
[{"content":"","date":"20 June 2019","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"20 June 2019","externalUrl":null,"permalink":"/","section":"Ilantz's Weblog","summary":"","title":"Ilantz's Weblog","type":"page"},{"content":" An essential part of a successful deployment of Office 365 is to make sure connectivity is optimal and that there are no restrictions being applied for the public endpoints of the service, among other factors. This is all detailed in the Office 365 Network Connectivity Principles documentation. A good overview of the concept was delivered at Ignite 2019 - BRK3000 - Strategies for building effective, optimal and future proof connectivity to Office 365 that will delight your users\nOne of the tasks is to read the list of the endpoints from the Office 365 URLs and IP address ranges documentation page. Due to the dynamic nature of the endpoint list, a web service was made available to ease automation, reporting and 3rd party solutions.\nMost of the time, you\u0026rsquo;ll just want to fetch the list of the URLs, and hand them over to your friendly networking team that would then do their magic. 
Luckily, PowerShell can be used to get that list easily, here\u0026rsquo;s an example:\n$endpoints = Invoke-WebRequest \u0026#34;https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7\u0026#34; | ConvertFrom-Json ; $endpoints | ?{$_.serviceArea -eq \u0026#34;Common\u0026#34; -AND $_.Required -eq \u0026#34;True\u0026#34;} | select urls -ExpandProperty Urls This would request the full list of endpoints from the web service, convert it from JSON into PowerShell objects and output only the Common Services which are also tagged as Required and list only the Urls.\nAnother example would be to pull the Optimize category:\n$endpoints = Invoke-WebRequest \u0026#34;https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7\u0026#34; | ConvertFrom-Json ; $endpoints | ?{$_.category -eq \u0026#34;Optimize\u0026#34; } Enjoy!\n","date":"20 June 2019","externalUrl":null,"permalink":"/2019/06/20/listing-office-365-endpoints-using-powershell/","section":"Posts","summary":"","title":"Listing Office 365 Endpoints using PowerShell","type":"posts"},{"content":"","date":"20 June 2019","externalUrl":null,"permalink":"/categories/office-365/","section":"Categories","summary":"","title":"Office-365","type":"categories"},{"content":"","date":"20 June 2019","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"14 May 2018","externalUrl":null,"permalink":"/categories/azure-ad/","section":"Categories","summary":"","title":"Azure-Ad","type":"categories"},{"content":" Most organizations are required these days to enable collaboration solutions and services with external parties. These may include B2B scenarios or B2C in some cases. 
In this post I\u0026rsquo;ll be specific to Office 365 Group resources, with Microsoft Teams as an example, you should be aware that each Team in Microsoft Teams corresponds to an Office 365 group.\nA common ask is \u0026ldquo;We wish to enable only named people to join as a guest to our Teams, we don\u0026rsquo;t want anyone from the organization to invite anyone they like - we need to control this with an internal workflow.\u0026rdquo; to satisfy this request, we will use native capabilities within Azure Active Directory and Office 365 to enable group owners to add existing external guests to their team/office 365 group. In addition, we will enable only specific people in the organization with the permission to create and add new guests accounts to the directory.\nNote: This is the basic example, this can be adapted to more complex workflows of approval/automation to make this more customized to a specific requirement. In Office 365 Admin Center, navigate to \u0026ldquo;Services \u0026amp; add-ins\u0026rdquo;, select \u0026ldquo;Office 365 Groups\u0026rdquo; and enable \u0026ldquo;Let group owners add people outside the organization to groups\u0026rdquo;\nEnabling the capability to add external guest accounts to Office 365 groups. To make sure your guests will also have access to the SharePoint files, enable external sharing using the SharePoint Admin Center. with alignment to our blog theme, we will enable access to Existing accounts only.\nEnabling external content sharing within SharePoint to allow guests to access the files within Microsoft Teams. We are now ready to limit who can invite external guests. we will configure this using the Azure Active Directory blade in the Azure portal. 
Disabling the capability for non-admin or users with the guest inviter role to add new external guest accounts to the directory Disabling \u0026ldquo;Members can invite\u0026rdquo; and \u0026ldquo;Guests can invite\u0026rdquo; will effectively achieve our goal - \u0026ldquo;Admins and users in the guest inviter role can invite\u0026rdquo;\nFinally, assign the \u0026ldquo;Guest inviter\u0026rdquo; role to whomever you need\nAssigning the \u0026ldquo;Guest inviter\u0026rdquo; role to a specific user account. The configuration is now complete. A Guest Inviter or an Admin can now add new guests to the directory, and follow whatever internal due diligence or workflow prior to that. Using the (new) AzureAD PowerShell module is my personal recommendation. This way the guest user could be silently added to the directory - and an email will not be sent to him. Later on, an owner of an Office 365 Group or a Microsoft Teams group could add him easily like any other member - and that will trigger the email invite to the external user.\nNew-AzureADMSInvitation -InvitedUserDisplayName \u0026#34;John Doe (External)\u0026#34; -InvitedUserEmailAddress \u0026#34;john.doe@contoso.com\u0026#34; -SendInvitationMessage:$false -InviteRedirectUrl \u0026#34;http://just.a.placeholder.local\u0026#34; Using the Azure AD portal is also available to the guest inviter role if PowerShell is out of the question Adding a new external guest account to the directory. And if you\u0026rsquo;ve wondered, this is the error if someone would try to add a new guest account and they don\u0026rsquo;t have the proper permissions in Microsoft Teams. 
Enjoy!\n","date":"14 May 2018","externalUrl":null,"permalink":"/2018/05/14/controlling-external-collaboration-in-microsoft-teams/","section":"Posts","summary":"","title":"Controlling External Collaboration in Microsoft Teams","type":"posts"},{"content":" Disclaimer # Last updated: May 14, 2018\nThe information contained on this website is for general information purposes only.\nAll the content on this site are my own and do not represent the opinions of any entity whatsoever with which I have been, am now, or will be affiliated.\nNO WARRANTIES. THE SITE CONTENT IS PROVIDED “AS IS” WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT AND FREEDOM FROM COMPUTER VIRUSES. Ilantz\u0026rsquo;s Weblog PERIODICALLY ADDS, CHANGES, IMPROVES OR UPDATES THE SITE CONTENT WITHOUT NOTICE. Ilantz\u0026rsquo;s Weblog HEREBY DISCLAIMS ALL LIABILITY FOR ANY ERRORS OR OMISSIONS IN THE SITE CONTENT. YOU ARE SOLELY RESPONSIBLE FOR, AND ASSUME ALL RISKS ASSOCIATED WITH, YOUR ACCESS, LINK TO AND USE OF THIS SITE AND THE SITE CONTENT.LIMITATION OF LIABILITY. 
UNDER NO CIRCUMSTANCES SHALL Ilantz\u0026rsquo;s Weblog BE LIABLE FOR ANY DAMAGES SUFFERED BY YOU OR ANY THIRD PARTY, INCLUDING, WITHOUT LIMITATION, ANY DIRECT OR INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL OR CONSEQUENTIAL DAMAGES (INCLUDING, WITHOUT LIMITATION, ANY REPUTATIONAL DAMAGES, ANY LOST PROFITS, DAMAGES FOR BUSINESS INTERRUPTION, OR LOSS OF INFORMATION, PROGRAMS OR OTHER DATA) THAT RESULT FROM ACCESS TO, LINK TO, USE OF OR INABILITY TO USE THIS SITE OR DUE TO ANY BREACH OF SECURITY ASSOCIATED WITH THE TRANSMISSION OF INFORMATION THROUGH THE INTERNET, REGARDLESS OF THE THEORY OF LIBAILITY AND EVEN IF FORESSEABLE OR EVEN IF Ilantz\u0026rsquo;s Weblog WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.\nExternal links disclaimer # ilantz.com website may contain links to external websites that are not provided or maintained by or in any way affiliated with Ilantz\u0026rsquo;s Weblog\nPlease note that the Ilantz\u0026rsquo;s Weblog does not guarantee the accuracy, relevance, timeliness, or completeness of any information on these external websites.\n","date":"14 May 2018","externalUrl":null,"permalink":"/disclaimer/","section":"Pages","summary":"","title":"Disclaimer","type":"pages"},{"content":"","date":"14 May 2018","externalUrl":null,"permalink":"/pages/","section":"Pages","summary":"","title":"Pages","type":"pages"},{"content":"","date":"12 September 2017","externalUrl":null,"permalink":"/categories/powershell/","section":"Categories","summary":"","title":"Powershell","type":"categories"},{"content":"A quick PowerShell Tip.\nI\u0026rsquo;ve just stumbled upon this within the scripting guy blog, and I felt I must (re)share it. 
Don\u0026rsquo;t we all hate it when values are displayed and being truncated with \u0026ldquo;\u0026hellip;\u0026rdquo; ?\nPS C:\\\u0026gt; Get-Service -Name winmgmt | ft name, DependentServices -AutoSize Name DependentServices ---- ----------------- winmgmt {wscsvc, vmms, SUService, SharedAccess**...**} It turns out that the system variable $FormatEnumerationLimit is controlling this behavior and there\u0026rsquo;s a way to properly eliminate these. The article suggests setting it to \u0026ldquo;4\u0026rdquo; but \u0026ldquo;-1\u0026rdquo; will also be a good option.\nhttps://blogs.technet.microsoft.com/heyscriptingguy/2013/02/19/powertip-change-powershell-to-display-more-info-by-default/\nEnjoy ! ( I know I did )\n","date":"12 September 2017","externalUrl":null,"permalink":"/2017/09/12/stopping-powershell-from-truncating-values-in-tables/","section":"Posts","summary":"","title":"Stopping PowerShell from truncating values in tables","type":"posts"},{"content":"","date":"23 July 2017","externalUrl":null,"permalink":"/categories/adfs/","section":"Categories","summary":"","title":"Adfs","type":"categories"},{"content":" Updates: # 2017-07-27 - I\u0026rsquo;ve included another important note about adding the \u0026ldquo;Authentication Methods References\u0026rdquo; claim Hi again, this is a quick note for anyone who will try to achieve this. I\u0026rsquo;m writing this post after the topic has been raised by customers and my colleagues.\nHere are some of the challenges that might have brought you here\nAn Azure AD tenant, with a federated domain pointing to an ADFS ADFS server running 2012 R2 / 2016 with a Multi Factor setup, either with Azure MFA or a 3rd party MFA provider A conditional access / identity protection policy in Azure AD which should enforce Multi Factor authentication ADFS 2016 with Azure MFA set as primary authentication Event ID 364 on the ADFS server - Encountered error during federation passive request. 
MSIS7042: The same client browser session has made \u0026lsquo;6\u0026rsquo; requests in the last \u0026lsquo;4\u0026rsquo; seconds While configuring this, you might get multiple Multi Factor prompts, user performs MFA on-premises, but when redirected back to Azure AD - second factor prompt in cloud is presented. Here’s how you win:\nMake sure you configure the federated domain setting in Azure AD with -SupportsMFA $true – this will point Multi Factor“requests” to the ADFS: Set-MsolDomainFederationSettings -DomainName \u0026lt;name.com\u0026gt; -SupportsMFA $true See more here - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azuread-connected-apps#conditional-access-rules-with-mfa\nIn addition to the above you also need to make sure to configure -PromptLoginBehavior Disabled, this will make sure that authentication requests from Azure AD will reach the ADFS “correctly” and won’t cause it to re-authenticate your users: Set-MsolDomainFederationSettings -DomainName \u0026lt;name.com\u0026gt; -PromptLoginBehavior Disabled See more here - https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-prompt-login\nNote that for ADFS 2012 R2, the July 2016 update rollup is required for this parameter to work.\nMake sure you create a custom rule to pass \u0026ldquo;Authentication Methods References\u0026rdquo; as a claim, follow Secure Azure AD resources using AD FS With only setting Azure MFA set as Primary, you effectively do NOT perform Multi Factor. 
please read carefully Configure AD FS 2016 and Azure MFA and see the notes around it.\nIf you have policy which will enforce Multi Factor and your setup is Azure MFA as Primary - follow the steps above first.\nIf you\u0026rsquo;d like to \u0026ldquo;skip\u0026rdquo; the second prompt in the cloud, you can either re-think your CA policy :) or follow https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-send-claims-using-a-custom-rule to add the following claim using a custom rule:\nc:[Type == \u0026#34;http://schemas.microsoft.com/claims/authnmethodsreferences\u0026#34;] =\u0026gt; issue(Type = \u0026#34;http://schemas.microsoft.com/claims/authnmethodsreferences\u0026#34;, Value = \u0026#34;http://schemas.microsoft.com/claims/multipleauthn\u0026#34;); This rule will effectively add all your users a static \u0026ldquo;fake\u0026rdquo; claim which states they have performed Multi Factor successfully.\n","date":"23 July 2017","externalUrl":null,"permalink":"/2017/07/23/azure-ad-federated-sso-and-mfa-on-premises-with-adfs/","section":"Posts","summary":"","title":"Azure AD Federated SSO and MFA on-premises with ADFS","type":"posts"},{"content":" I\u0026rsquo;ve setup a GitHub Repo with all of my \u0026ldquo;public\u0026rdquo; PowerShell scripts: https://github.com/ilantz/ilantz-scripts The repo holds all of the scripts I\u0026rsquo;ve blogged about, and some others that I didn\u0026rsquo;t so make sure to check it out. I intend to keep that repo updated and maintain it with new versions and new scripts.\nNote: ANY CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. 
USE UNDER YOUR OWN RISK.\n","date":"8 June 2016","externalUrl":null,"permalink":"/2016/06/08/github-powershell-scripts-repo/","section":"Posts","summary":"","title":"GitHub PowerShell Scripts Repo","type":"posts"},{"content":"","date":"20 January 2016","externalUrl":null,"permalink":"/categories/ems/","section":"Categories","summary":"","title":"Ems","type":"categories"},{"content":" So you\u0026rsquo;ve purchased Microsoft\u0026rsquo;s Enterprise Mobility Suite (EMS) licenses, now you need to assign them to users within your organization. A typical situation will be that you already have Office 365 licensed users, and it make sense that all of them will get EMS licenses too. To achieve this, I would suggest using an Azure AD group with Dynamic Group membership. in this example, the group will include accounts that match ALL these conditions:\nEnabled users accounts Users with an email address Users with a-non empty Usage Location Synchronized user accounts Within the Azure AD management portal (http://manage.windowsazure.com) navigate to your Active Directory tenant, and perform the following:\nCreate a group in Azure AD Enable it for Dynamic Membership Enter the advanced rule: (user.accountEnabled -eq \u0026ldquo;true\u0026rdquo;) AND (user.mail -ne $null) AND (user.usageLocation -ne $null) AND (user.dirSyncEnabled -eq true) Assign EMS licenses to the Group You can read more about Dynamic Group Membership here:\nhttp://blogs.technet.com/b/ad/archive/2015/03/09/attribute-based-dynamic-group-membership-for-azure-ad-premium-is-now-in-preview.aspx\nhttps://azure.microsoft.com/en-us/documentation/articles/active-directory-accessmanagement-groups-with-advanced-rules/\nYou can also assign licenses with the following methods:\nUsing the Office 365 Portal - like you would add Office 365 licenses. 
This was made available late 2015 - http://blogs.technet.com/b/microsoftintune/archive/2015/09/01/intune-and-ems-subscriptions-now-available-in-the-office-365-portal.aspx Using Azure AD PowerShell - http://blogs.technet.com/b/treycarlee/archive/2013/11/01/list-of-powershell-licensing-sku-s-for-office-365.aspx ,you can use the following example to assign EMS licenses (with all options) only to users with an Office 365 E3 license: $EMSSKU = (Get-MsolAccountSku | ? { $_.AccountSkuID -like \u0026quot;*:EMS\u0026quot;})[0].accountSkuId Get-MsolUser -All | ? { $_.licenses.accountsku.SkuPartNumber -eq \u0026quot;ENTERPRISEPACK\u0026quot;} | Set-MsolUserLicense -AddLicenses $EMSSKU Azure AD Graph API - https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations#FunctionsandactionsonusersAssignalicensetoauser Enjoy\n","date":"20 January 2016","externalUrl":null,"permalink":"/2016/01/20/ems-license-assignment-to-all-users-made-easy/","section":"Posts","summary":"","title":"EMS license assignment to all users made easy","type":"posts"},{"content":" There are some known limitation and inconsistency with user photos synchronization from Active Directory (using the thumbnailPhoto attribute) to Azure AD and Office 365 apps: Exchange, SharePoint and Skype for Business (aka Lync), specifically if you want to upload high resolution photos of your users that will span across all of Office 365 services. 
After spending some research time around this issue, here are my findings:\n\u0026ldquo;High Resolution\u0026rdquo; in our context is a 648 x 648 pixel dimension size JPEG photo The Active Directory thumbnailPhoto attribute value is limited to about 100KB in size - this will mostly prevent you from uploading a \u0026ldquo;high resolution\u0026rdquo; photo \u0026ldquo;Common knowledge\u0026rdquo; around synchronizing the thumbnailPhoto using Directory Synchronization (aka DirSync / AAD Sync/ AAD Connect) to Office 365 / Azure AD is that the attribute should not exceed 10KB, and the recommended photo dimension is 96 x 96 pixels - This is really an \u0026ldquo;Exchange\u0026rdquo; limit as far as I know.. List of attributes that are synced by the Azure Active Directory Sync Tool aka KB 2256198 Office 365: thumbnailPhoto - Obtaining Photo Sizes from Active Directory When User Photos are stored within Office 365 a web service handles requests for the photo with predefined allowed sizes for example - https://outlook.office365.com/owa/service.svc/s/GetPersonaPhoto?email=emailaddress@domain.com\u0026size=HR648x648 Modify this to your email address to try this out There are quite a few possible sizes, try for example 96x96 and 240x240 to get the idea SharePoint holds a separate location and also a few versions for it\u0026rsquo;s images within each users profile folder and is suppose to synchronize those from Exchange Web Services See this post for additional details around SharePoint - Options for SharePoint User Profile Properties and Photos The Set-UserPhoto cmdlet from Exchange (Online and On-Prem) allows you to save high resolution photos, and integrates with Skype for Business Server 2015 (also for Lync 2013) and SharePoint 2013/2016 - each product with it\u0026rsquo;s own flow which I\u0026rsquo;m not going into explaining. 
See Configure the use of high-resolution photos in Skype for Business Server 2015 SharePoint part is covered at Options for SharePoint User Profile Properties and Photos So to summarize at this point, we want to import high resolution photos to our users. If we rely on the thumbnailPhoto attribute value from Active Directory, we will end up with low resolution images (needs more JPEG effect) or inconsistent results if we look on the SharePoint case.\nTo upload high resolution photos to Office 365, you should use Set-UserPhoto. This approach works great for Exchange Online, Skype for Business and Azure AD. Although promising, my testing (and others..) showed that if your users\u0026rsquo; photos were previously synced to SharePoint Online - they will not necessarily be updated using this method.\nHere is my take on solving this, in a somewhat chronological order:\nIf you need your on-premises thumbnailPhoto attribute populated, keep your current practice of maintaining them. To avoid future inconsistencies - use \u0026ldquo;Azure AD app and attribute filtering\u0026rdquo; to filter out thumbnailPhoto using Azure AD Connect - Custom installation of Azure AD Connect Utilize the Set-UserPhoto cmdlet in Exchange Online PowerShell to upload your users high resolutions (648x648 px) photos Note Uploading High Resolution Photos using PowerShell for Office 365 to workaround - “The remote server returned an error: (413) Request Entity Too Large” error if you get this. To upload your users high resolution photos to SharePoint online use the Core.ProfilePictureUploader sample app from the OfficeDev PnP GitHub repo. 
To make this easier to non coders :) I\u0026rsquo;ve complied the code sample for your usage - http://ilantz.com/files/Core.ProfilePictureUploader.zip Get the source code here and also make sure to read the FAQ - https://github.com/OfficeDev/PnP/tree/master/Samples/Core.ProfilePictureUploader Follow the explanations in the GitHub page link above around how to run the utility (configuration.xml , the CSV input file and the command syntax). Make sure your pictures are JPEG files\u0026hellip; This sample app is also documented here, with some additional explanations - Upload user profile pictures sample app for SharePoint That\u0026rsquo;s it !\nHope this helps anyone, please comment if it did.\n","date":"17 November 2015","externalUrl":null,"permalink":"/2015/11/17/high-resolution-user-photo-synchronization-to-office-365/","section":"Posts","summary":"","title":"High Resolution User Photo Synchronization to Office 365","type":"posts"},{"content":" Just a quick note for everyone missing the log files location of Microsoft Intune On-Premises Exchange Connector, seems like there is no documentation on where those files exists. and they are very useful for debugging this component. This info came from a support case I\u0026rsquo;ve had with the on-premises connector :)\nAnyhow:\nLog files are here - C:\\ProgramData\\Microsoft\\Windows Intune Exchange Connector\\ If you wish to enable verbose tracing for more advanced debugging do the following: Open the Exchange Connector tracing configuration file. The file is located at: %ProgramData%\\Microsoft\\Windows Intune Exchange Connector\\TracingConfiguration.xml Locate the TraceSourceLine with the following key: OnPremisesExchangeConnectorService Change the SourceLevel node value from Warning ActivityTracing (the default) to Verbose ActivityTracing. 
