Monday, February 25, 2008


We finally went live with two FE (front-end) servers load balanced behind the content switch. All BE (back-end) servers are reached from outside through these two OWA FE servers. The OWA traffic is directed to a URL, something like this Https:// , and this CNAME maps to the IP address of the ISA virtual IP address. The ISA (proxy) server accepts all the traffic and passes it to the inside network. The way we configured ISA is with two interfaces: one is public, the other is the internal interface. When ISA accepts traffic on port 80, it redirects it to SSL (443) and passes it to the inside network VIP (the virtual IP of the content switch). The content switch is configured to distribute the traffic in round-robin fashion: one session to server A, the second session to server B, the third to server A, the fourth to server B, and so on. This is where you get the "load balance" type of configuration.

Anyway, after completing this entire task, we realized we forgot to enable the "Password Change" feature. Now I am writing up all the notes I put together to accomplish the mission, with a few findings. Creating a virtual directory called "Iisadmpwd" is the first step, as shown below. Of course, none of these little things are required in Exchange 2007, because it is all built in, so upgrade to Exchange 2007 whenever possible (-:

  • Open IIS: click Start, Run, type InetMgr, and hit Enter.
  • In IIS Manager expand SERVERNAME, expand Web Sites, and then expand Default Web Site.
  • Right-click Default Web Site and choose New, then select Virtual Directory.
  • In the Welcome screen click Next.
  • In the Virtual Directory window type Iisadmpwd. Click Next.
  • In the Website Content Directory screen navigate to %Systemroot%\System32\Inetsrv\Iisadmpwd. Click Next.
  • In the Virtual Directory Access Permissions screen grant Read, Run Scripts and Execute permissions. Click Next, then Finish.
  • Right-click the "Iisadmpwd" directory, go to Properties, and make sure:

    Execute permissions are set to "Scripts and executables"

    Application pool is "ExchangeApplicationPool"

  • One more thing to do: click Directory Security, and under Authentication and access control click Edit and make sure only "Basic authentication (password is sent in clear text)" is selected. (Basic authentication only stays safe because ISA redirects every client to SSL on 443, as described above.)

Now you need to enable a registry key. All you need to do is copy and paste the code below into Notepad and save it as "DisablePassword_to_0.reg"; after this, double-click the .reg file to make the changes in the registry.

Windows Registry Editor Version 5.00




Here is the trick: after you have done all the hard work, you will have to reset IIS and make sure the Information Store service is restarted on the BE (back-end) server to get this working; otherwise you won't see the Change Password option when you log into OWA.
There is one property in the metabase: PasswordChangeFlags. The default value in Windows 2003 (IIS 6.0) is 6. With PasswordChangeFlags set to 6 you cannot change the password in OWA when the user password expires or "Change password at next logon" is selected.
You can run the command below on the server to check the value.
If everything is in place but you are still not getting the "User must change password" / password expired prompt, you have to run the scripts below on the FE servers: click Run, type cmd, and go to the "C:\Inetpub\AdminScripts" directory. Use the get script first; if you get "6", it means prompting for an expired password is not allowed, so use the second script to set it to "0". After IISRESET, OWA will happily prompt you with the "your password has expired and must be changed" window.
C:\InetPub\AdminScripts> cscript adsutil.vbs get w3svc\PasswordChangeFlags
Set the value by following command on the server:
C:\InetPub\AdminScripts> cscript adsutil.vbs set w3svc\PasswordChangeFlags 0
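The same check and fix wrapped in a script, as an added example that is not from the original post: it reads PasswordChangeFlags with the adsutil.vbs the post uses, explains the value, and sets it to 0 only when run with -Fix. The default AdminScripts path and the bit meanings (taken from the IIS 6 metabase reference, not from the post) are assumptions.

```powershell
# Added example, not code from the original post. Reads the IIS 6 metabase
# property PasswordChangeFlags via adsutil.vbs, explains what the value means,
# and optionally sets it to 0 (run with -Fix, then IISRESET on each FE server).
# Assumptions: adsutil.vbs is in the default AdminScripts path; the bit meanings
# below come from the IIS 6 metabase reference, not from the post.
param([switch]$Fix)

$adsutil = 'C:\Inetpub\AdminScripts\adsutil.vbs'
if (-not (Test-Path $adsutil)) { throw "adsutil.vbs not found at $adsutil" }

# Bit meanings (assumed from the IIS 6 metabase reference); 6 = 2 + 4.
$bitMeaning = @{
    1 = 'password change allowed on non-SSL (port 80) connections'
    2 = 'password changing disabled'
    4 = 'advance notification of password expiry disabled'
}

function Get-PasswordChangeFlags {
    # adsutil prints e.g. "PasswordChangeFlags : (INTEGER) 6"; take the trailing number.
    $out = & cscript //nologo $adsutil get 'w3svc\PasswordChangeFlags' 2>&1
    $m = [regex]::Match(($out -join ' '), '(\d+)\s*$')
    if (-not $m.Success) { throw "could not parse adsutil output: $out" }
    return [int]$m.Groups[1].Value
}

$value = Get-PasswordChangeFlags
"PasswordChangeFlags = $value"
if ($value -eq 0) {
    'Password change and expiry notification enabled on SSL ports only (the value the post sets).'
} else {
    foreach ($bit in 1, 2, 4) {
        if ($value -band $bit) { "  bit $bit set: $($bitMeaning[$bit])" }
    }
}
if (($value -band 2) -and -not $Fix) {
    'OWA will not offer the change-password prompt for expired passwords. Re-run with -Fix to set 0.'
}
if ($Fix -and $value -ne 0) {
    & cscript //nologo $adsutil set 'w3svc\PasswordChangeFlags' 0 | Out-Null
    "Set to $(Get-PasswordChangeFlags); now run IISRESET on this FE server."
}
```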



If there are more problems after this, check out KB894825:

You receive an "Object Required" error message in IIS 6.0

To register the file in IIS 6.0, type the following command at a command prompt:

regsvr32 c:\windows\system32\inetsrv\iisadmpwd\iispwchg.dll


Oz ozugurlu

Systems Engineer
Security Project+ Server+ (Blog)

Tuesday, February 12, 2008

OWA and IE7 - Red X

Question: I am experiencing a red 'x' in OWA, can someone please help me out?

Solution: Follow the steps below to remediate the Red X issue.

If you are unable to compose or reply to messages within OWA and you are seeing a red square with an "X" in it, follow the steps below to solve the problem. It occurs when IE7 does not accept the ActiveX and S/MIME controls.

  • In OWA, click "Options" in the left task pane.
  • Under "E-mail Security", click Install or Upgrade the S/MIME Control. This will download a new add-on.
  • Click "Run" when asked about the Microsoft Outlook Web Access S/MIME install and the security warning.
  • There is also an update for Vista & IE 7.0: KB 911829.

In Vista, the dynamic HTML editing ActiveX control is being removed from IE.


Oz Ozugurlu
Systems Engineer
Security Project+ Server+ (Blog)

Sunday, February 10, 2008

Does the LSASS.EXE have enough memory, on your Domain Controller?

The key performance factor of a DC (Domain Controller) is how much of the database can be cached in memory. The process responsible for this task is LSASS.EXE; its caching mechanism releases cache to free memory when the OS requires it. Domain controllers that are not strong enough (low memory) will not be able to cache as much, and this will be a noticeable performance issue on the domain controller. Therefore it is a good idea to make sure the DCs have enough memory installed and that other processes are not eating up DC memory.

The core process LSASS.EXE is also responsible for replication, authentication, Net Logon, and the KCC. If LSASS is not happy, this is going to cause a busy and tired DC (Domain Controller). Any process other than LSASS MUST be investigated on a domain controller if it is utilizing most of the CPU resources.

The similar behavior in Exchange is Store.exe, if you remember.

What is LSASS.EXE?

The Lsass.exe process is responsible for the management of the local security authority, domain authentication, and Active Directory management. This process handles authentication for both the client and the server, and it also governs the Active Directory engine. The Lsass.exe process is responsible for the following components:

  • Local Security Authority
  • Net Logon service
  • Security Accounts Manager service
  • LSA Server service
  • Secure Sockets Layer (SSL)
  • Kerberos v5 authentication protocol
  • NTLM authentication protocol

Lsass.exe usually uses 100 MB to 300 MB of memory. Lsass.exe uses the same amount of memory no matter how much RAM is installed in the computer. However, when a larger amount of RAM is installed, Lsass can use more RAM and less virtual memory.

Have you ever used Server Performance Advisor V1.0? This is a FREE utility from Microsoft. Server Performance Advisor is a server performance diagnostic tool developed to diagnose root causes of performance problems on the Windows Server™ 2003 operating system.
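A quick snapshot of the two things the post says to watch on a DC, as an added example that is not from the original post: lsass.exe memory against the 100 MB to 300 MB range above, and whether any other process is taking most of the CPU. Running as an administrator on the DC and the 50 % "investigate" line for non-lsass processes are my assumptions.

```powershell
# Added example, not code from the original post. Snapshots lsass.exe memory
# (the post's usual range is 100-300 MB) and per-process CPU share on a domain
# controller. Assumptions: run as an administrator on the DC; the 50 %
# "investigate" threshold for non-lsass processes is mine, not the post's.
param([int]$MinMB = 100, [int]$MaxMB = 300, [int]$SampleSeconds = 5)

$lsass = Get-Process -Name lsass -ErrorAction Stop
$wsMB = [math]::Round($lsass.WorkingSet64 / 1MB)
$pbMB = [math]::Round($lsass.PrivateMemorySize64 / 1MB)
"lsass.exe (PID $($lsass.Id)): working set $wsMB MB, private bytes $pbMB MB"
if ($wsMB -lt $MinMB) { "  below the usual band: the DC may lack RAM to cache the directory database" }
elseif ($wsMB -gt $MaxMB) { "  above the usual band: expected with lots of RAM, otherwise worth a look" }

# Physical memory headroom; Win32_OperatingSystem reports these values in KB.
$os = Get-WmiObject -Class Win32_OperatingSystem
$freeMB = [math]::Round($os.FreePhysicalMemory / 1KB)
$totalMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)
"Free physical memory: $freeMB MB of $totalMB MB"

# CPU share per process: difference in total processor time over the sample interval.
$before = @{}
foreach ($p in Get-Process) {
    try { $before[$p.Id] = $p.TotalProcessorTime.TotalSeconds } catch { }
}
Start-Sleep -Seconds $SampleSeconds
$cores = [Environment]::ProcessorCount
$usage = foreach ($p in Get-Process) {
    if (-not $before.ContainsKey($p.Id)) { continue }
    try { $delta = $p.TotalProcessorTime.TotalSeconds - $before[$p.Id] } catch { continue }
    New-Object PSObject -Property @{
        Name   = $p.ProcessName
        Id     = $p.Id
        CpuPct = [math]::Round(100 * $delta / ($SampleSeconds * $cores), 1)
    }
}
"Top CPU consumers over $SampleSeconds s:"
$usage | Sort-Object CpuPct -Descending | Select-Object -First 5 | Format-Table Name, Id, CpuPct -AutoSize
# The post's rule: anything other than lsass hogging the CPU on a DC must be investigated.
foreach ($h in ($usage | Where-Object { $_.Name -ne 'lsass' -and $_.CpuPct -ge 50 })) {
    "INVESTIGATE: $($h.Name) (PID $($h.Id)) is using $($h.CpuPct)% of the CPU on a DC"
}
```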


Oz Ozugurlu
Systems Engineer
Security Project+ Server+ (Blog)

Windows 2003 to Windows 2008: some of the cluster improvements (no more upgrade with CLUSTERS in Windows 2008)

I heard (I never counted the cluster setup steps myself) that there were 23 steps to set up a cluster in Windows 2003. The new cluster takes a couple of steps to get up and running. Windows 2008 brought the new Cluster MMC 3.0, so CluAdmin is gone. In Windows 2008, clustering is being called "Failover Clustering".

Cluster logging: text logging is gone along with CluAdmin, and the new MMC is the tool to use for Windows 2008 clusters. There is a Validate tool built into the Cluster MMC; this tool provides multiple tests.

What to do when a cluster hangs: enable User Mode Hang Detection

The following symptoms typically indicate that the cluster node has stopped responding:

  • You can confirm IP connectivity to the server that is hanging by pinging it.
  • You cannot successfully establish a connection to the server by using the net use command.
  • You cannot successfully connect to the server by using a Terminal Services client.
  • You can move the mouse pointer when you log on locally to the server.
  • You cannot start programs or utilities when you are logged on locally to the server.

The KB article is here.
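The remote half of that symptom list turned into a probe, as an added example that is not from the original post: it checks ping, a net use connection and an RDP TCP connect for each node and reports when the pattern "ping answers but net use and Terminal Services fail" appears. Node names are passed in, RDP on its default port 3389 and admin rights on the nodes are assumptions.

```powershell
# Added example, not code from the original post. Probes cluster nodes for the
# pattern listed above: ping answers, but SMB (the "net use" test) and Terminal
# Services (RDP) do not, which points at a user-mode hang rather than a dead box.
# Assumptions: run from another machine with admin rights on the nodes; RDP
# listens on its default port 3389.
param([Parameter(Mandatory=$true)][string[]]$Node, [int]$TimeoutMs = 3000)

function Test-TcpPort([string]$TargetHost, [int]$Port) {
    # TCP connect with a timeout; nothing is sent beyond the handshake.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-NetUse([string]$TargetHost) {
    # Same check as the "net use" symptom: connect to IPC$ and drop it again.
    $share = '\\' + $TargetHost + '\IPC$'
    & net use $share 2>&1 | Out-Null
    $ok = ($LASTEXITCODE -eq 0)
    if ($ok) { & net use $share /delete 2>&1 | Out-Null }
    return $ok
}

foreach ($n in $Node) {
    $ping = Test-Connection -ComputerName $n -Count 2 -Quiet
    $smb = if ($ping) { Test-NetUse $n } else { $false }
    $rdp = if ($ping) { Test-TcpPort $n 3389 } else { $false }
    $state = 'responding'
    if (-not $ping) { $state = 'no IP connectivity: node or network down' }
    elseif (-not $smb -and -not $rdp) { $state = 'HANG PATTERN: ping OK, net use and RDP fail; check console, enable User Mode Hang Detection' }
    elseif (-not $smb -or -not $rdp) { $state = 'partially responding: check the failing service' }
    "{0,-20} ping={1,-5} netuse={2,-5} rdp={3,-5} {4}" -f $n, $ping, $smb, $rdp, $state
}
```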

Of course this is built right into the Windows 2008 architecture. There is also a reporting function built into the new cluster configuration management.

Cluster signature management is handled through a better GUI in Windows 2008. GPT is supported. The new Symantec Foundation for Windows will be supported. DHCP is supported now: any network cluster resource will be able to use DHCP. I am not sure if anyone would really use this just because it is supported (I personally would not (-:), but it is supported in Windows 2008 cluster configuration, just to let you know. NetBIOS is not needed anymore in Windows 2008. The cluster GUI is built into MMC 3.0, so Windows 2008 is promising no MORE hourglass, simply because CluAdmin is gone, and MMC cannot crash (-:

The cluster migration tool will make things easy; this tool will assist with moving cluster configurations from one cluster to another.

Geographically dispersed clusters

Cluster nodes are allowed to communicate across network routers (wow), the heartbeat timeout is configurable, and there are no more cluster distance limitations (wow).

Cluster management is finally getting retired from being a rocket scientist job to a regular admin type of job. In Windows 2008 the cluster service account (CSA) runs as Local System, which is very nice. No more worrying about the cluster special account.

I am very excited to expose myself to the new cluster management MMC and tools. Hopefully Windows 2008 servers will get deployed quickly into most networks, and we will have the opportunity to explore the new features in a production environment.


Oz Ozugurlu
Systems Engineer
Security+Project+ Server+ (Blog)

Thursday, February 7, 2008

Mailbox manager settings Exchange Policies

Let's say the company decided to implement mailbox policies for all mail-enabled users, and you are assigned to get this task done based on the company policy. A typical mailbox policy would be to delete e-mails older than X number of days. To set this up in the Exchange org you need to start from ESM and drill down to Recipient Policies under the Recipients folder. Create a new recipient policy and select "Mailbox Manager Settings".


Name your policy. Once you get there, right-click, click Modify, and select where you want to apply this policy; in my case I chose a single server. Click on Mailbox Manager Settings (Policy) and complete each field so that it corresponds to your company policy. At the bottom there is an option to send mail to clients to let them know what is happening.

When all looks good, click Apply and save the policy in ESM.


Go to the properties of the Exchange server.

Under Mailbox Management, click Custom Schedule; I picked 6 AM every day. Click Reporting and point it to a DL (Exchange administrators); we also want a detailed report.


Manually initiating Mailbox Management

If you right-click the new Mailbox Management recipient policy and select Apply This Policy Now, the policy gets applied right away regardless of the schedule. Also right-click the Recipient Update Service, select Update Now, and after doing this select Rebuild.

This will kick off the RUS with the new policy, which then applies the policy to existing objects that meet the search criteria. For better redundancy, dedicating multiple bridgehead servers and different DCs/GCs would be a good way of making sure the RUS stamps all policies and the SMTP proxy addresses.



Oz ozugurlu



Security+, Server +,Project+

Friday, February 1, 2008


You want your users to update their own settings within the GAL, and you decided to use the GALMODE utility, which was supported with Exchange 5.5. Companies don't like spending money to get some other/better product; instead they like to make their existing tool work with any version of Exchange. So I was tasked to make GALMODE work in a large mixed Exchange 2000 and 2003 environment.

First you will need GALMODE.EXE; if you don't have it, ping me. Second, follow the steps in KB-272198.

Follow the steps below:

  • Click Self.
  • Click OK.
  • Next.
  • Create a custom task to delegate, Next.
  • Only the following objects in the folder.
  • Highlight anything and press the letter "U", which will take you to the User object; put a checkmark there.
  • Next.
  • Select Property-specific.
  • Now it is time to choose what to pick; I am going to choose the following:
  • Write ZIP/Postal Code.

In the following Active Directory folder:

The groups, users, or computers to which you have given control are:


They have the following permissions:

  • Read Assistant
  • Write Assistant
  • Read Company
  • Write Company
  • Read Department
  • Write Department
  • Read Fax Number
  • Write Fax Number
  • Read Job Title
  • Write Job Title
  • Read Notes
  • Write Notes
  • Read Pager Number
  • Write Pager Number
  • Read Street Address
  • Write Street Address
  • Read Telephone Number
  • Write Telephone Number
  • Read Title
  • Write Title
  • Read ZIP/Postal Code
  • Write ZIP/Postal Code
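The same delegation done with dsacls instead of the wizard, as an added example that is not from the original post: it grants SELF read and write on exactly the properties listed above, scoped to user objects under one OU. The OU path is a placeholder, the mapping from the wizard's display names to LDAP attribute names is my assumption (in particular "Title" taken as personalTitle), and the dsacls /G argument form should be confirmed with dsacls /? on your build before dropping -WhatIf.

```powershell
# Added example, not code from the original post. Grants SELF the property-
# specific read/write rights listed in the wizard summary above, on user
# objects under one OU, using dsacls. Assumptions: the OU is a placeholder;
# the display-name-to-attribute mapping is mine; the principal name
# "NT AUTHORITY\SELF" and the /G "principal:perms;attribute;objecttype" form
# are as documented for dsacls (check dsacls /? before running without -WhatIf).
param([string]$OU = 'OU=Users,DC=example,DC=com', [switch]$WhatIf)

# Wizard display name -> LDAP attribute (assumed mapping).
$attributes = @{
    'Assistant'        = 'assistant'
    'Company'          = 'company'
    'Department'       = 'department'
    'Fax Number'       = 'facsimileTelephoneNumber'
    'Job Title'        = 'title'
    'Notes'            = 'info'
    'Pager Number'     = 'pager'
    'Street Address'   = 'streetAddress'
    'Telephone Number' = 'telephoneNumber'
    'Title'            = 'personalTitle'
    'ZIP/Postal Code'  = 'postalCode'
}

foreach ($name in ($attributes.Keys | Sort-Object)) {
    $attr = $attributes[$name]
    # RP = read property, WP = write property. ";$attr;user" limits the ACE to that
    # one attribute on user objects; /I:S applies it to sub-objects only, which is
    # what "only the following objects in the folder" did in the wizard.
    $ace = 'NT AUTHORITY\SELF:RPWP;' + $attr + ';user'
    "Read/Write $name -> dsacls `"$OU`" /I:S /G `"$ace`""
    if (-not $WhatIf) {
        & dsacls $OU /I:S /G $ace | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed for $attr (exit code $LASTEXITCODE)" }
    }
}
```

Run with -WhatIf first to see the eleven dsacls commands without changing anything; afterwards dsacls "$OU" lists the resulting SELF entries so you can compare them with the wizard summary.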

Oz ozugurlu,



Security+, Server +, Project+