Clint Boessen's Blog

Add Driver Packages to Boot Image Wizard Not Responding

2012-01-22T22:04:00.001-08:00

Hi had an issue today with a WDS Server on Windows Server 2008 R2 SP1. Whenever I went to add a driver package to a boot image the "Add Driver Packages to Boot Image Wizard" would freeze when trying to mount the image and come up with not responding.

When running the wizard again the following error would be received:

Error Occurred while trying to execute this command.
Error Code: 0xc1420127

In which I needed to browse to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WIMMount\Mounted Images" and delete any keys below this to run the wizard again.

To resolve the problem I ran the following command to Uninitialize the server.

wdsutil /Uninitialize-Server

Opening the WDS Console allowed me to run the configuration wizard again. After running the configuration wizard and re-configuring the server I then ran the "Add Driver Packages to Boot Image Wizard" which completed successfully.

Outlook 2007 Connection Issues over Outlook Anywhere

2012-01-19T20:47:00.000-08:00

I have seen a problem with Outlook 2007 numerous times where Outlook 2007 cannot connect to Exchange when setting up a new profile. This problem is client related, not server related. For example if the same user experiencing the issue tries to connect to Exchange remotely via Outlook Anywhere from a different PC using the same version of Outlook, it works fine.

The issue only occurs when creating a new Outlook Profile remotely via Outlook Anywhere (RPC over HTTPS). If the profile is already created and the user has used the profile in the past inside the network over direct MAPI you are reading the wrong blog post.

I am still unaware what causes this problem however I do have two working resolution. If I find the root cause in the future, I am sure to come back and update this post for everyone :)

Symptoms

A user tries to create a new Outlook Profile remotely through Outlook Anywhere but experiences the following error:

The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.

Note: This error is very generic and can also be caused when there is server side problems with Outlook Anywhere in which all users are effected. Only read this post if you are receiving this error only for an external user trying to create their outlook profile over Outlook Anywhere.

Resolution 1

If the user connects to the internal network either by bringing their PC/Laptop into the office or initiating a VPN connection the Outlook client connects to exchange using direct RPC MAPI and sets up the Outlook Profile as normal. If the user then brings the PC/Laptop outside the network either by disconnecting the VPN or moving the PC to another external network and connects using Outlook Anywhere (RPC over HTTP), Outlook Anywhere now works fine. The profile was created inside the network hence the issue of creating the profile over Outlook Anywhere never occured.

Resolution 2

In the event you have a user in a remote site, perhaps another country and you have no VPN connectivity setup the task of creating the Outlook Profile on the internal network using RPC MAPI calls is made difficult. However I have a work around here...

What I did was create the users profile on another PC running Outlook 2007. I used a virtual machine with Outlook 2007 installed and created the users profile using Outlook Anywhere as I did not have access to the internal network. When the profile is created and working correctly, export the following registry key to a .reg file.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem

Next go to the PC experiencing the Outlook 2007 issue and import the .reg file you have created by double clicking the file. This will import the Outlook Profile created on the remote workstation. As Outlook is no longer trying to create the Outlook profile over Outlook Anywhere, it will simply load the profile as normal allowing the user to work remotely over Outlook Anywhere.

Don't worry about Operating Systems - Performing this registry import/export from another PC with different operating system is fine. I exported my registry content from a Windows XP PC with Outlook 2007 installed and imported it on a Windows 7 PC with Outlook 2007 installed.

Additional Information

I have troubleshooted this issue numerous times and have looked at many things such as debug logging with Outlook, launching Outlook in safe mode etc, nothing provides detailed information useful to diagnosing the root cause.

This issue is not related to the Windows user profile or User Account. For example if the user recreates his profile or another user account on the PC experiencing the issue, the problem reoccurs. We can immediately rule out the users local user hive, it is definitely with the Outlook installation on the PC... so we should be looking at areas such as the local machine registry (HKLM) and the Outlook installation, are all the files correct?

Reinstalling Office 2007 on a PC experiencing the issue does not resolve the problem. This means it is either a setting in Windows or a desktop application which triggers this issue. I have seen this issue in different companies, so if it is another application causing problems, it is not a custom line of business application. It may be a common application that multiple company's use.

I have seen this issue occur on all versions of Outlook 2007 ranging from Outlook 2007 RTM, SP1 and SP2. Upgrading Outlook 2007 to the latest service pack will not resolve this issue.

I have not seen this issue on Outlook 2003 or Outlook 2010 however this is not to say the issue does not occur on these versions. I have just never seen this on these particular versions of Outlook in my professional experience.

Last thing I would like to note is, third party non-Microsoft firewall software installed on a Laptop or PC can cause this issue. If you open up Windows Firewall and Windows Firewall displays the notice something similar to "this PC is being managed by a third party vendor firewall", try uninstalling the third party firewall software as this may resolve the issue.

Assign user rights to modify distribution group membership

2012-01-09T21:57:00.000-08:00

A colleague of mine here at 4Logic today needed to perform a simple task in an Exchange 2010 environment today to allow designated users to administer distribution groups in Exchange 2010. Most Microsoft documentation suggesting adding the RBAC Administration role “Distribution Groups” to the user. This created security implementations as any user which was a member of this group, could manage all distribution groups within the organisation.

My colleague eventually worked this out by discovering RBAC user role of "MyDisturbtionGroups" allows users to manage distribution groups that they are an owner of (via Outlook and Exchange Control Panel).

Note: The group owner is controlled by the "Managed By" property.

He enabled this role by using the following PowerShell command:

New-ManagementRoleAssignment -Role MyDistributionGroups -Policy "Default Role Assignment Policy"

The role group however also allows owners of a distribution group to delete the distribution group.

If you want to allow users to only modify group membership a custom RBAC management role is required. The following commands create a custom management role which only allows a user in the "Managed By" field of a group to modify a groups membership.

New-ManagementRole -Name UpdateAddressLists -Parent MyDistributionGroups

Remove-ManagementRoleEntry UpdateAddressLists\New-DistributionGroup -Confirm:$false

Remove-ManagementRoleEntry UpdateAddressLists\Remove-DistributionGroup -Confirm:$false

New-ManagementRoleAssignment -Role UpdateAddressLists -Policy "Default Role Assignment Policy"

Command to find out how many items in each users Sent Items

2012-01-05T20:09:00.001-08:00

Today I put together a quick command to explore how many items are in each users sent items which I would like to share with you. This command ignores any users mailbox who does not have any items in the sent items folder.

Get-Mailbox | Get-MailboxFolderStatistics -FolderScope SentItems | Where {$_.ItemsInFolder -gt 0} | Sort-Object -Property ItemsInFolder -Descending | select-object Identity,ItemsInFolder | export-csv c:\test.txt

SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account

2011-12-28T22:42:00.000-08:00

In this post I will share with you the resolution to a problem I had on one of my clients Exchange environments. The following error was experienced in the event logs of my Exchange 2010 servers.

Log Name: Application
Source: MSExchange SACL Watcher
Date: 28/12/2011 11:00:43 AM
Event ID: 6006
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: APOLLO.internal.workcover.wa.gov.au
Description:
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account S-1-5-21-54938807-350570593-2036031536-21088.

Next I used LDP.exe to translate the SID from the error message into something readable.

After investigating the problem I found out that "SeSecurityPrivilege privilege" translates to "Manage audit and security log" under user rights assignment in group policy. Exchange setup automatically adds "DOMAIN\Exchange Enterprise Servers" and "DOMAIN\Exchange Servers" to the "Manage audit and security log" user rights assignment on the Default Domain Controllers Policy.

My client had unlinked the Default Domain Controllers Policy from the Domain Controllers OU and created their own custom policy - NOT RECOMMENDED. Restoring this policy resolved the problem.

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication."

2011-12-28T22:05:00.000-08:00

In this post we will look at what this error means:

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

Lets have a look in the SMTP Receive protocol logs:

C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive

- We can see connections trying to be established from 10.4.8.1 (in a remote AD site) and 10.4.2.8 (in the same AD site)
- We can see the connections are hitting the receive connector SVR01\External
- The receive connector is terminating the connection with "Service closing transmission channel"

2011-12-29T06:10:25.668Z,SVR01\External,08CE9265B5AAB0D9,0,10.4.2.10:25,10.4.8.1:49547,+,,
2011-12-29T06:10:25.668Z,SVR01\External,08CE9265B5AAB0D9,1,10.4.2.10:25,10.4.8.1:49547,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-12-29T06:10:25.668Z,SVR01\External,08CE9265B5AAB0D9,2,10.4.2.10:25,10.4.8.1:49547,>,"220 mail.4logic.com.au Microsoft ESMTP MAIL Service ready at Thu, 29 Dec 2011 14:10:24 +0800",
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,3,10.4.2.10:25,10.4.8.1:49547,<,EHLO OP-SRV1.4logic.lan, 2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,4,10.4.2.10:25,10.4.8.1:49547,>,250-mail.4logic.com.au Hello [10.4.8.1],
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,5,10.4.2.10:25,10.4.8.1:49547,>,250-SIZE 31457280,
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,6,10.4.2.10:25,10.4.8.1:49547,>,250-PIPELINING,
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,7,10.4.2.10:25,10.4.8.1:49547,>,250-DSN,
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,8,10.4.2.10:25,10.4.8.1:49547,>,250-ENHANCEDSTATUSCODES,
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,9,10.4.2.10:25,10.4.8.1:49547,>,250-STARTTLS,
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,10,10.4.2.10:25,10.4.8.1:49547,>,250-AUTH,
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,11,10.4.2.10:25,10.4.8.1:49547,>,250-8BITMIME,
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,12,10.4.2.10:25,10.4.8.1:49547,>,250-BINARYMIME,
2011-12-29T06:10:25.699Z,SVR01\External,08CE9265B5AAB0D9,13,10.4.2.10:25,10.4.8.1:49547,>,250 CHUNKING,
2011-12-29T06:10:25.746Z,SVR01\External,08CE9265B5AAB0D9,14,10.4.2.10:25,10.4.8.1:49547,<,QUIT, 2011-12-29T06:10:25.746Z,SVR01\External,08CE9265B5AAB0D9,15,10.4.2.10:25,10.4.8.1:49547,>,221 2.0.0 Service closing transmission channel,
2011-12-29T06:10:25.746Z,SVR01\External,08CE9265B5AAB0D9,16,10.4.2.10:25,10.4.8.1:49547,-,,Local
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,0,10.4.2.10:25,10.4.2.8:65117,+,,
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,1,10.4.2.10:25,10.4.2.8:65117,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,2,10.4.2.10:25,10.4.2.8:65117,>,"220 mail.4logic.com.au Microsoft ESMTP MAIL Service ready at Thu, 29 Dec 2011 14:10:31 +0800",
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,3,10.4.2.10:25,10.4.2.8:65117,<,EHLO QV1-EXC1.4logic.lan, 2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,4,10.4.2.10:25,10.4.2.8:65117,>,250-mail.4logic.com.au Hello [10.4.2.8],
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,5,10.4.2.10:25,10.4.2.8:65117,>,250-SIZE 31457280,
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,6,10.4.2.10:25,10.4.2.8:65117,>,250-PIPELINING,
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,7,10.4.2.10:25,10.4.2.8:65117,>,250-DSN,
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,8,10.4.2.10:25,10.4.2.8:65117,>,250-ENHANCEDSTATUSCODES,
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,9,10.4.2.10:25,10.4.2.8:65117,>,250-STARTTLS,
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,10,10.4.2.10:25,10.4.2.8:65117,>,250-AUTH,
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,11,10.4.2.10:25,10.4.2.8:65117,>,250-8BITMIME,
2011-12-29T06:10:32.761Z,SVR01\External,08CE9265B5AAB0DA,12,10.4.2.10:25,10.4.2.8:65117,>,250-BINARYMIME,
2011-12-29T06:10:32.777Z,SVR01\External,08CE9265B5AAB0DA,13,10.4.2.10:25,10.4.2.8:65117,>,250 CHUNKING,
2011-12-29T06:10:32.777Z,SVR01\External,08CE9265B5AAB0DA,14,10.4.2.10:25,10.4.2.8:65117,<,QUIT, 2011-12-29T06:10:32.777Z,SVR01\External,08CE9265B5AAB0DA,15,10.4.2.10:25,10.4.2.8:65117,>,221 2.0.0 Service closing transmission channel,
2011-12-29T06:10:32.777Z,SVR01\External,08CE9265B5AAB0DA,16,10.4.2.10:25,10.4.2.8:65117,-,,Local

If we look at the receive connector "External" on SVR01 we notice that Exchange Server authentication is not enabled meaning SVR01 is not able to receive mail relay from other hub transport servers in the Exchange organisation.

If we tick the box we will resolve the problem.

Hybrid Office 365 Deployment with Threat Management Gateway

2011-12-22T18:41:00.000-08:00

After working with a Hybrid Office 365 deployment with Threat Management Gateway performing SSL offloading to an Exchange 2010 SP2 hybrid server for one of my customers I experienced a number of gotcha's which are not documented.

MRSProxy with SSL Offloading

The first issue was with MRSProxy. I found out the hard way that MRSProxy "/EWS/mrsproxy.svc" does not support SSL offloading. The MRSProxy connection must hit the Exchange 2010 Client Access Server on TCP443 using a secure SSL connection. When using SSL offloading with Forefront Threat Management Gateway as soon as unsecure HTTP port 80 connections were passed to MRSProxy on the Exchange 2010 Hybrid server we were receiving was (404) Not Found in the IIS logs.

We created a separate TMG firewall rule with a path rule of "/EWS/mrsproxy.svc" which is processed before our Hybrid firewall rule. This path rule re-encrypts and forwards to the Hybird server on TCP443. All other connections come through on TCP80.

Free/Busy with Office 365

The second issue was with free/busy. Users on-premises were able to view Free/Busy for users in Office 365, however users in Office 365 were unable to view Free/Busy for users on-premises. This was caused by the Web Listener being configured for Basic or Windows Integrated authentication. Free/Busy over an Organization Relationship uses Microsoft.Web.Services.SoapContext to authenticate free/busy... in other words the authentication is handled by the .NET framework. Threat Management Gateway must pass through authentication requests to /EWS/*. Setting the TMG listener to No Authentication achieves this.

Send As From a Second Email Address

2011-12-22T17:59:00.000-08:00

From Exchange Server 2003 to Exchange 2010 SP2 (as of this writing) supports the ability to send email from different email addresses as long as the "send as" address has the same email address suffix of the users primary email address. For example I have an email address of clint.boessen@4logic.com.au. Provided I have been granted permissions I can send as from different addresses such as accounts@4logic.com.au or orders@4logic.com.au. However if my Exchange server has different Accepted Domains such as @kbomb.com.au I am not able to send as accounts@kbomb.com.au even if I have been granted permissions. Doing so will result in the following error:

You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.

Microsoft's claims this functionality is "by design" and there is no intention to create a resolution at this stage.

There is a 3rd party tool called ChooseFrom which you install on your Exchange 2007/2010 server. This tool enables Send As functionality from different domains however its rather pricey. As of this writing the asking price was 286.46 USD for a 1-2 user license, $214.84 USD if you want over 3 licenses, $7161.50 USD for a site license or $30078.30 USD for an enterprise license in which they will also provide you with the source code. If you are interested in this tool please see the following website:

http://ivasoft.com/choosefrom2007.shtml

As an alternative you can create a new Outlook Profile and create a POP account. Outlook 2010 supports multiple profiles at the same time. In the address enter your Exchange 2010 hub transport server and configure SMTP authentication. In the POP3 server address enter something bogus like mail.local. Next you need to configure the send and receive group for your POP3 profile. To do this perform the following steps:

1. Under Send/Receive Groups select Define Send/Receive Groups.
2. Select your group name or define a new group and click Edit.
3. In the Send/Receive Settings disable Receive mail items.

Now when you send/receive you wont get an error about not being able to receive from the bogus pop server.

Decrypting Network Packet Capture

2011-12-22T17:43:00.000-08:00

There may be times where you need to view a network conversation which is encrypted with SSL. What do you do?

You may decrypt the conversation using a tool called "Network Monitor Decryption Expert" which is available for free from codeplex.

http://nmdecrypt.codeplex.com/

How do I go about decrypting the traffic?

Step 1

Start Microsoft Network Monitor (NetMon) and capture the Traffic from Office 365. The latest version as of this writing is 3.4 which is available from http://www.microsoft.com/download/en/details.aspx?id=4865

Step 2

Export the Server Certificate with private key in to a PFX

Step 3

Install the Netmon expert for SSL

Step 4

Now you should be able to decrypt the encrypted traffic.

Wild Card Certificates and Hybrid Configuration Wizard

2011-12-16T16:59:00.000-08:00

When running the Hybrid Configuration Wizard I noticed the wizard crashes when attempting to create a Send Connector if a wild card certificate is attached to the default web site in IIS. What the Hybrid Configuration Wizard does is look at the common name of the certificate associated with the IIS service (verify this by using Get-ExchangeCertificate) and attempts to associate the common name as the FQDN on the Send Connector for the purpose of SMTP encryption. In a wildcard certificate *.example.com is the common name of the certificate. *.example.com is not a valid FQDN for a send connector in Exchange as thee FQDN must be associated to a domain name, not a wild card name. As a result the wizard crashes when trying to set *.example.com as the FQDN on the send connector. The following error is generated...

Update-HybridConfiguration
Failed

Error:
Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Mail Flow

Execution of the New-SendConnector cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

Cannot process argument transformation on parameter 'Fqdn'. Cannot convert value "*.example.com" to type "Microsoft.Exchange.Data.Fqdn". Error: ""*.example.com" isn't a valid SMTP domain."
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke()
at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)
'.

Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_12_16_2011_5_58_59_634596119396658235.log.

Exchange Management Shell command attempted:
Update-HybridConfiguration -OnPremisesCredentials 'System.Management.Automation.PSCredential' -TenantCredentials 'System.Management.Automation.PSCredential'

Elapsed Time: 00:07:13

Workaround...

I have a work around which will allow you to complete the Hybrid Configuration Wizard. What you need to do is use another certificate with a valid common name such as mail.example.com so the wizard is able to create its Send Connector. If you use a self signed certificate or a certificate issued by an internal certificate authority the wizard will fail. You must use a public certificate trusted from a public root certificate authority.

Does this mean I need to purchase another digital certificate, I already own a wild card certificate?

No, you can use a digital certificate from http://www.freessl.com/ (provided by RapidSSL) which is free for 30 days. This certificate is not a SAN (subject alternative name) certificate which is trusted under multiple names. As a result you must issue the certificate to autodiscover.yourdomain.com as the autodiscover service is required when running the Update-HybridConfiguration command. The autodiscover address must be pointed at the same address for the hybrid server in which your trying to configure on your firewall. When you finish creating your new certificate and associating it with the IIS service and SMTP service, re-run the Update-HybridConfiguration tool. Your send connector will be created with autodiscover.yourdomain.com as the FQDN. Now you can re-assign your wild card certificate to the IIS service and SMTP service and update the FQDN on your send connector to a domain name of your choice in alignment with the wild card certificate such as mail.example.com.

SSL Offloading...

If your running SSL offloading, i.e. your Exchange web services are all running on port 80 you still need to link a digital certificate to your IIS service to complete the wizard. Simply untick Require SSL on the various Exchange web services in IIS manager. The digital certificate you use needs to be valid for the FQDN on the SMTP service and must be linked to IIS and SMTP (Get-ExchangeCertificate).

Also if your using SSL offloading you do not have to worry about using autodiscover.yourdomain.com on the certificate associated with IIS as the autodiscover requests will be hitting your Exchange server on port 80... another device such as Threat Management Gateway or an F5 BIG-IP will be decrypting the traffic and forwarding it to Exchange 2010.

Microsoft NLB Layer 3 not working through Cisco in Multicast Mode

2011-12-15T01:39:00.001-08:00

I experienced an issue with Microsoft Network Load Balancing (NLB) configured in a multicast mode cluster. I was able to contact my cluster virtual IP address from my other computers on the same subnet (Layer 2), However I was unable to contact the Virtual IP address from a different subnet by routing through my Cisco router (Layer 3).

After a little investigation I stumbled across the following Cisco website:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml

To resolve this issue I was required to add the MAC address for the Virtual IP a of my NLB cluster to the Cisco router as a static MAC entry.

To grab the MAC address of the Virtual IP address first you need to make connectivity with the IP from another PC on the same subnet. Ping will do the trick. Then display the ARP cache on the PC with arp -a.

To add the static MAC address entry to the Cisco Router use the following commands.

conf t
arp 10.4.2.15 03bf.0a04.020f arpa

This will ensure you can route layer 3 to the Virtual IP of your NLB cluster when in Multicast mode.

For a detailed description as to why this happens refer to the above Cisco link.

An error occurred while attempting to retrieve the security token.

2011-12-15T01:20:00.000-08:00

Problem:

When using the Exchange Remote Connectivity Analyzer (ExRCA) using the Office 365 Microsoft Single Sign-on (BETA) tool you may experience the following error message.

ExRCA is attempting to retrieve and analyze a security token for user mr.cloud@4logic.com.au.
An error occurred while attempting to retrieve and analyze the security token.
Test Steps
ExRCA is attempting to authenticate to the security token service at https://fs.4logic.com.au/adfs/services/trust/2005/usernamemixed.
An error occurred while attempting to retrieve the security token.
Tell me more about this issue and how to resolve it
Additional Details
The Security Token service indicated that the authentication failed. Check the user name and password and try again.

