
Archive for November, 2014

Had a weird one earlier today.  I installed the Windows Server Backup feature on two Windows Server 2012 R2 servers in the same VMware farm.  On one server I could start the wbadmin.msc snap-in immediately, but on the other I couldn’t find it at all.  I couldn’t find anything in the event logs to explain why it would be missing on that one server.  The problem wasn’t resolved by either a reboot or by uninstalling and re-installing the feature.

A quick search on Google revealed that some people had resolved the issue by installing the Windows NLB feature. This somewhat bizarre workaround also did the trick for me – although I found I only needed to install the RSAT tools for NLB rather than the whole feature.  Here’s the proof!


These are the days when you don’t try to explain things – just shrug and move on!


The first thing that struck me after lifting the phone out of the box was how heavy it was. My Samsung S3 (the sole victim of a fatal hit-and-run incident recently) was much lighter.

It feels substantial, solid and it definitely won’t bend in your pocket! I wouldn’t want to drop it though. The brushed metal edging makes it look classy, but at the same time a tad rigid, and I can’t help thinking some of the cheaper models with plastic surrounds might survive a fall better. I’ve been looking around for a good case – something that won’t spoil the phone’s good looks or make it look like an encyclopaedia in my pocket.


After three weeks the phone and I are getting on really well. I was more than slightly prepared to hate it after having had Android phones for the past 5 years. I don’t miss my S3 and have few things to quibble about. Here’s a quick summary of the pros and cons as I see them…


  • The screen clarity is amazing. Text and graphics are razor sharp and the orange-effect theme is attractive to the eye.
  • The camera is mind-blowing. I can’t believe a phone can have a 20MP camera built-in!  I’m possibly the world’s worst photographer, but I’ve even managed to take some attractive looking pics (check out the photo of Breaker Bay, Wellington below).


  • The processor has plenty of grunt. Apps load quickly and you don’t seem to spend time waiting for things to load. The exception is if the app is waiting for content to be downloaded from the web or for location information to sync.
  • Windows tiles, metro (or whatever you want to call it) work really very well on the phone. I’ve pretty much got everything I need accessible from the 3 tile columns above the page fold.
  • In-call sound quality is excellent. This wasn’t always the case with my S3.
  • The built-in speaker is awesome. I like to listen to web-radio or podcasts if I can’t sleep at night. The sound quality from the tiny speaker is really very good – rounded and not at all tinny like you might expect.


  • I miss the notification lights on the S3. It was helpful to simply glance at the phone occasionally to see if I’d missed a call or a SMS. Not so with the 930 where I have to unlock the screen to look at my notifications.
  • No Cortana in New Zealand. I’m not sure how much I’d actually use Cortana, but I’d like to have the option of using it to find out where to find a decent Islay single malt locally for under $75. I’m slightly peeved one of the most touted features of Windows Phone 8.1 isn’t available to me. And, yes, I know there are ways to get Cortana to work by setting everything to US/English, but this breaks other things (such as BBC iPlayer).
  • The touch screen is not quite as responsive as the S3. I find I have to tap the screen a little harder.  Not a biggie - I’m getting used to it.

A lot of people bang on about the paucity of Apps available for Windows Phone. I use only about half a dozen well-known Apps and they’re all available from the store, so it’s not been an issue for me.

All-in-all I’m a happy camper. Even more satisfying is that I didn’t pay a fortune for it. It cost me NZD640 with shipping (via a parallel importer). That’s around about the same as a Samsung Galaxy S5 and about NZD350 cheaper than an iPhone 6.


A question came up in the forums today about how to use the AD PowerShell cmdlets to find objects with attribute values that contain a single space. It’s a good question and relevant because often your results can be skewed by such values when searching for attributes that are not NULL (a space character is not a NULL). Anyway, here’s an example of how to do it using the LDAPFilter.

Get-ADUser -LDAPFilter "(telephonenumber=\20)"

The “\” is the standard escape character for use in LDAP searches and “20” is the HEX representation of the space character.

The filter should also work with other LDAP clients (e.g. LDP.EXE).


You might come across a slight gotcha with SPF records if you are using Exchange Online Protection (EOP) to provide protection for your on-premises mail environment and you don’t need to use EOP to scan your outbound (i.e. on-premises to Internet) messages. If this scenario is of interest to you, read on…

You may be aware that I run a mailing list running on a single server over at ActiveDir.org that provides a forum for discussions on the topic of Active Directory. I set up Exchange Online Protection (EOP) to cover the mail.activedir.org namespace a little while ago as a lower-cost alternative to my previous anti-malware provider. When you first set up EOP there are some DNS records that you are asked to configure. In fact, these *appear* to be mandatory based on the wording (see below).


Without really thinking too deeply about it, I went ahead and configured the TXT record in DNS for SPF. With hindsight I shouldn’t have done this as I only wanted the traffic from the Internet to my on-premises mail server to be scanned for malware. I don’t need the SMTP traffic in the other direction to be scanned for malware because the only mail generated on the server is from the mailing list (list server) and as such has been scanned on the way in.

All appeared fine for a month or so and then fellow MVP Brian Arkills queried why he wasn’t receiving any email from the list. After a bit of digging, his infrastructure guy pointed to a problem with my SPF TXT record. Basically, the “-all” part of the record indicates that only the servers matching spf.protection.outlook.com are responsible for sending mail from mail.activedir.org. If a different server tries to deliver mail from that address the receiving MTA should fail the SPF check. Interestingly, most organisations treat this as a soft fail and deliver the email anyway. Not so the University of Washington, which is why Brian wasn’t receiving the list emails.

Once alerted to the problem, I modified the record like this:

v=spf1 a -all

What this says to the receiving MTA is to only pass the SPF check if the sending server matches the A record for the namespace (i.e. my mail server).

That all seemed fine but then I looked at the message headers for emails that I was receiving from the list.  I am subscribed to the list with a standard cloud-based O365 email address. The header contained the following:

Received-SPF: Fail (protection.outlook.com: domain of mail.activedir.org does not designate as permitted sender)  receiver=protection.outlook.com; client-ip=;  helo=emea01-db3-obe.outbound.protection.outlook.com; Authentication-Results: spf=fail (sender IP is  smtp.mailfrom=activedir-owner@mail.activedir.org;

The IP address maps to emea01-db3-obe.outbound.protection.outlook.com (very clearly not my mail server). So what was going on? Why was the sending server showing as one of the outlook.com servers and not my mail server? I don’t know for sure but my best guess is that the O365 cloud servers are also EOP servers (makes sense). The EOP servers *think* they are responsible for the mail.activedir.org namespace and as such will effectively take over as the perceived sending server. The upshot was that I needed to go back to my SPF record and change it to include the EOP servers. It now looks like this:

v=spf1 a include:spf.protection.outlook.com -all

To summarise then:

  • Emails coming from my mail server to non-O365 addresses need to have a SPF TXT record that matches my mail server (via the A record for mail.activedir.org).
  • Emails coming from my mail server to O365 addresses need to have a SPF TXT record that matches the name required by EOP (spf.protection.outlook.com)

More than slightly confusing isn’t it? But then I guess I have a slightly unusual configuration.
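The three records can be compared side by side with a small SPF evaluator. This is an added example, not code from the original post: the IP addresses and the contents of the spf.protection.outlook.com record are constructed stand-ins from documentation ranges, and the first record (which the post describes but does not quote) is assumed to be the include-only form.

```python
import ipaddress

# Constructed DNS data: documentation ranges stand in for the real hosts.
A_RECORDS = {"mail.activedir.org": ["192.0.2.10"]}  # on-premises list server
TXT_SPF = {"spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RECORDS = {
    "eop_only": "v=spf1 include:spf.protection.outlook.com -all",  # assumed form
    "a_only": "v=spf1 a -all",
    "combined": "v=spf1 a include:spf.protection.outlook.com -all",
}
SENDERS = {"list_server": "192.0.2.10", "eop_outbound": "198.51.100.25"}

def check_spf(record, client_ip, domain):
    """Subset of RFC 7208 (a, ip4, include, all); first matching term decides."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            matched = client_ip in A_RECORDS.get(arg or domain, [])
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # An include matches only when the included record returns "pass".
            # Simplification: a missing record is treated as "no match".
            inner = TXT_SPF.get(arg, "")
            matched = check_spf(inner, client_ip, arg) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def results():
    """Verdict for every (record, sender) pair for mail.activedir.org."""
    return {(r, s): check_spf(txt, ip, "mail.activedir.org")
            for r, txt in RECORDS.items() for s, ip in SENDERS.items()}

if __name__ == "__main__":
    for (r, s), verdict in results().items():
        print(f"{r:9} {s:13} {verdict}")
```

Only the combined record passes for both sending paths; each single-mechanism record fails one of them at the `-all` term.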

For more information on SPF, this web site is a great starting point: http://www.openspf.org/