Extend template file size to 50MB
C:\Program Files\Common Files\Microsoft Shared\web server extensions\12\BIN>stsadm -o setproperty -propertyname max-template-document-size -propertyvalue 5000000
Operation completed successfully.
14 Dec 2011
7 Dec 2011
Unprotect Excel sheet
Open protected sheet, right click an select View Code or press a short cut Atl+F11.
Copy and paste the below code and Run.
Enjoy :-)
Copy and paste the below code and Run.
Enjoy :-)
Sub PasswordBreaker()
Dim i As Integer, j As Integer, k As Integer
Dim l As Integer, m As Integer, n As Integer
Dim i1 As Integer, i2 As Integer, i3 As Integer
Dim i4 As Integer, i5 As Integer, i6 As Integer
On Error Resume Next For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
ActiveSheet.Unprotect Chr(i) & Chr(j) & Chr(k) & _
Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & _
Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If ActiveSheet.ProtectContents = False Then
ActiveWorkbook.Sheets(1).Select
Range(“a1”).FormulaR1C1 = Chr(i) & Chr(j) & _
Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & _
Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
Exit Sub
End If Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next
End Sub
6 Dec 2011
DPMRA can not start with error 1168
Verify you COM+ rights for the DPM agent. It could be that there is a missmatch in the rights.
Click START / Administrative Tools / Component Services
Expand Component Services / Computers / My Computer / DCOM Config
Right click on the "DPM RA Services" and choose properties. Verify that under the Security tab / Launch and Activation Permissions you got Customize marked, click the Edit... button in the ACL you should see the computer account for your DPM server. If it's not present add it and mark all allow boxes and try to start the service again.
Click START / Administrative Tools / Component Services
Expand Component Services / Computers / My Computer / DCOM Config
Right click on the "DPM RA Services" and choose properties. Verify that under the Security tab / Launch and Activation Permissions you got Customize marked, click the Edit... button in the ACL you should see the computer account for your DPM server. If it's not present add it and mark all allow boxes and try to start the service again.
15 Nov 2011
Troubleshooting Offline Address Book Generation on Exchange 2010
http://blogs.catapultsystems.com/IT/archive/2010/03/11/troubleshooting-offline-address-book-generation-on-exchange-2010.aspx
23 Oct 2011
Không còn PST nữa...haha....còn lâu...huhu
Mất hơn 2 tuần migrate Exchange 2003 sang 2010 xong và háo hức setup các hot features của Exchange 2010 để giới thiệu với bà con gần xa. Một trong số đó là Online Archive. Không còn pst file nữa, quá đã...haha.
Cho dù phải bấm bụng order thêm Enterprise CAL thì feature này cũng đáng đồng tiền bát gạo. Tạo riêng một mailbox db, enable online archive, vô OWA test thử, NOKIA..:-)...uống 1 ly cafe cho tỉnh táo cái đã để chuẩn bị document và email cho các users thì..... phát hiện nó chưa hề xuất hiện trong Outlook 2010 của mình, bộ Office 2010 Std mới implemented vài tháng trước....hmm
Đào bới các website về licensing thì té ngửa ra rằng feature này chỉ xuất hiện khi sử dụng Office 2010 phiên bản Pro Plus mà chỉ có em Volume Licensing mới có thoi nhehoặc phải sử dụng Outlook OEM or retail...:-(.
Má ơi đúng là lừa đảo kiểu Bill Gates cho dù ....Bill đã nghỉ hưu lâu rồi.
Nếu bạn là dân hay sử dụng đồ chùa thì không nói làm gì nhưng đã là dân sành điệu đã bỏ tiền ra mua chịu hàng hiệu :-) mà còn bị lừa thì đúng là đau còn hơn bò đá :-(. Đúng là không thể trách được tại sao người ta hay dùng crack...
Chính sách licence của Bill đã đủ phức tạp lắm lắm rồi mà còn cố ý cheat các khách hàng của mình nữa...bó tay thật...
Cho dù phải bấm bụng order thêm Enterprise CAL thì feature này cũng đáng đồng tiền bát gạo. Tạo riêng một mailbox db, enable online archive, vô OWA test thử, NOKIA..:-)...uống 1 ly cafe cho tỉnh táo cái đã để chuẩn bị document và email cho các users thì..... phát hiện nó chưa hề xuất hiện trong Outlook 2010 của mình, bộ Office 2010 Std mới implemented vài tháng trước....hmm
Đào bới các website về licensing thì té ngửa ra rằng feature này chỉ xuất hiện khi sử dụng Office 2010 phiên bản Pro Plus mà chỉ có em Volume Licensing mới có thoi nhehoặc phải sử dụng Outlook OEM or retail...:-(.
Má ơi đúng là lừa đảo kiểu Bill Gates cho dù ....Bill đã nghỉ hưu lâu rồi.
Nếu bạn là dân hay sử dụng đồ chùa thì không nói làm gì nhưng đã là dân sành điệu đã bỏ tiền ra mua chịu hàng hiệu :-) mà còn bị lừa thì đúng là đau còn hơn bò đá :-(. Đúng là không thể trách được tại sao người ta hay dùng crack...
Chính sách licence của Bill đã đủ phức tạp lắm lắm rồi mà còn cố ý cheat các khách hàng của mình nữa...bó tay thật...
