MS Cluster Servers

How do I monitor MS Cluster server applications?
I really don't know. There appear to be no really good, thorough methods.
- Can watch to see if the cluster service fails - that would be a problem, but doesn't happen when an application fails over.
- Can poll for events in the event log. There aren't any good, specific event id's to watch for. Could monitor for several events that might indicate some kind of problem, but wouldn't indicate a specific problem occurred. This could work if we identified the pattern of events when a node brings a service online.
- Can monitor the existence/free space of the Q: drive on the node that is supposed to be the primary machine in the cluster. When drive Q: goes away we can know when the cluster group has failed over. However in a 2 node active-active configuration this would not tell us when the application running on node 2 failed over to node 1 (if node 1 owns the cluster group.)

It would be nice if there were performance monitor "counters," SNMP MIB's, WMI, or some other exposure of the status of each resource on a cluster server. This would provide alerting possibilities for "abnormal" situations. I understand there is some API that cluster administrator was built on, but writing my own cluster administrator with alerting capability is not attractive. Neither is sitting 24 hours a day and watching cluster administrator to find out whan an app fails over.


Outlook::OST to PST

Here's a useful addition to your toolbox... it's a tool that will create a PST from an orphaned OST file


Cisco VPN 3000 client, WinXP, wierd problems

Using Cisco VPN client v4.0.2(D) and WinXP SP1+a gazillian patches.
My machine does not respond to PING. Checked the obvious stuff. Had ZoneAlarm shutdown, XP Internet connection firewall off/etc.
(and having problems where once in a while I hit Start-Run or try to launch a program and it takes 15-30 seconds before it seems to do anything -- jury is still out whether this is related to the PING issue.)
Anyway, I've learned recently that the Cisco VPN client includes a firewall feature and has the option to always run it, not just when the VPN is connected. I found this check box in options, unchecked it and bingo - I can PING my machine and use TFTP to upgrade my routers again.
This simple little thing has been driving me crazy. Sometimes that's how it goes.


Group Policy Inventory (GPInventory.exe)

Download details: Group Policy Inventory (GPInventory.exe): "File Name:gpinventory.msi
Download Size:306 KB
Date Published:10/3/2003

Group Policy Inventory (GPInventory.exe) allows administrators to collect Group Policy and other information from any number of computers in their network by running multiple Resultant Set of User Policy (RSOP) or Windows Management Instrumentation (WMI) queries. The query results can be exported to either an XML or a text file, and can be analyzed in Excel."

Windows XP::Tweaking Memory Management

Common Computer Problems and possible fixes:: "Problem: How can I increase performance with Windows XP?
Possible Solution: Disable Kernal paging using the following regedit:
Click on the Memory Management folder and right-click the LargeSystemCache entry. Select Modify, and type 1 in the Value Data field.
If you have 512MB or more of RAM, you should also locate the DisablePagingExecutive entry and ensure it is set to 1 as well. (This setting keeps as much information as possible loaded into RAM rather than to the swap file.)"


Links::Regular Expressions

PCRE: Writing regular expressions on your own
- A great example of creating regular expressions
I don't do regex's all day every day. But I often find myself in a situation where one would come in handy to search & replace in Textpad or to script something. I find my self looking for tutorials/etc at these times to get myself back up to speed.



commandline: nbtstat -A [ip number]
displays netbios announcements from the machine at that IP number

00 Base computer name and Workgroups
01 Master Browser
03 Message Alert service (name of logged in user)
20 Resource Sharing `server service` name
1B Domain master-browser name
1C Domain controller name
1E Domain/workgroup master browser election announcement


Firewall::Cisco::Outbound PPTP

Can't do PPTP vpn for a client inside cisco firewall to a server outside. Using Pix 6.1x
Must allow GRE ("Generic Routing Encapsulation") protocol from the server in to the client.
This requires: - client must have static IP address.
- Outbound on TCP1723 must be allowed to the server
- Inbound GRE must be allowed from the server to the client's outside static address.
The details of this and other situations is found in Cisco document: "Permitting PPTP Connections Through the PIX"
PDF version -
HTML version


static (inside,outside) netmask 0 0
access-list acl-outside permit gre host host

Assumes acl-outside is already applied to your outside interface via the command:
access-group acl-outside in interface outside



Very interesting location for difficult to find downloads.
Read the welcome.txt at the top level.


Windows 2000::WMI problems - UPDATED

I have a problem for many of our machines. WinMgmt.exe consumes all CPU.
- MS article 225154 refers to an update to Windows Management Instrumentation 1.10 that fixes a similiar problem.
- MS article Q298130 is no longer available on Microsoft's support site, but it recommended stopping the service(s) and deleting all files under %SystemRoot%\System32\Wbem\Repository then restarting the service. - I have had *some* success with this, but does not fix all issues.
- Articles also refer to a fix: Q263119.exe that I can't seem to find.
- There is a download for the WMI Core at (it states that WMI core is already included in Win2K.)
I believe SP3 people don't have this problem. But there doesn't seem to be a release of the updated WMI that is included in SP3. And SP3 pulls some BS on us: autoupdate client enabled by default, Outlook Express, "set program access and defaults" in start menu. We don't want all that crap and don't want to spend a month creating an automated installation that will install SP3 then undo all the BS.


Citrix::ICA Keepalive



After a ICA_TCP session is abnormally terminated, subsequent viewing of the ICA-TCP session in either Citrix Server Administration, mfadmin.exe, Terminal server Administration, tsadmin.exe, or CMC, Citrix Management Console shows the connection in an ACTIVE not a DISCONNECTED state.

TCP/IP uses the initial packet round-trip time at the moment when the session is initiated to determine what is "normal" for that connection. Because of this, it is better to have a consistently slow WAN connection and worse to have a connection that starts out fast and then becomes slow. Such an erosion of connection speed is common when connecting through an Internet Service Provider (ISP), particularly when the connection is opened in the morning and maintained into the work day.

Using an algorithm, TCP tunes itself to the "normal" delay of a connection. Because the default number of retries is five, the round-trip time can double four times (or in other words become 16X slower than its initial value) before the session is dropped. By increasing this number to 10, you are allowing the round-trip time to double nine times instead of four, thereby allowing the connection quality to erode up to 512X its original value before being dropped. For example, a connection that begins with a roundtrip time of 20 milliseconds would have to erode to a round-trip time of 10,240 milliseconds before being dropped by the server.

In environments where the TCP/IP network has high latency, modifying the operation of the Windows TCP/IP stack can improve TCP-based ICA sessions.

The TCP/IP retransmission is controlled by the Windows Terminal Server TcpMaxDataRetransmissions registry value. See Microsoft Knowledgebase Articles Q120642 , Q158474 and Q170359 for more information.

MetaFrame 1.8 (SP1 or higher) for Windows Terminal Server, MetaFrame 1.8 (SP2 or higher) for Windows 2000, and MetaFrame XP Application Server for Windows

In some networks, ICA Clients might time out when connected to a session and then receive a new session upon reconnect, instead of being reconnected to the dropped session. This new session is received on reconnect because the former host server is not aware that the previous session was dropped due to high network latency.

The Service Packs add a new “ICA KeepAlive” feature so the MetaFrame server can recognize broken ICA sessions and take appropriate action. When the ICA KeepAlive expires, the server disconnects or resets the broken session based on the setting “On broken or timed-out connection...,” which is configurable for the user or ICA connection. Two registry values control the ICA KeepAlive feature. Both values can be manually added to the registry key:


IcaEnableKeepAlive REG_DWORD: 0 or 1
When this value is 0, ICA KeepAlives are disabled. When this value is set to 1, ICA KeepAlives are enabled. The IcaEnableKeepAlive is set to 1 by the Service Pack installation.

ICAKeepAliveInterval REG_DWORD:
This parameter determines the interval separating keep alive retransmissions until a response is received. Once a response is received, the delay until the next keep alive transmission is again controlled by the value of KeepAliveTime. The connection is ended after the number of retransmissions specified by TcpMaxDataRetransmissions have gone unanswered. If the IcaEnableKeepAlive value is 1, this value controls the frequency at which ICA KeepAlives are sent to the client. This IcaKeepAlive Interval is set to 60 seconds by this hotfix installation. Sixty seconds is also the default interval if this value is not defined but IcaEnableKeepAlive is set to 1.
Default: 60 seconds

The time that elapses between an ICA broken client connection and the MetaFrame server disconnect (or reset) event may be longer than the IcaKeepAliveInterval. For instance, suppose the IcaKeepAliveInterval is set to 15 seconds. A client’s ICA WAN connection is dropped at 12:00:00. The server may not put the session into a disconnected (or reset) state until sometime after 12:00:15, although the session will usually disconnect (or reset) within approximately IcaKeepAliveInterval +2 minutes. This is because the Windows NT 4.0, Terminal Server Edition TCP/IP stack retransmits the ICA keep alive packet a number of times at increasing intervals before timing out. When the TCP/IP stack finishes its retransmissions, the session is disconnected (or reset).