Resolution:

I have seen this problem occur in two circumstances:

a.) the username and password you have entered is incorrect.

b.) the UPN suffix for the user account has not been updated yet to a public UPN suffix. Do this in AD Users and Computers. I set it to @4logic.com.au.

You may have to create a public UPN suffix under Active Directory Domains and Trusts first.

An HTTP 503 Service Unavailable response was received while trying to validate ADFS metadata

2011-12-15T00:29:00.000-08:00

Today I went to connect to Office 365 with single sign-on only to notice that it is no longer working. When using the Exchange Remote Connectivity Analyzer (ExRCA) using the Office 365 Microsoft Single Sign-on (BETA) tool I received the following error:

Validating ADFS metadata for the on-premises ADFS server.
There was a problem validating the ADFS metadata.
Test Steps
Retrieving ADFS metadata information from metadata exchange URL https://fs.4logic.com.au/adfs/services/trust/mex.
ExRCA failed to retrieve ADFS metadata.
Tell me more about this issue and how to resolve it
Additional Details
An HTTP 503 Service Unavailable response was received while trying to validate ADFS metadata.

On my internal network when I tested https://fs.4logic.com.au/adfs/fs/federationserverservice.asmx from Internet Explorer I received

Service Unavailable
HTTP Error 503. The service is unavailable.

After further investigation we noticed the AD FS 2.0 Windows Service was not running on my AD FS 2.0 servers.

After starting this service the issue was resolved. If we navigate to https://fs.4logic.com.au/adfs/fs/federationserverservice.asmx to test we can verify that our AD FS servers are giving us XML.

Please note that you cannot use https://fs.4logic.com.au/adfs/fs/federationserverservice.asmx to test your Federation Proxy servers. This test can only be used against AD FS 2.0 servers, not the AD FS 2.0 Proxy servers. When passing this address through your federation proxy you will ALWAYS receive:

Service Unavailable
HTTP Error 503. The service is unavailable.

Why was the service not running?

I looked into why the service was not running and in the event log I noticed the service crashed during startup. The following error was generated in the SYSTEM event log:

Log Name: System
Source: Service Control Manager
Date: 15/12/2011 3:22:43 AM
Event ID: 7023
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: qv1-dc2.4logic.lan
Description:
The AD FS 2.0 Windows Service service terminated with the following error:
An exception occurred in the service when handling the control request.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7023</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2011-12-14T19:22:43.912273400Z" />
<EventRecordID>4333</EventRecordID>
<Correlation />
<Execution ProcessID="456" ThreadID="1504" />
<Channel>System</Channel>
<Computer>qv1-dc2.4logic.lan</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">AD FS 2.0 Windows Service</Data>
<Data Name="param2">%%1064</Data>
</EventData>
</Event>

Looking at the service we can already see it is configured with a delay start.

Interestingly I noticed on the recovery tab of the service by default it is configured to Restart the Service on the First and Second failure. This hints to me that the product team is already aware of this issue with the service crashing on startup. This is most likely due a dependency not starting in time. My AD FS 2.0 servers are also domain controllers which is recommended for small organisations. Being domain controllers means the startup time for these servers is even longer then normal. What I did was in the "Restart service after" box I entered in 2 minutes to ensure the delay was longer. This resolved the problem.

Federation information could not be received from the external organization.

2011-12-14T18:52:00.000-08:00

I had an issue when completing the Hybrid Configuration Wizard in Exchange 2010 SP2. It continuously crashed out with the following error.

Error:
Updating hybrid configuration failed with error 'Subtask Configure execution failed: Creating Organization Relationships.

Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

Federation information could not be received from the external organization.
at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)
'.

Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_12_8_2011_18_2_52_634589641723224440.log.

Exchange Management Shell command attempted:
Update-HybridConfiguration -OnPremisesCredentials 'System.Management.Automation.PSCredential' -TenantCredentials 'System.Management.Automation.PSCredential'

Elapsed Time: 00:02:56

I also received the following error when running this command:

Get-FederationInformation -DomainName 4logic.com.au

Federation information could not be received from the external organization.
+ CategoryInfo : NotSpecified: (:) [Get-FederationInformation], GetFederationInformationFailedException
+ FullyQualifiedErrorId : ABE6A500,Microsoft.Exchange.Management.SystemConfigurationTasks.GetFederationInformation

Externally my autodiscover was working correctly which I confirmed by using the Exchange Remote Connectivity Analyzer (ExRCA).

However what we found was internally the Get-FederationInformation does not use the Service Connection Point (SCP) objects in Active Directory for performing Autodiscover. As a result it must be able to resolve autodiscover.4logic.com.au to an internal IP address.

We have two ways we can do this... add your public DNS zone to your internal network and populate it with internal IP addresses or create an entry in your hosts file on your Hybrid Server. This is what I did.

The hosts file is located under C:\Windows\System32\drivers\etc

Also your certificate attached to Exchange must have a valid SAN name for your autodiscover record.

NLB Installed on DNS Servers Issues

2011-12-13T21:07:00.000-08:00

I needed to install Microsoft Network Load Balancing (NLB) on two Active Directory Domain controllers running Windows Server 2008 R2 SP1 to load balance Active Directory Federation Services AD FS 2.0 on TCP443.

Here is the my setup:

Generally the Network Load Balancing Virtual IP Addresses do not get registered in DNS automatically. However I found out that if Network Load Balancing is installed and configured on a DNS server, both the virtual network adaptor address and dedicated network adaptor address get registered in DNS.

For my two domain controllers QV1-DC1 and QV1-DC2 there were two A records for each... the servers IP address and my virtual NLB address. DNS round robin, which is enabled by default on all Windows DNS servers was distributing at random either the servers IP address or the virtual address.

The problem here is the virtual address was only listening on port 443 meaning no Active Directory queries could reach the domain controller for any hosts who resolved the virtual IP address.

I found a fix which allowed me register the IP addresses I want on each of my servers to DNS, instead of turning of dynamic DNS updates all together. This registry key is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\PublishAddresses

Now my two domain controllers only register their IP address in DNS, not the NLB Virtual IP.

I found the fix on the following KB Article:

http://support.microsoft.com/kb/246804

Mailbox could not be created. Verify that OU ( Users ) exists

2011-12-13T01:56:00.000-08:00

In Exchange when you run the test commands such as Test-OutlookWebServices or Test-FederationTrust for example it requires a Exchange Test account. This is usually created by running the New-TestCasConnectivityUser.ps1 script from the Exchange 2010 scripts Directory C:\Program Files\Microsoft\Exchange Server\V14\Scripts.

If you don't create a test user account you will receive such errors in PowerShell:

Test-OutlookWebServices

Failed to find the mailbox. Mailbox = 'extest_40f651ff86fd4@4logic.lan'.
+ CategoryInfo : NotSpecified: (:) [Test-OutlookWebServices], MailboxNotFoundException
+ FullyQualifiedErrorId : Microsoft.Exchange.Monitoring.MailboxNotFoundException,Microsoft.Exchange.Management.SystemConfigurationTasks.TestOutlookWebServicesTask

Test-FederationTrust

Couldn't find object "extest_40f651ff86fd4". Please make sure that it was spelled correctly or specify a different object.
+ CategoryInfo : NotSpecified: (:) [Test-FederationTrust], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : C5C16259,Microsoft.Exchange.Management.SystemConfigurationTasks.TestFederationTrust

However today when I ran the New-TestCasConnectivityUser.ps1 it complained that it could not find the Users OU, a problem which I had not seen before. I know that the password I supplied met the complexity requirements. This is the error I was receiving.

CreateTestUser : Mailbox could not be created. Verify that OU ( Users ) exists and that password meets complexity requirements.
At C:\Program Files\Microsoft\Exchange Server\V14\Scripts\new-TestCasConnectivityUser.ps1:267 char:31
+ $result = CreateTestUser <<<< $exchangeServer $mailboxServer $securePassword $OrganizationalUnit $UMDialPlan $UMExtension $Prompt
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,CreateTestUser

I simply specified my Users OU and it created the object...

get-mailboxServer .\new-TestCasConnectivityUser.ps1 -ou 4logic.lan/users

Exchange 2010 Management Shell into Existing Exchange 2007 Servers

2011-11-23T01:52:00.000-08:00

By default Exchange 2010 Management Shell (EMS 2010) cannot manage/access information stored on the Exchange 2007 servers such as IIS configuration in the example below. When attempting to get information from an Exchange 2007 server in an Exchange 2010 management shell you will receive the following error:

An IIS directory entry couldn't be created. The error message is Access is denied.
. HResult = -2147024891
+ CategoryInfo : NotInstalled: (PER-EXCHMBX\Exchange (Default Web Site):ADObjectId) [Get-OwaVirtualDirecory], IISGeneralCOMException
+ FullyQualifiedErrorId : EBEB5204,Microsoft.Exchange.Management.SystemConfigurationTasks.GetOwaVirtualDirectory

For example here we have an Exchange 2010 shell and an Exchange 2007 shell. We can see the Exchange 2010 shell cannot access the Exchange 2007 servers... where the Exchange 2007 shell is fine.

To allow the Exchange 2010 shell to connect to the Exchange 2007 servers you must add "Microsoft Exchange Security Groups\ Exchange Trusted Subsystem" as a local admin to all Exchange 2007 servers.

Windows RPC/HTTP and Outlook Anywhere

2011-11-22T18:23:00.000-08:00

Prior to Windows Vista SP1, the Windows RPC/HTTP client-side component required that the Subject Name (aka Common Name) on the certificate match the "Certificate Principal Name" configured for the Outlook Anywhere connection in the Outlook profile. Therefore, as a best practice, you should ensure that your certificate common name is configured as the name Outlook Anywhere references which can be achieved by using the Set-OutlookProvider cmdlet with the -EXPR parameter.

To understand how to configure the EXPR parameter please view this blog post:

http://clintboessen.blogspot.com/2009/06/configuring-outlook-anywhere-settings.html

As many people still use Windows XP, I recomend always configuring the the EXPR parameter to use the certificate common name.

Where are Exchange 2003 relay restrictions stored?

2011-11-21T20:34:00.000-08:00

I was asked by a client where Exchange 2003 Relay Restrictions are stored? The SMTP Virtual Server in Exchange 2003 is actually apart of IIS and as a result its configuration is not stored in Active Directory (for the most part). This means if you recover an Exchange 2003 server using the Disaster Recovery switch you will need to re-enter this configuration.

drive:\Setup\I386\Setup.exe /DisasterRecovery

See Recovering a failed Exchange 2003 server:

http://www.msexchange.org/tutorials/Recovering-Failed-Exchange-2003-Member-Server-Using-Disaster-Recovery-Switch.html

The relay restrictions are stored under a series of REG_DWORD and REG_MULTI_SZ values under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\MSExchangeIMC\Parameters

For more information please see the following Microsoft KB article:

http://support.microsoft.com/kb/193922

Load Balance SMTP with F5 BIG-IP

2011-11-17T17:16:00.001-08:00

The F5 BIG-IP has a template for Exchange 2010 which assists administrators with configuring load balancing for Outlook Anywhere, Active Sync and Outlook Web App. This template does not configure SMTP load balancing. There are many circumstances where you may want an SMTP endpoint IP address to be highly available and load balanced between multiple hub transport servers.

In this post I will go through and show you how to configure the BIG-IP LTM for load balancing the SMTP protocol and the challenges associated with this. This article was written using the F5 BIG-IP LTM VE version 10.2.3.

Create a Health Monitor

Create a health monitor which monitors the Exchange 2010 SMTP service on our Exchange 2010 servers. The heath monitor will send SMTP HELO requests on a regular basis to ensure the SMTP servers are healthy.

Expand Local Traffic and click Add next to Monitors.

I called the monitor SMTP_Monitor. Set the Type to SMTP. Provided an interval of 120 seconds meaning the monitor will send an SMTP HELO every 2 minutes to the Ex2010 servers to see if they are still online. Configured the Alias service port to 25.

Create a Pool for the SMTP Servers

A load balancing pool is a logical set of devices, in our case SMTP servers, that you group together to receive and process traffic. To create a new pool under Pool List click Add.

I called the pool smtp_pool. Select the SMTP_Monitor we created earlier. Select the load balancing method as Round Robin. Add the SMTP servers to our pool in which we wish to distribute inbound SMTP connections to.

Create an SMTP Virtual Server

Create an SMTP Virtual Server on the F5 BIG-IP which will allow the BIG-IP system to listen on TCP25 to load balance incoming SMTP sessions. To do this under Virtual Servers --> Virtual Server List click add.

I called the SMTP Virtual Server SMTP_VS. Under Destination I specified 172.16.51.174. This is the Virtual IP the BIG-IP will listen on for incoming SMTP traffic. Select a service port of 25 and place the device in an enabled state.

Under configuration set SNAT Pool to Auto Map (I have explained what Auto Map is below).

Scroll down further and under resources set the Default Pool to smtp_pool along with the default persistence profile to source_addr.

Test our BIG-IP SMTP Virtual Server

The F5 BIG-IP device should now be configured to load balance SMTP requests between the two Exchange 2010 servers. In your Virtual Server List the SMTP_VS should come up green.

From a command prompt verify you can telnet our SMTP virtual server on 172.16.51.174 on port 25.

We can see that it successfully connected to one of the SMTP servers in our load balancing pool "smtp_pool"

At this point your F5 BIG-IP is successfully load balancing SMTP.

The Problem...

When building an email solution it is absolutely critical to avoid becoming an open SMTP relay. Most organisations implement relay restrictions by locking anonymous relay down to certain source IP addresses on their internal network such as applications and printers. Source IP is generally the preferred method as Administrators do not have to deal with SMTP authentication methods. The list of IP addresses who are allowed relay anonymously are usually configured on the Exchange SMTP receive connectors. However when dealing with load balancers such as a F5 BIG-IP Local Traffic Manager this becomes a difficult task.

Why?

Whilst load balancing connections the F5 BIGIP uses SNAT to re-write the source IP address on the SMTP packets to one of its "Self IP" addresses or "Virtual IP" addresses. This means the Exchange servers will see all requests coming from the same IP address making it impossible to determine which request belongs to what client. This is illustrated in the following diagram:

However I have a workaround for you. If we setup two SNAT addresses on the F5 BIG-IP for example 172.16.51.174 and 172.16.51.175 we can configure our BIG-IP to say any source IP addresses that need to be an anonymous open relay hit our Exchange 2010 servers from 172.16.51.174 ELSE hit our Exchange 2010 servers from 172.16.51.175. This solution means we need to configure our list of allowed IP addresses for SMTP relay on our F5 BIG-IP instead of our Exchange SMTP Receive Connectors.

Create a Data Group List

First we must create a list of IP addresses we want to allow anonymous relay for on our F5 BIG-IP. These are the IP addresses we would normally configure on our Exchange receive connectors. To do this we need to create a new data group list.

Add a new data group list by expanding iRules --> Data Group List and clicking the add button.

I called my Data Group List smtp_relay_allowed and specified the IP address 172.16.51.21. You can add as many IP addresses as you want for anonymous relay.

Create a new iRule

An iRule is a powerful and flexible feature of BIG-IP devices which provide you with unprecedented control to directly manipulate and manage any IP application traffic. By creating an iRule we can instruct the BIG-IP to return a different SNAT address based on on the condition. We want to instruct our BIG-IP to perform the following:

IF a clients source IP is on our Data Group List THEN use an SNAT address of 172.16.51.174 ELSE use the SNAT address of 172.16.51.175.

To create the iRule under Local Traffic Select iRule --> iRule List and click the add button.

I called my iRule smtp_irule and created the following code to perform my required conditions as mentioned above.

A copy of the code:

when CLIENT_ACCEPTED {
set accepted_snat "172.16.51.174"

if { [ class exists smtp_relay_allowed ] }
{
if { [class match [IP::client_addr] equals $::smtp_relay_allowed] }
{
snat $accepted_snat
} else {
snat automap
}
} else {
snat automap
}
}

Automap is a feature of the BIGIP where it automatically selects a Self IP at random to use for the SNAT translation. A Self IP is an IP you have assigned to the BIGIP manually under your network configuration. This is different to a Virtual IP address which is created when you setup a virtual server. I only have one Self IP on my BIG IP set to 172.16.51.175 and one virtual IP set to 172.16.51.174 used by all my F5 virtual servers on different TCP ports. As a result automap will ONLY select 172.16.51.175.

Why would you want multiple source SNAT IP addresses?

For each connection made from the BIG-IP to your load balanced servers a TCP source port needs to be opened for the communication. TCP only has 65535 ports for source and destination traffic so if the number of connections exceeded the number of available ports, the BIG-IP would not be able to take new connections. In this event you could add an additional Self IP and rely on the Automap feature or create an SNAT pool which is a predefined list of IP addresses the BIG-IP is allowed to use for SNAT.

I recommend reading the chapter on SNAT configuration from the F5 website:

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_snat.html

How do I configure Exchange 2010:

On your Exchange 2010 servers create your two receive connectors as normal. Create one receive connector configured for your anonymous relay and setup yoru default receive connector for all other SMTP traffic. Both receive connectors must listen on port 25. Do this on all Exchange servers in your pool.

For information on how to configure your application receive connector for anonymous relay follow this blog post:

http://clintboessen.blogspot.com/2009/07/allow-network-applications-to-relay.html

Apply my new iRule to the SMTP Virtual Server

Next we need to attach the iRule to the SMTP virtual server in the F5 configuration screen. To do this go to your Virtual Servers --> Click Virtual Server List then select our SMTP_VS created earlier.

Select Resources then under iRules click Manage.

Select our smtp_irule out of the list available then click finish.

Testing our Configuration

So time to test the configuration to ensure it works as configured. Lets telnet my BIG-IP SMTP Virtual Server from the host we allowed 172.16.51.23 by running the following command:

telnet 172.16.51.174 25

I then wrote some random comments in the telnet session so we can identify our server 172.16.51.23 in our SMTP logs.

I then repeated the procedure from another server which is not in our Data Group List created above.

In our SMTP logs on our Exchange 2010 server as expected the 172.16.51.23 server came from 172.16.51.174 and the non trusted IP came from 172.16.51.175.

VBS Get the OU distinguishedName of the OU containing a User Account

2011-11-08T21:48:00.001-08:00

I had an interesting task which I needed to achieve. I had another peice of code grabbing a bunch of user distinguishedName's in Active Directory. For each distinguishedName I needed to grab the OU/container the user account resides in. For example:

"CN=Clint Boessen,OU=Microsoft MVPs,OU=Engineers,OU=IT Professionals,DC=4Logic,DC=local"

We need to cut the "CN=Clint Boessen" of this string in order to determine the organisational unit so we get:

"OU=Microsoft MVPs,OU=Engineers,OU=IT Professionals,DC=4Logic,DC=local"

However sometimes the user accounts are in a container not an OU so we need code smart enough to deal with this.. for example:

"CN=Clint Boessen,CN=Users,DC=4Logic,DC=local"

To be come:

"CN=Users,DC=4Logic,DC=local"

The VB Script below will take care of this... as long as you store the distinguishedName within the strOU attribute.

For example:

strOU = "CN=Clint Boessen,OU=Microsoft MVPs,OU=Engineers,OU=IT Professionals,DC=4Logic,DC=local"

If instr(lcase(strDN),"cn=users") = 0 then
strOU = right(strDN,len(strDN) - instr(lcase(strDN),",ou="))
Else
strOU = right(strDN,len(strDN) - instr(lcase(strDN),",cn=users"))
End If

Exchange 2003 PFDavAdmin Error

2011-11-03T23:21:00.000-07:00

When trying to connect to an Exchange 2003 Server using PFDavAdmin I received the following error:

An error occur ed while trying to establish a connection to the Exchange server. Be sure that port 443 (for SSL) or port 80 (for non-SSL) can be reached. If you are connecting to public folders, be sure that the public folder store is mounted. If you are connecting to mailboxes and the progress bar shows a particular mailbox, be sure that user has at least one email address.

Exception: Failed to connect using secure URL: https://domain.local/ExAdmin/Admin/domain.local/public%20folders/ with error: The underlying connection was closed: Unable to connect to the remote server.. Failed to connect using unsecure URL http://domain.local/ExAdmin/Admin/domain.local/public%20folders/ with error: The remote server returned an error: (503) Server Unavailable.

This error gets generated if you have a proxy server configured in Internet Options. What caught me out however is PFDavAdmin only detects proxy settings on application lauch... not on connection. If you remove your proxy settings from Internet Options, then attempt to connect again using PFDavAdmin the same error will be reproduced as PFDavAdmin will continue trying to use your proxy settings.

You must:

1. Disable your proxy server or add an exclusion.
2. Close PFDavAdmin
3. Relaunch the PFDavAdmin application.

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

2011-11-02T21:23:00.000-07:00

When Running Test-ActiveSyncConnectivity on Exchange 2010 you will probably experience the following error.

[System.Net.WebException]: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Inner error [System.Security.Authentication.AuthenticationException]: The remote certificate is invalid according to the validation procedure.

