Posts Tagged ‘Microsoft’

This post is to illustrate that having strong IT policies in any organization is important. This seemed to be a case of broken configuration on the Exchange Server, and the users were flooded with spam email. The server had begun to take its last breath and it was time for us to come to the rescue and resuscitate it back to life.

A system admin has to take great care while putting a network into place, and just setting up Exchange Server securely is a daunting task. Though there were anti-spam measures in place, users started getting tons and tons of Viagra and Cialis mails. No one likes such personal emails in their official inbox, right? 😉 It all started when we noticed a mild increase in spam, but Postini took care of it to a good extent. The only problem was that email delivery had become slow. If you have noticed, once there is an outbreak of a certain kind of spam mail, it takes some time before the authorities step in and put a plug on it. Slowly, one particular type of spam reduces while an improved one starts pouring in, and it keeps the techies busy 😦 😛

In our case, the spam was being generated from within the company network rather than from outside. A system or group of systems had been compromised; a spam-bot had made itself cozy on the Windows machine and started its job. Unfortunately, we couldn’t completely figure out how the system got infected or the root cause of all this. The server needed CPR, and if we didn’t work on it immediately the users would strangle us to death. The malware had taken over disabled accounts and started sending mails to everyone, and also to unknown recipients. This resulted in a huge queue of postmaster mails waiting to retry and choking the network. The legit mails were stuck in the queue and were sometimes completely lost.

We had to work with Microsoft to get this under control. So, it was time to roll up the sleeves and get our hands dirty.

1. Time to clear up the postmaster NDRs

The Microsoft engineer suggested using a handy command line tool called “aqadmcli.exe”. This is a separate download and is used to search for mails in the queues and delete them. Firing up the command line, we enter:

setserver "Servername"
delmsg flags=sender,

Even after searching for the postmaster mails and deleting them, more spam kept coming back: delete 200 messages and another 50 would flood in. So, we immediately had to work on the firewall to get a breather.

2. Repair the chinks in the armor

Though the firewall was well configured, we had to tighten the security further. We configured a rule so that only port 25 was open, and only for Exchange. Any other app wanting to talk over this port: sorry baby, you need to try a different tongue (read: port). This helped control the flood to a large extent, and it was time to dress the wounds on the server.

3. Sender ID filtering

We already had Sender ID filtering in place.

In case you want to enable this on your Exchange, make sure that you have applied the hotfix mentioned in MS KB article 905214: Windows Server 2003 may stop responding when you enable Sender ID filtering on an SMTP virtual server in Exchange Server 2003 SP2.

4. Intelligent Message Filtering

The Spam Confidence Level (SCL) threshold was set to 7. We don’t want the filter to be too paranoid or too slack, so 7 fit the bill.

5. Connection filtering: let the good guys do the filtering for you

There are a few sites out there that publish lists of domains, ISPs and IP addresses that are blocked for sending spam, often because of infected machines. Using the Spamhaus Block List (SBL) on the Exchange server helps to prevent spam at a very early stage. Here is what Spamhaus has to say about the SBL:

“The SBL is queriable in realtime by mail systems throughout the Internet, allowing mail server administrators to identify, tag or block incoming connections from IP addresses which Spamhaus deems to be involved in the sending, hosting or origination of Unsolicited Bulk Email (aka “Spam”). The SBL database is maintained by a dedicated team of investigators and forensics specialists located in 10 countries, working 24 hours a day to list new confirmed spam issues and – just as importantly – to delist resolved issues”

We configure the Block List Configuration to let Spamhaus do the work of filtering the messages.

Hit the Edit button and configure as below.

Next, click on Return Status Code, choose Match Filter Rule… and add a few IPs from the 127.x.x.x range, since a few spam-bots are known to use these IPs to send out mails.
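The Return Status Code values the filter rule matches on are the answers a DNSBL sends back for a listed address, all inside the 127.0.0.0/8 range. Here is an added example (not the post's own material, and not Exchange's implementation) of that lookup in Python: it builds the reversed-octet query name for the Spamhaus SBL, interprets the 127.0.0.x answer, and treats any answer outside that range as a resolver problem rather than a listing. The resolver is a constructed offline stub, and the return-code descriptions are my own short summaries of the SBL codes, so verify them against Spamhaus's current documentation.

```python
import ipaddress
from typing import Callable, Dict, List

# A DNSBL such as the Spamhaus SBL is queried by reversing the octets of the
# connecting IPv4 address and appending the list's zone. An A record inside
# 127.0.0.0/8 means "listed" (that value is the return status code Exchange
# matches on); NXDOMAIN means "not listed".
SBL_ZONE = "sbl.spamhaus.org"
RETURN_CODES = {  # documented SBL return codes, described in my own words
    "127.0.0.2": "SBL listing (verified spam source)",
    "127.0.0.3": "SBL CSS listing (low-reputation source)",
}
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
Resolver = Callable[[str], List[str]]  # name -> A records, [] on NXDOMAIN

def dnsbl_query_name(ip: str, zone: str = SBL_ZONE) -> str:
    """192.0.2.10 -> 10.2.0.192.sbl.spamhaus.org (raises on malformed input)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_connection(ip: str, resolve: Resolver, zone: str = SBL_ZONE) -> Dict[str, object]:
    """Report whether an inbound SMTP connection from `ip` is listed.

    Only answers inside 127.0.0.0/8 count as a listing; anything else (e.g. a
    wildcard from a captive resolver) is reported as an error instead, so a
    broken resolver cannot silently block all inbound mail."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]
    if answers and not codes:
        return {"ip": ip, "listed": False, "error": f"unexpected answer {answers}"}
    return {"ip": ip, "listed": bool(codes),
            "reasons": [RETURN_CODES.get(c, f"unknown return code {c}") for c in codes]}

# Constructed stand-in for a real resolver (e.g. dnspython's
# dns.resolver.resolve(name, "A")). 127.0.0.2 is the address every DNSBL keeps
# permanently listed for testing, so its reversed form answers 127.0.0.2.
CONSTRUCTED_ANSWERS = {
    "2.0.0.127.sbl.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.sbl.spamhaus.org": ["127.0.0.3"],
    "7.100.51.198.sbl.spamhaus.org": [],               # not listed
    "5.113.0.203.sbl.spamhaus.org": ["203.0.113.99"],  # resolver returned junk
}

def stub_resolver(name: str) -> List[str]:
    return CONSTRUCTED_ANSWERS.get(name, [])
```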

6. Recipient Filtering – The untapped power of Exchange in spam blocking

This is the primary setting which helped to cut down on spam to a large extent. Remember I said that the bot was sending out mails from disabled accounts to a few unknown accounts as well? After reading up a bit on Exchange, I found that certain spammers send mail to users they hope exist in your domain, sometimes hoping to learn whether they exist by reading the NDRs generated by Exchange, and sometimes just sending to common names or running through a dictionary of names. So the Johns, Bobs and Alices were hit with dirty emails real bad.

In Recipient Filtering, check “Filter recipients who are not in Directory”. This setting ensures that mail the bot tries to send to people who are not in the Directory is automatically dropped. Cool stuff, huh!? 😉
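To see what recipient filtering is protecting against, here is an added example (not from the post) that picks the same two patterns out of SMTP protocol-log lines in Python: a client whose RCPT TO commands are mostly rejected as unknown users (a dictionary run against the directory), and MAIL FROM commands naming disabled accounts (the infected host's behaviour described earlier). The log format, addresses and disabled-account set are all constructed for the example and are simpler than Exchange's real W3C logs.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Constructed, simplified SMTP protocol-log lines (not Exchange's W3C layout):
# "<time> <client-ip> <verb> <argument> <smtp-reply>". 550 on RCPT = unknown user.
SAMPLE_LOG = """\
10:00:01 10.1.1.50 MAIL FROM:<jdoe@contoso.com> 250
10:00:01 10.1.1.50 RCPT TO:<alice@contoso.com> 250
10:00:02 10.1.1.50 RCPT TO:<bob@contoso.com> 550
10:00:02 10.1.1.50 RCPT TO:<carol@contoso.com> 550
10:00:03 10.1.1.50 RCPT TO:<dave@contoso.com> 550
10:00:03 10.1.1.50 RCPT TO:<erin@contoso.com> 550
10:00:04 10.1.1.50 RCPT TO:<frank@contoso.com> 550
10:00:09 10.1.1.20 MAIL FROM:<oldtemp@contoso.com> 250
10:00:09 10.1.1.20 RCPT TO:<alice@contoso.com> 250
10:00:12 10.1.1.30 MAIL FROM:<alice@contoso.com> 250
10:00:12 10.1.1.30 RCPT TO:<john@contoso.com> 250
10:00:13 10.1.1.30 RCPT TO:<nosuch@contoso.com> 550
"""
DISABLED_ACCOUNTS = {"oldtemp@contoso.com"}  # constructed: accounts disabled in AD

LINE_RE = re.compile(r"^(\S+) (\S+) (MAIL|RCPT) (?:FROM|TO):<([^>]*)> (\d{3})$")

def parse(log: str) -> Iterator[Tuple[str, ...]]:
    """Yield (time, client_ip, verb, address, reply) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def harvesting_clients(log: str, min_rcpt: int = 5, max_ok_ratio: float = 0.25) -> Dict[str, int]:
    """Client IPs whose RCPT TO attempts are mostly rejected as unknown users: the
    signature of a dictionary run against the directory. Returns ip -> rejected count."""
    total, rejected = defaultdict(int), defaultdict(int)
    for _, ip, verb, _, reply in parse(log):
        if verb == "RCPT":
            total[ip] += 1
            if reply == "550":
                rejected[ip] += 1
    return {ip: rejected[ip] for ip in total
            if total[ip] >= min_rcpt and (total[ip] - rejected[ip]) / total[ip] <= max_ok_ratio}

def disabled_senders(log: str, disabled: Set[str]) -> List[Tuple[str, str]]:
    """(client_ip, sender) pairs where MAIL FROM names a disabled account, which
    is how the infected host in the post was abusing the server."""
    return [(ip, addr) for _, ip, verb, addr, _ in parse(log)
            if verb == "MAIL" and addr.lower() in disabled]
```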

Bend the rules!

After making enough changes to how messages get delivered, it was time to let the server know how the SMTP protocol needs to be managed. Expand Servers –> Server Name –> SMTP, right-click Default SMTP Virtual Server and go to Properties. Next, go straight to the Access tab.

7. Authentication

Under Authentication, Anonymous access, Basic authentication and Integrated Windows authentication were all checked. The list of users behind the Users button showed that a few DLs and contacts were part of it. I made sure that only Authenticated Users remained, with only the Submit permission set to Allow.

8. Connection control: you’d better know who talks to whom

Back in the Access tab, hitting the Connection button takes you to another window. Here, we choose which IPs are allowed to connect to the virtual server. If you have different office sites set up, you can enter specific IP ranges from each site, and also customer office IPs if required.

9. Relay: kindly pass the message

Finally, we tell the server how to relay messages. Going to the Relay option in the Access tab, we again list only specific IPs.

If by accident you choose “All except the one below”, spammers can easily send mails through your server and flood others with them. Your Internet connection might be severed until you set things right, and that can mean major unexpected downtime during business hours.

Disaster… managed 🙂

Time to wipe your hands clean and get to another pressing issue. Just another day at the office 😉

P.S. I’m still very new to Exchange and got to learn a bit working on this. In case anyone finds mistakes, kindly point them out to me and I’ll be more than happy to edit the post accordingly.

Credits to Petri, Exchange Ninjas and numerous other exclusive Exchange sites which made me understand the concepts a tad bit better 🙂


A time comes in a server’s life when it will either be “retired from its job role” or “put to sleep”. This might sound very dramatic to the non-IT folks, but it’s not. Relax! Usually, “retiring a server from its job role” happens when demand increases and one single server cannot take up the burden of doing it all alone. So, one or more roles are removed and the server acts like a storage dump. The “putting to sleep” phase comes when the server is simply too dated for current technology and the option of installing a new application or server OS runs out.

Recently, I had the opportunity of “putting a server to sleep”. The job was to decommission a domain controller and shut it down, all while sitting thousands of miles away. This was an unnerving experience because of the complex nature of the job. We all generally get a DC set up in a lab within minutes, and if things go wrong there is always the option of reinstalling the OS 😀 This is a bad practice which a lot of institutes ask their students to follow. There is no real troubleshooting in it and you are not geared up for disaster management. Setting up a DC at a particular site with numerous servers which sync with each other is a tough job. However, I never realized that decommissioning would be tough as well.

The steps followed (for the most part) were from the official Microsoft site, and this was to be done on a multi-site network. My job was made slightly easier since its role as a RADIUS server had already been moved to another server by someone else.

Here are the steps that were followed:

1. Check the assigned FSMO roles

We need to make sure that the server is not holding any FSMO role. The server which needed to be decommissioned was named contoso-dc5. To check, fire up your command prompt and type:

netdom query fsmo

Here is the (modified) output of the command:

C:\Users\iamadmin>netdom query fsmo
Schema master
Domain naming master
RID pool manager
Infrastructure master
The command completed successfully

We can see that contoso-DC5 is not holding any FSMO roles. Good. Next step.

2. Transfer the Naming Master FSMO role

3. Transfer other FSMO roles such as the RID, PDC or Infrastructure roles.

Points 2 and 3 are not applicable in this case. So, we move to the next important step.

4. Remove the Global Catalog (GC)

This is the major step. You need to make sure that there are other GCs in the site. If it’s the last GC in the AD and you remove it, you’ll be unable to log on anymore. Do this carefully. Log into any other DC in the same site (I chose DC6) and make sure that there are other GCs by opening Active Directory Sites and Services.

a) In the console tree, expand the Sites container, expand the site of the domain controller you want to check, expand the Servers container, and then expand the Server object.

b) Right-click the NTDS Settings object, and then click Properties.

c) On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.

This was indeed a GC and, since I had made sure that other servers were acting as GCs, I went ahead and unchecked it on contoso-DC5. Allow a few minutes for the setting to replicate. Log off from the server where you performed the check (DC6 for me) and reboot the machine which needs to be decommissioned (contoso-DC5).

5. Verify DNS registration and functionality

Back on the DC which needs to be decommissioned, type netdiag /test:dns (I chose netdiag /test:dns /v) and the output should be successful. If it is not, do not go ahead with the other steps until you resolve the issue. Remember, /v stands for verbose and the output can spit out pages of data. If you need to go through the output, make sure you redirect it to a text file.

6. Verify communication with other domain controllers

During the removal of Active Directory, contact with other domain controllers is required to ensure:

a) Any unreplicated changes are replicated to another domain controller

b) Removal of the domain controller from the directory

c) Transfer of any remaining operations master roles

Type netdiag /test:dsgetdc in the command prompt. This is where I hit my first ‘roadblock’. The output showed that it had failed. So, I ran the command again in verbose mode to get an idea of what exactly was happening. The summary kind of explains things.

Summary of DNS test results:

                        Auth Basc Forw Del  Dyn  RReg Ext
    Domain: contoso-dc5 PASS PASS FAIL FAIL PASS PASS n/a
    ... contoso.com failed test DNS

We can see that the DNS test failed for Forwarding and Delegation. A quick check to see whether this server was also acting as the DNS server made me heave a sigh of relief. Contoso-DC1 was acting as the primary DNS and a public DNS as the secondary. This server had probably acted as a DNS server at some point, since I also saw numerous host entries for the DNS role. So, we can still go ahead with the next step. Yippee! 😀

7. dcpromo

Run dcpromo from the Run dialog box, take a break for a while, and reboot when prompted to.

This computer was also to be removed from the domain and shut down. So, before doing that, make sure you know the local admin password; otherwise you will be locked out of the computer once you remove it from the domain. Time to power down the server. Sweet!

One last step is to check whether the computer still shows up in the Active Directory Users and Computers list after shutting down. When you demote a server, AD should take it out, but in my case it hadn’t (probably because I didn’t give it enough time to replicate?). If it still shows up, go ahead and delete the computer from the list.
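As an added example (not from the post and not one of Microsoft's tools), here is a small Python pre-flight check in the spirit of steps 1, 5 and 6: it parses the output of netdom query fsmo and the summary table of netdiag /test:dns and lists anything that should stop you before dcpromo. Both outputs are constructed samples with made-up holders, since the post redacted its own, and hosts_dns is an assumed flag saying whether the DC being demoted is itself the DNS server the domain relies on.

```python
import re
from typing import Dict, List

FSMO_ROLES = ("Schema master", "Domain naming master", "PDC",
              "RID pool manager", "Infrastructure master")
DNS_COLUMNS = ("Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext")

# Constructed sample of `netdom query fsmo` output; the holders are made up.
NETDOM_SAMPLE = """\
Schema master               contoso-dc1.contoso.com
Domain naming master        contoso-dc1.contoso.com
PDC                         contoso-dc6.contoso.com
RID pool manager            contoso-dc6.contoso.com
Infrastructure master       contoso-dc6.contoso.com
The command completed successfully.
"""
# Constructed sample of the `netdiag /test:dns` summary table.
NETDIAG_SAMPLE = """\
Summary of DNS test results:
                           Auth Basc Forw Del  Dyn  RReg  Ext
    Domain: contoso.com    PASS PASS FAIL FAIL PASS PASS  n/a
"""

def fsmo_roles_held(netdom_output: str, server: str) -> List[str]:
    """FSMO roles held by `server` (short name or FQDN, case-insensitive)."""
    def short(name: str) -> str:  # normalised host part of a name
        return name.strip().lower().split(".")[0]
    return [role for line in netdom_output.splitlines() for role in FSMO_ROLES
            if line.startswith(role) and short(line[len(role):]) == short(server)]

def dns_failures(netdiag_output: str) -> Dict[str, List[str]]:
    """Map each 'Domain:' row of the summary to the sub-tests that reported FAIL."""
    rows = re.findall(r"^\s*Domain:\s+(\S+)\s+(.*)$", netdiag_output, re.M)
    return {domain: [c for c, r in zip(DNS_COLUMNS, rest.split()) if r == "FAIL"]
            for domain, rest in rows}

def demotion_blockers(server: str, netdom_output: str, netdiag_output: str,
                      hosts_dns: bool) -> List[str]:
    """Reasons to stop before dcpromo: roles still held by `server`, or DNS
    sub-test failures when this DC is itself the DNS server the domain relies on
    (hosts_dns is an assumed flag the operator supplies)."""
    blockers = [f"{server} still holds {r}" for r in fsmo_roles_held(netdom_output, server)]
    if hosts_dns:
        for domain, failed in dns_failures(netdiag_output).items():
            if failed:
                blockers.append(f"DNS {'/'.join(failed)} failing for {domain}")
    return blockers
```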

That’s it! I hope this guide was helpful. In case someone finds any mistake in this or knows of a better solution, please do let me know.