Category Archives: Uncategorized

Xerox Workcentre Pro: Job must have at least one To: recipient

After an upgrade to Exchange 2007 SP1 from 2007 RTM, the Xerox WorkCentre Pro stopped sending email scans. I originally thought it was an LDAP problem, because I had seen an LDAP error the night before and Wireshark on the DC was showing the bind request but no other traffic. I finally resolved the Chimney problem with WinPcap, but in the interim just used a port mirror on the Catalyst.

Attempts to Email Scan on the WorkCentre Pro were throwing out an error page that said ‘Job Status: FAILED Job must have at least one “To:” recipient.’ Under the ‘Message Settings:’ header it listed From: with a valid address but the To: line was empty. Getting Wireshark going showed that it was a 5.7.1 SMTP error and the Xerox just wasn’t communicating as much. Whitelisting the IP for the Xerox on the SMTP server resolved the problem.

practical packet analysis, book review

I picked up “Practical Packet Analysis: Using wireshark to solve real-world network problems” recently by Chris Sanders. Overall, it’s a little fluffy for my taste, I should know better than buying non ORA, AWP or Cisco Press books, but I’ve heard decent things about No Starch Press, somewhere.

If you’ve done any intermediate networking, the first chapter should be a quick review for you. If you’ve done any network troubleshooting with tcpdump/ethereal/wireshark, the next few chapters should be review as well. The rest of the book is mostly examples of traffic and how to tell what’s going on. This is nice, but at least once I felt the screenshots weren’t in the right order (DHCP DORA). All in all, I was really hoping this book would be more advanced than it was, but when you head in that direction, the author tells you to read an RFC.

There wasn’t any talk about TCP checksum offloading that I saw, or the heavier stuff like Chimney that microsoft is doing now that I don’t know anything about. Since I picked up the book because I’m having weird TCP segment timeouts and getting different traffic out of wireshark on the server and my workstation, I was hoping for more information that would be specific to this problem. Back to RFCs and google I guess.

If you consider yourself a senior linux systems administrator, most of this should be review for you. If you haven’t done much traffic analysis in the past, it’s worth picking it up and reading it. It’s a pretty light read, I didn’t skip any chapters but did skim a few and it was only a few hours of reading.

ISBN-13: 978-1-59327-149-7

SAS5/iR firmware on 1955 debian blades

I did finally get OMSA running fully on the Dell Poweredge 1955 blade with the SAS 5/iR (LSI SAS1068 PCI-X Fusion-MPT SAS) RAID controller (Not PERC5, apparently, which means it’s the mptsas driver and not megaraid_sas like PERC5). This confirmed my suspicion that ‘omreport storage controller’ listing the device as degraded was because the firmware was below the ‘minimum firmware’ version and not because of the virtual disk which ‘omreport storage vdisk’ listed as Ready and OK. Rainer Sabelka helped me out again noting that you could run the RHEL firmware update off support.dell.com.

The hard part was that I kept selecting RHEL5 in the pull downs, finding the utility and clicking “Download Now” which would send the standard Dell self-extracting executable which was very dos looking. I was thinking maybe you could take the firmware file and use some utility to upgrade it, whatever replaced omupgrade. Eventually I found that if you click on the file on Dell’s site instead of download now, it gives you additional options, one of which is a BIN file for redhat. You can download this, chmod 755 it, and run it. It’ll less the release notes, then start the install when you say y. I shut down all the dell omsa stuff via init.d scripts before running this based on recommendations in the release notes. I think ‘file.bin --version’ brings up the notes such that ‘q’ just exits instead of continuing the install. Note that the install doesn’t force a reboot at the end, but recommends it. I didn’t see any changes in the omreport output until the reboot, so you’ll want to do the upgrade when you can reboot to avoid possible wonkiness.

As a side note, this is a decent starting place for Debian on Poweredge gear, although it says:

The three PowerEdge components that cause the most difficulty for new Debian sysadmins are the PERC 5 SAS RAID controllers (megaraid_sas driver), the SAS 5 non-RAID controllers (mptsas driver), and the Broadcom gigabit network adapters (bnx2 driver).

Which is a little confusing as the 1955 only has the mptsas driver running under etch, not the megaraid_sas, but it’s obviously doing raidish things and since we’re talking about linux and not windows I was thinking it wasn’t fakeraid. This is doubly interesting though:

vmware14:/proc/scsi# cat scsi
Attached devices:
Host: scsi0 Channel: 00 Id: 00 Lun: 00
Vendor: FUJITSU Model: MAY2073RC Rev: D108
Type: Direct-Access ANSI SCSI revision: 03
Host: scsi0 Channel: 00 Id: 01 Lun: 00
Vendor: FUJITSU Model: MAY2073RC Rev: D108
Type: Direct-Access ANSI SCSI revision: 03
Host: scsi0 Channel: 01 Id: 00 Lun: 00
Vendor: Dell Model: VIRTUAL DISK Rev: 1028
Type: Direct-Access ANSI SCSI revision: 05

So it shows both disks, which are “raid1” and this “Virtual Disk”. There’s some jabber here about how it’s not RAID because it’s showing the disk and the other agrees and claims faulty assumptions, but there’s no reference or linkage. Here a Dell engineerish guy says “Yes the SAS 5/iR is just very light weight hardware RAID.”

Supposedly there’s an ‘lsiutil’ package hiding in a driver package somewhere but I couldn’t find it in a brief search. The OMSA utilities appear to be working, although I still haven’t tried SNMP yet.

patching debian etch 64 for sara.nl omsa packages login

I’ve been playing with omsa on debian etch for a bit (dell 1955 blades) and wanted to post the notes on here. I’ve been using the sara.nl packages. After install, you’ve gotta start the daemon up: ‘/etc/init.d/dsm_om_connsvc start’.

Then you login as root/yourrootpassword. I’ve seen docs somewhere, I forget, that any user in /etc/passwd can login and those that are in the root group are admins. But it doesn’t work. If you check out /var/log/user.log you’ll see pam errors.

For some awesome reason when googling the dell list server archives you always get hits on the monthly gz digests but not the individual messages. I saw a few about this but I’m not going to dig them all back up, but this is good.

Basically you need 32bit versions of the following files and to put them in /lib32:

/lib/libsepol.so.1
/lib/libselinux.so.1
/lib/security/pam_unix.so
/lib/security/pam_nologin.so

You can figure out what package each file comes from with ‘dpkg -S file’, ie, ‘dpkg -S /lib/security/pam_unix.so’ which comes from libpam-modules. It’s worth noting this package comes from the PAM master package so it’ll be in pool/main/p/pam in the repo rather than pool/main/libp or whatever. Grab the i386 version of each package (libsepol1, libselinux1, libpam-modules) and extract them with dpkg -x package temp, then go into the temp tree (cd temp/lib) and copy the respective files to /lib32. I just copied the whole security folder from libpam-modules by the way. I used ‘dpkg -l | grep package’ to find out what version of each package was installed, then grabbed the same version in i386.

Run ‘ldconfig’ then tail /var/log/user.log just to keep an eye on things, and you should be able to log in now.

update: it’s worth linking that the sara.nl folks have revealed a wiki site with many of these answers here.

migrating an openldap database with slapcat

I had to move openldap from one box to another, different version.

The slap* tools that come with openldap appear to access the files directly while the ldap* tools in ldap-utils go through the ldapserver.

I started by exporting the old server to ldif with ‘slapcat -l oldserver.ldif’. Then copy this file to the new server.

Here were some problems. I couldn’t slapadd because some of this already existed. I ran ‘dpkg-reconfigure slapd’ to get the config file to match what was on the old server. In retrospect I could have just copied the old config, but I wanted to make sure there weren’t new config options that were needed. Reconfigure asks you what OU and DNS entries you want to use and creates a new database. Of course, this will have admin entries, so you’ll still have this above problem.

Stopped slapd. I went into /var/lib/ldap and removed all the files. Then used ‘slapadd -l oldserver.ldif’ to import the entries, which created a new database. Make sure all these files are owned by the user that slapd will run as (chown -R openldap.openldap /var/lib/ldap).

Now start slapd and see if it’s running. The init.d script on debian etch was starting it, but it was closing with no errors. I changed the ‘loglevel’ line in /etc/ldap/slapd.conf to ‘511’ and restarted, seeing “bdb_db_open: alock package is unstable” in /var/log/syslog before slapd shut down. Somehow I had gotten this created in all my screwing around. I removed alock and log.* from /var/lib/ldap, double checked the permissions which I think slapadd had also mangled at some point, and started the server. Came up fine now. Tested with ldapsearch -x -W -b ‘basedn’ where basedn is the basedn =P.

This helped me figure out some of the differences between slap* and ldap* and this made me realize that the “DB_KEYEXIST: Key/data pair already exists” error was because the administrative entry was already in the preconfigured database so I had to start from scratch.

dell omsa for sas raid on debian etch 64bit

I’ve got a dell blade (1955 or 1855 or something) that has a failed SAS disk and I need to get into the RAID array config without rebooting. The box runs debian etch 64bit. While dell has this crafty linux site with lots of info, it’s pretty rpm-based distro oriented (redhat/sles). There are some debian bits hiding in places though like omsa contributions here. (Be sure to go to IdeaStorm and vote for better debian support for OMSA here and here.) OMSA is the “Open Manage Server Administrator”. It looks pretty java oriented. I installed dellomsa_5.1.0-5_amd64.deb from here though, roughly following these directions.

It’s worth noting that the RAID is the new (PERC 5? PERC 6?) “generation” of SAS RAID, using the MPT Fusion drivers LSI. lspci provides “LSI Logic / Symbios Logic SAS1068 PCI-X Fusion-MPT SAS (rev 01)” so I tried using the MegaCLI tools but there’s a lack of documentation and I had to download an rpm, extract it, and try running the MegaCli and MegaCli64 tools by hand, which both said I had no controllers (‘MegaCli64 -adpcount’ I think). This uses the ‘mptsas’ kernel module.

There’s a qwoot dell wiki project that links to some docs on OMSA. The standard dell download interface totally pisses me off, as its table design is hard to read and often broken like here where a lot of the links just go to gpg signatures.

I couldn’t get logged into the web interface, which you start with /etc/init.d/dsm_om_connsvc and runs on port 1311. If you’re connecting and getting a “application/octetstream” MIME type download prompt, it’s probably because you’re not using ssl and it is, reconnect with ‘https://ip.ip.ip.ip:1311’. It’s pointed out here that password information is stored in /opt/dell/srvadmin/iws/config/iws.ini but doesn’t appear to be used. It looks like PAM is used, but I didn’t get so far as to debug PAM to make sure it was getting hit. Just try logging in with the root/rootpassword credentials.

I tried using omreport and whatnot in /opt/dell/srvadmin/oma/bin (use omhelp to get information on omreport, ie: omreport chassis info), but these tools said they couldn’t find any controllers or chassis info. I’m not sure what’s missing there.

I removed those debs then installed dellomsa_5.1.0-2_i386.deb with ‘dpkg --force-architecture -i dellomsa_5.1.0-2_i386.deb’ as it’s i386 and this is amd64. Now ‘omreport chassis info’ brought back real data. ‘omreport system summary’ is useful, but ‘omreport storage controller’ still reports ‘No controllers found’.

Maybe I’ll go back to working with the megacli stuff. I wish I could get source instead of rpms.

Seriously people. What the hell is the use of a RAID controller that I’ve got to shut the box down to manage?

update: this looks common (1, 2, 3), I searched the linux-poweredge dell mailing list. Looks like an etch thing, mebbe an etch 64 thing. I just rebooted the box and rebuilt from the bios.

update2: Rainer pointed out on the poweredge list here that he needed to load mptctl before dataeng, so ‘/etc/init.d/dataeng stop ; modprobe mptctl ; /etc/init.d/dataeng start’ got the storage portion of omreport working for me. Also Bas van der Vlies asked if I had tried their packages so I removed the i386 dellomsa, reinstalled the latest package from their distro on sara.nl (dellomsa_5.2.0-2_amd64.deb) and that worked alright. Interestingly ‘omreport storage controller’ says the array state is degraded. I put a new disk in last night and started the sync in BIOS, so I’m curious if it didn’t finish.

I still can’t login to the web portion, but this is good enough.

update3: noted that he’s arranged many of these notes in a secret clean wiki here, the FAQ has many of the same tips without my rambling. This includes the bits that I figured out from mail list posts on how to get the IWS (web) login working correctly, which I documented here.

which aaa protocol to use between asa/pix and active directory?

This is on an ASA5520 running “Cisco Adaptive Security Appliance Software Version 7.0(6)”

aaa-server protocol nt, ldap, kerberos, radius or tacacs for active directory authentication? I thought googling for “aaa-server protocol nt” might bring up some decent results but instead I found one of my own posts in the first page of results. Fail.

As noted in the above linked post, NT is easy to set up, but I wonder if it’s supported by newer software. Apparently NT uses NTLMv1, bad.

It sounds like kerberos would work with active directory (I know AD has kerb likeness, but I never trust microsoft’s implementations of this crap to actually work in the same way as everything else, see the obfuscated SMB/CIFS protocol). There’s an interesting caveat with this implementation not supporting changing passwords during negotiation due to password expiration. I don’t think anything we use currently supports that anyways. I wonder if you can change expired domain passwords via OWA yet.

There are a number of examples (1, 2) out there using RADIUS, but that’s so old skewl. Cisco has some code / walkthrough (adsm) for doing kerb/ldap for authentication and authorization respectively here.

aaa-server mykerb protocol kerberos
aaa-server mykerb host 10.0.0.xx
 kerberos-realm CORP.EXAMPLE.COM
aaa-server mykerb host 10.0.0.xy
 kerberos-realm CORP.EXAMPLE.COM
aaa-server myldap protocol ldap
aaa-server myldap host 10.0.0.xx
 ldap-base-dn ou=CORP_USERS
 ldap-scope onelevel
 ldap-naming-attribute uid
aaa-server myldap host 10.0.0.xy
 ldap-base-dn ou=CORP_USERS
 ldap-scope onelevel
 ldap-naming-attribute uid

Then testing halfworks:

test aaa-server authentication mykerb host 10.0.0.xx username USER password PASS

This produces “ERROR: Authentication Rejected: Unspecified” when username and password are correct, otherwise “ERROR: Authentication Rejected: Invalid password” or “ERROR: Authentication Rejected: User was not found”. So something’s working right, but I thought a computer account needed to exist for kerb.

The one Cisco page notes two things to check in troubleshooting, 1) clock skew (normal for kerb, I setup ntp already) and 2) “pre-authentication”. They fail to explain the latter. I found the information I needed here. “0x19 – KDC_ERR_PREAUTH_REQUIRED: Additional pre-authentication required”. I take it that windows sends this kerb error if you’re trying to do kerb but aren’t authenticated, say via a computer account. Meh. Checking the “Do not require kerberos preauthentication” box on the account tab of the active directory account brought back a success in the above cisco test command, but I’m not sure that the tradeoff is acceptable. Other cisco access server software has you configure an account for it, however complex the process looks.

This is only DES from all I can tell, which makes everyone gawk, but I can’t find any evidence that Windows Kerberos supports 3des, whilst I can find evidence of people having to switch from 3des to des to make other kerberos implementations work with Windows. ktpass, a windows utility for fscking around with kerberos has these options:

[- /] crypto : DES-CBC-CRC : for compatibility
[- /] crypto : DES-CBC-MD5 : for compatibliity
[- /] crypto : RC4-HMAC-NT : default 128-bit encryption

So I’m not feeling like kerberos is really a huge step up as far as password security goes. It’s certainly progress over NTLMv1 and its low-entropy retardedness, but RADIUS just might be the right choice here. WinKerb would use RC4-HMAC, but I’m sure it’s using DES to talk to the Crisco.
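One way to see which accounts carry the two settings discussed above, as an added example that is not from the original post: the “Do not require Kerberos preauthentication” checkbox and the DES-only option are bits 0x400000 and 0x200000 of userAccountControl, so an LDIF export of sAMAccountName and userAccountControl can be audited with awk. The function name, account names and LDIF records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# userAccountControl bits for the two Kerberos settings discussed above.
UF_USE_DES_KEY_ONLY=2097152       # 0x200000, "Use DES encryption types"
UF_DONT_REQUIRE_PREAUTH=4194304   # 0x400000, "Do not require Kerberos preauthentication"

# Read LDIF on stdin and print "sAMAccountName<TAB>flags" for every entry
# that has preauthentication disabled and/or is restricted to DES keys.
audit_kerberos_flags() {
    awk -v des="$UF_USE_DES_KEY_ONLY" -v nopre="$UF_DONT_REQUIRE_PREAUTH" '
        # Report the entry collected so far, then reset for the next one.
        function emit(   f) {
            if (name != "" && uac != "") {
                f = ""
                # POSIX awk has no bitwise AND, so test a bit by division.
                if (int(uac / nopre) % 2) f = "NO_PREAUTH"
                if (int(uac / des) % 2)   f = (f == "" ? "" : f ",") "DES_ONLY"
                if (f != "") print name "\t" f
            }
            name = ""; uac = ""
        }
        { sub(/\r$/, "") }                       # tolerate CRLF exports
        /^$/ { emit(); next }                    # blank line ends an entry
        /^sAMAccountName: /     { name = substr($0, 17) }
        /^userAccountControl: / { uac = substr($0, 21) + 0 }
        END { emit() }
    '
}

# Constructed sample export: 512 is a normal enabled account,
# 4194816 = 512 + 0x400000, 6291968 = 512 + 0x200000 + 0x400000.
SAMPLE_LDIF='dn: CN=asa-vpn,OU=CORP_USERS,DC=corp,DC=example,DC=com
sAMAccountName: asa-vpn
userAccountControl: 4194816

dn: CN=alice,OU=CORP_USERS,DC=corp,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=legacy-svc,OU=CORP_USERS,DC=corp,DC=example,DC=com
sAMAccountName: legacy-svc
userAccountControl: 6291968'

printf '%s\n' "$SAMPLE_LDIF" | audit_kerberos_flags
```

Any account listed with NO_PREAUTH is one where the box from the troubleshooting step above is still checked.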

Ken Caruso pointed out some commands in IOS for configuring preauth, but they don’t appear to exist in ASA v7.0.

So, I guess it’s trusting RADIUS + MD5.

It does appear that ASA v8.0 supports NTLMv2, perhaps other features? Worth upgrading? Hmm.

listing cards in a cisco catalyst 6500 / 6509

This took far too long to find, longer than a walk to the data center. I’ve removed the serial numbers to protect the innocent. I just wanted to list card models without reading them off the card.

sw01#show inventory
NAME: "WS-C6509", DESCR: "Cisco Systems Catalyst 6500 9-slot Chassis System"
PID: WS-C6509 , VID: , SN: xxxxxxxxxxx
NAME: "5", DESCR: "WS-X6148-GE-TX 48 port 10/100/1000mb EtherModule Rev. 6.1"

I removed a bunch of lines there. I was trying to figure out why “switchport trunk encapsulation dot1q” wasn’t an option (there was no encapsulation option) on this card.

Finally found on Page 11 of this that these cards don’t support ISL, so they default to 802.1q:

WS-X6502-10GE
WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF

Which was important because I was seeing traffic on the host that didn’t appear tagged, and 802.1q doesn’t tag the native vlan (vlan 1) by default. Of course I have no idea what ISL traffic would look like in a tcpdump, probably thrown away as garbage, but who knows, better to see and know than to guess.

testing exchange ssl/tls smtp auth with openssl

I like seeing things happening. If you’ve never tested SMTP by sending a test message by hand with HELO/MAIL/RCPT/DATA, you really should give it a shot. You can use mailsend or such to do this testing somewhat by hand, but when things fail I find it easier to see it directly.

‘EHLO domain’ via smtp should list what AUTH options are available when testing SMTP AUTH (which lets you use authentication to allow relaying). Sometimes this is different when you’re over SSL (‘250-AUTH GSSAPI NTLM LOGIN’) than when you’re not (‘250-AUTH GSSAPI NTLM’), for good reason such as some of the AUTH options aren’t encrypted or are simply obfuscated (read: base64).

openssl s_client has built in functionality for testing smtp:

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

But when connecting to an exchange server, it just hangs at CONNECTED. Trying again with the ‘-debug’ flag shows why:

write to 080B01E8 [BFFFED30] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
read from 080B01E8 [080AA400] (8192 bytes => 28 (0x1C))
0000 - 35 30 33 20 35 2e 35 2e-32 20 53 65 6e 64 20 68 503 5.5.2 Send h
0010 - 65 6c 6c 6f 20 66 69 72-73 74 0d 0a ello first..

There’s chatter and bugs (1,2) about this out there.

My openssl versions are ancient (such as OpenSSL 0.9.7a Feb 19 2003 (‘openssl version’)), so nobody else will likely have this problem anymore because they added code in ‘openssl-0.9.8e/apps/s_client.c’ to send a ‘EHLO openssl.client.net’ before starttls. On second thought, ubuntu feisty is still on 0.9.8c, so mebbe you will.

Once connected, you can try authing. If you’re using AUTH PLAIN, which I have no idea if exchange supports this but others do, you’ll want to encode your username and password with base64 something like this (thanks crash), I think:

printf "\0username\0password" | openssl enc -a

Then send this in the smtp session with ‘AUTH PLAIN base64’ where base64 is whatever you get out of openssl. It’s worth noting that you’ll get different results if you use “echo -n” instead of printf. crash says to use ‘echo -ne’ to get escape characters working right. YMMV.

Testing ‘AUTH LOGIN’ is similar. Send ‘AUTH LOGIN’ and you’ll get back ‘334 VXNlcm5hbWU6’ which says ‘334 Username:’ when you decode the crap with base64 with ‘printf VXNlcm5hbWU6 | openssl enc -a -d’. Encode your username with ‘printf "username" | openssl enc -a’ and paste this back to the server. You’ll get a ‘334 UGFzc3dvcmQ6’ response which again is ‘334 Password:’. Send your password back in the same manner, base64 encoded (not encrypted, heh. that’s what the ssl is for).

If all works you’ll get something such as ‘235 2.7.0 Authentication successful’ in response. Remember that sometimes throwing -debug on the end of openssl gives you more information. Now try your MAIL/RCPT/DATA shit and make sure you can still relay.
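The token handling described above, as an added example that is not part of the original post: shell functions that build the AUTH PLAIN and AUTH LOGIN strings with the credentials passed as printf arguments rather than inside the format string, decode the 334 prompts, and check an EHLO reply for mechanisms that are only base64. The function names and the two EHLO replies (built around the AUTH lines quoted earlier) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper names are hypothetical.

# Base64 helpers: openssl as used in the post, coreutils base64 as a fallback.
b64enc() {
    if command -v openssl >/dev/null 2>&1; then openssl enc -a -A
    else base64 | tr -d '\n'; fi
}
b64dec() {
    if command -v openssl >/dev/null 2>&1; then openssl enc -a -A -d
    else base64 -d; fi
}

# AUTH PLAIN token: base64(authzid NUL authcid NUL password), empty authzid.
# Credentials are %s arguments, so "%", "\" or a leading digit in them is
# never interpreted by printf.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | b64enc
}

# The form from the post, with credentials inside the format string. Kept only
# to show the pitfall: "\0" followed by digits is read as one octal escape,
# so a username such as 42admin is silently mangled.
naive_plain_token() {
    printf "\0$1\0$2" | b64enc
}

# AUTH LOGIN sends username and password as separate base64 lines.
auth_login_token() {
    printf '%s' "$1" | b64enc
}

# Decode a server prompt such as "334 VXNlcm5hbWU6".
decode_challenge() {
    printf '%s' "${1#334 }" | tr -d '\r' | b64dec
}

# Print the mechanism list from the AUTH line of an EHLO reply on stdin.
ehlo_auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | head -n 1
}

# Exit 0 if the EHLO reply on stdin advertises PLAIN or LOGIN, the
# mechanisms that are base64 only and need TLS underneath them.
offers_base64_only_auth() {
    for m in $(ehlo_auth_mechs); do
        case "$m" in
            PLAIN|LOGIN) return 0 ;;
        esac
    done
    return 1
}

# Constructed EHLO replies: one before STARTTLS, one inside the TLS session.
EHLO_CLEAR='250-mail.example.test Hello
250-SIZE 10485760
250-STARTTLS
250-AUTH GSSAPI NTLM
250 OK'
EHLO_TLS='250-mail.example.test Hello
250-SIZE 10485760
250-AUTH GSSAPI NTLM LOGIN
250 OK'

printf 'AUTH PLAIN %s\n' "$(auth_plain_token username password)"
printf '%s -> %s\n' '334 VXNlcm5hbWU6' "$(decode_challenge '334 VXNlcm5hbWU6')"
if printf '%s\n' "$EHLO_CLEAR" | offers_base64_only_auth; then
    echo 'cleartext session offers PLAIN/LOGIN: restrict it to after STARTTLS'
else
    echo 'cleartext session offers no base64-only mechanism'
fi
```

Feeding the EHLO output captured from the plain port-25 session into offers_base64_only_auth confirms that the receive connector only allows Basic Authentication after STARTTLS.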

I’d love to provide a way to test NTLM, but it appears, no surprise, to not be that popular. Exchange 2007 will support LOGIN. Open EMC. Server Configuration -> Hub Transport (Or Edge Transport on an edge server). Under Receive Connectors right click and go to properties for the connector. On the Authentication tab make sure “Basic Authentication” is checked and make sure to check the following box limiting to only allow this after starttls.

message tracking in exchange 2007: access is denied

References start here.

You can enable or disable message tracking by using the Exchange Management Console only in Exchange 2007 SP1

Like public folders, Microsoft chose to just leave message tracking out of the GUI.

By default, message tracking is enabled on all Exchange 2007 computers that have the Hub Transport, Mailbox, or Edge Transport server roles installed.

While using the Exchange Troubleshooting Assistant, which I found through the EMC to try to do Message Tracking (damn wizards) I keep getting “The error message is:Access is denied”.

I didn’t set up this Exchange 2007 install, so it’s been fun poking around it. As it turns out, the default permissions groups were redesigned since 2003. Check out this, part 1 and part 2. “Exchange Organization Administrators” is Exchange Root now or ‘Exchange Full Administrator’ if you prefer actual terms. Through some twist of fate (group stacking a few deep) I was in ‘Exchange View-Only Administrators’. You’d think searching the message tracking logs would fall under ‘view-only’. I guess not.

I went and added ‘Domain Admins’ to ‘Exchange Organization Administrators’. Some day when we have a full time exchange dude… hehe, I’ll change this I guess. Logged out and logged back in and the message tracking works now for me.

It’s interesting to note that it seems like the back end is much better. You don’t have to select a server or anything and there are many more new search options, so kudos to the search options.

I also spent a while searching trying to remember how to do the equivalent of ‘gpresult’ to see what groups I was in. Lots of info out there with old NT commands to distract but I guessed at ‘whoami’ and found that ‘whoami /groups’ will tell you what groups you’re in. This was useful, no doubt.

toying with java/jvm memory/heap usage

Somehow, wherever I end up working in Seattle there are internal java projects fscking around with memory. At Haydrian I had a problem where a developer said that his code ran particularly slow on our company hardware compared to his, and therefore our hardware sucked and we were stupid. Basically anyways. The sarcasm helps the frustration.

It was java code, and I spent a bunch of time learning about how java “magically” handles memory for you. It’s great that developers don’t have to worry about memory anymore, I guess. Unfortunately the trade off is that they sometimes tend to use TONS of it, and then there are two solutions, 1) throw memory at their boxes (doesn’t scale) or 2) learn what’s going on and call them on it.

Being of the type that doesn’t like not knowing what’s going on, I started learning about Garbage Collection. I’m still waking up this morning for some reason, so I’m writing this from memory rather than making a real stab at it because I should be doing other work, but I’m waiting for my concentration to improve. Besides, documentation should always be written when you’re not concentrating, that way you leave in little mistakes to totally confuse the reader.

That link goes to the big overview on the whole shebang. Basically java takes a bunch of memory, splits it up into different areas and moves data between these areas based on age, throwing it away if it’s not being used anymore. This is called Garbage Collection. Exactly what methodology is used by default has changed over releases (too often). However, when GC runs aren’t getting enough memory back a “Full GC” is run, which most importantly stops code from running while it shifts the code’s data around. If this doesn’t get enough memory, things blow up and java pukes altogether complaining about being out of heap.

Find your jvm installation ( /usr/local/java ?) and in the bin folder there are a bunch of useful tools. I like ‘jps -l’ to list the jvms, which gives you their PID which is how you tell them apart. Then ‘jmap -heap PID’ will show you how the heap is split up. This is worth doing once just to see it, I think it makes more sense than a lot of the documentation out there and it’s definitely solidified what I’ve read over the last couple of years. There’s also, I think, ‘jstat -gccause’ which shows a vmstat like output of what’s going on in the different areas (the man page should explain the columns) including what caused the last GC run, which keeping in mind can be hard coded in by the developer.

In testing, you can do things like adding “-verbose:gc” and “-XX:+PrintGCDetails” which makes java let you know (to stdout or stderr or whatnot) whenever a GC or Full GC is run and how long it took (this is important) and the latter adds more information such as what GC method was used, the memory in the different areas before and after the GC (so you can tell what area caused the GC run), etc.

When trying to fix problems, always start by paying attention to what -Xms and -Xmx are set to. These control the heap size by default and a lot of java programmers seemed to have learned that setting -Xmx as high as possible makes them not have to deal with this shit. -Xmx is the max heap size and -Xms is the starting heap size. Java controls the heap size as needed, but if you spend a lot of time tuning and know your code you can set these to the same thing.

It’s important to note that the Perm Gen or “Permanent Generation” is controlled separately. Normally you shouldn’t have to mess with this, as only classes and crap are stored here, but I’ve seen this be a problem recently. “-XX:PermSize=256m -XX:MaxPermSize=256m” would fix the PermGen at 256m. You can see the permgen in the aforementioned ‘jmap -heap PID’.

I guess that is about it. I haven’t really figured out debugging java beyond the GC, so I’ll leave that to you developers.

allowing hosts access on vista and uac

So UAC is basically a big “Do you want to allow this?” annoyance that I imagine gets ignored a lot. I just spent 30 minutes on a vista machine and I’m sure I clicked ‘GO GO GO’ over 30 times at least.

An app that we used modifies the hosts file based on what environment you want to live in, and vista doesn’t think that should happen. Nor does it let you change permissions by default. Whatever.

1) go to \windows\system32\drivers and right click, properties on ‘etc’
2) uhm, I think it was advanced, but go to advanced or something.
3) go to the owner tab and change ownership. You’ll want MACHINE\ADMINISTRATORS
4) ok out of everything and come back into properties.
5) edit permissions (there are extra clicks everywhere compared to XP)
6) give everyone modify access
7) ok out of everything and come back into properties.
8) make sure read only is unchecked and apply / ok.

Note that readonly unchecking wasn’t working for me originally until I gave EVERYONE modify instead of just administrators. I think this was because trustedinstall or system or something was trying to do the permission change and was silently failing.

public folders in exchange 2007

Nice. So I’m running Exchange 2007. Find out exactly what service pack by going into the new EMC (Exchange Management Console) which replaces ESM (Exchange System Manager) I guess. Go to Help, About Exchange Server and grab the version number then check here.

The final RTM build of Exchange 2007 is build 685.25, but in some places it is listed as 685.24.
The RTM version of Exchange 2007 SP1 is build 8.1.0240

Somehow I have 8.0.685.018. Apparently shit is all messed up:

Also, when you click Help, and then click About Exchange Server 2007, you will see a different version number altogether: 685.018

This bit from here is awesome, so so, so awesome.

One of the big disappointments in the Exchange Server 2007 RTM version was the lack of Public Folder management from within the Exchange Management Console (EMC) UI. In Exchange Server 2007 RTM, all Public Folder management has to be done from either the Exchange Management Shell (EMS), which is quite cumbersome to say the least, or from an Exchange 2003/2000 System Manager console on a legacy Exchange server still part of the Exchange organization.

All I wanted to do was hide the email address on a public folder from the address list. But I have no GUI interface to address lists. Thus, I still stand behind: Do not ever use an MS product before SP1. Sooooo…. Open up the spiffy new Exchange Command Line thingery (the help totally helps)

get-mailpublicfolder publicFolderName | format-list

Format-list actually provides information, while if you don’t use it you just get a list. I know this doesn’t make sense how I describe it and how it reads, but that’s what happens.

Unfortunately it says it’s already hidden from address lists. Annoying, since it’s coming up for me when typing addresses into the address bar in outlook 2007.

It’s worth noting that I checked the setting against another object type (a mailbox) using this:

get-mailbox userNameActuallyMailboxName | format-list

A couple of people asked me about this, so I’m adding what I found here:

Public Folders are included and supported in Exchange Server 2007. Microsoft has communicated that future releases of Exchange Server may not include public folders. If you use Public Folders, read the Exchange Team Blog on the topic of public folders for more guidance.

And it looks like they’re moving to sharepoint eventually:

For all new collaborative application development, we recommend WSS v3 and the new E12 web services as your platform

Hiding from jobs?

Wow. Contrary to what some past coworkers feel, I like recruiters in general. Except those Corp to Corp ones that consistently want to hire me for random Microsoft jobs that often have nothing to do with my skill set at $28.something an hour.

That you all want me for different jobs for the same rate makes me feel like this is a huge scam and you’re the ones making bank off it. Weren’t pyramid schemes illegal? Even small ones?

After I started at Widemile I was still getting calls/emails daily from random bulk recruiters from all over the country(!) for jobs all over the place. The vast majority of this is noise as it’s crappy jobs with recruiters taking a huge cut via this corp to corp bullshit that totally doesn’t give me peace of mind that a company appreciates me as an employee.

So I updated my resume on monster to show that I was now employed. Then someone I had emailed telling them I was all set emailed me back and was all “I saw you updated your resume! want a job?!”. No, did you read it? I’m in a job! Stop reading between non-existent lines. I figured this stuff would cool down after a while.

But today my recruiter from my current job calls, worried, saying that they saw my resume on monster. Jeez guys. So I’ve set my monster profile to private. I’m now officially in hiding to reduce the stress.

I’m sure if someone wants to offer me a yacht, a bank, and 10 months vacation to do SA work for them, they aren’t going to be looking for me on monster anyways.

bios reset on dell poweredge blades

I had never heard of this trick so I thought I’d pass it along as I just got it from Dell. This may be OEM, so it may apply to other hardware.

Enter BIOS
Turn on num, caps and scroll lock
Press ALT-E to erase the nvram
Press ALT-F to load factory defaults
Press ALT-B to reboot.

I did this through a KVMoIP so I wasn’t sure it was working until the ALT-B when the box did reset.