There is generally three causes for this problem:

1) Name mismatch - make sure the site name matches exactly as it is in the cert. If there is a "Subject Alternative Name" (SAN) on the details tab, then make sure the name is in that list (note: subject name must also be included in the SAN). Some applications don't supports SANs, but most do. Also note that site1 and site1.domain.com are not the same - this is the most common mistake.

2) Untrusted - you need to install the root certificate into the trusted root certificate store. If this app uses the Microsoft root store, you can check Certificates MMC to see if it shows up. If not, view the details of the certificate from the error box, go to the certification path tab and double click the topmost certificate, go to details tab and Copy to File button to export it, then from your saved copy you can import it to the trusted root store.

3) Expired or not yet valid - usually from the cert expiring - renew it. Can also happen if the time/time zone/date/year is off in the client OS - if this is ok, try also checking the same in BIOS.

Name mismatch is generally the one that catches people out. If you simply run Test-ActiveSyncConnectivity the Exchange 2010 server will not use a trusted URL on your SAN certificate. Make sure you specify the URL on the Test command for example:

Test-ActiveSyncConnectivity -URL "https://mail.contoso.com/Microsoft-Server-ActiveSync"

Outlook Cached Exchange Mode

2011-10-28T22:15:00.000-07:00

Cached Exchange Mode is the process of when 2003/2007/2010 downloading a copy of the users mailbox and storing it locally on their workstation. This means all emails opened by the user from there onwards does not hit the Exchange servers significantly reducing load.

Many clients however still disabled cached Exchange mode on their users workstations. When asking them "why", their answer is always:

Because we need the user can access the most updated address book when they click the global address book.

If your company has this requirement this doesn't mean you need to disable Cached Exchange Mode. You can configure a registry key on your clients to simply keep the address book in online mode.

For more information on this key for Outlook 2003/2007/2010 please see:

http://support.microsoft.com/kb/841273

Generally the only time you want to disable cached exchange mode is if your users run on a terminal services or Citrix shared environment where you do not want a copy of EVERY users mailbox downloaded and stored locally on the terminal server!

Outlook does not Redirect to Exchange 2010 SP1 CAS Array

2011-10-28T21:31:00.000-07:00

Problem:

You have a single Exchange 2010 SP1 server "Ex2010.domain.local" running HT, MBX and CAS roles. You move a mailbox from the Exchange 2010 SP1 install to a new Exchange 2010 SP1 CAS Array installation "CASArray01.domain.local".

Outlook 2003, 2007 and 2010 will still points at the mailbox "Ex2010.domain.local", it will not automatically update and point at "CASArray01.domain.local". This is because the RPC CA service doesn't respond with a "ecWrongServer" like previous versions of Exchange did.

Microsoft is aware of this issue however their is no easy resolution in terms of a little code tweak.

How do I prevent this from happening:

Microsoft has been telling customers for a long time to always create a CAS Array even if they have one server - they need a one server array. If all servers single servers were setup in an Array from the beginning this problem would not exist.

Is there a way to force all Outlook clients to automatically perform a full re-autodiscover and attach to the new server?

Yes - if you remove the "Host A" record from DNS for the old Exchange 2010 server old Exchange 2010 server "Ex2010.domain.local" the Outlook clients should do a full re-autodiscover and attach to the new CAS array "CASArray01.domain.local" automatically.

This however is generally impractical especially when you want to stage your mailbox move slowly instead of attempt the big bang approach where all mailboxes are moved in one hit. For small server migrations this is a workable solution.

Is there another work around other then removing a Host A record from DNS?

Yes - create a PRF (Outlook Profile) configuration file to automatically update Outlook to point to the new server. You will need to script this out to ensure it automatically runs on all workstations.

http://technet.microsoft.com/en-us/library/cc179062.aspx

Please look at this article for information on pushing these settings via Group Policy or Script:

http://www.howto-outlook.com/howto/deployprf.htm

An IIS directory entry couldn't be created. The error message is Access is denied.

2011-10-17T22:22:00.000-07:00

Today while building a new Exchange 2010 environment I noticed a problem where Exchange servers were able to access themselves but not other Exchange 2010 servers in the same organisation.

The error I received when my powershell attempted to connect to another Exchange 2010 server was:

An IIS directory entry couldn't be created. The error message is Access is denied.
. HResult = -2147024891
+ CategoryInfo : NotInstalled: (DEVDREXCH171\EWS (Default Web Site):ADObjectId) [Get-WebServicesVirtualDirectory], IISGeneralCOMException
+ FullyQualifiedErrorId : E2E22D81,Microsoft.Exchange.Management.SystemConfigurationTasks.GetWebServicesVirtualDirectory

The problem was the Microsoft Exchange Security Groups\Exchange Trusted Subsystem group was no longer a member of the local admins on the Exchange 2010 servers. The customer was setting local admin on servers via Group Policy. When policy refreshed it removed any Exchange 2010 specific groups from the local administrators.

UAC Beware with Update Rollups

2011-10-17T18:48:00.000-07:00

Beware of user account control (UAC) when installing update rollups for Microsoft Exchange 2007/2010. It will cause your update to fail!

If you get the following error it is most likely because of UAC.

Setup Wizard for Update Rollup 5 for Exchange Server 2010 Service Pack 1 (KB2582113) ended prematurely.

Setup Wizard for Update Rollup 5 for Exchange Server 2010 Service Pack 1 (KB2582113) ended prematurely because of an error. Your system has not been modified. To install this program at a later time, please run the installation again.

To exit the Setup Wizard, click Finish.

So what is an easy way to install the update without having to turn UAC off? Run a command prompt as administrator and launch the msp from command line.

Do I need to install update rollups in order for Exchange 2010?

2011-10-16T22:41:00.000-07:00

Today I'm going to answer a simple question I get asked all the time. You have just setup a new Exchange 2010 SP1 server. As of this writing we are currently up to Exchange 2010 SP1 Update Rollup 5.

Do we need to install Update Rollups 1 through to 5 in order?

The answer is no. Exchange Update Rollups are cumulative. Cumulative means it contains all previous hotfixes. Exchange 2010 Update Rollup 5 also contains update rollups 1-4.

You only need to install the latest service pack followed by the latest update rollup.

#< #5.6.1 smtp;554 5.6.1 Body type not supported by Remote Host> #SMTP#

2011-10-09T22:09:00.000-07:00

One of my customers has just finished migrating their user mailboxes from Exchange 2003 to Exchange 2010. After the migration of users my customer experienced a weird NDR (Non-Deliverable Report). This NDR was generated when an Exchange 2010 mailbox user emailed a mail enabled distribution groups containing a mail enabled contact object in Active Directory.

This problem only occured for a select few distribution groups. The NDR received was:

#< #5.6.1 smtp;554 5.6.1 Body type not supported by Remote Host> #SMTP#

The Exchange server generating the NDR was one of the old Exchange 2003 servers. Now why would Exchange 2010 be delivering this email to Exchange 2003? This gave it away. Straight away I looked to see if there was an Expansion Server configured for the distribution group. Yes there was - it was pointing at one of the old Exchange 2003 servers. I simply removed the Exchange 2003 server as an expansion server for the distribution group.

To view if your group has an expansion server configured, go to the properties of the distribution group in Exchange Management Console and click the Advanced tab.

To view if any of your other distribution groups have expansion servers configured for Exchange 2003, use the following powershell command in Exchange Management Shell.

Get-DistributionGroup | fl Name, ExpansionServer

What is an Expansion Server?

Expansion servers route messages that are sent to a single distribution list or group for each of the recipient objects in that list or group. When a user sends a message to a group, the Exchange server that is acting as the expansion server expands the group to its individual members. This expansion permits members of the distribution list or group to receive the message. An expansion server also resolves the names of all recipients in the distribution list or group, and then determines the most efficient path for routing the message.

You configure which hub transport server or Exchange 2000/2003 server you wish to use as your expansion server on the distribution group.

If you do not designate a specific server as the expansion server that expands a message that is sent to a group, the first server that the message is submitted to expands the group, and then sends the message to all of the destination servers.

NOTE: There is a drawback to setting a specific server as the expansion server for a group. If that server is down, no members of the distribution group receive the message.

[Fixed] Can't Insert Page Number Microsoft Word

2011-10-09T21:54:00.000-07:00

A customer of mine experienced a weird issue where they were unable to insert a page number in Microsoft Word 2007. When they went to insert page number in Word they received "Save Selection to Page Number Gallery".

After using system internals process monitor I discovered that Word references a file called "Building Blocks.dotx" to create the page number.

On Windows XP/Server 2003 this file is located under:

C:\Documents and Settings\username\Application Data\Microsoft\Document Building Blocks\1033

In Vista/7/2008 this file is located under:

C:\Users\username\AppData\Roaming\Microsoft\Document Building Blocks\1033

I copied Building Blocks.dotx from another computer with Word 2007 installed replacing the file in my user profile. This resolved my issue.

Note: I believe that this resolution will also work for Word 2010.

Offline Address Book 0x80190197

2011-10-09T19:12:00.000-07:00

Issue: when Outlook 2007/2010 attempts to download the offline address book via CAS Web Distribution the following error is recieved:

Task 'Microsoft Exchange' reported error (0x80190197) : 'The operation failed'

This error occurs when Outlook attempts to download the offline address book through a proxy server. This is heavily identified... please see:

http://support.microsoft.com/kb/939765

However today I found another scenario which produces exactly the same error. My clients internally download the OAB through HTTP and externally they download the OAB via HTTPS.

In IIS7 go to the OAB Virtual Directory and click SSL Settings.

Untick Require SSL as internal clients are trying to download the OAB without SSL encryption.

Apply the settings.

Determine if binary is 32bit or 64bit?

2011-10-06T21:10:00.000-07:00

Now that there are 16bit, 32bit and even 64bit binaries around for different processor and operating system platform types we need an easy method for determining which machine architecture a binary has been compiled for.

I found a neat little tool called MiTeC EXE Explorer which does exactly that and more. This tool was developed by a guy named Michal Mutl. Michal has developed all sorts of system admin tools... please visit his website at http://www.mitec.cz/.

MiTeC EXE Explorer is such a great little tool as it does not require installing, its a portable executable which can be executed on any server or workstation within your organisation. It is also completely free.

This is a third party non Microsoft tool however you can feel save executing it on your enterprise environment knowing it will not perform unknown miscellaneous activities as the tool received the Softpedia 100% clean award.

To download MiTeC EXE Explorer please visit http://www.mitec.cz/exe.html.

Here is a screenshot of the tool in action:

The Exchange server for the database object wasn't found in Active Directory Domain Services

2011-10-02T02:51:00.000-07:00

Today when working on a customers Exchange server I had an interesting problem. When I ran the Get-PublicFolderDatabase command I received the following error:

The exchange server for the database object "Public Folders" wasn't found in Active Direcoty Domain Services. The object may be corrupted.

I opened the configuration partition with ADSIEdit. Under Services --> Microsoft Exchange --> Exchange Org Name --> Administrative Groups --> Exchange Administrative Group --> Databases I had two public folder databases, 0261515011 and 0931127523. My Exchange 2010 server had a database associated with 0261515011. There was no database associated with 0931127523.

To resolve the issue I deleted 0931127523 with ADSIEdit.

Why didnt my routing group connector get created?

2011-09-27T02:12:00.000-07:00

Below I'm going to address a bug that exists from Exchange 2007 RTM to Exchange 2010 SP1 (as of this writing). Sometimes when you install Exchange 2010 in a new environment your routing group connector does not get created - colleagues of mine have seen this before.

This happens even when when you specify an Exchange 2003 server in the dialog box below during the Exchange 2010 setup wizard.

When it doesn't get created during the installation if you dig down through your system logs in event viewer you will notice event 1002 from the MSExchangeSetup. See below, pay attention to the bold text.

Log Name: Application
Source: MSExchangeSetup
Date: 27/09/2011 2:28:20 PM
Event ID: 1002
Task Category: Microsoft Exchange Setup
Level: Error
Keywords: Classic
User: N/A
Computer: exchange.domain.local
Description:
Exchange Server component Hub Transport Role failed.
Error: Error:
The following error was generated when "$error.Clear();
if ($roleLegacyRoutingServer -ne $null)
{
$lrs =

$roleLegacyRoutingServer;
$source = [String][System.Environment]::MachineName;

if ($lrs.Length -gt 31)

{
$lrs = $lrs.Substring(0, 31)
};

if ($source.Length -gt 31)
{

$source = $source.Substring(0, 31)
};

$name = $source + "-" + $lrs;
$result = (get-

routinggroupconnector where {$_.Name -eq $name});
if ($result -eq $null)
{
new-

RoutingGroupConnector -SourceTransportServers:$source -TargetTransportServers:$roleLegacyRoutingServer -Cost:1 -Name:$name -Bidirectional:

$false
};

$name = $lrs + "-" + $source;
$result = (get-routinggroupconnector where {$_.Name -eq

$name});
if ($result -eq $null)
{
new-RoutingGroupConnector -SourceTransportServers:

$roleLegacyRoutingServer -TargetTransportServers:$source -Cost:1 -Name:$name -Bidirectional:$false
};
};
" was

run: "Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152395, #1:
0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att

179130e2 (msExchTargetBridgeheadServersDN)
".

Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152395, #1:
0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att

179130e2 (msExchTargetBridgeheadServersDN)

A value in the request is invalid.

Error:
The following error was generated when "$error.Clear();
if ($roleLegacyRoutingServer -ne $null)
{
$lrs =

$roleLegacyRoutingServer;
$source = [String][System.Environment]::MachineName;

if ($lrs.Length -gt 31)

{
$lrs = $lrs.Substring(0, 31)
};

if ($source.Length -gt 31)
{

$source = $source.Substring(0, 31)
};

$name = $source + "-" + $lrs;
$result = (get-

routinggroupconnector where {$_.Name -eq $name});
if ($result -eq $null)
{
new-

RoutingGroupConnector -SourceTransportServers:$source -TargetTransportServers:$roleLegacyRoutingServer -Cost:1 -Name:$name -Bidirectional:

$false
};

$name = $lrs + "-" + $source;
$result = (get-routinggroupconnector where {$_.Name -eq

$name});
if ($result -eq $null)
{
new-RoutingGroupConnector -SourceTransportServers:

$roleLegacyRoutingServer -TargetTransportServers:$source -Cost:1 -Name:$name -Bidirectional:$false
};
};
" was

run: "Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152395, #1:
0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att

179130df (msExchSourceBridgeheadServersDN)
".

Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152395, #1:
0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att

179130df (msExchSourceBridgeheadServersDN)

A value in the request is invalid.

The following error was generated when "$error.Clear();
if ($roleLegacyRoutingServer -ne $null)
{
$lrs =

$roleLegacyRoutingServer;
$source = [String][System.Environment]::MachineName;

if ($lrs.Length -gt 31)

{
$lrs = $lrs.Substring(0, 31)
};

if ($source.Length -gt 31)
{

$source = $source.Substring(0, 31)
};

$name = $source + "-" + $lrs;
$result = (get-

routinggroupconnector where {$_.Name -eq $name});
if ($result -eq $null)
{
new-

RoutingGroupConnector -SourceTransportServers:$source -TargetTransportServers:$roleLegacyRoutingServer -Cost:1 -Name:$name -Bidirectional:

$false
};

$name = $lrs + "-" + $source;
$result = (get-routinggroupconnector where {$_.Name -eq

$name});
if ($result -eq $null)
{
new-RoutingGroupConnector -SourceTransportServers:

$roleLegacyRoutingServer -TargetTransportServers:$source -Cost:1 -Name:$name -Bidirectional:$false
};
};
" was

run: "Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152395, #1:
0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att

179130e2 (msExchTargetBridgeheadServersDN)
".

Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152395, #1:
0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att

179130e2 (msExchTargetBridgeheadServersDN)

A value in the request is invalid.

Error:
The following error was generated when "$error.Clear();
if ($roleLegacyRoutingServer -ne $null)
{
$lrs =

$roleLegacyRoutingServer;
$source = [String][System.Environment]::MachineName;

if ($lrs.Length -gt 31)

{
$lrs = $lrs.Substring(0, 31)
};

if ($source.Length -gt 31)
{

$source = $source.Substring(0, 31)
};

$name = $source + "-" + $lrs;
$result = (get-

routinggroupconnector where {$_.Name -eq $name});
if ($result -eq $null)
{
new-

RoutingGroupConnector -SourceTransportServers:$source -TargetTransportServers:$roleLegacyRoutingServer -Cost:1 -Name:$name -Bidirectional:

$false
};

$name = $lrs + "-" + $source;
$result = (get-routinggroupconnector where {$_.Name -eq

$name});
if ($result -eq $null)
{
new-RoutingGroupConnector -SourceTransportServers:

$roleLegacyRoutingServer -TargetTransportServers:$source -Cost:1 -Name:$name -Bidirectional:$false
};
};
" was

run: "Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152395, #1:
0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att

179130df (msExchSourceBridgeheadServersDN)
".

Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: The name reference is invalid.
This may be caused by replication latency between Active Directory domain controllers.
Active directory response: 000020B5: AtrErr: DSID-03152395, #1:
0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att

179130df (msExchSourceBridgeheadServersDN)

A value in the request is invalid.

Now what is this bug?

The New-RoutingGroupConnector command will only connect to SMTP Virtual Servers that have a common name value of 1. What do I mean by this? In the Exchange 2010 source code the Exchange 2010 product team coded this powershell command to query:

"CN=1,CN=SMTP,CN=Protocols,CN=MERCURY,CN=Servers,CN=SHENTON PARK,CN=Administrative Groups,CN=WORKCOVER,CN=Microsoft,Exchange,CN=Services,CN=Configuration,DC=YOURDOMAIN,DC=COM"

What is this object? This is your SMTP virtual server your administrators see in Exchange 2003 system manager. Any configuration changes made to this virtual server get updated on this Active Directory object in the configuration partition.

If an administrator creates new SMTP virutal servers then deletes the first SMTP virtual server that had a CN value of 1 the issue occurs. For example if I open ADSIEdit in my environment with the problem and navigate to the following location:

Configuration\services\Microsoft Exchange\Org Name\Administrative Groups\Exchange 2003 AG name\Servers\Exchange 2003 servername\Protocol\SMTP

I see that my CN is a value of 3.

To resolve this I performed the following steps:

1. Renamed CN=3 to CN=1 in ADSIEdit by right clicking the object.

2. Force replication to whichever DC your Exchange 2003 server is communicating to. You can find this out by running "nltest /dsgetdc:domain.local" on your Exchange 2003 server provided you have the 2003 support tools installed.

3. Restart the Simple Mail Transfer Service on your Exchange 2003 server - VERY IMPORTANT.

Note: If you manually try and use the New-RoutingGroupConnector in Exchange 2007/2010 shell after the installation is complete, it will also unless you correct the CN= value for your SMTP Virtual Server.

[FIXED] Exchange 2010 Single Server Installation Problems

2011-09-27T01:49:00.000-07:00

Today I set out to perform a single Exchange 2003 server migration to a new Exchange 2010 server for approximately 200 users. What is a simple task for me had some bumps.

I installed setup my new Exchange 2010 server as a brick level deployment "all roles on one server".

I performed the following steps:
1. Installed the Exchange 2010 SP1 prerequisites for MBX, HT and CAS.
2. Installed the Microsoft Office 2010 filter packs
3. Performed the Schema update using setup.com /PrepareAD
4. Installed Exchange 2010 with all roles.

After installation completed successfully I rebooted the server. After the reboot I noticed I could not connect to Exchange 2010 using the console or shell. I checked to see if the powershell virutal directory existed... it did not.

For some reason only the mailbox role installed, even though the wizard said all roles were installed successfully. I went back and ran setup.exe again. I selected Hub Transport and Mailbox.. went through the install - rebooted. This time all roles existed. Although Exchange 2010 installed, it was unusable.

When I tried to perform powershell commands in the shell as an Exchange organisation administrator I received the following errors:

Exception calling "GetSteppablePipeline" with "1" argument(s): "The type initializer for 'Microsoft.Exchange.Configuration.Tasks.Task' threw an exception."
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

Opening up Exchange Management Console I received the following error:

Initialization failed
The following error occured when retrieving user information for 'user account':
Unexpected error [0x17B26A98] while executing command 'Get-LogonUser'.

Resolution

To resolve the issue I performed the following steps:

1. Uninstalled Exchange 2010 SP1 from my new server
2. Rebooted
3. Installed Exchange 2010 SP1 client access server role
4. Rebooted
5. Tested exchange management console (EMC) and exchange management shell (EMS)
6. Installed Exchange 2010 SP1 hub transport role
7. Rebooted
8. Tested EMC and EMS
9. Installed Exchange 2010 SP1 mailbox role
10. Rebooted
11. Tested EMC and EMS

Only when installing in this order was I able to resolve the issue. Very weird, this is the only time I have experianced this behaviour.

RMS Shared Identity user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 not found

2011-09-26T23:14:00.001-07:00

Today I was re-installing Exchange 2010 into an Active Directory forest which previously had Exchange 2010 installed. The schema was already extended with the Exchange 2010 SP1 schema extensions.

When installing Exchange 2010, installation of the Hub Transport role failed with the following error:

Error:
The following error was generated when "$error.Clear();
if ( ($server -eq $null) -and ($RoleIsDatacenter -ne $true) )
{
Update-RmsSharedIdentity -ServerName $RoleNetBIOSName
}
" was run: "RMS Shared Identity user FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 not found.".

FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 is a Exchange 2010 built in arbitration user account which must exist in every Exchange 2010 environment. The GUID never changes, it is always "4c1f4d8b-8179-4148-93bf-00a95fa1e042".

The setup failed because someone deleted this user account from Active Directory!

How can we get it back?

You have two ways to get this mailbox back. If you have a computer on your network with the Exchange 2010 management tools installed, you can create the user account using powershell with the following command:

New-Mailbox -Arbitration -Name FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 -UserPrincipalName FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@default_accepted_domain

For more information on this see Microsoft KB978776

What happens if you do not have exchange management shell installed on any computers? Well there is another way to get this account back. This account is originally created when you prepare the domain/schema. If you run setup.com /PrepareAD on your domain it will re-create this account for you. See below:

Connecting to a single AD Object

2011-09-22T20:19:00.000-07:00

This script lets you connect to an LDAP DC / LDS server and display attributes on objects:

Set oUser = GetObject("LDAP://localhost:10001/CN=Clint2,OU=TestOU,DC=test,DC=com")
oUser.GetInfo
wscript.echo oUser.Get("otherHomePhone")

A quick way to determine your bridgehead servers?

2011-09-19T18:47:00.000-07:00

You want to determine which bridgehead servers have been elected in each Active Directory site to troubleshoot replication issues?

Use the following command:

repadmin /bridgeheads

Windows Server Backup - DAG Environment

2011-09-18T22:24:00.000-07:00

Windows Server Backup or wbadmin.exe cannot be used to backup passive databases in a Database Availability Group environment.

WSB does not back up Passive copies. It can only be used to back up Active copies. This is simply a limitation of the WSB plug-in. Also WSB is only designed to backup small Exchange 2010 environments that are not DAG members.

http://technet.microsoft.com/en-us/library/dd876874.aspx

Also – as indicated in the article, you have to back up the entire volume containing both the database/logs.

So essentially if you want to use WSB to take a full backup of *all* databases, you are looking at either moving all active copies to a single DAG member (for the backup), or using WSB locally on each DAG member that hosts active databases.

Please note, you can backup passive mailbox databases using WSB in a DAG environment as explained in the above article:

"If a server hosting the data being backed up is a member of a database availability group (DAG) and hosts both active and passive database copies, you must disable the Microsoft Exchange Replication service VSS writer. If the Microsoft Exchange Replication service VSS writer is enabled, the backup operation will fail."

Why would you want to use windows server backup to backup a DAG member? Possibly your primary backup product is failing and you want to test the VSS service using an alternative product? In this case you may use BETest.exe to test the VSS snapshot service.

Exchange 2003 Domain Rename with Exchange 2010

2011-09-18T21:49:00.000-07:00

Domain Rename's are possible only with Exchange 2003. After you perform the Active Directory rename using the domain rename tool RENDOM, the next step is the fixup the Exchange 2003 attributes using a tool called XDR-Fixup.

XDR-Fixup is not supported on:
- Exchange 5.5
- Exchange 2000
- Exchange 2007
- Exchange 2010

What happens if you have an Exchange 2003 environment that you have just done an ADPrep to prepare the forest for Exchange 2010? Can you still proceed with an Exchange 2003 domain rename?

The answer here is no, the Exchange schema extensions must be that of Exchange 2003 SP2 (no higher).

ADAMSync Error -2146893813. Error code: 317

2011-09-14T20:56:00.000-07:00

Today I discovered what may be a bug in ADAMSync, however I found a workaround. Let me go into detail sharing my findings with you. First... lets cover off my environment.

I have 4 forests, 10 domains. My AD LDS server is a member of subdomain.forest3.lan. Please see the diagram below.

- My LDS Server has multiple instances "LDS Databases" for each Active Directory domain. These instances are listening on 10001, 10002, 10003, 10004 etc... There is a 1 to 1 relationship between a single domain and its corresponding LDS instance.

- Each LDS Instance has only one application partition with the same distinguishedName mapping an Active Directory domain. For example dc=forest2,dc=lan or dc=bu2,dc=forest1,dc=lan.

- My ADAMSync configuration in each instance replicates the user class objects from Active Directory to "userProxy" class objects in each LDS Instance. Objects are successfully replicating.

- userProxy bind redirection is working successfully for all LDS Instances and the corresponding Active Directory domain (excluding forest4.lan due to no domain trusts existing). For more information on userProxy objects see http://clintboessen.blogspot.com/2011/04/userproxy-class-and-adam-lds.html

- There is no synchronization errors. I have validated all attributes declared in my adamsync.xml file are successfully synchronizing to the corresponding userProxy object in LDS for each user account.

- ADAMSync is successfully creating the same Organisational Unit structure matching that of LDS.

- The base distinguishedName of each LDS instance matches the base distinguishedName of the Active Directory domain.

- All child domains in forest1 synchronise using an ldapquery account located in the parent forest1.lan domain. This is configured in the XML file ldapquery and forest1.lan.

- forest2.lan synchronises using an account in forest2.lan

- forest3.lan synchronises using an account in subdomain.forest3.lan. No user accounts reside in the root domain forest3.lan. This is configured as an "empty root domain".

- forest4.lan synchronises using an account located in forest4.lan

The following Active Directory accounts were setup to make this solution work:

- subdomain.forest3.lan\LDSSVC. This account is only a member of "domain users" in subdomain.forest3.lan. This account has "Log on as service" rights assigned under "user rights assignments" on the LDS Server. This account provides the security context under which LDS Instance runs as a service. i.e. all LDS Services run as this account.

- subdomain.forest3.lan\LDSBoss. This account is only a member of "domain users" in subdomain.forest3.lan. During the installation of each LDS Instance using the "Active Directory Lightweight Directory Services Setup Wizard" this account was specified as the Administrator of each instance. This account has no access to the LDS Server itself, i.e. the account does not even have permissions to login to the LDS Server. It only has "Administrative privilages" inside each LDS Instance. All commands which manipulate LDAP data inside an LDS Instance such as ADAMSync must be run under the security context of this LDSBoss account.

- forest1.lan\ldapquery. This account is a member of "Domain Admins" and "Enterprise Admins"in the forest1.lan root domain. It is specified in the ADAMSync.xml file for each child domain in the forest1.lan forest. This account is used to perform LDAP Queries against the forest1.lan forest. If this account is not a Domain Admin or Enterprise Admin, ADAMSync fails to run.

- forest2.lan\ldapquery. This account is a member of "Domain Admins" in the forest2.lan domain. This is specified in the ADAMSync.xml file for the forest2.lan forest. It is used for LDAP queries against forest2.lan

- subdomain.forest3.lan\ldapquery. This account is a member of "Domain Admins" in the subdomain.forest3.lan domain. This is specified in the ADAMSync.xml file for the subdomain.forest3.lan forest. It is used for LDAP queries against subdomain.forest3.lan

- forest4.lan\ldapquery. This account is a member of "Domain Admins" in the forest4.lan domain. This is specified in the ADAMSync.xml file for the forest4.lan forest. It is used for LDAP queries against forest4.lan

So whats the bug you found clint?

I went and installed my ADAMSync XML configuration file running a command prompt under the security context of the user account SUBDOMAIN\LDSBoss with the following command:

adamsync /install localhost:10001 "C:\Windows\ADAM\AdamSync Configs\SUBDOMAIN\SUBDOMAIN-AdamSyncConf.XML" /passprompt

When prompted I entered the password for the subdomain.forest3.lan\ldapquery account which was specified in the ADAMSync XML file.

When I run ADAMSync.exe using my SUBDOMAIN\LDSBoss credentials (the credentials used to install the XML configuration file), the sync works successfully.

However I then created another account called SUBDOMAIN\boessenc_admin which I added to the configuration partition "Administrators" group in my LDS Instance. When I tried to sync using my SUBDOMAIN\boessenc_admin account the sync failed with ADAMSync.exe terminating. The following error is received:

Error occured fetching internationalized message number -2146893813. Error code: 317

Problem signature:
Problem Event Name: APPCRASH
Application Name: adamsync.exe
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bc94c
Fault Module Name: ntdll.dll
Fault Module Version: 6.1.7600.16695
Fault Module Timestamp: 4cc7b325
Exception Code: c0000005
Exception Offset: 0000000000023b12
OS Version: 6.1.7600.2.0.0.272.7
Locale ID: 3081
Additional Information 1: dba5
Additional Information 2: dba5cead4302f0c0fa066ea618a55f8f
Additional Information 3: f135
Additional Information 4: f135fc65c6fa056fecabbbdf82720b5f

I created a memory dump of the ADAMSync process using the following MSDN article:
http://msdn.microsoft.com/en-us/library/bb787181.aspx

I submitted this memory dump to James Li from the Microsoft Directory Service Support Team. James analysed the memory dump carefully and suspects it might be caused by a bug in AdamSync.exe. Here is the stack information he provided me with:

00 00000000`0013e990 000007fe`fd479ce9 ntdll!RtlFormatMessageEx(
unsigned short * MessageFormat = 0x00000000`00000000,
unsigned long MaximumWidth = 0,
unsigned char IgnoreInserts = 0x10 '',
unsigned char ArgumentsAreAnsi = 0x00 '',
unsigned char ArgumentsAreAnArray = 0x00 '',
char ** Arguments = 0x00000000`0013f3b0,
unsigned short * Buffer = 0x00000000`ff7fb630,
unsigned long Length = 0x26d7,
unsigned long * ReturnLength = 0x00000000`0013f174,
struct _PARSE_MESSAGE_CONTEXT * ParseContext = 0x00000000`0013f1a8)+0x272

01 00000000`0013f110 000007fe`fd479a97 KERNELBASE!BaseDllFormatMessage(
unsigned char ArgumentsAreAnsi = 0x00 '',
unsigned long dwFlags = 0x1000,
void * lpSource = 0x00000000`0013f510,
unsigned long dwMessageId = 0x13d,
unsigned long dwLanguageId = 0x400,
unsigned short * lpBuffer = 0x00000000`ff7fb630,
unsigned long nSize = 0x2710,
char ** arglist = 0x00000000`0013f3b0)+0x239

02 00000000`0013f210 00000000`77024d88 KERNELBASE!FormatMessageW(
unsigned long dwFlags = 0,
void * lpSource = 0x00000000`ff7f91b0,
unsigned long dwMessageId = 0,
unsigned long dwLanguageId = 0xff797074,
unsigned short * lpBuffer = 0x00000000`ff7fb630,
unsigned long nSize = 0x2710,
char ** lpArguments = 0x00000000`0013f3b0)+0x37

03 00000000`0013f260 00000000`ff7942d0 kernel32!FormatMessageWStub(
unsigned long dwFlags = 0x13f510,
void * lpSource = 0x00000000`00002800,
unsigned long dwMessageId = 0,
unsigned long dwLanguageId = 0x5f7f20,
unsigned short * lpBuffer = 0x00000000`ff7fb630,
unsigned long nSize = 0x2710,
char ** lpArguments = 0x00000000`0013f3b0)+0x28

I continued investigating the issue... I then reinstalled the ADAMSync XML file by re-running the ADAMSync.exe process under SUBDOMAIN\boessenc_admin using the same command, and specifying the password for the SUBDOMAIN\ldapquery which was specified in the XML configuration file:

adamsync /install localhost:10001 "C:\Windows\ADAM\AdamSync Configs\SUBDOMAIN\SUBDOMAIN-AdamSyncConf.XML" /passprompt

I then ran the ADAMSync.exe program with the sync switch under the security context of SUBDOMAIN\boessenc_admin. It worked!

What did we learn?

Whatever account you used to install the ADAMSync.exe XML configuration file, i.e. the account the ADAMSync.exe process is running as during the config installation MUST also be used to perform the ADAMSync.exe synchronisation. If you attempt to perform a synchronisation using a different account other then the account used during the XML import, the ADAMSync.exe process will crash.

Forefront Threat Management Gateway - Workgroup Configuration with Exchange 2010

2011-09-14T01:34:00.001-07:00

In this post I will give you some information around publishing Exchange 2010 with Forefront Threat Management Gateway (TMG) or ISA 2006 and weather or not these servers should have domain membership.

Microsoft's recommended deployment is that you add your TMG servers as members of your Active Directory domain. For the TMG setup whitepaper please see the following link. This whitepaper explains how to setup TMG step by step with domain membership.

http://download.microsoft.com/download/E/5/6/E56ACB6E-7BCC-40F1-8F18-E636B7BFE088/PublishingExchangeServer2010withForefront.doc

When Microsoft initially released Threat Management Gateway, it did not support workgroup configuration. It's a product that is designed to run as a member of your Active Directory domain and configuring it any other way results in significant loss in functionality and in some cases security. I managed to find a copy of the original release notes published by Microsoft which is available here... stating that TMG does not support workgroup configuration. http://technet.microsoft.com/en-us/library/cc487898.aspx

Previous versions of the product such as ISA2006 did support workgroup configuration and some companies implemented it in this method. There was an outcry and as a result Microsoft changed their stance on this and updated the product to support domain membership.

Can you publish Exchange 2010 using TMG without adding the Threat Management Gateway server as a member of your internal Active Directory domain? Yes you can, there are 3 ways to do this:

- Configure another Active Directory domain to hold TMG. Create a Transitive Forest Trust between your production forest and your TMG forest. Create domain local groups on the TMG Active Directory forest and nest any groups that require access rules inside the TMG forest’s domain local groups.

- Configure an internal PKI, if you want security you need to ensure you have an offline root stand-alone CA, and a subordinate enterprise issuing CA which is AD Integrated. Issue a digital certificate to each domain controller and configure your environment to support LDAP over SSL for AD Authentication. To configure your domain controllers to support LDAPS using SSL see http://support.microsoft.com/kb/321051

- Configure a RADIUS server on your internal network. Configure the TMG server as a RADIUS client to pass through authentication requests to the RADIUS server. The RADIUS server will then pass the authentication request through to Active Directory. You will not get Outlook Anywhere working if your using RADIUS authentication, see http://blogs.isaserver.org/pouseele/2007/02/06/a-quest-for-strong-user-authentication-with-rpc-over-http-services-and-isa-server-2006/

All three of these options have the following disadvantages:

- Will require additional servers weather its certificate authorities, radius servers or domain controllers to run a new AD forest.

- Will extend the project life cycle from an originally estimated 2 weeks to 4-8 weeks depending which of the 3 options you wish to go down.

- Increase complexity of your network and increase downtime periods should infrastructure fail as this is not a highly available deployment.

Neither of these solutions add any significant layer of security and are not seen as efficient solutions due to the Administrative overhead they create.

In a Microsoft whitepaper written by Greg Taylor "Publishing Outlook Anywhere Using NTLM Authentication With Forefront TMG or Forefront UAG", Greg dedicated a section around joining Forefront TMG/Forefront UAG to an Active Directory domain or leaving it workgroup. For a copy of this article see the following URL:

http://www.microsoft.com/download/en/details.aspx?id=22723

Here is an extract from Greg Taylors whitepaper:

"Domain Joining Forefront TMG/Forefront UAG or Leaving in a Workgroup"

In most organizations, the decision whether to domain join the server hosting Forefront TMG/Forefront UAG to your production domain may be one of the more contentious parts of the deployment.

For Forefront UAG deployments, the guidance is clear. Because Forefront UAG is not a firewall, it should be placed behind some other device that acts as a firewall on the corporate network. Also, it's recommended that Forefront UAG be domain joined to make authentication simple and flexible. Forefront TMG is installed on the Forefront UAG computer during installation, but that's done only to protect the host system and for the underlying functionality it provides to Forefront UAG.

Forefront TMG deployments are more complex to discuss because Forefront TMG is considered a firewall and can protect the network edge. Domain joining Forefront TMG offers many advantages: it allows certificate based authentication to be used at Forefront TMG, using Kerberos Constrained Delegation to communicate to Exchange; it allows easy use of Active Directory groups and user objects in publishing rules to restrict access; and it provides other benefits. For an impartial view on whether to domain join Forefront TMG, see Debunking the Myth that the ISA Firewall Should Not be a Domain Member. For more information about identifying your infrastructure design requirements, see Domain and workgroup requirements.

The link Greg Taylor mentions in his white paper "Debunking the Myth that the ISA Firewall Should Not be a Domain Member" by Thomas W Shinder, Microsoft MVP is an excellent read. Please view it here:

http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

In Thomas's article he mentions:

ISA/TMG that is a domain member machine is more secure and more flexible than a non-domain member machine and that they do themselves and their companies a disservice by not joining the ISA firewall to the domain. This is a significant issue and not something to be taken lightly because there is a serious security hit you take when you don’t join the ISA firewall to the domain.

He also covers in his article the primary reason companies go through all this effort of not joining the TMG/ISA server to the internal domain, compliance managers and external auditors that believe in this myth. He writes:

Should the ISA firewall array be placed in a domain or a workgroup? That is the question. Is it nobler to place the ISA firewall in a workgroup where you can avoid the catcalls of clueless compliance managers, "hardware" firewall know-nothings, or “network guys” who think of network security as "port opening and closing", or should you bear the slings and arrows of the same harridan housewives and carping screws for placing the ISA firewall in the domain, where you can get a higher level of overall security and substantially improve your security position?

The last article I would like to point you at is a TechNet article published by Microsoft around considerations when and when not you would place your TMG server as a member of your internal Active Directory domain. Please view this article here:

http://technet.microsoft.com/en-us/library/dd897048.aspx

I would like to finalise by saying majority of TMG deployments should all be a member of your Active Directory domain especially if your just publishing Exchange 2010. However there may be circumstances where your using your TMG server for things other then just Exchange and you may need to look at implementing TMG in a workgroup configuration.

Joining Forefront Threat Management Gateway 2010 to an Active Directory domain to publish Exchange 2010 services to the Internet is not a security threat to your network.

Access is Denied - Disabling SID Filtering

2011-09-12T21:58:00.000-07:00

Today I had an issue where I received "Access is Denied" when disabling SID Filtering, even though my account had access.

Of course I checked my command prompt was running with administrative rights... check this is you have User Account Control (UAC) enabled.

I ran the netdom command with /quarantine:no and the correct syntax and received:

The command failed to complete successfully.

To get around this problem I established a UNC connection to the the PDC emulator in the destination forest. This resolved the problem. Please see the screenshot below:

Access is Denied adding GPMC to MMC

2011-09-04T21:48:00.000-07:00

Scenario: I have an administrators XP workstation. The administrator has a standard user account and an administrator account. I migrated his standard user account and administrator account to a new Active Directory forest. ADMT performed security translation on his profile. The administrator can successfully login to the new domain keeping his same profile and settings.

Problem: The administrator opens MMC using "run as" and specifies his administrative credentials in the source forest. He can access AD Users and Computers and make configuration changes. When he tries to add group policy management console (GPMC) to the MMC console he receives Access is Denied.

I used Sysinternals Process Monitor (Procmon.exe) and noticed it was having problems writing to a particular registry key.

I granted the administrator account full control over the profile using regedit.

This resolved the problem.

Manipulating Text Strings in VBScript

2011-08-24T21:51:00.000-07:00

Here is a bunch of links that explain how to manipulate text strings in VBS.

Mid Function:
http://msdn.microsoft.com/en-us/library/wffts6k3(v=vs.85).aspx

Right Function:
http://msdn.microsoft.com/en-us/library/eh8fefz1(v=vs.85).aspx

Left Function:
http://msdn.microsoft.com/en-us/library/sk3xcs8k(v=vs.85).aspx

These functions are to determine how many characters are in the string:

LTrim; RTrim; and Trim Functions
http://msdn.microsoft.com/en-us/library/c623wz83(v=vs.85).aspx

Len Function
http://msdn.microsoft.com/en-us/library/dxsw58z6(v=vs.80).aspx

This website also has lots of handy commands for manipulating strings:

http://www.w3schools.com/VBscript/vbscript_ref_functions.asp

List all users in domain using LDAP and VBS

2011-08-22T00:21:00.000-07:00

This sample code lists all users in a domain using LDAP, a more powerful connection then WinNT.

This script automatically binds to the default domain naming context:

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000

objCommand.CommandText = _
"<LDAP://domain.local/RootDSE>(objectCategory=User);Name,distinguishedName,sAMAccountName,legacyExchangeDN;Subtree"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
Wscript.Echo objRecordSet.Fields("Name").Value
Wscript.Echo objRecordSet.Fields("sAMAccountName").Value
Wscript.Echo objRecordSet.Fields("legacyExchangeDN").Value
objRecordSet.MoveNext
Loop

This script lets you manually bind to the domain/application partition.

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000

objCommand.CommandText = _
"<LDAP://domain.local/dc=domain,dc=local>(objectCategory=User);Name,distinguishedName,sAMAccountName,legacyExchangeDN;Subtree"
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
Wscript.Echo objRecordSet.Fields("Name").Value
Wscript.Echo objRecordSet.Fields("sAMAccountName").Value
Wscript.Echo objRecordSet.Fields("legacyExchangeDN").Value
objRecordSet.MoveNext
Loop

Another example of a similar script can be found on:

http://www.cruto.com/resources/vbscript/vbscript-examples/misc/searchad/Search-for-All-Users-Using-an-LDAP-Query.asp

Connecting to the configuration partition of an LDS Instance

2011-08-10T23:03:00.001-07:00

LDS Instances like Active Directory also have a Configuration Partition and a Schema Partition. On TechNet it is documented:

By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition.

http://technet.microsoft.com/en-us/library/cc731143.aspx

How do I get to the configuration partition in an LDS Instance?