_\u0026lt;TraceSourceLine\u0026gt;_ _\u0026lt;Key xsi:type=\u0026#34;xsd:string\u0026#34;\u0026gt;OnPremisesExchangeConnectorService\u0026lt;/Key\u0026gt;_ _\u0026lt;Value xsi:type=\u0026#34;TraceSource\u0026#34;\u0026gt;_ _\u0026lt;SourceLevel\u0026gt;All\u0026lt;/SourceLevel\u0026gt;_ _\u0026lt;Listeners\u0026gt;_ _\u0026lt;Listener\u0026gt;_ _\u0026lt;ListenerType\u0026gt;CircularTraceListener\u0026lt;/ListenerType\u0026gt;_ _\u0026lt;SourceLevel\u0026gt;**Verbose ActivityTracing**\u0026lt;/SourceLevel\u0026gt;_ _\u0026lt;FileSizeQuotaInBytes\u0026gt;10000000\u0026lt;/FileSizeQuotaInBytes\u0026gt;_ _\u0026lt;FileName\u0026gt;Microsoft\\Windows Intune Exchange Connector\\Logs\\Connector.svclog\u0026lt;/FileName\u0026gt;_ _\u0026lt;FileQuota\u0026gt;30\u0026lt;/FileQuota\u0026gt;_ _\u0026lt;/Listener\u0026gt;_ _\u0026lt;/Listeners\u0026gt;_ _\u0026lt;/Value\u0026gt;_ _\u0026lt;/TraceSourceLine\u0026gt;_ It is important to note that the ActivityTracing setting should remain or be included with ANY value that is set for the setting.\nenjoy\n","date":"22 October 2015","externalUrl":null,"permalink":"/2015/10/22/intune-on-premises-exchange-connector-log/","section":"Posts","summary":"","title":"Intune On-Premises Exchange Connector Log","type":"posts"},{"content":" Quick note, make sure you do not forget to modify your PSModulePath system variable when installing a new PowerShell module\u0026hellip; Quoting from Installing Modules:\nEffect of Incorrect Installation\nIf the module is not well-formed and its location is not included in the value of the PSModulePath environment variable, basic discovery features of Windows PowerShell, such as the following, do not work.\nThe Module Auto-Loading feature cannot import the module automatically. The ListAvailable parameter of the Get-Module cmdlet cannot find the module. The Import-Module cmdlet cannot find the module. To import the module, you must provide the full path to the root module file or module manifest file. 
In my case, I\u0026rsquo;ve noticed that because I did not modify the PSModulePath system variable, a scheduled task of the PowerShell script using that module failed to import the module\u0026hellip; The fun part was that running it in Interactive Mode (while being logged in to the server) actually worked\u0026hellip;\nLearn from the mistakes of others\u0026hellip;\n","date":"22 June 2015","externalUrl":null,"permalink":"/2015/06/22/lesson-learned-on-powershell-modules/","section":"Posts","summary":"","title":"Lesson learned on PowerShell Modules","type":"posts"},{"content":" Just to help anyone out there that might be facing this issue. I\u0026rsquo;ve helped troubleshoot an Exchange 2010 RTM upgrade to Exchange 2010 SP3 which kept failing due to missing language files\u0026hellip; Event ID 1603 was also thrown as per KB 2784788 - \u0026ldquo;1635\u0026rdquo; or \u0026ldquo;1603\u0026rdquo; error code when you install update rollups or service packs for Exchange Server 2007 or Exchange Server 2010\nThe MSILOG indeed showed that the setup was looking for the RTM language files in the original location where the setup files were, but they are long gone\u0026hellip; With the RTM DVD nowhere to be found (RTM trial files + the oldest Language Pack bundle are in a non-compatible version), this situation was doomed to failure.\nSo, I\u0026rsquo;ve turned to manually removing any references to the Client / Server language packs on the server. This included removing a whole bunch of registry keys:\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ExchangeServer\\v14\\Language Packs\\ \u0026lt;-- the whole KEY HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Products\\ \u0026lt;-- Whatever \u0026#34;Microsoft Exchange ** Language Pack\u0026#34; I found HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ \u0026lt;-- Whatever \u0026#34;Microsoft Exchange ** Language Pack\u0026#34; I found 
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products \u0026lt;-- Whatever \u0026#34;Microsoft Exchange ** Language Pack\u0026#34; I found Following this brutal way, I\u0026rsquo;ve stumbled upon a way to Applying Small Updates by Reinstalling the Product this actually achieves what the installer wants:\nmsiexec /i Server\u0026lt;or\u0026gt;ClientLanguagePack.msi REINSTALLMODE=vomus And it works ! Now, I guess that with a script this would have been much quicker then the registry method, but at least now I\u0026rsquo;m (and you are) aware of this workaround , and here\u0026rsquo;s the script for your usage:\n** edit the $setuplocation variable for your directory of the servicepack.\n$setupLocation = \u0026#34;c:\\sp3\u0026#34; $allDirs = dir $setupLocation -Directory foreach ($dir in $allDirs) { if (Test-Path ($dir.FullName + \u0026#34;\\clientlanguagepack.msi\u0026#34;)) {Write-Host \u0026#34;Installing\u0026#34; $dir.name ; Start-Process -FilePath msiexec -ArgumentList /i, ($dir.FullName + \u0026#34;\\clientlanguagepack.msi\u0026#34;), \u0026#34;REINSTALLMODE=vomus\u0026#34; -Wait } if (Test-Path ($dir.FullName + \u0026#34;\\serverlanguagepack.msi\u0026#34;)) {Write-Host \u0026#34;Installing\u0026#34; $dir.name ; Start-Process -FilePath msiexec -ArgumentList /i, ($dir.FullName + \u0026#34;\\serverlanguagepack.msi\u0026#34;), \u0026#34;REINSTALLMODE=vomus\u0026#34; -Wait } } Additional references:\nUpgrading Service pack - keep asking for language pack\nhttp://stackoverflow.com/a/7916340 - credit for the REINSTALLMODE=vomus trick\nHow to restore the missing Windows Installer cache files and resolve problems that occur during a SQL Server update - kb 969052\n","date":"14 June 2015","externalUrl":null,"permalink":"/2015/06/14/exchange-upgrade-fails-due-to-missing-language-files/","section":"Posts","summary":"","title":"Exchange upgrade fails due to missing language files","type":"posts"},{"content":"","date":"14 
June 2015","externalUrl":null,"permalink":"/categories/exchange-2007/","section":"Categories","summary":"","title":"Exchange-2007","type":"categories"},{"content":"","date":"14 June 2015","externalUrl":null,"permalink":"/categories/exchange-2010/","section":"Categories","summary":"","title":"Exchange-2010","type":"categories"},{"content":"","date":"14 June 2015","externalUrl":null,"permalink":"/categories/exchange-2013/","section":"Categories","summary":"","title":"Exchange-2013","type":"categories"},{"content":"","date":"14 June 2015","externalUrl":null,"permalink":"/categories/server-2008-r2/","section":"Categories","summary":"","title":"Server-2008-R2","type":"categories"},{"content":"","date":"14 June 2015","externalUrl":null,"permalink":"/categories/server-2012/","section":"Categories","summary":"","title":"Server-2012","type":"categories"},{"content":" Following a troubleshooting session I\u0026rsquo;ve had lately, I wanted to share with you an important recommended setting that most folks (myself included) often overlook. With more and more virtual servers and fewer and fewer physical servers being deployed, capabilities like SpeedStep of a CPU were forgotten. Take for example the following \u0026ldquo;modest\u0026rdquo; specifications of Intel Xeon E5-2690 v2, with 10 cores @ 3.0 GHz; this is a \u0026ldquo;fair\u0026rdquo; spec for a high load / CPU intensive profile server.\nBUT! If you forget to select the \u0026ldquo;High Performance\u0026rdquo; power option in Windows Server for example, you could end up with:\nNotice that the speed of the CPU is less than half the speed it can run at. 
now to make things better, just make sure to select the \u0026ldquo;preferred\u0026rdquo; settings for your busy server:\nJust a heads up for all you folks out there, the default \u0026ldquo;Balanced\u0026rdquo; option caused a performance issue with an Exchange 2013 server that was running on this physical hardware and once the option was changed - all was back to normal :)\n","date":"16 February 2015","externalUrl":null,"permalink":"/2015/02/16/dont-forget-to-modify-your-windows-server-power-options/","section":"Posts","summary":"","title":"Don't forget to modify your Windows Server Power Options","type":"posts"},{"content":"","date":"16 February 2015","externalUrl":null,"permalink":"/categories/misc/","section":"Categories","summary":"","title":"Misc","type":"categories"},{"content":"","date":"22 January 2015","externalUrl":null,"permalink":"/categories/exchange-2003/","section":"Categories","summary":"","title":"Exchange-2003","type":"categories"},{"content":"","date":"22 January 2015","externalUrl":null,"permalink":"/categories/outlook-mapi/","section":"Categories","summary":"","title":"Outlook-Mapi","type":"categories"},{"content":" I\u0026rsquo;ve just bumped into Chad Solarz\u0026rsquo;s \u0026ldquo;The Exchange toolkit\u0026rdquo; blog entry. it\u0026rsquo;s quite dated\u0026hellip; but nonetheless has great links and a great \u0026ldquo;one stop shop\u0026rdquo; here. For your usage..\nhttp://blogs.technet.com/b/csolarz/archive/2013/05/13/the-exchange-toolkit.aspx\n","date":"22 January 2015","externalUrl":null,"permalink":"/2015/01/22/the-exchange-toolkit/","section":"Posts","summary":"","title":"The Exchange toolkit","type":"posts"},{"content":" Looking to download QAD / Quest AD cmdlets / Quest ActiveRoles Management Shell for Active Directory ? 
It took me a while to locate it now that Quest has been integrated into the Dell Software website\u0026hellip; so here\u0026rsquo;s your quick way to download:\nhttp://software.dell.com/register/71110\nIt was just hiding in the Trial downloads section - http://software.dell.com/trials/\nHappy QAD\u0026rsquo;ing :)\n","date":"28 December 2014","externalUrl":null,"permalink":"/2014/12/28/quest-dell-activeroles-management-shell-for-active-directory/","section":"Posts","summary":"","title":"Quest (Dell) ActiveRoles Management Shell for Active Directory","type":"posts"},{"content":" Recently I\u0026rsquo;ve messed with my Windows 8.1 profile account, and shortly after my OneDrive for Business client started crashing in a loop\u0026hellip; it just went crazy, filling my notification area with icons and failing to stop. I had no way to reach any menu or remove the folders I\u0026rsquo;m syncing. I\u0026rsquo;ve tried the easy (lazy) way of repairing / uninstalling / removing Office 365 ProPlus (in my case) which turned out useless.. did some manual clean up of registry entries, removed caching files and obviously looked up forum threads and KBs which also turned out, as you\u0026rsquo;ve guessed it - useless\u0026hellip;\nAlmost desperate, I\u0026rsquo;ve turned to the almighty Process Monitor and started debugging the errors.\nThrough closely examining the endless output of entries, I\u0026rsquo;ve spotted an undocumented registry entry that was being checked by the Groove.exe (which is your OneDrive sync process) upon start-up.\nSo there I was, crossing fingers, editing the registry hoping\u0026hellip; and BINGO! 
I have performed a reset to the OneDrive for Business client, and it behaved like the first time I\u0026rsquo;ve opened it up.\nHere it is, add/modify these two DWORD values: [HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Groove] \u0026quot;FirstSyncComplete\u0026quot;=dword:00000000 [HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Groove\\Development] \u0026quot;IsResyncEnabled\u0026quot;=dword:00000001\nHope this post will help more good folks out there.\n","date":"27 December 2014","externalUrl":null,"permalink":"/2014/12/27/how-to-reset-onedrive-for-business-when-its-crashing-constantly/","section":"Posts","summary":"","title":"How to reset OneDrive for Business when it's crashing constantly","type":"posts"},{"content":"Just ran into this one,\nAn existing Exchange 2013 CU2 installation was requested to be updated to CU5, nothing special there\u0026hellip; When trying to run the CU5 setup.exe /PrepareAD, the setup failed with an error: [02/07/2014 11:57:49.0192] [1] [ERROR] Active Directory operation failed on dc.domain.com. The object 'CN=Default,CN=OWA Mailbox Policies,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com' already exists. [02/07/2014 11:57:49.0192] [1] [ERROR] The object exists.\nDigging in the ExchangeSetup.log file, I\u0026rsquo;ve tried to identify the cause.\n[02/07/2014 11:57:49.0192] [1] [ERROR] The following error was generated when \u0026#34;$error.Clear(); $policyDefault = Get-OwaMailboxPolicy -DomainController $RoleDomainController | where {$_.Identity -eq \u0026#34;Default\u0026#34;}; if($policyDefault -eq $null) { New-OwaMailboxPolicy -Name \u0026#34;Default\u0026#34; -DomainController $RoleDomainController } \u0026#34; was run: \u0026#34;Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed on dc.domain.com. 
The object \u0026#39;CN=Default,CN=OWA Mailbox Policies,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com\u0026#39; already exists. ---\u0026gt; System.DirectoryServices.Protocols.DirectoryOperationException: The object exists. So I\u0026rsquo;ve tried to reproduce the test manually using the same command in the setup: Get-OwaMailboxPolicy -DomainController $RoleDomainController | where {$_.Identity -eq \u0026quot;Default\u0026quot;} And the result was indeed $null .. which made no sense here\u0026hellip; because it does exist, as the error states - the object \u0026lsquo;CN=Default,CN=OWA Mailbox Policies,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com\u0026rsquo; already exists.\nThen I\u0026rsquo;ve noticed that the CN was \u0026ldquo;default\u0026rdquo; with lower \u0026ldquo;d\u0026rdquo; \u0026hellip; although the Where-Object and -eq should be case insensitive, the check failed\u0026hellip;\nSo, I\u0026rsquo;ve modified the value to be \u0026ldquo;Default\u0026rdquo; with capital \u0026ldquo;D\u0026rdquo;:\nSet-OwaMailboxPolicy -Identity default -Name Default That did the trick :) and the setup.exe /PrepareAD was successful.\n","date":"7 August 2014","externalUrl":null,"permalink":"/2014/08/07/exchange-2013-cu5-upgrade-fails-with-error-the-object-already-exists/","section":"Posts","summary":"","title":"Exchange 2013 CU5 upgrade fails with error - The object already exists","type":"posts"},{"content":" Update 2 - February 24th 2016 - The new February AD Connect release has no scheduled task anymore. So we now have a new command in the ADSync module - Start-ADSyncSyncCycle. 
To initiate a synchronization locally or remotely (if enabled), you could run the following command for example:\nInvoke-Command -ComputerName DirSync-Server.domain.com -ScriptBlock {\u0026amp; Import-Module ADSync;Start-ADSyncSyncCycle} Update - July 7th 2015 - For those who have installed the latest AADSync - Azure Active Directory Sync or AD Connect - Azure Active Directory Connect\nThere has been another change to the module name, it is now ADSync, and the great news is that forcing replication will no longer be a PowerShell cmdlet.\nTo initiate a synchronization locally or remotely (if enabled), you could run the following command for example:\nInvoke-Command -ComputerName DirSync-Server.domain.com -ScriptBlock {\u0026amp; \u0026#34;C:\\Program Files\\Microsoft Azure AD Sync\\Bin\\DirectorySyncClientCmd.exe\u0026#34;} If you\u0026rsquo;re also looking to force a full password sync to Azure AD, visit this page - How to Use PowerShell to Trigger a Full Password Sync in Azure AD Sync\nJust noticed now that the new build of Windows Azure Directory Synchronization Tool is missing the DirSyncConfigShell.psc1 file. Moreover, the Coexistence-Configuration PSSnapin is also gone. Trying to add the pssnapin would generate the error - The Windows PowerShell snap-in Coexistence-Configuration is not installed on this machine.\nSo if you\u0026rsquo;re trying to use the known way to force a synchronization with DirSync, use these PowerShell commands to achieve what you were used to. 
Import-Module DirSync; Start-OnlineCoexistenceSync\nEnjoy!\n","date":"10 June 2014","externalUrl":null,"permalink":"/2014/06/10/the-windows-powershell-snap-in-coexistence-configuration-is-not-installed-on-this-machine/","section":"Posts","summary":"","title":"The Windows PowerShell snap-in Coexistence-Configuration is not installed on this machine","type":"posts"},{"content":" After a few incidents from Office 365 deployments, I\u0026rsquo;d like to share this issue to help anyone facing it. If you or any of your users tried to send an email and use the \u0026ldquo;From\u0026rdquo; option to send as another recipient you might face NDRs (non delivery reports) which will include these errors:\nDelivery has failed to these recipients or groups This message could not be sent. Try sending the message again later, or contact your network administrator. Error is [0x80070005-00000000-00000000] Using Exchange Server Error Code Look-up (Download Err.exe), 0x80070005 resolves back to MAPI_E_NO_ACCESS or E_ACCESSDENIED which brings us to the actual cause of the issue.\nSendAs / Send-as permissions are not retained in migrations to Office 365 just because it is based on an ACL set in Active Directory and ACLs are not synced to Office 365.\nTo add a SendAs permission use the Add-RecipientPermission cmdlet with Exchange Online Remote PowerShell or use the Exchange Admin Control Panel and add the Send As permission from the \u0026ldquo;Mailbox Delegation\u0026rdquo; menu.\nAdd-RecipientPermission \u0026#34;Help Desk\u0026#34; -AccessRights SendAs -Trustee \u0026#34;Ayla Kol\u0026#34; See the full reference about the command here - http://technet.microsoft.com/en-us/library/ff935839(v=exchg.150).aspx\nAs a result of this issue, I\u0026rsquo;ve created a small script to report which recipients (of any type) have non-inherited SendAs permission ACLs. 
You can later use the report to re-create the permission in 365.\nDownload the script here: http://gallery.technet.microsoft.com/Report-non-inherited-Send-86ab658b\n","date":"4 June 2014","externalUrl":null,"permalink":"/2014/06/04/this-message-could-not-be-sent-error-0x80070005-office-365-report-non-inherited-send-as-permissions-script/","section":"Posts","summary":"","title":"This message could not be sent - Error 0x80070005 - Office 365 | Report non-inherited Send-As permissions script","type":"posts"},{"content":"Hi,\nSince Office 365 projects started, setting users\u0026rsquo; licenses with scripts has been somewhat of an issue. There are great scripts out there to automate assigning licenses to users, but the prerequisite of assigning an Office 365 license to a user is to choose the Usage Location for that user. When dealing with several dozens or hundreds of users that might be fine, but for large-scale deployments this also becomes an issue, and I\u0026rsquo;ve decided to script it and share this in case anyone will need this as much as I did.\nThis script has a really simple logic: trace down the Country attribute value for each user, match that with the two letter country code (required for the PowerShell Set-MsolUser command) and set that value for the user.\nI\u0026rsquo;ve worked up to match the list from https://www.iso.org/obp/ui to the countries available for selection within the Office 365 portal.\nKeep in mind that the script will not handle any spelling errors, so be sure to maintain the country value BEFORE you run this script. 
If you are using Directory Synchronization this should be more productive as your Active Directory will also benefit from this move\u0026hellip;\nThe script will try to find an exact match of the country value, although - case insensitive.\nGrab it here: http://gallery.technet.microsoft.com/office/Setting-Office-365-Usage-4d685175\nPlease share your comments if you have any, I would love hearing this script is being used.\n","date":"10 April 2014","externalUrl":null,"permalink":"/2014/04/10/setting-office-365-usagelocation-value-using-the-country-attribute-value/","section":"Posts","summary":"","title":"Setting Office 365 UsageLocation value using the Country attribute value","type":"posts"},{"content":"Hi Again,\nWhile setting up the Hybrid Configuration Wizard on an Exchange 2010 server for Office 365, I\u0026rsquo;ve encountered this error: [2/4/2014 13:36:8] INFO:Running command: Get-FederationInformation -DomainName 'contoso.mail.onmicrosoft.com' -BypassAdditionalDomainValidation 'True' [2/4/2014 13:36:8] INFO:Cmdlet: Get-FederationInformation --Start Time: 2/4/2014 3:36:08 PM. [2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --End Time: 2/4/2014 3:36:16 PM. [2/4/2014 13:36:16] INFO:Cmdlet: Get-FederationInformation --Processing Time: 7690.8. [2/4/2014 13:36:16] INFO:Disconnected from On-Premises session [2/4/2014 13:36:17] INFO:Disconnected from Tenant session [2/4/2014 13:36:17] ERROR:Updating hybrid configuration failed with error 'Subtask Configure execution failed: Creating Organization Relationships. Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings. Operation is not valid due to the current state of the object. 