Very interesting resource of information about locations and people:

NT4::Server service will not start

After applying SP3 the server service will not start. The event log shows an event stating "there is not enough server storage"
Applied SP6 and still have the issue.
Describes my exact event log errors. In the situation reference in the KB a network card had just been installed.
It recommends reinstalling the service pack.
Perhaps for some other reason my Srv.sys file got reverted back to the original CD copy....

A guy on usenet also recommends checking and possibly increasing IRPSTACKSIZE value from 6 to 11 under registry key:


Exchange 2000::Export E-Mail Aliases


ldifde -f c:\email.ldf -l mail,proxyaddresses
The above generates a huge export file designed to import someplace else.

Out of this file extract all the lines that start with: proxyAddresses: smtp: (NOT case sensitive.)

This is a list of all the aliases!

Active Directory Schema Attributes

Default Active Directory Attributes in the Windows 2000 Schema:;EN-US;q257218&

Exchange::E-Mail Address Listing

How in the heck do I export a list of e-mail addresses (including aliases if that's not too much to ask) ????

Here is a good article about using LDAP & VB script to get a list of e-mail addresses:
However I think part of it is missing - I can't get it to run.

The Microsoft Conspiracy

I've never bought into the belief that Microsoft is a plague on the earth sent by satan. I believe most Microsoft "issues" (mildly put) stem from greed and technical oversight and maybe sometimes intentional technical oversight serving the interest of greed.
"Microsoft's Really Hidden Files" is a very interesting article at:
I'm using W2K Professional and IE6 patched and patched and patched and patched. I followed those instructions for seeing the IE hidden cache but didn't find much--a couple URL's from yesterday. However, since I had emptied my cache and cleared my history I really should have seen nothing. I doubt there is a "big brother" at Microsoft planning to read through everybodies deleted mail in Outlook Express or purged URL history, but it makes you think. We all have to be mindful that once we store something on a computer it can be very hard to remove.
I once heard a computer forensics analyst say that when she finds evidence that someone tried to wipe freespace on a drive or otherwise destroy evidence that just made her look even harder because she knows there is something to be found -- and often finds it elsewhere in a place nobody thought to try to purge.


Windows 2000::Security Policy

secedit can be run with switches to force the application of policies from AD.
SECEDIT /refreshpolicy machine_policy [or user_policy] /enforce


IP Accelerator

interesting product:

Citrix Performance Counter Recommendations

Reference from:
Formatted into a table. Most of it is basic common sense and goes for any Windows server.
processor utilizationless than 90%
processor interruptsaverage 100 per second
context switchesless than 500 per second
memory-available bytesgreater than 32 MB + 4-14 MB per user + 1 MB per idle session
memory-pages per secondless than 5
percentage of disk timegreater than baseline
disk queue length1.5 to 2.0, >2 may mean disk hardware incompatibility or failure
NIC Bytes Total / secondless than network transfer rates


Citrix::Outlook::Execute PRF on first run

I haven't tried this but it sounds promising. It might trigger some ideas some day.
From a newsgroup:

Configure the registry to trigger Outlook to import the PRF file when Outlook starts up. You can use the Add/Remove Registry Entries page in Custom Installation Wizard or the Custom Maintenance Wizard to deploy these registry key options to your users. You can also use the wizards to distribute the PRF file to users by using the Add/Remove Files page.
Delete the following registry key value : HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Setup\First-Run.
In the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Setup subkey, set the value of ImportPRF to a string value that specifies the name and path of the PRF file. For example, set ImportPRF to \\server1\share\outlook.prf.

Perl::Script::Rename Files

Below is a sample script depecting file directory operations. This was a fast and dirty script to rename files into a different name format. It doesn't deal with name collisions when users have same last name. I only had a handful of them to deal with:

$indir = 'c:\\dev\\picname\\input';
$outdir = 'c:\\dev\\picname\\output';

opendir(DIR, "$indir");
my @files = readdir(DIR);

my $file;

foreach $file (@files) {
if ($file eq ".") {next};
if ($file eq "..") {next};
#input filename
my $infile = "$indir\\$file";

#output filename

my @temp = split(/(,\s|\s)/,$file);

my $newfile = "$outdir\\P-$temp[0].jpg";

print "$infile --> $newfile\n";

rename ($infile, $newfile);

}#end foreach $file


Citrix/NT Terminal Server Optimization



Terminal Server and Citrix Metaframe

Microsoft Terminal Server is a totally different beast than your standard NT and although most of the tips mentioned in elsewhere there are a number of special considerations that need to be looked at.


In Control Panel / Network / Services / Server / Properties. Set the option to Maximize Throughput for Network Applications. The system default is Minimize Memory and it was originally thought that Maximize Throughput for File Sharing was the best setting but testing has disproved this.


Go to Control Panel / System / Performance and make sure the Best Foreground Application Response is set to maximum.


Control Panel / System / Performance / Change set the Registry Size to at least 50MB. Many people say that it should be set to at least 4 times the default setting to allow for growth. But we believe that for many people this is too large. Our advice would be monitor the growth of your registry and set it accordingly, 50MB will be adequate for most people.


In Control Panel / System / Performance / Change make the Paging File 2.5 times the size of the system memory.


Do not give anyone access to screensavers. This can be done through system policies but we also recommend, once all the applications are loaded onto the system, doing a search for all files ending with a .scr and deleting them.


Stop people changing their desktop wallpaper. Again this is a system policy option but for Metaframe users why not go to Citrix Connection Configuration / Advanced and tick the Disable Wallpaper Option.


In some cases, the logon process may be very slow due to an application searching for fonts. Applications such as Lotus CC:Mail and NWScript can cause this problem. To overcome this issue at Control Panel / System / Environment go to the System Variables section and click on the variable named Path. Add to the end of this string add ;%SystemRoot%\Fonts and click Set.


If you do not use audio in your thin client setup then disable this both on the client and the server. If you use Metaframe this can be done in Citrix Connection Configuration / Client, tick the Client Audio Mapping. However this only works for ICA clients not RDP and the sound is still played on the server even though the client can’t hear it. To disable this entirely go to Control Panel / Sounds and make the scheme No Sounds.


Supercache is the new caching technique introduced by Citrix in hotfix ME180021.EXE for Metaframe 1.8, in ME100044.exe for Metaframe 1.0 and in hotfix SE17B099.EXE for Winframe 1.7.

SuperCache is a new caching technique that can result in a large improvement in usability and performance over a slow connection, or for applications that tend to redisplay a large area of the screen in response to small localized changes. Example applications that will show a large caching improvement over a slow connection are Microsoft Internet Explorer (IE) and Visual FoxPro.

Once the hotfix is installed SuperCache is still disabled and needs to be enabled to work. You do this by going to the Command Prompt and typing:

Keysync ICAThinwireFlags /Enable:2

To disable type:

Keysync ICAThinwireFlags /Disable:2

You will need to reboot inorder for these setting to come into effect.

When SuperCache is enabled, large bitmaps are displayed in a number of columns in left to right order, instead of top to bottom order. This is readily apparent when running a client over a slow line.

CITRIX::Slow/lag in keystrokes

Sometimes when typing a document or e-mail in a Citrix session the server stops accepting keystrokes and my typing gets "buffered" then eventually catches up.
A couple of news group articles warn that if latency gets up to 650ms to 700ms Citrix sessions start to die.
A continuous ping from an affected workstation to the server shows response times of 20-30ms for 99% of the time with occasional responses over 400ms to maybe 550ms max.
On the client I am trying setting the "latency reduction" to ON and check the box to "local text echo"
This can be setup automatically by changing lines in the APPSRV.INI:

This needs changed in the copy of this file in the user profile directory of the client machine:
C:\Documents and Settings\[USERID]\Application Data\ICAClient

(there is also a copy in the program directory - a bit confusing.)