18 Oct 2011
Exchange 2010 mailboxes can not send to 2003 mailboxes
PROBLEM
Now we installed a new Exchange 2010 server in the same domain as the exchange 2003 server and installed the CAS, Mailbox and Hub roles. Next we about to move 70 mailboxes to the new Exchange 2010 server. Everything looks fine, users with mailboxed on the Exchange 2003 server can send mail to users on Exchange 2010 server. But the users with mailboxes on Exchange 2010 server can't send mail to mailboxes on exchange 2003. These messages stay in the 'SmtpRelayToTiRg' queue with error : 451 4.4.0 Primary Target IP address responded with: "451 5.7.3 Cannot Achieve Exchange Server authentication"
~~~~~
SOLUTION 2
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1087732&SiteID=17
Integrated Windows Authentication was not turned on, on my Default SMTP Virtual Server.....WORKED FOR ME
~~~~
Now we installed a new Exchange 2010 server in the same domain as the exchange 2003 server and installed the CAS, Mailbox and Hub roles. Next we about to move 70 mailboxes to the new Exchange 2010 server. Everything looks fine, users with mailboxed on the Exchange 2003 server can send mail to users on Exchange 2010 server. But the users with mailboxes on Exchange 2010 server can't send mail to mailboxes on exchange 2003. These messages stay in the 'SmtpRelayToTiRg' queue with error : 451 4.4.0 Primary Target IP address responded with: "451 5.7.3 Cannot Achieve Exchange Server authentication"
~~~~~
SOLUTION 1
I installed a Windows 2007 Exchange server in to my 2003 environment this week. All went well apart from that the mail sending from the 2007 test mailboxes ended up in a queue called smtprelaytotirg. The error message given being 451 4.4.0 Primary Target IP Address Responded with (501 5.5.4 Auth Command Cancelled).
This queue is basically where 2007 is failing to deliver because it can’t route correctly.
The resolution in this case for me was easy. All the connectors were in place as they should be, but the transport for SMTP on the original master 2003 Exchange server had limited access to certain IP addresses.
I added the IP address for the new Exchange 2007 server and bang, 20 mins later the queue is empty.
Just a minor hurdle :) Oh, the other one to watch out for is making sure it can resolve either by IP or FQDN for the SMTP server, it’ll fail on netbios or just a single name. Anyone still relying on WINS needs shot in the face with a screw driver.
~~~~~I installed a Windows 2007 Exchange server in to my 2003 environment this week. All went well apart from that the mail sending from the 2007 test mailboxes ended up in a queue called smtprelaytotirg. The error message given being 451 4.4.0 Primary Target IP Address Responded with (501 5.5.4 Auth Command Cancelled).
This queue is basically where 2007 is failing to deliver because it can’t route correctly.
The resolution in this case for me was easy. All the connectors were in place as they should be, but the transport for SMTP on the original master 2003 Exchange server had limited access to certain IP addresses.
I added the IP address for the new Exchange 2007 server and bang, 20 mins later the queue is empty.
Just a minor hurdle :) Oh, the other one to watch out for is making sure it can resolve either by IP or FQDN for the SMTP server, it’ll fail on netbios or just a single name. Anyone still relying on WINS needs shot in the face with a screw driver.
SOLUTION 2
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1087732&SiteID=17
Integrated Windows Authentication was not turned on, on my Default SMTP Virtual Server.....WORKED FOR ME
~~~~
Unable to assign "Send As" rights to Organization Units in Microsoft Exchange Server 2010
http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB21225
Configuring the Microsoft Exchange Server 2010 permissions for the administrator account fails with insufficient permissions for the Users container, or any Organization Unit, even when logged in as a domain administrator. Assigning Send As rights to specific users, or groups, works successfully.
PowerShell Command: Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=example,DC=com"
Active Directory operation failed on example.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : DA172DD1,Microsoft.Exchange.Management.RecipientTa sks.AddADPermission
PowerShell Command: Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=example,DC=com"
Active Directory operation failed on example.com. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : DA172DD1,Microsoft.Exchange.Management.RecipientTa sks.AddADPermission
~~~~~~~
~~~~~~~
Blackberry offers an alternative for running that powershell command
1. Open Active Directory Users and Computers.
2. Select the View menu and ensure Advanced Features is checked.
3. Right-click the Domain Name or Organizational Unit where Send As permissions are needed and select Properties.
4. Click the Security tab.
5. Click Advanced at the bottom on the Security tab.
6. Select Add and enter your Blackberry Service Account name (for example, BESadmin) and select OK.
7. When the permissions screen appears, change Apply onto: to User Objects (or Descendant User Objects on Microsoft Windows Server 2008).
8. In the permissions box, scroll down and check the Allow box beside Send As and press OK.
9. Press Apply and OK to exit.
it worked for me...
1. Open Active Directory Users and Computers.
2. Select the View menu and ensure Advanced Features is checked.
3. Right-click the Domain Name or Organizational Unit where Send As permissions are needed and select Properties.
4. Click the Security tab.
5. Click Advanced at the bottom on the Security tab.
6. Select Add and enter your Blackberry Service Account name (for example, BESadmin) and select OK.
7. When the permissions screen appears, change Apply onto: to User Objects (or Descendant User Objects on Microsoft Windows Server 2008).
