Showing posts from 2011

Can't modify message delivery restrictions properties on Exchange 2010 EMC

In my case there was a distribution group with message delivery restrictions defined: the group accepted messages only from the senders listed in its list box. When I tried to modify that list of users I received the following error message:
"Set-DistributionGroup Failed: Error: Couldn't find object "domain/local/disabled users/user who is no longer in company." The disabled user was not shown in the list presented by the Exchange 2010 EMC, so I couldn't remove it from the console. The problem can be resolved with the Exchange 2007 EMC (the disabled user is visible in the message delivery restrictions dialog's list box) if you are still in the migration period from Exchange 2007, or with the Active Directory Users and Computers console from Windows Server 2008, or with ADSIEdit. In the properties of the "problematic" distribution group, on the Attribute Editor tab (ADUC console), the authOrig attribute is populated with the users that can send email messages to t…
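The same inspection of authOrig can be done from the Active Directory module instead of the Attribute Editor. The script below is an added example (not from the original post): it lists every DN stored in the group's authOrig attribute, classifies each one as missing, not mail-enabled, or disabled, and shows (with -WhatIf) how the stale entries would be removed. The group name "Sales-DL" is a placeholder.

```powershell
# Added example, not part of the original post.
# Requires the ActiveDirectory module (RSAT on Windows Server 2008 R2).
Import-Module ActiveDirectory

$groupName = "Sales-DL"   # placeholder group name

function Get-AuthOrigStatus {
    param([string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties authOrig
    foreach ($dn in $g.authOrig) {
        try {
            $obj = Get-ADObject -Identity $dn -Properties mail, userAccountControl -ErrorAction Stop
            # Bit 0x2 of userAccountControl = ACCOUNTDISABLE
            $disabled = ($obj.userAccountControl -band 2) -ne 0
            if (-not $obj.mail)  { $state = "NoMailAddress" }
            elseif ($disabled)   { $state = "Disabled" }
            else                 { $state = "OK" }
        } catch {
            # DN no longer resolves at all (object deleted)
            $state = "Missing"
        }
        New-Object PSObject -Property @{ DN = $dn; State = $state }
    }
}

$report = Get-AuthOrigStatus -Group $groupName
$report | Format-Table State, DN -AutoSize

# Entries EMC cannot display are the ones it can no longer resolve as recipients.
# Review the list, then drop -WhatIf to actually remove them from authOrig.
$stale = $report | Where-Object { $_.State -ne "OK" } | ForEach-Object { $_.DN }
if ($stale) {
    Set-ADGroup -Identity $groupName -Remove @{ authOrig = $stale } -WhatIf
}
```

Run it as an account with write access to the group; the removal line is deliberately left in -WhatIf mode so the report can be checked first.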

How to request SAN certificate using mmc

You can use the Certificates MMC console to request a SAN certificate for your web server (server authentication). After you have added the Certificates snap-in for the local computer store, create a custom request:

The Certificate Enrollment wizard will start. On the Before You Begin page click Next; on Select Certificate Enrollment Policy select Custom Request (Proceed without enrollment policy) and click Next.

On the Custom Request page, for Template options select (No template) Legacy key:

On Certificate Information click Details and then Properties:

Enter a friendly name for the certificate:

On the Subject tab add the desired common name and the alternative names for the certificate:

Some public CAs require additional information in the certificate request, like Country.

On the Extensions tab add Server Authentication to the application policies:

On the Private Key tab select the key options and key type:

Click OK to return to the wizard page and click Next to save the request to a file:

After finishing the wizard, you will hav…
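The same request (subject, SAN list, server authentication EKU, 2048-bit exchange key in the machine store) can be produced without clicking through the wizard, using certreq and an INF file. This is an added example and not part of the original post; the host names, organisation and file paths are placeholders.

```powershell
# Added example, not part of the original post.
# Writes a certreq INF describing the same request the MMC wizard builds,
# generates the CSR, and dumps it so the SAN extension can be checked.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com, O=Example Org, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.com&"
_continue_ = "dns=example.com&"
'@

# Placeholder paths
$infPath = "C:\Temp\san.inf"
$reqPath = "C:\Temp\san.req"

Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Creates the key pair in the local machine store and writes the PKCS#10 request
certreq.exe -new $infPath $reqPath

# Check: the dump must show "Subject Alternative Name" with every DNS entry
# and "Server Authentication" under Enhanced Key Usage before the CSR is sent to the CA
certutil.exe -dump $reqPath
```

KeySpec = 1 (AT_KEYEXCHANGE) and KeyUsage = 0xA0 (digital signature + key encipherment) match what SChannel needs for a server certificate; 2.5.29.17 is the Subject Alternative Name extension OID and 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU. Exportable is left FALSE so the private key cannot be pulled out of the store later.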

How to create an anonymous relay receive connector on Exchange 2010?

My best practice is to create a separate custom receive connector for anonymous users instead of using the default one, because on a separate connector you can limit by source IP address who is able to relay emails anonymously. To make it relay, you have to grant anonymous connections the extended right to accept any recipient email address (in this example we have created a new receive connector named "AnoRel"):

Get-ReceiveConnector "AnoRel" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

More on this topic on
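An end-to-end version of the procedure above, added here as an example (not the original post's code): create the custom connector with the source-IP restriction that makes it safe, grant the relay right, and then verify that no other connector on the server carries that right. The server name, connector name and IP addresses are placeholders.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell.
$hubServer  = "HUB01"                      # placeholder Hub Transport server
$connector  = "AnoRel"                     # placeholder connector name
$allowedIPs = "10.10.5.20", "10.10.5.21"   # placeholder application servers allowed to relay

# A Custom connector needs explicit bindings and remote IP ranges. Because the
# remote range is more specific than the default connector's 0.0.0.0-255.255.255.255,
# only these two hosts are matched to it; everyone else keeps hitting the default
# connector, which does not relay.
New-ReceiveConnector -Name $connector -Server $hubServer -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $allowedIPs `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# The relay right from the post, on this connector only
Get-ReceiveConnector "$hubServer\$connector" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# Verification: list every connector on the server and whether anonymous
# connections hold Accept-Any-Recipient on it. Only $connector should say True.
Get-ReceiveConnector -Server $hubServer | ForEach-Object {
    $grant = $_ | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" -and -not $_.Deny }
    New-Object PSObject -Property @{
        Connector      = $_.Name
        RemoteIPRanges = ($_.RemoteIPRanges -join ", ")
        AnonymousRelay = [bool]$grant
    }
} | Format-Table Connector, AnonymousRelay, RemoteIPRanges -AutoSize
```

The verification loop is the part worth keeping around: re-running it periodically catches an Accept-Any-Recipient grant that was added to the default connector by mistake, which would turn the server into an open relay for anyone who can reach port 25.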

How to remove service pack (SP1) backup files on Windows 7 or Windows Server 2008 R2

If you're running out of space on your (virtual) machine with Windows Server 2008 R2 and SP1 installed, and after some time you decide that everything is working fine with the service pack, you have the option to remove the backup files created by the service pack installation. One way to do that is with DISM:

DISM.exe /online /Cleanup-Image /spsuperseded

More on SP1 deployment, removal and uninstall on .

How to decompress files that have been compressed by disk cleanup

If you would like to decompress files that were previously compressed by Disk Cleanup, because you have probably replaced (imaged) a small old disk with a bigger one and want better performance, run:

compact /u /s /a /q /i *.*

More on the compact command

How to find delegated Send As on a user mailbox

If you would like to find delegated Send-As permissions on user mailboxes, you can use the following PowerShell command:
Get-Mailbox | Get-ADPermission | where { ($_.ExtendedRights -like "*Send-As*") -and -not ($_.User -like "NT AUTHORITY\SELF") } | select Identity, User, ExtendedRights, IsInherited | FT -Wrap
For example, you can use it to find BES-enabled users whose mailbox has a delegated Send-As permission for the BES admin user.
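Wrapping the one-liner above in a function makes it usable for the audit the post describes. This is an added example (not the original post's script) and goes a little beyond it: it separates explicit grants from inherited ones, filters to a single trustee such as the BES admin account, and writes the result to CSV for review. The account name and output path are placeholders.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell.
function Get-DelegatedSendAs {
    param(
        [string]$Trustee = $null,    # e.g. "DOMAIN\besadmin" (placeholder); empty = everyone
        [switch]$IncludeInherited    # by default only explicit (non-inherited) grants are shown
    )
    Get-Mailbox -ResultSize Unlimited | Get-ADPermission |
        Where-Object {
            ($_.ExtendedRights -like "*Send-As*") -and
            (-not $_.Deny) -and
            ($_.User.ToString() -ne "NT AUTHORITY\SELF") -and
            ($IncludeInherited -or -not $_.IsInherited) -and
            ((-not $Trustee) -or ($_.User.ToString() -eq $Trustee))
        } |
        Select-Object Identity, User, IsInherited, @{ n = "Rights"; e = { $_.ExtendedRights -join "," } }
}

# Every explicit Send-As grant in the organisation
Get-DelegatedSendAs | Format-Table -Wrap

# Everything one service account may send as, exported for the reviewer
Get-DelegatedSendAs -Trustee "DOMAIN\besadmin" |
    Export-Csv -Path "C:\Temp\besadmin-sendas.csv" -NoTypeInformation
```

Excluding inherited entries is what makes the list reviewable: inherited Send-As normally comes from an OU- or database-level delegation that is expected, while an explicit entry on a single mailbox is the one somebody should be able to explain.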

Changing logo on OWA Exchange 2010 SP1

If you would like to customize the default OWA logo that you see after logging on to OWA 2010:

you have to replace the default OWA logo in the sprites file. The sprites and CSS files are located at :\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\<version>\themes\base\ (csssprites.png and csssprites.css). If you open the sprites file you will see the default logo:

If you open the CSS file, you will see that the logo size should be 144x42:

.sprites-logoowa-png{background-image:url('csssprites.png');background-position:-62px 0px;width: 144px;height: 42px;}

After inserting the new logo into the sprites file, you will see it after logging on to OWA 2010 (note: be careful when modifying the sprites file).

Receiving warning event 1021 from MSExchangeTransport on Exchange 2010

You may see the following warning message on your Exchange 2010 Hub Transport servers:

Receive connector <receive connector name> rejected an incoming connection from IP address a.b.c.d. The maximum number of connections per source (20) for this connector has been reached by this source IP address.
A receive connector has a parameter, MaxInboundConnectionPerSource, that specifies the maximum number of inbound connections the connector serves at the same time from a single IP address. You can change this value with the Set-ReceiveConnector cmdlet (for example, to allow 50 concurrent connections from the same IP address: Set-ReceiveConnector "unique receive connector name" -MaxInboundConnectionPerSource 50). More on Set-ReceiveConnector .
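Before raising the limit it is worth knowing which source addresses are actually hitting it, since a single IP opening 20 parallel SMTP sessions is either a legitimate relay host (or a load balancer that source-NATs everything behind it) or something misbehaving. The script below is an added example, not from the original post: it pulls event 1021 from the Application log, parses the connector name, source IP and limit out of the message text quoted above, and summarises them. The server name in the commented Set-ReceiveConnector line is a placeholder.

```powershell
# Added example, not part of the original post. Run on a Hub Transport server.
function Get-PerSourceLimitHits {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchangeTransport'
        Id           = 1021
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Matches the event text: "Receive connector <name> rejected an incoming connection
    # from IP address a.b.c.d. The maximum number of connections per source (20) ..."
    $pattern = 'Receive connector (?<connector>.+?) rejected an incoming connection from IP address ' +
               '(?<ip>\d{1,3}(?:\.\d{1,3}){3})\.\s+The maximum number of connections per source \((?<limit>\d+)\)'

    $events | ForEach-Object {
        if ($_.Message -match $pattern) {
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Connector = $Matches['connector']
                SourceIP  = $Matches['ip']
                Limit     = [int]$Matches['limit']
            }
        }
    } | Group-Object Connector, SourceIP | Sort-Object Count -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            Rejections = $_.Count
            Connector  = $_.Group[0].Connector
            SourceIP   = $_.Group[0].SourceIP
            Limit      = $_.Group[0].Limit
            LastSeen   = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    }
}

Get-PerSourceLimitHits -Hours 24 | Format-Table Rejections, Connector, SourceIP, Limit, LastSeen -AutoSize

# Only once the top source is confirmed as a known relay host or load balancer,
# raise the limit on that connector alone (placeholder identity):
# Set-ReceiveConnector "HUB01\AppRelay" -MaxInboundConnectionPerSource 50
```

Raising the value only on the connector that the identified host actually matches keeps the default limit in place for everyone else, so the check stays meaningful for the rest of the network.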

Insufficient access rights to perform the move mailbox operation from Exchange 2007 to Exchange 2010 organization

When moving a mailbox from an Exchange 2007 to an Exchange 2010 organization I experienced the following error message:

Error: Active Directory operation failed on dc.domain.local. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098:  problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 The user has insufficient access rights.
The reason is that inheritable permissions are not turned on for the user object. To resolve the error, check the "Allow inheritable permissions from this object's parent" check box in the AD user's advanced security settings dialog:

After setting the check box move mailbox operation should complete successfully.
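For more than a handful of users the check box is quicker to inspect and set from PowerShell. The two functions below are an added example (not from the original post): one reports whether inheritance is blocked on a user object, the other re-enables it. They also show adminCount, because an account that is (or once was) a member of a protected group carries adminCount=1 and the AdminSDHolder process re-blocks inheritance on it every 60 minutes, which would bring the move error back. The user name is a placeholder.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ADUserInheritance {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor
    New-Object PSObject -Property @{
        User               = $u.SamAccountName
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
        AdminCount         = $u.adminCount   # 1 = protected by AdminSDHolder, fix will not stick
    }
}

function Enable-ADUserInheritance {
    param([string]$SamAccountName)
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    # First argument $false: stop protecting the DACL (inherit from parent again).
    # Second argument $true: keep the ACEs that are currently on the object.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}

$user = "jdoe"   # placeholder
Test-ADUserInheritance -SamAccountName $user
Enable-ADUserInheritance -SamAccountName $user
Test-ADUserInheritance -SamAccountName $user   # InheritanceBlocked should now be False
```

If AdminCount comes back as 1 and the account no longer needs to be in a protected group, remove it from the group and clear adminCount; otherwise the inheritance setting will be reverted by SDProp within the hour.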

Receiving error event 4002 from MSExchange Availability on Exchange 2010

During the upgrade from Exchange 2007 to Exchange 2010 I was getting error event 4002 in the Application log on the Exchange 2010 servers. Here is part of the error:

Process 5436: ProxyWebRequest IntraSite from S-1-1-0 to https://casserver2007.local.domain/EWS/Exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Web.Services.Protocols.SoapException: Microsoft.Exchange.InfoWorker.Common.Availability.TimeIntervalTooBigException: The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 62 days. ---> The requested time duration specified for FreeBusyViewOptions.TimeWindow is too long. The allowed limit = 42 days; the actual limit = 62 days. at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Bo…

Warning messages on BES Express hosted on Exchange 2010

After delegating all the permissions your BES Express service account needs on your Exchange 2010 databases, defining the throttling policy and so on (check the installation guides on ), you expect everything to work properly on the server and client side. Unfortunately, if you have load balancers configured in front of your Exchange 2010 CAS servers, you will receive tons of warning messages in the Application log on the BES Express server, something like:

The resolution for the problem is published as KB22812; long story short, avoid the load balancer (point the BES Express server at one of the CAS servers behind the load balancer using the hosts file).

Blackberry Administration Service - Native Code Container (BAS-NCC.exe) is stopping and restarting every hour

You may see BAS-NCC.exe restarting a couple of times, ten minutes past every hour, on your BES Express server, and you're receiving the following error in your Application event log:

Blackberry has published KB23927 describing this problem for Windows Server 2008 and Windows Server 2008 R2, where the resolution is to upgrade to BES Express 5.0 SP3. In my case the OS is Windows Server 2003 R2 SP2 and the BES version is already 5.0 SP3 MR1, and I was experiencing the same problem?!

In my case the resolution was to remove the proxy server settings from the account the service was running under. The account did not have permission to use the proxy settings, and BES Express 5.0 tries to connect to the Internet to download the device.xml and vendor.xml files. More about it in KB13589.

You're unable to activate database copy on Exchange 2010 mailbox server

If you receive the following error message when you try to activate a mailbox database copy on one of your DAG member servers:

An Active Manager operation failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'Mailbox Database 01' on server '' has content index catalog files in the following state: 'Failed'..

You can check the status of the mailbox database content index with :

Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name              : Mailbox Database 01\Server3
ContentIndexState : Failed

Name              : Mailbox Database 02\Server3
ContentIndexState : Healthy

Also, on the mailbox server where the content index is corrupted you can see the following event:

Event ID: 123
Level: Error
Source: ExchangeStoreDB

At <timestamp> the Microsoft Exchange Information Store Database <identity> copy on this server experienced a corrupted search catalog…
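The Get-MailboxDatabaseCopyStatus check above can be turned into a small repair loop. This is an added example, not the original post's code, and the repair step it uses (Update-MailboxDatabaseCopy -CatalogOnly, which reseeds only the search catalog and leaves the database files alone) is the standard Exchange 2010 fix for a failed catalog rather than something quoted from the post. The server name is a placeholder.

```powershell
# Added example, not part of the original post. Run in the Exchange Management Shell.
$server = "Server3"   # placeholder DAG member

function Get-UnhealthyContentIndexes {
    param([string]$Server)
    Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $_.ContentIndexState -ne "Healthy" } |
        Select-Object Name, Status, ContentIndexState, ContentIndexErrorMessage
}

$bad = Get-UnhealthyContentIndexes -Server $server
$bad | Format-Table -AutoSize -Wrap

foreach ($copy in $bad) {
    if ($copy.Status -eq "Mounted") {
        # Active copy: the catalog has to come from a healthy passive copy, so pick that
        # server explicitly with -SourceServer instead of running this blindly.
        Write-Warning "$($copy.Name) is the active copy; reseed with -SourceServer <healthy passive copy>"
        continue
    }
    # Passive copy: rebuild the catalog from the active copy. The database itself is untouched.
    Update-MailboxDatabaseCopy -Identity $copy.Name -CatalogOnly -Confirm:$false
}

# Re-check; activation is possible again once ContentIndexState reports Healthy
Get-MailboxDatabaseCopyStatus -Server $server | Format-Table Name, Status, ContentIndexState -AutoSize
```

If a catalog keeps coming back as Failed after a reseed, event 123 from ExchangeStoreDB on that server is the place to look for the underlying cause rather than reseeding again.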

Public folder database does not replicate on Exchange 2010

In my case the Exchange organization had been migrated from Exchange 2000 to Exchange 2007. Public folder replication between the Exchange 2000 and 2007 servers was fine before the last Exchange 2000 server was removed, and after its removal replication between the Exchange 2007 mailbox servers kept working. When Exchange 2010 mailbox servers were introduced into the organization, mail flow was OK, but the public folder databases created on the Exchange 2010 servers were not replicating with the public folder databases mounted on the Exchange 2007 mailbox servers. In the event log on the Exchange 2010 mailbox servers I found the following event:

Log Name: Application
Source: MSExchange Store Driver
Event ID: 1020
Level: Error

The store driver couldn't deliver the public folder replication message "Hierarchy (" because the following error occurred: The Active Directory user wasn't found.

The resolution for this problem is to dele…

Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Microsoft Office Communicator 2007 could not retrieve calendar or Out of Office information from Exchange Web Services

If you upgrade your Exchange organization to Exchange 2010 (or do a greenfield installation) and you're not patching Office Communicator 2007 regularly, you may see the following message:

Resolution for the problem can be found on the following Microsoft published article : or .

BSOD (Blue Screen Of Death)

I experienced a few BSODs last week after updating some device drivers on my Windows 7 SP1 (x86) workstation. Since I was updating from Microsoft Update, I did not suspect problems with the updated drivers, so I scheduled a chkdsk surface scan of my HDD, suspecting bad sectors. Fortunately the HDD was free of bad sectors, so I decided to examine the crash dump file with windbg. For more on how to obtain windbg, how to read a small memory dump and how to set up symbols, please check the Microsoft articles : and .

Here is the output from my minidump :

0: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                               …

Asking yourself how many messages are transported in your Exchange organization ?

In my Exchange 2010 migration scenario I was using the Exchange calculator from the Exchange team, and to calculate the required number of IOPS per database (or server) two of the required input parameters are the total messages per mailbox per day and the average message size in KB. So, if you don't want to just guess those numbers, you can use Rob's script for gathering email statistics . From the data it gathers you can use "Received Total Messages" and "Sent Unique Total" to get the total number of messages per user, and "Received MB Total" and "Sent Unique MB Total" to count the daily traffic in MB for each user. From these two values you can calculate the average number of total messages per mailbox per day and the average size in MB (KB) for…

You can't make your Exchange 2010 Jetstress tests to pass

If you're testing your disk subsystem for Exchange 2010 with Jetstress and can't get a "green" pass because the database read latency is higher than 20 msec, it's time to reduce the number of threads and fine-tune. But if you reduce the number of threads, you lose IOPS.
For example: with 2 threads you can't achieve the required number of IOPS, and with 3 threads you achieve the IOPS but database read latency is higher than 20 msec. In that case you can use the "SluggishSessions" parameter, found in the JetstressConfig.xml file. By default it is set to 1; increase it by 1 at a time, which makes Jetstress add a pause between tasks. Increasing "SluggishSessions" also costs IOPS.

For example: with thread count 3 and SluggishSessions 2, I was able to achieve the required number of IOPS but database read latencies were still higher than 20…

Your VM running on Hyper-V is not in sync (time)

I experienced something strange on a Hyper-V cluster based on Windows Server 2008 R2 SP1 Enterprise, with a VM guest running the same OS (Standard edition): time synchronization was enabled for the VM, but the VM was still out of sync.
I checked that the Windows Time service was running and queried the synchronization source, and it was the free-running system clock!
After restarting the Windows Time service, the VM started to sync with the local CMOS clock instead of synchronizing with the host (parent partition).
I'm guessing that the VM was not reading the time synchronization setting from the VM configuration, so I disabled the setting, re-enabled it and restarted the Windows Time service, and finally, within a few seconds, the VM was synchronizing its time with the host:

One more thing: if the server is Windows Server 2008 R2 and the machine is not domain-joined, the Windows Time service stops automatically. On reboot you can see the following event:

This is the default behaviour, and you can find more in…
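The checks described in this post (time source, service state, whether the Hyper-V time provider is switched on) fit in one small function, added here as an example that is not part of the original post. It uses w32tm /query /source, whose output names the Hyper-V integration provider as "VM IC Time Synchronization Provider" when the guest is taking time from the host, and reads the VMICTimeProvider registry key that the integration service toggles.

```powershell
# Added example, not part of the original post. Run inside the guest as an administrator.
function Get-GuestTimeSyncState {
    $source = ((w32tm.exe /query /source) -join ' ').Trim()
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
    $vmic = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Source           = $source
        W32TimeStatus    = (Get-Service -Name w32time).Status
        VmicProviderOn   = ($vmic -ne $null) -and ($vmic.Enabled -eq 1)
        # "Free-running System Clock" / "Local CMOS Clock" are the two symptoms from the post
        SyncedFromHost   = $source -match 'VM IC Time Synchronization Provider'
    }
}

Get-GuestTimeSyncState | Format-List

# After toggling "Time synchronization" off and on in the VM's integration services,
# restart the service and force a resync, then check again.
Restart-Service -Name w32time
w32tm.exe /resync | Out-Null
Get-GuestTimeSyncState | Format-List
```

On a domain-joined guest the Source may legitimately be a domain controller rather than the host provider, so read SyncedFromHost together with Source instead of treating it as the only healthy state.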

Object "computername" contains other objects

If you try to delete a computer object in AD, you might receive the warning "Object <computername> contains other objects". To see what the computer object contains, select "Users, Contacts, Groups and Computers as containers" from the View menu in the Active Directory Users and Computers console; the child objects then become visible under the computer.

In most cases, if the computer object is a client workstation, it will be a printer.

"Internet Explorer has modified this page to help prevent cross-site scripting."

Internet Explorer 9 includes a cross-site scripting (XSS) filter, which is enabled by default. In my case IE 9 was pushed via WSUS, and a couple of older web applications were still running that IE 9 prevented from working properly thanks to the enabled XSS filter.
If you trust the application or it is running on the intranet, and for some reason IE 9 is not applying the Local intranet zone settings, just add the link manually to the Local intranet zone (the Local intranet zone has the XSS filter disabled by default).

You can't deploy OS on client in SCCM 2007 SP2

If you try to install an OS on the same client within one hour of the previous deployment, the machine will fail to boot into PXE. To fix this, change the HKLM\Software\Microsoft\SMS\PXE\CacheExpire value to, for example, 120 (2 minutes); 0 is treated as 60 minutes. For more info please check .

You can't access pages via TMG as proxy with https inspection enabled on port different than 443

If you try to access pages via HTTPS on a port other than 443 through TMG with HTTPS inspection enabled, and you check the TMG logs, you will see the following error: "12204 The specified Secure Sockets Layer (SSL) port is not allowed. Forefront TMG is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests".
Looking for a solution I bumped into the following article . It provides three scripts for managing tunnel port ranges (view, add, delete). In my case I needed to reach port 8443 over SSL, so I added a new tunnel port range containing the single port 8443 by running "cscript addrange.vbs ssl8443 8443". After that TMG started proxying SSL requests to the requested destination on 8443.

Blank page when accessing streamed pdf file over https

If you receive a blank page on your Internet Explorer when you try to open streamed pdf document, and you have tried almost anything including resetting the browser, re-installing Adobe Reader (pre-registering active-x plug-in), installing the latest version of Adobe Reader ...and still you're receiving white blank page, try opening the same streamed pdf document via http (if you're hosting the web server, or someone can provide that for you). In my case I could successfully open streamed pdf document when the document was provided via http. So, I started digging deeper and bumped on the following article "Internet Explorer file downloads over SSL do not work with the cache control headers". In my scenario the client is running on XP with IE 8 and Adobe reader 8, and the web server IIS 7.5. In Microsoft's KB there is a solution for IE 8, where I have added the following key "BypassSSLNoCacheCheck"=Dword:00000001 an…