Network Troubleshooting Tools

Hot Tools presentation, Laura Chappell

- NetScan Tools Pro: $199
Many features, excellent help file including RFC references and detailed information.

- Ethereal: Free!
Excellent free traffic capture and analysis. !Can sort the tracefile by column!

- Sam Spade: Free!
A smaller multifeatured program like NetScan Tools. Their tools can also be run from their website for testing outside firewalls/etc.

- Snort + IDSCenter: Free!
Free Intrusion Detection utility. IDSCenter -> graphical interface into Snort.

- nMap: Free!
Port/Ping Scanning & OS fingerprinting
Available version for NT

- Ettercap: Free!
Attack tool - use only for testing and with extreme caution.
"Man in the middle" tool to inject characters into datastream or kill connections.

- GRC Tools: Free tools from Jim Gibson
e.g. ID Serve - OS fingerprinting tool

- DSniff: various tools
e.g. passive tools such as MailSnarf - passive packet analysis tool for smtp & active attack tools: Arpspoof, DNSspoof
Macof - attacks a switch attempting to force it into "failover mode" making it "a hub"

- Specter Honeypot: $899 ($599 "Specter Light")
Specter Light - only pretends to be a Windows version.
runs on Win2K.

- White Glove: $99
White Glove = CDROM bootable Linux (separate)
Deception Toolkit = honey pot that runs well under White Glove

- AirMagnet: ?buy through reseller?
Can run on IPaq!
Wireless analyzer to find 802.11a&b traffic on what channels.
Passive listener - doesn't actively probe for access.

- GPS + Antennas
Interface to wireless device to record locations.
amps & antennas - need in depth consulting help to select amp & antennas that go together and suit your needs.

- L0phtCrack - now LC4: $99 - "John the Ripper" <-Linux only
Password auditor/cracking
Has 15 day trial download available - brute force attack not available.

- LANGuard
?free for noncommercial use?
vulnerability scanner - various scans/probes, OS fingerprinting, and various recon: http banner page, file shares, possible vulnerabilities.
GFI has various tools available. Some are freeware: network security scanner and security alerts

- NetStumbler/MiniStumber(pocketPC): Free
actively polls wireless channels - can be averted by disabling poll responses on access points.
Can be interfaced into GPS to log coordinates with access point info - to map active access points.

- Invisible Secrets: $39.95
LSB steganography tool - Least Significant Bit Steganography
2 types = Data injection, Data replacement
steals 1 or more bits from each byte to hide another image inside the carrier image.

- HexWorkshop: $49.95
Hex Editor

- Etherpeek: $995 - standard version
protocol analyzer with Expert assistance built-in (in NX version: $3495)

- Sniffer: $$$thru reseller
protocol analyzer. Strength = it's excellent decode capability.
I use it and I really like it's "scope" view. It's well integrated tools make it easy to use and fairly intuitive (for this category of product.)

- Iris: $
was "capturenet" and "peepnet"
traffic analyzer - useful to reconstruct HTTP web browsing sessions.

- Brutus: Free!
Password cracking tool using your own password file.

- CameraShy: Free!
A cult of dead cow browser created to communicate with Chinese dissidents.
Identifies images with possible steganography altered files. = a test page.
Product "6/4" was also created for peer to peer file sharing and firewall tunnelling.

- PingPlotter: $24.95

- KeyGhost: $99 - $199 depending on memory
Hardware Keylogger - keystrokes stored in the hardware device. Can be viewed from the machine with the password/etc.

-SpyCop: $69.95
Software to check computer for spyware or malware.


Digital Prints Online

I love my digital camera. I use SnapFish to print my digital pictures. When I order 100 or more they are $0.25 per print.
Others available:
and "as low as $0.22 per print" - when you prepay for 500 prints.


Windows 2000 SP4 Issues

Compiled at:

- Includes Citrix logon issues.


Spam::Avoiding address harvesting from your website

I loath people who use robots to walk through websites gleaning e-mail addresses. To help prevent it, some say, you can hide the e-mail address itself and instead calling a script to redirect mailto links. However how soon until the spammers read these articles and rewritten code to guess at e-mail link redirector parameters. (or recognize implementations copied or very close to the examples provided by the helpful people who gave us the information.)

I like the above ideas best, however there are some other possibilities.

Many say we should "munge" your address by writing addresses something like:
datacomguy -at- bigfoot -dot- com

I see this all over the place, but let's face it: most people out there are barely able to deal with such complex ideas as "click that little address and it will send me an e-mail." Expecting people to read your instructions, understand what to do, and use their keyboard and fingers to type your e-mail address into their e-mail software will be excluding 90% of the civilized computer using world who are either too thick or just too lazy to do it.

I've also seen some who turn *all* e-mail address links into graphics and link each of them to their own custom response form. This is going a bit far and is a bit more labor intensive. This method does have the advantage of being able *totally* hide your e-mail address. Sender's will have a much less "feature rich" experience sending you e-mail using a form. Making a paragraph break or a bulleted list will be difficult or impossible. And they are likely to hit the send button impatiently one or several times more while the next page is rendering. Or they might wonder if "it went through" and send you the same message again.


Windows 2000::Resource Kit

Some utilities can be downloaded from MS for free. However I found a spot where a lot more of them are available:


Exchange2000::SendAs Permission

From MS KB
This step-by-step article describes two methods in Exchange 2000 Server that you can use to configure a mailbox so that users other than the mailbox owner can use that mailbox to send messages.

In Exchange 2000 Server, you can permit one or more users to send messages on behalf of a particular mailbox owner by granting "Send on behalf" permissions. You can also permit one or more users to send messages as a particular mailbox owner by granting "Send As" permissions.

Grant "Send on Behalf" Permissions

If you grant a user "Send on behalf" permissions for another user's mailbox, that user can send mail on behalf of the mailbox owner. The name in the From box of these messages appears as

From: DelegateUser on behalf of MailboxOwner

where DelegateUser is the name of the user to whom you granted "Send on behalf" permissions and where MailboxOwner is the name of the user who owns the mailbox.

To grant a user "Send on behalf" permissions for another user's mailbox:

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, click Users.
  3. In the right pane, right-click the mailbox of MailboxOwner, and then click Properties.
  4. Click the Exchange General tab, and then click Delivery Options.
  5. Under Send on behalf, click Add.
  6. Type the name of the DelegateUser, click Check Names to verify the name, and then click OK.
  7. Click OK, and then click OK.
  8. Quit Active Directory Users and Computers.

For example, if you grant UserB "Send on behalf" permissions for UserA's mailbox, UserB can send messages on behalf of UserA. The From box in these messages appears as follows:

From: UserB on behalf of UserA

Grant "Send As" Permissions

If you grant a user "Send As" permissions for another user's mailbox, the DelegateUser can send mail as the MailboxOwner. The From box in these messages appears as follows:

From: MailboxOwner

To grant a user "Send As" permissions for another user's mailbox:

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. On the View menu, click to select Advanced Features.
  3. In the console tree, click Users.
  4. In the right pane, right-click the mailbox of MailboxOwner, and then click Properties.
  5. Click the Security tab.
  6. Click Add, and then type the name of the DelegateUser.
  7. Click Check Names to verify the name, and then click OK.
  8. Verify that DelegateUser is selected, and then click to select the Allow check box next to Send As in the Permissions list.
  9. Quit Active Directory Users and Computers.

For example, if you grant UserB "Send As" permissions for UserA's mailbox, UserB can send messages that appear to be sent from UserA. The From box in these messages appears as follows:

From: UserA

For additional information about how to grant a user "Send As" permissions in Exchange, click the article number below

281208 XADM: How to Grant a User "Send As" Rights in Exchange Server 5.5 and Exchange 2000



I've been on an adventure the past few days setting up TLS messaging with one of our clients. I hope to document more of this experience in the next few days. Below is a diagram of message flow to and from entities external to EXCHANGE as I have it now.

