Posted Windows Servers, Software - Microsoft Programs, Exchange Server on Tuesday, May 8th, 2007.
Microsoft and IT consulting company Unisys are offering a free demo of Exchange Server 2007. This is well worth it to evaluate the big changes and some improvements in this new version of Exchange and Outlook Web Access (OWA).
The trial is only 5 days long, but all that’s required to create a trial account is a name and a valid email address. Each trial account comes populated with sample messages, calendar items, and voice mail; you’re allowed to send and receive mail, schedule meetings, and adjust your own account’s settings while connecting via Outlook, OWA, or any Exchange ActiveSync app.
Posted IIS Server, Consulting Tips & Resources, Useful Websites and Software, Techie News on Sunday, April 1st, 2007.
I’ve always wondered if most hosting companies even care about supporting their customers when traffic surges hit. A recently Dugg article “How Not To Deal With A Digg” makes it worth revisiting those thoughts and putting up a bit of math to support the claim that shared hosting companies are concealing a lot behind the bandwidth they offer in their packages.
Just like most gyms sell memberships to more people than could fit into the workout area if all those members showed up once per day, many hosting companies price their packages at levels that are only profitable if traffic stays very low. In the Seminal’s article, referenced above, they started with a shared web hosting package from iPowerWeb. That package offers 2,000 GB of bandwidth for $8/month - and I’m going to stay focused on that number because bandwidth is the number one place where shared web hosting companies fail to deliver on their promises (plus an 800 MHz Pentium 3 with 1 GB RAM webserver that I run at work delivers 10-15 GB/day of web traffic for an application we only use internally, so the meagre specs on that hardware work fine for 275 GB/month [conservatively, 12.5 GB/day for 22 work days each month] over 100 Mbps & 1 Gbps network connections). A good price for bandwidth, for a hosting company leasing multiple OCx-class connections, is about $0.06/GB. That means that 2,000 GB of bandwidth works out to $120/month. In fact, your $8/month is only enough to pay for about 133 GB of bandwidth before the hosting company starts dropping into the red.
Yikes! The truth is there’s no way those lower-end hosting companies can make money from basic web hosting packages if even a small percentage of their clients are using a good chunk of the allotted bandwidth. It’s true that the numbers presented in the hosting package descriptions are typically loss-leaders, but the packages and services offered by any hosting company should be capable of reaching what they’re rated to. And, if the high bandwidth usage is a problem, then companies should either ask users causing them a loss to leave (which sure would get those companies a lot of attention on Slashdot and Digg) or they should also institute and disclose a rate-cap of how much bandwidth/second can be used (for example: 2,000 GB/month over 2,592,000 seconds for a max rate of ~768 KBps).
In my experience of content sites’ daily traffic patterns, most non-rich media websites see averaged daily traffic rates that are only 5-15% of their peak daily rate. Let’s assume that a front page link from Digg will only triple your normal peak rate of visits (unlikely) and then work backward from 768 KBps to see what a realistic monthly usage would be from one of those shared hosting packages. One third of 768 KBps is 256 KBps, which represents our peak daily traffic rate when not featured on a big, linking site. Take 10% of that and get 25.6 KBps, or 26 KBps if we round to keep things clean. 26 KBps times the 2,592,000 seconds in a 30 day month is 67,392,000 KB of data, or ~67.4 GB/month when we’re talking in the same terms as those hosting plan providers. That seems more reasonable at a rate of $0.06/GB for an $8/month web hosting plan. Now only about $4/month goes to pay for bandwidth and the rest can pay for the hosting provider’s servers and staff.
Before we forget the whole point of this, 768 KBps means that an average content site with a 250 KB front page, JS, CSS, and images will take about 1/3rd of a second to transfer. Add another half second of latency, I know average latency isn’t that high but the server and browser take a little while to deal with each individual HTML, CSS, JS, and image to be transferred, and the total page load time is about 5/6ths of a second. Now grab this Browser statistics Firefox extension and check your own shared host website. This site has a 156 KB page load, is happily hosted on a 1and1 shared server, and has a 4.5 sec. average page load time and 1.8 sec. minimum page load time according to Google’s webmaster tools and the large number of page loads their spider does of this site. Odds are you’re looking at a download time a lot higher than 5/6ths of a second. If that’s the case then how can your shared webserver ever stand up to the traffic experienced when being Dugg or Slashdotted?
Plain and simple, that shared web server won’t cut it when you’re Dugg or Slashdotted. The artificial statistics I’m using above, of 768 KBps peak and 26 KBps sustained, make it clear that shared host webservers aren’t capable of profitably delivering the 1,000+ GB/month that most of them advertise. Real world page load times indicate that most shared hosting companies can’t realistically sustain a 768 KBps peak rate or 67 GB/month of traffic to your site. All the caching and HTML/CSS-tweaking in the world won’t save a website when it still has to get squeezed through a skinny pipe.
Sadly, many shared hosting companies are generally happy to save money by offering poor service and then allowing higher bandwidth users (costing them $0.06/GB) to move elsewhere. I really hope this practice goes the way of selling CRT monitors based on the tube size instead of the viewable size. Since I’m not a fan of government regulation, I hope some of the bigger or higher-quality shared hosting companies start offering throughput guarantees to compete with the cheap shared hosting packages that can’t deliver.
Posted Service Packs & Hotfixes, Windows Servers, Windows Desktop Fixes, Microsoft Active Directory on Sunday, April 30th, 2006.
Have you implemented software restriction policies in Active Directory only to find that they stop working a few months later? Initial investigation may show the executable to still be blocked in the Group Policy - while the same executable now runs just fine on user desktops. This is because Microsoft’s software restriction policies are usually specific to the version of the .EXE file. I’ve heard all sorts of explanations for this, usually related to not wanting to block the function of service packs and other vital updates due to “overly restrictive software policies”… The truth is that Microsoft was smart enough to block program .EXE’s based on a hash value generated when the program was compiled from the programmers’ code - which means that changing the filename will not circumvent a software restriction policy.
This article is based on a recent, real-life scenario using the Internet Explorer executable, “iexplore.exe”, as the blocked program. The recent release of the IE 7.0 beta software and some free time playing around by one of my client’s employees provided a chance for plenty of hours watching ESPN and YouTube videos on a warehouse floor and even slowdowns in getting and filling order downloads because of the use of all WAN bandwidth.
To troubleshoot failed software restriction policies I prefer to start on the client machine. To determine both whether a policy is applied correctly and the version of an executable blocked by software restriction:
- Open regedit
- Open the following key
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
- Inside that key will be one or more numbered branches related to the software restriction policies applied to that machine. To see what program each policy covers, open the numbered branch, then open the Hashes branch and click on each GUID.
- Inside each GUID key will be a string value with the data “program.exe (#.#.####.#) … and so on”. The numeric value #.#.####.# describes the program version. In my case the policy applied to “iexplore.exe (6.0.2900.2180)”
- Then, go check the version of the same executable that’s now installed on the system. In this case, I right-clicked on the iexplore.exe file and selected “Properties” and then the “Version” tab. Right at the top was the file version: 7.0.5335.5.
In this case, that was the answer - the IE 7.0, iexplore.exe was blocked with a new policy and everything was back to normal. In case the solution isn’t that simple, the best thing to do is to gather more data. Enable software restriction policies advanced logging by reopening the registry and:
- Navigate to the following key
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
- Create a new string value named LogFileName
- Enter the full path and filename of a text file that can be used for logging, i.e.: C:\sres_log.txt
Now, every executable run on the system will be logged to the file with a reason for why it was or wasn’t allowed to run. Details include the executable name, PID number, GUID, path name, and an allowed/disallowed/unrestricted comment with a short reason why. Since EVERY program is logged each time it is run, the log can get quite long. To keep it from getting out of control, either disable advanced logging by deleting the key or add a batch script that will truncate the log file periodically.
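The registry check in the first list above, written as a script. This is an added example and not part of the original post: it reads the “program.exe (#.#.####.#)” labels from each Hashes branch and compares the recorded version with the file on disk. The function names and the path map passed to -InstalledPath are assumptions made for the example.

```powershell
# Added example (not from the original post): list SRP hash rules and flag
# rules whose recorded version differs from the installed file's version.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpHashRule {
    param([string]$Root = $SrpRoot)
    # Numbered branches under CodeIdentifiers, each with a Hashes subkey.
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+$' } |
        ForEach-Object {
            $branch = $_.PSChildName
            $hashes = Join-Path $_.PSPath 'Hashes'
            if (-not (Test-Path $hashes)) { return }   # skip branches without hash rules
            foreach ($rule in Get-ChildItem -Path $hashes) {
                # Scan every string value for "program.exe (#.#.####.#) ...".
                foreach ($name in $rule.GetValueNames()) {
                    $data = $rule.GetValue($name)
                    if ($data -is [string] -and
                        $data -match '^(?<file>.+?\.exe)\s+\((?<ver>\d+(\.\d+){3})\)') {
                        [pscustomobject]@{
                            Branch      = $branch
                            Guid        = $rule.PSChildName
                            File        = $Matches['file']
                            RuleVersion = [version]$Matches['ver']
                        }
                    }
                }
            }
        }
}

function Test-SrpHashRule {
    # $InstalledPath maps a file name to its location on this machine (assumption).
    param([Parameter(Mandatory)][hashtable]$InstalledPath)
    foreach ($rule in Get-SrpHashRule) {
        $path = $InstalledPath[$rule.File]
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
            $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $rule | Add-Member -PassThru -NotePropertyMembers @{
            InstalledVersion = $installed
            Stale            = ($installed -ne $rule.RuleVersion)
        }
    }
}

# Example run for the scenario in the post; the path is the usual install location.
Test-SrpHashRule -InstalledPath @{
    'iexplore.exe' = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
} | Format-Table Branch, File, RuleVersion, InstalledVersion, Stale, Guid -AutoSize
```

A row with Stale set to True is a rule that still names the old build, which is the situation described above with 6.0.2900.2180 in the policy and 7.0.5335.5 on disk.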
Posted Service Packs & Hotfixes, Windows Desktop Fixes, Windows 2003 Server on Sunday, April 23rd, 2006.
The newest Microsoft security fix, MS06-015, titled “Vulnerability in Windows Explorer Could Lead to Remote Code Execution”, breaks “My Documents” access and features in IE, Office, Explorer, nVidia, Roxio, and several other 3rd-party applications. The official hotfix for the security fix is Microsoft KB article #918165 and lists the symptoms below as indicating you will need to install it:
- Unable to access special folders like “My Documents” or “My Pictures”.
- Microsoft Office applications may stop responding when you attempt to save or open Office files in the “My Documents” folder.
- Office files in the “My Documents” folder are not able to open in Microsoft Office.
- Opening a file through an application’s File / Open menu causes the program to stop responding.
- Typing an address into Internet Explorer’s address bar has no effect.
- Right-clicking on a file and selecting Send To has no effect.
- Clicking on the plus (+) sign beside a folder in Windows Explorer has no effect.
- Some third-party applications stop responding when opening or saving data in the “My Documents” folder
Unfortunately Microsoft neglected to mention several of the third-party apps that are also broken by this hotfix. These include, but probably aren’t limited to: nVidia drivers with shell extensions, Roxio DragToDisc or Adaptec DirectCD, Hewlett Packard’s Share-to-Web software, Kerio Personal Firewall, and SolidWorks 3D CAD products. Thankfully someone else has spent the time on the phone with Microsoft tech support to resolve these issues and posted the registry fixes not included in KB #918165.
Posted Windows Servers, Windows 2003 Server, Techie News on Wednesday, April 5th, 2006.
Microsoft has just released Virtual Server 2005 R2. The software is central to Microsoft’s planned server system, so grab the free download of Virtual Server here. Surprisingly, Microsoft has also announced support for virtualizing Linux in the Virtual Server 2005 system. Currently supported flavors of Linux include Red Hat and SuSE, in both Standard and Enterprise versions. An explanation of why Microsoft is freeing Virtual Server permanently is in this quick interview with Zane Adam, Windows Server director of product marketing.
The support for Linux on Virtual Server does make sense. Microsoft’s denial that their customers were using Linux was driving the same customers to actively search for non-Microsoft and open source replacement programs. This could continue to keep Windows Server relevant as open source OS’s improve and reduce Windows’ feature/ease-of-use advantage - provided that Microsoft can provide a decent level of support for Linux guest servers (virtual systems running inside Virtual Server) and create a good set of tools to manage those Linux systems. With Red Hat and Novell, parent of SuSE Linux, relying on support fees for income it will be interesting to see how they respond to Microsoft’s added Linux support. With the licensing and support fees for both companies’ Enterprise Linux versions this move puts all these server OS players on even closer footing.
One minor player who has responded is VMWare. A new “VMWare Server” product is now free, though it lacks a lot of the failover features and load balancing capabilities that make VMWare’s higher-end versions so useful. It will be interesting to see how VMWare Server and Virtual Server compare to each other, though VMWare has a strong lead in supporting the widest range of guest operating systems.
Posted Windows Servers, SAN & NAS Storage, Windows Desktop Fixes on Tuesday, March 14th, 2006.
Running low on drive letters on the Windows server? Tired of splitting tons of semi-related data between separate drives or of having to deal with folder-by-folder permissions? Of reinstalling the OS when the primary partition gets full?
…think like a UNIX admin and use Windows mounted drives to create a hierarchical tree of drives. It’s simple, no more drive letters to remember or map in a startup script. Just create one lettered drive and then map each type of data, NAS device, or however else you want to segment it, to a folder in that one drive. No need for expensive LUN-aggregation software, just use the Disk Management tools in Windows. It’s even possible to migrate all the data in C:\Program Files\ to a NAS device and then use a mounted drive to make the Windows-OS see the NAS as that “Program Files” folder. Having some performance issues with Exchange or SQL Server? You can move or add a mounted drive to a separate NAS device to separate the log and database files for both server systems.
- Open the Computer Management control panel, then the Disk Management sub-panel.
- Right-click the volume you want to mount and choose “Change Drive Letter and Paths”
- Click Add, select Mount in the following empty NTFS folder and then choose one of the following options:
  - Already have a folder created: type the path to an empty folder in an NTFS-formatted volume or Browse to it
  - No empty folder created yet: click Browse and find where you’d like to place the new folder, then click New Folder and create away
Drive Number Limits: Technically you can have an unlimited number of drives when they’re mapped to folder names instead of drive letters. In reality, approaching 100 separate mounted drives can start to bog down most stock 1U or 2U servers. More RAM and a faster OS-drive (C: drive) are needed to optimize support for many more mounted drives.
Posted Network and Internet Configuration, Windows Servers, Windows 2003 Server on Saturday, February 25th, 2006.
While upgrading Windows 2003 servers to the new R2 feature pack, we brought a newly-imaged Windows 2000 test server into the main domain as a backup while one or more Windows 2003 servers were upgrading. About 2 days after we started the upgrades we noticed some unexpected email non-delivery (NDR) messages. The email wasn’t being delivered because the target domain wasn’t found even after 2 days of retries by our Exchange servers. Yet the NDR’s primarily happened with email sent to major domains (like yahoo.com, aol.com, gmail.com, etc.) and a majority of messages to those domains were delivered successfully. Initially I expected that our own or our ISP’s DNS servers were being attacked. A type of attack known as DNS cache poisoning is used to either deny outbound services or even to redirect traffic to the attacker’s own systems (usually in hopes of searching it for personal or financial data).
After a good deal of time dealing with our ISP and getting nowhere, one of our sysAdmins found an obscure note that Windows 2003’s DNS server supports Extended DNS (EDNS - UDP packets of more than 512 bytes) by default. Windows 2000 server doesn’t support EDNS (also, some older routers or severely hardened firewalls refuse to pass UDP packets over 512 bytes) and the recently installed Windows 2000 server was acting as a backup DNS server for our WAN. The sysAdmin removed the Windows 2000 DNS services and the NDR’s stopped immediately.
In this case we had actually caused our own problem by adding an older system to back up “non-essential” domain services. With Windows 2003 installed throughout the domain we were advertising that we could handle EDNS, but the Windows 2000 server couldn’t handle it. The few email messages that, by chance, repeatedly requested DNS info from the Windows 2000 server failed to be delivered to domains that had probably cached our EDNS usage.
Note: It’s also possible to disable EDNS on Windows 2003 servers to make them compatible with older router and firewall systems that don’t support large UDP packets, or with firewall policies that don’t allow those large UDP packets. Just run “dnscmd /Config /EnableEDnsProbes 0” at the command line.
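When chasing this kind of failure from a packet capture, it helps to see whether a given query or reply actually uses EDNS. The following is an added example, not from the original post: it parses a raw DNS message and reports whether it carries the EDNS OPT record and what UDP payload size it advertises. The function name Get-DnsEdnsInfo and the sample query bytes are constructed for the illustration.

```powershell
# Added example (not from the original post): inspect a raw DNS message for
# the EDNS OPT pseudo-record (type 41) and the UDP payload size it advertises.
function Get-DnsEdnsInfo {
    param([Parameter(Mandatory)][byte[]]$Message)

    function Read-U16([byte[]]$m, [int]$i) { [int]$m[$i] * 256 + [int]$m[$i + 1] }
    function Skip-Name([byte[]]$m, [int]$i) {
        while ($true) {
            $len = [int]$m[$i]
            if ($len -eq 0) { return $i + 1 }                   # root label ends the name
            if (($len -band 0xC0) -eq 0xC0) { return $i + 2 }   # compression pointer
            $i += $len + 1                                      # ordinary label
        }
    }

    if ($Message.Length -lt 12) { throw 'DNS header is 12 bytes; message too short.' }
    $flags   = Read-U16 $Message 2
    $qd      = Read-U16 $Message 4
    $records = (Read-U16 $Message 6) + (Read-U16 $Message 8) + (Read-U16 $Message 10)

    $pos = 12
    for ($q = 0; $q -lt $qd; $q++) { $pos = (Skip-Name $Message $pos) + 4 }  # name, QTYPE, QCLASS

    $info = [ordered]@{
        Length         = $Message.Length
        Rcode          = $flags -band 0x0F
        Truncated      = [bool]($flags -band 0x0200)
        HasOpt         = $false
        UdpPayloadSize = 512          # limit that applies when no OPT record is present
    }
    for ($r = 0; $r -lt $records; $r++) {
        $pos  = Skip-Name $Message $pos
        $type = Read-U16 $Message $pos
        if ($type -eq 41) {
            $info.HasOpt = $true
            # For OPT, the CLASS field holds the sender's UDP payload size.
            $info.UdpPayloadSize = Read-U16 $Message ($pos + 2)
        }
        $pos += 10 + (Read-U16 $Message ($pos + 8))   # fixed fields + RDATA
    }
    [pscustomobject]$info
}

# Constructed sample: query for example.com, type A, with an OPT record
# advertising a 4096-byte UDP payload.
[byte[]]$query = @(0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,1) +
    @(7) + [Text.Encoding]::ASCII.GetBytes('example') +
    @(3) + [Text.Encoding]::ASCII.GetBytes('com') + @(0, 0,1, 0,1) +
    @(0, 0,41, 0x10,0x00, 0,0,0,0, 0,0)
Get-DnsEdnsInfo $query   # HasOpt True, UdpPayloadSize 4096, Length 40
```

A message with HasOpt False falls back to the 512-byte UDP limit, so comparing that flag across the DNS servers in a domain shows which ones do not speak EDNS.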