MIIS 2003 ensures that the ProxyAddresses attribute of Active Directory user objects contains all values of the mulitivalued Forest_LegacyExchangeDN attribute where Forest is not the same as the forest from which the user account is coming. What is the reason for this configuration?
When accounts migrate between exchange orgs and get a new legacyExchangeDN, storing the history of all legDNs in the proxyAddresses attribute ensures that they can still be recognized by outlook with the old legdn.
Tuesday, November 29, 2005
Forest_LegacyExchangeDN - ProxyAddresses of AD
MIIS password management App
1. Installed MIIS. MIIS created five AD security groups. No password management application was installed after MIIS installation.
2. System administrator deleted “MIISPasswordSet” group. Realized two days later that it was a mistake so manually recreated the “MIISPasswordSet” security group in AD.
3. Installed Password management application and getting the error “Could not add the user account to password set group. Check password set group name”. I checked the group name and it was correct. The account that was used to install the application has domain admin access and the account to run password management is already in “MIISPassswordSet” group.
Question: Can action in Step 2 cause issue that I am seeing in 3? If so, Do I need to reinstall MIIS to recreate security groups?
This is a problem with the Password Management setup. It happens whenever the MIISPasswordSet group is not a local security group. The setup does not read the MIIS configuration to see where the MIISPasswordSet group is located, and assumes it is on the local machine.
Work-around:
1. Create a new local group on the machine where you are installing the Password Management application called MIISPasswordSet
2. Run the setup for the Password Management app.
3. Take note of what users were placed into the local Password Management group and add them to the Domain Global group you have configured to be the MIISPasswordSet security group.
4. Delete the local MIISPasswordSet security group.
2. System administrator deleted “MIISPasswordSet” group. Realized two days later that it was a mistake so manually recreated the “MIISPasswordSet” security group in AD.
3. Installed Password management application and getting the error “Could not add the user account to password set group. Check password set group name”. I checked the group name and it was correct. The account that was used to install the application has domain admin access and the account to run password management is already in “MIISPassswordSet” group.
Question: Can action in Step 2 cause issue that I am seeing in 3? If so, Do I need to reinstall MIIS to recreate security groups?
This is a problem with the Password Management setup. It happens whenever the MIISPasswordSet group is not a local security group. The setup does not read the MIIS configuration to see where the MIISPasswordSet group is located, and assumes it is on the local machine.
Work-around:
1. Create a new local group on the machine where you are installing the Password Management application called MIISPasswordSet
2. Run the setup for the Password Management app.
3. Take note of what users were placed into the local Password Management group and add them to the Domain Global group you have configured to be the MIISPasswordSet security group.
4. Delete the local MIISPasswordSet security group.
PCNS Questions
1. Can Password Portal use ADAM as the directory?
They actually use an ADAM instance as their “master” directory, and a combination of MIIS and P-Synch (from M-Tech) to keep passwords up to date everywhere else. Password Portal uses SQL as its own store; to store customizations, question lists, users etc. ADAM can be one of the target directories that receives a password reset.
2. Can we create custom Password Management Agents the same was as we create custom Management Agents?
Yes, as from MIIS SP1 you have the ability to create password extensions for any management agents that don’t have that capability built in (e.g. database, flat files etc.)
3. In fact, why would use P-Synch instead of MIIS for password synchronization?
P-Sync provides agents on other systems so the password synch can be initiated from different places. PCNS initiate password change either from the portal or fromvia PCNS.
They actually use an ADAM instance as their “master” directory, and a combination of MIIS and P-Synch (from M-Tech) to keep passwords up to date everywhere else. Password Portal uses SQL as its own store; to store customizations, question lists, users etc. ADAM can be one of the target directories that receives a password reset.
2. Can we create custom Password Management Agents the same was as we create custom Management Agents?
Yes, as from MIIS SP1 you have the ability to create password extensions for any management agents that don’t have that capability built in (e.g. database, flat files etc.)