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings) at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings) at System.Management.Automation.PowerShell.Invoke() at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors) '. Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\\Program Files\\Microsoft\\Exchange Server\\V14\\Logging\\Update-HybridConfiguration\\HybridConfiguration_2_4_2014_13_35_39_635271177398297855.log. Looking at the application log in the Exchange server showed an Event ID 403 with source MSExchange Common: The Certificate named xxxxxxx in the Federation Trust \u0026#39;Microsoft Federation Gateway\u0026#39; is expired. Please review the Federation Trust properties and the certificates installed in the certificate store of the server. After checking of course, the Federation certificate was just created\u0026hellip; and is indeed valid\u0026hellip;..\nAll that was required was a quick \u0026ldquo;restart\u0026rdquo; to the application pools on the server, I usually just restart the MSExchangeServiceHost and MSExchangeProtectedServiceHost services. After that the wizard completed successfully :)\nHope this helped anyone,\n","date":"12 February 2014","externalUrl":null,"permalink":"/2014/02/12/exchange-hybrid-configuration-failed-with-error-subtask-configure-execution-failed/","section":"Posts","summary":"","title":"Exchange Hybrid Configuration failed with error Subtask Configure execution failed","type":"posts"},{"content":" Update - 05-02-2015 - Thanks for the feedback about this post, some more work has been done, please download the new version\u0026hellip; Update - 07-30-2014 - Thanks for the feedback about this post, I\u0026rsquo;ve republished the code. 
It is now wrapped as a script and also logs results to a log file. Download the new version\u0026hellip;\nI\u0026rsquo;ve been busy with more Office 365 and Hybrid Exchange Online deployments and came up with a script I hope will help some of you out there.\nWhile deploying a Hybrid Exchange Online setup, one of the steps the Hybrid Configuration Wizard is doing is modifying the email address policy and adding \u0026ldquo;alias@tenant.mail.onmicrosoft.com\u0026rdquo; to the relevant EAP policies. This is great although there\u0026rsquo;s a good chance you have some mailboxes that are set with EmailAddressPolicyEnabled:$false\nI\u0026rsquo;ve written a function script that will help you add the additional secondary SMTP proxy address to those mailboxes easily :)\nHere\u0026rsquo;s an example on how to use the script:\n.\\Add-OnMicrosoftSMTP.ps1 -Tenant:ilantz\nThe script will require your \u0026ldquo;Tenant\u0026rdquo; name, for example - if your Office 365 tenant is ilantz.onmicrosoft.com, enter ilantz as the tenant name. Once entered it will find all mailboxes with the property EmailAddressPolicyEnabled:$false that have no routing SMTP address like *@tenant.mail.onmicrosoft.com (following the default Exchange Hybrid Configuration Wizard settings). Then the script will add the required SMTP proxy address following the PrimarySmtpAddress prefix. If that SMTP proxy address is already taken, the function will add a random 5 digit number to the prefix - John.Doe12345@tenant.mail.onmicrosoft.com.\nThe script will catch and display any exceptions that may occur during the process. 
It will automatically log the results to a log file.\nGet the script here - http://gallery.technet.microsoft.com/Office-365-Add-Exchange-14c7f0c3\nRevision History\n1.0 - Initial release\n1.1 - Updated and rewritten as a script instead of a function which caused confusion\n1.2 - Added Logging of successful addresses being added and failures\n1.3 - Updated with server-side filtering to get all relevant users for better efficiency, an updated logging mechanism and using now the PrimarySmtpAddress prefix value for the routing address.\nEnjoy!\n","date":"22 December 2013","externalUrl":null,"permalink":"/2013/12/22/manually-adding-a-secondary-smtp-proxy-address-for-hybrid-exchange-online-and-office-365/","section":"Posts","summary":"","title":"Manually adding a secondary SMTP proxy address for hybrid Exchange Online and Office 365","type":"posts"},{"content":"Quick note from the field..\nI\u0026rsquo;ve encountered an issue with an Exchange 2010 and Office 365 Hybrid configuration, users that were moved to Office 365 and tried to reach the original On-Premise OWA URL were receiving an error - The Outlook Web App address https://owa.domain.com/owa is out of date. What should have happened is that the OWA will offer the users to use the URL configured on the TargetOwaUrl parameter on the Organization Relationship to the Office 365 routing domain. 
After some digging I\u0026rsquo;ve realized that this hybrid setup was performed using the manual steps that were documented for Exchange 2010 SP1, so the Hybrid Configuration Wizard did not do its magic\u0026hellip;.\nAnyhow, after comparing this setup with a working hybrid configuration including the OWA redirection, I\u0026rsquo;ve noticed that the TargetOwaUrl value did not have xxx/owa/xxxx in its URL.\nSo instead of http://outlook.com/owa/domain.mail.onmicrosoft.com - I\u0026rsquo;ve had http://outlook.com/domain.mail.onmicrosoft.com\nSo after running Set-OrganizationRelationship -TargetOwaURL \u0026quot;http://outlook.com/owa/domain.mail.onmicrosoft.com\u0026quot; the redirection worked as expected.\nHope this helps out anyone,\nSee also: Simplify the OWA URL for Office 365 Hybrid\n","date":"2 September 2013","externalUrl":null,"permalink":"/2013/09/02/the-outlook-web-app-address-is-out-of-date-office-365-hybrid/","section":"Posts","summary":"","title":"The Outlook Web App address is out of date - Office 365 Hybrid","type":"posts"},{"content":" In case you\u0026rsquo;ve missed it, Microsoft has released a few security patches this week, among them a highly recommended patch that will safeguard your ADFS deployment from a possible DDoS attack - Microsoft Security Bulletin MS13-066. Make sure you visit the link above and patch your servers today!\nStay safe,\n","date":"21 August 2013","externalUrl":null,"permalink":"/2013/08/21/patch-alert-vulnerability-in-active-directory-federation-services-ms13-066/","section":"Posts","summary":"","title":"Patch Alert - Vulnerability in Active Directory Federation Services - MS13-066","type":"posts"},{"content":" In case you\u0026rsquo;ve missed it, Microsoft released a roll-up update Hotfix for Windows 7 SP1 and Server 2008 R2 SP1 which includes 90 updates (!) 
post-SP1 - An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 Here\u0026rsquo;s a quote from the KB:\nThis article describes a hotfix rollup for Windows 7 Service Pack 1 (SP1)-based and Windows Server 2008 R2 SP1-based computers. This hotfix rollup contains 90 hotfixes that were released after the release of SP1 for Windows 7 and Windows Server 2008 R2. These hotfixes improve the overall performance and system reliability of Windows 7 SP1-based and Windows Server 2008 R2 SP1-based computers. We recommend that you apply this hotfix rollup as part of your regular maintenance routine and build processes for Windows 7 and Windows Server 2008 R2 computers. Note This hotfix rollup primarily addresses the issues that occur on domain-joined client computers and servers. Therefore, this hotfix rollup is available only from the Microsoft Update Catalog. You can also install this hotfix rollup on computers that are running Windows 7 SP1 in nonenterprise environments. After you install the hotfix rollup, the performance of the computers may be improved.\nStay updated :)\n","date":"22 July 2013","externalUrl":null,"permalink":"/2013/07/22/update-your-windows-7-sp1-and-server-2008-r2-sp1/","section":"Posts","summary":"","title":"Update your Windows 7 SP1 and Server 2008 R2 SP1","type":"posts"},{"content":"","date":"22 July 2013","externalUrl":null,"permalink":"/categories/vista-7/","section":"Categories","summary":"","title":"Vista-7","type":"categories"},{"content":"Hi Again,\nDuring a simple migration (cutoff) to Office 365 Exchange Online, I\u0026rsquo;ve encountered a few errors that prevented the migration batch from completing successfully, and wanted to share in case anyone is struggling with them. Active Directory operation failed on AMSPR01A001DC01.EURPR01A001.prod.outlook.com. 
The object \u0026lsquo;CN=user,OU=tenant.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR01A001,DC=prod,DC=outlook,DC=com\u0026rsquo; already exists. This error states that the migration batch failed to create a new object because that specific name is already taken. Sadly enough, the value for the CN=xxxx is taken from the alias property of the user/contact/group being migrated from the on-premise server, and the alias is not unique within (most) Exchange deployments.\nTo solve this, work with the \u0026ldquo;alias\u0026rdquo; property value on your local AD to locate the conflicting objects, work with the results of the migration job and cross-reference until you eliminate all duplicates of the alias values.\nFailed to overwrite the existing Migration Job Item found for \u0026ldquo;user@domain.com\u0026rdquo; [Mailbox]; the Job Item was created with different Recipient Type [Contact]. You may delete the newly created Mailbox and recreate the actual Contact for user@domain.com. This error could be a result of your actions to fix duplicate issues. If for some reason the migration batch started with user@domain.com being a contact and that object has changed, it will fail to \u0026ldquo;update/sync\u0026rdquo; and will continue to expect the original object type, which was different, in this example a contact.\nTo solve this, Connect to Exchange Online Using Remote PowerShell and work with two commands - Get-MigrationUser and Remove-MigrationUser to remove the incorrect object from the migration batch and then resume it. This will make sure the new (correct) object will be synced successfully. 
Here\u0026rsquo;s an example of how to use these commands:\nGet-MigrationUser -Identity User@Domain.com | FL\nNotice the output here and make sure this is indeed the incorrect object that needs to be removed, and then pipe the output to remove that user from the Migration Batch:\nGet-MigrationUser -Identity User@Domain.com | Remove-MigrationUser Once removed, you can resume the migration again and it should now sync your mailboxes correctly.\nHope this helps!\n","date":"14 July 2013","externalUrl":null,"permalink":"/2013/07/14/office-365-migration-batch-error-failed-to-overwrite-the-existing-migration-job-item-found-for-user@domain.com/","section":"Posts","summary":"","title":"Office 365 Migration Batch Error - Failed to overwrite the existing Migration Job Item found for \"user@domain.com\"","type":"posts"},{"content":"Hi,\nWith Exchange 2013 deployments already in place, I\u0026rsquo;ve wanted to share with you all some \u0026ldquo;new\u0026rdquo; behaviors, tips and more to help you prevent headaches and issues :) With regards to two previous posts - Prevent Outlook Anywhere (aka RPC over HTTP) from being automatically configured in Exchange 2007 with autodiscover and also Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere - this post is some sort of a follow-up.\nWith Exchange 2013, Outlook Anywhere (aka RPC over HTTP/s) is the default method for Outlook clients connections - that is, no more direct RPC connections to the servers for Outlook clients. Exchange 2013 will essentially require you to utilize Autodiscover and Outlook Anywhere to actually get your Outlook client connected. This is the main reason for writing this post. 
This information will come in useful if you are getting ready or have already started to deploy Exchange 2013. I\u0026rsquo;ll try to keep it simple and write this down as a list of things to consider so this will be rather easy for all.\nIf you followed my post about how to prevent Outlook Anywhere from being configured and removed the EXPR outlook provider, start with restoring it. Run the following PowerShell command to restore it: New-OutlookProvider -Name:EXPR If you\u0026rsquo;re using any additional methods to configure Outlook Clients or Outlook Anywhere, such as static XML files, Registry settings or Group Policy settings, make sure to revise or even remove them. See also http://support.microsoft.com/kb/2212902 Pay attention to publishing guides for Exchange 2013 - see Publishing Exchange Server 2013 using TMG and also Exchange 2013 Client Access Server Configuration When enabling Outlook Anywhere on Exchange 2013 notice the following: Retain the current External authentication method (Basic,NTLM); your internal authentication method should always be NTLM. Get-OutlookAnywhere –Server (hostname) | Set-OutlookAnywhere -InternalHostname \u0026quot;mail.domain.com\u0026quot; -InternalClientAuthenticationMethod Ntlm -InternalClientsRequireSsl $true -ExternalHostname \u0026quot;mail.domain.com\u0026quot; -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl $true -IISAuthenticationMethods NTLM,Basic -ssloffloading:$false Enable NTLM on the IIS /rpc directory of your Exchange 2007/2010 servers Get-OutlookAnywhere | ?{ $_.AdminDisplayVersion -notlike \u0026quot;Version 15.*\u0026quot;} | Set-OutlookAnywhere -IISAuthenticationMethods NTLM,Basic Plan the CertPrincipalName value you will use, that is the certificate Subject Name that your clients will use to populate the msstd:server.domain.com value - both internally and externally (reminding you to see the note above). 
My personal best practice is to use the same Subject Name on the certificate you will use on your External TMG/UAG/Juniper/F5 reverse proxy and your internal server or servers. Once you are aware of this value you can configure your Outlook Provider accordingly (you can refer to this post for more information on the subject). If you installed a wildcard certificate on your Exchange 2013 server - you must perform the following: Update your EXPR setting - Set-OutlookProvider EXPR -CertPrincipalName msstd:*.company.com Update your EXCH setting (yes!) - Set-OutlookProvider EXCH -CertPrincipalName msstd:*.company.com Don\u0026rsquo;t freak out when you see the Exchange 2013 \u0026ldquo;new\u0026rdquo; server name - its value is actually the Mailbox GUID value, and will be unique for all users. This means that you must use the Autodiscover wizard to configure Outlook clients from now on: Email, password and click next. If you have full mailbox access to a different mailbox - that\u0026rsquo;s great - just type its email address and enter whatever you want for password. (will work only inside the LAN\u0026hellip;) Don\u0026rsquo;t forget to update your Outlook clients - or else they will not connect to Exchange 2013 - see Exchange 2013 System Requirements for the exact information. That\u0026rsquo;s it for now, while deployments continue I will update this topic with new \u0026ldquo;gotchas\u0026rdquo;.\nHope this helps anyone out there. Ilantz\n","date":"29 June 2013","externalUrl":null,"permalink":"/2013/06/29/exchange-2013-outlook-anywhere-considerations/","section":"Posts","summary":"","title":"Exchange 2013 Outlook Anywhere Considerations","type":"posts"},{"content":"Hi Again,\nI\u0026rsquo;ve encountered a situation today with an Exchange 2003 to 2010 migration: the Exchange 2003 Back-End server was missing the virtual directories in IIS, but this issue had an interesting twist \u0026hellip; both vdirs were also missing in the Active Directory! 
Missing or corrupt virtual directories with Exchange are common and can be easily solved with KB 883380 - How to reset the default virtual directories that are required to provide Outlook Web Access, Exchange ActiveSync, and Outlook Mobile Access services in Exchange Server 2003\nExchange Server setup creates each virtual directory in the AD forest configuration partition under services, microsoft Exchange, administrative groups, administration group name, server name, protocols, http, virtual server name (usually 1).\nIn this case, both ActiveSync and OMA virtual directories were missing from Active Directory and as a result were also missing from the System Manager MMC, so performing a Repair Setup or the Reset virtual directories method will prove useless.. both will not write anything new to the AD.. we had to re-create the two virtual directories both in AD and the IIS, so using System Manager, we try to create a new virtual directory, but the ActiveSync and OMA options are greyed out!\nCreating New Virtual Directory With System Manager Grayed out\nWith some searching I\u0026rsquo;ve reached a solution that worked perfectly (dated back to 2007 from the Microsoft Exchange newsgroup), this will enable the options within the System Manager and allow us to re-create the virtual directories and restore order :)\n1. Using ADSIEDIT locate the Exchange 2003 server container - services, microsoft Exchange, administrative groups, administration group name and right click the server name to open its properties. 2. Locate the Heuristics attribute and note the current value (just in-case\u0026hellip;) our value in this case was 805310468. 4. Change the value to 270012416 , click apply and ok. 5. Refresh the Exchange System Manager or close and re-open it. 6. Now, locate the server name within the tree, expand it, expand protocols, expand HTTP, expand the virtual server name and right click to create a new Virtual Directory. 
You should now be able to recreate the Microsoft-Server-ActiveSync and OMA virtual directory.\nNote - This will also reset your RPC over HTTP and other \u0026ldquo;server specific\u0026rdquo; settings that you configured on the server using the System Manager GUI. So make sure to note all configurations under the server properties page and re-enable any changes after setting the value.\nCredits - http://microsoft.newsgroups.archived.at/public.exchange.setup/200702/07021815421.html\nI hope this helps anyone struggling with this,\n","date":"6 May 2013","externalUrl":null,"permalink":"/2013/05/06/missing-microsoft-server-activesync-and-oma-virtual-directories-in-iis-and-active-directory-with-exchange-2003/","section":"Posts","summary":"","title":"Missing Microsoft-Server-ActiveSync and OMA virtual directories in IIS and Active Directory with Exchange 2003","type":"posts"},{"content":"","date":"5 May 2013","externalUrl":null,"permalink":"/categories/group-policy/","section":"Categories","summary":"","title":"Group-Policy","type":"categories"},{"content":"Hi,\nQuick note from the field, if you are moving to Exchange Online / Office 365 you should double check your current office group-policy settings and registry for Outlook. You should make sure that you did not enable the Closest GC setting, or configure a specific global catalog server with the DS Server registry entries under HKEY_CURRENT_USER\\Software\\Microsoft\\Exchange\\Exchange Provider\nBoth registry values, errors and methods for resolution are located at:\nhttp://support.microsoft.com/kb/2507626 - Error in Outlook: \u0026ldquo;The action cannot be completed. 
The Bookmark is not valid\u0026rdquo;\nhttp://support.microsoft.com/kb/319206 - How to configure Outlook to a specific global catalog server or to the closest global catalog server\nAnd while we are on the subject, it\u0026rsquo;s also a good practice to verify the following when moving to Office 365:\nYou do not have Autodiscover related registry settings also - http://support.microsoft.com/kb/2212902 - Unexpected Autodiscover behavior when you have registry settings under the \\Autodiscover key Make sure that the \u0026ldquo;Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server\u0026rdquo; option under account settings of the Outlook Profile is indeed selected. Office 365 requires clients to encrypt MAPI traffic - see the following KB for additional information (originally written for Exchange 2010 RTM) - http://support.microsoft.com/kb/2006508 ","date":"5 May 2013","externalUrl":null,"permalink":"/2013/05/05/the-action-cannot-be-completed-error-using-outlook-exchange-2010-or-office-365/","section":"Posts","summary":"","title":"The action cannot be completed error using Outlook - Exchange 2010 or Office 365","type":"posts"},{"content":"Hi,\nI\u0026rsquo;ve just encountered this issue during a lab for migrating Exchange 2010 to Exchange 2013: migration batches were getting stuck in Syncing. In addition, I noticed two annoying warning messages in the application log of the server with Event ID 1009 and Event ID 1013 with source MSExchangeFastSearch. I\u0026rsquo;ve looked in the migration report using: Get-MigrationUserStatistics -IncludeReport -Identity ilantz@lab.com | fl ...... 
4/28/2013 7:44:46 AM [EX2013] The job is currently stalled due to 'Content Indexing' lagging behind on resource 'CiAgeOfLastNotification(Mailbox Database .....\nSo, indeed the Content Indexing which was failing and keeping the migration back\u0026hellip; nothing special here, Exchange 2010 had this issue as well \u0026hellip; Quick search showed a very odd solution to this\u0026hellip;\nQuoting http://support.microsoft.com/kb/2807668 - Content Index status of all or most of the mailbox databases in the environment shows \u0026ldquo;Failed\u0026rdquo;\nThis issue may occur if the search platform tries to check its membership in a security group that is named \u0026ldquo;ContentSubmitters.\u0026rdquo; This group is not created by the search platform or by Exchange Server 2013 and is therefore not usually present. Although the check usually fails silently, without any consequences, an exception sometimes occurs. This causes the search component to fail.\nWow \u0026hellip; well :) .. hope this will be fixed with CU2.. 
go with Method 1 in the KB, worked like a charm here.\n","date":"28 April 2013","externalUrl":null,"permalink":"/2013/04/28/exchange-2013-migration-batch-stalled-due-to-content-indexing-ciageoflastnotification/","section":"Posts","summary":"","title":"Exchange 2013 Migration Batch Stalled Due To Content Indexing CiAgeOfLastNotification","type":"posts"},{"content":"Hi All,\nFollowing a workaround mentioned on http://support.microsoft.com/kb/2512023 - \u0026ldquo;GetUserOofSettings\u0026rdquo;, \u0026ldquo;SetUserOofSettings\u0026rdquo; and \u0026ldquo;GetUserAvailability\u0026rdquo; operations do not support Exchange Impersonation on the Exchange Server 2010 SP1 schema. Seems like the EWS Managed API 1.1 download link does not work anymore, and it\u0026rsquo;s virtually impossible to get a hold of the files on the web, so I\u0026rsquo;ve uploaded the redistributable package here for anyone looking around for it.\nAnyway - grab it here: Microsoft Exchange Web Services Managed API 1.1\nHope this helps.\nExchange Web Service Managed API 1.1, Download - Microsoft ( Non working download links) : www.microsoft.com/en-us/download/details.aspx?id=13480 http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c3342fb3-fbcc-4127-becf-872c746840e1\n","date":"25 February 2013","externalUrl":null,"permalink":"/2013/02/25/microsoft-exchange-web-services-managed-api-1.1-download/","section":"Posts","summary":"","title":"Microsoft Exchange Web Services Managed API 1.1 Download","type":"posts"},{"content":"Hi again,\nI\u0026rsquo;ve been using Ammyy Admin to support family members and friends for a while now, but since I\u0026rsquo;ve upgraded to Windows 8, the program seems to fail its initial connection to its public servers upon start up. 
