References start here.

You can enable or disable message tracking by using the Exchange Management Console only in Exchange 2007 SP1

Like public folders, Microsoft chose to just leave message tracking out of the GUI.

By default, message tracking is enabled on all Exchange 2007 computers that have the Hub Transport, Mailbox, or Edge Transport server roles installed.

While using the Exchange Troubleshooting Assistant, which I found through the EMC to try to do Message Tracking (damn wizards) I keep getting “The error message is:Access is denied”.

I didn’t set up this Exchange 2007 install, so it’s been fun poking around it. As it turns out, the default permissions groups were redesigned since 2003. Check out this, part 1 and part 2. “Exchange Organization Administrators” is Exchange Root now or ‘Exchange Full Administrator’ if you prefer actually terms. Through some twist of fate (group stacking a few deep) I was in ‘Exchange View-Only Administrators’. You’d think searching the message tracking logs would fall under ‘view-only’. I guess not.

I went and added ‘Domain Admins’ to ‘Exchange Organization Administrators’. Some day when we have a full time exchange dude… hehe, I’ll change this I guess. Logged out and logged back in and the message tracking works now for me.

It’s interesting to note that it seems like the back end is much better. You don’t have to select a server or anything and there are many more new search options, so kudos to the search options.

I also spent a while searching trying to remember how to do the equivalent of ‘gpresult’ to see what groups I was in. Lots of info out there with old NT commands to distract but I guessed at ‘whoami’ and found that ‘whoami /groups’ will tell you what groups you’re in. This was useful, no doubt.

Somehow, wherever I end up working in Seattle there are internal java projects fscking around with memory. At Haydrian I had a problem where a developer said that his code ran particularly slow on our company hardware compared to his, and therefore our hardware sucked and we were stupid. Basically anyways. The sarcasm helps the frustration.

It was java code, and I spent a bunch of time learning about how java “magically” handles memory for you. It’s great that developers don’t have to worry about memory anymore, i guess. Unfortunately the trade off is that they sometimes tend to use TONS of it, and then there are two solutions, 1) throw memory at their boxes (doesnt scale) or 2) learn whats going on and call them on it.

Being of the type that doesn’t like not knowing whats going on. I started learning about Garbage Collection. I’m still waking up this morning for some reason, so I’m writing this from memory rather than making a real stab at it because I should be doing other work, but I’m waiting for my concentration to improve. Besides, documentation should always be written when you’re not concentrating, that way you leave in little mistakes to totally confuse the reader.

That link goes to the big overview on the whole shebang. Basically java takes a bunch of memory, splits it up into different areas and moves data between these areas based on age, throwing it away if it’s not being used anymore. This is called, Garbage Collection. Exactly what methodology is used by default has changed over releases (too often). However, when GC runs aren’t getting enough memory back a “Full GC” is run, which most importantly stops code from running while it shifts the codes data around. If this doesn’t get enough memory, things blow up and java pukes altogether complaining about being out of heap.

Find your jvm installation ( /usr/local/java ?) and in the bin folder there a bunch of useful tools. I like ‘jps -l’ to list the jvms, which gives you their PID which is how you tell them apart. Then ‘jmap -heap PID’ will show you how the heap is split up. This is worth doing once just to see it, I think it makes more sense than a lot of the documentation out there and it’s definitely solidified what I’ve read over the last couple of years. There’s also, i think, ‘jstat -gccause’ which shows a vmstat like output of whats going on in the different areas (the man page should explain the columns) including what caused the last GC run, which keeping in mind can be hard coded in by the developer.

In testing, you can do things like adding “-verbose:GC” and “-XX:+PrintGCDetails” which makes java let you know (to stdout or stderr or whatnot) whenever a GC or Full GC is run and how long it took (this is important) and the latter adds more information such as what GC method was used, the memory in the different areas before and after the GC (so you can tell what area caused the GC run), etc.

