Friday, December 10, 2010
Unable to Run New-TestCASConnectivityUser.ps1
By default, Exchange 2010 does not create the test users that some of the cmdlets use for connectivity testing. So, you need to run New-TestCASConnectivityUser.ps1 from the scripts folder to create them.
This script normally creates users in the "users" container. However, it uses a relative path which fails if there are multiple "users" OUs in your AD structure.
To resolve the issue, either make the "users" container unique or edit the script to use the distinguished path "CN=Users,DC=domain,DC=com".
However, this guy figured it out first: http://www.snowland.se/2010/01/19/problems-with-new-testcasconnectivityuser-ps1/
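To see in advance whether the relative path is ambiguous, the following added example (mine, not part of the original post or of the Exchange script) queries the domain for every container or OU named Users using plain ADSI, so it runs on any domain-joined machine without the Active Directory module; the function name is my own.

```powershell
# Added example: find every container or OU named "Users" in the current domain.
# The Exchange script resolves "Users" relatively, so more than one hit here
# explains the failure described in the post. Function name is my own choice.
function Find-UsersContainer {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = $rootDse.Properties['defaultNamingContext'][0]

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    # Match both containers (CN=Users) and organizational units (OU=Users).
    $searcher.Filter = '(&(|(objectClass=container)(objectClass=organizationalUnit))(name=Users))'
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

    # SearchResult property names come back in lowercase.
    @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
}

$containers = Find-UsersContainer
if ($containers.Count -gt 1) {
    Write-Warning "Ambiguous: $($containers.Count) objects named Users. Use the full DN in the script:"
    $containers | ForEach-Object { "  $_" }
} else {
    "Only one Users container found: $containers"
}
```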
Monday, December 6, 2010
Exchange 2010 in a Secure Environment
This organization limits the processes that can run on computers, and when performing the installation we are domain admins but not the "Administrator" account. Because we are not the "Administrator" account, UAC applies.
Issue #1
Installation failed because the ngen.exe service was disabled. Ngen.exe is used to precompile .NET code so that it runs faster. The service was disabled under the organization's security rules. This prevented the original installation and likely would have prevented installing the rollup update, which spent a lot of time compiling .NET code.
I'm not sure if this is an issue only when not using Administrator. Obviously in production, I'm not going to test all the possible permutations.
The relevant part of the Exchange setup log is here:
[12/01/2010 21:52:06.0346] [2] Active Directory session settings for 'precompile-ManagedBinary' are: View Entire Forest: 'True', Configuration Domain Controller: 'dc.nowhere.com', Preferred Global Catalog: 'dc.nowhere.com', Preferred Domain Controllers: '{ dc.nowhere.com }'
[12/01/2010 21:52:06.0346] [2] Beginning processing precompile-ManagedBinary -BinaryName:'C:\Program Files\Microsoft\Exchange Server\V14\bin\microsoft.Exchange.PowerShell.configuration.dll'
[12/01/2010 21:52:06.0361] [2] Starting: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe with arguments: install "C:\Program Files\Microsoft\Exchange Server\V14\bin\microsoft.Exchange.PowerShell.configuration.dll" /queue /nologo /verbose
[12/01/2010 21:52:06.0517] [2] Process standard output: Installing assembly C:\Program Files\Microsoft\Exchange Server\V14\bin\microsoft.Exchange.PowerShell.configuration.dll
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (Exception from HRESULT: 0x80070422)
[12/01/2010 21:52:06.0517] [2] Process standard error:
[12/01/2010 21:52:06.0517] [2] [ERROR] Unexpected Error
[12/01/2010 21:52:06.0517] [2] [ERROR] Process execution failed with exit code -1.
[12/01/2010 21:52:06.0517] [2] Ending processing precompile-ManagedBinary
[12/01/2010 21:52:06.0517] [1] The following 1 error(s) occurred during task execution:
[12/01/2010 21:52:06.0517] [1] 0. ErrorRecord: Process execution failed with exit code -1.
[12/01/2010 21:52:06.0517] [1] 0. ErrorRecord: Microsoft.Exchange.Configuration.Tasks.TaskException: Process execution failed with exit code -1.
[12/01/2010 21:52:06.0517] [1] [ERROR] The following error was generated when "$error.Clear();
$fullPath = [System.IO.Path]::Combine($RoleInstallPath, "bin\microsoft.Exchange.PowerShell.configuration.dll");
precompile-ManagedBinary -BinaryName $fullPath;
" was run: "Process execution failed with exit code -1.".
[12/01/2010 21:52:06.0517] [1] [ERROR] Process execution failed with exit code -1.
[12/01/2010 21:52:06.0517] [1] [ERROR-REFERENCE] Id=AllRolesPrecompileManagementBinaries___922e3423e7724c0e8892fe798af5ca08 Component=EXCHANGE14:\Current\Release\Shared\Datacenter\Setup
[12/01/2010 21:52:06.0517] [1] Setup is stopping now because of one or more critical errors.
[12/01/2010 21:52:06.0517] [1] Finished executing component tasks.
[12/01/2010 21:52:06.0580] [1] Ending processing Install-Bridgehead
Issue #2
The rollup update for Exchange 2010 SP1 was not UAC aware. So, when we ran it, it failed. Quick and easy fix: open a command prompt elevated to administrator and run it manually, just like you'd run an exe file.
Saturday, November 6, 2010
Exchange 2010 SP1 on Win 2008 (not as easy as I thought)
In this particular project, the original OS install was done by someone else. This may have caused part of my confusion, as I didn't closely check out the installation before starting.
This is an Exchange 2003 environment where Exchange 2010 is being added and coexistence will continue for about a week. Exchange 2010 was installed from the Exchange 2010 SP1 download rather than any sort of upgrade.
During the installation, an option exists to install the necessary prerequisites. I figured I'd try it out and see. Unfortunately, even on a fully patched Windows 2008 server, I was still forced to download 6 hotfixes and additional chunks of software. I don't recall downloading any of these for Windows 2008 R2. So, it may be OS specific.
The Web server role was added, but did not have the necessary service roles. So, I added everything that was requested by setup. I'm not sure whether the Web server role was added by setup or whether it was preexisting when I started and that is why the setup was off.
When the installation was done, I patched it with rollup 1 for Exchange 2010 SP1. Finally it's time to test.
The first big issue was OWA not working properly on Exchange 2010. It went to a blank page instead of providing the logon screen and no errors were generated. It turns out that the Web server role did not have redirection or static pages enabled. I enabled both and then it worked fine. I'm not sure that the static pages were required as it appeared to be a redirection issue, but since it's a normal option to me, I turned it on.
Again, I'm not sure whether the odd IIS configuration was due to the installation routine or the original setup performed by another tech. However, it is interesting that Exchange setup did not tell me that the redirection was required. And it definitely is for correct OWA logons with forms-based authentication.
When searching related to my OWA issue, I saw that there are a number of people that have various OWA problems after applying Rollup 1 for Exchange 2010 SP1. However, my issue was not related to that.
My second big issue was that no routing group connector was created between Exchange 2003 and Exchange 2010, as there should have been. I created it manually (New-RoutingGroupConnector) and all was good. During my multiple install attempts after applying updates, I selected the option to reuse the existing installation options. I think the requirement to create the routing group connector may have been lost because of that, but I'm not sure.
Tuesday, October 26, 2010
The Best Little KVM Cheap
Recently we've been buying D-Link KVM-221 2-port USB KVM switches for about $50. I can say this is the first time I've had no hiccups at all in implementation. It even includes the cables.
Unable to Use a USB Mouse in XP
Yesterday, I needed to replace the hard drive in that computer. After imaging the new drive I cleaned up some old junk software. One of the things I cleaned up was Flip software leftover from a Belkin KVM. It was running automatically at Startup.
After the Flip software was taken out of Startup, the mouse worked fine.
Oddly, the USB keyboard worked fine whether the software was installed or not.
Friday, September 24, 2010
Word Has Command-Line Switches
I have both Office 2003 and Office 2007 installed on my PC. All of the doc files were opening automatically in Word 2003, but I wanted them to open in Word 2007 by default. I tried changing the file association, but it wouldn't take.
My final solution was to run winword.exe /r from the Office12 folder. This re-registered the registry keys for Word 2007.
If you are curious about other Word switches check them out here: http://support.microsoft.com/kb/210565
Monday, September 20, 2010
Blackberry Activation Error with Transport Rules
A few months ago I spent an entire afternoon trying to figure out why a BlackBerry would not activate with a BES server. Activation failed when the PIN was entered and sent back by the BlackBerry.
As I searched I found a few possible causes:
forwarding on the user mailbox
firewall blocking BES access to blackberry servers on the Internet
None of these applied. Further investigation in the SERVER_MAGT log found this:
[40239] (05/12 01:29:44.514):{0x117C} {Userx@Companyx.com} Still handled by desktop
[30160] (05/12 01:29:44.514):{0x117C} {Userx@Companyx.com} GetDeviceId() did not return a PIN, PIN currently is not set for this user.
[40371] (05/12 01:29:44.514):{0x117C} {Userx@Companyx.com} UserControl::HandleDatabaseChange - CalSyncState is empty
[40442] (05/12 01:29:44.514):{0x117C} User settings: email=Userx@Companyx.com, routing=Userx@Companyx.com, service=, device=, calendar=0, MDS=1, userOTAFM=0, incradle=0, SMIME=0, sentItems=1, dir=Userx, server=Exchange1
As you can see, it is complaining about being still handled by BlackBerry Desktop. On further investigation, this really just means that the message coming back from the BlackBerry for the activation has been modified. So, the BES server refuses to touch it.
It turned out that there was an Exchange transport rule that was being used to add a CC for all messages delivered to this user. It was configured as an alternative to forwarding in the user mailbox, but had the same effect. After disabling the transport rule, activation completed properly.
Disaster Recovery Is Not Just a Technology Issue
A RAID 5 array failed in a server and took out information that was business critical. The failure occurred on a Thursday evening. Reviewing the backup log, the backup Thursday night appeared to complete successfully, but in fact it hadn't. The RAID 5 array failed partway through the backup. This left us restoring Wednesday night's backup. All of Thursday's data changes were lost.
Here is where the twist comes in. This organization scans in historical documents and then shreds them afterwards. After the document has been shredded there is no backup copy except on the computer system. This is one of the databases that was lost.
Because the document is shredded before a backup is taken, there is a small window where a single failure results in data loss. To protect that data, shredding needs to be delayed at least one day to ensure there is a good backup. And depending on how paranoid you are, maybe two.
In this case, no documents were processed in the lost window, but it could easily have happened.
Monday, September 13, 2010
Virus and Malware Removal
By far the fastest and easiest way to remove viruses and malware is to remove the hard drive and scan it in a different computer. By doing this, you ensure that the virus or malware is not running in memory when the scan is performed. As a best practice you should scan with multiple tools to be sure you catch everything.
I do this by using external USB enclosures for hard drives. I have three separate enclosures for SATA 3.5 inch, PATA 3.5 inch, and PATA 2.5 inch drives. This allows me to externally mount both desktop and laptop drives.
As an alternative, you can boot up by using something like the Ultimate Boot CD for Windows and scan from there. It gets you to the same place, but you are limited to the tools included on that CD instead of your preferred antivirus tools.
Thursday, August 19, 2010
Microsoft Exam Vouchers cheap
The free retry (second shot they call it) means you can study less and just go for it. If you fail the first one, at least you know the gist of the exam content, and you know what to study more.
For more info: http://www.microsoft.com/learning/Career/en/us/career-offer.aspx#certification
iPad for Business?
The real problem with the iPad is that it can't run many business applications, even Web-based ones. The iPad does not support Flash or Silverlight content. These are used for many Web-based applications. You don't realize how many applications until you don't have them.
This client is using the iPad as a remote access device for Terminal Services. They have a Windows application installed on the terminal server that can now be used by sales people on the road. So, the irony is that the iPad is a great remote access device for Windows, but not all that useful by itself.
I installed the iTap Terminal Services/RDP client for the iPad and it works very well. I strongly recommend it for $12.
Tuesday, August 10, 2010
Edge Transport Servers and Certificates
However, if you choose to implement an Edge server, you need to understand that it uses certificates to secure communication between the Edge server and the Hub Transport server on the internal network. Normally you want certificates to come from an external certification authority so that they are trusted by all computers in the communication process. However, for SMTP between Exchange servers, you can and should use internally generated certificates. This is the default configuration. However, the default certificates expire after 1 year.
The certificate assigned to SMTP for message transport can be (and typically is) different from the certificate you use for SSL on Web services such as OWA. Also, the same certificate cannot be used for SMTP message transport on multiple servers. If it is, communication will fail with an error indicating LDAP lookup failures (ID 10104 and 1024).
When the certificates are close to expiry, warning events are generated in the Application event log. This is the error description: http://technet.microsoft.com/en-us/library/bb217963(EXCHG.80).aspx
The fix for this is easy. On the server that is experiencing the error, in the Exchange Management Shell, run the New-ExchangeCertificate cmdlet and say Yes to overwriting the SMTP certificate. Then restart the ExchangeTransport services for it to take effect immediately.
If you create a new certificate on an Edge server, then you also need to recreate the Edge Subscription. Run the New-EdgeSubscription cmdlet on the Edge server to create an XML configuration file. Then use that XML file to create a new Edge Subscription on the Hub Transport server by using the Exchange Management Console. You can also delete the old Edge Subscription as it is no longer required. To force the new Edge Subscription to start, use the Start-EdgeSynchronization cmdlet. If this fails, try restarting the ExchangeTransport service or reboot the box.
If you know it's coming, it's easy to fix up. If you don't know it's coming, this can result in hours of downtime due to communication failing between Edge Transport server and the internal Exchange organization.
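As an added example (my own, not from the original post), this Exchange Management Shell snippet first reports SMTP-bound certificates that are within a warning window of expiry, then walks through the renewal and Edge Subscription steps the post describes; the 30-day window, the XML file path and the site name are placeholders I chose.

```powershell
# Added example: warn on SMTP certificates nearing expiry, then renew on the Edge
# server and re-subscribe it. Run in the Exchange Management Shell as an admin.
function Get-ExpiringSmtpCertificate {
    param([int]$WarnDays = 30)                       # warning window is my own choice
    $deadline = (Get-Date).AddDays($WarnDays)
    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'SMTP' } |   # only transport certificates
        ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                SelfSigned = $_.IsSelfSigned
                Expiring   = ($_.NotAfter -lt $deadline)
            }
        }
}

# Report: anything with Expiring = True is about to start logging the warning events.
Get-ExpiringSmtpCertificate | Format-Table Thumbprint, NotAfter, Expiring, SelfSigned -AutoSize

# --- On the Edge Transport server ---------------------------------------------
# 1. Create a new self-signed certificate for SMTP. You are prompted to overwrite
#    the existing default SMTP certificate; answer Yes.
$newCert = New-ExchangeCertificate -Services SMTP -SubjectName "cn=$env:COMPUTERNAME" `
               -DomainName $env:COMPUTERNAME -PrivateKeyExportable $false
# 2. Restart transport so the new certificate is used immediately.
Restart-Service -Name MSExchangeTransport
# 3. Export a fresh Edge Subscription file (path is a placeholder).
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'

# --- On a Hub Transport server ------------------------------------------------
# 4. Import the copied file; the site name is a placeholder. The EMC
#    "New Edge Subscription" wizard the post mentions does the same thing.
New-EdgeSubscription -FileData ([byte[]](Get-Content 'C:\EdgeSubscription.xml' -Encoding Byte -ReadCount 0)) `
                     -Site 'Default-First-Site-Name'
# 5. Force synchronization and confirm it succeeds before removing the old subscription.
Start-EdgeSynchronization
```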
Tuesday, July 27, 2010
Expanding Wireless Networks
For the purposes of my examples, I’m assuming that the clients will be accessing the wireless access point (WAP) by using a shared-key (password) and that all users will be using the same key. The use of 802.1x for authentication is beyond the scope of what I’m dealing with.
Vendors use slightly different terminology for the same scenario. I've attempted to use generic terminology that is similar to most vendors'.
You can often use just the WAP functionality of a wireless router. However, many of these do not have as many wireless configuration options. If you use a wireless router as a second WAP, be sure that you disable DHCP on the device. Only the internal IP address of the device will need to be configured.
Scenario 1 – Wired WAPs
If you have Ethernet ports close to the location that you want each of your WAPs, then this is the simplest scenario. Obtain as many WAPs as you need and place them where required to get coverage. Ideally the signals from the WAPs should not overlap too much. The rule of thumb appears to be 25%. However, you’ll need equipment or software to measure that. Most WAPs have an option to reduce signal strength if required.
All WAPs should be configured with the same SSID (network name) and key but use different channels. Wireless clients are configured with a single SSID and key. It is the responsibility of the client to select the appropriate WAP based on signal strength. If the client moves while it is connected, roaming should occur with very little interruption as the connection changes from one WAP to the next.
Scenario 2 – Wireless Repeater
This scenario allows you to extend your wireless network without requiring an Ethernet port for the WAP. The WAP accepts connections from wireless devices and also connects with another WAP that connects back to the main network (typically via Ethernet, but could be wireless). Be aware that network speed is halved in this scenario as half of the network capacity is devoted to clients and half to the other WAP connection.
Some devices support a protocol called Wireless Distribution Service to support this. However, this protocol has many interoperability problems between vendors. So, don’t count on it.
The WAPs should both be configured with the same SSID and key. The WAP configured as a wireless repeater should not be connected via Ethernet to the main network. If you do connect the wireless repeater to the Ethernet network, you may cause all devices on the network to get duplicate IP address errors. The duplicate address errors in the Windows event log will indicate the MAC address of the WAP.
Scenario 3 – Wireless Bridge
This mode is used to connect two or more wired networks via a wireless network. For example, two computer labs without a physical wire between them or two offices separated by only a short distance. A computer in one physical location is able to communicate with computers in the other physical location. This could allow you to share an Internet connection or other network resources.
A WAP in bridge mode is connected to each wired network. Each WAP is configured with the same SSID. You also typically have the option to allow wireless clients to connect to each WAP.
Thursday, May 13, 2010
Find a Process Using a Port
In a perfect world, we'd know all the ports used by the various pieces of software on our servers and instantly understand where the conflict is. However, we don't live in a perfect world, and some apps pick random port numbers.
On a Windows server, your friend is netstat -ab > C:\portlist.txt. This command dumps a list of ports and the processes using them to a text file. Then you can find out which process is conflicting with your failed service/application.
I used this just today to find out that a WatchGuard logging process was using port 4101, which a BES routing service wanted to use. I've also used it in the past to find out that Symantec Mail Security was randomly selecting a port in the low 10xx range that another application wanted to use.
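As an added example (mine, not the original post's), this function parses netstat -ano output to answer "which process owns port N" directly instead of searching the dumped text file; it assumes an elevated prompt so every PID is visible, and the function name is my own.

```powershell
# Added example: map a local port to its owning process from netstat output.
# Same data the post sends to C:\portlist.txt, parsed instead of read by eye.
function Get-PortOwner {
    param(
        [Parameter(Mandatory = $true)][int]$Port,
        [string[]]$NetstatLines = (netstat -ano)   # -o adds the PID column
    )
    foreach ($line in $NetstatLines) {
        # Data lines look like:
        #   TCP    0.0.0.0:4101      0.0.0.0:0      LISTENING      1234
        #   UDP    [::]:500          *:*                           5678
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 4 -or $fields[0] -notmatch '^(TCP|UDP)$') { continue }

        $localPort = ($fields[1] -split ':')[-1]   # last piece survives IPv6 [::]:port
        if ($localPort -ne "$Port") { continue }

        $procId = [int]$fields[-1]                 # PID is always the final column
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $state  = if ($fields[0] -eq 'TCP') { $fields[3] } else { '' }   # UDP has no state
        $name   = if ($proc) { $proc.ProcessName } else { '(exited or access denied)' }

        New-Object PSObject -Property @{
            Protocol     = $fields[0]
            LocalAddress = $fields[1]
            State        = $state
            PID          = $procId
            ProcessName  = $name
        }
    }
}

# The post's case: which process grabbed the port the BES router wanted?
Get-PortOwner -Port 4101 | Format-Table Protocol, LocalAddress, State, PID, ProcessName -AutoSize
```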
Thursday, April 22, 2010
ODBC oddness for 64-bit clients
In a 64-bit version of Windows, you need to create an ODBC connection that matches the application. For a 64-bit application, you create a 64-bit ODBC connection. For a 32-bit app, you create a 32-bit ODBC connection.
The most common problem is creating an ODBC connection by using the ODBC Data Source Administrator tool in Control Panel and then being unable to see or view the ODBC connection from a 32-bit application. The ODBC Data Source Administrator tool that you open from Control Panel creates only 64-bit ODBC connections. To create 32-bit ODBC connections, you need to run Odbcad32.exe from the C:\Windows\SysWoW64 folder.
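The following added example (mine, not from the post) lists system DSNs from both ODBC registry hives so you can tell at a glance whether a DSN was created as 64-bit or 32-bit; the registry paths are the standard Windows locations and the function name is my own.

```powershell
# Added example: show which bitness each system DSN was created under.
# 64-bit DSNs live under SOFTWARE\ODBC, 32-bit ones under the Wow6432Node mirror.
function Get-SystemDsnByBitness {
    $hives = @{
        '64-bit' = 'HKLM:\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources'
        '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\ODBC\ODBC.INI\ODBC Data Sources'
    }
    foreach ($bitness in $hives.Keys) {
        $key = Get-ItemProperty -Path $hives[$bitness] -ErrorAction SilentlyContinue
        if (-not $key) { continue }                 # hive absent: no DSNs of that bitness
        # Each value under "ODBC Data Sources" is  DSNName = DriverName
        foreach ($prop in $key.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue } # skip PSPath, PSParentPath, ...
            New-Object PSObject -Property @{
                Bitness = $bitness
                DSN     = $prop.Name
                Driver  = $prop.Value
            }
        }
    }
}

Get-SystemDsnByBitness | Sort-Object DSN, Bitness | Format-Table DSN, Bitness, Driver -AutoSize

# A DSN listed only as 64-bit is invisible to a 32-bit application. Create the
# matching one with the right administrator:
#   64-bit DSNs: C:\Windows\System32\odbcad32.exe   (the Control Panel shortcut)
#   32-bit DSNs: C:\Windows\SysWOW64\odbcad32.exe
```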
Bad McAfee, Go to Your Room
They now supply a tool to fix the problem: http://vil.nai.com/vil/5958_false.htm
You'd figure that sort of thing would show up in testing. XP SP2 and XP SP3 were affected.
Friday, April 9, 2010
So, you deleted that object, eh?
Option 1 - Restore AD objects from backup
If you have a system state backup of a DC (and you should!!), you can restore the deleted object from backup. Then you mark it as authoritative. However, to have group memberships restored correctly, you need to perform an ugly process where objects are restored twice to make sure the links are correct. Also the DC needs to be down during this mess. Doable, but not the preferred option.
Detailed info: http://support.microsoft.com/kb/840001
Option 2 - Reanimate the deleted object
Yes, just like a zombie, you can bring back an object from the dead. And also like a zombie, it is a shadow of its former self. Only some properties are kept in the deleted object. When you reanimate it, many properties are lost. However, it does keep the SID. So, a reanimated object retains file permissions that were assigned to it.
In the case of a reanimated user, the group membership is lost. I expect that you would also need to recreate the membership of a reanimated group, but I haven't tried it out recently.
Detailed info: http://www.microsoft.com/technet/technetmag/issues/2007/09/Tombstones/default.aspx
Simplified reanimation with ADRestore: http://www.microsoft.com/technet/sysinternals/utilities/AdRestore.mspx
Thursday, April 8, 2010
Intermittent DNS lookup failures for Exchange Server
By default the Windows DNS server caches DNS lookups for 24 hours. However, I don't want to be manually clearing the cache on this each time the error occurs (or wait up to 24 hours to automatically resolve). The solution: modify the cache TTL.
In all of the forward lookup zones that you create, you can set the TTL for the zone or individual records. However, in the cache, you can't set the TTL by using the DNS Manager console. You can either use dnscmd.exe or edit the registry.
In HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, create a REG_DWORD value named MaxCacheTtl and provide a value in seconds. I did not find any documentation saying that this registry key works in Windows Server 2008, but tested it, and it does. There is documentation for Windows Server 2003 and earlier versions.
After setting the registry key, you need to restart the DNS server for the change to take effect.
UPDATE: A client started having this issue and I found a knowledge base article that talks about this exact issue. Oddly, the recommendation is to set MaxCacheTtl to two days rather than shorter, as I had done. See here: http://support.microsoft.com/kb/968372.
There is also a similar issue with 2008 R2 and 2008 R2 SP1 for which there is a hotfix. See here: http://support.microsoft.com/kb/2508835/en-us
UPDATE#2: We have now had several clients with this problem and the solution has always been to implement the MaxCacheTtl at two days. The hotfix has not ever resolved the issue for us.
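As an added example (mine, not from the original post), this script sets MaxCacheTtl to the two-day value the updates settled on, using the registry path from the post, and restarts the DNS Server service so it takes effect; it assumes an elevated prompt on the DNS server, and the function names are my own.

```powershell
# Added example: cap the DNS server cache TTL at two days (the value the post's
# UPDATE settled on) and restart the DNS Server service. Run elevated on the DNS server.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$twoDays = 2 * 24 * 60 * 60          # MaxCacheTtl is in seconds: 172800

function Get-DnsMaxCacheTtl {
    # Returns $null when the value is absent, i.e. the default 24-hour cap applies.
    $item = Get-ItemProperty -Path $regPath -Name MaxCacheTtl -ErrorAction SilentlyContinue
    if ($item) { [int]$item.MaxCacheTtl } else { $null }
}

function Set-DnsMaxCacheTtl {
    param([Parameter(Mandatory = $true)][int]$Seconds)
    if ($null -eq (Get-DnsMaxCacheTtl)) {
        New-ItemProperty -Path $regPath -Name MaxCacheTtl -PropertyType DWord -Value $Seconds | Out-Null
    } else {
        Set-ItemProperty -Path $regPath -Name MaxCacheTtl -Value $Seconds
    }
    # The DNS server reads the value only at startup.
    Restart-Service -Name DNS
}

"Before: " + (Get-DnsMaxCacheTtl)
Set-DnsMaxCacheTtl -Seconds $twoDays
"After:  " + (Get-DnsMaxCacheTtl)

# Equivalent with the tool the post mentions (the restart is still required):
#   dnscmd /Config /MaxCacheTtl 172800
```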
Saturday, March 27, 2010
Back to Basics: RTFM
The print server came with a tiny (literally physically tiny, like you get with kids' toys) set of instructions that worked great only for the basic Windows printing scenario. Unfortunately, I was in the ancient NetWare printing zone (NetWare 5.1, shiver...).
So, the basic manual did not provide enough info. Step 2....Vendor web site.
Nope, same tiny manual as came with the box.
Step 3....Google.
Unfortunately the product is sold by so many places that all I got was sale listings.
I was about to give up when it occurred to me that perhaps there was some thing on the CD that came with the product. Turns out there is a one hundred and some page manual that covers just about everything conceivable, but only on the CD.
Friday, March 19, 2010
Free Tool for Remote Control of Customer Desktops
Well, I finally found a freebie. Mikogo is free presentation/remote control software. It appears to be originally designed for more collaboration, but works well for servicing clients remotely.
The application does not require an install. They visit a web site, put in a sessionID, and then download and run an executable. A person with standard user rights can do it.
Obviously this won't help in advanced scenarios when you need to reboot and retain control or go into safe mode. However, if all you need to do is a bit of configuration or show/see steps on the remote computer, it works great.
Check it out at www.mikogo.com.
Your List of Passwords
I'm asking myself this question because a client recently had a break-in where a server storing backups was stolen. The server happened to contain a file that had a list of passwords. Lots of passwords. This particular organization was storing not just a few admin passwords for devices and such, but also the passwords for all users.
First, I'd argue that there is no need to store user passwords. If I need to log on as a user, I can reset the password and then inform the user. Unfortunately in this scenario, we needed to disable remote access, force password resets, and then enable remote access again only after the passwords were changed. A hassle for everyone.
Now, for the ones you need to document, what do you do? Storing them on a server protected by file permissions is apparently not enough, because if anyone steals the server, getting around file permissions is trivial.
At this point, I'm thinking that encryption is the obvious solution. AxCrypt is a nice free solution for encrypting files as an EXE. It would be a bit of a pain, but it's certainly a step up from just putting a password on a Word doc.
Sunday, March 14, 2010
Blackberry Server on the Exchange server
The biggest changes:
- total freebie, no licensing
- runs right on the Exchange server or SBS server
- runs on 64-bit and supports up to Windows Server 2008
From my perspective this means we can start installing BES right on the SBS box and save our clients a Windows Server license fee and hardware costs. In some cases, it will mean we can retire an old box that was being used just for BES.
While I think of this from the perspective of our smaller clients, it is scalable up to 2000 users on a dedicated box. There are a number of policies and add-ons that don't work with BES Express, but if all you need is the basic e-mail and calendar stuff, this one is a winner and helps compete with ActiveSync on the iPhone, which is effectively free.
Learn more at: http://na.blackberry.com/eng/services/business/server/express
Sunday, March 7, 2010
Resolve Random Problems with Update Installation
The error I was trying to resolve was 0x80070490 when installing update KB967723 via Windows Update. However, it did not successfully install for me afterwards and the logs indicated that no errors were found or fixed.
I was able to manually download the file and install it. So, it seems to be a specific issue with Windows Update.
A repair install is the next step, but I don't think I'll go there yet, as only one update would not apply. If it becomes an issue for all updates, then I'll do the repair.
Tuesday, February 16, 2010
SBS 2008 Console Crash
It turned out that someone had been changing the default network settings for the SBSMonitoring database instance and had enabled IP. This caused a conflict with another database running on the server that was also using port 1433. If the SBSMonitoring database was down, the console crashed.
The solution was to disable IP communication for the SBSMonitoring database. By default it uses only shared memory for communication.
Recovering from a Removed Exchange Organization
Fortunately it was a relatively small environment with a single Exchange 2007 server and about 120 mailboxes.
Here's what we did:
- use ADSI Edit to completely remove the existing Exchange organization
- completely wipe out and reinstall Windows on the Exchange 2007 box
- reinstall Exchange 2007, creating the same organization name
- recreate the storage groups and copy the databases into the storage groups
- disable and re-enable all users in EMC to recreate Exchange attributes
- disable and re-enable all distribution groups in EMC to recreate Exchange attributes
- configure the certificate and SMTP connectors
Basically a whole rebuild. In retrospect, I should have tried just running /PrepareAD to see if that resolved the AD issues.
Note that the organization name needs to be the same during the reinstall or the databases will not mount.