If a user is unable to save the “Run Once” page that comes up after installing IE7 (http://rononce.man.com/runonce3.aspx), there is a manual way of disabling it.

Open regedit, goto [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Look for the following two keys.
RunOnceHasShown
RunOnceComplete

If the keys aren’t there create both as new DWORD Value and set the value to 1 for each.

How to update the GAL manually

Update-GlobalAddressList -Identity <GlobalAddressListIdParameter> -DomainController

For most it would be Update-GlobalAddressList -Identity “Default Global Address List”

How to check the logging in Exchange 2007

get-EventLogLevel

See which certificates Exchange 2007 are using

Get-ExchangeCertificate

Get-ExchangeCertificate |fl  (for more information)

Enable Exchange services for certificate

Enable-exchangecertificate -services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9

See what URL the CAS server has for autodiscover

Get-ClientAccessServer -Identity CASServer | FL

Change the autodiscover URL

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.yourdomain.com/Autodiscover/Autodiscover.xml

Configure all the InternalURLs for each web distributed service

Set-OABVirtualDirectory -Identity “CASServer\OAB (Default Web Site)” -InternalURL https://mail.yourdomain.com/OAB

Enable-OutlookAnywhere -Server CASServer -ExternalHostname “mail.yourdomain.com” -ClientAuthenticationMethod “Basic”-SSLOffloading:$False

Set-ActiveSyncVirtualDirectory -Identity “CASServer\Microsoft-Server-ActiveSync (Default Web Site)” -ExternalURL https://mail.yourserver.com/Microsoft-Server-Activesync

Find out your inbound/outbound message limits

get-transportconfig

With a couple of clean installs of Backup Exec 12D/12.5, sometimes the selection list in Backup Exec shows no local or remote selections to choose from. One thing to check is the Remote Operators group which is a default group in SBS 2003, the Administrator account or whichever account you use for Backup Exec should not be in this group. Secondly, Backup Exec needs a group policy setting for the credentials that Backup Exec uses: add the Backup Exec user to the setting “Log on as a batch job” in the Default Domain Controllers Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/ Once you’ve added the Backup Exec user, go to Start –> Run –> and type “gpupdate /force” This will update Active Directory. Close and re-open Backup Exec, the selections should now be available.

You may have trouble sending mail to certain domains while using Exchange Server 2007 on Windows Server 2008. The Queue Viewer displays the following status error for the domain in question:

“451 4.4.0 primary target IP address responded with “421.4.4.2 unable to connect.”attempted failover to alternate host, but that did not succeed.Either there are no alternate hosts, or delivery failed to all alternate hosts.”

This problem occurs because routers do not support the TCP autotuning settings in Windows Server 2008.

To disable autotuning, follow these steps:

Run CMD as Administrator

At the command prompt, type the following command, and then press ENTER:

netsh interface tcp set global autotuninglevel=disabled

This command disables the Receive Window Auto-Tuning feature.

Exit the Command Prompt window.

Restart the computer.

To add the Active Directory Schema Admin for the mmc, you need to first register a dll before you can see the Schema Admin tools. Go to start –> run –> type: regsvr32 schmmgmt.dll and click enter. You can now open the mmc, and add Active Directory Schema.

http://kb.eset.com/esetkb/index?page=content&id=SOLN146

In the situation I came across, Outlook 2007 clients were constantly prompting for a password eventhough the users were on the LAN, members of the domain, and logged in to the PC with domain credentials.  While I found several potential causes, the solution ended up being an SSL setting in IIS on the mail server. 

The solution was to allow client certificates on the virtual directory for Exchange Autodiscover.  It turns out the clients were attempting to use the Autodiscover service with Exchange 2007 to detect settings and the website wasn’t accepting their client certificate.  The client certificates are apparently used for encryption between the client and the server.  Disabling the checkbox to enable that type of communication may also have been a solution, but this is a better one because it maintains the security of an encrypted channel.  Here are the instructions:

1. Using IIS6 - Click Here
2. Using IIS7 - Open the IIS manager.  Expand the Sites group and expand down to the Autodiscover virtual directory.  Select this virtual directory then selec “SSL Settings” from the center pane.  In the settings window, select “Accept Client Certificates”.

In addition, the authentication settings on this virtual directory can also cause this to happen if not configured correctly.  Just make sure that Integrated Windows Authentication is checked.

After installing the latest version of Trend Micro Scanmail 8.0 on an SBS 2008 server, the Exchange Transport service kept stopping and reporting the following errors in the Application event log:

Event ID: 16023 Source: MSExchangeTransportMicrosoft Exchange couldn’t start transport agents. The Microsoft Exchange Transport service will be stopped. Exception details: Failed to create type ‘TrendMicro.SMEX.hookE12TransportAgent.hookE12RoutingAgentFactory’ from assembly ‘D:\Program Files\Trend Micro\Smex\hookE12TransportAgent.dll’ due to error ‘Invalid agent assembly path.’ …

Event ID: 1052 Source: MSExchange Extensibility

The creation of an agent factory for the agent ‘ScanMail Routing Agent’ failed with error ‘Failed to create type ‘TrendMicro.SMEX.hookE12TransportAgent.hookE12RoutingAgentFactory’ from assembly ‘D:\Program Files\Trend Micro\Smex\hookE12TransportAgent.dll’ due to error ‘Invalid agent assembly path.’.’. Verify that the corresponding transport agent assembly and dependencies with the correct version are installed.

The issues turned out to be a permission issue on the SMEX program file directory.  Exchange uses the Network Service account for the Transport Service credentials but this account didnt get security permissions to the Trend Micro SMEX program folder after install.  Adding the appropriate read permissions did the trick.

I experienced this issue on an SBS 2008 server with IIS7.  The fix was to enable the “Execute” permission on the CGI and ISAPI modules for the web application, but it was tricky with IIS7.  Heres how to do it. 

1. Open IIS Manager (Start->Run->Inetmgr)
2. Select the SMEX Virtual Directory
3. Select Handler Mappings
4. Find CGI-Exe and ISAPI-dll and select “Edit Feature Permissions” in the action pane.
5. Make sure “Execute” is checked and close.

Prior to this, make sure you complete the following other actions (from the Trend Readme):

      (1) Install ASP and CGI Role Services
          a.Go to the Server Manager.
          b.Select Roles and then right-click on the Web Server (IIS).
          c.Click Add Role Services.
          d.Under Application Development, select ASP and CGI.
          e.Click Next > Install.

      (2) Allow ScanMail CGIs (if ISAPI and CGI restrictions are
          implemented).
          a.Go to the IIS Manager.
          b.Select the server node and then select ISAPI and CGI
            Restrictions.
          c.Verify that both cgiDispatcher and cgiCmdNotify are
            allowed.
          d.Re-open the ScanMail product console.

Often, we run across spyware that may disable registry editing.  When you try to access regedit, you may get the following prompt:

“Registry editing has been disabled by your administrator.”

There are several methods to re-enable the registry editing from this point.  First, the easiest is usually to run this command from the run command or from a command prompt:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

 Log off then back on and try again.  If that didn’t work, you can try the other steps below:

Use GPEDIT to modify the local security policy:

1. Click Start, Run
2. Type GPEDIT.MSC and Press Enter
3. Go to the following location
   • User Configuration
   • Administrative Templates
   • System
4. In the Settings Window, find the option for “Prevent Access to Registry Editing Tools” and double-click on it to change.
5. Select Disabled or Not Configured and choose OK
6. Close the Group Policy Editor and restart your computer
7. Try opening REGEDIT again

Download this VBS file:

www.dougknox.com/security/scripts_desc/regtools.htm