W2K & Exchange Upgrade

Quoted from

** Boswell's Q&A: At the Fork In the Exchange Migration Path

I'm moving our network from mixed to native because our Exchange
server is 15.3 G. I've read that Exchange can run in a mixed
environment -- yes or no? In one article I've read, it says that
if you are a member of the Enterprise Domain, Administrators,
Domain Admins and Exchange Admins that you will not have to run
forestprep and domainprep runs when you first try to install
Exchange 2000. Will this let me install Exchange 2000 in a mixed
environment and move mailboxes from my Exchange 5.5 SP4 server,
or will I have to be in native mode?
--Russ Moss

I want to ask you for a recommended upgrade path for Exchange 5.5
to Exchange 2000. My company is preparing to migrate to Exchange
2000 and have had varying opinions. Some say the best approach is
to install Exchange 2000 on a separate box and install the AD
connector. Others have recommended doing a full migration by
creating the Exchange 2000 box, ex-merging all mailboxes out and
importing them into Exchange 2000. Do you have a recommended
approach or is it simply a matter of preference?
-- Marty Kineen, MCSE, CCNP
Plymouth Meeting, Pennsylvania

| HELP? Or maybe you want a better explanation than provided |
| in the manuals? Describe your dilemma in an e-mail to Bill |
| at; the best questions get |
| answered in this column. |
| |
| When you send your questions, please include your full first |
| and last name, location, certifications (if any) with your |
| message. (If you prefer to remain anonymous, specify this in |
| your message but submit the requested information for |
| verification purposes.) |

Russ and Marty,

Your questions are somewhat related. You both are running legacy
Exchange in a Windows 2000 domain and you're looking for the most
efficient upgrade path.

Russ, you'll need to shift your domain to Windows 2000 native mode
so that you can create Universal security groups to act as
Exchange 2000 distribution lists. This means you must either
upgrade or decommission your NT BDCs, then shift the domain to
native mode. This shift does not impact down-level clients nor
does it affect the Exchange 5.5 server.

Marty, in the configuration you've described, the upgrade path
that gets you to a full Exchange 2000 deployment with the least
hassle would be to introduce a new Exchange 2000 server into the
existing sites and use the Active Directory Connector (ADC) to
keep the legacy Exchange directory service in sync with Active
Directory during the migration. You shouldn't need to create a
separate Active Directory domain or a separate Exchange
organization. Once the Exchange 2000 server is in place, move all
the mailboxes and connectors from the legacy Exchange server then
decommission the server and shift to Exchange Native mode. The
documentation walks you through this process.

As for running Forestprep and Domainprep, it's true that both of
these actions are performed when you run Exchange 2000 Setup so
you do not need to run them separately. The documentations calls
them out individually because many organizations divvy up their
admin rights so that one account doesn't have the necessary
permissions to do both. In a single domain configuration, the
simplest way to do the ADC installation and the Exchange 2000
setup is to use the Administrator account for the domain. This
account has full access to the Schema, to the Configuration
container where the Exchange organization will be created, and
to the Domain container where the Exchange system accounts will
be created. The ADC requires a service account in Active
Directory that has Service Account Admin permissions in the
legacy Exchange organization, sites, and configuration container.

Before you can run Exchange Setup, you’ll need to install the ADC
and create recipient and public folder connection agreements to
each of your sites. You should be running Exchange 5.5 SP3 or
higher on at least one Exchange server in each site, although I
recommend getting all your Exchange servers to the latest service
pack prior to deploying Exchange 2000.

The ADC modifies the schema, so you'll need to run it using an
account that is in the Schema Admins group. Plus you'll need
admin rights for the Configuration container. The simplest way
to do this is to use the Administrator account for the domain.
When you run Exchange Setup, you’ll modify the schema again so
the same permission rules apply.

Good luck and let me know how things turn out.

Bill Boswell


T1 Troubleshooting

You can really load down a T1 connection for testing by sending big pings across the wire.
The biggest ping packet I could send on my Win2K pro machine was 17799 so it was:
ping -t -l 17799 [ip dest]

I opened up about 20 of these in separate windows and pegged the line to near capacity.
During this I telenet to routers on both ends and watch the interface stats. For example,
show int s0

to watch for increasing input errors/etc. Cisco "Troubleshooting Serial Connections" a great document.
From this document is a section on doing extended ping testing from a Cisco router on one end in various loopback states. It shows how to use the cisco ping extended commands to send a pattern of all zeros and all ones repeated 2000 times or more.


DHCP over Cisco Router

-configure this on the interface closest to the users.
ip dhcp-server
ip helper-address

T1 Terminology::Line Parameters

AMI = Alternate mark inversion - line coding that provides 56K channels (the other 8 K is for "overhead.")
BPV = Bipolar violation
B8ZS = Bipolar eight zero substitution = framing mechanism using intentional BPV's to encode "overhead" for "clear channel" T1's.
"Clear channel coding" = 64K channels (A T1 has 24 channels) = B8ZS
ESF = Extended Super Frame, a DS-1 framing format of 24 frames. In this format, 2 Kbps are used for framing pattern sequence, 4 Kbps are used for the Facility Data Link, and the remaining 2 Kbps are used for CRC
D4 = Fourth generation digital channel bank = "Super Frame"
DS-1 = Digital signal, level 1; 1.544 megabits per second, the North American standard = T1
Choices for T1 configuration:
- ESF or D4, if EMS choose ANSI or non-ANSI
- B8ZS or AMI
-LBO="Line Build Out" - a configurable attenuator at the CSU to adjust signal to a lower level. This may be necessary for "short" connections in which the voltage may be too high.
Resources Tutorial It's main topic is repeated T1 lines, but has excellent foundational materials and is very well presented. Encoding, Encapsulation, Management


TouchGraph is an interesting tool mapping website links.


DHCP::Windows 2000::Relaying DHCP over routers

Troubleshooting a DHCP issue I came across a great discussion of DHCP in general. The discussion is about a deployment scenario for using DHCP redundantly(using the Microsoft "party line" method) over multiple subnets. Along the way it explains packet level conversation of DHCP client to DHCP relay agent to DHCP server and back and configuration of a DHCP relay agent and configuring DHCP forwarding on Cisco routers.


Security::Windows XP::Disable NETBIOS

This is a good thing to do. A while back I fixed issues on the home computer of a partner at our firm. He had cable internet and no firewall/etc. He constantly received NET SEND messages from a new breed of spammer. And his machine would have been wide open to attach to and run a dictionary attack.
I could not find a link to the article below since it came in an e-mail newsletter so I'm just pasting it's text here:

Step-by-Step Guide: How to block NetBIOS connections to Windows XP Pro

by Laura Hunter, contributor

The Windows server service, while indispensable on a file, print or application server, can create quite a headache when administering Windows workstations. Since the service advertises on well-known NetBIOS ports, it is a common attack vector for hackers attempting to gain access to the computers on your network.

There are a number of ways to block this avenue of attack, including implementing a central firewall or disabling the server service outright. On a Windows 2000 or XP Professional workstation, you can also create an IPsec filtering policy to stop NetBIOS traffic dead in its tracks. Follow the steps below to create an IPsec policy for an individual workstation or a central policy for an entire Active Directory domain or organizational unit.

Step 1: If you're working as part of a domain where you aren't the only administrator on staff, consult the necessary person or persons before changing any settings on a production machine. If someone has already set up group policies at the site, domain or organizational unit level, conflicting settings could spell trouble for your workstation -- causing anything from a minor annoyance to a complete inability to communicate on your network.

Step 2: Open the local computer policy by clicking on Start -> Run, then typing "gpedit.msc."

Step 3: Click on Computer Configuration -> Windows Settings -> Security Settings. Right-click on IP Security Policies on Local Computer and select "Create IP Security Policy."

Step 4: Click "Next" to bypass the initial welcome screen. Enter a name for the IPsec policy and click "Next" again.

Step 5: Remove the check mark next to "Activate the default response rule" and click "Next."

Step 6: Click "Add" to create a new security rule. A security rule consists of two key components: an IP filter list that tells Windows what sort of traffic to look for and a filter action that tells Windows what to do once it has found something.

Step 7: Create two IP filters. Both will filter traffic with a source IP address of "Any IP Address" and a destination of "My IP Address." IP filters monitor traffic according to a source and/or destination IP address, as well as source/destination port numbers. (An IP filter can only handle one type of traffic at a time, which is why security rules rely on filter lists.) One will filter traffic with a destination TCP port 139, the other will affect TCP destination port 445. This will cause the IP security rule to flag NetBIOS traffic directed against your workstation from any point of origin.

Step 8: Create a filter action to block the IP traffic affected by the IP filters created in Step 7.

Step 9: Right-click on the completed IPsec policy and click "Assign" to apply it to your local workstation.

You're done! No rebooting required. Your workstation will now reject any and all NetBIOS connection attempts. If you need to tweak the policy, you can create additional security rules to allow NetBIOS connections from administrative workstations. You can also de-assign the policy if it's not working the way you had intended.