8. In the permissions box, scroll down and check the Allow box beside Send As and press OK.
9. Press Apply and OK to exit.
it worked for me...
~~~~~~~~
17 Oct 2011
Adjusting Exchange 2003 mail flow settings for Exchange 2010
Adjusting Exchange 2003 mail flow settings for Exchange 2010
When bringing Exchange 2010 server into an existing Exchange 2003 environment, you can't initially send and receive Internet mail via the hub transport server. This is because Microsoft recommends that you place an edge transport server between the Internet and your back-end Exchange server.
An edge transport server is actually a hardened Exchange server that sits on the network perimeter. It maintains message hygiene as SMTP mail flows in and out of an Exchange organization. The edge transport server also shields back-end Exchange servers from direct Internet exposure.
Using an edge transport server is a good idea, but it's not a requirement. Given the current economic climate, I expect that a lot of organizations implementing Exchange 2010 will initially forgo the edge transport server to save money. If you decide to do this, you'll have to configure your hub transport server to send and receive Internet mail.
Note: If you decide not to use an edge transport server, I recommend that you place your mailbox server role on a different Exchange Server, if possible.
To prepare your hub transport server to send and receive Internet mail, create a send connector. The send connector allows the hub transport server to send mail directly to the Internet.
To create a send connector, follow these four steps:
- Open the Exchange Management Console and navigate to Organization Configuration -> Hub Transport.
-
- Go to the Actions pane and click on the New Send Connector link.
-
- When the New Send Connector Wizard opens, set the connector's use to Internet.
-
- Click Next and set the address to *.
Exchange Server 2010 also uses a default receive connector to receive Internet mail. The hub transport server expects to receive mail from an edge transport server, not directly from the Internet. Because of this, the receive connector is configured to block all unauthenticated inbound SMTP traffic.
Since most Internet mail is not authenticated, you must configure the receive connector to allow anonymous SMTP connections. To do so:
- Open the Exchange Management Console and navigate to Server Configuration -> Hub Transport Server.
-
- Right-click on the receive connector and select Properties. Windows will display the receive connector's properties sheet.
-
- Go to the Permission Groups tab and select the Anonymous Users check box.
-
- Click OK.
Typically, the MX record for your domain will point to a firewall, which will reroute inbound SMTP traffic to an internal server. Therefore, you must reconfigure the firewall port forwarding to send SMTP traffic to the edge transport server or to the newly configured hub transport server.
Converting recipient policies to Exchange 2010 email address policies
Most Exchange organizations' internal domain names are different than the external domain names. For example, my primary external domain name is brienposey.com, but my Exchange servers reside on an internal domain named production.com. In this case, you must use recipient policies to define the appropriate external email addresses for your users.
Microsoft has replaced recipient policies with email address policies in Exchange Server 2007 and Exchange 2010. This means that when migrating from Exchange 2003, you'll need to convert your recipient policies into email address policies.
Doing so is quite simple. Open the Exchange Management Shell and enter the following command:
Get-EmailAddressPolicy | where {$_.RecipientFilterType –eq "Legacy"} | Set-EmailAddressPolicy –IncludeRecipients AllRecipients
This EMS command compiles a list of all mailboxes that use a legacy recipient policy. The command then converts the recipient policy into an email address policy.
http://searchexchange.techtarget.com/Adjusting-Exchange-2003-mail-flow-settings-for-Exchange-2010
16 Oct 2011
14 Oct 2011
RoutingGroup cmd
New-RoutingGroupConnector -Name "RGC 2003-2010" -SourceTransportServers "exchange2010FQDN" -TargetTransportServers "Exchange2003FQDN" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true
6 Oct 2011
Configuring Pass-through Disks in Hyper-V
Jeff Hughes
http://blogs.technet.com/b/askcore/archive/2008/10/24/configuring-pass-through-disks-in-hyper-v.aspx
A question the CORE Team gets asked frequently deals with configuring Hyper-V Guest with Pass-through disks. In this blog I will cover this topic.
Pass -through Disk Configuration
Hyper-V allows virtual machines to access storage mapped directly to the Hyper-V server without requiring the volume be configured. The storage can either be a physical disk internal to the Hyper-V server or it can be a Storage Area Network (SAN) Logical Unit (LUN) mapped to the Hyper-V server. To ensure the Guest has exclusive access to the storage, it must be placed in an Offline state from the Hyper-V server perspective. Additionally, this raw piece of storage is not limited in size so, hypothetically, it can be a multi-terabyte LUN.
After storage is mapped to the Hyper-V server, it will appear as a raw volume and will be in an Offline state (depending on the SAN Policy (Figure 1-1)) as seen in Figure 1.
Figure 1: Raw disk is Offline
Figure 1-1 SAN Mode determination using diskpart.exe
I stated earlier that a disk must be Offline from the Hyper-V servers' perspective in order for the Guest to have exclusive access. However, a raw volume must first be initialized before it can be used. To accomplish this in the Disk Management interface, the disk must first be brought Online. Once Online, the disk will show as being Not Initialized (Figure 2).
Figure 2: Disk is Online but Not Initialized
Right-click on the disk and select Initialize Disk (Figure 3).
