Category Archives: Microsoft

Exchange 2013 Emails stuck in Drafts

No outgoing email on a fresh Exchange 2013 install: sent messages get stuck in the Drafts folder in OWA.

Scenario: The problematic environment was a fresh install of Exchange 2013 with no migration; new mailboxes were created, but when emails were sent they got stuck in the Drafts folder, and both OWA and Outlook failed to send. This is a Windows Server 2012 environment with a main DC and a member 2012 server, both virtual; the server hosting Exchange was a cloned VM.

Diagnosis: After enabling verbose logging on the default receive connector, the following error was seen in the SMTP receive protocol log, located here: C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive\

X.X.X.X:2525,X.X.X.X:53103,>,421 4.3.2 Service not available,

Enabled Kerberos logging using: http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177

After this, the event logs showed a huge number of Kerberos related errors under System:

A Kerberos error message was received:
on logon session DOMAIN.LOCAL\Exchangeservername$
Client Time:
Server Time: 0:35:49.0000 3/19/2014 Z
Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN

Checked that all services were running and that the SPNs were set correctly using the setspn commands:

setspn -L hostname
setspn -r AccountName

more details here: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

Also checked that the correct DNS settings were used on the Exchange server under EAC => Servers => edit => DNS lookups.

In my case both internal and external lookups were set to "All network adapters (IPv4)".

Solution: Eventually it turned out that the "Access this computer from the network" user right was not defined in the security policy applied through Group Policy.

The Default Domain Policy was applied to the OU containing the Exchange 2013 server, so I updated the Default Domain Policy: open the Group Policy Editor and go to

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\

Tick "Define these policy settings" and add the default groups as per http://technet.microsoft.com/en-us/library/cc740196(v=ws.10).aspx:

  • Administrators
  • Backup Operators
  • Users
  • Everyone

Please note this is a 2012 server and, for some reason, there is no Power Users group as listed in the article.

Ran gpupdate /force on the DC and on the Exchange server, restarted the Exchange services, and voila, all the stuck emails went out one at a time.

At this point in time the kerberos errors are still being generated, I still need to fix this…more soon.
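To confirm the fix without clicking through gpedit, the following PowerShell script (an added example, not part of the original post) exports the effective local security policy on the Exchange server with secedit and lists who actually holds the "Access this computer from the network" right (SeNetworkLogonRight), resolving SIDs to names. The expected set is the four groups from the post, expressed as well-known SIDs; the export path is an assumption.

```powershell
# Added example (not from the original post): show which principals hold the
# "Access this computer from the network" user right (SeNetworkLogonRight) on
# the local server as Group Policy applied it. Run elevated on the Exchange
# server after gpupdate /force.
function Get-NetworkLogonRight {
    [CmdletBinding()]
    param(
        # secedit exports the effective local policy to an .inf file (assumed path)
        [string]$ExportPath = (Join-Path $env:TEMP 'secpol-export.inf')
    )
    & secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $ExportPath)) { throw "secedit export failed: $ExportPath was not created" }
    try {
        $line = Get-Content $ExportPath | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
        if (-not $line) {
            # Right not defined at all: nobody may log on over the network,
            # which is the state the post describes.
            return @()
        }
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; translate to a readable name
                $sidText = $entry.Substring(1)
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }
                [pscustomobject]@{ Sid = $sidText; Name = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Name = $entry }
            }
        }
    } finally {
        Remove-Item $ExportPath -ErrorAction SilentlyContinue
    }
}

# The groups the post adds (Administrators, Backup Operators, Users, Everyone),
# as well-known SIDs so the check does not depend on localized group names.
$expected = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-545', 'S-1-1-0')
$granted = Get-NetworkLogonRight
$granted | Format-Table -AutoSize
$missing = $expected | Where-Object { $_ -notin $granted.Sid }
if ($missing) { Write-Warning "SeNetworkLogonRight is missing: $($missing -join ', ')" }
else { Write-Host 'SeNetworkLogonRight contains all groups from the post.' }
```

If the script reports the right as undefined or missing the Exchange server's groups, the GPO has not reached the server yet (check gpresult /r for the applied policy) or a more specific GPO is overriding the Default Domain Policy.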

 


Remote Desktop Disconnected, unable to connect Windows 2003 Server via RDP

I ran into this problem after a successful recovery of a server which had failed miserably. I was able to ping it, and RDP was enabled and listening on the right port number, but I kept getting the following error when trying to RDP into the 2003 server.

“The client could not connect to the remote computer. Remote connections might not be enabled or the computer might be too busy to accept new connections. It is also possible that network problems are preventing your connection.”

The Resolution:

To resolve the problem, make sure that the correct network adapter is bound to the RDP-Tcp connection. To do this, follow these steps:
1. On the server, log on locally (not using Remote Desktop/Terminal Services Client).
2. Click Start, Run, type "tscc.msc /s" (without quotation marks) and click OK.
3. In the Terminal Services Configuration snap-in, double-click Connections, then RDP-Tcp in the right pane.
4. Click the Network Adapter tab, select the correct network adapter and click OK.
5. Make sure that you can establish an RDP connection to the server.

Alternative resolution steps.
Use these steps only if you cannot perform a local logon to the affected server.
WARNING: Using Registry Editor incorrectly may cause serious problems that may require you to reinstall your operating system. Use Registry Editor at your own risk and only after making a backup of the full registry and the keys you are going to change. Please see the More Information section of the source KB article for registry backup and restore information.
1. Start Registry Editor (Regedt32.exe).

2. Click File\Connect Network Registry. Enter the computer name or IP address and click OK. Firewalls between your computer and the affected server may prevent a successful connection. The Remote Registry service must be running on the server.

3. Navigate to the following registry key (path may wrap):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}

4. Under this key are one or more keys for the globally unique identifiers (GUIDs) corresponding to the installed LAN connections. Each of these GUID keys has a Connection subkey. Open each of the GUID\Connection keys and look for the Name value. Choose the connection you want Terminal Services to use.

5. When you have found the GUID\Connection key that contains the Name setting that matches the name of your LAN connection, write down or otherwise note the GUID value.

6. Then navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\lanatable. Using the GUID you noted in step 5, select the matching subkey and note its LanaId.

7. Navigate to the following value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\LanAdapter. Change its data to the LanaId value you noted in step 6. If you want RDP to listen on all LAN adapters, enter a value of 0.

source: http://support.microsoft.com/kb/555382
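Steps 3 to 7 of the alternative resolution can be checked read-only from an admin workstation before anything is changed. The following PowerShell function is an added example, not part of the original post or the KB article: it opens the remote registry of the affected server (the Remote Registry service must be running, as the post notes), lists each LAN connection's name, GUID and LanaId, and shows which one the RDP-Tcp LanAdapter value currently points at. The server name is a placeholder; LanaId is read as either a DWORD or a binary value, since the data type is not stated in the post.

```powershell
# Added example (not from the original post): read-only view of the RDP-Tcp
# adapter binding on a remote Windows 2003 server, using the same registry
# keys the KB steps walk through. Requires rights to the remote registry.
function Get-RdpAdapterBinding {
    param([Parameter(Mandatory)][string]$ComputerName)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        # Step 3: GUID subkeys here are the installed LAN connections
        $netKey  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}')
        # Step 6: maps each connection GUID to its LanaId
        $lanaKey = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\lanatable')
        # Step 7: the adapter RDP-Tcp is currently bound to (0 = all adapters)
        $rdpKey  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp')
        if (-not ($netKey -and $lanaKey -and $rdpKey)) { throw "One of the required keys is missing on $ComputerName" }

        $current = [int]$rdpKey.GetValue('LanAdapter', 0)

        $adapters = foreach ($guid in $netKey.GetSubKeyNames()) {
            # Steps 4-5: only GUID keys with a Connection subkey are real connections
            $conn = $netKey.OpenSubKey("$guid\Connection")
            if ($null -eq $conn) { continue }
            $lanaId = $null
            $lana = $lanaKey.OpenSubKey($guid)
            if ($lana) {
                $raw = $lana.GetValue('LanaId')
                # Assumption: LanaId may be stored as REG_DWORD or REG_BINARY; handle both
                $lanaId = if ($raw -is [byte[]]) { [BitConverter]::ToInt32($raw, 0) } else { [int]$raw }
            }
            [pscustomobject]@{
                Name       = $conn.GetValue('Name')
                Guid       = $guid
                LanaId     = $lanaId
                BoundToRdp = ($current -eq 0 -or $lanaId -eq $current)
            }
        }

        [pscustomobject]@{
            ComputerName  = $ComputerName
            RdpLanAdapter = $current
            ListensOnAll  = ($current -eq 0)
            Adapters      = $adapters
        }
    } finally {
        $hklm.Close()
    }
}

# 'srv2003-01' is a placeholder server name
$binding = Get-RdpAdapterBinding -ComputerName 'srv2003-01'
$binding | Format-List ComputerName, RdpLanAdapter, ListensOnAll
$binding.Adapters | Format-Table -AutoSize
```

If the LanaId that RDP-Tcp points at does not appear in the adapter list (for example because the recovered server came back with a new NIC and new GUIDs), that is exactly the mismatch the KB steps fix by setting LanAdapter to the correct LanaId or to 0.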

nsebin.def files filling up C:\Windows\Temp folder; norman scan engine update issue in Microsoft Forefront

Recently I bumped into a problem where an Exchange 2010 server was running low on disk space on the C drive. After checking all the usual aspects (Exchange database location, log files, shadow copies and the page file), it turned out to be the C:\Windows\Temp folder: it contained a large number of temp files named like the one below.

nsebin.def.xxxx.temp

A quick Google search led me to this post on technet: http://social.technet.microsoft.com/Forums/en-US/FSENext/thread/ca55530e-3850-49a0-9cd6-2ffd562301ce

This problem is due to a recent bug in the Norman Scan Engine update, which surfaced around 25/4/2013, after which older nsebin.def files weren't removed, hence the build-up. One can imagine what this does to a 40Gb system drive partition, as each of these files was around 320Mb and downloaded twice a day if you have Forefront updating automatically.

The solution as of now is to delete the nsebin.def files as and when you get low on space; there is no need to restart any services for this, just go in there and DELETE. Do not delete the nse_temp files.

As there is no fix yet, and as suggested on the post, disable the Norman Scan engine and its update schedule in Forefront as below:

Disable Norman Scan engine and update schedule


Someone also suggested rebuilding the Norman engine folder to get Forefront to fix this automatically; this hasn't worked for me, but you are welcome to try.

Rebuild Norman Engine Folder:

To do this, locate the Norman folder C:\Program Files (x86)\Microsoft Forefront Protection for Exchange Server\Data\Engines\x86\Norman (or the equivalent path on the drive where you installed Forefront) and rename the folder to Norman.old

Rename Norman folder


Once done renaming, open the Forefront console and force an update by going to Policy Management > Global Settings > Advanced Options > Update Scheduling section, right-click the Norman engine there and select Update Now.

Update norman engine


You should now see a new Norman folder created, but the problem is the old def files are still there.

MS is still working on this and I will update this post when I find out that my problem has been fixed.

update 13/5/13: Still nothing from MS; I have left the Norman scan engine and update schedule disabled.

update 15/5/13: MS have released a fix; if you have disabled the scheduled update, enable it again.
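Since the workaround above has to be repeated whenever the drive fills up, here is a small PowerShell cleanup (an added example, not something from the post or from Microsoft) that reports the leftover nsebin.def.* files in C:\Windows\Temp, skips anything named nse_temp* as the post advises, leaves very recent files alone in case an engine download is still in progress, and only deletes when asked to. The two-hour minimum age is an assumption.

```powershell
# Added example (not from the original post): report and optionally remove the
# orphaned nsebin.def.*.temp files, never touching nse_temp files.
# Dry run by default; pass -Remove (optionally with -WhatIf) to delete.
function Clear-NormanTempDefinitions {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TempPath = (Join-Path $env:windir 'Temp'),
        # Keep files newer than this (assumed safe window for an in-progress download)
        [int]$MinimumAgeHours = 2,
        [switch]$Remove
    )
    $cutoff = (Get-Date).AddHours(-$MinimumAgeHours)

    # Pattern from the post; the explicit nse_temp exclusion documents the rule
    $files = @(Get-ChildItem -Path $TempPath -Filter 'nsebin.def.*' -ErrorAction Stop |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.Name -notlike 'nse_temp*' -and
            $_.LastWriteTime -lt $cutoff
        })

    $totalBytes = ($files | Measure-Object -Property Length -Sum).Sum
    $totalMB = [math]::Round(([double]$totalBytes) / 1MB, 1)
    Write-Host ("{0} leftover definition file(s) older than {1}h, {2} MB total" -f $files.Count, $MinimumAgeHours, $totalMB)

    if ($Remove) {
        foreach ($f in $files) {
            if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete')) {
                Remove-Item -LiteralPath $f.FullName -Force
            }
        }
    }

    # Return what was found so the run can be logged
    $files | Select-Object Name, LastWriteTime, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }
}

# Usage: look first, then delete
Clear-NormanTempDefinitions
# Clear-NormanTempDefinitions -Remove -WhatIf
# Clear-NormanTempDefinitions -Remove
```

Running it from a scheduled task with -Remove keeps the system drive from filling while the engine update schedule is disabled; once the fix from MS is applied, the cleanup should find nothing.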

Sent message is not saved in the Sent items folder of Shared/ additional mailbox when you “Send As” that mailbox

When you send an e-mail message from a shared mailbox in Outlook 2007, the sent message is not saved in the Sent Items folder of the shared mailbox

In this scenario, when you send an e-mail message from the shared mailbox, the message is sent successfully. However, the sent message is not saved in the Sent Items folder of the shared mailbox.

You configure the DelegateSentItemsStyle registry entry for Microsoft Office Outlook 2007.

To do this, you set the DWORD value of the following registry entry to 1:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Preferences\DelegateSentItemsStyle

If you are on Office 2007 SP3 you don't need the hotfix mentioned below.

To resolve this problem, install the Outlook 2007 hotfix package that is dated June 30, 2009 and then set the value for the DelegateSentItemsStyle registry entry to enable the hotfix package. To do this, follow these steps:

  1. Install the Outlook 2007 hotfix package that is dated June 30, 2009. For more information about this hotfix package, see http://support.microsoft.com/kb/970944
  2. Set the value for the DelegateSentItemsStyle registry entry to enable the hotfix.

Or just run the Microsoft Fixit:

http://go.microsoft.com/?linkid=9780417

To edit the registry yourself:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Preferences
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type DelegateSentItemsStyle, and then press ENTER.
  5. Right-click DelegateSentItemsStyle, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor.
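The same seven steps as a PowerShell function, added here as an example (not from the KB article or the post), so the setting can be applied per user from a logon script and verified by reading it back. The Office version key defaults to 12.0 (Outlook 2007) exactly as in the post; the parameter is there because later Outlook versions live under a different version key.

```powershell
# Added example (not from the original post): set DelegateSentItemsStyle for the
# current user under the Outlook 2007 (12.0) Preferences key and read it back.
# Run as the user who sends from the shared mailbox.
function Set-DelegateSentItemsStyle {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Office 2007 uses version key 12.0 (as in the post); other versions differ
        [string]$OfficeVersion = '12.0',
        # 1 = save sent items in the shared mailbox's Sent Items, 0 = default behaviour
        [ValidateSet(0, 1)][int]$Value = 1
    )
    $keyPath = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Preferences"

    if (-not (Test-Path $keyPath)) {
        # Outlook normally creates Preferences on first run; create it if absent
        New-Item -Path $keyPath -Force | Out-Null
    }

    if ($PSCmdlet.ShouldProcess($keyPath, "Set DelegateSentItemsStyle = $Value")) {
        New-ItemProperty -Path $keyPath -Name 'DelegateSentItemsStyle' `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Read back and report, so a logon script can log success or failure
    $current = (Get-ItemProperty -Path $keyPath -Name 'DelegateSentItemsStyle' -ErrorAction SilentlyContinue).DelegateSentItemsStyle
    [pscustomobject]@{
        Key                    = $keyPath
        DelegateSentItemsStyle = $current
        Applied                = ($current -eq $Value)
    }
}

Set-DelegateSentItemsStyle
```

Outlook reads the value at startup, so the user still needs to restart Outlook after the script runs, as with the manual steps.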

Saved credentials not working when connecting to 2008 Terminal server from windows 7

“Your credentials did not work. Your system administrator does not allow the use of saved credentials to log on to the remote computer because its identity is not fully verified”

You get the above error when attempting to connect via RDP to a 2008 terminal server session; you can then connect by typing the same password manually, no matter how many times you save the correct password for the RDP connection.

One would get frustrated having to enter the password for a zillion RDP connections because Windows 7 is not using the saved credentials. To get around this:

  1. Click on Start, and then in the search bar type: gpedit.msc
  2. Expand Computer Configuration, expand Administrative Templates, expand System, expand Credentials Delegation.
  3. Double-click "Allow Delegating Default Credentials with NTLM-only Server Authentication". Click the "Show..." button and enter the following: TERMSRV/*
  4. Click OK to close the Show Contents window, then click OK again to close the next window.
  5. Double-click "Allow Delegating Saved Credentials with NTLM-only Server Authentication". Click the "Show..." button and enter the following: TERMSRV/*
  6. Click OK to close the Show Contents window, then click OK again to close the next window.
  7. Click on Start, and then in the search bar type: GPUPDATE /FORCE

You should now be able to save the password for the RDP connection.
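The two policies in steps 3 and 5 are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation. The PowerShell below is an added example (not from the post) that writes those registry values directly and then reports the effective configuration. It defaults to TERMSRV/* as the post does; passing specific SPNs instead (TERMSRV/ts01.contoso.local is a placeholder) limits the set of servers to which Windows will hand over the user's credentials when the server's identity is only NTLM-verified, which is the risk these policies trade away for convenience. Note that a domain GPO that configures the same policies will overwrite these values at the next refresh.

```powershell
# Added example (not from the original post): enable "Allow Delegating
# Default/Saved Credentials with NTLM-only Server Authentication" for the
# given server SPNs by writing the policy registry keys, then show the result.
# Run elevated on the Windows 7 client.
function Set-RdpCredentialDelegation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # TERMSRV/* (from the post) = every terminal server; narrow it where you can
        [string[]]$ServerSpn = @('TERMSRV/*')
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    # Policy value name -> the matching "concatenate with OS defaults" value
    $policies = @{
        'AllowDefaultCredentialsWhenNTLMOnly' = 'ConcatenateDefaults_AllowDefNTLMOnly'
        'AllowSavedCredentialsWhenNTLMOnly'   = 'ConcatenateDefaults_AllowSavedNTLMOnly'
    }
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }

    foreach ($policy in $policies.Keys) {
        if (-not $PSCmdlet.ShouldProcess("$base\$policy", "Enable for $($ServerSpn -join ', ')")) { continue }
        # Enable the policy and the "concatenate defaults" flag gpedit sets alongside it
        New-ItemProperty -Path $base -Name $policy -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $base -Name $policies[$policy] -PropertyType DWord -Value 1 -Force | Out-Null
        # The "Show..." list lives in a subkey as string values named 1, 2, 3, ...
        $listKey = Join-Path $base $policy
        if (-not (Test-Path $listKey)) { New-Item -Path $listKey | Out-Null }
        foreach ($old in (Get-Item $listKey).GetValueNames()) { Remove-ItemProperty -Path $listKey -Name $old }
        for ($i = 0; $i -lt $ServerSpn.Count; $i++) {
            New-ItemProperty -Path $listKey -Name "$($i + 1)" -PropertyType String -Value $ServerSpn[$i] | Out-Null
        }
    }

    # Report the effective configuration
    foreach ($policy in $policies.Keys) {
        $enabled = (Get-ItemProperty -Path $base -Name $policy -ErrorAction SilentlyContinue).$policy
        $listKey = Join-Path $base $policy
        $servers = @()
        if (Test-Path $listKey) {
            $k = Get-Item $listKey
            $servers = @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
        }
        [pscustomobject]@{ Policy = $policy; Enabled = ($enabled -eq 1); Servers = ($servers -join ', ') }
    }
}

# As in the post: all terminal servers. Tighter: -ServerSpn 'TERMSRV/ts01.contoso.local'
Set-RdpCredentialDelegation -ServerSpn 'TERMSRV/*'
# then: gpupdate /force
```

Running the function with -WhatIf shows which keys it would write without changing anything, which is handy for checking what a domain GPO has already set.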

Create a Shared Mailbox in Exchange 2007

Create shared mailboxes in Exchange 2007 using PowerShell, as the EMC in Exchange 2007 doesn't allow you to create shared mailboxes the way the newer Exchange 2010 does.

You can do this with the help of the New-Mailbox cmdlet.

Below is an example of creating a shared mailbox called Info and then assigning the "info group" security group full access to the shared mailbox.

New-Mailbox -Name:'info' -OrganizationalUnit:'contoso.local/OU/users OU' -Database:'Mailbox Database' -UserPrincipalName:'info@contoso.com' -Shared

Exchange 2007 will now create a shared mailbox and also create a disabled Active Directory account.

Now to assign full access:

Add-MailboxPermission Info -User:'info group' -AccessRights:FullAccess

You can also convert an existing mailbox to a shared one using the Set-Mailbox cmdlet.

Set-Mailbox Info -Type:Shared

Once this is done, you are able to manage the shared mailbox via the Exchange Management Console if you need to assign Full Access or Send As permissions. The following PowerShell command is used to assign Send-As rights and read/write access to personal information:

Add-ADPermission info -User:'info Group' -ExtendedRights:Send-As -AccessRights:ReadProperty, WriteProperty -Properties:'Personal Information'
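Full Access and Send-As on a shared mailbox are the two rights worth reviewing periodically, since both let someone act as that mailbox. The function below is an added example (not from the post) for the Exchange Management Shell that lists the explicit, non-inherited grants of each on a mailbox, skipping the NT AUTHORITY\SELF entry that every mailbox carries. The mailbox name "info" is the one from the post.

```powershell
# Added example (not from the original post): list who holds explicit Full Access
# (mailbox permission) and Send-As (AD extended right) on a shared mailbox.
# Run in the Exchange 2007 Management Shell.
function Get-SharedMailboxAccess {
    param([Parameter(Mandatory)][string]$Identity)

    # Full Access: ignore inherited ACEs and the owner's own SELF entry,
    # which is present on every mailbox and is not a delegation
    $fullAccess = Get-MailboxPermission -Identity $Identity |
        Where-Object {
            -not $_.IsInherited -and
            $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
            (($_.AccessRights | ForEach-Object { $_.ToString() }) -join ',') -match 'FullAccess'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Right = 'FullAccess'; Trustee = $_.User.ToString(); Deny = $_.Deny }
        }

    # Send-As is granted on the AD user object, so it comes from Get-ADPermission
    $sendAs = Get-ADPermission -Identity $Identity |
        Where-Object {
            -not $_.IsInherited -and
            $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
            (($_.ExtendedRights | ForEach-Object { $_.ToString() }) -join ',') -match 'Send-As'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $Identity; Right = 'Send-As'; Trustee = $_.User.ToString(); Deny = $_.Deny }
        }

    # Wrap in @() so single results concatenate correctly
    @($fullAccess) + @($sendAs)
}

# After the New-Mailbox / Add-MailboxPermission / Add-ADPermission steps above:
Get-SharedMailboxAccess -Identity 'info' | Format-Table -AutoSize
```

Piping the output of Get-Mailbox -RecipientTypeDetails SharedMailbox into this function (one call per mailbox) gives an org-wide list of who can read or send as each shared mailbox, which is the list to compare against the expected groups.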

Active Directory Replication issues since time jump to the year 2000

Active Directory replication fails with Event 2042 reporting "It has been too long since this machine last replicated" and replication status 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime." and

Time of last successful replication:

2000-11-19 14:09:12

I got this error on a site with 3 DCs, and yes, that puts you 12 years back, even before this company existed.
The normal solution would be to demote and re-promote the problem DC, but after looking around TechNet I bumped into this article: http://blogs.technet.com/b/askpfeplat/archive/2012/11/19/did-your-active-directory-domain-time-just-jump-to-the-year-2000.aspx and an updated article http://blogs.technet.com/b/askpfeplat/archive/2012/11/23/fixing-when-your-domain-traveled-back-in-time-the-great-system-time-rollback-to-the-year-2000.aspx, which explain it all. The main PDC's NTP source was pointing at USNO.NAVY.MIL, and on November 19th, 2012, time servers at USNO.NAVY.MIL incorrectly provided time samples listing CY 2000 as the current year between the hours of 21:07 UTC and 21:59 UTC (16:07-16:59 EST).

- Run W32tm /stripchart /computer:NTPServerAddress to make sure you are getting the correct time from your new source.

- Set the correct time settings to a known good source:

  1. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
  2. In the pane on the right, right-click NtpServer, and then click Modify.
  3. In Edit Value, type the NTP peer list (Peers) in the Value data box, and then click OK.

- Run w32tm /config /update

Now of course you are having replication issues, as AD replication would have happened while the time was set to the year 2000, and when your time comes back from the past you are bound to have replication issues due to the tombstone lifetime.
Before you proceed, make sure "Strict Replication Consistency" is enabled: the registry value (HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Strict Replication Consistency) should be set to the default for Server 2003 and later, which is 0x1. "Strict Replication Consistency" ensures that no lingering objects will be replicated out, if any really exist, after we force the replication to happen.

Note: This forces the replication even if AD replication has failed with the partner for more than the tombstone lifetime. In most cases, if the server really has a replication failure that was not caused by this unexpected time jump, you would see new replication errors caused by lingering objects as long as "Strict Replication Consistency" is 0x1; no lingering objects would then actually be replicated out.

We will now follow http://technet.microsoft.com/en-us/library/cc757610(WS.10).aspx

On the downstream domain controller that reported replication error code 8614 (ERROR_DS_REPL_LIFETIME_EXCEEDED), set up the "Allow Replication With Divergent and Corrupt Partner" registry value.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  3. In the details pane, create or edit the registry entry as follows:

    If the registry entry exists in the details pane, modify the entry as follows:

    1. In the details pane, right-click Allow Replication With Divergent and Corrupt Partner, and then click Modify.
    2. In the Value data box, type 1, and then click OK.

    If the registry entry does not exist, create the entry as follows:

    1. Right-click Parameters, click New, and then click DWORD Value.
    2. Type the name Allow Replication With Divergent and Corrupt Partner, and then press ENTER.
    3. Double-click the entry. In the Value data box, type 1, and then click OK.

No restart is needed. Force replication in AD Sites and Services between the source and destination servers.

Remember to change the "Allow Replication With Divergent and Corrupt Partner" value back to 0x0 after the issue has been sorted out.
The DC I was working on had already been rebooted, and one of the DCs had Kerberos related issues, so if you have noticed this year 2000 jump, do not reboot the DCs. Event ID 4 is logged in the System log:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server <computer name>$. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (<domain name>), and the client realm. Please contact your system administrator.

To get around this, on the problem DC where you are getting this error, set the Kerberos Key Distribution Center service to Manual and stop the service.

- From a command prompt on the broken DC enter the following:
netdom resetpwd /s:name_of_working_DC_or_PDC /ud:domain\user /pd:*
where domain\user is an administrator of the domain in the domain_name\user_name format. You will be prompted to enter your password.

Now reboot. The reboot clears the Kerberos ticket cache and so clears the broken credential attempts that it has stored; one can also run klist /purge and answer Y to delete all tickets.
Support tools and commands useful to rectify this issue:

- Event Viewer
- repadmin /replsum
- repadmin /showrepl
- dcdiag
- replmon.exe

Support Tools for Windows 2003 32-bit: http://www.microsoft.com/en-gb/download/details.aspx?id=15326

Windows Server 2003 Resource Kit Tools: http://www.microsoft.com/en-us/download/details.aspx?id=17657
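Pulling the checks from this post together, the PowerShell below is an added example (not from the post or the TechNet articles) to run on a DC: it shows the configured time source, reads the two NTDS registry values discussed above, and parses repadmin /showrepl /csv to list partners with failures and specifically those whose last failure status is 8614. It assumes repadmin and w32tm are on the path (both are present on 2008 and later; on 2003 repadmin comes with the Support Tools linked above).

```powershell
# Added example (not from the original post): one-shot health check for the
# year-2000 time jump symptoms. Run elevated on a domain controller.
function Get-ReplicationHealth {
    $ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $params = Get-ItemProperty -Path $ntds
    $strict    = $params.'Strict Replication Consistency'                  # expected 1
    $divergent = $params.'Allow Replication With Divergent and Corrupt Partner'  # should be 0 or absent when done

    # Configured time source, e.g. "Local CMOS Clock" (bad on a PDC) or an NTP peer
    $timeSource = (& w32tm.exe /query /source | Out-String).Trim()

    # repadmin's CSV output has 'Number of Failures' and 'Last Failure Status' columns
    $rows   = & repadmin.exe /showrepl /csv | ConvertFrom-Csv
    $failed = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    $lifetimeExceeded = @($failed | Where-Object { $_.'Last Failure Status' -eq '8614' })

    [pscustomobject]@{
        TimeSource                   = $timeSource
        StrictReplicationConsistency = $strict
        AllowDivergentPartner        = $divergent
        FailingPartners              = @($failed | Select-Object 'Source DSA', 'Naming Context', 'Last Success Time', 'Last Failure Status')
        LifetimeExceededSources      = @($lifetimeExceeded | Select-Object -ExpandProperty 'Source DSA' -Unique)
    }
}

$health = Get-ReplicationHealth
$health | Format-List TimeSource, StrictReplicationConsistency, AllowDivergentPartner, LifetimeExceededSources
$health.FailingPartners | Format-Table -AutoSize

if ($health.StrictReplicationConsistency -ne 1) {
    Write-Warning 'Strict Replication Consistency is not 1: lingering objects could replicate in.'
}
if ($health.AllowDivergentPartner -eq 1) {
    Write-Warning 'Allow Replication With Divergent and Corrupt Partner is still 1: set it back to 0 after recovery.'
}
if ($health.TimeSource -match 'Local CMOS Clock|Free-running') {
    Write-Warning 'This DC is not synchronizing from an external source.'
}
```

Run it once before setting the divergent-partner value (to confirm strict consistency is on and see which partners report 8614) and again after forcing replication, when LifetimeExceededSources should be empty and the warning about the divergent-partner value should remind you to set it back to 0.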

Manage Exchange 2010 Calendar Permissions Using Powershell

You can add calendar permissions using PowerShell for users with the following command.

If user2 needs to access user1's calendar:

Add-MailboxFolderPermission -Identity "user1:\calendar" -User "user2" -AccessRights Reviewer

The same can be done to give permission to a security group:

Add-MailboxFolderPermission -Identity "user1:\calendar" -User "DomainName\securitygroup" -AccessRights Reviewer

Below is the list of access rights (roles) and the folder permissions each one includes:

Role              Permissions
None              FolderVisible
Owner             CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
PublishingEditor  CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
Editor            CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
PublishingAuthor  CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
Author            CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
NonEditingAuthor  CreateItems, ReadItems, FolderVisible
Reviewer          ReadItems, FolderVisible
Contributor       CreateItems, FolderVisible
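The counterpart to granting rights is finding calendars that are shared too widely. The function below is an added example (not from the post) for the Exchange 2010 Management Shell: for every mailbox it resolves the Calendar folder (whose display name is localized) and reports any case where the Default or Anonymous entry holds more than free/busy access. AvailabilityOnly and LimitedDetails are the Exchange role names that expose free/busy only; treating them plus None as acceptable is an assumption you can change with the parameter.

```powershell
# Added example (not from the original post): find calendars where Default
# (everyone in the organization) or Anonymous has more than free/busy rights.
# Run in the Exchange 2010 Management Shell.
function Find-OverSharedCalendars {
    param(
        # Rights considered acceptable for Default/Anonymous (assumed policy)
        [string[]]$Acceptable = @('None', 'AvailabilityOnly', 'LimitedDetails')
    )
    $wellKnown = @('Default', 'Anonymous')

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # The calendar folder name is localized, so locate it by folder type
        $cal = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } |
            Select-Object -First 1
        if (-not $cal) { return }   # skip mailboxes without a calendar folder

        # FolderPath is "/Calendar"; the permission identity wants "alias:\Calendar"
        $folderId = "$($mbx.Alias):$($cal.FolderPath -replace '/', '\')"

        Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue |
            Where-Object { $wellKnown -contains $_.User.ToString() } |
            ForEach-Object {
                $perm   = $_
                $rights = @($perm.AccessRights | ForEach-Object { $_.ToString() })
                $excess = @($rights | Where-Object { $Acceptable -notcontains $_ })
                if ($excess.Count -gt 0) {
                    [pscustomobject]@{
                        Mailbox      = $mbx.Alias
                        Folder       = $folderId
                        User         = $perm.User.ToString()
                        AccessRights = ($rights -join ',')
                    }
                }
            }
    }
}

Find-OverSharedCalendars | Format-Table -AutoSize
```

A hit such as Default holding Reviewer means anyone in the organization can read the full details of that user's appointments; Set-MailboxFolderPermission -Identity "alias:\Calendar" -User Default -AccessRights AvailabilityOnly brings it back to free/busy.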

Redirect Exchange OWA to default site and force SSL in Exchange 2010

An OWA redirect to the default site that forces SSL is useful if you have those one or two users who can't seem to remember to add the https or the /owa to the Exchange OWA URL.

Doing this via IIS Manager can be time consuming and tricky; below is the script I came across (by Mark Smith) which does it for you. Just create a batch file with the script and run it once. The only thing you need to modify is https://mail.domain.com/owa

——-
c:
cd \Windows\System32\inetsrv

appcmd.exe ADD Backup "OWA REDIRECT BACKUP 01"

appcmd set config "default web site" -section:httpRedirect /childonly:true /enabled:true
appcmd set config "default web site" -section:system.webServer/httpRedirect -destination:"https://mail.domain.com/owa"

appcmd set config "default web site/Aspnet_Client" -section:httpRedirect /enabled:false
appcmd set config "default web site/Autodiscover" -section:httpRedirect /enabled:false
appcmd set config "default web site/ECP" -section:httpRedirect /enabled:false
appcmd set config "default web site/EWS" -section:httpRedirect /enabled:false
appcmd set config "default web site/Exchange" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/Exchweb" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/Microsoft-Server-ActiveSync" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/OAB" -section:httpRedirect /enabled:false
appcmd set config "default web site/OWA" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/PowerShell" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/Public" -section:httpRedirect -commit:apphost /enabled:false
appcmd set config "default web site/Rpc" -section:httpRedirect /enabled:false
appcmd set config "default web site/RpcWithCert" -section:httpRedirect /enabled:false

appcmd set config "default web site" -section:access -sslflags:"" -commit:apphost

appcmd set config "Default Web Site/Aspnet_Client" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Autodiscover" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/EWS" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/ECP" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Exchange" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Exchweb" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Microsoft-Server-ActiveSync" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/OWA" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "default web site/PowerShell" -section:access -sslflags:"" -commit:apphost
appcmd set config "default web site/OAB" -section:access -sslflags:"" -commit:apphost
appcmd set config "Default Web Site/Public" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost
appcmd set config "Default Web Site/Rpc" -section:access -sslFlags:Ssl -commit:apphost
appcmd set config "Default Web Site/RpcWithCert" -section:access -sslFlags:Ssl,Ssl128 -commit:apphost

cacls "C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB\web.config" /E /P "NT Authority\authenticated Users":R

iisreset
——
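After running the batch file it is worth confirming that IIS ended up in the intended state, especially that the redirect did not leak into the virtual directories and that the SSL requirement landed where the script puts it. The PowerShell below is an added example (not Mark Smith's script or part of the post) using the IIS WebAdministration module on the CAS server; the expected values are taken from the script above (OAB and PowerShell left without SSL required, Rpc with Ssl only). Because IIS may render an empty sslFlags as "None", the comparison normalizes both.

```powershell
# Added example (not from the original post): verify the redirect/SSL state the
# appcmd batch script sets. Run elevated on the Exchange 2010 CAS server.
Import-Module WebAdministration

function Get-OwaRedirectState {
    param([string]$Site = 'Default Web Site')

    # Expected sslFlags per virtual directory, mirroring the appcmd script
    $expectSsl = @{
        'Aspnet_Client' = 'Ssl,Ssl128'; 'Autodiscover' = 'Ssl,Ssl128'; 'EWS' = 'Ssl,Ssl128'
        'ECP' = 'Ssl,Ssl128'; 'Exchange' = 'Ssl,Ssl128'; 'Exchweb' = 'Ssl,Ssl128'
        'Microsoft-Server-ActiveSync' = 'Ssl,Ssl128'; 'OWA' = 'Ssl,Ssl128'
        'PowerShell' = ''; 'OAB' = ''; 'Public' = 'Ssl,Ssl128'
        'Rpc' = 'Ssl'; 'RpcWithCert' = 'Ssl,Ssl128'
    }

    # IIS may report no flags as "" or "None"; strip spaces and treat both alike
    function Normalize([object]$flags) {
        $s = ([string]$flags) -replace '\s', ''
        if ($s -eq 'None') { '' } else { $s }
    }

    # Site root: redirect enabled for the root only, SSL not required so plain
    # http://mail.domain.com can still reach it and be redirected
    $rootPath = "IIS:\Sites\$Site"
    $redir = Get-WebConfiguration -Filter 'system.webServer/httpRedirect' -PSPath $rootPath
    $ssl   = Normalize (Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $rootPath).sslFlags
    [pscustomobject]@{
        Path = $Site; RedirectEnabled = $redir.enabled; ChildOnly = $redir.childOnly
        Destination = $redir.destination; SslFlags = $ssl
        Ok = ([bool]$redir.enabled -and [bool]$redir.childOnly -and $ssl -eq '')
    }

    # Virtual directories: redirect off, sslFlags as the script sets them
    foreach ($vdir in ($expectSsl.Keys | Sort-Object)) {
        $path  = "IIS:\Sites\$Site\$vdir"
        $redir = Get-WebConfiguration -Filter 'system.webServer/httpRedirect' -PSPath $path
        $ssl   = Normalize (Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $path).sslFlags
        [pscustomobject]@{
            Path = "$Site/$vdir"; RedirectEnabled = $redir.enabled; ChildOnly = $null
            Destination = $null; SslFlags = $ssl
            Ok = ((-not [bool]$redir.enabled) -and $ssl -eq $expectSsl[$vdir])
        }
    }
}

$state = Get-OwaRedirectState
$state | Format-Table -AutoSize
$state | Where-Object { -not $_.Ok } | ForEach-Object { Write-Warning "Unexpected state for $($_.Path)" }
```

Any row with Ok = False is a path where the batch script did not apply cleanly (a common cause is a virtual directory that does not exist on this server, which shows up as an error from Get-WebConfiguration rather than a row).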

Insufficient System resources in Exchange 2010, disable back pressure/resource monitoring

Starting from Exchange 2007, the edge transport service uses the system resource monitoring feature to watch vital resources such as hard drive space and memory and takes action in an attempt to prevent service outages. This can be a pain, as the whole thing is calculated from a formula:

100 * (hard disk size - fixed constant) / hard disk size

This feature is called back pressure; more info at http://technet.microsoft.com/en-us/library/bb201658.aspx, and how this formula works at http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/back-pressure-exchange-2010-part1.html

Now, simply put: you get this error from other SMTP servers trying to contact yours: "Insufficient System resources". To get around this you will need to increase the hard drive space or memory; until then you can temporarily disable this monitoring feature so that you can start receiving important emails. WARNING: this is not a recommended permanent solution; do this only until you've figured out which resource needs looking at, i.e. hard drive space, RAM etc.

Make a backup copy of the edgetransport.exe.config file before you start.

  1. Open the EdgeTransport.exe.config file from the \Exchange Server\Bin directory using Notepad.
  2. Add the following key/value pair inside the <appSettings> section:
    <add key="EnableResourceMonitoring" value="false" />
  3. Save the file.
  4. Restart the Microsoft Exchange Transport service (MSExchangeTransport):
    Restart-Service MSExchangeTransport
  5. And you've got mail.

Other options are to:

configure the EdgeTransport.exe.config file to reflect your server configuration and resources (not recommended by MS)

OR

move the queue database to another volume which has lots of space; add the following key to change the path of the queue database.

  1. Open the following file by using Notepad: C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe.config.
  2. Modify the following line in the <appSettings> section.
    <add key="QueueDatabasePath" value="<LocalPath>" />

    This example creates a queue database at the location C:\Queue\QueueDB.

    <add key="QueueDatabasePath" value="C:\Queue\QueueDB" />
  3. Save and close the EdgeTransport.exe.config file.
  4. Restart the Microsoft Exchange Transport service.
  5. Verify that the new Mail.que and Trn.chk files are created at the new location.
  6. Remove the unused Mail.que and Trn.chk files from the original location.

ref: http://technet.microsoft.com/en-us/library/f170cb0c-04a9-4fa7-b594-206e3a787e14.aspx

The following events will be logged:

  • Event ID 15004: Increase in the utilization level for any resource (eg from Normal to Medium)
  • Event ID 15005: Decrease in the utilization level for any resource (eg from High to Medium)
  • Event ID 15006: High utilization for disk space (ie critically low free disk space)
  • Event ID 15007: High utilization for memory (ie critically low available memory)

Look out for these Event IDs; they will help you diagnose which resource needs to be looked at.

ref: http://exchangeserverpro.com/exchange-transport-server-back-pressure
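Both procedures above boil down to editing one appSettings key in EdgeTransport.exe.config and restarting the transport service, and the diagnosis boils down to reading events 15004 to 15007. The PowerShell below is an added example (not from the post or the TechNet article) that does the config edit as an XML change with a timestamped backup, so quotes and encoding are not mangled by hand-editing, and lists the recent back pressure events with a short meaning for each ID. The config path is the V14 path from the post; the 24-hour window is an assumption.

```powershell
# Added example (not from the original post): safely set an appSettings key in
# EdgeTransport.exe.config (backup first) and list recent back pressure events.
# Run elevated on the Exchange 2010 transport server.
$edgeConfig = 'C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe.config'

function Set-EdgeTransportSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Key,    # e.g. EnableResourceMonitoring or QueueDatabasePath
        [Parameter(Mandatory)][string]$Value,
        [string]$Path = $edgeConfig
    )
    # Step 0 of the post: keep a backup copy before touching the file
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    [xml]$xml = Get-Content -LiteralPath $Path
    $settings = $xml.configuration.appSettings
    $node = $settings.SelectSingleNode("add[@key='$Key']")
    if ($node) {
        $node.value = $Value                       # modify the existing <add key=... />
    } else {
        $node = $xml.CreateElement('add')          # or append a new one
        $node.SetAttribute('key', $Key)
        $node.SetAttribute('value', $Value)
        [void]$settings.AppendChild($node)
    }
    if ($PSCmdlet.ShouldProcess($Path, "Set $Key=$Value (backup: $backup)")) {
        $xml.Save($Path)
    }
    # Report the effective value so the change can be verified
    [pscustomobject]@{
        Key    = $Key
        Value  = $xml.configuration.appSettings.SelectSingleNode("add[@key='$Key']").value
        Backup = $backup
    }
}

function Get-BackPressureEvents {
    param([int]$Hours = 24)   # look-back window (assumed)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchangeTransport'
        Id = 15004, 15005, 15006, 15007; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = {
        switch ($_.Id) {
            15004 { 'resource utilization increased' }
            15005 { 'resource utilization decreased' }
            15006 { 'disk space critically low' }
            15007 { 'available memory critically low' }
        }
    } }, Message
}

# Diagnose first: which resource tripped?
Get-BackPressureEvents | Format-Table -AutoSize -Wrap

# Temporary workaround from the post, then restart transport:
# Set-EdgeTransportSetting -Key EnableResourceMonitoring -Value false
# Restart-Service MSExchangeTransport
# Or relocate the queue database (then verify Mail.que/Trn.chk at the new path):
# Set-EdgeTransportSetting -Key QueueDatabasePath -Value 'C:\Queue\QueueDB'
```

Because the function returns the backup path, a later Set-EdgeTransportSetting -Key EnableResourceMonitoring -Value true (or copying the .bak file back) restores monitoring once the disk or memory problem is fixed, which keeps the workaround from becoming permanent.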