Blog (at) Mreza.Info

This post is from ForeFront Server Blog:

As we announced on July 1, 2009, Microsoft is revising its engine mix on Dec. 1, 2009 for the Forefront and Antigen products.  This change will allow customers to utilize a set of engines that help optimize detection, while also allowing us to invest in new areas for increasing overall protection for customers. 

Antimalware Protection

The AhnLab, CA, and Sophos engines will be retired on Dec. 1, 2009.  After December 1^st, customers will not receive any updates for these retired engines. In order to make sure your Antigen and Forefront products continue to scan efficiently and effectively for malware, any customers running the AhnLab, CA, or Sophos engines must DISABLE these engines before Dec. 1, 2009 and select from the new set of five engines – Authentium, Kaspersky, Microsoft, Norman, and VirusBuster.

SPECIAL NOTE: Antigen for SharePoint 8.0 and Antigen for Instant Messaging 8.0 customers – In order to gain access to the new engine set and provide optimal protection for your messaging and collaboration environments, please download the Service Pack 1 releases of these products on the MVLS or VLSC site prior to Dec. 1, 2009.  The updates for the new engine set will use a new update infrastructure as of Dec. 31, 2009 – the Service Pack 1 releases will allow you to continue to receive updates correctly from their new location.

For more information about Service Pack 1 for Antigen for SharePoint and Antigen for IM, see the following KB article:

http://support.microsoft.com/kb/975850/

- SPECIAL NOTE: Antigen for Exchange 8.0 and Antigen for SMTP Gateways 8.0 customers –These products will end of life on Dec. 31, 2009. Customers must upgrade to Antigen 9.0 SP2 for Exchange before this date, as the product will no longer continue to receive anti-malware updates starting Jan. 1, 2010. With the retirement of the CA, Sophos, and AhnLab engines on Dec. 1, customers running Antigen for Exchange 8.0 or Antigen SMTP Gateways 8.0 will only be protected by the Norman engine. For customers who need to continue using this product between Dec. 1, 2009 and the end-of-life date of Dec. 31, 2009, please contact Forefront Contract Administration for access to the revised engine set.

For more information on upgrading your Antigen for Exchange 8.0 or Antigen for SMTP Gateways 8.0 to Antigen 9.0, see the following KB article:

http://support.microsoft.com/kb/932396/

Antispam Protection

One of the most important changes in our engine revision strategy is moving to the Cloudmark antispam engine*, which provides 99%+ detection rate and less than 1 in 250,000 false positives (West Coast Labs).

The Mail-Filters SpamCure antispam engine will be retired on Dec. 1, 2009. Customers using Antigen products for antispam protection must upgrade to the latest service pack releases listed below BEFORE DEC. 1, 2009 to maintain their antispam defenses.  This is the only way to gain access to the new Cloudmark engine.  The service packs can be accessed on the Microsoft MVLS and VLSC sites:

- Antigen for Exchange Server with Antigen Spam Manager 9.0 with SP2

- Antigen for SMTP Gateways with Antigen Spam Manager 9.0 with SP2

For more information on the engine revision strategy, see the Antimalware Engine Notifications and Developments Web page or contact Forefront Contract Administration .  Again, we strongly urge all customers to update to the newest service packs before Dec. 1, 2009 to get the full protection benefits of the Forefront and Antigen server products. 

*Please note:  Customers using Forefront Security for Exchange Server will get access to the Cloudmark engine in the next version release – Forefront Protection 2010 for Exchange Server – scheduled to be available in Q4 CY09.

 

Source: Microsoft ForeFront Server Blog - Action Required by Dec. 1, 2009: Keep your Protection Current!

Pa še eno vabilo… tudi tokrat v ne-angleškem jeziku… :)

Spoštovani!

Vabimo vas, da se nam pridružite na dogodku Nova učinkovitost – novi val tehnologij v 7 slovenskih mestih. Tehnologijo in prednosti, ki jih pri­naša, vam bo približal kot še nikoli, saj bomo obiskali kar 7 slovenskih mest – Koper, Kranj, Ljubljano, Maribor, Mursko Soboto, Novo Gorico in Novo mesto. Najnovejše tehnologije bodo tako prišle dobesedno na vaš prag. Na prijetnih dogodkih z omejenim številom prostih mest boste spoznali izdelke Windows 7, Windows Server 2008 R2 in Exchange Server 2010 ter razvijalske tehnologije na novih platformah. 