When trying to fix problems, always start by paying attention to what -Xms and -Xmx are set to. These control the heap size by default and a lot of java programmers seemed to have learned that setting -Xmx as high as possible makes them not have to deal with this shit. -Xmx is the max heap size and -Xms is the starting heap size. Java controls the heap size as needed, but if you spend a lot of time tuning and know your code you can set these to the same thing.

It’s important to note that the Perm Gen or “Permanent Generation” is controlled separately. Normally you shouldn’t have to mess with this, as only classes and crap are stored here, but I’ve seen this be a problem recently. “-XX:PermSize=256m -XX:MaxPermSize=256m” would fix the PermGen at 256m. You can see the permgen in the aforementioned ‘jmap -heap PID’.

I guess that is about it. I haven’t really figured out debugging java beyond the GC, so I’ll leave that to you developers.

So UAC is basically a big “Do you want to allow this?” annoyance that I imagine gets ignored a lot. I just spent 30 minutes on a vista machine and I’m sure I clicked ‘GO GO GO’ over 30 times at least.

An app that we used modifies the hosts file based on what environment you want to live in, and vista doesn’t think that should happen. Nor does it let you change permissions by default. Whatever

1) go to \windows\system32\drivers and right click, properties on ‘etc’
2) uhm, I think it was advanced, but go to advanced or something.
3) go to the owner tab and change ownership. You’ll want MACHINE\ADMINISTRATORS
4) ok out of everything and come back into properties.
5) edit permissions (there are extra clicks everywhere compared to XP)
6) give everyone modify access
7) ok out of everything and come back into properties.
8) make sure read only is unchecked and apply / ok.

Note that readonly unchecking wasn’t working for me originally until I gave EVERYONE modify instead of just administrators. I think this was because trustedinstall or system or something was trying to do the permission change and was silently failing.

Nice. So I’m running Exchange 2007. Find out exactly what service pack by going into the new EMC (Exchange Management Console) which replaces ESM (Exchange System Manager) I guess. Go to Help, About Exchange Server and grab the version number then check here.

The final RTM build of Exchange 2007 is build 685.25, but in some places it is listed as 685.24.
The RTM version of Exchange 2007 SP1 is build 8.1.0240

Somehow I have 8.0.685.018. Apparently shit is all messed up:

Also, when you click Help, and then click About Exchange Server 2007, you will see a different version number altogether: 685.018

This bit from here is awesome, so so, so awesome.

One of the big disappointments in the Exchange Server 2007 RTM version was the lack of Public Folder management from within the Exchange Management Console (EMC) UI. In Exchange Server 2007 RTM, all Public Folder management has to be done from either the Exchange Management Shell (EMS), which is quite cumbersome to say the least, or from an Exchange 2003/2000 System Manager console on a legacy Exchange server still part of the Exchange organization.

All I wanted to do was hide the email address on a public folder from the address list. But I have no GUI interface to address lists. Thus, I still stand do behind: Do not ever use an MS product before SP1. Sooooo…. Open up the spiffy new Exchange Command Line thingery (the help totally helps)

get-mailpublicfolder publicFolderName | format-list

Format-list actually provides information, while if you don’t use it you just get a list. I know this doesn’t make sense how I describe it and how it reads, but that’s what happens.

Unfortunately it says it’s already hidden from address lists. Annoying, since it’s coming up for me when typing addresses into the address bar in outlook 2007.

It’s worth noting that I checked the setting against another object type (a mailbox) using this:

get-mailbox userNameActuallyMailboxName | format-list

A couple of people asked me about this, so I’m adding what I found here:

Public Folders are included and supported in Exchange Server 2007. Microsoft has communicated that future releases of Exchange Server may not include public folders. If you use Public Folders, read the Exchange Team Blog on the topic of public folders for more guidance.

