TECHPRO.MS

Please go to our Mailbox Server Role Storage Requirements Calculator updates tracking page to see what is in this new version! There are a lot of usability improvements as well as a whole new section on Storage Design.

A blog post explaining the calculator (updated for this new version) is here and the calculator can be downloaded from here.

Comments welcome!

- Ross Smith IV

Share this post :

I’m excited to announce that the Network Monitor 3.2 Beta has released. There are some exiting new features listed below of which many I have already spoken about in this blog:

http://blogs.technet.com/netmon/archive/2007/12/28/santa-s-bag-was-full.aspx

One feature I didn’t mention is our new capture buffer to avoid dropping frames. After adding our drop frames counter, we found out under certain busy situations it would go above zero and we just couldn’t have that. We now buffer the frames before parsing and displaying them. While this does add some complexities to capturing, it insures that packets are more reliably captured which is obviously very important. I will blog about this feature specifically, but I wanted to call it out here. Where are the bits?

As usual we are hosting our beta at http://connect.microsoft.com under the Network Monitor 3 Project. If you are already signed up, you should have it listed on the main page. If not, look for the project and join up with us to help us find bugs. There is also a web page forum front end to our newsgroup if you need to get support or ask general questions. What’s New since Netmon 3.1

• Process Tracking: View all the processes on your machine generating network traffic (process name and PID).  Use the conversation tree to view frames associated with each process.

• Find conversations:  Quickly isolate frames in the same network conversation.  Isolate TCP streams, HTTP flows etc.

• PCAP capture file support
• Capture engine re-architecture to improve capture rate in high-speed networks.   Network Monitor 3.2 drops significantly fewer frames that NM3.1
• Extensive parser set:  Parsers for over 300 protocols!  Parsers for the protocols covered by the Windows Open Protocol Specifications (see http://msdn.microsoft.com/en-us/library/cc216517.aspx).
• NM API: Create your own applications that capture, parser and analyze network traffic!
• Better parser management:  By default only a subset of parsers are loaded.  You can load the full parser set by changing the parser search order in Tools>Options>Parser
• Support for frame truncation.  Go to Tools>Options and limit the number of bytes captured per frame to improve performance.
• More extensive documentation of the NPL which includes documentation on the new NMAPI.  Access the documentation from Help > NPL and API Documentation
• Enhanced filtering on items within NPL while loops or arrays.  You can specify an index into the array or while loop to filter on
• IA64 version now available.
• ContainsBin Plug-in:  Search frames for arbitrary byte sequences or strings. For example, ContainsBin(FrameData, ASCII, “msn”).
• More UI indications of conversation status, dropped frames and the number of frames in the capture buffer.

• … and more.  See our Release Notes in the NM3.2 installation directory for a complete list of new features and known issues with the Beta.

Enjoy!

The Network Monitor Team

Every so often, a question comes up for us that are running this blog: how do you do it? What is the process that you follow for your blog posts? Where do you get ideas from?

Recently - as part of the INTERACT2008 conference, I had a chance to present on this subject to Exchange/UC bloggers. I then made a mental note that we should talk about this on the blog too. After all - there is nothing top secret here and I believe you (our readers) might enjoy it. So let's get started:

Where do we get ideas from?

Ideas for blog posts fall into several categories (listed below). The subjects that we post about are also quite influenced by our release cycles. For example - just before we have a major release (like Exchange 2007 or SP1) you can fully expect that we'll be talking about that major release a lot. We do this because we are trying to make you comfortable with the technology and also to provide the information you need so that when the product is released, you have extra resources that are easy to find.

I have tried to put the overall idea sources categories in the order of "how many" we get from which source. As explained above, that can vary heavily:

• Blog audience - this is stuff you submit to us using this page. We love those. Keep it up!
• Support organization - we work closely with support folks to get clarifications, alerts, solutions of current issues etc.
• Individual employees - those are "one-off posts" where any internal Exchange-related individual can write something up and submit it for posting on the blog. A lot of "pre-release" posts fall into this category, where various Devs, PMs or Beta engineers might want to write about their components.
• Product group announcements.
• Browsing internal discussion groups and following up with authors that are specialists and are answering technical questions that we find interesting.

What process do the posts go through?

I am proud to introduce you to our Simplified Blogging Process v 11.7 Rev. IV:

Simple, huh? OK so that was a joke... now seriously, this is what we actually do:

To go a little more into those steps:

