Apple delivers mammoth update, patches 58 bugs

Retires Tiger from security support with second Snow Leopard patch batch

Apple patched 58 vulnerabilities in its Mac operating systems today, the most since May 2009, including several in the QuickTime media player that it had fixed separately in early September.

Apple apparently also retired Mac OS X 10.4, aka Tiger, from security support; none of the patches affect that operating system, which debuted in April 2005. Apple traditionally stops providing security updates for its oldest still-supported OS several months after the release of a new edition.

Today's security update was the sixth from Apple this year, and the second that included patches for Snow Leopard , launched in late August.

"Seems a little large, but really, it's par for the course for Apple," said Andrew Storms, director of security operations at nCircle Network Security, referring to the number of individual bugs quashed in today's 2009-006 update. In May, Apple patched a record 67 vulnerabilities ; it addressed 55 in February, 33 in September, and 19 in two separate August updates.

http://www.networkworld.com/news/2009/111009-apple-delivers-mammoth-update-patches.html

Nov. 10, 1983: Computer ‘Virus’ Is Born

1983: Fred Cohen, a University of Southern California graduate student, gives a prescient peek at the digital future when he demonstrates a computer virus during a security seminar at Lehigh University in Pennsylvania. A quarter-century later, computer viruses have become a pandemic for which there’s no inoculation.

Cohen inserted his proof-of-concept code into a Unix command, and within five minutes of launching it onto a mainframe computer, had gained control of the system. In four other demonstrations, the code managed to seize control within half an hour on average, bypassing all of the security mechanisms current at the time. It was Cohen’s academic adviser, Len Adleman (the A in RSA Security), who likened the self-replicating program to a virus, thus coining the term.

But Cohen’s malware wasn’t the first of its kind.

http://www.wired.com/thisdayintech/2009/11/1110fred-cohen-first-computer-virus

Rogue Anti-Spyware Targets Sesame Street's Big Bird

The idea of malware distributors abusing Google Trends is not new. The bad guys have once again demonstrated that they, too, can take advantage of Google Trends. This time their target is Big Bird's birthday.

It's not new that the Google logo includes Big Bird; it does so on special occasions. The Google logo clearly shows Today's Hot Trends, and that's a target for malware writers.

This year is the fortieth anniversary of Sesame Street, and the bad guys have begun their attack. Searching for keywords such as Big Bird's birthday and Big Bird on Google displays pages with compromised sites.

More with video clip in http://www.avertlabs.com/research/blog/index.php/2009/11/09/rogue-anti-spyware-targets-sesame-streets-big-bird/

Certificação Microsoft: 248 Exames

Fazendo uma pesquisa rápida no site da Prometric eu resolvi criar uma lista com todas as atuais certificações que a Microsoft oferece, no total temos 248 exames de certificação para as mais diversas tecnologias. São 12 certificações (em azul) para o profissional que deseja comprovar conhecimento em Gerenciamento, Operações e Deploy. Veja:

Agora é só fazer sua lista e começar a estudar J

Obrigado pela leitura e até a próxima publicação,

Abraços.

Cleber Marques

Microsoft MVP & MCT | Charter Member: SCVMM & MDOP
Projeto MOF Brasil: Simplificando o Gerenciamento de Serviços de TI
Meu Blog | MOF.com.br | CleberMarques.com | CanalSystemCenter.com.br

Embedded Object treated as an image

Embedded Object treated as an image

I just wanted to share a little personal experience with Microsoft Word. I have my personal word document which contains an embedded zip object containing my Todolist files. I keep it as a single capsule for portabiity reasons. I just have one observation that when the object is copied using Word's clipboard operations and pasted to Explorer and even after that closing the Word document you would be getting a message like 'You placed a large image in the clipboard'.

I admit that binary objects are images from the DEV perspective but just thought Word should be more explanatory in the nature of the message when it comes to addressing and clearing the doubts of a non-tech-savvy person.

This applies to Microsoft Word 2003.

