Wednesday, November 28, 2012

Changing Password on Administrator Accounts - Performing an Audit

This article addresses a common task which many administrators have to address within their career as as an IT professional - changing the password on a core administrator account.


It is well known that Administrators should always create dedicated service accounts with appropriate access to be used by network applications on a Microsoft network.  However there is always a case of a lazy administrator in the past who could not be bothered to create dedicated service accounts so they use the default domain admin account "Domain\Administrator" for applications and services to use.  So what happens in the event when there are applications and services across the network using a default domain account, everyone including previous employees, current employees and end users know the password to this account and you don't know exactly applications are using the account?  This article addresses exactly this situation.


The only way to identify all applications using an account for authentication is to revert to audit logs on domain controllers and identify the IP addresses in which the authentication attempts have been initiated from.  Once you have the IP addresses as an administrator your able to dig down into the servers configuration and identify what applications are installed and figure out what is making the authentication attempts from the account.  No application will be able to tell you exactly what program is performing the authentication request because all applications are different.  For example some applications may store the domain administrator credentials in a text configuration file, others might store the credentials in some type of database table and others might simply store it in a service or scheduled task.  No audit application understand the inter workings of every single application made, at best they can only look for where applications "usually" store credentials and return results based on that.

Another thing to note is each domain controller stores audit logs for authentication requests made against the individual DC.  There is no place where you can look at all authentication requests against domain controllers on a domain wide level without using additional software.  To gain inside into what authentication requests are being made on your network I recommend a product such as Snare Server.  Snare is seen by many as the industry standard for capturing and filtering audit and event log data.  Snare Server will pull audit logs from all domain controllers in your organisation and allow you to quickly identify exactly what servers in your organisation are using a specific account.

After ringing them for pricing, they are very cost effective compared to other audit collection tools on the market.  Its priced based on geographical region, so you will need to contact them to get pricing for your country.

Check out the following video which goes through Snare Server in detail:

Discovery VBS Script

As mentioned above the only way to perform a thorough audit of what applications in your environment are using a specific account is to revert to audit logs.  However below I will show you a handy VBS script which is able scan through all computer accounts in your domain and check if they are using an administrator account for a service or scheduled task.  This script can be downloaded from the following location, just rename it to *.vbs.

This script requires you to modify two fields:
  • The strSearchFor field is the account in which you want to find.  For example, Administrator.
  • The strExclude field are computers or locations within Active Directory in which you want to exclude.  If you want to exclude nothing you can leave this field as ""
strSearchFor = "Administrator"
strExclude = "dx-iren,dx-iren2,OU=Computers"

When you run the script it will display output in a webpage.  It pings each machine before performing the scan to ensure it is online so ensure ICMP is enabled on your windows firewall.  This can be done with group policy.

Ensure you launch it using cscript from a command prompt running as Administrator "Run As Administrator" to get around User Account Control (UAC) restrictions.

The audit results get pushed out to a CSV file under C:\results.csv and can be opened in Excel.

 Hope this post has been helpful and goodluck.

Sunday, November 11, 2012

Identify number of items in folder Outlook Cached Exchange Mode and Exchange

This blog post shows you how to identify if a folder within your Outlook OST file has become out of sync with your Exchange server for Outlook clients which are running under cached Exchange mode.  To do this we will look at the item count both of the cached outlook client and the Exchange server.

To get the item count of a folder in Outlook, this can be done in two ways.  The first method is by using a VBS script such as the one from David Lee's blog:

A copy of this script can be found below.

'Declare some variables
Dim olkApp, olkSes

'Connect to Outlook
Set olkApp = CreateObject("Outlook.Application")
Set olkSes = olkApp.GetNamespace("MAPI")
olkSes.Logon olkApp.DefaultProfileName

'Call the export process once for each folder count to be exported
'Format is ExportMessageCountToExcel <Path to Outlook Folder>, <Path and filename of the Excel file to export to>, <Number of the sheet the count goes on>
'The following lines are examples.  Edit them as needed.  Add additional lines as desired.
ExportMessageCountToExcel "Mailbox - Doe, John\Inbox", "C:\Message_Counts.xlsx", 1
ExportMessageCountToExcel "Personal Folders\Projects", "C:\Message_Counts.xlsx", 2

'Disconnect from Outlook
Set olkSes = Nothing
Set olkApp = Nothing

Sub ExportMessageCountToExcel(strFolder, strWorkbook, intSheet)
    Const EXCEL_COL = 1
    Dim olkFld, excApp, excWkb, excWks, lngRow
    Set olkFld = OpenOutlookFolder(strFolder)
    Set excApp = CreateObject("Excel.Application")
    Set excWkb = excApp.Workbooks.Open(strWorkbook)
    Set excWks = excWkb.Worksheets(intSheet)
    lngRow = excWks.UsedRange.Rows.Count
    If lngRow = 1 Then 
        If excWks.Cells(lngRow,1) <> "" Then
            lngRow = lngRow + 1
        End If
        lngRow = lngRow + 1
    End If
    excWks.Cells(lngRow, EXCEL_COL) = olkFld.Items.Count
    Set excWks = Nothing
    excWkb.Close True
    Set excWkb = Nothing
    Set excApp = Nothing
    Set olkFld = Nothing
End Sub

