Tuesday, December 31, 2013

SSD + Dedup in Win 2012 - WOW!

I do a lot of work with Hyper-V virtual machines in a test environment. My Hyper-V host is a white box kludged together cheaply, but with reasonable hardware.

The VMs that are used for Microsoft courses use base drives for the core OS and then differencing drives for each individual VM. The bouncing back and forth between the base drive and the differencing drive tends to drag down performance. In addition, I often use snapshots to give me a backout point when developing labs, which reduces performance even more.

I've got the storage system set up as four 7200 RPM SATA drives in a RAID 10 array using the Intel Storage Technology enterprise that is built into the motherboard. This gives far better performance than a single drive, but still not enough when I'm running many VMs. Storage speed is the bottleneck in this system.

Today I bought a Kingston 240 GB HyperX SSD drive to improve performance. Since the drive is not very large, I thought I'd start by moving only the base drives onto the SSD to see what the performance improvement was like. Then I mounted the SSD as the folder that I copied the base files from. This retained the proper association between the differencing drives and the base drives.

The performance improvement was huge! Tasks that were painfully slow before now behave like normal servers. I figure that labs which took me an hour or more to complete will now take about 20 minutes just because of the wait time. As an example, for course 20417C there is a lab where AD FS is configured to authenticate an application. Accessing this application the first time used to take 2-3 minutes. Now it happens in a few seconds.

The differencing drives and the snapshots are still stored on the RAID 10 array. So, all write activity and some read activity is still done there. Even in this configuration the performance difference is amazing.

Altogether I have about 200 GB of base drives. Basically, they filled the SSD. Then I remembered that Windows 2012 has data deduplication functionality. I have never tried it before, but thought it might work.

Windows Server 2012 adds support for deduplication on live virtual hard drive files, but I didn't require that for these base disks because they are static and don't change.

I thought that deduplication might cut the space usage by half since I had multiple base disks for each operating system like Windows 7 and Windows Server 2012. However, when I ran the test tool (ddpeval.exe) it showed that the 200 GB would be reduced to about 63 GB without compression and 35 GB with compression. It was right!

After enabling deduplication, disk utilization dropped from 200 GB to 34 GB, leaving over 200 GB free on the SSD drive. I was scared that this might impact performance of the VMs, but I could not see a performance difference at all.

Overall, I'm very impressed.

For details about how to implement data deduplication in Windows Server 2012 see here:
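As an added example (not from the post), the commands that enable deduplication on a volume of static base VHDs and read back the savings; it assumes the SSD is mounted as S: and that you run it as an administrator on Windows Server 2012.

```powershell
# Added example: enable Windows Server 2012 data deduplication on the SSD that
# holds the static base VHDs, optimize immediately, and report the savings.
# Assumption: the SSD is drive S: (sample letter); run elevated.
$Volume = 'S:'

# Install the feature; ddpeval.exe is available once the feature is installed
Install-WindowsFeature -Name FS-Data-Deduplication

# Optional: estimate savings before committing (the evaluation tool from the post)
& "$env:windir\System32\ddpeval.exe" "$Volume\"

Enable-DedupVolume -Volume $Volume

# The default policy skips recently modified files; base disks never change,
# so let the optimization job process them right away
Set-DedupVolume -Volume $Volume -MinimumFileAgeDays 0

# Run the optimization job now instead of waiting for the scheduled run
Start-DedupJob -Volume $Volume -Type Optimization -Wait

# Saved space and savings rate for the volume
Get-DedupStatus -Volume $Volume | Format-List Volume, OptimizedFilesCount, SavedSpace, SavingsRate
```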

Friday, December 6, 2013

Free Online Hyper-V Training

I work with Hyper-V a lot for Microsoft training and we've started to use it as our standard virtualization platform for clients. I've seen a lot of improvements in it since it was first introduced and honestly think that for smaller organizations it's easier to work with than VMware. For larger organizations, I think it's a contender.

One of the biggest impediments to implementation is knowledge. Microsoft is making online training for Hyper-V in Windows Server 2013 R2 available for free. They're also kicking in a certification exam.

Check it out:

Thursday, November 28, 2013

Windows Live Mail Not Forwarding Embedded Pictures

I recently ran into a computer using Windows Live Mail in conjunction with AOL. This resulted in some emails with embedded pictures not forwarding. It generated a warning about this when you went to send.

What seemed to fix it was disabling the option in Windows Live Mail to convert emails with pictures to picture emails. However, this conversion happened when the messages were received. For existing emails that have already been converted, right-click and forward as attachment seemed to do the trick.

To disable picture emails:
  • File > Options > Mail > Compose > Convert messages to photo e-mail when adding photos

Wednesday, November 27, 2013

Converting a Mail User to a Remote User Mailbox

I have a client with an existing Office 365 implementation and a separate on-premises Exchange organization. As part of linking these two together into hybrid mode, the local AD account became a Mail User.

A Mail User is a local AD account with an external SMTP address configured. This allows the user to have an email address in the GAL without having a local Exchange mailbox.

To move mailboxes, this Mail User needs to be configured as a Remote User Mailbox. A Remote User Mailbox also has a proper remote routing address property configured.

I couldn't find any documentation on performing this process. However, I did find a script that indicates it fixes up user accounts when a mailbox move to Office 365 does not complete properly. I used this script to identify the changes that needed to be made.

The script is here:
The changes that need to be made are:
  1. Configure the user attribute targetaddress to contain the remote routing address for the mailbox. This should be in the format of userid@domain.mail.onmicrosoft.com. In my case it would have been testmailbox@byronwright.mail.onmicrosoft.com.
  2. Set the msExchRemoteRecipientType attribute for the user account to equal 4.
  3. Set the msExchRecipientDisplayType attribute for the user account to equal -2147483642. (yes, this is a negative value)
  4. Set the msExchRecipientTypeDetails attribute for the user account to equal 2147483648.
Those steps changed the Mail User to a Remote User Mailbox. However, I was still unable to move the mailbox from Office 365 to the on-premises Exchange. This was due to the ExchangeGUID attribute not being set properly on the local user account. To fix this, I performed the following:
  1. In Office 365: get-mailbox testmailbox | fl ExchangeGUID
  2. In on-premises Exchange: set-remotemailbox testmailbox -ExchangeGUID 12345678-1234-1234-1234-123456789abc (note GUID is from step 1)
After setting the ExchangeGUID moves to the on-premises Exchange worked properly.

UPDATE: See a similar procedure for room mailboxes at: http://byronwright.blogspot.ca/2014/06/putting-office-365-room-mailboxes-in.html 

UPDATE: While the above seemed like a good procedure at the time. I've since become aware that you can use Enable-RemoteMailbox in this same scenario to fix up the local mail users to remote user mailboxes. For a script to do it on a whole OU, see here: http://byronwright.blogspot.ca/2014/10/script-to-resolve-error-when-running.html
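The conversion described in the numbered steps above and the Enable-RemoteMailbox approach from the update, combined into one added example (not the post's script or the linked one); it assumes an on-premises Exchange Management Shell with the ActiveDirectory module available, and the identity, routing domain and GUID are sample values.

```powershell
# Added example: convert one mail user to a remote user mailbox with
# Enable-RemoteMailbox, stamp the ExchangeGUID copied from Office 365, and verify
# the four attribute values listed in the post.
# Assumptions: on-premises Exchange Management Shell, ActiveDirectory module present.
function Convert-MailUserToRemoteMailbox {
    param(
        [Parameter(Mandatory)] [string]$Identity,          # e.g. testmailbox
        [Parameter(Mandatory)] [string]$RoutingDomain,     # e.g. byronwright.mail.onmicrosoft.com
        [Parameter(Mandatory)] [guid]  $CloudExchangeGuid  # Office 365: Get-Mailbox <id> | fl ExchangeGUID
    )

    $routingAddress = "$Identity@$RoutingDomain"

    # Replaces the manual attribute edits: Exchange writes targetAddress,
    # msExchRemoteRecipientType, msExchRecipientDisplayType and msExchRecipientTypeDetails
    Enable-RemoteMailbox -Identity $Identity -RemoteRoutingAddress $routingAddress

    # Without a matching ExchangeGUID, moves from Office 365 to on-premises fail
    Set-RemoteMailbox -Identity $Identity -ExchangeGUID $CloudExchangeGuid

    # Verify against the values from the post. The directory stores targetAddress
    # with its address-type prefix (SMTP:); the post lists only the address part.
    $expected = @{
        targetAddress              = "SMTP:$routingAddress"
        msExchRemoteRecipientType  = 4
        msExchRecipientDisplayType = -2147483642
        msExchRecipientTypeDetails = 2147483648
    }
    $user = Get-ADUser -Identity $Identity -Properties ([string[]]$expected.Keys)
    foreach ($attr in $expected.Keys) {
        $actual = $user.$attr
        [pscustomobject]@{
            Attribute = $attr
            Expected  = $expected[$attr]
            Actual    = $actual
            Match     = ("$actual" -eq "$($expected[$attr])")
        }
    }
}

# Sample call with constructed values
Convert-MailUserToRemoteMailbox -Identity 'testmailbox' `
    -RoutingDomain 'byronwright.mail.onmicrosoft.com' `
    -CloudExchangeGuid '12345678-1234-1234-1234-123456789abc'
```

A row with Match = False after the call points at the attribute that still needs attention before attempting the mailbox move.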

Wednesday, November 20, 2013

AD FS Service Hangs on Starting

In previous versions of Windows Server and AD FS, it was not recommended to install AD FS on a domain controller due to security issues caused by running IIS on a domain controller. In Windows Server 2012 R2, AD FS does not use IIS. So, it is now possible to run AD FS on a domain controller.

I'm not sure whether it was possible in previous versions of AD FS, but AD FS in Windows Server 2012 allows you to run the service by using a group Managed Service Account (gMSA). The main benefit of using a gMSA is automatic password changes. The account password is changed automatically in the background to enhance service security.

It turns out that if you run AD FS on a Windows Server 2012 R2 domain controller and use a gMSA for the service, it prevents the service from starting. When you do the initial installation, it will look fine, but after you do a reboot, the service will have a status of Starting and hang. There are no events in the event log to indicate what the issue is.

I first noticed the hanging issue in prerelease versions of Windows Server 2012 R2, but didn't understand exactly what was causing the issue. This behavior still exists in the RTM release of Windows Server 2012 R2.

To avoid this issue, do one of the following:
  • Use a standard domain user account instead of a gMSA
  • Install AD FS on a Windows Server 2012 R2 member server
You can see that this behavior has been confirmed by others here:

Wednesday, November 13, 2013

Free ebook on Windows Server 2012 R2

Just got the following from Microsoft:

Introducing Windows Server 2012 R2
Mobi (Kindle)
If you prefer a hard copy of the book, you can order it here from our official distributor, O’Reilly Media, for $9.99
This book is intended to provide you with an overview of the new features and enhancements introduced in Windows Server 2012 R2. The intended audience for this book is IT pros who deploy, manage, and maintain Windows Server workloads in data center, private cloud, and hosting provider environments.

We assume that you are at least somewhat familiar with the features and capabilities of the previous platform Windows Server 2012. If you are not familiar with all the new features and enhancements Microsoft introduced previously in Windows Server 2012, we recommend that you first read Introducing Windows Server 2012 RTM Edition (Microsoft Press, 2012).

A key feature of this book is the technical sidebars that have been contributed by Microsoft insiders. These sidebars were written by experts who have been closely involved in the Windows Server 2012 R2 development process and include Program Managers, Support Escalation Engineers, Technical Consultants, Data Center Specialists, and others who work at Microsoft in various capacities.

OWA 2010 Error: "The server operation timed out"

I was performing a small migration for Exchange 2007 to Exchange 2010. Because this migration was small, we didn't configure simultaneous access to owa on both platforms. Simultaneous access to owa on both platforms requires a second external IP and would have been too time consuming to bother with.

After migrating mailboxes to the new server, we could log on to owa, but when I accessed messages, we got the following error:
The server operation timed out. Please try again later.
A quick review of the owa configuration revealed that owa on both Exchange 2007 and Exchange 2010 was using the same external URL. This was confusing access to the messages.

After I removed the external URL from owa in Exchange 2007 the error was resolved and all was good.

Tuesday, October 29, 2013

Remove SendOnBehalfOf Permission From All Mailboxes

Today a client was looking for a method to remove a specific user from the SendOnBehalfOf permission of all mailboxes. The following script performs the task:
# Substitute the name of the user to remove for XXXX
$ToRemove = (Get-Mailbox XXXX).DistinguishedName

$mailboxes = Get-Mailbox -ResultSize Unlimited
Foreach ($m in $mailboxes) {
    # Only touch mailboxes that actually list the user
    if ($m.GrantSendOnBehalfTo.DistinguishedName -contains $ToRemove) {
        # GrantSendOnBehalfTo is a multi-valued list; rebuild it without the user and write it back
        $new = $m.GrantSendOnBehalfTo | Where-Object { $_.DistinguishedName -ne $ToRemove }
        Set-Mailbox $m -GrantSendOnBehalfTo $new
    }
}
There are probably more efficient ways to do this, but this script gets the job done. The only reason it's awkward is because GrantSendOnBehalfTo is a list that needs to be modified. 

Saturday, October 26, 2013

Free Exchange 2013 Training

Microsoft has added some Exchange 2013 Jump Start videos to Channel 9. For anyone interested in certification, they look like they'd be an excellent preparation tool for the 70-341 exam. Otherwise, they're definitely useful if you just want to learn more about how Exchange 2013 works.

The videos include:
  • Deploying and Managing Microsoft Exchange Server 2013
  • Configuring Mailbox Servers and Recipients
  • Deploying and Managing Client Access Servers and Clients
  • Configuring the Message Transport
  • Implementing High Availability and Disaster Recovery
  • Configuring Administrative Security and Auditing
  • Migrating to Microsoft Exchange Server 2013
Access the videos here:

Exception has been thrown by the target of an invocation

Recently I had to troubleshoot the following error for a client in ECP when trying to browse for an OU to create a new mailbox in Exchange 2013.
Exception has been thrown by the target of an invocation
The only reference to the error that I could find for Exchange 2013 related to domain controllers not being in the default Domain Controllers OU. Sure enough, this client had added child OUs inside of Domain Controllers. The child OUs were being used to control how WSUS was pushing out updates to the domain controllers.

To resolve the issue, we moved the domain controller computer objects back directly into the Domain Controllers OU and removed the child OUs from inside the Domain Controllers OU. We did this in all three domains.

A blog article that I used when troubleshooting:

Thursday, October 24, 2013

RDP Client for Android and iOS

Within the last few days, Microsoft has released an RDP (remote desktop) client for both Android and iOS. This is apparently the result of Microsoft buying the iTAP RDP application, which was fairly popular for iOS, about a year ago. As of now iTAP is no longer available and the Microsoft RDP clients are.

In the Play store, search for Microsoft Remote Desktop. If you search for RDP, you'll get a lot of other non-Microsoft apps listed. I've tested out the Android version and it seems pretty nice.

Microsoft Remote Desktop client for Android

The controls are simple:
  • By default, it shows full screen.
  • Tap the zoom icon in the middle left for a larger view that you can scroll around.
  • Tap the keyboard icon in the middle right to bring up a keyboard.
  • Press the menu button on the device to bring up special keys for the keyboard such as shift, control, and the Windows key.
Also note that it includes support for RD Gateways. This is a premium feature in many RDP clients.

UPN Not Available in ECP When Creating Mailbox

Recently I was working as part of a Notes to Exchange 2013 migration. The original vendor on the project had been replaced and we were taking over the process. As always in these scenarios, you're suspicious of everything that you see in the new environment because you don't know what is left at default.

When creating new mailboxes in Exchange Control Panel the client observed that only the forest root domain was available as a UPN suffix. Most of the environments that I work in are single domain, so I didn't identify the issue right away. The domains that the client uses are multiple trees. So, I was immediately concerned that the issue was related to that, but it was not. It was quite simple really and parallels what happens when using AD Users and Computers to set the UPN suffix for an account.

When you are using AD Users and Computers to configure the UPN suffix for an account, the root domain of the forest will always be one of the options. The other option will be the current domain if you are in a domain other than the root domain.

For example, if I have a forest with the following domains:
  • conexion.ca
  • child1.conexion.ca
  • child2.conexion.ca
If I'm running AD Users and Computers in child1.conexion.ca, then I will see conexion.ca and child1.conexion.ca in the UPN suffix list. If I'm running AD Users and Computers in the conexion.ca domain then I will see only conexion.ca in the UPN suffix list.

So, my assumption is that Exchange 2013 was using conexion.ca as its base for doing the AD queries/work, because we were seeing only the root domain in the drop-down list.

To make the child domains available as UPN suffixes when running AD Users and Computers in the root domain, the child domains need to be added as alternative UPN suffixes to the forest. After they are added here, they are available from any domain. Note that you can add anything you want here. You are not limited to UPN suffixes that match your domain names.

Configuring the UPN Suffix for a User Account

Ultimately, what works for AD Users and Computers also worked for ECP. At the client, after adding the name of the other tree as an alternative UPN suffix, it appeared in ECP and all was good.

Steps to add an alternate UPN suffix for the forest:

  1. Open Active Directory Domains and Trusts.
  2. In Active Directory Domains and Trusts, right-click the Active Directory Domains and Trusts node and click Properties.
  3. On the UPN Suffixes tab, add the subdomain required.
Adding an Alternative UPN Suffix

Monday, October 21, 2013

Removing Disconnected Mailboxes in Exchange 2013

In most cases, waiting the default 30 days for disconnected (disabled) mailboxes to be removed is not a concern. However, when doing implementation testing, you might have significant data that you want to remove before doing a final migration with good data.

Also, when moving mailboxes, the source mailbox is soft deleted and not purged for 30 days. If you were moving mailboxes to free up space in the database, then purging soft deleted mailboxes immediately is a reasonable way to go.

In Exchange 2010 you could purge disconnected mailboxes from the Exchange Management Console. In Exchange 2013, your only option is the Exchange Management Shell.

You can use the following to remove disabled/disconnected mailboxes from a specific database (the DisconnectReason filter must match the -MailboxState passed to Remove-StoreMailbox):
Get-MailboxStatistics -Database "YourDatabaseName" | where {$_.DisconnectReason -eq "Disabled"} | foreach {Remove-StoreMailbox -Database $_.Database -Identity $_.MailboxGuid -MailboxState Disabled -Confirm:$False}
You can use the following to remove soft deleted mailboxes:
Get-MailboxStatistics -Database "YourDatabaseName" | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.Database -Identity $_.MailboxGuid -MailboxState SoftDeleted -Confirm:$False}
To modify either of these to work for all databases in your organization, replace the Get-MailboxStatistics cmdlet with the following:
Get-MailboxDatabase | Get-MailboxStatistics | where ....

Saturday, October 19, 2013

ActiveSync-Based Email Access in Windows 8.1

Windows 8.1 includes the email application Windows Mail. This application can access email via IMAP or ActiveSync. Yes, that's right ACTIVESYNC!

I've been wondering why ActiveSync was good enough for mobile devices, but not desktop computers. It appears that this has finally arrived. Perhaps paying Microsoft a licensing fee for use of ActiveSync is holding other vendors back.

A standard IMAP client will synchronize only email messages. An ActiveSync client can synchronize messages, your calendar, and contacts. This is now an effective option for home users that want to access work email from their computer through a full email client but without purchasing a version of Office that includes Outlook.

Remote wipe is also supported for this application. However (and this is good news), remote wipe affects only the Exchange email data. This is unlike a phone remote wipe which wipes the entire device.

For more information see:

Forcing ECP to open in Exchange 2013

One of the annoyances I've been finding in Exchange 2013 during migrations is that when an administrator with a mailbox in Exchange 2010/2007 attempts to access Exchange Control Panel to administer, they are redirected to the older version of Exchange 2010. This happens because Exchange looks up where the user's mailbox is and assumes that you want to access the server where the mailbox is located.

Fortunately, there is an easy fix for this. Append ExchClientVer=15 to the URL to force it to stay on Exchange 2013. For example:
  • https://server.domain.com/ecp?ExchClientVer=15

IE 11 Problems with OWA

I haven't had a chance to verify yet, but IE 11 appears to have issues working with OWA in Exchange 2007-2013. IE 11 is included in the Windows 8.1 Service Pack.

The core issue seems to be that IE 11 no longer identifies itself as IE. Consequently, Exchange Server dumbs down the OWA experience to be sure that it is compatible.

You can update Exchange 2013 to work with IE 11 properly by installing Cumulative Update 2 for Exchange 2013.
You can update Exchange 2010 to work with IE 11 properly by installing update rollup 3 for SP3:
For Exchange 2007 there is currently no update available to fix the server side. Instead, you need to use compatibility mode in IE or InPrivate Browsing.

For a nice article about this and further explanation, see here:
*Updated Nov 26th to include new update that is available for Exchange 2010

Saturday, October 12, 2013

Error Creating Outlook 2010 Profile for Exchange 2013

We were recently connecting some newly imaged computers to Exchange 2013 and got a 0x80070057 error when attempting to create the user profile. This error did not occur when connecting to the older Exchange 2007 server. This error was a result of Office 2010 not being at the correct update level.

Outlook 2010 must have at least Service Pack 1 with the November 2012 cumulative update. In this case, we installed Service Pack 2 and all was good.

Here is the link to the required versions of Outlook for Exchange 2013:
Update Oct 24/13: I have also seen this problem at a client using the HTTP proxy settings in IE. Make sure your Exchange servers are an exception that does not require the use of the proxy.

Thursday, October 10, 2013

New Tool to Remove Unneeded Windows Update Files

Microsoft has just released an update for Windows 7 that enables you to remove old files that allow Windows Updates to be removed. This will save a ton of disk space on many computers. If you are using a small SSD drive, the extra few GB would be nice to have back.

After applying the update, the Disk Cleanup wizard is updated to include the option Windows Update Cleanup. After performing the Windows Update Cleanup, you will not be able to remove Windows Updates that are cleaned up.

My only caution related to using this tool relates to Internet Explorer. We have several clients that require Internet Explorer 8 to use web-based applications. All of our new computers with Windows 7 have IE 9 preinstalled and we need to roll back to IE8. I'm concerned we would lose this ability if Dell starts to use this tool before shipping out computers. That said, I haven't had time to test yet.

For more information, see:
For the update go here:

Tuesday, October 8, 2013

Video on Basic Network Setup

Each year I help out with a networking class at the Asper School of Business in the University of Manitoba. I do a demonstration of basic server installation and configuration. Last year I made it into a video, and this year I've uploaded it to YouTube for the students.

In case anyone is interested the video is located here:
This video includes:
  • Installation of Windows Server 2008 R2
  • Joining a domain
  • Basic IP configuration
  • Create and configure file shares
  • Create and configure shared printers
  • Drive mappings via Group Policy preferences

Wednesday, September 4, 2013

Windows 7 Unable to Pin to Start Menu

In Windows 7, there is a little-known registry key that limits the names of items that you can pin to the taskbar and Start menu. Any item that contains one of the listed keywords cannot be pinned. However, you can modify the list if you desire.

The default list contains:
  • Documentation
  • Help
  • Install
  • More Info
  • Readme
  • Read me
  • Read First
  • Setup
  • Support
  • What's New
  • Remove
The registry key that contains these names is:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\AddRemoveNames
There is an additional registry key with a list of application names that cannot be pinned. The default list of application names is:

The registry key that contains the application names is:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\AddRemoveApps

Wednesday, July 31, 2013

Finding the Error Type for Use with Trap and Try/Catch

I've read tons of web pages over the last few years looking at error handling in PowerShell. Many of the blogs and examples assume that you already know the error type that you are looking for. Finally today I found an example of viewing the error type so that you can identify it and use it with Try/Catch or Trap.

To view the error type, first generate the error. The most recent error is stored in the variable $error[0]. To view the error type use the following:
You can use this with Try/Catch to catch different error messages and perform different actions based on the specific error type.
Try {
    # code to try
}
Catch [fullnameOfErrorType] {
    # stuff to do for that error type
}
Catch {
    # stuff to do for a non-defined error type
}
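The whole procedure carried through on a real error as an added example (not the post's code): generate the error, read its type from $error[0], then use that type in both a Try/Catch and a Trap. It assumes the constructed file path below does not exist.

```powershell
# Added example: discover an error's .NET type and handle exactly that type.
# Assumption: this constructed path does not exist, so Get-Item fails.
$missing = Join-Path $env:TEMP 'no-such-file-12345.txt'

# 1. Generate the error so it lands in $error[0]. -ErrorAction Stop turns the
#    non-terminating error into a terminating one; without it Try/Catch never sees it.
Try { Get-Item -Path $missing -ErrorAction Stop } Catch { }

# 2. The full type name is what goes into the square brackets of a Catch or Trap
$error[0].Exception.GetType().FullName

# 3. Handle only that type; anything else falls through to the generic Catch
Try {
    Get-Item -Path $missing -ErrorAction Stop
}
Catch [System.Management.Automation.ItemNotFoundException] {
    "Missing file handled: $($_.Exception.Message)"
}
Catch {
    "Unexpected error type: $($_.Exception.GetType().FullName)"
}

# 4. The same type used with Trap, which covers the whole scope it is declared in
function Invoke-WithTrap {
    Trap [System.Management.Automation.ItemNotFoundException] {
        "Trapped: $($_.Exception.Message)"
        continue   # resume with the statement after the one that failed
    }
    Get-Item -Path $missing -ErrorAction Stop
    "Execution continued after the trap"
}
Invoke-WithTrap
```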

Tuesday, July 30, 2013

Passing Pipeline Objects byPropertyName Fails

In class this week, the text had the following example of a PowerShell command that should work:
Get-ADComputer -Filter * | Select-Object @{name='ComputerName';expression={$_.name}} | Get-Service
The text claimed this would work and I initially thought it would. Here was my theory:

Get-ADComputer retrieves the computer objects from Active Directory. Those computer objects have a property 'Name' that we can convert to a property named 'ComputerName'. Then the list of ComputerName property values is passed to Get-Service which has a ComputerName parameter that accepts pipeline input by property name.

However, like all good students, my class wanted to see it work. So, we tried it out, and it didn't work.

It failed with the following error:
Get-Service : Cannot find any service with service name '@{ComputerName=VAN-DC1}'

Further in there was a clue:
ObjectNotFound: (@{ComputerName=VAN-DC1}:String)

The problem relates to how parameters are passed through the pipeline. The preferred choice by PowerShell is to pass byValue. This means that values are matched to parameters based on the type of object that is being passed. Note that PowerShell will also convert data types to match a parameter that accepts pipeline data byValue if it can. Only if all options for binding based on value fail will it kick over and attempt to match byPropertyName.

In this case, the ComputerName property that we added (technically a NoteProperty) was being converted to a string. The Get-Service cmdlet accepts strings as input for the -Name parameter, which expects the value to be a service name.

So, the end result is that it was a poorly constructed way to get the list of services from all computers. This example is perhaps easier and works. However, it doesn't showcase passing values along the pipeline.

Get-ADComputer -Filter * | Foreach {Get-Service -ComputerName $_.Name}
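To see the binding behaviour described above without Active Directory, here is an added example (not from the post): a hypothetical stand-in function whose two parameters carry the same pipeline attributes as Get-Service -Name and -ComputerName, fed the same object shape the calculated property produced, plus Trace-Command to watch the binder decide.

```powershell
# Added example: reproduce the byValue-over-byPropertyName binding offline.
# Assumption: the parameter attributes below mirror Get-Service -Name and
# -ComputerName; Test-ServiceBinding itself is hypothetical.
function Test-ServiceBinding {
    [CmdletBinding()]
    param(
        # Like Get-Service -Name: positional, accepts pipeline input byValue
        [Parameter(Position = 0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string[]]$Name,

        # Like Get-Service -ComputerName: accepts pipeline input byPropertyName only
        [Parameter(ValueFromPipelineByPropertyName = $true)]
        [string[]]$ComputerName
    )
    process {
        # Report which parameter actually received the pipeline object
        [pscustomobject]@{
            Name         = $Name -join ','
            ComputerName = $ComputerName -join ','
        }
    }
}

# The object shape produced by the Select-Object calculated property in the post
$calculated = [pscustomobject]@{ ComputerName = 'VAN-DC1' }

# The object is coerced to the string '@{ComputerName=VAN-DC1}' and bound to -Name,
# the same value the Get-Service error message quoted; -ComputerName stays empty
$calculated | Test-ServiceBinding

# Trace-Command prints every binding attempt; look for the BIND PIPELINE object lines
Trace-Command -Name ParameterBinding -PSHost -Expression { $calculated | Test-ServiceBinding }

# The working shape from the post: pass the property explicitly inside ForEach-Object
$calculated | ForEach-Object { Test-ServiceBinding -ComputerName $_.ComputerName }
```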

Monday, July 29, 2013

EventID 5139 and Kerbauth.dll Error

I recently reinstalled Exchange on a computer that had been installed into the incorrect domain. To do this, Exchange 2010 was uninstalled, the computer was joined to the other domain, and Exchange 2010 was reinstalled.

During the installation process, all appeared good. However, the Exchange Management Console and Exchange Management Shell were unable to connect locally on the new server. They tried to connect locally, timed out, and then connected to another Exchange 2010 server.

The following errors were in the event logs:
Event ID 5139
A listener channel for protocol 'http' in worker process '1028' serving application pool 'MSExchangePowerShellAppPool' reported a listener channel failure. The data field contains the error number.

Event ID 2280
The Module DLL D:\Microsoft\Exchange Server\V14\Bin\kerbauth.dll failed to load. The data is the error.
The source of this error turned out to be a line in the Windows\System32\inetsrv\config\applicationHost.config file. This line contained the path D:\Microsoft\Exchange Server\V14\Bin\kerbauth.dll when in fact it should have been C:\Microsoft\Exchange Server\V14\Bin\kerbauth.dll. After further investigation, it appeared that the original install of Exchange was done to the D: drive rather than the C: drive and that the change on the second install caused the error.

The line that needed to be modified was:
<add name="kerbauth" image="D:\Exchange Server\V14\Bin\kerbauth.dll" />

After the change to the C: path, all was good.
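A quick check that would have surfaced this stale path before IIS logged Event ID 2280, written here as an added example (not from the post): it parses the globalModules section of applicationHost.config and flags any module whose DLL does not exist. It assumes the default IIS config location and an elevated shell on the IIS/Exchange server.

```powershell
# Added example: list IIS global modules and flag those whose image path is missing.
# Assumption: default applicationHost.config location; run as administrator.
function Test-IisGlobalModulePaths {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    # Each <add name="..." image="..."/> under <globalModules> is one native module
    Select-Xml -Path $ConfigPath -XPath '//globalModules/add' |
        ForEach-Object {
            # image attributes may use %windir%-style variables; expand before testing
            $image = [Environment]::ExpandEnvironmentVariables($_.Node.image)
            [pscustomobject]@{
                Module = $_.Node.name
                Image  = $image
                Exists = Test-Path -LiteralPath $image
            }
        }
}

# Only the broken entries; no output means every module DLL resolves
Test-IisGlobalModulePaths | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

Run it after any Exchange reinstall or drive change; a kerbauth entry with Exists = False is the condition this post describes.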

Friday, July 19, 2013

Dust Protection for Server

We have a client with two physical locations in the same town. To provide offsite backup, we created a system that replicates virtual machines to the second site. The second site is a machine shop that is quite dusty.

Plan A was to locate the server in a large utility room. However, it turns out that in the summertime, that utility room hovers at about 30C (86F). This is much warmer than I'm comfortable with. So, on to Plan B which is the air conditioned office area which is still dusty, but much cooler.

To host the server in the office area, we need some kind of box to house it in that can filter out dust. In my research, I found that the standard for this rating is IP 54 or NEMA 12. Those are two different standards that say the case makes the computer safe from dust and light splashing.

I did some research and here are the best options I found.

  1. APC NetShelter CX. This is a nice looking cabinet that is sound proof and comes in various sizes. The smallest of these is an 18U box that is about $3800CDN retail. The dust filtering option is an extra $100 or so. I think this would be my choice in a standard office environment because of the looks and the soundproofing.
  2. Tripplite SR42UBEIS. This is a 42U rack that looks like a server rack. It's large and not pretty but gets the job done for dust protection. However, there is no sound proofing. So, this one seems better suited to a dusty utility area than to an office. You're looking at about $2300CDN retail.
  3. Dust Free PC. This company has a wide range of dust enclosures for computers and servers. The most basic enclosure for tower servers is about $600 plus shipping. Versions for rack mounting start at about $1500 for a 10U rack. These are not as pretty or sound proofed as the APC NetShelter CX, but they look very functional.
At this point, because it's for a shop, we're not that concerned about noise suppression or looks. So, I think we're going to go with the Dust Free PC unit. A machine on their shop floor already uses a Dust Free PC enclosure for a PC and they've been happy with it.

Wednesday, July 17, 2013

Exchange Without a DMZ or Reverse Proxy?

For many years I've been implementing Exchange server in SMB environments without using a DMZ or reverse proxy to control access to Exchange services. At least since Exchange 2010 came out, I've been arguing that they don't really add much security value and that none of my customers (nor any others I've heard of) had any issues with doing this.

Large companies have fairly rigid security policies. One of these policies is typically that no network traffic is passed directly to the LAN from the Internet. There needs to be some sort of reverse proxy in a DMZ (perimeter network in MS speak). In classes where I teach Exchange, the students from larger organizations typically believe strongly in these policies. They are risk averse and this is the way it's always been. And many times, they have no control over this policy.

Well, a beautifully written article from Greg Taylor on the Exchange Team lays it all out for you to consider. From my perspective, it solidifies what I've thought for some time. It may give you some new ideas to consider.

Check out Greg's article here:

Monday, July 15, 2013

Exchange 2013 Corrupted Health Mailboxes

While in the process of removing a database from an Exchange 2013 server, I got the following error:
Failed to remove monitoring mailbox object of database "DBname". Exception: Active directory operation failed on Servername. This error is not retriable. Additional information: Access is denied. Active directory response: 000000005: SecErr: DSID-031520B2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0.
The database was removed, but there seemed to be some sort of Active Directory error when deleting the monitoring mailboxes associated with the database.

Next I tried to view the monitoring mailboxes by using:
Get-Mailbox -Monitoring
This showed me mailboxes with the following error:
WARNING: The object domainname/Microsoft Exchange System Objects/Monitoring Mailboxes/HealthMailboxbiglongGUID has been corrupted, and it's in an inconsistent state. The following validation errors happened: WARNING: Database is mandatory or UserMailbox.
After doing some searching, I found that this problem is a result of Exchange 2013 not having sufficient permissions to the domainname/Microsoft Exchange System Objects/Monitoring Mailboxes OU. The database attribute is blank because the database it referenced no longer exists.

The simple fix is to manually delete the objects referenced by the errors from that OU by using Active Directory Users and Computers. After removing the object, the error is gone. You cannot use the Remove-Mailbox cmdlet to remove the accounts because Exchange does not have the necessary permissions.

It may be possible to resolve this error by giving Exchange Trusted Subsystem additional permissions to this OU, but I'll leave that for the Exchange team in the next cumulative update.

Note: Exchange 2013 RTM created the user accounts for these mailboxes in the Users folder. Exchange 2013 CU1 creates them in this new location. This may account for the changed behaviour causing the errors.

Deleting the health mailboxes is low risk because they should be recreated by the Microsoft Exchange Health Manager service on the Exchange 2013 server when that service is restarted.

Update: If the health monitoring mailboxes are not being recreated after you delete them, verify that the domainname/Microsoft Exchange System Objects/Monitoring Mailboxes OU exists. One commenter below was having issues and running ADPrep again created the container which allowed the health mailboxes to be recreated.
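The cleanup described above, as an added example that is not part of the original post: it checks that the Monitoring Mailboxes container exists, lists the health mailbox objects whose Database attribute is blank, deletes those AD objects with the ActiveDirectory module under your own account's permissions (the problem is Exchange's permissions, not yours), and restarts the Health Manager service so they are recreated. It assumes the ActiveDirectory module is available in the Exchange Management Shell.

```powershell
# Added example, not from the original post: remove orphaned health mailbox
# objects and let the Health Manager service recreate them.
# Assumes the ActiveDirectory module is loadable in the Exchange Management Shell.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$container = "CN=Monitoring Mailboxes,CN=Microsoft Exchange System Objects,$domainDn"

# 1. The container must exist, or nothing will be recreated after the cleanup
try {
    Get-ADObject -Identity $container -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Container not found: $container (the update above says re-running ADPrep creates it)"
    return
}

# 2. Health mailboxes with a blank Database are the ones producing the
#    "Database is mandatory" warning
$orphans = Get-Mailbox -Monitoring -WarningAction SilentlyContinue |
    Where-Object { -not $_.Database }
$orphans | Format-Table Name, DistinguishedName -AutoSize

# 3. Remove the AD user objects. -WhatIf only reports; take it off to delete for real.
foreach ($o in $orphans) {
    Remove-ADObject -Identity $o.DistinguishedName -Confirm:$false -WhatIf
}

# 4. Restart the Microsoft Exchange Health Manager service so it recreates them
Restart-Service -Name MSExchangeHM
```

Run it first with the -WhatIf in place to review the list, then a second time without it. If the mailboxes do not reappear after the service restart, the container check in step 1 is the first thing to revisit.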

Exchange 2013 Hidden Mailboxes

In the graphical/web-based interface for Exchange 2013, the list of recipients does not include utility mailboxes such as:
  • discovery search mailbox
  • arbitration mailboxes
I recently had an issue at a client where rather than trying to fix an Exchange server having issues, we just replaced it and moved the mailboxes. However, before I could actually uninstall Exchange 2013 from the old server, I needed to move the mailboxes that did not appear in the graphical interface.

In the Exchange Management Shell (EMS), the discovery search mailbox is retrieved by the Get-Mailbox cmdlet. So, you can use the following to move the discovery search mailbox:
Get-Mailbox -Server RetiringServer | New-MoveRequest -TargetDatabase DBonNewServer
To get a list of the arbitration mailboxes, you need to use the -Arbitration switch with the Get-Mailbox cmdlet as shown in the screenshot below:

We had not implemented these, but other things that might trip you up are:
  • archive mailboxes (use the -Archive switch)
  • public folder mailboxes (use the -PublicFolder switch)
After you have removed all mailboxes from a database, then you can remove the database and finally, uninstall Exchange 2013. Uninstalling Exchange 2013 is the proper way to remove the server from the Exchange organization.

If you have not removed all mailboxes from a database before attempting to delete it, you will get the following error:
The mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, public folder mailboxes, or arbitration mailboxes.
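The complete move-everything-then-remove sequence, as an added example that is not part of the original post. It covers the discovery search mailbox, arbitration mailboxes, public folder mailboxes and archives, then refuses to remove the old database until nothing is left on it. Server and database names (RetiringServer, DBonOldServer, DBonNewServer) are placeholders.

```powershell
# Added example, not from the original post. Names are placeholders.
$oldServer = "RetiringServer"
$oldDb     = "DBonOldServer"
$newDb     = "DBonNewServer"

# Regular mailboxes plus the discovery search mailbox (returned by plain Get-Mailbox).
# A primary mailbox with an archive on the same database moves both by default.
Get-Mailbox -Server $oldServer -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $newDb

# Arbitration (system) mailboxes: only visible with the -Arbitration switch
Get-Mailbox -Server $oldServer -Arbitration |
    New-MoveRequest -TargetDatabase $newDb

# Public folder mailboxes: only visible with the -PublicFolder switch
Get-Mailbox -Server $oldServer -PublicFolder |
    New-MoveRequest -TargetDatabase $newDb

# Archives that live on the old database while their primary mailbox lives elsewhere
Get-Mailbox -Archive -ResultSize Unlimited |
    Where-Object { $_.ArchiveDatabase.Name -eq $oldDb -and $_.Database.Name -ne $oldDb } |
    New-MoveRequest -ArchiveOnly -ArchiveTargetDatabase $newDb

# Watch the moves finish
Get-MoveRequest | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete -AutoSize

# Only remove the database once every mailbox type is gone from it
$left = @(Get-Mailbox -Database $oldDb -ResultSize Unlimited) +
        @(Get-Mailbox -Database $oldDb -Arbitration) +
        @(Get-Mailbox -Database $oldDb -PublicFolder) +
        @(Get-Mailbox -Archive -ResultSize Unlimited | Where-Object { $_.ArchiveDatabase.Name -eq $oldDb })

if ($left.Count -eq 0) {
    Remove-MailboxDatabase -Identity $oldDb -Confirm:$false
} else {
    Write-Warning "$($left.Count) mailbox object(s) still on $oldDb"
    $left | Format-Table Name, RecipientTypeDetails -AutoSize
}
```

The final check is what the error message quoted above is really asking for: it enumerates each hidden mailbox type separately because a plain Get-Mailbox against the database reports none of them.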

Tool for SMART Status

I have an inexpensive test server that includes Intel's built-in RAID functionality on the motherboard (Intel Rapid Storage Technology enterprise). This is a simple RAID controller that allows me to run RAID 10 on the server and have a bunch of virtual machines. However, every few months or so, it has a tendency to drop a drive from the array.

When a drive drops, I want to see the SMART status of the drive. This allows me to see the physical status of the drive and determine whether the drive is failing. However, the Intel management tool for the controller does not show the SMART status for the individual drives. Kind of a big oversight in my mind. Also, many tools that you can download to view SMART status don't work when RAID is enabled.

Today I found a nice open source utility for Windows to view the SMART status that works with this RAID controller. It is hddguardian. You can get it here:
Here is a screenshot:

Wednesday, June 26, 2013

Free Online Training for Windows Server 2012 R2 and System Center 2012 R2

Microsoft has a couple of free online training events coming up in July:
After these events are over, Microsoft typically makes them available as online videos. I expect that the above links will be updated.

Tuesday, June 18, 2013


While testing mail flow before an Exchange 2007 to Exchange 2013 migration, I received the following error when sending from an Exchange 2013 server to an Exchange 2007 server:
454 4.7.0 Temporary authentication failure
Further investigation in the SMTP receive protocol log showed this error:
Inbound ExchangeAuth negotiation failed because of UnexpectedExchangeAuthBlob
Luckily, based on some quick searches I was able to identify time synchronization as the source of the issue. Active Directory authentication starts to fail when the clocks of the two computers differ by more than 5 minutes. In this case the time difference was 6 minutes.

In the short term, I changed the time on one server and verified that mail flow started to work properly. In the long run I need to identify why time was not properly synchronized and fix it.
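A quick way to measure the skew before touching either clock, as an added example that is not part of the original post. It wraps w32tm, averages a few samples against a peer and warns when the offset is outside the 5-minute window described above. The peer name EX2007 is a placeholder.

```powershell
# Added example, not from the original post. Peer name is a placeholder.
function Get-ClockOffsetSeconds {
    param([Parameter(Mandatory)][string]$Peer)
    # In /dataonly mode w32tm prints one line per sample, e.g. "12:00:01, +00.0123456s"
    $lines = w32tm /stripchart /computer:$Peer /samples:3 /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples from $Peer`: $($lines -join ' ')" }
    ($offsets | Measure-Object -Average).Average
}

$peer   = "EX2007"
$offset = Get-ClockOffsetSeconds -Peer $peer
"Offset to {0}: {1:N1} s" -f $peer, $offset

if ([math]::Abs($offset) -gt 300) {
    Write-Warning "Skew exceeds the 5-minute limit; authentication between the servers will fail"
    w32tm /query /source    # where this machine is getting time from
    w32tm /resync           # force a sync (elevated prompt) rather than setting the clock by hand
}
```

Checking /query /source on both servers is the usual way to find the root cause: a member server that points at a hardware clock or an external NTP server instead of the domain hierarchy will drift away from the domain controllers again after a manual fix.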

Exchange Authentication Error

I'm just performing a migration from Exchange 2007 to Exchange 2013. After installing Exchange 2013 and configuring the certificates, my next step was to verify mail flow between the two systems. Mail flow from Exchange 2007 to Exchange 2013 was fine. However, mail flow from Exchange 2013 to Exchange 2007 was failing.

In the Queue Viewer on the Exchange 2013 server I could see the following message:
451 4.4.0 Primary target IP address responded with: "451 5.7.3 Cannot achieve Exchange Server authentication." Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.
This message indicates that Exchange Server authentication is failing before the message is sent. This can happen because of the following reasons:
  1. A firewall between the servers strips out extended SMTP verbs that are required for Exchange Server authentication. Specifically the following SMTP verbs must be allowed: X-ANONYMOUSTLS, X-EXPS, and GSSAPI. In most cases, this is not an issue on internal networks.
  2. Exchange Authentication is not enabled on the receive connector being used. This is most likely.
In my case, the receiving server had two receive connectors listening on port 25:
  • Default ServerName
  • Anonymous Relay for internal devices
When I reviewed the configuration of these connectors, the Default connector had Exchange Server authentication enabled. The Anonymous Relay connector did not have Exchange Server authentication enabled.

This made me suspect that the Anonymous Relay connector was being used instead of the Default connector. To confirm this I looked in the SMTP Receive protocol log in C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive. Searching the most recent log for the IP address of the Exchange 2013 server showed that the Anonymous Relay connector was being used.

I then looked in the configuration of the Anonymous Relay connector on the Network tab. There were a large number of remote IP addresses listed as allowed to use the Anonymous Relay connector (probably more than there should be, but that's an issue for another day). The entire subnet that the Exchange 2013 server was located on was listed.

Exchange Server chooses a receive connector based on how specific the remote IP addresses listed in the connector are. The subnet listed in the Anonymous Relay connector was more specific than the range listed in the Default connector. Therefore the Anonymous Relay connector was being used.

To fix this problem, I added the individual IP addresses of the Exchange 2013 servers to the Default connector on the Exchange 2007 server. This was then more specific than the subnet in the Anonymous Relay connector. After this was complete, the Default connector was used.
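The same diagnosis and fix from the Exchange Management Shell on the Exchange 2007 server, as an added example that is not part of the original post. It lists the port 25 connectors with their remote ranges and authentication mechanisms, confirms the Default connector actually offers Exchange Server authentication, appends the Exchange 2013 addresses as individual entries, and then reads the connector-id out of the most recent SmtpReceive log for sessions from one of those addresses. The server name EX2007 and the addresses are placeholders; the @{Add=...} syntax requires Exchange 2007 SP1 or later.

```powershell
# Added example, not from the original post. Server name and addresses are placeholders.
$server  = "EX2007"
$ex2013  = @("10.0.0.25", "10.0.0.26")
$default = "$server\Default $server"

# Before: which port 25 connectors could claim connections from the Exchange 2013 servers?
Get-ReceiveConnector -Server $server |
    Where-Object { $_.Bindings -match ':25$' } |
    Format-List Name, AuthMechanism, RemoteIPRanges

# Adding the addresses is pointless if the Default connector cannot do Exchange auth
$dc = Get-ReceiveConnector -Identity $default
if ("$($dc.AuthMechanism)" -notmatch 'ExchangeServer') {
    Write-Warning "$default does not list ExchangeServer in AuthMechanism"
}

# Append /32 entries without disturbing the existing ranges
Set-ReceiveConnector -Identity $default -RemoteIPRanges @{Add = $ex2013}

# After: the protocol log shows which connector each session landed on.
# Field order is date-time,connector-id,session-id,... so connector-id is index 1.
$logDir = "C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive"
$latest = Get-ChildItem $logDir -Filter *.log |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
Select-String -Path $latest.FullName -Pattern $ex2013[0] |
    ForEach-Object { ($_.Line -split ',')[1] } | Sort-Object -Unique
```

The last command should print only the Default connector's id once the change has taken effect; if the Anonymous Relay connector still appears, send another test message and check the log again, since the protocol log only records sessions that have already happened.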

Tuesday, June 11, 2013

Viewing the Exchange 2010 Anti-Spam Logs

In most cases, you should have anti-spam filtering for Exchange 2010 that is provided by software other than Exchange 2010. Exchange 2010 has some basic anti-spam filtering features but they are not as nice or easy to work with as online filtering services (such as ForeFront Online for Exchange) or on-premises services (such as Barracuda devices or Symantec Mail security).

Note: SBS2011 enables the built-in anti-spam filtering capabilities of Exchange 2010 by default.

If you choose to use the spam filtering in Exchange 2010 (or do so by accident), it's pretty awkward to view the logs. The only interface provided by Exchange 2010 is the Get-AgentLog cmdlet. This cmdlet only gives parameters to display by start date and end date. You'll need to filter down the output of Get-AgentLog to see only what you want.

To make life easier for you, here is the list of properties supplied for each message that you can filter on:
  • RunspaceId - Not useful
  • Timestamp - But you'd use the start and end date with Get-AgentLog to filter this instead
  • SessionId - Not useful
  • IPAddress - The mail server sending the message
  • MessageId - Generally not useful unless the sender provides this information to help you search for it
  • P1FromAddress
  • P2FromAddresses
  • Recipients
  • Agent - Indicates which anti-spam filter caught the spam
  • Event - When the filtering was applied (OnEndOfData is typical)
  • Action - Look for RejectMessage when identifying spam that is filtered
  • SmtpResponse - The SMTP code that was provided to the sender (5.7.1 is a spam rejection)
  • Reason - Provides a summarized reason as to why the message was blocked
  • ReasonData - When blocked because of a high SCL, this displays the SCL value
  • Diagnostics - Codes that don't look useful to me
An example of filtering for rejected messages for a specific user:
Get-AgentLog -StartDate "06/11/2013 9:00:00 AM" | Where-Object {($_.Recipients -like "*username*") -and ($_.Action -eq "RejectMessage")}
The above example uses Get-AgentLog to list all messages in the log after 9am on June 11, 2013. The list of messages is piped to Where-Object for filtering.

The filter looks for recipients that contain the username. You could use -eq and search for a specific full email address, but I find it easier to just search for the user portion of the email address. The list of recipients is an array, and -eq may force you to put in all email addresses to match properly.

The filter also looks for messages that have an action of RejectMessage. I am only interested in viewing the rejected messages to verify whether a sender is being blocked.
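Building on the one-liner above, an added example that is not part of the original post: it pulls today's rejections once, summarizes them by agent and reason so you can see which filter is doing the blocking, then lists the rejections for one recipient with the properties from the list above that are actually worth reading. The username is a placeholder.

```powershell
# Added example, not from the original post. Username is a placeholder.
$start = (Get-Date).Date        # midnight today
$user  = "username"

# Pull the rejections once and reuse the result
$rejected = Get-AgentLog -StartDate $start |
    Where-Object { $_.Action -eq "RejectMessage" }

# Which anti-spam agent, and which reason, is responsible for most rejections
$rejected | Group-Object Agent, Reason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Everything rejected for one recipient; Recipients is an array, so -like
# matches any element that contains the user part of the address
$rejected | Where-Object { $_.Recipients -like "*$user*" } |
    Select-Object Timestamp, IPAddress, P1FromAddress, Agent, Reason, ReasonData, SmtpResponse |
    Format-Table -AutoSize

# Keep a copy for the ticket or for the sender who is asking why they were blocked
$rejected | Export-Csv -Path "$env:TEMP\agentlog-rejected.csv" -NoTypeInformation
```

ReasonData is where the SCL value shows up for content-filter rejections, and SmtpResponse is the text the sending server saw, so those two columns usually answer the "why was my mail bounced" question directly.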

Friday, June 7, 2013

New DirSync Does Not Require ADFS for O365

On June 3rd, Microsoft released a new version of DirSync (Windows Azure Directory Sync Tool) that can synchronize on-premises passwords up to Office 365. With the addition of this functionality, you can have users log on to Office 365 without the requirement to configure Active Directory Federation Services (AD FS). Let me give a fairly long explanation as to why this is a good thing. First, here is how it looked with AD FS.

O365 Authentication with AD FS
A traditional configuration of O365 with single sign-on allows users to authenticate to O365 by using their corporate username and password. To enable this process, two components needed to be in place:
  • DirSync. This component replicates information from the on-premises AD to O365. This allows on-premises user accounts to be automatically created in the cloud.
  • AD FS. This component is a service that provides authentication for external services that use the on-premises AD as a source for user accounts. For example, when you authenticate to O365, the credentials you provide are passed to AD FS in your organization for authentication. If AD FS indicates that your username and password are correct, then you are given access to your O365 account. Basically, it allows authentication to be outsourced from the location hosting the application.
There were two main issues with using AD FS:
  1. If AD FS was not available, you could not authenticate to O365. So, if the corporate Internet connection was down or if AD FS experienced any issues at all, your access to O365 was in jeopardy. When a selling feature of cloud-based services is high availability, this makes AD FS a major weak point.
  2. AD FS is relatively complex to set up and configure if you want it to be highly available. At minimum, the recommended solution requires two AD FS servers and two AD FS proxies combined with load balancing for each level.

How Does the New DirSync Help
The new version of DirSync has an option to synchronize passwords from the on-premises AD to O365. Once the password has been synchronized, you authenticate only within O365. This can be used with hybrid deployments of Exchange Server.

To me this provides two big benefits:
  1. The complexity and cost of AD FS is avoided.
  2. O365 accounts can be authenticated even when the on-premises network is unavailable.
Things to Think About
Nothing is a completely free ride. So, there are things that you need to consider when selecting password synchronization over AD FS:
  1. How paranoid are you? Your AD password information is being replicated into O365. This is done by replicating the hash value of the password, not the actual password, but if someone got the hash value, they could run a brute force attack on the hash and might be able to get the password.
  2. Users will be prompted for credentials. AD FS provides single sign-on. For domain joined computers, this meant that access to O365 could be made seamless by passing workstation credentials to O365 for authentication. When you use password synchronization, users will be prompted for a password when starting Outlook. At least until you save the credentials during logon to O365.
  3. Password synchronization from AD to O365 is not immediate. It takes place outside the standard 3-hour synchronization interval and typically completes within a few minutes, but it is not instantaneous.
  4. This tool has apparently been available on the education side of O365 for a while. So, it's not completely new. That makes me feel better about looking at implementing it sooner rather than later.
  5. You can convert from an AD FS federated domain to using password synchronization fairly easily by using Convert-MsolDomainToStandard.
Additional Resources
Here are some additional resources that will help you evaluate whether password synchronization is right for your organization:

Tuesday, May 28, 2013

Renewing an Exchange 2010 Certificate from Go Daddy

When you use the Exchange Management Console for Exchange Server 2010 to generate a certificate renewal request, the format used is not compatible with Go Daddy. The EMC provides some sort of binary request. Go Daddy expects a standard text-based renewal request.

You can use this process instead:
  1. Perform the certificate renewal on the Go Daddy web site and select the option to reuse the existing CSR. If you do this, then you do not need the renewal request from Exchange.
  2. Download the approved certificate in zip format and extract it to obtain the .crt file.
  3. Use IIS Manager (at the server node) to complete a certificate request. Provide the .crt file and a friendly name that you recognize. Note that .crt files are not displayed by default when browsing for the file.
  4. Use the Exchange Management Console to assign services to your renewed certificate.
And my best recommendation for avoiding this process is to use multi-year certificates. And remember to use the discount codes in the Go Daddy spam messages. Typically you can get about 20% off.
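Steps 3 and 4 done from the Exchange Management Shell instead of IIS Manager and the EMC, as an added example that is not part of the original post. Because the CSR was reused, the .crt has to be imported on the server that holds the matching private key, so the example checks for the private key and the expiry date before assigning services. The file path and the service list are placeholders.

```powershell
# Added example, not from the original post. Path and service list are placeholders.
$crt = "C:\certs\renewed.crt"

# Complete the pending request. The .crt is paired with the private key the
# original CSR was generated against, so run this on that server.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $crt -Encoding Byte -ReadCount 0))

# Sanity checks before anything is assigned: the names you expect, a private key,
# and an expiry date that is actually in the future
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, HasPrivateKey
if (-not $cert.HasPrivateKey) {
    throw "No private key: the .crt does not match a pending request on this server"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate is already expired (NotAfter = $($cert.NotAfter))"
}

# Assign the same services the old certificate carried, then verify.
# -Confirm:$false suppresses the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Confirm:$false
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize
```

Compare the Services column of the old and new thumbprints in the last listing; the old certificate can be removed with Remove-ExchangeCertificate once nothing is assigned to it.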

Sunday, May 26, 2013

Cheap US Roaming for Canadians

I do occasional travel to the US for work and vacations. My biggest annoyance when traveling is the cost of cell phone roaming. It adds up to a ton of money for voice, text, or data (especially data).

I had been considering getting a T-Mobile prepaid account and a separate phone to use just for travelling. They have prepaid service for $3/day. Which is pretty good with unlimited data, voice, and text.

However, I recently learned about a new option that is based in Canada and it seems to work really well. Roam Mobility resells T-Mobile services for use when you are roaming.

Roam Mobility has plans with unlimited voice, unlimited text, and 100MB of data for $4 per day. This is a bit more than T-Mobile, but Roam Mobility has a couple of advantages:
  • You can keep your number for up to a year without using it. T-Mobile expires the prepaid cards after 3 months.
  • Voice to Canada is included. I have not verified, but I believe that outbound T-Mobile to Canada would be long distance.
  • I like the idea of someone specializing in the task we're trying to accomplish. They provide tech support.
You need an unlocked cell phone
To use Roam Mobility, you need a cell phone that is unlocked. Most are locked by the vendor (your friendly telco) because they don't want you to switch networks. There are a bunch of places online that will provide a code to unlock your cell phone for $10-15. If you are more adventurous, there are a lot of hits on Google about how to unlock your particular model of phone for free.

I haven't played much with unlocking phones, but my wife won an HTC Desire from Telus somehow that we've never used with phone service. It has been our "not-a-phone" with Wifi for the last couple of years. So, armed with Google, optimism, and a phone I didn't really care about, I set off and unlocked the phone. I did it for fun. Everyone else should probably just kick out the $10 and be done with it.

To test the unlocked phone, we took a SIM card from an MTS Blackberry and put it in the phone. The phone came up and connected to the MTS network. Sweet.

You need to get a SIM card
Next up was purchasing the SIM card from Roam Mobility. In Winnipeg, the only vendor at this time is London Drugs in St. Vital Mall. The first day we went, they were sold out but let us know there would be more in a couple of days.

London Drugs sold the SIM card, but didn't provide any service to speak of (like explaining that additional setup may be required). So, I'd be happy to recommend to anyone that they purchase online instead of from a local retailer.

After purchasing the SIM card for $20, we inserted it into the phone, but there was no way to tell if it was working because we were not anywhere near the T-Mobile network.

You need to do additional configuration of your phone for data
My wife was the first to travel with the phone and was surprised that, when she arrived in the US, the voice and text functionality was working, but not the data. We were both pretty confused by this, but like the older and wiser technical geek that I am, I recommended calling Roam Mobility tech support (611 from your phone, or 1-888-762-6487) instead of me trying to figure it out. The younger version of me would have spent a week researching it instead.

It turns out that in order to connect to data, you need to perform some additional configuration steps:
  1. Enable data roaming
  2. Add the APN (Access Point Name) for Roam Mobility ("roam")
After performing these steps with tech support the data on the phone was good to go.

Some info about this configuration:

You will save a ton of money
Standard rates from Rogers are: $1.45/min, $.75/text, and $8 per 50MB of data in 24 hours. You can get Travel Packs that lessen the pain, but they are still expensive. For example, the cheapest data plan that can be used for up to 1 month is $80 for 50 minutes, 50 outbound texts, and 50MB of data. Some people would use that in a day.

Traveling to the US for 5 days cost us $20 for the SIM card and $20 for unlimited voice, unlimited texts, and 500 MB of data. The only hassle is unlocking the phone. In the future, it will be just the $4/day.

Thursday, May 16, 2013

Exchange 2013 Management Pack - RELEASED!

Microsoft is on a roll this week. Not only do we now have the role requirements calculator for Exchange 2013, but now we have the management pack for Exchange 2013. For many larger organizations that use System Center Operations Manager, this was a critical component before considering the deployment of Exchange 2013.

Wednesday, May 15, 2013

Exchange 2013 Hybrid Configuration Wizard Fails

Several weeks ago I was working on a project where we were implementing a hybrid environment with Office 365 by using Exchange 2013 as the hybrid servers for an existing Exchange 2010 environment. Adding Exchange 2013 went pretty smoothly overall and I thought the hybrid wizard would be the easy part.

When we ran the hybrid configuration wizard and selected the certificate, we got the following error:

The length of the property is too long
What a delightfully vague response. Well, after several days working with Office 365 tech support, the client was able to identify that the subject in the certificate was too long. The certificate was perfectly valid, but the hybrid configuration wizard was unable to handle the subject length.

The client had obtained an extended validation certificate that included a lot of additional information in the subject such as a long organization ID. After replacing the extended validation certificate with a standard certificate it completed without any problems.

Exchange 2013 Role Requirements Calculator - RELEASED!

At long last, the Exchange 2013 Role Requirements Calculator has been released. Any Exchange 2013 deployments up to this point have been based on educated guesses. Now we have official guidance from Microsoft.

Sunday, April 28, 2013

Activate Exchange 2010 for SBS 2011

When you install SBS 2011, the Exchange Server 2010 installation should be activated automatically. However, in some cases, it might not be. Typical situations where Exchange 2010 is not activated automatically include:
  • Manual removal and installation of Exchange Server 2010
  • Active Directory communication problems during installation
There is no license key provided for Exchange Server 2010 in SBS 2011. Instead, you need to download a hotfix from Microsoft to activate Exchange Server 2010. The hotfix is available here:

Wednesday, April 17, 2013

Error Installing Dirsync with FullSQL Option

Normally when you install Dirsync for account synchronization with Office 365, you let it install and configure a local instance of SQL Express. However, in large environments (over 50,000 accounts or so), you need to use a full version of SQL Server to support a larger database and more memory.

To install Dirsync for a full version of SQL Server, you need to use the following command line to install:
dirsync /fullsql
After following the wizard to install Dirsync to the correct location, you still need to do some configuration. You specify the location of the SQL Server by using the Dirsync Install Shell. You start this PowerShell prompt by running C:\Program Files\Microsoft Online Directory Sync\DirsyncInstallShell.psc1. Then for a local SQL instance, you run:
Install-OnlineCoexistenceTool -UseSQLServer -Verbose

When you run the psc1 file from Windows Explorer, it does not open with administrative privileges even if the account you are using is an administrator. You need to run the install shell as Administrator or you will get an error like the following:
Install-OnlineCoexistenceTool : Local Administrator permissions are required to install the Windows Azure Active Directory Sync tool. Supplied credentials are not valid domain\username.
When you right-click DirsyncInstallShell.psc1, you do not get the option to Run as administrator. Instead, open a normal PowerShell prompt as administrator and the run DirsyncInstallShell.psc1 manually from within the prompt. This provides the necessary elevated privileges to complete the configuration.

Detailed steps for installing Dirsync are here:
Note that the detailed steps in the link above imply that you will be prompted for service credentials for Dirsync. In our installation, that was not the case: a local user account was created automatically and used for the service account because it was a local instance of SQL and network communication is not required between SQL and Dirsync. You will be prompted when using a remote instance of SQL and the -ServiceCredential parameter, because network communication requires an Active Directory account.
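The elevated-prompt workaround from above as a script, added here as an example that is not part of the original post. It refuses to continue unless the current PowerShell prompt is elevated (double-clicking the .psc1 never is), then loads DirsyncInstallShell.psc1 into that elevated session with the -PSConsoleFile switch and runs the local-SQL configuration. The path is the one given above; the -SqlServer and -SqlServerInstance names in the commented remote-SQL variant are assumptions to verify against your DirSync version (-UseSQLServer and -ServiceCredential are the parameters named in the post).

```powershell
# Added example, not from the original post.
$psc1 = "C:\Program Files\Microsoft Online Directory Sync\DirsyncInstallShell.psc1"

# The install shell only works from an elevated prompt; check before wasting time
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Not elevated: start PowerShell with 'Run as administrator' and run this again"
}
if (-not (Test-Path $psc1)) { throw "Console file not found: $psc1" }

# Same as opening the .psc1 from Explorer, but inside this elevated session.
# Local SQL instance: no service credential prompt (a local account is created).
powershell.exe -NoExit -PSConsoleFile $psc1 -Command "Install-OnlineCoexistenceTool -UseSQLServer -Verbose"

# Remote SQL instance: DirSync reaches SQL over the network, so the service needs
# a domain account. -SqlServer / -SqlServerInstance are assumed parameter names.
# powershell.exe -NoExit -PSConsoleFile $psc1 -Command "Install-OnlineCoexistenceTool -UseSQLServer -SqlServer SQL01 -SqlServerInstance MSSQLSERVER -ServiceCredential (Get-Credential) -Verbose"
```

The "Local Administrator permissions are required" error quoted above is exactly what the elevation check is there to avoid; the credential prompt in the remote variant is the one the linked steps describe.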

Saturday, March 30, 2013

Paging File Error in Hyper-V Virtual Machine

I'm experimenting with Hyperoo Backup software for Hyper-V virtual machines at some clients. Hyperoo analyzes the virtual disk files and sends changes to a backup copy. I rather like it so far.

To minimize the changes inside the VM disks, I've be moving the paging file to a separate virtual disk. We can then exclude this disk from the backup process.

On one VM (and only one) we got the following error:
Windows created a temporary paging file on your computer because of a problem that occurred with your paging file configuration when you started your computer. The total paging file size for all disk drives may be somewhat larger than the size you specified.
It turns out that on this particular virtual machine, we needed a total of four virtual disks. This combined with the virtual DVD drive meant that we needed to use SCSI disks in the VM. In a Hyper-V VM, you cannot place the paging file on a virtual hard drive on the virtual SCSI bus. The virtual SCSI bus is not available early enough in the boot process.

So, in this case, the easy fix was to move the paging drive to be an IDE disk and all was good.

Microsoft has a knowledge base article to this effect:

Wednesday, March 13, 2013

Cached Credentials for a Mac using AD

When you have a laptop computer, you want to be able to use the same logon credentials when you are in the office as when you are on the road. With a Windows-based laptop, this is accomplished by cached credentials. The cached credentials on a Windows computer are automatically created the first time you log on. A network administrator can disable this, but it is enabled by default.

On a Mac that logs on using AD credentials, you can get similar functionality by enabling the option "Create mobile account at login" in the Directory Utility that you use to configure AD connectivity for the Mac. When this option is enabled, the local mobile account is created the first time the user logs on by using AD credentials.

Many times, no one thinks of this option until after the user has already logged on. In such a case, you need to log on as root and manually create the mobile account by using createmobileaccount. It is located in /System/Library/CoreServices/ManagedClient.app/Contents/Resources/. Note that a password supplied with -p, as in the command below, ends up in the shell history.
createmobileaccount -n Bob -p Pa$$w0rd
A couple of links with additional info:

Tuesday, March 12, 2013

New Tool for Analyzing Outlook Configuration

Microsoft has recently released the Microsoft Office Configuration Analyzer Tool. This tool scans the configuration of locally installed Microsoft Office components, including Outlook, to identify potential issues. This can be useful for technicians troubleshooting Outlook-related problems for users.

You can download the tool here:

If you run the tool only for Outlook, it takes 2-3 minutes to run and then provides a report. I was surprised to see that my installation of Outlook has a few issues that need to be investigated. Apparently 60,000 deleted items is considered a potential issue.

Wednesday, March 6, 2013

TurboTax 2012 Won't Run

When attempting to run TurboTax 2012, the application would close with no error message. When the application started, it identified the application as untrusted, but that is normal for this application and just means that Intuit for some reason was too cheap to digitally sign their application. After looking in the Application log, I found this:
Event 1000, Application Error
Faulting application path: C:\Program Files (x86)\TurboTax 2012\tt2012.exe
Faulting module path: C:\Program Files (x86)\Intel\iCLS Client\LIBEAY32.dll
It seemed odd to me that TurboTax was using a DLL from another folder. It turns out that LIBEAY32.dll is a generic DLL used for cryptography and can come with several products. The iCLS Client is separate software from Intel that has nothing to do with TurboTax.

So, I made a guess that TurboTax installed its own version of LIBEAY32.dll in an alternate location and that it's using the wrong one. My fix was to rename the LIBEAY32.dll in the iCLS Client folder to LIBEAY32.dll.old. After this was completed, TurboTax started without any issues (well, it still complained about missing a digital signature, but the application worked now).
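Before renaming a DLL that another product owns, it helps to see every copy an application could load. The following is an added example, not part of the original post: it looks for LIBEAY32.dll in the application folder and in each directory on PATH (the places a loader falls back to after the application's own folder) and reports the file version, the vendor and the Authenticode signature status of each copy, which is usually enough to tell which one the crash came from. The DLL name and application folder are taken from the event log entries above; everything else is assumed.

```powershell
# Added example, not from the original post. Folder and DLL name come from the
# event log entries above; the function works for any DLL name.
function Get-DllCandidates {
    param(
        [string]$DllName = "LIBEAY32.dll",
        [string]$AppDir  = "C:\Program Files (x86)\TurboTax 2012"
    )
    # Approximation of the loader's search order: the application folder first,
    # then the directories on PATH
    $dirs = @($AppDir) + ($env:Path -split ';' | Where-Object { $_ })
    foreach ($d in $dirs) {
        $p = Join-Path $d $DllName
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            $sig  = Get-AuthenticodeSignature -FilePath $p
            [pscustomobject]@{
                Path      = $p
                Version   = $item.VersionInfo.FileVersion
                Company   = $item.VersionInfo.CompanyName
                Signature = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

Get-DllCandidates | Format-Table -AutoSize
```

Two copies with different versions and different signers, with the wrong one sitting on PATH, is the pattern that matches the crash described above; the same listing also shows whether the copy you plan to rename is signed by its vendor, which is worth knowing before you move it out of the way.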

Unable to Install FileOpen Client

One of the staff at a client is taking a course that uses the FileOpen client for DRM on PDF documents that are distributed as part of the course. Unfortunately, he was having issues installing the FileOpen client on his computer. It was Windows 7 Pro 64-bit and he has full Administrative permissions on the local computer. He had even tried disabling user account control with no success.

The error during installation was:
Service 'FileOpen Manager Service' (FileOpenManagerService) could not be installed. Verify that you have sufficient privileges to install system services.

Support at FileOpen responded very quickly with the following:
Please run this program: http://plugin.fileopen.com/tools/FileOpenUninstallTool.exe
Then install via this program: http://plugin.fileopen.com/new/current/FileOpenInstaller.exe

This resolved the problem and FileOpen installed with no issues.