Mr. Tweak - Windows Network & Admin Tweaks

Windows network, systems, and software Administration Tips & Tricks


IE, Office, Explorer, or Nvidia Errors: Microsoft Hotfix for Security Fix MS06-015 (KB908531)

The newest Microsoft security fix, MS06-015, titled “Vulnerability in Windows Explorer Could Lead to Remote Code Execution”, breaks “My Documents” access and features in IE, Office, Explorer, nVidia, Roxio, and several other 3rd-party applications. The official hotfix for the security fix is Microsoft KB article #918165, which lists the symptoms below as indications that you will need to install it:

  • Unable to access special folders like “My Documents” or “My Pictures”.
  • Microsoft Office applications may stop responding when you attempt to save or open Office files in the “My Documents” folder.
  • Office files in the “My Documents” folder are not able to open in Microsoft Office.
  • Opening a file through an application’s File / Open menu causes the program to stop responding.
  • Typing an address into Internet Explorer’s address bar has no effect.
  • Right-clicking on a file and selecting Send To has no effect.
  • Clicking on the plus (+) sign beside a folder in Windows Explorer has no effect.
  • Some third-party applications stop responding when opening or saving data in the “My Documents” folder.

Unfortunately, Microsoft neglected to mention several of the third-party apps that are also broken by this hotfix. These include, but probably aren’t limited to: nVidia drivers with shell extensions, Roxio DragToDisc or Adaptec DirectCD, Hewlett Packard’s Share-to-Web software, Kerio Personal Firewall, and SolidWorks 3D CAD products. Thankfully, someone else has spent the time on the phone with Microsoft tech support to resolve these issues and posted the registry fixes not included in KB #918165.



Microsoft Frees Virtual Server 2005 and Adds Linux Support

Microsoft has just released Virtual Server 2005 R2. The software is central to Microsoft’s planned server system, so grab the free download of Virtual Server here. Surprisingly, Microsoft has also announced support for virtualizing Linux in the Virtual Server 2005 system. Currently supported flavors of Linux include Red Hat and SuSE, in both Standard and Enterprise versions. An explanation of why Microsoft is freeing Virtual Server permanently is in this quick interview with Zane Adam, Windows Server director of product marketing.

The support for Linux on Virtual Server does make sense. Microsoft’s denial that their customers were using Linux was driving the same customers to actively search for non-Microsoft and open source replacement programs. This could continue to keep Windows Server relevant as open source OSes improve and reduce Windows’ feature/ease-of-use advantage - provided that Microsoft can provide a decent level of support for Linux guest servers (virtual systems running inside Virtual Server) and create a good set of tools to manage those Linux systems. With Red Hat and Novell, parent of SuSE Linux, relying on support fees for income, it will be interesting to see how they respond to Microsoft’s added Linux support. With the licensing and support fees for both companies’ Enterprise Linux versions, this move puts all these server OS players on even closer footing.

One minor player who has responded is VMware. A new “VMware Server” product is now free, though it lacks a lot of the failover features and load balancing capabilities that make VMware’s higher-end versions so useful. It will be interesting to see how VMware Server and Virtual Server compare to each other, though VMware has a strong lead in supporting the widest range of guest operating systems.




Email or Routing Issues with Mixed-Windows 2000/2003 Domains? Does Your Firewall Support EDNS?

While upgrading Windows 2003 servers to the new R2 feature pack, we brought a newly-imaged Windows 2000 test server into the main domain as a backup while one or more Windows 2003 servers were upgrading. About 2 days after we started the upgrades we noticed some unexpected email non-delivery (NDR) messages. The email wasn’t being delivered because the target domain wasn’t found even after 2 days of retries by our Exchange servers. Yet the NDRs primarily happened with email sent to major domains (like yahoo.com, aol.com, gmail.com, etc.) and a majority of messages to those domains were delivered successfully. Initially I expected that our own or our ISP’s DNS servers were being attacked. A type of attack known as DNS cache poisoning is used to either deny outbound services or even to redirect traffic to the attacker’s own systems (usually in hopes of searching it for personal or financial data).

After a good deal of time dealing with our ISP and getting nowhere, one of our sysAdmins found an obscure note that Windows 2003’s DNS server supports Extended DNS (EDNS - UDP packets of more than 512 bytes) by default. Windows 2000 server doesn’t support EDNS (also, some older routers or severely hardened firewalls refuse to pass UDP packets over 512 bytes) and the recently installed Windows 2000 server was acting as a backup DNS server for our WAN. The sysAdmin removed the Windows 2000 DNS services and the NDRs stopped immediately.

In this case we had actually caused our own problem by adding an older system to back up “non-essential” domain services. With Windows 2003 installed throughout the domain we were advertising that we could handle EDNS, but the Windows 2000 server couldn’t handle it. The few email messages that, by chance, repeatedly requested DNS info from the Windows 2000 server failed to be delivered to domains that had probably cached our EDNS usage.

Note: It’s also possible to disable EDNS on Windows 2003 servers to make them compatible with older router and firewall systems that don’t support large UDP packets, or with firewall policies that don’t allow those large UDP packets. Just run “dnscmd /Config /EnableEDnsProbes 0” at the command line.
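
A check for the failure described in this post, as an added example that is not from the original article: it builds a DNS query carrying an EDNS0 OPT record and classifies the raw reply (or a timeout) so that a server or firewall that cannot handle EDNS stands out. The function names and sample replies are constructed for illustration, and example.com is a placeholder.

```python
import struct

OPT = 41  # RR type of the EDNS0 pseudo-record (RFC 6891)

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=15, edns_payload=None, txid=0x1234):
    """MX query by default; edns_payload adds an OPT record advertising that UDP size."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_payload else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_payload:
        # root name, TYPE=OPT, CLASS=UDP payload size, TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_payload, 0, 0)
    return msg

def skip_name(data, pos):
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:       # compression pointer ends the name
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_reply(data):
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos, opt_size = 12, None
    for _ in range(qd):
        pos = skip_name(data, pos) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == OPT:
            opt_size = rclass               # UDP size the server advertises
        pos += 10 + rdlen
    return {"rcode": flags & 0xF, "tc": bool(flags & 0x0200), "opt_size": opt_size}

def classify(reply):  # raw UDP answer to an EDNS query, or None after a timeout
    if reply is None:
        return "no reply: the query or a large answer was dropped on the path"
    r = parse_reply(reply)
    if r["rcode"] in (1, 4) and r["opt_size"] is None:   # FORMERR / NOTIMP
        return "server rejects EDNS"
    if r["tc"]:
        return "truncated: resolver must retry over TCP"
    return "EDNS ok" if r["opt_size"] is not None else "EDNS ignored: answers limited to 512 bytes"

# Constructed replies for illustration, not captured traffic.
FORMERR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8101, 1, 0, 0, 0) + build_query("example.com")[12:]
EDNS_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + build_query("example.com", edns_payload=4096)[12:]
```

Send the bytes from build_query(name, edns_payload=4096) over UDP to port 53 of each DNS server in the domain with a short timeout, and pass the reply (or None on timeout) to classify.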




Windows Server 2003 R2 - Same Software Compatibility as SP1

The new Windows Server 2003 R2 operating system upgrade is a bundle of several separate feature-packs with Windows Server 2003 SP1. This is supposed to mean that W2k3 R2 is compatible with everything that ran correctly on the SP1 version of the OS. However, a quick round of testing is in order for any operations that have had problems caused by any post-SP1 security updates. Many security updates released since SP1 was released are already bundled into R2.

As for real features added to R2: Microsoft’s hype-machine-generated list of features added to R2 highlights several technologies, including the .NET 2.0 libraries and upgraded identity management (Active Directory Federation Services), as “new”. Nonetheless, it looks like R2 does have some hype-worthy features that should have been better marketed. These features include the new WAN communication algorithms, for better network synchronization with less bandwidth use, and more granular storage management & SAN configuration tools.



Export and Import Windows Disk Quota Settings

An earlier article on using Windows Server disk quotas received a shocking number of readers. There are a lot more admins paying attention to these making-life-easier tasks than I expected; asking about disk quotas is one of those simple questions that many sysadmin interviewees somehow missed. I’ve always figured Microsoft should require one extra exam completion per year to maintain an MCSE certification. The extra test might actually reduce the number of “paper MCSEs”, instead of the IT field having to deal with a constantly growing number of them. Although, none of my interviewers at my current employer knew that Microsoft certification transcripts can be verified online.

Getting back to disk quotas, some readers may be interested to know that it’s possible to back up and restore Windows disk quota settings. That linked article references Windows XP, but the same steps also apply to Windows Server 2000 and 2003. Refer to the Microsoft KB article for details; here’s my summary:

  • Open the quota tab on a disk where quota management has been enabled.
  • Select the “Quota Entries…” button at the bottom.
  • From the Quota Manager, choose the Quota menu > Export > enter a file name and save the settings. Or, drag a quota setting or settings from the Quota Manager to a folder and they will be saved there automatically.
  • Import by choosing that option from the Quota menu and then navigate to the correct export file.



Windows DFS Not Mirroring Large Files? - Change Default 4GB Buffer Size

Windows DFS is supposed to do all sorts of useful things in a domain, like reducing mapped drives, acting as an online backup in the event of downed servers, and caching files locally so WAN usage doesn’t spike (see Microsoft’s DFS Infrastructure marketing info). For Windows DFS basics and setup information, WindowsNetworking.com has a good article explaining Microsoft’s DFS terminology and function; plus, I don’t feel like explaining everything and creating the screenshots like they offer.

Like all “infrastructure” tools, it adds complexity to the system and requires extra resources to function correctly. In particular, Windows DFS buffers all files that are changed locally before it copies them over to the other replicas. Unfortunately, since DFS (as of Windows 2003 SP1) copies entire files and not just the changes, it uses a lot of drive space as a buffer - and it can’t even replicate files that may exceed the buffer size. The default buffer size on Windows 2000 and 2003 Server is 4GB, so consider not replicating the files causing this problem. After all, pushing 4GB+ files around the WAN isn’t exactly efficient for DFS or any system.

To bump up the DFS buffer size, first make sure you have enough disk space locally to allocate it to the buffer and enough disk space remotely to accommodate the multi-GB file you’re about to send. Then open regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\. Change the value of the DWORD “Staging Space Limit in KB” to accommodate your largest files (remember MS still uses binary KB and MB based on multiples of 1024, instead of decimal 1000x units).



Using Windows Quota Management to Gather Per-User Disk Usage and to Prevent “Disk Full” Errors

One thing worth activating on any server hosting user shares (hosted user profiles, redirected “My Documents” folders, or folders assigned on a per-project basis - by using Active Directory groups) is Windows Disk Quota Management. I see it turned off, its default state on new Server 2003 installs, all the time. Many admins assume that it’s only useful if they plan to enforce user quotas, while many of them don’t spend the time to use quotas right.

So, on any server: right-click on the drive letter > select the “Quota” tab > check the “Enable Quota Management” box > make sure “Do not limit disk usage” is checked and then click OK. Quota Management is now enabled without any quotas being established or enforced. Revisit the disk’s Quota tab in an hour (or less for smaller domains) and click the “Quota Entries” button at the bottom of the tab. A window will open to display a per-user list of disk usage. That’s some good info to have, even if quotas aren’t going to be enforced (and it’s accessible from WMI scripts, and I may share some scripts to harvest it at a later date).

The reason most admins never implement quotas is that they assume the only way to do so is the “Limit disk space to…” option in the disk’s Quota tab. What good is it to set a quota if a few users are constantly bumping into it (i.e., Administrator, your supervisor, and some C-level Exec who makes a lot of noise every time he can’t use more disk space)? Thankfully, Server 2003 supports per-user quotas. Revisit the “Quota Entries” window and right-click on any user-name > select “Properties” from the menu. That’s it! Per-user quotas can be configured from this pop-up. Unless your server is sporting a few spare terabytes, I would recommend adding quotas for everyone, including the C-level Exec. Try to set a quota that spares a few GB of disk space. With a few GB spared from disk-hogs there aren’t 90 other users who can’t save anything to the server. Plus, if your disk-hog is an Executive, they’ll sometimes pass on enough budget dollars to buy new disk space.