Function OpenOutlookFolder(strFolderPath)
    Dim arrFolders, varFolder, bolBeyondRoot
    On Error Resume Next
    If strFolderPath = "" Then
        Set OpenOutlookFolder = Nothing
        Do While Left(strFolderPath, 1) = "\"
            strFolderPath = Right(strFolderPath, Len(strFolderPath) - 1)
        arrFolders = Split(strFolderPath, "\")
        For Each varFolder In arrFolders
            Select Case bolBeyondRoot
                Case False
                    Set OpenOutlookFolder = olkApp.Session.Folders(varFolder)
                    bolBeyondRoot = True
                Case True
                    Set OpenOutlookFolder = OpenOutlookFolder.Folders(varFolder)
            End Select
            If Err.Number <> 0 Then
                Set OpenOutlookFolder = Nothing
                Exit For
            End If
    End If
    On Error GoTo 0
End Function

This script will output the results to an Excel spreadsheet as shown in the following screenshot:

The second method is by selecting all items within the Outlook folder by pressing "CTRL + A" then pressing "ENTER".  Make sure you select NO!

Now to check the number of items in my Sent Items on the Exchange server.  This is done with the following PowerShell command:

Get-MailboxFolderStatistics -Identity "clint" -FolderScope "SentItems"

This shows the number of items on my Exchange server matches my Outlook client meaning my Outlook Cached Copy is indeed in sync!

Tuesday, November 6, 2012

Exchange ActiveSync Error (500) Internal Server Error

One of my customers had an issue on their Exchange 2010 server regarding Exchange ActiveSync.  The mobile device would Autodiscover the settings however it would fail to synchronise email.  After investigating the issue I quickly isolated the issue to the users Active Directory user account.  This was determined after I recreated the users mailbox by exporting to PST, disabling the mailbox, creating a new mailbox then reimporting the mailbox content.

I used the following command in PowerShell to test the users ActiveSync configuration status.

Test-ActiveSyncConnectivity -MailboxCredential (Get-Credential domain\username) -UseAutodiscoverForClientAccessServer

The command failed.

I then piped the output to a format list function to provide more details about the error received.

The error received was as follows:

"[System.Net.WebException]: The remote server returned an error: (500) Internal Server Error."

As I knew the problem was not to do with the mailbox contents as I had recently recreated the users mailbox, and this user was the only user effected by the issue, it had to be a problem with the Active Directory user account itself.

After investigating the user account I noticed the account was no longer inheriting permissions in Active Directory.  After re-enabling inheritable permissions, this resolved the problem.

Troubleshooting Fun with the Test-ActiveSyncConnectivity cmdlet

The Test-ActiveSyncConnectivity cmdlet is a great command for testing Active Sync connectivity with a device.  This can be used to test Active Sync connectivity with any user in your domain.  You may have issues using this command however and the example commands provided in the Get-Help in powershell are wrong.  For example the powershell help instructs administrators to enter the users UPN or DomainNetBIOS\Username format for the MailboxCredential parameter.

Test-ActiveSyncConnectivity -UseAutodiscoverForClientAccessServer $true -URL "" -MailboxCredential

However the MailboxCredential parameter requires the full credentials including username and password of the user account in which your attempting to test.  Not doing so will result in the following error.

Cannot process argument transformation on parameter 'MailboxCredential'. Cannot convert the "jag" value of type "System.String" to type "System.Management.Automation.PSCredential".
    + CategoryInfo          : InvalidData: (:) [Test-ActiveSyncConnectivity], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Test-ActiveSyncConnectivity

To specify both the username and password along with the Test-ActiveSyncConnectivity cmdlet you can use the Get-Credential cmdlet, for example:

Test-ActiveSyncConnectivity -MailboxCredential (Get-Credential domain\username) -UseAutodiscoverForClientAccessServer

This command above will work.  What I also noticed is in the powershell help it mentions to use the $true switch for the UseAutodiscoverForClientAccessServer parameter.  You must not use the $true switch when running the command, if you do the command does not process correctly and you will receive this error:

Cannot bind positional parameters because no names were given.
    + CategoryInfo          : InvalidArgument: (:) [Test-ActiveSyncConnectivity], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousPositionalParameterNoName,Test-ActiveSyncConnectivity

So in summary, whenever you need to test Active Sync for an individual user within your domain, this is the command you need.

Test-ActiveSyncConnectivity -MailboxCredential (Get-Credential domain\username) -UseAutodiscoverForClientAccessServer

Tuesday, October 30, 2012

Delete Files older then X Days BATCH SCRIPT

To delete files older then X Days use the following script:

forfiles.exe /p D:\Files /s /m *.* /d -7 /c "cmd /c del @file"
/pThis parameter specifies the path that contain the files I wish to delete.
/sThis parameter tells the program to recurse into any subfolders to look for additional files.
/mIf you want to specify a specific file type, this parameter will allow you to limit the search to specific files, such as *.doc for Word documents. In my case, I looked for all files (*.*).
/dThis one is the key parameter – it specifies the last modified date value. In my example I specify “-7″ which indicates that the files need to have a modified date 7 days less than the current date.
/cThis is the command that I execute on the files found by the program. The delete command is executed in a command window for each file.

VB Script - Remove Files from being Read Only

The below VB Code uses scripting.filesystemobject to go through a bunch of files and remove the read only parameter.  I found it quite handy for a scheduled task when dealing with a rouge application.

