Archive for August, 2009

Configuring Roles and Features in Windows Server 2008 R2

August 26, 2009 2 comments

Windows Server 2008 includes a command-line utility called servermanagercmd.exe that allows administrators to configure roles, role services, and features from the command line. Beginning with Windows Server 2008 R2, however, servermanagercmd.exe has been deprecated. When you attempt to run servermanagercmd.exe you will receive the following message:

Servermanagercmd.exe is deprecated, and is not guaranteed to be supported in future releases of Windows. We recommend that you use the Windows PowerShell cmdlets that are available for Server Manager.

Servermanagercmd.exe has been replaced with new PowerShell Server Manager cmdlets (pronounced ‘command-lets’). Before we can use these new cmdlets we must first import them. Open an elevated PowerShell command prompt and enter the following command:

import-module servermanager

Here are the three new PowerShell cmdlets and their corresponding servermanagercmd.exe equivalents [in brackets]:

Add-WindowsFeature [servermanagercmd.exe –install]

Get-WindowsFeature [servermanagercmd.exe –query]

Remove-WindowsFeature [servermanagercmd.exe –remove]

For more information regarding the new PowerShell cmdlets and servermanagercmd.exe, please refer to the Overview of Server Manager Commands article on Microsoft Technet.

Categories: General, Utilities

Microsoft Exchange Server Remote Connectivity Analyzer

August 25, 2009 Comments off

My good friend Andy Tang, who works for e92Plus over in the UK, blogged recently about some issues he was having with ActiveSync on IAG. In his post he talks about using a wonderful utility called the Microsoft Exchange Server Remote Connectivity Analyzer. This online tool will allow you to remotely test ActiveSync, Outlook Anywhere (RPC/HTTP), and inbound SMTP. Excellent!

Categories: Troubleshooting, Utilities

Troubleshooting Basic HTTP Connectivity Using VBScript

August 25, 2009 Comments off

As a follow up to my last blog post I wanted to share with you a way to perform basic HTTP connectivity testing using VBScript. Using the GetAllResponseHeaders method of the XMLHTTP object we can easily retrieve and display response headers returned by a web server. The VBScript code looks like this:

Option Explicit

Dim HTTP, Site

Site = InputBox(“Enter site name:”, “Get All Response Headers”)

Set HTTP = WScript.CreateObject(“Microsoft.XMLHTTP”)

Call HTTP.Open(“HEAD”, “http://” & Site, False)
Call HTTP.Send()

MsgBox HTTP.GetAllResponseHeaders(), vbInformation, “Response Headers for ” & Site

Set HTTP = Nothing

Copy the code above to a text file and save it with a .vbs extension. Double-click on the file and you will be prompted to enter a web site to test.


Enter the name of the web site to test and choose ‘Ok’. The script will send a request to the web server and display the response headers returned.


Admittedly this code is very rudimentary, but it is a simple and effective way to troubleshoot HTTP connectivity issues. If you are interested in something similar that has many more features, including the ability to use specific HTTP commands, perform logging, use a proxy server, specify a USER AGENT string and much more, visit Jim Harrison’s and download his very powerful HTTP_TEST VBScript.

Troubleshooting Basic HTTP Connectivity Using A Telnet Client

August 21, 2009 1 comment

In my last blog post I demonstrated how to use the Windows telnet client to perform basic network connectivity troubleshooting. In this post I will demonstrate how to use the telnet client to interactively perform basic HTTP troubleshooting.

Note: This post assumes that you have a fundamental understanding of the HTTP protocol. If you are not familiar with HTTP and would like to learn more, there are some excellent books on the subject available. Two books that I recommend are HTTP – The Definitive Guide and the HTTP Pocket Reference, both from O’Reilly Books.

To begin, open a command prompt and enter the command telnet. This will bring up a telnet command prompt.


Notice that the escape character is CTRL+]. We’ll need to know this later. Next, enter the command set localecho. This command allows us see the text that we type in the command window.


To establish a connection to a web server on the default port, the command syntax is open <IP address, FQDN, or hostname> <port>.

For example…

open 80


After you enter the open command and hit enter, it is not readily apparent that a connection has been made to the web server. That’s because the cursor immediately jumps to the upper left corner of the command window.


Before entering commands, hit the enter key a few times to bring the cursor to a clear area in the window.


Now that we have established a connection, we are ready to issue some basic HTTP commands to the web server. Let’s begin by retrieving the default web page for the site Although a full-featured HTTP client will send many request headers to a web server to retrieve content, the RFC specifies that only the HOST header is mandatory for HTTP 1.1. First we will send a GET command requesting the default page, then we will provide the HOST header to let the web server know which web site we are requesting content from (this is required because the web server may be hosting multiple web sites using the same IP address).

To retrieve the default page from, enter the following commands:

GET / HTTP/1.1


These commands are case sensitive! Be sure to enter them exactly as shown above. After entering the HOST information, hit enter twice to send the commands to the web server. If successful, the web server will respond with the requested content.


Enter the escape command sequence CTRL+] to return to the telnet command prompt.

Additional Examples

Instead of retrieving the content of the web page, we could request that the web server send response headers only. This can be accomplished by entering the following commands:



If successful, the web server will send only the response headers and not the content of the web page itself.


