Effective immediately, any subsequent posts to Security is a State of Mind will be done on its new home in the Microsoft Philippines Community Site at http://msforums.ph/blogs/jpaloma/

It's the All Saint's / All Souls holiday season once again. As the rest of the country goes off to visit their long-lost relatives and reunite with their living ones, some of us will take the opportunity to upgrade their Exchange Server 2003 to SP2. This morning, I seized this opportunity on a client.

It was a rather effortless task, but I got a few surprises along the way. Here are some of my personal highlights:

BACKUP! BACKUP! BACKUP!
Backup your entire system and of course your Exchange Stores. 'nuff said!

REMOVE INTELLIGENT MESSAGE FILTER.
This feature, which is installed separately in SP1, is now integrated in SP2. If it is installed on a server that you will upgrade, we need to remove it.
SURPRISE, SURPRISE! some of you may not find Microsoft Exchange Intelligent Message Filter in Add/Remove Programs. Don't worry, I did the hard work for you so that you will not spend 2 hours figuring out how to remove the frikken thing: you just need to log on using the user account of the dude who installed IMF (which may not be the Administrator account). If the user account is no longer existing, tough luck for you! Try recreating the same account name, adding it to Domain Admins and Administrators domain groups and see what happens.

INSTALL SP2
May be a simple task of doubleclicking UPGRADE.EXE and having a few cups of coffee in the pantry, to so many sleepless nights until your coworkers go back to the office after the holidays. For me it was the former. I was out of the client's site within 2 hours.

REINSTATING INTELLIGENT MESSAGE FILTER.
The support articles tell us to enable it in the General properties of the smtp virtual server. I was expecting the same icon in the same place (same level as the SMTP virtual server). 30 mins have passed and we found it in the properties of the SMTP Virtual Server > General tab > Advanced > edit the VS instance > check the Apply Intelligent Message Filter box. Restart the SMTP service after this task

WHERE'S MY STANDARD EDITION 75GB MAIBOX STORE???
Bad news, folks, the promised 75GB mailbox store in Exchange Server Standard Edition is not there by default! Only 2 additional GB's are there (18GB from 1 of maibox store is available after upgrading to SP2). This is for good reason: your hardware might not support the additional capacity yet, and that on top of configuring the maximum store size manually on the registry, we can also configure the warning threshold as well as what time of day do we want Exchange to check if we are exceeding the threshold already.

Locate for the following registry
for keys for Mailbox store:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Private-Mailbox Store GUID

and for Public Folder store:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\Server name\Public-Public Store GUID

Add the DWORD value name Database Size Limit in Gb. Place there the Decimal value of your hard disk capacity (sans Transaction Logs, ok?)

As of time of writing, I am in talks with Microsoft Philippines on doing a 5-7PM TechNet event on this. Hope it will be very soon  ... but hopefully not shortly before the Microsoft Philippines Community EB on 11/22 ... cuz (shameless plug) my band Plug n' Play will do front act for Hale in that event!

Problem: Joining a client to a domain, promoting a member server to domain controller, or even logging on to the domain results in Domain Controller not found scenario.

Solution: Configure the clients to use Active Directory DNS Servers.

More Info: Ruling out network problems, a classic case of missing Domain Controllers may actually be corrected if proper DNS settings are set on the DNS Client. DNS is required to search for AD resources, inclusive of Domain Controllers and Global Catalog Servers. Simply put, clients cannot be able to locate for Domain Controllers if they do not use a DNS Server or use the DNS server that do not contain --- or at least refer to servers that contain --- the SRV records pertaining to your Active Directory forest.

There had been countless posts in the Microsoft Philippines Forums about ISA and Exchange basics. To answer that, I made this little writeup on Publishing Exchange Server on ISA Server 2004.

Click here to read more.

One of the best features of Active Directory is the ability to manage desktop computers and even servers centrally using Group Policies. Although its benefits are available out of the box, some organizations may be constrained to use very simple GP configurations because of concerns that anything more complicated might result in unpredictability! Unfortunately, having this state of mind causes a more complicated group policy configuration than what’s needed in the first place. This document provides some key points to help admins in designing their Group Policy infrastructure.

Click here to read more

I would like to express my gratitude to the attendees of the Securing your Microsoft Infrastructure with ISA Server 2004 Best Practices TechNet event. I hope to see more new faces in the next Microsoft Windows Server Security Series.

May I recommend that you do the following:

• Subscribe to this blog so you can get announcements, articles, and other important information on securing your systems
• Subscribe also to the Microsoft Philippines Community Forums and be a part of the increasing number of Microsoft technology professionals exchanging their ideas from technology to music to politics, to just plain nonsense!

Looking forward to the next TechNet event!

Securing your Windows Infrastructure with ISA Server 2004 Best Practices
http://www.msevents.ph/technetevents_9222005.aspx

Windows Server Security Series with Jay Paloma
Level 200

This technical briefing provides some best practices on configuring Internet Security and Acceleration (ISA) Server 2004 to provide maximum perimeter security to your Windows infrastructure.

Some of the topics that will be covered are as follows
- New features of ISA Server 2004 compared to ISA Server 2000
- Providing secure Internet access to users
- Securely publishing your Internet servers behind ISA
- Covering easily overlooked ISA configuration for infrastructure servers
- Using the new Reporting and Logging facilities to monitor for and detect anomalies
- Frequently asked configuration options

Date: Thursday, September 22, 2005
Time: 5:00 - 7:00
Venue: Exchange Room Microsoft Philippines 22nd Floor, Tower 2, The Enterprise Center 6766 Ayala Ave, Makati City, Philippines
Speaker(s): Jay Paloma

Securing your Microsoft infrastructure has a lot to do with one's mindset; what technology can deliver only comes second. This blog is a compilation of personal best practices intended to assist other infrastructure architects and administrators in their security efforts.

This compilation covers the infrastructure technologies of Microsoft: Windows Servers, Windows XP, Active Directory, ISA Server, Exchange Server, SMS and MOM. If you believe that additional knowledge in securing these technologies is relevant at what you do, then don't hesitate to Subscribe to this blog!

I hope that this compilation will be helpful to the intended audience. As human error would more often than not prevail in some entries, feedback is very much welcome from the readers.

Jay Paloma
Makati City, Philippines
September 19, 2005
jpaloma@hotmail.com