Can't modify message delivery restrictions properties on Exchange 2010 EMC


In my case there was a distribution group with message delivery restrictions defined: the group accepted messages only from the senders listed in the restriction's list box. When I tried to modify that list of users I received the following error message:
"Set-DistributionGroup Failed: Error: Couldn't find object "domain/local/disabled users/user who is no longer in company." 
The disabled user was not on the list shown by the Exchange 2010 EMC, so I could not remove it from the console.
This can be resolved with the Exchange 2007 EMC (which still shows the disabled user in the message delivery restrictions dialog) if you are in a migration period from Exchange 2007, or with the Active Directory Users and Computers console from Windows Server 2008, or with ADSIEdit. In the properties of the "problematic" distribution group, the Attribute Editor tab (ADUC console) shows the authOrig attribute, whose value is the list of users allowed to send email to that group. In the authOrig value you can see and remove the disabled account. After removing the disabled user you can modify the message delivery restrictions properties with the Exchange 2010 EMC again.
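The same check from the shell, as an added example that is not part of the original post: it reads the group's authOrig attribute and flags every entry that Exchange can no longer resolve as a recipient (the object may still exist in AD, for example in a "disabled users" OU, but no longer be a mailbox or mail user), then removes the dangling entries with Set-ADGroup, which is the scripted equivalent of the Attribute Editor edit above. It assumes an Exchange 2010 Management Shell on a host with the ActiveDirectory module (RSAT) installed; the group name is a constructed placeholder.

```powershell
# Added example: find and remove authOrig entries that Exchange cannot resolve.
# Assumes Exchange Management Shell + ActiveDirectory module (Windows Server 2008 R2 RSAT).
Import-Module ActiveDirectory

function Get-AuthOrigStatus {
    param([Parameter(Mandatory=$true)][string]$GroupName)

    # authOrig is the multivalued DN list behind "accept messages only from"
    $group = Get-ADGroup -Identity $GroupName -Properties authOrig
    foreach ($dn in @($group.authOrig)) {
        $resolves = $false
        try {
            # Get-Recipient fails for a DN that is no longer an Exchange recipient,
            # which is the same lookup Set-DistributionGroup trips over in the EMC
            Get-Recipient -Identity $dn -ErrorAction Stop | Out-Null
            $resolves = $true
        } catch { }
        New-Object PSObject -Property @{
            Group    = $group.DistinguishedName
            Sender   = $dn
            Resolves = $resolves
        }
    }
}

# Constructed group name; replace with the "problematic" distribution group
$status = Get-AuthOrigStatus -GroupName "Finance Notifications"
$status | Format-Table Sender, Resolves -AutoSize

# Remove only the entries Exchange cannot resolve. -WhatIf shows what would change;
# drop it to apply.
foreach ($entry in ($status | Where-Object { -not $_.Resolves })) {
    Set-ADGroup -Identity $entry.Group -Remove @{ authOrig = $entry.Sender } -WhatIf
}
```

After the stale DNs are gone, Set-DistributionGroup (and the EMC dialog) can write the AcceptMessagesOnlyFrom list again, because Exchange re-reads authOrig and every remaining entry resolves.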

How to request SAN certificate using mmc

You can use the Certificates MMC console to request a SAN certificate for your web server (server authentication). After you have added the Certificates snap-in for the local computer store, you can create a custom request:



The Certificate Enrollment wizard will start. On the Before You Begin page click Next; on Select Certificate Enrollment Policy select Custom Request (Proceed without enrollment policy) and click Next.


On the Custom Request page, for Template select (No template) Legacy key:



On Certificate Information click Details and then Properties:


Enter a friendly name for the certificate:



On the Subject tab add the desired common name and the alternative names for the certificate:



 
Some public CAs require additional subject information in the certificate request, such as Country:


On the Extensions tab add Server Authentication under Application policies:


On the Private Key tab select the key options and key type:


Click OK to go back to the wizard page and click Next to save the request to a file:


After finishing the wizard you will have a certificate request in Base64 format, which you can submit to an external or internal certificate authority. After processing the request, the CA will issue a certificate; import it into the computer's local store and you will have a valid SAN certificate with its associated private key, ready to be assigned to your web site.
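The whole wizard walkthrough above can be scripted with certreq and an INF file, which is handy when the same SAN request has to be reproduced on several servers. This is an added example and not part of the original post; the host names, organisation, friendly name and file paths are constructed placeholders, and every setting maps to one of the wizard pages (Legacy key = KeySpec 1 with an RSA SChannel provider, Server Authentication EKU on the Extensions tab, the DNS entries on the Subject tab).

```powershell
# Added example: build the SAN server-authentication request with certreq instead of
# the Certificates MMC wizard. All names below are constructed placeholders.
# Single-quoted here-string so "$Windows NT$" is written literally.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject as on the Subject tab (add O / C if your public CA requires them)
Subject = "CN=mail.example.com, O=Example Ltd, C=MK"
KeyLength = 2048
KeyAlgorithm = RSA
; KeySpec 1 = AT_KEYEXCHANGE, the "Legacy key" choice of the wizard
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
; TRUE only if the key must later be exported to other nodes (e.g. a web farm)
Exportable = TRUE
; store the key in the local computer store, as in the MMC walkthrough
MachineKeySet = TRUE
RequestType = PKCS10
FriendlyName = "mail.example.com SAN"

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication (Extensions tab, Application policies)
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name; one dns= entry per alternative name
2.5.29.17 = "{text}"
_continue_ = "dns=mail.example.com&"
_continue_ = "dns=autodiscover.example.com&"
_continue_ = "dns=owa.example.com"
'@

$infPath = Join-Path $env:TEMP "san-request.inf"
$reqPath = Join-Path $env:TEMP "san-request.req"
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the local machine store and writes a Base64 PKCS#10 request
certreq -new $infPath $reqPath

# Sanity check before submitting the CSR: decode it and confirm the SAN entries are present
certreq -dump $reqPath | Select-String -Pattern "DNS Name="
```

Submit the .req to the CA as in the post; when the issued certificate comes back, `certreq -accept issued.cer` installs it into the local computer store and binds it to the private key that `certreq -new` generated, which is the step the wizard's import performs.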


How to create anonymous relay receive connector on Exchange 2010 ?

My best practice is to create a separate custom receive connector for anonymous relay instead of using the default one, so that you can limit by source IP address who is allowed to relay email anonymously. To do so you have to grant anonymous connections the extended right to accept any recipient email address (in this example we have created a new receive connector named "AnoRel"):

Get-ReceiveConnector "AnoRel" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

More on this topic at http://technet.microsoft.com/en-us/library/bb232021.aspx
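The full procedure the post recommends, as an added example (not the post's own code): create the dedicated connector bound to an explicit list of internal hosts, grant the Accept-Any-Recipient right, and then verify both the right and the source range, because RemoteIPRanges is the only thing that stops this connector from being an open relay. The server name, listening address, connector name and allowed hosts are constructed placeholders.

```powershell
# Added example: dedicated anonymous relay connector restricted by source IP.
# Server name, IPs and connector name are constructed placeholders.
$server        = "HUB01"
$connectorName = "AnoRel"
$listenOn      = "10.0.0.10:25"              # local IP:port the hub listens on
$allowedHosts  = "10.0.0.50", "10.0.0.51"    # the only hosts allowed to relay anonymously

New-ReceiveConnector -Name $connectorName -Server $server -Usage Custom `
    -Bindings $listenOn -RemoteIPRanges $allowedHosts `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Extended right that lets anonymous sessions submit to any (external) recipient.
# It applies to whoever can reach this connector, so RemoteIPRanges must stay tight.
Get-ReceiveConnector "$server\$connectorName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# Verification 1: bindings and source range are what you intended
Get-ReceiveConnector "$server\$connectorName" |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# Verification 2: the right is present (and is an Allow, not a Deny) for anonymous logon
Get-ADPermission "$server\$connectorName" -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" } |
    Format-Table User, ExtendedRights, Deny, IsInherited -AutoSize
```

Run the second verification against the default receive connector as well: if the same right ever shows up there, every host on the network can relay, which is exactly what the separate connector is meant to prevent.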

How to remove service pack (SP1) backup files on Windows 7 or Windows Server 2008 R2

If you are running out of space on a (virtual) machine with Windows Server 2008 R2 and SP1 installed, and after some time you decide that everything is working fine with the service pack, you have the option to remove the backup files created by the service pack installation. One way to do that is with DISM:
DISM.exe /online /Cleanup-Image /spsuperseded
More on SP1 deployment, removal and uninstall at http://technet.microsoft.com/en-us/library/ff817650(WS.10).aspx .

How to decompress files that have been compressed by disk cleanup

If you would like to decompress files that were previously compressed by Disk Cleanup (for example because you have replaced or imaged an old small disk with a bigger one) and you want better performance, run:

compact /u /s /a /q /i *.*
More on the compact command at http://technet.microsoft.com/en-us/library/bb490884.aspx

How to find delegated Send As on a user mailbox

If you would like to find delegated Send As permissions on user mailboxes, you can use the following PowerShell command:
Get-Mailbox | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | select Identity, User, ExtendedRights, IsInherited | FT -Wrap

For example, you can use this command to find BES-enabled users who have delegated Send As permission to the BES admin user.

Changing logo on OWA Exchange 2010 SP1

If you would like to customize the default OWA logo shown after you log on to OWA 2010:


you will have to replace the default OWA logo in the sprites file. You can find the sprite and CSS files at the following location: \Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\<version>\themes\base\ (csssprites.png and csssprites.css). If you open the sprites file you will see the default logo:


If you open the CSS file, you will see that the logo size should be 144x42:


.sprites-logoowa-png{background-image:url('csssprites.png');background-position:-62px 0px;width: 144px;height: 42px;}
After inserting the new logo into the sprites file, you will see your new logo after logging on to OWA 2010 (note: be careful when modifying the sprites file).


Receiving warning event 1021 from MSExchangeTransport on Exchange 2010

You may see the following warning message on your Exchange 2010 Hub Transport servers:

Receive connector <receive connector name> rejected an incoming connection from IP address a.b.c.d. The maximum number of connections per source (20) for this connector has been reached by this source IP address.
Each receive connector has a parameter that specifies the maximum number of inbound connections the connector serves at the same time from a single IP address. You can change this value with the Set-ReceiveConnector cmdlet (for example, to allow 50 concurrent connections from the same IP address: Set-ReceiveConnector "unique receive connector name" -MaxInboundConnectionPerSource 50). More on Set-ReceiveConnector at http://technet.microsoft.com/en-us/library/bb125140.aspx .
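Before raising the limit it is worth knowing which source IPs are hitting it on which connector, so the value is raised only on the connector that a legitimate sender (application server, scanner, upstream gateway) actually uses, rather than masking a host that is opening far too many sessions. The following is an added example, not code from the original post: it pulls the 1021 warnings from the Application log, parses the connector name and source IP out of the message text shown above, and tallies them. The hub server name is a constructed placeholder.

```powershell
# Added example: tally event 1021 rejections per (connector, source IP).
# Server name is a constructed placeholder.
$hubServer = "HUB01"
$since     = (Get-Date).AddDays(-1)

$events = Get-EventLog -ComputerName $hubServer -LogName Application `
              -Source MSExchangeTransport -After $since |
          Where-Object { $_.EventID -eq 1021 }

# Matches the message text quoted in the post:
# "Receive connector <name> rejected an incoming connection from IP address a.b.c.d."
$pattern = 'Receive connector (?<connector>.+?) rejected an incoming connection from IP address (?<ip>[0-9a-fA-F\.:]+)\.'

$hits = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        New-Object PSObject -Property @{
            Time      = $e.TimeGenerated
            Connector = $Matches['connector']
            SourceIP  = $Matches['ip']
        }
    }
}

# Rejections per connector and source over the window, busiest first
$hits | Group-Object Connector, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Current limit on each connector of that server, for comparison with the counts above
Get-ReceiveConnector -Server $hubServer |
    Format-Table Name, MaxInboundConnectionPerSource -AutoSize

# Only then raise it, and only on the connector the legitimate source uses, e.g.:
# Set-ReceiveConnector "$hubServer\Default $hubServer" -MaxInboundConnectionPerSource 50
```

A source that appears with a high count on the default connector but is not a known relay host is a reason to look at that host first; the limit exists to keep one misbehaving client from consuming all of the connector's sessions.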

Insufficient access rights to perform the move mailbox operation from Exchange 2007 to Exchange 2010 organization

When moving a mailbox from an Exchange 2007 to an Exchange 2010 organization I experienced the following error message:

Error:
Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098:  problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.

The reason is that inheritable permissions are not enabled on the user object. To resolve the error, check the "Allow inheritable permissions from this object's parent" check box in the AD user's advanced security settings dialog:


After setting the check box the move mailbox operation should complete successfully.
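The same check and fix from the shell, as an added example that is not part of the original post: it reports whether inheritance is blocked on the user object and, if so, re-enables it with the AD provider, which is what the dialog check box does. It assumes the ActiveDirectory module is available; the user name is a constructed placeholder.

```powershell
# Added example: detect and re-enable permission inheritance on an AD user object.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT); "jdoe" is constructed.
Import-Module ActiveDirectory

function Get-InheritanceStatus {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    New-Object PSObject -Property @{
        User               = $user.SamAccountName
        DistinguishedName  = $user.DistinguishedName
        InheritanceBlocked = $acl.AreAccessRulesProtected   # $true = check box is cleared
        AdminCount         = $user.adminCount               # 1 = protected by AdminSDHolder
    }
}

function Enable-Inheritance {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\" + $user.DistinguishedName
    $acl  = Get-Acl -Path $path
    # isProtected = $false allows inheritance again; the second argument only matters
    # when protecting, so the explicit ACEs on the object are left as they are
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

$status = Get-InheritanceStatus -SamAccountName "jdoe"
$status | Format-List

if ($status.InheritanceBlocked) {
    Enable-Inheritance -SamAccountName "jdoe"
    # Re-read: InheritanceBlocked should now be False
    Get-InheritanceStatus -SamAccountName "jdoe" | Format-List User, InheritanceBlocked
}
```

One caveat the dialog does not tell you: if AdminCount is 1, the account is a member (or former member) of a protected group and the SDProp process will clear the check box again within about an hour, so for such accounts the fix holds only long enough to run the move, or the account has to be taken out of the protected groups and adminCount reset first.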

Receiving error event 4002 from MSExchange Availability on Exchange 2010

During the upgrade from Exchange 2007 to Exchange 2010 I was seeing error event 4002 in the Application log on the Exchange 2010 servers. Here is part of the error:

Process 5436: ProxyWebRequest IntraSite from S-1-1-0 to https://casserver2007.local.domain/EWS/Exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Web.Services.Protocols.SoapException: Microsoft.Exchange.InfoWorker.Common.Availability.TimeIntervalTooBigException: The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 62 days. ---> The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 62 days.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.Proxy.Service.EndGetUserAvailability(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.FreeBusyApplication.EndProxyWebRequest(ProxyWebRequest proxyWebRequest, QueryList queryList, Service service, IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequest.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling(). The request information is ProxyWebRequest type = IntraSite, url = https://casserver2007.local.domain/EWS/Exchange.asmx

By default, Exchange 2007 allows availability queries for up to 42 days, while on Exchange 2010 this limit is 62 days. So, when Exchange 2010 proxies a request for a user on Exchange 2007, the request fails because Exchange 2010 asks for 62 days of information while Exchange 2007 accepts at most 42 days. To avoid this you can set the maximumQueryIntervalDays value in the EWS web.config located in <Exchange 2007 installation folder>\ClientAccess\Exchweb\ews . maximumQueryIntervalDays must be added under the appSettings section. By default this value does not exist and Exchange 2007 uses the default interval of 42 days. Here is a sample of how the appSettings section should look:

<appSettings>
<add key="maximumQueryIntervalDays" value="62" />
</appSettings>

After adding this setting you will have to run IISReset, after which the Exchange 2007 CAS server will accept the new value. In my case this setting made error event 4002 on Exchange 2010 disappear.

Warning messages on BES Express hosted on Exchange 2010

After delegating all the permissions to your BES Express service account on your Exchange 2010 databases, defining the throttling policy and so on (check the installation guides at http://docs.blackberry.com/en/admin/subcategories/?userType=2&category=BlackBerry+Enterprise+Server&subCategory=BlackBerry+Enterprise+Server+for+Microsoft+Exchange ), you expect everything to work properly on the server and client side. Unfortunately, if you have configured load balancers in your Exchange 2010 environment, you will receive tons of warning messages in the Application log on the BES Express server, something like:


The resolution is published as KB22812 or, long story short, try to avoid the load balancers (point the BES Express server at one of the CAS servers behind the load balancer, using the hosts file).

BlackBerry Administration Service - Native Code Container (BAS-NCC.exe) is stopping and restarting every hour

You may see BAS-NCC.exe restarting a couple of times, ten minutes past every hour, on your BES Express server, with the following error in your Application event log:




BlackBerry has published KB23927 describing this problem for Windows Server 2008 and Windows Server 2008 R2, with an upgrade to BES Express 5.0 SP3 as the resolution. In my case the OS was Windows Server 2003 R2 SP2 and the BES version was 5.0 SP3 MR1, and I was experiencing the same problem?!

In my case the resolution was to remove the proxy server settings from the account the service was running under. The account did not have permission to use the proxy settings, and BES Express 5.0 tries to connect to the Internet to download the device.xml and vendor.xml files. More about it in KB13589.

You're unable to activate database copy on Exchange 2010 mailbox server

If you receive the following error message when you try to activate a mailbox database copy on one of your DAG member servers:

An Active Manager operation failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'Mailbox Database 01' on server 'Server3.domain.name' has content index catalog files in the following state: 'Failed'..

You can check the status of the mailbox database content index with:

Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name              : Mailbox Database 01\Server3
ContentIndexState : Failed

Name              : Mailbox Database 02\Server3
ContentIndexState : Healthy

Also on the mailbox server where the content index is corrupted you can see the following event:

Event ID: 123
Level: Error
Source: ExchangeStoreDB

At <timestamp> the Microsoft Exchange Information Store Database <identity> copy on this server experienced a corrupted search catalog. Consult the event log on the server for other "ExchangeStoreDb" and "MSExchange Search Indexer" events for more specific information about the failure. Reseeding the catalog is recommended via the 'Update-MailboxDatabaseCopy' task.

To resolve this, update the content index on the failed server with Update-MailboxDatabaseCopy (http://technet.microsoft.com/en-us/library/ee633475.aspx):

Update-MailboxDatabaseCopy "Mailbox Database 01\Server3" -CatalogOnly

After reseeding, the content index should be in a healthy state:

Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\Server3
ContentIndexState : Healthy

Name : Mailbox Database 02\Server3
ContentIndexState : Healthy

Now you can successfully activate Mailbox Database 01 on Server3.
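The single reseed above generalises to a DAG-wide check: list every database copy whose content index is Failed, reseed only the catalog on each, and re-check before attempting any activation. This is an added example, not code from the original post; it runs in the Exchange 2010 Management Shell and makes no other assumptions.

```powershell
# Added example: find every copy with a Failed content index across the DAG and
# reseed only the catalog (-CatalogOnly leaves the database files untouched).
$failed = Get-MailboxDatabase |
          Get-MailboxDatabaseCopyStatus |
          Where-Object { $_.ContentIndexState -eq "Failed" }

if (-not $failed) {
    "No database copy has a Failed content index."
} else {
    $failed | Format-Table Name, Status, ContentIndexState -AutoSize

    foreach ($copy in $failed) {
        # Name is "Database\Server", the identity Update-MailboxDatabaseCopy expects;
        # the cmdlet prompts before reseeding unless -Confirm:$false is added
        Update-MailboxDatabaseCopy -Identity $copy.Name -CatalogOnly
    }
}

# Re-check: nothing should still be Failed. Crawling means the rebuild is in progress
# and the copy is still not a safe activation target until it reaches Healthy.
Get-MailboxDatabase |
    Get-MailboxDatabaseCopyStatus |
    Where-Object { $_.ContentIndexState -ne "Healthy" } |
    Format-Table Name, Status, ContentIndexState -AutoSize
```

Activation fails on a Failed index because Active Manager validates the catalog as part of the copy, so running this check before a planned switchover avoids discovering the problem at the moment you need the copy.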

Public folder database does not replicate on Exchange 2010

In my case the Exchange organization had been migrated from Exchange 2000 to Exchange 2007. Public folder replication between the Exchange 2000 and 2007 servers was OK before the last Exchange 2000 server was removed, and after removing it public folder replication between the Exchange 2007 mailbox servers was still working fine. When Exchange 2010 mailbox servers were introduced into the organization, mail flow was OK, but the public folder databases created on the Exchange 2010 servers were not replicating with the public folder databases mounted on the Exchange 2007 mailbox servers. In the event log of the Exchange 2010 mailbox servers I found the following event:

Log Name: Application
Source: MSExchange Store Driver
Event ID: 1020
Level: Error
Description:

The store driver couldnt deliver the public folder replication message "Hierarchy (PublicFolder@domain.name)" because the following error occurred: The Active Directory user wasn't found.

The resolution is to delete the empty Servers container left over from the Exchange 2000 organization in Active Directory (using ADSI Edit):



Microsoft has published an article about this issue: http://support.microsoft.com/?kbid=2487271 .

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Official version available for download: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=27603 .

Microsoft Office Communicator 2007 could not retrieve calendar or Out of Office information from Exchange Web Services

If you upgrade your Exchange organization to Exchange 2010 (or do a greenfield installation) and you are not patching Office Communicator 2007 regularly, you may see the following message:




The resolution can be found in the following Microsoft articles:
http://support.microsoft.com/kb/2028885 or http://support.microsoft.com/kb/2300255 .

BSOD (Blue Screen Of Death)


I experienced a few BSODs last week after updating some device drivers on my Windows 7 SP1 (x86) workstation. Since I was updating from Microsoft Update, I did not suspect the updated drivers, so I scheduled a chkdsk surface scan of my HDD, suspecting bad sectors. Fortunately the HDD was free of bad sectors, so I decided to examine the crash dump file with WinDbg. For more on how to obtain WinDbg, how to read a small memory dump and how to set up symbols, see the Microsoft articles http://support.microsoft.com/kb/311503 and http://support.microsoft.com/kb/315263 .

Here is the output from my minidump:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
VIDEO_TDR_FAILURE (116)
Attempt to reset the display driver and recover from timeout failed.
Arguments:
Arg1: 864cf100, Optional pointer to internal TDR recovery context (TDR_RECOVERY_CONTEXT).
Arg2: 92906326, The pointer into responsible device driver module (e.g. owner tag).
Arg3: c00000b5, Optional error code (NTSTATUS) of the last failed operation.
Arg4: 0000000a, Optional internal context dependent data.
Debugging Details:
------------------
Unable to load image \SystemRoot\system32\DRIVERS\nvlddmkm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
FAULTING_IP:
nvlddmkm+de326
92906326 55              push    ebp
DEFAULT_BUCKET_ID:  GRAPHICS_DRIVER_TDR_FAULT
CUSTOMER_CRASH_COUNT:  1
BUGCHECK_STR:  0x116
PROCESS_NAME:  System
CURRENT_IRQL:  0
STACK_TEXT: 
8e4fdb74 9333507b 00000116 864cf100 92906326 nt!KeBugCheckEx+0x1e
8e4fdb98 93329937 92906326 c00000b5 0000000a dxgkrnl!TdrBugcheckOnTimeout+0x8d
8e4fdbbc 9336592c c00000b5 00000102 8710a008 dxgkrnl!TdrIsRecoveryRequired+0xb8
8e4fdc34 9338f944 fffffcfb 00565127 00000000 dxgmms1!VidSchiReportHwHang+0x3c0
8e4fdc5c 93390065 00000000 00000000 00000000 dxgmms1!VidSchiCheckHwProgress+0x68
8e4fdc98 9336c8f0 8e4fdc90 86104c20 8636dd08 dxgmms1!VidSchiWaitForSchedulerEvents+0x1b1
8e4fdd28 933913c9 8710a008 82c4d509 8710a008 dxgmms1!VidSchiScheduleCommandToRun+0xaa
8e4fdd3c 93391485 8710a008 00000000 87121410 dxgmms1!VidSchiRun_PriorityTable+0xf
8e4fdd50 82e1efda 8710a008 be498b21 00000000 dxgmms1!VidSchiWorkerThread+0x7f
8e4fdd90 82cc71d9 93391406 8710a008 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

STACK_COMMAND:  .bugcheck ; kb
FOLLOWUP_IP:
nvlddmkm+de326
92906326 55              push    ebp
SYMBOL_NAME:  nvlddmkm+de326
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: nvlddmkm
IMAGE_NAME:  nvlddmkm.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4c379162
FAILURE_BUCKET_ID:  0x116_IMAGE_nvlddmkm.sys
BUCKET_ID:  0x116_IMAGE_nvlddmkm.sys
Followup: MachineOwner
---------

From the output I noticed that the BSOD was caused by the Nvidia video card and its graphics driver nvlddmkm.sys. After updating the graphics driver with the latest version from the Nvidia site, the case was successfully closed.

Asking yourself how many messages are transported in your Exchange organization?

In my Exchange 2010 migration scenario I was using the Exchange team's calculator (http://blogs.technet.com/b/exchange/archive/2009/11/09/3408737.aspx), and in order to calculate the required number of IOPS per database (or server), two of the required input parameters are total messages per mailbox per day and average message size in KB. If you don't want to simply guess these numbers, you can use Rob's script for gathering email statistics (http://gallery.technet.microsoft.com/scriptcenter/bb94b422-eb9e-4c53-a454-f7da6ddfb5d6?SRC=Home). From the gathered data, use "Received Total Messages" and "Sent Unique Total" to get the total number of messages per user, and "Received MB Total" and "Sent Unique MB Total" to get the daily traffic in MB for each user. From these you can compute the average number of total messages per mailbox per day and the average size in MB (KB) of each message, and fill in the calculator's Total Send/Receive Capability / Mailbox / Day and Average Message Size (KB).
With a small modification of the script you can gather statistics for a maximum of 30 days (if you have not changed the default message tracking log retention on the hub transport servers) and only if the hub transport server has not hit the 1 GB disk space limit for the logs. To eliminate so many "ifs", you can use Rob's great script for hub transport message tracking log information: http://mjolinor.wordpress.com/2011/02/11/how-far-back-do-your-message-tracking-logs-really-go/ .
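For the calculator inputs alone, the two numbers can be derived straight from the message tracking logs without the linked scripts. The following is an added example, not code from the original post or from Rob's scripts; its counting rules are this example's own approximation of the columns named above: every DELIVER event counts as one received message per recipient (received total), and every RECEIVE event whose Source is STOREDRIVER counts once for its sender regardless of recipient count (sent unique). It assumes the Exchange 2010 Management Shell and tracking logs covering the chosen window.

```powershell
# Added example: messages per mailbox per day and average message size (KB)
# from the hub transport message tracking logs. Counting rules are an assumption
# of this example (DELIVER = received per recipient, STOREDRIVER RECEIVE = sent unique).
$days  = 7
$start = (Get-Date).AddDays(-$days)
$end   = Get-Date

$entries = Get-TransportServer |
    Get-MessageTrackingLog -Start $start -End $end -ResultSize Unlimited |
    Where-Object { $_.EventId -eq "DELIVER" -or
                  ($_.EventId -eq "RECEIVE" -and $_.Source -eq "STOREDRIVER") }

$rcvCount = @{}; $rcvBytes = @{}; $sntCount = @{}; $sntBytes = @{}

foreach ($m in $entries) {
    if ($m.EventId -eq "DELIVER") {
        foreach ($rcpt in $m.Recipients) {
            $rcvCount[$rcpt] = [int]$rcvCount[$rcpt] + 1
            $rcvBytes[$rcpt] = [long]$rcvBytes[$rcpt] + [long]$m.TotalBytes
        }
    } else {
        $sntCount[$m.Sender] = [int]$sntCount[$m.Sender] + 1
        $sntBytes[$m.Sender] = [long]$sntBytes[$m.Sender] + [long]$m.TotalBytes
    }
}

# Per-user view with the four columns the post takes from the statistics script
$users = @(@($rcvCount.Keys) + @($sntCount.Keys) | Sort-Object -Unique)
$perUser = foreach ($u in $users) {
    New-Object PSObject -Property @{
        User            = $u
        ReceivedTotal   = [int]$rcvCount[$u]
        ReceivedMBTotal = [math]::Round([long]$rcvBytes[$u] / 1MB, 2)
        SentUniqueTotal = [int]$sntCount[$u]
        SentUniqueMB    = [math]::Round([long]$sntBytes[$u] / 1MB, 2)
    }
}
$perUser | Sort-Object ReceivedTotal -Descending | Format-Table -AutoSize

# The two calculator inputs, averaged over all users seen and over the window
$totalMsgs  = ($perUser | Measure-Object ReceivedTotal -Sum).Sum +
              ($perUser | Measure-Object SentUniqueTotal -Sum).Sum
$totalBytes = ($rcvBytes.Values | Measure-Object -Sum).Sum +
              ($sntBytes.Values | Measure-Object -Sum).Sum
if ($totalMsgs -gt 0 -and $users.Count -gt 0) {
    "Total Send/Receive Capability / Mailbox / Day : {0:N1}" -f ($totalMsgs / ($users.Count * $days))
    "Average Message Size (KB)                     : {0:N1}" -f (($totalBytes / $totalMsgs) / 1KB)
}
```

Keep the window inside what the tracking logs actually hold (the 30-day default and the 1 GB cap mentioned above); a window longer than the retained logs silently lowers the per-day figure, because the divisor counts days the logs no longer cover.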

You can't make your Exchange 2010 Jetstress tests to pass

If you're testing your disk subsystem for Exchange 2010 with Jetstress and you're unable to get a "green" pass because the database read latency is higher than 20 msec, then it's time to reduce the number of threads and fine tune. But if you reduce the number of threads, you will lose IOPS.
For example: with 2 threads you can't achieve the required number of IOPS, and with 3 threads you achieve the required IOPS but the database read latencies are higher than 20 msec. In that case you can use the "SluggishSessions" parameter, found in the JetstressConfig.xml file. By default it is set to 1; start increasing it by 1 at a time, which makes Jetstress add a pause between tasks. Increasing "SluggishSessions" will cost you IOPS.

For example: with thread count 3 and SluggishSessions 2, I was able to achieve the required number of IOPS, but the database read latencies were still higher than 20 msec:

By increasing SluggishSessions to 3 I was losing IOPS, but the database read latencies dropped below 20 msec:


For more on threads and "SluggishSessions" check the following TechNet article: http://technet.microsoft.com/en-us/library/ff459238.aspx

Your VM running on Hyper V is not in sync (time)

I experienced something strange on a Hyper-V cluster based on Windows Server 2008 R2 SP1 Enterprise with a VM guest running the same OS (Standard edition): time synchronization was enabled in the VM settings, but the VM was still out of sync.
I checked that the Windows Time service was running and queried the synchronization source, and it was the free-running system clock!
After restarting the Windows Time service, the VM started syncing with the local CMOS clock instead of with the host (parent partition).
My guess is that the VM was not reading the time synchronization setting from the VM configuration, so I disabled and re-enabled the setting and restarted the Windows Time service; within a few seconds the VM was synchronizing time with the host:
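The check described above, as an added example that is not part of the original post: it asks w32tm inside the guest which source the Windows Time service is using, treats anything other than the Hyper-V integration provider as "not synchronizing with the host", and only in that case restarts the service and re-checks. The expected source strings are the ones w32tm prints on Windows Server 2008 R2; nothing else is assumed.

```powershell
# Added example: verify the guest's time source and restart w32time only if it is
# not taking time from the Hyper-V host.
function Get-TimeSource {
    # w32tm prints one line, e.g. "VM IC Time Synchronization Provider",
    # "Local CMOS Clock" or "Free-running System Clock"
    $source = (w32tm /query /source | Out-String).Trim()
    New-Object PSObject -Property @{
        Source     = $source
        HyperVSync = ($source -like "VM IC Time Synchronization Provider*")
    }
}

$before = Get-TimeSource
$before | Format-List

if (-not $before.HyperVSync) {
    # "Free-running System Clock" or "Local CMOS Clock" means the guest is not
    # following the parent partition even though the VM setting may be enabled
    Restart-Service w32time
    Start-Sleep -Seconds 10
    w32tm /resync | Out-Null
    Get-TimeSource | Format-List
}
```

If the source is still the CMOS clock after the restart, the post's remaining step applies: disable and re-enable the Time synchronization integration service in the VM settings, then run the check again.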

One more thing: if the server is Windows 2008 R2 and not domain joined, the Windows Time service will stop automatically. On reboot you can see the following event:

This is the default behaviour; you can find more info in the (machine-translated) Japanese KB:
http://translate.google.com/translate?hl=en&sl=ja&u=http://support.microsoft.com/kb/2385818/ja

Object "computername" contains other objects

If you try to delete a computer object in AD, you might receive the warning that Object <computername> contains other objects. To see what the computer object contains, select "Users, Contacts, Groups and Computers as containers" in the View menu of the Active Directory Users and Computers console:


In most cases, if the computer object is a client workstation, it will be a printer.

"Internet Explorer has modified this page to help prevent coss-site scripting."

Internet Explorer 9 includes a cross-site scripting (XSS) filter which is enabled by default (http://windows.microsoft.com/en-GB/internet-explorer/products/ie-9/features/cross-site-scripting-filter). In my case IE 9 was pushed via WSUS, and a couple of older web applications were still running that the enabled XSS filter prevented from working properly.
If you trust the application or it runs on the intranet, and for some reason IE 9 is not applying the Local intranet zone settings, just add the site manually to the Local intranet zone (the XSS filter is disabled by default in the Local intranet zone).

You can't deploy OS on client in SCCM 2007 SP2

If you try to install an OS on the same client within one hour of the previous deployment, the machine will fail to PXE boot. To fix this, change the HKLM\Software\Microsoft\SMS\PXE\CacheExpire value to, for example, 120 (2 minutes); 0 means the default of 60 minutes. For more info see http://support.microsoft.com/kb/2019640 .

You can't access pages via TMG as proxy with https inspection enabled on port different than 443

If you try to access pages over HTTPS on a port other than 443 via TMG with HTTPS inspection enabled, the TMG logs show the following error: "12204 The specified Secure Sockets Layer (SSL) port is not allowed. Forefront TMG is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests".
As a solution I came across the following article http://technet.microsoft.com/en-us/library/cc302450.aspx . There are three scripts for managing tunnel port ranges (view, add, delete). In my case I needed to reach port 8443 over SSL, so I added a new tunnel port range with the single port 8443 by running "cscript addrange.vbs ssl8443 8443", and TMG started proxying SSL requests to the requested destination on 8443.

Blank page when accessing streamed pdf file over https

If you get a blank page in Internet Explorer when you try to open a streamed PDF document, and you have tried almost everything including resetting the browser, reinstalling Adobe Reader (re-registering the ActiveX plug-in) and installing the latest version of Adobe Reader, and you still get a blank white page, try opening the same streamed PDF over plain HTTP (if you host the web server, or someone can provide that for you). In my case the streamed PDF opened successfully when it was served over HTTP. So I dug deeper and came across the article http://support.microsoft.com/kb/323308 "Internet Explorer file downloads over SSL do not work with the cache control headers". In my scenario the client was running XP with IE 8 and Adobe Reader 8, and the web server was IIS 7.5. Microsoft's KB has a solution for IE 8: I added the registry value "BypassSSLNoCacheCheck"=Dword:00000001 and IE finally showed the streamed PDF! But be aware that the server is sending "cache-control:no-store"; check with your developers!
In order not to add registry settings on all workstations, I pushed the developers to change their code to response.setHeader("Cache-Control","private"), and the case was successfully closed.

How to check EMBG (Unique Master Citizen Number) using regex

In this post, I will share my implementation of how to check if some number looks like EMBG or Unique Master Citizen Number. For those of yo...