-
After the 2nd install of SP2 for W2k3 and after installing all the prereqs for DPM on my W2k3 SP2 VM I had had enough of it not installing.
After a quick read it seems you can't have DPM on a machine that is a DC.... Doh
-
Strange one this (as my posts tend to be)! Two nodes of a cluster, both newly built. Both W2k3 SP2 and E2k3 SP2.
Clients were getting "Error: Access is Denied" in the browser. We tried this locally and we saw that this was happening on the back end directly as well.
We followed the article on this to find out whether permissions on exchweb etc were correct. They were.
It was then found that the w3core.dll file had not updated correctly along with other IIS files with the application of SP2.
Checking the version number of the two files on the respective nodes showed this conclusively.
-
Interesting one this, and sounds odd initially but upon some further reading is an issue that is known around the iPhone.
http://discussions.apple.com/thread.jspa?messageID=6689175
It seems over IMAP the iPhone (perhaps through iTunes?) pulls down the entire PF hierarchy.
The workaround to this is that you can uncheck the option to "Include all public folders when a folder list is requested" on the IMAP virtual server under protocols in ESM.
-
So, you go to change a setting in a policy on a machine, but it's greyed out. This is essentially because it is being pushed down from some other policy, be it Domain, OU, site etc. You will also note the icon is different for that element of the policy.
To get a better clue as to where this has come from we can use a couple of tools:
We can enable further logging by creating the key USERENVDEBUGLEVEL and setting it to 10002 hex under HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
Then we run gpupdate /target:computer or /target:user depending on what you're looking at.
Then in %windir%\debug\usermode we have a collection of files, userenv being a very useful one, where we have a fairly step by step guide as to what policies have been considered and what have been applied.
Using other files we can also see what elements of a policy have been pushed down in what policies, it gets quite granular.
If it's anything but obvious at this stage as to where this setting is coming from, it's time to log a CSS call for deeper digging, as it can get very intricate!
-
Usually an Exchange man, but currently working to expand cross platform knowledge, I came across this....
When the motherboard of a DC is replaced (in a simple power down, swap, power up scenario, i.e. no backups/restores of AD) we can hit an issue where AD replication to replication partners is stopped.
After some digging this turned out to be down to the system time when the replaced motherboard DC came back up: it put the machine outside the TSL (tombstone lifetime), and thus all replication partners stopped speaking to the DC, despite the system time being changed back to correct.
In repadmin we see something like:
==== INBOUND NEIGHBORS ======================================
DC=domain,DC=com
Default-First-Site-Name\DC1 via RPC
DC object GUID: DCguid
Last attempt @ 2008-12-08 12:43:33 failed, result -2146893022 (0x80090322):
The target principal name is incorrect.
4278 consecutive failure(s).
Last success @ 2008-12-03 11:31:47.
To get around this we:
1) Verify that the time between the domain controller which had the motherboard replaced and the rest of the domain is in synch.
2) Add the registry key below to direct replica partners of the domain controller which had the motherboard replacement (be sure to set the value to 0 and restart that DC once the issue is resolved) then restart that domain controller for the value to take effect:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner
DWORD value of 1
Then restart DC.
3) Monitor the AD replication with the repadmin /showrepl command. The AD replication for transitive replica partners should take place without the need for the "Allow Replication With Divergent and Corrupt Partner" registry value once AD replication for those that have that value succeeds.
4) When this is set up and replication appears to be running again, we can go back to the DC and disable this registry key (set to 0) and then restart again.
5) Monitor replication again.
Really, if we suspect that this sort of issue is occurring then it should be a case of making a call to MS CSS to help establish that this is the issue, and not going in with a sledgehammer to crack a nut, as it could be a number of other issues. Interesting issue though....
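A triage helper for the repadmin output shown in this post, added here as an example and not part of the original post: it parses the inbound-neighbor blocks, lists partners with consecutive failures, and compares the gap since the last successful replication with the tombstone lifetime. The function name Get-FailedReplNeighbor and the 60-day default for -TombstoneDays are assumptions; the sample input is the excerpt quoted above, placeholders included.

```powershell
# Sample input: the repadmin excerpt quoted in the post (placeholders left as posted).
$sample = @'
==== INBOUND NEIGHBORS ======================================
DC=domain,DC=com
    Default-First-Site-Name\DC1 via RPC
        DC object GUID: DCguid
        Last attempt @ 2008-12-08 12:43:33 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        4278 consecutive failure(s).
        Last success @ 2008-12-03 11:31:47.
'@ -split "`r?`n"

function Get-FailedReplNeighbor {
    param(
        [string[]]$Lines,
        # Assumption: tombstone lifetime in days; use the value configured in your forest.
        [int]$TombstoneDays = 60
    )
    $fmt = 'yyyy-MM-dd HH:mm:ss'
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $all = @(); $nc = $null; $cur = $null; $wantMessage = $false

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # The line after a failed "Last attempt" carries the error text.
        if ($wantMessage) { $cur.Message = $line; $wantMessage = $false; continue }
        switch -Regex ($line) {
            '^(DC|CN)=' { $nc = $line; break }              # naming context header
            '^(\S+\\\S+) via RPC$' {                        # Site\Server starts a new neighbor
                $cur = @{ NamingContext = $nc; Partner = $Matches[1]; Failures = 0 }
                $all += $cur; break
            }
            '^Last attempt @ (.{19}) failed, result -?\d+ \((0x[0-9a-fA-F]+)\):$' {
                $cur.LastAttempt = [datetime]::ParseExact($Matches[1], $fmt, $inv)
                $cur.Result = $Matches[2]; $wantMessage = $true; break
            }
            '^(\d+) consecutive failure' { $cur.Failures = [int]$Matches[1]; break }
            '^Last success @ (.{19})\.$' {                  # "(never)" does not match and stays $null
                $cur.LastSuccess = [datetime]::ParseExact($Matches[1], $fmt, $inv); break
            }
        }
    }
    foreach ($n in $all) {
        if ($n.Failures -eq 0) { continue }
        # Gap between the last good sync and the latest failed attempt; $null means never synced.
        $days = $null
        if ($n.LastSuccess) { $days = [math]::Round(($n.LastAttempt - $n.LastSuccess).TotalDays, 1) }
        $n.DaysSinceSuccess = $days
        $n.PastTombstone = ($null -ne $days) -and ($days -ge $TombstoneDays)
        New-Object psobject -Property $n |
            Select-Object NamingContext, Partner, Result, Message, Failures, DaysSinceSuccess, PastTombstone
    }
}

Get-FailedReplNeighbor -Lines $sample | Format-List
```

To use it on live output, pass the lines returned by repadmin /showrepl instead of $sample.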
-
I've seen a couple of cases now where Non paged pool memory is leaking and causing HTTP resources to fail, machines to become unresponsive - the usual high NPP fun!
When looking at a poolmon of tags over time we see that the MPIO tag is leaking, this is the case with version 1.21 of MPIO when on a cluster. This is installed by default with PowerPath 5.2.
The current workaround is to downgrade to PowerPath 5.1 to fall back to a known good version of MPIO.sys
Unofficial word on the street is that PowerPath 5.2 SP1 may be available around mid December.
<Update>
5.2 SP1 of PowerPath is now available. So far it looks like we don't have the same issues with this build.
<Update>
It looks like there may still be some issues around 5.2 SP1 (MPIO.sys v 1.22). So for the moment reverting back to something like 1.18 of MPIO.sys under the advice of the vendor would perhaps be a good idea... this is under investigation.
-
Okay, not strictly Exchange but interesting none the less.
FSMO roles (Flexible Single Master Operations), there are 5, three of which are domain wide and 2 are forest wide... Here they are:
- Schema Operations Master. There is a single schema operations master role for the entire enterprise. This role allows the operations master server to accept schema updates. There are other restrictions on schema updates.
- Relative ID Master. There is one relative ID master per domain. Each domain controller in a domain has the ability to create security principals. Each security principal is assigned a relative ID. Each domain controller is allocated a small set of relative IDs out of a domain-wide relative ID pool. The relative ID master role allows the domain controller to allocate new subpools out of the domain-wide relative ID pool.
- Domain-Naming Master. There is a single domain-naming master role for the entire enterprise. The domain-naming master role allows the owner to define new cross-reference objects representing domains in the Partitions container.
- PDC Operations Master. There is one primary domain controller (PDC) operations master role per domain. The owner of the PDC operations master role identifies which domain controller in a domain performs Windows NT 4.0 PDC activities in support of Windows NT 4.0 backup domain controllers and clients using earlier versions of Windows.
- Infrastructure Master. There is one infrastructure master role per domain. The owner of this role ensures the referential integrity of objects with attributes that contain distinguished names of other objects that might exist in other domains. Because Active Directory allows objects to be moved or renamed, the infrastructure master periodically checks for object modifications and maintains the referential integrity of these objects.
-
Okay, so this isn't going to work, however the error could perhaps be a bit more verbose as to why and how to fix this.
The script runs a get-mailboxdatabase, it then tries to add the new user to the last one of these returned. If you have an RSG this will be returned last, and thus fail.
In my case I removed the (unused) RSG then reran the script, and off we go, it worked!
-
So, you are either using or are testing with self signed certificates. It seems there are a plethora of places to find out about how to do this, and a lot of them offer conflicting information. So here is a method that has worked for me!
- On the CAS etc server you are on use the management shell to create the certificate request:
new-exchangecertificate -generaterequest -includeautodiscover -friendlyname NewCert -domainname casbox.mydomain.com,casbox,mail.mydomain.com -privatekeyexportable $true -path c:\newcertreq.req
- Using Internet Explorer on the CAS etc box go to http://certservername/certsrv
- Click Request a Certificate and then go to advanced certificate request
- Click Submit a certificate request by using.....
- Open the c:\newcertreq.req in notepad and copy and paste the text into the Base-64 encoded certificate box
- Select Web Server from the drop down list, then click submit
- Click Download the certificate chain (depending on how/where your root certificate is) and save it to a .p7b file
- Then, using the management shell, use the import-exchangecertificate cmdlet as below
import-exchangecertificate -path c:\thep7bfile.p7b | enable-exchangecertificate -services iis,smtp
And that's it!
You can now take a look on the Default web site in IIS and see that this has been added. Please note there can be some strange behaviour when there are multiple unnecessary certificates with the same subject names on the same server trying to do the same thing, so if any mistake is made along the way, get rid of the bad certificates!
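A check for the duplicate-certificate situation mentioned above, added here as an example and not part of the original post: it lists certificates that share a subject, shows which services each one is enabled for, and previews removal of the duplicates that have no service bound. The function name Get-DuplicateExchangeCertificate is hypothetical; the cmdlets are those of the Exchange Management Shell.

```powershell
# Run in the Exchange Management Shell on the server the certificate was imported to.
function Get-DuplicateExchangeCertificate {
    # Keep only subjects held by more than one certificate, newest expiry first.
    # A duplicate with no service enabled (Services = None) is the cleanup candidate.
    Get-ExchangeCertificate |
        Group-Object Subject |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group | Sort-Object NotAfter -Descending } |
        Select-Object Subject, Thumbprint, NotAfter, IsSelfSigned,
            @{ Name = 'Services'; Expression = { "$($_.Services)" } },
            @{ Name = 'Domains';  Expression = { $_.CertificateDomains -join ', ' } },
            @{ Name = 'Unbound';  Expression = { "$($_.Services)" -eq 'None' } }
}

$dupes = Get-DuplicateExchangeCertificate
$dupes | Format-Table Subject, Thumbprint, NotAfter, Services, Unbound -AutoSize

# Preview removal of the unbound duplicates; drop -WhatIf only after checking the report.
$dupes | Where-Object { $_.Unbound } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -WhatIf }
```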
-
Is your cluster failing over?
Is it the HTTP resource going first? This seems the first resource to fail if NPP goes to a critical level.
Things to check include:
Is the TCPChimney in place (See my other blog post :) http://blogs.technet.com/andym/archive/2008/03/13/exchange-2003-2007-windows-2003-sp2-high-non-paged-pool-memory.aspx )
Check System Pages is set appropriately (BPA will tell you this)
Is HeapDeCommitFreeBlockThreshold set appropriately? (BPA tells you this too)
Are you using the standard VGA driver? If not why not!
Have you upgraded any drivers recently? These could be suspect.
Get a perfmon, establish when it's leaking, is a certain process taking a chunk of memory?
If in doubt we have tools to monitor the tags that take up the PP and nonPP memory, log a case!
-
Last week I was lucky enough to get to go to the Microsoft Technical Readiness preparation in Seattle.
Unfortunately you're not going to find out any top secrets here! However I think it's fair to say there are some really exciting things on the way.
For me it was a great opportunity to not only attend sessions that were related to the product I deal with day in day out (Exchange) but to get some learnings in areas that are newer to me.
I spent some time attending sessions on Mobility, something that does definitely interest me and this is definitely an area we should all be excited about!
Additionally to the technical events in the day was the chance to do some "networking" where I met some people I only usually communicate with over email. There was also a gaming night (excellent chance to show off my Halo 3 skills (or lack thereof!)) and a party where we could again meet others in the company.
Great event and looking forward to seeing the new technologies get to RTM stage. It is, as ever, an exciting time for technology (I believe there will never be an unexciting time!). If you get the chance to attend either TechReady or TechEd do grab that chance!
-
Hi,
This is a very odd one, what makes it more frustrating is it's a tough one to narrow down when it's working and when it's not.
We have seen a small handful of cases on this (ever) where when accessing OWA (even on the back end server itself) you can logon fine, you can open some mails but not others. With some narrowing down it is those that have colons (these :) in the subject line of the mail.
This seems to be fixed by:
In IIS the Exchange directory / Properties /Virtual directory /Configurations/
davex.dll
Edit unchecked the option "Verify that file exists".
* Restarted IIS, tested with the test mail with special characters, able to access and able to forward that mail.
A very odd one but hope that helps someone!!
-
How do I know if my application of RU has worked?
Why hasn't my build number updated in EMC/EMS/AD/anywhere?
So many questions...
As with previous versions of Exchange the build number in the consoles/AD etc is only updated on a Service Pack, and not on an interim rollup. This saves any confusion regarding why certain build numbers don't equate exactly to the rollup number.
So the next question is how do I tell the build number then/how do I know if it worked?
Add/Remove Programs will show the presence of the interim rollups for Exchange 2007. The other essential check is the setup logs, please do take a look over these after an update install. If nothing else scroll to the bottom of the file to ensure it all looks clean. This is your best bet on ensuring the install went well, that and there were no errors on install!
-
We have seen a few cases where since applying SP1 for Exchange 2007 9874s have appeared in the event logs, there is a fix for this in Rollup 1 for Exchange 2007 SP1. However we are still seeing a few of these after RU1 is applied. This is currently under investigation, any updates on this I will update here accordingly.
-
I have seen a few issues along the lines of having a PF store on a CCR cluster for Exchange 2007; this has, in the times I have seen it, resulted in some pain.
A search on the Internet proves there is some confusion on this: whether it's supported, why stores aren't mounting, does CCR and PF replication work together?
The best practice I have found on this is as below: (taken from http://technet.microsoft.com/en-us/library/bb123996(EXCHG.80).aspx )
Cluster Continuous Replication and Public Folder Databases
CCR and public folder replication are two very different forms of replication built into Exchange. Due to interoperability limitations between continuous replication and public folder replication, if more than one Mailbox server in the Exchange organization has a public folder database, public folder replication is enabled and public folder databases should not be hosted in CCR environments.
The following are the recommended configurations for using public folder databases and CCR in your Exchange organization:
- If you have a single Mailbox server in your Exchange organization and that Mailbox server is a clustered mailbox server in a CCR environment, the Mailbox server can host a public folder database. In this configuration, there is a single public folder database in the Exchange organization. Thus, public folder replication is disabled. In this scenario, public folder database redundancy is achieved using CCR; CCR maintains two copies of your public folder database.
- If you have multiple Mailbox servers you can host a public folder database in a CCR environment provided that there is only one public folder database in the entire Exchange organization. In this scenario, public folder database redundancy is also achieved by using CCR. In this configuration, there is a single public folder database in the Exchange organization. Thus, public folder replication is disabled.
- If you are migrating public folder data into a CCR environment, you can use public folder replication to move the contents of a public folder database from a stand-alone Mailbox server or a clustered mailbox server in an SCC to a clustered mailbox server in a CCR environment. After you create the public folder database in a CCR environment, the additional public folder databases should only be present until your public folder data has fully replicated to the CCR environment. When replication has completed successfully, all public folder databases outside of the CCR environment should be removed, and you should not host any other public folder databases in the Exchange organization.
- If you are migrating public folder data out of a CCR environment, you can use public folder replication to move the contents of a public folder database from a clustered mailbox server in a CCR environment to a stand-alone Mailbox server or a clustered mailbox server in an SCC. After you create the additional public folder database outside of the CCR environment, the public folder database in the CCR environment should only be present until your public folder data has fully replicated to the additional public folder databases. When replication has completed successfully, all public folder databases inside of all CCR environments should be removed and all subsequent public folder databases should not be hosted in storage groups that are enabled for continuous replication.
During any period where more than one public folder database exists in the Exchange organization and one or more public folder databases are hosted in a CCR environment (such as the migration scenarios described previously), consider the differences in behavior for scheduled (Lossless) and unscheduled (lossy) outages:
- If a successful scheduled Lossless outage occurs, the public folder database will come online and public folder replication should continue as expected.
- If an unscheduled outage occurs, the public folder database will not come online until the original server is available and all logs for the storage group hosting the public folder database are available. If any data is lost as a result of the outage, CCR will not allow the public folder database to come online when public folder replication is enabled. In this event, the original node must be brought online to ensure no data loss, or the public folder database must be re-created on the clustered mailbox server in the CCR environment and its content must be recovered using public folder replication from public folder databases that are outside the CCR environment.