• Idea - we get the ideas as described above.
• Finding the author - Once we have identified the suggestion as a good blog post, we figure who would be the best person to write about it. Depending on what it is - this might fall anywhere from Dev to Support or Marketing. Or anywhere else in between. I don't think there is a group in our internal Exchange world that we did not tap into for content.
• Getting it written - Here's the tricky part - this consists of work on the part of the writer and sometimes the work on the part of the Blog team, as there are times when people might need a reminder or three <g>.
• Technical review - Since the Exchange team blog is a technical blog - this is super important. Every blog post gets a technical review (some get a few). Depending on the subject who the writer is as well as the release state of the product - reviewers come from specialists anywhere from Dev, PM, Support Services or - anyone else within Microsoft that is really good in the component being talked about.
• Marketing review - this is something that we usually do when we are talking about pre-release products only. For example, when we RTMed Exchange 2007, our SP1 posts went through Marketing review. But once SP1 RTMed, they did not have to anymore. The idea here is that we have to try strike the balance between what we as technical geeks want to write about and what we as a company are ready to announce or discuss at pre-release time (the decision around this usually depends on "is this feature set in stone already?"). This has been a very painless process for everyone involved.
• Posting - self explanatory... once the post is ready, it gets put into a posting queue and then it goes out when it's time comes. Rarely do we have posts that we want to hold until specific date/time but it has happened. Oh yeah, we use Windows Live Writer to post.
• Follow-up, Updates - this is what happens to the post once it has been posted. We get notifications if there are comments, and someone reads them all. Writers are engaged if clarifications or answers are needed. We might update the post at the later time based on feedback or some later change that impacts the post subject.

Note that some of the arrows in this chart go both directions. That is because posts can go both ways - if for example technical review sends the post back with a lot of changes - it goes back to the writer who makes the corrections and then it is off to technical review again.

How long does all this take? It might take anywhere from 45 minutes to few months.

That's it? Where is the red tape?

Seriously - that is it. We do not do any other stuff with posts really. There is no mandate around post subjects and we are really trying to let our readers (you!) drive that as much as possible by listening what you are asking for. There is also no editing by professional editors of everything that we post - although a couple of us that have been doing this for a while do read through all posts before posting and do go after obvious language issues or typos of course.

Hopefully this answers some of your questions you might have had on how we run this place. It has been a great ride for us and hopefully for you too. Thanks for coming! Now send us a blog post suggestion!

- Nino Bilic

Share this post :

Customers tell us that energy-efficient computing is a top priority for them as they look to control energy costs and reduce their impact on the environment. With Windows Server 2008 we feel we have some very compelling technologies such as Server Virtualization with Hyper-V and the native Power Management capabilities of the platform, that are on by default, which will allow organizations to realize true power savings benefits.

We have been working across multiple teams at Microsoft since last October, and are pleased to release today; a new whitepaper (download link) that outlines the key power savings benefits of Windows Server 2008, which has been designed with energy efficiency in mind.  In this whitepaper we explore how Windows Server 2008 provides customers with a number of new power-saving features including:

· Support for Processor Performance States (P-states): Windows Server 2008 has the native ability, turned on by default, to throttle the amount of voltage to the CPU based on load. Ten times every second, Windows Server 2008 is evaluating the workload on the processor and adjusts the P-States accordingly.  Our testing has shown up to a 10% power savings increase from Windows Server 2003 to Windows Server 2008 while maintaining a comparable level of throughput (performance).

· Server Virtualization with Hyper-V: The implications of these results are significant: if multiple virtual machines can run on a single physical machine without consuming significantly more power than a standalone server while keeping comparable throughput, that means you can add virtual machines at essentially no power cost, as dictated by your hardware and performance needs. The savings continue to scale with the number of servers you are able to virtualize. Running 4 virtual machines means saving the equivalent power output of three physical servers; running 10 virtual machines means saving the equivalent power output of 9 physical servers. Plus, Hyper-V can still throttle the amount of voltage to the CPU based on load – which is something VMware and Xen can NOT do today.

· Support for Advanced Configuration and Power Interface (ACPI) processor power management (PPM): We can fine-tune the power profiles of both Windows Server and Windows Vista through Group Policy allowing organizations to tailor the Power Profile of their systems.  How do you tailor the power settings within Windows Server for the best Power/Performance settings in mind?  The default settings are great in most situations, but you can check out the Windows Server Tuning Guides that have recently been updated for Power Management and Hyper-V settings.

In all, the whitepaper shows us that the inherent power management and virtualization capabilities of Windows Server 2008 can lead to cost and energy savings across the board.

Supporting the whitepaper, which is in .docx or .pdf format, we have 3 appendixes that contain the raw power management data derived from the tests: (Download Link)

• Windows_Server_2008_Power_Savings.docx
• Windows_Server_2008_Power_Savings.pdf
• Appendix_A_-_Test_Results_Spreadsheet.xlsx
• Appendix_B_-_System_Information_and_Test_Tools.docx
• Appendix_C_-_Throughput.xlsx

With Windows Server 2008 we have come a long way with our Power Management capabilities....especially when contrasted to Windows 2000 and Windows Server 2003.  As we look to future versions of the Server OS, Power Management will be a core tenet of our development efforts.

Ward Ralston & Eric Rezabek

Hello! This is Tami Gallupe (MSRC Release Manager) and I want to let you know that we just posted our June 2008 Bulletins.  We released seven bulletins today, which includes three bulletins with severity rating of Critical three bulletins with severity rating of Important and one with the severity rating of Moderate.