And it looks like they’re moving to sharepoint eventually:

For all new collaborative application development, we recommend WSS v3 and the new E12 web services as your platform

Wow. Contrary to what some past coworkers feel, I like recruiters in general. Except those Corp to Corp ones that consistently want to hire me for random Microsoft jobs that often have nothing to do with my skill set at $28.something an hour.

That you all want me for different jobs for the same rate makes me feel like this is a huge scam and you’re the ones making bank off it. Weren’t pyramid schemes illegal? Even small ones?

After I started at Widemile I was still getting calls/emails daily from random bulk recruiters from all over the country(!) for jobs all over the place. The vast majority of this is noise as it’s crappy jobs with recruiters taking a huge cut via this corp to corp bullshit that totally doesn’t give me piece of mind that a company appreciates me as an employee.

So I updated my resume on monster to show that I was now employed. Then someone I had emailed telling them I was all set emailed me back and was all “I saw you updated your resume! want a job?!”. No, did you read it? I’m in a job! Stop reading between non-existent lines. I figured this stuff would cool down after a while.

But today my recruiter from my current job calls, worried, saying that they saw my resume on monster. Jeez guys. So I’ve set my monster profile to private. I’m now officially in hiding to reduce the stress.

I’m sure if someone wants to offer me a yacht, a bank, and 10 months vacation to do SA work for them, they aren’t going to be looking for me on monster anyways.

I had never heard of this trick so I thought I’d pass it along as I just got it from Dell. This may be OEM, so it may apply to other hardware.

Enter BIOS
Turn on num, caps and scroll lock
Press ALT-E to erase the nvram
Press ALT-F to load factory defaults
Press ALT-B to reboot.

I did this through a KVMoIP so I wasn’t sure it was working until the ALT-B when the box did reset.

Today is the day of lots of uneducated information on the internet while researching.

I’m trying to get ntpd to sync off a Windows Server 2003 SP1 box that has the PDC role. There’s a lot of information out there about how w32time between 2000 and 2003 are different, as well as possible 2003 SP1. Complaints from the open source people about how w32time is a crappy SNTP server instead of an NTP server, however a lot of it sounds like their education on the matter is out of date.

This bit here looks close. What follows is what I did, with an attempt made to make it clean looking.

rem pretend we’re reliable
w32tm /config /reliable:yes
rem someone said this being too high was a problem
w32tm /config /localclockdispersion:5
rem changes to ntp from nt5ds or whatever
w32tm /config /syncfromflags:manual
rem use an external server ( NEEDED! )
w32tm /config /manualpeerlist:pool.ntp.org
rem tells w32time to reread it’s config
w32tm /config /update
rem just for kicks
net stop w32time && net start w32time

It’s worth noting that this didn’t work until I synced ntp with something. Apparently w32time doesn’t fake its stratum in such a way that ntp believes. It’s working though. Tomorrow I’ll play more.

update: things seem good now. Wanted to through in this link which had good information about some of the registry keys associated with w32time. This tech article at Microsoft was [surprisingly] the best article I found regarding integrating ntpd + w32time. This blog post has much of the same information as mine and makes more sense in the aftermath. And this article is microsoft’s registry key reference.

I used to bookmark daily sites in a firebox folder just right click, open in tabs to get all my daily sites. I’ve mentioned previously that ones needs to take an additional step (setting ‘browser.tabs.loadFolderAndReplace’ to false as it oddly is set to true) to prevent firefox from mangling your existing tabs, essential for tab heavy people like me. On that note I’d also recommend using the Tab Mix Plus plugin. I turn on “Multirow” which much better supports over ten tabs or so than firefox, and use it’s session restore feature over firefox’s, turning on “ask on startup” so whenever I restart instead of crash, I can still get my old sessions back (tabs!).

Having started a new job, among other things, I’ve had to create these same folders too many times. I’ve just started using del.icio.us today and I’ve installed the full bookmarks plugin which is importantly different than the buttons plugin as it gives you sidebar and top bar access to your del.icio.us (online!) plugins in realtime. Alas, I installed that first, and the bookmarks plugin detected the buttons plugin and disabled it, as it has some of the same buttons and operates in the way I wanted.

