Since 2014 is drawing to a close, I thought it would be interesting to see what were the 10 most popular articles on the blog. For reference purposes, the top 10 from 2013 were also included for comparison.
I also wanted to wish everyone a great holiday. Whether you are going skiing, staying home with family or slipping an extra shrimp on the barbie, take the time to enjoy it with your friends and family, and see you in 2015!
For the year 2014 the following were the ten most popular articles on this blog:
And here is the top 10 for 2013:
Comparing the 2014 top 10 posts with those from 2013, we can see that there are certainly a few similarities, though there are also differences. Office 365 adoption has increased dramatically and this is reflected in what people are searching for. This is reflected in what I am posting here too!
On-premises Exchange still commands the lion's share of the traffic in 2014 with the Windows 2012 R2 & Exchange support post remaining rather popular. Autodiscover is always a contested area, and continues to bubble to the top. Exchange 2007/2010 version checking and calculating database whitespace still remain surprisingly active.
In addition to the core Exchange and Office 365 articles there are also posts which were never envisioned as highly desired, yet find themselves in the top 10. Downloading RDCMan and installing the Desktop Experience feature are prime examples.
Maybe next year the RDCMan 2.7 Download post will be in the top 10….
Cheers,
Rhoderick
Purpose of this script is to report on particular performance monitor counters for Outlook RPC Client Access, OWA and Exchange ActiveSync on multiple servers. This was required as during the course of the year there have been a few issues where the third party load balancer device was not really doing equitable load balancing. In some cases 60% of the user load of 50,000 mailboxes was directed onto a single server.
Using the script we can easily see the number of Outlook RPC connections, the number of OWA users and how many ActiveSync requests are issued per second. These are all standard performance monitor counters, the script simply pulls them all into one place.
The script will build a collection of all the Exchange 2010 CA servers in the organisation. If you need to restrict the list to a single site the query can be easily modified. For more PowerShell filtering examples please see this post. This is the line that would require editing if you wished to restrict the collection to a single AD site, or subset of servers:
$ExchangeServers = Get-ExchangeServer | Where-Object {$_.AdminDisplayVersion -match "^Version 14" -and $_.ServerRole -Match "ClientAccess" } | Sort-Object Name
The script has a handy dandy progress bar to show completion status:
And the finished results should look something like the below, except that your numbers will likely not be zero. Mine are zero as this is a lab…
Please download the script from the TechNet Gallery:
Please also provide feedback here or on the TechNet Gallery site!
PS Note to self: Script is clearly lacking as there is no magenta text………..
This is the case of one of those bizarre and very annoying issues to track down. The server in question is one of my lab servers where an automated build was used to create it. It is a Windows 2008 R2 SP1 based server which has TMG 2010 SP2 installed as a reverse proxy. Said server has been a little “squirrely”, and some “interesting” things have happened where a restart would flush the gremlins out. It managed to soldier on and worked.
After the last patch Tuesday I could not get the server to scan for updates. There were a multitude of errors noted by the Windows Update client. The data below is from the WindowsUpdate.log and you can see just how varied the errors are. To keep one of my older friends happy, yes that is you Charles Of the Desert, let’s use findstr to parse the log looking for the specific phrase:
Findstr.exe /i /c:"Warning: exit code =" WindowsUpdate.log
Using Excel, the de-duplicated list of errors was:
WARNING: Exit code = 0x80244023
WARNING: Exit code = 0x80072EE2
WARNING: Exit code = 0x8024D011
WARNING: Exit code = 0x8024001B
WARNING: Exit code = 0x800401FD
WARNING: Exit code = 0x8007000E
WARNING: Exit code = 0xC80003F3
WARNING: Exit code = 0x8024402F
WARNING: Exit code = 0x80080005
The error codes are all over the place so there is no single issue in the WU client that explains all of them. Time to expand the net….
Looking at the event logs there were some items of note:
Interesting, but nothing there screamed at a root cause. Though why is Windows complaining about low resources, and then the Windows Modules Installer terminated due to insufficient resources?
The server in question is a VM with 3GB of RAM installed, and task manager shows plenty of available memory. Yes that is not a perfect check but it’s generally sufficient for a quick peek. So there is enough physical memory installed, but did the automated build set the page file to match the RAM?
<Borat>
Not so much….
</Borat>
For some reason, the automated build had set the server with a single static page file of only 256 MB. If this was an NT4 server and the year was 1999 then that would be good. In the year 2014, it was far less than awesome….
Increasing the page file to match physical RAM immediately corrected the issues and Windows Update then installed all updates!
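The findstr-and-Excel step earlier in this post can be done in one pass in PowerShell. The following is an added example, not part of the original post: it de-duplicates the exit codes and splits each HRESULT into facility and code. The function names and sample log lines are constructed for illustration, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Function names are hypothetical.

function ConvertTo-HResultInfo {
    param(
        [Parameter(Mandatory = $true)][string]$Hex,   # eight hex digits, no 0x prefix
        [int]$Count = 1
    )
    $value    = [Convert]::ToInt64($Hex, 16)
    # Same arithmetic as the HRESULT_FACILITY / HRESULT_CODE macros.
    $facility = ($value -shr 16) -band 0x1FFF
    $code     = $value -band 0xFFFF

    $text = ''
    if ($facility -eq 7) {
        # FACILITY_WIN32: the low word is a plain Win32 error number, so the
        # operating system can supply the message text.
        $text = (New-Object System.ComponentModel.Win32Exception -ArgumentList ([int]$code)).Message
    }

    [pscustomobject]@{
        HResult  = '0x{0}' -f $Hex
        Count    = $Count
        Facility = $facility
        Code     = $code
        Win32    = $text
    }
}

function Get-WuExitCodeSummary {
    param([Parameter(Mandatory = $true)][string[]]$Line)

    # Select-String is case-insensitive by default, like findstr /i.
    $Line |
        Select-String -Pattern 'WARNING: Exit code = 0x([0-9A-F]{8})' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpper() } |
        Group-Object |
        Sort-Object -Property Count -Descending |
        ForEach-Object { ConvertTo-HResultInfo -Hex $_.Name -Count $_.Count }
}

# Constructed sample lines in the shape of WindowsUpdate.log entries.
$sampleLog = @(
    '2014-11-14 09:12:01:101  884 a1c Agent WARNING: Exit code = 0x80244023'
    '2014-11-14 09:14:37:552  884 a1c Agent WARNING: Exit code = 0x8007000E'
    '2014-11-14 09:20:10:008  884 b40 AU    WARNING: Exit code = 0x8007000E'
    '2014-11-14 09:31:55:730  884 b40 Agent WARNING: Exit code = 0x80072EE2'
    '2014-11-14 09:31:56:002  884 b40 Agent Update service properties: none'
)

Get-WuExitCodeSummary -Line $sampleLog | Format-Table -AutoSize

# Against the real log:
# Get-WuExitCodeSummary -Line (Get-Content "$env:windir\WindowsUpdate.log")
```

Of the codes listed in the post, 0x8007000E decodes to facility 7 (Win32), code 14, which is the Win32 out-of-memory error and fits the undersized page file found above.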
Exchange 2013 CU7 has been released to the Microsoft download centre! Exchange 2013 has a different servicing strategy than Exchange 2007/2010 and utilises Cumulative Updates (CUs) rather than the Rollup Updates (RU/UR) which were used previously. CUs are a complete installation of Exchange 2013 and can be used to install a fresh server or to update a previously installed one. Exchange 2013 SP1 was in effect CU4, and CU7 is the third post SP1 release. CU7 contains AD DS schema changes so please test and plan accordingly!
One aspect to note is that CU7 does contain the security fix for the issues described in security bulletin MS14-075. To address these security issues in pre CU7 builds of Exchange 2013, there are separate updates available. While not directly applicable to CU7, it is worth noting should you wish to implement the security fix prior to upgrading to CU7.
Update 10-12-2014: Corrected CU7 security update wording.
CU7 provides support for Public Folder Hierarchies in Exchange Server 2013 which contain 250,000 public folders. Yay!!!! CU7 also resolves backup and restore issues. The Exchange product group recommend upgrading to Exchange 2013 CU7 and then taking a full backup.
Please take the time to review these additional posts:
For those co-existing with Exchange 2007 there were some issues with CU6, that should all be resolved in CU7. For example if you are deploying into a mixed environment with Exchange 2007, you need to review KB2997209 Exchange Server 2013 databases unexpectedly fail over in a co-existence environment with Exchange Server 2007. Customers with Exchange 2007 and 2013 also had to review KB 2997847 You cannot route ActiveSync traffic to Exchange 2007 mailboxes after you upgrade to Exchange 2013 CU6. There were some issues with the post CU6 IU that was released to correct these issues as it did not always copy all the OWA files. CU6 also had an issue which affected Hybrid mailboxes.
This is build 15.00.1044.025 of Exchange 2013 and the update is helpfully named Exchange2013-x64-cu7.exe. Which is a great improvement over the initial CUs that all had the same file name! Details for the release are contained in KB2986485.
3008438 User who is trying to Log on to Exchange Admin Console is logged in to OWA instead
3006672 Move request fails if the IsExcludedFromProvisioning option is true in Exchange Server 2013
3005391 Exchange Server 2013 Cumulative Update 5 breaks free/busy lookup from Exchange Online to Exchange Server 2007
3001217 TLS 1.0 is hardcoded for SMTP traffic encryption in Exchange Server 2013
3003580 Event ID 4999 and 4401 when the Microsoft Exchange Replication service crashes in Exchange Server 2013
3004235 Exchange Server meetings in Russian time zones as well as names of time zones are incorrect after October 26, 2014
3012655 New-MailboxImportRequest causes unreadable characters when you import an ANSI format .pst file of Russian language
3012652 CalendarProcessing cmdlet does not generate delegate permissions to universal security groups in Exchange Server 2013
3009631 Advanced Find against the Sent Items folder in Outlook returns no result in Exchange Server 2013
3009612 Outlook Web App shows organization details on the contact card beyond the scope of user ABP in Exchange Server 2013
3009291 Shared mailbox cannot be opened in Outlook in an Exchange Server 2013 environment that has multiple domains
3008453 Cannot edit or delete forms from the organizational forms library in Exchange Server 2013
3003986 RejectMessageReasonText in transport rule appears in the user section of a DSN in Exchange Server 2013
3001037 Distribution group cannot send email messages to a mail enabled public folder in an Exchange Server 2013 environment
2999031 A cross-forest mailbox move from Exchange Server 2007 to Exchange Server 2013 finishes with CompletedWithWarnings status
2998144 New-MoveRequest cmdlet with RemoteLegacy parameter cannot perform a cross-forest mailbox move
2988553 Add-ADPermission and Remove-ADPermission can be run outside the management scope in Exchange Server 2013
2981538 Exchange Control Panel crashes when you proxy from Exchange 2013 to Exchange 2010
3014051 Cannot migrate mailboxes in a multiple domains environment in Exchange Server 2013
3012986 ContentIndexRetryQueueSize value for a passive node never drops to zero in Exchange Server 2013 Cumulative Update 6
3004011 Sound alerts do not work in Outlook Web App when new email or calendar notification is received in Exchange Server 2013
3003518 "550 5.7.1" NDR when you send messages to external recipients in an Exchange Server 2013 hybrid environment
3003068 Cannot see online archive mailbox after you upgrade to Exchange Server 2013 Cumulative Update 6
3000944 Subfolders under the Deleted Items folder are not visible in Outlook in an Exchange Server 2013 environment
2997847 You cannot route ActiveSync traffic to Exchange 2007 mailboxes after you upgrade to Exchange 2013 CU6
2997355 Exchange Online mailboxes cannot be managed by using EAC after you deploy Exchange Server 2013 CU6
2997209 Exchange Server 2013 databases unexpectedly fail over in a co-existence environment with Exchange Server 2007
2995263 OAB cannot be rebuilt if the .flt file is larger than two GB in Exchange Server 2013
2994216 PublicFolderMoveRequest deletes all read or unread state in target mailbox for each user in Exchange Server 2013
2993871 Resource Booking Assistant crashes after you upgrade to Exchange Server 2013 Cumulative Update 5
2983216 Category setting on an item in Outlook jumps the selection to the top of the list in an Exchange Server 2013 environment
2931223 MAPI virtual directory is missing from Default Web Site node
As with previous CUs, CU7 follows the new servicing paradigm that was previously discussed on the blog. The CU7 package can be used to perform a new installation, or to upgrade an existing Exchange Server 2013 installation to CU7. You do not need to install Cumulative Update 1 or 2 for Exchange Server 2013 when you are installing CU7. Cumulative Updates are, well, cumulative. What else can I say…
After you install this cumulative update package, you cannot uninstall the cumulative update package to revert to an earlier version of Exchange 2013. If you uninstall this cumulative update package, Exchange 2013 is removed from the server.
Note that customised configuration files are overwritten on installation. Make sure you have any changes fully documented!
CU7 contains AD Schema updates – please test and plan accordingly!
What do I mean by that? Well, you need to ensure that you are fully informed about the caveats with the CU and are aware of all of the changes that it will make within your environment. Additionally you will need to test the CU in your lab, which should be representative of your production environment.
The Exchange team today announced the availability of Update Rollup 8 for Exchange Server 2010 Service Pack 3. RU8 is the latest rollup of customer fixes available for Exchange Server 2010. The release contains fixes for customer reported issues and previously released security bulletins. In addition to addressing previous security issues, Exchange 2010 SP3 RU8 also corrects the security issue MS14-075. For Exchange 2010 this is also discussed in Outlook Web App Token Spoofing Vulnerability - CVE-2014-6319.
Update 12-12-2014: Exchange Server 2010 SP3 Update Rollup 8 has been re-released to the Microsoft download centre resolving a regression discovered in the initial release. The updated RU8 package corrects the issue which impacted users connecting to Exchange from Outlook. The issue was isolated to the MAPI RPC layer and was quickly remediated to deliver the updated RU8 package. The updated RU8 v2 package is version number 14.03.0224.002.
Update 10-12-2014: Please see comments at the end of this post with an issue relating to RPC Client Access. There is a TechNet forum where the community is discussing this issue. In the RPC Client Access the forum post notes that the following can be observed: “Log Watson: [IndexOutOfRangeException] Index was outside the bounds of the array”.
Update 10-12-2014: Exchange 2010 SP3 RU8 has been removed from the download centre until the above issue has been resolved.
This is build 14.03.0224.002 of Exchange 2010 (14.03.0224.001 was the initial SP3 RU8 build), and KB2986475 has the full details for the release. The update file name is Exchange2010-KB2986475-x64-en.msp.
Note that this is only for the Service Pack 3 branch of Exchange 2010. Why? Exchange 2010 SP2 exited out of support on the 8th of April 2014 and will no longer receive updates.
3009132 Hybrid mailbox moves to on-premises environment but finishes with CompletedWithWarnings status
3008999 IRM restrictions are applied to incorrectly formatted .docx, .pptx, or .xlsx files in an Exchange Server 2010 environment
3008370 Group members are not sorted by display name when HAB is used with OAB in Exchange Server 2010
3008308 Public folder database migration issue in a mixed Exchange Server environment
3007794 Hub Transport server cannot deliver messages when a database fails over to a cross-site DAG in Exchange Server 2010
3004521 An Exchange server loses its connection to domain controllers if a public folder server is down in Exchange Server 2010
2999016 Unreadable characters when you import ANSI .pst files of Russian language by using the New-MailboxImportRequest cmdlet
2995148 Changing distribution group takes a long time in an Exchange Server 2010 environment
2992692 Retention policy is not applied to Information Rights Management protected voice mail messages in Exchange Server 2010
2987982 Issues caused by ANSI mode in Exchange Server 2010
2987104 Email message is sent by using the "Send As" instead of "Send on Behalf" permission in Exchange Server 2010
2982017 Incorrect voice mail message duration in Exchange Server 2013 and Exchange Server 2010
2977279 You cannot disable journaling for protected voice mail in Exchange Server 2013 and Exchange Server 2010
Now, before we rush off to download and install this there are a couple of items to mention!
Test the update in your lab before installing in production. If in doubt test…
If the Exchange server does not have Internet connectivity then this introduces significant delay in building the Native images for the .Net assemblies as the server is unable to get to http://crl.microsoft.com. To resolve this issue, follow these steps:
On the Tools menu in Windows Internet Explorer, click Internet Options, and then click the Advanced tab.
In the Security section, click to clear the Check for publisher's certificate revocation check box, and then click OK.
We recommend that you clear this security option in Internet Explorer only if the computer is in a tightly controlled environment. When setup is complete, click to select the Check for publisher’s certificate revocation check box again.
Update Internet facing CAS servers first
Backup any OWA customisations as they will be removed
Test (yes technically this is in here for a second time but it is important!)
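The revocation-check steps above can be scripted so the setting is always put back, even if the install fails. This is an added example, not from the original post or from Microsoft's instructions; it assumes the checkbox is backed by the per-user State value under the WinTrust Software Publishing key (bit 0x200 set means revocation checking is off), and the function names and the folder in the update path are placeholders.

```powershell
# Added example (not from the original post). Assumption: the Internet Explorer
# checkbox "Check for publisher's certificate revocation" maps to bit 0x200 of
# this per-user DWORD. Run it as the account that performs the install.
$WinTrustKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$IgnoreRevocation = 0x200

function Test-PublisherRevocationCheck {
    # $true when publisher certificate revocation checking is enabled.
    $state = (Get-ItemProperty -Path $WinTrustKey -Name State -ErrorAction Stop).State
    return (($state -band $IgnoreRevocation) -eq 0)
}

function Invoke-WithRevocationCheckOff {
    param([Parameter(Mandatory = $true)][scriptblock]$Action)

    $original = (Get-ItemProperty -Path $WinTrustKey -Name State -ErrorAction Stop).State
    if (($original -band $IgnoreRevocation) -ne 0) {
        Write-Warning 'Revocation checking was already off before this run; it will be switched on afterwards.'
    }
    try {
        # Clear the check only for the duration of the action.
        Set-ItemProperty -Path $WinTrustKey -Name State -Value ($original -bor $IgnoreRevocation)
        & $Action
    }
    finally {
        # Runs whether the action succeeds or fails: always end with the check enabled.
        Set-ItemProperty -Path $WinTrustKey -Name State -Value ($original -band (-bnot $IgnoreRevocation))
    }
}

# Placeholder folder: point this at the downloaded rollup package.
$UpdatePath = 'C:\Install\Exchange2010-KB2986475-x64-en.msp'

Invoke-WithRevocationCheckOff {
    Start-Process -FilePath msiexec.exe -ArgumentList "/update `"$UpdatePath`"" -Wait
}
"Revocation check enabled after install: $(Test-PublisherRevocationCheck)"
```

Test-PublisherRevocationCheck can also be run on its own to find admin profiles where the option was cleared for an earlier rollup and never switched back on.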
This is a link throw-down for the items that we discussed during a recent Office 365 workshop that I delivered to customers in sunny Calgary.
I’m posting the links here since they will be available to all of the attendees, and thought that others may also find them useful/interesting.
Exchange Online Service Description – required reading! Especially the limits section. Read this now. Do not be surprised…..
MXToolbox – useful site to test DNS records, SMTP blacklists etc.
Remote Desktop Connection Manager (RDCMAN) 2.7 is now available. Downloadable from here.
New Outlook for MAC - New version of Outlook for MAC (MacLook).
The new Outlook for Mac includes:
Planning an Exchange hybrid deployment. This page has the support statement that shared mailboxes and mailboxes accessing them must reside in the same premises.
Mailbox permissions: On-premises mailbox permissions such as Send As, Receive As, and Full Access that are explicitly applied on the mailbox are migrated to Exchange Online if the tenant in Exchange Online has been fully synchronized using Dirsync or AAD Sync. Inherited (non-explicit) mailbox permissions such as permissions applied to the mailbox database and any permissions on non-mailbox objects (such as distribution lists or a mail-enabled user) are not migrated. Therefore, you should recreate these permissions in Exchange Online using the Add-MailboxPermission or Add-RecipientPermission cmdlets.
Cross-premises permissions: Mailbox permissions such as Send As, Receive As, and Full Access are not supported if the user trying to access the mailbox is in Exchange Online but the target mailbox is on-premises, or vice versa. Typically, when migrating a user mailbox from on-premises to Exchange Online, in order to overcome this limitation, mailboxes belonging to users who have access to the first mailbox should also be migrated at the same time to ensure the delegate scenarios continue to work.
Authentication changes to Office 2013. This was first announced at MEC 2014 and earlier this year on the Office blog. The November update is here.
Microsoft Virtual Academy – multiple training videos
Office Technical Blog
Garage Series
DirSync release announcement of Password Sync.
List of Attributes that are Synced by the Azure Active Directory Sync Tool
How To Run Manual DirSync / Azure Active Directory Sync Updates
DirSync: How To Switch From Single Sign-On To Password Sync
Exchange Innovation lab – if only it were real….
Do fish drown? – yes they do….
Cheese phobia is called Turophobia. It’s a long story…………….
This post was promoted from the draft bin to production after a customer visit a couple of weeks ago. When onsite we were looking at how the environment was configured. The admins had written a series of scripts to determine the environment state which was excellent to see! One thing that they had assumed though was that the ServerName attribute on a mailbox was where the database was currently mounted. In this customer’s case they had 12 mailbox servers in the DAG and this data led them to believe that mailboxes were evenly balanced across all of the servers.
Let’s see what is going on, and what caused the issue.
In this lab we have Exchange 2010 SP3 RU5 servers. A single Database Availability Group (DAG) exists which has three members: CONSEA-MB1, CONSEA-MB2 and CONDAL-MB1.
No database copies are mounted on mailbox server CONSEA-MB1 apart from DB01:
Just to ensure that there are no MMC refresh issues, PowerShell shows the same:
Since only DB01 is mounted and active on server CONSEA-MB1, then we should expect to see the same number of mailboxes returned if we check both – no?
Get-Mailbox -Server CONSEA-MB1
Get-Mailbox -Database DB01
Let’s run both commands, and pipe to Measure-Object since that makes it easy to count.
Are the numbers the same? Well, not so much…
In this case we are only off by one, but this is a tiny test lab and not representative of a reasonable production environment.
What is causing this?
The ServerName attribute is written to AD when the mailbox is created or moved into that database. Which name is used? The server which was hosting the active mailbox copy at that time. The ServerName attribute is held in AD and is stamped on the user object. We can see this on the below test mailbox:
The ServerName value is not updated when the database is activated on another server. If it were, then that would add considerable overhead to AD replication. That would make the grumpy triangle people even more grumpy, and we don’t want that!
Even *IF* this value was updated and replicated by AD, the other issue is replication latency. AD may take hours to replicate between AD sites. This is far too slow for certain Exchange database tasks such as updating log generation values which is why we use the cluster database to ensure fast guaranteed updates for critical database information.
To illustrate, let’s activate DB01 on a different server, in this case CONSEA-MB2. In the below screen shot you will see that DB01 was moved from CONSEA-MB1 to CONSEA-MB2. Then we check to make sure that there are no other active databases on server CONSEA-MB1. Finally we re-run the Get-Mailbox –Server cmdlet to see how many mailboxes are stamped with a ServerName attribute of CONSEA-MB1, and if that value has changed from the initial result of 30.
Has the count changed from the initial value of 30?
No it has not. This shows that the attribute is not updated when a *-over event occurs in a DAG.
In the below example we shall move mailbox Test-100 from database DB01 to DB02. The initial ServerName value is CONSEA-MB1. DB02 is currently mounted on server CONDAL-MB1. This is indicated in the red box below. Note that once the move request completes, the ServerName value is updated with the name of the mailbox server which hosted the active copy of the database at that point: CONDAL-MB1.
Again, we see in the below example that activating another copy of the mailbox does not change the ServerName value. Initially it was mounted on CONDAL-MB1, then moved to CONSEA-MB2.
In a DAG environment, the ServerName attribute becomes less useful as there are typically multiple copies of a given mailbox database which can seamlessly transition between multiple servers. The ServerName attribute is not updated in AD when the *-over event occurs.
The ServerName value is stamped based on where the database was mounted when the mailbox was created or last moved. It is possible to get it to update by running:
Set-Mailbox <user> -Database samedatabasename
Note that we are setting the same database to the user. In the lower line the ServerName field has now been updated.
When determining how many databases are actually running off a given mailbox server in a DAG, it is necessary to see what databases are currently mounted on each mailbox server and then enumerate the mailboxes from there. This could look something like the below one-liner:
Get-MailboxServer | Get-MailboxDatabaseCopyStatus | Where-Object {$_.Status -eq "Mounted"} | Sort-Object DatabaseName | ForEach-Object { Write-Host $_.DatabaseName (@(Get-Mailbox -Database $_.DatabaseName -ResultSize Unlimited)).Count }
Please note that the above is one line, and it may wrap.
Time flies. It’s now been 5 years since I completed the Exchange 2007 Microsoft Certified Master course in not so sunny Redmond. That was MCM rotation 4, which was the last Exchange 2007 rotation. If memory serves me correctly we started on the Monday the 2nd of November 2009 and finished on Saturday the 21st.
During this Exchange love fest we had a total of 4 tests. 3 written tests and the qual lab. After each week there would be a written test which covered the content from the preceding week. For us it was on the following Monday. Though in week 3 we had the week 2 content tested on the Monday, the week 3 exam on Friday and the qual lab the next day (Saturday). Owch, that is still painful even thinking about it. The below MCP exam transcript does not really do justice to the effort, cost and blood spent to earn each line…
One common comment is that this is a marathon of Exchange! To get through it and stay healthy is a challenge. I elected to stay at the silver cloud hotel and walk to campus daily. That 15 minute walk there and back at the end of the day was a blessing! Before settling down to do more study at the end of a 12 hour day, I got into the habit of swimming in the highly chlorinated pool. And to assist with memory retention whilst in building 40, paid many frequent visits to one of Starbucks coffee dispensing contraptions.
Then there came the crazy little thing called the qual lab…
On the topic of other crazy little things, November the 24th is also the day that Freddie Mercury died. *
Greg, as only Greg can/will do, blogged as we were doing the qual lab in his normal style: 17 Frowns and a Box of Donuts. At the end of the day there were 10 happy souls, though only 9 knew about it. One person thought that they had not completed the final task, but they had. They just needed cached store data to expire and everything was perfect!
What has happened since that? Lots of good stuff, and some bad…
There was a great bunch of people in my rotation. And to this day we still all help each other out and that is one of the best outcomes from the MCM. The same is true for the wider MCM community. These are the most passionate and capable people that you’d ever dream of working with and it is a vibrant community. Every day I learn some arcane aspect of Exchange.
12 months after this we had a mini-reunion and a lot of MCM R4 came back to do the Exchange 2010 MCM upgrade course. This was a beast. Lots of content compressed into a single week, with a written exam at the end followed by yet another qual lab. There were 25 people attending, all of whom were existing MCMs and only half a dozen walked away fully upgraded. Thankfully I was one of them, but it was rough. I seem to remember not being able to sleep with my leg muscles going into spasm. After completing the written test things were a blur. Then the qual lab was done on vapours and RockStar (thanks for that Dan S!). Did I say it was a tough week?
There used to be a nice page on the Microsoft learning (MSL) portion of Microsoft.com where you could see all the people who had passed MCM/MCA and agreed to their name being publicly displayed. Now there are a series of PDF files in lieu.
Having my brain melted with all of the MCM content certainly helped the technical interviews when applying to Microsoft. I’m still not really sure if Eric wanted to hire me for my technical acumen or since I was crazy enough to crack jokes with them whilst being interviewed.
I clearly remember being up late on a Friday evening in August, when an email popped up. It was the Friday on a long weekend. This was from MSL and it said that the MCM programme was being cut. I read it. Then re-read it and was wondering if the date was not the 1st of April. Unfortunately the date was the 30th of August 2013 and the email was real.
Neil has the content of the letter posted, and there are some “interesting” comments.
While I can understand that MSL has the right to change/cancel any one of its programmes, the way that all of the MCM programmes were cancelled was inexcusable. IIRC there were non-exchange rotations currently in-progress when the news was released, and Exchange rotations starting in the near future. When a standard MCP exam is scheduled to retire there is significant amount of notice given so people can plan accordingly. One can only imagine why this was not also afforded to the MCM track. An MCP exam costs $150 USD. MCM was $18,500 or so….
The other not so good memory relates to walking to the qual lab. After drinking a can of RockStar I then walked to campus. Half way up the hill I thought the scene in Alien featuring John Hurt was being re-enacted and my heart was about to detach itself. That was the last time I drank that potion. Well, until the next qual lab!
* – That was 1991. Time certainly does fly.
The venerable Remote Desktop Connection Manager (RDCMan) 2.2 was starting to show its age.
After a slight hiatus, RDCMan 2.7 is now available. Please say thank you to Julian Burger for the early Christmas present. Remote Desktop Connection Manager (RDCMan) is a great tool to consolidate multiple RDP connections into a single window to prevent desktop clutter.
RDCMan 2.7 supports Windows 8, 8.1, Server 2012 and 2012 R2.
The tool can be obtained from the Microsoft download centre.
There are a couple of things worth noting about the tool:
It will install into the x86 Program Files folder on a x64 machine:
C:\Program Files (x86)\Microsoft\Remote Desktop Connection Manager
Do not save your custom RDG files in the installation folder, just in case your local workstation dies and the file is gone. I always keep my .RDG files in a subfolder of My Documents, which is a redirected folder to a file server.
The RDG files are portable, and you can share them within your organisation. For example, when you get a new admin give them a copy of the RDG files and they are able to review your list of servers and get connected easily – assuming they have the permissions….
The help file is located in a subdirectory called Resources. Unsurprisingly, it is called help.htm.
From the above help file. Please review the help file for details.
Finally and most importantly, please say a big thank you to Julian Burger the developer who wrote this and David Zazzo for working to get the tool released initially!!
In some of the recent posts you will have noted that there have been some issues with VMware, and also network cards dropping packets (reported as “Packets Received Discarded”). One symptom of this is that nodes will be removed from the cluster and EventID 1135 is logged into the System log. EventID 1135 states that the Cluster node was removed from the active failover cluster membership. In Exchange 2010/2013 this impacts the Database Availability Group (DAG) as the databases will be moved off that server.
This is not good, and is something that warrants investigation.
To facilitate this I wrote a quick script to review the number of EventID 1135 on Exchange servers in a DAG.
The script is available in the TechNet gallery.
It will loop through all Exchange 2010 servers that have the mailbox role, and for each of these servers then determine how many 1135 errors are present in the system event log. The default value is to search back for the past 90 days.
As noted in this post for filtering PowerShell, you can edit the query to select different Exchange servers.
In order to try and improve performance a FilterHashTable was used rather than Where-object:
$Events = Get-WinEvent -ComputerName $ExchangeServer.Name -ErrorAction silentlycontinue -FilterHashtable @{logname='system'; ID=$EventIDToSearch; StartTime=$SearchDate}
The output data is saved into an array called $Output. You can edit the script to choose where the data is displayed: either directly under each server as it is queried, at the end of processing, or to a CSV file. By default the others are REMMED out, and the contents of $Output are written to a CSV in the directory where the script is executed from.
Comments and feedback are always welcome!
In the November 2014 security bulletin there were 14 updates released. The updates resolved security issues in IE, OLE and Schannel. It is the latter that is worth calling out for attention since this is the basis of the Microsoft implementation of SSL. Exchange makes heavy use of SSL, and is typically connected to the Internet.
You can read about the other security details in the security bulletin summary. CVE also has an entry for the issue.
MS14-066 / MS014-066 is pernicious for several reasons:
Update 16-11-2014: KB 2992611 has information on known issues.
Update 18-11-2014: V2 of the bulletin was released. Details from the update:
Reason for Revision: V2.0 (November 18, 2014): Bulletin revised to announce the reoffering of the 2992611 update to systems running Windows Server 2008 R2 and Windows Server 2012. The reoffering addresses known issues that a small number of customers experienced with the new TLS cipher suites that were included in the original release. Customers running Windows Server 2008 R2 or Windows Server 2012 who installed the 2992611 update prior to the November 18 reoffering should reapply the update. See Microsoft Knowledge Base Article 2992611 for more information.
As of writing, the MSRC and other security assets do not report that there are attacks in the wild since the issue was responsibly disclosed to Microsoft. However it is only a matter of time….
Test, Validate And Install this update ASAP
There are other security issues also resolved by this month’s security releases. For example in TCP/IP which is MS14-070 / MS014-070. The TCP/IP vulnerability is an elevation of privilege, whereas the Schannel vulnerability allows remote code execution.
Both are not good, so please let’s get our servers patched and protected!
Since there will be a good few folks running Windows 10 who subscribe to the RSS feed, I thought it would be worthwhile sharing a recent issue I had with my Windows 10 laptop. This is a Lenovo W530 with ample CPU, SSD and video card performance. It should run like a beast, but recently the graphics performance was terrible. Clicking around between windows took seconds, and searching for applications on the start screen took 5 – 10 seconds. It felt that glaciers were moving faster than this…
There have been a couple of recent Windows Update driver releases for both the Nvidia and Intel cards. Both were installed. Prior to installing these driver updates, the video performance was OK.
After upgrading to Windows 10 I had to go into the BIOS and tweak the display settings to stop the laptop from changing settings on the fly. All was good and done at that point, well apparently not.
Turns out that there is a setting to allow the driver to revert the BIOS change that I’d just made, and since I had not locked the setting down it got changed and my performance suffered.
This is not a brand new issue with Nvidia Optimus solutions. For example take a peek here for some of the reasons behind why the two cards are used and why this also affects older models such as the W520.
Since the laptop is UEFI based, I initiated the boot to hardware settings from Windows. The full steps with screenshots are below for reference purposes.
Windows key + C brings up the charm from the start screen. Click settings then change PC Settings in the lower right hand corner. Then from Update and Recovery choose the Recovery menu option, and then Advanced start-up on the right hand pane. The machine will restart.
Depending upon what hardware you have the BIOS setup options will vary. This is from a Lenovo W530. On the Config tab, select display:
The graphics device setting provides three options:
This is the setting that I had previously changed, and told the laptop to use the discrete option. Job done! Well, actually no because of the very next option. Which I totally ignored the first time around…..
What is this option? You can see it highlighted here, with a blurb on the right hand side. From what I see this is Enabled by default. This is what allowed the setting to be reverted.
This time around let’s disable it and lock in the option that we want.
Hopefully this provides some relief for those with slow displays.
Do leave a comment to say if it helped or not!
You will then get something similar to the below. This is taken from a Windows 10 Preview installation. Click the Advanced options.
Then troubleshoot:
Then the UEFI Firmware Settings. Then select restart.
You will now be in the setup screen, and can follow the steps above.
When we are performing the Exchange Risk Assessment, one of the things PFE love to check is how servers have been configured for IPv6. There have been numerous occasions where we have found servers whose admin has said that they have disabled IPv6, but when you look at the server it is not really disabled.
When we take a look at the Exchange server, the initial clue is that the network card’s TCP/IPv6 configuration looks like this, where IPv6 is unselected from the NIC.
There seems to be a belief that the simple act of clearing this ticky box disables IPv6 on the server. That is not the case. If we check the IP information we quickly see something like this:
ISATAP is part of the IPv6 protocol stack, so IPv6 is blatantly not disabled on this box…..
This is pretty frustrating, as this is a well documented process and a quick search using one’s favourite search engine quickly shows the steps required.
But let’s ask if IPv6 really should be disabled.
As Joseph Davies very eloquently said back in 2009 :
It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.
From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.
Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.
Exchange 2007, 2010, and Exchange 2013 support IPv6 with the details for each release contained within the documentation for the relevant product. Note that a dual stack configuration is required. In other words, for IPv6 to be supported IPv4 must also be enabled.
As discussed in KB 929852 the IPv6 configuration can be tuned or disabled via the registry. This is the DisabledComponents entry which is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
Setting DisabledComponents to 0xff disables all IPv6 components except the IPv6 loopback interface. This value also configures Windows to prefer using IPv4 over IPv6 by changing entries in the prefix policy table.
REG.exe query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents
One thing to note is the value specified above for DisabledComponents. It is 0xFF and not 0xFFFFFFFF. Why you may ask as 0xFFFFFFFF was what was documented, no?
Well yes it was, but it transpires that this adds a 5 second delay to the boot process. Way back with Vista 0xFF was the value used, and the documentation got out of alignment.
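One way to check what a server is really doing, as an added example that is not from the original post: it decodes DisabledComponents using the bit meanings documented in KB 929852 and compares the result with the NIC tick box, so a server where IPv6 was only unticked shows up as still active. The function names are hypothetical, the sample values are constructed, and Get-NetAdapterBinding is only present on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original post.
function ConvertFrom-DisabledComponents {
    param([Parameter(Mandatory = $true)][int64]$Value)

    # A DWORD can come back as a signed Int32, so 0xFFFFFFFF may arrive as -1.
    $Raw = $Value -band [int64]4294967295

    # Bit meanings as documented in KB 929852.
    $BitMeanings = @(
        @{ Mask = 0x01; Meaning = 'All IPv6 tunnel interfaces disabled' },
        @{ Mask = 0x02; Meaning = '6to4 disabled' },
        @{ Mask = 0x04; Meaning = 'ISATAP disabled' },
        @{ Mask = 0x08; Meaning = 'Teredo disabled' },
        @{ Mask = 0x10; Meaning = 'IPv6 disabled on nontunnel (LAN/PPP) interfaces' },
        @{ Mask = 0x20; Meaning = 'IPv4 preferred over IPv6 in the prefix policy table' }
    )
    $Set = @($BitMeanings | Where-Object { $Raw -band $_.Mask } | ForEach-Object { $_.Meaning })

    New-Object PSObject -Property @{
        Hex                   = ('0x{0:X}' -f $Raw)
        Settings              = $Set
        # Tunnel and nontunnel interfaces both off: only loopback is left.
        AllInterfacesDisabled = (($Raw -band 0x11) -eq 0x11)
        PrefersIPv4           = [bool]($Raw -band 0x20)
        # The value the post warns about because of the 5 second boot delay.
        BootDelayValue        = ($Raw -eq 4294967295)
    }
}

function Get-IPv6Posture {
    $Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $Value = 0   # an absent entry means the default: nothing disabled
    $Prop = Get-ItemProperty -Path $Key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($Prop) { $Value = $Prop.DisabledComponents }
    $Decoded = ConvertFrom-DisabledComponents -Value $Value

    # NICs where the TCP/IPv6 tick box has been cleared.
    $Unticked = @()
    if (Get-Command Get-NetAdapterBinding -ErrorAction SilentlyContinue) {
        $Unticked = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
            Where-Object { -not $_.Enabled } | ForEach-Object { $_.Name })
    }

    $Findings = @()
    if ($Unticked.Count -gt 0 -and -not $Decoded.AllInterfacesDisabled) {
        $Findings += 'IPv6 is unticked on: ' + ($Unticked -join ', ') +
            ' but the IPv6 stack is still active on this server.'
    }
    if ($Decoded.BootDelayValue) {
        $Findings += '0xFFFFFFFF is set; use 0xFF to avoid the 5 second boot delay.'
    }
    if ($Decoded.AllInterfacesDisabled) {
        $Findings += 'IPv6 is disabled apart from loopback; confirm the business case is documented.'
    }
    if ($Findings.Count -eq 0) { $Findings += 'Default or tuned configuration; IPv6 is enabled.' }

    New-Object PSObject -Property @{
        DisabledComponents = $Decoded.Hex
        Settings           = $Decoded.Settings
        UntickedAdapters   = $Unticked
        Findings           = $Findings
    }
}

# Constructed sample values: default, prefer IPv4 only, 0xFF, and 0xFFFFFFFF.
foreach ($Sample in 0, 0x20, 0xFF, 4294967295) {
    ConvertFrom-DisabledComponents -Value $Sample | Format-List Hex, Settings, AllInterfacesDisabled, BootDelayValue
}

# The local server as it is configured right now.
Get-IPv6Posture | Format-List DisabledComponents, Settings, UntickedAdapters, Findings
```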
Unless there are specific reasons for disabling IPv6 please do not do it. Microsoft tests Exchange with both IPv4 and IPv6 enabled, i.e. the default configuration.
One common theme you will pick up from my blog posts, is that walking the most frequently trodden supported path is a good thing since issues are less likely to crop up. If an issue does occur, then the priority of a fix being quickly developed is very high. Corner cases will get less priority and this can cause the fix to be delayed.
Please follow the official documentation and KB articles to disable or optimise the IP stack.
If there is a business case for disabling IPv6 then do so using the above procedures. For example there is a case for disabling specific IPv6 features in an Exchange 2007 and 2013 coexistence environment as discussed in KB 2794253.
TechEd Europe starts tomorrow! It is being held again in the beautiful and amazing city of Barcelona. You can be sure that TechEd will deliver lots of great product news and information.
You can use the catalog to review all of the sessions, but I wanted to call out a couple of particular interest.
The below sessions are being delivered by two of my Canadian colleagues, and internally within Microsoft these sessions have received great feedback, so please add them to your schedule and go get some great Lync content and advanced knowledge.
Connect and meet up with James and Matt, they are amazing guys and I’m very fortunate to have them as colleagues. Feel free to ask Matt why he loves Yamaha motorcycles, and ask James what makes him happy every day!
It seems like a long time since I was last in Barcelona, and it was. That would have been TechEd 2001, and the memorable UK breakout party still makes me smile.
Windows Update is a very important feature in the newer builds of the OS. If we think back to the NT 3.5/4.0 days the process to obtain updates was very different. Just to obtain a hotfix you needed to call in, provide credit card details and then obtain the update. How times have changed! And for the better!
This post is one of those Homer moments. When you realise for the last few years you been doing something somewhat silly!
We should all be familiar with the Windows update screen shown below:
In this example we have 15 Important updates to install:
And 1 Optional update:
Previously I would just click the Optional link as shown in the very first image above. I'd then tick the relevant updates as it then installs the optional update(s) and the important ones. Clicking the Important link would show those updates and I could never find a way to get back to the Optional ones, as clicking Install will immediately go off and install whatever is currently selected.
What I never realised, until last month, was that I can navigate between the two tabs. DOH!
In the left hand side of the window the Important and Optional updates are actually on separate tabs. This is the highlighted area in the below screenshot.
What this means is that you can toggle between them and select the appropriate updates. When you have chosen the appropriate update then you can click install.
How did I ever miss that……??
Last week after showing a client some of new features in Windows 10, they went off and upgraded a laptop to the preview from Windows 8.1. Initially all seemed to go well. That is until they tried to start up VMs on their SSD drive. At that point Mr Sad & Grumpy came to visit.
They were getting errors such as:
Looking at the details they saw Error 0x80070780. That is a fairly generic file system error. Doing a quick search provided no immediate clues. Please note the image above has been edited and redacted to remove some customer identifiable information.
Uh oh Shaggy, it's now troubleshooting time!
Creating a brand new VM, and then powering it on worked perfectly. There were no issues, and everything worked as expected. This proves that the hypervisor is loaded and is functioning correctly.
All of the original VMs continued to experience an error. We could see all of the files on disk, and superficially at least everything looked OK.
Now that we knew the hypervisor is OK, we went back and reviewed all of the Hyper-V event logs. That did not provide sufficient detail to fully understand the issue. Then we went back to the 0x80070780 error. What was making that error fire?
A mini Spanish inquisition then ensued! *
During a barrage of questions, we quickly discussed multiple topics. This ranged from SSD firmware issues, previous issues with the SSD drive and also what was the history with that particular laptop. Then there was an epiphany!
The clue is that the VMs were on an SSD. This was a small 64GB SSD, and you could imagine that 64 GB is not a lot of space in today’s world. To get more VMs onto this small SSD they had followed some of the unsupported 3rd party blog postings on the Internet to install the Windows Server 2012 R2 dedupe feature onto their Windows 8.1 machine.
This is not a supported scenario. When Windows 8.1 was upgraded to Windows 10, the installer does not expect to find the server dedupe feature so it was removed. All of the VMs that had been deduped were now inaccessible since Windows had no way to understand how to access them.
They were able to get access to the VMs by again following unsupported 3rd party blog posts to re-add the Windows 10 server dedupe bits.
In this case the admin got a fright, and managed to regain access to their VMs. However this should be used as a case in point where Microsoft support would not have been able to fully help since this is not a supported scenario.
Please note installing the Windows Server dedupe feature onto client builds is not supported.
* No cushions or comfy chairs were harmed during the making of this blog post.
After updating my Windows 8.1 machine to the Windows 10 preview, some of my VMs were no longer visible in the Hyper-V Manager. Prior to powering on some VMs, all of them were visible. After powering on, some VMs disappeared in the Hyper-V Manager console.
In the screen shot below, there should be 10 VMs displayed which have the prefix of “HA”.
Restarting the Virtual Machine management service made no difference. The VMs that were not displayed remain in that state, i.e. hidden.
But they are certainly there! Looking in PowerShell using Get-VM showed all the VMs:
They were still manageable via PowerShell.
Get-VM | Where {$_.State -eq "Running"}
If they were saved using PowerShell, then they appear in the GUI once again:
Get-VM | Where {$_.State -eq "Running"} | Save-VM
After they had been saved, simply refreshing the Hyper-V Manager made them all re-appear.
If the VMs were started up again, some of them would “stick” at the starting phase. This is highlighted in the screenshot below.
Despite being marked with a status of “Starting” all VMs were successfully started and were fully accessible. Refreshing the Hyper-V Manager would then cause VMs to again disappear.
OK – what is up with that VM? Why is it saying it is stuck starting, but the VM is actually running? Why is it not reporting it is in a happy place?
If we look at the VM Integration Services, there is a difference between a VM that is happy and the one that was stuck in starting phase. Note the highlighted areas below:
Get-VMIntegrationService -VMName "VMName"
Digging deeper, how does the VM heartbeat appear for these VMs?
Get-VM HA* | Select Name, Heartbeat
As indicated with the big red arrow, there is a bit of a difference…..
In the Windows 10 Preview, there is currently an issue if the VM heartbeat is reported as unknown. In this case, VMs do not appear in the Hyper-V Management console.
To work around this issue, disable the heartbeat for these VMs. The following command will disable the heartbeat for VMs that have a status of “OkApplicationsUnknown”.
Get-VM | Where {$_.Heartbeat -eq "OkApplicationsUnknown"} | Disable-VMIntegrationService Heartbeat
After running the above command and refreshing the Hyper-V Manager the VMs are now visible! The naughty VM listed above is now in the running state and all is good!
Please remember that this is the initial preview of Windows 10, and that this article was written specifically for the preview.
Six months ago, we discussed that Office 2010 SP1 support was drawing to a close. This means that you now need to have Office 2010 SP2 deployed on all machines as the end of Office 2010 SP1 support is the 14th of October 2014.
The Microsoft support lifecycle site has the above details.
One thing to note here! Since I am focussed on messaging, the main thingy in the Office stack that I work on is Outlook. But note that there is not an Outlook 2010 service pack. This is the OFFICE 2010 service pack. Why is this important? Well this means assessing the impact of updating all of the installed Office 2010 bits and ensuring compatibility with your various applications and services. This is worth mentioning as it can be no small task to do so in a large enterprise environment, and those customers will have been planning this install for months!
While we are discussing Outlook 2010 specifically here, the same holds true for all products covered with the Microsoft support lifecycle. Please sign up for the Microsoft Support Lifecycle Quarterly Update Newsletter to stay abreast of supportability dates and ensure you get the support you deserve!
Generally the Exchange external Autodiscover DNS entity is configured as a regular A record. Sometimes a service record (SRV) is used instead. Since I have the habit of forgetting the syntax of quickly querying for the SRV record, this is one of those shared bookmark posts!
Nslookup is the tool of choice here! Its documentation can be found on TechNet.
There are two ways to run nslookup – interactive and noninteractive. Noninteractive is good when you know that you only want to query a single piece of data. Let’s take a peek at an example of each. We will check for the _autodiscover SRV record in the Tailspintoys.ca domain. The record points to a host called autod.tailspintoys.ca. The full format of this record is:
_autodiscover._tcp.tailspintoys.ca
For more reading on SRV records, take a peek at this article. And for Autodiscover in general please review this post.
Open a cmd prompt and run
nslookup -q=srv _autodiscover._tcp.tailspintoys.ca
You should see the below output. Note that the svr hostname will be the Autodiscover target.
In this example we launched Nslookup in noninteractive mode. The query type is set to SRV and then we checked for the _autodiscover._tcp.tailspintoys.ca record.
Open a cmd prompt and run:
In this example we launched Nslookup in interactive mode, so we can interact with it. The query type is set to SRV and then we checked for the _autodiscover._tcp.tailspintoys.ca record.
For reference purposes, the steps to add an Autodiscover SRV record will be something like the below. They are intended to be general so please follow any specific notes or items for the DNS registrar you are using!
In your DNS zone editor add an SRV record with the following information:
Service: _autodiscover
Protocol: _tcp
Name: Enter one of the following values:
Enter @ if your registered domain is your cloud-based domain. For example, if your registered domain is contoso.com and your cloud-based domain is contoso.com, enter @.
Enter the subdomain name if your cloud-based domain is a subdomain of your registered domain. For example, if your registered domain is contoso.com, but your cloud-based domain is the subdomain test.contoso.com, enter test.
Priority: 10 (or as per your design)
Weight: 10 (or as per your design)
Port: 443
Target: server.contoso.com (in the example above this was autod.tailspintoys.ca)
TTL: Verify that an appropriate TTL is selected, 1 hour is a common default. (If you are approaching a migration, this should be decremented to allow for quicker cutover)
In addition to the SRV record pointing us to the correct location, we also have to ensure that there is a valid certificate installed which is published to the Internet. This could be something as simple as a NAT rule with the appropriate firewall rule for TCP 443 or it could involve TMG or a load balancer's APM.
The choice as they say - is yours!!
Depending upon the version of the sync solution that you are using to replicate directory data from on-premises Active Directory to Office 365 there are different commands that you will need to use.
We can see a listing of the DirSync versions on the TechNet wiki. And for AAD Sync, the version listings are on MSDN.
In September 2014 the Microsoft Azure AD Sync tool was released. This changed how manual sync requests are issued.
To perform a manual update we now use the DirectorySyncClientCmd.exe tool. The Delta and Initial parameters are added to the command to specify the relevant task.
This tool is located in:
C:\Program Files\Microsoft Azure AD Sync\Bin
The steps to migrate from DirSync to AAD Sync are listed here.
With build 6862 the PowerShell module has moved. The location for this module is now:
C:\Program Files\Windows Azure Active Directory Sync\DirSync\ImportModules.ps1
To allow us to execute the Start-OnlineCoexistenceSync cmdlet we can either:
In the older builds of DirSync, we would use the DirSyncConfigShell.psc1 that was located in:
C:\Program Files\Windows Azure Directory Sync
or
C:\Program Files\Microsoft Online Directory Sync
Imagine the scenario -- all is working well with your Office 365 hybrid solution until you come into the office tomorrow morning and you get calls saying on-premises users are unable to see the free/busy information for mailboxes in Office 365. While this sounds like a bad dream, this reality could come true tomorrow morning, so let’s check to make sure that this does not happen!
The background here is that there is a planned change to the Microsoft Federation Gateway (MFG). A certificate is being updated which means customers with a federation trust to the MFG must refresh their configuration so that they are aware of the new certificate. While this will affect Exchange hybrid deployments, it will also affect on-premises deployments that have a trust to the MFG.
Exchange 2013 SP1 systems installed onto Windows Server 2012 will automatically update themselves, but previous versions of Exchange will not. The same is true for Exchange 2013 installed onto Windows Server 2008 R2. Either you do this manually or create a scheduled task to periodically do this work for you. The steps to create the scheduled task are in the link to the planned change.
Update 31-10-2014: Added nuance above to call out that manual work will be needed when Exchange 2013 is installed onto Server 2008 R2.
The steps to update the MFG metadata are straightforward. Open the Exchange Management Shell and run:
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
In the example below, the optional -Verbose option was added:
We can use the Test-FederationTrust cmdlet to validate the Federation Trust to the MFG.
This is before updating the metadata:
After Get-FederationTrust | Set-FederationTrust -RefreshMetadata was executed this is the result:
If you have not created the test CAS account to run some of the other test cmdlets or for SCOM, then you will receive the below error:
Couldn't find object "extest_blahblahblahblah". Please make sure that it was spelled correctly or specify a different object
This is a test lab with a single mailbox server so I ran the below to create a single test CAS mailbox.
Get-MailboxServer | .\New-TestCasConnectivityUser.ps1
Note that in Exchange 2010 there is only one extest account per AD site.
Use the Test-FederationTrustCertificate cmdlet to see the certificates:
Additionally we can also look at the Get-FederationTrust cmdlet to see the certificates. The below screenshots show the certificates before and after updating the Federation Trust.
Note that in the screenshot below from prior to updating the metadata, the TokenIssuerPrevCertificate expires on the 15th of July 2015.
After updating the metadata, the certificates have been changed so that the above TokenIssuerPrevCertificate certificate has been replaced:
Go forth and update your metadata, if you have not done so already!
Previously we discussed an interesting feature of the Exchange virtual directory cmdlets where they check data stored in AD, rather than making a trip to the server and querying its IIS metabase. For the details on this, please read the original post here: Slow Response To Exchange Virtual Directory Cmdlets.
In that article we were using the ADPropertiesOnly switch so that it was very quick to review all of the URL settings on hundreds of Exchange servers. This worked very well, and saved many hours of waiting for remote servers to respond.
Then one of my colleagues noticed an issue checking the auth types on the virtual directory, which was initially interpreted as a false positive by the customer.
In the below example we are running two commands. The first one is what most folks normally use and then in the second example the ADPropertiesOnly switch is added.
Get-OWAVirtualDirectory -Server Consea-HT-Cas1 | Select Name, *auth*
Get-OWAVirtualDirectory -Server Consea-HT-Cas1 -ADPropertiesOnly | Select Name, *auth*
Looking at the output closely we can see that there are differences in the output. For example, look at the BasicAuthentication field. This is highlighted below to show the difference.
When looking at the ADPropertiesOnly line, BasicAuthentication is reported as $False.
Checking in the IIS console locally on the server, we can see that Basic Auth is present and enabled:
The properties in the Exchange 2010 Management console are shown below for this OWA virtual directory. Note that it shows the default permissions for an Exchange 2010 SP3 box. Forms based auth is selected, and the tick boxes for integrated windows and basic auth are implicitly enabled.
What’s up? Why is ADPropertiesOnly showing $False for basic auth when basic is enabled?
Looking at Exchange 2013’s Get-ActiveSyncVirtualDirectory cmdlet, we see the following description for ADPropertiesOnly:
ADPropertiesOnly switch specifies whether to return only the properties about the virtual directory stored in Active Directory. The properties stored in the Internet Information Services (IIS) metabase aren't returned
The OWA virtual directory object is stored in the below location in AD’s configuration naming context:
Dn: CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=CONSEA-HT-CAS1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com
The auth properties are listed below for reference, but do not manipulate them directly:
msExchExternalAuthenticationMethods: 4; msExchInternalAuthenticationMethods: 23;
So we can see that Exchange is able to query against the values stored in AD. This is returned in the msExchInternalAuthenticationMethods cmdlet output. However the additional metabase properties are not returned.
The way this is shown in the cmdlet output using ADPropertiesOnly is with a $False. Maybe $Null could have been used.
Either way, the net result is that ADPropertiesOnly works great for those properties that do not require a trip to the metabase. Be careful to ensure that you don’t read too much into a false positive result. Use the attributes that are stored in AD for such comparisons – the ExternalAuthenticationMethods and InternalAuthenticationMethods.
Please be aware of an emerging issue in Exchange 2013 and Exchange Online. In a delegate scenario it is possible that OWA can be used to delete a folder from the other user’s mailbox and not appear in the Deleted Items section of the recoverable items folder.
This is covered in KB 2996477 -- Folder deletions are not preserved for mailboxes put on litigation or in-place hold in Exchange Server 2013 OWA.
Update 15-9-2014: Bharat tweeted that the Office 365 fix is being rolled out and CU7 is the target delivery mechanism for on-premises customers.
Consider the following scenario:
In this scenario, the deleted or moved folder items do not appear in the "Deleted Items" section of the Recoverable Items folder.
Please monitor the KB for updates and progress on this issue.
In Exchange 2010 the Set-AdServerSettings cmdlet is used to manage the AD environment in the current Exchange Management Shell (EMS) session. In Exchange 2007 there was a variable called AdminSessionADSettings for the same purpose. Exchange admins normally use the Set-AdServerSettings cmdlet to change a session’s view scope, so that they can see objects in multiple domains. By default EMS places the focus on the local domain.
This can become tedious if we have to change scope at the start of every EMS session.
This was exactly the question posed during a recent workshop - How to set EMS so that it will default to the forest?
Please note: If any issues are caused by changes in the method outlined below, Microsoft support may request that the changes are removed since they are not officially tested or documented by the Exchange Product Group. You are also advised to document the initial settings so any change can be successfully reverted.
While we are on the support topic, directly loading the Exchange 2010 and 2013 PowerShell snap-in is not supported except in very specific scenarios. Those scenarios are documented in release notes and certain KB articles. The snap-in should not be loaded directly, and a regular remote PowerShell must be used for all normal activities.
PowerShell does have the option to embed commands into the profile so that they are executed when PowerShell is started. However if you try to add the Exchange 2010 Set-ADServerSettings cmdlet into the PowerShell profile you will receive an error stating that the cmdlet cannot be found. This is because the remote PowerShell session has not yet been established to make the Set-ADServerSettings cmdlet available. Bit of a chicken and egg situation…
For completeness' sake, this is what some folks will try to do: modify the PowerShell profile. Please see here for more details on PowerShell profiles, or you can ask PowerShell by running:
Get-Help about_profiles | MORE
If we check the PowerShell $Profile variable, it shows the following location:
$Profile.PSExtended | Format-List
Let’s modify the PowerShell profile that is referenced in the $Profile variable. This is the one under the user’s documents folder and is the CurrentUserCurrentHost one listed above.
Since the folder path does not fully exist, let’s create it and the file with the New-Item cmdlet specifying that it is of type “file”.
Then Notepad will open up the file so that we can add the Set-ADServerSettings command.
Finally we test expecting great results, but what do we see…..
Bah! Time for plan ‘B’….
Before we move onto plan ‘B’ the above PowerShell profile file should be removed since it does not work.
If you view the properties of the Exchange Management Shell shortcut, there are some interesting properties contained within.
You should see something like so:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto"
What does the above do? PowerShell is started specifying the version and that it should not exit after completing the command. The command to execute is the RemoteExchange.ps1 script that lives in the \Bin Exchange directory. Then there is the continuation character “;” so execution continues and calls one of the functions created by the Exchange scripts “Connect-ExchangeServer”. As a side note it is these scripts that customise the EMS and provide the Get-ExBlog, Get-Tip and Connect-ExchangeServer functions.
Do not modify the Exchange scripts that are signed. What we can do is shim in an extra command into this shortcut. Note that the syntax is a little demanding and that the script must be preceded with a “.” prior to the script name.
Let’s make an additional script called StartMeUp.ps1 and place this into the C:\Scripts folder. This is where the Contoso admins place all of their scripts. Don’t you? We will then call StartMeUp.ps1 when the EMS is started. The properties of the EMS are adjusted like so:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -noexit -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; . 'C:\Scripts\StartMeUp.ps1' "
Please note this is one line, though it may wrap.
The contents of the StartMeUp.ps1 file are shown here for reference:
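# Make the whole forest visible to this Exchange Management Shell session
Set-AdServerSettings -ViewEntireForest $True
Write-Host
Write-Host
Write-Host "Hello Michael, this is KITT. How are you doing today?" -ForeGroundColor magenta
Write-Host "Your current ADServerSettings are:" -ForeGroundColor magenta
# Show the resulting settings so the scope can be confirmed at a glance
Get-AdserverSettings
Write-Host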
When you then open the Management Shell, ViewEntireForest is automatically set to $True without having to do anything!
* - Can you guess what was one of my favourite television programmes from the past?
One thing to note. If additional copies were made from the initial EMS shortcut (like a desktop shortcut or pinned to the taskbar) they will likely not have the additional script embedded within them. You may have to delete and then re-pin to the taskbar.
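Whatever is in C:\Scripts\StartMeUp.ps1 now runs in every Exchange Management Shell session started from this shortcut, so the file and its folder should be writable only by administrators. The following check is an added example, not part of the original post; the function name Get-UnexpectedWriteAccess and the list of trusted SIDs are assumptions to adjust to local policy.

```powershell
# Added example: list ACL entries that let anyone other than the trusted
# principals change a script that the EMS shortcut dot-sources.
function Get-UnexpectedWriteAccess {
    param(
        [string]$Path,
        # Assumption: only these SIDs should be able to change the script.
        [string[]]$TrustedSid = @('S-1-5-32-544', 'S-1-5-18')  # Administrators, SYSTEM
    )

    # Rights that permit changing the content, the ACL or the owner.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # GENERIC_ALL and GENERIC_WRITE, as they appear in inherit-only folder ACEs.
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($TrustedSid -contains $rule.IdentityReference.Value) { continue }

        # Resolve the SID to a name for the report where possible.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }

        New-Object PSObject -Property @{
            Path      = $Path
            Identity  = $name
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Demonstration on a throw-away file so the block runs on any machine.
# In practice, check C:\Scripts\StartMeUp.ps1 and the C:\Scripts folder.
$demo = Join-Path $env:TEMP 'StartMeUp-demo.ps1'
Set-Content -Path $demo -Value '# constructed placeholder'
Get-UnexpectedWriteAccess -Path $demo | Format-List Identity, Sid, Rights, Inherited
Remove-Item -Path $demo
```

An empty result means only the trusted principals can modify the target; any row returned is an account or group that could change what the shell runs at startup.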
Hope this saves you one line of unnecessary typing every day!
* – Bonus points if you can remember the name of the bad prototype of this car! Hint!
In the previous post on the topic of the Registry Editor’s favourites menu, Andrew Higginbotham was kind enough to point out that there was also an easy way to export the favourites from one machine and import to another. Since it’s always good to show how to arrive at a solution, let’s break down the process of finding out where this data is squirreled.
As always we can use the venerable Sysinternals Process Monitor to tell us where the Registry Editor is saving the Favourites data.
To ensure that we do not capture a load of useless data, we can set a filter in Process Monitor to only show us what regedit.exe is doing. Click on the filter icon, or use the shortcut of Ctrl + L.
In the Process Monitor Filter window, add a new filter for Process Name is regedit.exe.
Click Add, and the regedit.exe process is added
Clear any existing data with Ctrl + X and then make sure the capture is running when we add a test favourite.
We should then see that the favourites are stored under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
This is shown below in the capture:
On that line in Process Monitor, right-click the entry and choose “Jump to” or use Ctrl + J to scoot directly to the registry location where the data is stored.
We can also use another neat shortcut to copy the registry path to avoid typos! Right click the key, and select Copy key name:
We can export the registry data from here to a .reg file, take that to another server and import it, but let’s automate this!
Let’s use reg.exe to pull out the data:
REG.exe EXPORT HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites \\Consea-mb1\stuff\Favourites.reg
Please note that the above command is one line, though it may wrap. You will also note that it saves the .reg file to a UNC path that we can write to. This can be your home folder, or a share where multiple admins have access so that you can all use the same shared favourites to streamline your operational tasks.
To then load up our export file run
REG.exe IMPORT \\consea-mb1\stuff\favourites.reg
If you are super keen on the feature, go crazy and add it to your server build process
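REG.exe IMPORT writes every key contained in the file, not only the Favorites key, so a file that sits on a share several admins can write to is worth checking before it is imported. The following is an added example, not part of the original post; the function name Test-FavouritesRegContent and the sample data are assumptions made for illustration.

```powershell
# Added example: accept a Favourites .reg file only if every entry in it
# belongs to the Regedit Favorites key found with Process Monitor above.
$AllowedKey = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites'

function Test-FavouritesRegContent {
    param([string[]]$Lines)

    $problems = @()
    $inAllowedKey = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }             # blank / comment
        if ($line -eq 'Windows Registry Editor Version 5.00') { continue }  # file header

        if ($line.StartsWith('[')) {
            # Key header. "[-KEY]" deletes a key, and any other key would be
            # written into the importing admin's registry as well.
            $inAllowedKey = ($line -ieq "[$AllowedKey]")
            if (-not $inAllowedKey) { $problems += "unexpected key: $line" }
            continue
        }
        if (-not $inAllowedKey) { continue }   # values under a rejected key

        # Favourites are string values of the form "Name"="Registry\\Path".
        # Anything else (hex data, dword, "Name"=- deletions) is reported.
        if ($line -notmatch '^"(?:[^"\\]|\\.)*"="(?:[^"\\]|\\.)*"$') {
            $problems += "unexpected value: $line"
        }
    }
    return ,$problems
}

# Constructed sample: one legitimate favourite plus a key that does not belong.
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites]
"Exchange Setup"="Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ExchangeServer"

[HKEY_CURRENT_USER\Software\Example\NotFavourites]
"Placeholder"="constructed"
'@ -split "`r?`n"

$found = Test-FavouritesRegContent -Lines $sample
if ($found.Count -eq 0) { 'Only Favorites entries found' } else { $found }
# Real file: Test-FavouritesRegContent -Lines (Get-Content \\consea-mb1\stuff\favourites.reg)
```

On the constructed sample the function reports the second key as unexpected; run the import only when the list comes back empty.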