Well if I connect to my application partition created during the LDS installation wizard and go to my Administrators, I can see nested inside is another Administrators group residing inside the Configuration Partition.

I can now connect to this using ADSIEdit.

Under the administrators group in the configuration partition I can find the account used when I installed the LDS Instance as per Microsoft documentation on TechNet.

ADAMSync Aging

2011-08-10T22:07:00.000-07:00

In this post I will describe Aging with ADAMSync. If you configure ADAMSync to replicate your Active Directory information to an LDS Instance, without aging deleted data from Active Directory will never be removed from LDS. For example if you delete a user object from your Active Directory database, this object will not be deleted from the LDS Instance when you run the next sync.

The ADAMSync aging configuration is done under your ADAMSync XML configuration file.

<schedule>
<aging>
<frequency>0</frequency>
<num-objects>0</num-objects>
</aging>
<schtasks-cmd></schtasks-cmd>
</schedule>

The two configuration options you need to configure are frequency and num-objects.

Frequency:
http://technet.microsoft.com/en-us/library/cc737713.aspx

num-objects:
http://technet.microsoft.com/en-us/library/cc778153.aspx

Unfortunately the documentation on TechNet around these is very poor.

Frequency

- If it's set to "0", the Aging will be skipped, AdamSync will return the following informaiton:
a. Aging is skipped.
b. The times since the last sync.

- If it's larger than "0", system will compare its value with the number of times since the last sync:

a. If its value is larger than the number of times since the last sync, Aging will be skipped, and the number of the times since the last sync will be increased by 1.
b. if its value is not larger than the number of times since the last sync, Aging procedure will be called and the number of times since the last sync will be reset.

Examples:

- If the value is set to 0, aging will be not used.
- If the value is set to 1, the aging will be called each time during the sync.
- if it's set to 2, the aging will be called every two sync.

num-objects

num-objects is the number of objects that need to be aged per run. If you make this 0, it will always age all objects against Active Directory. If you make this 50, it will only age 50. When you perform the next sync, it will age the next 50. Don't worry all objects will eventually be aged... depends on how often you schedule task adamsync.exe to run!

Why was Aging developed?

Please read this fantastic article by Eric Fleischman which explains why Aging was developed by Microsoft in ADAMSync.

http://blogs.technet.com/b/efleis/archive/2006/10/28/change-visibility-in-the-directory-or-lack-there-of-aka-what-s-the-point-of-aging.aspx

Thankyou to James Li from the Directory Services Support Team at Microsoft for looking at the source code of ADAMSync.exe and explaining how the code works! This information was published with written permission from Microsoft via email.

How to find the server your DFS Namespace Client is talking to

2011-08-08T20:19:00.001-07:00

When setting up Distributed File System Replication (DFSR) between multiple file servers, you may want to know which file server your DFS namesace client is communicating with.

To find this out use the DFSUTIL program with the pktinfo switch. Any ACTIVE TARGETSET servers are servers your workstation is currently talking to.

dfsutil /pktinfo

Alternatively you can right click in a DFS share under explorer and select Properties.

Hit the DFS Tab

Word Crashes Dell XPS 15z Laptop

2011-08-08T20:07:00.000-07:00

I just got a new Dell XPS 15z laptop. Microsoft word however continiously crashes generating the following error in event viewer:

Log Name: Application
Source: Application Error
Date: 9/08/2011 9:42:22 AM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: Clint-PC
Description:
Faulting application name: WINWORD.EXE, version: 14.0.4762.1000, time stamp: 0x4bae25cd
Faulting module name: btmofficea.dll, version: 1.0.0.49, time stamp: 0x4d382a1a
Exception code: 0xc0000005
Fault offset: 0x00000000000065ff
Faulting process id: 0xd80
Faulting application start time: 0x01cc56359222c86d
Faulting application path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Faulting module path: C:\Program Files (x86)\Intel\Bluetooth\btmofficea.dll
Report Id: d2f29c37-c228-11e0-8b74-feb16a7ed552

This was caused by the bluetooth module that comes with the laptop. In word I went to file --> options. Under Add-Ins we see the bluetooth driver.

Under COM Add-ins click Go. Untick the send to bluetooth checkbox.

AD Delegation - How to set default permissions for new group policy objects

2011-08-08T01:24:00.000-07:00

When setting up Active Directory delegation, you want administrators to be able to maintain Group Policy without being a Domain Admin. If you read TechNet, Microsoft tells you to use Group Policy Creator Owners, please see:

http://technet.microsoft.com/en-us/library/cc776858.aspx

Lets test it. We have a user named Jess. Jess is only a member of the domain users group. We add Jess to "Group Policy Creator Owners". Jess creates a group policy object called "Jess's Policy". Great, it worked. If we look at the permissions of "Jess's Policy" in group policy management console (GPMC), we see that she has permissions to the group policy object.

Jess does not have permissions to modify or edit any other group policy objects.

The problem with Group Policy Creator Owners

Lets say you have 10 administrators that need to make group policy changes. You add the 10 administrators to Group Policy Creator Owners. One administrator creates a group policy object. The others cannot read or modify the group policy object as only the administrator that created the group policy object owns it. The administrator that created the group policy object must remember to grant the other administrators access to the group policy object. This process needs to re-occur every time an administrator creates a new group policy object.

I don't know why Microsoft recommends to use this approach for group policy delegation as it is not feasible.

The Solution

Change the template permissions in Active Directory!

By default whenever you create a new GPO the following Active Directory system groups are granted access:
- Authenticated Users
- Domain Admins
- Enterprise Admins
- ENTERPRISE DOMAIN CONTROLLERS
- SYSTEM

These permissions are the "default" permission template for newly created group policy objects. We can add additional custom groups to this template by modifying the Active Directory Schema Partition.

To do this use ADSIEdit and connect to the Schema Partition.

View the properties for CN=Group-Policy-Contrainer

The defaultSecurityDescriptor attribute contains the security template for all new group policy objects. By default the defaultSecurityDescriptor looks like this:

D:P(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)

Schema permissions are written by using the Security Descriptor Definition Language (SDDL).

Note: These SID's will be different in your environment as the beginning of a SID is unique to the given domain.

The beginning of each ACL states what permissions are set over the group or username entry. The second part shows the SID of the group/user account.

I have created a group called AD-GPO-M that I want to add to the template permissions to ensure they get applied to all new group policy objects. We added the following to the end of my SDDL on the defaultSecurityDescriptor attribute. This is the SID that is append to the AD-GPO-M security group.

(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;S-1-5-21-1445357118-337764505-1417137283-24392)

On the CN=Group-Policy-Contrainer Active Directory object, the defaultSecurityDescriptor attribute now reads:

D:P(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;S-1-5-21-1445357118-337764505-1417137283-24392)

Now when I created a new group policy object (GPO) called "Test PCI Member Server" the following permissions were granted by default:

This has now given your non-domain admins who are a member of this group permissions to administer this new group policy object.

For any existing group policy objects they will not currently have access, however you can reset permissions to default which will pull the permissions down from the defaultSecurityDescriptor attribute.

Where are these permissions set?

Permissions for your group policy objects are maintained in two locations.
- Active Directory
- SYSVOL policies container

Whenever you make a change to permissions on a group policy object in group policy management console (GPMC) it will modify permissions on both the Active Directory object and SYSVOL.

In Active Directory the group policy objects are stored under your domain partition --> System --> Policies.

Caution for Multi-Domain Forest

In a multi-domain forest, your administrator account may reside in a Child Domain. You may be nested in the Schema Admins group in the forest root domain. When you use ADSIEdit to modify the CN=Group-Policy-Contrainer on the schema partition you may receive the following error:

Operation failed. Error code: 0x202b
A referral was returned from the server.

0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
ref 1:

I found you need to connect to the schema master in your forest root domain to make this change in ADSIEdit. This resolved the problem.

Single Instance Storage (SIS) gone

2011-08-03T22:08:00.000-07:00

In previous versions of Exchange 2003-2007 there was a feature called SIS (Single Instance Storage). This meant if an email was sent to multiple mailboxes in a distribution group, it would only get stored in a mailbox database once. When designing database layout it was recommended you group users of a similar operational role under the same mailbox database. This ensures when emails are sent to distribution groups, the email is only stored in the database once.

In Exchange 2010, SIS has now been removed to help improve performance allowing low cost disk to be utilized. This was one of the key factors in reducing disk I/O on the Exchange database.

The decision behind this was around using low cost TIER2 SATA disk, who cares if emails are stored multiple times inside a database?

Have a read of Ross Smith IV's article explaining this in more detail:

http://blogs.technet.com/b/exchange/archive/2010/02/22/3409361.aspx

ADMT Unable to create or merge object

2011-07-28T21:10:00.000-07:00

I am performing domain migration and I ran into the following problem error in the migration logs for a user account:

2011-07-29 13:37:35 WRN1:7665 Unable to create or merge object 'CN=Joe Blow,OU=My Users,DC=domain,DC=local' as another instance of ADMT is currently creating or merging the same object.

I had started migrating Joe Blow to the new forest using ADMT but then realised I hadn't started the Password Export Server on the source domain so I hit "Stop" to stop the migration. I then went and started Password Export Server and tried to migrate the account again. This is where I received the above error.

What happened was ADMT recorded in the ADMT migration SQL database that the account is currently locked as its undergoing migration.

I am using SQL Express 2005 on my ADMT 3.2 server on Windows Server 2008 R2. I went and downloaded SQL Management Studio Express 2005 from here:

http://www.microsoft.com/download/en/details.aspx?id=8961

I then found the location in the ADMT database where the account was locked. It is under the table dbo.LockedObjects.

After deleting this record I was able to successfully migrate the user.

Making Domain Controllers cover more then one site

2011-07-27T22:33:00.000-07:00

When designing Active Directory sites and services, usually you decide which Active Directory site objects you want to place your domain controllers. Sites are usually mapped to physical locations but can also be logical depending on your design.

However, there is a registry key on domain controllers that allows a domain controller to be authoritative for more then one site object in Active Directory. This registry key is known as SiteCoverage.

For more information about this please see:

http://technet.microsoft.com/en-us/library/cc937924.aspx

ADMT is unable to connect to domain controller. 0x80070005

2011-07-27T22:16:00.000-07:00

I am performing cross forest migration from 2 AD forests, multiple domains into a new AD forest. When I added one of the domains within a source forest I received the following error:

ADMT is unable to connect to domain controller
\\domaincontroller.sourcedomain.local, in domain sourcedomain.local. Access is denied.
(0x80070005)

Morgan Che posted up multiple causes for this error on the following forum thread:

http://social.technet.microsoft.com/Forums/en/winserverMigration/thread/f0e341f2-d00c-4bf7-925f-250af8530440

I had a different problem to the ones mentioned on the above forum thread. One of my forests was setup with whats called a single labelled domain name. ADMT was having difficulties communicating with all domains within the single labelled forest.

To resolve this on the ADMT server I needed to add a DWORD registry key "AllowSingleLabelDnsDomain" with a decimal value of 1.

ADMT was then able to communicate with all domains in the forest which had a single labelled root domain.

For more information on this registry key please see:

http://support.microsoft.com/kb/300684

Understanding how "Log On To" works

2011-07-21T22:36:00.000-07:00

In this article we will be having a look at how the Log On To list is populated. This is the list in windows XP/2003 where users can select which domain they are logging into from a drop down list.

I decided to blog this as I spent a morning working out how this worked, and there is little documentation on the Internet.

So where does this list come from?

The logon list is stored from a DomainCache registry key located under:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache

How does this list populate?

Windows populates the DomainCache registry key from a file called C:\WINDOWS\system32\config\netlogon.ftl.

The DomainCache registry key gets updated from netlogon.ftl as part of the computer boot process and whenever a remote desktop connection is established based on my testing.

Here I added a string record to the DomainCache called CLINTY pointing at a fake domain called clint.local. I then locked my PC, you can see it appear in the list.

If I remote desktop my machine or reboot the PC, it repopulates the DomainCache from netlogon.ftl. Here I remote desktoped my PC, you can see in process monitor it did the repopulation.

When it repopulated the DomainCache from netlogon.ftl, it deleted my CLINTY record.

What populates netlogon.ftl?

The netlogon.ftl file is populated from Active Directory by the netlogon service - I think this occurs when the system boots... but I'm not sure.

Where in Active Directory does netlogon.ftl populate from?

It the defaultNamingContext partition under the System container. It populates from the TrustedDomain object types.

You can also query this information using nltest or a VBScript:

nltest /domain_trusts

Here is a copy of the VB Script used in the above screenshot.

' This code prints the trusts for the specified domain.
' ------ SCRIPT CONFIGURATION ------
strDomain = "wfi.wan"
' ------ END CONFIGURATION ---------

' Trust Direction Constants taken from NTSecAPI.h
set objTrustDirectionHash = CreateObject("Scripting.Dictionary")
objTrustDirectionHash.Add "DIRECTION_DISABLED", 0
objTrustDirectionHash.Add "DIRECTION_INBOUND", 1
objTrustDirectionHash.Add "DIRECTION_OUTBOUND", 2
objTrustDirectionHash.Add "DIRECTION_BIDIRECTIONAL", 3

' Trust Type Constants - taken from NTSecAPI.h
set objTrustTypeHash = CreateObject("Scripting.Dictionary")
objTrustTypeHash.Add "TYPE_DOWNLEVEL", 1
objTrustTypeHash.Add "TYPE_UPLEVEL", 2
objTrustTypeHash.Add "TYPE_MIT", 3
objTrustTypeHash.Add "TYPE_DCE", 4

' Trust Attribute Constants - taken from NTSecAPI.h
set objTrustAttrHash = CreateObject("Scripting.Dictionary")
objTrustAttrHash.Add "ATTRIBUTES_NON_TRANSITIVE", 1
objTrustAttrHash.Add "ATTRIBUTES_UPLEVEL_ONLY", 2
objTrustAttrHash.Add "ATTRIBUTES_QUARANTINED_DOMAIN", 4
objTrustAttrHash.Add "ATTRIBUTES_FOREST_TRANSITIVE", 8
objTrustAttrHash.Add "ATTRIBUTES_CROSS_ORGANIZATION", 16
objTrustAttrHash.Add "ATTRIBUTES_WITHIN_FOREST", 32
objTrustAttrHash.Add "ATTRIBUTES_TREAT_AS_EXTERNAL", 64

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objTrusts = GetObject("LDAP://cn=System," & _
objRootDSE.Get("defaultNamingContext") )

objTrusts.Filter = Array("trustedDomain")
Wscript.Echo "Trusts for " & strDomain & ":"

for each objTrust in objTrusts

for each strFlag In objTrustDirectionHash.Keys
if objTrustDirectionHash(strFlag) = objTrust.Get("trustDirection") then
strTrustInfo = strTrustInfo & strFlag & " "
end If
next

for each strFlag In objTrustTypeHash.Keys
if objTrustTypeHash(strFlag) = objTrust.Get("trustType") then
strTrustInfo = strTrustInfo & strFlag & " "
end If
next

for each strFlag In objTrustAttrHash.Keys
if objTrustAttrHash(strFlag) = objTrust.Get("trustAttributes") then
strTrustInfo = strTrustInfo & strFlag & " "
end If
next

WScript.Echo " " & objTrust.Get("trustPartner") & " : " & strTrustInfo
strTrustInfo = ""
next

Disable SID Filtering - Access is denied.

2011-07-21T01:04:00.000-07:00

I went and attempted to disable SID Filtering over some trust links to prepare for SID History during domain migration using the following command:

netdom trust TrustingDomainName /domain: TrustedDomainName /quarantine:No /userD: domainadministratorAcct /passwordD: domainadminpwd

http://technet.microsoft.com/en-us/library/cc772816.aspx

When doing this I got the following error (click to enlarge):

After research I found the cause. “Network access: Allow anonymous SID/name translation” was set to disabled on the Trusted Domain. This this should be enabled on domain controllers – please see http://technet.microsoft.com/en-us/library/cc728431.aspx.

To disable SID Filtering you must Enable anonymous SID/name translation on your Default Domain Controllers GPO for the Trusted Domain.

I set it to enabled. This policy is located under:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

After this the problem was resolved:

Note: Access is denied can also be caused if you use NetBIOS names instead of FQDN's for the domain names.

Microsoft Sync Toy - Perfect for Home Users

2011-07-18T22:36:00.000-07:00

Today I stumbled across a fantastic little application called Sync Toy. Perfect for home users who want to backup data to a external drive on a regular basis, between computers or to mapped drive pointing to a cloud provider such as Windows Live.

SyncToy 2.1 is a free application that synchronizes files and folders between locations. Typical uses include sharing files, such as photos, with other computers and creating backup copies of files and folders.

It is so easy to use, I think my mum could do it.

Here I have setup synchronization of My Documents to my Microsoft Windows Live SkyDrive cloud account to ensure my documents are backed up at all times. This is a free service. This also allows me to sync the files down to any new computer I work on.

Z:\ is mapped to windows live cloud account.

Please click to enlarge:

As of this writing the latest version of SyncToy is 2.1. The x86 and x64 version is available from here:

http://www.microsoft.com/download/en/details.aspx?id=15155

Note: If you wish to setup a drive letter mapped to your Windows Live SkyDrive service please see the following link:

http://www.addictivetips.com/microsoft-office/map-local-drive-letter-to-live-skydrive-using-office-2010/

Bind to AD using Alternative Credentials VBS

2011-07-07T18:27:00.001-07:00

Below is a VBS Script by MVP Richard L. Mueller which I found very useful. It shows you how to connect to Active Directory using alternative credentials.

Please view his original post here:
http://www.rlmueller.net/ADOAltCredentials.htm

Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, strUser, strPassword, objNS, strServer

Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_SERVER_BIND = &H200

' Specify a server (Domain Controller).
strServer = "MyServer"

' Specify or prompt for credentials.
strUser = "MyDomain\TestUser"
strPassword = "xyz12345"

' Determine DNS domain name. Use server binding and alternate
' credentials. The value of strDNSDomain can also be hard coded.
Set objNS = GetObject("LDAP:")
Set objRootDSE = objNS.OpenDSObject("LDAP://" & strServer & "/RootDSE", _
strUser, strPassword, _
ADS_SERVER_BIND Or ADS_SECURE_AUTHENTICATION)
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
' Use alternate credentials.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Properties("User ID") = strUser
adoConnection.Properties("Password") = strPassword
adoConnection.Properties("Encrypt Password") = True
adoConnection.Properties("ADSI Flag") = ADS_SERVER_BIND _
Or ADS_SECURE_AUTHENTICATION
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire domain. Use server binding.
strBase = "
' Search for all users.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" _
& strAttributes & ";subtree"

' Run the query.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
Wscript.Echo strDN
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close

List all OU's and Sub OU's using VBS

2011-07-07T18:23:00.000-07:00

Simple Script to list all OU's and Sub OU's using a VBScript

On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
"SELECT Name FROM 'LDAP://ou=finance,dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
Wscript.Echo objRecordSet.Fields("Name").Value
objRecordSet.MoveNext
Loop

The replication scope could not be set. For more information, see "DNS zone replication in Active Directory

2011-07-06T19:31:00.000-07:00

When configuring the DNS zones to replicate to all domains in the forest, instead of all domains just in the current domain the following error was experianced:

"The replication scope could not be set. For more information, see "DNS zone replication in Active Directory" in Help and Support. The error was:

There was a server failure.

To understand where DNS is stored in Active Directory please see:

http://clintboessen.blogspot.com/2010/02/active-directory-dns-zone-locations.html

When trying to connect to the DNS Domain Partition Zone using ADSI Edit (following the above article) the following error was received:

Operation failed. Error code: 0x202b
A referral was returned from the server.

0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1 : 'DomainDnsZones.domain.local'

It turned out that the partitions "DomainDNSZones" and "ForestDNSZones" were a lost cause. To fix this you need to perform the following steps:

1. use NTDSUtil to remove the replicas for both ForestDNSZone and DomainDNSZone. Wait for replication. Verify the changes took place then delete each of the partitions.

2. After the deletion has processed to all domain controllers, go into DNS Management and change the Zone to Forest Level/Domain Level. Active Directory will automatically recreate the partition within Active Directory. These new AD application partitions will automatically replicate to all DNS servers. These will then be accessible through ADSI Edit.

It may take over 30 minutes to get to synchronise the DNS zone around - AD is very slow when it comes to DNS.

After this no errors are showing up in the DNS or Active Directory event logs, diagnostics come back clean.

ILM Sample Code PrepareMoveRequest Exchange 2010 Cross Forest Mailbox Moves - Multi Forest

2011-07-06T00:19:00.000-07:00

Microsoft Identity Lifecycle Manager Service Pack 1 Feature Pack 1 (ILM 2007 SP1 FP1) can be used to pre-stage the user accounts with the appropriate attributes in a destination forest for cross-forest mailbox moves The out of the box GALSync MA cannot be used since it creates contact object instead of user object required for Online Mailbox Move. Microsoft has provided a sample code extension for the management agents to perform this which can be downloaded from:

http://www.microsoft.com/download/en/details.aspx?id=17741

The ILM sample code demonstrates how to sync source mailbox as Mail Enabled Users (MEU).

