Monday, December 29, 2008

Failing over to SCR target

Any of you who have done this know it is a touchy game.  Luckily a coworker (Kevin Miller) decided to put all the info in one place, along with some good suggestions to think about whilst performing this procedure.

You can check it out here.

Wednesday, December 17, 2008

RPC/HTTP -- Outlook Anywhere Login Prompts Fail

The issue came up where users couldn't gain access to their email via RPC over HTTP / Outlook Anywhere.  An authentication prompt comes up, but does not allow the user to authenticate.

When checking their configuration, everything seemed at first to be in order.  Upon checking into it further, I noticed that their mail FQDN is mail.domain.com, but the common name on the certificate is just domain.com (though mail.domain.com was also on the cert under the subject alternative names).  While the cert was valid, it did not match up for the mutually authenticated session.  The problem?  The red outlined boxes, the certificate's common name and the principal name configured in Outlook, didn't match up.

After changing the principal name to msstd:domain.com rather than msstd:mail.domain.com, so that it matched the certificate's common name, authentication began to work once again.
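As an added illustration (not code from the original post), here is a small Python model of the two name checks that apply to the Outlook Anywhere proxy certificate: ordinary TLS host-name matching, which accepts a subject alternative name, and the msstd: principal-name check, which only looks at the subject common name. The certificate dict is constructed to mirror the case above (CN=domain.com, SAN includes mail.domain.com) and follows the layout Python's ssl.getpeercert() returns.

```python
"""Model of the two name checks made against an RPC/HTTP proxy certificate.

Constructed example: the certificate below is made up to mirror the post's
case and is not a real certificate. The dict layout matches ssl.getpeercert().
"""

# Constructed certificate: CN is the bare domain, the mail host is only a SAN.
PROXY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "domain.com"),)),
    "subjectAltName": (
        ("DNS", "domain.com"),
        ("DNS", "mail.domain.com"),
        ("DNS", "autodiscover.domain.com"),
    ),
}


def common_name(cert):
    """Return the certificate's subject commonName, or None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_names(cert):
    """Return every DNS entry from subjectAltName."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _label_match(pattern, host):
    """RFC 6125 style comparison: '*' is allowed only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def tls_hostname_matches(cert, host):
    """Ordinary TLS check: SANs are authoritative; the CN is only a fallback
    when the certificate carries no DNS SAN at all."""
    sans = dns_names(cert)
    if sans:
        return any(_label_match(s, host) for s in sans)
    cn = common_name(cert)
    return cn is not None and _label_match(cn, host)


def msstd_principal_matches(cert, principal):
    """Mutual-auth check: 'msstd:<name>' is compared with the subject CN only.
    SAN entries are not consulted, which is exactly the mismatch the post hit."""
    if not principal.lower().startswith("msstd:"):
        raise ValueError("principal must be of the form msstd:<name>")
    name = principal[len("msstd:"):]
    cn = common_name(cert)
    return cn is not None and cn.lower() == name.lower()


def diagnose(cert, host, principal):
    """Run both checks and report the principal name that would match the CN."""
    return {
        "tls_hostname_ok": tls_hostname_matches(cert, host),
        "msstd_ok": msstd_principal_matches(cert, principal),
        "expected_principal": "msstd:" + (common_name(cert) or ""),
    }


if __name__ == "__main__":
    # The post's situation: the TLS name check passes via the SAN, but the
    # msstd: principal pointed at the mail host fails against the CN.
    print(diagnose(PROXY_CERT, "mail.domain.com", "msstd:mail.domain.com"))
```

A certificate that is "valid" for the browser can therefore still fail the msstd: check; the fix is to set the principal to the CN, or reissue the certificate with the mail host as its CN.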

Tuesday, December 16, 2008

Calendar Items Disappearing From Mailbox - BlackBerry

When calendar items are disappearing from people's mailboxes, the first thing I ask nowadays is "Do you own a BlackBerry?"  The reason for this is simple.  If the BlackBerry handheld runs out of memory, the first things it goes for are your calendar items.

While it is a good idea to upgrade your phone's memory anyway, you can also help your memory utilization by properly closing windows so that they do not continually occupy space.  It is also a good idea to periodically reboot your phone to clean this up.

I can't tell you how valuable this information is when users come to you wondering what happened to their meetings.  Kudos to my coworkers that attended the RIM/BlackBerry/BES training for the initial identification of this problem!

Reference:



Monday, December 15, 2008

Issues mounting NDMP Backed Up Luns

A coworker of mine cracked the case on this one with a bit of help from NetApp, but I thought I'd share as it was a strange little issue.  First off, what is an NDMP backup?

NDMP stands for Network Data Management Protocol, and was actually pioneered by Network Appliance (NetApp) in association with Intelliguard.  The purpose was to back up various platforms and provide interoperability.  Fast forward to our current predicament..

The current predicament is that someone uses Veritas to back up and restore.  They want to be able to restore from this and have it correctly mount so that they can recover data in Exchange.  The problem is that the restored LUN won't mount in SnapDrive or otherwise.  Initially NetApp merely told us that the LUN had to be in the root of the share rather than in a folder.. no problem.  Veritas must restore to a folder, but we can move it to the root after the fact.

We then try to mount the LUN, but it doesn't work.  It instead tells us that it is already mounted.

The trick that my compatriot discovered was that it requires you to change the name as well, by doing the following via the command line:

lun move /vol/Volume1/restore.lun /vol/Volume1/restorenew.lun

He was then able to mount the lun.  Go team.

Tuesday, December 9, 2008

SMTP Categorizer Queue Length Spikes

The issue cropped up with the Categorizer Queue Length intermittently spiking.  First off, what is the Categorizer Queue Length?

This counter reports the number of items residing in the categorizer queue.  The categorizer does a few things.  It resolves/validates recipients, determines whether the message should be queued for local or remote delivery, expands Distribution Lists (DLs), and detects limits and restrictions.

The first thing to check in order to resolve the spikes is that there are ample Global Catalog servers (GCs) and Domain Controllers (DCs) in the environment to perform the look-ups.  The best way to check this is on the DSAccess tab in ESM (Exchange 2003), or the System Settings tab under the properties of the Exchange server (Exchange 2007).

It would also be prudent to run a network diagnostic tool in search of a bottleneck.

Microsoft also recommends monitoring the processor utilization of Inetinfo.exe (the categorizer component) and using the e2kdsinteg config object from the ConfigDSInteg tool to check for malformed objects that could be slowing directory look-ups.  You can get the tool here.

Knowing that the environment probably wasn't the shining star on the top of the Active Directory hill, this was the first thing to check.

The e2kdsinteg log came back with numerous entries for old mail servers, and objects not seen by human eyes in many moons.  My advice was to continue to run diagnostics for bottlenecks, and to investigate the purging of these rogue/malformed objects.

Monday, December 8, 2008

Outlook Anywhere Failing - RPC End Points - 6004

It was brought to my attention that autodiscover was not behaving correctly externally.  I ran it through Microsoft's Exchange connectivity tester @ http://www.testexchangeconnectivity.com/ and received the following output:

To resolve this first, simple part I just went into the EMS and gave it an ExternalUrl via:

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -ExternalUrl https://autodiscover.domain.com/Autodiscover/Autodiscover.xml

I now received this error:

"Failed to ping RPC Endpoint 6004 (NSPI Proxy Interface)"

..and also an RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC runtime.

Most curious, an RPC error at this level.  Perhaps a connection issue between the Hub/CAS and MBX server, or the MBX server and AD/DCs/GCs?  The environment was not Windows 2008, nor was it using IPv6.

The following is what fixed my issue:

Using the configurations here I was able to remedy the situation.  Basically what happened was that it could not use DSProxy over HTTP, which is a known issue.  The fix is to:

1. Changes for Mailbox servers..

a. Create a DWORD called "Do Not Refer HTTP to DSProxy" at HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters\ with the value set to 1.  This will, as it spells out, stop it from trying to use DSProxy when using HTTP.
b. At the same HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters key, set "NSPI Target Server" to the FQDN of the domain controller that you would like used for profile creation.

2. Changes for Client Access Servers..

a. Ensure that the "PeriodicPollingMinutes" value at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator\ is set to zero.  This will ensure that the system won't continue to overwrite our settings every 15 minutes.
b. Also modify "ValidPorts" at HKLM\Software\Microsoft\RPC\RPCProxy such that it lists the DCs which can be accessed via port 6004.  An example of this would be:

domaincontroller.domain.com:6004;domaincontroller2.domain.com:6004

3. Changes for all Global Catalog (GC) servers..

a. Be sure that there is a REG_MULTI_SZ entry named "NSPI interface protocol sequences" at HKLM\System\CurrentControlSet\Services\NTDS\Parameters\ with the value set to "ncacn_http:6004".


Testing autodiscover/Outlook anywhere now yields the following output in the connectivity tester:

You can double check these settings by configuring a profile in Outlook, then Ctrl+right-clicking the Outlook icon in the system tray and running "Test E-mail AutoConfiguration."

For the full explanation I highly recommend reading the official blog post by Siddhartha Mathu at:



Good read!

New Blog - Jeremy Hayes

Another of my coworkers has created a blog over at: http://www.irundis.com/

Primary topics will probably be PowerShell based.

Wednesday, December 3, 2008

Archive Attender - HTML Formatting on x64

As a follow-up to my previous post located here, this issue has now been resolved.  With the combined efforts of Azaleos and SherpaSoftware, we have successfully rolled out this update to our first 6 clients.  It was much anticipated, and has been well received so far.

Tuesday, December 2, 2008

OWA Exception - Exchange Cluster Name Stolen


ERROR:

While attempting to access OWA..


Outlook Web Access could not connect to Microsoft Exchange. If the problem continues, contact technical support for your organization.


Request

Url: https://email.domain.gov:443/owa/forms/premium/StartPage.aspx
User host address: XXX.XXX.XXX.XXX
User: Username
EX Address: /o=DOM/ou=Exchange Administrative Group (--)/cn=Recipients/cn=
SMTP Address: SMTP ADDRESSS
OWA version: 8.1.336.0
Mailbox server: MBX SERVER

Exception
Exception type: Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException
Exception message: Event Manager was not created.

Call stack

Microsoft.Exchange.Data.Storage.EventPump..ctor(EventPumpManager eventPumpManager, String server, Guid mdbGuid)

Microsoft.Exchange.Data.Storage.EventPumpManager.GetEventPump(StoreSession session)

Microsoft.Exchange.Data.Storage.EventPumpManager.RegisterEventSink(StoreSession session, EventSink eventSink)

Microsoft.Exchange.Data.Storage.EventSink.InternalCreateEventSink[T](StoreSession session, EventWatermark watermark, ConstructSinkDelegate`1 constructEventSinkDelegate)

Microsoft.Exchange.Clients.Owa.Core.OwaFolderCountAdvisor..ctor(UserContext userContext, StoreObjectId folderId, EventObjectType objectType, EventType eventType)

Microsoft.Exchange.Clients.Owa.Core.OwaNotificationManager.CreateOwaFolderCountAdvisor(UserContext userContext, StoreObjectId folderId, EventObjectType objectType, EventType eventType)

Microsoft.Exchange.Clients.Owa.Premium.StartPage.OnInit(EventArgs e)

System.Web.UI.Control.InitRecursive(Control namingContainer)

System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)


Inner Exception
Exception type: Microsoft.Mapi.MapiExceptionNetworkError
Exception message: MapiExceptionNetworkError: Unable to make admin interface connection to server. (hr=0x80040115, ec=-2147221227) Diagnostic context: ...... Lid: 8600 dwParam: 0x721 Msg: EEInfo: ProcessID: 4208 Lid: 12696 dwParam: 0x721 Msg: EEInfo: Generation Time: 2008-12-02 16:23:58:282 Lid: 10648 dwParam: 0x721 Msg: EEInfo: Generating component: 3 Lid: 14744 dwParam: 0x721 Msg: EEInfo: Status: -2146893022 Lid: 9624 dwParam: 0x721 Msg: EEInfo: Detection location: 150 Lid: 13720 dwParam: 0x721 Msg: EEInfo: Flags: 0 Lid: 11672 dwParam: 0x721 Msg: EEInfo: NumberOfParameters: 3 Lid: 12952 dwParam: 0x721 Msg: EEInfo: prm[0]: Long val: 9 Lid: 12952 dwParam: 0x721 Msg: EEInfo: prm[1]: Long val: 6 Lid: 12952 dwParam: 0x721 Msg: EEInfo: prm[2]: Long val: 0 Lid: 24060 StoreEc: 0x80040115 Lid: 23746 Lid: 31938 StoreEc: 0x80040115 Lid: 19650 Lid: 27842 StoreEc: 0x80040115 Lid: 20866 Lid: 29058 StoreEc: 0x80040115

Call stack

Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, Int32 ec, DiagnosticContext diagCtx)

Microsoft.Mapi.ExRpcAdmin.Create(String server, String user, String domain, String password)

Microsoft.Exchange.Data.Storage.EventPump..ctor(EventPumpManager eventPumpManager, String server, Guid mdbGuid)


I've seen numerous things fix errors like this: resetting the Information Store (or verifying that it is started), or restarting the AD Topology service and then the Information Store (one starts before the other, so creating a dependency would be a good idea) are both common fixes.  This problem was not fixed by either.

This particular issue seemed to only affect OWA Premium users, but not Lite users.  We also received sporadic reports of issues creating MAPI profiles.

About an hour earlier, we had fixed a clustering issue where the network name was in a failed state.  After checking the event logs, it was obvious that the disaster recovery machine was stealing the network name after an SCR failover was tested.

Event Type: Error
Event Source: ClusSvc
Event Category: Network Name Resource
Event ID: 1214
Date: 10/31/2006
Time: 7:30:45 AM
User: N/A
Computer: NODE1
Description:

Cluster Network Name resource 'Network Name (EXCHANGE)' cannot be brought online because the name could not be added to the system for the following reason: You were not connected because a duplicate name exists on the network. Go to System in Control Panel to change the computer name and try again.

Event Type: Error
Event Source: NetBT
Event Category: None
Event ID: 4321
Date: 10/31/2006
Time: 7:45:23 AM
User: N/A
Computer: NODE1
Description:

The name "EXCHANGE          :20" could not be registered on the Interface with IP address XXX.XXX.XXX.XXX. The machine with the IP address XXX.XXX.XXX.XXX did not allow the name to be claimed by this machine.


We had rebooted the SCR server to get Exchange up and working, but we had neglected to shut it down until it could be cleaned up.  The problem is that it came back up and caused problems with Exchange authentication, generating a number of Kerberos errors.  Upon checking, a coworker noticed that the DCs weren't showing up as accessible in the EMC.  After shutting down the SCR node completely and failing Exchange over, the DCs repopulated and OWA worked.  The moral of the story is don't leave your SCR failbacks in an incomplete state, or you get the fun task of scheduling a new maintenance window to perform clean-ups.

Tuesday, November 11, 2008

Warning 2601, errors 2604 and 2501

Recently we received the following errors on a client:

Warning 2601, errors 2604 and 2501 -- In the event viewer.

A series of things can fix this issue.

1.  Verify the Exchange server(s) are members of the "Exchange Servers" and "Exchange Install Servers" groups.  Verify that these groups have the manage/audit rights in the default domain policy (under Local Policies -> User Rights Assignment).

2. It could be related to the order Exchange services start up.  I think this was the right order:

"Microsoft Exchange Active Directory Topology Service" 
"Microsoft Exchange Anti-spam Update" 
"Microsoft Exchange EdgeSync" 
"Microsoft Exchange File Distribution" 
"Microsoft Exchange IMAP4" 
"Microsoft Exchange Information Store" 
"Microsoft Exchange Mail Submission" 
"Microsoft Exchange Mailbox Assistants" 
"Microsoft Exchange POP3" 
"Microsoft Exchange Replication Service" 
"Microsoft Exchange Search Indexer" 
"Microsoft Exchange Service Host" 
"Microsoft Exchange System Attendant" 
"Microsoft Exchange Transport" 
"Microsoft Exchange Transport Log Search" 
"Microsoft Search (Exchange)" 

3. The one that actually fixed the issue for me was to simply restart the Net Logon service and the "Microsoft Exchange Active Directory Topology Service."

Monday, November 10, 2008

Cannot enable a user for Communications Server


Why can't I enable users for Communications Server?  The option doesn't show up.


I have found that when I try to enable users on an x64 box, the option doesn't show up.  You must run it as 32-bit with:

dsa.msc -32

Wednesday, November 5, 2008

ESEUTIL - Maintenance and Recovery

ESEUTIL can provide a number of database functions including defrags and repairs.  I will be quickly covering a few of the more important tasks/scenarios.

ESEUTIL is in "C:\Program Files\Microsoft\Exchange Server\Bin" by default, and the rest of the commands I show run from this directory.

OFFLINE DEFRAG
-------------------------------
Offline defrags, under normal circumstances, do not need to be run.  This is because online maintenance typically does a good job of keeping things in order.  It may not get everything cleaned up, but what little it misses typically gets grown into anyway.  The need comes in when a chunk of users gets deleted, or if you have to add a very large quantity of users.

Steps:

Determine White Space

a. eseutil /ms c:\exchange\data\sg1\mb1.edb

**Must be run on a database that is not mounted**

b. Check event 1221 in the event log.

Once you determine that you have enough white space to warrant an offline defrag..

Run the Defrag

eseutil.exe /d c:\EXCHSRVR\mdbdata\SG1MS1.edb 

DATABASE IN AN INCONSISTENT STATE
------------------------------------------------------------------------

Steps:

a. Check current state:

eseutil.exe /mh C:\exchange\data\SG1\MB1.edb

Notice how the database is in a Dirty Shutdown state?

b. Typically to recover from this, we need only run a variation of the following command:

eseutil /r E00 /d "C:\Exchange\Data\SG1\MB1.edb" /l "c:\exchange\logs\sg1"

As shown below, this did the trick.


c.  If this didn't work, we may need to fall back on a full repair.  This is typically only used if log files are missing, the database is corrupt, or some other catastrophic event has occurred.  It is executed by using the /P switch instead, and basically it tosses any pages that it does not perceive as fixable.  According to Microsoft, you should follow this up with an isinteg.exe run, but I've been told by enough people that it is bad mojo to keep me shying away from it unless I have to.

Other ESEUTIL functions are more informational, such as /G, /M and /K.

You can reference the official Microsoft site for eseutil here.

Friday, October 31, 2008

Chrome Privacy Guard

"Google's new browser "Chrome" has raised a big wave of people that mistrust the new browser. A big point for this is the unique ID that will be assigned to the user's installation of Chrome. Because of that I wrote a small tool that automatically deletes the unique Client ID before each run of Google Chrome."


You can check it out here.

Tuesday, October 28, 2008

OWA Loop Back to Login Page Issue

After the installation of Rollup 4 there were issues getting to OWA on one of the CAS servers; 404 errors were received.  After re-registering ASP.NET with IIS via:

%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i

we received an error to check the ASP log.  In the log, it was trying to create aspnet_client, which did not exist on the CAS server that was not functioning.  We changed the home directory to c:\inetpub\wwwroot, re-registered, and ran iisreset.  The folder was created successfully.  After changing the redirect back to OWA as per their configuration, the login form came up again.

Upon trying to log in to OWA, however, we were presented with a new problem.  OWA would log in, but then boot the user right back to the FBA login page.  To solve this issue, all it took was recreating the OWA virtual directory with the following commands:

Remove-OwaVirtualDirectory -identity "CASSERVER\owa (Default Web Site)"


New-OWAVirtualDirectory -OWAVersion "Exchange2007" -Name "CASSERVER\owa (Default Web Site)"

Reset IIS again (iisreset)..

Users are now able to log in to OWA on this CAS server.  Now all that was left to do was re-enable NLB for the front-end cluster, change the authentication settings back, change back the default domain, and reset the internal/external OWA addresses.

Sunday, October 26, 2008

Microsoft Critical Security Release - MS08-067

http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

New Security Bulletin Technical Details


Identifier

MS08-067

Severity Rating

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008.

Impact of Vulnerability

Remote Code Execution

Detection

Microsoft Baseline Security Analyzer can detect whether your computer system requires this update.

Affected Software

All currently supported versions of Windows

Restart Requirement

The update requires a restart.

Removal Information

- For Windows 2000, Windows XP, Windows Server 2003: Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility

- For Windows Vista and Windows Server 2008: WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.

Bulletins Replaced by This Update

MS06-040 is superseded on these operating systems: Windows 2000 SP4, Windows XP SP2, Windows XP X64, Windows Server 2003 SP1, Windows Server 2003 X64, Windows Server 2003 SP1 for Itanium-based Systems.

Full Details:

http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx


To summarize.. Go update if you haven't already.

Thursday, October 23, 2008

Journaling + Archive = Ideal Litigation Searches -- Part 3 ?

Some notes when installing journaling with archiving..this is sort of a part 3 to my previous two posts.

The more journaling mailboxes you utilize, the more you can take advantage of Archive Attender multithreading.  It is hard capped at one thread per mailbox, though.  In order to ensure archiving keeps up in the event of a failure (especially if you are using a single journal mailbox), a good idea is to have tiered archiving policies, as sort of layered message traps by date:

An example of the policy to be on the front line would be:

Other policies would be between dates, with the final policy applying to anything older than the second to last policy's criteria.

I've noticed significant improvement once policies were added.  This method also sort of safeguards you against backlogs by already having a system in place to deal with them.

If you are bent on journaling at the Hub Transport level, you may want to at least split internal and external mail into two different mailboxes.  If you are journaling at the database level, then you could go as far as to have a separate journal mailbox for each database.

Tuesday, October 21, 2008

Not enough storage is available to complete this operation

I realize this is a rudimentary issue, but I saw it in my notes and remembered how annoying it was.

"Not enough storage is available to complete this operation"

Here is the registry key to quickly eliminate this annoying bugger:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
"MaxTokenSize"=dword:0000ffff

Monday, October 20, 2008

Quotes

Though I've tried to make this blog as professional as possible by leaving off most personal info, I've decided to start leaving quotes of the | time period | up in the upper right hand corner. I have no plans to leave a history, so if you catch it you catch it.  I say "time period" because I refuse to commit to daily changes. 

I'm jaded, bitter, approachable, identifying across lines, smart enough to realize everyone has an agenda, dumb enough to no longer care, and hiding in plain sight.  Enjoy.

Adding Trusted Sites - Unblocked Downloads

At times you'll need to add your domain to the Trusted Sites zone and allow it to launch items.  This is necessary to avoid the annoying pop-up blocking that occurs when opening archived messages (especially if you do so frequently).  To get around this you can do the following:


1. Create a reg file out of the text between the lines.  Be sure to replace domain.net with yours.

--------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\domain.net]
"https"=dword:00000002
--------------------

Running this will add your domain to the trusted zones. 


2.  You can then make the change under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2

Zone 2 = Trusted Sites

Value data for 2200:
0 - Automatic prompting for file downloads is Enabled
3 - Automatic prompting for file downloads is Disabled

Value data for 2201:
0 - Automatic prompting for ActiveX controls is Enabled
3 - Automatic prompting for ActiveX controls is Disabled



Now instead of getting this:

You'll get this right away:

Friday, October 17, 2008

Exchange SP1 Rollup 4

Here is the link with the changes:

http://support.microsoft.com/?kbid=952580

My particular favorites are:

949512
950076
952152


That is all.

Thursday, October 16, 2008

How to Publish More Free Busy Data

It has been a bit since I posted, so I figured I'd toss out some easy fodder for those that don't know (which seems to be a lot more than I thought initially).

Unfortunately there is no quick, easy server-side change to publish more free/busy data for a user.  It is a client-side setting.  The setting itself can be set this way:

Tools -> Options ->Calendar Options-> Free/Busy Options -> Permissions Tab -> Other Free/Busy.. -> Modify the number of months to publish.


Being a client-side change, if you want to roll it out on a mass scale you'll either have to build it into your ghost images, or roll out a GPO/login script.  I went to find the exact one, and ran across the Exchange team's blurb on it:

http://msexchangeteam.com/archive/2004/06/10/152698.aspx 

Tuesday, October 7, 2008

A Good Summary For Explaining Databases/Logs

This.

Mail.que Issues - White Space, Defrags, etc

What is the Mail.que?

The Mail.que is an ESE database that acts as the transport queue on your Exchange 2007 server (Hub Transport or Edge Transport roles only).

Why would I need to run maintenance/fix issues with mail.que?

Issues can arise with the mail.que file getting very large and fragmented.  This can cause problems ranging from performance issues to a full-blown outage of an Exchange environment.  This scenario can come about from multiple avenues, but a couple of the seemingly more common culprits are email blasts (especially with a large attachment) or a database that has not been maintained.

If my mail.que file gets large/fragmented, how do we rein it in?

Prerequisites:

1.  You must be at least an Exchange Server Administrator. (Local admin on the Edge Transport server).

2.  Per Microsoft, the following rights must exist to the mail.que:

Network Service: Full Control
System: Full Control
Administrators: Full Control

3.  If you are planning to restore the mail.que file to another transport server, that server must have the same roles as the server you are taking it from.  Mail delivery issues can arise if this is not the case, or if that server is located in a different AD forest (in which case you may have to resubmit through the categorizer).


Now that the prereqs are out of the way, we can begin to repair the database.


Step 1:  Locate the database.  

Unless you've changed the location, the database should reside at "C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue" on a Hub Transport server. 

You can find the location on an Edge Server in the EdgeTransport.exe.config file under C:\Program Files\Microsoft\Exchange Server\Bin.  Look for the 'QueueDatabasePath' and 'QueueDatabaseLoggingPath' values.


Step 2: Move the database out.

Stop the MSExchangeTransport service, then move the following files to a temporary location: Mail.que, Trn.chk, Temp.edb, Trn.log, Trnnnn.log, Trnres00001.jrs, Trnres00002.jrs, and Trntmp.log.

Upon restarting the MSExchangeTransport service, a new mail.que will be created so mail can continue to flow.


Step 3: Recovering/Maintaining the Database

Open a command prompt and navigate to the directory where you moved the database to.

eseutil.exe /r Trn /d

This command will run a recovery against the database.  You could run this from another location, but you'd have to specify where the database exists after /d.  Either way works.

eseutil /d mail.que

This command will defrag the database and rid it of any white space that has ballooned it up, thus increasing performance and/or resurrecting it.


Step 4:  Prepare for reinsertion of the old mail.que.

The first thing we need to do is to pause the queues via:

net pause MSExchangeTransport

This will stop the flow into the queues and deliver all current mail.

Just to make sure the queues are clear before we continue, let's have a look.

Via Get-Queue in the Exchange Management Shell:

Via Exchange Management Console:

It would probably be a good idea to resubmit your unreachable queues, though this is optional. 

If you want to, MS provides us the following command to do so:

Retry-Queue -Identity "Unreachable" -Resubmit $True

You can recover your poison queues too, though I personally don't usually bother.

Step 5:  Reinjection.

Now all we have to do is reinsert the old mail.que.  Stop the MSExchangeTransport service, copy the old files back in, and Start MSExchangeTransport.  

This is the part where I stray from the MS plan.  I would recommend going back to Step 4 and letting the queues drain out again.  Once they are empty, stop the MSExchangeTransport service, delete the mail.que database, and restart the MSExchangeTransport service, letting the mail.que database recreate itself.  The reason I say to do this is that a colleague of mine had an issue using the original mail.que file.  It suffered corruption, and would balloon back out to upwards of 7 GB with no real data in it to speak of!  This type of behavior could bring the Exchange system to its knees.  I'd just as soon start with a fresh slate.

Friday, October 3, 2008

Scripts to Create Archive Attender Service Account

Save this one as usercreation.vbs or something along those lines:

'Creates ArchiveUser in the Archive OU and assigns a password


Option Explicit
Dim objRootLDAP, objContainer, objUser, objWshNet
Dim strUser, strName, strContainer, strPassword, strDescription, strDomain, strLogon, strLastName, strDisplayName

'Variables
Set objWshNet = CreateObject("WScript.Network")
strUser = "ArchiveUser"
strName = "Archive"
strContainer = "OU=Archive,"
strPassword = "Password"   'Replace with a strong password before running
strDescription = "Archive Attender Service Account"
strLogon = "ArchiveUser"
'Automatically pulls Domain
strDomain = objWshNet.UserDomain
strLastName = "Archive"
strDisplayName = "ArchiveUser"

'Gets you bound to AD
Set objRootLDAP = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & strContainer & _
    objRootLDAP.Get("defaultNamingContext"))

'Performs user creation (the object's name comes from the cn in the RDN, so it is not Put separately)
Set objUser = objContainer.Create("User", "cn=" & strUser)
objUser.Put "sAMAccountName", strUser
objUser.Put "givenName", strName
objUser.Put "sn", strLastName
objUser.Put "userPrincipalName", LCase(strLogon) & "@" & strDomain
objUser.Put "displayName", strDisplayName
objUser.Put "description", strDescription
objUser.SetInfo

'Set the password and do not force a change of password on first login
objUser.SetPassword strPassword
objUser.Put "pwdLastSet", CLng(-1)
objUser.SetInfo

'Enable the user account: NORMAL_ACCOUNT (512) plus DONT_EXPIRE_PASSWD (&H10000).
'The flags must be combined into one value; writing &H10000 on its own would drop NORMAL_ACCOUNT.
objUser.Put "userAccountControl", 512 Or &H10000
objUser.SetInfo

WScript.Quit



Now that we have a user, let's give them local admin rights.  You can name this localadmin.vbs or something like that:

Option Explicit
Dim objWshNet, objGroup, objUser, strDomain, strComputer, strUser

Set objWshNet = CreateObject("WScript.Network")
strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName
'Bind to the local Administrators group on this machine through the WinNT provider
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

strUser = "ArchiveUser"
'Bind to the domain account; the WinNT provider takes the NetBIOS domain name, which is what UserDomain returns
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

'Add the user to the group only if it is not already a member
If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add(objUser.ADsPath)
End If


We now have a user with local admin rights.   What about Exchange rights though?  


For Exchange 2007:

Create this script and name it ExchangeRights.ps1:

Add-ExchangeAdministrator -Identity ArchiveUser -Role OrgAdmin
# Send As / Receive As on every mailbox server; piping handles more than one server, whereas indexing a single $server variable does not
Get-MailboxServer | Add-ADPermission -User ArchiveUser -ExtendedRights "Send As", "Receive As"
# Full control plus store administration on every mailbox database
Get-MailboxDatabase | Add-ADPermission -User ArchiveUser -AccessRights GenericAll -ExtendedRights "Send As", "Receive As", "MS-EXCH-STORE-ADMIN"

For Exchange 2003:

First enable the security tab to be displayed in ESM via this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin

Add:
Value Name: ShowSecurityPage
Data Type: REG_DWORD
Value: 1


Once that is done, you need only go to the org level in ESM and add full rights for your new account (be sure to include Send As / Receive As).  If it isn't working, check that you didn't inadvertently add the user to Domain Admins: Domain Admins (and Enterprise Admins) carry an explicit deny for Send As / Receive As at the org level as part of Microsoft's security push, and an explicit deny on a group wins over an allow granted to one of its members.

If you do not want to set permissions at the org level, you can set them further down so long as they apply to all the users/databases you wish to process against.  Keep in mind what the grant amounts to: Receive As on a database is read access to every mailbox in it, so scope the grant to the databases the archiving job actually touches where you can, and protect this account's password as you would a domain administrator's.
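As an added example (not part of the original post, and not the archiving product's own tooling), the PowerShell below checks the account the two VBScripts create against the pitfalls above: the userAccountControl bits, a pwdLastSet that would force a password change, a UPN suffix that is really the NetBIOS name, and membership (direct, nested or primary group) in Domain Admins or Enterprise Admins, the groups that carry the explicit Send As / Receive As deny. It assumes the account is called ArchiveUser and that it runs on a domain-joined machine as a user who can read AD; the Exchange portion only runs when the Exchange Management Shell cmdlets are loaded. Everything here is read-only.

```powershell
# Read-only checks on the archive service account (added example; assumes the name ArchiveUser)
$sam = "ArchiveUser"

# userAccountControl bits that matter for a service account
$ACCOUNTDISABLE     = 0x0002
$PASSWD_NOTREQD     = 0x0020
$NORMAL_ACCOUNT     = 0x0200
$DONT_EXPIRE_PASSWD = 0x10000

function Test-ServiceAccount([string]$SamAccountName) {
    $findings = @()
    $root = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "userAccountControl", "pwdLastSet", "userPrincipalName"))
    $r = $searcher.FindOne()
    if ($r -eq $null) { return @("Account $SamAccountName was not found") }

    $dn  = [string]$r.Properties["distinguishedname"][0]
    $uac = [int]$r.Properties["useraccountcontrol"][0]
    $pls = [long]$r.Properties["pwdlastset"][0]
    $upn = [string]$r.Properties["userprincipalname"][0]

    if (($uac -band $NORMAL_ACCOUNT) -eq 0)     { $findings += "NORMAL_ACCOUNT (512) is not set: the enable step was overwritten by a later Put" }
    if (($uac -band $ACCOUNTDISABLE) -ne 0)     { $findings += "Account is disabled" }
    if (($uac -band $PASSWD_NOTREQD) -ne 0)     { $findings += "PASSWD_NOTREQD is set: a blank password would be accepted" }
    if (($uac -band $DONT_EXPIRE_PASSWD) -eq 0) { $findings += "Password expires: the archive job will stop when it does" }
    if ($pls -eq 0) { $findings += "pwdLastSet is 0: the account must change its password at next logon, which a service cannot do" }
    if ($upn -notmatch '@[^@]+\.[^@]+$') { $findings += "UPN '$upn' has no DNS-style suffix (WScript.Network.UserDomain returns the NetBIOS name)" }

    # tokenGroups lists every group the logon token will contain, including nested groups and the primary group.
    # Domain Admins (RID 512) and Enterprise Admins (RID 519) are the groups with the explicit Send As / Receive As deny.
    $user = [ADSI]("LDAP://" + $dn)
    $user.psbase.RefreshCache([string[]]@("tokenGroups"))
    foreach ($sidBytes in $user.psbase.Properties["tokenGroups"]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sidBytes, 0)
        if ($sid.Value -match '-(512|519)$') {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $findings += "Member (directly or nested) of $name, which is explicitly denied Send As / Receive As"
        }
    }
    return $findings
}

# Exchange side: list every explicit deny for Send As / Receive As on the mailbox databases,
# so you can see which group an allow for ArchiveUser would be fighting against
function Get-StoreDenyAces {
    if ((Get-Command Get-MailboxDatabase -ErrorAction SilentlyContinue) -eq $null) { return }
    Get-MailboxDatabase | Get-ADPermission |
        Where-Object { $_.Deny -and ("$($_.ExtendedRights)" -match "Send|Receive") } |
        Select-Object Identity, User, ExtendedRights
}

$result = @(Test-ServiceAccount $sam)
if ($result.Count -eq 0) { "OK: $sam passes the account checks" } else { $result }
Get-StoreDenyAces | Format-Table -AutoSize
```

The membership test uses tokenGroups rather than memberOf on purpose: memberOf shows only direct membership, and the deny applies just as much to an account that reaches Domain Admins through a nested group or its primary group.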

DPM - Consistency Checking Versus SLAs

There can sometimes be issues meeting SLAs while using DPM within tight constraints.  The problem is that while consistency checking is essential, the regular scheduled synchronizations for that data source do not run while a consistency check is in progress.

"Synchronization with consistency check, also referred to as “a consistency check,” is the process by which DPM checks for and corrects inconsistencies between a protected volume and its replica. As part of the synchronization process, a consistency check performs block-by-block verification to ensure that all the data on the replica is consistent with the protected data. This process is slower than incremental synchronization because all the data on the replica is compared rather than just applying the data changes to the replica."


Example:

Let's say your SLA is very tight, such as the ability to restore to within the last 30 minutes.  We set up a 30 minute synchronization in DPM, which in itself isn't bad (though it seems to be more commonly set around 3-4 hours).  The issue comes when the consistency check runs, which could take, for example, 1.5-2 hours.  That is at least 3 missed synchronizations, which breaks the SLA.

The only methods I am aware of to somewhat work around this would be to modify the SLA, or manually schedule consistency checks.

Thursday, September 25, 2008

Using LDIFDE & ADSIEdit to Verify Recipient Policies

Originally I wanted to run something like this:

ldifde -f C:\test.txt -t 3268 -s DC.domain.com -j C:\ -r "(&(|(mailnickname=*)(objectClass=user))(|(homeMDB=*)(msExchHomeServerName=*))(userPrincipalName=*@domain.com))" -l "msExchPoliciesIncluded"

Unfortunately userPrincipalName doesn't play nicely with "msExchPoliciesIncluded."  I'm guessing this is the case with more than one user-defined attribute.  Note that the two commands also differ in where they query: the first uses -t 3268, the global catalog port, and a GC returns only the attributes in the partial attribute set, so an attribute coming back empty from the GC is not by itself evidence that the filter is at fault.  Rerun against port 389 before changing the filter.  Example output:

dn: CN=sname\, gname,OU=Users-Company,OU=User,DC=Corp,DC=com
changetype: add


If we change it to reflect only objectclass=user:

ldifde -f C:\test.txt -s DC.domain.com -j c:\ -r "(&(objectClass=user)(homeMDB=*))" -l "msExchPoliciesIncluded"

It pulls this as example:

dn: CN=sname\, gname,OU=User,DC=domain,DC=Corp,DC=com
changetype: add
msExchPoliciesIncluded:
 {86129EE7-F6C7-4CE2-9549-C242356184C6},{3B6813EC-CE89-42BA-6F11-D87D4AA30DBC}
msExchPoliciesIncluded:
 {7DF5DEB4-C2EA-4920-BC8C-5342BC1E95E6},{26491CFC-4EB1-4857-861B-0CB8DF22B5D7}

Each value is a pair: the objectGUID of the recipient policy object (found under CN=Recipient Policies in the configuration partition) followed by the GUID of the policy type that policy applies.  You can also find this on the user object in ADSIEdit to verify:
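As an added example (not part of the original post), the PowerShell below runs the same query as the ldifde command that worked, but over System.DirectoryServices so that each policy GUID in msExchPoliciesIncluded can be resolved to the recipient policy's name, and so the port-389 result can be compared with the global catalog. It assumes it runs on a domain member as a user who can read the configuration partition. The two policy-type GUIDs in the table are the ones that appear in the output above; their labels are the Exchange 2003 well-known values and should be treated as an assumption to confirm against your own CN=Recipient Policies container.

```powershell
# Resolve msExchPoliciesIncluded to policy names over LDAP, and compare LDAP (389) with the GC (3268).
# Added example; the two policy-type labels are assumed (Exchange 2003 well-known values), confirm them in your org.
$root     = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$root.defaultNamingContext
$configNC = [string]$root.configurationNamingContext

$policyTypes = @{
    "26491CFC-4EB1-4857-861B-0CB8DF22B5D7" = "E-mail Addresses"
    "3B6813EC-CE89-42BA-6F11-D87D4AA30DBC" = "Mailbox Manager"
}

function New-Row([string]$User, [string]$Policy, [string]$Type) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty User $User
    $o | Add-Member NoteProperty Policy $Policy
    $o | Add-Member NoteProperty Type $Type
    return $o
}

# Map each recipient policy's objectGUID to its name, read from the configuration partition
function Get-RecipientPolicyNames {
    $names = @{}
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]("LDAP://" + $configNC))
    $s.Filter = "(objectClass=msExchRecipientPolicy)"
    [void]$s.PropertiesToLoad.AddRange([string[]]@("cn", "objectGUID"))
    foreach ($p in $s.FindAll()) {
        # objectGUID is 16 raw bytes; System.Guid uses the same byte order, so this yields the text form stored in msExchPoliciesIncluded
        $guid = New-Object Guid (,[byte[]]$p.Properties["objectguid"][0])
        $names[$guid.ToString().ToUpper()] = [string]$p.Properties["cn"][0]
    }
    return $names
}

# One row per (mailbox-enabled user, policy) under the given search base (LDAP:// or GC://)
function Get-PolicyAssignments([string]$SearchBase, [hashtable]$PolicyNames) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $s.Filter   = "(&(objectClass=user)(homeMDB=*))"   # the filter that returned the attribute for the author
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "msExchPoliciesIncluded"))
    foreach ($r in $s.FindAll()) {
        $dn     = [string]$r.Properties["distinguishedname"][0]
        $values = @($r.Properties["msexchpoliciesincluded"])
        if ($values.Count -eq 0) { New-Row $dn "(attribute not returned)" ""; continue }
        foreach ($v in $values) {
            # Each value is "{policy objectGUID},{policy type GUID}"
            $parts = (([string]$v) -replace "[{}]", "").Split(",")
            if ($parts.Count -lt 2) { New-Row $dn ("malformed value " + $v) ""; continue }
            $policy = $PolicyNames[$parts[0].ToUpper()]
            if (-not $policy) { $policy = "unknown policy " + $parts[0] }
            $type = $policyTypes[$parts[1].ToUpper()]
            if (-not $type) { $type = "unknown type " + $parts[1] }
            New-Row $dn $policy $type
        }
    }
}

$names   = Get-RecipientPolicyNames
$viaLdap = @(Get-PolicyAssignments ("LDAP://" + $domainNC) $names)
$viaGC   = @(Get-PolicyAssignments ("GC://" + $domainNC) $names)

$viaLdap | Format-Table User, Policy, Type -AutoSize
$missingLdap = @($viaLdap | Where-Object { $_.Policy -eq "(attribute not returned)" }).Count
$missingGC   = @($viaGC   | Where-Object { $_.Policy -eq "(attribute not returned)" }).Count
"Users with no msExchPoliciesIncluded via LDAP/389: $missingLdap; via GC/3268: $missingGC"
"If the GC count is higher, the attribute is not in the partial attribute set and -t 3268 is the culprit, not the filter"
```

A user with no row for the E-mail Addresses type is one the recipient policy has never been applied to, which is usually what you are looking for when addresses are missing.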

Tuesday, September 23, 2008

WM 6.1 - MOTO Q9h

I was a day or so behind my coworker Jeremy Phillips in upgrading my MOTO Q.  A couple of good points are the threaded text messages and the soft delete key for email (I've REALLY been wanting this).  You should check out his blog posting on this @ http://jeremyphillips.org/?p=176, as it has a couple of pretty screenshots to illustrate the changes a little better.

I differ with Jeremy in that my phone seems a bit slower now, whereas his seemed faster.  I speak primarily of basic functionality though, whereas he may have been coming from a purely ActiveSync perspective.  The only difference I can tell right off the bat is that my phone is a Q9h and his is a Q9c.  I haven't put in the appropriate research to really decipher the major differences between my AT&T Moto Q and my colleague's Sprint doppelganger.  Here are the specs though:

MOTO Q9h (AT&T):

* Ultra-slim: 11.8 mm thick
* QWERTY keyboard and large, crisp display
* Quad-band GPRS/EDGE
* Video capture and playback at 30 fps
* HSDPA for fast data transfers, streaming media and web browsing
* Connectivity: EMU, USB 2.0 full-speed transfers and data access
* Class 2 Bluetooth (A2DP, AVRCP stereo) for compatible Bluetooth stereo devices
* Messaging via MMS, SMS, instant messaging and Windows Outlook Mobile
* Audio formats: AMR NB, AMR WB, WMA, MP3, AAC, AAC+, eAAC+, WAV, MIDI
* Video formats: H.263, MPEG4, WMV, H.264 decode
* Up to 2 GB of optional removable storage via microSD
* 2.0 megapixel camera with digital zoom and LED photo indicator light
* Productivity features: Opera browser, attachment viewer/editor, voice recognition, file manager, voice notes, VPN capability and anti-virus protection

MOTO Q9c (Sprint):

* Network: CDMA dual band (800/1900 MHz); data: CDMA2000 1xRTT / 1xEV-DO rev. 0; 3G support
* Size: 4.6 x 2.5 x 0.5 in (117 x 65 x 11.9 mm); weight 4.8 oz (135 g)
* Battery: 1170 mAh; 4.55 hours (273 min) talk time; 212 hours (9 days) standby
* Main display: 320 x 240 pixels, 65,536-color TFT, 2.4 in
* Camera: 1.3 megapixels; video; flash, 8x digital zoom
* Multimedia: video H.263, MPEG4, WMV, H.264; music MP3, AAC, AAC+, eAAC+, WAV, WMA; Windows Media Player 10
* Memory slot: miniSD
* Smartphone: Windows Mobile for Smartphones 6.0 Standard; Intel StrongArm processor; 256 MB flash, 96 MB RAM
* Input: predictive text; full QWERTY keyboard
* Connectivity: miniUSB 2.0; 2.5 mm headset jack
* Other: phonebook (capacity depends on system memory; multiple numbers per contact, picture ID, ring ID); PIM (alarm, calendar, calculator, to-do, notes); voice dialing, commands, recording, speakerphone; aGPS


Sunday, September 21, 2008

Tricking Exchange - A Different Database Move

The issue arose of moving a database to a new location.  Now there are built-in commands for this:

FOR LOGS:
Move-StorageGroupPath -Identity SERVER\StorageGroup -LogFolderPath X:\PathToLogFiles -SystemFolderPath X:\SystemFolderPath

FOR DATABASES:
Move-DatabasePath -Identity SERVER\StorageGroup\MailboxStore -EdbFilePath X:\PathToDatabase\MailboxStore.edb

(-EdbFilePath takes the full path of the .edb file, not just the folder.)

The problem was that we wanted to specifically use eseutil to move the databases.  We used eseutil to push a good copy over, however, we couldn't repoint the database without Exchange trying to copy it over.  I believe you can repoint the registry, but we opted to just trick Exchange in a manner of speaking.  Due to size constraints, we created a new empty database, ran the above command to move it, then deleted the new database and replaced it with the eseutil copied one.  This mounted up and worked great.

Move-DatabasePath also has a -ConfigurationOnly switch that changes the stored path without touching the files, which is the supported way to repoint a database you have already copied with eseutil.  Whichever route you take, the database has to be dismounted (and therefore in Clean Shutdown) before the copy, and keep the original file until the database has mounted from its new location.

An alternative to the normal methods of moving it over if you have odd circumstances to work under.
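As an added example (not the author's procedure, and not Microsoft's documentation), the Exchange Management Shell sequence below reaches the same end state by copying the file with eseutil and then using -ConfigurationOnly to repoint Exchange, with a check that the copy is in Clean Shutdown before anything is changed. The database name SERVER\StorageGroup\MailboxStore and the new path X:\Exchange\MailboxStore.edb are assumed placeholders.

```powershell
# Move a mailbox database file with eseutil and repoint Exchange without a second copy (added example).
# Assumed names: the database SERVER\StorageGroup\MailboxStore and the new path X:\Exchange\MailboxStore.edb.
$db      = "SERVER\StorageGroup\MailboxStore"
$newPath = "X:\Exchange\MailboxStore.edb"
$oldPath = (Get-MailboxDatabase -Identity $db).EdbFilePath.PathName

# 1. Dismount so the file is closed and written out in Clean Shutdown
Dismount-Database -Identity $db -Confirm:$false

# 2. Copy with eseutil /y (the streaming copy mode built for large database files)
$dir = Split-Path -Parent $newPath
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
& eseutil /y $oldPath /d $newPath
if ($LASTEXITCODE -ne 0) { throw "eseutil copy failed with exit code $LASTEXITCODE; nothing has been changed in Exchange" }

# 3. Refuse to go further unless the copy's header says Clean Shutdown (a Dirty Shutdown copy will not mount)
$header = & eseutil /mh $newPath
if (-not ($header -match "State:\s*Clean Shutdown")) { throw "Copied database is not in Clean Shutdown; leaving the old path in place" }

# 4. Repoint the stored path only; -ConfigurationOnly tells Move-DatabasePath not to touch the files
Move-DatabasePath -Identity $db -EdbFilePath $newPath -ConfigurationOnly -Confirm:$false

# 5. Mount from the new location and confirm before deleting the old file
Mount-Database -Identity $db
Get-MailboxDatabase -Identity $db -Status | Format-List Name, Mounted, EdbFilePath
```

The old .edb is deliberately left where it was; delete it only after step 5 shows Mounted set to True and users can open their mailboxes.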

Thursday, September 18, 2008

Synchronization Errors - 0x80190193 / 0x8004010F

12:11:28 Synchronizer Version 11.0.8200
12:11:28 Synchronizing Mailbox 'Kym Thomas'
12:11:28 Done
12:11:28 Microsoft Exchange offline address book
12:11:28        0X8004010F

AND

9:44:33 Synchronizer Version 12.0.6315
9:44:33 Synchronizing Mailbox 'Paul Morris'
9:44:33 Done
9:44:35 Microsoft Exchange offline address book
9:44:35 0X80190193

These are commonly caused by the "Require SSL" check box being set on the OAB virtual directory while the OAB URL handed to Outlook is still http://.  0x80190193 is the BITS error for an HTTP 403 (Outlook 2007 fetches the OAB with BITS, so IIS refusing the non-SSL request surfaces as this code), and 0x8004010F is MAPI_E_NOT_FOUND, reported when Outlook cannot find the OAB it was pointed at.  Clearing the check box requires an iisreset before the change takes effect.

Tuesday, September 16, 2008

Azaleos Blog Note

Checking the Azaleos blog link on the right-hand side can be good for extra information about my business and my coworkers.  I also post some entries there that I don't post here.

Exchange 2007 Certificate Install with Autodiscover

Generate the CSR

New-ExchangeCertificate -GenerateRequest -Path c:\SANCERT.txt -SubjectName "c=US, l=City, s=Washington, o=company, cn=mail.company.com" -DomainName www.mail.company.com, autodiscover.company.com, mailarchive.company.com -PrivateKeyExportable:$true

This will create a CSR text file that is sent to the third-party certificate issuer.  -PrivateKeyExportable:$true is what lets you later export the certificate together with its key to another CAS or Edge server; it also means anyone who administers this server can export the private key, so leave it at the default ($false) unless you actually need the export.

EXAMPLE (yes it is fake; a real request written by New-ExchangeCertificate begins with -----BEGIN NEW CERTIFICATE REQUEST-----):

-----BEGIN CERTIFICATE-----
...foipeEFOPifPEFOIEIOFpOPEFb+Rkgso
z38mcr83UL88DtthcLPYY+BXkfmNv+sb4j1jfDiCO5wsHlL/s2pHhKIl485D31V/
e1VIQELus5tRACV1njH5JoLt6QnDXmZvwRBYJSUr+4vIx1ETDF80QsSvUm5CgruA
xofSeWcz4kxNiin9qWNWSZbC5L8D45+RebXOlr5dzp4Eye5lzAdx1eVAnLKTOm7n
Gli866BFG98yKjgNgX6kQWPgsZN0Oz7UmmkPMuhwuTBRBrya8/D55lC+vMHHkTnZ
1dTlipPYgkgxUXaPF3veQulaA88z1JKO/D7FykCc5tUBAIN7HfI=
-----END CERTIFICATE-----

Once they send it back to you, proceed to the next step.


Checking Certificate Properties

There are two things we need.  First, verify that the certificate has a valid private key: double-click the certificate and look at the bottom of the General tab for "You have a private key that corresponds to this certificate":

The next piece of information you'll need is the thumbprint, on the Details tab:

Importing the Certificate into Exchange

Import-ExchangeCertificate -Path <file returned by the CA>

This imports the certificate, matches it to the private key created with the request, and makes it available for use.  The cmdlet prints the certificate's thumbprint; the next step needs it.

 

Enable the Certificate

Enable-ExchangeCertificate -Thumbprint C45DD764DE2F36CD907FJSND7682970F1358 -Services "POP, IMAP, IIS, SMTP"

Confirm.
Overwrite existing default SMTP certificate,
'E38LKJS5766237D887DN7SJBF66192CF018801' (expires 9/7/2009 5:59:59 PM), with
certificate ' C45DD764DE2F36CD907FJSND7682970F1358' (expires 1/23/2009
4:59:59 PM)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):a

 

Confirm the Configuration

Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
C45DD764DE2F36CD907FJSND7682970F1358  IP.WS      CN=mail.company.com,...

I, P, W, S are the four services you enabled above: IMAP, POP, Web (IIS), SMTP.  The dot marks a service the certificate is not enabled for (in that position, Unified Messaging).

The certificate is now available for the messaging protocols and IIS.


Configure For Use With Autodiscover

**NOTE**

Wherever you see "Get-ClientAccessServer | Set-ClientAccessServer" you are getting all CAS servers and setting this on all of them.  If this is not what you want, perform a Get-ClientAccessServer and only set it on the ones you want by using "Set-ClientAccessServer -Identity SERVER".

Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.company.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "SERVER\EWS (Default Web Site)" -InternalUrl https://mail.company.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "SERVER\oab (Default Web Site)" -InternalUrl https://mail.company.com/oab

 

Get the Certificate in Use

Right click MSExchangeAutodiscoverAppPool in IIS, and then click 'Recycle'

 

Verify

Load up a web browser and browse to OWA.  Use the browser to check the certificate (usually a lock in the lower corner or next to the address bar) and confirm the name it presents is the one used in the URLs above.  Verify that OWA works, and that Autodiscover works in Outlook: hold Ctrl and right-click the Outlook icon in the lower right-hand corner (system tray), choose "Test E-mail AutoConfiguration", and check that the EWS and OAB URLs it returns are the https ones you just set.

To configure the Internet-facing side you can run the following command templates:

Enable-OutlookAnywhere -Server CASSERVER -ExternalHostname "mail.domain.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

Set-OABVirtualDirectory -Identity "CASSERVER\OAB (Default Web Site)" -ExternalUrl https://mail.domain.com/OAB -RequireSSL:$true

Set-UMVirtualDirectory -Identity "CASSERVER\UnifiedMessaging (Default Web Site)" -ExternalUrl https://mail.domain.com/UnifiedMessaging/Service.asmx -BasicAuthentication:$True

Set-WebServicesVirtualDirectory -Identity "CASSERVER\EWS (Default Web Site)" -ExternalUrl https://mail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$True

Basic authentication sends the password base64-encoded, so it is only acceptable here because every one of these endpoints is reached over SSL; with -SSLOffloading:$False the CAS itself enforces that.  If you set -RequireSSL:$true on the OAB directory, its InternalUrl must be https as well (it is in the commands above), otherwise internal clients fail the OAB download with 0x80190193 (see the synchronization errors post above).
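As an added example (not part of the original posts), the script below is a read-only check for the two failure modes this page runs into: an OAB virtual directory that requires SSL while still publishing an http:// URL (the 0x80190193 / HTTP 403 case in the synchronization errors post), and a URL whose host name is not on the certificate enabled for IIS (the same name mismatch that breaks Outlook Anywhere). It runs in the Exchange Management Shell and reads the names from the servers rather than assuming them; the "/rpc" path appended to the Outlook Anywhere host is only there so the host can be parsed as a URL.

```powershell
# Read-only check of client URLs against the IIS certificate and of OAB RequireSSL vs URL scheme (added example)
function New-Row([string]$Source, [string]$Url, $RequireSSL) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Source $Source
    $o | Add-Member NoteProperty Url $Url
    $o | Add-Member NoteProperty RequireSSL $RequireSSL
    return $o
}

# Every URL or host name a client can be handed, with the RequireSSL flag where the directory has one
function Get-ClientUrls {
    $rows = @()
    foreach ($cas in @(Get-ClientAccessServer)) {
        $rows += New-Row "$($cas.Name) Autodiscover" "$($cas.AutoDiscoverServiceInternalUri)" $null
    }
    foreach ($v in @(Get-WebServicesVirtualDirectory)) {
        $rows += New-Row "$($v.Server) EWS InternalUrl" "$($v.InternalUrl)" $null
        $rows += New-Row "$($v.Server) EWS ExternalUrl" "$($v.ExternalUrl)" $null
    }
    foreach ($v in @(Get-OABVirtualDirectory)) {
        $rows += New-Row "$($v.Server) OAB InternalUrl" "$($v.InternalUrl)" $v.RequireSSL
        $rows += New-Row "$($v.Server) OAB ExternalUrl" "$($v.ExternalUrl)" $v.RequireSSL
    }
    foreach ($oa in @(Get-OutlookAnywhere)) {
        if ("$($oa.ExternalHostname)" -ne "") {
            $rows += New-Row "$($oa.Server) Outlook Anywhere" "https://$($oa.ExternalHostname)/rpc" $true
        }
    }
    return $rows
}

# Exact match, or a wildcard entry that covers exactly one label
function Test-HostOnCertificate([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith("*.") -and ($HostName -like $n) -and ($HostName.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

# Whichever certificate currently carries the "W" (IIS) service
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
if ($iisCert -eq $null) { throw "No certificate is enabled for IIS; run Enable-ExchangeCertificate first" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })
"IIS certificate $($iisCert.Thumbprint) covers: " + [string]::Join(", ", $certNames)

$findings = @()
foreach ($row in @(Get-ClientUrls)) {
    if ($row.Url -eq "") { continue }
    $uri = [Uri]$row.Url
    if (($row.RequireSSL -eq $true) -and ($uri.Scheme -eq "http")) {
        $findings += "$($row.Source): RequireSSL is set but the URL is $($row.Url); the BITS download will get HTTP 403 (0x80190193)"
    }
    if (($uri.Scheme -eq "https") -and -not (Test-HostOnCertificate $uri.Host.ToLower() $certNames)) {
        $findings += "$($row.Source): host $($uri.Host) is not on the IIS certificate, so clients will see a name mismatch"
    }
}
if ($findings.Count -eq 0) { "OK: every client URL is on the certificate and no OAB directory mixes RequireSSL with http://" } else { $findings }
```

Run it once after Enable-ExchangeCertificate and once after the external commands above; a clean run means the name Outlook is told to connect to is one the certificate actually vouches for.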