About the author: Laura Hunter is's resident expert on management tools and solutions, storage management and network security. She has spent many years working in the trenches of network design, administration and user support, and she has earned a myriad of vendor certifications, including Microsoft Certified Systems Engineer, Certified Novell Engineer and Cisco Certified Network Associate. She is a senior systems analyst for a major American university.

Windows 2000::Disk Management

There is a good, concise, discussion of Windows 2000 disk manager at:
Dynamic disks, extending volumes on dynamic disks, mounting a volume to an empty folder on another NTFS volume are all new with Win2K and well explained in the above MSDN article.


Stupid Browser Tricks

What will your browser tell web servers about you? Try this one: That is troubling.

Check out all the rest at:


Life in the internet age

Having is marvelous.
Today I was able to confirm that a part number was actually the cable I wanted.
Not long ago I'd have to find a catalog and hope it had a detailed picture (and none of the catalogs I ever used back in the "paper" days had useful pictures.

T1 Crossover Cable

It's nice to setup routers in advance with CSU's back to back to have everything configured and working before the circuits are installed and routers shipped out to remote site.
I've done this with RJ45 T1 crossover cable:


Another vendor choice:


"Ted's tools" at
has some good utilities.
I like the MXLookup that will lookup MX records from several DNS servers.


Network Security::Spam

I only skimmed this article, I want to go back and read it more thoroughly later. But so far it really creeps me out.
It is a "black hat" article about back door communications. The proposition is using e-mail communication disguised as spam to relay information between a back door creator and it's creator.


Exchange Data Archive Tools

There are HSM/Exchange archive tools available from at least 3 vendors: Veritas, CommVault, & C2C.
Rumors from others who've tested them are:
- CommVault product is better from the administrators perspective - more flexible scheduling of jobs and ability to delegate more granular permissions to the point a helpdesk role could be allowed to restore an Exchange item.
- Veritas exchange storage manager - has more cleaner client integration, not as flexible admin
- C2C Archive1 is much simpler and uses an Exchange Public Folder store on a separate server. And archival jobs are separate from backups.
Veritas has a free Exchange storage evaluation tool:


NT::Event lookup

A great new link to information about NT event log errors:


Internet Mail::MailSweeper

MailSweeper Issue
I want to ONLY receive mail from a single host and block mail from everybody else. (We are using a spam filtering service provider and I want to force all mail to go through them.) The tricky thing with MailSweeper (4.3.patched) is the banned host feature doesn't work when you try to restrict everyone then make an exception for the one that is allowed to send mail.
Fix (partly)
To work around this I removed all the relay target domains (to which relaying is allowed from any host) and setup the IP address of the desired server into the list of relay hosts. This explicitly defines what servers are allowed to relay off this server.
Additional issue
But this only worked for all my "secondary" domains. The primary domain still allowed inbound relaying to that domain from any host. Under the "SMTP Relay" policy folder the "domain object" specifies our "primary" or "default" domain. It doesn't seem to be necessary because I have used forced routes to get the mail delivered. I renamed this domain to NORELAY(domain).com and it worked. It accepted relays to the primary domain from the desired host(s) but when it generated Non-Delivery Receipts (NDR's) it showed up as from "postmaster@NORELAY(domain).com"
Getting rid of the domain object
There were no useful properties of this object and there is no way through the policy editor interface to delete it.
- close MMC
- edit MAILSWP.CFG file
- find and delete the following section:
- find and delete the following line from the [MailServer] section:

But there are still some NDR's that seem to use that address. The silly thing is there is a configuration setting where I tell it the address for the administrator = postmaster@(domain).com

ClearSwift MailSweeper is a Windows internet mail relay server product that will apply content policies/etc.
See more at:

Perl::Regex::Regular Expression Coach

I have got to get this and play with it!
RegEx Coach (
Thanks nf0 (
If it's description is close to how it really works this will be a marvelous way to hone my understanding of regular expressions. The better we understand their in's and out's the more likely we will be to have on the tip of our tongue an elegant solution to a complicated problem.


Collaberation tools

Thanks to MErana for these links:
Free Request Tracker:
Free Forum:
Both of these cheap/free tools look very useful. Hopefully we will hear more about how they turn out in practice at



Stuff everybody needs:
Handheld labeler:
and 1/4" black on white cartridges: TZ211
- label cables, data center devices, etc.

a few of these:
- Make adapters from DB15 to RJ45 - or make a T1 crossover for use with *any* RJ45 CAT5 cable (don't have to build a T1 crossover RJ45 cable...)

General PC Toolkit:

Compact Cable Tester:
CTK-PTCT 10 Base-T Network Cable Tester

rechargable flashlights

Marker boards

Digital Camera

AntiSpam Service Providers

The Postini site has interesting statistics. Something like 65-70% e-mail received by their clients is blocked as spam!

Internet e-mail is fast becoming a big joke and a total waste of time for corporate users.

T1::Wiring::DB15 to RJ45 adapter for T1


CSU(DB15 Male)Router (RJ45 Female)
SignalPin # to Pin #Signal
Send +15Send +
Send -94Send -
Receive +32Receive +
Receive -111Receive -

Thing to make it:



List of P2P stuff to block:

Service Target network serversTarget ports
Kazaa213.248.112.0/24TCP 1214
Morpheus206.142.53.0/24TCP 1214
E-Donkey?TCP 4661 - 4665
Audiogalaxy64.245.58.0/23TCP 21, TCP 9000
WinMX?TCP 6699

See also, great info at:


WinMX - yet another pain in the butt peer to peer file sharing program.
By default it uses: TCP 6699 and UDP 6257
But unfortunately the client has options to change these ports.


Career::Fight to Survive

"Fight To Survive" from Fast Company Magazine
S U R V I V E =
S Size up the situation.
U Use all your senses.
R Remember where you are.
V Vanquish fear and panic.
I Improvise.
V Value living.
A Act like the natives.
L Live by your wits.

This is a great article on it's own about the training of special operations soldiers. The correlation the reader is supposed to draw is that of surviving in your career overall and/or surviving in the corporate environment in tough times.
There wasn't much in the way of reader commentary in the talkback forum. I would like to hear about other peoples application of this article to surviving in the business world.
Rule 1: Only the Mentally Strong Survive
I believe the biggest one is Attitude. "If you have a guy with all the survival training in the world and a negative attitude and another guy who doesn't have a clue but has a positive attitude, I guarantee you that the one with the positive attitude is coming out of the woods alive. Simple as that" - Gordon Smith Special Forces instructor. I've also heard someone say "90% of life is showing up, dressed and ready to play ball, and the other 10% is attitude." Of course this philosophy leaves some gaps - I'd put a bigger than 0% emphasis on training & execution - but the principle is the same. The training and execution also depend 100% on attitude as a prerequisite.
Rule 2: You can Condition Yourself to Stress
I found this section interesting and entertaining. However, in business, what stress are we supposed to put ourselves under to prepare for survival? What is our "possom crawling with maggots" that we have to make ourselves hungry enough to eat? Often mine is dealing with confrontation and adversity on the people side of the job. But I don't think my "training" ought to be jumping into the most hostile and confrontational circumstances I can find.... I do take this as motivation, though, to ease into more people situations I would have otherwise avoided to build up my Mental Strength in that area.
Rule 3: Keep your priorities straight (and simple.)
I believe this is true, however I believe it is much more blurred in business. Different people at various levels of management are interacting with different departments and most of the time they all have a different idea about what priorities are. This is due to a variety of reasons. Often politics and back channel relationships drastically affect the priority things take. In a "fight to survive" situation a business needs clear goals and priorities communicated to all levels of management. And they need a measurement and feedback system to know how long it is until they are dead -- or even if they already are dead! (and just twitching until all neural activity(cash/capitol) is spent .)
Rule 4: Survival takes practice
I think they covered this is #1. But again I also strain to apply it to a business situation. What is our fire that we take for granted but cannot live without and how can we practice it? What tools/materials can we prepare ourselves with for when the time comes for more primitive methods of "lighting the fire?"
Rule 5: You can live off the land
But it ain't always fun. And "before you are deployed to an area, you need to study the flora and fauna there." What's the nasty stuff that is found most everywhere that we can keep the business going on? I believe this speaks to #1-attitude and not being "too good" to dig in there and eat bugs you dig up under a log, but lerking in here is a good story or case study that is missing to *really* apply this to business. And, in business, we pick where we are deployed. Today it just happens there aren't too many choices out there. One of these days the economy will heat back up and there will be a serious bunch of IT (and other) people finding a new "land to live off of." Because they have been screwed by their present companies with economic cutbacks as the excuse. There *are* survival times for every business. But many of us swim in a pool of sharks that will take economic news and twist it into justification to pound staff into dust and run the infrastructure to ground -- and get a bigger bonus for "tightening their belts and meeting budget." To thrive, companies need to be diversified and well capitalized to take advantage of slowdowns and turn them into future growth. When operations is somewhat quiet is the best time to study where you want to go and make investements to get you there--positioned ahead of the "just barely survivers" when things pick back up. In an upturn, those companies with improved processes, modernized infrastructures, and motiviated staff will be taking the best talent away from their competition along with a bigger share of the market. Waiting for an upturn to make capital improvements at the same time as pushing to increase production with a team of people you've demoralized the past 3 years isn't going to cut it. Your old crappy plant run by the people you've beat down yet can't find greener pastures won't be good enough for first place, or even second place.
Rule 6: Survival Takes Imagination
This is definitely true. Many people stuck in the ruts of our corporate world stick themselves there by complaining that things don't go as planned, are not planned well enough, or they weren't given warning or some other excuse they can't or won't do their job. Some issues are indeed roadblocks out of the control of the workers' and require someone in authority to act to remove it. But in more situations than we admit, a creative, intelligent person could dig in and accomplish a lot even in the face of obstacles.
Another point here is that when you are in "survival mode" (which is often all the time in new companies, in IT organizations, Sales/customer service organizations, etc) there is a "good enough" point to planning and preparation past which it is a waste of time. By the end 1/2 of the plan is out the window due to either scope creep or other issues that crop up requiring imaginitive workaround. Being able to go with the flow and improvise is very important in IT and becoming more important for business people in general.
Rule 7: Survival is the Norm
That is really the truth. Yeah, "Get over it. Life has been hard for everybody for all eternity -- your mamma isn't going to bail you out." Dig in for the long haul. I thought the quote was inspiring "Ask McKay how long he could survive if he walked into the woods right now without supplies, and he doesn't hesitate: 'the rest of my life,' he says." (the cynical side of me says, "Yeah, that's true for us all, but how long will your life be compared with anybody else...") But seriously, it would be nice to have confidence to say that whatever comes, I can make my company survive - on bugs and boiled creek water if I have to.