Figure 3: Initialize the disk
Select either an MBR or GPT partition type (Figure 4).
Figure 4: Selecting a partition type
Once a disk is initialized, it can once again be placed in an Offline state. If the disk is not in an Offline state, it will not be available for selection when configuring the Guest's storage.
In order to configure a Pass-through disk in a Guest, you must select Attach a virtual disk later in the New Virtual Machine Wizard (Figure 5).
Figure 5: Choosing to attach a virtual disk later
If the Pass-through disk will be used to boot the operating system, it must be attached to an IDE Controller. Data disks can take advantage of SCSI controllers. In Figure 6, a Pass-through disk is attached to IDE Controller 0.
Figure 6: Attaching a pass-through disk to an IDE Controller
Note: If the disk does not appear in the drop down list, ensure the disk is Offline in the Disk Management interface (In Server CORE, use the diskpart.exe CLI).
Once the Pass-through disk is configured, the Guest can be started and data can placed on the drive. If an operating system will be installed, the installation process will properly prepare the disk. If the disk will be used for data storage, it must be prepared in the Guest operating system before data can be placed on it.
If a Pass-through disk, being used to support an operating system installation, is brought Online before the Guest is started, the Guest will fail to start. When using Pass-through disks to support an operating system installation, provisions must be made for storing the Guest configuration file in an alternate location. This is because the entire Pass-through disk is consumed by the operating system installation. An example would be to locate the configuration file on another internal drive in the Hyper-V server itself. Or, if it is a cluster, the configuration file can be hosted on a separate cluster providing highly available file services. Be aware that Pass-through disks cannot be dynamically expanded. Additionally, when using Pass-through disks, you lose the capability to take snapshots, and finally, you cannot use differencing disks with Pass-through disks.
Note: When using Pass-through disks in a Windows Server 2008 Failover Cluster, you must have the update documented in KB951308: Increased functionality and virtual machine control in the Windows Server 2008 Failover Cluster Management console for the Hyper-V role installed on all nodes in the cluster.
This completes our discussion. I hope you will find this information useful and share it with your colleagues.
Chuck Timon
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
http://blogs.technet.com/b/askcore/archive/2008/10/24/configuring-pass-through-disks-in-hyper-v.aspx
A question the CORE Team gets asked frequently deals with configuring Hyper-V Guest with Pass-through disks. In this blog I will cover this topic.
Pass -through Disk Configuration
Hyper-V allows virtual machines to access storage mapped directly to the Hyper-V server without requiring the volume be configured. The storage can either be a physical disk internal to the Hyper-V server or it can be a Storage Area Network (SAN) Logical Unit (LUN) mapped to the Hyper-V server. To ensure the Guest has exclusive access to the storage, it must be placed in an Offline state from the Hyper-V server perspective. Additionally, this raw piece of storage is not limited in size so, hypothetically, it can be a multi-terabyte LUN.
After storage is mapped to the Hyper-V server, it will appear as a raw volume and will be in an Offline state (depending on the SAN Policy (Figure 1-1)) as seen in Figure 1.
Figure 1: Raw disk is Offline
Figure 1-1 SAN Mode determination using diskpart.exe
I stated earlier that a disk must be Offline from the Hyper-V servers' perspective in order for the Guest to have exclusive access. However, a raw volume must first be initialized before it can be used. To accomplish this in the Disk Management interface, the disk must first be brought Online. Once Online, the disk will show as being Not Initialized (Figure 2).
Figure 2: Disk is Online but Not Initialized
Right-click on the disk and select Initialize Disk (Figure 3).
Figure 3: Initialize the disk
Select either an MBR or GPT partition type (Figure 4).
Figure 4: Selecting a partition type
Once a disk is initialized, it can once again be placed in an Offline state. If the disk is not in an Offline state, it will not be available for selection when configuring the Guest's storage.
In order to configure a Pass-through disk in a Guest, you must select Attach a virtual disk later in the New Virtual Machine Wizard (Figure 5).
Figure 5: Choosing to attach a virtual disk later
If the Pass-through disk will be used to boot the operating system, it must be attached to an IDE Controller. Data disks can take advantage of SCSI controllers. In Figure 6, a Pass-through disk is attached to IDE Controller 0.
Figure 6: Attaching a pass-through disk to an IDE Controller
Note: If the disk does not appear in the drop down list, ensure the disk is Offline in the Disk Management interface (In Server CORE, use the diskpart.exe CLI).
Once the Pass-through disk is configured, the Guest can be started and data can placed on the drive. If an operating system will be installed, the installation process will properly prepare the disk. If the disk will be used for data storage, it must be prepared in the Guest operating system before data can be placed on it.
If a Pass-through disk, being used to support an operating system installation, is brought Online before the Guest is started, the Guest will fail to start. When using Pass-through disks to support an operating system installation, provisions must be made for storing the Guest configuration file in an alternate location. This is because the entire Pass-through disk is consumed by the operating system installation. An example would be to locate the configuration file on another internal drive in the Hyper-V server itself. Or, if it is a cluster, the configuration file can be hosted on a separate cluster providing highly available file services. Be aware that Pass-through disks cannot be dynamically expanded. Additionally, when using Pass-through disks, you lose the capability to take snapshots, and finally, you cannot use differencing disks with Pass-through disks.