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> 

Here is a summary of what we released:

 

MS08-030: Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)

-          Rating: Critical

-          Impact of Vulnerability: Remote Code Execution

 

MS08-031: Cumulative Security Update for Internet Explorer (950759)

-          Rating: Critical

-          Impact of Vulnerability: Remote Code Execution              

 

MS08-032:  Cumulative Security Update of ActiveX Kill Bits (950760)        

-          Rating: Moderate

-          Impact of Vulnerability: Remote Code Execution

 

MS08-033: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)          

-          Rating: Critical

-          Impact of Vulnerability: Remote Code Execution

 

MS08-034: Vulnerability in WINS Could Allow Elevation of Privilege (948745)

-          Rating: Important

-          Impact of Vulnerability: Elevation of Privilege

 

MS08-035: Vulnerability in Active Directory Could Allow Denial of Service (953235)

-          Rating: Important

-          Impact of Vulnerability: Denial of Service

 

MS08-036: Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)

-          Rating: Important

-          Impact of Vulnerability: Denial of Service             

 

We also re-released MS06-078 and MS07-068 with a detection only changes.

 

Delving "under the hood" this month, our Security Vulnerability Research & Defense blog this month discusses MS08-036, MS08-033, and MS08-030. You can read about these and more at http://blogs.technet.com/swi/.

 

While we're talking about updates and blogs, I’ll also mentioned that we’ve provided new Knowledge Base (KB) articles that document installation procedures for any possible future SQL Server security updates for Microsoft SQL Server 7, Microsoft SQL 2000 or Microsoft SQL Server 2005. In particular, there are steps that SQL Server 2000 and SQL Server 2005 administrators can take in advance that could help expedite deployment of any possible future security updates.  We encourage all SQL administrators to review all these (KB) articles and consider following the steps now to better prepare for any future SQL Server updates that may be released in the future. Additional information can be found by clicking the below links.

 

·         SQL Server 2000 and MSDE 2000 installers stop dependent services

·         SQL Server 2005 installers stop dependent services

·         SQL Server 2000 installers will not update disabled SQL Server instances

·         SQL Server 2005 installers do not update an instance of the SQL Server service that is in a disabled state

·         Supported method for applying updates to SQL Server 7.0

 

As usual, I also want to remind that our monthly webcast that starts tomorrow (Wednesday, June 10th) at 11:00 AM PST.  This is a favorite event as it gives us a chance to take questions and answer them live, on the air tomorrow. Click here to Register now for the June Security Bulletin Webcast.  We look forward to hearing from you tomorrow.

 

Cheers!

  Tami

 

*This posting is provided "AS IS" with no warranties, and confers no rights.*

In our last post, we talked about Pages and Page Tables.  Today, we’re going to take a look at one of the most common problems when dealing with virtual memory – the Page Fault.  A page fault occurs when a program requests an address on a page that is not in the current set of memory resident pages.  What happens when a page fault occurs is that the thread that experienced the page fault is put into a Wait state while the operating system finds the specific page on disk and restores it to physical memory.

When a thread attempts to reference a nonresident memory page, a hardware interrupt occurs that halts the executing program.  The instruction that referenced the page fails and generates an addressing exception that generates an interrupt.  There is an Interrupt Service Routine that gains control at this point and determines that the address is valid, but that the page is not resident.  The OS then locates a copy of the desired page on the page file, and copies the page from disk into a free page in RAM.  Once the copy has completed successfully, the OS allows the program thread to continue on.  One quick note here – if the program accesses an invalid memory location due to a logic error an addressing exception similar to a page fault occurs.  The same hardware interrupt is raised.  It is up to the Memory Manager’s Interrupt Service Routine that gets control to distinguish between the two situations.

It is also important to distinguish between hard page faults and soft page faults.  Hard page faults occur when the page is not located in physical memory or a memory-mapped file created by the process (the situation we discussed above).  The performance of applications will suffer when there is insufficient RAM and excessive hard page faults occur.  It is imperative that hard page faults are resolved in a timely fashion so that the process of resolving the fault does not unnecessarily delay the program’s execution.  On the other hand, a soft page fault occurs when the page is resident elsewhere in memory.  For example, the page may be in the working set of another process.  Soft page faults may also occur when the page is in a transitional state because it has been removed from the working sets of the processes that were using it, or it is resident as the result of a prefetch operation.

We also need to quickly discuss the role of the system file cache and cache faults.  The system file cache uses Virtual Memory Manager functions to manage application file data.  The system file cache maps open files into a portion of the system virtual address range and uses the process working set memory management mechanisms to keep the most active portions of current files resident in physical memory.  Cache faults are a type of page fault that occur when a program references a section of an open file that is not currently resident in physical memory.  Cache faults are resolved by reading the appropriate file data from disk, or in the case of a remotely stored file – accessing it across the network.  On many file servers, the system file cache is one of the leading consumers of virtual and physical memory.

Finally, when investigating page fault issues, it is important to understand whether the page faults are hard faults or soft faults.  The page fault counters in Performance Monitor do not distinguish between hard and soft faults, so you have to do a little bit of work to determine the number of hard faults.  To track paging, you should use the following counters: Memory\ Page Faults /sec, Memory\ Cache Faults /sec and Memory\ Page Reads /sec.  The first two counters track the working sets and the file system cache.  The Page Reads counter allows you to track hard page faults.  If you have a high rate of page faults combined with a high rate of page reads (which also show up in the Disk counters) then you may have an issue where you have insufficient RAM given the high rate of hard faults.