3. In fact, why would use P-Synch instead of MIIS for password synchronization?
P-Sync provides agents on other systems so the password synch can be initiated from different places. PCNS initiate password change either from the portal or from
SSL Diagnostics Version 1.0
A common problem for administrators of IIS servers is configuring and troubleshooting SSL enabled websites. To assist in administrators efforts, Microsoft has designed a tool - SSL Diagnostics - to aid in quickly identifying configuration problems in the IIS metabase, certificates, or certificate stores.
Thursday, November 17, 2005
XADM: How to Find Distribution Groups with Hidden Membership
To find distribution groups that have hidden membership, use the Active Directory Users and Computers snap-in to search for objects that have the hideDLMembership attribute set to TRUE:
1. Start the Active Directory Users and Computers snap-in.
2. Right-click the domain, and then click Find.
3. In the Find box, click Custom Search.
4. Click the Advanced tab.
5. In the Enter LDAP query box, type (hideDLMembership=TRUE).
6. Click Find Now.
All of the objects that are displayed have the hideDLMembership attribute set to TRUE.
More: http://support.microsoft.com/default.aspx?scid=kb;en-us;288342
Can't View Hidden Membership in DG After You Update the Recipient Update Service
If you are a member of the Domains Admins group, but you are not a member of Account Operators and Exchange Domain Servers groups, you cannot read the membership of groups that have hidden membership after you update the Recipient Update Service.
This problem occurs because the Recipient Update Service removes the read property permission for the Domain Admins group.
To work around this problem, you must be added to the Account Operators group. To do so, follow these steps:
1. Click Start , point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand Domain, and then click Built-in.
3. In the right pane, right-click the Account Operators group, and then click Properties.
4. Click the Members tab, and then click Add.
5. Click the user who you want to add to the Account Operators group, and then click Add.
6. Click OK.
7. Log off from the server, and log on to the server.
More: http://support.microsoft.com/default.aspx?scid=kb;en-us;811909
To find distribution groups that have hidden membership, use the Active Directory Users and Computers snap-in to search for objects that have the hideDLMembership attribute set to TRUE:
1. Start the Active Directory Users and Computers snap-in.
2. Right-click the domain, and then click Find.
3. In the Find box, click Custom Search.
4. Click the Advanced tab.
5. In the Enter LDAP query box, type (hideDLMembership=TRUE).
6. Click Find Now.
All of the objects that are displayed have the hideDLMembership attribute set to TRUE.
More: http://support.microsoft.com/default.aspx?scid=kb;en-us;288342
Can't View Hidden Membership in DG After You Update the Recipient Update Service
If you are a member of the Domains Admins group, but you are not a member of Account Operators and Exchange Domain Servers groups, you cannot read the membership of groups that have hidden membership after you update the Recipient Update Service.
This problem occurs because the Recipient Update Service removes the read property permission for the Domain Admins group.
To work around this problem, you must be added to the Account Operators group. To do so, follow these steps:
1. Click Start , point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand Domain, and then click Built-in.
3. In the right pane, right-click the Account Operators group, and then click Properties.
4. Click the Members tab, and then click Add.
5. Click the user who you want to add to the Account Operators group, and then click Add.
6. Click OK.
7. Log off from the server, and log on to the server.
More: http://support.microsoft.com/default.aspx?scid=kb;en-us;811909
Wednesday, November 16, 2005
GetChildRows returns an array of DataRow objects from the child DataTable in a DataRelation. Unfortunately, the System.Web.UI databinding logic doesn't seem to realize that the data source might contain DBNull values if the data source isn't a DataView or DataTable. The end result is that StrongTypingException exceptions get thrown if my data contains any columns whose value is DBNull.Value. How to fix this?