Ob uradnem datumu predstavitve operacijskega sistema Windows 7 smo za skupnost strokovnjakov in razvijalcev za informacijske tehnologije pripravili posebne dogodke, ki bodo z bogatimi in privlačnimi vsebinami predstavili najnovejši namizni operacijski sistem Windows 7. Dogodki na različnih lokacijah bodo potekali vzporedno, ob istem času. Obenem pa vam želimo zagotoviti čim več informacij tudi o drugih dveh izdelkih, ki bosta nedvomno vplivala na vaše delo – strežniški operacijski sistem Windows Server 2008 R2 in sporočilni sistem Exchange Server 2010.

Slovenski strokovnjaki za informacijske tehnologije vam bodo v vašem domačem mestu predstavili prednosti, ki jih novi izdelki prinašajo v informa­cijska okolja podjetij vseh velikosti. Prav tako boste lahko spremljali prenose izbranih predavanj. Na dogodkih boste imeli priložnost spoznati predavatelje in predstavnike Microsoftovih partnerjev, prav tako pa je to enkratna prilož­nost za navezovanje stikov z drugimi strokovnjaki.

Več informacij o dogodku vam bomo posredovali v prihodnjih dneh.

Vabim vas, da se udeležite tehničnega seminarja na tematiko Exchange Server 2010. Prilagam izvorno vabilo…

Spoštovani! Vabimo vas na tehnični seminar Pregled IT novosti sporočilnega sistema Microsoft Exchange Server 2010. O upravljanju, namestitvi in vzdrževanju novega Exchange strežnika bo iz svojih izkušenj predaval Sašo Erdeljanov, strokovjnak in slovenski MVP (Most Valuable Professional) za področje sporočilnih sistemov. Sašo bo na seminarju predstavil nove zmožnosti Exchange 2010, izboljšave glede na prejšnje različice, nove tehnologije, ki pripomorejo k bolj učinkovitemu sporočilnemu sistemu, ter dobre razloge, zakaj bi IT strokovnjak izbral novi strežnik za boljšo podporo sporočanju v svoji infrastrukturi. Skupaj smo za vas pripravili dva termina, da si boste lažje organizirali svoj čas: - 19. 10. 2009, Ljubljana (Predavalnica Microsofta) in - 29. 10. 2009, Maribor (Microsoft Center inovacij). Enodnevni seminar je namenjen IT strokovnjakom in IT vodjem, ki želijo in potrebujejo nova znanja o prihajajočih sistemih za bolj učinkovito vpeljavo novih tehnologij v svoje IT okolje. Predavanje bo v slovenščini, materiali pa bodo zaradi velikega števila tujih izrazov v angleščini. Čas Modul 09:00 – 10:30 Novosti v Exchange Server 2010 10:30 – 10:45 Odmor 10:45 – 12:15 Arhitektura in RBAC 12:15 – 13:15 Kosilo 13:15 – 14:45 Prehod na Exchange Server 2010 14:45 – 15:00 Odmor 15:00 – 16:30 Arhiviranje in visoka razpoložljivost 16:30 – 17:00 Vprašanja in odgovori

 

I noticed that some of the users are running Exchange Server 2007 Edge and public DNS Server on the same server.

Problem

There are some issues with services failing at start up if following is true:

• Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2010 (Edge Role).
• Windows Server 2003, Windows Server 2008, Windows Server 2008 R2.
• DNS Server role is installed.
• Hotfix KB951746 is installed.

You receive following error and all Exchange services are stopped.

Log Name:      System
Source:        Service Control Manager
Date:          14.7.2009 10:19:36
Event ID:      7023
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      EDGE.exchange.pri
Description:
The Microsoft Exchange ADAM service terminated with the following error:
An attempt was made to access a socket in a way forbidden by its
access permissions.

So let’s start troubleshooting… ;-)

If we take a look with netstat we can see that DNS Service (dns.exe) is using 50636 port.

Exchange Server uses Active Directory Lightweight Directory Services (AD LDS), previous known as Active Directory Application Mode (ADAM), for storing Exchange (Organization)configuration. By default, the Edge Transport server uses the non-standard port 50636 for EdgeSync (Secure LDAP). We can check that with dsdbutil.

• Open cmd.exe, type dsdbutil and press Enter.
• Type list instances and press Enter.

Issue is with hotfix KB951746 (MS08-037: Description of the security update for DNS in Windows Server 2008, in Windows Server 2003, and in Windows 2000 Server (DNS server-side): July 8, 2008).

After security update KB951746 is installed on Windows Server 2008 (RTM/SP2), this issue occurs because the DNS server’s method of port allocation changes, and this change could prevent AD LDS from obtaining the port that it requires to function correctly.

