Posted by: David | May 9, 2011

BESX SBS Installation Check List

A little checklist for installing Blackberry Enterprise Server Express on SBS, available in PDF Here


Useful Information

  • BESAdmin Password (Make Up):
  • Serial Number (Supplied By RIM):
  • License Key (Supplied By RIM):
  • CAL ID (Supplied By RIM):
  • BES SSL Certificate Password (Supplied By RIM):
  • BES Admin Service Admin Account Password (Make Up):
  • Blackberry Administration Service Address (Provided by installer at end of installation):
  • Blackberry Web Desktop Manager Address (Provided by installer at end of installation):

Pre Installation Tasks

  • Create BESAdmin Account with Exchange Mailbox
  • Delegate ViewOnly Admin role to BES Admin account
    add-exchangeadministrator "BESAdmin" -role ViewOnlyAdmin
  • Grant ms-Exch-Store-Admin, Send-As and Receive-As permissions to the BESAdmin account
    get-mailboxserver "" | add-adpermission -user "BESAdmin" -accessrights ExtendedRight
    -extendedrights Receive-As, ms-Exch-Store-Admin, Send-As
  • Make BESAdmin a member of the BUILTINAdministrators group
  • Assign “Allow Log On Locally” to the BESAdmin Account in the Default Domain Controllers Policy
  • Assign “Log on as a Service” to the BESAdmin Account in the Default Domain Controllers Policy
  • Log in to SBS Server as BESAdmin
  • Run BESX Installation
  • Allow Ports for Management Interface on SBS Firewall
    netsh firewall add portopening TCP 3443 "BESExpress Management Port"

Useful Resources – SBS BESX Installation Guide
Blackberry – Documentation including installation guides
Blackberry Registration Queries – +44 (0)1753 667000

I recently looked in to setting this up so that I could stream my Itunes content from my home PC to my work laptop. I dont really want clog up my work laptop with MP3’s and my current music collection is fairly large so having it on my work laptop has some serious space implications.

There seem to be plenty of articles out on the web for streaming itunes across the web if you have a Mac but not so much for windows. There are two ways I am going to explain how to do this with and without the use of an SSH tunnel. All the software required to do this is available free of charge for personal use.

Required Software

Java – You will need this to run the Rendezvous Proxy software, if you don’t already have it installed you can get it here.

Rendezvous Proxy – This software will allow you to see your itunes library from your home machine over the internet by proxying mdns requests. Credit has to be given to the developer of this application as it is fantastic. You will need to download the Java version to use this on windows.

Optional Software (For SSH Tunneling)

WinSSHD – This software is free for non commercial use, and it is a Windows SSH server this will need to be installed on your home machine (more later)

Tunnelier – This is the client that accompanys the WinSSHD software and would need to be installed on the machine you are using to access your itunes library. You dont have to use this SSH client you can use any SSH client you with (e.g. Putty) but you will have to work out how to set up SSH tunnels yourself

What is SSH and why use it

When setting this up for myself I found that if you used password protection for your itunes library you couldn’t connect to it with the rendezvous proxy, so I had to turn off the password protection. However if you do this without the ssh tunnelling you are potentially letting anyone access your itunes library :S. If you use SSH tunneling you are not broadcasting your itunes library to all and sundary and you are also adding a layer of authentication and therefore security before you can access the data.

So what is SSH, well you could do some reading up on wikipedia for some more detailed information, but in short it provides secure access to the command shell. Orginally a unix / linux thing but when something this good you can bet it is going to get ported to other platforms. Along side straight remote command prompt access SSH also allows for the tunnelling of other TCP protocols through its connection, in essence it is a bit like how you can get broadband (ADSL) and telephone over the same line in to your house. With SSH aswell as remote access to your command prompt you can also have RDP (Remote Desktop) and file transfer to name a few, but the possibilities are endless, generally if is uses a TCP protocol you can transmit is across SSH a bit like VPN.

Getting SSH Working in Windows

Now if you do a quick search on the Web about running a SSH server on Windows you will find numerous articles showing you how to port the Linux SSH server software to windows, which will vary from installing some software call cygwin through to compiling source code. All in all these methods are a bit of a pain and also dont really provide the outcome you might be looking for in a Windows SSH server. Generally this is because they work by emulating a linux environment in Windows and then running SSH from there. If you ever use a raw ssh session to this you cant run basic windows commands from the remote shell because it is an emulation of linux.

