Archive for January, 2006

Exchange POP3 mailbox access in a front-end/ back-end topology

Tuesday, January 24th, 2006

So you’ve got your nice front-end/back-end topology and you have an application that needs POP3 access to a mailbox. You enable POP3 on the front-end but your application still can’t connect? There seems to be a common misconception (and one that I had when I first started working with Exchange 2000) that in a front-end/back-end environment you only need to enable POP3 on the front-end servers. This isn’t the case. You also need to enable POP3 on any back-end servers that will be hosting the mailboxes that you require access to. This also applies if you are using IMAP4.

Keeping the above in mind, the front-end/back-end principle works perfectly. We have several shipping applications that use POP3 to access mailboxes. By pointing them at the network load balanced address of our front-end servers we don’t need to reconfigure the application if we move the mailboxes around. We still have to follow strict change control with any move, but it makes our lives and those of the application admins a whole lot easier.

To enable POP3 on a regular back-end mailbox server just enable the Microsoft Exchange POP3 service in the Services MMC console and ensure the POP3 Virtual Server is started in Exchange System Manager. Depending on your policy settings you may also need to enable POP3 on the Exchange Features tab of the user object in Active Directory Users & Computers. However, if the mailbox resides on a cluster server there are a few more steps to follow:

Firstly, enable the Microsoft Exchange POP3 service on all nodes. I speak from bitter experience when I say that if you leave it disabled when you add a POP3 cluster resource, the cluster will be unable to bring it online and will try to fail over.

Microsoft Exchange POP3 Service

Next you need to add the cluster resource. In Cluster Administrator right click on your cluster group and select New > Resource. Complete the required information, making sure you select the correct Resource Type.

Cluster Resource

On the next screen select the nodes to be the possible owners.

Possible Owners

Finally select the Microsoft Exchange System Attendant as a dependency. Once the setup of the resource is complete you should be able to bring it online successfully.


Alternative firmware for Linksys WRT54G router

Friday, January 20th, 2006

I use a Linksys WRT54G router (pronounced ‘rooter’ here in Blighty) on my home network. Lately I’ve been having issues with poor Internet speeds and the router becoming unavailable, both of which are usually fixed by a reboot. I suspected it was due to my use of Bittorrent and some Googling seemed to confirm this. First I configured Azureus (my Bittorrent client of choice) to optimise my download speeds. I then looked at ways to optimise my router and to configure some Quality of Service options. This led me to some posts that suggested I would be better served by replacing the default router firmware. I had heard this was possible but had never really given it much thought. It wasn’t something I was interested in doing ‘just because I could’. However, I headed over to http://www.linksysinfo.org to see what it was all about. Using their comparison guide I decided to try DD-WRT. Some of the points that attracted me were:

  • A reboot button on the web interface (the Linksys firmware doesn’t have this).
  • Scheduled reboots (just in case I continue to have problems).
  • A ‘mini’ version of the firmware is available without all the bells and whistles. They have a standard version as well as VPN and VOIP versions if I want more functionality in the future.
  • It supports DDNS.
  • It’s free.

There’s a whole bunch of other features and functionality but it’s a little over my head. They’re aimed more at people like my friend and Linux weenie Ben Stokes. Installation was well documented and very straight-forward. The basic process I followed was this:

  • Connected via Ethernet (don’t try this over WiFi!).
  • Noted down my existing settings.
  • Backed up my existing config.
  • Reset the unit to factory defaults.
  • Updated the firmware via the router web interface.
  • Reset to factory defaults.
  • Updated configuration with my settings.

The only other changes I made were to the IP Filter settings as recommended in a post that I didn’t bookmark. I changed the Max Ports to 4096 and the TCP & UDP Timeouts to 120. So far, so good, but I’ll need to run it for a week or so to see if it has really improved things.


To DMZ or not to DMZ?

Thursday, January 19th, 2006

A DMZ (demilitarised zone), also known as a perimeter network, is a network segment that sits between the Internet and your internal LAN. It is commonly used to host the servers that must be reachable from the Internet, so that a compromise of one of those servers does not directly expose your internal infrastructure.

There are differing opinions on how a DMZ should be used with your Exchange/messaging environment. Some feel that Exchange front-end servers should be placed within the DMZ which requires some configuration on the servers and firewall. Others, including myself, feel that port forwarding/filtering on a good firewall is sufficient and the front-end servers can be placed on the LAN, which is a more convenient approach. Microsoft offer a guide on front-end/back-end topology including the use of a DMZ. You can also find information on hardening your front-end servers here.

My ideal topology, and one we have implemented here, is to have a third-party mail gateway in the DMZ that then forwards to front-end servers on the internal network. This gives multiple layers of defence and should stop the majority of viruses and malicious payloads from reaching the internal servers/network, since only the gateway accepts inbound SMTP directly from the Internet. Services like OWA, RPC-HTTP and ActiveSync are offered by port forwarding from the firewall to the front-end servers, so those servers still need hardening for the ports you expose. In my opinion this approach offers a good balance between administrative overhead and security.


MWSnap - screen capture utility

Wednesday, January 18th, 2006

Whilst looking for a screen capture utility to help with some documentation I’m writing I came across MWSnap. MWSnap is freeware written by Mirek Wojtowicz and allows you to capture any part of the screen and output to JPG, GIF, TIFF, PNG and BMP. It’s a great tool that is very easy to install and use, and in my opinion worth checking out.

Load balancing Exchange front-end servers

Wednesday, January 18th, 2006

If you have an enterprise and/or high volume environment you may want to consider load balancing your front-end servers to improve resilience and performance. In the current organisation that I manage we use three HP blade servers as load balanced front-end boxes in each routing group. We use the load-balanced addresses for offering OWA, HTTP-RPC and ActiveSync, as well as for SMTP and POP3.

Microsoft provide an excellent FAQ on load balancing with Windows 2000/2003 which includes information on configuration and best practices.

Some points worth considering:

  • You need to specify the ports that you wish to load balance, so if you are going to use it for SMTP, POP3, HTTPS etc. you’ll need to know the port numbers. You can configure a range of ports, but I prefer to be specific.
  • A host entry for the load balanced address is not automatically created in DNS.
  • Your routing group and SMTP connectors don’t support the load balanced address as a bridgehead so you’ll have to specify your front-end servers individually.
  • As touched on in a previous post you may have issues when accessing a load balanced address through a firewall. Specifically, one particular server is favoured and if it goes offline then the other nodes do not take over. These issues have been documented by Cisco.
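
The following PowerShell script is an added example, not code from this blog or from Microsoft; it pulls together the checks from the load balancing points above and from the front-end/back-end POP3 post earlier on this page. All host names are placeholders, and it assumes the Exchange 2003 POP3 service is registered under the name POP3Svc.

```powershell
# Added example, not code from the original posts. Placeholder names throughout;
# the Exchange 2003 POP3 service name POP3Svc is assumed.
$nlbName  = 'mail-fe.example.local'                 # load balanced front-end address
$ports    = @{ SMTP = 25; POP3 = 110; HTTPS = 443 } # every port the NLB port rule must list
$backEnds = @('be-node1', 'be-node2')               # mailbox servers / cluster nodes

# Connects to a TCP port. Returns $null if it cannot connect, '' if the port is
# open but silent (HTTPS), or the first line of the greeting (e.g. "+OK ..." for POP3).
function Test-TcpService {
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $null }
        $client.EndConnect($async)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buf = New-Object byte[] 256
        try { $n = $stream.Read($buf, 0, $buf.Length) } catch { return '' }
        return ([Text.Encoding]::ASCII.GetString($buf, 0, $n) -split "`r?`n")[0]
    } catch { return $null }
    finally { $client.Close() }
}

# 1. The load balanced name needs a DNS host entry; NLB does not create one for you.
try   { $ip = [Net.Dns]::GetHostAddresses($nlbName)[0].ToString() }
catch { Write-Warning "$nlbName does not resolve in DNS"; $ip = $null }

# 2. Every service published on the NLB address must be in its port rule and answer.
if ($ip) {
    foreach ($name in $ports.Keys) {
        $r = Test-TcpService $ip $ports[$name]
        $state = if ($null -eq $r) { 'CLOSED' } elseif ($r -eq '') { 'open' } else { "open: $r" }
        Write-Host ("{0,-5} {1,3} on {2}: {3}" -f $name, $ports[$name], $ip, $state)
    }
}

# 3. POP3 must also be running on the back-ends, and the service must not be left
#    Disabled on any cluster node or the POP3 cluster resource cannot come online.
foreach ($node in $backEnds) {
    $svc = Get-WmiObject Win32_Service -ComputerName $node -Filter "Name='POP3Svc'"
    if ($null -eq $svc) { Write-Warning "${node}: POP3Svc not installed"; continue }
    if ($svc.StartMode -eq 'Disabled') { Write-Warning "${node}: POP3Svc is Disabled" }
    $banner = Test-TcpService $node 110
    $ok = ($null -ne $banner) -and $banner.StartsWith('+OK')
    Write-Host ("{0,-12} service={1,-8} startmode={2,-9} pop3={3}" -f $node, $svc.State, $svc.StartMode, $ok)
}
```

Run it from a management workstation that can reach both the NLB address and the individual back-end nodes; a CLOSED port on the NLB address with the back-ends answering usually means the port is missing from the NLB port rule.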

Video playback bug in latest iPod firmware

Saturday, January 14th, 2006

This morning I tried to watch some of my downloaded TV shows on my video iPod whilst on the train to London. After about 20-30 seconds the playback would freeze for a couple of seconds then resume without any sound. This happened on every TV show I tried but video podcasts were fine. A bit of Googling once I reached the office shows that this is a known bug with version 1.1 of the firmware. This site has a procedure for downgrading your firmware without needing to reformat your iPod. I’ll be trying it as soon as I get home.

Update: The downgrade procedure at http://www.ipodbank.com/showthread.php?t=143 worked perfectly. I’m back on the original firmware without needing to wipe my data and I no longer have the video playback issue.


Getting video on to the iPod

Friday, January 13th, 2006

There are plenty of tools out there for converting video files to iPod and PSP compatible formats, but my favourite is 3GP_Converter. It’s a free tool that lets you select your desired output format and then simply drag and drop your source files to queue them up for conversion. It’ll accept any source that you have an installed codec for, e.g. DivX, XviD etc.

Download and extract the Zip file, then run the setup file. Note that the setup does not install the files; it merely writes the config, so make sure you have extracted them to a suitable location first.

Setup

Choose your language and the output format you wish to use.


Choose your specific output settings and the output directory. Now all you need to do is drag and drop your source files. When finished, the software will open iTunes and add the completed video file to your library.

The config files can be manually edited to tweak the settings. You can find them in \default_setting in the 3GP_Converter folder. After you change any config files you’ll need to run the setup again.

I’ve made a tweak to my config file to handle widescreen source files. If you don’t make this change the output will appear stretched. You can download my updated config file here (change the extension to ini). These settings give me respectable quality when I hook my iPod up to the TV.

If you’ve stumbled across this posting because you have a Play-yan device then you can download a Play-yan config file for 3GP_Converter here (change the extension to ini). You’ll also need a file called playan.fup in the root of your SD card to play MPEG4 on a Play-yan.

Podcasts

Tuesday, January 10th, 2006

I’ve been listening to various podcasts over the last few weeks, mainly during my commute. A few of them have made it to my subscription list in iTunes:

43 Folders

Handy tips to improve your organisation and productivity in a compact format.

Inside the Net

The latest products, tools and technologies on the web.

Security Now

Security guru Steve Gibson discussing security related topics.

This Week In Tech

Leo Laporte hosting discussions about all things tech.

The Ricky Gervais Show

A humorous podcast with Ricky Gervais, Steve Merchant, and Karl Pilkington.

Correcting user account and mailbox associations

Friday, January 6th, 2006

We’ve been running in mixed-mode for some time and occasionally come across a user that was migrated from NT4 with two accounts in Active Directory. This is often flagged because they cannot log in to Outlook Web Access. On inspection only one of the user accounts has a mailbox associated with it. A closer look shows that the account without the mailbox has the correct user ID (the one they log in with), whereas the account with the mailbox has a garbage user ID that has been auto-created by the Active Directory Connector. We therefore need to swap the mailbox association and delete the incorrect account. Here’s the process that we use:

  • In Active Directory Users & Computers note SMTP addresses, group memberships, address and phone details of the account currently associated to the mailbox.
  • Note the current mailbox store.
  • Remove the Exchange attributes from the account.
  • Rename the account to have a prefix of ‘Disabled –‘. Disable the account and move to the Disabled Accounts OU (this is an OU we have created in our AD).
  • Connect Exchange Admin to the Exchange 5.5 server at the other end of the relevant connection agreement.
  • Delete the mailbox entry in Exchange Admin.
  • In ESM find the correct mailbox store. Expand and right click on the Mailboxes folder and select ‘Run Cleanup Agent’.
  • Refresh the view and the mailbox should now have a red cross on it.
  • Right click on the mailbox and select ‘Reconnect’. Select the correct account when prompted.
  • In ADUC add the necessary SMTP addresses, groups, address and phone information.
  • Update Custom Attribute 15 with your initials, the date and a comment saying corrected account/mailbox mapping (this is part of our process for any changes made to mail-enabled objects).
  • Create a new Outlook profile for the user.
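
The script below is an added example, not part of the original post, covering the record-keeping and re-application steps of the procedure above (steps 1, 2, 9 and 10); the ESM and ADUC work in between stays manual. It uses plain ADSI, since Exchange 2000/2003 has no PowerShell cmdlets, and the distinguished names, initials and file name are placeholders.

```powershell
# Added example, not code from the original post. Records the mail-related
# attributes of the account currently holding the mailbox (steps 1 and 2) and,
# after the mailbox has been reconnected in ESM, puts the group memberships,
# SMTP addresses and contact details back on the correct account and stamps
# Custom Attribute 15 (extensionAttribute15 in AD) as in steps 9 and 10.
# Distinguished names and initials are placeholders.
$oldDn    = 'CN=ADC_zz1234,OU=Users,DC=example,DC=local'  # garbage-ID account that has the mailbox
$newDn    = 'CN=jsmith,OU=Users,DC=example,DC=local'      # account the user actually logs in with
$initials = 'XY'

function Get-MailSnapshot([string]$Dn) {
    $u = [ADSI]"LDAP://$Dn"
    return @{
        Store   = [string]$u.homeMDB                                   # current mailbox store
        Smtp    = @(@($u.proxyAddresses) | Where-Object { $_ -like 'smtp:*' })
        Groups  = @($u.memberOf)
        Contact = @{ streetAddress = [string]$u.streetAddress; telephoneNumber = [string]$u.telephoneNumber }
    }
}

function Restore-MailSettings([string]$Dn, [hashtable]$Snap, [string]$Comment) {
    $u = [ADSI]"LDAP://$Dn"
    foreach ($g in $Snap.Groups) {                       # group memberships
        $grp = [ADSI]"LDAP://$g"
        if (-not $grp.IsMember("LDAP://$Dn")) { $grp.Add("LDAP://$Dn") }
    }
    # Once the mailbox is reconnected the RUS stamps this account's primary address,
    # so the old addresses are added as secondaries (smtp:) only where missing.
    $have = @($u.proxyAddresses)                         # -notcontains is case-insensitive
    $add  = @()
    foreach ($p in $Snap.Smtp) {
        $addr = $p.Substring(5)
        if ($have -notcontains "smtp:$addr") { $add += "smtp:$addr" }
    }
    if ($add.Count -gt 0) { $u.PutEx(3, 'proxyAddresses', $add) }  # 3 = ADS_PROPERTY_APPEND
    foreach ($k in $Snap.Contact.Keys) {
        if ($Snap.Contact[$k]) { $u.Put($k, $Snap.Contact[$k]) }
    }
    # Step 10: change-control stamp in Custom Attribute 15
    $u.Put('extensionAttribute15', "$initials $(Get-Date -Format yyyy-MM-dd) $Comment")
    $u.SetInfo()
}

$snapshot = Get-MailSnapshot $oldDn
$snapshot | ConvertTo-Json -Depth 3 | Set-Content "mailbox-fix-${initials}-$(Get-Date -Format yyyyMMdd).json"
# ... steps 3 to 8 (strip Exchange attributes, rename/disable, cleanup agent, reconnect) are done in ADUC/ESM ...
Restore-MailSettings $newDn $snapshot 'corrected account/mailbox mapping'
```

Keep the JSON snapshot with the change record: it is the evidence of what the account looked like before the swap, which is what you want if the user later reports a missing address or group.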

Getting Things Done

Thursday, January 5th, 2006

I’d like to think that I’m fairly organised but this year I’m going to give David Allen’s Getting Things Done method a serious go. There’s plenty of information available on how to implement this with Outlook but if like me you’re a frequent Blackberry user then you may find Gary Slinger’s recent article useful.

I also found an excellent post on the 43 Folders blog that talks about making a fresh start with your email Inbox.