Tuesday, February 8, 2011

ifmember.exe doesn't work on Windows Vista/2008/7

ifmember.exe no longer works on Windows Vista, 2008 or Windows 7. ifmember.exe was a handy tool for checking a user's group membership in batch scripts.

In previous versions of Windows ifmember.exe was used like this:

REM ifmember.exe sets ERRORLEVEL to the number of listed groups the user belongs to,
REM so "if errorlevel 1" is true when the user is a member of "MYOB Users"
ifmember.exe "MYOB Users"
if errorlevel 1 (
net use m: \\JCC-SBS\MYOB
)


What about Windows Vista, 2008 and Windows 7? Is there an alternative for ifmember.exe? The answer is yes! I use this:

REM find sets ERRORLEVEL 0 when the string is found and 1 when it is not.
REM Caveat: net user lists direct group memberships only (no nested groups)
REM and truncates long group names in its output.
net user /domain %username% | find "MYOB Users"
if not errorlevel 1 (
net use m: \\JCC-SBS\MYOB
)

Windows 7 Syncs 1 hour behind to 2008 SBS Server

I just setup a new SBS site. All windows 7 workstations were configured to use NT5DS (authoritative time). They were successfully syncing against the Windows Server 2008 SBS server.

Problem: Each time the workstations synced against the SBS server the time went back by 1 hour. You can force a sync using w32tm /resync.

This is because the SBS server is not syncing against an external time source (an atomic clock reached over NTP)! Configure the SBS server to sync its time against one (I use pool.ntp.org). Run the following commands on the SBS server!

w32tm /config /manualpeerlist:pool.ntp.org,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
w32tm /resync


Then go to the Windows 7 workstations and run w32tm /resync. The time should be correct.

Note: Workstations will automatically sync.
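The root cause above was a domain time source running on its own CMOS clock. As an added example (not from the original post), this PowerShell snippet reports which source a server is actually synchronising from and flags a free-running clock, so the problem is caught before every NT5DS client inherits the drift. It assumes Windows Vista / Server 2008 or later, where w32tm /query is available.

```powershell
# Added example, not from the original post: report which time source a server
# is actually using, so a domain controller that is free-running on its own
# clock is spotted before every NT5DS client inherits its drift.
function Get-TimeSource {
    # "w32tm /query /source" exists on Windows Vista / Server 2008 and later
    $output = & w32tm /query /source 2>&1
    return (($output | ForEach-Object { "$_" }) -join ' ').Trim()
}

function Test-TimeSourceIsExternal {
    param([string]$Source = (Get-TimeSource))
    # A free-running clock, or the hypervisor's time provider, is not an
    # authoritative source for a domain's time hierarchy
    return -not ($Source -match 'Local CMOS Clock|Free-running|VM IC Time Synchronization Provider')
}

function Get-TimeSyncReport {
    $source = Get-TimeSource
    $status = & w32tm /query /status 2>&1 | ForEach-Object { "$_" }
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Source   = $source
        External = (Test-TimeSourceIsExternal -Source $source)
        LastSync = (($status | Where-Object { $_ -match 'Last Successful Sync Time' }) -join '').Trim()
    }
}

$report = Get-TimeSyncReport
$report | Format-List Computer, Source, External, LastSync
if (-not $report.External) {
    Write-Warning "$($report.Computer) is not synchronising from an external source. On the server that holds the PDC emulator role run the w32tm /config command above, restart w32time and then w32tm /resync."
}
```

Run it on the SBS server first (it should show pool.ntp.org once configured) and then on a workstation, where the source should be the SBS server's name rather than "Local CMOS Clock".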

Thursday, January 27, 2011

Exchange 2010 SP2 - Enhanced Address List Segmentation

Exchange 2010 SP2 is expected to be released by Microsoft in the second half of 2011. With the release of SP2 the way GAL segmentation works has been changed.

GAL segmentation allowed administrators to optimize address lists in large companies, creating smaller 'virtual' organizations, with users only able to see the users they need to see.

In previous versions of Exchange GAL Segmentation was ACL based on a permission structure.

With Exchange 2010 SP2 GAL Segmentation will be delivered using an "Address Book Policy" assignment model.

Microsoft's intended audiences for this feature are organizations that:
- Require some form of sub-divided address book or who wish to create several 'virtual' organizations within a single Exchange Organization.
- Enable users to share some resources between these segmented user populations
- Seek to control which objects are visible to a user when they open their address book picker.

I will post more information on the new GAL Segmentation feature when given the thumbs up from Microsoft.

Additional reading:
http://msexchangeteam.com/archive/2011/01/27/457820.aspx

VBS - Find if logged on user is member of group

This script finds out if the logged on user is a member of a group. This is very handy for logon scripts.

' Find the user logged in
Set WshShell = CreateObject("WScript.Shell")
UserLoggedIn = WshShell.ExpandEnvironmentStrings("%username%")

' Run the functions if the user is a direct member of the group.
' The WinNT provider lists direct members only, not nested groups.
' kbomb.local is the author's domain and "Domain Admins" the group to test.
Set oGroup = GetObject("WinNT://kbomb.local/Domain Admins,group")
For Each oMember In oGroup.Members
    If LCase(oMember.Name) = LCase(UserLoggedIn) Then
        RunRegModifications()
        RunFileModifications()
    End If
Next

' Placeholders for the work to do when the user is a member
Function RunRegModifications()
    WScript.Echo "reg modification code here"
End Function

Function RunFileModifications()
    WScript.Echo "file modification code here"
End Function
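The ifmember.exe post above and this VBS script solve the same problem: decide in a logon script whether the current user is in a given group. As an added example (not from either post), here is the same check in PowerShell, which reads the groups from the user's own logon token instead of querying the directory. That is what ifmember.exe did, it includes nested groups, and it needs no resource kit tool. "MYOB Users", \\JCC-SBS\MYOB and "Domain Admins" are the values used in the posts.

```powershell
# Added example (not from the original posts): test whether the logged-on user
# belongs to a group by reading the groups in the user's own logon token, which
# is what ifmember.exe did. Token groups include nested membership and the
# names are not truncated, unlike the "net user /domain" output.
function Test-CurrentUserInGroup {
    param([Parameter(Mandatory = $true)][string]$GroupName)

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            # Translate the SID to DOMAIN\Group; SIDs that cannot be resolved
            # (for example a group from a trusted forest) are skipped
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            continue
        }
        # Accept "DOMAIN\MYOB Users" as well as plain "MYOB Users".
        # -eq is case-insensitive, matching how Windows treats group names.
        if ($account -eq $GroupName -or ($account -split '\\')[-1] -eq $GroupName) {
            return $true
        }
    }
    return $false
}

# Logon-script usage with the values from the posts above
if (Test-CurrentUserInGroup 'MYOB Users') {
    net use m: \\JCC-SBS\MYOB
}
if (Test-CurrentUserInGroup 'Domain Admins') {
    Write-Host 'Run the registry and file modifications here'
}
```

Two things to keep in mind: the token is built at logon, so a user added to a group today is not a member as far as this check (or ifmember.exe) is concerned until they log off and on again; and if you need to stay in a batch file, whoami /groups (built in from Vista onwards) prints the same token groups and can be piped to find /i the way net user is above.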

Find User Currently Logged In VBS

In VB Script the following code shows you which user is logged in:

Set WshShell = CreateObject("WScript.Shell")
UserLoggedIn = WshShell.ExpandEnvironmentStrings("%username%")
WScript.Echo UserLoggedIn


Very handy for logon scripts

Wednesday, January 26, 2011

Outlook on an Exchange 2007/2010 Server

Is Outlook supported on an Exchange server? The answer is Yes!

http://technet.microsoft.com/en-us/library/aa996719.aspx

It is supported to install Outlook 2007 on the same computer on which you have installed Exchange 2007.

Why install Outlook on the Exchange server?

In Exchange 2007 (RTM, SP1, SP2 and SP3) and Exchange 2010 RTM, Outlook was a requirement to use the PowerShell cmdlets that import from and export to PST files, as they used Outlook's APIs to perform these operations.

In Exchange 2010 SP1 Outlook is no longer a requirement to use the import/export PST cmdlets in PowerShell.

For small organisations installing Outlook on the Exchange server is ok!

For large organisations it is best practice to install the Exchange Management Tools on a Windows 7 PC or management server together with Outlook.

Monday, January 24, 2011

Exchange 2003 Setup Error 0xc0070002

When installing the Exchange 2003 SP2 management tools on an Exchange 2003 SP2 mailbox server the following error was experienced.

Setup failed while installing sub-components Exchange System Management Snap-ins with error code 0xC0070002 (please consult the installation logs for a detailed description). You may cancel the installation or try the failed setup again.

After the setup process EventID 1002 was logged from MSExchangeSetup in the Application logs.

Exchange Server component Microsoft Exchange System Mangement Tools failed.
Error: 0xc0070002 - The system cannot find the file specified.

Microsoft has documented two possible causes to this problem here:

http://support.microsoft.com/kb/924257

This problem can also occur if you try to install the Exchange 2003 SP2 management tools without the Exchange 2003 management tools installed.

1. To resolve this, reinstall Exchange 2003 with the management tools - hit yes every time you are prompted to replace any SP2 files.
2. Reinstall Exchange 2003 SP2 with SP2 management tools.
3. Reinstall SP2 security updates

Wednesday, January 19, 2011

Cross-Forest Migration and Exchange 2010 "hosting mode"

I'm consulting for a large company with 2 forests (Forest A and Forest B) running 7 domains - all Exchange 2003.

I am creating a new forest, Forest C.

All users, groups, computer objects and contacts are being migrated from all domains in Forest A and Forest B into a new domain in Forest C.

My customer wanted to know if it was possible to move the users' mailboxes "into the cloud" during the migration, into a fourth forest, Forest D, run by an Exchange hosting provider using Exchange 2010 "hosting mode".

Here is a copy of the response I received from Microsoft on the matter:

Hi Clint,

Thanks for your update.

So, here I would like to re-understand your concern: there are four forests A, B, C and D (forest D is installed with hosting mode Exchange 2010). You want to confirm whether it is possible to migrate user accounts, groups, computer accounts and other Active Directory objects from forests A and B to forest C while migrating mailboxes to forest D. Please let me know if there is any misunderstanding.

If my understanding is correct, I would like to let you know that it is not a recommended migration because of the following reasons:

1. If we migrate the mailbox and the Active Directory account to different forests, we have to create linked mailboxes. However, Exchange 2010 installed in hosting mode doesn't support a "resource forest". For example, based on the results of many tests, if we create a mailbox in forest D for a user in forest C, this user is not able to see others in the Global Address List while others are able to see him/her in the Global Address List.

2. A hosting mode Exchange server is designed for multi-tenancy. It is designed for those companies and organizations which don't have Active Directory and Exchange. So if we migrate mailboxes to the forest which holds the hosting mode Exchange server, I believe there will be a lot of unexpected issues and inconvenience.

For your reference, I would like to share the following article with you:

Multi-Tenant Support
http://technet.microsoft.com/en-us/library/ff923272.aspx

Please feel free to let me know if you have any concerns. I'm looking forward to hearing from you.

Best regards,
Leo Qin
Partner Online Technical Community


Hope this sheds some light on the matter for anyone facing the same scenario.

Thursday, January 13, 2011

Invoke or BeginInvoke cannot be called

When running SQL 2008 setup I received the following error.

SQL Server Setup has encountered the following error:

Invoke or BeginInvoke cannot be called on a control until the window handle has been created..


Weirdly enough when I closed my Explorer window which I used to browse to setup.exe it stopped the error from being generated.

Wednesday, January 12, 2011

How to find the SPECint2006 Rate Value for a CPU

How to find out your SPECint2006 Rate Value CPU rating when filling out Ross Smith's Exchange 2010 Mailbox Server Role Requirements Calculator.

Navigate to the following SPEC website and enter the CPU or system you want the SPECint2006 Rate Value for:

http://www.spec.org/cgi-bin/osgresults?conf=cpu2006

Counting Number of Public Folders

Below I will show you a method to count the number of public folders you have in your Exchange organisation for both Exchange 2003 and Exchange 2007/2010.

Exchange 2003

For Exchange 2003 download PFDavAdmin from the following location:

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=635BE792-D8AD-49E3-ADA4-E2422C0AB424&displaylang=en

In PFDavAdmin click Tools --> Options and enable logging to a file.

Then click Tools --> Content Report. Select "All public folders" for the scope.

Specify a location where to save the report.

When the report finishes generating you will have on your screen the total number of public folders residing on the server.

Exchange 2007/2010

Exchange 2007/2010 has native powershell support. Chris Schrimsher has produced a script that will automatically count the number of public folders you have in your organisation. To get a copy of his script please view the following link:

http://blogs.technet.com/b/gary/archive/2009/09/23/counting-public-folder-subfolders.aspx
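As an added example (not the linked script and not part of the original post), the count can also be produced directly with the Exchange 2007/2010 public folder cmdlets from the Exchange Management Shell. The second function gives the per-top-level-folder breakdown that the PFDavAdmin content report is usually run for.

```powershell
# Added example, not from the original post or Chris Schrimsher's script:
# count public folders with the native Exchange 2007/2010 cmdlets.
# Run this from the Exchange Management Shell.
function Get-PublicFolderCount {
    param([string]$Server)   # optional: count the hierarchy as seen by one server

    $params = @{ Identity = '\'; Recurse = $true; ResultSize = 'Unlimited' }
    if ($Server) { $params['Server'] = $Server }

    # Exclude the root "\" itself if the cmdlet returns it, so only real folders count
    $folders = @(Get-PublicFolder @params | Where-Object { $_.Identity.ToString() -ne '\' })
    return $folders.Count
}

# Break the total down by top-level folder
function Get-PublicFolderCountByTopLevel {
    Get-PublicFolder -Identity '\' -GetChildren -ResultSize Unlimited | ForEach-Object {
        $subtree = @(Get-PublicFolder -Identity $_.Identity -Recurse -ResultSize Unlimited)
        New-Object PSObject -Property @{
            TopLevelFolder = $_.Name
            FolderCount    = $subtree.Count   # includes the top-level folder itself
        }
    }
}

"Total public folders: $(Get-PublicFolderCount)"
Get-PublicFolderCountByTopLevel | Sort-Object FolderCount -Descending | Format-Table TopLevelFolder, FolderCount -AutoSize
```

This walks the IPM_SUBTREE (the folders users see). System folders such as the OAB and free/busy folders live under \NON_IPM_SUBTREE and are counted separately if you pass that as the Identity.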

SQL System Databases

Master Database

Purpose

Core system database to manage the SQL Server instance. In SQL Server 2005, the Master database is the logical repository for the system objects residing in the sys schema. In SQL Server 2000 and previous editions of SQL Server, the Master database physically stored all of the system objects.

Prominent Functionality

- Per instance configurations
- Databases residing on the instance
- Files for each database
- Logins
- Linked\Remote servers
- Endpoints

Additional Information

- The first database in the SQL Server startup process
- In SQL Server 2005, needs to reside in the same directory as the Resource database

Resource Database

Purpose

The Resource database is responsible for physically storing all of the SQL Server 2005 system objects. This database has been created to improve the upgrade and rollback of SQL Server system objects with the ability to overwrite only this database.

Prominent Functionality

- System object definition

Additional Information

- Introduced in SQL Server 2005 to help manage the upgrade and rollback of system objects
- Prior to SQL Server 2005 the system related data was stored in the master database
- Read-only database that is not accessible via the SQL Server 2005 tool set
- The database ID for the Resource database is 32767
- The Resource database does not have an entry in master.sys.databases

TempDB

Purpose

Temporary database to store temporary tables (#temptable or ##temptable), table variables, cursors, work tables, row versioning, index creation or rebuilds sorted in TempDB, etc. Each time the SQL Server instance is restarted all objects in this database are destroyed, so permanent objects cannot be created in this database.

Prominent Functionality

- Manage temporary objects listed in the purpose above

Additional Information

- Each time a SQL Server instance is rebooted, the TempDB database is reset to its original state

Model Database

Purpose

Template database for all user defined databases. This is the template that is used when creating a new database.

Prominent Functionality

- Objects
- Columns
- Users

Additional Information

- User defined tables, stored procedures, user defined data types, etc. can be created in the Model database and will exist in all future user defined databases
- The database configurations such as the recovery model for the Model database are applied to future user defined databases

MSDB Database

Purpose

Primary database to manage the SQL Server Agent configurations

Prominent Functionality

- SQL Server Agent Jobs, Operators and Alerts
- DTS Package storage in SQL Server 7.0 and 2000
- SSIS Package storage in SQL Server 2005

Additional Information

- Provides some of the configurations for the SQL Server Agent service
- For the SQL Server 2005 Express edition installations, even though the SQL Server Agent service does not exist, the instance still has the MSDB database

Distribution

Purpose

Primary data to support SQL Server replication.

Prominent Functionality

- Database responsible for the replication meta data
- Supports the data for transaction replication between the publisher and subscriber(s)

ReportServer

Purpose

Primary database for Reporting Services to store the meta data and object definitions.

Prominent Functionality

- Reports security
- Job schedules and running jobs
- Report notifications
- Report execution history

ReportServerTempDB

Purpose

Temporary storage for Reporting Services

Prominent Functionality

- Session information
- Cache
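As an added example (not part of the original page), the following PowerShell function inspects the system databases described above from any machine with the .NET SqlClient provider: it lists master, tempdb, model and msdb plus the optional replication and Reporting Services databases, shows the recovery model that model will hand to new databases, and confirms that the Resource database has no row in sys.databases and is only visible through SERVERPROPERTY(). $Instance is an assumed instance name and Windows authentication is assumed.

```powershell
# Added example, not from the original page: inspect the system databases
# described above through System.Data.SqlClient. $Instance is an assumption,
# adjust it for your server; the connection uses Windows authentication.
function Get-SystemDatabaseInfo {
    param([string]$Instance = 'localhost')

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # database_id 1-4 are master, tempdb, model and msdb; the others exist only
        # when replication or Reporting Services have been configured
        $cmd.CommandText = @"
SELECT name, database_id, recovery_model_desc, is_read_only
FROM sys.databases
WHERE database_id <= 4
   OR name IN ('distribution', 'ReportServer', 'ReportServerTempDB')
ORDER BY database_id;
"@
        $databases = New-Object System.Data.DataTable
        $databases.Load($cmd.ExecuteReader())

        # The Resource database (id 32767) has no row in sys.databases; its
        # version and last update time come from SERVERPROPERTY instead
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ResourceVersion') AS nvarchar(128)) AS ResourceVersion, " +
                           "SERVERPROPERTY('ResourceLastUpdateDateTime') AS ResourceLastUpdate;"
        $resource = New-Object System.Data.DataTable
        $resource.Load($cmd.ExecuteReader())

        New-Object PSObject -Property @{
            Databases           = $databases
            ResourceInDatabases = ($databases.Select("database_id = 32767").Length -gt 0)   # expected False
            ResourceVersion     = $resource.Rows[0].ResourceVersion
            ResourceLastUpdate  = $resource.Rows[0].ResourceLastUpdate
            ModelRecoveryModel  = $databases.Select("name = 'model'")[0].recovery_model_desc
        }
    } finally {
        $conn.Close()
    }
}

$info = Get-SystemDatabaseInfo -Instance 'localhost'
$info.Databases | Format-Table name, database_id, recovery_model_desc, is_read_only -AutoSize
"Resource database listed in sys.databases: $($info.ResourceInDatabases)"
"Resource database version $($info.ResourceVersion), last updated $($info.ResourceLastUpdate)"
"New user databases will inherit recovery model: $($info.ModelRecoveryModel)"
```

The recovery model line is the practical point of the model database: if it reports FULL and nobody schedules log backups for the databases that inherit it, the transaction logs of every new database will grow until the disk fills.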

Exchange Public Folder Tools

pfadmin 1.3
Available at: ftp://ftp.microsoft.com/pss/tools/Exchange%20Support%20Tools/PFAdmin/
Used for: imports, or interactively
Works with: Exchange 5.5, 2000, 2003
Description: This is the original pfadmin from the Exchange 5.5 days. The most typical use is for running permissions imports that were generated with pfinfo 3.x, which are made up of SETACL command lines. You can also use it interactively to run SETACL and SETREPLICA commands. Pfadmin lets you view the current permissions and replicas using LISTACL and LISTREPLICAS respectively. However, these dumps cannot be imported since they don't use the SETACL or SETREPLICA command format.

pfinfo 3.x
Available at: ftp://ftp.microsoft.com/pss/tools/Exchange%20Support%20Tools/PFInfo/55/
Used for: exporting permissions in pfadmin 1.3 command syntax, also reports certain properties
Works with: Exchange 5.5
Description: This is the original pfinfo from the Exchange 5.5 days. The most typical use is for running permissions exports, which are actually just a list of SETACL commands. These can be imported using pfadmin 1.3. Pfinfo also generates a report that includes various other properties of the folder, such as item count and folder size. The property export can not be imported. You can try running this against Exchange 2000 and 2003, but you will find that in some cases subfolders will appear as root folders in the export, because pfinfo gets the folder path from the directory object, which is not always populated in 2000 and 2003.

pfadminE2K
Available at: ftp://ftp.microsoft.com/pss/tools/Exchange%20Support%20Tools/PFAdmin/
Used for: imports
Works with: Exchange 2000 RTM only
Description: This is an updated pfadmin for Exchange 2000, but it is not widely used due to several shortcomings. First, its command and permissions syntax is completely different from pfadmin 1.3, meaning you can't import your old pfinfo exports with the new pfadminE2K. Second, with E2K SP1 and later, most operations fail. It only works reliably with the RTM version of E2K.

pfinfoE2K
Available at: ftp://ftp.microsoft.com/pss/tools/Exchange%20Support%20Tools/PFInfo/2000/
Used for: exporting permissions in pfadminE2K command syntax, also reports certain properties
Works with: Exchange 2000 RTM only
Description: This is the updated pfinfo for Exchange 2000, which was also not widely used for similar reasons. The new permissions export format made it incompatible with any tool except pfadminE2K, and it only works reliably with E2K RTM.

OutlookFolders
Available at: ftp://ftp.microsoft.com/pss/tools/Exchange%20Support%20Tools/Outlook_Folders/
Used for: exports permissions in pfadmin 1.3 command syntax
Works with: Exchange 5.5, 2000, 2003
Description: This utility accesses Exchange via a MAPI profile, and thus it works with any version of Exchange. It generates permissions exports in pfadmin 1.3 SETACL command syntax.

PFDavAdmin
Available at: ftp://ftp.microsoft.com/pss/tools/Exchange%20Support%20Tools/PFDavAdmin/
Used for: exporting and importing permissions and replica lists in pfadmin 1.3 command syntax, version 2.3 and later exports properties
Works with: Exchange 2000, 2003
Description: PFDavAdmin accesses the information store through webDAV, thus the name, and was originally written to correct non-canonical DACLs on public folders. Its features eventually expanded to include imports and exports of permissions and replicas in pfadmin 1.3 command syntax. Version 2.3 and later can also export properties such as item count (PR_CONTENT_COUNT) and folder size (PR_MESSAGE_SIZE) into a tab-delimited file similar to the old pfinfo output (which also can not be imported, just like the old pfinfo output). In addition, it can be used to propagate single permissions and replicas down a tree of subfolders, instead of overwriting as ESM does. It has other features as well, which are discussed in the included doc.

pfmigrate
Available at: http://www.microsoft.com/exchange/downloads/2003/default.mspx, as part of the E2K3 deployment tools
Used for: adding and removing replicas for all folders on a server, site consolidation
Works with: Exchange 2000, 2003
Description: Pfmigrate is especially useful for Exchange 2003 Sp1 site consolidation, since it changes the legacy DN of a public folder, which no other utility does. Site consolidation is outside the scope of this article. However, pfmigrate can also be used to simply add replicas of all folders on one server to another server, and remove replicas of all folders from the original server.

exdeploy
Available at: http://www.microsoft.com/exchange/downloads/2003/default.mspx, as part of the E2K3 deployment tools
Used for: besides the other things exdeploy is used for, the /pubfoldcheck switch is of interest in regard to public folders, as /pubfoldcheck runs the part of the DS/IS Consistency Adjuster that removes unknown accounts from public folder ACLs. Those unknown accounts, if unhandled, could be replicated to Exchange 200x servers as zombie users, causing problems. Exdeploy /pubfoldcheck can be scripted and run against multiple servers. NOTE: earlier versions of the exdeploy help stated that /pubfoldcheck also synchronized the public folder store and the Exchange directory (which could possibly cause public folders to be rehomed). This is incorrect and it has been fixed in the new version of the help file available with the tool at the above link.

ExFolders - Exchange 2010 RTM
Available at: http://msexchangeteam.com/files/12/attachments/entry453398.aspx
This is the ExFolders tool, an Exchange 2010 (RTM) compatible replacement for the PFDAVAdmin tool.

ExFolders - Exchange 2010 SP1
Available at: http://msexchangeteam.com/files/12/attachments/entry456255.aspx
This is the ExFolders tool, an Exchange 2010 (SP1) compatible replacement for the PFDAVAdmin tool.

More about the new Exchange 2010 ExFolders tool:
http://msexchangeteam.com/archive/2009/12/04/453399.aspx


This is an updated version of Bill Long's article. The original article can be found here:
http://msexchangeteam.com/archive/2004/11/05/252979.aspx

Exchange Jetstress

Use Jetstress 2010 to verify the performance and stability of a disk subsystem prior to putting a Microsoft Exchange Server 2003, 2007 and 2010 server into production. Jetstress helps verify disk performance by simulating Exchange disk Input/Output (I/O) load. Specifically, Jetstress simulates the Exchange database and log file loads produced by a specific number of users. You use Performance Monitor, Event Viewer, and ESEUTIL in conjunction with Jetstress to verify that your disk subsystem meets or exceeds the performance criteria you establish. After a successful completion of the Jetstress Disk Performance and Stress Tests in a non-production environment, you will have ensured that your Exchange disk subsystem is adequately sized (in terms of performance criteria you establish) for the user count and user profiles you have established. It is highly recommended that the Jetstress user read through the tool documentation before using the tool.

You should always run Jetstress on your new Exchange 2003/2007 or 2010 server before putting it into production.

Download the x86 version here:
http://www.microsoft.com/downloads/en/details.aspx?familyid=94b9810b-670e-433a-b5ef-b47054595e9c&displaylang=en

Download the x64 version here:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=13267027-8120-48ed-931b-29eb0aa52aa6

Tuesday, January 11, 2011

Microsoft-Windows-GroupPolicy Event ID 1006

I had a very frustrating issue today with group policy at a client on a few member servers running Windows Server 2008 R2.

A quick google showed DNS as a cause - I checked my DNS configuration and it was correct so I discarded this as the reason.

A few member servers were receiving the following error:

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 12/01/2011 11:51:40 AM
Event ID: 1006
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: torwmg832.domain.local
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

On the details tab I was getting ErrorCode 49.

The following TechNet article from Microsoft says Error Code 49 is the following:

Error code 49 (Invalid credentials)
This error code might indicate that the user's password expired while the user is still logged on the computer.
To correct invalid credentials:
1. Change the user's password.
2. Lock/unlock the workstation.
3. Check if there are any system services running as the user account.
4. Verify the password in service configuration is correct for the user account.

http://technet.microsoft.com/en-us/library/cc727283.aspx

This error code description from Microsoft completely threw me off track diagnosing the computer account passwords, rejoining PC's to the domain and diagnosing the Kerberos Key Distribution Center (KDC) service.

All tests against the domain using nltest for the computer account were passing successfully, including the secure channel query (nltest /sc_query:<domain>, described in the nltest help as "/SC_QUERY: - Query secure channel for Domain on ServerName").

I was confident it was nothing to do with authentication!

There were so many forum posts on the Internet leading to DNS as being the cause for this error. I decided to revisit my name resolution even though DNS was working correctly.

I checked the local host file. It was full of entries.

I removed these entries and the problem was resolved. A very simple fix for such a painful problem.

Hopefully this post will stop others from going through my pain!
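To save the next person the same hunt, here are the two checks from this post scripted in PowerShell, as an added example that is not part of the original post: pull the recent Group Policy 1006 events from the System log, and list every active line in the hosts file, flagging entries that override names in the machine's own AD domain (the cause here). It assumes PowerShell 2.0 on Windows Server 2008 R2, where Get-WinEvent is available, and a domain logon so that USERDNSDOMAIN is set.

```powershell
# Added example, not from the original post: the two checks from this write-up,
# scripted. The first pulls recent Group Policy 1006 events; the second lists
# every active hosts file entry, which is what turned out to be the cause.
function Get-GroupPolicyBindFailures {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        Id           = 1006
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Get-ActiveHostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content $Path |
        Where-Object { $_ -match '^\s*[^#\s]' } |                  # skip blank and comment lines
        ForEach-Object {
            $fields = ($_ -replace '#.*$', '').Trim() -split '\s+'   # drop trailing comments
            $names = @()
            if ($fields.Count -gt 1) { $names = @($fields[1..($fields.Count - 1)]) }
            New-Object PSObject -Property @{ Address = $fields[0]; Names = $names }
        }
}

# Hosts entries for names in the machine's own AD domain bypass DNS for
# domain controller lookups and deserve a hard look
function Get-SuspectHostsEntries {
    param([string]$DnsDomain = $env:USERDNSDOMAIN)
    if (-not $DnsDomain) { return @() }
    $pattern = '(?i)\.' + [regex]::Escape($DnsDomain) + '$'
    Get-ActiveHostsEntries | Where-Object {
        @($_.Names | Where-Object { $_ -match $pattern }).Count -gt 0
    }
}

Get-GroupPolicyBindFailures | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
Get-SuspectHostsEntries | Format-Table Address, Names -AutoSize
```

A populated hosts file is worth checking on any server with unexplained authentication or Group Policy errors: it is consulted before DNS, it is not visible in nslookup output, and it silently survives every DNS change made elsewhere.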

Monday, January 10, 2011

Exchange 2010 Storage Planning and Testing

I have been arguing with clients for the last 2 years against purchasing expensive SANs and RAID solutions to run their Exchange 2010 infrastructure. I explain to them that an individual mailbox server or disk is not important. Set your infrastructure up so you can remove any server from the equation and allow users to continue to receive email!

I get IT professionals and Solution Architects looking at me like I'm an idiot when I say things like "you don't even need RAID on your cheap mailbox servers in many cases".

Before purchasing expensive storage infrastructure to run Exchange 2010 please read the following article:

http://msexchangeteam.com/archive/2011/01/07/457471.aspx

A big thank you to Robert Gillies from Microsoft for taking the time to document Exchange 2010 storage and giving me some backup in my arguments with customers.

Exchange Cloud Based Archives with Office 365

Exchange Server 2010 RTM introduced archives, allowing you to archive the user's mailbox within the same Exchange mailbox database.

Exchange Server 2010 SP1 made it possible to store your archive mailboxes in a different mailbox database on the Exchange 2010 server.

With Office 365 beta, we can now enable organizations to store archive mailboxes in the cloud, while maintaining the primary mailbox on your on-premises Mailbox servers running Exchange 2010 SP1. Users can seamlessly access their primary on-premises mailbox and their archive in the cloud using Outlook 2010, Outlook 2007 and Outlook Web App (OWA).

http://msexchangeteam.com/archive/2011/01/10/457525.aspx

Thursday, January 6, 2011

Exchange Journaling Questions

Is it possible for my email to get journaled more than once by a single hub transport server?

Yes it is. With Exchange 2010, it's possible to have a message journaled several times because of the way the transport expands the Distribution List. The transport will try to send the message as soon as possible, so it "chips" the DL into chunks of 1000, processes each chunk with any enabled transport agents (including the journal agent), then sends the first chunk of 1000. If you have a DL of, say, 4500 members, you'd get 5 messages in the journal. You can change the size of the "chip" to a value large enough that no DL would have more members than the value of "ExpansionSizeLimit". You have to make that change in the file edgetransport.exe.config on each HT server and then restart the transport service.

This is explained on the following link:

http://clintboessen.blogspot.com/2011/01/email-gets-journaled-multiple-times-for.html

If an email passes through multiple Hub Transport servers, is it journaled more than once as it's being processed by multiple transport agents? Hub Transport servers in sites marked as Hub Sites can cause emails to be processed by multiple Hub Transport servers along the way.

No. Emails are only ever processed by one journal agent. Once an email passes through the first Hub Transport server the Journal Agent "stamps" the email as processed in the message header with the X-MS-Exchange-Organization-Processed-By-Journaling x-header, so other Hub Transport servers can determine it's already journaled. This prevents the Journal Agent from processing it more than once.
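As an added example (not part of the original post), here is a small PowerShell header inspector for the second answer: it unfolds a message's internet headers, reports whether the journaling stamp named above is present, and lists the Hub Transport hops from the Received: headers. The sample header block is constructed for the example, and the stamp's value in it is illustrative; only the header name comes from the post.

```powershell
# Added example, not from the original post: check a message's internet headers
# for the stamp a Hub Transport server adds once the journal agent has handled
# it. The sample headers below are constructed; the stamp's value is illustrative.
$JournalStampHeader = 'X-MS-Exchange-Organization-Processed-By-Journaling'

function Get-HeaderValues {
    param([Parameter(Mandatory = $true)][string]$RawHeaders,
          [Parameter(Mandatory = $true)][string]$Name)
    # Unfold RFC 5322 continuation lines (a line starting with space/tab) first
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $pattern  = '^(?i)' + [regex]::Escape($Name) + '\s*:\s*(.*)$'
    foreach ($line in ($unfolded -split "`r?`n")) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) { $m.Groups[1].Value.Trim() }
    }
}

function Test-JournalProcessed {
    param([Parameter(Mandatory = $true)][string]$RawHeaders)
    return (@(Get-HeaderValues -RawHeaders $RawHeaders -Name $JournalStampHeader).Count -gt 0)
}

# Hops the message took, newest first, taken from the Received: headers
function Get-TransportPath {
    param([Parameter(Mandatory = $true)][string]$RawHeaders)
    Get-HeaderValues -RawHeaders $RawHeaders -Name 'Received' | ForEach-Object {
        if ($_ -match '^from\s+(\S+).*?\s+by\s+(\S+)') { "$($matches[1]) -> $($matches[2])" }
    }
}

# Constructed sample: a message that crossed two Hub Transport servers and was
# stamped by the first one it passed through
$sample = @"
Received: from HUB02.corp.example (10.0.2.5) by HUB03.corp.example
 with Microsoft SMTP Server; Thu, 6 Jan 2011 09:00:02 +0800
Received: from HUB01.corp.example (10.0.1.5) by HUB02.corp.example
 with Microsoft SMTP Server; Thu, 6 Jan 2011 09:00:01 +0800
X-MS-Exchange-Organization-Processed-By-Journaling: Journal Agent
Subject: Quarterly figures
"@

"Already journaled: $(Test-JournalProcessed -RawHeaders $sample)"
Get-TransportPath -RawHeaders $sample
```

Note that X-MS-Exchange-Organization-* headers are internal and are stripped when a message leaves the Exchange organization, so look at the headers of a copy taken inside the org (for example from a journal report or a transport pipeline trace) rather than a copy received externally.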

Email gets Journaled Multiple times for Large Distribution Lists

With Exchange 2010, it's possible to have a message journaled several times because of the way the transport expands the Distribution List. The transport will try to send the message as soon as possible, so it "chips" the DL into chunks of 1000, processes each chunk with any enabled transport agents (including the journal agent), then sends the first chunk of 1000. If you have a DL of, say, 4500 members, you'd get 5 messages in the journal. You can change the size of the "chip" to a value large enough that no DL would have more members than the value of "ExpansionSizeLimit". You have to make that change in the file edgetransport.exe.config on each HT server and then restart the transport service.

A big thank you to Rich Matheisen [MVP] for explaining this to me.

[EDIT]

The following comment was made from Ross Smith from Microsoft:

We don’t recommend changing the chipping size as it is a feature to help with memory management. Sure you can manipulate a knob and increase the number, but ultimately either a) there will be performance issues (undefined) or b) a message will still contain more recipients than the custom number entered. In other words, there is no guarantee a single message will always be used when generating the journal report.

Exchange 2010 Group Metrics

Every organisation only contains one mailbox server responsible for generating the Offline Address Book. This server is known as the OAB Generation server. The OAB Generation server then distributes the OAB to Client Access Servers for distribution to Outlook clients. I explained this process on a previous blog post.

Please see:
http://clintboessen.blogspot.com/2009/05/how-oab-distribution-works.html

The mailbox server running OABGen also has another role, to generate group metrics. Group metrics counts the members of all groups periodically on mailbox servers, and uses Exchange File Distribution to get the group metrics files out to CAS servers. Exchange File Distribution is the same method used in OAB distribution.

The Exchange 2010 mailbox server will have a share called \\mailboxserver\GroupMetrics where your group metrics are generated. If you're not seeing that on any mailbox servers, you're not generating group metrics. When you look in that share, make sure the files in it have been changed within the past 24 hours. Restarting the Exchange Service Host will generate a fresh file; that process may take minutes or hours depending on the number of groups in your organization. Also, make sure the Exchange File Distribution service is running on Client Access servers and Mailbox servers, and that your CASes can connect to \\mailboxserver\GroupMetrics.

It is possible to separate the mailbox servers generating OABGen and Group Metrics. To configure a different server to generate Group Metrics use the following command (the cmdlet takes the mailbox server's name as its Identity):

Set-MailboxServer -Identity <MailboxServerName> -GroupMetricsGenerationEnabled $true

I do not recommend this however, as neither the OABGen nor the Group Metrics generation role can be clustered or made highly available in any way. As a result it is best to put both these tasks on the same box so you're mentally aware of the single point of failure (SPOF).

What are Group Metrics used for?

Group metrics counts the members of all groups periodically on mailbox servers. Group metrics is used by a MailTip which counts the number of users you're about to send an email to.
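The checks described above (which server generates group metrics, whether the GroupMetrics share holds files newer than 24 hours, and whether the File Distribution service is running on every CAS and Mailbox server) scripted for the Exchange Management Shell, as an added example that is not part of the original post. It assumes the share is reachable over SMB from where you run it and that Get-Service can reach each server remotely.

```powershell
# Added example, not from the original post: verify group metrics generation
# and distribution from the Exchange Management Shell.
function Get-GroupMetricsGenerator {
    Get-MailboxServer | Where-Object { $_.GroupMetricsGenerationEnabled } |
        Select-Object -ExpandProperty Name
}

function Test-GroupMetricsShare {
    param([Parameter(Mandatory = $true)][string]$MailboxServer, [int]$MaxAgeHours = 24)
    $share  = "\\$MailboxServer\GroupMetrics"
    $result = New-Object PSObject -Property @{
        Server = $MailboxServer; ShareReachable = $false; NewestFile = $null; Fresh = $false
    }
    if (Test-Path $share) {
        $result.ShareReachable = $true
        # Newest file in the share; anything older than MaxAgeHours means
        # generation has stalled (restarting the Exchange Service Host forces a run)
        $newest = Get-ChildItem $share | Where-Object { -not $_.PSIsContainer } |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if ($newest) {
            $result.NewestFile = $newest.LastWriteTime
            $result.Fresh      = ($newest.LastWriteTime -gt (Get-Date).AddHours(-$MaxAgeHours))
        }
    }
    return $result
}

# MSExchangeFDS is the Microsoft Exchange File Distribution service, which
# moves both the OAB and the group metrics files to the CAS role
function Get-FileDistributionServiceState {
    $servers = @(Get-ClientAccessServer | Select-Object -ExpandProperty Name) +
               @(Get-MailboxServer | Select-Object -ExpandProperty Name) | Sort-Object -Unique
    foreach ($server in $servers) {
        $svc = Get-Service -ComputerName $server -Name MSExchangeFDS -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Server    = $server
            FDSStatus = $(if ($svc) { $svc.Status } else { 'not found' })
        }
    }
}

$generators = @(Get-GroupMetricsGenerator)
"Group metrics generated on: $($generators -join ', ')"
$generators | ForEach-Object { Test-GroupMetricsShare -MailboxServer $_ } |
    Format-Table Server, ShareReachable, NewestFile, Fresh -AutoSize
Get-FileDistributionServiceState | Format-Table Server, FDSStatus -AutoSize
```

An empty generator list means no server is producing group metrics at all, which matches the "share does not exist" symptom described above.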

Recover Deleted Items and Mailbox Quotas

A question that is often asked is whether the Recover Deleted Items folder contributes to the user's mailbox quota. The answer is No. Microsoft has documented this on TechNet in a bizarre location.

http://technet.microsoft.com/en-us/library/ee861123.aspx

Items in the Recoverable Items folder aren't calculated toward the user's mailbox quota. In Exchange 2010, the Recoverable Items folder has its own quota. When a user's Recoverable Items folder exceeds the warning quota for recoverable items (as specified by the RecoverableItemsWarningQuota parameter), an event is logged in the Application event log of the Mailbox server. When the folder exceeds the quota for recoverable items (as specified by the RecoverableItemsQuota parameter), users won't be able to empty the Deleted Items folder or permanently delete mailbox items. Also copy-on-write won't be able to create copies of modified items. Therefore, it's critical that you monitor the Recoverable Items quotas for mailbox users placed on litigation hold.

For mailbox databases, the default RecoverableItemsWarningQuota and RecoverableItemsQuota values are set to 20 GB and 30 GB respectively. These settings are usually sufficient for storing several years of mailbox data when on litigation hold. To modify these values for a mailbox database, use the Set-MailboxDatabase cmdlet. To modify them for individual mailboxes, use the Set-Mailbox cmdlet.
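The TechNet text says to monitor the Recoverable Items quota for mailboxes on litigation hold, because those are the mailboxes that can no longer purge once the quota is hit. As an added example (not part of the original post or the TechNet article), here is an Exchange Management Shell report that does that. It assumes the mailbox-level RecoverableItemsQuota applies when it holds a value and the database default applies otherwise, and $WarnPercent is an assumed threshold.

```powershell
# Added example, not from the original post: report Recoverable Items usage
# against quota for mailboxes on litigation hold. Assumes the mailbox-level
# quota applies when set, otherwise the database default; $WarnPercent is an
# assumed threshold.
function ConvertTo-Bytes {
    param($Size)
    # Exchange sizes render as strings such as "20 GB (21,474,836,480 bytes)";
    # "unlimited" carries no number and yields $null
    $text = "$Size"
    if ($text -match '\(([\d,]+)\s+bytes\)') { return [int64]($matches[1] -replace ',', '') }
    return $null
}

function Get-RecoverableItemsUsage {
    param([int]$WarnPercent = 80)

    Get-Mailbox -ResultSize Unlimited -Filter { LitigationHoldEnabled -eq $true } | ForEach-Object {
        $mailbox     = $_
        $quotaBytes  = ConvertTo-Bytes $mailbox.RecoverableItemsQuota
        $quotaSource = 'mailbox'
        if ($quotaBytes -eq $null) {
            $quotaBytes  = ConvertTo-Bytes (Get-MailboxDatabase -Identity $mailbox.Database).RecoverableItemsQuota
            $quotaSource = 'database'
        }

        # The "Recoverable Items" root folder reports the size of the whole
        # subtree (Deletions, Versions and Purges)
        $root = Get-MailboxFolderStatistics -Identity $mailbox.Identity -FolderScope RecoverableItems |
                Where-Object { $_.FolderPath -eq '/Recoverable Items' } | Select-Object -First 1
        $usedBytes = ConvertTo-Bytes $root.FolderAndSubfolderSize
        if ($usedBytes -eq $null) { $usedBytes = 0 }

        $percent = $null
        if ($quotaBytes) { $percent = [math]::Round(100 * $usedBytes / $quotaBytes, 1) }

        New-Object PSObject -Property @{
            Mailbox     = $mailbox.Alias
            UsedGB      = [math]::Round($usedBytes / 1GB, 2)
            QuotaGB     = $(if ($quotaBytes) { [math]::Round($quotaBytes / 1GB, 2) } else { 'unlimited' })
            QuotaSource = $quotaSource
            PercentUsed = $percent
            OverWarning = ($percent -ne $null -and $percent -ge $WarnPercent)
        }
    }
}

Get-RecoverableItemsUsage -WarnPercent 80 |
    Sort-Object PercentUsed -Descending |
    Format-Table Mailbox, UsedGB, QuotaGB, QuotaSource, PercentUsed, OverWarning -AutoSize
```

Scheduling this and alerting on OverWarning gives you the warning the Application log event provides, but across the whole organisation in one place rather than per mailbox server.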

Wednesday, January 5, 2011

DAG Failover and Journaling

DAG Failover and Journaling is not an area highlighted on TechNet. If you configure journaling on a mailbox database and a failover of that mailbox database occurs what happens with the journaling? Does it still work?

The answer is Yes... Let me explain.

When a journal rule is created it is stored in Active Directory. The journal rule is replicated to all domain controllers throughout your infrastructure and applied to all Hub Transport servers in the Exchange 2010 organization.

When a mailbox database fails over from Site1 to Site2, the hub transport server in Site2 will still have the journal rules applied as it was replicated using Active Directory replication. The store driver on the hub transport servers in Site2 will pull the emails from the failed over database as it would in Site1. The journal agents on the hub transport servers in Site2 would then process the journal rules.

It doesn't matter where the mailbox database is located; it will always be journaled if the rule is configured!

Warning...

If you journal all emails coming in and out of a mailbox database, the disk I/O will be two times the typical disk I/O. It is recommended that a separate server be set up to act as a journaling server and to hold the journal recipient mailboxes. If your journal recipient mailbox is located in Site1 and the mailbox database being journaled is located in Site2 due to a DAG failover, then all journal emails will be replayed back to Site1, which can cause WAN link congestion.

Journal Rule won't work right away on Groups?

You have created a journal rule and applied it to a distribution/security group. Every email sent through this distribution/security group is journalled. However, when you add a user to this distribution group, the email they send or receive is not journalled, sometimes for up to half a day. Why is this?

Each Hub Transport server caches distribution group membership. This reduces load on your Active Directory domain controllers. By default, entries in the expanded groups cache expire in four hours.

I don't want to wait the 4 hours?

If you want to make group membership changes immediate so journaling takes effect right away you must restart the Microsoft Exchange Transport service on each Hub Transport server. This will force an immediate update of the recipient cache. You must do this for each Hub Transport server where you want to forcibly update the recipient cache.

For more information on journaling take a look at:

http://technet.microsoft.com/en-us/library/aa998649.aspx

Wednesday, December 22, 2010

451 4.4.0 DNS query failed

Problem: Emails to a particular domain were not going through. Emails to all other domains were being received fine.

dcswa-ex01 = Edge Transport
dcswa-ex02 = Hub Transport

domain.com = sending company's email suffix.
example.com = receiving company's email suffix.

Symptoms

Emails sent to example.com are not arriving at the destination. example.com emails are being passed from the hub transport server dcswa-ex02 to the edge transport server dcswa-ex01 successfully. The emails then sit in the edge transport queue for example.com with the following error:

LastError : 451 4.4.0 DNS query failed



Dcswa-ex01 is resolving DNS correctly for example.com; we can verify this by using the nslookup utility.



The edge transport server Dcswa-ex01 is able to open TCP port 25 connections to the example.com SMTP servers.



The Exchange 2010 connectivity log shows that the DNS queries Exchange was generating for example.com were timing out on the edge transport server:

2010-12-22T02:26:15.708Z,08CD6F05CD2DBD8F,SMTP,example.com,+,DnsConnectorDelivery afb8a1d5-3e6f-4e6b-8bab-17e38b9d7bad;QueueLength=1
2010-12-22T02:27:21.458Z,08CD6F05CD2DBD8F,SMTP,example.com,>,DNS server returned ErrorTimeout reported by 0.0.0.0
2010-12-22T02:27:21.458Z,08CD6F05CD2DBD8F,SMTP,example.com,-,Messages: 0 Bytes: 0 (The DNS query for 'DnsConnectorDelivery':'example.com':'afb8a1d5-3e6f-4e6b-8bab-17e38b9d7bad' failed with error : ErrorTimeout)


Resolution

On the Edge Transport server dcswa-ex01 set the external DNS servers to use for external mail relay.



On the hub transport server dcswa-ex02 configure "Use the External DNS Lookup setting on the transport server" for all send connectors configured for edge sync with dcswa-ex01.



Force an Edge Sync on the hub transport server dcswa-ex02:



Restart the Microsoft Exchange Transport service on the edge transport server to utilize the new DNS settings.

After making this change it took 5-10 minutes for the email to successfully leave the queue!

Looking at the queue for example.com again:



The email was successfully delivered as it no longer resides in the queue.
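The resolution steps and the queue check above, as an added example in Exchange 2010 Management Shell commands instead of the console dialogs (not from the original post). Server names are the post's; the resolver addresses are placeholders, and the connector match assumes the default "EdgeSync - <site> to Internet" naming the post's log shows.

```powershell
# Added example: the fix from the post as shell commands. Steps 1, 4 and 5 run in the
# Management Shell on the Edge Transport server; steps 2 and 3 run on the Hub.
$edge = 'dcswa-ex01'                        # Edge Transport
$hub  = 'dcswa-ex02'                        # Hub Transport
$externalDns = '192.0.2.53', '192.0.2.54'   # PLACEHOLDER: resolvers the Edge can reach

# 1. Edge: give the transport service its own external DNS list instead of
#    relying on whatever the network adapter has configured.
Set-TransportServer -Identity $edge -ExternalDNSAdapterEnabled $false `
    -ExternalDNSServers $externalDns
Get-TransportServer -Identity $edge | Format-List ExternalDNSAdapterEnabled, ExternalDNSServers

# 2. Hub: every Send connector published to the Edge through EdgeSync must use
#    that list ("Use the External DNS Lookup settings on the transport server").
Get-SendConnector | Where-Object { $_.Name -like 'EdgeSync - *' } |
    Set-SendConnector -UseExternalDNSServersEnabled $true

# 3. Hub: push the connector change to the Edge now rather than waiting for
#    the next scheduled synchronization.
Start-EdgeSynchronization -Server $hub

# 4. Edge: restart transport so the new DNS list is actually used.
Restart-Service MSExchangeTransport

# 5. Edge: the queue for the domain should drain within 5-10 minutes; until it
#    does, LastError still shows "451 4.4.0 DNS query failed".
Get-Queue -Filter { NextHopDomain -eq 'example.com' } |
    Format-List Identity, Status, MessageCount, LastError
```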

If we look at the SMTP send log on the edge transport server dcswa-ex01, we can see that the email transferred correctly. One interesting thing I found about example.com was that they are digitally encrypting all email communication traffic; I don't see how this would cause DNS to fail, but I want to point that out.

2010-12-22T03:59:00.740Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,0,,81.80.156.146:25,*,,attempting to connect
2010-12-22T03:59:01.052Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,1,202.160.101.139:2546,81.80.156.146:25,+,,
2010-12-22T03:59:01.365Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,2,202.160.101.139:2546,81.80.156.146:25,<,220 example.com [ESMTP Server] service ready;DORIS ENGINEERING Email Gateway ok; 12/22/10 04:57:30,
2010-12-22T03:59:01.365Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,3,202.160.101.139:2546,81.80.156.146:25,>,EHLO dcswa-ex01.cloud.dcswa,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,4,202.160.101.139:2546,81.80.156.146:25,<,250-example.com,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,5,202.160.101.139:2546,81.80.156.146:25,<,250-SIZE 13631488,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,6,202.160.101.139:2546,81.80.156.146:25,<,250-8BITMIME,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,7,202.160.101.139:2546,81.80.156.146:25,<,250 STARTTLS,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,8,202.160.101.139:2546,81.80.156.146:25,>,STARTTLS,
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,9,202.160.101.139:2546,81.80.156.146:25,<,220 Ready to start TLS,
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,10,202.160.101.139:2546,81.80.156.146:25,*,,Sending certificate
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,11,202.160.101.139:2546,81.80.156.146:25,*,CN=dcswa-ex01,Certificate subject
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,12,202.160.101.139:2546,81.80.156.146:25,*,CN=dcswa-ex01,Certificate issuer name
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,13,202.160.101.139:2546,81.80.156.146:25,*,67E29A29EDE76AAF4BDBC5340D3185F0,Certificate serial number
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,14,202.160.101.139:2546,81.80.156.146:25,*,2A3B56F723AD7056F9372E486B3192E0EF877C6D,Certificate thumbprint
2010-12-22T03:59:01.990Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,15,202.160.101.139:2546,81.80.156.146:25,*,dcswa-ex01;dcswa-ex01.cloud.dcswa,Certificate alternate names
2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,16,202.160.101.139:2546,81.80.156.146:25,*,,Received certificate
2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,17,202.160.101.139:2546,81.80.156.146:25,*,B6CDD7D2A3CAC50AB653830A828037EC0D0B3901,Certificate thumbprint
2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,18,202.160.101.139:2546,81.80.156.146:25,>,EHLO dcswa-ex01.cloud.dcswa,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,19,202.160.101.139:2546,81.80.156.146:25,<,250-example.com,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,20,202.160.101.139:2546,81.80.156.146:25,<,250-SIZE 13631488,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,21,202.160.101.139:2546,81.80.156.146:25,<,250 8BITMIME,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,22,202.160.101.139:2546,81.80.156.146:25,*,29980,sending message
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,23,202.160.101.139:2546,81.80.156.146:25,>,MAIL FROM: SIZE=5233,
2010-12-22T03:59:03.271Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,24,202.160.101.139:2546,81.80.156.146:25,<,250 Sender OK,
2010-12-22T03:59:03.271Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,25,202.160.101.139:2546,81.80.156.146:25,>,RCPT TO:,
2010-12-22T03:59:03.583Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,26,202.160.101.139:2546,81.80.156.146:25,<,250 Recipient OK,
2010-12-22T03:59:03.583Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,27,202.160.101.139:2546,81.80.156.146:25,>,RCPT TO:,
2010-12-22T03:59:03.896Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,28,202.160.101.139:2546,81.80.156.146:25,<,250 Recipient OK,
2010-12-22T03:59:03.896Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,29,202.160.101.139:2546,81.80.156.146:25,>,RCPT TO:,
2010-12-22T03:59:04.208Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,30,202.160.101.139:2546,81.80.156.146:25,<,250 Recipient OK,
2010-12-22T03:59:04.208Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,31,202.160.101.139:2546,81.80.156.146:25,>,DATA,
2010-12-22T03:59:04.521Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,32,202.160.101.139:2546,81.80.156.146:25,<,354 Start mail input; end with .,
2010-12-22T03:59:05.146Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,33,202.160.101.139:2546,81.80.156.146:25,<,250 OK: <1f3f0b7e00007399@example.com>,
2010-12-22T03:59:05.146Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,34,202.160.101.139:2546,81.80.156.146:25,>,QUIT,
2010-12-22T03:59:05.458Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,35,202.160.101.139:2546,81.80.156.146:25,<,221 [ESMTP Server] service closing transmission channel,


There is another workaround that has been documented on the internet: add the external MX servers to the local "hosts" file on the edge transport server. I tested this and it does work; however, I do not recommend it. If another domain fails, it will be a manual exercise on a case-by-case basis.

Tuesday, December 21, 2010

How to Force EdgeSync Synchronization

You can use the Start-EdgeSynchronization cmdlet to force synchronization to start immediately. You may want to do this to start initial replication immediately after you create the Edge Subscription or if you have made significant changes to the configuration or recipients in Active Directory. The Start-EdgeSynchronization cmdlet resets the EdgeSync synchronization schedule. The time of the subsequent synchronization intervals is based on the time that this command is initiated.

Note:
If you try to run this procedure during regular synchronization, an error will occur.

Start-EdgeSynchronization

How to Setup Auto QOS Cisco

The config below sets up Auto QoS (Quality of Service) on a Cisco switch.

Single interface:
conf t
 interface fa0/1
  auto qos voip trust
 end
write mem


Multiple interfaces:
conf t
 interface range fa0/1 - 24
  auto qos voip trust
 end
write mem

(Change the range to whatever ports you want; the IOS command is "auto qos voip trust", with a space rather than a hyphen.)

Sunday, December 12, 2010

Cisco ADSL Config with NAT

Below is a basic ADSL config for Cisco routers with ADSL chipsets installed. This config is for a PPPoE-based connection. I set this config up to use Amnet Broadband.

ip cef

interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
dsl operating-mode auto
hold-queue 224 in

interface Vlan1
ip address 10.60.59.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452


interface Dialer0
description Amnet ADSL
bandwidth 1300
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 999999
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
ppp pap sent-username USERNAME password 0 PASSWORD

ip route 0.0.0.0 0.0.0.0 Dialer0

ip nat inside source list 1 interface Dialer0 overload

access-list 1 permit 10.60.59.0 0.0.0.255


To add port forwards to the config, create static NAT entries like this:

ip nat inside source static tcp 10.60.59.10 25 interface Dialer0 25
ip nat inside source static tcp 10.60.59.10 3389 interface Dialer0 3389


To get some verbose logging on your ADSL connection please see the following website:

https://supportforums.cisco.com/docs/DOC-14125

Monday, December 6, 2010

SBS 2008 System Synchronizing but Not Downloading Updates

I had an issue where WSUS on a Windows SBS 2008 system was saying it was synchronizing successfully, but it wasn't downloading updates. All you would get was a message in the event logs from Windows Server Update Services (event id 10032) saying that "The server is failing to download some updates". Clients would show that they needed updates through the WSUS console and via the SBS Console, but the updates would never show up on the server for installation. In the local client WindowsUpdate.log file you would see something similar to the following:

2010-10-12 10:39:45:574 784 1a20 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2010-10-12 10:39:45:574 784 1a20 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12 10:39:49:011 784 1a20 PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2010-10-12 10:39:49:011 784 1a20 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12 10:39:52:433 784 1a20 Agent * Found 0 updates and 57 categories in search; evaluated appl. rules of 643 out of 1075 deployed entities

So why would the WSUS server recognize the server needed updates and the client not recognize and download them? Further investigation uncovered the fact that the WSUS Content Repository was nearly empty. Total size of the repository was less than 100 MB. Obviously, none of the patch data had been downloaded.

So why was the sync successful? After more investigation, I discovered that the ISA server was blocking what appeared to be anonymous web traffic from the SBS server even though there was an access rule set to allow all http, https, and ftp traffic from the SBS server. So, skipping to the solution. First, ISA 2004 has a problem with BITS 7.0, which is used in Windows 2008 and Windows 7. Because the initial synchronization from WSUS ONLY downloads metadata, ISA was letting that out and it would show success in the consoles. Then WSUS turns over processing and downloading of the actual patch files (.cabs, etc.) to BITS. ISA was blocking BITS background download processing, so what we had was metadata for the updates, but no updates. WSUS knew the servers needed the updates, but the servers had nothing to download because the actual content for the updates wasn't there. The fix is to change the processing of update downloads using BITS from a background to a foreground process. ISA seems to allow that just fine.

Do it by running the following query against the WSUS database. The connection can be made via SQL Management Studio Express in most cases; you are just looking to run the query against the SUSDB database.

update tbConfigurationC set BitsDownloadPriorityForeground=1

If you are using Windows 2008 with the Microsoft Internal Database (as SBS 2008 does), this proves to be a little more challenging because you have to connect with SQL Management Studio Express using named pipes instead of TCP/IP. Connect using named pipes by using this as the server name:

\\.\pipe\mssql$microsoft##ssee\sql\query
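The same query run from PowerShell over the named pipe above, as an added example (not from the original post) for servers where Management Studio Express is not installed: it reads the current value before touching it and only updates when needed. It assumes System.Data.SqlClient (part of the .NET Framework on the SBS server), an elevated local-administrator session, and the SUSDB table and column named in the text.

```powershell
# Added example: flip BitsDownloadPriorityForeground in SUSDB via the Windows
# Internal Database named pipe. The pipe only accepts local connections, so run
# this on the SBS server itself, elevated.
function Set-WsusBitsForeground {
    param(
        [string]$DataSource = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query',  # from the text
        [switch]$ReadOnly                                                     # report only, no UPDATE
    )
    $cs = "Data Source=$DataSource;Initial Catalog=SUSDB;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Read first: know what you are changing, and skip the write if it is already set.
        $cmd.CommandText = 'SELECT BitsDownloadPriorityForeground FROM tbConfigurationC'
        $before = [int]$cmd.ExecuteScalar()               # bit column -> 0 or 1
        if ($before -eq 1) {
            Write-Host 'BitsDownloadPriorityForeground is already 1; nothing to do.'
            return $before
        }
        if ($ReadOnly) {
            Write-Host "BitsDownloadPriorityForeground is $before (read-only run, not changed)."
            return $before
        }
        $cmd.CommandText = 'UPDATE tbConfigurationC SET BitsDownloadPriorityForeground = 1'
        $rows = $cmd.ExecuteNonQuery()
        Write-Host "Updated $rows row(s): BitsDownloadPriorityForeground was $before, now 1."
        return $before
    } finally {
        $conn.Close()
    }
}

Set-WsusBitsForeground -ReadOnly    # inspect first; drop -ReadOnly to apply the fix
```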

Sunday, December 5, 2010

HP ML350 G6 hangs at Completing Installation on a Windows 2008 and SBS2008

I had an HP ML350 G6 server that was unable to complete the SBS 2008 install. Every time, it would hang forever at the Completing Installation stage of the Windows setup.



All hardware ROMs were running the latest firmware.

It got to the stage where I had to start removing server hardware to find out what was causing the SBS installation to fail.

The item that was causing the problem was an HP Smart Array P212 SAS Controller which was connected to an HP StorageWorks Ultrium 920 SAS Tape Drive. After removing this card, the SBS 2008 installation completed successfully.

Below is a picture of this SAS Card taken from my iPhone 4G:



I removed this card, completed the install of SBS 2008, then installed the card again once Windows was up and running on the system.

Wednesday, December 1, 2010

VBS - List all users in OU

The following script lists all users in an organisational unit:

' Echo the display name of every user object directly under the OU.
' The dictionary suppresses duplicate names, so each name must be
' added to it once it has been echoed (the original never did this).
Set objDictionary = CreateObject("Scripting.Dictionary")

Set objOU = GetObject("LDAP://OU=myou,DC=domain,DC=local")
objOU.Filter = Array("User")   ' user objects only; computers also match this filter

For Each objUser in objOU
    If objUser.Class = "user" Then   ' skip computer accounts, which derive from user
        strUser = objUser.displayName
        If Not objDictionary.Exists(strUser) Then
            Wscript.Echo strUser
            objDictionary.Add strUser, 1   ' remember it so it is not echoed twice
        End If
    End If
Next


Very handy if you want to add all users in an OU to a security group!
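The group-population use the closing line mentions, as an added example (not from the original post) in PowerShell over the same ADSI LDAP provider the script uses, so it works without the Active Directory module. The OU path is the script's; the group path and the Add-OuUsersToGroup function name are assumptions of this example.

```powershell
# Added example: add every user object directly under an OU to a security group,
# skipping accounts that are already members, with a read-only mode to preview.
function Add-OuUsersToGroup {
    param(
        [string]$OuPath    = 'LDAP://OU=myou,DC=domain,DC=local',               # from the script
        [string]$GroupPath = 'LDAP://CN=My Group,OU=Groups,DC=domain,DC=local',  # PLACEHOLDER
        [switch]$ReadOnly                                                       # preview only
    )
    $ou    = [ADSI]$OuPath
    $group = [ADSI]$GroupPath
    $added = @(); $alreadyMember = @()

    foreach ($child in $ou.Children) {
        # objOU.Filter = Array("User") in the VBScript; here filter on the schema class,
        # which also drops computer accounts (class "computer") that the ADSI filter lets through.
        if ($child.SchemaClassName -ne 'user') { continue }
        $name = "$($child.sAMAccountName)"
        # IADsGroup.IsMember / Add take the object's ADsPath (LDAP://CN=...,OU=...).
        if ($group.IsMember($child.Path)) {
            $alreadyMember += $name
            continue
        }
        if (-not $ReadOnly) { $group.Add($child.Path) }
        $added += $name
    }
    New-Object PSObject -Property @{
        Added         = $added            # accounts added (or that would be, with -ReadOnly)
        AlreadyMember = $alreadyMember    # accounts left untouched
    }
}

Add-OuUsersToGroup -ReadOnly | Format-List    # preview; rerun without -ReadOnly to apply
```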