WinSSHD however provides native support for SSH, so when you get access it is actually a remote command prompt as opposed to an emulated linux shell. So to get SSH working simply download the WinSSHD software and follow the installation. You will need to set up some accounts but you can just use your existing windows login details.

Once installed you will need to set up public access to your computer via the internet to SSH, to do this you will need to configure your router firewall to forward port 22 to the ip address of your home machine with itunes and the newly installed.

I suggest at this point you install the tunnelier software on your remote machine and check you can connect.

Configuring the SSH tunnel

If you have decided to not use SSH then you can skip this step

Once you have SSH working next you need to set up a SSH tunnel, to do this with the Tunnelier applation go to the C2S Forwarding tab and click the add button and enter the following:

Status: Enabled
Listen Interface:
List. Port: 3689
Destination Host: localhost
Dest. Port: 3689

Save the chanes to your Tunnelier profile and Reconnect.

Configuring Rendezvous Proxy

If you are not using SSH you will need to add a rule on your home router to fordward port 3689 on to the ip address of the computer running Itunes (this is instead of port 22 for SSH)

Now you either have port 3689 open on your home router or the SSH tunnel working you will need to set up rendezvous proxy to broadcast the DAAP services (Itunes server) on to your local network where your work (remote) machine is so that the Itunes software can see it.

When you want to use Itunes on your remote connection you will need to have both the Tunnelier program open and the Rendezvour Proxy software running, once you have the Proxy software running, click the add host button and enter the following:

For SSH tunnelled connection

IP Address: localhost
Port: 3689
Host Label: homecomputer
Service Text: itunes from home
Service Type: _daap._tcp. (itunes host)

For Non SSH Connections

IP Address: IP address of your home internect connection or hostname
Port: 3689
Host Label: homecomputer
Service Text: itunes from home
Service Type: _daap._tcp. (itunes host)

*Note – If you are not sure what your Public IP address is for your home computer, try going from your home computer to find this out. You may also want to consider using a service like dyndns if you have a dynamic ip address and you find it keeps changing.

Accessing your Music

Once you have the software setup above you should be able to just open itunes and your home library should appear in the shared setion.


If you are not seeing your library on your remote computer I would suggest checking your Windows firewall or any Anti-Virus software to make sure it is not being blocked by these applications.

I regularly use both sylinkdrop and sylinkreplacer to make Symantec Endpoint protection clients managed by a SEP server. Often after a reinstall of the management software it is necessary to capture all machines on the domain to make them all managed by the new installation.

Sylink drop can be used on individual machines to make them managed where as SylinkReplacer is designed to be run from a machine to find SEP clients on the network and force them to be managed. Recently I have found that the replacer tool to be less and less effective at finding clients on the network particularly Windows 7 clients. I have also found the tool to be painfully slow at scanning IP ranges to find the clients in the first place.

As a workaround I have found it much more reliable to use the sylinkdrop tool in conjunction with psexec to set all computers on the network to be managed by a SEP server. To do this you will need to set up a share on the machine you are running the commands from with read access to everyone on the domain.

In this example the share I created was called “sylink” on the server AVSRV001. In the share you need the following files:

  • sylinkdrop.exe
  • sylink.xml (for info on where to find this check out this Symantec KB)
  • drop.cmd (more info on this below)

The drop.cmd file contains the following contents:
%0..sylinkdrop.exe -silent \avsrv001sylinksylink.xml
You will need to modify the server and share name in your file to match up with the shares you created.

Once all the above is setup you can use the psexec command (available to download as part of the PsTools package by sysinternals from here)

Then simply run the following command, substituting the domain username and share names for one which suit your environment.
psexec -u domainusername -p password \* \avsrv001sylinkdrop.cmd
The above command will enumerate all the computers in AD and then try to remotely execute the drop.cmd command on each of them. This will of course fail for computers which either don’t exist or are not present or switched on, so you may want to make a note of which clients fail (just watch the output of the command to collect these).

Where can I download / get Sylink Drop

Well sylinkdrop is not publically available from Symantec to download, however it is on your installation media in the following folder:


If you have lost your installation media providing you have an active subscription you should be able to log in to with your serial number on your certificate and download the latest version (which will include sylinkdrop).