OK, that will do it for this post.  Until next time …

Additional Resources:

• MSDN: Working Set (Windows)
• TechNet: Memory Monitoring Specifics

- CC Hameed

Share this post :

Thought TechEd was as good a time as any to give you all some great news…I’VE BEEN UPGRADED! <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

 

Well, it’s been a crazy few months since the Windows Server 2008 RTM. I kept wondering why they were letting me hang around – what business does one Windows Server 2003 have in a farm of WS08s? It was just embarrassing. But there I was, clinging to the remote desktop port on the corporate firewall like Milton to his red swingline stapler.  Then one day the engineers caught wind that I was shopping around for a new job and it all became clear. Wayne, one of the IT guys, pulled me aside and told me that is was in my best interest to cut the whole “woe is me” song and dance.

 

Wayne explained that as the last WS03 server I had an important role at Microsoft.com – I had to try my hardest to prove that WS03 performed as quickly as WS08.  At first I was a little hopeless, but then Wayne then told me the best part – if I won, I get to bask in the glory of winning, but if I lost, there was a good chance that I’d be sent down upgrade row.  I realized I couldn’t lose!  For a minute I thought about throwing the race to expedite my upgrade, but I knew that there are still a lot of WS03s out there and I wouldn’t want my crew to get a bad rep. So I rolled up my sleeves, drank a couple cups of coffee, listened to that song, “Eye of the Tiger” and then I gave it all I had! 

 

Long story short, I just couldn’t keep up with the WS08s. Wayne told me that it all came down to “efficiency” or “cost” of the number of requests per CPU cycle. Looks like WS08 is over 10% more efficient then I am in handling live web platform traffic for www.microsoft.com. Wayne explained that this improved efficiency helps enterprise customers reduce their server footprints in datacenters and ultimately reduces the overall cost of running their site/s.  You can read more about the race results here.

 

So now I am upgraded! For all you ‘03s out there don’t worry…it didn’t hurt a bit!   They said it would just be a Day Upgrade under local anesthetic, and they were right!   Within hours after the procedure I was up and helping on Microsoft.com.  I feel 5 years younger.  The WS08 team even got me a card to welcome me aboard. Everyone signed it.  Shucks.  One person wrote “wishing you a speedy recovery”— I didn’t realize the irony of that slogan until I booted up again!  I AM faster!

This week, TechED 2008 IT Professionals is going on in Orlando, Florida. If you did not make it there, you can still keep up with latest and greatest news announced there by going to TechED Online site:

http://www.microsoft.com/techedonline/default.aspx

There are keynote clips, links to various feeds (News, Videos, Podcasts) - in other words, you can still learn quite a bit without traveling too.

Also, check out these blogs for information about what is going on each day at TechED:

 

Bharat Suneja's blog 
Scott Schnoll's blog

 

Scott and Bharat, along with a couple of other folks from the Exchange team, will be working hard to put up some blog posts of what is going on throughout the day, along with some interesting events they may have seen or heard about. We will also try to put up a couple of summary reports of the day's events from the perspective of these folks... stay tuned!

- Nino Bilic

Share this post :

949429  The virtual IP address of a Windows Server 2008 NLB cluster is bound to the NetBIOS host name of a particular server or of multiple servers

947028  How to restrict SSTP connections to a specific IP address in Windows Server 2008

950826  You cannot establish an IPsec connection between a Linux operating system and a Windows Vista operating system when you initiate the connection from the Linux operating system

950319  On a multiprocessor computer that is running Windows Vista or Windows Server 2008, a network connectivity failure occurs randomly when you run certain utilities

953791  Device Manager and Network Connections may be blank after you install Windows XP Service Pack 3

- Mike Platts

Over the course of our posts on Memory Management and Architecture, we have made several references to Page Tables and Page Table Entries (PTE’s).  Today we’re going to dig into Pages and Page Tables.  If you are new to Memory Management, or need a quick refresher on the basics, I strongly recommend reviewing our Memory Management 101, Demystifying /3GB and x86 Virtual Address Space posts first.

When a program is first loaded, the logical memory address range of the application is divided into fixed size units called pages.  As each page is referenced by a program, it is mapped to a physical page that resides in physical memory.  The mapping is dynamic which ensures that logical addresses that are frequently referenced reside in physical memory.  Remember that each individual process that is launched is allocated its own virtual address space and application program threads are only permitted to directly access the virtual memory locations that are associated with their parent process’ address space.  This is where Page Tables come into play.

