Tuesday, October 30, 2012

Delete Files older than X Days BATCH SCRIPT

To delete files older than X days use the following script:

forfiles.exe /p D:\Files /s /m *.* /d -7 /c "cmd /c del @file"
/p - This parameter specifies the path that contains the files I wish to delete.
/s - This parameter tells the program to recurse into any subfolders to look for additional files.
/m - If you want to target a specific file type, this parameter lets you limit the search to matching files, such as *.doc for Word documents. In my case, I looked for all files (*.*).
/d - This one is the key parameter: it specifies the last modified date value. In my example I specify "-7", which selects files whose last modified date is 7 or more days before the current date.
/c - This is the command that I execute on each file found by the program. The delete command is executed in a command window for each file.
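The same retention cleanup written in PowerShell, as an added example that is not part of the original post. It keeps the forfiles defaults above (D:\Files, 7 days, *.*) as parameters and, because it uses ShouldProcess, can be run with -WhatIf to list what would be deleted before anything is removed, which is the check worth doing before scheduling a delete against a file share.

```powershell
# Added example, not from the original post: the same cleanup as the forfiles
# command above, written in PowerShell so it can be previewed with -WhatIf.
# Defaults match the forfiles example (D:\Files, 7 days, *.*).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path   = 'D:\Files',   # /p      folder to clean
    [int]$Days      = 7,            # /d -7   age threshold in days
    [string]$Filter = '*.*'         # /m *.*  file name filter
)

# forfiles /d -7 selects files whose last-modified DATE is on or before today
# minus 7 days, so compare calendar dates rather than exact timestamps.
$cutoff = (Get-Date).Date.AddDays(-$Days)

# /s: recurse into subfolders; skip directories so only files are removed.
$old = @(Get-ChildItem -Path $Path -Filter $Filter -Recurse |
         Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime.Date -le $cutoff })

foreach ($file in $old) {
    # With -WhatIf, ShouldProcess only prints "What if: ..." and returns $false,
    # so nothing is deleted; without -WhatIf the file is removed.
    $action = 'Delete (last modified {0:yyyy-MM-dd})' -f $file.LastWriteTime
    if ($PSCmdlet.ShouldProcess($file.FullName, $action)) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

Write-Output ('{0} file(s) older than {1} days found under {2}' -f $old.Count, $Days, $Path)
```

Save it as Remove-OldFiles.ps1 and run `.\Remove-OldFiles.ps1 -WhatIf` first; once the preview lists only what you expect, drop -WhatIf or schedule it as the task.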
 

VB Script - Remove Files from being Read Only

The VBScript below uses Scripting.FileSystemObject to go through files and remove the read-only attribute.  I found it quite handy for a scheduled task when dealing with a rogue application.

Const ReadOnly = 1                  ' FileSystemObject attribute bit for read-only
Dim fso, fl, FileName
Set fso = CreateObject("Scripting.FileSystemObject")
FileName = "C:\Path\To\File.txt"    ' placeholder: path of the file to fix
If fso.FileExists(FileName) Then
    Set fl = fso.GetFile(FileName)
    ' Test the read-only bit and clear only that bit, leaving the other attributes intact
    If (fl.Attributes And ReadOnly) Then
        fl.Attributes = fl.Attributes - ReadOnly
    End If
End If

Hope this code snippet helps someone else!

A problem has been encountered in the Microsoft Exchange Messaging and Collaboration Services

When decommissioning an Exchange 2003 server when upgrading to Exchange 2010, the Exchange 2003 server failed to uninstall successfully and presented me with the following error message:

A problem has been encountered in the Microsoft Exchange Messaging and Collaboration Services setup component.  Canceling setup.


After the error message the Exchange 2003 server appeared to continue decommissioning, and after it rebooted Exchange 2003 was no longer listed in Add/Remove Programs.  However, running Get-ExchangeServer on the Exchange 2010 server still returned the Exchange 2003 server, meaning its server object still existed within Active Directory.

To finish the uninstall manually I deleted the Exchange Server Object in Active Directory with ADSIEdit following the instructions documented under Microsoft KB833396:

http://support.microsoft.com/kb/833396

 
This ensured that Exchange 2003 was successfully decommissioned.

Monday, October 29, 2012

OABGen encountered error 80004005 while cleaning the offline address list

Today I had an issue with Exchange 2010 Offline Address Book Generation (OABGen) at a customer.  The customer was complaining that their address book had not updated for quite some time.

When manually running OABGen against all address books on the Exchange server with the Get-OfflineAddressBook | Update-OfflineAddressBook command, the following error appeared in the event log.

Log Name:      Application
Source:        MSExchangeSA
Date:          30/10/2012 11:14:55 AM
Event ID:      9335
Task Category: (13)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Description:
OABGen encountered error 80004005 while cleaning the offline address list public folders under /o=Organization/cn=addrlists/cn=oabs/cn=Default Offline Address List.  Please make sure the public folder database is mounted and replicas exist of the offline address list folders.  No offline address lists have been generated.  Please check the event log for more information.
- \Default Offline Address List

 
In this environment there is an Exchange 2003 server and an Exchange 2010 server, and OAB generation had been moved across to Exchange 2010.  However, the Exchange 2010 public folder database did not hold a replica of the Offline Address Book public folders.  Adding the Exchange 2010 public folder database as a replica of the Offline Address Book public folders resolved the issue.

Running another Update-OfflineAddressBook I was able to verify the date stamp under C:\Program Files\Microsoft\Exchange Server\ExchangeOAB was updated.

Please note that after OAB generation succeeds, clients cannot download the latest address book until the File Distribution Service has copied the OAB from the generation server to the Client Access Servers for distribution.  By default this runs every 8 hours, but it can be forced by running:

Update-FileDistributionService servername

If you do not understand the OAB Distribution process I highly recommend reading the following article, as this knowledge is required for troubleshooting the OAB Distribution process.  This process is used by both Exchange 2007 and Exchange 2010:

http://clintboessen.blogspot.com.au/2009/05/how-oab-distribution-works.html

Thursday, October 25, 2012

Error: WMI exception occurred on server - Quota violation

Tonight I stumbled across a limitation in Exchange 2010 when moving a vast number of transaction logs to a new volume on an Exchange 2010 SP2 server.  This server had over 100,000 logs which needed to be moved to an alternative location; when utilising the Move-DatabasePath command with the -LogFolderPath switch, the command would hang for approximately 10 minutes and then fail with the following error.

Failed to connect to target server "ExchangeServer". Error: WMI exception occurred on server 'ExchangeServer.domain.local': Quota violation
    + CategoryInfo          : InvalidOperation: (Mailbox Database 0529333988:DatabaseIdParameter) [Move-DatabasePath],
    InvalidOperationException
    + FullyQualifiedErrorId : 7897D20B,Microsoft.Exchange.Management.SystemConfigurationTasks.MoveDatabasePath



After doing some research I discovered that this only occurs when attempting to move a ridiculously large quantity of log files.

To resolve this problem you must purge the transaction logs before performing the operation.  This can be done in 3 ways:
  • Perform a Full Backup of the Server which in effect will purge the logs.  This can be performed by using Windows Server Backup or another product.
  • Enable Circular Logging, dismount/remount the database, then Re-enable Circular Logging.
  • Manually delete the log files using windows explorer (SHIFT + DELETE).  Do not perform this procedure without checking first that all log files have been played into the database, doing so could result in loss of data.  Please see the following post for manually flushing transaction logs http://clintboessen.blogspot.com.au/2010/09/flush-transaction-logs-in-exchange.html
After the transaction logs have been flushed, this error will no longer occur.

Tuesday, October 23, 2012

Force Active Directory replication on a domain controller

In order to force Active Directory replication, issue the command 'repadmin /syncall /AeD' on the domain controller.  Run this command on the domain controller whose Active Directory database you wish to update.  For example, if DC2 is out of sync, run the command on DC2.

A = All Partitions
e = Enterprise (Cross Site)
D = Identify servers by distinguished name in messages.

By default this does a pull replication, which is how AD replicates by default.  If you want to do a push replication, use the following command:

repadmin /syncall /APeD

P = Push

You want to do a push replication if you make changes on a DC and you want to replicate those changes to all other DCs.  For example, if you make a change on DC1 and you want all other DCs to get that change instantly, run repadmin /syncall /APeD on DC1.

For all repadmin syntax please see:

http://technet.microsoft.com/en-us/library/cc736571(v=ws.10).aspx

Monday, October 22, 2012

What is the difference between IsExcludedFromProvisioning and IsSuspendedFromProvisioning

New in Exchange 2010 and carried into Exchange 2013 is a feature called Automatic Mailbox Provisioning.  This feature automatically load balances the creation of new mailboxes across all available databases whenever a new mailbox is created.  It's no longer mandatory to specify which database a mailbox should reside on, as Exchange uses a mailbox provisioning agent to decide for you which mailbox database the new mailbox will be created on.

It is recommended that all large Exchange deployments utilise the Automatic Mailbox Provisioning system to randomly distribute mailboxes between mailbox databases.  If you place users in particular mailbox databases based on criteria such as department, then when issues occur with a specific mailbox database and it will not mount, an entire department within the company will be out of production for a period of time.  If mailboxes are randomly distributed between multiple databases, a database going offline will still affect the company, however the impact will be less severe as all departments within your company will still be partially operational.

As we have identified, the Automatic Mailbox Provisioning system distributes mailboxes randomly amongst databases, but what if we want to exclude a mailbox database from having additional mailboxes provisioned, such as a mailbox database which is dedicated to holding archive mailboxes?

Microsoft has included two attributes which can be configured against a Mailbox Database for this purpose called "IsExcludedFromProvisioning" and "IsSuspendedFromProvisioning".


What is the difference between these values?

Exchange 2010 help explains these attributes as:

-IsExcludedFromProvisioning <$true | $false>

The IsExcludedFromProvisioning parameter specifies that this database is permanently not considered by the mailbox provisioning load balancer. If the IsExcludedFromProvisioning parameter is enabled, new mailboxes aren't added automatically to this database. You can manually add a mailbox if your role permits.

-IsSuspendedFromProvisioning <$true | $false>

The IsSuspendedFromProvisioning parameter specifies that this database is temporarily not considered by the mailbox provisioning load balancer.

What does it mean by temporarily not considered?

I forwarded this question on to members of the Exchange product team, and the response I received was that they both do the same thing.

The reason they are two attributes is for environments which have multiple admins as a mechanism to indicate which provisioning suspensions are permanent, and which are temporary so that other admins know if they are allowed to un-suspend a mailbox database from provisioning.  Thus, in a multi-admin environment, if one admin configures either setting, the intent should be clear to the other admins (and therefore, they won’t remove a permanent suspension as a result of knowing that intent).

What would have been nicer is an IsExcludedFromProvisioningReason attribute where administrators can place a short string value to explain why the database has been excluded from provisioning.

Tuesday, October 16, 2012

How to move a Calendar from one mailbox to another.

I have just migrated a company running Exchange 2003 to Exchange 2010.  Exchange 2003 does not utilise resource mailboxes and as a result, my customer has created a bunch of ordinary mailboxes to represent meeting rooms.  As of Exchange 2007 Microsoft introduced resource mailboxes to represent meeting rooms and equipment.

My customer now needs to either create new resource mailboxes to represent the meeting rooms or convert the existing shared mailboxes into room mailboxes.

How to migrate calendar data from one mailbox to another mailbox

In the event my customer chose to create new mailboxes to represent his meeting rooms, it is possible to migrate just the calendar information from the existing shared mailboxes to the room mailboxes by using the following PowerShell commands:

Export the calendar data from one mailbox:

New-MailboxExportRequest -Mailbox "Ex2003SharedMailbox" -IncludeFolders "#Calendar#" -FilePath \\servername\c$\Ex2003SharedMailbox.pst

Import the calendar data into the new mailbox:

New-MailboxImportRequest -Mailbox "NewRoomMailbox" -IncludeFolders "#Calendar#" -FilePath \\servername\c$\Ex2003SharedMailbox.pst

How to migrate the shared mailboxes into room mailboxes

In the event my customer wants to convert the existing shared mailboxes into room mailboxes this can be done with the following command:

Set-Mailbox MailboxName -Type Room

PPTP VPN and Belkin F5D8635

There is an issue with PPTP VPN connections and the Belkin F5D8635 router.  By default the Belkin F5D8635 router does not allow the GRE protocol which is essential for creating PPTP VPN connections between VPN clients and VPN servers.  When attempting to create a PPTP VPN connection from Windows to a host VPN server the following error is experienced complaining that GRE is not available:

Error 806: The VPN connection between your computer and the VPN server could not be completed.  The most common cause for this failure is at least one Internet device (for example, a firewall or router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets.  If the problem persists, contact your network administrator or Internet Service Provider.


Belkin has resolved this issue in the latest version of their firmware which is version 1.00.23.

Login to your Belkin router web interface and click Firmware Update under Utilities.  Under Firmware Version if it says anything below 1.00.23 you will be unable to create a PPTP VPN connection through the router.


Download the latest version of the Belkin firmware from the following location:

http://www.belkin.com/uk/support/article/?lid=enu&pid=f5d8635uk4a&aid=14489&scid=0&fid=4779&fn=f5d8635v1_ww_1.00.23.bin

For a full list of fixes under Firmware version 1.00.23 please see:

http://www.belkin.com/uk/support/article/?lid=enu&pid=f5d8635uk4a&aid=14489&scid=0

Monday, October 15, 2012

Apple iPhone iOS6 and Exchange Autodiscover

You may be wondering why iOS6 on the Apple iPhone does not Autodiscover anymore?  It doesn't work!  We have done extensive testing with multiple mobile devices on Exchange Server 2010 SP2 UR4:

iPhone (4 or 4S) running iOS5 works great
iPhone (4, 4S or 5) running iOS6 does not work.

This article was posted 16/10/2012.  Apple might release an update for iOS6 in the near future which resolves this issue and makes this article redundant.

Sunday, October 14, 2012

Problem Moving Mailboxes

When migrating mailboxes to a new Exchange 2010 server from an old Exchange 2003 environment, some mailboxes failed to move and generated the following PowerShell exception:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:01


FinancialCounselling StNicholas
Failed

Error:
Active Directory operation failed on domaincontroller.domain.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


The user has insufficient access rights.
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.2.318.0&t=exchgf1&e=ms.exch.err.Ex6AE46B
Exchange Management Shell command attempted:
'domainname/Staff/accountname' | New-MoveRequest -TargetDatabase 'MailboxDatabase4'

Elapsed Time: 00:00:01

This issue is caused when incorrect permissions are set on the Active Directory user account.  To resolve this problem for a user perform the following procedure:

Open up Active Directory Users and Computers and enable Advanced Features.


Open up properties of the user account experiencing problems and select the security tab and click the Advanced button.

 
Select "Include inheritable permissions from this object's parent" and click OK.


This should resolve the problem.

Active Sync Issues on Exchange 2010

I migrated 600 mailboxes to a new Exchange server from 2003 to 2010.  The next morning when users got to work some users were complaining that their email was not working on their mobile phone.  When creating a new test account, Active Sync works fine so the issue is narrowed down to either a problem with the user account migrated from Exchange 2003 or a problem with the mailbox.  The error I experienced when running the Exchange Remote Connectivity Analyzer (ExRCA) against a problematic user was as follows:

An ActiveSync session is being attempted with the server.

Errors were encountered while testing the Exchange ActiveSync session.

Test Steps

Attempting to send the OPTIONS command to the server.

The OPTIONS response was successfully received and is valid.

Additional Details
Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.2
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Public: OPTIONS,POST
Content-Length: 0
Cache-Control: private
Date: Mon, 15 Oct 2012 02:38:58 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET


Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.


Additional Details
Exchange ActiveSync returned an HTTP 500 response.

 
After investigating the issue further it turned out that the issue was to do with incorrect security settings on the Active Directory user account.  To resolve the problem I performed the following steps:

Open up Active Directory Users and Computers and locate one of your users that is not working, double-click into the account and click on the Security tab (if this is not visible, click on View --> Advanced Features from the menu at the top of the screen, then navigate back to your user).

Once on the Security tab, click on the Advanced button and make sure that 'Include Inheritable Permissions From This Object's Parent' is ticked.  Click OK twice to close the user account.


In the user account properties click the advanced button.


In the advanced security window select "Include inheritable permissions from this object"


This will fix the problem for the account in question.

A Note for Administrator Accounts

If your account has administrative privileges in Active Directory you may find that, after re-enabling inherited permissions, your account stops working again an hour later.  This happens because Active Directory uses the AdminSDHolder object to define the permissions the default protected security groups receive.  Whilst you can change the inherited permissions, a process called SDPROP runs, by default every 60 minutes, on the domain controller that holds the PDCe role.  It checks the ACL of the protected groups and of the users within those groups and resets their permissions (including disabling inheritance) to what is defined on the AdminSDHolder object.

Microsoft's recommendation and best practice is that if you are a domain administrator you have 2 accounts: one for everyday use, which is restricted in the same way as every other user, and a second for your administration role.

The built-in groups that are affected with Windows 2008 are:
  • Account Operators
  • Administrators
  • Backup Operators
  • Domain Admins
  • Domain Controllers
  • Enterprise Admins
  • Print Operators
  • Read-only Domain Controllers
  • Replicator
  • Schema Admins
  • Server Operators

The built-in users that are affected with Windows 2008 are:
  • Administrator
  • Krbtgt
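Both this post and the mailbox move failure above come down to user objects whose ACL has "Include inheritable permissions from this object's parent" unticked.  The following PowerShell report, an added example that is not part of the original post, lists every user in a search base with inheritance blocked and marks whether SDPROP will re-block it, so you can tell the migrated accounts that the fix above will permanently resolve from the admin accounts that need a separate everyday account instead.  It assumes the ActiveDirectory module from RSAT is available and relies on adminCount=1 being the stamp SDPROP leaves on protected accounts.

```powershell
# Added example, not from the original post: report users whose ACL has
# inheritance disabled and whether AdminSDHolder/SDPROP protects them.
# Assumes the ActiveDirectory module (RSAT) and a Windows Server 2008 R2+ domain.
[CmdletBinding()]
param(
    # Example search base; defaults to the whole domain when not supplied.
    [string]$SearchBase
)

Import-Module ActiveDirectory

if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# nTSecurityDescriptor is returned as an ActiveDirectorySecurity object; adminCount=1
# is the stamp SDPROP sets on members of the protected groups listed above.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount, nTSecurityDescriptor

$report = foreach ($u in $users) {
    # AreAccessRulesProtected is $true when "Include inheritable permissions from
    # this object's parent" is unticked on the user's Security tab.
    if ($u.nTSecurityDescriptor.AreAccessRulesProtected) {
        New-Object PSObject -Property @{
            SamAccountName     = $u.SamAccountName
            DistinguishedName  = $u.DistinguishedName
            InheritanceBlocked = $true
            ProtectedBySdProp  = ($u.adminCount -eq 1)
        }
    }
}

# ProtectedBySdProp = $false: re-ticking inheritance (the fix in this post) sticks.
# ProtectedBySdProp = $true: SDPROP will reset it within 60 minutes; give that
# person a separate non-admin account for mail instead of fighting SDPROP.
$report | Sort-Object ProtectedBySdProp, SamAccountName |
    Format-Table SamAccountName, InheritanceBlocked, ProtectedBySdProp, DistinguishedName -AutoSize
```

Run it as `.\Get-BlockedInheritance.ps1 -SearchBase 'OU=Staff,DC=domain,DC=local'` (the OU is a placeholder) from a machine with RSAT; it only reads the directory, so it is safe to run before deciding which accounts to touch.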

Wednesday, October 10, 2012

Unable to open PST file filepath. Error details: Access to the path filepath is denied.

When attempting to import a PST file from an administrative workstation running Exchange Management Shell you may experience the following error:

Unable to open PST file "filepath". Error details: Access to the path "filepath" is denied.


When examining the PST file you notice that your account does indeed have permissions to access the PST file on your local computer.  Why is this error occurring?

This is because the Mailbox Replication Server (MRS) runs as LocalSystem and so cannot access a network share with your credentials.  By adding the Exchange Trusted Subsystem group to the share permissions you give the LocalSystem account, and therefore MRS, access to the share.

To ensure this works for all PST files on a machine in any share, you can simply add "Exchange Trusted Subsystem" to the local Administrators group.

Exchange PST Capture Tool: Import error: Error opening mailbox

Today a customer consulted me to import 600 mailboxes into Microsoft Exchange from PST files scattered across the network.  However, when performing the import into Exchange the following error was experienced:

Import error: Error opening mailbox


Now this error usually occurs when the user does not have Mailbox Import Export permissions.  This can be assigned to a user using the following PowerShell command:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "PSTImportUser"

However, in my case this was not the problem.  I found out the hard way that you must have a 64-bit version of Outlook installed on the PST Importer server.  My version of Outlook was 32-bit, hence causing the error.

Sunday, October 7, 2012

A Quick Look at WinSAT

WinSAT.exe is a fantastic free tool made by Microsoft for checking the performance of a server from the command line.  WinSAT allows you to quickly look at the performance of your disk, CPU or memory, plus much more.

For example to look at your disk performance simply type from command prompt:

"winsat disk"

The "winsat disk" command provided the following output:

 
You can also look at memory performance by typing "winsat mem" or CPU performance by typing "winsat cpu".
 
winsat comes by default with all Windows 7 and Windows Vista operating systems; however, it does not come on Windows Server 2008 or Windows Server 2008 R2.  You can still run this application on Windows Server by simply copying the WinSAT files from a client to the System32 directory on the server.

The Winsat program is made up of the following two files:
  • WinSAT.exe
  • WinSATAPI.dll
 
Simply copy these files from a Windows Vista or Windows 7 client to the server's System32 directory.  Note that if it is an x64 server, you need to copy the files from an x64 version of Windows 7 or Windows Vista.  If the server is 32-bit, you need to copy these files from a 32-bit version of Windows 7 or Windows Vista.

What about testing network performance, Clint?

If you need to test network performance, I recommend looking at a tool called IPERF.  Please see my following article:

http://clintboessen.blogspot.com.au/2010/01/how-to-test-bandiwidth-between-two.html

Note: If you are having problems running winsat it is most likely due to User Account Control.  Make sure you open a command prompt as administrator to bypass UAC by right clicking on cmd.exe and selecting "Run As Administrator".

Monday, October 1, 2012

Windows Server 2012 Deduplication

Tonight I am playing with the new Windows Server 2012 RTM which I have downloaded and installed in a virtual environment.  One of the new features which I like in Windows Server 2012 is the File Storage deduplication option.  No longer do customers need to purchase expensive 3rd party deduplication software; Microsoft allows customers to perform deduplication of their data for free with the purchase of a Windows Server 2012 license.

Below is a screenshot of where you enable the deduplication feature in the new Windows Server 2012 server manager console.

Introducing Exchange Online Protection (EOP)

If you have yet to hear, Microsoft has retired their entire Forefront product suite.  For products which will continue such as Forefront Identity Manager, these products have been moved to the System Center product suite.

As part of this move to remove the Forefront product family, Forefront Protection for Exchange (FPE) and Forefront Online Protection for Exchange (FOPE) are also being removed.

Forefront Online Protection for Exchange (FOPE) is being replaced with a new product called Exchange Online Protection (EOP).  When I say new, it is actually the next release of FOPE.  Exchange Online Protection is an online Microsoft cloud service for filtering email.  It can be implemented both for cloud-based Exchange customers such as Office 365 and for on-premises implementations of Exchange.

In terms of Forefront Protection for Exchange (FPE), a product which is installed on a Windows server in the customer's environment, there is no replacement I'm currently aware of.  Apart from the integrated spam filtering functionality which comes as part of Microsoft Exchange, Microsoft do not offer an on-premises product which customers can install for filtering email spam.  Customers will be encouraged moving forward to adopt Microsoft's online cloud services for filtering spam, which can be found under EOP.

Exchange Online Protection offers customers the following functionality:

  • URL lists for spam filtering that block messages containing specific URLs within their message body. EOP includes additional lists beyond those available in FOPE.
  • The ability to skip spam filtering for trusted senders, based on subscription lists
  • The ability to filter messages written in specific languages, or sent from specific countries or regions
  • Malware filtering that can delete and strip unsafe attachments
  • The capacity to mark bulk email (such as advertisements) as spam through the user interface
  • The capability to search for, view, or release quarantined email messages in the EAC
  • Transport rules which you can use to control mail flow, based on a message’s content
  • Message tracing capability, which allows you to search for and view details about a specific message
  • Inbound connectors and outbound connectors you can use to enforce secure communication between you and a partner, or to make hybrid mail flow (where you host a portion of your mailboxes on-premises and a portion in the cloud) possible
  • New reports, which you can use to monitor your organization's mail flow, available in the Office 365 portal, by using a Microsoft Excel download application, or by using a Web service.

Previously FOPE had a separate user interface to Office 365 for users to manage spam settings.  Microsoft has now consolidated this under the new Exchange Administration Center (EAC).  For Exchange Online (Office 365) customers, EOP has now been integrated directly into the EAC console; however, for on-premises customers, users will still need to go to another web address to access the online EAC for configuring Exchange Online Protection.

Below is a screenshot of the configuration interface for Exchange Online Protection (EOP):