Posted by: David | December 8, 2010

Updating Time Zone Ubuntu Server

tzconfig is no longer available in Ubuntu 10.10 so if you need to reconfigure the time zone on a server you now have to run the command:

dpkg-reconfigure tzdata
Posted by: David | November 2, 2010


Because trying to get this is like getting blood out of a stone, current DNS severs for BT are: | | | | |
Posted by: David | October 27, 2010

Exchange 2007 Out of Office Server Unavailable

Recently ran in to an issue with Out of Office not working for any users in an Exchange 2007 environment. Here are the symptoms and the fix for the problem:

Run Test E-Mail Auto-configuration (From Outlook), this is performed by right clicking with CTRL held down on the outlook icon in your taskbar.


Error 503 getting autodiscover.xml

Checked Autodiscover AppPool (this can be checked in IIS Manager, expand the server and choose Application Pools look for the MSExchangeAutodiscoverAppPool) and this had stopped.

Started the pool but it kept crashing.

Removed Autodiscover Virtual Directory, from the exchange management shell run:

	-Identity "server nameAutodiscover (Default Web Site)"

Reset IIS, run IISreset from command prompt.

Recreated Autodiscover Virtual Directory, from the exchange management shell run:

New-AutodiscoverVirtualDirectory -WebsiteName "DefaultWeb Site"
	-WindowsAuthentication $true -BasicAuthentication $true

Checked and the Autodiscover application pool is now working, checked and Out of Office (OOF) is working for internal users but not for external RPC over HTTP clients.

Checked Test E-Mail Auto-configuration (From Outlook), from an external user

OOF URL: https://internalFQDN/EWS/Exchange.asmx

To check the setting of the URL’s run this from the exchange management shell:

Get-WebServicesVirtualDirectory | Select name, *url* |fl


Name : EWS (Default Web Site)
InternalNLBBypassUrl : https://InternalFQDN/ews/exchange.asmx
InternalUrl : https://InternalFQDN/EWS/Exchange.asmx
ExternalUrl :

Command to Set the External URL:

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)"
	-ExternalUrl: https://EXTERNAL-FQDN/EWS/Exchange.asmx

Command to Set the Internal URL:

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)"
	-InternalUrl: https://EXTERNAL-FQDN/EWS/Exchange.asmx

NOTE: This must resolve internally and be accessible, if firewall does not support hair-pinning then internal DNS will need to be set up for this.

Test and should be working

Here are a few notes from an issue I came across this week with an exchange server configured for Outlook anywhere. For what ever reason Outlook Anywhere stopped working and the RPC over HTTP clients were no longer able to connect.

After checking all the norms, like certificates and firewall rules I ran the tests on this is an awesome site (although from experience little known) which can remotely test most aspects of exchange.

After running the test it came back with the following results:

Testing Http Authentication Methods for URL
The HTTP authentication  test failed.
Additional Details An HTTP 500 response was returned from  Unknown

After some googling I stumbled across  the following forum post, it advised that you check the SSL settings on the RPC virtual directory, I meet the following requirements:

  • Require SSL (Checked)
  • Require 128-bit SSL (Unchecked)
  • Client certificates: Ignore

If you are still having problems you may need to reinstall the RPC Proxy component on the CAS server. Below is the procedure for fixing this (This was taken from the above mentioned forum post)

  • Disable outlook anywhere via EMC
  • Remove RPC proxy component via PowerShell
  • Command: servermanagercmd -r rpc-over-http-proxy
  • Reboot the server
  • Install RPC proxy component via PowerShell
  • Command: servermanagercmd -i rpc-over-http-proxy
  • Enable outlook anywhere
  • Restart Microsoft active directory Topology service

After this RPC was working for existing users but could not be set up for new users. The retest on the the RPC passed but overall tests still failed with an ERROR performing an RPC Ping on 6004, the referral on the site was to the following page,

Here there were a number of things to check including checking some registry settings and making sure the front end sever could ping the CAS server using both Netbios and FQDN, in this case there was only one server running all roles. There was also a listed known issue with IPv6 on versions of Exchange 2007 pre SP1 RU4. Well this server was running SP3. Upon pinging via Netbios and RPC I noticed that the server name was resolving to a self assigned IPv6 address. After removing IPv6 from the server LAN adapter (no reboot required) the server name was now resolving to the IPv6 loopback interface.

I modified the local hosts file to put the FDQN and Netbios names to the IPv4 address and tested, they were now resolving with the IPv4 addresses. Checked on

There are a number of ways of completely disabling IPv6 on Server 2008 and on the next maintenance window I shall be looking in to the best way to do this and update the post at that point.

