Exchange 2010 – Out-of-office response (OOF) won’t turn off?
Posted by evan in Uncategorized on August 11, 2010
Two users reported the same problem this week: they turned on their out-of-office reply while they were out, then came back and turned it off. Except even after they turned it off, the autoreply was still being sent out. I had them log in to OWA and make sure it was off (maybe some weird bug with Outlook not registering the change in the server), which it was in both cases. I Googled hard and fast and couldn’t find anyone with this same problem.
I went in with PowerShell and checked their autoreply status via Get-MailboxAutoReplyConfiguration and it appears that it is, in fact, disabled:
[PS] C:\Windows\system32>Get-mailbox -identity username | Get-MailboxAutoReplyConfiguration
RunspaceId : 7ad7e9af-cd57-4572-a4fd-c1e999e4b9a5
AutoReplyState : Disabled
EndTime : 8/12/2010 12:00:00 PM
ExternalAudience : All
ExternalMessage :
InternalMessage :
StartTime : 8/11/2010 12:00:00 PM
MailboxOwnerId : [removed]
Identity : [removed]
IsValid : True
I used Set-MailboxAutoReplyConfiguration to set the messages to “” (empty string) and it’s still sending the user’s autoresponse, from before I blanked it out. My working theory right now is that the out-of-office message was set on both the Exchange 2010 server and the Exchange 2003 server (where the mailboxes were before I migrated them to 2010).
What a fun problem! It’s hard to test whether I’ve fixed it, since each sender only receives the message once, so I have to keep creating new test email addresses to send test messages.
Also, as an aside, why is “out-of-office” abbreviated “OOF” in Microsoft’s docs?
Edit 1: I had one user verify the message was off in OWA and then start Outlook via Start -> Run… “outlook /cleanrules” and this seemed to resolve the issue. Hopefully this isn’t required every time…
The sinister side of Google’s Picasa face tagging
Posted by evan in Uncategorized on August 6, 2010
So, let me start by saying that I love Picasa, Google’s photo organization tool. It automatically finds new photos as you add them to your hard drive. It lets you crop pictures, remove red-eye, adjust colors and make a few other basic edits that cover probably 95% of what most people need to do when editing photos. It lets you select a few photos from your library and email them to anyone with just a couple of clicks. It also integrates with Google Earth and Google Maps to show you on a map where a particular photo was taken (for those unaware, GPS-enabled cameras, including many mobile phone cameras [e.g., iPhone] embed your GPS coordinates within the EXIF metadata of the photo, so any person, program or website with access to the image will know the location at which it was taken).
It also has a nifty feature called face tagging. How this works, basically, is Picasa analyzes all of the photos in your library and looks for faces. There’s some algorithm in the program that can recognize that two eyes, a nose, a mouth and maybe some hair is a face. So if you use the face-tagging feature, Picasa shows you a page of faces extracted from your photo library. Initially these photos have no names, but Picasa does some basic grouping of them. For example, it doesn’t know who your Uncle Bob is, but it does know that these 14 photos are all of the same person. The grouping feature isn’t perfect, but it is very helpful when you decide to apply a name to the group of photos – tagging 14 photos instead of one is a great time-saver.
This feature only really becomes useful if you start tagging faces with real names — i.e. if you tag the photos of Uncle Bob by telling Picasa “these are photos of Uncle Bob.” If you facetag enough photos, Google will start “guessing” the name for a particular face, and tagging it automatically. This feature is also not perfect, but I imagine they’re working on improving it all the time.
So, this all happens on your computer, within Picasa. I’m not so much of a tinfoil hat type as to suggest Google’s doing anything in particular with the data on your computer itself. The “problem” as I see it is that when you tag a photo of Uncle Bob, Picasa pulls Uncle Bob’s contact info out of your Gmail contacts. So essentially, you’re tying a face to an email address. As I said, I don’t think Google’s surreptitiously going to use the info that resides on your computer.
But in addition to Picasa, the photo organization tool you run on your computer, Google offers an online photo album service called Picasa Web Albums. This is similar to other services, Flickr being the largest, that offer a simple way to upload photos and share them with others. All users get 1 GB of free storage, and you can buy more pretty cheaply (as of today you can get 20 GB for $5/year). As you might expect from the names, Picasa and Picasa Web Albums integrate very well. If you create an album within Picasa, all you have to do to upload it to Picasa Web Albums is click the “Sync This Album” button. It will then upload all the photos in the album to Picasaweb.
Here’s where the potential creepy part starts. Let’s say you have a photo in Picasa, that you took on August 4th, 2010, at 10:00 AM, and you’ve tagged 2 faces in it: Aunt Alice (alice@gmail.com) and Uncle Bob (bob@gmail.com). Let’s further say that you took this photo with your iPhone, so the GPS coordinates are embedded in the photo metadata. You upload the photo to Picasa Web Albums. Well, now you’ve just told Google the following:
- What alice@gmail.com looks like.
- What bob@gmail.com looks like.
- Where alice@gmail.com and bob@gmail.com physically were (via GPS coordinates) on 8/4/2010 at 10:00 AM
There’s lots of other information you’ve probably also told them, but these are the data that are creeping me out lately. If your album has 20 or 30 photos of Alice and Bob that you’ve tagged with their contact info then Google’s got a pretty good idea what they look like – if the Picasa desktop app is able to guess who people in your photos are based on some algorithm inside it, imagine what Google’s billion-dollar datacenters can do?
In all likelihood, you aren’t the only one uploading photos of Alice and Bob. Other people at other events tag photos of Alice and Bob and upload them to Google, further “teaching” this massive computer brain what Alice and Bob look like (since email addresses are basically internet-wide unique IDs, two photos tagged with the same email address can generally be assumed to be the same person). Alice and Bob may never use Picasa, may not even own a camera themselves, and may not even use Google at all. But at this point Google knows what they look like and where they’ve gone – completely apart from their computer-based activities.
I think facial recognition is going to become huge for marketers over the next decade or so. Picasa offers users a useful feature that seems like it has this sinister other side to it – basically building an enormous crowdsourced facial recognition database, so they’ll be able to identify millions of people right out of the gate. If New York City ever gives Google access to its street cams, Google will be able to track the activities of millions more people without their knowledge or consent. Combine that with the existing knowledge Google has – if your iPhone checks your Gmail account, they know your general location at any given time anyway, just based on IP address – and they can create a pretty accurate (in advertising terms) picture of you. And with facial recognition, it will actually BE a picture of you.
Much is made of Google’s “Don’t Be Evil” motto (and I couldn’t write this without throwing those 3 words in), and I tend to be somewhat of a Google fanboy myself. However, much like government, what you have to worry about isn’t always what the current regime is doing with its power, but what the regime 10 or 20 or 100 years from now will do with it. I’m sure Google has rules about how these data are used, but rules change; rules are broken. If there’s one rule that seems inviolate throughout human history it’s that power corrupts. Knowledge is power. Or something.
Well, whatever. I still love Picasa, it just gives me this creepy feeling sometimes. This stuff is all completely voluntary, nobody is being forced to use any of these features, but like I said, Uncle Bob and Aunt Alice were tagged in a photo by someone else – you don’t need to do anything to have your face added to the Great Google Face Database In The Sky. This is something I’ve been thinking about for a while, but I was prompted to write it down based on Eric Schmidt’s recent comment, “Show us 14 photos of yourself and we can identify who you are.”
Changing Active Directory Password in Browser through OWA 2010
Posted by evan in Uncategorized on August 5, 2010
A few months ago I was on a quest to figure out how to change my Active Directory password via a browser (for Linux/Mac users). I finally figured it out, but since I’ve been working on this Exchange 2010 migration I noticed one of the features of OWA (Outlook Web App) in Exchange 2010 is that you can change the AD password right in the browser from within the app:
The new OWA has a zillion other awesome features, my favorite being that Firefox and Chrome are no longer second-class-citizens and can use the “full version” now, even on Linux. So anyway, I guess all my work was for nothing. Not the first time (or the last).
Vonage iPhone App Calls Facebook Friends Free, So What?
Posted by evan in Uncategorized on August 5, 2010
Lots of outlets seem to have picked up the story about the new Vonage iPhone app that lets you call your Facebook friends free. I don’t understand why this is even newsworthy. There are a bunch of free VOIP apps for iPhone already, with Skype being the one that comes to mind first. But a couple of other things have me scratching my head about this story:
- AT&T doesn’t offer the unlimited data plan for iPhone anymore, so this “free” call could end up being pretty expensive over 3G.
- If you’re making a call to another friend with the iPhone app, then your friend probably has an iPhone. They’re also probably on AT&T, so a regular voice call to them would be free anyway. So just call them?
This might make more sense to me if your friend is outside the US, or they come out with a similar app for other platforms, but even then… so what? Free VOIP calls aren’t new. Is it just the Facebook tie-in? I don’t get the buzz. Maybe it’s because I have 5,000 rollover minutes with AT&T.
Microsoft Office 2007’s awful user interface
Posted by evan in Uncategorized on August 2, 2010
Office 2007 is pretty old by now, and I know much has been written on the move from a “normal” looking app to the “Ribbon” UI. I personally hate the change and feel Microsoft just changed the UI as a way to make the application look “different” so that people will look at it and go “oooh, shiny!” and not feel as bad about being forced into another $400 upgrade of a word processor. Sure, Excel’s row limit was finally raised beyond 64k, and I’m sure there were some other tweaks, but .docx? .xlsx? Yet more file formats, ensuring most businesses will feel compelled to upgrade. If your clients are upgrading, you’re going to have to.
Anyway, that’s all well documented. What may not be is the ridiculous location of the SMTP header info in a message in Outlook. If you want to view this interserver communication, which is invaluable when debugging mail issues, you can either A) right-click the message in the inbox, or B) … Well, in Office 2003, there was a way to do this from within the open message. I didn’t think there was a way to do it from within the message in Outlook 2007, but it turns out there is. It’s just retarded:
WTF?
Dear Microsoft: please drop the “Ribbon” completely and go back to menus, or at least provide that as an option. This UI is awful.
Amazon EC2 – ext3 mkfs takes 30+ minutes?
Posted by evan in Uncategorized on August 2, 2010
I’ve been playing around with Amazon EC2 for a new project I’m working on and so far I’m really impressed. One thing I’ve noticed, however, is that it takes forever to create an ext3 filesystem on a new volume. For example, the below command took over 30 minutes to create the filesystem on a 300 GB volume:
# mke2fs -j -m0 /dev/sdf1
mke2fs 1.40.4 (31-Dec-2007)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
39321600 inodes, 78642183 blocks
0 blocks (0.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
2400 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 38 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
It took about 30 seconds to do everything up to the writing of the superblocks. Not sure why this takes so long, but it’s happened for every EBS volume I’ve formatted ext3. Annoying. Initially I thought it was hanging, and ended up terminating an instance that wouldn’t shut down or let me cancel the operation. The terminated instance is still being displayed in the UI with a status of “terminated” and I can’t find any way to remove it from the list.
Testing LinkedIn/WordPress Integration
Posted by evan in Uncategorized on July 30, 2010
Supposedly if I tag a post “linkedin” it will show up and spam everyone on my LinkedIn. That sounds wicked.
Edit: The URL I had to use was http://www.evanhoffman.com/evan/tag/linkedin/feed/ (it kept looking for /?feed=rss2&tag=linkedin which didn’t work properly).
Outlook 2007 & Exchange 2010 Autodiscover SSL certificate error annoyance
Posted by evan in Uncategorized on July 27, 2010
One of the more annoying side effects of migrating my mailbox to Exchange 2010 has been the nagging of Outlook 2007’s Autodiscovery feature. Now, every time I start Outlook I get hit with a certificate error for autodiscover.domain.com. Now, autodiscover.domain.com is a CNAME to mail.domain.com, which is the OWA URL for the CAS. The SSL certificate is valid – but it’s valid for mail.domain.com. I could buy an SSL certificate from GoDaddy for $12.99 (an insanely great price, btw) for “autodiscover” but that would also require using another IP address on the CAS (since you can only bind one SSL certificate to an IP:port pair), and that seems like a waste of an IP address.
I found a possible solution in KB 940726. Basically you use this cmdlet to change the Autodiscover URI for internal clients:
Set-ClientAccessServer -Identity <CAS_Server_Name> -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
You’d replace mail.contoso.com with the external URL of your OWA server (in my case, mail.domain.com). I’ve made the changes but I think I need to wait for AD propagation. Hopefully this will resolve it, because I don’t want to move everyone’s mailboxes over until this thing is “perfect,” whatever that means.
Edit: I also needed to add a SRV record so Outlook would know what host to check for autodiscovery when outside the domain.
Edit 2: Also need to install a hotfix or be running Outlook 2007 SP1 or later for the SRV functionality.
Edit 3: It occurs to me that a simpler fix for this issue may be simply to delete the DNS record for autodiscover entirely. That way, when Outlook attempts to open the SSL connection to autodiscover.domain.com, it gets an NXDOMAIN error and (should) silently skip it. Unfortunately we have wildcard DNS active for our domain.
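Why the CNAME does not make the error go away while the internal URI and the SRV record do, as an added example (not from the original post or from Microsoft): a TLS client validates the certificate against the name it asked for, never the CNAME target, whereas the SCP URI and an SRV target each give Outlook a different name to connect to. The matcher is a simplified RFC 6125-style check; function names are hypothetical, the host names and certificate name lists are constructed, and only the lookup steps the post touches are modelled.

```python
from urllib.parse import urlsplit

def name_matches(pattern, host):
    """Exact match, or '*' standing in for the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # refuse '*.com'-style patterns; compare everything right of the wildcard
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(san_names, host):
    """True if any name on the certificate is valid for the requested host."""
    return any(name_matches(n, host) for n in san_names)

def autodiscover_hosts(smtp_domain, scp_uri=None, srv_target=None):
    """Host names the client will validate a certificate for.
    scp_uri    : value of AutodiscoverServiceInternalUri (domain-joined clients)
    srv_target : target of _autodiscover._tcp.<domain> SRV, if published
    A CNAME on autodiscover.<domain> changes nothing in this list."""
    hosts = []
    if scp_uri:
        hosts.append(("SCP internal URI", urlsplit(scp_uri).hostname))
    hosts.append(("autodiscover.<domain>", "autodiscover." + smtp_domain))
    if srv_target:
        hosts.append(("SRV target", srv_target.rstrip(".")))
    return hosts

def audit(smtp_domain, san_names, scp_uri=None, srv_target=None):
    """Return (lookup step, host, certificate_ok) for each candidate."""
    return [(step, host, cert_covers(san_names, host))
            for step, host in autodiscover_hosts(smtp_domain, scp_uri, srv_target)]

if __name__ == "__main__":
    # Constructed setup matching the post: one certificate, issued for mail.domain.com
    rows = audit("domain.com", ["mail.domain.com"],
                 scp_uri="https://mail.domain.com/autodiscover/autodiscover.xml",
                 srv_target="mail.domain.com.")
    for step, host, ok in rows:
        print(f"{step:24} {host:28} {'ok' if ok else 'NAME MISMATCH'}")
```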
Other useful resources:
- MS Exchange Team blog post comparing the various autodiscover schemes.
- Set-ClientAccessServer.
- Test Exchange Connectivity
- Setting Autodiscover URL via DNS SRV record
- Autodiscover whitepaper.
- Example Autodiscover BIND record – _autodiscover._tcp.domain.com. SRV 0 0 443 webmail.domain.com.
- Debug Autodiscover by right-clicking the Outlook icon in the system tray while holding down Ctrl
- Verifying SRV records exist with nslookup
- What version of Outlook am I running? You need SP1 or later for the SRV hack.
- Hotfix for Outlook 2007 (pre-SP1) to use SRV records for autodiscovery
The Joy of Migrating from Exchange 2003 to 2010
Posted by evan in Uncategorized on July 20, 2010
I’ve been working on migrating from Exchange 2003 to Exchange 2010 for several weeks. Actually, at this point it feels like several months. Now that I think about it, I guess that’s because it’s actually been several months.
Back in January or February, I got fed up with the Exchange setup I inherited: our Exchange 2003 server was running on a server in the basement of our office, on non-UPS power, with a power company that likes to pull shenanigans (like 3-4 hour outages every few months). In addition, the physical machine itself has some weird bug where it would hang at the POST screen complaining about some USB device, even though there are no USB devices plugged in, and USB is disabled in the BIOS. Meanwhile, in the datacenter, I had recently finished migrating most of our ancient physical servers to virtual machines on beautiful new hardware. It didn’t take long to see the solution that seemed to be obvious: move Exchange to the datacenter, in a VM.
There was a major wrinkle in this plan, however: there were no quota limits enforced in Exchange, and the average mailbox was 6-7 gigabytes, with 4 users over 10 gigs. At the time, we only had a 5 mbit upload connection to the datacenter, and the total size of the mailboxes was around 400 gigs. I didn’t want to spend weeks and weeks moving tons of mail over a slow pipe – and with mailboxes being so big, I wasn’t sure I could even complete some of them overnight.
At this point I brought up the idea of migrating the company to Google Apps. I’m a big fan of Gmail and moving off of Exchange would have certainly simplified some aspects of my job, and nobody would need Outlook (especially not me). I knew it would be a tough sell internally, but the pricing certainly didn’t help; it came out to $83/user/year for Google Apps + document retention. The price came out to about the same as upgrading to Exchange 2010. If it had been half or a third the cost I may have pushed harder, but to make the story (a little) shorter, we ended up sticking with Exchange, and instituting quotas.
We phased in the quotas over the course of a month to give users time to archive and clean up their mailboxes. Once that was done, I set up a new Exchange 2003 frontend server (in a VM) in the datacenter and pointed our webmail (OWA & ActiveSync) there. So we had the frontend in the datacenter and the backend “mailbox” server still in the office. I then set up another VM running Exchange 2003 in the datacenter. This enabled me to move mailboxes over one at a time with almost no interruption in service, except for the user whose mail was in transit. Since we instituted quotas, the mailboxes were all under 2 GB, and I was able to do 6-10 mailboxes each night.
I can’t tell you how happy I was when we lost power yet everyone retained full connectivity to email via their phones (except BlackBerry users, since BES was still in the basement — note to RIM: ActiveSync!).
So phase 1 & 2 (instituting quotas and moving email out of the basement) were complete. Phase 3 was the bigger unknown – moving to Exchange 2010. After lots of reading and planning, installing, configuring and testing, about two weeks ago I set up a Client Access Server to serve as the new webmail “frontend.” Microsoft has some pretty great instructions for setting up 2003 and 2010 in coexistence, but basically you point your “real” webmail URL to the 2010 CAS and move your “old” Exchange 2003 webmail to another url (they suggest legacy.company.com). Then people log in to the 2010 interface, and if their mailbox is housed on the 2003 server, it seamlessly redirects them to https://legacy.company.com/, and they don’t have to log in again. Pretty slick, and I didn’t believe it would work until I saw it for myself (which, btw, it does). So ActiveSync and Outlook Anywhere were working through the 2010 CAS even for the users housed on the 2003 server (which was all of them).
This week I started moving users over to Exchange 2010. So far it’s been mostly positive. We have several Mac users, so the ability for them to have native mail & calendaring is pretty epic. The Outlook Web App in Exchange 2010 is phenomenal. I mean, it almost brings a tear to my eye, it’s so beautiful – especially when compared with 2003. And being able to do server-side searching in OWA & on my iPhone is fabulous.
All is not perfect, though. I keep getting stupid certificate errors for Autodiscover when I open Outlook 2007. I guess I’ll need to buy another SSL certificate and dedicate another IP to this service… ugh. And now that I moved my mailbox to Exchange 2010, Outlook Anywhere appears not to work. Oh well, almost there…
When single-sign-on isn’t.
Posted by evan in Uncategorized on July 16, 2010
I’m looking into training courses for Exchange 2010, and to add a course to “My Learning,” which I guess is the equivalent of a shopping cart, I had to sign in with my Live.com ID. I have a Live.com ID because you need one to see your MS licenses and download ISOs, etc. It’s not as seamless as Google’s ID but it seems to work ok most of the time. But here’s an instance where it sucks:
I’m already logged in, why do I need to input all my info again? Including my email address, which was required to login?


