Friday, September 28, 2007

What is in the .DIT DATABASE?

What is inside the .DIT database is one of the most frequently asked questions these days, as we are interviewing several people at work at present. Understanding the .DIT database is one of the most important skills when it comes to Active Directory. Below is a description of the partitions and what they do. If you want to see these partitions you will need ADSIEdit.msc, which comes with the Support Tools for the Windows 200x Server family.

Domain Partition

(Resident directory object)

This partition is called the RDO and stores the objects below:

  • User
  • Groups
  • Computer accounts
  • Organizational Units
  • All things you can see from ADUC.msc

All of these resident directory objects live in this partition. DNS zone data can also be found here, under CN=System in the CN=MicrosoftDNS container.

Schema Partition

The definition of an object is called the schema. All domain controllers must agree on the definition of an object, so the definition is replicated to every other domain controller in the Active Directory FOREST; that way all domain controllers agree about the definition of the object.

Configuration partitions

It contains information about all other domain controllers: it lets every domain controller know that the other domain controllers exist, where they are, what their names are and so on. It also stores information about services, including Microsoft Exchange, under:

  • CN=Services
  • CN=Microsoft Exchange

Application partition (Windows 2003 .DIT only)

DNS zone data is stored in the application partition, so this information does not get replicated to DCs that are not DNS servers. This was not the case in Windows 2000 Active Directory, where DNS data was part of the domain partition and was therefore replicated to other domain controllers that were not DNS servers. Microsoft fixed this issue by creating the application partition in the Windows 2003 .DIT database.

Best Regards

Oz ozugurlu

Enterprise Exchange Dedicated GC Design

Enterprise Exchange design is one of the most impressive skills every Exchange administrator/engineer would love to be involved with one day. GC (Global Catalog) servers are used by Exchange servers to locate mail-enabled objects within the SMTP domain. Exchange Server performance is directly impacted if the GC the Exchange server is talking to is not fast enough to answer the queries coming from the Exchange server. In a large enterprise environment, Exchange administrators may wish to lock down DS (directory access) for GCs by disabling automatic discovery and hard-coding the GC servers. In my opinion this has always been a good idea for large environments.

Would it not be better if we could dedicate a GC to the corporate Exchange servers? When I say dedicate, I mean the DC/GC will serve the Exchange server only and will not be involved in any other services the way a regular DC is. As we all know, the DC (domain controller) is the authentication server, so it authenticates users. Here is our problem: we want to dedicate the DC/GC to Exchange, so how are we going to achieve this goal?

Special thanks to Joe Nagy for passing on his high-level approach to scenarios related to Active Directory and Exchange design, best performance and practices.


The first thing we will do is create an OU called GC in ADUC. Drag and drop the DC/GC into this organizational unit. Go to the properties of the OU, and:

  • Click on Group Policy
  • Click New
  • Name the policy "DNS GC SRV Record Lift" and click Edit
  • Expand Computer Configuration
  • Administrative Templates
  • System
  • Net Logon
  • DC Locator DNS Records, and in the right pane locate
  • Priority Set in the DC Locator DNS SRV Records
  • Set it to anything over "33", because the SRV resource record has DNS type code 33
  • Save it and exit


Dedicating a GC in a large environment will improve Exchange performance; this is a fact, and this type of design should be considered a high-level engineering approach.

Format of the SRV Resource Record:

The SRV resource record has DNS type code 33, with the following syntax: Service.Proto.Name TTL Class SRV Priority Weight Port Target

  • Service: The symbolic name of the requested service, as defined in Assigned Numbers or locally. Some widely used services (notably POP) do not have a single universal name. If Assigned Numbers names the service indicated, that name is the only name that is legal for SRV lookups. Only locally defined services can be named locally. Service is case insensitive.
  • Proto: TCP and UDP are at present the most useful values for this field, though any name defined by Assigned Numbers or locally can be used (as for Service). Proto is case insensitive.
  • Name: The domain this resource record refers to. The SRV resource record is unique in that the name searched for is not this name.
  • TTL: Standard DNS meaning.
  • Class: Standard DNS meaning.
  • Priority: As for MX, the priority of this target host. A client must attempt to contact the target host with the lowest-numbered priority it can reach; target hosts with the same priority should be tried in pseudorandom order. The range is 0-65535.
  • Weight: A load-balancing mechanism. When selecting a target host among those that have the same priority, the chance of trying this one first should be proportional to its weight. The range is 1-65535. Domain administrators should use Weight 0 when there is not any load balancing to do (to make the resource record easier for humans to read).
  • Port: The port on this target host of this service. The range is 0-65535. This is often as specified in Assigned Numbers but need not be.
  • Target: As for MX, the domain name of the target host. There must be one or more "A" records for this name. Implementers should, but are not required, to return the "A" record(s) in the Additional Data section. Name compression is to be used for this field. A Target of "." means that the service is not available at this domain.
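To make the priority and weight rules concrete, and to show what raising the priority on the dedicated GC (the group policy steps above) does to a client's choice, here is an added Python example; it is not from the original post and not from any Microsoft tool. It parses SRV records written in the syntax shown above and orders the targets the way RFC 2782 describes: lowest priority first, weighted pseudo-random order within a priority, weight-0 records last in line, and a "." target meaning the service is unavailable. The zone lines are constructed; the host names dc1, dc2 and exch-gc, the smtp25.org name, and the raised priority value 100 are assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str        # owner name, e.g. _gc._tcp.smtp25.org.
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_line(line):
    """Parse one zone-file line of the form
    Service.Proto.Name TTL Class SRV Priority Weight Port Target."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, ttl, _cls, _rtype, prio, weight, port, target = fields
    rec = SrvRecord(name, int(ttl), int(prio), int(weight), int(port), target)
    for value in (rec.priority, rec.weight, rec.port):
        if not 0 <= value <= 65535:
            raise ValueError(f"field out of range in {line!r}")
    return rec


def order_targets(records, rng=None):
    """Return the records in the order a client should try them (RFC 2782 selection)."""
    rng = rng or random.Random()
    # A single record whose Target is "." means the service is explicitly not offered.
    if len(records) == 1 and records[0].target == ".":
        return []
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        # Weight-0 records go to the front of the pool so they are least likely to be picked first.
        pool.sort(key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)          # inclusive upper bound, as in the RFC
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


# Constructed zone data: two general-purpose DCs at priority 0 and the Exchange-dedicated
# GC whose priority was raised by the group policy described in the post (value assumed).
# 3268 is the Global Catalog LDAP port.
ZONE_LINES = [
    "_gc._tcp.smtp25.org. 600 IN SRV 0 100 3268 dc1.smtp25.org.",
    "_gc._tcp.smtp25.org. 600 IN SRV 0  50 3268 dc2.smtp25.org.",
    "_gc._tcp.smtp25.org. 600 IN SRV 100 0 3268 exch-gc.smtp25.org.",
]


def gc_lookup_order(lines=ZONE_LINES, seed=None):
    """Host names in the order an ordinary (non-Exchange) client would try the GC service."""
    rng = random.Random(seed)
    return [r.target for r in order_targets([parse_srv_line(l) for l in lines], rng)]


def first_choice_share(lines=ZONE_LINES, trials=2000, seed=1):
    """Fraction of lookups in which each host comes first; shows weight-proportional sharing."""
    rng = random.Random(seed)
    recs = [parse_srv_line(l) for l in lines]
    counts = {}
    for _ in range(trials):
        first = order_targets(recs, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return {host: n / trials for host, n in counts.items()}


if __name__ == "__main__":
    print(gc_lookup_order(seed=7))
    print(first_choice_share())
```

Running it shows the dedicated GC always landing last in the list: clients only fall back to it when every priority-0 DC is unreachable, which is exactly the effect the policy above is after, while dc1 and dc2 share the first spot roughly 2:1 according to their weights.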

Best Regards

Oz Ozugurlu

Wednesday, September 26, 2007

BES Server and Network Latency

The article below has been taken from the RIM website; it explains latency and its side effects on the Exchange server. We are also attaching to this e-mail the official RIM document "Capacity Planning and Performance Tuning for Environments Using the BlackBerry Enterprise Solution".

Pinging [] with 32 bytes of data:


Reply from bytes=32 time=358ms TTL=124

Reply from bytes=32 time=328ms TTL=124

Reply from bytes=32 time=358ms TTL=124

Reply from bytes=32 time=345ms TTL=124

Reply from bytes=32 time=367ms TTL=124

Reply from bytes=32 time=362ms TTL=124

Reply from bytes=32 time=372ms TTL=124

Reply from bytes=32 time=426ms TTL=124

Reply from bytes=32 time=354ms TTL=124

Reply from bytes=32 time=357ms TTL=124

Reply from bytes=32 time=205ms TTL=124


Ping statistics for

    Packets: Sent = 11, Received = 11, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 205ms, Maximum =  426ms, Average =  348ms

When latency between the BlackBerry Enterprise Server and the Microsoft Exchange Server increases, the number of factors that may impede the successful delivery of UDP notifications increases as well. Increased latency lengthens the time required for data transfer--which uses TCP/IP--between applications, for instance, the higher the latency between the BlackBerry Enterprise Server and the Microsoft Exchange Server, the longer it takes for data to travel between them. The increased data transfer time is relational to the latency of the WAN connection, and not necessarily its bandwidth. This is because TCP acknowledgements take longer to be sent if network latency exists, which delays the occurrence of the next data transfer.

If latency exists between the BlackBerry Enterprise Server and the Microsoft Exchange Server, it is expected that latency exists in the messaging environment. To help achieve optimal BlackBerry Enterprise Server performance, refer to the recommendations made in the Capacity Planning and Performance Tuning for Environments Using the BlackBerry Enterprise Solution document.


Problem:

Users are experiencing interruptions on their BlackBerry devices. BlackBerry users are not receiving mail on their handhelds due to high latency on the network.

Root Cause:

The current bandwidth seems to be the bottleneck at this point. The extended ping fluctuates dramatically, which indicates a pipe/bandwidth problem from the site Exchange server to the national BES server. The connection is also not stable, since it spikes all the time.

  • Overall picture of how BES works when a user receives a message:
  • BES servers open several worker threads, similar to MAPI connections, to the Exchange mailbox server to scan for new mail as it arrives in each BES user's mailbox. The worker threads pull these mails back to the BES servers and push them to the RIM facility, and RIM finally lets the wireless ISP deliver them to the handhelds.

Latency has been identified by BES support as the cause; worker threads hanging and the similar issues that result are addressed in their best practices.

Identifying latency as root cause:

We created a test account on the local Exchange server, which resides in the same data center as the BES servers, and asked the client to activate his BlackBerry using this account. The account was activated successfully and the client was able to send and receive mail using his BlackBerry.

  • This clearly shows us that latency was the bottleneck.

Recommended Solution:

  • RIM recommends a centralized architecture when possible. RIM also advises making sure the latency between the BlackBerry server and the mailbox server is less than 35 milliseconds. The SMTP25 Exchange Team also recommends centralizing all mailbox servers along with the BlackBerry server to prevent such problems from happening in the future.

Best regards,

Oz Ozugurlu

Tuesday, September 25, 2007

Domain-level role absence on a Global Catalog server

Here is great information straight from TechNet, explaining why the infrastructure master should not be hosted on the same domain controller as a global catalog server.

Do not host the infrastructure master on a domain controller that is acting as a global catalog server. The infrastructure master updates the names of security principals for any domain-named linked attributes.

For example:

If a user from one domain is a member of a group in a second domain and the user's name is changed in the first domain, then the second domain is not notified that the user's name must be updated in the group's membership list.

Because domain controllers in one domain do not replicate security principals to domain controllers in another domain, the second domain never becomes aware of the change. The infrastructure master constantly monitors group memberships, looking for security principals from other domains. If it finds one, it checks with the security principal's domain to verify that the information is updated. If the information is out of date, the infrastructure master performs the update and then replicates the change to the other domain controllers in its domain.

Two exceptions apply to this rule.


If all the domain controllers are global catalog servers, the domain controller that hosts the infrastructure master role is insignificant because global catalogs do replicate the updated information regardless of the domain to which they belong.


If the forest has only one domain, the domain controller that hosts the infrastructure master role is not needed because security principals from other domains do not exist. Because it is best to keep the three domain-level roles together, avoid putting any of them on a global catalog server.



Oz ozugurlu

How to perform basic cleanup on the BES servers

When a mailbox gets deleted, the BES server will not notice it until the next reboot. Even after a reboot, from time to time I have seen problems on the BES server caused by non-existent mailbox users messing up the BES server. The BES server locates a user mailbox by looking at the server DN (distinguished name) on the Exchange server. The problem arises when a user gets moved within the same Exchange server: since BlackBerry cannot locate the user mailbox (the DN is the same), the worker threads hang. Now we will perform one of the basic tasks to locate the non-existent users on the BES server.

Go to the command line on the BES server (Start, Run, CMD) and drill down to the directory below:

C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Utility>


HandheldCleanup.exe -u

Press OK and enter the BES server name:

Please Enter BESName: ->BESServerNameGoesHere, hit enter.

You will get a report showing all the users having trouble (users with no mailbox); hResult 8004010f is MAPI_E_NOT_FOUND:

Failed to Resolve Name in HandheldCleanup. User:Varnado, Linda hResult: <8004010


Failed to Resolve Name in HandheldCleanup. User:xxx, xxx hResult: <80040


Failed to Resolve Name in HandheldCleanup. User:xxxxx, Sharon hResult: <800


Failed to Resolve Name in HandheldCleanup. User:Dxxxx, Rebecca Jo. hResult: <8004


Failed to Resolve Name in HandheldCleanup. User:xxxx, Joseph hResult: <8004010f>


Go back to BlackBerry Manager and locate these users; make sure they have mailboxes, and if they don't have a mailbox, delete them from BES.
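When the report is long it helps to turn it into a review list before going back to BlackBerry Manager. The following added Python example (not from the post and not part of the RIM utility) parses "Failed to Resolve Name" lines of the shape shown above, decodes the hResult, and returns the distinct users to check. The sample report is constructed with placeholder names; the BES name BES01 is an assumption.

```python
import re

# MAPI result code seen in the post's report; anything else is reported as raw hex.
HRESULT_NAMES = {
    0x8004010F: "MAPI_E_NOT_FOUND",
}

# The closing ">" is optional because the post shows lines cut off mid-code;
# a truncated code simply decodes as "unknown" instead of being dropped.
LINE_RE = re.compile(
    r"Failed to Resolve Name in HandheldCleanup\. User:(?P<user>.+?) hResult: <(?P<hr>[0-9a-fA-F]+)>?"
)


def parse_cleanup_report(text):
    """Return one dict per failed user: {'user', 'hresult', 'meaning'}."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        code = int(m.group("hr"), 16)
        findings.append({
            "user": m.group("user").strip(),
            "hresult": f"0x{code:08X}",
            "meaning": HRESULT_NAMES.get(code, "unknown"),
        })
    return findings


def users_to_review(text):
    """Users whose mailbox could not be resolved, de-duplicated, in report order."""
    seen = []
    for finding in parse_cleanup_report(text):
        if finding["user"] not in seen:
            seen.append(finding["user"])
    return seen


# Constructed sample output in the format the post shows (names are placeholders).
SAMPLE_REPORT = """\
Please Enter BESName: ->BES01
Failed to Resolve Name in HandheldCleanup. User:Doe, Jane hResult: <8004010f>
Failed to Resolve Name in HandheldCleanup. User:Roe, Richard hResult: <8004010f>
Failed to Resolve Name in HandheldCleanup. User:Doe, Jane hResult: <8004010
Some unrelated status line
"""

if __name__ == "__main__":
    for finding in parse_cleanup_report(SAMPLE_REPORT):
        print(finding)
    print("review:", users_to_review(SAMPLE_REPORT))
```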


Best regards,

Oz Ozugurlu


Monday, September 17, 2007

.DIT Database is Partitioned Database

We started interviewing people lately for a Senior AD Administrator position. We often ask the same questions, which I posted in my blog in the interview section. It is really astonishing to see that people with many years of experience seem to have forgotten about the .DIT database. Running DCPromo is a simple task for every admin, but not knowing what is getting installed cannot be forgiven, and everyone must pay attention to what gets installed into the default directories. Here again is what they are and where they get installed by default:

  • Database NTDS.DIT
  • Log files

Please make sure you understand and know the default folders when DCPromo runs. The most important aspect of Active Directory is the .DIT database, because without the .DIT database we would not have any place to save any kind of information. Also remember that the .DIT database is a partitioned database: Windows 2000 has 3 partitions whereas Windows 2003 has 4 partitions.

Windows 2000: Domain, Schema and Configuration partitions

Windows 2003: Domain, Schema, Configuration and Application partitions

Oz ozugurlu

Friday, September 14, 2007

Wide Area Network Speeds

Here is a report showing some of the WAN speeds; it is a good reference to have. The following chart relates various circuit types to their respective speeds.

Speed        Circuit / description
64 Kb        (1) channel (1/24) of a DS1
1.536 Mb     Also known as a T1
44.736 Mb    (28) DS1s (or T1s); also a T3
51.840 Mb    (1) DS3 @ 44.736 Mbits/sec with SONET (Synchronous Optical NET) overhead = 51.840 Mbits/sec
51.840 Mb    (1) STS1 on Optical Carrier facilities
155.52 Mb    (3) OC-1s
466.56 Mb    (9) OC-1s
622.08 Mb    (12) OC-1s or (4) OC-3s
933.12 Mb    (18) OC-1s
1.244 Gb     (24) OC-1s
1.866 Gb     (36) OC-1s
2.488 Gb     (48) OC-1s or (4) OC-12s or (16) OC-3s
9.953 Gb     (192) OC-1s or (4) OC-48s or (64) OC-3s

This multiplexing scheme is set by the equipment manufacturers and has pretty much been adopted as the standard in the telecommunications industry. Therefore you will rarely see implementations of the less common bandwidth aggregations like OC-9, OC-18, etc. The OC-3 is technically an exception to this, as it was needed to allow the upper-level hierarchy to work.

All speed values are expressed in Kb (Kilo bits per second), Mb (Mega bits per second), or Gb (Giga bits per second).



Oz ozugurlu

Thursday, September 13, 2007

Rename Exchange Server

Is it even possible to rename an Exchange server? When I was contributing to the Microsoft Exchange TechNet discussion groups for Exchange administrators, one Exchange administrator asked if he could rename his Exchange server and whether that would be fine.

The first answer was from one of the Exchange MVPs:

  • You just broke your Exchange server, congratulations

The second answer was from another MVP:

  • Only if you don't want Exchange to work afterwards.

Here are some more notes I have found interesting to read.

It is not possible to rename an Exchange 2003 server. Even if it becomes possible to do this in a service pack, be wary. However, you should be able to name your new server whatever you would like. The recommended approach would be to add your new Windows 2003 server, install Exchange 2003 into the existing Exchange Organization and Administrative Group, and then use the Move Mailbox feature to migrate the data. Before you decommission the old server, you need to do a few things that are documented in some famous Microsoft Knowledge Base articles about removing the "First Server" in the Routing Group or Site.
Finally, here is the Microsoft-supported way of doing this: the swing upgrade method.
Basically it talks about bringing another server into the existing environment, moving all mailboxes, public folders, system folders etc. onto the new server, and after that either decommissioning the old one or upgrading it and moving everything back again.

Wherever you look it is a serious move; it needs to be planned and is time consuming.

The Exchange services won't start after a server rename. Building a new server with the new name and moving the mailboxes to it would be the option if you insist on renaming your Exchange server.

After reading all of this, I can easily say: leave your Exchange server alone, and don't attempt to rename it unless you deliberately want to break it.


Have a great week folks,


Oz ozugurlu

How to Detect Slow Link with a formula

Here is the scenario: you have connected to a client PC whose user is complaining about the big Christmas balloon "Exchange is retrieving information from ExchangeServer". Outlook freezes up, the client cannot do anything, the windows do not respond to anything, and Task Manager is the only way to kill Outlook and get back to the desktop. The problem arises as soon as Outlook opens. The calculation is 16000 ms (the number of milliseconds per minute) divided by the average milliseconds on the extended ping. Slow link detection is accomplished with consecutive ICMP pings sent to the authenticating domain controller. If the response from any of the pings is less than 10 milliseconds (ms), the link is considered a fast link.

If the response from any of the pings is higher than 10 milliseconds, this indicates latency. Here is the magic formula:

Link Speed = 16000 / (average ping for 2048 byte packet)

Now we will troubleshoot and find the culprit. The message may be caused by several things, including:

  • Poor network connection (not enough bandwidth); this is the cause in most cases. If a VPN is being used it is even worse, because now all traffic goes inside an encrypted VPN tunnel, so implement RPC/HTTPS or recommend using
  • Exchange server is performing poorly
  • I/O issues, CPU, HD, memory bottleneck
  • GC is performing poorly; when Exchange does its queries, this chokes Exchange down
  • Local PC related issues (NIC speed, HD, CPU, memory)

Now let's get to work; I will show you how to use the formula and find out the speed of the client.

  • Click Start, Run, CMD

You need to know the IP address of the Exchange server; in this example the IP address of the Exchange server is

In the CMD window type the command below, where:

  • -l sets the ICMP packet size
  • -t is an extended ping (ping the specified host until stopped)

C:\>ping -l 2048 -t

Pinging with 2048 bytes of data:

Reply from bytes=2048 time=570ms TTL=126

Reply from bytes=2048 time=253ms TTL=126

Reply from bytes=2048 time=397ms TTL=126

Reply from bytes=2048 time=216ms TTL=126

Reply from bytes=2048 time=322ms TTL=126

Reply from bytes=2048 time=405ms TTL=126

Reply from bytes=2048 time=708ms TTL=126

Reply from bytes=2048 time=157ms TTL=126

Reply from bytes=2048 time=217ms TTL=126

Reply from bytes=2048 time=207ms TTL=126

Ping statistics for

Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 157ms, Maximum = 708ms, Average = 345ms

The average is 345 ms, so the formula gives:

16000 / 345 = 46 Kbps

The link would be considered slow: the threshold round-trip time for a fast link (default = 500 Kbps) is 32 ms. This is a great way to see the link speed and make some assumptions and recommendations. Remember that on a 100 Mb LAN connection the time would be less than 1 ms if you performed the same test within the LAN.

From experience, if these times go above 200 ms, good luck even opening Outlook. The bandwidth is the culprit and the client must get a better connection.
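The extended ping in this post and the one in the BES latency post above are read the same way: parse the reply times, take the average, and compare it with a threshold (32 ms for the 500 Kbps fast-link default here, 35 ms for RIM's BES-to-mailbox recommendation, 200 ms for "good luck opening Outlook"). The following added Python example, not from the posts and not a Microsoft or RIM tool, does that for Windows ping output and applies the post's 16000 / average formula; 2048 bytes is 16384 bits, so we read the 16000 constant as the packet size in bits, rounded, which is an assumption. The sample reuses the ten reply times printed above with a placeholder address, and also handles the two edge cases the text mentions: "time<1ms" replies on a LAN and lost packets.

```python
import re
from statistics import mean

REPLY_RE = re.compile(r"bytes=(?P<bytes>\d+) time(?P<op>[<=])(?P<ms>\d+)ms TTL=(?P<ttl>\d+)")

FAST_LINK_RTT_MS = 32      # 500 Kbps fast-link default from the post
BES_MAX_LATENCY_MS = 35    # RIM's recommended maximum BES <-> mailbox server latency
OUTLOOK_PAIN_MS = 200      # the author's rule of thumb for Outlook becoming unusable


def parse_ping(text):
    """Return (round-trip times in ms, number of lost replies) from Windows ping output.
    'time<1ms' (the LAN case) is recorded as 1 ms, the upper bound ping reports."""
    times, lost = [], 0
    for line in text.splitlines():
        if "Request timed out" in line:
            lost += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            times.append(int(m.group("ms")))
    return times, lost


def link_speed_kbps(avg_ms):
    """The post's formula: Link Speed = 16000 / (average ping for a 2048-byte packet)."""
    if avg_ms <= 0:
        raise ValueError("average round-trip time must be positive")
    return 16000 / avg_ms


def assess(text):
    """Summarise an extended ping against the thresholds quoted in the posts."""
    times, lost = parse_ping(text)
    if not times:
        return {"error": "no replies parsed", "lost": lost}
    avg = mean(times)
    return {
        "min_ms": min(times),
        "max_ms": max(times),
        "avg_ms": avg,
        "spread_ms": max(times) - min(times),   # large spread = the "spiking" the BES post describes
        "lost": lost,
        "link_kbps": round(link_speed_kbps(avg), 1),
        "slow_link": avg > FAST_LINK_RTT_MS,
        "bes_latency_ok": avg < BES_MAX_LATENCY_MS,
        "outlook_painful": avg > OUTLOOK_PAIN_MS,
    }


# Constructed sample: the ten reply times from the post, 2048-byte packets, placeholder address.
SAMPLE_PING = "\n".join(
    f"Reply from 192.0.2.10: bytes=2048 time={t}ms TTL=126"
    for t in (570, 253, 397, 216, 322, 405, 708, 157, 217, 207)
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_PING).items():
        print(f"{key}: {value}")
```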

Best Regards,

Oz ozugurlu

Wednesday, September 12, 2007

BlackBerry Policy Service is stopping

Below is one of the newest problems we had recently: the Policy service keeps quitting every couple of hours and we end up starting the service manually. BES support is still looking into the log files to figure out what is going on. We have taken some troubleshooting steps, listed below, to remedy the problem. The root cause seems to be the BES server not being able to push the policies to some of the clients.


BlackBerry Policy Service is stopping in couple hours

Policy Service:

Supports wireless IT Policy, service books, and third-party application delivery for the BlackBerry Enterprise Server.


Some of the policies are not getting pushed to some of the handhelds, and therefore the Policy service seems to quit every few hours.


Log in to the BES server, highlight the BES server in the right pane, and scroll until you see the "IT Policy" column.

Locate the users in the error state; right-click each user having trouble, go to Properties, click IT Admin and click Reset Policy.

Go back and make sure the error condition no longer exists.

Event Type:    Warning

Event Source:    BlackBerry Policy Service

Event Category:    None

Event ID:    20000

Date:        9/12/2007

Time:        1:46:53 PM

User:        N/A

Computer:    NHQBES4


{, PIN=23D087A2, UserId=1141}RequestHandler::SendSwitchService - Sending Switch Service command to device, Source UID S84988338, Destination UID S89893656



Oz ozugurlu

Tuesday, September 11, 2007

Need full access for all users’ mailboxes in Your SMTP mail organization

Exchange 2003 administrators are explicitly denied access to users' mailboxes except their own. This was not the case before. Let's think of a scenario where for some reason you need full mailbox access to all users' mailboxes (you don't have to tell me why). How can this be achieved? Below I will illustrate how an Exchange administrator may achieve this goal. You can permit yourself to see everyone's mailbox in the entire company easily. The registry hack below is for a user profile, so you are only making changes for the account you are logged in with.

  • Copy and paste the code into notepad
  • Click file Save
  • Name the file ShowSecurityPage.reg
  • Click on save as type, change it to all files
  • Save it on your desktop as ESMShowSecurity.Reg, and double click on it to make the changes
  • Click OK two times
  • Open ESM now you will see security tab.


Windows Registry Editor Version 5.00




Now go to ADUC and create an account to be used to look at all users' mailboxes; let's say we create an account called "MailMaster". Now go back to the top of ESM and add this account there with full permissions, which will be inherited all the way down through your entire mail organization. Great, now we have a special account that has full permissions on all mail-enabled objects, including Send As and Receive As.

Now go to your OWA and log on with your user ID and password, such as Https://, and OWA will ask for your user name and password before you see your own mailbox. Go ahead, supply your credentials and log in.

After you log in, all you need to do is add the user ID of the mailbox you wish to visit at the end of the address in your browser. Let's say you want to see Brad's mail and his NT ID is brads: after the last slash in the address bar simply add brads. Now you are telling OWA to open Brad's mailbox, and OWA will ask you who you are.

You will be "MailMaster", which has FULL permission on any mail-enabled object; type the password for this account and OWA will gracefully open up and show you Brad's mailbox. While Brad is logged in to his mailbox you will be a shadow looking at all his e-mails, and he will have no idea what is going on.

Be careful: privacy is a serious issue, so do not misuse your knowledge.


Oz ozugurlu

The Exchange Services and Executables

We are asked from time to time for the names of the Exchange services and their default settings. We put a little table together and wanted to post it here on my blog. Knowing these services is essential.

  • Microsoft Exchange Event: Monitors folders and fires events, for Exchange 5.5-compatible server applications.
  • Microsoft Exchange IMAP4: Provides Internet Message Access Protocol (IMAP4) services to clients. If this service is stopped, clients are unable to connect to this computer using the IMAP4 protocol.
  • Microsoft Exchange Information Store: Manages the Microsoft Exchange Information Store. This includes mailbox stores and public folder stores. If this service is stopped, mailbox stores and public folder stores on this computer are unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
  • Microsoft Exchange Management: Provides Exchange management information using Windows Management Instrumentation (WMI). If this service is stopped, Exchange management information is unavailable using WMI.
  • Microsoft Exchange MTA Stacks: Provides Microsoft Exchange X.400 services. Exchange X.400 services are used for connecting to Exchange 5.5 servers, and by other connectors (custom gateways). If this service is stopped, Exchange X.400 services are unavailable.
  • Microsoft Exchange POP3: Provides Post Office Protocol version 3 (POP3) services to clients. If this service is stopped, clients are unable to connect to this computer using the POP3 protocol.
  • Microsoft Exchange Routing Engine: Provides topology and routing information to Exchange Server 2003 servers. If this service is stopped, optimal routing of messages will not be available.
  • Microsoft Exchange Site Replication Service
  • Microsoft Exchange System Attendant: services and connectors, defragmenting the Exchange store, and forwarding Active Directory lookups to a Global Catalog server. If this service is stopped, monitoring, maintenance, and lookup services are unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.


Oz ozugurlu

Sunday, September 9, 2007

Finding ProxyAddresses with ADFIND

One of the most common requests for Exchange administrators is to find out who owns a given SMTP address, or whether an SMTP address exists at all in your SMTP domain. Those of you who perform troubleshooting on a daily basis will understand this right away. The classic way of verifying whether an SMTP address is valid is opening Outlook and pasting the address into the "To" field. If Outlook resolves the address, the address is valid (owned by an object within your SMTP domain). If Outlook underlines the SMTP address, it means this mail address is not present within your environment. The more advanced way of doing this is opening ADUC, going to the search option and pasting the mail address into it; we would expect this to return an object.

The most advanced way of accomplishing the same result would be:

Start, Run, Dsa.msc, click the Search button, click the drop-down menu, select Custom Search, click Advanced.

In the LDAP query, write the filter below (change my mail address to the one you need to look up):

Now let's do it a much better way. Go download ADFIND from Joe Ware. I place it in System32 so that I can get to it from anywhere; it is a little .exe file.

adfind -b dc=SMTP25,dc=org -f "(proxyAddresses=SMTP:oz*)" name proxyAddresses

This will find all objects whose SMTP proxy address begins with "oz", and print their name and proxyAddresses attributes.

We can also find the object with the switch below; don't forget to change my name to whatever name you are looking for in your search:

adfind -b dc=SMTP25,dc=org -f "(samaccountname=oozugurlu)"


ADFIND is fast and incredibly efficient; it is a free utility, and if you have not yet got your hands on it, don't lose any time: go get it and start using it.
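The filters above are typed by hand, but the moment an address comes from a ticket or a form it must be escaped before it goes into the filter, otherwise a "*" or ")" in the input turns a one-object lookup into a directory-wide one. The following added Python example, not from the post and not part of ADFIND, builds the proxyAddresses and sAMAccountName filters with RFC 4515 escaping and evaluates them against a few constructed directory entries, matching case-insensitively the way the directory does for these attributes. The entries and their addresses are constructed; only the domain smtp25.org and the names oz, oozugurlu and brads are taken from the post.

```python
import re

# RFC 4515: these characters must be written as \XX inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape untrusted text so it can only ever match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def proxy_address_filter(address, prefix=False):
    """(proxyAddresses=SMTP:<address>) with an optional trailing wildcard we add ourselves."""
    return f"(proxyAddresses=SMTP:{escape_filter_value(address)}{'*' if prefix else ''})"


def sam_account_filter(name):
    return f"(sAMAccountName={escape_filter_value(name)})"


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def attribute_matches(filter_value, attr_value):
    """Match one filter value (optionally ending in an unescaped *) against one attribute value."""
    if filter_value.endswith("*"):
        literal = _unescape(filter_value[:-1]).lower()
        return attr_value.lower().startswith(literal)
    return _unescape(filter_value).lower() == attr_value.lower()


def search(entries, ldap_filter):
    """Evaluate a single (attr=value) or (attr=value*) filter over constructed entries."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    attr, pattern = m.group(1).lower(), m.group(2)
    hits = []
    for entry in entries:
        values = entry.get(attr, [])
        values = values if isinstance(values, list) else [values]
        if any(attribute_matches(pattern, v) for v in values):
            hits.append(entry["name"])
    return hits


# Constructed directory entries (attribute names lower-cased for lookup).
ENTRIES = [
    {"name": "Oz Ozugurlu", "samaccountname": "oozugurlu",
     "proxyaddresses": ["SMTP:oz@smtp25.org", "smtp:ozugurlu@smtp25.org"]},
    {"name": "Brad", "samaccountname": "brads",
     "proxyaddresses": ["SMTP:brads@smtp25.org"]},
]

if __name__ == "__main__":
    print(search(ENTRIES, proxy_address_filter("oz", prefix=True)))   # the post's lookup
    print(search(ENTRIES, "(proxyAddresses=SMTP:*)"))                  # unescaped "*" from a form
    print(search(ENTRIES, proxy_address_filter("*")))                  # same input, escaped
```

The last two lines are the point: the raw "*" pasted straight into the filter returns every mail-enabled object, while the escaped form matches nothing because there is no address literally named "*".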


Oz ozugurlu