• Shortcuts : 'n' next unread feed - 'p' previous unread feed • Styles : 1 2

» Publishers, Monetize your RSS feeds with FeedShow:  More infos  (Show/Hide Ads)


Date: Wednesday, 30 Jul 2014 05:37

 

If you are looking into installing Certificate authority with widows 2012 server follow the simple steps listed in this article. Steps are pretty similar to windows 2008 CA installation

Step#1

Open Server Manager , Manage and Add Roles and Features

clip_image001[4]

Step#2

clip_image002[4]

Step#3

clip_image003[4]

Step#4

clip_image004[4]

Step#5

clip_image005[4]

Step#6

clip_image006[4]

Step#7

clip_image007[4]

Step#8

clip_image008[4]

Step#9

clip_image009[4]

Step#10

clip_image010[4]

Step#11

clip_image011[4]

Step#12

clip_image012[4]

Step#13

clip_image013[4]

Step#14

clip_image014[4]

Step#15

clip_image015[4]

Step#16

clip_image016[4]

Step#17

clip_image017[4]

Step#18

clip_image018[4]

Step#19

clip_image019[4]

Step#20

clip_image020[4]

Step#21

clip_image021[4]

Step#22

clip_image022[4]

Step#23

clip_image023[4]

Step#24

clip_image024[4]

Step#25

clip_image025[4]

Step#26

clip_image026[4]

Step#27

clip_image027[4]

Step#28

Open IIS

clip_image028[4]

Step#30

clip_image029[4]

Step#31

clip_image030[4]

Step#32

clip_image031[4]

Step#33

clip_image032[4]

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 23 Jul 2014 07:57

Here are some handy RBAC cmdlets to help you build your own custom Role Groups, role assignments etc. When you design RBAC Groups , you need to pay attention to your name convention to make sure , Groups, role assignments etc. makes sense, each Role Group created will be located on Microsoft Exchange Security Groups on the root of the forest/Domain , adding members to these security groups also possible using active directors users snap in, so you need to have plan to secure these groups. it might be good idea to tick the box “protect object from accidental deletion” for these groups.

image

image

image

#List all Management Roles

Get-ManagementRole

clip_image001

#List all role entries within given Management Role

Get-ManagementRoleEntry "View-Only Recipients\*"

clip_image002

Note: as you have noticed, all these cmdlet's , user can run if the user is assigned to a Role Group = Assigned Role = ManagementRoleEntry

Here is simple snapshot to digest the relationship

clip_image003

image

image

#Create new Role from existing Parent Role

New-ManagementRole "HelpDesk Permissions" -Parent "View-Only Recipients"

clip_image004

#Remove all Role Entries , except selected one

Get-ManagementRoleEntry “HelpDesk Permissions\*” | Where {$_.name -ne “Get-User”} | Remove-ManagementRoleEntry -Confirm:$False

image

#Locate managementRole

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image006

#Add additional CMDLET if needed to management Role

Add-ManagementRoleEntry “HelpDesk Permissions\Get-MailboxPermission”

clip_image007

#Locate ManagementRole to verify desired cmdlet is assigned to it

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image008

#Create New Role Group

New-RoleGroup "HelpDesk 1.5"

clip_image009

#Add Role assignment to Role Group

New-ManagementRoleAssignment -SecurityGroup "HelpDesk 1.5" -Role "HelpDesk Permissions"

clip_image010

#add member to Role Group

Add-RoleGroupMember “HelpDesk 1.5” –Member C-Ron.Buzon

clip_image011

#locate members

Get-ManagementRoleEntry “HelpDesk Permissions\*”

clip_image012

#remove Members from desired Role Group

Remove-RoleGroupMember “HelpDesk 1.5” –Member C-Ron.Buzon

clip_image013

# Find desired user, List all the Roles

Get-ManagementRoleAssignment -GetEffectiveUsers | ?{$_.EffectiveUserName -eq “Administrator”} | select Role

clip_image014

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Tuesday, 15 Jul 2014 14:57

We would like to utilize RBAC Role model and create custom RBAC Role for specific needs for a business. These needs could be different from one environment to another. This article will be good reference for you to get your customization. Having said that, first thing to understand is the RBAC Layers.

There are 6 Layers which make up the Role Group Model

  • Role group member
  • Management role group
  • Management role assignment
  • Management role scope
  • Management role
  • Management role entries

clip_image001[4]

Goal:

  1. Create Custom Role Group
  2. Create Custom RBAC Role Entry with desired cmdlet's
  3. Add Custom Role entry to Role
  4. Add role to Custom Role Group
  5. Add Members to Custom Role Group

In this example we will use following template

image

Note: You can build your own management Role , and modify management role entries same way in this article. The process is pretty straight forward.

Task#1

Figure out all role entry contains set-mailbox (set-mailbox is one of the cmdlet we have as our requirement)

Get-ManagementRoleEntry *\Set-Mailbox

clip_image002[4]

 

Task#2

Create the management role with related parent Role

New-ManagementRole -Name “Assign Mailbox Access” -Parent “Mail Recipients”

clip_image003[4]

Task#3

Get-ManagementRoleEntry "Assign Mailbox Access\*"

Verify all cmdlet assign to newly created management role, as you can see we have many cmdlet we don’t want, therefore we will need to remove most of them and only keep what we need.

clip_image004[4]

Task#4

Remove what you don’t need

Get-ManagementRoleEntry “Assign Mailbox Access\*” | Where {$_.name -ne “Add-MailboxPermission”} | Remove-ManagementRoleEntry -Confirm:$False

clip_image005[4]

Task#5

Verify the Role entry , minimum cmdlet is assigned.

clip_image006[4]

Task#6

Add additional cmdlet

  • Add-ManagementRoleEntry "Assign Mailbox Access\get-mailbox"
  • Add-ManagementRoleEntry "Assign Mailbox Access\get-mailboxPermission"
  • Add-ManagementRoleEntry "Assign Mailbox Access\remove-mailboxPermission"
  • Add-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"

clip_image007[4]

Task#7

Add remove any role entries if desired

Verify one more time to make sure we have all we wanted. If required continue to add by using same one liner cmdlet

Add-ManagementRoleEntry "Assign Mailbox Access\set-mailbox" ---------------> you can replace set-mailbox

If you need to remove use

Remove-ManagementRoleEntry "Assign Mailbox Access\set-mailbox"

clip_image008[4]

Task#8

Create new Role Group

New-RoleGroup “Audit Team”

clip_image009[4]

Task#9

Let's put them together

New-ManagementRoleAssignment -SecurityGroup "Audit Team" -Role "Assign Mailbox Access"

clip_image010[4]

Task#10

Add-RoleGroupMember “Audit Team” –Member C-Ron.Buzon

clip_image011[4]

We are done lets look at this from ECP

clip_image012[4]

clip_image013[4]

Now if c-ron.Buzon logs in, he will only get the cmdlets assigned to him via RBAC Role. As you can see RBAC permissions model is very efficient and effective. When creating Roles, group and Role entries, you may want to think about unifying name convention and plan this out before start implementing it into production environment.

TechNet:

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 09 Jul 2014 13:56

We will recovery accidently deleted user account via PS in windows 2012 domain environment. To prepare the scenario we will fist delete the user and recovery it.

Log onto  Windows 2012 DC with administrator privileges.Open PS with administrator privileges

Type following.

Get-ADUser -Filter 'Name -like "*C-Ron Buzon"'

image

image

We will delete the user

Get-ADUser -Filter 'Name -like "*C-Ron Buzon"' | Remove-ADUser -Confirm:$false

image

user has been deleted

image

we can see user within the Deleted Objects container in ADAC

image

Get-ADobject -Filter 'Name -like "*C-Ron*"' -IncludeDeletedObjects

image

we will restore this user

Get-ADobject -Filter 'Name -like "*C-Ron*"' -IncludeDeletedObjects | Restore-ADObject

image

if I check to see user is back to ADDS

image

image

Read more

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

 

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 09 Jul 2014 13:53

 

Task: Introducing first Windows 2012 domain controller into Existing Forest /Domain. As you already  notices with Windows 2012 , promoting server to be additional domain controller is changed a lot. There is no more DCpromo instead we use GUI or PowerShell to get the work done.

High Level Steps :

  • Install Windows 2012 Server
  • Configure , Server name, IP address
  • Add Server into existing domain as member server ( preferred )
  • Use PS to promote the server to be additional domain controller and modify the DCpromo.ps1 Script

Step# 1

First task is to add the windows 2012 server into existing domain. Adding server into existing domain  before promoting to be domain controller is a good old habit ,  which allows A record to be created  within the existing DNS Forward lookup  zone and helps also ensures correct DNS settings has been configured.

Log into Server

Open PowerShell and type following command.

Install-WindowsFeature -Name Ad-Domain-Services | Install-WindowsFeature

clip_image001

Step# 2

Now copy and paste the , below PowerShell command into notepad , and save it as DCpromo.ps1 ( we use this name to honor DCPromo we have used ages (-:   , you can name it anything you like.

image

You will need to change  “-DomainName "ZtekZone.com"  and if you like any additional customization , such as changing the defaults , SYSLOG, DatabasePath, LogPath etc.

Download the script from here

Run PS Command against pre-defied PS Script

#Installing Domain Controller

Write-Host "................................"

Write-Host "Please modify pre defined Script "

Write-Host "To Make sure it fits into your Environment"

Write-Host "................................"

Import-Module ADDSDeployment

Install-ADDSDomainController `

-NoGlobalCatalog:$false `

-CreateDnsDelegation:$false `

-CriticalReplicationOnly:$false `

# Change the DatabasePath if desired

-DatabasePath "C:\Windows\NTDS" `

# Change the Domain name if desired

-DomainName "ZtekZone.com"

-InstallDns:$true `

# Change the LogPath if desired

-LogPath "C:\Windows\NTDS" `

-NoRebootOnCompletion:$false `

# Change the AD Site Name if necessary

-SiteName "Default-First-Site-Name" `

# Change the SYSVOL if necessary.

-SysvolPath "C:\Windows\SYSVOL" `

-Force:$true

Now after modifying the script save it onto server into temp Directory

image

From PowerShell Run it

clip_image002

clip_image003

clip_image004

After server reboot if we open Site and Services we will see the additional domain controller

clip_image005

Now couple additional Configuration we will perform on the new domain controller

Add-WindowsFeature RSAT-AD-PowerShell, RSAT-AD-AdminCenter

clip_image006

Now you can open ADAC from GUI

clip_image007

Or you can open it from PowerShell

clip_image008

clip_image009

You can also open Site and Services

dssite.msc

clip_image010

You can open ADUC

Dsa.msc

clip_image011

More to read… AD Team

http://blogs.technet.com/b/askpfeplat/archive/2012/09/06/introducing-the-first-windows-server-2012-domain-controller-part-2-of-2.aspx

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 09 Jul 2014 13:50

 

Task: Introducing first Windows 2012 domain controller into Existing Forest /Domain. As you already  notices with Windows 2012 , promoting server to be additional domain controller is changed a lot. There is no more DCpromo instead we use GUI or PowerShell to get the work done.

High Level Steps :

  • Install Windows 2012 Server
  • Configure , Server name, IP address
  • Add Server into existing domain as member server ( preferred )
  • Use PS to promote the server to be additional domain controller and modify the DCpromo.ps1 Script

Step# 1

First task is to add the windows 2012 server into existing domain. Adding server into existing domain  before promoting to be domain controller is a good old habit ,  which allows A record to be created  within the existing DNS Forward lookup  zone and helps also ensures correct DNS settings has been configured.

Log into Server

Open PowerShell and type following command.

Install-WindowsFeature -Name Ad-Domain-Services | Install-WindowsFeature

clip_image001

Step# 2

Now copy and paste the , below PowerShell command into notepad , and save it as DCpromo.ps1 ( we use this name to honor DCPromo we have used ages (-:   , you can name it anything you like.

image

You will need to change  “-DomainName "ZtekZone.com"  and if you like any additional customization , such as changing the defaults , SYSLOG, DatabasePath, LogPath etc.

Download the script from here

Run PS Command against pre-defied PS Script

#Installing Domain Controller

Write-Host "................................"

Write-Host "Please modify pre defined Script "

Write-Host "To Make sure it fits into your Environment"

Write-Host "................................"

Import-Module ADDSDeployment

Install-ADDSDomainController `

-NoGlobalCatalog:$false `

-CreateDnsDelegation:$false `

-CriticalReplicationOnly:$false `

# Change the DatabasePath if desired

-DatabasePath "C:\Windows\NTDS" `

# Change the Domain name if desired

-DomainName "ZtekZone.com"

-InstallDns:$true `

# Change the LogPath if desired

-LogPath "C:\Windows\NTDS" `

-NoRebootOnCompletion:$false `

# Change the AD Site Name if necessary

-SiteName "Default-First-Site-Name" `

# Change the SYSVOL if necessary.

-SysvolPath "C:\Windows\SYSVOL" `

-Force:$true

Now after modifying the script save it onto server into temp Directory

image

From PowerShell Run it

clip_image002

clip_image003

clip_image004

After server reboot if we open Site and Services we will see the additional domain controller

clip_image005

Now couple additional Configuration we will perform on the new domain controller

Add-WindowsFeature RSAT-AD-PowerShell, RSAT-AD-AdminCenter

clip_image006

Now you can open ADAC from GUI

clip_image007

Or you can open it from PowerShell

clip_image008

clip_image009

You can also open Site and Services

dssite.msc

clip_image010

You can open ADUC

Dsa.msc

clip_image011

More to read… AD Team

http://blogs.technet.com/b/askpfeplat/archive/2012/09/06/introducing-the-first-windows-server-2012-domain-controller-part-2-of-2.aspx

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 09 Jul 2014 13:42

 

After finishing window 2012 server install , and logging into server all we get is  plain command prompt. If you are tasked to promote this newly installed  Core Server to be the additional domain controller you can use Sconfig to get the mission accomplish.

Type “Sconfig” and hit enter

image

image

Now first thing we will do is to rename the server

Option # 1

image

 

image

we will say no to this one for now, we will set the IP Address

Option # 8

image

Type the index number shown on the menu for the adapter you wish to configure

image

Option # 1

and select Static ( S )

image

as you can see the new configured IP is showing up next to 169.254.1.121

Now we need to take care of  DNS IP Addresses

Option # 2

image

image

image

Option # 4 return the Main Menu

image

Enable RDP Option # 7

image

and now I am going to re-start the server

image

After I login I made sure I can ping my existing DC/GC/DNS Server

image

Firing up SConfig one more time to add the server into existing domain as member server

image

image

Now server is part of the domain and ready to be promoted as additional domain controller

I make sure to log back into domain

image

Now lets fire-up PowerShell

image

image

Fire-up Sconfig  one more time to make sure I have the correct, desired configuration settings.

image

 

Install-WindowsFeature -Name Ad-Domain-Services | Install-WindowsFeature

image

Type notepad.exe on the PS and hit enter

image

Copy and paste below code into notepad.

Core.ps1 ( You need to change the desired filed in the PS script , such as domain name

I have used “-DomainName "ZtekZone.com" change this to suit to your scenario. Once you are done, on the notepad click file and save as , and save the file on the C:\temp directory as “CoreDeploy.ps1”

image 

You can download the script from here

image

 

#Installing Domain Controller

Write-Host "................................"

Write-Host "Please modify pre defined Script "

Write-Host "To Make sure it fits into your Environment"

Write-Host "................................"

Import-Module ADDSDeployment

Install-ADDSDomainController `

-NoGlobalCatalog:$false `

-CreateDnsDelegation:$false `

-CriticalReplicationOnly:$false `

# Change the DatabasePath if desired

-DatabasePath "C:\Windows\NTDS" `

# Change the Domain name if desired

-DomainName "ZtekZone.com"

-InstallDns:$true `

# Change the LogPath if desired

-LogPath "C:\Windows\NTDS" `

-NoRebootOnCompletion:$false `

# Change the AD Site Name if necessary

-SiteName "Default-First-Site-Name" `

# Change the SYSVOL if necessary.

-SysvolPath "C:\Windows\SYSVOL" `

-Force:$true

Now within the PS , change the directory to C:\temp directory

image

 

Type “CoreDeploy.ps1”

image

 

image

ZtekZone.com ( is the domain name in my case)

image

image

After server reboots , you need to make sure replication is working etc.

here is AD site and services with the newly promoted server

image

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 09 Jul 2014 04:27

 

MS has large e-book offerings , click here to get them

 

image

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 11 Jun 2014 05:14

There are times specific IP address explicitly needs to be added into Active Directory site and services to ensure the application or the servers is talking to specific domain controllers for certain task such as authentication, Global catalog selection etc. Very recent ExRAP program I have worked , indicated some of the Exchange servers were talking to domain controllers out of its own AD SITE. As you may already know Exchange servers will select DC/GC from their own AD Site and if they cannot reach them out they will try to communicate other available domain controller ( DC/GC) the magic lays down on how TCP/IP settings configured on the client as well as AD Site and services , subnets.

In this example we will add Exchange server IP Addresses is  10.10.10.121 /24

On  the domain controller we will open Site and Services snap in

DSSite.msc 

image

Click Subnets , new subnet , type the IP address and Subnet mask and select the corresponding ( desired)  AD Site.Once finish you can make right click on Site and make sure the IP address is added on the properties.

 

image

image

 

By doing this simple task, we made sure the very specific IP address and its subnet mask is added to AD Site we choose.

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 28 May 2014 05:12

Exchange Server 2013 Cumulative Update 5 has been released kb2936880 has list of improvements and fixes CU5 contains. Don’t forget to test the latest CU and RU updates before applying them to production servers.

image

List of Issues CU5 has fixed and improved are,

This update resolves the issues that are described in the following Microsoft Knowledge Base (KB) articles:
  • 2963590 Message routing latency if IPv6 is enabled in Exchange Server 2013

  • 2963566 Outlook Web App accessibility improvement for UI appearance in Exchange Server 2013

  • 2962439 You cannot sync contacts or tasks in Microsoft CRM client for Outlook in an Exchange Server 2013 environment

  • 2962435 CRM synchronization fails if the time zone name of a meeting is not set in an Exchange Server 2013 environment

  • 2962434 Slow performance in Outlook Web App when Lync is integrated with Exchange Server 2013

  • 2958430 "Some or all Identity references could not be translated" error when you manage DAG in Exchange Server 2013 SP1 in a disjoint namespace domain

  • 2957592 IME is disabled in Outlook Web App when you press Tab to move the focus in an email message in Exchange Server 2013

  • 2942609 Exchange ActiveSync proxy does not work from Exchange Server 2013 to Exchange Server 2007

  • 2941221 EWS integration for Lync works incorrectly in an Exchange Server 2013 and 2007 coexistence environment

  • 2926742 Plain-text message body is cleared when writing in Outlook Web App by using Internet Explorer 8 in Exchange Server 2013

  • 2926308 Sender's email address is broken after importing a PST file into an Exchange Server 2013 mailbox

  • 2925559 Users always get the FBA page when they access OWA or ECP in Exchange Server 2013

  • 2924519 "SyncHealth\Hub" folder is created unexpectedly after installing Cumulative Update 2 for Exchange Server 2013

  • 2916113 Cannot open .tif files from email messages by using Windows-based applications in an Exchange Server 2013 environment

  • 2592398 Email messages in the Sent Items folder have the same PR_INTERNET_MESSAGE_ID property in an Exchange Server 2010 environment

Exchange Server and Update Rollups Build Numbers

http://social.technet.microsoft.com/wiki/contents/articles/240.exchange-server-and-update-rollups-build-numbers.aspx

 

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Tuesday, 20 May 2014 21:02

 

If  you are in the middle of migration and you have started to run into issues moving mailboxes, you might have seen MB move fails when it gets to 95 percent with above error. First thing to look at is the move logs to determine the root cause of the problem. From my experience the issues related to a corrupted item within the user mailbox. ( see details of the MB move report)

The top ones to look

  • Corrupted or empty outlook rules
  • Corrupted Calendar Items
  • Corrupted item in the deleted item folders

Easy way to deal with all these issues before you start messing with MFCMAPI is

  • Backup User mailbox to PST File
  • Assign yourself Full mailbox permissions
  • Delete everything ( send items , deleted items, all rules, all contacts etc.
  • Perform MB move
  • Import PST
  • Remove full MB permissions

Working with MFCMAPI

You need to assign Full mailbox permissions to yourself for mailbox the problem mailbox

clip_image001

Setup an Outlook profile with the mailbox that has the problem, logon with your credentials.

Picture (Device Independent Bitmap) 3

  1. Open MFCMAPI,
  2. click Session
  3. Logon
  4. Pick the outlook profile you like to load into MFCMAPI

In our case this the problem user is "Aki.Armstrong" we will log into her mailbox

  1. Right click on Problem  mailbox
  2. Choose Open store
  3. Expand the tree, and find the problem folder listed in the MB Move log file
  4. Locate the folder listed in the logs.

Example: Folder: '/Top of Information Store/Inbox/USers's Emails/Inbox', entryId [len=46, data=000000001026823AF4CCDA45936168C4A4275CE001008 )

  1. Right click on the folder and choose Other tables... and then Rules table...
    Delete the corrupted Item ( rule etc.)
  2. Right click on the folder and choose Other tables... and then Rules table...
  3. Delete the corrupted rule.
  4. Go back to the Exchange Management Console and resume the move-request.

 

Picture (Device Independent Bitmap) 4

Picture (Device Independent Bitmap) 5

Picture (Device Independent Bitmap) 7

Picture (Device Independent Bitmap) 6

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 26 Mar 2014 14:01

Back pressure is a resource monitoring feature with Exchange servers which build into Transport service. ( Mailbox Servers ) The idea is to have Exchange Server detect the issues and take necessary action so the messaging servers wont be completely un available.

There are 4 event ID associated with correlating events and actions messaging server would perform.

Figuring out such event can be very usefully when back pressure becomes the issue.

# Explain event descriptions
Write-Host "--------------------------                              ------------------------------"
Write-Host "Event ID 15004 = Resource pressure increased" -Fore Cyan
Write-Host "Event ID 15005 = Resource pressure decreased" -Fore Cyan
Write-Host "Event ID 15006 = Low available disk space" -Fore Yellow
Write-Host "Event ID 15007 = Low available memory" -Fore Yellow
Write-Host "---------------------------                                  ------------------------"

image

To automate the process we have developed PS script. You can download from TechNet scripting library.

image

Special thanks to Benjamin Bohn for taking his time and turning my simple script into great resource script.

Stay tuned until next time.

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Saturday, 22 Mar 2014 17:31

We will migrate DHCP Service from windows 2003 DC onto Windows 2008 R2 DC. Just follow the simple steps to get the work done

Environment :

  • Source Server  windows 2003 ( DC,GC) DHCP Installed here server name is = Server
  • Destination Server Windows 2008 R2 ( DC,GC) = We will migrate DHCP Service and all related configurations here
  • Log into Source Server where DHCP is installed
  • Click Start Open Cmd.exe

Netsh dhcp server export c:\temp\dhcp.txt

Make sure temp directory exist if not create one on the C drive….

image

Now log into Target Server

  • Click start
  • In the search type
  • ServerManager.msc
  • Hit enter
  • Click Add Roles

image

image

image

image

image

image

image

image

image

image

image

image

image

image

  • Now you need the file we have created earlier to import into this server
  • I am going to connect the first server and get the file we have created which does have all existing settings for the DHCP server

image

image

I am going to copy the dhcp.txt file onto server1 onto temp directory

Click Start

Type Cmd.exe and hit enter

type following and hit enter

Netsh dhcp server import c:\temp\dhcp.txt

 

image

Now open back to DHCP management

If you refresh all your existed settings are now in this new DHCP Scope

image

Last thing we need to do is to go back and un-install DHCP services from source server, running DHCP from two servers will same scope will be ugly (-:

Log back onto first server

image

image

image

image

image

image

Well done you have completed DHCP migration

Stay tuned until next time.

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 19 Mar 2014 15:05

FSMO roles always been one of the most hot topics of every interview I have ever been. Even for Exchange Server interviews. Knowing the FSMO roles makes your job easy and understanding Active Directory for sure keeps your place in Exchange world safer.

If you need refresher for the FSMO Just take a look at this question. Considering having single FOREST if you have 12 domains, how many FSMO roles in total exist ? Id your answer is not 38 then you need the refresher (-: and here id nice summary Why do We Need FSMO Roles

You can quickly Fire up CMD and type

NetDom Query FSMO

image

Or you can open PowerShell

$Domain = Get-ADDomain | select -ExpandProperty Name

image

Get-ADDomain $Domain | fl PDCEmulator,RIDMaster,InfrastructureMaster

image

Or here is the simple script can show you the FSMO roles for your Domain Name Space

http://gallery.technet.microsoft.com/scriptcenter/Find-FSMO-Roles-6950d3c7

image

Stay tuned until next time.

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Monday, 10 Mar 2014 08:37

 

Installing Exchange 2013 SP1, receiving error “The Windows component RSAT-Clustering-CmdInterface isn't installed on this computer and needs to be installed before”

image

On the problem server open PowerShell with administrator privileges and use following PS command

Install-WindowsFeature RSAT-Clustering-CmdInterface



image


image


Verify ….





Get-WindowsFeature | where-object {$_.Installed -eq $True} | fl name,*RSAT*

 


image


image


image


Stay tuned until next time.


Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Send by mail Print  Save  Delicious 
Date: Wednesday, 05 Mar 2014 05:25

When you want your Tier2 to have ability to manage distribution Groups by adding multiple managers to it, you may receive the error “You don’t have sufficient permissions. This operation can only be performed by a manager of this group.” in Exchange 2010 SMTP organization.

The issue might have been caused by “security group management check” outlined in the following KB

The remedy is to add the helpdesk administrators to the RBAC role group called “Role Management” so that they can populate the distribution group with multiple managers.

The error “A positional parameter cannot be found that accepts argument '-BypassSecurityGroupManagerCheck'” is simply generated because of insufficient rights: Exchange RBAC only exposes a cmdlet parameter to users whose role entries include it, so for an under-privileged administrator the parameter does not exist at all.

Set-DistributionGroup "CTOS" -ManagedBy brian@ZtekZone.gov,Sam@ZtekZone.gov


Log into ECP with org administrator privileges

https://mail.ztekzone.com/ECP

Open Administrator Roles, select “Role Management” and assign it to your helpdesk administrators.

What the Role Management role allows:

This role enables administrators to manage management role groups, role assignment policies and management roles, and role entries, assignments and scopes in an organization. Users assigned this role can override the role group's ManagedBy property, configure any role group, and add or remove members to or from any role group.

After the change has been made you should no longer receive the error.
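Added example, not from the original post: the same change done from the Exchange Management Shell, followed by the check a practitioner should run afterwards. Because Role Management lets its holders change the membership of any role group (as the description above says), the membership of the role group itself is worth auditing against the approved helpdesk list. The helpdesk account names are assumed; the group CTOS and the manager addresses are the post's own.

```powershell
# Added example (not from the original post): grant Role Management to the Tier 2
# helpdesk, set multiple managers on a group, then audit who holds the role.
# Helpdesk accounts are assumed; "CTOS" and the manager addresses come from the post.
$RoleGroup = "Role Management"
$Helpdesk  = @("helpdesk1@ZtekZone.gov", "helpdesk2@ZtekZone.gov")   # assumed accounts

# 1. Add the helpdesk administrators to the role group (run as an org administrator).
foreach ($user in $Helpdesk) {
    Add-RoleGroupMember -Identity $RoleGroup -Member $user -Confirm:$false
}

# 2. Once a helpdesk user opens a new EMS session the parameter is exposed to them:
#    the security-group-manager check is skipped and several managers can be set.
Set-DistributionGroup -Identity "CTOS" `
    -ManagedBy "brian@ZtekZone.gov", "Sam@ZtekZone.gov" `
    -BypassSecurityGroupManagerCheck

# 3. Verify the group now lists both managers.
(Get-DistributionGroup -Identity "CTOS").ManagedBy

# 4. Role Management lets a holder change any role group's membership, so review
#    its members regularly and compare them with the approved helpdesk list.
function Get-UnexpectedRoleGroupMembers {
    param([string]$RoleGroup, [string[]]$Approved)
    Get-RoleGroupMember -Identity $RoleGroup |
        Where-Object { $Approved -notcontains $_.PrimarySmtpAddress.ToString() } |
        Select-Object Name, PrimarySmtpAddress
}
# Anything returned here is a member nobody signed off on.
Get-UnexpectedRoleGroupMembers -RoleGroup $RoleGroup -Approved $Helpdesk
```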

Stay tuned until next time.

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Date: Tuesday, 04 Mar 2014 14:14

Exchange 2013 SP1 has been released with several improvements to the product. The new features are listed in the release notes, which can be found here.

If you are running a production environment it is critical that you are !!!aware of these changes!!! and of the issues found with the SP1 release. As you can clearly tell, without proper planning and preparation the SP1 upgrade can turn into a !!!disaster!!!, which all of us must avoid.

Some of the highlights for SP1…

1. Mail flow stops after Exchange 2013 SP1 is installed

  • Reboot the server after upgrade
  • (Microsoft Exchange Frontend Transport)

2. Mailbox size increases when migrating from previous Exchange versions

  • To prevent users from exceeding their mailbox size quotas, increase the database or mailbox quota
  • The reported mailbox size may increase by 30 percent to 40 percent
  • Disk space used by the mailbox database has not increased
  • Only the attribution of space used by each mailbox has increased

3. You must adjust the user quotas to prevent interruption

4. Installing Exchange 2013 in an existing Exchange organization may cause all clients to download the OAB 

  • This could result in network saturation and server performance issues especially on large enterprise platforms

5. MAPI over HTTP may experience poor performance when you upgrade to Exchange 2013 SP1

  • Clients that connect to an Exchange 2013 SP1 server using the protocol may experience poor performance.

From CAS servers (elevated command prompt; ExchangeLocation below is the default install path, adjust it if Exchange is installed elsewhere)

  • set AppCmdLocation=%windir%\System32\inetsrv
  • set ExchangeLocation=%ProgramFiles%\Microsoft\Exchange Server\V15
  • %AppCmdLocation%\appcmd.exe SET AppPool "MSExchangeMapiFrontEndAppPool" /CLRConfigFile:"%ExchangeLocation%\bin\MSExchangeMapiFrontEndAppPool_CLRConfig.config"
  • %AppCmdLocation%\appcmd.exe RECYCLE AppPool "MSExchangeMapiFrontEndAppPool"

From MBX servers (elevated command prompt)

  • set AppCmdLocation=%windir%\System32\inetsrv
  • set ExchangeLocation=%ProgramFiles%\Microsoft\Exchange Server\V15
  • %AppCmdLocation%\appcmd.exe SET AppPool "MSExchangeMapiMailboxAppPool" /CLRConfigFile:"%ExchangeLocation%\bin\MSExchangeMapiMailboxAppPool_CLRConfig.config"
  • %AppCmdLocation%\appcmd.exe RECYCLE AppPool "MSExchangeMapiMailboxAppPool"
  • %AppCmdLocation%\appcmd.exe SET AppPool "MSExchangeMapiAddressBookAppPool" /CLRConfigFile:"%ExchangeLocation%\bin\MSExchangeMapiAddressBookAppPool_CLRConfig.config"
  • %AppCmdLocation%\appcmd.exe RECYCLE AppPool "MSExchangeMapiAddressBookAppPool"
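Added example, not from the original post or from Microsoft: the same appcmd commands driven from PowerShell so that one script can run on either role, selecting the pools from the roles installed on the server and refusing to repoint a pool at a CLR config file that does not exist. It assumes the default install path and that it is run in an elevated Exchange Management Shell.

```powershell
# Added example, not from the original post: apply the SP1 MAPI/HTTP app-pool
# CLR config fix, picking the pools by installed server role and checking that
# each config file exists before touching the pool.
$AppCmd       = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
$ExchangeRoot = Join-Path $env:ProgramFiles "Microsoft\Exchange Server\V15"   # assumed default path

# Pool names come from the post; which ones apply depends on the server's roles.
$server = Get-ExchangeServer -Identity $env:COMPUTERNAME
$pools  = @()
if ($server.IsClientAccessServer) { $pools += "MSExchangeMapiFrontEndAppPool" }
if ($server.IsMailboxServer)      { $pools += "MSExchangeMapiMailboxAppPool", "MSExchangeMapiAddressBookAppPool" }

function Set-MapiPoolClrConfig {
    param([string]$Pool)
    $config = Join-Path $ExchangeRoot "bin\$($Pool)_CLRConfig.config"
    # SP1 ships the config file; pointing a pool at a missing file would leave it
    # broken, so skip rather than apply a path that does not exist.
    if (-not (Test-Path $config)) {
        Write-Warning "$Pool : config file not found at $config, skipping"
        return $false
    }
    & $AppCmd SET AppPool $Pool "/CLRConfigFile:$config" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$Pool : appcmd SET failed with exit code $LASTEXITCODE"
        return $false
    }
    & $AppCmd RECYCLE AppPool $Pool | Out-Null
    return ($LASTEXITCODE -eq 0)
}

foreach ($pool in $pools) {
    "{0,-36} applied={1}" -f $pool, (Set-MapiPoolClrConfig -Pool $pool)
}
```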


MapiHttp (codename Alchemy)

  • Microsoft designed the MapiHttp protocol to replace the existing RPC over HTTP protocol. MapiHttp is a new communication protocol between Outlook and Exchange 2013 SP1.
  • The gain is obvious: taking RPC out of the picture improves the end-user messaging experience. As you can tell, this will have a big positive impact on the Office 365 cloud scenario and on users' Outlook experience.

MapiHttp protocol

  • Provides faster reconnection times after a communications break, because only the TCP connection needs to be rebuilt, unlike RPC
  • Offers a session context that is not dependent on the connection

Read more

To enable MapiHttp, run the following:

Set-OrganizationConfig -MapiHttpEnabled $true

Read more about some other really cool features on Scott's blog:

Windows Server 2012 R2 and Database Availability Groups

Channel 9

Joseph Warren…

Exchange 2013 and MapiHttp

Scott Schnoll

Microsoft Exchange Server 2013 Tips & Tricks

Stay tuned until next time.

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Date: Monday, 10 Feb 2014 21:25

If you see X400 addresses in the mailbox properties you probably went through a migration from a legacy version of Exchange Server.

X.400 addresses were required with Exchange 2003 and earlier, where the address is present in the Default Recipient Policy. Exchange 2007 and 2010 environments with no 2000/2003 servers do not require the X.400 address to function.

If you decide to clean them all up, here is a simple PowerShell snippet that can do the work.

# Strip the X400 proxy address from every mailbox, keeping all other addresses.
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    # Keep everything except the x400 entries (-ne is case-insensitive).
    $addrs = $mbx.EmailAddresses | Where-Object { $_.PrefixString -ne "x400" }
    Set-Mailbox -Identity $mbx.Identity -EmailAddresses $addrs
}

As good practice, test the script in your test environment before using it in production.
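Added example, not from the original post: before running the cleanup, record every X400 address to a CSV so the removal can be reversed, then remove them with -WhatIf support so the run can be rehearsed in production as well. The CSV path is assumed.

```powershell
# Added example, not from the original post: back up each mailbox's X400 proxy
# address to CSV before removing it, so the cleanup can be reversed if needed.
function Export-X400Addresses {
    param([string]$Path = ".\x400-backup.csv")   # assumed output location
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        $mbx.EmailAddresses |
            Where-Object { $_.PrefixString -eq "x400" } |
            ForEach-Object {
                [pscustomobject]@{
                    Identity = $mbx.Identity.ToString()
                    Address  = $_.ProxyAddressString
                }
            }
    } | Export-Csv -Path $Path -NoTypeInformation
}

function Remove-X400Addresses {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $x400 = @($mbx.EmailAddresses | Where-Object { $_.PrefixString -eq "x400" })
        if ($x400.Count -eq 0) { continue }   # nothing to do, avoid a needless write
        if ($PSCmdlet.ShouldProcess($mbx.Identity, "remove $($x400.Count) X400 address(es)")) {
            $keep = $mbx.EmailAddresses | Where-Object { $_.PrefixString -ne "x400" }
            Set-Mailbox -Identity $mbx.Identity -EmailAddresses $keep
        }
    }
}

# Put one mailbox's X400 address back from the backup if a rollback is needed.
function Restore-X400Address {
    param([string]$Identity, [string]$Path = ".\x400-backup.csv")
    $rows = @(Import-Csv $Path | Where-Object { $_.Identity -eq $Identity })
    if ($rows.Count -gt 0) {
        Set-Mailbox -Identity $Identity -EmailAddresses @{ Add = $rows.Address }
    }
}

Export-X400Addresses
Remove-X400Addresses -WhatIf     # dry run first; drop -WhatIf to apply
```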

Stay Tuned….

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Date: Monday, 10 Feb 2014 21:06

You are moving mailboxes from legacy systems to an Exchange 2010 environment and some of your mailboxes fail when they get to 95 percent. You need to troubleshoot the issue.

Steps for troubleshooting:

Before we deep dive into fixing this issue, I need to remind you this could be tedious work, and if you are lucky you only have a handful of users to deal with (-:

The most obvious reason is a corrupted item or items in the source mailbox.

Possible causes:

  • OFF turned on
  • User mailbox contains corrupted Outlook rules (folders moved etc., so the rules no longer work)

How to deal with this:

You have a couple of options to remediate the issue and let the move request finish moving the offending mailbox. The shortest way is to assign yourself Full Access permission to the problem user's mailbox (be careful: if your company policy requires you to go through change control and obtain approval to perform the work, don’t forget to do so).

Problem User Account name: Aki.Armstrong

Administrator needs full permissions: Casey.Dedeal

Add-MailboxPermission Aki.Armstrong -AccessRights FullAccess -User Casey.Dedeal


Let’s take a look to see if we can verify that Casey.Dedeal has been granted Full Access with the previous one-liner.

Get-MailboxPermission aki.armstrong | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false -and $_.Deny -eq $false} | Select User

Or we could simply do this:

$Permission = Get-MailboxPermission aki.armstrong


Pipe this into the same filter:

$Permission |  where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false -and $_.Deny -eq $false} | Select User


Great. Now, from Casey.Dedeal's Outlook, we will need to configure an Outlook profile for Aki.Armstrong.

Click Start

Open Control Panel, locate the Mail icon and double-click it

Click Show Profiles and switch Outlook to “Prompt for a profile to be used”

Click Add

Enter Aki.Armstrong (you need to adjust this to fit your scenario)

As you can see, Autodiscover knows Casey.Dedeal is logged in; I need to change the e-mail address here to the user I am configuring the Outlook profile for.

When I hit Next, Exchange settings confirmed that the account Casey.Dedeal already has Full Mailbox permissions, therefore it allowed me to get to the last page.

I click Finish here. Now I can open Outlook and pick the Aki.Armstrong Outlook profile.

Now we are logged into Aki.Armstrong's mailbox; the e-mail which is corrupted in this case is here.

*** Now is a good time to back up the user's data; you can simply use Outlook ***

We will attempt to delete this e-mail by using MFCMAPI.

Download MFCMAPI if you have not done so yet; there are 32-bit and 64-bit versions, pick the one that matches your environment (the MFCMAPI bitness must match the installed Outlook's bitness).

  • Open MFCMAPI
  • Click Session
  • Click Logon

After selecting the profile, click OK and then Open Store.

Now click Root Container to expand it, go down to Top of Information Store, locate the mailbox, then locate the folder the e-mail was under.

We will right-click and delete this folder.

*** Be careful: as good practice, always make sure you have a backup before you start deleting *** You never know whether you will need to go back; that being said, it would be a good idea to have at least a PST export for this user before we delete data from Outlook.

Now click Delete and select the option you like.

If you don't select hard deletion you can still recover the deleted items.

Exit twice to close MFCMAPI.

Now, opening Outlook, you can verify that the corrupted folder and its content are gone.

You will use the same technique for each corrupted item, which is the painful part of it. The mailbox move request will give you an idea of what is corrupted; you will need to take that information and locate the item within MFCMAPI to get rid of it.

If you think all this is too much work, wait, there is another trick you can do; simply:

Click File

Open & Export

Import/Export

Export to a file

Choose PST and click Next

Note the location of the PST backup file and name it if you like.

This is the default location:

C:\Users\UserName\Documents\Outlook Files\backup.pst

Once you are done, delete everything!

  1. E-mails
  2. All contacts
  3. All rules
  4. All deleted items
  5. All sent items
  6. All draft e-mails

Once you are done, resume the mailbox move; you will see it complete.

Now it is time to put everything back.

File, Open & Export, Import/Export

All good, everything is back; you have successfully migrated your mailbox and taken care of the corruption. Thanks to MFCMAPI (-:

Don’t forget to remove your Full Access permission:

Remove-MailboxPermission Aki.Armstrong -AccessRights FullAccess -User Casey.Dedeal

and verify (-: so that you have no worries when Security comes knocking at your door.
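Added example, not from the original post: scripting the two things this procedure relies on, reading the bad-item information out of the failed move request, and granting Full Access only for the duration of the repair with a check that it is really gone afterwards. How the move report renders its text is assumed; the account names are the post's samples.

```powershell
# Added example, not from the original post: read the bad-item information out of
# the failed move request, then hold Full Access only for the duration of the repair.
# Accounts are the post's samples; the layout of the move report text is assumed.
$ProblemUser = "Aki.Armstrong"
$Admin       = "Casey.Dedeal"

# 1. The move report names what the Mailbox Replication service could not copy;
#    those are the items to look for in MFCMAPI.
function Get-MoveBadItemSummary {
    param([string]$Identity)
    $stats = Get-MoveRequestStatistics -Identity $Identity -IncludeReport
    [pscustomobject]@{
        Status              = $stats.Status
        PercentComplete     = $stats.PercentComplete
        BadItemsEncountered = $stats.BadItemsEncountered
        BadItemLines        = @(($stats.Report | Out-String) -split "`r?`n" |
                                Where-Object { $_ -match 'bad item|corrupt' })
    }
}

# 2. Same filter as the post: explicit, non-inherited, non-deny Full Access only.
function Test-ExplicitFullAccess {
    param([string]$Mailbox, [string]$User)
    $entry = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { $_.User.ToString() -like "*\$User" -and -not $_.IsInherited -and
                       -not $_.Deny -and $_.AccessRights -contains "FullAccess" }
    return [bool]$entry
}

function Grant-TemporaryFullAccess {
    param([string]$Mailbox, [string]$User)
    Add-MailboxPermission -Identity $Mailbox -AccessRights FullAccess -User $User | Out-Null
    return (Test-ExplicitFullAccess -Mailbox $Mailbox -User $User)
}

function Revoke-TemporaryFullAccess {
    param([string]$Mailbox, [string]$User)
    Remove-MailboxPermission -Identity $Mailbox -AccessRights FullAccess -User $User -Confirm:$false
    # $true only when no explicit Full Access entry is left behind.
    return -not (Test-ExplicitFullAccess -Mailbox $Mailbox -User $User)
}

Get-MoveBadItemSummary -Identity $ProblemUser
Grant-TemporaryFullAccess  -Mailbox $ProblemUser -User $Admin   # ... repair with MFCMAPI ...
Revoke-TemporaryFullAccess -Mailbox $ProblemUser -User $Admin
```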

Stay Tuned….

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"
Date: Sunday, 09 Feb 2014 20:29

The Exchange 2010 OOF option for external audiences is enabled out of the box. In many organizations, allowing OOF for external use is governed by company security policy (an external auto-reply tells outside senders that the user is away). In large environments, disabling OOF requires bulk changes and a process to make sure newly created accounts have OOF External set to “InternalOnly”, meaning these accounts won't have the external OOF option. You may also allow or disallow this option according to your needs. In this article we will touch on each scenario, give you tips, and show you how to deal with OOF settings for mail-enabled users.

You will see the options under “Automatic Replies”.

Let's take a look at the same settings from PowerShell.

ExternalOofOptions : InternalOnly  (  External OOF option is set to “InternalONLY” )

ExternalOofOptions : External ( External OOF option is set to “External” )


Now let's start disabling OOF. The following procedure outlines how to enable and disable the OOF External option for a single mailbox.

Procedure:

  1. Log in to Exchange 2010 server or use your management computer with proper privileges
  2. Click Start
  3. All Programs
  4. Microsoft Exchange Server 2010
  5. Exchange Management Shell

Enabling the OOF External option for a single user:

set-mailbox casey.dedeal -ExternalOofOptions "External"

Disabling the OOF External option for a single user:

set-mailbox casey.dedeal -ExternalOofOptions "InternalOnly"


Disable OOF External for everyone:

get-mailbox -ResultSize Unlimited | set-mailbox -ExternalOofOptions "InternalOnly" -Confirm:$False

How do you turn off the OOF External option in a large environment and only allow certain people?

If this is the scenario, one good way to handle the request is to come up with a process.

Procedure:

1. Come up with a user-creation SOP (Standard Operating Procedure) and include disabling OOF External in every user creation.

2. Create an Active Directory group, for instance a Universal Security group called “OOF-Allowed-External-Recipients”.

3. Add the exception members to the group.

In the second article I will post an OOF script which will disable the OOF External option for everyone and enable it only for members of the allowed group in AD.
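Added example, not the author's forthcoming script: one way to implement steps 1 to 3 above as a repeatable policy run, setting every mailbox to InternalOnly unless its owner is a (nested) member of the allowed AD group, with -WhatIf for a dry run and a change list for the SOP record. Run on a schedule it also covers newly created accounts, which default to External. The log path is assumed; it needs the ActiveDirectory module alongside the Exchange Management Shell.

```powershell
# Added example, not the author's script: enforce the external OOF policy from AD
# group membership. Members of the allowed group keep "External"; everyone else is
# set to "InternalOnly". The group name is the one from the post.
Import-Module ActiveDirectory   # for Get-ADGroupMember; run inside the Exchange Management Shell

function Set-ExternalOofPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$AllowedGroup = "OOF-Allowed-External-Recipients")

    # Resolve nested membership once; compare on SamAccountName, which both
    # AD principals and Exchange mailbox objects expose.
    $allowed = @(Get-ADGroupMember -Identity $AllowedGroup -Recursive |
                 Where-Object { $_.objectClass -eq "user" } |
                 ForEach-Object { $_.SamAccountName })

    $changes = @()
    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $current = $mbx.ExternalOofOptions.ToString()
        $desired = if ($allowed -contains $mbx.SamAccountName) { "External" } else { "InternalOnly" }
        if ($current -eq $desired) { continue }   # already compliant, no write needed

        if ($PSCmdlet.ShouldProcess($mbx.Identity, "ExternalOofOptions $current -> $desired")) {
            Set-Mailbox -Identity $mbx.Identity -ExternalOofOptions $desired
        }
        $changes += [pscustomobject]@{
            Mailbox = $mbx.Identity.ToString()
            From    = $current
            To      = $desired
        }
    }
    # The returned list doubles as the change record for the SOP.
    return $changes
}

# Dry run first (lists what would change), then apply and keep the log.
Set-ExternalOofPolicy -WhatIf
Set-ExternalOofPolicy | Export-Csv .\oof-changes.csv -NoTypeInformation   # assumed log path
```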

Stay Tuned

Best regards,
Oz Casey , Dedeal
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Http://smtp25.blogspot.com (Blog)
Http://telnet25.wordpress.com (Blog)

Author: "Oz Casey, Dedeal (noreply@blogger.com)"