Note: When using Pass-through disks in a Windows Server 2008 Failover Cluster, you must have the update documented in KB951308: Increased functionality and virtual machine control in the Windows Server 2008 Failover Cluster Management console for the Hyper-V role installed on all nodes in the cluster.
This completes our discussion. I hope you will find this information useful and share it with your colleagues.
Chuck Timon
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support
28 Sept 2011
XP Screen saver has no settings option
1) Open the Registration Editor by Start menu > Run > enter "regedit"
2) Go here: "HKEY_CURRENT_USER\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\CONTROL PANEL\DESKTOP" (or use Ctrl + F)
3) Double click the binary data files and change their "value data"
ScreenSaveActive --> whether you're applying a screensaver
ScreenSaveTimeOut --> seconds after screensaver is activated
9 Jun 2011
Problems with "File Association" in Windows 7 64-bit
Symptom: + Associate program with file extension does not work. Program selected does not appear in the Open With window.
+ Default Program also does not work or it ignores all changes.
Problem: The program that you're pointing to isn't registered correctly.
~~~~~~~~~~~~~~
http://answers.microsoft.com/en-us/windows/forum/windows_7-files/problems-with-file-association-in-windows-7-64-bit/8a84fcec-22df-4942-8e35-d98dbe96e327
+ Default Program also does not work or it ignores all changes.
Problem: The program that you're pointing to isn't registered correctly.
Solution:
In regedit: Navigate to Computer\HKEY_CLASSES_ROOT\Applications and find your .exe name.
Navigate under its name to shell>open>command. In the Default change its location to the actual location of the executable, hit okay and then try and reassociate the file type as you normally would.
~~~~~~~~~~~~~~
http://answers.microsoft.com/en-us/windows/forum/windows_7-files/problems-with-file-association-in-windows-7-64-bit/8a84fcec-22df-4942-8e35-d98dbe96e327
5 Apr 2011
SSL Enabling OWA 2003 using your own Certificate Authority
1. Configuring the CA 2. Creating Certificate Request 3. Getting the Pending Request accepted by our CA 4. Appending the Certificate to the Default Website 5. Enable SSL on the Default Website 6. Testing our SSL enabled Default Website | |||||||
1. Configuring the Certificate Authority
The first thing to do is to decide which server should hold the Certicate Authority (CA) role, it could be any server as long as it’s at least a member server. If you have a single box setup, such as a Small Business Server (SBS), the decision shouldn’t be very hard.Note:
In order to add the Certificate Service Web Enrollment component (subcomponent to CA), which we’re going to use in this article, the server needs to be running IIS, so if you haven’t already done so, install IIS before continuing with this article. If you plan on installing the CA component on the Exchange server itself, then there’s nothing to worry about, because as you know, Exchange 2003 relies heavily on IIS, which means It’s already installed.
To install the CA component, do the following:
- Click Start > Control Panel > Add or Remove Programs
- Select Add/Remove Windows Components
- Put a checkmark in Certificate Services
We now have to select what type of CA to use, choose Enterprise root CA and click Next
In the following screen we have to fill out the Common name for our CA, which in this article is mail.testdomain.com.Leave the other fields untouched and click Next >
We now have the option of specifying an alternate location for the certificate database, database log, and configuration information. In this article we will use the defaults, which in most cases should be just fine.
Now click Next >
The Certificate Service component will be installed, when it’s completed, click Finish
2. Creating the Certificate Request
Now that we have installed the Certificate Services component, it’s time to create the Certificate Request for our Default Website. We should therefore do the following:- Click Start > Administrative Tools > Internet Information Services (IIS) Manager
- Expand Websites > Right-click Default Website then select Properties
- Now hit the Directory Security tab
- Under Secure Communications click Server Certificate…
As we’re going to create a new certificate, leave the first option selected and click Next >
Because we’re using our own CA, select Prepare the request now, but send it later, then click Next >
Type a descriptive name for the Certificate and click Next >
We now need to enter our organization name and the organizational unit (which should be pretty self-explanatory), then click Next >
In the next screen we need to pay extra attention, as the common name reflects the external FQDN (Fully Qualified Domain Name), to spell it out, this is the address external users have to type in their browsers in order to access OWA from the Internet.
Note: As many (especially small to midsized) companies don’t publish their Exchange servers directly to the Internet, but instead runs the Exchange server on a private IP address, they let their ISP’s handle their external DNS settings. In most cases the ISP creates a so called A record named mail.domain.com pointing to the company’s public IP address, which then forwards the appropriate port (443) to the Exchange servers internal IP address.
When your have entered a Common Name click Next >
Now it’s time to specify the Country/Region, State/Province and City/locality, this shouldn’t need any further explanation, when you have filled out each field, click Next >
In the below screen we have to enter the name of the certificate request we’re creating, the default is just fine, click Next >
In this screen we can see all the information we filled in during the previous IIS Certificate Wizard screens, if you should have made a mistake, this is your last chance to correct it. If everything looks fine click Next >
And finally we can click Finish.