The problem with this sample code is was only designed for migration between two forests. My customer wishes to pre-stage user accounts from 2 forests into a new forest meaning I have two source forests! In the OneWaySync.xml file by default we have:

<?xml version="1.0" encoding="utf-8" ?>
<config>
<TargetOU>ou=MaiLboxmoves,DC=targetdom,DC=exchange,DC=contoso,DC=com</TargetOU>
<SourceMAName>Source Forest</SourceMAName>
<TargetMAName>Target Forest</TargetMAName>
</config>

I worked with a Microsoft FIM (Forefront Identity Manager) expert named Tracy Yu and together we made changes to the sample code and recompiled a new DLL to account for multiple source forests.

The file we needed to edit was Microsoft.Exchange.Sample.OneWayGALSync.MVRules.dll. The source code for this file is located under the solution folder under the sample ILM sample code package in a file named Microsoft.Exchange.Sample.OneWayGALSync.MVRules.cs. Here is our new code - in red are any changes made:

// ---------------------------------------------------------------------------
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
// ---------------------------------------------------------------------------

///

/// Example ILM 2007 Provisioning Rule to perform one-way cross-forest GAL synchronization
/// with required prerequisites for mailbox moves from source to target forests
///

using System;
using System.Xml;
using Microsoft.MetadirectoryServices;

namespace Microsoft.Exchange.Sample.OneWayGALSync.MVRules
{
public class MVExtensionObject : IMVSynchronization
{
// define variables for configuration setting
private string targetOU;
private string sourceMAName;
//add by tracy
private string sourceMAName1;
private string targetMAName;

public MVExtensionObject()
{
// No additional constructor logic required
}

void IMVSynchronization.Initialize()
{
// initialize the provisioning rules configuration parameters
// from config file in ILM Extensions directory
XmlDocument xmlConfigFile = new XmlDocument();
xmlConfigFile.Load(Utils.ExtensionsDirectory + "\\OneWaySync.xml");
XmlNode xmlConfig = xmlConfigFile.SelectSingleNode("config");
targetOU = xmlConfig.SelectSingleNode("TargetOU").InnerText.Trim();
sourceMAName = xmlConfig.SelectSingleNode("SourceMAName").InnerText.Trim();
targetMAName = xmlConfig.SelectSingleNode("TargetMAName").InnerText.Trim();
//add by tracy
sourceMAName1 = xmlConfig.SelectSingleNode("SourceMAName1").InnerText.Trim();
}

void IMVSynchronization.Terminate()
{
// No additional termination logic required
}

// For each Mailbox in the Source Forest Provision a connected
// Mail User object in the Target Forest.
void IMVSynchronization.Provision(MVEntry mventry)
{
// ConnectedMA sourceMA = mventry.ConnectedMAs[sourceMAName];
//ConnectedMA targetMA = mventry.ConnectedMAs[targetMAName];
//CSEntry csentry;

//modify by tracy

ConnectedMA targetMA = mventry.ConnectedMAs[targetMAName];
CSEntry csentry;
ConnectedMA sourceMA = null;
ConnectedMACollection MACols = mventry.ConnectedMAs;

foreach(ConnectedMA tmpMA in MACols)
{
if(tmpMA.Name == sourceMAName1)
{
sourceMA = mventry.ConnectedMAs[sourceMAName1];
}
else if (tmpMA.Name == targetMAName)
{
//did nothing
}
else
{
sourceMA = mventry.ConnectedMAs[sourceMAName];
}
}

// if the object has been deleted from Source Forest then delete it
// from Target Forest
if (sourceMA.Connectors.Count == 0)
{
targetMA.Connectors.DeprovisionAll();
return;
}

// This example provisioning rule excludes certain Exchange object types
if (sourceMA.Connectors.Count != 1 ||
!mventry["msExchHomeServerName"].IsPresent ||
!mventry["mailNickName"].IsPresent)
{
return;
}

ReferenceValue targetDN = targetMA.EscapeDNComponent("CN=" + mventry["cn"].Value).Concat(targetOU);

// check for Contacts in target forest that have to be converted to MEUs
for (int index = 0; index < targetMA.Connectors.Count; index++)
{
if (targetMA.Connectors.ByIndex[index].ObjectType.ToLower().Equals("contact"))
{
bool duplicateDN = targetMA.Connectors.ByIndex[index].DN.ToString().ToLower().Equals(targetDN.ToString().ToLower());

targetMA.Connectors.ByIndex[index].Deprovision();
if (duplicateDN)
return;
}
}

if (targetMA.Connectors.Count != 0)
return;

// provision a new AD User Object in the targetOU container
csentry = targetMA.Connectors.StartNewConnector("user");
csentry.DN = targetDN;

// provision the following minimal attributes on the new MailUser object
csentry["samAccountName"].Value = mventry["samAccountName"].Value;
csentry["msexchRecipientTypeDetails"].IntegerValue = 0x80;// MailUser
csentry["userAccountControl"].IntegerValue = 0x202; // ACCOUNTDISABLE | NORMAL_ACCOUNT
csentry["msexchRecipientDisplayType"].IntegerValue = -1073741818; // equivalent to *unsigned* 0xC0000006 i.e. ACL-able, Synced, MailUser
csentry["msExchMasterAccountSID"].Value = mventry["msExchMasterAccountSID"].IsPresent ? mventry["msExchMasterAccountSID"].Value : mventry["objectSID"].Value;
csentry["msExchMailboxGUID"].Value = mventry["msExchMailboxGUID"].Value;
csentry["mailNickname"].Value = mventry["mailNickname"].Value;
csentry["proxyAddresses"].Values = mventry["proxyAddresses"].Values;
csentry["proxyAddresses"].Values.Add("X500:" + mventry["legacyExchangeDN"].Value); // this ensures migrated mail that addresses this user is reply-able in target forest
csentry["msExchVersion"].IntegerValue = 44220983382016; // Set version to E14

csentry.CommitNewConnector();
}

bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
{
throw new EntryPointNotImplementedException();
}
}
}

Now when we can create two source domains in our OneWaySync.xml file for two source management agents.

<?xml version="1.0" encoding="utf-8" ?>
<config>
<TargetOU>ou=MaiLboxmoves,DC=targetdom,DC=exchange,DC=contoso,DC=com</TargetOU>
<SourceMAName>Source Forest 1</SourceMAName>
<SourceMAName1>Source Forest 2</SourceMAName1>
<TargetMAName>Target Forest</TargetMAName>
</config>

Thanks Tracy!

stopped-error-limit

2011-07-06T00:09:00.000-07:00

I was using ILM (Identity Lifecycle Manager) to synchronize users cross forest to prepare for cross-forest mailbox moves using the sample code provided by Microsoft. Please see:

http://www.microsoft.com/download/en/details.aspx?id=17741

I was synchronizing over 5000 users to the new forest. Synchronization was failing with stopped-error-limit.

I found out that MIIS / ILM and FIM only allow up to 5000 objects by default. You can change this with a DWORD in the registry which you create under HKLM\SYSTEM\CurrentControlSet\miisserver\Parameters. This is documented by Microsoft on KB2387673

I set my limit to 10,000 which resolved the problem.

Microsoft Office 2010 SP1 Released

2011-06-28T20:18:00.000-07:00

Microsoft Office 2010 Service Pack 1 has now been officially released by Microsoft as of June 28th 2011.

The official KB for this release is 2460049

Download the 32bit version from here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=9D2E1282-8B69-418B-AFA0-9F61239EC8BE

Download the 64bit version from here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=E9F3C2D0-C321-4910-A4CE-B2F294B42D65

WARNING: An unexpected error has occurred and a Watson dump is being generated: Failed to find the mailbox.

2011-06-22T00:02:00.000-07:00

In this post I'm going to address a very common problem many new Exchange 2010 Administrators face.

When running commands such as Test-OutlookWebServices on an Exchange 2010 CAS you will receive the following error:

[PS] C:\>Test-OutlookWebServices
WARNING: An unexpected error has occurred and a Watson dump is being generated: Failed to find the mailbox. Mailbox ='extest_0f9a03d82a6d4@destination.local'.
Failed to find the mailbox. Mailbox = 'extest_0f9a03d82a6d4@destination.local'.
+ CategoryInfo : NotSpecified: (:) [Test-OutlookWebServices], MailboxNotFoundException
+ FullyQualifiedErrorId : Microsoft.Exchange.Monitoring.MailboxNotFoundException,Microsoft.Exchange.Management.SystemConfigurationTasks.TestOutlookWebServicesTask

This is probally the first time you have run the Test command isn't it? In Exchange 2010 you need a test mailbox to perform tests with. This can be created using the new-TestCasConnectivityUser.ps1 powershell script Microsoft provides us with Exchange 2010.

All you need to do is navigate to the Scripts directory:

C:\Program Files\Microsoft\Exchange Server\V14\Scripts

Then run .\new-TestCasConnectivityUser.ps1

Provide the test mailbox a password when prompted...

Easy?

Error 49: ldap_simple_bind_s() failed: Invalid Credentials

2011-06-20T17:55:00.000-07:00

I have setup a Windows Server 2008 R2 server running LDS. I have an LDS Instance running on 10001 (LDAP) and 20001 (LDAPS).

I added a user account using the following:

dn: CN=testaccount,CN=Users,DC=domain,DC=ADAM
changetype: add
objectClass: user
userPrincipalName: testaccount
cn: testaccount
displayName: My Test Account
userPassword: Passw0rd

Note: As the requirement for special formatting of unicodePwd has been lifted Microsoft has placed a default requirement to ensure all password operations are done through LDAPS instead of LDAP. To allow password operations through LDAP please see:

http://clintboessen.blogspot.com/2011/06/0x2077-illegal-modify-operation-some.html

When I attempt to bind to this account using ldp.exe using "Simple Bind" over LDAP (not secure LDAP) using the following credentials I get an error:

username: CN=testaccount,CN=Users,DC=domain,DC=ADAM
password: Passw0rd

-----------
res = ldap_simple_bind_s(ld, 'CN=testaccount,CN=Users,DC=domain,DC=ADAM', ); // v.3
Error <49>: ldap_simple_bind_s() failed: Invalid Credentials
Server error: 8009030C: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 2030, v1db0
Error 0x8009030C The logon attempt failed
-----------

There were three things I needed to change to get this working.

Problem 1

I read from multiple places on the internet that by default when you associate a password to an account - the account is disabled. I also know that this error can be related to the user account being disabled - please see:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/44d29c43-4203-400a-bff4-c488da5c5f57/

However the attribute which sets the account password to disabled "msDS-UserAccountDisabled" was not associated with the user class object in the schema. AD LDS has a series of attributes to control a user account for items such as Account Lockout, Account Disabled, Password Never Expires, User Cannot Change Password etc. For a list of these attributes please see:

http://msdn.microsoft.com/en-us/library/aa772124.aspx

Note: Active Directory does not have these attributes, instead all these values are associated with an attribute called userAccountControl. This attribute has an integer set to it.. 512 is a normal account. To disable an account add a value of 2. In decimal, this is 514 (2 + 512). For more information on how this works in Active Directory please see: http://support.microsoft.com/kb/305144

To associate these attributes with the user class object you need to connect to the LDS Instance using the Active Directory Schema Console. If Active Directory Schema does not exist in your MMC snap-in list register it using "regsrv32 schmmgmt.dll" from command line.

Note: When connecting to your LDS Instance you cannot use localhost or it will fail. You must use the IP address of the LDS Instance. This is due to a code error in the Active Directory schema console, please see:

http://clintboessen.blogspot.com/2011/06/lds-active-directory-schema-status.html

Once connected to your LDS Instance in Active Directory Schema MMC snap-in go to the properties of the user class object and click the attributes tab.

As you see none of the msDS-User type class objects exist. Go ahead and add the following attributes:

- ms-DS-UserAccountAutoLocked

- msDS-UserAccountDisabled

- msDS-UserDontExpirePassword

- ms-DS-UserEncryptedTextPassword

- msDS-UserPasswordExpired

- ms-DS-UserPasswordNotRequired

After the attribute is added, restart your LDS Instance service and connect to the application partition in ADSIEdit containing your user account. Set the msDS-UserAccountDisabled to FALSE.

Problem 2

You must allow Simple Bind requests to an AD LDS Instance over standard LDAP. To do this connect to the configuration partition on your LDS Instance using ADSIEdit. My instance is listening on TCP 10001.

Navigate to:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID}

Open the properties of Directory Service. Open the multivalued attribute msDS-Other-Settings. Ensure RequireSecureSimpleBind is set to 0. This will ensure that both LDAP and LDAPS connections are allowed to bind authentication to the LDS Instance.

Note: RequireSecureProxyBind is for userProxy class objects which perform bind proxy redirection.

Problem 3

The third problem related to the following TechNet article:

http://technet.microsoft.com/en-us/library/cc732460.aspx

This article states:

AD LDS does not include any default security principals. However, AD LDS does provide importable schema extensions that you can use to create users in AD LDS. Users that are created from these user classes can be used as security principals. In addition, you can make any object class in the AD LDS schema a security principal by adding the msDS-bindableobject auxiliary class and the unicodePwd attribute to the schema definition of an object class. Each AD LDS security principal must be assigned an account and password, which AD LDS uses for authentication.

To do this open up ADSIEdit and connect to the Schema partition of your LDS Instance.

Navigate to the CN=User class object in ADSIEdit under the Schema partition and open its properties.

As you see the msDS-bindableobject auxiliary class does not exist.

Add it to the list and click OK.

Restart the LDS Instance under the services MMC console.

Reset the user's password by connecting to the appropriate application partition in ADSIEdit, right clicking on the user and clicking Reset Password.

I was now ale to perform a simple bind to my LDS Instance using a LDS user account.

-----------
res = ldap_simple_bind_s(ld, 'CN=SVCLDAPQuery,CN=Users,DC=domain,DC=ADAM',); // v.3
Authenticated as: 'CN=SVCLDAPQuery,CN=Users,DC=domain,DC=ADAM'.
-----------

You can also do this using an LDIF file:

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: Modify
add: auxiliaryClass
auxiliaryClass: msDS-BindableObject
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

imported using (ignore line wraps below)

ldifde -i -f -s : -c
"CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

Thanks to Lee Fight (Directory Services MVP) who assisted me in getting this working!

Active Directory userAccountControl and LDS

2011-06-15T23:58:00.001-07:00

Active Directory user accounts have an attribute called userAccountControl which is used to control items such as Account Lockout, Account Disabled, Password Never Expires, User Cannot Change Password etc. This is determined by an integer value... based on the value the system knows which options are enabled and which are disabled. The value 512 is the base value for all normal user accounts. To understand all integers that make this attribute work please refer to the following KB article.

http://support.microsoft.com/kb/305144

AD LDS (ADAM) does not support the userAccountControl attribute. Instead, AD LDS uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute.

For a list of these attributes please refer to the following MSDN article:

http://msdn.microsoft.com/en-us/library/aa772124.aspx

Any userAccountControl flags that are not listed below are not supported by AD LDS.

0x2081 Multiple values were specified for an attribute

2011-06-15T22:55:00.000-07:00

I'm trying to import the following LDIF file into an LDS Instance using LDIFDE.

dn: CN=SVCLDAPQuery,CN=Users,DC=testinstance,DC=ADAM
changetype: add
objectClass: user
userPrincipalName: SVCLDAPQuery
cn: Service Now LDAP Query
displayName: Service Now LDAP Query
userPassword: Passw0rd

I am performing the import with the following command:

ldifde -i -f SVCLDAPQuery.ldf -s localhost:10001

This command throws out the following errors:

Connecting to "localhost:10001"
Logging in as current user using SSPI
Importing directory from file "SVCLDAPQuery.ldf"
Loading entries.
Add error on entry starting on line 1: Invalid DN Syntax
The server side error is: 0x2081 Multiple values were specified for an attribute that can have only one value.
The extended server error is:
00002081: NameErr: DSID-03050C42, problem 2003 (BAD_ATT_SYNTAX), data 0, best match of:
'CN=SVCLDAPQuery,CN=Users,DC=testinstance,DC=ADAM'

0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.

This occured because the "cn" attribute did not match the first part of the "distinguishedName" attribute. If we change this to:

dn: CN=SVCLDAPQuery,CN=Users,DC=testinstance,DC=ADAM
changetype: add
objectClass: user
userPrincipalName: SVCLDAPQuery
cn: SVCLDAPQuery
displayName: Service Now LDAP Query
userPassword: Passw0rd

The import will work correctly:

Please also see this problem as it is related:
http://clintboessen.blogspot.com/2011/06/0x2077-illegal-modify-operation-some.html

0x2077 Illegal modify operation. Some aspect of the modification is not permitted.

2011-06-15T21:50:00.000-07:00

I'm trying to import the following LDIF file into an LDS Instance using LDIFDE.

dn: CN=SVCLDAPQuery,CN=Users,DC=testinstance,DC=ADAM
changetype: add
objectClass: user
userPrincipalName: SVCLDAPQuery
userPassword: Passw0rd

Note: For ADAM, Microsoft enabled the userPassword attribute to function as a write-alias for unicodePwd and removed the requirement for the special formatting unicodePwd required. This allows your LDIF files to have clear-text passwords specified.

I am performing the import with the following command:

ldifde -i -f SVCLDAPQuery.ldf -s localhost:10001

This command throws out the following errors:

Connecting to "localhost:10001"
Logging in as current user using SSPI
Importing directory from file "SVCLDAPQuery.ldf"
Loading entries.
Add error on entry starting on line 1: Operations Error
The server side error is: 0x2077 Illegal modify operation. Some aspect of the modification is not permitted.
The extended server error is:
00002077: SvcErr: DSID-033807B5, problem 5012 (DIR_ERROR), data 8237

0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.

As the requirement for special formatting of unicodePwd has been lifted Microsoft has placed a default requirement to ensure all password operations are done through LDAPS instead of LDAP. This is why it will not import the password!

To lift this requirement make the following change to the configuration partition of the instance:

Navigate to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID of the ADAM}

Edit dSHeuristics attribute and set value to 0000000001001

Now you can perform password operations without requiring LDAPS.

Please also see this problem as it is related:
http://clintboessen.blogspot.com/2011/06/0x2081-multiple-values-were-specified.html

Ldap error occured. ldap_add_sW: Object Class Violation

2011-06-13T01:13:00.000-07:00

I am performing ADAMSync from an Active Directory domain to an LDS Instance. My AD Domain Partition is called DC=Domain,DC=Local. My LDS Instance also has the same distinguished name of DC=Domain,DC=Local. When Syncing the following error is experienced:

Processing Entry: Page 18, Frame 1, Entry 48, Count 1, USN 0
Processing source entry
Processing in-scope entry 08080633da0dfe4f8b46508f00f2708f.
Adding target object CN=JoeBlow,OU=Disabled accounts,OU=IS Users,OU=IS,DC=Domain,DC=Local.
Adding attributes: sourceobjectguid, sn, title, description, physicalDeliveryOfficeName, telephoneNumber, givenName, instanceType, department, company, objectSid, sAMAccountName, lastagedchange, objectclass,
Ldap error occured. ldap_add_sW: Object Class Violation.
Extended Info: 0000207D: UpdErr: DSID-0315121C, problem 6002 (OBJ_CLASS_VIOLATION), data 19
.
Ldap error occured. ldap_add_sW: Object Class Violation.
Extended Info: 0000207D: UpdErr: DSID-0315121C, problem 6002 (OBJ_CLASS_VIOLATION), data 19
.

************
************
************ A fatal error occured in the program while processing entry
************ GUID=08080633da0dfe4f8b46508f00f2708f
************ The error will be ignored at user request. Continuing...
************
************

Below I will explain how to resolve this. I am syncing all User Objects from Active Directory to userProxy objects in LDS. This is required for single sign on (SSO). userProxy objects forward authentication bind requests to domain controllers which process the authentication request, pass it back to LDS then to the client.