Posted by: David | October 23, 2010

Citadel Online ("Hot") Backup : Script

So as previously mentioned, I use the Citadel Server as my email / groupware server, and like all good admins I like a backup, when I put the server in this was one of the first things I sorted out. I checked the Citadel Manual for their suggestions on backing up the server. Their manual offers two backup methods; online and offline. Now I am not a great fan of offline backups, nor do I see the point, if you are going to have a server why should you have to take it offline to back it up? So online backup it is then.

There are a couple of things to note here:

  1. You cannot have automatic deletion of logs enabled in Citadel if you use this method (this is done under side wide configuration in webcit when logged in with the Admin account)
  2. You must make sure that you backup the database and log files in the correct order otherwise no restore for you…

So the script, now I am not overly familiar with Shell Scripting so I am sure there will be some of you out there that look at this script and neatly reduce it to 5 lines of code, if you do please let me know you secrets!
prefix=$(date +%Y%m%d)
echo $filename

#re-create file citadel directory structure in backup location
mkdir $backuplocation$filename
mkdir $backuplocation$filename/bio
mkdir $backuplocation$filename/bitbucket
mkdir $backuplocation$filename/files
mkdir $backuplocation$filename/images
mkdir $backuplocation$filename/info
mkdir $backuplocation$filename/keys
mkdir $backuplocation$filename/userpics
mkdir $backuplocation$filename/data

#copy files as per citadel reccomendations
cp /var/lib/citadel/* $backuplocation$filename/
cp -Rv /var/lib/citadel/bio $backuplocation$filename/bio
cp -Rv /var/lib/citadel/bitbucket $backuplocation$filename/bitbucket
cp -Rv /var/lib/citadel/files $backuplocation$filename/files
cp -Rv /var/lib/citadel/images $backuplocation$filename/images
cp -Rv /var/lib/citadel/info $backuplocation$filename/info
cp -Rv /var/lib/citadel/keys $backuplocation$filename/keys
cp -Rv /var/lib/citadel/userpics $backuplocation$filename/userpics
cp -v /var/lib/citadel/data/cdb.* $backuplocation$filename/data/
cp -v /var/lib/citadel/data/log.* $backuplocation$filename/data/
cp -v /var/lib/citadel/data/ref* $backuplocation$filename/data/

#Compress Backup Files
rm $backuplocation$filename.tar.gz
tar -pczf $backuplocation$filename.tar.gz $backuplocation$filename

rm -R $backuplocation$filename

#Delete undeeded logs from Citadel
echo "Culling logs"
/usr/sbin/sendcommand "CULL"

So there are a couple of things that you need to check here, all the locations are set at the top of the script, and you may also want to check where the sendcommand command is located on your system, I installed my server with apt-get but I know that some of the other provided utilities (ctdlmigrate being one) did not work for me because they were looking somewhere else for the sendcommand command. It is important that you make sure this is correct as it is this line of the script which clears out the logs from the server once the backup is taken. If you don’t clear out these logs you may find after a while you begin to run out of disk space.

The script needs to be run under the citadel user account so that it has permissions to access and backup the citadel database files, I cheated with this and used Webmin to configure my scheduled backup in cron.

However if you create a file called your citadel username (e.g. citadel) with the contents below in /var/spool/cron/crontabs this should do the trick.
0 3 * * * sh /var/lib/citadel/backup
The only other thing you should be aware of is that the citadel user needs permission to write to the backup location, here are the permissions I have set on the backup directory
drwxrwxr-x 2 root citadel 4096 Oct 23 16:37 backup
With regards to restore, it should be noted that this data will only be re-storable if the system has the same architecture i.e 32-bit or 64-bit. But I have tested this (accidentally deleted some emails I needed), to do a restore simply install citadel on a machine, stop all the Citadel services and then copy the data from the backup to the Citadel folder, start the services and log in with your old admin account details.

If you do want to do a “cold” or offline backup where you shut the citadel services down, instructions on how to do so can be found on

Posted by: David | October 22, 2010

Windows 7 Password Expiry Reminders : Workaround

As I am sure people are becoming aware, Windows 7 password expiry reminders are some what un-reliable. Usually that will manage to flash up in the corner of the screen for a couple of seconds during the 14 days before your password expires.

If you are lucky and don’t happen to be blinking at the time you may see this reminder and be able to reset your password in time.

