Monday, April 30, 2012

Where are Accepted Domains stored in Active Directory?

Today we needed OpenLDAP to query a list of all Accepted Domains in Active Directory so that Postfix understands which SMTP namespaces Exchange is authoritative for.  After digging through the Active Directory configuration partition we found that Accepted Domains are stored under the following location:

CN=Accepted Domains,CN=Transport Settings,CN=TSTHOSTING,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
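The following PowerShell is an added example (not from the original post) that enumerates the same objects without hardcoding the organisation name, by reading the configuration naming context from RootDSE and searching for msExchAcceptedDomain objects. It assumes the account running it can read the configuration partition (authenticated users can by default); the output path is a constructed placeholder.

```powershell
# Added example: list Exchange Accepted Domains straight from the AD configuration
# partition, so a non-Exchange host (such as the Postfix/OpenLDAP box) can build
# its relay_domains list from the same source of truth Exchange uses.
Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=domain,DC=local

# Search the whole configuration partition rather than hardcoding CN=<OrgName>
# (CN=TSTHOSTING in the post); there is one msExchAcceptedDomain object per domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = "(objectClass=msExchAcceptedDomain)"
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.Add("msExchAcceptedDomainName")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

$domains = foreach ($r in $searcher.FindAll()) {
    # SearchResult property names are returned in lower case
    [pscustomobject]@{
        Domain = [string]$r.Properties["msexchaccepteddomainname"][0]
        DN     = [string]$r.Properties["distinguishedname"][0]
    }
}

$domains | Sort-Object Domain | Format-Table -AutoSize

# One domain per line, the shape a plain Postfix relay_domains table expects.
# Assumed/constructed output path:
$domains.Domain | Sort-Object | Set-Content -Path "$env:TEMP\accepted_domains.txt"
```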

Sunday, April 29, 2012

Exchange POP Your e-mail Server Rejected Your User Name

By default Microsoft Exchange 2010 requires you to use TLS encryption ("Secure POP") for authentication to work.  If your organisation does not require Secure POP then by default your users will not be able to log in.  They will receive the following error when attempting to access POP3 services through Outlook.

Log onto incoming mail server (POP3): Your e-mail server rejected your user name.  Verify your user name for this account in Account Settings.  The server responded: -ERR Command is not valid in this state.


To allow POP3 clients to authenticate without TLS you must change the authentication level (LoginType) as per:


The default setting is "SecureLogin".  Below are the various settings:

This example allows Basic authentication on an unsecured port if you won't be using TLS encryption.

Set-PopSettings -LoginType PlainTextLogin
This example restricts Basic authentication to use only secured ports if you won't be using TLS encryption.

Set-PopSettings -LoginType PlainTextAuthentication
This example allows authentication after you use TLS encryption.

Set-PopSettings -LoginType SecureLogin

If you configure PlainTextLogin, users can send their Active Directory password over the internet unencrypted.

If you plan on not using TLS, I always recommend PlainTextAuthentication, which allows users to authenticate over the internet without TLS.  This however requires your users to configure "Require logon using Secure Password Authentication (SPA)" in Outlook.



After you change your POP settings your users will be able to authenticate over TCP port 110.



Important: If you have a user account that is an Administrator in your Exchange environment, it will NOT be able to log in.  This is a security measure: POP3 authentication is not deemed secure by Microsoft, so administrative users are prevented from authenticating over the internet using POP to avoid administrative credentials leaking.

Important: You must restart the POP3 service for configuration changes to take effect.

Friday, April 27, 2012

Windows 7 Slow Access to Network Shares

One of my clients recently deployed Windows 7 across their network and is experiencing performance issues when accessing network resources involving MS-RPC calls, such as network shares over the SMB protocol.  Windows Vista/2008/7 has a new TCP network stack compared to Windows XP/2003 and has a number of new technologies designed to increase network performance.

Windows XP/2003 clients do not experience the performance problems.

Issue

When a Windows 7 PC attempts to access file shares on any Windows XP/2003 server, browsing performance of mapped network shares is appalling.  It feels similar to accessing the file server over a VPN connection with poor bandwidth and high latency, however in this scenario we are accessing the file server over the LAN.  We tested a Windows 7 client on the same /24 subnet as a number of Windows 2003 file servers on a 1Gbps network.  Slow access to network shares also occurred over the same subnet.

What I did notice however was that the slow performance did not occur when a Windows Vista/2008/7 computer accessed file shares on another Windows Vista/2008/7 computer.  The issue only occurred when Windows Vista/2008/7 accessed Windows XP/2003.

This issue is not driver related; I made sure to test workstations with different network adapters and drivers, including Intel and Broadcom.

Workaround

After researching this issue we identified two Windows components contributing to the performance issues.
  • TCP Auto-Tuning
  • Remote Differential Compression
Do not disable these components unless you understand what they are and their purpose.

TCP Auto-Tuning

As mentioned above, a new TCP stack was introduced in Windows Vista that aims to take full advantage of hardware advances such as gigabit networking. Among the new features in the new TCP stack is Receive Window Auto-Tuning for TCP connections. TCP auto-tuning enables TCP window scaling by default and automatically tunes the TCP receive window size for each individual connection based on the bandwidth delay product (BDP) and the rate at which the application reads data from the connection, so there is no longer any need to manually change the TcpWindowSize registry value, which applies to all connections. In theory, with TCP auto-tuning, network throughput in Windows Vista should be improved for best performance and efficiency without any registry tweaks. However, this is not always the case, and it can cause performance issues such as the one in our case.

The default auto-tuning level is "normal", and the possible values for autotuninglevel are:
  • disabled: uses a fixed value for the TCP receive window, limited to 64KB (65535 bytes).
  • highlyrestricted: allows the receive window to grow beyond its default value, but very conservatively.
  • restricted: somewhat restricted growth of the TCP receive window beyond its default value.
  • normal: default value, allows the receive window to grow to accommodate most conditions.
  • experimental: allows the receive window to grow to accommodate extreme scenarios (not recommended; it can degrade performance in common scenarios and is only intended for research purposes. It enables RWIN values of over 16 MB).
In my environment changing this from the default value of normal to restricted resolved my performance issues.

netsh int tcp set global autotuninglevel=restricted

Remote Differential Compression

Remote Differential Compression (RDC) is a client–server synchronization algorithm that allows the contents of two files to be synchronized by communicating only the differences between them. It was introduced with Windows Server 2003 R2 and is included with later Windows client and server operating systems.  As of Vista onwards Remote Differential Compression is enabled by default.

Microsoft does not recommend ever disabling Remote Differential Compression (RDC) unless there is an absolute need to.  Diane from Microsoft wrote a blog post entitled "Debunking Myths about Remote Differential Compression and System Performance" where she states:

A number of third-party blogs are telling people they can speed up Windows Update downloads, and file copy operations, by turning off the Remote Differential Compression (RDC) feature on Windows Vista. This is 100% false. Neither Windows Update or file copy operations use RDC at all.

The RDC feature is simply a DLL that does not consume any system resources, except when you run an application that uses RDC specifically. If you disable RDC, any application that uses it will either not be able to take advantage of RDC or will simply fail. For more information on RDC see this link http://msdn.microsoft.com/en-us/library/aa373254(VS.85).aspx.

As a result I do not recommend disabling RDC unless you have an absolute need to.  In my environment I tested my Windows 7 PCs with RDC turned on and RDC turned off.  When turned on I noticed my performance to Windows 2003/XP file shares diminished.  Please disable with care.

You can disable RDC through Windows Features in control panel:


You can also disable RDC through command line using the following command:


ocsetup MSRDC-Infrastructure /uninstall


Deploying the Workaround

I wrote a batch script to deploy this workaround to all Windows 7 computers on my network.  The batch script first checks whether the computer is running Windows 7 and, if so, sets TCP auto-tuning to restricted and disables Remote Differential Compression.

Here is a copy of my script:

@echo off
REM Detect the OS from the "OS Name" line of systeminfo
systeminfo | find "OS Name" > %TEMP%\osname.txt
set /p vers=<%TEMP%\osname.txt

echo %vers% | find "Windows 7" > nul
if %ERRORLEVEL% == 0 goto ver_7

goto warnthenexit

:ver_7
REM Remove Remote Differential Compression and restrict TCP receive window auto-tuning
ocsetup MSRDC-Infrastructure /uninstall
netsh interface tcp set global autotuninglevel=restricted
goto exit

:warnthenexit
echo Machine undetermined.

:exit


Deploy this script to your workstations through a Group Policy Startup Script.

Note: Due to the Windows 7 performance issues I also needed to configure "Always wait for the network at computer startup and logon" under "Computer -- Administrative Templates -- System -- Logon".

Sunday, April 22, 2012

Why isn't my Outlook spam filter working?

The Outlook Spam filter or "Junk E-mail Filter DLL" works only against messages in the local store, i.e. the offline OST file.  For Outlook to filter emails on a workstation using the Outlook Anti-Spam engine you must have "Cached Exchange Mode" enabled.

You configure this on the user's Outlook profile.

Sunday, April 15, 2012

DAG Node lost access to File Witness Share

Today on my own company's network (4Logic IT Solutions) we had an issue when trying to activate a database copy inside a database availability group (DAG) cluster.

When attempting to move the active mailbox database to another node using the Exchange Management Console (EMC) or Exchange Management Shell (EMS) the following error was experienced.

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
Cannot activate database copy 'Activate Database Copy...'.

Activate Database Copy...
Failed
Error:
An Active Manager operation failed. Error The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Server 'QV1-EXC1.4logic.lan' is not up according to the Windows Failover Cluster service.. [Database: QV1-EXC1-Database-01, Server: OP-SRV1.4logic.lan]

An Active Manager operation failed. Error An error occurred while trying to validate the specified database copy for possible activation. Error: Server 'QV1-EXC1.4logic.lan' is not up according to the Windows Failover Cluster service.




The error stated that Windows cluster services reported the node as being down. So I fired up Failover Cluster Management MMC snapin to investigate further. The following errors were being generated:

File share witness resource 'File Share Witness (\\qv1-utl1.4logic.lan\DAG01.4logic.lan)' failed to arbitrate for the file share '\\qv1-utl1.4logic.lan\DAG01.4logic.lan'. Please ensure that file share '\\qv1-utl1.4logic.lan\DAG01.4logic.lan' exists and is accessible by the cluster.



Node 'QV1-EXC1' failed to form a cluster. This was because the witness was not accessible. Please ensure that the witness resource is online and available.



I went over to my server hosting the File Witness Share QV1-UTL1.4logic.lan. DAG01$ was the only trusted object added to the Share permissions. I added Exchange Trusted Subsystem and my Administrator account (for testing purposes) to the Share Permissions.



I then restarted the Cluster Services service on QV1-EXC1. After the permission change the cluster service came online again.

Unable to update Mailbox SD in the DS. Mailbox Guid: 33fcbcfe-5c36-4204-91f1-6108fc5b86f6. Error Code 0x8004010f

I had a client who was receiving Application Error 9554 from MSExchangeIS.

Unable to update Mailbox SD in the DS. Mailbox Guid: 33fcbcfe-5c36-4204-91f1-6108fc5b86f6. Error Code 0x8004010f



The first thing I did was attempt to search for the user in Active Directory by converting the GUID to a searchable (escaped binary) format as per KB322308. I was unable to find a user account matching the mailbox GUID.



Using the ADFind utility created by MVP Joe Richards also did not find any results.

adfind -gc -b "" -binenc -f "msExchMailboxGUID={{GUID:33fcbcfe-5c36-4204-91f1-6108fc5b86f6}}" -dn

After further investigation I found that the GUID on the Exchange mailbox did not match the msExchMailboxGUID on the AD user account. I determined this by running the following PowerShell command:

Get-MailboxStatistics -Server troy-exch-2010 | fl mailboxguid,displayname > output.txt

MailboxGuid : 33fcbcfe-5c36-4204-91f1-6108fc5b86f6
DisplayName : User Name

The user account in AD had a different GUID not matching the GUID of our Exchange mailbox.
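The following PowerShell is an added example (not from the original post) that automates the two manual steps above: it converts a mailbox GUID into the escaped-octet form an LDAP filter needs for the binary msExchMailboxGUID attribute (the KB322308 conversion), and it lists every mailbox on a server whose store MailboxGuid has no matching ExchangeGuid on any AD mailbox user. It assumes the Exchange Management Shell is loaded and that the account can run Get-Mailbox and Get-MailboxStatistics; the server name is a placeholder.

```powershell
# Added example: find mailbox GUID / AD GUID mismatches of the kind behind event 9554.

function ConvertTo-LdapGuidFilter {
    param([Parameter(Mandatory)][guid]$Guid)
    # Guid.ToByteArray() yields the byte order AD stores on disk, so each byte
    # only needs to become "\xx" to be usable in an LDAP filter.
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    return "(msExchMailboxGUID=$escaped)"
}

function Find-OrphanedMailboxGuid {
    param([Parameter(Mandatory)][string]$Server)
    # ExchangeGuid on Get-Mailbox is the AD-side copy (msExchMailboxGUID).
    $known = @{}
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $known[$_.ExchangeGuid.ToString()] = $_
    }

    # MailboxGuid on Get-MailboxStatistics is what the store itself holds.
    Get-MailboxStatistics -Server $Server | ForEach-Object {
        $g = $_.MailboxGuid.ToString()
        if (-not $known.ContainsKey($g)) {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                MailboxGuid    = $g
                Database       = $_.Database
                # Disconnected (deleted) mailboxes show up here too; a populated
                # DisconnectDate distinguishes them from a genuine mismatch.
                DisconnectDate = $_.DisconnectDate
                LdapFilter     = ConvertTo-LdapGuidFilter -Guid $g
            }
        }
    }
}

# The GUID from the post becomes a filter you can paste into ldp or ADSIEdit.
ConvertTo-LdapGuidFilter -Guid '33fcbcfe-5c36-4204-91f1-6108fc5b86f6'

# Placeholder server name; replace with your mailbox server.
Find-OrphanedMailboxGuid -Server 'EXCH-SERVER-PLACEHOLDER' | Format-Table -AutoSize
```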



In this instance the user no longer worked at the company so we simply deleted both the user account and the Exchange mailbox.

Tuesday, April 10, 2012

How to Configure SSL Offloading in Exchange 2010

The following article explains in detail how to configure SSL Offloading in Exchange 2010 RTM, SP1 and SP2. If you require SSL Offloading for any reason on an Exchange deployment, please refer to the following article:

http://social.technet.microsoft.com/wiki/contents/articles/1267.how-to-configure-ssl-offloading-in-exchange-2010-en-us.aspx

Thursday, April 5, 2012

The HTTP authentication test failed - Connection was closed unexpectedly.

Today I had a problem with Outlook Anywhere at a customer site: everything was configured correctly, however Outlook Anywhere still would not work! The server was Exchange 2007 SP2 running on Windows Server 2003 R2 Standard Edition x64.

When using the Exchange Remote Connectivity Analyzer the following error was experienced.

Testing HTTP Authentication Methods for URL https://webmail.example.com/rpc/rpcproxy.dll.
The HTTP authentication test failed.
Additional Details
Exception details:
Message: The underlying connection was closed: The connection was closed unexpectedly.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Extensions.RcaHttpRequest.GetResponse()


The following steps resolved the issue:

1. Disable Outlook Anywhere via EMC

2. Remove RPC proxy component via PowerShell, Server Manager or Add and Remove Programs (Windows Components) depending on your version of windows. You can also use this command: servermanagercmd -r rpc-over-http-proxy

3. Reboot the server

4. Install RPC proxy component via PowerShell

5. Command: servermanagercmd -i rpc-over-http-proxy

6. Enable outlook anywhere

7. Restart Microsoft active directory Topology service


This should resolve your problem; it did for me.

Autodiscover settings for Outlook Anywhere are being validated

If you run the Exchange 2010 Remote Connectivity Analyzer (ExRCA) and you get the following message it means the Server attribute is set on the EXPR provider incorrectly.

Autodiscover settings for Outlook Anywhere are being validated.
ExRCA wasn't able to validate Outlook Anywhere Autodiscover settings.
The AuthPackage wasn't specified in the EXPR section of the Autodiscover response.




Simply remove the Server attribute by setting it to $null.

Set-OutlookProvider EXPR -Server $null



This will resolve your problem.

IISReset losing settings in IIS6

Many people do not realise that the IISReset command can cause some settings to be lost.

The IISReset command line tool waits for a normal shutdown of the services before it starts them again. Because of the number of services that are dependent on the IISAdmin service, the shutdown may not occur in a timely manner. When this happens, IISReset forces the shutdown of the services. This can result in metabase changes that are not saved properly.

Today at a customer site when I ran the Remote Connectivity Analyzer (ExRCA) against an Exchange 2007 server it complained about Anonymous authentication being enabled.

The Initial Anonymous HTTPS request didn't fail, but Anonymous isn't a supported authentication method for this scenario.



To fix this we simply need to disable anonymous authentication on the RPC web application in IIS.



After disabling anonymous authentication and running the IISRESET command, it simply re-enables anonymous authentication.

To commit changes while still restarting IIS6 run the following commands:

net stop iisadmin /y
net start iisadmin /y


If you check now, the changes have been permanently committed to the IIS6 metabase.

For more information about this problem please see the following knowledge base article:

http://support.microsoft.com/kb/286196

Tuesday, April 3, 2012

Error installing Hub Transport Server "Failed to read directory object with distinguished"

Today I had an issue installing Exchange 2010 with SP1 in a new Active Directory forest. The installation was failing during installation of the Hub Transport role. The following error was experienced:

Hub Transport Role
Failed

Error:
The following error was generated when "$error.Clear(); Add-DelegatedGroupsToLocalAdminGroup -DomainController $RoleDomainController" was run: "Failed to read directory object with distinguished name TST-DC2-EXC-1-4.".

Failed to read directory object with distinguished name TST-DC2-EXC-1-4.




After looking at the error "Failed to read directory object with distinguished name" I first checked the SPN for the computer object TST-DC2-EXC-1-4. This checked out fine.

I then removed the computer TST-DC2-EXC-1-4 from the Active Directory domain, deleted the computer object then rejoined it. When rejoining the domain I experienced the following error:

Changing the Primary Domain DNS name of this computer to "" failed. The name will retain "tsthosting.local". The error was:

This specified server cannot perform the requested operation.




I removed the PC from the domain setting it back to workgroup. Before joining it to the domain again I manually set the primary DNS suffix for the computer account by clicking More in the domain settings window.



I then unticked "Change primary DNS suffix when domain membership changes" and manually typed in my domain's DNS suffix.



This resolved my problem allowing my setup to complete successfully.



While this procedure fixed the issue, it is not the root cause. I did not have enough time to diagnose and determine the root cause.