Windows Installer

Tool to modify MSI files.
Darwin says to watch for the next version:
Article from Desktop Engineer's Junk Drawer
He has a TON of great stuff about Windows Installer and other topics.

Exchange::Moving users between servers

From Google Groups:

From: Eric Cooper
Subject: Re: Moving mailbox using Exchange Administrator's Tools--->Move Mailbox
Date: 2001-07-25 15:03:57 PST

if you are moving a large amount of data or if the
Exchange servers are connected across a WAN link. Perform the move from the
destination server console. It will occur much more quickly. At the very
least try to avoid using a separate workstation to do the moves, as this
will really slow things down. My 2 cents from experience.

Exchange 2000::Moving Server

From Google Groups:
Subject: Tested and True - Move Server Method for Exchange 2000
From: "David Nandell, MCP"

For anyone who needs to move an Exchange 2000 server from one hardware
server to a new one, here is how I did it. Minimal problems (mostly
Anti-Virus software issues) and everything works just fine.

Move Server Method for Exchange 2000
*Environment: 2 Dell PowerEdge servers, both running Windows 2000 Sp1, DNS,
and Active Directory.

1. Make sure all conditions for installing Exchange 2000 on the new server are met:
-Active Directory is functioning properly.

-DNS functioning properly.

-Windows 2000 Service Pack 1 installed.

2. Install Active Directory Connector from the Exchange 2000 CD onto the new server. I had un-installed ADC after upgrading to Exchange 2000 as it is not needed afterwards. However, to install Exchange 2000 YOU MUST HAVE ADC INSTALLED! You do not need to create any connector agreements however. Once you are done with the initial install, you can un-install ADC again.

3. Install Exchange 2000.

4. After the installation successfully completes make sure all services are running in the Services MMC.
Check System Manager - Administrative Groups - Group - Servers
to see if your new server has been added.

5. Reboot.

6. Install hotfix roll-ups provided in Q291222.

7. Reboot.

8. Open System Manager - Administrative Groups - Group - Servers and make sure Properties are the same for both servers. Make sure all the settings for Protocols, Mailbox Store and Public Folder Store are the same on both servers.

9. Open System Manager - Recipients - Recipient Update Service. On the right hand side of the MMC window Right click on the object for your server and choose Properties. Change the server to the new server. Right click on the service again and choose Rebuild. You need to do this in order to add new users.

10. Open System Manager - Administrative Groups - Group - Folders - Public Folders and:
-Right click on ALL of your Public Folders and choose Properties. Go to Replication and add the new server as a replication
-Right click on Public Folders and choose View System Folders and do the same with ALL System Folders. Make sure they are replicated to the new server.

**I waited 24 hours for things to replicate.

11. Open System Manager - Tools - Monitoring and Status and make sure your notifications and status monitors are the same for both servers.

12. Unless you have an Exchange 5.5 server, don't worry about Routing Groups. Exchange 2000 Native-mode relies on SMTP virtual server for mail transport.

-Shut down ANY AND ALL anti-virus software on BOTH servers! This will interfere with Active Directories Move Mailbox wizard. You will get 80004005 errors moving mailboxes!

14. To move mailboxes:
-Open Active Directory Users and Computers.
-Right click on a User object and choose Exchange Tasks
-Choose Move Mailbox - NOT DELETE MAILBOX! and then Next
-Choose the new Mailbox store you want to move the mailbox to
and choose Next.
-The Wizard will complete the mailbox move.
-When you are all done moving mailboxes run Cleanup Agent on
both Mailbox stores. Once replication is complete Users will be able to
access their mailboxes.

15. Restart your antivirus software.

16. Make sure your users can connect to the new server. If they are having trouble:

-Go to their machine and Start - Settings - Control Panel -Mail
and make sure the Exchange settings properties are pointing to the new server. I have found that removing the Exchange Server and then re-adding it improves performance

17. You are done. You can delete the old server from the Administrative
Group and shut it down.


Video Conferencing::Bridging IP & ISDN

Today somebody asked us if they can link up with our video conferencing unit(Tandem ISDN video conferencing system) from home with their webcam. If you believe it, we are going to have to go to great lengths to convince them they can't do it....
In the vein of video conferencing: has a great list of Video Conferencing manufacturers.
RadVision has a decent product line, I hear. They have a component based offering that can size a solution to exact ports/etc to reduce cost for midsized businesses.
RidgeWay has a product to "fix" NAT and other firewall issues:

Citrix::Metaframe::Terminal Services License

Microsoft Terminal Server is licensed per seat which means every computer you access a TS from the internet burns a license. There's some "timeout" that allows a license to be released after a period of time. There is also some over the internet MS Licensing service changes that will release it.
To skip this for a temporary fix, create a .REG file from the info below and merge it on the client machine:

Windows Registry Editor Version 5.00


Citrix XP Info

I think I got this from the Citrix KB.
XP Technical Information

Misc Registry Tips

I'm cleaning house and found this great PDF of registry tips. I'm not sure where I got it and it isn't "signed" by it's author. If it's yours, e-mail me and I'll gladly delete it or give you credit.

Registry Tips

Exchange 2000::Allow rule generated messages to internet

To permit rule generated and Out of Office messages to get to the internet:
Open Exchange System Manager and go to:
Global Settings > Internet Message Format
Click "Default" item in the right pane and go to properties
Check "Allow out of office responses" and, if desired, check "allow automatic forward"

Exchange 2000::Disclaimer

How do I make a disclaimer at the end of each e-mail message?
I believe there was some registry entry that could be created that did this in Exchange 5.5.
We do it with a 3rd party internet mail server that all our mail passes through.
This product at will do this for you for Windows 2000. $150 per server.
Another product is "From $139..."



Perl script to test for open relay:
A very interesting resource to test for open relay using serveral methods yourself without queuing a relay test someplace like:


Cisco::Router::Clear counters

why is it so difficult for me to remember?
clear counters

answer Yes and it resets the interface statistics.