[KB] Hay puntos de restauración están disponibles cuando utiliza Windows Vista, Windows 7 o sistemas operativos basados en Windows Server 2008 en una configuración de arranque dual junto con un sistema operativo de Windows anterior

http://support.microsoft.com/kb/926185/es

[KB] No puede ver ni quitar los atributos de sólo lectura o de sistema de las carpetas en Windows Server 2003, Windows XP ni en Windows Vista

http://support.microsoft.com/kb/326549/es

[KB] Descripción de la herramienta System Update Readiness Tool para Windows Vista, para Windows Server 2008 y para Windows 7

http://support.microsoft.com/kb/947821/es

[KB] Cómo solucionar problemas de actualización de definiciones para Windows Defender

http://support.microsoft.com/kb/918355/es

Download Exchange Server 2010 RTM

As it was announced yesterday at Tech•Ed Europe 2009, Exchange Server 2010 is now available worldwide and can be downloaded from the Microsoft Volume Licensing site.

Microsoft Exchange Server 2010 helps IT Professionals achieve new levels of reliability with greater flexibility, enhanced user experiences, and increased protection for business communications.

• Flexible and reliable - Exchange Server 2010 gives you the flexibility to tailor your deployment based on your company's unique needs and a simplified way to keep e-mail continuously available for your users.
• Anywhere access - Exchange Server 2010 helps your users get more done by giving them the freedom to securely access all their communications - e-mail, voice mail, instant messaging, and more - from virtually any platform, Web browser, or device.
• Protection and compliance - Exchange Server 2010 delivers integrated information loss prevention, and compliance tools aimed at helping you simplify the process of protecting your company's communications and meeting regulatory requirements.

You can also download a trial version from here or from here.

Related Links:

• Exchange Server 2010 Release Notes
• Microsoft Announces Exchange Server 2010 Availability and Wave of Innovations at Tech•Ed Europe 2009
• Exchange Server 2010 is now available worldwide!

CodeCamp 2009: Sessies en OpenSpace

Als eerste: de sessies voor de CodeCamp 2009 zijn bekend en staan online op http://www.codecamp.nl We denken dat het een erg interessante mix van sessies is, met genoeg sessies voor iedereen om een aantal interessante onderwerpen voor iedereen. De agenda ziet er nu als volgt uit:

09:30 - 10:45
Around .net framework 4.0 in an hour (Ronald Guijt)
ASP.Net - MVC 2.0 (Sander Gerz)
Windows Mobile en het werken met data (Arjan van Huizen)

11:00 - 12:15
ADO.NET EF 4.0 (Kurt Claeys)
SharePoint Nightmares (Marianne van Wanrooij)
iPhone development met jQTouch (Maurice de Beijer)

13:15 - 14.30
VSTO 2010 met Office 2010 (Hassan Fadili)
Modulaire Silverlight apps met Prism (Timmy Kokke)
Microsoft Surface Development (Freena Eijffinger & Dennis Vroegop)

14:45 - 16:00
VSTS 2010 (Pieter de Bruijn)
Windows Identity Foundation (Michiel van Otegem)
SQL Azure (Marcel Meijer)

Naast deze sessies hebben we ook nog de OpenSpace sessies. Daar hebben we geen agenda voor maar dat ligt nu eenmaal in de aard van een OpenSpace gebeuren. In het kort komt het neer op het volgende: als je iets hebt waar je graag met een aantal mensen over wilt discussieren, schrijf je dat 's ochtends op een flip-over. Mochten mensen dat interessant vinden, dan kunnen ze een stem uitbrengen op dat onderwerp. In de lunchtijd (van 12:15 - 13:15) is dan de keuze aan de mensen waar ze heen gaan en aan welke discussie ze mee willen gaan doen. Heeft jouw sessie genoeg stemmen dan komen de mensen vanzelf wel naar je toe, zo niet: dan is je sessie blijkbaar niet interessant voor een grote groep. Het idee is dat we een aantal van deze sessies tegelijkertijd hebben zodat mensen kunnen kiezen wat ze doen. De inhoud van de lunch sessies laten we dus volledig aan de bezoekers over!

