Wednesday, October 28, 2009

The properties on [recipient] have invalid data. If you click OK, default values will be used...

A customer had a user with a mailbox throwing the following error whenever they tried to change a value:

The properties on [recipient] have invalid data. If you click OK, default values will be used instead and will be saved if you do not change them before hitting Apply or OK on the property page. If you click cancel, the object will be displayed read-only and corrupted values will be retained.

OK no problem, I'll just go in and get rid of anything that doesn't look right...wrong. The console wouldn't let me save the settings.
Apparently the storage quotas were such that the Prohibit Send Limit value was less than the Warning Limit. I was, however, unable to modify it in ADUC/DSA or in the EMC.

I attempted to change the value in EMS, but it threw the exact same error.

When finesse isn't enough, brute force wins. I popped open adsiedit.msc by launching adsiedit.msc from 'Run,' then navigated to where the user resided under Domain -> User OU, right clicked, and clicked properties. Sure enough the EMC and EMS were lying to me:






I modified the values to what I wanted them to be:






Voila.. Invalid Data errors are gone.
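A read-only check for the same condition across a directory, as an added example that is not part of the original post. It assumes the standard Exchange quota attributes on the user object; the function names, the search root and the sample records are hypothetical, and the samples are constructed.

```powershell
# Added example, not from the original post. Attribute meanings (values in KB):
#   mDBStorageQuota       = "Issue warning at"
#   mDBOverQuotaLimit     = "Prohibit send at"
#   mDBOverHardQuotaLimit = "Prohibit send and receive at"

function Get-QuotaProblem {                      # hypothetical helper name
    param([string]$Name, $Warning, $ProhibitSend, $HardLimit)
    $problems = @()
    if ($null -ne $Warning -and $null -ne $ProhibitSend -and $ProhibitSend -lt $Warning) {
        $problems += "Prohibit Send ($ProhibitSend) < Warning ($Warning)"
    }
    if ($null -ne $ProhibitSend -and $null -ne $HardLimit -and $HardLimit -lt $ProhibitSend) {
        $problems += "Prohibit Send/Receive ($HardLimit) < Prohibit Send ($ProhibitSend)"
    }
    if ($null -ne $Warning -and $null -ne $HardLimit -and $HardLimit -lt $Warning) {
        $problems += "Prohibit Send/Receive ($HardLimit) < Warning ($Warning)"
    }
    if ($problems.Count -gt 0) {
        New-Object PSObject -Property @{ Name = $Name; Problems = ($problems -join '; ') }
    }
}

function Find-QuotaProblem {                     # hypothetical helper name
    param([string]$SearchRoot)                   # e.g. 'LDAP://OU=Users,DC=example,DC=com'
    $searcher = [adsisearcher]'(&(objectCategory=person)(homeMDB=*))'
    if ($SearchRoot) { $searcher.SearchRoot = [adsi]$SearchRoot }
    $searcher.PageSize = 500
    $attrs = 'samaccountname', 'mdbstoragequota', 'mdboverquotalimit', 'mdboverhardquotalimit'
    $attrs | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # Unset attributes are absent from the result, so read each one defensively.
        $v = @{}
        foreach ($a in $attrs) { if ($p.Contains($a)) { $v[$a] = $p[$a][0] } }
        Get-QuotaProblem -Name $v['samaccountname'] -Warning $v['mdbstoragequota'] `
            -ProhibitSend $v['mdboverquotalimit'] -HardLimit $v['mdboverhardquotalimit']
    }
}

# Constructed sample records (not real accounts) so the check runs without a domain.
$samples = @(
    @{ Name = 'jdoe';    Warning = 1900000; ProhibitSend = 1500000; HardLimit = 2300000 },
    @{ Name = 'asmith';  Warning = 1900000; ProhibitSend = 2000000; HardLimit = 2300000 },
    @{ Name = 'noquota'; Warning = $null;   ProhibitSend = $null;   HardLimit = $null }
)
foreach ($s in $samples) { Get-QuotaProblem @s }
```

Only the constructed `jdoe` record is reported; `Find-QuotaProblem` runs the same comparison against live objects and changes nothing in the directory.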

Wednesday, September 9, 2009

Digicert Intermediate Cert Eclipsed by Root - ActiveSync issues

We recently ran into an issue where using a new Digicert certificate essentially broke ActiveSync for most people in the company. The issue is that the new root certificate for Digicert isn't compatible with older browsers and devices (they don't come standard with the new root certs for Digicert like they might with Verisign and others). The primary phone of the organization was a Motorola Q, which made the issue quite visible.

The problem boiled down to this root cert taking precedence over the intermediate cert (Digicert calls it eclipsing which I suppose is a more valid term), which would have worked fine. After the Digicert Root Cert was removed, the issue was resolved.

Note: Be sure that the intermediate is in place and functioning or else you will break all of the modern phones and browsers as well.

Also as an alternative fix, you could install the root cert on the phones in question. This is more labor intensive, but might be viable if there are only a few old straggler phones floating around.

Reference:

https://www.digicert.com/ssl-support/windows-cross-signed-chain.htm

You can also run a good test for this and other issues at:

https://www.digicert.com/help/
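A way to see the eclipsing condition on the server itself, as an added example that is not part of the original post. It assumes the CA certificates can be matched by the text 'DigiCert' in their subject; `Get-BuiltChain` is a hypothetical helper and the thumbprint in the usage comment is a placeholder.

```powershell
# Added example, not from the original post. Run on the server that presents the certificate.
$pattern = 'DigiCert'   # assumption: CA certificates are matched by subject text

# 1. Inventory matching CA certificates in the machine Root and Intermediate (CA) stores.
$inventory = foreach ($store in 'Root', 'CA') {
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Store      = $store
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
            }
        }
}
$inventory | Format-Table Store, SelfSigned, Subject, Issuer -AutoSize

# 2. A subject present both self-signed and issued by another CA is an eclipse candidate:
#    the self-signed copy can be preferred over the cross-signed one when the chain is built.
$selfSigned = @($inventory | Where-Object { $_.SelfSigned } | ForEach-Object { $_.Subject })
$inventory |
    Where-Object { -not $_.SelfSigned -and $selfSigned -contains $_.Subject } |
    ForEach-Object {
        Write-Warning "$($_.Subject) exists as a self-signed root and as a cert issued by $($_.Issuer)"
    }

# 3. Show the chain Windows builds locally for the server certificate.
function Get-BuiltChain {                        # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
    [void]$chain.Build($cert)
    $chain.ChainElements |
        ForEach-Object { $_.Certificate } |
        Select-Object Subject, Issuer, Thumbprint
}

# Usage (placeholder thumbprint):
# Get-BuiltChain -Thumbprint '<SERVER-CERT-THUMBPRINT>'
```

Running `Get-BuiltChain` before and after a store change shows whether the chain ends at the self-signed root or passes through the intermediate, which is the check the note above asks for before removing anything.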

KB968389 LSASS Reboots

Recently we had an issue with an Exchange server constantly rebooting. The symptoms were extremely indicative of virus infection. Terminations of LSASS.exe, timed reboots, and permission revocations were all occurring, so we immediately assumed Sasser/Blaster.

It then began to seemingly cause issues with domain communication. Upon checking the system properties, the domain registered as *Unknown* and it was nearly impossible to perform any action as all permissions had been stripped (we were using a domain account so this sort of made sense).

After having a local tech bounce the box and log in with the KVM, the issue seemed resolved for these domain level issues, and we never saw them again. The original LSASS issues and reboots continued, however. Not wanting to waste any more time, we gave PSS a call. They informed us that a patch we had installed, KB968389, was likely causing the issue. Despite passing our patch testing and being installed on numerous other environments, MS told us that they had been informed of other sites experiencing the same issue. Removing the patch resolved the issue.

In summary.. KB968389 = Bad if you like a stable environment

Tuesday, June 9, 2009

RIM Finally Fixes PDF Vulnerability on BES

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18327

I know it was out on the 4th, but I haven't had time for my blog lately unfortunately.

Monday, May 18, 2009

PowerShell Reboot

Ever need to reboot a server remotely, and no standard tools (shutdown, etc) are working?

Can't RDP the box or get to it any other way?

I discovered a little trick about a year and a half ago, and it has been saving my life, and those of my colleagues, ever since. I actually just had to use it, which reminded me that I ought to post it.

$server = gwmi win32_operatingsystem -computer USSERVER1
$server.reboot()

Performing this will provide you with some output. As long as it comes back with an output of zero, you are good to go. I believe the target server doesn't even need PowerShell installed; just the one you are using to reboot it.


Tuesday, May 12, 2009

IOPS / Disks

It has been a while so I decided I'd post on something I've been having to work with a lot lately.

I/O can be a key bottleneck in disk-intensive systems... such as Exchange.

First let's establish some disks and their relative IO load capacity:

Fiber Channel 15k: 150-180 IOPS
SAS 15k: 150-180 IOPS (notice about the same, but less price than FC..)
Small Form Factor (SFF): Faster..usually ~230
SATA 7.2k: Claim 60-80, some will argue as low as 40.

Let's assume for our test case that we look at a customer with 1000 mailboxes on Exchange, and average-heavy users (spanning from light to very heavy).  Let us also assume they have a BES, an Archive server, AV, and DPM.

.32 IOPS per user is about a heavy user. To gauge the others, view the following:

DPM: Add 20%
Archiving:  Add 50% if performing compliance, 25% for compression/storage
AV: 50%
BES: Debatable.. I've heard anywhere from 2x to 7x!?! I'd believe any of them.. Let's say 2x for the sake of argument. You're welcome RIM.

That .32 I/O mailbox has now turned into a 1.2 I/O mailbox (rough estimation that is usually on the safe side given involvement from outside entities).

1000 x 1.2 = 1200 / Disks = IOPS required per disk.

For our example let's say the company has a Stovevault S500.  This particular unit comes with a shelf of 14, 7200 RPM disks.  Remember to not include parity disks!   14 - 2 = 12

1000 x 1.2= 1200 / (14 - 2) = 100 IOPS/disk

Now let's compare.. 100 IOPS/disk requirement.  SATA 7200  RPM disks can pull 60-80 advertised (40 according to many in practice).

Looks like we have a problem. There are a couple of easy, though potentially costly, ways around this. The fact is we need more IOPS. This can mean more speed, or it could mean more spindles.. or both.

How about another SAN with, say, fourteen 15k SAS disks?  (150-180) > 100 -- Looks much better.

How about adding another shelf to the S500?

1000 x 1.2= 1200 / (28 - 4) = 50 IOPS/disk -- Looks better than advertised, but a bit above what some research has turned up. This may work in production, but it would be ill advised to implement a system in which you run it so close to its breaking point right from the get-go.

So what good are SATA disks then? SATA disks still have their uses. Archiving storage, file storage, home drives, or any other storage that isn't being bombarded with reads/writes will suffice with this type of storage, at a fraction of the cost.

If you want additional specifics, check out:


There is an updated link off of it too.



Tuesday, April 14, 2009

Exchange 2010

In the words of my compatriot Kevin, we can now officially speak of Exchange 2010!