I’ve only got this set up on my current work desktop, but when I get home I’ll migrate my bookmarks over and I think I’ll be quite happy. I’m certainly down with the UI so far. Of course, del.icio.us is designed to be pretty “public” and others can see your bookmarks. I guess you can mark certain bookmarks as private, such as your pron or whatnot, but I’m a public kind of guy so I’m not worried about it.

It took me far too long to realize that right clicking on the toolbars gave me the option to uncheck the built in bookmark toolbar and make it go away. I probably wouldn’t use this at home as I use RSS bookmarks to track certain wiki’s and planets, but at work I currently have a crappy monitor and needed the real estate. Looks like I can put rss feeds in del.icio.us and they work as expected though.

Starting today at a new job at WideMile, a Seattle startup (someone not from Seattle might not realize that 5-10 years is still often “startup”) that makes web software and systems to make other companies web sites not suck. Which is noble AND cool.

Of course, it’s more complex, and I don’t REALLY know what it does, but that’s okay. Today I’m building myself a chair and a desktop. So yeah. Startup. The data center is here, big time, high bandwidth, but has grown naturally. So I’ve been there, let’s call Haydrian a dry run for this. Should prove to me more entertaining.

Anyways, goodtimes. Glad to be back to work and be producing something, even if it is just a chair. I’m in downtown now too, so we’ll see how that works out, but any lunch suggestions would be grand.

A bit ago I posted about getting a Western Digital My Book World WDG2NC10000 1TB box. I had it drop off the network a couple times and stopped trying to move data over to it en mass until I could resolve the problems. After digging through one of those crappy knowledge bases (when will people learn what a wiki is?) I found this: “If there is heavy I/O load put on the network and WD My Book World Edition hard drive, it is recommended that a static IP address be used rather than DHCP.” with no explanation.

I switched to a static IP and I’v moved 50gb or so now without it dropping off the network onces, whereas before it’d drop somewhere around 10gb or so. Working much better now.

While at Haydrian we began toying a bit with Oracle database. Using Ubuntu a debian package was needed but Oracle has it’s own out of control installer that’s gui based. I’m not an Oracle DBA, so this was a learning experience. I couldn’t find deb’s out there, so I wrote a build system to make one in a cheating way. This is in no form ready for public use, but it’s a great place to start if you want to put Oracle in a deb.

Grab the tar file here Basically you need to take a build box that’s clean and run the build.sh there. You’ll need to either have the oracle archive ready locally or on a server, see build.sh before you run it. It’ll check for dependencies and try to make an install, then package it up. It won’t pass a lintian check or anything at all. it doesn’t meet any LSB shit. It’s a mess. but it was working for us best as anyone could tell me.

the build shell runs a few python scripts that poke around that box and try to ensure it meets the requirements that oracle presents in the lengthy install document. It builds some trees, then runs the oracle installer headless in a preseed/unattended mode. Note that the install is big, a couple of gigs. You’ll need more than that because of the hacked up way I stuff it into a deb.

A former coworker said there is something better out there than when I last looked. Maybe he’ll comment and add it. Anyways, ask me any questions. I got permission to GPL all of this, so feel free to do something decent with it. There’ll be proprietary configurations in there (like the non-FSB directory trees). I figure at this point it’s best it’s just out there, as I don’t have the time or the desire to work with it.

Looks like the startup I work for is going to possibly be very unstartup soon, so depending on the next week or two I may be looking to move on. It’s always fun surfing job descriptions for Sys/net admin. jobs because it seems like they take a list of every technology they have in the office and list it as a requirement. Fortunately this is Seattle, so there’s some reasonable folks out there especially on craigslist who write listings that amount to “must be a motivated linux geek”. Which I’m totally in agreement with. I come from a background where I learned a lot by leveraging my skills and open source to do great things for cheap for small companies that knew little about linux and pals. but knew they didn’t have any money to spend. In these situations and many that have followed the situation was such that a business person would provide a need, and I’d find a solution. Anyways, props to people who have been in the trenches and value experience making shit work. Back to working on the resume and linkedin.