It keeps popping out an error window:\nError {12007} occured while connecting to server \u0026ldquo;http://rl.ammyy.com\u0026rdquo; Would you like to change proxy settings?\nAmmy Admin Error 12007 Windows 8 To solve this, just open the Ammyy Admin setting menu and un-check the \u0026ldquo;Run under SYSTEM account on Windows Vista/7/2003/2008\u0026rdquo; check-box.\nUncheck Run under SYSTEM account hope you find this useful.\n","date":"29 January 2013","externalUrl":null,"permalink":"/2013/01/29/ammy-admin-error-12007-with-windows-8/","section":"Posts","summary":"","title":"Ammy Admin Error 12007 with Windows 8","type":"posts"},{"content":"","date":"29 January 2013","externalUrl":null,"permalink":"/categories/windows-8/","section":"Categories","summary":"","title":"Windows-8","type":"categories"},{"content":"Hello all,\nOn Monday, January 14th I\u0026rsquo;ve attended our local Unified Communications User Group at Microsoft and presented the upcoming changes and enhancements with Exchange 2013 HA and Site Resilience capabilities. This post is a follow up on some of the topics I\u0026rsquo;ve covered. Exchange 2013 simplifies deployments and operations greatly with a load of new features. One of the notable changes on my part is the server name no longer reflects a server name. In Exchange 2003,2007 the RPC endpoint used to be our actual server host-name or the clustered mailbox group name. With Exchange 2010 we had the CAS Array which was a logical name that enabled us to load balance CAS servers. traditional single Exchange 2010 host-name was also a possibility.\nWith Exchange 2013 \u0026ldquo;Outlook clients no longer connect to a server fully qualified domain name (FQDN) as they’ve done in all previous versions of Exchange. Using Autodiscover, Outlook finds a new connection point made up of the user’s mailbox GUID + @ + the domain portion of the user’s primary SMTP address. 
This change makes it much less likely that users will see the dreaded message “Your administrator has made a change to your mailbox. Please restart.”. Only Outlook 2007 and later versions are supported with Exchange 2013\u0026rdquo; (Taken from the Exchange 2013 help file - page 46 - Client Access Server). See for yourself:\nMailbox GUID as server name Fetching Mailbox GUID Value From Powershell\nSo without a namespace dependency (server name or a CAS array) that affects our site resilience procedure or fail-over, things get easy - our Mailbox GUID will always remain intact no matter which server is running. Moreover, Exchange 2013 now restricts all client traffic to HTTP using the RPC over HTTP component and relies on the infamous AutoDiscover mechanism to supply the client with the correct HTTP proxy server to use, that\u0026rsquo;s why Outlook 2003 is no longer supported\u0026hellip; Just to be clear here, this means that all Outlook clients will use \u0026ldquo;Outlook Anywhere\u0026rdquo; within the internal network and outside it, if allowed of course. It is also worth mentioning that it is now possible to have a single \u0026ldquo;global\u0026rdquo; host name for internal clients using Outlook, Outlook Web App, ActiveSync, EWS etc.\nOkay, great! But what does DNS have to do with anything? Well, due to the changes within the product with Exchange 2013, DNS Round Robin is a great option for redundancy and will allow you to maintain it without any special requirements for external load balancers or WNLB for example. Although it\u0026rsquo;s a great option - it does not mean that load balancers are not. 
DNS is not aware of server health, availability or server load, which is just one of the attributes of a typical load balancer product.\nA quick recap on DNS Round Robin for those who are not familiar with it: it\u0026rsquo;s basically a single DNS host name record which resolves to multiple IPs, where the first result will be randomized each time a client queries the DNS server. For example, within the DNS zone of the ilantz.com domain two records exist and this is the answer for the first query:\nMail = 192.168.100.1 Mail = 192.168.200.1\nWhile performing the query once again, the results change:\nMail = 192.168.200.1 Mail = 192.168.100.1\nIn my example the host name mail.ilantz.com will be configured within Exchange as the Outlook Anywhere proxy server for internal and also external access. Each server will be located in a different geographic site, which correlates to its subnet. 192.168.100.0/24 is the active HQ site and 192.168.200.0/24 is the passive DR site.\nNow, this should raise a relevant question within your mind\u0026hellip; How exactly would a client know which proxy server it should connect to? You would not want your VIP users connecting to the DR site which is 1000km away right? To resolve this issue you will need a DNS solution that is referred to as GeoDNS or Netmask Ordering (in Microsoft). The built-in mechanism within a Windows server DNS will allow you to use subnet masking to determine the closest IP it should return as the first answer. This is also a default behavior with Windows 7 and above.\nWhile determining the closest result based on the binary bits might work for some customers, for most \u0026ldquo;complex\u0026rdquo; networks it will not\u0026hellip; So here are some points to consider when you implement DNS round robin with your Exchange 2013 namespace:\nYour current internal and external DNS solution supports your requirements for result prioritization. 
Make sure your Exchange topology will reflect your desired results\nDon\u0026rsquo;t confuse external load balancer capabilities with DNS round robin\nHere are some excellent additional reading links, specifically the first post from the Networking team blog.\nHope this clears some confusion, Ilantz\nDNS Round Robin and Destination IP address selection Windows Vista and Windows Server 2008 DNS clients do not honor DNS round robin by default Prioritizing local subnets Description of the netmask ordering feature and the round robin feature in Windows Server 2003 DNS\n","date":"20 January 2013","externalUrl":null,"permalink":"/2013/01/20/exchange-2013-namespace-and-dns-round-robin-considerations/","section":"Posts","summary":"","title":"Exchange 2013 Namespace and DNS Round Robin Considerations","type":"posts"},{"content":"","date":"14 January 2013","externalUrl":null,"permalink":"/categories/forefront-isatmg/","section":"Categories","summary":"","title":"Forefront-Isatmg","type":"categories"},{"content":"","date":"14 January 2013","externalUrl":null,"permalink":"/categories/networking/","section":"Categories","summary":"","title":"Networking","type":"categories"},{"content":" Update June 21st, 2016 - following feedback and a (true golden) blog post by the Exchange Team - Checklist for troubleshooting Outlook connectivity in Exchange 2013 and 2016 (on-premises) - I\u0026rsquo;ve updated the recommended values for the timeout settings, and shortened the article overall for better reading. Do read the post in general, and in topic - check the CAS \u0026amp; Load Balancer configuration paragraphs.\nHi Again,\nThis post will spotlight networking considerations that are mostly overlooked. I\u0026rsquo;ve gathered a few of these issues that might have brought you here searching for an answer:\nOutlook is retrieving data from the Microsoft Exchange Server The connection to Microsoft Exchange is unavailable. 
Outlook must be online or connected to complete this action Sent items are stuck in Outbox or delayed Outlook freezes or stuck when sending a message Event ID 3033 regarding Exchange Server ActiveSync complaining about the most recent heartbeat intervals used by clients Other strange / weird issues \u0026ldquo;but PING works! / telnet to the port works great!\u0026rdquo; - my personal favorite The mentioned issues or symptoms could take place in any network environment, thus more common in complex network setups where multiple devices are protecting / route network traffic. Some typical configurations examples could be one of the following:\nOutlook Anywhere or RPC over HTTP is being used, servers are protected or published by ISA / TMG / UAG / F5 / Juniper or any other reverse proxy / publishing solutions Exchange servers are located behind a firewall, router or other network device Clients / Remote clients are located behind a firewall, router or other network device (just to be clear on that\u0026hellip;) Exchange servers are being load-balanced with an external physical / virtual appliance If you\u0026rsquo;ve read this post up until here and got disappointed because the above does not fit your issue, I\u0026rsquo;d like to suggest reviewing other RPC troubleshooting topics that might help Troubleshooting Outlook RPC dialog boxes - revisited or Outlook RPC Dialog Box Troubleshooting\nExchange Server traditionally (2000 to 2010) used MAPI over RPC to communicate \u0026ldquo;natively\u0026rdquo;, RPC is known to be \u0026ldquo;sensitive\u0026rdquo; and that\u0026rsquo;s why Exchange Server 2013 and beyond allows only Outlook Anywhere (RPC over HTTP) connections from clients which in my opinion is a great change that will simplify future deployments.\nClient\u0026lt;\u0026gt;Server connections in general remains active while data \u0026ldquo;flows\u0026rdquo; , mails are sent/received etc. 
but when the connection is idle, we might have a situation where it will be terminated. Here comes the term KeepAlive - a \u0026ldquo;dummy\u0026rdquo; packet that makes sure the connection remains active while it is idle and no data is flowing.\nHere\u0026rsquo;s my \u0026ldquo;how-to\u0026rdquo; suggestion:\nConfigure the RPC timeout on Exchange servers to make sure that components which use RPC will trigger a keep alive signal within the time frame you would expect:\nreg add \u0026quot;HKLM\\Software\\Policies\\Microsoft\\Windows NT\\RPC\u0026quot; -v \u0026quot;MinimumConnectionTimeout\u0026quot; -t REG_DWORD -d 120\nConsider modifying the server TCP/IP KeepAlive to reduce the chance of \u0026ldquo;IDLE\u0026rdquo; connections being terminated - (Default is two hours - the recommended value is 30 minutes, and no less than 15 minutes) - this controls the OS TCP behavior with idle connections, could greatly improve responsiveness and scalability - http://support.microsoft.com/kb/314053/EN-US\nMake sure that you are aware of any router, firewall or any other network device that is placed between your clients and your servers. Once you do - note their session timeout, session TTL or session ageing setting for the relevant protocol and port! (this could be tricky, so do not treat this lightly)\nThe trick for success here is that timeout settings should be configured without overlapping one another while following the client access \u0026ldquo;path\u0026rdquo;, with each hop closer to the server timing out sooner than the one before it - for example - Client \u0026gt; FW \u0026gt; Load Balancer \u0026gt; Server:\nFW - TCP/IP timeout - 40 minutes\nLoad Balancer - TCP/IP timeout - 35 minutes\nServer - TCP/IP timeout - 30 minutes\nIf additional network devices are placed between the server and your clients, make sure that session timeout settings continue to be configured accordingly. With today\u0026rsquo;s security measures, network security has become much more complex. 
A typical corporate network will implement many different network appliances or software based solutions to secure data, restrict access, prevent attacks and unwanted traffic. Bottom line - don\u0026rsquo;t think you are done with network considerations just because \u0026ldquo;ping works\u0026rdquo; or an email comes with a statement like \u0026ldquo;your port is now open\u0026rdquo;.\nI hope this post will benefit others as this issue was and will probably remain common with Exchange and other client / server services.\nDon\u0026rsquo;t get timed out :) Ilantz\nAdditional useful links and sources of data:\nChecklist for troubleshooting Outlook connectivity in Exchange 2013 and 2016 (on-premises) New Best Practice for RPC Timeouts in Exchange Outlook Anywhere Network Timeout Issue Sent Items delayed when publishing Outlook Anywhere through TMG Outlook getting Stuck/disconnected occassionally with Exchange The Microsoft Outlook’s requesting data problem — a detailed analysis TCP/IP and NBT configuration parameters RPC cancel request dialogue box due to session timeout triggered by the Network devices Troubleshooting Outlook RPC dialog boxes - revisited Outlook RPC Dialog Box Troubleshooting Direct Push - ActiveSync ","date":"14 January 2013","externalUrl":null,"permalink":"/2013/01/14/tcp/ip-keepalive-session-timeout-rpc-timeout-exchange-outlook-and-you/","section":"Posts","summary":"","title":"TCP/IP KeepAlive, Session Timeout, RPC Timeout, Exchange, Outlook and you","type":"posts"},{"content":"Hi Again,\nI\u0026rsquo;ve upgraded my desktop to Windows 8 lately and since the upgrade I\u0026rsquo;ve noticed that each time the computer enters sleep mode or hibernation it keeps turning on by itself mysteriously and for no apparent reason. Well\u0026hellip;no more!! 
Here\u0026rsquo;s the actual line of events that led me to the solution:\nWent through some event viewer entries, specifically looking at Power-Troubleshooter and Kernel-General source that did not provide me with anything\u0026hellip; Event ID 1 Source Power-Troubleshooter Wake Source Unknown\nDouble checked that no one is touching the mouse or keyboard\u0026hellip; :)\nMade sure that the \u0026ldquo;Allow wake timers\u0026rdquo; option is not enabled for the active power scheme Allow Wake Timers Set To Disabled\nDisabled the \u0026ldquo;Allow this device to wake up the computer\u0026rdquo; option on the network card adapter Power Management settings tab - you can query all devices that are allowed using the following command (cmd not PowerShell): powercfg -devicequery wake_armed\nAllow This Device To Wake The Computer Disabled\nOnly after being frustrated again from the computer still waking up with no apparent reason I\u0026rsquo;ve noticed that it keeps waking up at around specific times, which led me to the conclusion that it\u0026rsquo;s probably a scheduled task that was waking the computer up ! Seems like there is a Media Center task named mcupdate_scheduled that was causing all the trouble !\nWake The Computer To Run This Task Enabled\nSo, I\u0026rsquo;ve written a small PowerShell script to disable the \u0026ldquo;wake the computer to run this task\u0026rdquo; option from all scheduled tasks at once, and that did the trick! This script should work fine with Windows 8 or Server 2012 and might serve as an example for manipulating scheduled tasks with PowerShell.\nGet-ScheduledTask | ? { $_.Settings.WakeToRun -eq $true -and $_.State -ne \u0026#34;Disabled\u0026#34;} | % { $_.Settings.WakeToRun = $false; Set-ScheduledTask $_ }\nNow my computer sleeps and hibernates without waking up ! 
ZzzzzzzZzzzzZzzzz\nAdditional Links:\nhttp://superuser.com/questions/503786/windows-8-desktop-wakes-up-immediately-after-sleep-due-to-keyboard-mouse/522628\nhttp://www.howtogeek.com/127818/how-to-stop-windows-8-waking-up-your-pc-to-run-maintenance/\n","date":"21 December 2012","externalUrl":null,"permalink":"/2012/12/21/windows-8-wakes-up-from-sleep-or-hibernation-unexpectedly/","section":"Posts","summary":"","title":"Windows 8 Wakes Up From Sleep or Hibernation Unexpectedly","type":"posts"},{"content":"Hi Again, due to popular demand, here is my small RBAC “knowledge base”, this should apply just fine to Exchange 2010 and Exchange 2013.\nFast and Furious how-to and cool examples: http://www.mikepfeiffer.net/2010/11/7-useful-one-liners-when-managing-rbac-in-exchange-2010/\nhttp://blogs.technet.com/b/heyscriptingguy/archive/2012/01/13/use-powershell-and-rbac-to-control-access-to-exchange-server-cmdlets.aspx\nhttp://www.opsvault.com/how-to-create-custom-recipient-management-groups-using-exchange-2010-rbac/\nhttp://rbac.codeplex.com/ - a free GUI tool for managing RBAC\nLearn and Understand RBAC:\nhttp://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx - RBAC and the Triangle of Power\nhttp://technet.microsoft.com/en-us/library/dd298183.aspx - Understanding Role Based Access Control\nhttp://help.outlook.com/en-us/140/dd207272.aspx - Built-in RBAC Roles for Exchange Online\nHope you find this information useful !\n","date":"30 October 2012","externalUrl":null,"permalink":"/2012/10/30/exchange-rbac-knowledge-base/","section":"Posts","summary":"","title":"Exchange RBAC Knowledge base","type":"posts"},{"content":"Hello Everyone,\nA huge release by Microsoft, all client and server office products are out ! 
Login to your TechNet / MSDN Subscriptions and start downloading :)\nLync Server 2013\nExchange Server 2013\nOffice Web Apps 2013\nOffice Professional Plus 2013 (x64 and x86)\nSharePoint Server 2013\nVisio Professional (x64 and x86)\nProject Professional 2013 (x64 and x86)\nEnjoy !\n","date":"25 October 2012","externalUrl":null,"permalink":"/2012/10/25/office-client-and-office-server-2013-product-line-was-released/","section":"Posts","summary":"","title":"Office Client and Office Server 2013 product line was released!","type":"posts"},{"content":"Hi Again,\nI\u0026rsquo;ve recently had an unusual situation I wanted to share. A client of mine had a geographically stretched Exchange 2010 DAG cluster that crashed really badly, the original \u0026ldquo;active\u0026rdquo; servers had been lost beyond repair\u0026hellip; luckily the databases were replicated to another location, so the data was saved. In addition the client was in between a migration from Exchange 2007 to Exchange 2010 (the 2007 servers were not affected by the disaster..). Just for the sake of explaining a little more, the original \u0026ldquo;active\u0026rdquo; servers should have been restored with the setup.com /m:recoverserver, but due to the nature of the failure those servers and their names are gone and were no longer required. 
Those failed Exchange 2010 DAG member servers were completely deleted from Active Directory using ADSIEdit.\nTo recover the Exchange 2010 environment I\u0026rsquo;ve done a few steps, following which the Exchange DAG was online and service was restored.\nRestored the DAG to the DR site (evict nodes from the cluster, modify the quorum, leverage AlternateWitnessServer): Restore-DatabaseAvailabilityGroup\nCreated a new ClientAccessArray in the new AD site\nModified all databases with Set-MailboxDatabase so the new CAS array is now the RpcClientAccessServer\nMade sure all databases are active within our new site and on the correct servers with Move-ActiveMailboxDatabase\nRemoved the lost database copies on the lost DAG members with Remove-MailboxDatabaseCopy\nForcibly removed the lost DAG members from the DAG: Remove-DatabaseAvailabilityGroupServer -ConfigurationOnly\nFollowing the actions above, service was restored, and all was good, until we encountered an issue with users located on the Exchange 2007, they reported that they could not retrieve any free/busy information from other users (which were all located on Exchange 2010 databases).\nA quick troubleshooting showed that configuration was fine (URLs were set correctly, networking access was fine, permissions were okay etc..), so I\u0026rsquo;ve enabled the troubleshooting log on an Outlook client while logged on as a 2007 user. 
Looking at the xxxx-xxx-AS.log (availability service logs) generated from Outlook, I was able to extract the root cause:\n\u0026lt;FreeBusyResponse\u0026gt;\u0026lt;ResponseMessage ResponseClass=\u0026#34;Error\u0026#34;\u0026gt;\u0026lt;MessageText\u0026gt;Unable to find a Client Access server that can serve a request for an intraforest mailbox \u0026lt;Jhon Doe\u0026gt;;SMTP:Jhon.Doe@Contoso.com., inner exception: The server MBX2.contoso.com was not found in the topology.\u0026lt;/MessageText\u0026gt;\u0026lt;ResponseCode\u0026gt;ErrorServiceDiscoveryFailed\u0026lt;/ResponseCode\u0026gt;\u0026lt;DescriptiveLinkKey\u0026gt;0\u0026lt;/DescriptiveLinkKey\u0026gt;\u0026lt;MessageXml\u0026gt;\u0026lt;ExceptionType xmlns=\u0026#34;http://schemas.microsoft.com/exchange/services/2006/errors\u0026#34;\u0026gt;Microsoft.Exchange.InfoWorker.Common.Availability.ServiceDiscoveryFailedException\u0026lt;/ExceptionType\u0026gt;\u0026lt;ExceptionCode xmlns=\u0026#34;http://schemas.microsoft.com/exchange/services/2006/errors\u0026#34;\u0026gt;5021\u0026lt;/ExceptionCode\u0026gt;\u0026lt;/MessageXml\u0026gt;\u0026lt;/ResponseMessage\u0026gt;\u0026lt;FreeBusyView\u0026gt;\u0026lt;FreeBusyViewType xmlns=\u0026#34;http://schemas.microsoft.com/exchange/services/2006/types\u0026#34;\u0026gt;None\u0026lt;/FreeBusyViewType\u0026gt;\u0026lt;/FreeBusyView\u0026gt;\u0026lt;/FreeBusyResponse\u0026gt;\nThe availability service on the Exchange 2007 server was trying to locate the users using their msExchHomeServerName value which pointed to a deleted server, one of the original \u0026ldquo;active\u0026rdquo; DAG members that was lost ! Looking at the attribute values of John Doe (per my example above) reveals that the values of homeMTA and msExchHomeServerName were pointing to non existing values, the homeMTA clearly shows a deleted server value, and the msExchHomeServerName points to a server that no longer exists. 