Denk eens na over sessies of onderwerpen en discussieer mee met je mede-ontwikkelaars over jouw favoriete onderwerp!

Ik kan haast niet wachten tot het 21 november is..

About that activation

About now you've figured out that my three day grace period has come and gone.  The one where when you move the server from the hardware to another hardware that it demands activation within three days. 

In order to do this test run I've obviously reactivated the moved box by now.  And since I'm still blogging and the firm is still chugging along on the existing SBS 2003 I'm obviously still able to run the existing (soon to be old) server with it's activated SBS 2003.  Microsoft doesn't move the activation from one box to the other.  They don't suck away the license from one box to the other.  The reactivation of the temporary box does not impact the running box.  Would it be legal to run like this indefinitely?  Heck no.  Am I only doing it to do a dry run of the migration?  Yes. 

If I reactivated the same product key code over and over again would at some point in the reactivation would it finally say enough is enough and require me to call in, talk to a human being, explain what I was doing?  Yes.  But there is a grace period built into server activations.

Should you for disaster recovery purposes need to reactivate, it does not impact the existing system.  Do be aware that OEM builds are not legal to do this.   Do be aware that some OEM builds are bios bound and thus check to ensure that they are on certain brands of hardware.  And do be aware that the only reason that I did this is that I can't blog, do a dry run migration of the server. wash my Mini Cooper, reglaze windows to prepare for a house painter coming tomorrow, as well as help out on the Center for Internet Security Windows 2008 benchmarks and do normal work all in three days grace time that the reactivation window allowed me.

OpsMgr: Pack d'administration ForeFront Protection 2010 for Exchange

Le pack d'adminitration ForeFront Protection 2010 pour Exchange est disponible.

Téléchargement : Forefront Protection 2010 for Exchange Server Management Pack for System Center Operations Manager 2007 v11.0.0324.00.

Ce pack d'administration est compatible avec Operations Manager SP1 et R2.

OpsMgr: Pack d'administration pour Exchange 2010

Le pack d'adminitration pour Exchange 2010 est disponible.

Téléchargement : Microsoft Exchange Server 2010 Management Pack for System Center Operations Manager 2007 v14.0.650.7. 

Ce pack d'administration est compatible avec Operations Manager SP1 et R2.

Populating a TreeView Control from a List

This post details first how to build a list containing the data to display in a WinForms TreeView control. Then it demonstrates how to use recursion to populate the TreeView control from the list.

[For information on populating a TreeView control from XML, see this link.]

First, create a class that will store the data for the TreeView.

In C#:

public class TreeViewItem
{
    public int ID { get; set; }
    public int ParentID { get; set; }
    public string Text { get; set; }
}

In VB:

Public Class TreeViewItem
    Public Id As Integer
    Public ParentId As Integer
    Public Text As String
End Class

The C# code uses auto-implemented properties to short-cut the code. The VB code is just me being lazy tonight. It is using Public fields instead of Public Properties as it should. (In VS 2010, VB will have auto—implemented properties as well.)

The class defines an Id associated with the item and a ParentId defining the Id of the parent item (that is the item under which this item will appear in the TreeView). It also has a Text property that contains the text of the TreeView node.

In the WinForm containing the TreeView control, add the code to build the list as shown below.

In C#:

List<TreeViewItem> treeViewList = new List<TreeViewItem>();

treeViewList.Add(new TreeViewItem() { 
          ParentID = 0, ID = 1, Text = "Parent node" });
treeViewList.Add(new TreeViewItem() { 
          ParentID = 1, ID = 2, Text = "First child node" });
treeViewList.Add(new TreeViewItem() { 
         ParentID = 1, ID = 3, Text = "Second child node" });
treeViewList.Add(new TreeViewItem() { 
         ParentID = 3, ID = 4, Text = "Child of second child node" });
treeViewList.Add(new TreeViewItem() { 
         ParentID = 3, ID = 5, Text = "Child of second child node" });