3. Getting the Pending Request accepted by our Certificate Authority
Now that we have a pending Certificate Request, we need to have it accepted by our CA, which is done the following way:- On the server open Internet Explorer
- Type http://server/certsrv
Now that you’re welcomed by the Certificate Services, select Request a Certificate
Click advanced certificate request
Under Advanced Certificate Request click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Now we need to insert the content of the certreq.txt file we created earlier, you can do this by clicking the Browse for a file to insert or by opening the certreq.txt file in notepad, then copy/paste the content as shown in the screen below, then click Submit >
Now select Base 64 encoded then click Download certificate
Click Save
Choose to save the certnew.cer on the C: drive > then click Save
Close the Microsoft Certificate Services IE window.
4. Appending the Certificate to the Default Website
Okay it’s time to append the approved Certificate to our Default Website, to accomplish this we need to do the following:- Click Start > Administrative Tools > Internet Information Services (IIS) Manager
- Expand Websites > Right-click Default Website then select Properties
- Now select the Directory Security tab
- Under Secure Communications click Server Certificate… > then Next
Select Process the pending request and install the certificate > click Next >
Unless you have any specific requirements to what port SSL should run at, leave the default (443) untouched, then click Next >
You will now see a summary of the Certificate, again if you should have made any mistakes during the previous wizard screens, this is the final chance to correct them, otherwise just click Next >
The Certificate has now been successfully installed and you can click Finish
5. Enabling SSL on the Default Website
We have now appended the Certificate to our Default Website, but before the data transmitted between the clients and the server is encrypted, we need to click the Edit… button under Secure Communications. Here we should put a checkmark in Require Secure Channel (SSL) and Require 128-bit encryption just like below:
Now click OK.
6. Testing our SSL enabled Default Website
Now that we have gone through all the configuration steps necessary to enable SSL on our Default Website, it’s time to test if our configuration actually works.From the server (or a client) open Internet Explorer, then type:
http://exchange_server/exchange
You should get a screen similar to the one shown below:
This is absolutely fine, as we shouldn’t be allowed to access the Default Website (and any virtual folders below) through an unsecure connection. Instead we should make a secure connetion which is done by typing https, therefore type below URL instead:
https://exchange_server/exchange
The following box should appear:
Note: You may have noticed the yellow warning sign, this informs us The name on the security certificate is invalid or does not match the name of the site. Don’t worry there’s nothing wrong with this, the reason why it appears is because we aren’t accessing OWA through the common name, which we specified when the certificate was created. When you access OWA from an external client through mail.testdomain.com/exchange, this warning will disappear.
Click Yes
You will now be prompted for a valid username/password in order to enter your mailbox, for testing purposes just use the administrator account, like shown below:
Now click OK
We should now see the Administrator mailbox.
Notice the yellow padlock in the lower right corner, a locked padlock indicates a secure connection, which means OWA now uses SSL.
Final words
Even though it’s possible to run your OWA environments without securing it with a SSL certificate, I strongly advise against doing so, as this would mean any traffic send between the external OWA clients, and the Exchange server would be sent in cleartext (this includes the authentication process). As you now know SSL provides us with 128-bit encryption, but be aware enabling SSL in your OWA environment isn’t an optimal security solution, in addition to enabling SSL, you should at least have some kind of firewall (such as an ISA server) placed in front of your Exchange server(s). You might also consider enabling the new Exchange 2003 functionality Forms Based Authentication, which provides a few additional benefits such as a new logon screen, which, among other things, uses session cookies to make the OWA sessions more secure, unfortunately the Forms Based Authentication functionality is out of the scope of this article, but I will at some point of time in the near future write another article covering this funtionality.That was it for this time, I hope you enjoyed the article.
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
23 Mar 2011
How to use 256 bit SSL in IIS 6.0
1. Install the fix http://support.microsoft.com/kb/948963 which will install the cipher sutes AES 128 and AES 256.
2. The order of cipher suites on Windows 2003 is hard-coded. AES 128 is the highest priority. AES 256 is the next. We only need to disable AES 128 then AES 256 will have the highest priority.
a. Open regedit.exe on IIS 6.0 machine.
b. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers. You should be able to find there are many subkeys, e.g. AES 128/128.
c. In subkey AES 128/128, create a DWORD value “Enabled”. Set it as the value 0. It means we would disable AES 128.
3. Reboot the IIS 6.0 machine.
On Vista/Windows7 which support AES 256 machine, you can use IE to browse that IIS 6.0 web site through HTTPS. The SSL uses 256 bit encryption.