Dim fl As File
If fso.FileExists(FileName) Then
    Set fl = fso.GetFile(FileName)
    If (fl.Attributes And ReadOnly) Then
      fl.Attributes = fl.Attributes - ReadOnly
    End If
End If

Hope this code snippet helps someone else!

A problem has been encountered in the Microsoft Exchange Messaging and Collaboration Services

When decommissioning an Exchange 2003 server when upgrading to Exchange 2010, the Exchange 2003 server failed to uninstall successfully and presented me with the following error message:

A problem has been encountered in the Microsoft Exchange Messaging and Collaboration Services setup component.  Canceling setup.

After the error message the Exchange 2003 server appeared to continue decommissioning, and when it rebooted Exchange 2003 no longer was listed in Add/Remove programs.  However on the Exchange 2010 server when doing a Get-ExchangeServer, the Exchange 2003 server still came up in the list meaning the Exchange 2003 server still existed within Active Directory.

To finish the uninstall manually I deleted the Exchange Server Object in Active Directory with ADSIEdit following the instructions documented under Microsoft KB833396:

This ensured that Exchange 2003 was successfully decommissioned.

Monday, October 29, 2012

OABGen encountered error 80004005 while cleaning the offline address list

Today I had an issue with Exchange 2010 Offline Address Book Generation (OABGen) at a customer.  The customer was complaining that their address book had not updated for quite some time.

When manually performing a OABGen against all Address Books on the Exchange server using the Get-OfflineAddressBook | Update-OfflineAddressBook command the following error was experienced in the event logs.

Log Name:      Application
Source:        MSExchangeSA
Date:          30/10/2012 11:14:55 AM
Event ID:      9335
Task Category: (13)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
OABGen encountered error 80004005 while cleaning the offline address list public folders under /o=Organization/cn=addrlists/cn=oabs/cn=Default Offline Address List.  Please make sure the public folder database is mounted and replicas exist of the offline address list folders.  No offline address lists have been generated.  Please check the event log for more information.
- \Default Offline Address List

In this environment there is an Exchange 2003 server and an Exchange 2010 server, OABGen had been moved across to Exchange 2010.  However the Exchange 2010 server was not a PF replica of the Offline Address Book public folders.  After adding the Exchange 2010 public folder database as a replica of the Offline Address Book public folder, this resolved the issue.

Running another Update-OfflineAddressBook I was able to verify the date stamp under C:\Program Files\Microsoft\Exchange Server\ExchangeOAB was updated.

Please note after OABGeneration is successful before clients are able to download the latest address book the File Distribution Service needs to run to download the OAB from OABGen to the Client Access Servers for distribution.  This by default runs every 8 hours but can be forced by running:

Update-FileDistributionService servername

If you do not understand the OAB Distribution process I highly recommend reading the following article, as this knowledge is required for troubleshooting the OAB Distribution process.  This process is used by both Exchange 2007 and Exchange 2010:

Thursday, October 25, 2012

Error: WMI exception occurred on server - Quota violation

Tonight I stumbled across a limitation in Exchange 2010 when moving a vast amount of Transaction Logs to volume on an Exchange 2010 SP2 server.  This server had over 100,000 logs which needed to be moved to an alternative location, when utilising the Move-DatabasePath command with the -LogFolderPath switch, the command would hang approximately 10 minutes then fail with the following error.

Failed to connect to target server "ExchangeServer". Error: WMI exception occurred on server 'ExchangeServer.domain.local': Quota violation
    + CategoryInfo          : InvalidOperation: (Mailbox Database 0529333988:DatabaseIdParameter) [Move-DatabasePath],
    + FullyQualifiedErrorId : 7897D20B,Microsoft.Exchange.Management.SystemConfigurationTasks.MoveDatabasePath

After doing some research I discovered that this only occurs when attempting to move a ridiculously large quantity of log files.

To resolve this problem you must purge the transaction logs first before performing the operation.  This can be done in 3 ways::
  • Perform a Full Backup of the Server which in effect will purge the logs.  This can be performed by using Windows Server Backup or another product.
  • Enable Circular Logging, dismount/remount the database, then Re-enable Circular Logging.
  • Manually delete the log files using windows explorer (SHIFT + DELETE).  Do not perform this procedure without checking first that all log files have been played into the database, doing so could result in loss of data.  Please see the following post for manually flushing transaction logs
After the transaction logs have been flushed, this error will no longer occur.

Tuesday, October 23, 2012

Force Active Directory replication on a domain controller

In order to force Active Directory replication, issue the command ‘repadmin /syncall /AeD’ on the domain controller.  Run this command on the domain controller in which you wish to update the Active Directory database for.  For example if DC2 is out of Sync, run the command on DC2.

A = All Partitions
e = Enterprise (Cross Site)
D = Identify servers by distinguished name in messages.

By default this does a pull replication - which is how AD works by default.  If you want to do a push replication use the following command:

repadmin /syncall /APeD

P = Push

You want to do a push replication if you make changes on a DC and you want to replicate those changes to all other DC's.  For example, you make a change on DC1 and you want all other changes to get that change instantly, run repadmin /syncall /APeD on DC1.

