Wednesday, October 28, 2009

The properties on [recipient] have invalid data. If you click OK, default values will be used...

A customer had a user with a mailbox throwing the following error whenever they tried to change a value:

The properties on [recipient] have invalid data. If you click OK, default values will be used instead and will be saved if you do not change them before hitting Apply or OK on the property page. If you click cancel, the object will be displayed read-only and corrupted values will be retained.

OK no problem, I'll just go in and get rid of anything that doesn't look right...wrong. The console wouldn't let me save the settings.
Apparently the storage quotas were such that the Prohibit Send Limit value was less than the Warning Limit. I was, however, unable to modify it in ADUC/DSA or in the EMC.

I attempted to change the value in EMS, but it threw the exact same error.

When finesse isn't enough, brute force wins. I opened ADSI Edit by launching adsiedit.msc from 'Run,' then navigated to where the user resided under Domain -> User OU, right-clicked, and clicked Properties. Sure enough, the EMC and EMS were lying to me:






I modified the values to what I wanted them to be:






Voila.. Invalid Data errors are gone.
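
One way to find other recipients with the same inverted quotas is to read the raw attributes from Active Directory, the way ADSI Edit does, instead of going through EMC/EMS (added example, not part of the original post). It assumes the standard Exchange quota attributes mDBStorageQuota (warning), mDBOverQuotaLimit (prohibit send) and mDBOverHardQuotaLimit (prohibit send and receive), all in KB; the post does not name the attributes, and the send/receive check goes beyond the single case described above.

```powershell
# Added example. Attribute names are the standard Exchange quota attributes
# (values in KB); the original post does not name them.

# Pure check: list the ordering violations for one set of quota values.
# Pass $null for an attribute that is not set on the object.
function Get-QuotaViolation {
    param($WarnKB, $SendKB, $SendReceiveKB)
    $problems = @()
    if ($WarnKB -ne $null -and $SendKB -ne $null -and $SendKB -lt $WarnKB) {
        $problems += "Prohibit Send ($SendKB KB) < Warning ($WarnKB KB)"
    }
    if ($SendKB -ne $null -and $SendReceiveKB -ne $null -and $SendReceiveKB -lt $SendKB) {
        $problems += "Prohibit Send/Receive ($SendReceiveKB KB) < Prohibit Send ($SendKB KB)"
    }
    $problems
}

# Read the first value of an attribute from a search result, or $null if absent.
function Get-FirstValue($Result, $Name) {
    if ($Result.Properties.Contains($Name)) { [long]$Result.Properties[$Name][0] } else { $null }
}

# Live audit: query AD directly and report every recipient with inverted quotas.
function Find-BadQuotaRecipient {
    param([string]$SearchRoot)   # optional, e.g. "LDAP://OU=Staff,DC=example,DC=com" (placeholder)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) {
        $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    }
    # Only objects that carry a per-recipient warning quota.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(mDBStorageQuota=*))"
    $searcher.PageSize = 500
    foreach ($a in "distinguishedname","mdbstoragequota","mdboverquotalimit","mdboverhardquotalimit") {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    foreach ($r in $searcher.FindAll()) {
        $bad = @(Get-QuotaViolation (Get-FirstValue $r "mdbstoragequota") `
                                    (Get-FirstValue $r "mdboverquotalimit") `
                                    (Get-FirstValue $r "mdboverhardquotalimit"))
        foreach ($b in $bad) {
            New-Object PSObject -Property @{ DN = $r.Properties["distinguishedname"][0]; Problem = $b }
        }
    }
}

# Constructed sample values (KB): the post's case, then a correctly ordered set.
Get-QuotaViolation 2000000 1000000 $null
Get-QuotaViolation 1000000 2000000 3000000
# Find-BadQuotaRecipient | Format-Table -AutoSize
```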

Wednesday, September 9, 2009

Digicert Intermediate Cert Eclipsed by Root - ActiveSync issues

We recently ran into an issue where using a new Digicert certificate essentially broke ActiveSync for most people in the company. The issue is that the new root certificate for Digicert isn't compatible with older browsers and devices (they don't come standard with the new root certs for Digicert like they might with Verisign and others). The primary phone of the organization was a Motorola Q, which made the issue quite visible.

The problem boiled down to this root cert taking precedence over the intermediate cert, which would have worked fine on its own (Digicert calls this eclipsing, which I suppose is a more valid term). After the Digicert Root Cert was removed, the issue was resolved.

Note: Be sure that the intermediate is in place and functioning or else you will break all of the modern phones and browsers as well.

Also as an alternative fix, you could install the root cert on the phones in question. This is more labor intensive, but might be viable if there are only a few old straggler phones floating around.

Reference:

https://www.digicert.com/ssl-support/windows-cross-signed-chain.htm

You can also run a good test for this and other issues at:

https://www.digicert.com/help/
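
A local check for the eclipsing condition on the server itself (added example, not from the original post or from Digicert): it lists every cross-signed certificate in the Intermediate store that has a self-signed twin in the Trusted Root store. Treating "same subject and same public key" as the same CA is this example's assumption, and the function and property names are its own.

```powershell
# Added example: find CA certificates that exist both as a cross-signed
# intermediate (Subject differs from Issuer) and as a self-signed root with the
# same subject and public key. That pair is the situation the post describes,
# where the local root takes precedence over the intermediate.
function Find-EclipsedIntermediate {
    param(
        [string]$IntermediateStore = "Cert:\LocalMachine\CA",
        [string]$RootStore         = "Cert:\LocalMachine\Root"
    )
    # Index the self-signed roots by subject + public key.
    $roots = @{}
    foreach ($c in Get-ChildItem $RootStore) {
        if ($c.Subject -eq $c.Issuer) {
            $roots["$($c.Subject)|$($c.GetPublicKeyString())"] = $c
        }
    }
    # Report each cross-signed intermediate that has a matching root.
    foreach ($c in Get-ChildItem $IntermediateStore) {
        if ($c.Subject -eq $c.Issuer) { continue }   # self-signed, not cross-signed
        $key = "$($c.Subject)|$($c.GetPublicKeyString())"
        if ($roots.ContainsKey($key)) {
            New-Object PSObject -Property @{
                Subject             = $c.Subject
                CrossSignedBy       = $c.Issuer
                IntermediateThumb   = $c.Thumbprint
                IntermediateExpires = $c.NotAfter
                EclipsingRootThumb  = $roots[$key].Thumbprint
            }
        }
    }
}

Find-EclipsedIntermediate | Format-List
```

Run it before and after removing the root: the intermediate should still be present in the CA store afterwards, per the note above.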

KB968389 LSASS Reboots

Recently we had an issue with an Exchange server constantly rebooting. The symptoms were extremely indicative of virus infection. Terminations of LSASS.exe, timed reboots, and permission revocations were all occurring, so we immediately assumed Sasser/Blaster.

It then began to seemingly cause issues with domain communication. Upon checking the system properties, the domain registered as *Unknown* and it was nearly impossible to perform any action as all permissions had been stripped (we were using a domain account so this sort of made sense).

After having a local tech bounce the box and log in with the KVM, the issue seemed resolved for these domain-level issues, and we never saw them again. The original LSASS issues and reboots continued, however. Not wanting to waste any more time, we gave PSS a call. They informed us that a patch we had installed, KB968389, was likely causing the issue. Despite the patch passing our patch testing and being installed on numerous other environments, MS told us that they had been informed of other sites experiencing the same issue. Removing the patch resolved the issue.

In summary.. KB968389 = Bad if you like a stable environment

Monday, May 18, 2009

Powershell Reboot

Ever need to reboot a server remotely, and no standard tools (shutdown, etc) are working?

Can't RDP the box or get to it any other way?

I discovered a little trick about a year and a half ago, and it has been saving my life, and those of my colleagues ever since.  I just actually had to use it, which reminded me that I ought to post it.

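# Bind to the Win32_OperatingSystem WMI instance on the remote server (USSERVER1 is the target)
$server = gwmi win32_operatingsystem -computer USSERVER1
# Request the reboot; the returned object's ReturnValue is 0 when the request is accepted
$server.reboot()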

Performing this will provide you with some output.  As long as it comes back with an output of zero, you are good to go.  I believe the target server doesn't even need PowerShell installed; just the one you are using to reboot it.
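
The same WMI call with the return code checked in code and the reboot confirmed by waiting for LastBootUpTime to change (added example, not from the original post). The function name, the timeout values and the server name in the usage line are this example's own, and try/catch requires PowerShell 2.0 on the machine you run it from.

```powershell
# Added example: reboot a remote server through WMI and confirm it came back.
function Restart-RemoteServer {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$TimeoutSeconds = 600,
        [int]$PollSeconds    = 15
    )
    $os = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $bootBefore = $os.ConvertToDateTime($os.LastBootUpTime)

    # Reboot() returns a result object; ReturnValue 0 means the request was accepted.
    $result = $os.Reboot()
    if ($result.ReturnValue -ne 0) {
        throw "Reboot request to $ComputerName failed, ReturnValue=$($result.ReturnValue)"
    }

    # Poll until WMI answers again with a newer boot time, or give up.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        try {
            $now = Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
            $bootAfter = $now.ConvertToDateTime($now.LastBootUpTime)
            if ($bootAfter -gt $bootBefore) {
                return New-Object PSObject -Property @{
                    ComputerName = $ComputerName; BootBefore = $bootBefore; BootAfter = $bootAfter
                }
            }
        } catch {
            # Expected while the server is down or still starting: WMI is unreachable.
        }
    }
    throw "$ComputerName did not report a new boot time within $TimeoutSeconds seconds"
}

# Restart-RemoteServer -ComputerName USSERVER1
```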


Tuesday, May 12, 2009

IOPS / Disks

It has been a while so I decided I'd post on something I've been having to work with a lot lately.

I/O can be a key bottleneck in disk-intensive systems...such as Exchange.

First let's establish some disks and their relative IO load capacity:

Fiber Channel 15k: 150-180 IOPS
SAS 15k: 150-180 IOPS (notice about the same, but less price than FC..)
Small Form Factor (SFF): Faster..usually ~230
SATA 7.2k: Claim 60-80, some will argue as low as 40.

Let's assume for our test case that we look at a customer with 1000 mailboxes on Exchange, and average-heavy users (spanning from light to very heavy).  Let us also assume they have a BES, an Archive server, AV, and DPM.

.32 IOPS per user is about a heavy user.  To gauge the others, view the following:

DPM: Add 20%
Archiving:  Add 50% if performing compliance, 25% for compression/storage
AV: 50%
BES: Debatable.. I've heard anywhere from 2x to 7x!?!  I'd believe any of them..  Let's say 2x for the sake of argument. You're welcome RIM.

That .32 I/O mailbox has now turned into a 1.2 I/O mailbox (rough estimation that is usually on the safe side given involvement from outside entities).

(1000 x 1.2) / Disks = 1200 / Disks = IOPS required per disk.

For our example let's say the company has a StoreVault S500.  This particular unit comes with a shelf of 14 disks at 7200 RPM.  Remember to not include parity disks!   14 - 2 = 12

(1000 x 1.2) / (14 - 2) = 1200 / 12 = 100 IOPS/disk

Now let's compare.. 100 IOPS/disk requirement.  SATA 7200  RPM disks can pull 60-80 advertised (40 according to many in practice).

Looks like we have a problem.  Couple easy, though potentially costly ways around this.  The fact is we need more IOPS.  This can mean more speed, or it could mean more spindles..or both.

How about another SAN with, say, fourteen 15k SAS disks?  (150-180) > 100 -- Looks much better.

How about adding another shelf to the S500?

(1000 x 1.2) / (28 - 4) = 1200 / 24 = 50 IOPS/disk -- Looks better than advertised, but a bit above what some research has turned up.  This may work in production, but it would be ill-advised to implement a system in which you run it so close to its breaking point right from the get-go.

So what good are SATA disks then?  SATA disks still have their uses.  Archiving storage, file storage, home drives, or any other storage that isn't being bombarded with read/writes will suffice with this type of storage, and a fraction of the cost.

If you want additional specifics, check out:


There is an updated link off of it too.

**EDIT**


SATA disks can be great for Exchange 2010 depending on the deployment!

Tuesday, April 14, 2009

Friday, March 20, 2009

ArchiveXchange - Archive Attender 3.5 released!

The Azaleos offering for ArchiveXchange is making strides!   Thanks to our friends at Sherpa Software hearing our input, as well as our customers' input, we now have access to new and exciting features to work with.

The console has been overhauled:



 














An auto aging stub feature has been added:




















All stub activity can now be acted upon based on criteria, and best of all for my practical purposes, archive auto creations!   Auto archive creations based on thresholds are essential for keeping maintenance windows small, especially when journaling.  It allows admins to essentially have 'save points' where data ceases to change, and thus, remains more stable in the isolated environment.  Maintenance need only be run against the deltas!

Another benefit to upgrading is the new web-based search features.  As the product continues to evolve toward a hybrid product, more options open up to users as to whether they want full reliance on stubs, searching, or both.















The listed upgrades combined with other admin and user bound benefits make this a great release, and a product worth watching when comparing to other technologies.

Wednesday, March 4, 2009

Deleting a Message From Everyone's Mailbox

Need to delete a message from everyone's mailbox at the server level?  Here is the command for you:

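# Moves every matching message out of all mailboxes into the Inbox of the "Admin" mailbox, deleting it from the source
Get-Mailbox | Export-Mailbox -SubjectKeywords "FillintheSubject" -StartDate "03/04/09" -EndDate "03/04/09" -TargetMailbox "Admin" -TargetFolder "Inbox" -DeleteContent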

You can also add -ContentKeywords for additional filtering.

Thursday, February 19, 2009

Apparently I'm Published at CTR

Not my best writing, but you all know how on-the-job technical writing goes.  Information gets stripped, vocabulary cut down, etc.  :)


It was posted on Computer Technology Review.  You can check it out here.

Sunday, February 15, 2009

Parts on order!

Finally buckled and decided a new computer is for me.  After a ton of research, my build is as follows.  This isn't meant to be the biggest beast on the block, but price for power, it seems to be the best bargain.

I went mostly with NewEgg.com because I just like the service I've gotten from them in the past.

AMD Phenom II X4 940 Deneb 3.0GHz 4 x 512KB L2 Cache 6MB L3 Cache Socket AM2+ 125W Quad-Core Black Edition Processor on a Foxconn A79A-S AM2+/AM2 AMD 790FX ATX AMD Motherboard.  This was a combo from NewEgg and seemed to be the best deal.  I originally was only looking at Intel processors, but after reviewing numerous benchmarks, I couldn't beat the power for the price.

HIS Hightech H487F1GP Radeon HD 4870 1GB 256-bit GDDR5 PCI Express 2.0 x16 HDCP Ready CrossFire Supported Video.  Though the GPU is slightly under the next bump up, the price jumped significantly.

Corsair ddr2-1066 pc2-8500 4gb.  I would have gone with the cheaper Patriot, but Fry's was out, and I missed the deals on NewEgg.  I'd probably save the $40 and go with Patriot if I had it to do over again.  Corsair's warranty is better though, so that is a plus.

1.5 TB SATA drive from Dell.  Can't beat ~$100 + shipping.  Coworker hooked me up with a coupon.  Now I just need to figure out how I'm going to fill 1.5TB..images perhaps..

750w Corsair PSU.  I am no expert on power, nor do I claim to be.  That being said, it was a good price and single 12V rail with good reviews.  I was looking at the ThermalTake with its 4x 12V rails, but from what I've read it really doesn't matter how many rails it has as long as the single has decent components (which mine should).  The split rails can help with power management, but a single rail also helps to ensure that core components have the power they need without being limited.  (4 rails could mean 13A, 16A, 18A, 8A which can just get confusing).  If I'm way off base here, feel free to leave me a comment and contradict me. :)

I went with the Sunbeam CR-CCTF 120mm "Core Contact Freezer" for cooling.  From what I can tell, the ThermalRight 120 Ultra Black Edition seemed like the best choice, but at half the price, the SunBeam was more appealing to me.  All reviews point toward it being quite comparable.  Tomshardware and Frostytech both show the "Core Contact Freezer" as being near the top of the charts.  Can't beat $30 from NewEgg for a quality product.

I'll be using Arctic Silver for the thermal compound as well.  We'll see how it goes.  Should be here in a few days..  Hopefully everything fits in the case and on the motherboard without covering RAM slots..

Wednesday, February 11, 2009

Windows 7 Tips and Tricks

Here is a good little list of tips and tricks for Windows 7.  The problem steps recorder looks cool among other things.  Also has the fix for mp3 corruption with WM12.

http://www.maximumpc.com/article/features/20_windows_7_tweaks_tips_–_every_secret_uncovered_date?page=0,0

Wednesday, February 4, 2009

Creating a Custom Volume in DPM


Why?

Custom Volumes are good when you’d like to offload a backup of something to a specific place rather than using the disk pools.    My example was that the current backup location was on the same filer as my source data.  I wanted to offload this single application’s backups to a separate SAN than the source data in order to have the ability to recover from a hardware failure.  There may be reasons to use this for Exchange, but I would avoid it, as disk pools are more seamless.  The planning for a deployment of Exchange should account for this.  My example is backing up archives.

Prerequisites

The prerequisites are that you have available storage, the DPM agent installed on the target, and the needed VSS hotfix on the target.

 


Procedure

1.  Create storage

    a.  Carve out a volume/LUN (or use DAS).

    b.  Attach that storage to the machine via iSCSI, a VHD hard drive if virtual, or whatever other means.

2.  Figure out how much space you need for your volumes.

    a.  You can follow the MS guidelines using the calculator:

        i.  http://blogs.technet.com/dpm/archive/2007/10/31/data-protection-manager-2007-storage-calculator.aspx

    b.  OR you can just use DPM to pull what you’ll need.  This only applies to backing up current data, with however many recovery points you need.  You will want to tack some extra on for growth.

        i.  Create a new protection group.

        ii.  Choose the data you want to protect.

        iii.  Choose your retention.

        iv.  Click modify.

        v.  These are the values for today, so leave some overhead.

3.  Carve out your two volumes; one for replica, one for recovery point.

    a.  Right click the unallocated space, and choose New volume..

    b.  Choose Simple (other options may not be grayed out)

    c.  Choose the Size – I had 200 GB to play with, so I allocated 160 to replica and 40 to recovery point.

    d.  Rinse and repeat for the other.  This does not have to be on the same disk.

4.  Create the Custom Volume and Protection Group

    a.  Go back to DPM and create the Protection Group as we outlined before.

    b.  Pull down the menu for storage, and choose custom volume.

    c.  Assign the replica volume and recovery point volume to their respective places.  Leave it at no formatting.

    d.  Choose manually as it is your only option.

    e.  Click create group (ignore the values in the box..)

    f.  Once this is all done, you must just manually create the new replica (Perform consistency check), and you’re set!

Afterthoughts

In order to expand storage with this configuration, you cannot use DPM, but rather you must use standard Windows Disk Management.  I realize there are no screenshots, but it was a disaster with the formatting on this blogger.  I will make them available upon request.

 

 

Tuesday, January 27, 2009

BlackBerry Users Setting Out of Office in Outlook 2003 Won't Update on Exchange 2007

There is a known issue that I decided to post on because there seems to be a relatively small amount of information out regarding it.  The problem is BlackBerry users configuring their out of office in Outlook 2003, but the change doesn't show up on OWA.  This can cause old out of office settings to be used as well, and only seems to apply when the user has the unique cocktail of Outlook 2003 and a BlackBerry that connect to an Exchange 2007 server.

The known work-arounds for this issue are to use Outlook 2007, or run Outlook with the /cleanrules switch.  You will, of course, want to export your rules first just in case.

Unfortunately, RIM does not support the OOO feature (a phone call from our NOC to RIM discovered this), which was technically rewritten in Exchange 2007. They supposedly released a fix in a service pack, but the BES in this case had the service pack, which does not increase my faith in RIM despite the love I harbor for its constant desire for attention (reboots).

Monday, January 12, 2009

You do not have permission to send to this recipient

If you get the following while sending to an internal recipient, chances are you haven’t set your environment to accept for the domain you are sending to.

Your message did not reach some or all of the intended recipients.

Subject: Subjects are fun!

Sent: 1/1/2009 1:00 PM

The following recipient(s) could not be reached:

Lastname, Firstname on 1/1/2009 1:00 PM

You do not have permission to send to this recipient. For assistance, contact your system administrator.

user@domain.com

The example that prompted me to post this was one where admins were adding SMTP addresses on to their users for domains that they weren’t configured to be responsible for. How do we solve this? In this case the servers were Exchange 2003, so we will start there. We need to open ESM and navigate to Recipients -> Recipient Policies.







Right click and choose New -> Choose E-Mail Addresses








Navigate to the E-Mail Addresses (Policy) tab, click New, and choose SMTP Address.















Enter an example SMTP address with domain you'd like to be able to send to.















Enter a name and select who you'd like to automatically receive this policy (I left mine blank as they wanted to sporadically assign the e-mail address as needed.)















Click OK. It should ask you to run this policy now, but if it doesn't you may right click your new policy and choose 'Apply this policy now...'






In Exchange 2007 you need only make your Exchange organization authoritative for the domain in question. The place to do this is under Organization Configuration -> Hub Transport -> Accepted Domains tab.




Add your domain here as authoritative and it will accomplish the same feat.

There are other causes for this issue, but this is the most common from what I have seen.


Tuesday, January 6, 2009