Page Tables are built for each process address space.  The Page Table maps logical virtual addresses for a process to physical memory locations.  The location for a set of Page Tables for a process is passed to the processor hardware during a context switch.  The processor refers to the Page Tables to perform virtual to physical address translation as the process threads are executed.  At this point, there are a few terms to become familiar with when dealing with Pages and Page Tables:

• Working Set Pages:  The active pages of a process currently backed by RAM (also known as Resident Pages)
• NonResident Pages:  Virtual memory addresses that are allocated, but not backed by RAM
• Committed Pages: Pages that have Page Table Entries.  Committed Pages may be either resident or nonresident

As we mentioned above, Virtual Memory Manager ensures that logical addresses that are frequently referenced reside in physical memory.  It does so through the use of a Least Recently Used (LRU) page replacement policy.  The VMM also attempts to maintain a pool of free or available pages to ensure that page faults (which we will cover in our next post) are resolved rapidly.  When the virtual pages of active processes overflow the size of RAM, the Memory Manager tries to identify pages that are older or inactive that are candidates to be flushed from physical memory and stored on disk.  A copy of inactive virtual memory pages is held in the paging file.  The operating system checks to see if a page that it temporarily removed from the process working set has been modified since the last time that it was stored in the page file.  If the copy in the page file is current, there is no need to re-copy the contents to disk before removing them from physical memory.

All this seems fairly straightforward – and if the Memory Manager is successful in keeping the active pages of processes in RAM then the Memory Manager’s operations do not affect the user experience.  However, if there is insufficient physical memory to hold the active pages of running processes, then the system will exhibit performance degradation.

With that, we’re going to wrap up this post.  In our next post, we’ll discuss Page Faults.  Until next time …

- CC Hameed

Share this post :

Hello, Bill here.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, June 10, 2008 around 10 a.m. Pacific Standard Time.

It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release:

 

·        Three Microsoft Security Bulletins rated Critical, three Important, and one Moderate. These updates may require a restart and will be detectable using the newly released version of the Microsoft Baseline Security Analyzer.

 

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

 

Finally, we are planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.

 

As always, we’ll be holding the June edition of the monthly security bulletin webcast on Wednesday, June 11, 2008 at 11 a.m., Pacific Standard Time.  We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well.

 

You can register for the webcast here:

 

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032357225&Culture=en-US

 

Thanks,

 

Bill Sisk

*This posting is provided "AS IS" with no warranties, and confers no rights.*

The Exchange Server documentation team is pleased to announce updates to the Exchange Server content.

To see what content has changed for Exchange Server 2007 with Service Pack 1, take a look at Exchange Server 2007 Documentation Updates.

To see what content has changed for Exchange Server Analyzer, take a look at Exchange Server Analyzer Topic Updates.

In particular, we would like to highlight the following new or updated topics:

• Overview of Namespace Planning: Planning your namespaces involves examining your physical and logical network structure and choosing an organizational topology. This article presents several different topologies and provides information about how using the different topologies would affect your Exchange organization.
• How to Move a Client Access or Hub Transport Server to a Different Site: Added a step to set the Client Access server Autodiscover site scope due to Active Directory Site change.
• How to Perform a Dial Tone Recovery Using and Staying on an Alternate Server for the Dial Tone Database: Fixed incorrect example code by using Get-Mailbox instead of Get-MailboxStatistics.
• How to Seed a Standby Continuous Replication Target: Updated topic to specify that seeding with Update-StorageGroupCopy should be done on SCR target computer. Also, corrected permissions section that incorrectly referenced CCR.
• How to Upgrade a Single Copy Cluster to Exchange 2007 SP1: Removed step for starting Windows Firewall service, because that step is not needed.
• Planning for Cluster Continuous Replication: Removed old guidance to use DNS CNAME record for file share witness alias in UNC path.
• How to Configure the Node and File Share Majority Quorum: Removed old guidance to use DNS CNAME record for file share witness alias in UNC path.
• How to Configure Network Connections for Cluster Continuous Replication: Fixed incorrect configuration steps for the private network by specifying that Client for Microsoft Networks and File and Print Sharing need to be cleared.
• Applying Exchange 2007 Update Rollups to Clustered Mailbox Servers: Fixed incorrect statement, "The amount of downtime varies based on how long it takes each organization to perform the installation procedure for the entire cluster," by stating that the true downtime is only for as long as it takes to move the CMS between nodes and have it brought online.
• How to Configure Deleted Item Retention for a Mailbox Database: Fixed incorrect example code by using -DeletedItemRetention instead of -ItemRetention.
• Understanding How Transport Rules Are Applied in an Exchange 2007 Organization: Text added to clarify rules only have access to envelope headers in encrypted messages. "Transport rules can access envelope headers contained in encrypted messages, and process messages based on predicates that inspect them. Rules with predicates that require inspection of message content, or actions that may modify content, cannot be processed."
• Help Reference - Recipient Properties > Mailbox Settings Tab > Messaging Records Management (RTM): Removed incorrect information about pre-Outlook 2003 SP2 clients not being able to access a mailbox if Managed Folder Mailbox Policy is applied to the mailbox. Modified to state that older clients do not support Managed Custom Folders (similar text as seen in dialog box when a policy is being applied).

You can see these articles and other Exchange Server documentation content in the Microsoft Exchange Server TechCenter.