For all repadmin syntax please see:

Monday, October 22, 2012

What is the difference between IsExcludedFromProvisioning and IsSuspendedFromProvisioning

New in Exchange 2010 and carried into Exchange 2013 is a feature called Automatic Mailbox Provisioning.  This feature automatically load balances the creation of new mailboxes across all available databases when a creation of a new mailbox account occurs. It’s no longer mandatory to specify what database mailbox should reside on as Exchange uses a mailbox provisioning agent to take the decision for you on what mailbox database the mailbox creation will be created on.

It is recommended that all large Exchange deployments utilise the Automatic Mailbox Provisioning system to randomly distribute mailboxes between mailbox databases.  If you place users in particular mailbox databases based on items such as a department, in the event issues occur with a specific mailbox database and the database will not mount, an entire department within a company will be out of production for a period of time.  If mailboxes are randomly distributed between multiple databases, in the event a database goes offline, it will still effect the company however the impact will be less saver as all departments within your company will still be operational.

As we have identified, the Automatic Mailbox Provisioning system distributes mailboxes randomly amongst databases but what if we want to exclude a mailbox database from having additional mailboxes provisioned such as a mailbox database which is dedicated to holding Archive mailboxs?

Microsoft has included two attributes which can be configured against a Mailbox Database for this purpose called "IsExcludedFromProvisioning" and "IsSuspendedFromProvisioning".

What is the difference between these values?

Exchange 2010 help explains these attributes as:

-IsExcludedFromProvisioning <$true | $false>

The IsExcludedFromProvisioning parameter specifies that this database is permanently not considered by the mailbox provisioning load balancer. If the IsExcludedFromProvisioning parameter is enabled, new mailboxes aren't added automatically to this database. You can manually add a mailbox if your role permits.

-IsSuspendedFromProvisioning <$true | $false>

The IsSuspendedFromProvisioning parameter specifies that this database is temporarily not considered by the mailbox provisioning load balancer.

What does it mean by temporarily not considered?

I forwarded this question onto members of the Exchange product team and here is the response I received was they both do the same thing.

The reason they are two attributes is for environments which have multiple admins as a mechanism to indicate which provisioning suspensions are permanent, and which are temporary so that other admins know if they are allowed to un-suspend a mailbox database from provisioning.  Thus, in a multi-admin environment, if one admin configures either setting, the intent should be clear to the other admins (and therefore, they won’t remove a permanent suspension as a result of knowing that intent).

What would have been nicer is a IsExcludedFromProvisioningReason attribute where administrators can place a short string value to explain why it has been excluded from provisioning.

Tuesday, October 16, 2012

How to move a Calendar from one mailbox to another.

I have just migrated a company running Exchange 2003 to Exchange 2010.  Exchange 2003 does not utilise resource mailboxes and as a result, my customer has created a bunch of ordinary mailboxes to represent meeting rooms.  As of Exchange 2007 Microsoft introduced resource mailboxes to represent meeting rooms and equipment.

My customer now needs to either create new resource mailboxes to represent the meeting rooms or convert the existing shared mailboxes into room mailboxes.

How to migrate calendar data from one mailbox to another mailbox

In the event my customer chose to create new mailboxes to represent his meeting rooms it is possible to migrate just the calendar information from the existing shared mailboxes to the room mailboxes by using the following powershell commands:

Export the calendar data from one mailbox:

New-MailboxExportRequest -Mailbox "Ex2003SharedMailbox" -IncludeFolders "#Calendar#" -FilePath \\servername\c$\Ex2003SharedMailbox.pst

Import the calendar data into the new mailbox:

New-MailboxImportRequest -Mailbox "NewRoomMailbox" -IncludeFolders "#Calendar#" -FilePath \\servername\c$\Ex2003SharedMailbox.pst

How to migrate the shared mailboxes into room mailboxes

In the event my customer wants to convert the existing shared mailboxes into room mailboxes this can be done with the following command:

Set-Mailbox MailboxName -Type Room

PPTP VPN and Belkin F5D8635

There is an issue with PPTP VPN connections and the Belkin F5D8635 router.  By default the Belkin F5D8635 router does not allow the GRE protocol which is essential for creating PPTP VPN connections between VPN clients and VPN servers.  When attempting to create a PPTP VPN connection from Windows to a host VPN server the following error is experienced complaining that GRE is not available:

Error 806: The VPN connection between your computer and the VPN server could not be completed.  The most common cause for this failure is at least one Internet device (for example, a firewall or router) between your computer and the VPN server is not configured to allow Generic Routing Encapsulation (GRE) protocol packets.  If the problem persists, contact your network administrator or Internet Service Provider.

Belkin has resolved this issue in the latest version of their firmware which is version 1.00.23.

Login to your Belkin router web interface and click Firmware Update under Utilities.  Under Firmware Version if it says anything below 1.00.23 you will be unable to create a PPTP VPN connection through the router.

Download the latest version of the Belkin firmware from teh following location:

For a full list of fixes under Firmware version 1.00.23 please see:

Monday, October 15, 2012

Apple iPhone iOS6 and Exchange Autodiscover

You may be wondering why iOS6 on the Apple iPhone does not Autodiscover anymore?  It doesn't work!  We have done extensive testing with multiple mobile devices on Exchange Server 2010 SP2 UR4:

iPhone (4 or 4S) running IOS5 works great
iPhone (4, 4S or 5) running IOS6 does not work.

This article was posted 16/10/2012 - Apple might release an update for IOS6 which resolves this issue in the near future which will make this article redundant.

