Home / Blog
Notes from the field
Older posts on Exchange administration, security tools, and everyday troubleshooting — carried over from the original site.
Secure communications in an insecure world
A roundup of tools worth knowing if privacy matters to you: ProtonMail for encrypted, ad-free webmail; Mailvelope for adding PGP encryption on top of any browser-based email; Kleopatra for managing OpenPGP/X.509 keys; and OpenKeychain for encrypting messages on Android.
On the network side, a VPN like IPVanish keeps browsing private without logging activity, while Signal replaces default SMS with end-to-end encrypted messaging and calls. Browser add-ons HTTPS Everywhere and Privacy Badger push connections to encrypted versions of sites and block known trackers automatically.
For anonymity-focused setups, Tor routes traffic through relays to obscure your location, and Tails is a live Linux OS that boots from USB and retains nothing between sessions. Calyx offers both an anonymous mobile hotspot and a free XMPP messaging server. Rounding it out: Dashlane for password management, an app locker for sensitive apps on your phone, and DuckDuckGo/StartPage as tracker-free search alternatives.
The Blue Screen of Death — a troubleshooting checklist
A BSOD (STOP error) means Windows hit something serious enough to halt entirely — almost always hardware or driver related. General approach, roughly in order:
- Think back to the last change made (new install, driver update, patch) and undo it — Last Known Good Configuration, System Restore, or a driver rollback.
- Confirm free disk space on the system drive — Microsoft's 100MB minimum is really a bare floor; aim for at least 15% free.
- Run a full virus scan, including MBR/boot sector, since some malware triggers BSODs directly.
- Apply outstanding Windows updates and service packs, and update hardware drivers.
- Check Event Viewer's System and Application logs for clues.
- Reset Device Manager settings and BIOS settings to defaults — non-default resource assignments and overclocked BIOS settings are common culprits.
- Reseat internal cables, memory, and expansion cards.
- Run memory and disk diagnostics; replace failing hardware.
- Boot with minimal hardware attached to isolate a bad component.
Back pressure in Exchange 2007, 2010 and 2013
Back pressure is Exchange's built-in resource-protection mechanism on Hub Transport and Edge Transport roles. When disk space, memory, or queue database utilization crosses a threshold, the transport service throttles or stops accepting new connections to protect message delivery for what's already queued.
There are three states — Normal, Medium, and High — with increasingly aggressive restrictions on which connections get accepted. The most common real-world trigger is low free disk space on the drive hosting the message queue database; Exchange needs roughly 4GB free there as a floor. Watch for Event IDs 15004–15007 in the event log, which flag utilization-level changes. In nearly every case seen in the field, the root cause traces back to disk space on the database drive.
OWA login: "Your account has been disabled"
A recurring issue: users suddenly can't log into Outlook Web App and get an "account has been disabled" error, even though nothing was actually changed in Active Directory. This is typically caused by stale cached AD information about a mailbox — sometimes following a mailbox deletion and reattachment to a new account SID, sometimes with no obvious trigger at all.
The fix in both cases: run Clean-MailboxDatabase –Identity <Database Name> in the Exchange Management Shell. This forces a rescan of AD and refreshes the disconnected-mailbox status for the target database.
Exchange 2013 SP1's late-breaking transport agent bug
Shortly after Exchange 2013 SP1 shipped, a bug surfaced that broke third-party transport agents — the mechanism anti-spam and anti-malware products (TrendMicro, Symantec, Exclaimer, and others) use to hook into Exchange's message flow. A malformed XML comment in an assembly redirection policy file, introduced during a late security fix, caused the Global Assembly Cache to reject those agents entirely.
Microsoft published a PowerShell-based fix quickly, and the underlying issue was corrected in the next cumulative update. The broader lesson: it's difficult for any vendor to validate every third-party product that might touch Exchange's transport pipeline before a release ships, which is part of why staying a patch or two behind "bleeding edge" on production mail systems remains reasonable practice.
The problem of viruses and malware
The most common complaints from customers are performance-related: a slow, freezing computer, unexpected pop-ups, or antivirus software that isn't catching what's clearly there. Malware removal is genuinely difficult, even for people who do it daily — infections often chain together (spyware pulling in adware, adware pulling in a virus), some regenerate after being "cleaned," and some actively block removal tools from installing.
There's no shortcut that reliably works for every infection; it usually takes a combination of tools, multiple reboots, and a fair amount of patience to fully clear a system and confirm it stays clean.
Ways to maintain your privacy while online
Three practical starting points, prompted by renewed attention to online surveillance: switch to a privacy-focused browser like Tor, which relays traffic through proxy servers to mask your IP; switch to a privacy-respecting search engine so you get standard search results without being tracked; and switch to an email provider like ProtonMail that doesn't require identifying information and encrypts messages between its own users by default.
Exchange best practices checklist
A punch list worth running through on any Exchange environment: store logs on a separate physical drive from databases (RAID 5 for databases, RAID 1/10 for logs); split mailboxes across at least two databases rather than one; keep individual databases under roughly 100GB and mailbox sizes under 5GB; run inbound and outbound spam filtering; lock receive connectors down to known-good IPs; enforce send/receive size limits; and use a proper SSL SAN certificate for OWA.
Beyond that: enable OWA and Outlook Anywhere, disable open relay, and make sure SPF and Autodiscover DNS records are correctly published internally and externally. On the operational side — set Application log size to at least 40MB, move the TEMP path and pagefile off the C: drive, run the Exchange Best Practices Analyzer, weigh the tradeoffs of circular logging (it can cost you a full day of mail if a dirty shutdown hits at the wrong moment), and confirm every CAS-related DNS name (ECP, OWA, ActiveSync, OAB) is configured correctly, since a single misconfigured entry causes disproportionate client-side pain.