You can use the msprop annotations in your typed dataset xsd file, so that the row accessors will return what you want instead of DBNull.Value. The reason you see the issue is because the datatable row accessors return DBNull.Value where as the strongly typed accessors expect the actual type to be returned and you have a conversion problem from DBNull to the actual type.For reference types [string etc.] returning “null” would be appropriate, but for value types [int etc] you need to assign a non-used value whenever DBNull.Value occurs.
You can check the following link for more information on these annotations.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconusingannotationswithtypeddataset.asp
However, from Whidbey we can use nullable generics.
You can use the msprop annotations in your typed dataset xsd file, so that the row accessors will return what you want instead of DBNull.Value. The reason you see the issue is because the datatable row accessors return DBNull.Value where as the strongly typed accessors expect the actual type to be returned and you have a conversion problem from DBNull to the actual type.For reference types [string etc.] returning “null” would be appropriate, but for value types [int etc] you need to assign a non-used value whenever DBNull.Value occurs.
You can check the following link for more information on these annotations.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconusingannotationswithtypeddataset.asp
However, from Whidbey we can use nullable generics.
Documentation of an MIIS installation
Oxford Documentor Tool
The Oxford MIIS Documentor provides fast, accurate, automated documentation for an MIIS deployment. Reading the MIIS configuration, including custom extensions source code and custom content such as diagrams , it generates a report that would take many consulting days to reproduce. Any changes in the MIIS configuration can be speedily reflected in the report by re-running the Documentor.
http://www.oxfordcomputergroup.com/ocg.aspx?nav=resource.tem/ZLEJ21I4AB
The Oxford MIIS Documentor provides fast, accurate, automated documentation for an MIIS deployment. Reading the MIIS configuration, including custom extensions source code and custom content such as diagrams , it generates a report that would take many consulting days to reproduce. Any changes in the MIIS configuration can be speedily reflected in the report by re-running the Documentor.
http://www.oxfordcomputergroup.com/ocg.aspx?nav=resource.tem/ZLEJ21I4AB
Security Assertion Markup Language (SAML)
The Security Assertion Markup Language (SAML) is being developed by the OASIS XML-Based Security Services Technical Committee (SSTC). The Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information. This security information is expressed in the form of assertions about subjects, where a subject is an entity (either human or computer) that has an identity in some security domain.
Four 'drivers' behind the creation of the SAML standard:
1. Limitations of Browser cookies
2. SSO Interoperability
3. Web Services
4. Federation
More at: http://xml.coverpages.org/saml.html
Four 'drivers' behind the creation of the SAML standard:
1. Limitations of Browser cookies
2. SSO Interoperability
3. Web Services
4. Federation
More at: http://xml.coverpages.org/saml.html
Tuesday, November 15, 2005
Outlook 2003 Commandbar - C#
I want to add a new commandbar in outlook 2000 through C# code. I am able to add a button in command bar but not able to add new commandbar. Can anyone suggest something?
for a complete illustration go to:
http://www.codeproject.com/csharp/commandbars.asp
for a complete illustration go to:
http://www.codeproject.com/csharp/commandbars.asp
Retrieve Network Interfaces - C#
How to Retrieve "Network Interfaces" in C#?
You may recognize the "network interfaces" as "Network and Dial-up Connections": You can access them by using "Start > Setting > Network and Dial-up Connections". C# does not provide a simple way of retrieving this list. The solution includes two main steps, which follow:
Step 1: Retrieve the Network AdaptersGet all the Network Adapters, which are IP-enabled, and their Setting ID. We use the ManagementClass: Win32_NetworkAdapterConfiguration to achieve this. The "SettingID" property of the ManagementObject is actually the Registry key.
Step 2: Extract information from the Registry
More...
http://www.codeguru.com/Csharp/Csharp/cs_network/internetweb/article.php/c6023/
You may recognize the "network interfaces" as "Network and Dial-up Connections": You can access them by using "Start > Setting > Network and Dial-up Connections". C# does not provide a simple way of retrieving this list. The solution includes two main steps, which follow:
Step 1: Retrieve the Network AdaptersGet all the Network Adapters, which are IP-enabled, and their Setting ID. We use the ManagementClass: Win32_NetworkAdapterConfiguration to achieve this. The "SettingID" property of the ManagementObject is actually the Registry key.