The following downloads are also available for SP1 content:

• Microsoft Exchange Server 2007 Service Pack 1 Help
• Microsoft Exchange Server 2007 Service Pack 1 Shell Help

BTW, if you haven't noticed, all our topics in the Exchange Library now have a "Topic Last Modified" date at the top of the topic. And, if you wonder which topics apply to Exchange Server 2007 with Service Pack 1, we now have an "Applies to" tag for Exchange 2007 content.

You can now annotate topics in the Exchange Server 2003 and Exchange Server 2007 documentation. Scroll to the Community Content section at the end of any topic in the Exchange Server Library, and click Add Community Comment. You'll be asked to sign in with your Windows Live ID and to register as a participant. Then, share your insights with the Exchange community.

- Cathy Anderson, Content Release Manager, Exchange User Documentation

Share this post :

If you've wanted to know more about why high item counts and restricted view requests can impact the performance of your Exchange environment, we've just released some detailed information about the behavior you may see as item counts in your critical path folders grow. Critical path folders include the Calendar, Contacts, Inbox, and Sent Item folders. Restricted views are data views that restrict information based on search criteria that result in views of only a subset of items in a folder. Performance issues related to these situations are frequently related and can become visible to end-users in the form of slow client access and the dreaded RPC dialog-box popping-up. It only takes a few users who have abnormally high item counts in their critical path folders to cause performance issues which are felt throughout your whole Exchange organization. Learn more about the issue in the topic Understanding the Performance Impact of High Item Counts and Restricted Views: http://technet.microsoft.com/en-us/library/cc535025(EXCHG.80).aspx

- Tom Di Nardo

Share this post :

...YOU.

We've just opened up the Exchange 2007 product library to community annotation.  That gives you the ability to add content to our topics that you think others might find helpful.  The basic idea here is allow members of the Exchange community to share their knowledge and experience by adding relevant information to specific topics.

The process is straightforward:   The first time you click on the "Add Community Content" link at bottom of a topic (shown in the screen shot below), you'll be asked to register as a participant (you sign in with your Microsoft Live ID).   From then on, you'll be able to add information about topics that you feel others would benefit from having.   Within moments of typing in an entry, you (and everyone else reading the topic) will be able to see your contribution as entered on the page.

Here is the page section you should use for this (click to see bigger version):

By the way, this new annotation option isn't intended to replace the existing content feedback process.   That process (see the five-star widget on every page that reads "Click to Rate and Give Feedback") is still the best way to let us know whether a particular topic has or hasn't been helpful, and why.  Our Exchange UE team reads and evaluates all the feedback it gets through that channel, and a lot of our content improvements originate that way.  Microsoft people will be reviewing the Community Content for appropriateness, but not to identify content bugs. 

Keep in mind, too, that when you have a specific Exchange question that you haven't found answered in the core content, you can log on to an Exchange forum and pose your question directly to others working with Exchange.

So-to summarize: Continue to use the feedback chrome to rate and critique our content.  When you can't find an answer to your question in the core content and you need the information quickly, go to an Exchange forum and ask your question directly.   And when you've got valuable information to share on a particular topic, consider adding it via the community annotation option. 

Thanks.

- Tim Lulofs

Share this post :

I am sure we have all seen access violations occur since we took ownership of our first x86 PC's.  The infamous "Bluescreen", application crashes, it doesn't really matter, access violations are all over the place.  For any of you that remember the good old Windows 9x days, a General Protection Fault and Invalid Page Fault are basically the same thing (and a segmentation fault too).  To many people, the phrase 'access violation' is synonymous with "crash". But what exactly is an access violation?

To put it simply, an access violation occurs any time an area of memory is accessed that the program doesn't have access to.  This can be due to bad code, faulty RAM or even a bad device driver. It really doesn't matter who the culprit is, the root issue is basically the same.  For instance, memory location zero is reserved for the operating system, so any application that tries to access this address will crash with an access violation.  The problem with this is that it is very easy to end up with a value of zero.  If you set a pointer and initialize the value to NULL (which is 0), then try to access it, you will crash in this fashion.  We call this a NULL Pointer and it is very common. The error you will receive should be similar to the following:

Unhandled exception at 0x00032b15 in Application.exe: 0xC0000005: Access violation reading location 0x00000000

This states that the program Application.exe, which was loading at the arbitrary address 0x00032b15, attempted to read address 0x00000000.  The code 0xC0000005 is the code for access violation, so expect to see this quite a bit.  In a memory or user dump, you may see if referred to as STATUS_ACCESS_VIOLATION.  This type of error can occur when either reading or writing, so it is pretty common.  Below is an example of how this may look in a bugcheck dump, by simply doing a "!analyze -v". In this case, it was due to a driver fault causing an access violation.