I got fed up with resetting user passwords because they didn’t see the reminders so I found a workaround. This comes in the flavour of a quick VBS script to show a message box on screen if your password is due to expire and also a new group policy to apply this as a login script to users on Windows 7 based machine (nice use of WMI filtering here)

First the VBS script: (passexpiry.vbs)
On Error Resume Next
set objNetwork=CreateObject("Wscript.Network")
Set objUser=GetObject("WinNT://" & objNetwork.Userdomain & "/" & objNetwork.Username & ",user")

Dim objUser

PassExp=INT(objUser.MaxPasswordAge/86400)-INT(objUser.PasswordAge/86400) - 1

if (PassExp=0) then
wscript.echo "Your password is due to expire in " & PassExp & " day(s)"
end If

This was copied up to the \domain.localnetlogon folder so that everybody could access it, this can also be saved in to the policy folder under the sysvol share however I don’t like my scripts scattered across lots of folders which long GUID names which mean nothing to me.

Then a new WMI filter in need to be created to filter out this policy to Windows 7 based machines, create a new WMI filter (I called mine Windows 7).

Windows 7 WMI GPO Filter

So add a query for the namespace rootCIMv2


select * from Win32_OperatingSystem
		where Version like "6.1%" and ProductType = "1"

Here the Win32_OperatingSystem will return 6.1 for both Windows 7 and Server 2008 operating systems so we also need to make sure the product type is set to 1 so that we only pick up workstation based operating systems.

Set the WMI filter on the new group policy and also apply it to the Domain Computers security group.

Group Policy Creation - Link WMI filter

Now for the settings of the Group Policy, first because this policy is going to be applied to the computer the user logs in to, but the script run as a user setting we need to enable “User Group Policy loopback processing mode” in “merge” mode.

This is set under:
Computer Configuration
Administrative Templates
Group Policy
User Group Policy loopback processing mode : Enabled (Mode : Merge)

Then we need to set the policy to apply the user logon script, this is done here:
User Configuration
Windows Settings
Scripts (Logon / Logoff)
Add script \domain.localnetlogonpassexpiry.vbs

Now you should have a policy which looks like this:

Windows 7 Password Notify Group Policy

Thats it, sit back and enjoy once again users resetting their own passwords. I am still looking for a way to trigger the reset password screen from the popup box, if anyone knows how to do this please let me know!! 🙂

Posted by: David | October 21, 2010

Windows Updates Via Script / HTA (GUI)

I have now finished the creation of a new tool. As part of my job I regularly have to download and install Windows updates on servers in maintenance windows, over the years I have come to notice a few irritations.

  1. If WSUS is badly maintained some updates are not approved and therefor never installed.
  2. If you are using Remote desktop to access the server the little yellow shield does not always show in your session if it is displaying on the console or another session
  3. If you downloading updates for the server from Microsoft Update and you have a slow internet connection or a lot of updates this process can take a while and you may miss your maintenance window

I recently discovered the Windows Update API and decided to find a resolution to my irritations. So I bring you the Windows Update Downloader HTA

Windows Update HTA Screenshot

This can be used for both the download and installation of Windows updates and if a WSUS server is detected it can easily be bypassed in favour of Microsoft Update.

This was a fairly simple little fellow to write however the asynchronous downloads were a little awkward,

Set dsession = downloader.BeginDownload &_

I found that VBScript really doesn’t like the use of callback functions on this Interface call and I had to workaround by creating a dummy class and dictionary object.

Additionally getting a HTA to wait is also not very easy as there is no sleep function you can call to this had to be overcome with a very nasty workaround:

Sub Sleep(intSeconds)
	Dim objShell, strCommand
	Set objShell = CreateObject("Wscript.Shell")
	strCommand = "%COMSPEC% /c ping -n " & 1 + intSeconds & ">nul"
	objShell.Run strCommand, 0, True
	Set objShell = Nothing
End Sub

Users please be aware that the HTA will hang when you click on check for updates or (Disable / Enable WSUS) while the script is querying the update server, as the HTA is waiting for the function to return, I may get round to changing this to an asynchronous check at a later point but at the moment the script is functional and serves its purpose well. I only added in the install functionality as it wasn’t much more effort.

Please let me know any problems / feedback you may have with the HTA as I would be interested to know if you find it useful or have issues.

NOTE: Please be aware of the disclaimer as this script is provided “as-is”, without any warranty, whether express or implied, of  its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party produsts or information mentioned in the work are authored, recommended, supported or guaranteed by Further, Sys-Admin shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

By downloading and using this HTA you are accepting the included disclaimer


« Newer Posts - Older Posts »