Citrix::Outlook::PDA's::T1 Communication:: and Life In General

A glimpse into my life.
We use Citrix MetaFrame machines to serve our remote offices. This saves the money and administrative pain of remotely administering application servers, domain controllers, etc for an office of 15 people. We have some issues. Most surrounding large print jobs. But it was a decent plan with tradeoffs supposedly made clear up front and users were "trained" how to act for this all to work out fine over a T1 connection. I am told after the users logon they open a Citrix session that is maximized on their screen and they were trained not to work outside of Citrix. Now, 18 months into it people forget (or don't care) what they swore to and want to fit a round peg into a square hole.
User Issue
Below is an e-mail thread quoting an IT manager, me, and a user. All of us will go nameless to hide the shameful stupidity that is their lives and is becoming mine.
From: [IT Manager]
To: [Me]
CC: [about 10 other people, 2 of which might actually care or be remotely involved....]
Mr. _________ has reported the following issue.
He has a laptop and opens his Outlook on the local PC. (For
a reason that I can not remember, I believe we instruction
the [remote] office LAPTOP users to open e-mail on
their local PC.)

He is the local counsel for [blah blah] in the [blah blah]
case, so he is getting e-mails with 2MB to 5MB attachments.
It is taking a long time (35 seconds in above e-mail, up to a
minute on others) to open just the e-mail, not the attachment.

When he opens the e-mail at home (or in the office) on
Citrix, it opens immediately.

Is there a setting on his e-mail system that would improve
this response time? Is there a cause for this slowness.

[He] also had an e-mail in his inbox that showed as being 5MB.
When he forwarded that same e-mail to me the size showed as
only 2MB. This defies my explanation.

From: [me]
To: [them all]
1. Regarding the size difference you observed:
- Exchange 2000 accepts and stores internet messages in "internet mail format" to save time converting the message to "microsoft mail format." Internal messages are created in and stored in "microsoft mail format" so when you forwarded the message it was converted from one format to the other and compressed some as a result.
- I sent test messages to myself from internet accounts and recreated a similar size reduction when I forwarded the message to an Outlook/Exchange recipient.

2. Regarding the speed of opening an attachment:
- When opening an e-mail the entire message (2MB or 5MB) must be transferred to the machine where it's being opened. So regardless of whether you open the attachment or not, the whole thing, including the attachment is copied to your computer.
- So when a message is opened from Outlook running on the laptop across the interoffice connection the whole thing must be transferred over the slower link. At the best possible connection speed sharing the connection with noobody else 5MB will take about 54 seconds to be transferred. At an average connection rate (about 70% of max) 5MB would take about 76 seconds to transfer.
- Also during the time Outlook is downloading this message and it's attachment across the network link performance is degraded. The larger the file, the longer the download time, and the more noticable this diminished performance will be to the other users. This drop in performance would also be apparent if laptop users forget and use the laptop window to browse the internet, download internet documents, etc. Using the Citrix server to perform these operations reduces the amount of information that must be transferred over the network link. In the case of the Outlook message, the Citrix machine opens the message and only shows you it's screen, it doesn't have to transfer the entire message file over the network link to the laptop.
- I was not aware laptop users were instructed to use Outlook from their laptop computer intstead of Citrix. If anyone uses offline folders or is synchronizing Palm pilot, that is possibly the reason for this recommendation - because those operations require transferring the data to the laptop. However, once these synchronizations have completed, it is not necessary to continue working in Outlook off the laptop the entire day - only at the beginning or end of the day to synchronize. I realize that can be confusing and also easy to forget.

User Response:
Thank you for the response and I think I understand. I'll try not to shoot the messenger, but now I remember why I didn't like this rigged-up system for the satellite offices at the inception of the conversion. If I'm sitting at my desk working on the Citrix screen and somebody calls to schedule a conference call for next Thursday and I put it in on my calendar and then an hour later I leave to go to a meeting at another firm and they ask if I'm available next Thursday for another meeting, unless I remembered to go back to my blue screen and sync my PDA (which now automatically syncs to Outlook whenever I enter a change on my desktop), I run the risk of double booking meetings. You may think this is a remote possibility, but I'm here to tell you that it's not.

For a firm our size with our resources, I can't believe we can't come up with a better plan.

This brings out a lot of issues. One is that no matter what "management of expectations" you do, it wears off over time. And another is the total disconnect in how things, big things, run in a medium size company. One group of penny-pinchers runs the up front part of a project and then dumps it off on people who do the real work. Somehow everybody agrees to it all in the beginning. Then people start complaining about "the level of support" they get. Forget that my "level of support" is greatly dependant on how the big picture was conceived and implemented. Then people start asking why this and why that and how much would be if we just . . . . . .
And on it goes until people just start whining behind our backs and drop it or we spend the money to do it right.
On the technology front, it would be nice if I had time to research Microsoft Mobile Information Server and get a straight answer on when it will support "pushing" updates to wireless clients. (I was told it would by a MS rep.) And if this guy would get a Blackberry I think we can get him setup so his calendar syncs wirelessly, but not his contacts. But this guy has had about 8 different PDA's in the past 20 months so he's probably got some whiner reason not to use it. And Good Technology has some decent looking devices that will wirelessly sync everything.
Another thought would be to block traffic on the routers to *only* allow them to get to Citrix. This would undoubtedly lead to a lot of other apps being blocked that nobody else knows are going on.
This also brings to the front of my mind that when users (or worse management) asks a direct question like "would it work if..." or "how much would it cost to _____" they don't *really* want the truth. Every one of these questions I get 10 times a day really requires a day of consulting (and possibly therapy) to get to the true need behind the question. But the few times that happens they don't like the answer. They a) don't believe you and move on to another sucker b) can't make it fit into a scenario in which they can resolve a big problem and take credit so they drop it (costs too much, requires actually committing to a list of desired deliverables, and/or they can find a bigger sucker to allow a piddly question to scope creep into a nightmare and get blamed for failure)
I've got to work on my mind reading skills.


Windows 2000::Startup Items

Help! Something is autostarting from somewhere an I can't get rid of it.

- If you are running Win98 you can run MSCONFIG to view and disable items configured to startup in various places.
- If you are running Win95 or NT you can download a utility to do the same thing at: (I have used this utility on Win2000 and it works okay.)
WinXP has a new version of MSCONFIG at and it works on Windows 2000 as well.

Happy hunting.



Reality set in as I reviewed MailKeeper. However I still like the product.
It's a simple idea which is why it's so cheap - and it's still not the silver bullet solution either.
It replicates the mailbox folders as file system folders and saves the messages out into them in either text, html, or outlook message file format. Explorer or Outlook can be used to browse this folder structure and read the items.
I used it to save a copy of the public folder structure to a directory on my C: drive.
- It is a slow process. All combined there was 153MB in the public folders and it took 2 hrs, 18 minutes to complete the process.
- Outlook reported the size of these items to be 33626 KB, so in this case there was significant "uncompression" of data. (This might be an extreme case because of all the calendar items, which I don't recommend we export anyway.) But to be sure someone exporting stuff from folders that are say 300MB should probably have 450-500MB free on the destination volume when starting the process.
- There were a lot of calendar folders in my public folders and it is *not* an acceptable solution to save a calendar folder (saves all the appts as messages.)
- If there were custom views stored in the folders exported they will likely not be saved in the file system folder and messages saved into outlook file format would be opened with the default form/view.
- To point Outlook to the file system folder requires using the Outlook Bar which we have turned off. This is not a technical issue, but a user support/training issue. This was the recommended method provided in the FAQ. I spent a short time fiddling in Outlook and still could find no other way to create a shortcut to a file system folder on the Outlook toolbar(s.)
- Users *still* could not do this themselves - it would require someone with their password or access to their mailbox to export all the stuff and burn it to CD.


Outlook::Archive::Readable CDROM Archive

Wickett Mailkeeper


Earth shattering for us if it works. I'm getting soooo sick of dealing with Exchange server space problems.
If only our users could run this thing for themselves it would be perfect. (no handholding required.)

I'm off to download the eval.


Perl::Compile PL to EXE

I've often seen a great application for a perl script but then dreaded having to implement and maintain a perl build on all my workstations or wherever I want to deploy my great script.
Check out PAR
This really works and is FREE. As opposed to Perl2EXE and PerlApp that will come up with your google search for perl compilers.

Exchange::Data Recovery

An interesting product to investigate. Search & restore items from an offline mailbox store - directly from the .EDB file!
I have never used it but it might be worth the $1500 even just to try it.
OnTrack PowerControls
Please e-mail me if you have any experience with this product that you are willing to share.


HTML Character Entities

Helpful to "encode" text to obscure links and e-mail addresses.
See for a quick way to encode.