Step 2: Extract information from the Registry
More...
http://www.codeguru.com/Csharp/Csharp/cs_network/internetweb/article.php/c6023/
MIIS Community Web Site
Where can I find discussion groups related to MIIS?
Ask questions, share information, or exchange ideas with others, including experts from around the globe...
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.metadirectory
Ask questions, share information, or exchange ideas with others, including experts from around the globe...
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.metadirectory
PCNS - Retry password sync
While changing user password on AD and notifying a system that has a synchronized password through MIIS. What happens when Password Change Notification Service (PCNS) notifies MIIS about the password change but a synchronized system is offline?
You can configure the MA to retry password sync events.
Configuring a retry:
1. Right click an MA in Identity Manager, Properties, Extensions page
2. Click the Settings button next to Password Sync Target Settings (there are two on the page, it’s the bottom one)
3. Set the max retries and retry interval. They default to 10 retries, one every 60 seconds. Obviously, if your target system is offline for a long period of time, the retries won’t save you and you’ll just get an error, but it is sufficient for intermittent system downtime.
Another factor to consider when setting the retry counts/times may be that waiting too long between retries to compensate for extended downtime may delay the new password from propagating to that system
You can configure the MA to retry password sync events.
Configuring a retry:
1. Right click an MA in Identity Manager, Properties, Extensions page
2. Click the Settings button next to Password Sync Target Settings (there are two on the page, it’s the bottom one)
3. Set the max retries and retry interval. They default to 10 retries, one every 60 seconds. Obviously, if your target system is offline for a long period of time, the retries won’t save you and you’ll just get an error, but it is sufficient for intermittent system downtime.
Another factor to consider when setting the retry counts/times may be that waiting too long between retries to compensate for extended downtime may delay the new password from propagating to that system
Thursday, November 10, 2005
Service Principal Name (SPN)
A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. An SPN must be unique in the forest in which it is registered. If it is not unique, authentication will fail.
For more information about SPN format and composing a unique SPN, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/name_formats_for_unique_spns.asp
Before a client can use an SPN to authenticate an instance of a service, the SPN must be registered on the user or computer account that the service instance will use to log on. Typically, SPN registration is done by a service installation program running with domain administrator privileges. user and computer objects have a servicePrincipalName attribute, which is a multi-valued attribute for storing all the SPNs associated with a user or computer account. If the service runs under a user account, the SPNs are stored in the servicePrincipalName attribute of that account. If the service runs in the LocalSystem account, the SPNs are stored in the servicePrincipalName attribute of the account of the service's host computer.
Setspn.exe:
This command-line tool allows you to manage the Service Principal Names (SPN) directory property for an Active Directory directory service account. SPNs are used to locate a target principal name for running a service. SetSpn allows you to view the current SPNs, reset the "host" SPNs, and add or delete supplemental SPNs.
For more information about SPN format and composing a unique SPN, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/name_formats_for_unique_spns.asp
Before a client can use an SPN to authenticate an instance of a service, the SPN must be registered on the user or computer account that the service instance will use to log on. Typically, SPN registration is done by a service installation program running with domain administrator privileges. user and computer objects have a servicePrincipalName attribute, which is a multi-valued attribute for storing all the SPNs associated with a user or computer account. If the service runs under a user account, the SPNs are stored in the servicePrincipalName attribute of that account. If the service runs in the LocalSystem account, the SPNs are stored in the servicePrincipalName attribute of the account of the service's host computer.
Setspn.exe:
This command-line tool allows you to manage the Service Principal Names (SPN) directory property for an Active Directory directory service account. SPNs are used to locate a target principal name for running a service. SetSpn allows you to view the current SPNs, reset the "host" SPNs, and add or delete supplemental SPNs.