Sunday, October 14, 2012

Problem Moving Mailboxes

When migrating mailboxes to a new Exchange 2010 server from an old Exchange 2003 environment, some mailboxes failed to move and generated the following powershell exception:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:01

FinancialCounselling StNicholas

Active Directory operation failed on domaincontroller.domain.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

The user has insufficient access rights.
Click here for help...
Exchange Management Shell command attempted:
'domainname/Staff/accountname' | New-MoveRequest -TargetDatabase 'MailboxDatabase4'

Elapsed Time: 00:00:01

This issue is caused when incorrect permissions are set on the Active Directory user account.  To resolve this problem for a user perform the following procedure:

Open up Active Directory Users and Computers and enable Advanced Features.

Open up properties of the user account experiencing problems and select the security tab and click the Advanced button.

Select "Include inheritable permissions from this object's parent" and click OK.

This should resolve the problem.

Active Sync Issues on Exchange 2010

I migrated 600 mailboxes to a new Exchange server from 2003 to 2010.  The next morning when users got to work some users were complaining that their email was not working on their mobile phone.  When creating a new test account, Active Sync works fine so the issue is narrowed down to either a problem with the user account migrated from Exchange 2003 or a problem with the mailbox.  The error I experienced when running the Exchange Remote Connectivity Analyzer (ExRCA) against a problematic user was as follows:

An ActiveSync session is being attempted with the server.

Errors were encountered while testing the Exchange ActiveSync session.

Test Steps

Attempting to send the OPTIONS command to the server.

The OPTIONS response was successfully received and is valid.

Additional Details
Headers received: Allow: OPTIONS,POST
MS-Server-ActiveSync: 14.2
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Content-Length: 0
Cache-Control: private
Date: Mon, 15 Oct 2012 02:38:58 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

Attempting the FolderSync command on the Exchange ActiveSync session.
The test of the FolderSync command failed.

Additional Details
Exchange ActiveSync returned an HTTP 500 response.

After investigating the issue further it turned out that the issue was to do with incorrect security settings on the Active Directory user account.  To resolve the problem I performed the following steps:

If you open up Active Directory Users and Computers and locate one of your users that is not working, Double-Click into the account and click on the Security Tab (if this is not visible, Click on View --> Advanced Features from the Menu at the top of the screen then navigate back to your user).

Once on the security tab, click on the Advanced Button and make sure that the ‘Include Inheritable Permissions From This Object’s Parent’ is ticked. Click OK twice to close the user account.

In the user account properties click the advanced button.

In the advanced security window select "Include inheritable permissions from this object"

This will fix the problem for the account in question.

A Note for Administrator Accounts

If your account has administrative privilages in Active Directory you may find after inheriting permissions that your account may stop working again an hour later.  This happens because Active Directory uses AdminSDHolder to define permissions the default protected security groups receive.  Whilst you can change the inherited permissions, a process called SDPROP will run, by default every 60 minutes on the domain controller that holds the PDCe role. It will check the ACL of the protected groups and reset their inherited permissions and the users within the groups, with what has been defined by the AdminSDHolder object.

Microsoft’s recommendation and best practice is that if you are a domain administrator that you have 2 accounts. One for your everyday user which is restricted in the same way that every other user is and a second for your administration role.

The built in groups that are affected with Windows 2008 are:
Account Operators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Schema Admins
Server Operators

The built in users that are affected with Windows 2008 are:

Wednesday, October 10, 2012

Unable to open PST file filepath. Error details: Access to the path filepath is denied.

When attempting to import a PST file from an administrative workstation running Exchange Management Shell you may experience the following error:

Unable to open PST file "filepath". Error details: Access to the path "filepath" is denied.

When examining the PST file you notice that your account does indeed have permissions to access the PST file on your local computer.  Why is this error occurring?

This is because the Mailbox Replication Server (MRS) is running as LocalSystem it can’t access a network share. By adding the Exchange Trusted Subsystem group to the share permissions you will give the LocalSystem account and therefore MRS access to the share.

 To ensure this works for all PST files on a machine in any share, you can simply add "Exchange Trusted Subsystem" to the local Administrators group.

Exchange PST Capture Tool: Import error: Error opening mailbox

Today a customer consulted me to import 600 mailboxes into Microsoft Exchange from PST files scattered across the network.  However when performing the import into Exchange the following error was experianced:

Import error: Error opening mailbox

Now this error ususally occurs when the user does not have Mailbox Import Export permissions. This can be assigned to a user using the following PowerShell command:

New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "PSTImportUser"

However in my case this was not the problem.  I found out the hard way that you must have a 64bit version of Outlook installed on the PST Importer server.  My version of Outlook was 32bit hence causing the error.

Sunday, October 7, 2012

A Quick Look at WinSAT

WinSAT.exe is a fantastic free tool made by Microsoft for checking performance utilisation of a server through command line.  WinSAT allows you to quickly look at the performance of your disk, cpu or memory plus much more.

For example to look at your disk performance simply type from command prompt:

"winsat disk"

The "winsat disk" command provided the following output:

You can also look at memory performance by typing "winsat mem" or CPU performance by typing "winsat cpu".
winsat comes by default with all Windows 7 and Windows Vista operating systems, however it does not come on Windows Server 2008 or Windows Server 2008 R2.  You can however run this application on Windows Servers which can be done by simply copying the Winsat files to the System32 directory on a WIndows Server from a client.