You will also get an access violation if a program triggers Data Execution Prevention (DEP).  This is a feature that uses both hardware and software to minimize the threat of malicious code like viruses.  How this works is that memory locations can be marked as being used either for executable code or for data.  Viruses commonly dump their payload into a data location and then execute it from there (like in a buffer overflow scenario).  This is exactly what DEP is designed to prevent.  If something tries to execute code from a data location, DEP will trigger an access violation to protect the system.  The reason this is important to us is that some applications do the same thing simply due to the application's programmer not quite following the rules.  For instance, if an application dynamically generates code, such as in a Just-In-Time scenario, and do not explicitly mark the code as executable, they will run into the Wall of DEP (OK, I couldn't resist the pun).

I hope this helps explain some of the common causes of access violations.  See you next time.

- Tim Newton

Share this post :

949821  Two options in the “Customize Advanced Key Exchange Settings” dialog box are truncated on a computer that is running the Russian version of Windows Vista Service Pack 1 (SP1) or the Russian version of Windows Server 2008

949825  The Notify window in the DNS Manager is clipped in the Italian version of Windows Server 2008

949796  If you are running the Czech version of Windows Server 2008, you cannot locate the "Add" and "Remove" buttons on the "Server Farm" tab in the TS Gateway Manager component

942835  When client computers try to access resources on a Windows Server 2003-based file server, the Server service on the file server may stop responding

- Mike Platts

This has been discussed / asked about several times on this blog (namely in various posts comments) - so I wanted to make sure you knew that this was now released. You can find the download here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=94274318-27c4-4d8d-9bc5-3e6484286b1f&DisplayLang=en

This is of course an optional component, not everyone needs it. If you have been waiting for the package that installs on Windows 2008, the wait is over.

Thanks for the tip, Scott!

Update: I also just learned that Stephen Griffin has documented a lot of tips about this release on his blog. Check it out.

- Nino Bilic

Share this post :

Hi,<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

This is Tim Rains.

Very quickly, I wanted to let you know that we’ve just posted Microsoft Security Advisory 953818. This security advisory talks about new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari web browser for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default: it must be installed independently or through the Apple Software Update application.

If you run Safari on the affected platforms, we encourage you to review this advisory.

We’ve activated our Software Security Incident Response Process (SSIRP) and are working with our colleagues at Apple to investigate the issue. We have identified steps customers can take to protect themselves in the workaround section of the advisory.

We are currently not aware of any attacks and are monitoring the issue and are working with our MSRA partners to help protect customers. We will update the advisory and this blog as new information becomes available.

Tim

*This posting is provided "AS IS" with no warranties, and confers no rights.*

The Purpose

Hello,

Our names are David Pracht and Steve Martin.  As Networking Support Professionals at Microsoft we support IPSec but historically it has not been a high call generator.  We designed this lab to explore an increasingly popular scenario – IPSec Domain Isolation. While it can be the most difficult scenario to deploy it is also very tempting to have the ability to protect all the traffic in your network without requiring specific application support.  The reality is somewhere in between and we wanted to see if we could identify where people might encounter issues and document in a series of posts any problems we uncover while attempting to setup this scenario.

Domain Isolation vs. Server Isolation

IPSec provides technological support to implement a number of scenarios that improve enterprise network security:

■ Secure Server to Server: IPSec can be used to encrypt traffic between two servers.  An example of this is Outlook Web Access and Exchange.  All communications between the OWA server and the Exchange server could be authenticated and encrypted.

■ Server Isolation: IPSec can be used to isolate a server from unauthenticated (and possibly rogue) clients.  A good example of this is a line of business application server.  The application server would only grant access to machines that belong to the domain.  All other clients would not be able to even establish a TCP connection; guaranteeing the application server is isolated from the unknown clients.

■ Domain isolation: IPSec can be used to isolate domain members from non-domain members.  All domain members would be able to connect to each other securely.  Non-domain members would not be able to connect to any domain machine, as they are not successfully authenticated.  However, domain members may be able to connect to non-domain servers.

Why Domain Isolation is becoming more popular

Despite the historical difficulties in deploying an administering IPSec it has some compelling features and is becoming easier to implement.

Here are some of the benefits provided by IPSec:

■ Defense-in-depth against vulnerabilities in upper-layer protocols and applications.

IPSec protects upper layer protocols, services, and applications.  With IPSec enabled, initial communication packets to access an application or service running on a server, for example, will not be passed to the application or service until trust has been established through IPSec authentication and the configured protection on packets for the application or service have been applied.  Therefore, attempts to attack applications or services on servers must first penetrate IPSec protection.

■ Requiring peer authentication prevents communication with untrusted or unknown computers.

IPSec security requires peers to authenticate their computer-level credentials prior to sending any IP-based data.  By requiring peer authentication using credentials based on a common trust model, such as membership in an Active Directory domain, untrusted or unknown computers cannot communicate with domain members.  This helps protect domain member computers from the spread of some types of viruses and worms being propagated by untrusted or unknown computers.

■ IP-based network traffic is cryptographically protected.

IPSec provides a set of cryptographic protections for IP-based traffic based on your choice of AH, ESP without encryption, or ESP with encryption.  Your IP-based network traffic is either tamper proofed (using AH or ESP with no encryption), or tamper proofed and encrypted (with ESP and encryption).  Requiring cryptographic protection of IP traffic helps prevent many types of network attacks.