ASP.NET for Persistent SQL Server Session
I gave a problem with ASP.NET application with SQL Server to hold session state. Everyday encounter blocking on the ASPState database. On busy days waiting times increase.
sessionState element in web.config file :
cookieless="false"
sqlConnectionString="Server=iMySQLServer;Integrated Security=SSPI;"
timeout="5"/>
TempGetStateItemExclusive2 is seen in the connection buffers.
1. Why do we see KEY range locks? e.g. KEY: 7:133575514:1 (0a027a6605d7)
2. Why do the connections have two open transactions?
1) Use the persistent version of AspState db which does not use the temp db
HOW TO: Configure ASP.NET for Persistent SQL Server Session State Management:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q311209
2) Add an index to the Expires column in the AspState db
3) Configure the DeleteExpiredSessions job to run every two or three minutes instead of every minute
sessionState element in web.config file :
sqlConnectionString="Server=iMySQLServer;Integrated Security=SSPI;"
timeout="5"/>
TempGetStateItemExclusive2 is seen in the connection buffers.
1. Why do we see KEY range locks? e.g. KEY: 7:133575514:1 (0a027a6605d7)
2. Why do the connections have two open transactions?
1) Use the persistent version of AspState db which does not use the temp db
HOW TO: Configure ASP.NET for Persistent SQL Server Session State Management:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q311209
2) Add an index to the Expires column in the AspState db
3) Configure the DeleteExpiredSessions job to run every two or three minutes instead of every minute
Find SQL Server Version and SP
To determine the service pack that's installed on your SQL Server, open ISQLW (Query Analyzer) or ISQL or OSQL. Connect to your server.
Execute the following command:
SELECT @@VERSION
go
or
Execute the following command:
SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY ('productlevel'), SERVERPROPERTY ('edition')
go
To determine the service pack that's installed on your SQL Server, open ISQLW (Query Analyzer) or ISQL or OSQL. Connect to your server.
Execute the following command:
SELECT @@VERSION
go
or
Execute the following command:
SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY ('productlevel'), SERVERPROPERTY ('edition')
go
Wednesday, November 09, 2005
ASP.NET applications performance
Contention, poor performance, and deadlocks when you make Web service requests from ASP.NET applications
You may also receive the following exception error message when you make a call to the HttpWebRequest.GetResponse method:
“System.InvalidOperationException: There were not enough free threads in the ThreadPool object to complete the operation.”You may also receive the following exception error message in the browser:
“HttpException (0x80004005): Request timed out.”
Recommended Solution:
http://support.microsoft.com/?id=821268
You may also receive the following exception error message when you make a call to the HttpWebRequest.GetResponse method:
“System.InvalidOperationException: There were not enough free threads in the ThreadPool object to complete the operation.”You may also receive the following exception error message in the browser:
“HttpException (0x80004005): Request timed out.”
Recommended Solution:
http://support.microsoft.com/?id=821268
Using sp_create_plan_guide with a plan
SQL 2005: Using sp_create_plan_guide with a plan
The BOL article: ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/4f5182ec-6a9a-46eb-be6c-87c5d77d9f93.htm elaborates on this limitation.
Plan forcing can be used for most types of SELECT queries. These include queries against tables, clustered and nonclustered indexes, indexed views, and partitioned tables and indexes. USE PLAN cannot be specified with INSERT, UPDATE, or DELETE statements.
The BOL article: ms-help://MS.SQLCC.v9/MS.SQLSVR.v9.en/udb9/html/4f5182ec-6a9a-46eb-be6c-87c5d77d9f93.htm elaborates on this limitation.
Plan forcing can be used for most types of SELECT queries. These include queries against tables, clustered and nonclustered indexes, indexed views, and partitioned tables and indexes. USE PLAN cannot be specified with INSERT, UPDATE, or DELETE statements.
Subscribe to:
Posts (Atom)