Here\u0026rsquo;s an example of what I saw:\nhomeMTA points to a deleted server value - CN=Microsoft MTA\\0DEL: msExchHomeServerName points to a deleted server\nI\u0026rsquo;ve written a small PowerShell script that helps update the values for all affected users using an LDAP filter and the Get-ADUser cmdlet from the Active Directory module and the Set-Mailbox -ConfigurationOnly cmdlet.\nUse this script at your own risk; make sure to always double check yourself before running it in a production environment.\nImport-Module ActiveDirectory\n# LDAP filter: users whose msExchHomeServerName still points to the lost server (MBX2 here)\n$filter = \u0026#34;(\u0026amp;(objectCategory=user)(objectClass=user)(msExchHomeServerName=/o=Contoso/ou=Exchange\\20Administrative\\20Group\\20\\28FYDIBOHF23SPDLT\\29/cn=Configuration/cn=Servers/cn=MBX2*))\u0026#34;\n# -Properties takes a list of attribute names, not one comma-joined string\n$strAttributes = \u0026#34;msExchHomeServerName\u0026#34;, \u0026#34;homeMTA\u0026#34;, \u0026#34;homeMDB\u0026#34;\n$users = Get-ADUser -LDAPFilter $filter -ResultSetSize $null -Properties $strAttributes\nforeach ($user in $users) {\n  $mbx = Get-Mailbox -Identity $user.DistinguishedName\n  Write-Host \u0026#34;working on user\u0026#34; $user.Name\n  Write-Host \u0026#34;working on mailbox\u0026#34; $mbx.Name\n  # Set the mailbox to the database it already lives on, which is the re-home step this post relies on\n  Set-Mailbox $mbx -Database $mbx.Database -Confirm:$false -Force -Verbose\n}\nMake sure you modify the LDAP filter $filter and the MBX2 per your configuration.\nThe conclusion from this case was very interesting to me, the scenario we had here was a \u0026ldquo;typical\u0026rdquo; cross site activation of an Exchange 2010 DAG, but due to the nature of the failure, we were forced to re-home the mailboxes as if we were using Database Portability! (excluding the actual database change of course). 
See the links below for more about Database Portability.\nHope you find this information useful, Ilantz\nDatacenter Switchovers\nMove a Mailbox Database Using Database Portability\n","date":"28 September 2012","externalUrl":null,"permalink":"/2012/09/28/exchange-2010-dag-failover-with-lost-members-and-homemta-and-msexchhomeservername-values/","section":"Posts","summary":"","title":"Exchange 2010 DAG failover with lost members and homeMTA and msExchHomeServerName values","type":"posts"},{"content":"Hi Everyone ! Ilantz.com will be the permanent location for my blog from now on :) Please, update your bookmarks / RSS and subscribe again to continue receiving updates by email.\nThanks for visiting !\n","date":"8 June 2012","externalUrl":null,"permalink":"/2012/06/08/ilantz.wordpress.com-is-now-ilantz.com/","section":"Posts","summary":"","title":"ilantz.wordpress.com is now ilantz.com","type":"posts"},{"content":"","date":"6 June 2012","externalUrl":null,"permalink":"/categories/hyper-v/","section":"Categories","summary":"","title":"Hyper-V","type":"categories"},{"content":" Hey Again, It seems like next year will keep me busy with virtualization projects based on Hyper-V :) Many promising features are coming up with the next Windows Server version and I\u0026rsquo;m already excited ! 
Just take a look at the tables below for a comparison between 2008 R2 and 2012 RC Hyper-V:\nProcessor and Memory Support\nProcessor/Memory Feature | Windows Server 2008 R2 | Windows Server 2012 Release Candidate\nLogical processors on hardware | 64 | 320\nPhysical memory | 1 TB | 4 TB\nVirtual processors per host | 512 | 2,048\nVirtual processors per virtual machine | 4 | 64\nMemory per virtual machine | 64 GB | 1 TB\nActive virtual machines | 384 | 1,024\nMaximum Cluster Nodes | 16 | 64\nMaximum Cluster Virtual machines | 1,000 | 4,000\nNetwork\nNetwork Feature | Windows Server 2008 R2 | Windows Server 2012 Release Candidate\nNIC Teaming | Yes, through partners | Yes, Windows NIC teaming in box\nVLAN Tagging | Yes | Yes\nMAC Spoofing Protection | Yes, with R2 SP1 | Yes\nARP Spoofing Protection | Yes, with R2 SP1 | Yes\nSR-IOV Networking | No | Yes\nNetwork QoS | No | Yes\nNetwork Metering | No | Yes\nNetwork Monitor Modes | No | Yes\nIPsec Task Offload | No | Yes\nVM Trunk Mode | No | Yes\nStorage\nStorage Feature | Windows Server 2008 R2 | Windows Server 2012 Release Candidate\nLive storage migration | No, quick storage migration through System Center Virtual Machine Manager | Yes, with no limits (as many as the hardware will allow)\nVirtual machines on file storage | No | Yes, Server Message Block 3.0 (SMB3)\nGuest Fibre Channel | No | Yes\nVirtual disk format | VHD up to 2 TB | VHD up to 2 TB, VHDX up to 64 TB\nVirtual machine guest clustering | Yes, through iSCSI | Yes, through iSCSI, Fibre Channel, or Fibre Channel over Ethernet (FCoE)\nNative 4 KB disk support | No | Yes\nLive virtual hard disk merge | No, offline | Yes\nLive new parent | No | Yes\nSecure offloaded data transfer | No | Yes\nManageability\nManageability Feature | Windows Server 2008 R2 | Windows Server 2012 Release Candidate\nHyper-V PowerShell | No | Yes\nNetwork PowerShell | No | Yes\nStorage PowerShell | No | Yes\nREST APIs | No | Yes\nSCONFIG | Yes | Yes\nEnable/Disable shell | No, server core at operating system setup | Yes\nVMConnect support for RemoteFX | No | Yes\nAdditional links for your reading:\nHyper-V Comparison Guide\nCompetitive 
Advantages of Windows Server 2012 RC Hyper-V\nWindows Server 2012 Release Candidate Server Virtualization\nWindows Server 2012 Release Candidate\n","date":"6 June 2012","externalUrl":null,"permalink":"/2012/06/06/mind-blowing-features-coming-with-windows-server-2012-hyper-v/","section":"Posts","summary":"","title":"Mind blowing features coming with Windows Server 2012 Hyper-v","type":"posts"},{"content":"Hey again,\nIf you have any Mac users working against your Exchange 2007 or Exchange 2010 servers, you\u0026rsquo;ve probably already solved this issue, so this is just for future reference and general knowledge. Following the Microsoft reference on the subject: Set Message Size Limits for Exchange Web Services the below example is for Exchange 2007\nConfigure the application to receive 50 MB requests:\nOpen CMD\n%windir%\\system32\\inetsrv\\appcmd set config \u0026quot;Default Web Site/EWS\u0026quot; -section:requestFiltering -requestLimits.maxAllowedContentLength:69905067\nEdit web.config to allow 50 MB requests:\nBackup %ProgramFiles%\\Microsoft\\Exchange Server\\V14\\ClientAccess\\exchweb\\ews\\web.config\nEdit the web.config file, search for maxRequestLength\nChange the value from its default 13280 to 51200\nIISReset to make sure configurations take place\nNotes:\nmaxAllowedContentLength value is entered as bytes, calculate 50MB Base64 encoded size: =((1024*50)*1024)*4/3\nmaxRequestLength value is entered as kilobytes, calculate 50MB =1024*50\nHope this post helped you\n","date":"6 May 2012","externalUrl":null,"permalink":"/2012/05/06/adjust-allowed-attachment-size-for-ews/","section":"Posts","summary":"","title":"Adjust allowed attachment size for EWS","type":"posts"},{"content":"Hey again,\nToday I wanted to share with you another field report regarding a troubleshooting case I\u0026rsquo;ve had with Exchange 2010. 
A while back in 2009 I\u0026rsquo;ve re-posted a blog post from the Exchange Team Blog- Troubleshooting Exchange 2003 and 2007 Store Log/Database growth issues - it included a link to Mike Lagase\u0026rsquo;s blog and massive troubleshooting guide on this matter.\nThis week I\u0026rsquo;ve been called to help with an Exchange server 2010 that was creating tremendous amounts of log files for a specific database, with regards to the blog post I\u0026rsquo;ve mentioned, ExMon - Exchange Server User Monitor came to the rescue, real fast.\nFired it up with an interval of 15 minutes, and located the user that is responsible for the issue, note the screen shot, sorting by \u0026ldquo;Log Bytes\u0026rdquo; the top user created 800 MB in 15 minutes !!\nExMon Screen Shot - Log Bytes Winner From this point forward it was easy to solve this issue, disabling both MAPI And Active Sync feature for the user, and detected the cause.\nCase closed :)\nUpdate - Apr-2013\nThe Exchange Team has a new post with lots of additions from the original post from 2009 - Troubleshooting Rapid Growth in Databases and Transaction Log Files in Exchange Server 2007 and 2010\n","date":"19 April 2012","externalUrl":null,"permalink":"/2012/04/19/50-gb-of-exchange-database-logs-are-filling-up-my-server/","section":"Posts","summary":"","title":"50 GB of Exchange database logs are filling up my server","type":"posts"},{"content":"Hi again,\nToday I\u0026rsquo;ve got a call from a client regarding a new Hyper-V 2008 R2 SP1 cluster, the create cluster wizard kept failing during the forming cluster step with a timeout.. Well, troubleshooting..\nRunning Cluster LOG /gen\nDoing some reading\u0026hellip;\nLocating the step and the error:\n[NODE] Node 1: New join with node2: stage: \u0026lsquo;Authenticate Initial Connection\u0026rsquo; status HrError(0x80090322) reason: \u0026lsquo;[SV] Authentication failed\u0026rsquo; DBG [CHANNEL 172.16.1.2:3343] Close(). 
WARN cxl::ConnectWorker::operator (): HrError(0x80090322)\u0026rsquo; because of \u0026lsquo;[SV] Authentication or Authorization Failed\u0026rsquo;\nLooking up 0x80090322 with ERR.EXE means SEC_E_WRONG_PRINCIPAL\nLazy me , doing google for 0x80090322 cluster authentication failed\nRead \u0026ldquo;2 node cluster windows 2008 R2 cluster won\u0026rsquo;t form\u0026rdquo;\nDelete two users that were created to manage the servers.. node1 and node2 :)\nRun create cluster wizard again - SUCCESS !\nRetrospective understand the error\u0026hellip; SEC_E_WRONG_PRINCIPAL seems like the wizard can\u0026rsquo;t tell the difference between the user accounts and the computer accounts. (\u0026ldquo;By Design\u0026rdquo;)\nNice ! I was shocked from the solution.. but hey.. it worked instantly.\n","date":"26 February 2012","externalUrl":null,"permalink":"/2012/02/26/cluster-creation-wizard-fails-with-0x80090322-error/","section":"Posts","summary":"","title":"Cluster Creation Wizard fails with 0x80090322 error","type":"posts"},{"content":"","date":"26 February 2012","externalUrl":null,"permalink":"/categories/windows-cluster/","section":"Categories","summary":"","title":"Windows-Cluster","type":"categories"},{"content":"Hi Again,\nI\u0026rsquo;ve encountered a funny situation the other day with a new Office 365 hybrid deployment with an initial install of ADFS 2.0 for Federation with Office 365 and SSO. The first attempt of running the \u0026ldquo;AD FS 2.0 Federation Server Configuration Wizard\u0026rdquo; ended with a failure:\nYou do not have sufficient privileges to create a container in Active Directory at location CN=46bd8c28-c299-475b-9853-8176010f4273,CN=ADFS,CN=Microsoft,CN=Program Data,DC=Domain,DC=com for use with sharing certificates. 
Verify that you are logged on as a Domain Admin or have sufficient privileges to create this container, and try again.\nWell, I\u0026rsquo;ve double checked my logged on user credentials, the built-in Administrator - we have all the required permissions. I\u0026rsquo;ve opened ADSIedit and looked for the Program Data container under the domain partition, just to make sure no permissions issues are indeed preventing this wizard from completing.\nGuess what - no Program Data container !!?\nI had the feeling that the container was moved rather than deleted or removed completely.. so I decided to make a little search, a custom search for containers with a description starting with the string \u0026ldquo;default\u0026rdquo;\nFound it (!) and moved it to the root of the Domain tree, then I\u0026rsquo;ve started the ADFS configuration wizard again.\nCase closed :) happy ADFS and a working federation with Office 365\n","date":"21 February 2012","externalUrl":null,"permalink":"/2012/02/21/ad-fs-2.0-configuration-wizard-fails-or-where-is-my-program-data/","section":"Posts","summary":"","title":"AD FS 2.0 Configuration Wizard Fails - or where is my Program Data ?","type":"posts"},{"content":"Hey Again !\nI\u0026rsquo;ve blogged in the past about this issue - Certificate autoenrollment fails with RPC server is unavailable , but following a session today, we\u0026rsquo;ve encountered a new situation when trying to Auto-Enroll certificates, also with manual enrollment using MMC. The error code was 0x800706ba - The RPC server is unavailable.\nIf you read my previous blog, you\u0026rsquo;ll see I\u0026rsquo;ve explained a situation with Auto-Enrollment on domain controllers when the CA is installed on a DC. 
Solution was actually adding the \u0026ldquo;Domain Controllers\u0026rdquo; security group to the CERTSVC_DCOM_ACCESS security group, but what happens when the CERTSVC_DCOM_ACCESS group was deleted ?\nWell, easy ( so it seems )\nCreate the CERTSVC_DCOM_ACCESS group - Domain Local, Security Group in the Users container\nPopulate the group with \u0026ldquo;Domain Users\u0026rdquo; , \u0026ldquo;Domain Computers\u0026rdquo; , \u0026ldquo;Domain Controllers\u0026rdquo;\nLog on to the CA server and run the following commands:\ncertutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG\nnet stop certsvc \u0026amp;\u0026amp; net start certsvc\nRestart your affected computers / DCs, because they have a new computer group membership\nSuccessfully auto-enroll your certificate\nHave fun !\nReference links:\nhttp://support.microsoft.com/kb/927066\nAlso (Again): http://blogs.technet.com/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx\n","date":"2 February 2012","externalUrl":null,"permalink":"/2012/02/02/certificate-autoenrollment-fails-with-rpc-server-is-unavailable-again/","section":"Posts","summary":"","title":"Certificate autoenrollment fails with RPC server is unavailable - Again","type":"posts"},{"content":"","date":"2 February 2012","externalUrl":null,"permalink":"/categories/pki/","section":"Categories","summary":"","title":"Pki","type":"categories"},{"content":"Happy new year everyone !\nI\u0026rsquo;ve been very busy lately lots of work, especially with Office 365 Hybrid deployments, Office 365 is really a growing demand and presents new technical perspectives which comes down to know knowledge :) Well yeah I am a geek that likes to keep learning new stuff\u0026hellip;\nLong story short, you have deployed your Hybrid Office 365 topology to your current Exchange 2003, 2007 or 2010 organization and now you move a mailbox enabled user to the cloud (25 GB mailboxes rocks) , everyone is happy, then the CEO sends a \u0026ldquo;Happy New Year\u0026rdquo; 
email to \u0026ldquo;All Company\u0026rdquo; DL and for some reason the user which was moved to the cloud did not receive that memo\u0026hellip;.\nSo what happened ?\nMost \u0026ldquo;All Company\u0026rdquo; distribution lists are Dynamic Distribution Groups AKA Query Based Distribution Group , and as such they have a LDAP filter which populates the members auto-magically - most members are Users with Exchange Mailbox, but when you move a user mailbox to Office 365 the original user was transformed to Mail-Enabled user - With an external address !\nYeah, you will need to modify those groups now to have \u0026ldquo;Users with External e-mail addresses\u0026rdquo; also checked :)\nEnable Users With External E-Mail Addesses Problem solved - Happy new year !\n","date":"5 January 2012","externalUrl":null,"permalink":"/2012/01/05/dynamic-distribution-groups-in-a-hybrid-office-365-deployment/","section":"Posts","summary":"","title":"Dynamic Distribution Groups in a Hybrid Office 365 Deployment","type":"posts"},{"content":"This just in !!\nExchange Server 2010 Service Pack 2 is here ! :) I will do my best to show off some new features soon enough\u0026hellip; download what’s new release notes prerequisites To follow my excitement, here are the highlights of from the TechNet topic - What\u0026rsquo;s New in Exchange 2010 SP2\nHybrid Configuration Wizard # Exchange 2010 SP2 introduces the Hybrid Configuration Wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises and Office 365 Exchange organizations. Hybrid deployments provide the seamless look and feel of a single Exchange organization and offer administrators the ability to extend the feature-rich experience and administrative control of an on-premises organization to the cloud. 
For more information, see Understanding the Hybrid Configuration Wizard.\nAddress Book Policies\nExchange 2010 SP2 introduces the address book policy object which can be assigned to a mailbox user. The ABP determines the global address list (GAL), offline address book (OAB), room list, and address lists that are visible to the mailbox user that is assigned the policy. Address book policies provide a simpler mechanism to accomplish GAL separation for the on-premises organization that needs to run disparate GALs. For more information, see Understanding Address Book Policies.\nCross-Site Silent Redirection for Outlook Web App # With Exchange 2010 SP2, you can enable a silent redirection when a Client Access server receives a client request that is better serviced by a Client Access server located in another Active Directory site. This silent redirection can also provide a single sign-on experience when forms-based authentication is enabled on each Client Access server. For more information, see Understanding Proxying and Redirection.\nMini Version of Outlook Web App (OMA is back !) # The mini version of Outlook Web App is a lightweight browser-based client, similar to the Outlook Mobile Access client in Exchange 2003. It’s designed to be used on a mobile operating system. The mini version of Outlook Web App provides users with the following basic functionality:\nAccess to e-mail, calendar, contacts, tasks and the global address list. Access to e-mail subfolders. Compose, reply to, and forward e-mail messages. Create and edit calendar, contact, and task items. Handle meeting requests. Set the time zone and automatic reply messages. For more information, see Understanding the Mini Version of Outlook Web App.\nMailbox Replication Service # In Exchange 2010 SP1, if you wanted to move mailboxes from on-premises to Outlook.com or to another forest, you had to enable MRSProxy on the remote Client Access server. 
To do this, you had to manually configure the web.config file on every Client Access server. In Exchange 2010 SP2, two parameters have been added to the New-WebServicesVirtualDirectory and Set-WebServicesVirtualDirectory cmdlets so that you don\u0026rsquo;t have to perform the manual configuration: MRSProxyEnabled and MaxMRSProxyConnections. For more information, see Start the MRSProxy Service on a Remote Client Access Server.\nMailbox Auto-Mapping # In Exchange 2010 SP1, Office Outlook 2007 and Outlook 2010 clients can automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user\u0026rsquo;s mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. However, if the user has full access to a large number of mailboxes, performance issues may occur when starting Outlook. Therefore, in Exchange 2010 SP2, administrators can turn off the auto-mapping feature by setting the value of the new Automapping parameter to $false on the Add-MailboxPermission cmdlets. For more information, see Disable Outlook Auto-Mapping with Full Access Mailboxes.\nMulti-Valued Custom Attributes # Exchange 2010 SP2 introduces five new multi-value custom attributes that you can use to store additional information for mail recipient objects. The ExtensionCustomAttribute1 to ExtensionCustomAttribute5 parameters can each hold up to 1,300 values. You can specify multiple values as a comma-delimited list.The following cmdlets support these new parameters:\nSet-DistributionGroup Set-DynamicDistributionGroup Set-Mailbox Set-MailContact Set-MailPublicFolder Set-RemoteMailbox Litigation Hold # In Exchange 2010 SP2, you can’t disable or remove a mailbox that has been placed on litigation hold. 