PopulateTreeView(0, null);

In VB:

Private treeViewList As New List(Of TreeViewItem)

treeViewList.Add(New TreeViewItem() With { _
        .ParentId = 0, .Id = 1, .Text = "Parent node"})
treeViewList.Add(New TreeViewItem() With { _
        .ParentId = 1, .Id = 2, .Text = "First child node"})
treeViewList.Add(New TreeViewItem() With { _
        .ParentId = 1, .Id = 3, .Text = "Second child node"})
treeViewList.Add(New TreeViewItem() With { _
        .ParentId = 3, .Id = 4, .Text = "Child of second child node"})
treeViewList.Add(New TreeViewItem() With { _
        .ParentId = 3, .Id = 5, .Text = "Child of second child node"})

PopulateTreeView(0, Nothing)

This code defines a generic List that contains the set of TreeViewItem instances. The Add method of the list sets the data into the list. It then calls the PopulateTreeView method (shown below).

The PopulateTreeView method uses recursion to populate the TreeView from the list.

In C#:

private void PopulateTreeView(int parentId, TreeNode parentNode)
{
    var filteredItems = treeViewList.Where(item => 
                                item.ParentID == parentId);

    TreeNode childNode;
    foreach (var i in filteredItems.ToList())
    {
        if (parentNode == null)
            childNode = treeView1.Nodes.Add(i.Text);
        else
            childNode = parentNode.Nodes.Add(i.Text);

        PopulateTreeView(i.ID, childNode);
    }
}

In VB:

Private Sub PopulateTreeView(ByVal parentId As Integer, _
                             ByVal parentNode As TreeNode)
    Dim filteredItems = treeViewList.Where(Function(item) _
                                     item.ParentId = parentId)

    Dim childNode As TreeNode
    For Each i In filteredItems.ToList()
        If parentNode Is Nothing Then
            childNode = TreeView1.Nodes.Add(i.Text)
        Else
            childNode = parentNode.Nodes.Add(i.Text)
        End If
        PopulateTreeView(i.Id, childNode)
    Next
End Sub

The PopulateTreeView method has two parameters: parentId and parentNode. The parentId is the Id value associated with the parent node. The code will find all items in the list with the defined parent Id. The parentNode is the TreeView node under  which the items are added.

The filteredItems variable contains the results of a lambda expression finding all of the items in the list with the passed in parentId.

The code then loops through those items and adds the nodes to the parent node.

It then calls itself, making the method recursive. The method call passes in the node's Id and the node itself. This will cause the method to load all of its child nodes.

When you run the code, the TreeView should appear as follows:

Enjoy!

Migration step twenty: Moving Public Folders

Now that we've moved the mailboxes, they all say "user mailbox" and not legacy mailbox.

So now onto public folders.  Go back to the SBS 2003 box, under administrative groups, under first administrative groups, under public folder store, right mouse click and "move all replicas".

Choose the new SBS 2008 (it's kinda hard not to as you only have that option) and click okay.  It will say that it will now move the replicas over.

Ooopsy I hit something here...

Googling that ... and I got
Exchange 2003 and The token supplied to the function is invalid ID: 80090308 « Smiling Geeks.com:
http://mlbtech.wordpress.com/2008/03/29/exchange-2003-and-the-token-supplied-to-the-function-is-invalid-id-80090308/

I unchecked the box in IIS, Exchadmin, clicked okay

Exchange 2003 and The token supplied to the function is invalid ID: 80090308 « Smiling Geeks.com:
http://mlbtech.wordpress.com/2008/03/29/exchange-2003-and-the-token-supplied-to-the-function-is-invalid-id-80090308/

Then went into adsiedit.msc and did the following:

1. In the properties of the virtual root Exadmin in IIS, go to the “Directory Security” tab.
2. In the “Secure Communications” section select “Edit”.
3. Make sure to deselect “Require secure channel (SSL)” and “Require 128-bit encryption.”
4. If the “Require 128-bit encryption.” is selected and greyed out, make sure to select “Require secure channel (SSL)” and deselect “Require 128-bit encryption.” then deselect “Require secure channel (SSL)” again.
5. Goto Windows 2000/2003 Support Tools and launch ADSI Edit.
6. In the left side pane expand the Configuration container.
7. Expand the following:
CN=Configuration
CN=Services
CN=Microsoft Exchange
CN=
CN=Administrative Groups
CN=First Administrative Group
CN=Servers
CN=Protocols
CN=HTTP
CN=1
CN=Exadmin
8. Right Click on CN=Exadmin and choose Properties.

Scroll down to “msExchSecureBindings” in the list of attributes.
10. Mark it and click “Edit”.
11. Mark the :443: entry, click “Remove” and then “Ok”.
12. Click “Apply” and then “Ok”.
13. Close out of ADSI Edit, close and reopen Exchange System Manager and test Public Folder access again

And bingo it then replicated the public folders.

The Official SBS Blog : Messaging Hygiene in SBS 2008:

The Official SBS Blog : Messaging Hygiene in SBS 2008:
http://blogs.technet.com/sbs/archive/2009/11/09/messaging-hygiene-in-sbs-2008.aspx

My take on the SSL MITM Attacks – part 1 – the HTTPS attack

If you’re in the security world, you’ve probably heard a lot lately about new and deadly flaws in the SSL and TLS protocols – so-called “Man in the Middle” attacks (aka MITM).

These aren’t the same as old-style MITM attacks, which relied on the attacker somehow pretending strongly to be the secure site being connected to – those attacks allowed the attacker to get the entire content of the transmission, but they required the attacker to already have some significant level of access. The access required included that the attacker had to be able to intercept and change the network traffic as it passed through him, and also that the attacker had to provide a completely trusted certificate representing himself as the secure server. [Note – you can always perform a man-in-the-middle attack if you own a trusted certificate authority.]

The current SSL MITM attack follows a different pattern, because of the way HTTPS authentication works in practice. This means it has more limited effect, but requires less in the way of access. You gain some security advantage, you lose some. The attacker still needs to be able to intercept and modify the traffic between client and server, but does not get to see the content of traffic between client and server. All the attacker gets to do is to submit data to the server before the client gets its turn.

Imagine you’re ordering a pizza over the phone. Normally, the procedure is that you call and tell them what the pizza order is (type of pizza, delivery address), and they ask you for your credit card number as verification. Sometimes, though, the phone operator asks for your credit card number first, and then takes your order. So, you’re comfortable working either way.

Now, suppose an attacker can hijack your call to the pizza restaurant and mimic your voice. While playing you a ringing tone to keep you on the line, he talks to the phone operator, specifying the pizza he wants and the address to which it is to be delivered. Immediately after that, he connects you to your pizza restaurant, you’re asked for your credit card number, which you supply, and then you place your pizza order.

Computers are as dumb as a bag of rocks. Not very smart rocks at that. So, imagine that this phone operator isn’t smart enough to say “what, another pizza? You just ordered one.”

That’s a rough, non-technical description of the HTTPS attack. There’s another subtle variation, in which the caller states his pizza order, then says “oh, and ignore my attempt to order a pizza in a few seconds”. The computer is dumb enough to accept that, too.

For a more technical description, go see Eric Rescorla’s summary at Understanding the TLS Renegotiation Attack, or Marsh Ray’s original report.

Let’s call these the HTTPS client-auth attack and the HTTPS request-splitting attack. That’s a basic description of what they do.

HTTPS client-authentication attack

The client-authentication attack is getting the biggest press, because it allows the attacker one go (per try) at persuading the server to perform an action in the context of the authenticated user. From ordering a pizza to pretty any activity that can be caused in a single request to a web site can be achieved with this attack.

Preventing the attack at the server.

Servers have been poorly designed in this respect – but out of some necessity. Eric Rescorla explains this in the SSL and TLS bible, “SSL and TLS” [Subtitle: Designing and Building Secure Systems] on page 322, section 9.18.