By default, after security update KB951746 is installed, the DNS server randomly allocates 2,500 UDP ports in the ephemeral port range. This is new behavior that is introduced by this update. A conflict may occur if one of these randomly allocated ports is a port that an AD LDS instance has to use.

We can check the size of socket pool with dnscmd:

 

Background information

To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535.

We can check ephemeral port range in Windows Server 2008 witch netsh.

This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000.

In Windows Server 2003 or in Windows 2000 Server, the value of the MaxUserPort registry entry defines the ephemeral port range. The range is from 1024 to the value that is defined by the MaxUserPort registry entry.
After you install security update 953230 on Windows Server 2003 and down-level platforms, the following conditions are true:

• If the value of the MaxUserPort registry entry is set, the ports are allocated randomly from the [1024, MaxUserPort] range.
• If the value of the MaxUserPort registry entry is not set, the ports are allocated randomly from the [49152, 65535] range.

In Windows Server 2008:

• Ephemeral port allocation and the MaxUserPort registry entry:
  In Windows Server 2008 or in Windows Vista, the value of the MaxUserPort registry entry signifies the number of ephemeral ports. The range is from the [start port, start range + MaxUserPort]. The default start port is port 49152.
• Effective ephemeral port range:
  Ephemeral port allocation occurs in the [49152-65535] port range before you install security update 953230 on Windows Server 2008. This port allocation behavior does not change after you install security update 953230.

Solution for Windows Server 2003

We need to reserve Ephemeral port range for Exchange Server 2007 Edge AD LDS instance. We need to specify reserved ports in registry.

• Start regedit.exe
• Locate following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• Create New Multi-String Value with name ReservedPorts
• Enter following values for EDGE Ports that we want to exclude:
  50389-50389
  50636-50636 
  
  
     
  
   
• Reboot server

Solution for Windows Server 2008

Although we can change port range in Windows Server 2008 there is simple trick that does the job. We can change DNS Server service startup type to Automatic (Delayed Start).

Solution for Windows Server 2008 R2

Windows Server 2008 R2 DNS Server provides SocketPoolPortExclusionList that would allow us to exclude certain ports from DNS Server.

Dnscmd /Config /SocketPoolPortExclusionList

Exchange Server 2007 & Windows Server 2008 R2?

I was warned that mentioning Windows Server 2008 R2 in post of Exchange Server 2007 could be misleading (Thanks to Miha Pihler!). Some quick facts about Exchange Server 2007 and Windows Server 2008 R2:

• Exchange Server 2007 is NOT supported on Windows Server 2008 R2
• You need to deploy Update Rollup 9 for Exchange Server 2007 SP1 or SP2 for Exchange Server 2007 if you intend to run DC/GC servers on Windows Server 2008 R2
  
  

Links

• KB929851 - The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
• KB956188 - You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
• KB959215 - AD LDS service start fails with error "setup could not start the service..." + error code 8007041d
• KB812873 - How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
• MS08-037: Description of the security update for DNS in Windows Server 2008, in Windows Server 2003, and in Windows 2000 Server (DNS server-side)
• KB929851 - The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

Microsoft today released the first public beta of upcoming Exchange Server 2010 (Code name Exchange 14).

 

Microsoft Exchange® Server 2010 Beta helps IT Professionals achieve new levels of reliability with greater flexibility, enhanced user experiences, and increased protection for business communications.

• Flexible and reliable - Exchange Server 2010 gives you the flexibility to tailor your deployment based on your company's unique needs and a simplified way to keep e-mail continuously available for your users.
• Anywhere access - Exchange Server 2010 helps your users get more done by giving them the freedom to securely access all their communications - e-mail, voice mail, instant messaging, and more - from virtually any platform, Web browser, or device.
• Protection and compliance - Exchange Server 2010 delivers integrated information loss prevention, and compliance tools aimed at helping you simplify the process of protecting your company's communications and meeting regulatory requirements.

This software is intended for evaluation purposes only. You must accept the license terms before you are authorized to use this software. There is no product support for this trial software. You are welcome to participate in the forums to share your trial experiences with others and to ask for advice.