The Winsat program is made up of the following two files:
  • WinSAT.exe
  • WinSATAPI.dll
Simply copy these files from a Windows Vista or Windows 7 client to the server's system 32 directory.  Note if it is a x64 server, you need to copy the files from an x64 version of Windows 7 or Windows Vista.  If the server is 32bit, you need to copy these files from a 32bit version of Windows 7 or Windows Vista.

What about testing network performance clint?

If you need to test network performance, I recommend you looking at a tool called IPERF.  Please see my following article:

Note: If you are having problems running winsat it is most likely due to User Account Control.  Make sure you open a command prompt as administrator to bypass UAC by right clicking on cmd.exe and selecting "Run As Administrator".

Monday, October 1, 2012

Windows Server 2012 Deduplication

Tonight I am playing with the new Windows Server 2012 RTM which I have downloaded and installed in a virtual environment. One of the new features which I like in Windows Server 2012 is the File Storage deduplication option. No longer do customers need to purchase expensive 3rd party deduplication software - Microsoft allows customers to perform deduplication of there data for free witht he purchase of a Windows Server 2012 license.

Below is a screenshot of where you enable the deduplication feature in the new Windows Server 2012 server manager console.

Introducing Exchange Online Protection (EOP)

If you have yet to hear, Microsoft has retired their entire Forefront product suite.  For products which will continue such as Forefront Identity Manager, these products have been moved to the System Center product suite.

As part of this move to remove the Forefront product family, Forefront protection for Exchange (FPE) and Forefront Online Protection for Exchange (FOPE) are also being removed.
Forefront Protection for Exchange (FOPE) is being replaced with a new product called Exchange Online Protection (EOP).  When I say new, it is actually the next release of FOPE.  Exchange Online Protection is an online Microsoft cloud service for filtering email.  It can be implemented for both cloud based Exchange customers such as Office 365 as well as on-premises implementations of Exchange.

In terms of Forefront Protection for Exchange (FPE), a product which is installed on a Windows server in the customers environment - there is no replacement I'm currently aware of.  Apart from the integrated spam filtering functionality which comes as part of Microsoft Exchange, Microsoft do not offer an on-premises product which customers can install for filtering email spam.  Customers will be encouraged moving forward to adopt Microsoft's online cloud services for filtering spam which can be found under EOP.

Exchange Online Protection offers customers the following functionality:

  • URL lists for spam filtering that block messages containing specific URLs within their message body. EOP includes additional lists beyond those available in FOPE.
  • The ability to skip spam filtering for trusted senders, based on subscription lists
  • The ability to filter messages written in specific languages, or sent from specific countries or regions
  • Malware filtering that can delete and strip unsafe attachments
  • The capacity to mark bulk email (such as advertisements) as spam through the user interface
  • The capability to search for, view, or release quarantined email messages in the EAC
  • Transport rules which you can use to control mail flow, based on a message’s content
  • Message tracing capability, which allows you to search for and view details about a specific message
  • Inbound connectors and outbound connectors you can use to enforce secure communication between you and a partner, or to make hybrid mail flow (where you host a portion of your mailboxes on-premises and a portion in the cloud) possible New reports, which you can use to monitor your organization’s mail flow, available in the Office 365 portal, by using a Microsoft Excel download application, or by using a Web service.
Previously FOPE had a seperate user interface to Office 365 for users to manage spam settings.  Microsoft has now consolidated this under the new Exchange Administrative Center (EAC).  For Exchange Online (Office 365) customers, EOP has now been intergrated directly into the EAC console, however for on-premises customers users will still need to go to another web address to access the online EAC for configuring Exchange Online Protection.
Below is a screenshot of the configuation interface for Exchange Online Protection (EOP):

Wednesday, September 26, 2012

Removing the requirement to specify domain name with Single Signon for Remote Desktop Services

Windows 2008 R2 Remote Desktop Services single signon provides the users the ability to login to RD Web Access and launch applications without having to provide login credentials twice.  While single sign on is great it does not just work out of the box, there are a few things you need to do to configure single sign on.  These steps are documented on the following blog post:

What is not documented however is for single sign on to work by default, users must login with:


For example:

If a user logs in with just the user name such bugs.bunny as show in the screenshot below, when the user enters the RD Web Access and attempts to launch a remote application the user will receive the error below.

Error experienced:

Your computer can't connect to the remote computer because an error occured on the remote computer that you want to connect to.  Contact your network administrator for assistance.

Note: This error message is generic and is presented for a wide range of problems relating to RDS.

For my this Active Directory we want users to login by simply entering their username, we do not want users to have to specify their domain name.  To do this perform the following procedure:


1.     Login to the Remote Desktop Web Access role-based server with local/Domain administrative permissions.

2.     Navigate to the following location:

 %windir%\Web\RDWeb\Pages\The Language of Your Location\

3.     Backup the login.aspx file to another location.

4.     Right click the login.aspx file, and select Edit. The file will be opened with Edit status in your default HTML editor.

5.     Change the original code section:

input id=”DomainUserName” name=”DomainUserName” type=”text” class=”textInputField” runat=”server” size=”25” autocomplete=”off” /

to be:

input id=”DomainUserName” name=”DomainUserName” type=”text” class=”textInputField” runat=”server” size=”25” autocomplete=”off” value=”domainname\” /
6.     Save the modification.