I picked up a Netgear sc101 a few days back as it was on sale. Turns out everyone hates it. Theres been some reverse engineering work, likely from Google SoC. But for the most part it tries to be a really cheap SAN. Avoiding the SAN vs NAS argument, it has a proprietary protocol and filesystem and requires windows drivers that just provide a drive letter. The aforementioned sc101-nbd code isn’t compatible with these drives, but does give linux access to the disks. In the end the simplest solution is sharing the drive via windows box with smb/cifs, which is of course, very lame. Mostly it’s supposed to be slow and sometimes blows up from the complaints I’ve read. But i had a couple 250gb ide drives in a loud server in my bedroom that I’d prefer to leave off, so it should serve as an acceptable house for those.

My long time friend Matthew is in town visiting since I’ve been out sick for a bit due to my motorcycle accident. He said he had used one and it ended up sucking so he got a a WD MyBook. I had seen one at Fry’s the other day but it was $$$. We stopped by Best Buy looking for some parts on Friday and they had a 1TB My Book World Edition II on clearance for about $300 after tax. This is nice because it’s dual 500gb drives which can be set to raid1. I don’t know what filesystem it uses yet so I don’t know about out of band disk recovery but it provides smb/cifs access which is certainly slick. There’s a bunch of small business features like proprietary remote access technology that I certainly won’t use but Matthew uses and says is great. It’s got ACL shit that’s configurable via web, but again, this is only useful for real small business solutions. It has a USB port and there’s bits in the web interface that talk about sharing USB drives. If I can hang one of my many external USB drives off this rather than my windows box that’d be great.

At PAX I started watching the Yahoo Wii Buyers Guide and Wii Tracker. So far only Walmart has had Wii’s available online, and it’s been as a part of their $540 special (Wii Retail is $249) that is a Wii + extra wiimote/nunchuck, big brain academy, 1 choice accessory, and the choice of three games. Kind of a deal, but a big investment for a console who’s nice retail price is a big part of it’s merit.

There were conflicting reports of Metriod Prime 3: Corruption coming out on the Wii today or tomorrow. I thought perhaps Nintendo would send out some extra wii’s for the occasion. I left work today on a wii/motorcycle adventure. In search of a wii, by motorcycle, I figured I’d have a nice ride if nothing turned up.

1) I stopped by Toysrus in Bellevue. It’s in a weird location, and is currently under construction adding a babysrus or something. I figured they’re out of the way and hopes for stock. It’s also near my office. Asked at the counter. No such luck.

2) Best Buy in Bellevue. Didn’t ask, but didn’t see any either.

3) I headed south and went to Fry’s. I’d never been to Fry’s before, it was pretty impressive. I ran into a coworker and gabbed for a bit. I’ll note that Fry’s had tons of Metriod Prime 3. I didn’t look everywhere, but this gave my theory some hope.

4) Renton Walmart. No Wiis. This is the emptiest I’d ever seen this Walmart. Growing up I always expected places like Seattle to have 24 hour Best Buys for the geeks in town. Not true, so I’ve occasionally found myself at walmart at 10:30 or something looking to get some needed cord or game. The nice woman in electronics told me she never knew when they were gettings wiis. “Sometimes I go to lunch and I come back and I’m like, when did we get 15 wiis? Call ahead or keep stopping in, theres no way to tell.”

I was growing tired of the hunt and feeling far from home. I saw southcenter mall, and headed inside.

5) Sears – Southcenter. Seemed like the kind of place nobody would look. They had a price tag for wii’s, but no wiis.

