Thunderbird won't open inbox subfolders after upload to google apps

I think Thunderbird is an excellent mail client - particularly for Macs - for users on Google Apps. When setting it up for a user, I found that I was getting an error that the folder didn't exist whenever a user would try to view the data in one of the inbox's subfolders. The error looks like this:

But then I found this solution:

In short, Thunderbird is looking for a subfolder of INBOX - but Gmail's folders, when imported from Exchange, may often be Inbox. So you need to rename the inbox portion of the label to be INBOX. So you'd need to change this:

to this:

setting up a Blackberry on Google Apps (with current Enterprise Activation)

This post will guide you on how to set up your Blackberry with your new Google Apps server.

Your phone was originally installed using a different kind of server - Blackberry Enterprise Server - and we have to "wipe" your phone to remove those Blackberry Enterprise Server settings.

If you have anything other than email/contacts/calendar that you want to keep – please touch base with your system administrator to help back up your phone (this would typically be things like music or pictures). If the only content on your Blackberry is your company data then we can continue.

Step 1:

First, we wipe the Blackberry.

Click Options > Security Options > General Settings > Click the trackwheel/trackball on the Password field > Select “Wipe Handheld”. Type in blackberry when prompted.

A youtube video showing the wipe process is here:

Step 2:

Download the Google mail for Blackberry application.

To download the email app, in the web browser on the BB, go to

Near the top of the screen, you should see an icon for “get faster gmail” - click on that

Download the gmail application and install it.

It’ll probably put the gmail application in the applications group on your BB. I’d recommend moving the gmail app to your main screen.

Open the gmail app and log in with your email address and your password.

It’ll download all your Google Apps email currently in your inbox.

Step 3:

Download Google Sync for the Blackberry.

In the web browser on your BB, go to

Download the app and install it. It’ll probably be located in applications after you install it. Sign in with your email address and password and tell it to sync your calendar and contacts.

That should be it.

Please contact your system administrator if you have any questions.

viewing other users' mailboxes in Google Apps (email delegation)

I often find that I want to enable users to see other users' mailboxes within their Outlook. If there's a common mailbox like or you're viewing the mailbox temporarily of an employee who has left the organization.

On Google Apps, I have found the method for doing that described here:

Of note - as of December 2010, this is available in premier edition only and not available in the education edition.

restoring a file using previous versions (shadow copy)

When you delete a file from a network share, it does not go to your recycle bin . . . but you can still restore the file from "previous versions."

"Previous versions" is a tool for retrieving deleted files and prior versions of files located on a network share.

To use previous versions to recover a file, go to the folder where you want to restore the file from. Right click in an empty space (not a file or any menu) and choose properties:

Click on the Previous Versions tab (this will only exist if your administrator has enabled previous versions):

Looking at the dates on the right side of the window, choose how far back you want to go in a previous version of that folder and double click on the folder with the date you want.

A new window will open up with a snapshot of the specified folder on that date (and time).

Find the file or folder that you want to restore. In my opinion, the easiest thing to do is copy and paste the file/folder from the previous version to the actual/current folder.

And that's it. That's the best method to use previous versions to restore a file that you may have deleted or overwritten. Please note that this feature must be enabled by your administrator for it to work.

cleaning spyware/malware in safe mode using malwarebytes

To get the most surefire cleaning from malwarebytes to remove malware from an infected computer, I recommend running malwarebytes in safe mode. This tutorial will guide you through booting into safe mode with networking and then running malwarebytes.

Step 1:
The first thing you need to do is shut down your computer. Do this normally using Start -> Shutdown. Instead of choosing restart, you should shut the computer all the way down.

Step 2:
Turn the computer on, wait approximately one second and then start pressing the F8 key about 2 times per second. There is a brief time window early during the booting process when we can reach the advanced startup menu. It's hard to see, so we just press F8 repeatedly until we see it.

Step 3:

Choose Safe Mode with Networking in the advanced startup menu. Afterward, you'll get a bunch of diagnostic info on the screen about what is loading. This is normal. You can ignore it. (If you don't get the advanced start menu, your computer will boot normally. Shut down again and start on step 1).

Step 4:

Log in normally.

Step 5:

If you are asked if you want to continue in safe mode or run a system restore, hit YES - so that you continue to work in safe mode.

Step 6:

If you have already downloaded and installed Malwarebytes, run it now and skip to step 8. If not, go to step 7.

Step 7:

You can download and install Malwarebytes from Download and install Malwarebytes (you can accept all the defaults).

Step 8:

With the software open, run an update by going to the update tab and then pressing check for updates.

Go to the scanner tab. Choose a full scan and press scan. Then in the next box, choose the C drive and hit scan.

This scan will take anywhere from 30 minutes to 2 hours depending on the speed of your computer and the number of files that Malwarebytes needs to scan. With most computers that are a year old or newer, a scan will usually take 45 to 60 minutes.

Step 9:

With the scan complete, you'll see that it found objects infected. At this point, click OK and then Show Results.

Step 10:

Click on "remove selected" on the next window that comes up. Then close the text window that comes up next and click YES to restart your computer (sometimes you are not prompted to restart your computer - that's ok - you'll want to restart anyway to get out of safe mode).

After the reboot, log in normally, and you should be clean from all the malware that infected you before.

tool for editing/adding SSL certificates to Exchange 2007 / SBS 2008

This tool:

has been a great help to me in the management of multi-domain SSL certificates (UCC or SAN certificates). Particularly for SBS 2008, you need to use the Exchange shell to add a multi-domain SSL certificate, but this GUI tool will easily help you add it.

installing Exchange 2007 SP 3 on SBS 2008

Installing Exchange 2007 SP 3 on SBS 2008 is pretty easy, with one weird exception. As per this page:

You need to stop the "Windows SBS Manager" service to allow the service pack to run. In the two service pack installations I've done so far, each time it complained about the datacollectorsvc - which as the above article says is stopped when you stop the Windows SBS Manager.

adding Sigmatel drivers on older Dells

I have a Dell Vostro 1400 that has a Sigmatel audio device. I had to reformat it with Windows 7, but the Windows HD driver that Windows installed didn't work quite right. For some reason, the speakers wouldn't work - only headphones when you plugged them in.

I ended up installing the Vista driver as recommended by this article (which also includes a link to the driver since Dell's link for that driver on their site is not working as of 11/14/10).

contacting Google Apps tech support

Finding the support form for Google Apps isn't as easy as it should be. It's here (updated 8/4/14):

To use it, you need an education or premier account and need the customer pin and support pin that you get on the support tab of your dashboard.

google app migration thoughts from small Exchange domain

I did my second organization wide (only 8 users) migration from Exchange to Google Apps over the weekend, and I thought I'd just summarize what I saw and what I think are best practices for a migration.

1) Check with necessary staff to make sure you have a complete list of all mailboxes, aliases, and distribution lists you need.

2) Create all accounts before any other processes.

3) investigate the size of mailboxes you are migrating. One of the mailboxes I was migrating was 11.5 GB (he intentionally didn't want it to archive). It took 70 hours to download and upload using my home FIOS. In my case, I would rather have gotten his Exchange data on the LAN instead of the 33 hours it took to download the data from the server. I'd say it's pretty important to plan bandwidth utilization as it's very easy to choke up the bandwidth with a large upload. Ideally, you're uploading one mailbox at a time over the fastest upstream internet connection you have available to you.

4) alter the MX records (ideally on a Friday night)

5) wait at least 12 hours for DNS records to change so all mailboxes on the Exchange server are static and are no longer receiving email

6) begin uploading data from the fastest internet connection possible - or multiple connections - if you can - I've had one instance where I've had trouble with the Google Sync for Outlook - - though I still think it's the preferred tool. Another option for uploading mail, which doesn't seem any quicker and still allows you to upload only one mailbox at a time is the Google Apps Migration for Microsoft Outlook tool here - The problem I had with the migration for Outlook tool was that it wasn't naming the labels/folders correctly. If you had a label folder of Inbox/General - it showed up as PSTNAME/Inbox/General and not as a subfolder of inbox. Strange - though easily fixed. I guess the real difference between the two is whether an admin is doing it or if it's being done on the user's computer. On an admin's computer, he/she can use the Google migration tool to upload a PST file while he/she has his own Outlook open. For a user on his/her computer, you'd want Google Apps sync so Outlook would be usable while the data is uploading. Though from personal experience, you don't want people uploading data during the daytime. It can completely choke off your upstream bandwidth.

7) emulate functionality as best you can of Outlook using these options:

a) enable iphones to use ActiveSync -> as a Google admin -> Service Settings -> Mobile -> Turn on Google Sync
b) set up iphones using this link for instructions -
c) enable calendar sharing using these instructions -
d) enable users to allow delegation of their accounts - as a Google admin -> Service Settings -> Email -> Let users delegate access to their mailbox to others in the domain. (of note - this seems to be available in the premier version but not the education edition as of 11/15/10)
e) tell users how to delegate their mailboxes using these instructions -

8) make sure each computer is set up properly with Outlook configured for the google apps account (using Google Apps Sync at Set it up as the default profile and also rename the NK2 file so that the autofill address book is retained.

a) be aware that the autofill address book will contain some old Exchange specific addresses that will fail when sending from google apps. As such, it's probably best practice to manually open a new message on the computer and delete each user on the Exchange/Google server since each entry was probably an X400 address and wouldn't work on the Google Apps server and will just cause confusion.

putting a Verizon Westell 6100 in bridge mode

If you have a Verizon Westell 6100 that needs to be set up for bridge mode (for example, if you're going from a dynamic IP to a static IP address), here are Verizon's instructions for that:

Of note, in step 8, instead of putting it in "routed bridge" mode - you definitely want that setting to be just "bridge"

Internal Verizon card (GOBI 2000) connects but won't disconnect

I haven't had the chance to test this - but I had a client tell me that the resolution to an internal Verizon GOBI 2000 card that connects continuously but won't disconnect is to change the setting as follows in the VZ Access Manager preferences.

Windows Server Backup - Exchange backup fails at consistency check

I have a single server setup where the server runs Windows Server 2008 R2 and Exchange 2010. The backup kept completing with warnings saying that the consistency check failed for Exchange.

EDIT - the steps from my original post below also work. But a much easier solution is to enable circular logging on the Exchange database that is failing. Then mount and dismount the Exchange database. All the logs will disappear. Get a good backup and then disable circular logging.

Original post below:

I'd also get event log errors saying that certain log files were missing. There was a point where I had deleted some log files to address space issues. And since the backup wasn't finishing, the log files kept failing to get flushed.

I doubt this is the advisable way to handle this, but this is what I did:

a) delete all log files

b) Backup all edb's.

c) Check shutdown status of your .EDB
eseutil /mh "Full Path to your EDB"

d) eseutil /p "Full Path to your EDB"
/p is hard-repair

e) eseutil /d "Full Path to your EDB"
/d is defragment

f) isinteg -s servername -fix -test alltests **

** my isinteg would not run, but I was able to mount and run the databases without running isinteg. Not best practice, but it kept giving me references to a log file for isinteg that didn't seem to exist.

After running the eseutil commands, my database mounted and I was able to get a good backup.

resetting a password on a Mac

This is a good article on resetting your Mac password if you have lost it and you have the original Mac OS installation discs:

normal.dotm - file is in use by another application or user

I found a user with this normal.dotm error on a Windows 7 laptop with Office 2007:

I could temporarily fix the problem by deleting normal.dotm (after closing all Word and Outlook windows) since Word would recreate the file on the next opening - but that was only a temporary fix. After looking through some things and this page:
I felt that it was a Skype or other add-in that was causing the error. I found this - which I was only able to delete when logged in as admin (not the user even though she was a local admin on that computer).

Unchecking Skype4Word seems to have fixed the problem.

finding Outlook attachments if you hit save on a file without moving it to a new location

Every now and then, a user will open an attachment in Outlook, hit save and then close the file - and then not be able to find the file. That's because Outlook saved the file where it found the file - which is a hidden location that's not obvious to the user.

For intermediate users and above, try this:

If you're using Windows 7/8/10 or Vista, hold down the Windows key and press R (to open the Run prompt). Then in the location bar, put this:

C:\Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook

You'll find one or more folders in there, and one of them is typically the place where Outlook attachments are saved.

If you're using Windows XP, click on Start -> Run and put this into the RUN box and hit OK:

C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.Outlook\

You'll find one or more folders in there, and one of them is typically the place where Outlook attachments are saved.

This web page talks about how to find the folder - which isn't something I'd recommend for anyone but the most advanced users (it involves going into the registry editor):

The registry entry for the Outlook secure temp folder will guide you to the exact location where you can find Outlook attachments.

Tool for message tracking in Exchange 2010 is now called "Tracking Log Explorer"

I had been getting very frustrated with the tracking tools in Exchange 2010 as message tracking kept leading me to the Outlook Web App web interface, which I find unhelpful.

But then I found that what I'm used to seeing as Message Tracking is now called "Tracking Log Explorer" and near the same location.

Open Exchange Management Console -> Tools -> Tracking Log Explorer

It works the same way as Message Tracking in Exchange 2007

script to move Exchange servers in Outlook profiles

I haven't tested this yet, but I found what looks to be a very useful script for adjusting Outlook profiles when you need to alter the Exchange server if the change wasn't made automatically during a typical Exchange mailbox move.

An example is when I did my SBS 2008 migration from SBS 2003. I found that my Outlook profiles did not update automatically. The script from this blog post would have been immensely helpful:

user not started because of error 8004011d for Blackberries

I had a BES Express box sitting on an Exchange 2010 box, but my users weren't receiving email. The event logs showed "user not started." After stopping and restarting the services in the proper order, my next step in troubleshooting was to run IEMStest.exe from a DOS prompt. Here were my results:

C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\Utility>IEMSTest.exe
BlackBerry Enterprise Server Utility - IEMSTest.exe (IExchangeManageStore), Version 1.0
Copyright (c) Research In Motion, Ltd. 1999. All rights reserved.
Opening Default Message Store Mailbox - BESAdmin

Eric Jones: Opening message store using
/o=First Organization/ou=first administrative group/cn=Recipients/cn=Eric
/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)
/cn=Configuration/cn=Servers/cn=server2/cn=Microsoft Private MDB
Eric Jones: OpenMsgStore failed (8004011d)
Eric Jones: CDO Server Name: server2
Eric Jones: CDO Mailbox DN: /o=First Organization/ou=first administrative grou
Eric Jones: CDO logon successful
Eric Jones: Get default calendar folder successful
Eric Jones: Get calendar folder name successful: 'Calendar'
Eric Jones: CDO test completed successfully
Eric Jones: Active Directory permissions test completed successfully

As per the above output, the mailbox was not opened with error 8004011d. I ended up following these steps to adjust the throttling policy, which fixed the issue. After making the changes, I restarted the BB services and the Exchange services, and then the IEMStest passed and the mailboxes were accessible again.

Friday, August 20, 2010

order to use when stopping and restarting BES services

When stopping and restarting BES services in the course of troubleshooting, I found this KB on the correct order to stop services and the correct order to start the services after they have been stopped. From the KB:

The correct order to start the BlackBerry Enterprise Server services is detailed below:

  1. BlackBerry Router
  2. BlackBerry Dispatcher
  3. BlackBerry Controller
  4. All remaining BlackBerry Enterprise Server services

The following is the order in which to stop the BlackBerry Enterprise Server services:

  1. BlackBerry Controller
  2. BlackBerry Dispatcher
  3. BlackBerry Router
  4. All remaining BlackBerry Enterprise Server services

my static packet filters nightmare

It's been a bit since I ran into this problem, so I may not be remembering all the details correctly. But here's the gist -

In the course of setting up an Exchange 2010 server, I lost all network connectivity to my 2008 R2 box. I know I broke it, but I wasn't sure how. The answer was that I had enabled static packet filters when trying to set up routing and remote access via Network Policy and Access Services. Static Packet Filters are basically an additional option for denying access to certain ports - but if you have a firewall, you're already using another option for that functionality. I was just clicking through the Network Policy and Access Services installation and hit YES on something I wasn't paying attention to.

To remove the problem once I had realized what I did, I did this (according to my notes):

I opened RRAS and went to IPv4 -> General. Right clicked on my NIC and clicked on inbound and outbound filters each and chose "receive all packets . . . " instead of "drop all packets . . . "

Though looking back at it a couple months later, I don't see the same options when I right click on my NIC in RRAS. But hopefully, someone else will find this helpful at some point.

running message tracking on Exchange 2007 with wildcards

From what I can tell, the message tracking tool on Exchange 2007 does not allow wildcards like *. I found this command, which will allow you to use a wildcard value in the Exchange Shell:

get-messagetrackinglog -Server "Exchange-server-name" -Start "7/1/2010 11:34:00 AM" -End "8/10/2010 9:44:00 AM" -resultsize unlimited |where {$_.Sender -like "*"}

This will allow you to get a list that uses the wildcard - but the results it gives you are pretty weak. It doesn't include dates and the subject is cut off, but it's a good place to start.
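The default console table view is what leaves out the timestamp and truncates the subject; selecting the fields explicitly and exporting them avoids that. This is an added example, not from the original post, and the server name, sender pattern and output path are placeholders:

```powershell
# Added example: same wildcard search, but with the fields needed to review a
# mail flow kept in full and written to CSV. Run in the Exchange Management Shell.
# Assumptions (placeholders, not from the original post): server name,
# sender pattern and output path.
$server  = "Exchange-server-name"
$pattern = "*@example.com"
$outFile = "C:\Temp\tracking.csv"

Get-MessageTrackingLog -Server $server `
        -Start "7/1/2010 11:34:00 AM" -End "8/10/2010 9:44:00 AM" `
        -ResultSize Unlimited |
    Where-Object { $_.Sender -like $pattern } |
    Sort-Object Timestamp |
    Select-Object Timestamp, EventId, Source, Sender,
        # Recipients is a multi-valued field; flatten it so it survives the CSV export.
        @{ Name = "Recipients"; Expression = { [string]::Join(";", $_.Recipients) } },
        MessageSubject, MessageId |
    Export-Csv -Path $outFile -NoTypeInformation
```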

PDF options for creating and/or editing PDFs

When a user wants to create and/or edit PDFs, there are several options. This post will lay out the most common ones I have come across, including costs as of 8/6/10.

Office 2007/2010 - You're able to create PDFs from any of the Office 2007/2010 programs. From Word, Excel, PowerPoint, you can choose Save As and save any file as a PDF (you'll need service pack 2 or the PDF add-on to be able to save in Office 2007).

PDF995 - a low cost option for creating and making minor edits to PDFs. From, one can install the PDF Suite, which includes PDF converter and PDF editor. The PDF converter will let you create PDFs from any program and the PDF editor will let you make certain edits within an existing PDF (add page numbers, extract, remove, combine pages, etc). PDF995 is free as an ad-supported version (you see ads as you use it) or you can pay $19.95 for the PDF Suite or $9.95 for the PDF converter only. PDF995 is cheap, but not as full featured or easy to use as the more expensive programs (see below).

Adobe Acrobat Standard or Professional - Often, Adobe Acrobat is considered the gold standard for PDF creation. Adobe Acrobat Reader (which can only view PDFs) is far and away the most common PDF viewer. Adobe Acrobat Standard allows for PDF creation and editing in most ways. Acrobat Professional also adds functionality for protecting PDFs and creating forms. As of 8/6/10, the MSRP of Acrobat Standard is $299 and the MSRP of Acrobat Professional is $499. Often, you can save up to 30% from online stores like

NitroPDF - NitroPDF is a full featured alternative to Acrobat Standard. As far as I know, it has all the same functionality as Acrobat Standard. As of 8/6/10, NitroPDF is $99. I have several clients using NitroPDF who have used Acrobat and find it just as good (or even better) for significantly less money.

For basic PDF creation, often Office 2007/2010 is plenty for most users as most PDFs are created out of Word or Excel. For most advanced users, the PDF995 Suite is generally good enough for basic uses, but I find most average users have some trouble with the interface. For the average user, I recommend NitroPDF. It's more cost effective than Acrobat, and it's a solid program. For the most discriminating users, I recommend Acrobat Professional.

sending spam to junk email folder on Exchange 2007/2010

When configuring actions on detected spam on Exchange 2007 and 2010, there is no option to send it to the junk email folder when configuring it on the EMC. This is absurd. It looks like this (shown here are the actions on the content filter):

As stupid as it is, the way you can configure an SCL to be sent to the junk e-mail folder is through the PowerShell.

This command will send all junk with an SCL of 4 or higher to junk e-mail:

Set-OrganizationConfig -SCLJunkThreshold 4

I put this command on all my Exchange servers. I also disable all outright rejection of spam. Users hate it when legitimate email gets rejected. All spam goes into the junk email folder.

More info on this issue is located here:

allowing anonymous sending on SBS 2008 (for scan to email copiers or other devices)

I had put an SBS 2008 box in place for a client. I had to alter settings as the old mail server had allowed anonymous sending on the LAN. I tried a bunch of different credential combinations and ports and SSL options and none of them worked. Then I found this post, which walked me through creating a receive connector that allowed anonymous senders on the IP addresses you specify.

The short version of the article.

Go to EMC.
Go to Server Configuration -> Hub Transport
Highlight your server in the top middle field and choose new receive connector on the right side
Call the connector "copier" without quotes and type is custom
Not sure if this is necessary, but add the internal FQDN in the bottom box such as contoso1.contoso.local
Leave the local network settings alone
In remote network settings, remove the existing content. Add a single entry for the IP address of the copier like
Hit NEW.
Now, right click on the connector you just created and clear all check boxes on the authentication tab.
On the permission groups tab, check the box for anonymous users.

Then open the Exchange PowerShell and run this command:

Get-ReceiveConnector "copier" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

On your copier, you can now send over port 25 without SSL and without the need for sending credentials either.
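Because this connector accepts unauthenticated mail for any recipient, the remote IP range set on it is the only thing that keeps it from acting as an open relay. The check below is an added example (not from the original post or the article it links to) that lists every receive connector granting that right to anonymous logons and flags any whose remote range covers all addresses; the two "any address" range strings are an assumption about how Exchange prints its default ranges:

```powershell
# Added example: run in the Exchange Management Shell on the Hub Transport server.
$anonymous  = "NT AUTHORITY\ANONYMOUS LOGON"
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"

# Assumption: string form of the default "any address" ranges (IPv4 and IPv6).
$anyAddress = @("0.0.0.0-255.255.255.255",
                "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")

$report = Get-ReceiveConnector | ForEach-Object {
    $connector = $_

    # Allow (not deny) entries that let anonymous senders address any recipient.
    $grants = @($connector | Get-ADPermission -User $anonymous |
        Where-Object { (-not $_.Deny) -and ($_.ExtendedRights -like $relayRight) })

    if ($grants.Count -gt 0) {
        # Compare the configured remote ranges against the "any address" ranges.
        $ranges = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $wide   = @($ranges | Where-Object { $anyAddress -contains $_ })

        $connector | Select-Object Name, Enabled,
            @{ Name = "RemoteIPRanges"; Expression = { [string]::Join(", ", $ranges) } },
            @{ Name = "AcceptsFromAnyAddress"; Expression = { $wide.Count -gt 0 } }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Any connector reported with AcceptsFromAnyAddress set to True should have its remote network settings narrowed to the specific device addresses that need to send.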

adding a UCC (multiple name) SSL certificate to SBS 2008

Adding a single name SSL certificate to SBS 2008 is pretty easy using the "add a trusted certificate" wizard in SBS 2008. But it's not as easy if you want a UCC SSL certificate - should you have a DNS host that doesn't support SRV records.

I found sembee's blog post on this exact topic here. His steps are a little convoluted, but here's a short version with just the need to know info:

You're not going to use the wizard. You'll use the powershell.

You'll go to Digicert's wizard for UCC creation:

Then use the Powershell command it creates on your SBS 2008 box. It'll create a CSR file on the root of your C drive.

Take that CSR file to your SSL cert provider (godaddy or whoever). Buy the UCC cert and put in the CSR as needed.

After your cert is approved, download the cert and use this command to import the certificate:
Import-ExchangeCertificate -Path "D:\Shares\Install\SSL Cert\mail_ExternalDomaiName_com.crt" -FriendlyName "CompanyName UCC Cert"
(altered as appropriate of course for the actual path of your SSL cert)

Also follow the necessary instructions provided by the cert provider about intermediate certification authorities if applicable. Restart the MS Exchange Transport service and run an iisreset.

Then go back to the "add a trusted certificate wizard" in the SBS console and tell it that you'll use an already existing certificate and choose the cert that you just imported.

EDIT - this all makes sense, and I should see this working as I see the certificate in the personal store of the certificates MMC, so I should be able to add the UCC cert in the "add a trusted certificate wizard" - but I don't see it there, so I'm going to go the more manual route and follow these instructions:

BES Express installation thoughts

RIM released a new version of their free server side enterprise software in early 2010. There are some big benefits of the new version (Blackberry Enterprise Server Express 5.0 over Blackberry Professional Server Express). Three huge advantages to the new version - 1) you can install it on 64 bit systems, 2) you no longer need the BB Enterprise plan on your devices to use Blackberry Enterprise (though you need BB Enterprise plan to do wireless activation - without it, you need to do wired activation through the desktop software), and 3) the server license is free and so are all device licenses.

You can get the software here:

The install wasn't too different from the previous version of the server software, but what's great is that RIM made a great installation guide and one that included a great screen shot walk-through.

Here's the text guide:

Here's the screen shot walk-through:

I was setting up BES Express on a Windows 2008 R2 machine with Exchange 2010 on it. The truth is that I had some trouble with the instructions. There were several things that the guide told me to do that I couldn't. I had trouble setting send as permissions to besadmin. I had trouble granting log on locally as a permission to besadmin (option was greyed out). I also couldn't get this command to work (I edited it as appropriate for my domain):
Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "DC=,DC=,DC="

So in my case, luckily, I had already created another besadmin account when my domain was a 2003 domain - but overall, minus the issues on this Exchange 2010 install, which I was luckily able to work around, the new version is a welcome change.

certificate mismatch when opening Outlook clients on Exchange 2007/2010 servers

After moving from Exchange 2003 to Exchange 2010, I found all my Outlook 2007 users on the LAN were getting this error:

The certificate it was referencing was the FQDN for the external name of the server. But it was accessing Exchange through the internal name. The solution was KB94072

Easy fix once you know what to look for. You're telling Outlook to use the external name - which is resolvable through internal DNS.

adding anti-spam features to single server Exchange 2010

I built a single Exchange 2010 box, as opposed to one with an edge server - and there were no anti-spam features present. Normally, you'd find the anti-spam features in edge transport in the Exchange Management Console (EMC).

But since there is no edge transport server, you can add the anti-spam functionality (so that it appears in Organization Configuration -> Hub transport and some in Server Configuration -> Hub transport). In each case, there's an anti-spam tab.

To add it, enter these commands:

1. Run the following command from the %system drive%/Program Files\Microsoft\Exchange Server\Scripts folder.


2. After the script has run, restart the Microsoft Exchange Transport service by running the following command.

Restart-Service MSExchangeTransport

adding VPN (RRAS) functionality to Server 2008 R2

If you're looking to add VPN/RRAS functionality to Windows 2008 R2, you won't find it called by either name. You need to add the role called Network Policy and Access Services (see screen shot below).

setting up Quickbooks Database Manager on Windows 2008 R2

Windows 2008 R2 is 64 bit only. Quickbooks Database Manager (hereafter referred to as QDM) is only certified on 32 bit systems from what I've read. Setting aside how ridiculous it is in 2010 that Quickbooks doesn't officially support 64 bit systems, I had to make a small adjustment when configuring QDM on Windows 2008 R2.

When I ran the Quickbooks connection diagnostic tool, it said I had to open ports 8019 and 55338. Weirdly, I never had to do this for previous OSes, but c'est la vie.

setting a Fortigate back to factory defaults using the console cable

The other day, I had lost connectivity to the Fortigate 50B that I had set up. Luckily, I had the console cable and a machine with a serial port that I could use. I was able to get into the CLI using that console cable and use these commands to set the device back to factory defaults:

Connect with a terminal program (like hyperterminal or putty)
connect with these settings:
8 bits
no parity
1 stop bit
9600 baud (the FortiGate-300 uses 115,000 baud)
Flow Control = None

log in as admin (perhaps with no password - perhaps with a password you set)

run this from the CLI:
exec factoryreset

removing Dell background on preconfigured servers

Dell prebuilt servers come with a wallpaper background that appears whenever you remote desktop to that box - which can be very slow over a low bandwidth connection. Found this registry change that will get rid of that default wallpaper:

Open Regedit and modify the following key
HKEY_USERS\.DEFAULT\Control Panel\Desktop\Wallpaper
Change value from \windows\system32\DELLWALL.BMP to blank, as in nothing, not the word ‘blank’.

removing rescue and recovery even if it doesn't appear in normal uninstall area

I loathe rescue and recovery. I've yet to find a place where I needed it, so I remove it. But occasionally, it's not in add/remove programs or whatever the equivalent is called in Vista/7. I read in a forum that you can also run the installer - which will allow you to uninstall.

The installer should be located in:


I haven't tested it yet, but just in case it works . . .

unable to allocate drive space for unallocated space - 2 TB partition size limits on NTFS

I'm building a Windows 2008 R2 x64 Standard box on a Dell PowerEdge T610 right now, and I ran into trouble with disk sizing that is begging to be documented.

This particular machine came with eight 600 GB SAS drives. I configured the RAID array as a RAID 5 with maximum allocation over seven of the drives and kept the final drive as a hot spare (I find that is most easily done by going into the RAID utility during the POST).

Anyway, when Windows finally came up, I had my 100 GB system partition, but I had two separate partitions of unallocated space, one was about 1.9 TB and the other was 1.3 TB. I could not allocate the 1.3 TB partition at all. It was useless to me.

I came across this article:

In short, it seems that a disk with the MBR partition style can only have 2 TB worth of usable partitions on it. The answer is formatting the drive as GPT partition style. But the problem is that a system partition cannot be GPT and a single drive can have only one partition style. As such, you MUST have two virtual disks - one that will have the partition style MBR (for the system partition) and one that will have the partition style GPT (for the data partition).

So here is what I did with the help of a Dell tech:

create two virtual disks - one that is 100 GB (which will be the system partition) and one that is 3.5 TB (which will be the data partition)

To do this, press Control R (or whatever sequence is required to get into the RAID setup).
Delete all other virtual disks (press F2 when highlighting the disk and choosing delete).
Create a new virtual disk using the disks you want to use in both arrays (in my case that was 7 disks - disk 0 through disk 6) and change the allocation to be 100000 MB - the size of the virtual disk defaults to be the maximum size of all the drives together. You are changing that.
Do not add a hot spare here. We will add a global hot spare later in the PD Mgmt page.
Hit OK and then run a fast init of the newly created virtual disk.
Under unallocated space (I believe), you'll now see the remaining space on the 7 drives. Highlight that unallocated space and hit F2 and create new VD. It will automatically select the 7 drives (disk 0 through disk 6) and default to the maximum size of all the remaining space. Hit OK. Do not make a hot spare here. We will do that later in the PD Mgmt page.
Run a fast init on the newly created virtual disk.
Now, hit control P until you're at the PD mgmt page. Assign a global hot spare.

Hit ESC until you are out and then begin your installation process.

With this done, you'll be able to install Windows on the first virtual disk - which will be the MBR partition style.

Then when Windows is up, you can go into disk management and assign the other disk as a GPT partition style. Here is what this looks like:

Of note, the Dell tech also spoke of a UEFI setting in the BIOS that some servers (including this one) have. With that setting enabled, one can create NTFS partitions larger than 2 TB, but I decided to go with this more universal option.

resetting a domain admin password on Windows 2008

I had lost the main admin password on one of my client's Windows 2008 SBS boxes, and I thought I'd have to try one of the many utilities that exist for changing passwords outside of Windows, but instead I found this:

Using just the Windows 2008 DVD, you can reset any domain admin password.

Info recreated here just in case that page is ever taken down:
* Boot onto DVD of Windows Server 2008
* Choose “Repair your computer”
* Launch cmd
* Go to c:\windows\system32
* Rename Utilman.exe to Utilman.exe.bak
* Copy cmd.exe to Utilman.exe
* Reboot on Windows
* Do the keyboard shortcut Windows + U when on the logon screen
* net user administrator Newpass123 inside the cmd
* log on with the domain admin account and this new pass
* change the password to remember it if needed
* Reboot on the DVD to put back the original Utilman.exe
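
To confirm that the last step took effect, the following check (an added example, not part of the original instructions) reports whether Utilman.exe is still a byte-for-byte copy of cmd.exe and whether Utilman.exe.bak was left behind. The function names and the optional known-good reference copy are assumptions of this example; it uses .NET hashing rather than Get-FileHash so that it also runs on PowerShell 2.0.

```powershell
# Added example (not from the original instructions): verify that the real
# Utilman.exe is back in place after the password reset described above.
# Run from 64-bit PowerShell on 64-bit Windows so that System32 is not
# redirected to SysWOW64.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '')
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Test-UtilmanRestored {
    param(
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        # Hypothetical: a known-good Utilman.exe taken from a machine at the
        # same Windows version and patch level.
        [string]$ReferencePath
    )

    $utilman  = Join-Path $System32 'Utilman.exe'
    $cmd      = Join-Path $System32 'cmd.exe'
    $backup   = Join-Path $System32 'Utilman.exe.bak'
    $findings = @()

    if (-not (Test-Path -LiteralPath $utilman)) {
        $findings += 'Utilman.exe is missing: the original was never put back.'
    } else {
        $utilmanHash = Get-Sha256Hex $utilman

        # Identical hashes mean the copy made during the reset is still in place.
        if ((Test-Path -LiteralPath $cmd) -and ($utilmanHash -eq (Get-Sha256Hex $cmd))) {
            $findings += 'Utilman.exe is identical to cmd.exe: Windows + U at the logon screen still opens a command prompt.'
        }

        # Optional comparison against a copy you trust.
        if ($ReferencePath -and ($utilmanHash -ne (Get-Sha256Hex $ReferencePath))) {
            $findings += "Utilman.exe does not match the reference copy at $ReferencePath."
        }
    }

    # A leftover backup suggests the rename was never reversed, or was copied
    # back instead of renamed; either way it is worth a look.
    if (Test-Path -LiteralPath $backup) {
        $findings += 'Utilman.exe.bak is still present: confirm it was restored, then remove it.'
    }

    New-Object PSObject -Property @{
        Restored = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Run on the server after the final reboot.
$result = Test-UtilmanRestored
if ($result.Restored) {
    'Utilman.exe looks restored.'
} else {
    $result.Findings | ForEach-Object { "FINDING: $_" }
}
```

A hash match with cmd.exe is conclusive; a mismatch only shows the two files differ, so supply -ReferencePath or run sfc /verifyfile=C:\Windows\System32\Utilman.exe for a positive integrity check.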

Youtube video of the process here:

viewing mailbox size in Exchange 2007

There isn't a GUI method (as far as I can tell) for viewing mailbox sizes. This page talks about a powershell command to show mailbox sizes:

dealing with broken jumplists in Windows 7

On one of my machines, the jump list for Remote Desktop was not working. It worked in all other programs, but not Remote Desktop. After some research (primarily this page:

I found that it was third party shell extensions that were the cause. Specifically, it was a shell extension called "CopyPathContextMenu" that seemed to have been created by Once I removed that, my Remote Desktop jump list started working normally.

Saturday, May 15, 2010

software encryption for laptops with security needs

I'm mostly tracking this for my information. In situations where one needs to encrypt a laptop to comply with whatever needs you may have:

One option - Credant (offered with Dell computers):

Second option - TrueCrypt (a free option):

scan to email with google mail or other off-site mail servers

I was in a pickle with a copier with a scan to email function and email hosted on google apps. No matter what I tried, I couldn't get the authentication to work. Then I found this page that talks about using hmailserver basically as a relay to gmail. I tried it, and it worked great.

Complete instructions on the hmailserver setup:

EDIT - in a failed installation, I found three things that needed fixing that I didn't do quite right that you may want to pay attention to in the future:
1) if on a machine with a firewall, you'll need to open up port 25
2) the port for sending to gmail must be 465.  I tried 587 - which should work, but it didn't.  I tried this on 12/27/12.  I can't explain that - it was the only change I made so I know that the port number needed to be 465.
3) In Advanced -> IP ranges, you'll want the "firewalled subnets" or whatever you call the range that includes your copier - you'll want priority to be the highest number (meaning if the highest number is 20, you'll want your copier's priority to be 20 or 25 or higher).  I'm used to MX records, so I figured lower would be a higher priority, but that was not true.

Google Apps upgrade impressions

Today, I took a 7 person company and moved them from a shared Linux/POP server to Google Apps. Once I got the process down, it was super easy.

Presuming that you want to keep Outlook in use or use the gmail webmail as your primary interface (which is what it sounds like Google wants you to do), you start the same way.

Start with the Google Apps Sync for Outlook:

Just install that, log in, choose a new profile, and then import and choose the old Outlook profile where all the data is. It'll take a minute before it starts importing, but it'll do it.

This is really the best method. I tried to do an import from a PST file, but that failed several times. The google email updater is also an option, but that requires Outlook to be closed, so it's not convenient for a user to work on while the uploading process is happening.

I also had to set up three Blackberries. Setting up Google sync (which does wireless syncing of calendar and contacts only) was super easy. Just go to this site on the BB, log in, and that's it:

But what was weird was the Google Mail app for Blackberries. You can get that here on the BB:

On the Storm, I was able to get the Google icon to appear. On the 8800 and the 9630, I downloaded and installed the mail app, but there was no Google Mail icon. I installed again. Nothing. So instead, I set up those two BBs with IMAP accounts.

First, I had to enable IMAP. You can't do that on an individual's Google settings. It must be done from an admin's console.

Here's how you enable IMAP company-wide:

Click on Manage this domain
Click on Service settings
On that page, find the check box for "Disable POP and IMAP access for all users in the domain" and UNCHECK that box

Wait 30 minutes and you'll be able to use IMAP to check email for staff on google apps

steps on recreating a corrupt profile

When you've got a corrupt profile, often the only thing you can do is recreate it. I've found myself recreating a profile about once a month for this damn x2upbf.dll problem. Anyway, here's a basic list of steps so that you don't miss anything when doing it.

steps for rebuilding a profile

1) take note of: 1) default printer, 2) default browser, 3) any additional mailboxes configured in Outlook
2) reboot
3) log in as administrator
4) rename profile (change c:\users\%username% to c:\users\%username%.old) in profiles folder and alter registry if Vista or 7 (registry change instructions)
5) reboot (if Vista or 7)
6) log in as user
7) set up Outlook (and archiving as applicable)
8) move back data from old profile to new profile:
a) desktop
b) documents
c) favorites
d) Outlook NK2 file
e) Outlook archives (if applicable)
f) restore Firefox bookmarks from bookmarkbackups - if applicable
g) Chrome data from c:\users\username.old\appdata\local\google\chrome\user data\default
9) set up backup
10) set up VPN
11) add Bcc to new Outlook messages
12) make sure VPN exists
13) add back signature using old sent items
14) add printers (if necessary) and set correct default printer

all DCs in a small environment should be a global catalog server

I'm reading through some documentation that recommends that, in small networks, all domain controllers should be global catalog servers as well.

To make a domain controller a GC server, follow these steps:

1. Start the Active Directory Sites and Services snap-in.
2. In the console tree, double-click Sites, and then double-click the sitename where your server resides.
3. Below the Site, double-click Servers, double-click your domain controller, right-click NTDS Settings, and then click Properties.
4. On the General tab, click to select the Global catalog check box to assign the role of global catalog to this server if it is not already enabled.

Exchange 2007 Service Pack 2 installation tool for SBS 2008

Microsoft released a tool to enable Exchange 2007 Service Pack 2 installs on SBS 2008. Before this tool, it required a bunch of manual stuff to install Exchange 2007 SP 2. You still have to download Exchange 2007 SP 2 separately, but this tool is a must (Microsoft KB 974271).

setting up autodiscover SRV records for SBS 2008 for complete functionality (including out of office assistant)

Exchange 2007 (and 2010) rely on DNS for certain functionality more than Exchange 2003 did. Particularly, I mean the autodiscover record.

A great example is the out of office assistant. This will not work on your Exchange 2007 box unless you have your autodiscover information set properly.

There are a couple ways to set it up, but I'll cover what seems to be the easiest and least costly way - the SRV record.

Some nameservers support SRV records, and some don't (it's different from an A, MX, or CNAME record) - which is where it can get weird, but presuming you have a nameserver that does, you can set up an SRV record with these properties:

Service: _autodiscover
Protocol: _tcp
Port Number: 443

Once that record propagates, your autodiscover will work properly (because SBS autocreates the appropriate information at

There are other options like getting an SSL certificate that encompasses - but that requires more cost and isn't really necessary.

If you can create the SRV record with your nameserver, that's the best method in my opinion.

If you'd like to check on the status of an SRV record, you can follow these instructions or use Microsoft's site at

Hopefully, this will help someone. As I was investigating why my out of office assistant wasn't working, I feel like all the resources available to me were pretty vague about what was needed and how to go about it.

A good tutorial from Susan Bradley is here (which includes screen shots of setting up an SRV record on godaddy's DNS).

enabling shadow copy on SBS 2008

For some reason, shadow copy isn't enabled by default in SBS 2008. Or rather - it's enabled on the C drive, but not other drives - where your data is likely located.

Of note - you enable shadow copies for a drive - not a share. So here's how you enable shadow copies for a drive.

Right click on the drive itself and Configure shadow copies. Select the drive and hit enable. This is a no-brainer to set up for clients, but typically, you won't do it until the first time you need it - which will be too late by then.

too many blacklists on SBS 2008 leads to Earthlink delivery problems

I had this problem for several weeks, and I'm documenting it in case anyone else is unlucky enough to be in this situation and needs to find the solution. I was seeing that Earthlink and Mindspring were not able to send to my domain. The senders would get delivery delay emails and eventually delivery failures on all emails to my domain. With a couple exceptions, everyone else had no problem sending to my domain. So 99% of all email was coming through, but these couple were problematic.

It turns out that I had configured too many real time block list providers (RBLs). When the remote server was connecting to my server, the process of checking the sending server against all 5 RBLs would take some time. In this case, the Earthlink servers wouldn't wait long enough for my server to finish checking - and the Earthlink servers would drop the connection. The solution was to just have one block list provider. In this case I used

So that was it. Just a note for future reference.

checking autodiscover SRV records using nslookup

There are a couple ways to add autodiscover - which is required by Exchange 2007 (and presumably Exchange 2010) for full functionality (more coming on this concept).

One method is to add an SRV record. Because nothing is easy, not all DNS editors allow you to create SRV records. Sometimes, you can add them yourself. Sometimes, you have to write to support. Sometimes, it can't be done. But when it is done, here is how to check on it:

In a DOS prompt, type "nslookup"
Then "set type=srv"
Then the record you want - such as ""

Here's what a properly configured autodiscover looks like:

the anatomy of a fakealert infection

Over the last year, a new type of virus (malware) has become prevalent. The weird part is that antivirus vendors are way behind on detecting these new viruses. It seems new generations of these viruses change just enough to evade detection. This post will show you what it typically looks like when you are infected with one of these viruses - called fakealert viruses.

It starts by visiting an infected site. These don't necessarily need to be inappropriate sites. You can visit an infected site from a regular innocuous google search.

You start by getting a pop-up like this:

For some viruses, hitting OK might infect you - or it might be hitting any of the buttons in the pages that follow. What you're seeing here is a web site pop-up with words on it. It could just as easily be telling you the plot of last night's CSI: Miami. A web page can display anything as you will soon see. In this case, it just happens to be misleading text. The virus can't just infect you - it needs a little help from you in order to run a script.

If you hit ok, you often get something like the screen below. Again, it looks like something your computer is telling you - but it's just a web page. It could be a spoiler for Dancing with the Stars, but it's just an image and text that someone chose to put on there. Nothing is really scanning.

If you try to close the browser, it won't let you. No matter what you try, you get something like this:

And then it will often try to run/download a file to further infect you.

Another example of what you might see:


So what is the answer? You've found your way to a web page that you can tell is trying to infect you - but it's hard/impossible to close your browser (the example here is Firefox - but Internet Explorer is vulnerable as well).

The answer is to close your browser with Windows Task Manager before you can be infected. Hit control-alt-delete and then start the Task Manager. Find your browser on the applications tab (either Internet Explorer or Firefox) and hit end task. This will close your browser without the annoyances and get rid of the potential infection before you are infected (presuming you didn't interact with virus/malware in the web page).

So that's pretty much it. That's what you should be looking for and the best way to avoid infection if you come across these types of viruses/malware. If you find yourself infected, you can use the tools listed here to disinfect your computer.

UPDATE - Symantec talks about fakealert viruses here:

Still no improvement on the handling of these types of malware. Very lame.

malware removal tools

The fakealert malware viruses are everywhere. I've managed to get rid of most of them with just two tools:

rkill - to terminate the running processes
Malwarebytes - to remove the infections

For just about every fakealert virus, I put rkill and mbam.exe (links above) on a flash drive and then run rkill on the infected computer. Then I run Malwarebytes full scan and then remove whatever it suggests.


The other day, I came across a machine with different symptoms - just in time debugging kept coming up over and over again. I fixed it with combofix, but here's also another suggested tool that I didn't have to use:

Dr. Web CureIt

So far, I've fixed every infection I've found using some combination of these tools. I wonder when the antivirus vendors will ever get a hold on this. It's been over a year that these types of viruses have been in the wild.

laptop reliability survey

I came across this laptop reliability survey, and I thought I'd keep track of it as it's pretty interesting - first time I've seen it. It came from here:

In case the link disappears, here's the important graph:

pdf995 requires Program Compatibility Assistant on Windows 7

I had a Windows 7 computer where I had installed PDF995, but found that it didn't show up in the list of printers. Then I found this - which said that you need to make sure the Program Compatibility Assistant service is started. In this case, the PCA was set to manual - but it was not started. I started it - uninstalled PDF995 and reinstalled it and voila - it worked. Weird.

installing Filemaker on Windows 2008 SBS (or Standard)

I had quite an ordeal installing Filemaker Server on Windows 2008 SBS. I won't bore the people who don't care about my troubleshooting and just provide the relevant details:
  • Filemaker 10 is necessary on Windows 2008. Filemaker 9 is not supported (I tried and failed).
  • If installing on 64 bit Windows (SBS or otherwise), install the 64 bit version of Apple Bonjour first (Bonjour is required and the FMS install tries to install the 32 bit version). Credit for that advice belongs here.
  • You need to open ports 5003, 16000, and 16001 on the server for the clients to interact properly with the server
  • Filemaker Server 10 can use any level of Filemaker Pro on the desktop end - 8, 9, or 10 (and presumably 7)
  • Web publishing should not be used on your SBS box. SBS isn't supported by Filemaker - though it works - but even if you use it - the web publishing stuff will conflict with some of the IIS stuff that SBS uses

Blackberry Controller Service stops with error error 5003 (0x138B)

On one of my SBS 2003 servers, I run Blackberry Professional Server Express. All of a sudden, last night at about 7 pm, I got this in my application event log:

EVENT ID 20000
DATE / TIME 2/25/2010 7:05:00 PM
MESSAGE Could not connect to Service Control Manager at \\ 1722

and then I got this error when trying to start the Blackberry Controller Service - which was stopped:
The BlackBerry Controller service terminated with service-specific error 5003 (0x138B).

Long story short . . .

For some reason, the DNS Server service causes some problem with the Blackberry Controller service. It's easily fixed by stopping the DNS Server service and then starting the Blackberry Controller service. And then you can restart the DNS Server service. It's not a big deal - but it looks like I'm going to have to go through this stupid rigmarole each time I reboot the server from this point forward.

using an SBS 2003 box after a 2008 migration

Typically, you wouldn't use your SBS 2003 box after you've done an SBS 2008 migration. In my most recent upgrade, I did need to use it. I had Filemaker Pro 9 on the SBS 2003 box, which apparently can't be installed on 64 bit Server 2008. As part of the 2008 migration, I took the SBS 2003 box out of the domain and put it in a workgroup and demoted it to a member server. Not being in the domain wasn't a big deal - Filemaker didn't need to be in the domain - the clients just needed to see the server over TCP/IP. However, the server kept shutting down every two hours or so saying that the server needed to be a domain controller. The easy solution was to put the server in a new domain and run dcpromo. Problem solved.

notes on SBS 2008 upgrade

I did my first SBS 2008 upgrade from SBS 2003 this week - and it was surprisingly easy - though time consuming. Here are my thoughts on it:
  • the Microsoft SBS 2008 migration demo is generally excellent and following it is a MUST. It is here
  • After you create the answer file and stick it on a flash drive, you can start the installation using regular non-migration means (in my case, I used the Dell OpenManage CD to start the SBS 2008 installation). There's no real indication that you're doing a migration until you're quite a bit into the process. It doesn't really prompt you for a migration, it just starts doing it when it sees the answer file part of the way into the process
  • After it detected the answer file and began doing the install, it said "this process may take 30 minutes or more" - it took 2.5 hours. Of note the machine I was installing on was a Dell PowerEdge T310 with 12 GB of RAM, a Xeon X3450 processor at 2.66 Ghz, and 7200 RPM drives
  • the mailbox migration took 11.5 hours - going from a 3 Ghz Xeon something with 3 GB of RAM, and 7200 RPM drives to the aforementioned PowerEdge T310. Amazingly, it was only 44 mailboxes and 18 GB of data. I saw a reference to someone else who migrated 57 mailboxes with 50 GB of data in 3 hours 20 minutes.
There are some other parts to it - like the potential necessity of having to change your SSL certificate (the default is You are also required to use a certain set of IP addresses - either 10.X.Y.Z or 192.168.Y.Z or 172.X.Y.Z.

Overall, things went great. I'll post more notes when I do my next migration.

finding install date for servers/computers

Here is a simple command for finding the installation date for a computer:

systeminfo | find /i "install date"

Just put that in a DOS prompt and it will output a single date.

winsock failed to initialize

When cleaning up a fakealert virus the other day on an XP machine, I had successfully cleaned it, but none of the network interfaces could get an IP address. My only real clue was a simple dialog box that said "winsock failed to initialize"

Luckily, I found this utility:

I ran it, and it fixed my problem very easily.

altering the default lockout policy on Server 2003 (SBS or Standard)

For servers that are publicly facing, it's possible that hackers will attempt to hack you. Recently, I had a hacker try to guess logins and passwords over and over and over again (thousands of times) over port 25. I was able to thwart that by disabling port 25 for a bit (15 minutes) and the hacker lost interest. But theoretically, had I not seen the hacker attempting, he could have tried hacking forever, just guessing and guessing.

There's no lockout policy for invalid usernames. If the hacker is guessing on jsmith and you don't have a jsmith user, he can keep guessing forever. The lockout policy will not apply. But if the hacker is trying legitimate user names, the hacker should be locked out after a limited number of attempts. I have seen the default as no limit and as 50 attempts on SBS machines.

The number of attempts should be 6 or fewer and the lockout times should be 15 minutes or longer.

You can get to the appropriate place via:

Group Policy Management -> expand to default domain policy, right click on default domain policy and click edit. Then edit these fields:
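
To confirm which policy the server actually applies, read it back with net accounts and compare it with the limits above. This is an added example, not part of the original post: the function names are hypothetical, the two sample outputs are constructed (one weak, using the 50-attempt value mentioned above, and one hardened), and the label text assumes English-language Windows.

```powershell
# Added example: audit "net accounts" output against the limits in this post
# (6 or fewer attempts, lockout of 15 minutes or longer).

function Get-LockoutPolicy {
    param([string[]]$NetAccountsOutput)
    $policy = @{}
    foreach ($line in $NetAccountsOutput) {
        # Lines look like "Lockout threshold:            50"
        if ($line -match '^\s*(Lockout threshold|Lockout duration \(minutes\)):\s+(\S+)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    $policy
}

function Test-LockoutPolicy {
    param([hashtable]$Policy, [int]$MaxAttempts = 6, [int]$MinMinutes = 15)
    $findings  = @()
    $threshold = $Policy['Lockout threshold']
    $duration  = $Policy['Lockout duration (minutes)']

    if (-not $threshold) {
        $findings += 'Lockout threshold not found in the output (non-English Windows?).'
    } elseif (($threshold -eq 'Never') -or ($threshold -eq '0')) {
        # "Never" means no limit: valid accounts can be guessed at indefinitely.
        $findings += 'No lockout threshold is set.'
    } elseif ($threshold -notmatch '^\d+$') {
        $findings += "Lockout threshold '$threshold' could not be parsed."
    } elseif ([int]$threshold -gt $MaxAttempts) {
        $findings += "Threshold is $threshold attempts; expected $MaxAttempts or fewer."
    }

    # Assumption of this example: a duration of "Never" means the account stays
    # locked until an administrator unlocks it, which satisfies the minimum.
    if ($duration -and ($duration -ne 'Never')) {
        if ($duration -notmatch '^\d+$') {
            $findings += "Lockout duration '$duration' could not be parsed."
        } elseif ([int]$duration -lt $MinMinutes) {
            $findings += "Lockout lasts $duration minutes; expected $MinMinutes or longer."
        }
    }
    $findings
}

# Constructed samples, trimmed to the relevant lines of "net accounts".
$weak = @'
Lockout threshold:                                    50
Lockout duration (minutes):                           5
Lockout observation window (minutes):                 5
'@ -split "`r?`n"

$hardened = @'
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
'@ -split "`r?`n"

foreach ($sample in @{ Name = 'weak'; Lines = $weak }, @{ Name = 'hardened'; Lines = $hardened }) {
    $findings = @(Test-LockoutPolicy (Get-LockoutPolicy $sample.Lines))
    if ($findings.Count -eq 0) {
        "$($sample.Name): meets the limits"
    } else {
        $findings | ForEach-Object { "$($sample.Name): $_" }
    }
}

# Live use on the server itself:
#   Test-LockoutPolicy (Get-LockoutPolicy (net accounts))
# To read the domain policy instead of the local one:
#   Test-LockoutPolicy (Get-LockoutPolicy (net accounts /domain))
```

Neither setting limits guesses against usernames that do not exist, so this audit only covers the valid-account case described above.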

Removing password requirement for mobile devices on Exchange 2007 and/or SBS 2008

When you put in a Windows 2008 SBS box, it puts in a password requirement once the mobile device (for example - an iphone) has an active Exchange ActiveSync connection.

You can alter that setting in Exchange Management Console under Organization Configuration -> Client Access -> right click on Windows ... Mobile Policy ... and unchecking require password on the password tab.

In my experience, you need to remove and re-add the account on the mobile device after making the settings change (at least on an iphone 3Gs I tested on)

More details here:

Symantec Endpoint Protection eating up disk space

On two of my servers, I found Symantec Endpoint Protection eating up disk space like crazy. In each case, they had many, many temp folders that amounted to many gigs of data in this folder:

C:\Program Files\Common Files\Symantec Shared\SymcData\sesmvirdef64

There doesn't seem to be any harm in deleting them. Very strange - very lame.

Syswan router VPN passthrough has reverse setting

I've become a fan of Syswan routers as they are a cheap, functional business class router. There aren't a lot of routers in the sub $300 category that aren't the residential wireless routers that are sub $100.

Today, I was troubleshooting the fact that users at a site with a Syswan router couldn't make outgoing VPN connections. After checking, PPTP passthrough was enabled, so I disabled it. And voila - it worked. So it seems, in some cases (not all) - the PPTP passthrough box has the reverse of the intended effect. Screen shot below of a setting that DOES work for PPTP passthrough. The model of this router is Syswan Duolinks 24 VPN.