Now when users access the RD Web Access portal the username field will already be populated with domainname\


Sunday, September 23, 2012

Exchange 2010 Randomly Loosing Access to Active Directory

I had an issue at a customer site where a vitalised multi role Exchange 2010 server was randomly loosing access to Active Directory.  There were two Active Directory Domain Controllers with the Global Catalog role in the same Active Directory site as the Exchange 2010 server with highspeed 1gbps LAN between the servers.

When the issue occured Exchange 2010 would begin spitting the generic errors you receive whenever there is no Active Directory domain controller available.  Some of these errors include:

Log Name:      Application
Source:        MSExchange ADAccess
Date:          13/08/2012 8:58:37 AM
Event ID:      2114
Task Category: Topology
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Process STORE.EXE (PID=3788). Topology discovery failed, error 0x80040952 (LDAP_LOCAL_ERROR (Client-side internal error or bad LDAP message)). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

Log Name:      Application
Source:        MSExchange ADAccess
Date:          13/08/2012 9:01:56 AM
Event ID:      2103
Task Category: Topology
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1468). All Global Catalog Servers in forest DC=internal,DC=domain,DC=com are not responding:

Log Name:      Application
Source:        MSExchange ADAccess
Date:          13/08/2012 9:04:56 AM
Event ID:      2604
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Process MSEXCHANGEADTOPOLOGY (PID=1468). When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object Exchange2010 - Error code=80040934.
 The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

Log Name:      Application
Source:        MSExchange ADAccess
Date:          13/08/2012 9:07:56 AM
Event ID:      2501
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Exchange2010.domain.local
Process MSEXCHANGEADTOPOLOGY (PID=1468). The site monitor API was unable to verify the site name for this Exchange computer - Call=HrSearch Error code=80040934. Make sure that Exchange server is correctly registered on the DNS server.

When this issue was occuring I verified that the Exchange 2010 server was successfully talking to a domain controller in the same Active Directory site by issuing the following command from a command prompt:
NLTEST /DSGETDC:domain.local
The problem was with the Exchange 2010 application itself randomly loosing access to Active Directory.
After further diagnosing I made the following changes to the Windows TCP Network stack on the Exchange2010 server:
netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled
netsh int tcp set global taskoffload=disabled
netsh int tcp set global autotuninglevel=disabled
This resolved the problem.

Only run these commands on your Exchange 2010 server if you are sure that there is a Active Directory Domain Controller in the same Active Directory site as your Exchange 2010 server and the Exchange 2010 server is able to communicate with the Active Directory domain controller.  Ensure you diagnose all other possible resolutions first such as network/storage/cpu/memory bottlenecks.

Hope this post has been helpful.

Thursday, September 20, 2012

Reset Backup Exec 2012 to Factory Defaults

Symantec has published an article on how to restore Backup Exec to factory defaults using BEUtility.exe however this article only works for  Backup Exec 11D/12.0/12.5/2010/2010R2/2010R3.  This article can be found here:

When trying to perform this procedure on Backup Exec 2012 it fails with the following error message:

Error: Unable to drop database

This is a bug with Backup Exec 2012 however there is a work around, to restore the Database to Factory Defaults perform the following procedure:

1. Stop all backup exec services.
2. Go to C:\program files\symantec\backup exec\data
3. Rename the current database file bedb_dat.mdf to something else.
4. Rename the current log file database  bedb_log.ldf to something else
5. Now use bedb_dat.bak file and rename it to bedb_dat.mdf
6. Now use the bedb_log.bak file and rename it to bedb_log.ldf
7. Now restart all backup exec services.

Monday, September 17, 2012

View Mailbox Sizes for Exchange 2003 and Exchange 2010 through Powershell

If you need to view mailbox sizes for users in your Exchange organisation, you can do this from an Exchange Management Shell (EMS) for both Exchange 2003 and Exchange 2007/2010.

For your Exchange 2007/2010 users use the following command from EMS:

get-mailboxstatistics | fl displayname,totalitemsize

For your Exchange 2003 users use the following command from EMS:

Get-Wmiobject -namespace root\MicrosoftExchangeV2 -class exchange_mailbox -computer Ex2003ServerName | sort -desc size | select storageGroupName,StoreName,MailboxDisplayName,Size,TotalItems

Wednesday, September 12, 2012

Microsoft Axes the Forefront Product Suite

Today, Microsoft has announced that the Forefront product suite is no longer being continued.  Gartner started the rumours quite some time ago claiming that Microsoft was no longer going to continue Threat Management Gateway, however who would have thought this was to extend to the entire Forefront product suite.

Please read the following article by Forefront TMG MVP, Richard Hicks:

For the official annoucement from Microsoft please see:

Outlook can finally deal with Passwords Expiring

Outlook has never had the ability to deal with passwords expiring, until now!  The Microsoft Outlook team has released updates for Outlook 2010 and 2007 that provide Office 365 users with password expiration notifications. The advance password expiry notification will be displayed in a pop-up message (near the system clock) within a certain time period before their password actually expires. That time period is configurable by the tenant admin (see links below for more info). For users whose passwords have already expired, Outlook will flash an error message when users try to connect to their mailbox. In both scenarios, Outlook also provides a link (URL) to update passwords via the browser. When users click on those links, they are taken to the Microsoft Online Portal to change/update their passwords.

