It’s Only Weird if it Doesn’t Work




Meet Timmy. Timmy is a pitcher for the San Francisco Giants. I got this Tim Lincecum bobble head at the August 27th, 2011 fan appreciation day. Timmy sits on my desk at home.






Meet Carl. Carl is a zombie. My kids adopted Carl for me for Christmas in 2011.



The Giants won the World Series in 2010, but their 2011 season wasn’t so great. They didn’t even make the playoffs.  So when I got Carl for Christmas, it seemed only natural to have him ride Timmy to do better in 2012.






Well, that didn’t work out so well for Timmy – his ERA for the 2012 season was 5.18 (his career highest) and his only post-season start in NLCS Game 4 earned him an ERA of 5.40. During that game I took Carl off Timmy’s back and stood him in front of the TV, staring him down. Obviously, it did not work.






So I figured that maybe Carl was too intimidating for Timmy. I put Carl in a drawer. The Giants then took the NLCS and, at the time of this writing, are poised to sweep the Detroit Tigers in the 2012 World Series.



Carl is still in the drawer.  GO GIANTS!!!


How to Configure Public and Private Computer Settings in OWA 2013

The new “streamlined user interface” in Exchange 2013 no longer allows users to select whether they are using a public or private computer to access Outlook Web App.  By default, OWA 2013 assumes you are using a private computer and uses the default timeout value of 8 hours of user inactivity before requiring the user to sign in again.



 


The LogonPagePublicPrivateSelectionEnabled parameter of the Set-OWAVirtualDirectory cmdlet specifies whether the Outlook Web App sign-in page includes the private computer or public computer sign-in option.  The following example will enable the Private Computer checkbox on server EX1, as shown below:



Set-OwaVirtualDirectory "ex1\owa*" -LogonPagePublicPrivateSelectionEnabled $True



You need to reset IIS after configuring the OwaVirtualDirectory using the IISRESET command:
iisreset /noforce /timeout:120

The default cookie timeout value in OWA for Private Computers is 8 hours of user inactivity.  The default timeout value for Public Computers is 15 minutes of user inactivity.  If you wish to change these values, use one or both of the following commands:
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name PrivateTimeout -Value <amount of time> -Type DWORD
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name PublicTimeout -Value <amount of time> -Type DWORD
The values above are specified in minutes.  You’ll need to reset IIS after changing these values.
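The whole procedure as one script, with a read-back check before IIS is restarted.  This is an added example, not code from the original post; the server name EX1, the virtual directory identity and the timeout values are assumptions, and it expects to run in the Exchange Management Shell on that server.

```powershell
# Added example (not from the original post): enable the public/private
# choice on the OWA sign-in page, set both inactivity timeouts, then read
# everything back so the change is verified before IIS is restarted.
$Server      = 'EX1'                                   # assumed server name
$VdirId      = "$Server\owa (Default Web Site)"        # assumed vdir identity
$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
$PublicMins  = 15      # idle minutes before a Public Computer session ends
$PrivateMins = 480     # idle minutes before a Private Computer session ends (8 hours)

# A shared (public) computer must always time out sooner than a private one.
if ($PublicMins -ge $PrivateMins) {
    throw "PublicTimeout ($PublicMins) must be shorter than PrivateTimeout ($PrivateMins)."
}

# 1. Show the Private Computer checkbox on the sign-in page.
Set-OwaVirtualDirectory -Identity $VdirId -LogonPagePublicPrivateSelectionEnabled $true

# 2. Both timeouts are DWORD values holding minutes. Set-ItemProperty creates
#    the value if it does not exist yet (neither exists by default).
Set-ItemProperty -Path $RegPath -Name PublicTimeout  -Value $PublicMins  -Type DWORD
Set-ItemProperty -Path $RegPath -Name PrivateTimeout -Value $PrivateMins -Type DWORD

# 3. Read back and compare with what was intended.
$vdir = Get-OwaVirtualDirectory -Identity $VdirId
$reg  = Get-ItemProperty -Path $RegPath
$report = New-Object PSObject -Property @{
    Server                = $Server
    SelectionEnabled      = $vdir.LogonPagePublicPrivateSelectionEnabled
    PublicTimeoutMinutes  = $reg.PublicTimeout
    PrivateTimeoutMinutes = $reg.PrivateTimeout
}
$report | Format-List Server, SelectionEnabled, PublicTimeoutMinutes, PrivateTimeoutMinutes

$ok = ($report.SelectionEnabled -eq $true) -and ($report.PublicTimeoutMinutes -eq $PublicMins) -and ($report.PrivateTimeoutMinutes -eq $PrivateMins)
if (-not $ok) { throw 'Settings did not apply as expected; IIS was not restarted.' }

# 4. Nothing takes effect until IIS is restarted.
iisreset /noforce /timeout:120
```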

RPC Client Encryption in Exchange 2013

Exchange 2013 enables RPC client encryption by default (again). 



I say “again” because it was an option in Exchange 2007 and became the default setting in Exchange 2010 RTM.  This caused a fair amount of trouble for organizations using Outlook 2003, since MAPI encryption was disabled in Outlook 2003 by default. 



Symptoms of this problem include the following error messages:

  • Cannot start Microsoft Office Outlook. Unable to open the Office window. The set of folders could not be opened.
  • Unable to open your default e-mail folders. The information store could not be opened.

If your users are using Cached Exchange Mode, Outlook won’t display an error, but will start in disconnected mode.



It was easy to work around this issue by either disabling RPC encryption on the Client Access Servers or, better yet, enabling encryption in Outlook 2003 via Group Policy.  Outlook 2007 and later have encryption enabled by default.



Encryption is enabled by default in Outlook 2013

For some reason, the Exchange product team reversed the decision to require RPC encryption in Exchange 2010 SP1, and that remained the case for the rest of Exchange 2010.  I suspect encryption is enabled by default again because Exchange 2013 does not support Outlook 2003 or earlier.

 

If your organization has upgraded to Outlook 2007/2010/2013, you’ll probably want to remove or reconfigure Group Policy to enable encryption in Outlook and re-enable it on your CAS servers, if needed. 



The cmdlet to check RPC MAPI encryption on your CAS servers is:



Get-ClientAccessServer | Get-RPCClientAccess | fl server,enc*



And the cmdlet to enable RPC MAPI encryption on all your CAS servers is:



Get-ClientAccessServer | Set-RPCClientAccess -EncryptionRequired $True



When RPC encryption is enabled, the Exchange Remote Connectivity Analyzer (ExRCA) will report a harmless warning that the Name Service Provider Interface (NSPI) bind operation failed due to the encryption requirement.  NspiBind then tries again with encryption enabled and succeeds.  This is expected behavior.
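An audit-then-enable version of the two cmdlets above, added here as an example rather than taken from the original post.  It assumes the Exchange Management Shell; the -WhatIf switch previews which servers would change without touching them.

```powershell
# Added example (not from the original post): list which CAS servers do not
# yet require RPC encryption, enable it only on those, and confirm afterwards.
param([switch]$WhatIf)

# Current state of every Client Access Server, same data as the "fl server,enc*" check.
$before = Get-ClientAccessServer | Get-RPCClientAccess |
          Select-Object Server, EncryptionRequired
$before | Format-Table -AutoSize

$todo = $before | Where-Object { -not $_.EncryptionRequired }
if (-not $todo) {
    Write-Host 'All Client Access Servers already require RPC encryption.'
    return
}

# Change only the servers that need it, so already-compliant servers are untouched.
foreach ($entry in $todo) {
    Write-Host "Requiring RPC encryption on $($entry.Server)"
    Set-RPCClientAccess -Server $entry.Server -EncryptionRequired $true -WhatIf:$WhatIf
}

# Re-read and fail loudly if any server still accepts unencrypted MAPI.
if (-not $WhatIf) {
    $still = Get-ClientAccessServer | Get-RPCClientAccess |
             Where-Object { -not $_.EncryptionRequired }
    if ($still) {
        throw "Encryption still not required on: $(($still | ForEach-Object { $_.Server }) -join ', ')"
    }
    Write-Host 'All Client Access Servers now require RPC encryption.'
}
```

Remember that clients older than Outlook 2007 without encryption enabled will fail with the errors listed earlier once this is applied, so run it in -WhatIf mode first and check the client population.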




Allowing Messages to be Sent to Recipients of Internal and External Relay Domains



If you have Exchange 2010 Edge Transport servers in your environment you probably have Recipient Filtering configured to “Block messages sent to recipients that do not exist in the directory”.



This setting configures the Edge Transport server to drop messages destined to email addresses that do not exist in Active Directory.  The messages are dropped with a “550 5.1.1 User unknown” permanent error, rather than generating a Non Deliverable Report (NDR) to the sender.  This prevents “backscatter,” a condition where your domain ends up on a real-time block list (RBL) due to issuing NDRs to accounts that never really sent the original email (spoofing).


This type of recipient blocking won’t work for Internal Relay or External Relay domains because the Edge server can’t query those domains’ directories.  This causes emails bound for these domains to fail with the “550 5.1.1 User unknown” error, above.


Internal Relay Domains and External Relay Domains are configured in the New Accepted Domain wizard on the Hub Transport server.  The accepted domain configuration then syncs to the Edge server using the EdgeSync process.





External Relay Domains route email from the Edge Transport server to the external domain’s mail server.  Internal Relay Domains route email from the Hub Transport server to the external domain’s mail server if the address does not resolve internally.  Both relay domain types use a dedicated Send Connector for the remote domain.


You can disable address book lookups for internal and external relay domains using the Set-AcceptedDomain cmdlet, as shown below:


Set-AcceptedDomain externaldomain.com -AddressBookEnabled $False


This command needs to be run from the Hub Transport server and then synced to the Edge server by the EdgeSync process.  You can force the sync immediately using the Start-EdgeSynchronization cmdlet.
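The fix above applied to every relay domain at once, followed by the forced EdgeSync and a read-back.  This is an added example, not code from the original post; it assumes the Exchange Management Shell on a Hub Transport server that has an EdgeSync subscription.

```powershell
# Added example (not from the original post): disable directory lookups on
# every Internal Relay and External Relay accepted domain so the Edge server
# stops rejecting their mail with "550 5.1.1 User unknown", then push the
# change to the Edge server and confirm it took.
$relay = Get-AcceptedDomain | Where-Object {
    $_.DomainType -eq 'InternalRelay' -or $_.DomainType -eq 'ExternalRelay'
}

if (-not $relay) {
    Write-Host 'No Internal Relay or External Relay domains are configured.'
    return
}

foreach ($d in $relay) {
    if ($d.AddressBookEnabled) {
        Write-Host "Disabling address book lookups for $($d.DomainName) ($($d.DomainType))"
        Set-AcceptedDomain -Identity $d.Identity -AddressBookEnabled $false
    } else {
        Write-Host "$($d.DomainName) already has AddressBookEnabled = False"
    }
}

# Authoritative domains must keep AddressBookEnabled = True; otherwise the
# Edge server stops dropping mail for non-existent local recipients and the
# backscatter protection described above is lost.
Get-AcceptedDomain |
    Where-Object { $_.DomainType -eq 'Authoritative' -and -not $_.AddressBookEnabled } |
    ForEach-Object { Write-Warning "Authoritative domain $($_.DomainName) has lookups disabled" }

# Push the accepted domain change to the Edge server now instead of waiting
# for the next scheduled EdgeSync run.
Start-EdgeSynchronization -ForceFullSync | Format-List

# Confirm the relay domains are now exempt from recipient lookups.
Get-AcceptedDomain | Where-Object { $_.DomainType -ne 'Authoritative' } |
    Format-Table DomainName, DomainType, AddressBookEnabled -AutoSize
```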


How to Boot Directly into Desktop with Windows Server 2012




I love Windows Server 2012, I really do.  But whose bright idea was it to boot to the “Modern UI” (aka, Metro) instead of the Windows Desktop?  There’s really no reason for this, so I wrote a PowerShell script that configures Windows Server 2012 to boot directly into the Desktop after signing in.



This is not a hack.  The script simply changes rights on an existing registry key to allow the value to be changed, and changes it.



NOTE: This script does not work on Windows 8 — It only works on Windows Server 2012.  Early beta builds of Windows 8 allowed you to toggle booting to the Desktop.  Microsoft removed those hacks in the RTM build of Windows 8, sorry.  :(



You may also want to read my article, How to Enable Autologon for Windows Server 2008 Member Servers and Windows 7 Member Workstations.  Those procedures also work for Windows Server 2012 and Windows 8.



Copy and paste the following text into Notepad and save it as BootToDesktop.ps1 on your Windows Server 2012 computer:



#Take Ownership of the "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server" registry key
$definition = @"
using System;
using System.Runtime.InteropServices;
namespace Win32Api
{
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@
Add-Type -TypeDefinition $definition -PassThru
#Privilege 9 is SeTakeOwnershipPrivilege; enabling it for the process lets Administrators take ownership of the TrustedInstaller-owned key
$bEnabled = $false
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$key.SetAccessControl($acl)

#Give Full Control of the key to BUILTIN\Administrators
$acl = Get-Acl "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("BUILTIN\Administrators","FullControl","Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

#Set the value of ClientExperienceEnabled to 0 to enable boot to Desktop
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server" -Name ClientExperienceEnabled -Value 0



Optionally, you can download the BootToDesktop.ps1 script here.



Now simply run the BootToDesktop.ps1 script from an elevated Windows PowerShell prompt and reboot.  The next time you sign in Windows Server 2012 will go straight into the Desktop.



The PowerShell script does three things:

  • It assigns ownership of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server registry key to the local built-in Administrators group.  By default this key is owned by the protected TrustedInstaller security principal.
  • Full control is given on the key to the built-in Administrators group.  By default built-in Administrators only have Read access.  Full control gives us the ability to change values in the key.
  • It changes the ClientExperienceEnabled value from 1 to 0, which configures Windows to start directly to the Desktop.






Windows Server 2012 and Windows 8 secure protected registry keys and files using the TrustedInstaller security principal.  TrustedInstaller is a core part of Windows Resource Protection (WRP) technology.  Windows usually assigns ownership of WRP protected items to TrustedInstaller and they normally cannot be modified or deleted.  This script overcomes that and allows you to change the value of the ClientExperienceEnabled value.



Since this is really just a simple registry change, you can safely use it in your server imaging process for all your Windows Server 2012 computers.  It only needs to be run once per server and affects all users who log on to that server.

Update: How to Configure Fast Cached Exchange Mode Settings for Outlook 2013 Using Group Policy


With the release of Office 2013 right around the corner and quite a number of people already running the Office 2013 Consumer Preview, I thought I’d update a previous article I wrote that speeds up Outlook performance.



How to Configure Fast Cached Exchange Mode Settings for Outlook 2010 and Outlook 2013 Using Group Policy explains how to configure Outlook 2010 and Outlook 2013’s Cached Exchange Mode send/receive behavior.  With these changes Outlook cached mode behaves very similar to online mode.  There is no change in network bandwidth with this configuration – it just configures Outlook to go on “mail runs” more frequently.

One-Day Midlife Crisis #FTW

Today. Was. Awesome.






I spent the day at Club Sportiva in San Jose on one of their Exotic Car Tours.  Five other drivers and I drove European supercars through the winding roads of the Monte Bello Open Space Preserve, Woodside, and along the Pacific Coast.  It was an absolutely perfect day for driving.



We all got to drive each of the following cars over the course of the day:

  • Audi R8
  • Ferrari F430
  • Nissan GTR
  • Lotus Elise
  • Lamborghini Gallardo V10 Spyder
  • Tesla Roadster (well, most of us did)

Here’s a short video I made of the cars when we were at our first pit stop and we swapped cars.








We each drove alone (no copilot) and were led on the tour by one of Club Sportiva’s fantastic drivers in a Ford Mustang Shelby GT500.  We got to drive each car for about 30 minutes along twisting roads through the hills below beautiful blue skies.



I made the following video from the Lamborghini Gallardo Spyder by propping my iPhone in the dash.  You can hear the throaty rumble of the Gallardo’s V10 engine as I wind through the hillside.







We stopped half way at Alice’s Restaurant in Woodside, CA to have a nice lunch and let passersby gawk at our glistening supercars.  It was a blast to drive through small towns where people told us, “I want to HEAR it!”  I’d push the clutch in, gun it, and watch the smiles light up on everyone’s faces.  People would stop and point at us.  Cameras came out.



All the cars were manual transmissions except for the Nissan GTR and, of course, the Tesla Roadster since it’s a fully electric sports car.  I was a bit worried about driving a stick, since it’s probably been 15 years since I last drove one.  But it’s a lot like riding a bicycle – you never forget.



The Audi R8 was probably the best all-around supercar.  It had an amazing amount of sure-footedness due to its all-wheel drive and fantastic engine.  It was a powerhouse that didn’t take a great deal of work to drive.  I’d love to have this for my daily commute.



The Ferrari F430 was the most exciting car for me to drive.  It had a deep throaty growl and would actually startle me when I hit the gas and instantly accelerated.  Fantastic handling, but the shifting was very “notchy”.  Apparently this is a common complaint about Ferraris and is what led to the creation of the Lamborghini.



The Nissan GTR had the best electronics.  This was one of the two cars with an automatic transmission and had paddle shifters on the wheel.  You have the option of putting the transmission into manual, where you must use the paddle shifters to change gears.  There’s no manual clutch – the electronic double clutch shifts gears instantly.  The large display had typical GPS functionality and also had screens that reported the amount of Gs you were pulling when accelerating or turning.  Too much automation for me – I found this car rather boring, but FAST!  I got up to 112MPH without blinking an eye.



The Lotus Elise was the most fun to drive.  This car weighs less than 1,900 lbs. and has ~200 HP.  It’s a total slot car.  It has absolutely no electronics in it, so it takes a lot of concentration to drive.  No traction control, power steering, or antilock brakes.  The seats are hard plastic and you’re mere inches above the ground.  An absolutely amazing car to drive that made me smile the whole time.



The Lamborghini Gallardo Spyder is sex in yellow.  It has the most amazing tuned exhaust that makes even blind people turn and look.  With a massive V10 engine it’s a bit heavy, but was amazing to drive.  If you’re looking for a supercar that evokes lusty emotions, this is your car.



Finally, there’s the Tesla Roadster.  I’d love to tell you about its instant acceleration due to its powerful electric motors, but alas I cannot.  It ran out of battery before it became my turn to drive it.  It’s a shame since this was one of the cars I was really looking forward to driving.  Club Sportiva said they’ll make it up to me with a future driving opportunity.  We left the Tesla on the side of one of the mountain roads for a Club Sportiva flatbed to pick up later.  I rode back with Travis from Club Sportiva in the Ford Mustang Shelby GT500.



This was a true once-in-a-lifetime experience.  I highly recommend it if you have the chance to do it!




How to Convert Hyper-V VHD Disks to VHDX

Windows Server 2012 Hyper-V offers a new virtual disk type called VHDX.  VHDX virtual disks have many benefits, including larger maximum disks up to 64TB, protection against data corruption, and improved alignment of the virtual hard disk format to work well on large sector disks.  See http://technet.microsoft.com/en-us/library/hh831446.aspx for more information about the VHDX disk type.



You can convert existing older format VHD disks to the new VHDX format using the Hyper-V Manager console.  This process will create a new VHDX disk and copy the data from the existing VHD to the new disk.  At the end of the procedure you will have two disks, the original VHD disk and a new VHDX disk with the same contents.  You can safely delete the original VHD disk once you have confirmed that the new VHDX disk is fully functional.



Here are the steps to convert an existing VHD disk to a VHDX disk:

  • Shut down the VM that is accessing the disk, if necessary.  You cannot convert a disk that is in use.
  • Open the Hyper-V VM settings, navigate to the hard drive you wish to convert, and click the Edit button, as shown below:


  • The Edit Virtual Hard Disk Wizard will start.  Select Convert from the Choose Action page and click Next.


  • Select the VHDX disk format and click Next.


  • Choose whether the new disk should be fixed size or dynamically expanding.  Note that this gives you the opportunity to change disk types from the previous disk type.  Click Next.
  • Select the name and location for the new VHDX disk and click Next.
  • Review the summary and click Finish to create the new disk.  This may take a few minutes depending on the size of the VHD and the speed of your hard drive(s).  A 30GB VHD converted in less than two minutes on my SSD drive.  The size of the new VHDX disk will be slightly larger than the original VHD disk.




  • The last step is to mount the new VHDX disk to the Hyper-V VM.  Note the new VHDX extension.




Once you have started up your VM with the new VHDX disk you can safely delete the old VHD disk.  There are no other configurations necessary.
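The same conversion done from PowerShell with the Hyper-V module that ships with Windows Server 2012, which is handy when there are many VMs to convert.  This is an added example, not from the original post; the VM name FS01 and the disk path are assumptions, and the script deliberately refuses to run while the VM is on.

```powershell
# Added example (not from the original post): convert a VM's VHD to VHDX and
# re-point the VM's existing drive slot at the new file, mirroring the wizard.
$VMName  = 'FS01'                       # assumed VM name
$OldVhd  = 'C:\VMs\FS01\disk.vhd'       # assumed path of the existing VHD
$NewVhdx = [System.IO.Path]::ChangeExtension($OldVhd, '.vhdx')

# The disk must not be in use: refuse to continue unless the VM is off.
$vm = Get-VM -Name $VMName
if ($vm.State -ne 'Off') { throw "Shut down $VMName first (state is $($vm.State))." }

# Find the drive entry that points at the old VHD so it can be re-pointed later.
$drive = Get-VMHardDiskDrive -VMName $VMName | Where-Object { $_.Path -eq $OldVhd }
if (-not $drive) { throw "$VMName has no hard drive attached at $OldVhd" }
if (Test-Path $NewVhdx) { throw "$NewVhdx already exists; not overwriting it." }

# Convert. -VHDType is the same choice the wizard offers (Fixed or Dynamic),
# so the disk type can be changed here. The original VHD is left untouched.
Convert-VHD -Path $OldVhd -DestinationPath $NewVhdx -VHDType Dynamic

# Sanity-check the new file before touching the VM configuration.
$info = Get-VHD -Path $NewVhdx
if ($info.VhdFormat -ne 'VHDX') { throw "$NewVhdx is not in VHDX format" }
Write-Host ("New disk: {0} ({1} GB on disk)" -f $NewVhdx, [math]::Round($info.FileSize / 1GB, 2))

# Point the VM's existing controller slot at the VHDX (the "mount" step above).
Set-VMHardDiskDrive -VMName $VMName -ControllerType $drive.ControllerType `
    -ControllerNumber $drive.ControllerNumber -ControllerLocation $drive.ControllerLocation `
    -Path $NewVhdx

Start-VM -Name $VMName
# Only after the VM has booted cleanly from the VHDX:  Remove-Item $OldVhd
```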