To bypass this restriction, you must either remove litigation hold from the mailbox, or use the new IgnoreLegalHold switch parameter when removing or disabling the mailbox. The IgnoreLegalHold parameter has been added to the following cmdlets:\nDisable-Mailbox Remove-Mailbox Disable-RemoteMailbox Remove-RemoteMailbox Disable-MailUser Remove-MailUser ","date":"6 December 2011","externalUrl":null,"permalink":"/2011/12/06/exchange-server-2010-sp2-is-out/","section":"Posts","summary":"","title":"Exchange Server 2010 SP2 is out!","type":"posts"},{"content":"Hey !\nGreat stuff coming with Exchange 2010 SP2, along with features already mentioned at the Exchange Team Blog - Announcing Exchange 2010 Service Pack 2 , a major schema update will support some new stuff. Quoting Michal smith\u0026rsquo;s blog, here\u0026rsquo;s some key points to mention:\nThe Mail-Recipient class has now gained the Company and Department attributes.\nThis means that Groups (both security groups and distribution groups) and Contacts (mail contacts) can now be assigned values to the Company and Department attributes.\nFrom a technical perspective, the Mail-Recipient class is a system auxiliary class, for both the Group and Contact classes, and all attributes present in Mail-Recipient are available in them.\nThe ms-Exch-Custom-Attributes class has gained 35 new custom attributes, from ms-Exch-Extension-Attribute-16 to ms-Exch-Extension-Attribute-45, and ms-Exch-Extension-Custom-Attribute-1 through ms-Exch-Extension-Custom-Attribute-5.\nThis means that Contacts, Groups, Users, Public Folders, Dynamic Distribution Lists, and Recipient Policies all now have a huge number of new attributes that can be assigned arbitrary values by an organization. 
This is welcome news to organizations who are using many or most of the current custom attributes and are wary to extend the schema themselves.\nFrom a technical perspective, the ms-Exch-Custom-Attributes class is an auxiliary class for all the named classes above.\nMany new attributes and classes were added to provide support for Address Book Policies and to enhance access to various address lists, global address lists, and offline address lists maintained by Exchange.\nThe master class is ms-Exch-Address-Book-Mailbox-Policy.\nThere are several new attributes and one new class (ms-Exch-Coexistence-Relationship) that are probably designed to support the Hybrid Coexistence Wizard and to overall simplify the process of configuring hybrid coexistence with Exchange Online.\nThere is a new class (ms-Exch-ActiveSync-Device-Autoblock-Threshold) and a number of new attributes that are within that class that appear to be designed to support automatic throttling of ActiveSync devices.\nRead on: A Somewhat Detailed Look at Exchange 2010 Service Pack 2 Schema Changes\nHave a great weekend!\n","date":"18 November 2011","externalUrl":null,"permalink":"/2011/11/18/schema-updates-docs-for-exchange-2010-sp2-are-here/","section":"Posts","summary":"","title":"Schema updates docs for Exchange 2010 SP2 are here !","type":"posts"},{"content":" Update 9/Jun/2015 - Thanks to Josh Davis for the feedback, I\u0026rsquo;ve added a note about making sure to include both drives (if EDB and LOG files are separated). Update 21/Oct/2013 - This article suggests that you cannot sustain downtime or interruption for your users while battling with deleting log files or restoring your working backup solution. 
If you can sustain a downtime (should be around minutes or so) the easiest method will be to enable Circular Logging on your database / storage group - see more here - http://technet.microsoft.com/en-us/library/bb331958%28v=exchg.141%29.aspx#UTL\nUpdate 01/May/2013 - The exchange team has written a script which helps troubleshoot and identity issues with Backups etc.. The script use the DiskShadow utility as well ! check it out @ http://blogs.technet.com/b/exchange/archive/2013/04/29/troubleshoot-your-exchange-2010-database-backup-functionality-with-vsstester-script.aspx\nHi Again !\nI often get calls and questions regarding backups and Exchange Server, since ever this issue is not always working as required or as you would expect, but that\u0026rsquo;s off-topic :)\nOne of the most common stories is that without a working Exchange Server backup when you perform massive mailbox moves, transaction logs will get piled and fill up the volume or disk that they reside in. and then panic starts, \u0026ldquo;hey my databases were dismounted\u0026hellip;\u0026rdquo; then of course the administrator realizes that the space on the log drive or volume has indeed ran out and now he needs to figure out what to delete.. and here\u0026rsquo;s where this post comes in\u0026hellip;\nSo how can you delete or purge Exchange server logs without any risk ? 
well, simply put - you cannot, because the whole idea of restoring an Exchange database, or for that matter any transactional database, requires you to have a first \u0026ldquo;full\u0026rdquo; backup of the database itself and all transaction logs that were generated since the database creation date, or since the last successful \u0026ldquo;full backup\u0026rdquo;.\nNow here\u0026rsquo;s a nice method to \u0026ldquo;fake\u0026rdquo; a \u0026ldquo;full backup\u0026rdquo;, an on-demand transaction log purge for when you see you will soon be out of space, using the Exchange VSS writers and the diskshadow utility (available with Server 2008 or 2008 R2). This procedure also \u0026ldquo;proves\u0026rdquo; that a VSS backup for your Exchange Server will work fine.\nNote: This method was tested on an Exchange server with locally attached disks, not storage-attached LUNs.\nUse this method at your own risk. You should perform a \u0026ldquo;Full Backup\u0026rdquo; right after this process is done.\nThis example will show you how to purge the logs for a database that is located on drive D; the log files of the database are also located on drive D. We will \u0026ldquo;fake backup\u0026rdquo; drive D and this will trigger the logs to be purged.\nNote: If you have separated your log files and database file onto different drives, or you want to include additional databases in the \u0026ldquo;backup\u0026rdquo;, you must include the additional drives in the process, so in the example below, you will \u0026ldquo;Add volume e:\u0026rdquo; after \u0026ldquo;Add volume d:\u0026rdquo; and so on\u0026hellip;\nOpen Command prompt\nLaunch Diskshadow\nAdd volume d:\n(optional, add one line for each additional drive to include) Add volume X:\nBegin Backup\nCreate\nEnd Backup\nAt this step you should notice the following events in the application log indicating that the backup was indeed successful and logs will now be deleted. 
Here\u0026rsquo;s some screenshots from the process:\nDiskshadow Commands The Diskshadow example screenshot.\nESE Event ID 2005 ESE - Event ID 2005 - Starting a Full Shadow Copy Backup\nMSExchangeIS Event ID 9811 MSexchangeIS - Exchange VSS Writer preparation.\nESE Event ID 224 - Logs being Purged ESE Event ID 224 - Logs are now purged :)\nMSExchangeIS Event ID 9780 - Backup complete MSExchangeIS Event ID 9780 - Backup is now complete.\nside note: although this example was tested against Exchange 2010, it should work just as fine with Exchange 2013 \u0026amp; 2007.\nHope this helps you !\n","date":"26 October 2011","externalUrl":null,"permalink":"/2011/10/26/how-to-manually-purge-exchange-server-logs-clean-and-easy/","section":"Posts","summary":"","title":"How to manually purge Exchange server logs - clean and easy","type":"posts"},{"content":"Update\nThe current \u0026ldquo;Best Practice\u0026rdquo; is to upgrade your Exchange Server to Service Pack 2 and apply Update Rollup 3 for Exchange Server 2010 Service Pack 2 (KB2685289), as this issue has been permanently solved. See Synchronization of an organizational forms library fails when you use Outlook in Cache mode in an Exchange Server 2010 for additional information.\nHello Everyone,\nSince the first migrations of Exchange 2003 to Exchange 2010 we\u0026rsquo;ve seen a really annoying error within Outlook 2003, 2007 and Outlook 2010 when trying to De-commission legacy servers, specifically when moving all public folders replicas including the EFORMS REGISTRY system folder and it\u0026rsquo;s children folders. 
once the organizational forms folder ( you might see a different folder name within your organization ) is replicated only to the Exchange 2010 server - a log / error message will be created in the Sync Issues folder upon an Outlook Send/Receive operation:\n11:56:54 Synchronizing Forms\n11:56:54 Downloading from server \u0026lsquo;public folder server\u0026rsquo;\n11:56:54 Error synchronizing folder\n11:56:54 [80004005-501-4B9-560]\n11:56:54 The client operation failed.\n11:56:54 Microsoft Exchange Information Store\nNotice: Use this method at your own risk ! This method is for organizations that do not use Forms !\nMany posts and different resolutions were recommended, my original \u0026ldquo;fix\u0026rdquo; for this issue was to not replicate the organizational forms folder to the new Exchange 2010 public folder when starting to de-commission the Exchange 2003 server, practically \u0026ldquo;leaving it behind\u0026rdquo;.\nI recently handled a situation where the Exchange 2003 server was already removed, and the forms folder was already replicated to Exchange 2010, and the error was already in place. I could not use Exchange 2003 System Manager to remove the replica, Exchange Management Shell or EXFolders. You cannot really leave an empty replica list within the tools.\nMFCMapi to the rescue :)\nOpen MFCMapi, click the session menu, select the logon and display store table option.\nDouble click public folders, expand the public root tree, expand NON_IPM_SUBTREE, expand EFORMS REGISTRY.\nLocate and select the organizational forms folder.\nScroll the property list to find the PR_REPLICA_LIST entry - double click it and clear the value inside - clear means delete the values inside the property. Setting PR_REPLICA_LIST to NULL actually leaves us with an empty replica list - which \u0026ldquo;solves\u0026rdquo; this issue. 
Note that when you click to apply the change of the PR_REPLICA_LIST the property list will immediately shrink, this is normal :)\nExit Outlook, wait and see that indeed the Sync Issues folder does not include a new log with the 80004005-501-4B9-560 error.\nUse this method at your own risk ! and again - this method is for organizations that do not use Forms !\nSome references for your usage:\nTroubleshooting: Error synchronizing folder Synchronizing Forms 80004005-501-4B9-560\nOutlook synchronization error [80004005-501-4B9-560] with a Microsoft Exchange Server 2010 mailbox\n\u0026ldquo;80004005-501-4B9-560\u0026rdquo; synchronization error logs are generated in the Sync Issues folder in Outlook in a Business Productivity Online Suite Dedicated environment\n","date":"20 September 2011","externalUrl":null,"permalink":"/2011/09/20/solving-sync-issues-error-80004005-501-4b9-560-in-exchange-2010-rtm-and-sp1/","section":"Posts","summary":"","title":"Solving Sync Issues Error 80004005-501-4B9-560 in Exchange 2010 RTM and SP1","type":"posts"},{"content":"Hey again,\nI tend to always spend some time looking up the latest Office / Outlook updates, and found the following link from the office center on TechNet to be very useful. It has a nice table of the latest Service Pack, Latest Public Update and Latest Cumulative Update for Office 2003 / Office 2007 / Office 2010\nhttp://technet.microsoft.com/en-us/office/ee748587 - Update Center.\nEnjoy !\n","date":"19 July 2011","externalUrl":null,"permalink":"/2011/07/19/office-suite-latest-updates/","section":"Posts","summary":"","title":"Office Suite - Latest Updates","type":"posts"},{"content":" So you want to use the Calendar Repair Assistant (CRA) with Exchange 2010 SP1, you\u0026rsquo;ve run a few PowerShell commands, but nothing happens ? 
You\u0026rsquo;ve missed a change: Exchange 2010 SP1 introduced two new settings for Set-MailboxServer related to the Calendar Repair Assistant:\n-CalendarRepairWorkCycle and -CalendarRepairWorkCycleCheckpoint\nThese parameters work together. The CalendarRepairWorkCycle parameter specifies the time span in which all mailboxes on the specified server will be scanned by the CRA. For example, if you specify seven days for this parameter, the CRA will process all mailboxes on this server every seven days. Calendars that have inconsistencies will be flagged and repaired according to the interval specified by the CalendarRepairWorkCycleCheckpoint parameter. For example, if you specify one day for this parameter, the CRA will query every day for new mailboxes that require processing.\nTo have your Exchange server set up a daily repair schedule at 23:00 PM, while making sure this task runs each day (Cycle), and searches for new mailboxes to process every 12 hours (CycleCheckpoint), run the following:\nSet-MailboxServer -Identity MBX2 -CalendarRepairSchedule 1.22:00-1.23:00, 2.22:00-2.23:00, 3.22:00-3.23:00, 4.22:00-4.23:00, 5.22:00-5.23:00, 6.22:00-6.23:00, 7.22:00-7.23:00 -CalendarRepairWorkCycle 1.00:00:00 -CalendarRepairWorkCycleCheckpoint 12:00:00\nNow it will actually run ;)\nEnjoy !\n","date":"23 June 2011","externalUrl":null,"permalink":"/2011/06/23/exchange-2010-sp1-calendar-repair-assistant-does-not-run/","section":"Posts","summary":"","title":"Exchange 2010 SP1 Calendar Repair Assistant - Does not run?","type":"posts"},{"content":"Hey !\nJust got promoted ;)\nhttp://www.forefrontsecurity.org/Home/MVPExpertZone.aspx http://forums.forefrontsecurity.org/default.aspx?g=posts\u0026amp;m=2458#post245\n","date":"12 April 2011","externalUrl":null,"permalink":"/2011/04/12/newsflash-ilantz-is-now-a-moderator-at-forefrontsecurity.org/","section":"Posts","summary":"","title":"Newsflash - Ilantz is now a moderator at forefrontsecurity.org","type":"posts"},{"content":"Hi 
again,\nWanted to share with you a situation I\u0026rsquo;ve encountered with Exchange 2010 SP1. The subject mail system suffered from an extensive downtime. The mailbox server role had its databases unavailable due to a storage outage, but as with any major mail system - SMTP does not just \u0026ldquo;stop\u0026rdquo;.. and after a long 24+ hours of downtime, there were quite a few messages that were waiting to be delivered to the system\u0026rsquo;s recipients\u0026hellip; counted roughly around 5000+\nOnce the storage system issue was solved, and the mailbox databases were back up, the queue viewer showed that all 20 databases had around 100+ messages to deliver, which triggered the Exchange 2010 SP1 Store Driver throttling. More \u0026ldquo;verbose\u0026rdquo; information was also found in the Hub Transport connectivity log in the TransportRoles\\Logs\\Connectivity directory, showing the exact error:\n432-4.3.2 STOREDRV; mailbox server is too busy\nIn a few words, throttling makes sure that a single client or a \u0026ldquo;specific issue\u0026rdquo; cannot affect the whole mail system, and it works in several aspects with Exchange 2010, some might be client, protocol and server role throttling.\nIn our case, the Mailbox Store engine throttling was triggered due to the overwhelming number of messages per second, per recipient, and the connections the hub transport servers were issuing to the mailbox server role.\nNow, we could have \u0026ldquo;accepted\u0026rdquo; this by-design behavior, but once the service was back up, it\u0026rsquo;s expected to have all queues zeroed-out, that is \u0026ldquo;where\u0026rsquo;s all the emails from today??!\u0026rdquo;\nSo, the goal was - let\u0026rsquo;s turn the throttling off, in regards to the Hub Transport \u0026lt;\u0026gt; Mailbox Server connections, and once all queues are empty we will turn it on, sounds logical ? 
well, after quite a few searches I\u0026rsquo;ve noticed that the documentation is missing\u0026hellip;\nThe Hub Transport throttling ( advanced ) settings are controlled in the throttling configuration in the edgetransport.exe.config file under the Bin directory, but the setting to disable the throttling altogether is nowhere to be found.. the only references found were:\n\u0026lt;add key=\u0026quot;RecipientThreadLimit\u0026quot; value=\u0026quot;2\u0026quot; /\u0026gt;\n\u0026lt;add key=\u0026quot;MaxMailboxDeliveryPerMdbConnections\u0026quot; value=\u0026quot;3\u0026quot; /\u0026gt;\nEven setting these values to ridiculous numbers did not help, we still had 100+ messages waiting at each database delivery queue.\nOnly after a more furious search I\u0026rsquo;ve stumbled upon the following \u0026ldquo;hidden\u0026rdquo; magic setting:\n\u0026lt;add key=\u0026quot;MailboxDeliveryThrottlingEnabled\u0026quot; value=\u0026quot;False\u0026quot; /\u0026gt;\nRestarted the Hub Transport service, waited a few seconds and\u0026hellip; here\u0026rsquo;s the result:\nHub-Transport-Throttling-Disabled :)\nOf course, once all queues were zeroed-out, which took around 5 minutes, I\u0026rsquo;ve set throttling back to the original value \u0026ldquo;True\u0026rdquo; and restarted the Hub Transport services again.\nHope this helps you out!\nLinks for the enthusiasts:\nExchange 2010 SP1 Store Driver throttling - Tony Redmond\u0026rsquo;s blog\nUnderstanding Message Throttling - Technet\nUnderstanding the EdgeTransport.exe.Config File - Technet\n","date":"10 April 2011","externalUrl":null,"permalink":"/2011/04/10/432-4.3.2-storedrv-and-store-driver-throttling/","section":"Posts","summary":"","title":"432-4.3.2 STOREDRV and Store Driver throttling","type":"posts"},{"content":" This week Microsoft has made the iSCSI Software Target available for free download ! 
These are obviously great news for all cluster / shared-storage-in-need people like me :) read all about it at Jose Barreto\u0026rsquo;s Blog post:\nMicrosoft iSCSI Software Target 3.3 for Windows Server 2008 R2 available for public download\nMore quick links:\nConfiguring the Microsoft iSCSI Software Target Step-by-step: Using the Microsoft iSCSI Software Target with Hyper-V (Standalone, Full, VHD) PowerShell cmdlets for the Microsoft iSCSI Target 3.3 (included in Windows Storage Server 2008 R2) Using PowerShell and the the iSCSI Target 3.3 WMI classes to create a differencing VHD for OS boot New white paper: Windows Storage Server 2008 R2 Architecture and Deployment Enjoy !!\n","date":"7 April 2011","externalUrl":null,"permalink":"/2011/04/07/microsoft-iscsi-software-target-3.3-is-now-available-freely/","section":"Posts","summary":"","title":"Microsoft iSCSI Software Target 3.3 is now available freely!","type":"posts"},{"content":" To follow my previous blog \u0026ldquo;Watch out from latest outlook updates !\u0026rdquo; the Exchange team has announced that the Office 2007 Cumulative Update for February 2011 is now available.\nThe update adds Personal Archives support in Outlook 2007. For more details about the hotfix, see KBA 2475891: Description of the Office Outlook 2007 hotfix package (Outlook-x-none.msp): February 22, 2011. and also fixes quite a lot of issues that were presented from the original outlook December hotfix, Autodiscover issues, POP3 Authentication issues and few more..\nAs always ! test your hotfix !\nHappy Archiving :)\n","date":"1 March 2011","externalUrl":null,"permalink":"/2011/03/01/office-2007-cumulative-update-for-february-2011-is-now-released/","section":"Posts","summary":"","title":"Office 2007 Cumulative Update for February 2011 is now released","type":"posts"},{"content":"Hi again,\nThis issue has came up too much, so I wanted to blog something short about this. 
Prerequisites:\nUpdate (Added June 29th 2013) - If using Exchange 2013, check out Exchange 2013 Outlook Anywhere Considerations for some additional specific Exchange 2013 issues. Exchange 2007 or 2010 Outlook 2003 / 2007 / 2010 Windows XP / 7 / etc.. Outlook Anywhere ( RPC over HTTP ) enabled - with Basic Authentication or NTLM Authentication Autodiscover - working correctly ;) So, you\u0026rsquo;ve got it all configured, you enabled Outlook Anywhere, configured ISA 2006 / TMG / UAG to publish the Outlook Anywhere (or not), you published Autodiscover records an all is working great !\nBUT ! you have this annoying user credentials pop ups, and users are going nuts ! and so do you !@ ( enough sarcasm ) it may work for a while, and then you are prompted again for user and password, or even worse - it might not work at all\u0026hellip;\nHere\u0026rsquo;s what can go wrong in bullets because we have a few different issues that might cause troubles..\nOutlook Anywhere is configured to use NTLM authentication: Solution 1 - Configure MSSTD or the Certificate Principle Name correctly (see below) Solution 2 - Configure your clients local security policy, in specific - LmCompatiblilityLevel to 2 or 3 Solution 3 - If you try to pull NTLM with ISA / TMG / UAG, either configure \u0026ldquo;Kerberos Constrained Delegation\u0026rdquo; - check links below for the white-paper from Microsoft\u0026quot; or change the publishing rule to apply to \u0026ldquo;All Users\u0026rdquo; and in the Authentication Delegation tab choose the option \u0026ldquo;No delegation, but client may authenticate directly\u0026rdquo; SSL Certificates issues Outlook Anywhere was enabled for - mail.company.com (ExternalHostName), but you have a wildcard certificate or the certificate subject name does not match mail.company.com Solution - Configure MSSTD or the Certificate Principle Name correctly (see below) Outlook Anywhere continuously keep being configured automatically !% Solution - Lucky for you I have 
already blogged about this :) Prevent Outlook Anywhere (aka RPC over HTTP) from being automatically configured in Exchange 2007 with autodiscover\nUpdate (Added June 29th 2013) - If you\u0026rsquo;re going to deploy Exchange 2013 anytime soon - work on adopting Autodiscover and don\u0026rsquo;t go down this path..\nSo what\u0026rsquo;s that MSSTD or Certificate Principal Name ? well it\u0026rsquo;s a way for Outlook to verify that the server you are connecting to indeed holds the correct SSL certificate subject name before sending credentials to it.. well yeah it ain\u0026rsquo;t that secure.\nMicrosoft Exchange Proxy Settings This setting has been configured automatically since Exchange 2007 and continues to be with Exchange 2010.\nSo here\u0026rsquo;s what you can do with it - all examples follow the Set-OutlookProvider cmdlet syntax with the CertPrincipalName parameter:\nYou have a wildcard certificate - Run this command: Set-OutlookProvider EXPR -CertPrincipalName msstd:*.company.com\nYou have a different subject name on your SSL certificate than the ExternalHostName you configured for Outlook Anywhere on your CAS server: Set-OutlookProvider EXPR -CertPrincipalName msstd:correctsubject.company.com\nYou don\u0026rsquo;t want that \u0026ldquo;only connect to proxy servers that have this principal name in their certificate\u0026rdquo; check box marked at all ! :) Set-OutlookProvider EXPR -CertPrincipalName none\nNew feature with Exchange 2010 - The Set-OutlookProvider cmdlet now allows Outlook 2010 clients to connect exclusively through RPC over HTTP (Outlook Anywhere) before trying RPC over TCP connections when connecting over the Internet. 