Very cool!

The knowledge base article for this update can be found under the KB2745588

Tuesday, September 11, 2012

Windows Server 2012 IIS8 Server Name Indication

A new version of Windows Server is about to become upon us, Windows Server 2012 and with this a new version of Internet Information Services (IIS), version 8.  IIS8 comes with a new cool feature called Server Name Indication (SNI).

In pervious versions of 5, 6, 7, 7.5 etc we have always had the ability to host multiple web sites under same IP address/port using HTTP/1.1 virtual hosting, i.e."Host Headers" where the web server looks at the DNS address entered into the Internet Browser and forwards the user to the appropriate site.  Of course if a user accesses a website by IP, the Host Header will not work.

IIS has supported utilising Host Headers for HTTPS sites also for quite some time, however this has always been harder to configure with manual editing of the IIS metabase being required in previous versions of IIS, see  However although SSL Host Headers were supported there was one problem which administrators faced.  There was no way to sign a different digital certificate for each HTTPS website.

Now with IIS8 in Windows Server 2012, a new feature has been added tha extends the SSL and TLS protocols to indicate what hostname the client is attempting to connect to at the start of the handshaking process.  This allows the IIS8 server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites to be served off the same IP address without requiring all those sites to use the same certificate.  Multiple digital certificates assigned to the same the same IP/Port - very cool.

I'm sure we will see many changes to applications which leverage IIS adopting this new technology.

Monday, September 10, 2012

Internal Names and Public Certificates

I have just found out today that internal domain names are no longer supported on public certificates.  Please view the following article by DigiCert.

For Exchange this is going to increase the requirement for split DNS within organisations to ensure customers can use the same address for both the Internal and External URLs.  However there are examples which I can see as being a problem moving forward.

When setting up a Remote Desktop Gateway server (for RDP over HTTPS) you need two public certificates, or one certificate with multiple subject alternative names. One public certificate will terminate the SSL endpoint of the RD Gateway server such as "" and is enabled within Internet Information Services.  The second certificate requires the internal name of the Remote Desktop Session Hosts or Terminal Servers to ensure the RDP traffic is digitally signed such as "terminalserver01.domain.local". This server certificate needs to be installed on the terminal server(s) themselves with the name matching the internal FQDN of the server(s).  Most companies do not install digital certificates to sign RDP traffic, instead they leave the default self-signed certificate on the servers (which does not show up in the local MMC certificates store).  This is why you always see the following warning when initiating remote desktop to a server:

Now we could use an internal certificate authority to issue the certificates for our RD Session Hosts, however this would require that all computers who access the RD Farm to be on the Active Directory domain to ensure they trust the internal certificate authority.  What about if there are users who are connecting in from machines that are not a member of the Active Directory domain?  One of my clients develops an application and sells the application by presenting it to clients as a RemoteApp meaning computers all over the world are launching this application.  Without having a public certificate containing internal names, my customers would receive warnings relating to the RDP traffic being untrusted.

I spoke to a representative from DigiCert about this today, and I ran this example past him.  The advise he presented to me was to rename the Active Directory forest to "" to ensure the domain ended with a dot com.  I do not see this as practical especially for large Active Directory domains which consist of thousands of users.

I wonder what other headaches these changes to the certificate standard will present for IT professionals around the world.

Please feel free to leave your comments on the matter.

Tuesday, September 4, 2012

The Limit for Outlook OST Files

How big can your Outlook OST file grow for cached Exchange mode?  Well the answer to this is BIG.  Outlook 2003/2007 out of the box has a 20GB limit on OST files, while Outlook 2010 has a 50GB limit on OST files.

This is documented by Microsoft on the following KB article:

Whilst these limits have been put in place they can be extended by modifying the MaxLargeFileSize DWORD registry value located under the following location:

Outlook 2010

The policy location for the registry entries is located in the following path in Registry Editor:

The user preference location for the registry entries is located in the following path in Registry Editor:

Outlook 2007

The policy location for the registry entries is located in the following path in Registry Editor:

The user preference location for the registry entries is located in the following path in Registry Editor:

Outlook 2003

The policy location for the registry entries is located in the following path in Registry Editor:

The user preference location for the registry entries is located in the following path in Registry Editor:

So whats this harp about PST files and OST files limited to 2GB in size?  ANSI (the format previously used for OST/PST files) is limited to 2GB in size - and it does not handle hitting this limit very well.

The new format which is used is Unicode - the actual Unicode limit is unknown.  We do believe it is in the TB, perhaps around 4 TB, but we have never tested (nor have we ever been able to test) to find the limit for performance reasons.

Move Messages to Another Working Queue

In the event a Hub Transport server is completely out, you may have the requirement to move all messages in a queue to another Hub Transport server in your organisation to ensure the messages are delivered.  How can you do this?

First you need to export all messages in the current queue.  You can do this with the following powershell commands:

$array = @(Get-Message -Queue "QueueName" -ResultSize unlimited)

$array | ForEach-Object {$i++;Export-Message $_.Identity | AssembleMessage -Path ("c:\MailsExport\"+ $i +".eml")}

To import the messages into the new Hub Transport server, simply place the .eml files into the Transport Pickup folder.  The new server should immediately start processing the messages.