6) Radio Shack – Southcenter. I didn’t know if they carried game consoles. I know Radio Shack had in the past. They also used to carry Ham Radios though. I was shocked at this one. For how small it was, it still had soldering irons, some small parts drawers, scanners (radio) and antennas. No Wiis though.

7) Game Stop – Southcenter. A travesty. Three wii boxes on display, looking like wiis, but no wiis in stock.

I had a soda, and headed back out, wandering around a bit.

8) Target – Southcenter. I got a pretzel. Went to electronics. I saw wii boxes in a glass case. Not to be fooled like at Game Stop, I waited to ask. The employee was busy with other, I got his attention and he said they were real. Yay! He said he’d help me in a few. I tried to figure out if I needed the AV cables or if the 3rd party ones were just stupid “gold plated” markups (The employee didn’t know what was in the Wii box). I grabbed up a Wii points card and classic controller as they only had one and two of each respectively. They game selection stunk, and they had no nunchucks. So I grabbed three wiimotes and assumed I could use another sd card I had lying around rather than buying the wii cards. We’ll see. Eventually I finished my pretzel and wandered around in search of above employee. I found him trying to help a customer figure out why none of the stereos worked. As he gave up and started walking back to his station he was camped by another customer. Fortunately he saw me and realized he had forgotten about me. He apologized profusely and checked me out.

So as of today, there are at least four more Wiis at Target Southcenter, if you’re looking. Might save you eight stops and four hours. I know I could have called, but it was a nice ride.

edit 8/28:

slashdot linked to a couple articles at 1up and gamasutra regarding console sales. The information I was looking for, how long the Wii has been out, was there. this image at gamasutra shows the Wii and PS3 being out the same number of months, with the Wii selling basically double the units. Of course it’s what, half the price as well? But I wonder if the PS3 would have supply issues if it was selling twice as many units. Back in Februrary in response to SCEA President Jack Tretton’s statements about the PS3 being rare, penny-arcade went out in search of them and found tons. The PA guys are from Bellevue and there’s only one best buy in Bellevue, which was my second stop last night. I saw lots of PS3’s on my rounds, but never considered buying one. I did consider getting an XBOX 360 if I couldn’t find a Wii, but it comes down to still wanting to put my hardcore gaming dollars into my PC (Gears is going to require a massive upgrade). I wanted the Wii because, like everyone else, I have fun playing it.

Anyways, crammed five people into my bedroom for Wii Tennis last night, and a good time was had by all.

I may be missing the boat here as this seems a little easy. I bet it’s just out of date. Googling for something like ‘active directory cisco pix’ brings up a number of blogs and forums (1, 2, 3) on enabling active directory authentication for aaa server groups on a pix. All of these examples use IAS to provide radius to the cisco. However, the following works for me:

aaa-server ADGroup protocol nt
aaa-server ADGroup (core) host 192.168.0.10
nt-auth-domain-controller ad-dc1
aaa-server ADGroup (core) host 192.168.0.11
nt-auth-domain-controller ad-dc2

aaa authentication ssh console ADGroup LOCAL

Replace ad-dcX with the netbios name of the server and 192.168.0.x with the actual IP address of the server. The last line configures ssh use to this group and then fall back on the local user database if it can’t access active directory. I just did this for testing, keep in mind that this effectively allows anyone in AD to login to the pix, so you’ll want to look at ‘aaa command authorization’ if you kept this.

Configuring a vpn to use this configuration would be:

tunnel-group TunnelGroupName general-attributes

authentication-server-group ADGroup

I may still use LDAP instead, as I like the granularity of being able to specify a baseDN and creating an LDAP bind account that has limited read access. At the moment I haven’t gotten to playing with Authorization (keeping in mind AAA = Authentication, Authorization and Accounting, and that they have different roles) yet because I usually dial around ASDM with the ‘preview commands before sending them to the device’ preference set and 5.2(2) has a bug (CSCsg92142) that leaves the Authorization tab of VPN Tunnel Groups blank.