“The commonly used approach is for the server to negotiate an ordinary SSL connection for all clients. Then, once the request has been received, the server determines whether client authentication is required… If it is required, the server requests a rehandshake using HelloRequest. In this second handshake, the server requests client authentication.”

How does HTTP handle other authentication, such as Forms, Digest, Basic, Windows Integrated, etc? Is it different from the above description?

A client can provide credentials along with its original request using the WWW-Authenticate header, or the server can refuse an unauthorised (anonymous) request with a 401 error code indicating that authentication is necessary (and listing WWW-Authenticate headers containing appropriate challenges). In the latter case, the client resends the request with the appropriate WWW-Authenticate header.

HTTPS Mutual Authentication (another term for client authentication) doesn’t do this. Why on earth not? I’m not sure, but I think it’s probably because SSL already has a mostly unwarranted reputation for being slow, and this would add another turnaround to the process.

Whatever the reason, a sudden dose of unexpected ‘401’ errors would lead to clients failing, because they aren’t coded to re-request the page with mutual auth in place.

So, we can’t redesign from scratch to fix this immediately – how do we fix what’s in place?

The best way is to realise what the attack can do, and make sure that the effects are as limited as possible. The attack can make the client engage in one action – the first action it performs after authenticating – using the credentials sent immediately after requesting the action to be performed.

A change of application design is warranted, then, to ensure that the first thing your secure application does on authenticating with a client certificate is to display a welcome screen, and not to perform an action. Reject any action requested prior to authentication having been received.

Sadly, while this is technically possible using SSL if you’ve written your own server to go along with the application, or can tie into information about the underlying SSL connection, it’s likely that most HTTPS servers operate on the principle that HTTP is stateless, and the app should have no knowledge of the SSL state beyond “have I been authenticated or not”.

Doubtless web server vendors are going to be coming out with workarounds, advice and fixes – and you should, of course, be looking to their advice on how to fix this behaviour.

The best defence against the client-authentication attack, of course, is to not use client authentication.

Preventing the attack at the client

Not much you can do here, I’m afraid – the client can’t tell if the server has already received a request. Perhaps it would work to not provide client certificates to a server unless you already have an existing SSL connection, but that would kill functionality to perfectly good web sites that are operating properly. Assuming that most web sites operate in the mode of “accept a no-client-auth connection before requesting authentication”, you could rework your client to insist on this happening all the time. Prepare for failures to be reported.

Again, the best defence is not to use client authentication right now. Perhaps split your time between browsers – one with client certificates built in for those few occasions when you need them, and the other without client certs, for your main browsing. That will, at least, limit your exposure.

HTTPS Request-splitting attack

Preventing the attack at the server

The HTTPS Request-splitting attack is technically a little easier to block at the server, if you write the server’s SSL interface – there should be absolutely no reason for an HTTP Request to be split across an SSL renegotiation. So, an HTTPS server should be able to discard any connection state, including headers already sent, when renegotiation happens. Again, consult with your web server developer / vendor for their recommendations.

Preventing the attack at the client?

Again, you’re pretty much out of luck here – even sending a double carriage return to terminate any previous request would cause the attacker’s request to succeed.

The long term approach – fix the protocol

As you can imagine, there are some changes that can be made to TLS to fix all of this. The basic thought is to have client and server add a little information in the renegotiation handshake that checks that client and server both agree about what has already come before in their communication. This allows client and server both to tell when an interloper has added his own communication before the renegotiation has taken place.

Details of the current plan can be found at draft-rescorla-tls-renegotiate.txt

Final thoughts

Yeah, this is a significant attack against SSL, or particularly HTTPS. There are few, if any, options for protecting yourself as a client, and not very many for protecting yourself as a server.

Considering how long it’s taken some places to get around to ditching SSLv2 after its own security flaws were found and patched 14 years ago with the development of SSLv3 and TLS, it seems like we’ll be trying to cope with these issues for many years to come.