!\nThis means you can control the check box \u0026ldquo;On fast network, connect using HTTP first, then connect using TCP/IP\u0026rdquo;, here are the two options:\nAlways connect using HTTP (mark \u0026ldquo;on fast networks\u0026rdquo;) : Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect\nUse TCP/IP first, then HTTP (default): Set-OutlookProvider EXPR -OutlookProviderFlags:None\nThis should cover it, no more pop ups and hopefully Outlook Anywhere and you will be friends again !\nCredits (or links) :\nWhen, if and how do you modify Outlook Providers?\nSet-OutlookProvider\nPublishing Outlook Anywhere Using NTLM Authentication With Forefront TMG or Forefront UAG\nExchange 2013 Outlook Anywhere Considerations\n","date":"8 February 2011","externalUrl":null,"permalink":"/2011/02/08/authentication-pop-ups-and-annoyances-with-exchange-2007-/-2010-and-outlook-anywhere/","section":"Posts","summary":"","title":"Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere","type":"posts"},{"content":"Hey everyone,\nThere has been a growing concern about the issues from the latest Outlook 2007 / 2010 updates: http://blogs.office.com/b/microsoft-outlook/archive/2010/12/17/issues-with-the-recent-update-for-outlook-2007.aspx\nMicrosoft has released the updated http://support.microsoft.com/kb/2412171 KB, but it seems not all of the trouble was solved, mainly the AutoDiscover issue: since http://support.microsoft.com/kb/2479671 was released, following the \u0026ldquo;original\u0026rdquo; KB 2412171, numerous issues have been identified with Outlook features.\nI\u0026rsquo;d advise staying away from these updates until all is clear.\nUpdate - Office 2007 Cumulative Update for February 2011 is now released\n","date":"26 January 2011","externalUrl":null,"permalink":"/2011/01/26/watch-out-from-latest-outlook-updates/","section":"Posts","summary":"","title":"Watch out from latest outlook updates !","type":"posts"},{"content":"Hi everyone !\nMy good 
friend podlisk has finally got his blog up and running, check out the script for this highly required task for Exchange 2007 / 2010 :) http://podlisk.wordpress.com/2011/01/13/enable-or-disable-pop3-and-imap4-by-group-membership-in-exchange-2007\nEnjoy !\n","date":"17 January 2011","externalUrl":null,"permalink":"/2011/01/17/enable-or-disable-pop3-and-imap4-by-group-membership-in-exchange-2007/","section":"Posts","summary":"","title":"Enable or disable POP3 and IMAP4 by group membership in Exchange 2007","type":"posts"},{"content":"Hi !\nThis came up with a request to \u0026ldquo;fake\u0026rdquo; Exchange server names, which are actually old decommissioned servers. Users are using RPC over HTTP, and the Exchange profile they use had those server names as the actual mailbox server. This issue might show up when performing a cross-forest migration or removing servers, while manipulating name resolution using DNS CNAME records, etc..\nWith Exchange 2010 and Exchange 2007, Outlook Anywhere settings are applied automatically when you enable the Outlook Anywhere feature on a CAS server: proxy names in the registry ( HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\RpcProxy ) are entered automatically, that is, all back-end servers that were enabled for RPC over HTTP (2003) and all mailbox servers 2007 / 2010.\nSo by default RpcProxy will only answer for existing mailbox servers; we want to add our own \u0026ldquo;old\u0026rdquo;, \u0026ldquo;fake\u0026rdquo; Exchange server names.\nHere\u0026rsquo;s how to manipulate the RpcProxy entry on the Exchange server and make it stick.\nUse at your own risk!\nUnder each CAS you will enable for Outlook Anywhere follow these steps:\n1. Configure \u0026ldquo;PeriodicPollingMinutes\u0026rdquo; to 0. This stops the automatic settings overwrite, which would otherwise remove the static entries you will add later. Locate the value PeriodicPollingMinutes under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\MSExchangeServiceHost\\RpcHttpConfigurator\n2. 
Configure the \u0026ldquo;fake\u0026rdquo; names; for example, \u0026ldquo;email2.fake.com\u0026rdquo; will be the fake mailbox server we will add. Append \u0026ldquo;;email2.fake.com:6001-6002;email2.fake.com:6004\u0026rdquo; to the value of \u0026ldquo;ValidPorts_AutoConfig_Exchange\u0026rdquo;. The String Value is under: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\RpcProxy\nFor example: EX2010:6001-6002;EX2010:6004;EX2010.test.lab:6001-6002; EX2010.test.lab:6004;ex2k3:6001-6002;ex2k3:6004; ex2k3.test.lab:6001-6002;ex2k3.test.lab:6004; email2.fake.com:6001-6002;email2.fake.com:6004\n3. Restart the services: MSExchangeServiceHost and MSExchangeProtectedServiceHost\n4. IISReset\nDone !\nNow configure Outlook to use the email2.fake.com server and configure Outlook Anywhere to verify it works.\n","date":"12 January 2011","externalUrl":null,"permalink":"/2011/01/12/configure-static-fake-server-names-for-rpc-over-https/","section":"Posts","summary":"","title":"Configure Static \"fake\" server names for RPC over HTTPS","type":"posts"},{"content":"","date":"22 December 2010","externalUrl":null,"permalink":"/categories/forefront-protection/","section":"Categories","summary":"","title":"Forefront-Protection","type":"categories"},{"content":" Forefront Protection Server Management Console 2010 was recently released, see the FSS blog entry. A quick install revealed some issues with the Deploy Agent task on some servers.. failing with this error:\nFailed to deploy the Agent. Could not connect to net.tcp://ex-cas.contoso.com:8816/PushInstaller. The connection attempt lasted for a time span of 00:00:21.0157595. 
TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.5.20:8816.\nQuick workaround: just set the Firewall State for the domain profile to off on the specific failed servers :) or allow inbound port 8816 from the FPSMC console server to that server..\nJust a heads up for anyone who sees this.\nHappy holidays !\n","date":"22 December 2010","externalUrl":null,"permalink":"/2010/12/22/fpsmc-agent-installation-error/","section":"Posts","summary":"","title":"FPSMC Agent Installation Error","type":"posts"},{"content":"","date":"20 December 2010","externalUrl":null,"permalink":"/categories/dst/","section":"Categories","summary":"","title":"Dst","type":"categories"},{"content":" Every December, we in Israel ( and at some other points of the year, all over the world.. ) have to rebase some calendar appointments.. This entry is not about daylight saving bashing ;) but just a note to anyone who will use the Exchange Calendar Update Tool against Exchange 2010 mailboxes and servers.\nI did not have enough time to actually find out why this happens and what the appropriate fix is, but here\u0026rsquo;s a workaround for the error and the empty result when extracting the mailboxes from the servers..\nIf you examine the msextmz extract log when trying to search for the mailboxes on the required servers, you will notice that the output is empty, and zero mailboxes are reported.\nNeedless to say, this eliminates the possibility of extracting time zones from the mailboxes - I will not cover this issue, because in Israel we need to rebase the appointments just to reflect the current daylight saving durations..\nAnyway, here\u0026rsquo;s the error:\n[20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Please log on to a profile with administrator privileges. 
[20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Unable open mailbox table for server /o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX-2010. Error 0x80004005. [20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Returning Error 0x80004005\nYou can easily report the mailboxes from powershell using:\nGet-mailbox -ResultSize:unlimited -RecipientTypeDetails usermailbox | select ServerLegacyDN, LegacyExchangeDN | Export-Csv mailboxes.csv\nThen use excel to export the data and match it with the format for the update tool which should be like this:\nServerLegacyDN LegacyExchangeDN TimeZone\nSave that to a TXT, watch the formatting and tabs ! remove all the csv hyphens,commas etc..\nHope this will be fixed anytime soon, or a clarification will be published..\nuntil then, good luck !\nand Happy Holidays !\nSome Links:\nUsing the Exchange Calendar Update Tool to address daylight saving time changes for Exchange Server\nDecember 2010 DST Cumulative Update for Windows operating systems\n","date":"20 December 2010","externalUrl":null,"permalink":"/2010/12/20/exchange-calendar-update-tool-extract-mailboxes-from-exchange-2010-fails/","section":"Posts","summary":"","title":"Exchange Calendar Update Tool - Extract Mailboxes from Exchange 2010 fails","type":"posts"},{"content":" Shay Levi (MVP) has posted yet another great PowerShell tip, this time he blogged about how to modify the EmailAddresses property ( which is actually a MultiValuedProperty ) with powershell 2.0 new capabilities, making adding an additional or removing an email address from a recipient a snap!\ncheck it out\nManaging email addresses in Exchange 2010\n","date":"30 November 2010","externalUrl":null,"permalink":"/2010/11/30/managing-email-addresses-in-exchange-2010-and-2007/","section":"Posts","summary":"","title":"Managing email addresses in Exchange 2010 and 2007","type":"posts"},{"content":"Hi again,\nSince Exchange 2010 was released I always run into this 
request from administrators and help desk personnel: \u0026ldquo;I want full access to all mailboxes, and also to all future mailboxes too ! uh and new mailboxes in new mailbox databases too !\u0026rdquo;\n:)\nThe following commands will do the trick, copy the first row separately - Exchange 2010 only:\n$user = Read-Host -Prompt:\u0026#34;Enter UserName to grant permissions\u0026#34;;\n$organization = Get-OrganizationConfig;\n$databasesContainer = \u0026#34;CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,\u0026#34; + $organization.DistinguishedName;\nAdd-ADPermission -User:$user -AccessRights ExtendedRight -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin -Identity:$databasesContainer;\nAnd remember, with Active Directory permissions an explicit allow overrides an inherited deny, so this will work even if you do this to an admin user / group.\nHope this helps !\n","date":"17 November 2010","externalUrl":null,"permalink":"/2010/11/17/grant-full-access-to-all-mailboxes-in-exchange-2010-even-for-new-databases/","section":"Posts","summary":"","title":"Grant Full Access to All Mailboxes in Exchange 2010 - even for new databases","type":"posts"},{"content":"Hi,\nI was asked today to add a permission to the Exchange Auditing log, which is included with Exchange 2007 SP2 installations to simplify auditing. After activating Mailbox Access Auditing, I was requested to allow read-only permissions to the IT Security group. What seemed to be quite straightforward soon changed once the SDDL ACL format got involved\u0026hellip;.\nHere\u0026rsquo;s the quick how-to:\n- Note, this was done on a Windows 2008 server\nIdentify the SID of the user/group you wish to allow access. Using PowerShell you can easily find it, e.g.:\nGet-User | Select SID\nGet-Group | Select SID\nThen, following this KB - which was the simplest and most self-explanatory - add the appropriate permissions. 
http://support.microsoft.com/kb/2028427\nIn short - each event log is located in the registry at: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog. The Exchange Auditing log is also located there, and in that key you will find an existing CustomSD string value with the ACLs in the SDDL format ( more info in the links I added below ). I was required to add read-only permissions to the IT Audit group, which is a \u0026ldquo;regular\u0026rdquo; group, without special domain / enterprise rights, so in my case I used the following: (A;;0x1;;; [Your Group Name/user account SID]) (an allow ACE whose 0x1 access mask is the event log read right) and appended that to the existing CustomSD value. Restart the server. Now the user/group can access the Exchange Auditing log from any computer :)\nLinks:\nhttp://technet.microsoft.com/en-us/library/ee331009%28EXCHG.80%29.aspx - White Paper: Configuration and Mailbox Access Auditing for Exchange 2007 Organizations\nhttp://support.microsoft.com/kb/2028427 - Writing to the Windows Event Log from an ASP.NET or ASP application fails.\nhttp://support.microsoft.com/kb/323076 - How to set event log security locally or by using Group Policy in Windows Server 2003 - Also useful if you\u0026rsquo;d like to set this via GPO\nhttp://blogs.technet.com/b/askds/archive/2008/05/07/the-security-descriptor-definition-language-of-love-part-1.aspx\nhttp://blogs.technet.com/b/askds/archive/2008/05/07/the-security-descriptor-definition-language-of-love-part-2.aspx\nhttp://blogs.technet.com/b/askds/archive/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista.aspx\nHappy Auditing !\n","date":"26 October 2010","externalUrl":null,"permalink":"/2010/10/26/adding-read-only-permissions-to-exchange-2007-auditing-logs/","section":"Posts","summary":"","title":"Adding Read-only permissions to Exchange 2007 Auditing Logs","type":"posts"},{"content":" Woke up today to read that Exchange 2010 SP1 is available ! no hassles ! go grab it ! 
download what\u0026rsquo;s new release notes prerequisites\nRead the official announcement at:\nhttp://msexchangeteam.com/archive/2010/08/25/455861.aspx\n","date":"27 August 2010","externalUrl":null,"permalink":"/2010/08/27/exchange-server-2010-sp1-is-now-available/","section":"Posts","summary":"","title":"Exchange Server 2010 SP1 Is Now Available!","type":"posts"},{"content":" I wanted to share an experience I\u0026rsquo;ve had with installing Exchange 2010 SP1 on Windows Server 2008 R2 in a Hyper-V 2008 R2 environment. When I tried to install a fresh server for testing Exchange 2010 SP1 Beta, the setup failed when installing the Hub Transport Role:\nError: The execution of: \u0026ldquo;$error.Clear(); install-ExsetdataAtom -AtomName SMTP -DomainController $RoleDomainController\u0026rdquo;, generated the following error: \u0026ldquo;An error occurred with error code \u0026lsquo;2147504141\u0026rsquo; and message \u0026lsquo;The property cannot be found in the cache.\u0026rsquo;.\u0026rdquo;.\nAn error occurred with error code \u0026lsquo;2147504141\u0026rsquo; and message \u0026lsquo;The property cannot be found in the cache.\u0026rsquo;.\nThis issue is not \u0026ldquo;new\u0026rdquo;, as IPv6 tends to be disabled by default by many customers, and installations of Exchange 2007 and Exchange 2010 fail with the exact same error if IPv6 is disabled.\nMy virtual machine was clean and did not have IPv6 disabled, so I\u0026rsquo;ve traced this to the following thread in the Technet Social Forums : Hub Transport Role Install Fail error # 2147504141\nA comment from Scott Landry gave a new solution for this, and it seems the error is now also related to Hyper-V, as in the suggested KB http://support.microsoft.com/kb/980050 - Error message when the Exchange Server 2010 setup on a Hyper-V virtual machine fails:“2147504141”\nAnyhow, disabling \u0026quot;Time synchronization\u0026quot; in the Integration Services settings on the Virtual Machine solved this 
!\nJust a heads up for all of you that might encounter this.\n","date":"20 July 2010","externalUrl":null,"permalink":"/2010/07/20/hub-transport-role-install-failed-with-error-2147504141/","section":"Posts","summary":"","title":"Hub Transport Role Install Failed with error 2147504141","type":"posts"},{"content":" As I ran into this issue this week, I\u0026rsquo;ve stumbled upon this thread: http://social.technet.microsoft.com/Forums/en-US/exchangesoftwareupdate/thread/eca3bbf7-ee9f-41bd-89e8-47a81780292b It seems these errors are caused by SMBv2 introducing status caching into the LanManWorkstation service\u0026hellip;read more at SMB2 Client Redirector Cache\nSo to fix it I\u0026rsquo;ve added these registry values under :\nHKLM\\System\\CurrentControlSet\\Services\\Lanmanworkstation\\Parameters\nFileInfoCacheLifetime [DWORD] = 0\nFileNotFoundCacheLifetime [DWORD] = 0\nDirectoryCacheLifetime [DWORD] = 0\nMy errors on the server were:\nEvent ID : 2147\nRaw Event ID : 2147\nSource : MSExchangeRepl\nType : Error\nMachine : SERVER\nMessage : There was a problem with \u0026#39;ActiveNode\u0026#39;, which is an alternate name for \u0026#39;ActiveNode\u0026#39;. The list of aliases is now \u0026#39;ActiveNode\u0026#39;, and the alias \u0026#39;was\u0026#39; removed from the list. The specific problem is \u0026#39;CreateFile([\\\\ActiveNodeStorageGroupGuid$LogFile.log](///)) = 2\u0026#39;.\nID: 2127\nLevel: Information\nProvider: MSExchangeRepl\nMachine: SERVER\nMessage: The system has detected a change in the available replication networks. The system is now using network \u0026#39;ActiveNode\u0026#39; instead of network \u0026#39;ActiveNode\u0026#39; for log copying from node ActiveNode. 
Thanks a lot for JR on sharing this, check out Tim McMichael with more info on this:\nhttp://blogs.technet.com/b/timmcmic/archive/2010/07/11/msexchangerepl-2147-msexchangerepl-2104-msexchangerepl-2127-occurring-on-windows-2008-or-windows-2008-r2-with-exchange-2007-cluster-continuous-replication-ccr.aspx\n","date":"12 July 2010","externalUrl":null,"permalink":"/2010/07/12/msexchangerepl-2147-/-msexchangerepl-2104-/-msexchangerepl-2127-occurring-on-windows-2008-or-windows-2008-r2-with-exchange-2007-cluster-continuous-replication-ccr/","section":"Posts","summary":"","title":"MSExchangeRepl 2147 / MSExchangeRepl 2104 / MSExchangeRepl 2127 occurring on Windows 2008 or Windows 2008 R2 with Exchange 2007 Cluster Continuous Replication (CCR)","type":"posts"},{"content":"At last !\nExchange Server 2007 Service Pack 3 was released this week ! What\u0026rsquo;s New ?\nTop requested Support for Windows Server 2008 R2 server installations Windows 7 - for Exchange 2007 Management Tools Improved Password Reset Functionality - Enable the Exchange 2007 SP3 Password Reset Tool Updated Search Functionality - mailbox server side indexing Support for Right-to-Left Disclaimer Text And of course\u0026hellip; Active Directory Schema Changes, although with only a few changes but still take that into account. Don\u0026rsquo;t forget the installation path to success :\nPrepare your environment - Forest changes.. 
Upgrade Client Access servers (Internet Facing first\u0026hellip;) Upgrade Unified Messaging servers Upgrade Hub Transport servers Upgrade Edge Transport servers Upgrade Mailbox servers Enjoy !\nReference: Ask and you shall receive - Exchange 2007 SP3 w/support for Windows Server 2008 R2 Now Available What\u0026rsquo;s New in Exchange Server 2007 SP3\nExchange 2007 SP3 Release Notes\nDownload Exchange 2007 SP3 here\n","date":"22 June 2010","externalUrl":null,"permalink":"/2010/06/22/exchange-2007-sp3-is-out/","section":"Posts","summary":"","title":"Exchange 2007 SP3 is out !","type":"posts"},{"content":" I\u0026rsquo;d like to share with all of you one of best effective sites I use to \u0026ldquo;track\u0026rdquo; hotfixes for Microsoft products.. http://kbupdate.info\nThe nice thing about this website is that it sorts, yeah ! sorts the products and list the updates by date also :) simply amazing.\nFor example, the list of KB\u0026rsquo;s that were written for Exchange 2010 in the year 2010.\nEnjoy !\n","date":"9 May 2010","externalUrl":null,"permalink":"/2010/05/09/microsoft-knowledge-base-monitoring/","section":"Posts","summary":"","title":"Microsoft Knowledge Base monitoring","type":"posts"},{"content":" So you\u0026rsquo;ve plugged a harddrive / disk-on-key or any other hot plugged device, and oops BSOD :( or, you want to install a new driver for a device that you have removed, but windows magic plug-and-play installed the driver automatically\u0026hellip;. 
but you don\u0026rsquo;t want that do you ?\nAnyway there\u0026rsquo;s an old method that works great.\nYou open device management, and click , view \u0026ldquo;show hidden devices\u0026rdquo;\u0026hellip; but you fail to see your disconnected devices\u0026hellip;\nFIX - Show all disconnected devices, open System Properties, click Environment Variables and click to add a New System Variable.\nConfigure a New System Variable After this you will be able to launch Device Manager again and when you\u0026rsquo;ll click to Show Hidden Devices, you will see all those removed or disconnected device drivers !\nDevice Manger Before-After That\u0026rsquo;s it ! Enjoy\n","date":"11 April 2010","externalUrl":null,"permalink":"/2010/04/11/delete-old-removed-or-disconnected-device-drivers/","section":"Posts","summary":"","title":"Delete old removed or disconnected device drivers","type":"posts"},{"content":" Thanks to Jeff - The EXPTA {blog}, you can have full how-to \u0026quot; use telnet to send SMTP email\u0026quot; for some basic testing and such. 
