Friday, June 28, 2013

Find out which Global Catalog server Exchange is Using

In this article I am going to show you how to find out which Global Catalog servers your Exchange server is utilising.

How do you know what Global Catalog servers Exchange has found in its Active Directory site?

This can be found in the Application event log under Event ID 2080.

This lists all domain controllers in the environment and which domain controllers are in the same site as the Exchange server.

Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1536). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
ANG-PTH-DC1.domain.local CDG 1 7 7 1 0 1 1 7 1
athena.domain.local CDG 1 7 7 1 0 1 1 7 1
ares.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-PTH-DC2.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-BUN-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-JOO-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
joondalupfrcsvr.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-JOO-SVR02.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-KAT-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
kununurrasvr.domain.local CDG 1 7 7 1 0 1 1 7 1
rockinghamsvr.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-MAN-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-MAN-SVR02.domain.local CDG 1 7 7 1 0 1 1 7 1
youthservsvr.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-ALB-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-AWC-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
broomesvr.domain.local CD- 1 6 6 0 0 1 1 6 1
daisyhousesvr.domain.local CDG 1 0 0 1 0 0 0 0 0
Coolbellupsvr.domain.local CD- 1 6 6 0 0 1 1 6 1
ANG-BDS-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1
ANG-GOS-SVR01.domain.local CDG 1 7 7 1 0 1 1 7 1

What are these numbers next to the server?  As per Microsoft KB 316300 these numbers mean the following things. Note that the KB's column numbering predates the Enabled column that appears in the header above, so from Reachability onward each column sits one position further right in this output than the KB states:

Server name: The first column indicates the name of the domain controller that the rest of the data in the row corresponds to.

Roles: The second column shows whether or not the particular server can be used as a configuration domain controller (column value C), a domain controller (column value D), or a global catalog server (column value G) for this particular Exchange server. A letter in this column means that the server can be used for the designated function, and a hyphen (-) means that the server cannot be used for that function. In the example that is described earlier in this article, the Roles column contains the value CDG to show that the service can use the server for all three functions.

Reachability: The third column shows whether the server is reachable by a Transmission Control Protocol (TCP) connection. These bit flags are connected by an OR value. 0x1 means the server is reachable as a global catalog server (port 3268), 0x2 means the server is reachable as a domain controller (port 389), and 0x4 means the server is reachable as a configuration domain controller (port 389). In other words, if a server is reachable as a global catalog server and as a domain controller but not as a configuration domain controller, the value is 3. In the example that is described earlier in this article, the value 7 in the third column means that the server is reachable as a global catalog server, as a domain controller, and as a configuration domain controller (0x1 | 0x2 | 0x4 = 0x7).

Synchronized: The fourth column shows whether the "isSynchronized" flag on the rootDSE of the domain controller is set to TRUE. These values use the same bit flags connected by an OR value as the flags that are used in the Reachability column.

GC capable: The fifth column is a Boolean expression that states whether the domain controller is a global catalog server.

PDC: The sixth column is a Boolean expression that states whether the domain controller is a primary domain controller for its domain.

SACL right: The seventh column is a Boolean expression that states whether DSAccess has the correct permissions to read the SACL (part of nTSecurityDescriptor) against that directory service.

Critical Data: The eighth column is a Boolean expression that states whether DSAccess found this Exchange server in the configuration container of the domain controller listed in the Server name column.

Netlogon Check: The ninth column (added in Exchange 2000 SP3) states whether DSAccess successfully connected to a domain controller’s Net Logon service. This requires the use of Remote Procedure Call (RPC), and this call may fail for reasons other than a server that is down. For example, firewalls may block this call. So, if there is a 7 in the ninth column, it means that the Net Logon service check was successful for each role (domain controller, configuration domain controller, and global catalog).

OS Version: The tenth column (added in Exchange 2003) states whether the operating system of the listed domain controller is running at least Microsoft Windows 2000 Service Pack 3 (SP3). Exchange 2003 only uses domain controllers or global catalog servers that are running Windows 2000 SP3 or later. A Boolean expression of 1 means the domain controller satisfied the operating system requirements of Exchange 2003 for use by DSAccess.
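Decoding the table by hand is tedious when the site has twenty domain controllers, so here is an added example (not from the original post) that parses an event 2080 message, expands the Reachability, Synchronized and Netlogon bit flags into role names, and flags any DC that fails a check for a role it advertises. The sample message is constructed; the `Get-WinEvent` line at the end is how you would feed it the live event on the Exchange server.

```powershell
function ConvertFrom-Event2080 {
    param([Parameter(Mandatory)][string]$Message)
    # Role bits shared by the Reachability, Synchronized and Netlogon columns
    $bits = @(@{ Bit = 1; Name = 'GC' }, @{ Bit = 2; Name = 'DC' }, @{ Bit = 4; Name = 'ConfigDC' })
    $decode = { param([int]$v) ($bits | Where-Object { $v -band $_.Bit } | ForEach-Object { $_.Name }) -join '+' }
    foreach ($line in ($Message -split "`r?`n")) {
        # Data rows: FQDN, three-character role mask (CDG, CD-, ...), then nine integers
        if ($line -notmatch '^\s*(\S+)\s+([CD-]{2}[G-])\s+((?:\d+\s+){8}\d+)\s*$') { continue }
        $server, $roles = $Matches[1], $Matches[2]
        $n = [int[]]($Matches[3] -split '\s+')
        # The roles DSAccess can use tell us which bits every per-role column should carry
        $want = 0
        if ($roles[0] -eq 'C') { $want += 4 }
        if ($roles[1] -eq 'D') { $want += 2 }
        if ($roles[2] -eq 'G') { $want += 1 }
        [pscustomobject]@{
            Server       = $server
            Roles        = $roles
            Enabled      = [bool]$n[0]
            Reachable    = & $decode $n[1]
            Synchronized = & $decode $n[2]
            GcCapable    = [bool]$n[3]
            Pdc          = [bool]$n[4]
            SaclRight    = [bool]$n[5]
            CriticalData = [bool]$n[6]
            Netlogon     = & $decode $n[7]
            OsOk         = [bool]$n[8]
            # Healthy only if every advertised role is reachable, in sync and answering Netlogon
            Healthy      = ($want -ne 0) -and ($n[0] -eq 1) -and ($n[1] -eq $want) -and
                           ($n[2] -eq $want) -and ($n[7] -eq $want) -and
                           ($n[5] -eq 1) -and ($n[6] -eq 1) -and ($n[8] -eq 1)
        }
    }
}
# Constructed sample in the event 2080 layout shown above (not a real environment)
$sample = @"
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
dc1.example.local CDG 1 7 7 1 1 1 1 7 1
dc2.example.local CD- 1 6 6 0 0 1 1 6 1
dc3.example.local CDG 1 0 0 1 0 0 0 0 0
"@
# dc3 advertises all three roles but answers on none of them: chase that before touching Exchange settings
ConvertFrom-Event2080 -Message $sample |
    Format-Table Server, Roles, Reachable, Synchronized, Netlogon, SaclRight, Healthy -AutoSize
# On the Exchange server itself, decode the most recent live event instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 2080 } -MaxEvents 1 |
#     ForEach-Object { ConvertFrom-Event2080 -Message $_.Message } | Where-Object { -not $_.Healthy }
```

A non-GC domain controller (roles CD-) legitimately shows 6 rather than 7 in the bit-flag columns, which is why the check derives the expected value from the Roles column instead of assuming 7.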

Which Global Catalog Server are we using?

By default, without any configuration, Exchange load balances its Global Catalog requests across all Global Catalog servers in the same Active Directory site as the Exchange server.  All domain controllers in the same AD site receive an even share of the global catalog calls from the Exchange server on TCP 3268, unless the Microsoft Exchange AD Topology service has detected a problem with them.  This can be verified using a tool such as Network Monitor.

Can I Manually Exclude or Specify which Domain Controllers Exchange Uses?

The answer to this question is yes; however, I recommend doing so only when troubleshooting.  This can be configured with the Set-ExchangeServer PowerShell cmdlet.
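The following is an added example, not from the original post, covering both questions above: it reads which DCs and GCs the topology service has chosen for a server, pins the server to named GCs for the duration of a troubleshooting session, and then clears the static settings so automatic site-based selection resumes. It assumes the Exchange Management Shell; EXCH01 is a placeholder server name, and the DC names are the ones from the event above.

```powershell
# Placeholder Exchange server name; the DC names below are taken from the event 2080 output above
$ExchangeServer = 'EXCH01'
$PinnedGCs      = 'ANG-PTH-DC1.domain.local', 'ANG-PTH-DC2.domain.local'

# What AD Topology has chosen right now (the -Status switch populates the Current* properties)
Get-ExchangeServer -Identity $ExchangeServer -Status |
    Select-Object Name, CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController

# Troubleshooting only: force this server onto two known-good GCs.
# A static list disables failover to the other DCs in the site, so do not leave it in place.
Set-ExchangeServer -Identity $ExchangeServer -StaticGlobalCatalogs $PinnedGCs -StaticDomainControllers $PinnedGCs `
    -StaticConfigDomainController $PinnedGCs[0]

# Alternatively keep automatic selection but exclude a single DC that the event showed as unhealthy
# Set-ExchangeServer -Identity $ExchangeServer -StaticExcludedDomainControllers 'daisyhousesvr.domain.local'

# Confirm the change took effect (the Static* properties are visible without -Status)
Get-ExchangeServer -Identity $ExchangeServer |
    Select-Object Name, StaticGlobalCatalogs, StaticDomainControllers, StaticConfigDomainController, StaticExcludedDomainControllers

# Revert to automatic discovery when the troubleshooting is finished
Set-ExchangeServer -Identity $ExchangeServer -StaticGlobalCatalogs $null -StaticDomainControllers $null `
    -StaticConfigDomainController $null -StaticExcludedDomainControllers $null
```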


Wednesday, June 19, 2013

Remote COM+ Network Access to Server 2012 Core

You have set up a new Server 2012 Core computer and you wish to manage the server remotely through COM+ Network Access.  When you open a console such as Computer Management you receive the following error message:

Computer "SERVERNAME" cannot be connected. Verify that the network path is correct, the computer is available on the network, and that the appropriate Windows Firewall rules are enabled on the target computer.

To enable the appropriate Windows Firewall rules on the remote computer, open the Windows Firewall with Advanced Security snap-in and enable the following inbound rules.

COM+ Network Access (DCOM-In)
All rules in the Remote Event Log management group.

You can also enable these rules by using Group Policy settings for Windows Firewall with Advanced Security.  For servers that are running the Server Core installation option, run the Netsh AdvFirewall command or use the Windows PowerShell NetSecurity module.

Because COM+ Network Access is not yet allowed, you cannot use the Windows Firewall with Advanced Security MMC snap-in to connect to the server remotely.  As a result you need to log in to the Server 2012 Core machine and run the following command from a command prompt to enable remote management.

netsh advfirewall set currentprofile settings remotemanagement enable

Now you can connect to the Server 2012 Core machine remotely using MMC snap-ins.

This article may also be of reference: Remote Disk Management of a Server 2012 Core machine.

Tuesday, June 18, 2013

Remote Disk Management to Server 2012 core

I had a requirement to utilise remote disk management on a Windows Server 2012 Core installation.  When opening Computer Management and connecting remotely to the Windows Server 2012 computer, we received the following error message when attempting to access Disk Management.

Disk Management could not start Virtual Disk Service (VDS) on SERVERNAME.  This can happen if the remote computer does not support VDS, or if the connection cannot be established because it was blocked by Windows Firewall.

For additional information about diagnosing and correcting this problem, see Troubleshooting Disk Management in Disk Management help.

To resolve this problem we logged in to the Server 2012 Core server and enabled the following firewall rule group using the netsh command.

netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes

After adding the firewall exception on our Windows Server 2012 Core computer, we can now connect to it using remote Disk Management.
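The two posts above each open one rule group with netsh. As an added example (not from the original posts), here is the NetSecurity-module equivalent that enables all three groups remote Computer Management and Disk Management need, but scopes them to a management subnet first so the DCOM and RPC endpoints are not exposed to the whole network. The 10.0.50.0/24 subnet is an assumed placeholder; run it locally on the Server Core machine.

```powershell
# Rule groups needed by remote Computer Management (COM+, Event Log) and Disk Management (VDS)
$groups      = 'COM+ Network Access', 'Remote Event Log Management', 'Remote Volume Management'
$adminSubnet = '10.0.50.0/24'   # placeholder: the subnet your admin workstations sit on

foreach ($g in $groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction Stop
    # Restrict the DCOM/RPC listeners to the admin subnet before opening them
    $rules | Set-NetFirewallRule -RemoteAddress $adminSubnet
    $rules | Enable-NetFirewallRule
}

# The firewall snap-in itself also needs the remote management setting the post enables with netsh
netsh advfirewall set currentprofile settings remotemanagement enable

# Verify: every inbound rule in the three groups should now be enabled and scoped
Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound |
    Select-Object DisplayName, Profile, Enabled,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } } |
    Format-Table -AutoSize
```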


Monday, June 17, 2013

Setup Windows Server 2012 Core Computer for Domain

You have provisioned a new Windows Server 2012 Server Core machine and you want to connect it to the domain.  Before you do this there are five steps you generally want to perform:
  • Rename the computer
  • Change the IP to static
  • Join it to the domain
  • Enter Product Key and Activate (not required if KMS is in use)
  • Install Windows Updates
This article provides the commands and steps required to join a new Server 2012 server to the domain from the command line so that it can be managed remotely using the Server 2012 GUI tools.

Rename Windows Server 2012 using NETDOM

Execute the following command to rename the server using the NetDom utility.

netdom renamecomputer Server2012 /NewName FileServer

Server2012 is the current name of the server and FileServer is the new name.  After the rename is complete you will need to restart with the following command:

shutdown -r -f -t 0

Upon reboot, type "hostname" to confirm that the computer was renamed.

Configure the Network Interface

Next you are most likely going to want to configure a static IP, unless you intend to use DHCP to provide network configuration to your Windows Server 2012 computer.

The first step is to identify the name of the interface by executing the following netsh command.

netsh interface ip show config

Next you can set the IP address, Subnet Mask and Gateway with the following command:

netsh interface ip set address name="Ethernet" static <IPAddress> <SubnetMask> <Gateway>

To configure a primary DNS server and secondary DNS server for your "Ethernet" network interface use the following commands:

netsh interface ip set dns name="Ethernet" static <PrimaryDNS>
netsh interface ip add dns name="Ethernet" <SecondaryDNS> index=2

Validate the configuration with IPCONFIG /ALL.

Join the Computer to the Domain

To join the Server 2012 computer to the domain execute the following command.

netdom join FileServer /domain:corporatedomain.local /userd:domain\username /passwordd:password

After the computer is joined execute the following command to reboot the server.

shutdown -r -f -t 0

For security purposes I blurred out my domain name, username and password.

Now you're ready to go: your new Server 2012 system is on the domain.  As an optional task you can add domain groups or users to the local Administrators group on the system using the following command.

net localgroup administrators /add DomainName\UserName

Enter Product Key and Activate

Enter the product key and activate Windows, provided you do not have a Key Management Server (KMS) on your network.  To enter the product key use the following command:

start /w slmgr.vbs -ipk XXXX-XXXX-XXXX-XXXX-XXXX

To Activate Windows use the following command.

start /w slmgr.vbs -ato

Install Windows Updates

To install Windows Updates on Server Core we need to use a tool called sconfig.exe.  Launch sconfig.exe from the command line.

Select option 6 to download and install updates.
Next select A for All Updates.

Lastly select A to install all updates, or alternatively select single updates to install from the list.
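The rename, static addressing and domain join above can also be done from PowerShell on Server 2012 Core with the networking and computer cmdlets instead of netsh and netdom. This is an added example, not from the original post; it assumes the adapter is "Ethernet", the new name FileServer and the domain corporatedomain.local, and the 192.0.2.x addresses are documentation-range placeholders for your own values.

```powershell
$Adapter    = 'Ethernet'
$NewName    = 'FileServer'
$Domain     = 'corporatedomain.local'
$IPAddress  = '192.0.2.10'              # placeholder address
$Prefix     = 24                        # 255.255.255.0
$Gateway    = '192.0.2.1'               # placeholder gateway
$DnsServers = '192.0.2.5', '192.0.2.6'  # primary, secondary (index 1 and 2 in netsh terms)

# 1. Static addressing: turn off DHCP, clear any leased address and default route, then set ours
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServers
Get-NetIPConfiguration -InterfaceAlias $Adapter      # same check as ipconfig /all for this adapter

# 2. Rename and join in one step (one reboot instead of two). The join account is
#    prompted for, so the password never appears on the command line or in the
#    console history; netdom offers the same with /passwordd:* instead of a literal password.
$user = Read-Host "Account allowed to join $Domain (DOMAIN\user)"
$cred = New-Object System.Management.Automation.PSCredential($user, (Read-Host 'Password' -AsSecureString))
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Force -Restart
```

After the reboot, hostname and ipconfig /all confirm the new name and addressing exactly as in the netdom/netsh procedure above.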