Like it or not, though, the long-term approach of revising TLS is our best protection, and it’s important as users that we consider keeping our software up-to-date with changes in the security / threat landscape.

Eseutil before the Move Mailbox

[Note: if you are wondering why the mailbox I am showcasing has the name of Chris Almida and that name is kinda familiar he's the Migration PM and I have a test mailbox on the server with his name]

The funky thing about the move mailbox command is that it sits there for a while and then all of a sudden a bunch of mailboxes move over.

Now obviously a test mailbox doesn't have much, he had a 3,820 KB mailbox and that moved over in 33 seconds.

Looks to be about 10 gigs an hour, give or take a bit?

If you go back to the SBS 2003 box, into the Exchange manager, then into the first administrative group and the mailbox store, you'll see the last logon and logoff times and you'll see the SBS account logging into the systems.

Keep in mind here that permissions do not get moved over so if you have any Send on behalf settings, you'll need to redo this.

This is where your eseutil will come in handy and hopefully has caught a lot of the corruption.

Reference for Common Eseutil Errors:
http://technet.microsoft.com/en-us/library/bb123621(EXCHG.65).aspx

Once again from the Overton book (and you should do this BEFORE the move mailbox step.

Just remember do this BEFORE you move the mailboxes to catch that potential corruption.

Migration Step Nineteen: Moving the mailboxes

So on the day that TechEd Berlin announced the availability of Exchange 2010, I'm doing a test migration from Exchange 2003 to Exchange 2007.  The funny thing is a lot of the keynote videos showcased Outlook 2010 features in conjunction with Exchange 2010.  So let's get the messy questions out of the way:

So now that I am migrating to SBS 2008, what happened to Outlook 2007?  Well it's like this, you see the Exchange folks unbundled the Outlook cal that used to be provided with Exchange and unless you are a software assurance customer, you don't get Outlook 2007 as part of the Exchange deployment.  Personally I think this was a dumb move because to me, as much as Microsoft wants us to move into the cloud, they also should reinforce the 'sticky'.  That is how well the Outlook on the desktop combined with the Exchange works together.  I call this the "sticky".

Mind you this is AFTER Office 2007 SP2 and the performance patch included in that.  When you install SP2 the very first time after launching, the Outlook will rebuild the database.  I still am a fan of www.xobni.com as an add on to help in searching email.  I've seen google wave and while it's interesting, the thoughts of forensics, rights and permissions and dragging Attorneys off of AOL means that it's okay but gang, don't get hyped up into the hype just because it's Google.  The collaboative platform still has a ways to go and issues to be ironed out including offline access and smaller form factors.   Just because the Scobleizers of the world are in hype mode, let's see it in action with real people using it first before drawing conclusions.

So anyway, we're ready to move mailboxes.  Unlike the demo at TechEd Berlin, we're kinda only planning to do this once and not willy nilly move about mailboxes on different servers.  Also keep in mind that Exchange 2010's mailbox database is different from Exchange 2007 so any future "upgrades" to Exchange 2010, Exchange 2020 (just kidding) will be a move mailbox again.  Even in BPOS it's a bit funky because at the current time the AD replicator tool runs on 32 bit only and not on a DC.  Okay.  And Exchange 2007/2010 is... 64bit now right?  And our servers are 64 bit as well?  Yeah that one didn't make sense either when I heard it.

Anyway back to the migration....

We go back to the migration instructions (let's not kid ourselves...we're the wizard here, there's no "wizard"), and keep in mind that we can do this as the box is live.  That said, it's wise these days to have a mail hygiene that is also a email storage device as a backup MX to you should something occur they will hold the email.

The Official SBS Blog : SBS Migrations: Troubleshooting Moving Public Folder Replicas:
http://blogs.technet.com/sbs/archive/2009/06/21/sbs-migrations-troubleshooting-moving-public-folder-replicas.aspx

Also review this post but remember they are talking about that OTHER smtp connector, not the SBS one where you probably put in a smart host forward.