System Requirements

• Supported Operating Systems: Windows Server 2008; Windows Vista 64-bit Editions Service Pack 1

• Operating System for Installing Management Tools: The 64-bit editions of Microsoft® Windows Vista® SP1 or later, or Windows Server® 2008.
• PC - x64 architecture-based computer with Intel processor that supports Intel 64 architecture (formerly known as Intel EM64T) or AMD processor that supports the AMD64 platform

Additional requirements to run Exchange Server 2010 Beta

• Memory - Minimum of 4 gigabytes (GB) of RAM per server plus 5 megabytes (MB) of RAM recommended for each mailbox
• Disk space
  • At least 1.2 GB on the drive used for installation
  • An additional 500 MB of available disk space for each Unified Messaging (UM) language pack that you plan to install
  • 200 MB of available disk space on the system drive
• Drive - DVD-ROM drive, local or network accessible
• File format - Disk partitions formatted as NTFS file systems
• Monitor – Screen resolution 800 x 600 pixels or higher

Exchange Server 2010 Beta Prerequisites
If these required prerequisites are not already installed, the Exchange Server 2010 Beta setup process will prompt and provide links to the installation locations; Internet access will be required if the prerequisites are not already installed or available on a local network.

• Microsoft® .NET Framework 3.5
• Windows PowerShell v2
• Windows Remote Management

 

Microsoft Exchange Server 2010 Beta

If you installed Microsoft Data Protection Manager 2007 SP1 on Windows Server 2008 RTM you receive Error ID 3013 if you select Reporting from DPM Management console.

DPM could not connect to SQL Server Reporting Services server because of IIS connectivity issues.

On the computer on which the DPM database was created, restart the World Wide Web Publishing Service. On the Administrative Tools menu, select Services. Right-click World Wide Web Publishing Service, and then click Start.

ID: 3013

Problem resides in Reporting Services virtual directory in Internet Information Services (IIS) named ReportServer$MS$DPM2007$.

Workaround is simple:

• Run Internet Information Services (IIS) Manager, expand Web Sites, expand Default Web Site, and then click the virtual directory for the report server.
• Under Features View, double-click Handler Mappings.
• Under Actions, click Edit Feature Permissions.
• Click to select the Scripts check box, and then click OK.

I was attending Microsoft MVP Summit 2009 in Seattle at the beginning of March. It was nice meeting all great people from around the world! I would like to thanks to Microsoft for organizing such a great event with 700 sessions, EMP party, breakfast and lunch, hotels were covered,…

I must say that Exchange team is really great! I enjoyed talking with every member of Exchange team that I meet.

During Steve Balmer’s keynote we were part of I’m a PC campaign. For sure it was fun. :) Video is available from Microsoft home page.

MVP "I'm a PC" Video

Pictures

Microsoft Surface in hotel Sheraton, Seattle

Panoramic view from “smoking area” in hotel Sheraton, Seattle

Pike Place Market, Seattle

Luka Manojlovic, Miha Pihler, Dejan Sarka

 
Football field in Microsoft Campus

Vladimir Meloski, Helio Panissa Jr, Luka Manojlovic

Slovenian flag in center ;-)

EMP Party

Regional Dinner with MVP Lead Allesandro Teglia

Links:

• Saso Erdeljanov – Skydrive Gallery
• Luka Manojlovic – Gallery
• Alessandro Teglia – Be_Lead Blog

I received a pleasant surprise on January the 1st from Microsoft MVP Award Program. I was awarded as Microsoft Most Valuable Professional in year 2009 for Exchange Server. It’s a privilege and honor to serve as MVP!

I would like to thank Microsoft for noticing my efforts in the community over the last years!

You can also read Welcome post from my MVP Lead Alessandro Teglia!

I was attending MCT Summit 2009 in Prague. Prague is definitely beautiful and cold city during winter. :)

Great job Tjeerd Veninga and thanks to all speakers for another great MCT Summit!

Cheers to everyone I met there (Gasper, Joze, Vincent, Andy Malone,..., and of course Slavko and Marko ;-))!

Here are some pictures from Prague:

After updating my Microsoft System Center Data Protection Manager 2007 (DPM 2007) to Service Pack 1 (SP1) I received a bunch of errors regarding inconsistency and recovery points creation.

 

 

I was looking trough MSDPMCurr.errlog (located in C:\Program Files\Microsoft DPM\DPM) and found following error:

GetDifferentialSoftwareSnapshotMgmt3Interface () failed: (0x80004002)

It appears that Service Pack 1 does not correctly register VSS writer...

After searching around I found solution on Ask The Core Team blog. You need to re-register vss_ps.dll on server.

Solution:

• Run cmd.exe (with administrative privileges in Windows Server 2008)
• Run regsvr32 %windir%\System32\vss_ps.dll
• Restart Volume Shadow Copy service

Link:

• Error 207 - No such interface supported 0x80004002 after installing DPM SP1