Cá nục cuốn bánh tráng
Bài này copy của Tran Ai 10/12/2006 |
Nguyên liệu:- Rau muống hạt 1/2kg - Bánh tráng gạo 300g - Cá nục thuôn mình các tròn và tươi xanh 1kg - Ớt, tỏi, chanh, muối, đường, nước mắm nhĩ Chuẩn bị - Cá nục rửa sạch để ráo nước - Ướp cá chừng 10 phút với 1 muỗng cà phê muối - Rau muống bỏ 1/3 lá, rửa sạch, để ráo - Ớt, tỏi giã nhuyễn. - Rửa sạch xửng, nồi hấp Thực hiện - Xếp cá vào xửng hấp (có lót 1 cái đĩa có lòng sâu để hứng nước cá hấp). - Đun nước sôi, đặt xửng hấp vào, chưng cách thủy chừng 10 - 15 phút là cá chín. - Bánh tráng nhúng nước sơ, để ráo. - Pha nước chấm Ớt, tỏi giã nhuyễn pha với 2 muỗng canh nước mắm nhĩ, thêm 1 muỗng cà phê đường, 1 muỗng cà phê nước cốt chanh, hoà với nước cá hấp (quan trọng là ở đây ;-) ) Trình bày - Cá hấp gắp ra đĩa, trang trí thêm 1 vài cọng hành hương, ngò. - Rau muống, bánh tráng, nước chấm. |
17 Feb 2011
Soup nấm
Lần đầu tiên tôi được ăn soup nấm là vào năm 2010. Ngon tuyệt!!! Nhất là được ăn trong cái gió lạnh và không khí trong lành của đêm Carlisle...mmmm. Peter sư phụ của tôi ở Carlisle người mà tôi gọi là Master chef đã thực hiện món này rất nhanh với một phong thái rất ư là ...thảnh thơi và thư giản. Đối với Pete nấu ăn là một nghệ thuật trộn các mùi lại với nhau để các thành phần nguyên liệu vẫn giữ được hương vị đăc trưng và thể hiện khi nó được vào đưa vào miệng.
Cách nấu soup nấm thật ra rất đơn giản và nguyên liệu để nấu nếu bạn đang ở các nước Tây Âu thì rất dễ. Tất cả đều được bán ở mall
Nếu bạn ở Việt nam thì cũng có thể tìm mua tại Big C
Nguyên liệu:
Món này dành cho 6 người ăn, mỗi người một tô...haha
Cách nấu
Nấm rơm, cần tây, củ hảnh, leak thái nhỏ
Cho bơ vào nồi rồi cho củ hành vào (4 phút), cần tây + leak(4 phút), sau đó nấm rơm. Nấu cho tới khi nào có nước xâm xấp thì cho nửa lít nước sôi và bột nêm vào nêm vừa ăn (hoặc cho stock pot với nửa lit nước sôi vào tô quậy đều rồi cho vào nồi). Nấu cho chín rục rồi dùng máy khuấy khuấy nhuyễn. Thêm tiêu vào khi ăn.
Món này khi trời lạnh mà được 1 chén thì quá đã...:-)
Nếu tây hơn nữa thì dùng cream cho vào nồi rồi mới khuấy nhuyễn.
Cách nấu soup nấm thật ra rất đơn giản và nguyên liệu để nấu nếu bạn đang ở các nước Tây Âu thì rất dễ. Tất cả đều được bán ở mall
Nếu bạn ở Việt nam thì cũng có thể tìm mua tại Big C
Nguyên liệu:
Món này dành cho 6 người ăn, mỗi người một tô...haha
- Nấm rơm: 400g
- Cần tây (celery stick): 8 cọng
- Củ hành trắng hoặc đỏ: 1 củ lớn bằng trái banh tennis
- Hành ba rô (leak): 1 cọng
- Hạt nêm Knorr hương nấm rơm và rong biển (nếu ở UK bạn mua vegetable stock pot)
- Cream
- Bơ
- Tiêu sọ xay
Cách nấu
Nấm rơm, cần tây, củ hảnh, leak thái nhỏ
Cho bơ vào nồi rồi cho củ hành vào (4 phút), cần tây + leak(4 phút), sau đó nấm rơm. Nấu cho tới khi nào có nước xâm xấp thì cho nửa lít nước sôi và bột nêm vào nêm vừa ăn (hoặc cho stock pot với nửa lit nước sôi vào tô quậy đều rồi cho vào nồi). Nấu cho chín rục rồi dùng máy khuấy khuấy nhuyễn. Thêm tiêu vào khi ăn.
Món này khi trời lạnh mà được 1 chén thì quá đã...:-)
Nếu tây hơn nữa thì dùng cream cho vào nồi rồi mới khuấy nhuyễn.