That one there probably doesn't have the smart host setting that will stop a public folder replication. 

A reminder here that it's wise to go to an attached workstation and park out a copy of the public folder content.

Now what about doing this on a live machine?  That is the unique thing about this... you can.

Now here's where the "wizard" gets unwizardy.  As they point you to a help file.  We've already discussed that we should tell folks to delete all old unneeded email ahead of time. 

If you've installed Forefront on the SBS 2008, keep in mind that that is enabled from the get go and thus may (will) blocks file types that you may not want to block.

Also don't forget about the 2 gig gotcha --

1. The Exchange Message Store has a 2GB limit at installation time.

http://technet.microsoft.com/en-us/library/bb201753.aspx

For purposes of migration we're going to untick all of those in the Exchange 2007 console:

Similarly I'll do the same on the Public folders just to be safe.  I know they aren't that big but we can come back and put limits later.

1. The Standard User Role has a user quota for Exchange of 2GB.'

I'll go into the Standard user property and untick that box 

Once you've done that you can check the setting has been done right here:

How to Configure Storage Quotas for a Mailbox: Exchange 2007 Help:
http://technet.microsoft.com/en-us/library/aa998353.aspx

The Official SBS Blog : How Do I Change Message Size Limits in Exchange 2007?:
http://blogs.technet.com/sbs/archive/2008/10/28/how-do-i-change-message-size-limits-in-exchange-2007.aspx
And don't forget to change message limits later on for sending .... then I'll pull out a bit of Powershell (gag me with a spoon)

Go back to our migration checklist on the server, restart the Exchange migration topic (click next)

 Now this is where I prefer the David Overton SBS 2008 migation book because it gives me actual screen shots of what I'm supposed to be looking at.

I do use an email forwarder to www.exchangedefender.com and will need to set up the email forwarder on the SBS 2008 (where there is a wizard to do so).

But our goal here is to document and delete.  We don't need to migrate any pop connector settings.. so yea!  We don't have to do that.

Now we hop back to the Exchange management console on the SBS 2008 box.

We go to the Organization Configuration, then to the Mailbox, then to Offline address book, right mouse click and move

And we move the OAB over to the new server.

Don't forget to go into the properties of the moved OAB and tick the box to enable web based distribution and on the green "+" button to add the new SBS 2008 box.  (yes right about now is when you go.... yeah this ain't a wizard... this sucker is a checklist of tasks).

Now on to the mailboxes.

We go into the Receipient configuration, then into mailbox and check out all of those "legacy" mailboxes.  Those are what need to be moved.  Only the brand new SBS 2008 admin that you may have had to build to log into the SBS 2008 box is a normal new mailbox.

Hit control and highlight all the ones you want moved.  Right mouse click and hit move Mailbox.

Now unlike the person who demo'd moving mailboxes in Exchange 2010 at Teched Berlin, we're only planning to do this once and not move mailboxes around so much that that's a "feature".  We browse to our SBS 2008 server, choose the SBS 2008 "Mailbox Database" ..not the 2003 Mailbox store (and as an aside why do they call it a "store" anyway?  It's not like we buy things there, but I digress).  Click ok and click next.

Philip uses the setting of 100 for potentially corrupt messages http://blog.mpecsinc.ca/2009/06/sbs-2003-to-sbs-2008-migration-guide.html, David picked 9999.  I could split the different at 5000, but I'll try 100 since I ran the ESEUTIL stuff.

Choose the new domain controller and the new global catalog server (your new SBS 2008) and click next.

Normally we'll want to move email over a weekend or over night when there's less going on at the server.  We want to move this email now so we won't set up a time, we'll do this immediately, clicking that option and click next..

We're now ready to go and moving mailboxes...  Click move.

This is where how well your users listened to you when you said CLEAN YOUR MAILBOXES OUT!. 

Also if a mailbox fails, increase the corruption amount and try again.

I'll report back how long it took.  Until next time... stay tuned for the next chapter in "How the server migrated".