To understand this in more detail please read my following blog post on the userProxy class:

http://clintboessen.blogspot.com/2011/04/userproxy-class-and-adam-lds.html

Here is a copy of my XML configuration file I installed into ADAMSync:

<?xml version="1.0"?>
<doc>
<configuration>

<description>ADAMSync Configuration</description>
<security-mode>object</security-mode>

<source-ad-name>domaincontroller.domain.local</source-ad-name>

<source-ad-partition>dc=domain,dc=local</source-ad-partition>


<source-ad-account>ldapquery</source-ad-account>
<account-domain>domain</account-domain>

<target-dn>dc=domain,dc=local</target-dn>
<query>

<base-dn>dc=domain,dc=local</base-dn>


<object-filter>(objectCategory=person)</object-filter>
<attributes>

<include>objectSID</include>
<include>givenName</include>
<include>sn</include>
<include>description</include>
<include>title</include>
<include>company</include>
<include>department</include>
<include>mail</include>
<include>physicalDeliveryOfficeName</include>
<include>telephoneNumber</include>
<include>sAMAccountName</include>
</attributes>
</query>

<user-proxy>
<source-object-class>user</source-object-class>
<target-object-class>userProxy</target-object-class>
</user-proxy>
<schedule>
<aging>
<frequency>0</frequency>
<num-objects>0</num-objects>
</aging>
<schtasks-cmd></schtasks-cmd>
</schedule>
</configuration>
<synchronizer-state>
<dirsync-cookie></dirsync-cookie>
<status></status>
<authoritative-adam-instance></authoritative-adam-instance>
<configuration-file-guid></configuration-file-guid>
<last-sync-attempt-time></last-sync-attempt-time>
<last-sync-success-time></last-sync-success-time>
<last-sync-error-time></last-sync-error-time>
<last-sync-error-string></last-sync-error-string>
<consecutive-sync-failures></consecutive-sync-failures>
<user-credentials></user-credentials>
<runs-since-last-object-update></runs-since-last-object-update>
<runs-since-last-full-sync></runs-since-last-full-sync>
</synchronizer-state>
</doc>

Notice the bits in bold. These are the attribute I want to Sync. I am also syncing these attributes FROM a user object TO a userProxy object. Let's use the "Active Directory Schema" mmc snap-in to look at the LDS Instance schema. To understand how to use "Active Directory Schema" mmc snap-in to connect to an LDS Instance please read:

http://technet.microsoft.com/en-us/library/cc816707.aspx

Your also going to probably run into this problem when connecting to the LDS Instance:

http://clintboessen.blogspot.com/2011/06/lds-active-directory-schema-status.html

In this environment I imported the following schema extensions MS-UserProxy.ldf, MS-AdamSyncMetadata.ldf, MS-AdamSchemaW2K8.ldf to my LDS Instance. In my Active Directory Schema if I look at my userProxy class object attribute association I have the following attributes associated:

However in my user class object I have the following attributes associated:

Can you pick the problem yet? I have asked ADAMSync to sync the following attributes FROM user class in Active Directory TO userProxy:

<attributes>

<include>objectSID</include>
<include>givenName</include>
<include>sn</include>
<include>description</include>
<include>title</include>
<include>company</include>
<include>department</include>
<include>mail</include>
<include>physicalDeliveryOfficeName</include>
<include>telephoneNumber</include>
<include>sAMAccountName</include>
</attributes>

userProxy does not have these attributes associated. After I added these attributes to the userProxy class object all was fixed:

LDS Active Directory Schema Status Unavailable

2011-06-13T00:13:00.000-07:00

Back when LDS (Lightweight Directory Services) was called ADAM (Active Directory Application Mode) there was a console known as "ADAM Schema" which was the ADAM version of the "Active Directory Schema" MMC console.

Now with LDS the "ADAM Schema" no longer exists. Microsoft say to use "Active Directory Schema" for both LDS and Active Directory databases. For the TechNet article please see:

http://technet.microsoft.com/en-us/library/cc816707.aspx

I setup an LDS instance running on TCP10001. When I try and connect to the instance using Active Directory Schema on localhost:10001 it comes up as available. However I know my instance is there as I can connect to it using ADSIEdit.

I found out if you connect using the IP address of the server's primary network interface card it connects successfully.

Must be something dodgy embedded into the code of the Active Directory Schema snap-in.

Allowing Domain Membership through a Cisco Firewall

2011-06-06T23:50:00.000-07:00

When setting up windows networks a DMZ must be created. This DMZ cannot contain any PC's that are a member of your internal Active Directory domain for security reasons. For your SME companies best practice is to generally configure all machines in your DMZ in a workgroup setup. For your enterprise companies best practice is to create a separate active directory forest for your DMZ. This allows centralised management over your DMZ servers allowing administrators to control servers using things such as Group Policy and WSUS.

However there are times where you need to allow PC's in your DMZ to access your internal Active Directory. For example I needed to setup an ADAM server to synchronise only particular attributes from various domains in an Active Directory forest which to be exposed to the internet using LDAPS (Secure LDAP) on secure port 636 for an external application. This ADAM server needs to be a member of of the Active Directory domain as I require User Proxy Bind Redirection to forward authentication requests through to an Active Directory domain controller. We created a separate DMZ just to contain this server requiring domain membership.

For more information on User Proxy Bind Redirection see:

http://clintboessen.blogspot.com/2011/04/userproxy-class-and-adam-lds.html

Windows machines are not very "firewall friendly". To start off with we opened up the following ports between our isolated "Domain DMZ" and our internal network:

UDP 53 – DNS Queries
TCP 88 – Kerberos v5 over TCP
UDP 88 – Kerberos v5 over UDP
TCP 135 – Microsoft Report Procedure Call Endpoint Mapper
UDP 389 – Unsecure LDAP over UDP
TCP 389 – Unsecure LDAP over TCP
TCP 443 – WSUS Windows Updates
TCP 445 – Simple Message Block Protocol
TCP 1688 – Key Management Server
TCP 3268 – Global Catalog Requests
TCP 3389 – Remote Desktop for management purposes

All the ports above still do not allow a workstation to be a member of an Active Directory domain due to the DCOM RPC ports. Microsoft RPC (MS-RPC) does not only use port TCP135 it also uses randomly generated ports from TCP 1024-65535 for XP/2003 and TCP 49152-65535 for Vista/2008 upwards. These are frequently informally referred to as "random RPC ports." In these cases, RPC clients rely on the RPC Endpoint Mapper (EPM) which runs on TCP135 to tell them which dynamic port(s) were assigned to the server.

Multiple components from the underlining windows subsystem get assigned their own dynamic RPC port every time the windows PC boots. These components include:

- Active Directory (Local Security Authority) – Runs on each domain member!
- Certificate Services
- Cluster Service
- Distributed File System
- Distributed File System Replication
- Distributed Link Tracking Server
- Distributed Transaction Coordinator
- Outlook MAPI Client
- ISA Server
- Fax Service
- File Replication
- FTP Publishing Service
- Group Policy
- Net Logon
- Remote Storage Notification
- Remote Storage Server
- Systems Management Server 2.0
- Terminal Services Licensing
- Terminal Services Session Directory

All these windows components get a dynamic port each time the system boots. RPC clients discover which port these services are on by querying TCP 135 (the port mapper).

So how did we get around this without opening every port from 1024-65535?

Our corporate firewall is currently a Cisco ASA 5540 running OS v8.4(1). The lastest Cisco OS software for the 5540 has integrated smarts for the Windows RPC Endpoint Mapper (EPM) running on TCP135. Cisco refers to this as "DCERPC".

This process works as follows:
1. A client queries an EPM server for the dynamically-allocated port number of a required DCERPC service. The EPM server listens on the well-known TCP port 135.
2. The ASA, located between the client and EPM server, intercepts the communication.
3. The EPM server indicates the port number on which the DCERPC service is available.
4. The ASA opens a pinhole for that DCERPC service.

This allows us to make the access control lists (ACLs) as tight as possible maintaining security whilst allowing application functionality through the ASA firewall.

Here is the Syntax used for configuring this functionality on our ASA:

class-map dcerpc
match port tcp eq 135
policy-map interface_dcerpc
class dcerpc
inspect dcerpc

service-policy interface_dcerpc interface dmz_adam

interface_dcerpc is our custom Service Policy
dmz_adam is our costom interface

Of course you also need to allow TCP135 (the RPC Port Mapper) in the ACL rules for this to work!

For more information on these dynamically generated RPC ports used by Windows Systems please see the following Microsoft knowledge base articles:

http://support.microsoft.com/kb/154596
http://support.microsoft.com/kb/832017

A big thank you to Peter Revill (CCIE #18371 Routing and switching, Voice) for helping me out on this one.

Alternate Witness Server in Database Availability Groups

2011-06-06T20:16:00.000-07:00

In this post we will look at the Alternate Witness Server - what is it?

The Alternate Witness Server provides a replacement witness server for a DAG to use after a datacenter switchover. When you are performing a datacenter switchover, you’re restoring service and data to an alternate or standby datacenter after you’ve deemed your primary datacenter un-usable from a messaging service perspective.

Although you can configure an Alternate Witness Server (and corresponding Alternate Witness Directory) for a DAG at any time, the Alternate Witness Server will not be used by the DAG until part-way through a datacenter switchover; specifically, when the Restore-DatabaseAvailabilityGroup cmdlet is used.

The Alternate Witness Server itself does not provide any redundancy for the Witness Server, and DAGs do not dynamically switch witness servers, nor do they automatically start using the Alternate Witness Server in the event of a problem with the Witness Server.

The reality is that the Witness Server does not need to be made redundant. In the event the server acting as the Witness Server is lost, it is a quick and easy operation to configure a replacement Witness Server from either the Exchange Management Console or the Exchange Management Shell.

Exchange 2010 Max Message Size Precedence

2011-06-06T19:37:00.000-07:00

In Exchange 2007/2010 you can set SMTP message size quota's in 3 locations:

- Global Settings (Set-TransportConfig)
- Receive Connectors (Set-ReceiveConnector)
- Send Connectors (Set-SendConnector)

But which of these have Precedence?

The more restrictive limits always take precedence.

If you set the SMTP message size quota on a receive connector to 50MB but leave the TransportConfig quota to 10MB - Exchange will still only be able to receive 10MB emails.

If you set the SMTP message size quota on the TransportConfig to 50MB but leave a receive connector at 10MB - Exchange will only be able to receive 10MB emails on that particular receive connector.

To increase message size quota's you need to ensure you configure Every Receive connector, Send connector and the Global Settings on the transport config.

Why does it behave like this?

With Exchange 2003 and before, messages can pass directly between local
mailboxes as long as they don't need a (RG or SMTP) connector.
In that sense, the global limit is not applied to all messages.

Now, all messages need a Hub transport, including messages from a local
mailbox to another local mailbox. So, the global limit is always respected.

The security database on the server does not have a computer account for this workstation trust relationship

2011-06-02T01:24:00.001-07:00

After joining a new Windows Server 2008 R2 member server to the domain I was not able to log in, even with a Domain Admin account. The following error was experianced:

The security database on the server does not have a computer account for this workstation trust relationship

After some investigation it turns out the computer new computer account did not have a SPN (Service Principal Name). This is stored in the servicePrincipalName attribute in Active Directory. Below is a screenshot from ADSIEdit:

I added two SPN's to the computer account object in Active Directory in the format of:

HOST/COMPUTERNAME
HOST/COMPUTERNAME.domain.local

I was then able to log in to the new workstation.

Continuous Replication Block Mode vs Continuous Replication File Mode

2011-05-31T19:58:00.000-07:00

Exchange 2010 RTM only supported Continuous Replication File Mode.
Exchange 2010 SP1 now supports Continuous Replication Block Mode.

Ok so whats the difference?

Continuous Replication Block Mode

A form of continuous replication that replicates blocks of ESE transaction data between the ESE log buffers on the active mailbox database copy to replication log buffers on one or more passive mailbox databases copies. What does this mean? This means Exchange 2010 has replicate log buffers before the transaction log file is closed. This reduces the amount of transactions that are lost should a failover occur. If a transaction log is not played to the passive node in time, data may be lost during a failover. This is what AutoDatabaseMountDial is for, controls if the database will be mounted based on the based on the number of log files missing by the copy being mounted.

Continuous Replication File Mode

A form of continuous replication that replicates closed transaction log files from the active mailbox database copy to one or more passive mailbox database copies. This means the transaction logs need to be closed before they can be shipped. This is one of the reasons transaction log size as reduced from 5MB to 1MB as of Exchange 2007 - to minimize data loss during Exchange failover.

Please note if a log file does not replicate in time when a failover occurs - the hub transport server in the same site has a service a process known as transport dumpster. The transport dumpster resides on every hub transport server by default however it is not used unless a mailbox failover occurs. What the transport dumpster does is hold email that has already been delivered to the active mailbox server for a specified period of time. In the event that a DAG node fails which prevents the most recent logs from being replicated over, the transport dumpster can redeliver this email.

Transport Dumpster was first introduced in Exchange 2007 for CCR (Continuous Cluster Replication). Please see:

http://clintboessen.blogspot.com/2009/04/scc-single-copy-clusters-vs-ccr.html

So now your asking me why introduce Continuous Replication Block Mode if there is a process called Transport Dumpster that replays emails after a failover? Good question!

The answer is not all exchange mailbox transactions are caught in transport dumpster. Transport dumpster, as it resides on the hub transport will only ever capture SMTP based transactions. There are other internal transactions Exchange generates directly on the mailbox database. These transactions will not reside within Transport Dumpster. Also things like de-duplication software that replaces emails with stubs. These cause transactions to occur which are not registered in Transport Dumpster.

Can I switch between Continuous Replication File Mode and Continuous Replication Block Mode if I'm running Exchange 2010 SP1?

No - The system can automatically switch between file mode and block mode based on the passive copy's ability to keep up with continuous replication.

TechEd North America 2011

2011-05-31T19:31:00.000-07:00

Exchange 2010 Active Sync Feature Comparison

2011-05-31T19:23:00.001-07:00

I found an excellent article today listing all the features of Exchange Active Sync and which features are supported by what mobiles. Please check this article out here:

http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients

Exchange Active Sync Logo Program

2011-05-30T01:59:00.000-07:00

Customers have been telling Microsoft for quite some time that one of their top concerns is the increasing diversity of mobile devices that employees use to access company networks. While most mobile devices use EAS, the industry standard for mobile email, EAS policies are not consistently implemented by the mobile device manufacturers. This makes it challenging to know which EAS management features are supported by any particular device.

In the EAS Logo program, participants agree to implement a predefined set of EAS policies (or more). IT professionals can now be assured that devices that bear the logo meet a consistent set of mobile device requirements. Today, we’re launching with the following devices:

- All Windows Phone 7 and Windows Mobile 6.5 devices
- Nokia devices with the Mail for Exchange 3.0.05, including the recently launched Nokia E7
- Apple devices with iOS 4.X, including the iPhone 4, iPhone 3GS, iPad and iPad 2

Microsoft have a strong pipeline of additional device manufacturers working toward compliance. Additional participants will be announced in the coming months, including wireless carriers that will use the logo when marketing compliant devices to their customers.

The EAS Logo Program has the following requirements:
- Direct Push email, contacts & calendar
- Accept, Decline & Tentatively Accept meetings
- Rich formatted email (HTML)
- Reply/Forward state on email
- GAL Lookup
- Autodiscover
- ABQ strings (device type and device model) provided
- Remote Wipe
- Password Required
- Minimum Password Length
- Timeout without User Input
- Number of Failed Attempts

Please refer to the following blog post by Greg Smiley for more information:

http://blogs.technet.com/b/exchange/archive/2011/04/13/announcing-the-exchange-activesync-logo-program.aspx

The official page for the EAS Logo Program can be found here:

http://technet.microsoft.com/en-us/exchange/gg187968.aspx

For a full list of all the Exchange Active Sync features and an understanding of which phones support which features please see:

http://en.wikipedia.org/wiki/Comparison_of_Exchange_ActiveSync_Clients

Advanced DNS Active Directory Questions

2011-05-30T00:59:00.000-07:00

One of my clients has 3 Active Directory forests each with multiple domains. Stub zones are in place for the forest root domain in each forest which are stored in each DomainDNSZone for each forest. When a DNS client wants to resolve a hostname for a host in a child domain in a different Active Directory forest it is using recursion referencing the root DNS server (from the Stub Zone) and obtaining the NS RR's for the child domain.

Delegation records and Conditional Forwarders need to be updated manually when DNS servers are added and removed from the environment. Currently the companies delegation records are not align with the DNS servers in each of the child domains for each Active Directory forest. The company wants to implement a solution which is automated so they will never have to worry about updating Delegates or Forwarders. Stub Zones meet the requirement.

The company is currently looking at removing all delegation between parent and child domains in each forest and use Stub Zones instead. They also want wish to use Stub Zones cross forest. To avoid having to create a Stub Zone in each domain they wish to store the Stub Zone for every domain in the ForestDNSZone partition in each forest. This means all domains in each forest will be able to utilize the Stub Zone.

I have the following questions:

Question 1
In an Active Directory Forest we want to store each domain’s DNS zone in the DomainDNSZone partition within Active Directory. We want to configure a Stub Zone for every domain within a DNS forest and store these Stub Zones in the ForestDNSZones partition within Active Directory so they replicate to all AD Domains on the given forest. Question: All domain controllers will have their domain DNS zone under the DomainDNSZones partition in Active Directory. However they will also receive the stub zone for the ForestDNSZones partition as they are a member of the same forest. What happens here with the stub zone located in ForestDNSZones?

Question 2
You can only configure forwarders or stub zones on any given DNS server. What happens if you create a forwarder on one DNS server then on another DNS server in a different AD site you create a stub zone that is AD Integrated. When it goes to replicate, it will replicate the stub zone to the DNS server which in this case both a stub zone and a forwarder exists. How does windows DNS deal with this?

Question 3
In the relationship between child and parent domains, if an organisation chooses to use stub zones instead of delegation, if they do not remove the delegation records which precedence the Stub RR's or the Delegate RR's?

To answer these questions I raised I ended up having to create a lab environment and perform testing. Below are my answers:

Question 1 Answer
If a "Stub Zone" exists in the forest DNS partition but a DNS server in the same forest has a the "Primary Zone" file stored locally or in another location within DNS, the DNS server will ignore the "Stub Zone" in the forest DNS partition. To find this out I created a lab environment with two domains within a single forest:

- contoso.com
- branch.contoso.com

Contoso.com DNS server:

Properties for the branch.contoso.com stub zone on the contoso.com DNS server:

Branch.contoso.com DNS server:

Properties for the contoso.com stub zone on the branch.contoso.com DNS server:

Question 2 Answer
If a stub zone exists on a DNS server windows will not let you create a conditional DNS forwarder matching the same name as the stub zone. If a conditional DNS forwarder exists windows will not let you create a DNS stub zone matching the same name as the conditional forwarder. If you create an AD integrated stub zone on another DNS server in a different active directory site it will replicate through standard AD replication. When it replicates to the server containing the conditional forwarder, the stub zone will take precedence over the conditional forwarder. Stub Zones always have precedence over conditional forwarders.

Question 3 Answer
Stub Zones always have precedence over delegation.

Initializing MAPI session object failed

2011-05-26T22:44:00.000-07:00

I had a user who upgraded from a previous version of Outlook to Outlook 2010. Whenever they open an Outlook email they recieve an error "Initializing MAPI session object failed." After clicking OK the email opens.

This is resolved by going to C:\Windows\System32 and renaming mapi32.dll to mapi32.dll.old. Then run a tool called fixmapi.exe under C:\Windows\System32. This will generate a new mapi32.dll file.

Note: Sometimes Administrators do not have rights to rename or modify mapi32.dll, only "TrustedInstaller" does. In cases like this you need to take ownership of mapi32.dll and provide Administrators access to the file.

Pitfalls to Virtualizing Exchange 2010

2011-05-22T20:27:00.000-07:00

Exchange performs best when it can interact with the physical components of a server directly. If you disagree with this statement that’s usually a symptom exhibited right after a vmware conference - hopefully it will go away.

Before I go into the pitfalls, let me say I love virtualization - most of my Exchange 2010 deployments are virtualized. Virtualization is fantastic for small deployments of Exchange 2010 as it provides many advantages including increasing energy efficiency and requiring less hardware with server consolidation. What us Exchange people are arguing is there are times you do not want to virtualize an Exchange server.

One statement VMware makes is "Virtualize enterprise apps, including Oracle, Exchange, SQL Server, Sharepoint and SAP, and deliver the highest SLAs and top performance.", please see: http://www.vmware.com/virtualization/. How is virtualizing your infrastructure going to achieve top performance? Top performance can only be achieved when software can interact directly with physical hardware bypassing hypervisors completely.

VMware have published publicly that Exchange 2010 DAG replication is supported - please see:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1037959

This is officially NOT supported by Microsoft. Just because VMware had it working in their lab doesn't with "simulated load generators" doesn't mean it will behave correctly in a production environment - I am talking here from experience. The Microsoft Exchange product team has clearly stated that both HyperV live migration and VMotion are not supported. You can see the link: http://technet.microsoft.com/en-us/library/aa996719.aspx. The link states that you're not supported if you use VMotion/SRM (etc) at the same time as the DAG. That's the support statement. Period.

I have seen problems directly related to virtualizing clustered Exchange 2010 mailbox servers. I have seen virtualized Exchange servers where the windows cluster had kicked the server out of being a cluster member. When you try and readd the node back into the cluster, the cluster node would join and then be evicted again. This can be resolved by evicting the node via ConfigurationOnly and removing it from Windows Clustering. The problem? The Witness! It appears the Witness was locked and the new (old) node could not access it. As it turns out the client vmotioned the server to another node and that's when all the problems began.

I have just got back to Australia from MSIDC (Microsoft Indian Development Centre). During my time at MSIDC I had an interesting debate internally with a Microsoft virtualization MVP named Susantha Silva on this subject. Virtualization MVP's ususally think everything should be virtulized, I'm sure they would virtualize the operating system on their mobile phone if they could! Present during this debate was Sheesh Dubey, Hyper V Program Manager for Microsoft. This debate was closed by Sheesh Dubey saying "If a product team states their application should not be virtualized in any particular circumstance, you should always follow the advise of the product team as they have reasons behind any statement they make."

