. Allow local administrators to select the configuration mode.

Because Server Core lacks the Explorer.exe shell that provides the functionality for any sort of configuration or automatic notifications, options 2, 3 and 5 are unavailable.  With Server Core, your choices are 1 or 4, and 1 (disabled) is the default setting.

If you’re unsure about the current mode, type

cscript scregedit.wsf /AU /v

To set the machine to automatically download and install updates, type:

cscript scregedit.wsf /AU 4

That updates the registry setting, but for those settings to take effect, you need to restart the Windows Update service:

net stop wuauserv
net start wuauserv

At this point, you can either leave the VM running and let it auto-update itself (must be nice to have that kind of time!) or you can kick off update detection manually like so:

wuauclt /detectnow

You don’t get any progress indicator or reboot notifications, of course, so the only way to watch how things are going is to kick off taskmgr.  When the TrustedInstaller.exe process shuts down, you’re good to reboot.  Rinse and repeat.

Remote Management

Remotely managing a server core machine from a full-install Windows Server machine (or a Windows Vista or 7 machine) is the easiest and most enjoyable route in the long run, but it takes a little configurin’ on the Server Core box itself.  As is the case in ALL remote management scenarios, this will be precisely one billion times easier if the server and the management console belong to the same domain. 

I should also note that if you’re using the Server Core version of Windows Server 2008 R2, the sconfig.exe utility greatly simplifies this whole area.  Use it.

First, we want to be able to control the firewall settings from a remote MMC console, so we’re going to enable remote administration of the Windows Advanced Firewall:

netsh advfirewall set currentprofile settings remotemanagement enable

Now you can create new firewall rules, etc., from a remote system. 

Next, we want to configure general remote management settings:

netsh advfirewall set rule group="Remote Administration" new enable=yes

Finally, we want to enable remote desktop access just in case we want to remote in for some command-line suffering.  This is another easy one thanks to scregedit.wsf.  Just remember to cd to %windir%\system32 and type

cscript scregedit.wsf /AR 0

0 enables RDP, whereas 1 disables it.

And now you can remotely manage your Server Core!  I know, try to control your excitement.
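
A check, run from the management machine, of what the Windows Update and Remote Desktop steps above left behind; this is an added example, not part of the original post. The server names are placeholders, fDenyTSConnections and UserAuthentication are the standard Terminal Server registry values (not named in the post), and it assumes remote registry access to the targets.

```powershell
# Added audit example; not from the original post. Server names are placeholders.
# Reads only the local-setting keys; WSUS/Group Policy settings live elsewhere.
$auModes = @{ 1 = 'Disabled'; 2 = 'Notify before download'; 3 = 'Download, notify before install'
              4 = 'Scheduled automatic install'; 5 = 'Local admin chooses' }

function Get-RemoteRegValue {
    param([string]$Computer, [string]$SubKey, [string]$Name)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }          # key absent on this host
        try { return $key.GetValue($Name) } finally { $key.Close() }
    } finally { $hklm.Close() }
}

function Test-ServerCoreBaseline {
    param([string[]]$ComputerName)
    $wu = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $ts = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    foreach ($c in $ComputerName) {
        $findings = @(); $mode = 'unknown'; $rdp = 'unknown'
        try {
            $au   = Get-RemoteRegValue $c $wu 'AUOptions'
            $deny = Get-RemoteRegValue $c $ts 'fDenyTSConnections'
            $nla  = Get-RemoteRegValue $c "$ts\WinStations\RDP-Tcp" 'UserAuthentication'

            if ($au -ne $null -and $auModes.ContainsKey([int]$au)) {
                $mode = "$au ($($auModes[[int]$au]))"
            }
            # On Server Core only modes 1 and 4 apply, and 1 (disabled) is the default.
            if ($au -ne 4) { $findings += 'automatic updates are not in mode 4' }

            if ($deny -eq 0) {
                $rdp = 'enabled'
                if ($nla -ne 1) { $findings += 'RDP is enabled without Network Level Authentication' }
            } elseif ($deny -ne $null) { $rdp = 'disabled' }
        } catch {
            $findings += "registry not reachable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Computer = $c; UpdateMode = $mode; Rdp = $rdp; Findings = ($findings -join '; ')
        }
    }
}

Test-ServerCoreBaseline -ComputerName 'CORE01', 'CORE02' |
    Format-Table Computer, UpdateMode, Rdp, Findings -AutoSize
```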