4 Feb 2011
VĂN KHẤN GIAO THỪA TRONG NHÀ
Thời khắc giao thừa, người miền Nam cúng ngoài sân và trong nhà. Lễ cúng đơn giản với dĩa ngũ quả, hoa trang hoặc vạn thọ, sống đời, hai cây đèn cầy, lư hương, giấy tiền vàng bạc và một trái dừa tươi đã chặt sẵn. Đúng giờ khắc chuyển giao, gia chủ đốt nhang, thành kính khấn theo bài khấn: “Vái chín phương trời, mười phương Phật…”
Đó là lễ cúng giao thừa miền Nam ngày nay đã lượt bớt một số công đoạn cũng như giảm đi phần lễ. Nếu đầy đủ và “đúng chuẩn” thì phần lễ cần: hương (3 cây nhang to), hoa, đèn nến, trầu cau, quần áo, mũ thần linh và mâm lê mặn. Với thủ lợn luộc, gà trống luộc, xôi, bánh chưng. Đặt biệt kèm thêm bắp cải thảo… tất cả được bày lên bàn trang trọng đặt ở trước cửa nhà. Vào đúng thời điểm giao thừa, người chủ gia đình phải thắp đèn, nến, rót rượu, rồi khấn vái trước án. Văn khấn có thể viết vào giấy để đọc, sau khi hết 3 tuần hương thì hoá tờ giấy viết văn khấn cùng vàng mã dâng cúng
Đó là lễ cúng giao thừa miền Nam ngày nay đã lượt bớt một số công đoạn cũng như giảm đi phần lễ. Nếu đầy đủ và “đúng chuẩn” thì phần lễ cần: hương (3 cây nhang to), hoa, đèn nến, trầu cau, quần áo, mũ thần linh và mâm lê mặn. Với thủ lợn luộc, gà trống luộc, xôi, bánh chưng. Đặt biệt kèm thêm bắp cải thảo… tất cả được bày lên bàn trang trọng đặt ở trước cửa nhà. Vào đúng thời điểm giao thừa, người chủ gia đình phải thắp đèn, nến, rót rượu, rồi khấn vái trước án. Văn khấn có thể viết vào giấy để đọc, sau khi hết 3 tuần hương thì hoá tờ giấy viết văn khấn cùng vàng mã dâng cúng
Khi khần xong gia chủ nên đốt thêm 4 cây nhang nhỏ, rồi ra cửa khấn tiếp và nhìn 4 hướng: Tây nam, Tây bắc, Đông bắc hoặc hướng Tây cho những người thuộc về Tây tứ trạch. Tiếp theo là khấn rước các vị tài thần mời họ vào để dùng hương hoa sắm lễ…của gia đình. Các vị tài thần gồm hỷ thần, tài thần… để cầu xin sức khỏe 1 năm an lành, hạnh phúc tấn tài tấn lộc, vạn sự như ý, an khang thịnh vượng. Do mỗi năm các vị tài thần đứng mỗi hướng khác nhau. Ví dụ: năm 2007 tài thần ở hướng Tây, hỷ thần Đông Nam. Vì vậy, gia chủ tốt nhất vái 4 hướng.
Lễ cúng giao thừa được cử hành đúng thời khắc giao thừa, kết thúc năm cũ, chuyển sang năm mới.
Ý nghĩa:
Lễ cúng giao thừa được cử hành đúng thời khắc giao thừa, kết thúc năm cũ, chuyển sang năm mới. Cúng giao thừa là một nghi lễ thành kính và trang trọng, toàn thể thành viên trong gia đình đứng trước bàn thờ gia tiên cầu khấn cho một năm mới được khoẻ mạnh, vạn sự may mắn tốt lành.
Sắm lễ:
Lễ vật trong lễ cúng giao thừa gồm:
- Hương hoa, vàng mã;
- Đèn nến;
- Trầu cau;
- Rượu;
- Bánh kẹo;
- Mâm cỗ mặn ngày Tết đầy đặn, thơm ngon, tinh khiết.
Sau khi cung kính bày lễ lên bàn thờ thì đốt nến (đèn), thắp nén hương thơm và thành kính cầu khấn.
VĂN KHẤN GIAO THỪA TRONG NHÀ
Nam mô a di Đà Phật!
Nam mô a di Đà Phật!
Nam mô a di Đà Phật
- Con lạy chín phương Trời, mười phương Chư Phật, Chư Phật mười phương.
- Con kính lảy Đức Dương lai hạ sinh Di lặc Tôn Phật.
- Con kính lạy Hoàng thiên, Hậu Thổ, chư vị Tôn thần.
- Con kính lạy Long Mạch, Táo quân, chư vị Tôn thần
- Con kính lạy – Các cụ tổ tiên nội, ngoại chư vị Tiên linh. .
Nay phút giao thừa năm……………………………………….
Tín chủ (chúng) con là………………………………………..
Phút giao thừa vừa tới, giờ Tý đầu xuân, đón mừng nguyên đán, tín chủ chúng con thành tâm, sửa biện hương hoa phẩm vật, dâng lên trước án, cúng dâng Phật Thánh, dâng hiến Tôn thần, tiến cũng Tổ tiên, đốt nén hương, thành tâm kính lễ.
Chúng con xin kính mời ngài Bản cảnh Thành hoàng chư vị Đại Vương, ngài Bản xứ Thần linh Thổ địa, Phúc đức chính thần, các ngài Ngũ phương, Ngũ thổ, Long Mạch Tài thần, các ngài Bản gia Táo quân và chư vị Thần linh cai quản ở trong xứ này giáng lâm trước hương án thụ hưởng lễ vật.
Con lại kính mời các cụ Tiên lnh Cao Tằng Tổ Khảo, Cao Tằng Tổ Tỷ, Bá Thúc Huynh Đệ, Cô Di, Tỷ Muội, nội ngoại Gia tộc, chư vị Hương linh, cúi xin giáng về linh sàng thụ hưởng lễ vật.
Tín chủ chúng con lại kính mời vong linh các vị Tiền chủ, Hậu chủ, y thảo thụ mộc ngụ tại đất này, nhân tiết giao thừa, giáng lâm trước hương án thụ hưởng lễ vật.
Cúi xin các vị phù hộ độ trì cho toàn thể gia chủ
Chúng con năm mới tốt lành, sức khoẻ dồi dào, tấn tài tấn lộc, vạn sự tốt lành, vạn điều như ý.
Chúng con lễ bạc tâm thành, nhất tâm kính lễ, cúi xin phù hộ độ trì.
Nam mô a di Đà Phật!
Nam mô a di Đà Phật!
Nam mô a di Đà Phật!
Subscribe to:
Posts (Atom)