A pitfall when Virtualizing mailbox servers that are a member of a cluster is taking snapshots in regards to transaction log replication. Go on take a snapshot of a server performing log replication. Have fun fixing it!

Another pitfall to Virtualization is low-balling the RAM because "it's a VM and we can add it whenever". Exchange 2010 was architectured to use slow disk, as a result it needs more memory to provide ample disk cache. Make sure you use the Exchange Storage calculator and calculate your RAM correctly.

Next problem we have is with a concept called Dynamic Memory. This is when a virtual machine is able to automatically extend the amount of memory it has allocated and return it to the hypervisor when its not required through a concept called Ballooning. SQL Server now supports Dynamic Memory as per http://support.microsoft.com/kb/956893, but Exchange 2010 mailbox role however does not (all other Exchange 2010 roles do). This is because the Mailbox Role in Exchange Server does not change its memory allocations on the fly. I encourage you to do a google/bing search for "dynamic memory exchange".

"Not doing the I/O numbers because it’s that magic virtual storage behind VMware". If you want the absolute best disk I/O you need to pass the physical storage directly through to the virtual machine. This provides the best possible I/O performance. If you insist on using a VHD or VMDK file make sure its fixed size! Another problem with shared storage is its very easy to overcommit a RAID Array of disks on a LUN to to many servers. I have seen so many virtual exchange servers where the disk queue lengths exceed 100 - very bad! Especially if your using the recommended Exchange 2010 TIER2 storage model, please make sure nothing else hits the disks!

Tossing a whole DAG on one virtual host. Yes I have seen it done unfortunately. We have mentioned above the reasons why we cannot add live migrate or vmotion a servers that are a member of a DAG cluster. So what is the point? Having two mailbox servers in a DAG cluster on a single host performs worse then if the server was simply a single mailbox server.

People, one virtual CPU does not represent one physical CPU. A virtual CPU represents 1 core of a physical CPU.

RDM/LUN limits per VMWare cluster (FC path limit of 1024 / 4 paths = 256 LUNs per cluster)
RDM LUN limits per Exchange VM (60 LUNs max – 4x SCSI controllers, 15 LUNs per controller)

When Exchange 2010 is virtualized I ususally see the DB/Logs on the same Disk Spindles that are used by the VMs for the operating system. Remember back to the days when all servers were physical. Did the DB and LOGs ever be on the same disks as the operating system? No they didn't.

When virtualizing your client access servers Microsoft NLB does not support Unicast Mode if Notify Switches is turned on. This means you need to configure NLB to use multicast mode and send cluster communication over the servers primary network interface card.

Virtual Sprawl. I see admins just add more and more virtual machines until the virtualization platform almost collapses and dies. They seem to have such faith in it so they don’t even monitor it, they also think that in some mystic way it will compensate for not designing and RAM, disk and CPU correct. I think this is a knowledge and maturity thing of admin.

I have a personal rule I follow, if more then 2000 users require access to a mailbox server and the users are heavy power users I ensure the Exchange server is setup physical. If the users are under 2000, require light weight access to their email and do not require DAG clustering with live migration/vmotion I set the environment up Virtual. This is pending that the disks and servers are not already over committed. On majority of networks Exchange followed by SQL requires more resources then other server. Because of this it does not always make sense to perform server consolidation through virtualization as your Exchange server may already be utilizing majority of resources on the physical host. Please note: CPU's are getting faster, this blog post is getting older. Pay close attention to the CINT Rates value of the CPU and use the sizing spreadsheet created by Ross Smith and size your CPU's appropriately.

Take advantage of cheap local storage, the whole idea of Exchange 2010 is to have multiple copies of your data in different geographical locations on extremely cheap disk/hardware. It is designed to scale out so that you CAN have servers fail. A properly designed enterprise exchange 2010 environment should be able to cope with 49% of the servers failing without taking down the environment. If you have a deep understanding on how Exchange 2010 clustering and native data protection technology you will understand where us Exchange guys are coming from in terms of virtualization.

If your a SME business with up to 1000 users I highly recommend looking at the HP e5000. It's a DAG in a box solution with 2 physical blade servers and locally attached storage. It comes bundled with the Exchange licensing setup with a plug in and go approach. It offers a fast performing lean mean highly available email system for companies that require high levels of email up time. There is loads of information about the e5000 on the internet.

Insight into the Ignore Feature in Outlook 2010

2011-05-21T23:14:00.000-07:00

In this blog post we will take an insight into how the Ignore feature in Outlook 2010 works. The Ignore feature excludes you from conversation threads your not interested in. If your new to the Ignore feature please read the following URL:

http://office.microsoft.com/en-us/outlook-help/ignore-all-e-mail-messages-in-a-conversation-HA010361232.aspx

Where are Ignore rules stored?

Ignore rules are stored in the inside the users mailbox within a mailbox database. They are treated like an Outlook rule and stored in the XML blob. You can view these rules using MFCMAPI.

As an end user can I view a list of which conversations I'm ignoring?

As an end user using Outlook 2010 there is currently no way of viewing which conversations your ignoring.

As an Exchange Administrator you can use MFCMAPI to view within a mailbox which conversations are currently being ignored. In MFCMAPI under the users mailbox there is a "Conversation Action Settings" hidden folder. If you right click on this folder and click "View Associated Contents table" you can see all the ignored conversations. If you look at the MAPI property “PR_SUBJECT”, you will see the conversation subject string.

Is there a limit to the number of conversations you can ignore?

This is unknown however I have spoke to a senior esculation team within the Exchange product group and me mentioned he has seen over 100,000 before.

Does the client or server process ignored conversations?

The server does it.

What happens to emails that get ignored?

Ignored emails are moved to the deleted items folder within the Exchange 2010 mailbox dumpster. Exchange 2010 uses dumpster 2.0. For more information please see:

http://clintboessen.blogspot.com/2009/10/exchange-2010-dumpster-20.html

How long do ignores last for? For example if I do an ignore to a conversation thread then 6 months later someone does a reply to all on an unrelated topic, does this mean I will not recieve the email?

Ignore Rules only last for 180 days.

Do ignore rules use the message subject of an email?

No it uses the conversationID or conversationTopic properties generated by the Exchange 2010 server.

When you ignore a conversation thread does it include "re:" and "fw:"?

Not unless you’re using conversationTopic, in which case changing the subject will sometimes cause the message to escape. However, adding "re" or "fw" (or their localized equivalents) shouldn’t have any effect.

Hope this information has been helpful.

MapiExceptionMailboxInTransit: Unable to open message store. (hr=0x80004005, ec=1292)

2011-05-02T18:41:00.000-07:00

Problem

I am performing cross-forest migration and I am having a had an issue when attempting to perform cross-forest mailbox moves.

A "user" for each "mailbox user" in the source forest exists in the destination forest. These objects were created by Identity Lifecycle Manager. These "user" objects were then prepared to be "mail users" by using the Prepare-MoveRequest.ps1 script for each user using the following syntax:

.\Prepare-MoveRequest.Ps1 -Identity "CN=Paul,OU=User Accounts,DC=source,DC=local" -RemoteForestDomainController "sourceforest-dc1.source.local" -RemoteForestCredential $Remote -LocalForestDomainController "destinationforest-dc01.destination.local" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,DC=destination,DC=local" –UseLocalObject

I am trying to perform the mailbox move using the following command:

New-MoveRequest -Identity "CN=Paul,OU=FromILM,DC=destination,DC=local" -RemoteLegacy -TargetDatabase "Mailbox Database 0205912051" -RemoteGlobalCatalog "sourceforest-dc1.source.local" -RemoteCredential $Remote -TargetDeliveryDomain "contoso.com"

When I create the move request, the move request status update does not change, it just stays at "InProgress".

[PS] C:\>Get-MoveRequest

DisplayName Status TargetDatabase
----------- ------ --------------
Tamara InProgress Mailbox Database 0205912051

I bumped up the EventLogLevel for MSExchangeIS\9002 System\Move Mailbox" to medium by using the following powershell command:

Set-EventLogLevel "MSExchangeIS\9002 System\Move Mailbox" -Level Medium

In the destination Exchange 2010 server the following event logs were logged under "Application Log" with the EventLogLevel turned up.

Log Name: Application
Source: MSExchange Mailbox Replication
Date: 2/05/2011 4:27:37 PM
Event ID: 1101
Task Category: Mailbox Move
Level: Warning
Keywords: Classic
User: N/A
Computer: Ex2010.destination.local
Description:
Mailbox move for 'destination.local/FromILM/Paul' (fcfdc22e-d8d8-44f1-bdfe-140fdbc0d1ca) encountered a transient failure. The operation will be retried (9 out of 60).
Error code: -2147467259
MapiExceptionMailboxInTransit: Unable to open message store. (hr=0x80004005, ec=1292)
Diagnostic context:
Lid: 18969 EcDoRpcExt2 called [length=132]
Lid: 27161 EcDoRpcExt2 returned [ec=0x0][length=132][latency=0]
Lid: 23226 --- ROP Parse Start ---
Lid: 27962 ROP: ropLogon [254]
Lid: 17082 ROP Error: 0x50C
Lid: 26937
Lid: 21921 StoreEc: 0x50C
Lid: 27962 ROP: ropExtendedError [250]
Lid: 1494 ---- Remote Context Beg ----
Lid: 26426 ROP: ropLogon [254]
Lid: 22787 Error: 0x0
Lid: 13032 StoreEc: 0x8004010F
Lid: 7588 StoreEc: 0x8004010F
Lid: 6564 StoreEc: 0x8004010F
Lid: 24316
Lid: 2199 StoreEc: 0x50C
Lid: 17097 StoreEc: 0x50C
Lid: 8620 StoreEc: 0x50C
Lid: 1750 ---- Remote Context End ----
Lid: 26849
Lid: 21817 ROP Failure: 0x50C
Lid: 26297
Lid: 16585 StoreEc: 0x50C
Lid: 32441
Lid: 1706 StoreEc: 0x50C
Lid: 24761
Lid: 20665 StoreEc: 0x50C
Lid: 25785
Lid: 29881 StoreEc: 0x50C

Log Name: Application
Source: MSExchangeIS
Date: 2/05/2011 4:27:37 PM
Event ID: 9660
Task Category: Logons
Level: Warning
Keywords: Classic
User: N/A
Computer: Ex2010.destination.local
Description:
User Paul (/o=Destination/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Paul) failed to log on because their mailbox is in the process of being moved.

In the "System Log" I also noticed the Microsoft Exchange Mailbox Replication service crashing during the move.

Log Name: System
Source: Service Control Manager
Date: 3/05/2011 9:07:13 AM
Event ID: 7031
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Ex2010.destination.local
Description:
The Microsoft Exchange Mailbox Replication service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

My Environment

In the destination domain I have:
- A single Exchange 2010 server with CAS, MB and HT roles installed running SP1, Update Rollout 4.
- Public folders

In the source domain I have:
- A single Exchange 2003 server running Service Pack 2
- An Exchange 2010 SP1 Server running Update Rollout 4 only running the CAS role. This is for MRSProxy.

Resolution

The problem occured because MRSProxy was not enabled on the Exchange 2010 Client Access Server in the source forest. When mailboxes are moved from one Exchange 2010 forest to another Exchange 2010 forest, the process is handled through Exchange 2010 Client Access Servers using the MRSProxy service. The only port required to be open between the forests for MRSProxy to use HTTPS traffic is port 443. This works even if the source mailboxes are on 2003 or 2007 MBX servers as long as an Exchange 2010 CAS server exists in both organizations.

MRSProxy is not enabled on client access servers by default. You need to enable this on the source forest client access server. To enable this navigate to the following directory on the Exchange 2010 CAS server in the source forest.

Exchange Installation Path\V14\ClientAccess\ExchWeb\EWS\web.config

Open the web.config in a text editor and find where it says under MRSProxyConfiguration

IsEnabled="false"
MaxMRSConnections="100"
DataImportTimeout="00:01:00

Change IsEnabled to true:

I then rebooted the Exchange 2010 CAS server in the source forest. Upon reboot the cross-forest mailbox moves worked.

The Exchange 2010 CAS Server in the source domain will proxy the move request from the Ex2003 mailbox server.

I also found a TechNet article that explains how to enable this:

http://technet.microsoft.com/en-us/library/ee732395.aspx

NotifyChangeDirectory throws INSUFFICIENT RESOURCES

2011-05-02T07:40:00.000-07:00

We had an application called Kentico CMS which we deployed on Windows Server 2008 R2 with IIS 7.5.

Looking in the event log for the app, it's getting "File change notification errors" and tracking (causing the restarts) it with ProcMon we see:

NotifyChangeDirectory calls being made - for a while they succeed and then they start throwing INSUFFICIENT RESOURCES in the status.

The following errors were experienced in event viewer under the application logs:

EventID: 9145
EventType: W
EventTime: 2/11/2011 12:25:04 AM
Source: Application_End
EventCode: ENDAPP

EventDescription: Message: File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_groups
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_groups
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_medialibrary
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_messageboards
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_newsletter
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_polls
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_reporting
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_webanalytics
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_tools
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_groups
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_medialibrary
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_messageboards
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_newsletter
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_polls
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_reporting
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\app_themes\default\images\cmsmodules\cms_webanalytics
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\cmspages
CONFIG change
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\cmspages
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\CMSPages
File Change Notification Error in \\files\domains$\k\kwinana.wa.gov.au\public_html\cmspages
HostingEnvironment initiated shutdown
HostingEnvironment caused shutdown<br />
Shutdown stack: at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
at System.Environment.get_StackTrace()
at System.Web.Hosting.HostingEnvironment.InitiateShutdownInternal()
at System.Web.Hosting.HostingEnvironment.InitiateShutdown()
at System.Web.HttpRuntime.ShutdownAppDomain(String stackTrace)
at System.Web.Configuration.HttpConfigurationSystem.OnConfigurationChanged(Object sender, InternalConfigEventArgs e)
at System.Configuration.Internal.InternalConfigRoot.OnConfigChanged(InternalConfigEventArgs e)
at System.Configuration.BaseConfigurationRecord.OnStreamChanged(String streamname)
at System.Web.Configuration.WebConfigurationHostFileChange.OnFileChanged(Object sender, FileChangeEvent e)
at System.Web.DirectoryMonitor.FireNotifications()
at System.Web.Util.WorkItem.CallCallbackWithAssert(WorkItemCallback callback)
at System.Web.Util.WorkItem.OnQueueUserWorkItemCompletion(Object state)
at System.Threading._ThreadPoolWaitCallback.WaitCallback_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)<br />
Call stack: at Global.LogApplicationEnd()
at Global.Application_End(Object sender, EventArgs e)
at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Web.HttpApplication.ProcessSpecialRequest(HttpContext context, MethodInfo method, Int32 paramCount, Object eventSource, EventArgs eventArgs, HttpSessionState session)
at System.Web.HttpApplicationFactory.FireApplicationOnEnd()
at System.Web.HttpApplicationFactory.Dispose()
at System.Web.HttpRuntime.Dispose()
at System.Web.HttpRuntime.ReleaseResourcesAndUnloadAppDomain(Object state)
at System.Threading._ThreadPoolWaitCallback.WaitCallback_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)

And...

EventMachineName: GIR1
EventID: 289983
EventType: E
EventTime: 2/11/2011 4:24:23 PM
Source: Application_End
EventCode: EXCEPTION
EventDescription: Message: File Change Notification Error in \\files\domains$\o\omsintl.com\public_html
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html
Directory rename change notification for '\\files\domains$\o\omsintl.com\public_html'.
public_html dir change or directory rename
Change Notification for critical directories.
bin dir change or directory rename
Change Notification for critical directories.
App_Browsers dir change or directory rename
CONFIG change
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html\cmsdesk
CONFIG change
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html\cmsdesk
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html\cmspages
CONFIG change
HostingEnvironment initiated shutdown
HostingEnvironment caused shutdown
File Change Notification Error in \\files\domains$\o\omsintl.com\public_html\cmspages<br />
Shutdown stack: at System.Environment.GetStackTrace(Exception e, Boolean needFileInfo)
at System.Environment.get_StackTrace()
at System.Web.Hosting.HostingEnvironment.InitiateShutdownInternal()
at System.Web.Hosting.HostingEnvironment.InitiateShutdown()
at System.Web.HttpRuntime.ShutdownAppDomain(String stackTrace)
at System.Web.Configuration.HttpConfigurationSystem.OnConfigurationChanged(Object sender, InternalConfigEventArgs e)
at System.Configuration.Internal.InternalConfigRoot.OnConfigChanged(InternalConfigEventArgs e)
at System.Configuration.BaseConfigurationRecord.OnStreamChanged(String streamname)
at System.Web.Configuration.WebConfigurationHostFileChange.OnFileChanged(Object sender, FileChangeEvent e)
at System.Web.DirectoryMonitor.FireNotifications()
at System.Web.Util.WorkItem.CallCallbackWithAssert(WorkItemCallback callback)
at System.Web.Util.WorkItem.OnQueueUserWorkItemCompletion(Object state)
at System.Threading._ThreadPoolWaitCallback.WaitCallback_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)<br />
Call stack: at Global.LogApplicationEnd()
at Global.Application_End(Object sender, EventArgs e)
at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean skipVisibilityChecks)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Web.HttpApplication.ProcessSpecialRequest(HttpContext context, MethodInfo method, Int32 paramCount, Object eventSource, EventArgs eventArgs, HttpSessionState session)
at System.Web.HttpApplicationFactory.FireApplicationOnEnd()
at System.Web.HttpApplicationFactory.Dispose()
at System.Web.HttpRuntime.Dispose()
at System.Web.HttpRuntime.ReleaseResourcesAndUnloadAppDomain(Object state)
at System.Threading._ThreadPoolWaitCallback.WaitCallback_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallbackInternal(_ThreadPoolWaitCallback tpWaitCallBack)
at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback(Object state)

The following INSUFFICIENT RESOURCES errors were experienced in process monitor:

To resolve the problem, there are a few settings that can be configured in IIS and ASP.NET To optimize this behavior.

To resolve the issue we set the DWORD HKLM\Software\Microsoft\ASP.NET\FCNMode is a Decimal value of "2" as per http://support.microsoft.com/kb/911272.

If your running a 32bit process on a 64bit server then set this key instead:

HKLM\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\FCNMode

MSExchangeIS EventID 1121 and 5000

2011-04-24T23:25:00.000-07:00

I had an issue today where the Information Store service would not start on any Exchange 2010 server. When you went to start the Information Store service the following error appears:

Windows could not start the Microsoft Exchange Information Store on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2147221233.

The following errors were appearing in my application log:

Error 0x8004010f connecting to Active Directory.

Unable to initialize the Microsoft Exchange Information Store service. - Error 0x8004010f.

If you experienced these errors you may not have the same problem! There is more then one cause for these error codes..

In my case these errors were occurring because there was no default recipient policy or email address policy. Recipient Policies were the name in Exchange 2000/2003. Email Address Policies are the new name under Exchange 2007/2010. They are the same class object in Active Directory and stored under the same location within the schema.

The default email address policy displays in Exchange System Manager or Exchange Management Console with a priority of Lowest. Each additional policy gets a priority of 1 upwards... 2, 3, 4, 5 etc. When Exchange processes the recipient policy it starts from the highest number an works its way down. Recipient policies have LDAP filters, if a match is made with the filter, the policy is applied. If a policy is applied to a user, no additional policies are processed.

When I went to Exchange Management Console I had a single "Default Policy" under my Email Address Policies, however it had a priority of 1, not "Lowest". No policy had a priority of "Lowest". No email address policy was the default! This was causing the information store not to mount.

I used ADSIEdit to set a default policy by connecting to the configuration partition. The policies located under:

CN=Recipient Policies\CN=\CN=Microsoft Exchange\CN=Services\CN=Configuration\DC=domain\DC=local

To set a policy as the default email address policy, configure the priority to be 2147483647. This value is hard coded into Exchange to be the default email address policy. This value needs to be associated with the msExchPolicyOrder attribute.

There is one more attribute that is also hard coded into Exchange, which enables a policy to become the default email address policy. That attribute is purportedSearch. This attribute must be set to (mailNickname=*).

Once these attributes were set correctly Exchange recognized an email address policy. The information store was now able to start on all servers after AD replication completed.

There is also a TechNet article that provides some information into this error:

http://technet.microsoft.com/en-us/library/bb885057.aspx

Exception: The Active Directory user wasn't found

2011-04-19T07:21:00.000-07:00

I was doing work for a client who recently just had their single Exchange 2003 server upgraded to an Exchange 2010 clustered environment.

When trying to access a public folder database using the new ExFolders tool (the replacement for PFDavAdmin) the following error was experianced:

An error occurred while trying to establish a connection to the Exchange server.

Exception: The Active Directory user wasn't found.

This was resolved by deleting the CN=Servers container from the old administrative group using ADSIEdit. By default this administrative group is called First Administrative Group.

Why is my server blue screening?

2011-04-14T00:18:00.000-07:00

Why is my server blue screening?

Lets analyze that crash dump...

How to analyze a dump file

VSApiNt.sys = Trend Micro

Why am I not surprised.

Seriously over that product... the amount of Trend Micro related problems I have seen over the past few years I can honestly say if it was a choice between Trend Micro on your servers and no antivirus, I would take no antivirus.