■ Applications do not need to be changed to support IPSec.

IPSec is integrated at the Internet layer of the TCP/IP protocol suite, providing security for all IP-based protocols in the TCP/IP suite. With IPSec, there is no need to configure separate security for each application that uses TCP/IP.  Instead, applications that use TCP/IP pass the data to IP in the Internet layer, where IPSec can secure it.  By eliminating the need to modify applications, IPSec can save application development time and costs.

In short if you need security IPSec is the way to protect you network.

Why Domain Isolation is difficult to implement

In the past with Windows Server 2003 and Windows XP, all these scenarios rely on machine-level authentication, which is what the IKE protocol that is supported by these operating systems supports.

Note: In addition to IKE Windows Vista and Windows Server 2008 support a new keying protocol called AuthIP.

IPSec policy configuration in many scenarios, such as server isolation and domain isolation, consists of a set of rules to protect most of the traffic on the network and another set of rules for protected traffic exceptions.

Exceptions are needed for unprotected communication with network infrastructure servers such as DHCP, DNS, and Domain Controllers.  For example: When a computer is starting, it must be able to obtain an IP address, use DNS to find a domain controller, and then log in to its domain before it can begin to use Kerberos authentication to authenticate itself as an IPSec peer.

In some cases, there are dozens or even hundreds of exceptions, which makes it difficult to deploy IPSec protection on a private network and to maintain it over time.  There is an optional feature called “Fallback to Clear” but the 3 second delay it introduced was often too long for networking scenarios like obtaining an IP address to complete.

Note: In Windows Server 2003 and XP this was addressed by the Simplified IPSec Policy Configuration update.

914841 How to simplify the creation and maintenance of Internet Protocol (IPsec) security filters in Windows Server 2003 and Windows XP

http://support.microsoft.com/default.aspx?scid=kb;EN-US;914841

Summary

That sums up why we are taking on this adventure and hopefully we will be able to provide some insight for other people planning to implement IPSec Domain Isolation.

Next post – We will define our scenario and see what issues come up that we will need to address.

David Pracht – Support Escalation Engineer

Steve Martin – Support Engineer

The Server Message Protocol (SMB) is the file sharing protocol used by default on Windows-based computers.  Although file sharing and network protocols are primarily supported by our Networking team, it is important to understand how SMB works given its importance to network activities.  SMB 2.0 was introduced in Windows Vista and Windows Server 2008.  SMB 1.0 was designed for early Windows network operating systems such as Microsoft LAN Manager and Windows for Workgroups.  SMB 2.0 is designed for the needs of the next generation of file servers.  Both Windows Server 2008 and Windows Vista support SMB 1.0 and SMB 2.0.

There are several enhancements in SMB 2.0, including:

• Sending multiple SMB commands in the same packet which reduces the number of packets sent between a client and server
• Larger buffer sizes
• Increased scalability, including an increase in the number of concurrent open file handles on the server and the number of shares that a server can share out
• Support for Durable Handles that can withstand short network problems
• Support of Symbolic Links

The version of SMB used for file sharing is determined during the SMB session negotiation.  If both the client and server support SMB 2.0, then SMB 2.0 is selected during the initial negotiation.  Otherwise SMB 1.0 preserving backwards compatibility.  The table below shows the version of SMB that will be used in different client / server scenarios:

Client Server SMB Version Windows Server 2008 / Vista Windows Server 2008 / Vista SMB 2.0 Windows Server 2008 / Vista Windows 2000, XP, 2003 SMB 1.0 Windows 2000, XP, 2003 Windows Server 2008 / Vista SMB 1.0 Windows 2000, XP, 2003 Windows 2000, XP, 2003 SMB 1.0

Both SMB 1.0 and 2.0 are enabled by default on Windows Vista and Windows Server 2008.  In some testing and troubleshooting scenarios it may be necessary to disable either SMB 1.0 or SMB 2.0.  However, it should be noted that this is not a recommended practice.  To disable SMB 1.0 for Windows Vista or Windows Server 2008 systems that are the “client” systems (accessing the network resources), run the following commands:

sc config lanmanworkstation depend= bowser/mrxsmb20/nsi sc config mrxsmb10 start= disabled

To disable SMB 1.0 on a Windows Vista or Windows Server 2008 system that is acting as the “server” system (hosting the network resources), a registry modification is required.  Navigate to the HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters key.  If there is no REG_DWORD value named Smb1, you will need to create it.  This value does not exist by default.  Once the value is created, set the value to 0 to disable SMB 1.0 or 1 to enable SMB 1.0.

Finally, to disable SMB 2.0 on Windows Vista or Windows Server 2008 systems that are acting as the “server”, navigate to the registry key listed above.  Instead of creating the Smb1 REG_DWORD value, you would create a REG_DWORD value called Smb2.  Set the value to 0 to disable SMB 2.0 and 1 to enable SMB 2.0.

And with that, we have reached the end of our Two Minute Drill on SMB 2.0.  Until next time …

- CC Hameed

Share this post :