Character Entities for ISO Latin-1

<!-- (C) International Organization for Standardization 1986
Permission to copy in any form is granted for use with
conforming SGML systems and applications as defined in
ISO 8879, provided this notice is included in all copies.
This has been extended for use with HTML to cover the full
set of codes in the range 160-255 decimal.
<!-- Character entity set. Typical invocation:
"ISO 8879-1986//ENTITIES Added Latin 1//EN//HTML">
<!ENTITY nbsp CDATA "&#160;" -- no-break space -->
<!ENTITY iexcl CDATA "&#161;" -- inverted exclamation mark -->
<!ENTITY cent CDATA "&#162;" -- cent sign -->
<!ENTITY pound CDATA "&#163;" -- pound sterling sign -->
<!ENTITY curren CDATA "&#164;" -- general currency sign -->
<!ENTITY yen CDATA "&#165;" -- yen sign -->
<!ENTITY brvbar CDATA "&#166;" -- broken (vertical) bar -->
<!ENTITY sect CDATA "&#167;" -- section sign -->
<!ENTITY uml CDATA "&#168;" -- umlaut (dieresis) -->
<!ENTITY copy CDATA "&#169;" -- copyright sign -->
<!ENTITY ordf CDATA "&#170;" -- ordinal indicator, feminine -->
<!ENTITY laquo CDATA "&#171;" -- angle quotation mark, left -->
<!ENTITY not CDATA "&#172;" -- not sign -->
<!ENTITY shy CDATA "&#173;" -- soft hyphen -->
<!ENTITY reg CDATA "&#174;" -- registered sign -->
<!ENTITY macr CDATA "&#175;" -- macron -->
<!ENTITY deg CDATA "&#176;" -- degree sign -->
<!ENTITY plusmn CDATA "&#177;" -- plus-or-minus sign -->
<!ENTITY sup2 CDATA "&#178;" -- superscript two -->
<!ENTITY sup3 CDATA "&#179;" -- superscript three -->
<!ENTITY acute CDATA "&#180;" -- acute accent -->
<!ENTITY micro CDATA "&#181;" -- micro sign -->
<!ENTITY para CDATA "&#182;" -- pilcrow (paragraph sign) -->
<!ENTITY middot CDATA "&#183;" -- middle dot -->
<!ENTITY cedil CDATA "&#184;" -- cedilla -->
<!ENTITY sup1 CDATA "&#185;" -- superscript one -->
<!ENTITY ordm CDATA "&#186;" -- ordinal indicator, masculine -->
<!ENTITY raquo CDATA "&#187;" -- angle quotation mark, right -->
<!ENTITY frac14 CDATA "&#188;" -- fraction one-quarter -->
<!ENTITY frac12 CDATA "&#189;" -- fraction one-half -->
<!ENTITY frac34 CDATA "&#190;" -- fraction three-quarters -->
<!ENTITY iquest CDATA "&#191;" -- inverted question mark -->
<!ENTITY Agrave CDATA "&#192;" -- capital A, grave accent -->
<!ENTITY Aacute CDATA "&#193;" -- capital A, acute accent -->
<!ENTITY Acirc CDATA "&#194;" -- capital A, circumflex accent -->
<!ENTITY Atilde CDATA "&#195;" -- capital A, tilde -->
<!ENTITY Auml CDATA "&#196;" -- capital A, dieresis or umlaut mark -->
<!ENTITY Aring CDATA "&#197;" -- capital A, ring -->
<!ENTITY AElig CDATA "&#198;" -- capital AE diphthong (ligature) -->
<!ENTITY Ccedil CDATA "&#199;" -- capital C, cedilla -->
<!ENTITY Egrave CDATA "&#200;" -- capital E, grave accent -->
<!ENTITY Eacute CDATA "&#201;" -- capital E, acute accent -->
<!ENTITY Ecirc CDATA "&#202;" -- capital E, circumflex accent -->
<!ENTITY Euml CDATA "&#203;" -- capital E, dieresis or umlaut mark -->
<!ENTITY Igrave CDATA "&#204;" -- capital I, grave accent -->
<!ENTITY Iacute CDATA "&#205;" -- capital I, acute accent -->
<!ENTITY Icirc CDATA "&#206;" -- capital I, circumflex accent -->
<!ENTITY Iuml CDATA "&#207;" -- capital I, dieresis or umlaut mark -->
<!ENTITY ETH CDATA "&#208;" -- capital Eth, Icelandic -->
<!ENTITY Ntilde CDATA "&#209;" -- capital N, tilde -->
<!ENTITY Ograve CDATA "&#210;" -- capital O, grave accent -->
<!ENTITY Oacute CDATA "&#211;" -- capital O, acute accent -->
<!ENTITY Ocirc CDATA "&#212;" -- capital O, circumflex accent -->
<!ENTITY Otilde CDATA "&#213;" -- capital O, tilde -->
<!ENTITY Ouml CDATA "&#214;" -- capital O, dieresis or umlaut mark -->
<!ENTITY times CDATA "&#215;" -- multiply sign -->
<!ENTITY Oslash CDATA "&#216;" -- capital O, slash -->
<!ENTITY Ugrave CDATA "&#217;" -- capital U, grave accent -->
<!ENTITY Uacute CDATA "&#218;" -- capital U, acute accent -->
<!ENTITY Ucirc CDATA "&#219;" -- capital U, circumflex accent -->
<!ENTITY Uuml CDATA "&#220;" -- capital U, dieresis or umlaut mark -->
<!ENTITY Yacute CDATA "&#221;" -- capital Y, acute accent -->
<!ENTITY THORN CDATA "&#222;" -- capital THORN, Icelandic -->
<!ENTITY szlig CDATA "&#223;" -- small sharp s, German (sz ligature) -->
<!ENTITY agrave CDATA "&#224;" -- small a, grave accent -->
<!ENTITY aacute CDATA "&#225;" -- small a, acute accent -->
<!ENTITY acirc CDATA "&#226;" -- small a, circumflex accent -->
<!ENTITY atilde CDATA "&#227;" -- small a, tilde -->
<!ENTITY auml CDATA "&#228;" -- small a, dieresis or umlaut mark -->
<!ENTITY aring CDATA "&#229;" -- small a, ring -->
<!ENTITY aelig CDATA "&#230;" -- small ae diphthong (ligature) -->
<!ENTITY ccedil CDATA "&#231;" -- small c, cedilla -->
<!ENTITY egrave CDATA "&#232;" -- small e, grave accent -->
<!ENTITY eacute CDATA "&#233;" -- small e, acute accent -->
<!ENTITY ecirc CDATA "&#234;" -- small e, circumflex accent -->
<!ENTITY euml CDATA "&#235;" -- small e, dieresis or umlaut mark -->
<!ENTITY igrave CDATA "&#236;" -- small i, grave accent -->
<!ENTITY iacute CDATA "&#237;" -- small i, acute accent -->
<!ENTITY icirc CDATA "&#238;" -- small i, circumflex accent -->
<!ENTITY iuml CDATA "&#239;" -- small i, dieresis or umlaut mark -->
<!ENTITY eth CDATA "&#240;" -- small eth, Icelandic -->
<!ENTITY ntilde CDATA "&#241;" -- small n, tilde -->
<!ENTITY ograve CDATA "&#242;" -- small o, grave accent -->
<!ENTITY oacute CDATA "&#243;" -- small o, acute accent -->
<!ENTITY ocirc CDATA "&#244;" -- small o, circumflex accent -->
<!ENTITY otilde CDATA "&#245;" -- small o, tilde -->
<!ENTITY ouml CDATA "&#246;" -- small o, dieresis or umlaut mark -->
<!ENTITY divide CDATA "&#247;" -- divide sign -->
<!ENTITY oslash CDATA "&#248;" -- small o, slash -->
<!ENTITY ugrave CDATA "&#249;" -- small u, grave accent -->
<!ENTITY uacute CDATA "&#250;" -- small u, acute accent -->
<!ENTITY ucirc CDATA "&#251;" -- small u, circumflex accent -->
<!ENTITY uuml CDATA "&#252;" -- small u, dieresis or umlaut mark -->
<!ENTITY yacute CDATA "&#253;" -- small y, acute accent -->
<!ENTITY thorn CDATA "&#254;" -- small thorn, Icelandic -->
<!ENTITY yuml CDATA "&#255;" -- small y, dieresis or umlaut mark -->

Table of printable Latin-1 Character codes