Although somewhat useful in troubleshooting basic HTTP communication, the telnet client isn’t the best tool to use. As you will quickly see, the telnet client will not allow you to backspace if you make a typo entering a command. The advantage of using the telnet client is that it is installed on most Windows operating systems by default. Thankfully, a much more robust and feature rich tool is available from Microsoft. WFetch is a GUI utility that allows you to issue many different commands to the web server and includes support for multiple authentication methods. It includes the flexibility to manipulate headers and provides the ability to direct communication through a proxy server. If you are performing advanced troubleshooting or want to learn more about HTTP communication, you can find out more about using WFetch here.

Troubleshooting Basic Network Connectivity Using A Telnet Client

August 18, 2009 Comments off

The telnet client included with Windows is a useful low level diagnostic tool. When troubleshooting a network connectivity issue, it is a simple and effective way to determine if you can establish a TCP connection with a remote host on a particular port. The command syntax is:

telnet <IP address, FQDN or hostname> <port>

For example…

telnet 445

This command instructs the telnet client to open a TCP connection to the server on port 445 (which is used by SMB). A successful TCP connection was made if the command prompt disappears and you are left with only a flashing cursor.



You can confirm this by monitoring the communication with a protocol analyzer (e.g. Network Monitor or Wireshark) when you execute the command.


Note: The example above uses a fully-qualified domain name (FQDN). When using FQDN’s or hostnames, make certain that name resolution is working properly if you are unable to establish connectivity.

Additional Examples

telnet dc01 389

This command establishes connectivity to dc01 on TCP port 389 (LDAP).

telnet 3389

This command establishes connectivity to on TCP port 3389 (RDP).

Unable To Connect

If a connection cannot be established you will receive the following error message:

Could not open connection to the host, on port <port number>: Connect failed

This error message does not explain why the connection could not be established, however. It may be that the remote host was not listening on the specified port, the remote host was not reachable, or perhaps a firewall on the remote host or in the network path between the client and the remote host denied the connection. Looking at the communication with a protocol analyzer provides more information. For example, if the remote host is reachable but not listening on the port requested, the remote host will reply with a TCP reset.


If the remote host was not reachable or a firewall denies the communication there will be no replies.


Telnet Clients

Historically the telnet client has been installed by default on all Windows operating systems. That changed beginning with Windows Vista. With Windows Vista and Windows 7 you will need to open the ‘Programs and Features’ control panel application and in the task pane select the option to ‘Turn Windows features on or off’.


Select ‘Telnet Client’ and choose ‘Ok’ to install it.


On Windows Server 2008 systems it is even easier to install the telnet client. From an elevated command prompt enter the following command:

servermanagercmd -i telnet-client

In addition there are numerous third-party telnet clients available for Windows. Some are free such as the popular Putty telnet client, and some are commercial such as SecureCRT. Third-party telnet clients offer advanced featuers not found in the native Windows telnet client and also support additional protocols such as SSH and RLogin.

In my next post I will demonstrate how to perform basic HTTP troubleshooting using a telnet client.

Microsoft Internet Explorer 8 Scores Highest in Browser Security Testing

August 14, 2009 Comments off

NSS Labs recently released the results of its latest web browser security testing. Microsoft Internet Explorer 8 rated highest among all web browsers in terms of protecting users from socially engineered malware and phishing attacks.

: )

Categories: General, Random

Configuring Microsoft ISA Server 2006 Web Proxy to Prompt Authenticated Users

August 10, 2009 17 comments

When the ISA firewall is configured as a forward proxy server, the web proxy listener is configured to use integrated authentication by default.


A web proxy client makes its initial request anonymously. If there are no policies allowing anonymous access to the requested destination, the ISA firewall responds with a challenge for authentication in the form of an HTTP 407 response (proxy authentication required).


The client then resubmits the request, this time providing credentials to the firewall. This transaction is completely transparent to the end user. The credentials supplied to the ISA firewall are that of the current logged on user. If the user does not have permission, the ISA firewall denies the request without prompting. This behavior is by design.

There are situations in which this behavior is not desirable. Recently I was working with a customer who had workstations configured to log on automatically with a non-privileged domain service account. These workstations were used to access a web-based application on the local intranet. There are times when privileged users will need access to the Internet from these systems, but they will need to do so without logging the service account off. To meet these requirements we needed to configure the ISA firewall to prompt authenticated users for credentials if they are initially denied access.

Making this change required setting the value of the ReturnAuthRequiredIfAuthUserDenied property of the web proxy listener to ‘true’. When configured, the ISA firewall will prompt authenticated users for credentials when they are denied access. This change cannot be made via the management console; it can only be configured programmatically. The MSDN reference for this property contains a VBScript that is used for changing this setting, or you can download the script here. Run the script from the command line on the ISA firewall with the argument ‘true’ to enable prompting for authenticated users who are denied access and ‘false’ to disable it.

For example…

ReturnAuthRequiredIfAuthUserDenied.vbs true

…enables the prompting of authenticated users who are denied access, and…

ReturnAuthRequiredIfAuthUserDenied.vbs false

…disables it.