I\u0026rsquo;ve ran into A lot of issues when migrating to Exchange 2007 / Exchange 2010 , due to the strict RFC compliance that Microsoft has implemented with the new transport (SMTP) stack.\nanyways, enjoy this fine how-to:\nhttp://www.expta.com/2010/03/how-to-use-telnet-to-send-smtp-email-to.html\n","date":"7 April 2010","externalUrl":null,"permalink":"/2010/04/07/how-to-use-telnet-to-send-smtp-email-to-exchange-2007-and-2010/","section":"Posts","summary":"","title":"How to Use Telnet to Send SMTP Email to Exchange 2007 and 2010","type":"posts"},{"content":"Hi again,\nSome of my work with Certification Authority or ADCS involves enrolling certificates for many usages, sometimes autoenrollment does not work as it should\u0026hellip; and you get some weird errors like: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from CA.domain.localDomain-CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).\nalso along with some KDC certificate errors because the domain controller does not hold a valid domain controller certificate:\nThe Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. 
To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.\nThis happens when you create your CA on a Domain Controller and the \u0026ldquo;Domain Controllers\u0026rdquo; security group is missing from the \u0026ldquo;CERTSVC_DCOM_ACCESS\u0026rdquo; Domain Local Security Group.\nhave a look in the following post for more autoenrollment issues and how to fix\u0026rsquo;em: http://blogs.technet.com/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx\nThe KDC error reference: http://technet.microsoft.com/en-us/library/cc734096%28WS.10%29.aspx\n","date":"16 March 2010","externalUrl":null,"permalink":"/2010/03/16/certificate-autoenrollment-fails-with-rpc-server-is-unavailable/","section":"Posts","summary":"","title":"Certificate autoenrollment fails with RPC server is unavailable","type":"posts"},{"content":"Hi,\nFirst Step-By-Step !\nThis guide will show you how to configure ISA 2006 for coexistence of Exchange 2003 with Exchange 2010 remote connectivity services, including: Outlook Web Access \u0026amp; Outlook WebApp Microsoft ActiveSync RPCoverHTTP - Outlook Anywhere Publishing Exchange 2010 FARM - two client access servers This guide assumes that:\nISA 2006 is configured to publish OWA 2003 and all additional services\nSSL is configured for the Exchange 2003 server\nWindows Integrated Authentication is enabled on the ActiveSync Vdir in the Exchange 2003 Back-End server ( http://support.microsoft.com/?kbid=937031 )\nRPC-over-HTTP was working for for 2003 mailboxes, and the 2003 back-end is configured as an RPC-over-HTTP\nThe current configuration works ;)\nThis guide will not cover scenarios when exchange is directly exposed to the internet. 
which I personally do not recommend in generally\u0026hellip;.\nOkay here we go:\nConfigure redirection for Exchange 2003 OWA: Exchange 2010 will redirect a user that holds a mailbox in exchange 2003, this will be possible when the following cmdlet will be run on the Exchange 2010 Client Access server: Get-OwaVirtualDirectory -server cas01-2010 | Set-OwaVirtualDirectory -Exchange2003Url https://owa.ext.com/exchange Publish Exchange 2010 client access web farm with ISA 2006, OWA first: New OWA 2010 Publishing Rule Outlook Web Access Publishing - Notice ISA 2006 does not provide a wizard (or the new form) for OWA 2010 - for that you need TMG\nPublish 2010 Client Access Farm Choose SSL bridging options to CAS farm Enter one of the CAS server internal name - Now we need to create the Web Farm and select it as the target for the publishing rule\nName the new Web Farm Choose Web Farm connectivity verification method Confirm isa system rule for verification Select the created Web Farm - Configure the web listener and authentication delegation option\n- The web listener should be already configured for Form Authentication and a valid SSL certificate\nEnter the Public DNS name for the rule Select the Listener ( should be already configured for 2003 publishing ) Select Basic Authentication for Credentials Delegation Leave All Authenticated Users for Web Publishing ( ISA authenticates our users ) - The publishing rule for the Web Farm is now complete.\n- Two additional configurations are now required:\nEdit the new \u0026ldquo;exchange2010\u0026rdquo; Rule: Remove the legacy virtual directory\u0026rsquo;s - /Exchange, /Exchweb and /Public they will continue to be published to your original 2003 rule. Add /ecp/* as this is the new \u0026ldquo;options\u0026rdquo; applications for users, and a powerful administration web console with Exchange 2010. 
Edit the new rule - remove all OWA 2003 vdir\u0026rsquo;s Edit the original OWA 2003 publishing rule and remove Microsoft-Server-ActiveSync path, we will next create ActiveSync publishing rule for Exchange 2010. Edit the original OWA 2003 publishing rule and remove Microsoft-Server-ActiveSync vdir Now we have three last steps to finish our Exchange 2010 publishing:\nCreate a new Exchange Web Client Access rule - and select ActiveSync - Repeat most of part 1 except we select ActiveSync, publish the webfarm, enter the same info, and select the same listener. Now as same for ActiveSync, we need to move the RPCoverHTTP (Outlook Anywhere) from the 2003 publishing rule to 2010 publishing rule. Delete the existing rule. Next you we will create a new publishing rule for Outlook Anywhere based on Exchange 2010. Create a new Exchange Web Client Access rule - and select Outlook Anywhere - Repeat most of part 1 except we select Outlook Anywhere, publish the webfarm, enter the same info, and select the same listener. That\u0026rsquo;s it :)\nif you kept up with all the requirements, all should be fine and you are now able to migrate your 2003 users to 2010 with ease, while both systems are allowed for external connectivity.\nEnjoy!\nMore relevant links on the subject:\nUpgrading Outlook Web App to Exchange 2010\nTransitioning Client Access to Exchange Server 2010\n","date":"12 March 2010","externalUrl":null,"permalink":"/2010/03/12/how-to-publish-exchange-2003-and-exchange-2010-with-isa-2006/","section":"Posts","summary":"","title":"How to publish Exchange 2003 and Exchange 2010 with ISA 2006","type":"posts"},{"content":" Well the topic explains this quite enough.. but I\u0026rsquo;d like to share little more.\nA typical Exchange 2010 deployment based on Server 2008 R2, we used IBM Blade Center HS22 this time with a QLogic HBA to connect to an EMC Symmetrix storage with FC \u0026hellip; okay, enough hardware talk. 
:)\nThe \u0026ldquo;symptom\u0026rdquo; was that after connecting the LUN\u0026rsquo;s to the and creating the partitions, well the next reboot to the server was .. unsuccessful\u0026hellip; shocked as we were, after some quite tryouts: Drivers, Firmware upgrades, disable that and disable that \u0026hellip; and when all failed \u0026hellip;some searching, we came up with a few links\u0026hellip; all seem to be quite \u0026ldquo;close but no cigar\u0026rdquo;.\nLocal operating system boot fails when external storage is attached - IBM System x3550 M2, x3650 M2 and BladeCenter HS22\nUEFI-aware OS doesn\u0026rsquo;t boot after load defaults or deployment - IBM BladeCenter and System x\nThe system becomes unbootable after you add raw disks to a Windows Server 2008 R2-based computer that has EFI enabled - http://support.microsoft.com/kb/975535\nFirst real world experiences with IBM’s x3650 M2\nThe last link includes a comment by \u0026ldquo;Rudi\u0026rdquo; , which gave us a good idea. lets try it again\u0026hellip;\nwell, we did ! and guess what ?? IT WORKED.\nQuick wrap up:\nHS22 BladeCenter - Server boots from local raid-1 SAS disks with a GUID Partition Table (GPT) - Server 2008 R2 EFI boot loader.\n21 LUN\u0026rsquo;s attached with FC from a EMC Symmetrix storage (MBR).\nSolution:\nMake sure you initialize all drives with GPT - Guid Partition Table. that\u0026rsquo;s it ! Smile :)\n** quick notice. 
to sum all the other links, if you use a non uefi aware OS (basically only server 2008+ is uefi aware) you need to make sure to use the \u0026ldquo;Legacy Only\u0026rdquo; method.\nHope this helps, we spent quite some time around this issue.\n","date":"14 February 2010","externalUrl":null,"permalink":"/2010/02/14/local-operating-system-boot-fails-when-external-storage-is-attached/","section":"Posts","summary":"","title":"Local operating system boot fails when external storage is attached","type":"posts"},{"content":" Wanted to share this nice little app I\u0026rsquo;ve found.. it will allow you to easily \u0026quot; Customizing HTML Forms in ISA Server 2006 \u0026quot; (or TMG) , instead of editing strings.txt and customize html stuff , go GUI :) A free community utility by Kay Sellenrode - FBA Editor v1 Just visit the page, or check out this youtube video showing off this great utility.\nEnjoy\n","date":"13 February 2010","externalUrl":null,"permalink":"/2010/02/13/edit-isa-/-tmg-login-form-easily/","section":"Posts","summary":"","title":"Edit ISA / TMG login form - Easily !","type":"posts"},{"content":" Error: You must update your Windows Small Business Server 2008 settings both before and after you install Exchange Server 2007 Service Pack 2 (SP2). 
Before installing SP2 for Exchange Server 2007, read the detailed information at http://go.microsoft.com/fwlink/?LinkId=155135.\nhttp://support.microsoft.com/?kbid=974271\nAt last, a installation too for easy install of Exchange 2007 SP2 for SBS 2008, no more \u0026ldquo;hacking\u0026rdquo; the sbs 2008 server\u0026hellip;\nGreat News, Enjoy !\n","date":"6 January 2010","externalUrl":null,"permalink":"/2010/01/06/exchange-2007-sp2-for-sbs-2008-installation-tool-available/","section":"Posts","summary":"","title":"Exchange 2007 SP2 for SBS 2008 installation tool available !","type":"posts"},{"content":" Mark posted a great post about this ancient urban legend, \u0026ldquo;The Machine SID Duplication Myth\u0026rdquo; For the record, just remember that NewSID was never the solution for imaging a computer as a template. And i\u0026rsquo;ll quote some of mark\u0026rsquo;s post and leave you to read the rest on his blog..\nOn November 3 2009, Sysinternals retired NewSID, a utility that changes a computers machine Security Identifier (machine SID). I wrote NewSID in 1997 (its original name was NTSID) because the only tool available at the time for changing machine SIDs was the Microsoft Sysprep tool, and Sysprep doesn’t support changing the SIDs of computers that have applications installed. A machine SID is a unique identifier generated by Windows Setup that Windows uses as the basis for the SIDs for administrator-defined local accounts and groups. After a user logs on to a system, they are represented by their account and group SIDs with respect to object authorization (permissions checks). If two machines have the same machine SID, then accounts or groups on those systems might have the same SID. It’s therefore obvious that having multiple computers with the same machine SID on a network poses a security risk, right? 
At least that’s been the conventional wisdom.\n\u0026hellip;.I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that - with one exception - Windows never exposes a machine SID outside its computer, proving that it’s okay to have systems with the same machine SID. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so MIcrosoft\u0026rsquo;s support policy will still require cloned systems to be made unique with Sysprep.\nhttp://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx\nEnjoy !\nThanks mark for the clarification.\n","date":"18 December 2009","externalUrl":null,"permalink":"/2009/12/18/where-did-newsid-go-seems-mark-got-the-answer/","section":"Posts","summary":"","title":"Where did \"newsid\" go ? seems mark got the answer","type":"posts"},{"content":" Recently, I\u0026rsquo;ve encountered a situation where users that have been migrated to Exchange 2007 could not send mail to certain public folders. It seems that the selected recipients were members of a security group that had inheritance disabled, and which had only few specific ACL\u0026rsquo;s for Admins and such. but the \u0026quot; Exchange Servers \u0026quot; group were not included in the DACL.\nThe NDR reported back the recipients tried to send the email to the public folder was:\n#550 5.2.0 STOREDRV.Deliver: The Microsoft Exchange Information Store service reported an error. 
The following information should help identify the cause of this error: \u0026ldquo;MapiExceptionNotAuthorized\nTo resolve this i\u0026rsquo;ve added Read Permissions - Allow for the Exchange Servers group, with inheritance to all child objects.\nHope this will be useful !\n","date":"2 December 2009","externalUrl":null,"permalink":"/2009/12/02/exchange-servers-permissions-are-needed-on-security-groups/","section":"Posts","summary":"","title":"Exchange Servers Permissions are needed on Security Groups","type":"posts"},{"content":" Super fun for all questions like: \u0026ldquo;i need your \u0026hellip;\u0026rdquo; http://www.lmgtfy.com/?q=RTFM\nHave fun ;)\n","date":"2 December 2009","externalUrl":null,"permalink":"/2009/12/02/let-me-google-that-for-you/","section":"Posts","summary":"","title":"Let me google that for you","type":"posts"},{"content":" Finally, a long term solution to a problem that have been annoying quite a while\u0026hellip; Outlook 2007 + Plain Text replies , that uses Right to Left languages , in my case Hebrew, were received reversed in order .. that is the words in the sentences were displayed literally reversed.\nA quite annoying word issue actually\u0026hellip; A workaround for this was making sure that users were sending out Rich Text (RTF) email\u0026rsquo;s. then the replies were displayed correctly.\nLong story short. 
to solve this, request and install the following patch http://support.microsoft.com/kb/973401 - Description of the Word 2007 hotfix package (Word-x-none.msp, Wordconv-x-none.msp): August 25, 2009\nAdditional configuration to align the text to the right could be done by following daniel\u0026rsquo;s petri post regarding this :\nhttp://www.petri.co.il/correcting-email-display-direction-in-outlook.htm\nThis solved my issue on the spot.\nBetter later then never :)\n","date":"24 November 2009","externalUrl":null,"permalink":"/2009/11/24/rtl-plain-text-emails-with-outlook-2007-fixed/","section":"Posts","summary":"","title":"RTL Plain Text emails with Outlook 2007 - fixed","type":"posts"},{"content":" Well, I know\u0026hellip; there\u0026rsquo;s tons of links on the net for this.. here\u0026rsquo;s my top selected keyboard shortcuts. Some are mostly all Windows 7 specific, and includes a few Aero shortcuts\u0026hellip;but some are old school ones.\nStart Clicking !\nWin+UP Arrow :- Maximize the current window\nWin+Down Arrow :- If the current window is maximized, restore it; if the current window is restored, minimize it\nWin+Left Arrow :- Dock the current window to the left half of the screen\nWin+Right Arrrow :- Dock the current window to the right half of the screen\nWin+Home :- Minimize all but the current window\nWin+P :- Open the projection menu (generally used for laptops connected to projectors)\nWin+X :- Open Windows Mobility (For Laptops)\nAlt+F4 :- Close the active window\nAlt+Tab :- Switch to previous active window\nAlt+Esc :- Cycle through all open windows\nWin+Tab :- Flip 3D\nCtrl+Win+Tab :- Persistent Flip 3D\nWin+T :- Cycle through applications on taskbar (showing its live preview)\nWin+M :- Minimize all open windows\nWin+Shift+M :- Undo all window minimization\nWin+D :- Show Desktop\nWin+Space :- Preview Desktop (Aero Peek)\nWin + “+”:- Zoom in Desktop (Full Screen) - This is by far the best addition for windows desktop on my part.\nWin + “-”:- Zoom out 
Desktop (Full Screen) - \u0026ldquo;-\u0026rdquo;\nWin + 1-9 :- Launch Pinned Applications on Taskbar by their locations\nA Few More Handy Shortcuts:\nCTRL + SHIFT + N :- Create a new folder\nF2 :- Rename on mostly any parameter (yeah.. well not anyone knows this handy one) Try the TAB key with this too.\nCTRL + SHIFT + ENTER :- While in the Search bar on Start menu - Run a program as Administrator (When UAC enabled)\nSHIFT + Right Mouse Button :- In an Folder window - allows \u0026ldquo;Open A Command Prompt Here\u0026rdquo;\nSHIFT + Right Mouse Button (on a file / folder) :- \u0026ldquo;Copy as Path\u0026rdquo; for the selected file / folder\nCTRL + SHIFT + ESC :- Open Task Manager\nF7 :- While in Command Prompt / Powershell - Shows recent commands\nLinks:\nWindows 7 Shortcut keys on blogsdna.com\n\u0026ldquo;The IO Guy\u0026rdquo; blog on TechNet - this is by far the most comprehensive list I\u0026rsquo;ve encountered.\nWindows 7 Keyboard Shortcuts – the complete list\nFeel free to comment and add more handy stuff, I\u0026rsquo;ll be happy to include more \u0026ldquo;must have\u0026rdquo; shortcuts.\nEnjoy\n","date":"21 November 2009","externalUrl":null,"permalink":"/2009/11/21/ultimate-list-of-keyboard-shotcuts-for-windows-7/","section":"Posts","summary":"","title":"Ultimate list of keyboard shotcuts for Windows (7)","type":"posts"},{"content":"Hey there Mobile admins..\nRecently, I\u0026rsquo;ve did some troubleshooting with Fortinet and ActiveSync timeout, also known as Event ID 3030 Source: Server ActiveSync with the following being output to the Application Log on an Exchange Server 2003 and 2007. Event Type: Warning Event Source: Server ActiveSync Event Category: None Event ID: 3033 Description: The average of the most recent [200] heartbeat intervals used by clients is less than or equal to [9]. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. 
Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed.\nRead more on the Direct Push in Technet : Understanding Direct Push , typically you will need to adjust your session TTL to no less than 12 minutes.\nFortinet lists the official help on the subject in http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC\u0026amp;externalId=FD31862 - FD31862 - Customizing Session TTL in FortiOS 4.0 , FortiOS 4 also allows this per rule ! so for all those with FortiOS 3 , use the mentioned KB from Fortinet or try the FortiOS CLI Reference..\nUsually i set this time out to no less than 15 minutes or 900 seconds.. your call :)\n-updated the link to Fortinet KB\nFortiOS CLI Reference # ","date":"23 July 2009","externalUrl":null,"permalink":"/2009/07/23/configure-session-ttl-/-timeout-in-fortinet/","section":"Posts","summary":"","title":"Configure Session TTL / Timeout in Fortinet","type":"posts"},{"content":" Issues like these always come up with various customers, I\u0026rsquo;d thought it might be good to share with you all. As posted also in the official Microsoft Exchange Team blog:\nMike Lagase has just posted a very detailed troubleshooting guide for these problems on his blog - Troubleshooting Exchange 2007 Store Log/Database growth issues\nThis is one of the most comprehensive collections of information on how to troubleshoot those issues. Read it !\n","date":"18 July 2009","externalUrl":null,"permalink":"/2009/07/18/troubleshooting-exchange-2003-and-2007-store-log/database-growth-issues/","section":"Posts","summary":"","title":"Troubleshooting Exchange 2003 and 2007 Store Log/Database growth issues","type":"posts"},{"content":"Update #2 - July 28th 2014 -\nRemoving the EXPR while Autodiscover is being utilized (which is probably the case in most deployments) will achieve preventing Outlook Anywhere from being used. 
With that being said, a few commentators stated that they would like to continue using Outlook Anywhere and with Autodiscover enabled and the EXPR removed this will result in constant \u0026ldquo;removal\u0026rdquo; of the Outlook Anywhere settings that were statically configured.\nIf you want only specific users to be able to use Outlook Anywhere while others don’t I would advice considering the Set-CasMailbox -MAPIBlockOutlookRpcHttp:$true cmdlet to allow/block specific users.\nUpdate - June 29th 2013 -\nIf you\u0026rsquo;re going to deploy Exchange 2013 anytime soon - work your way to adapt autodiscover, and bring back the EXPR value. See Exchange 2013 Outlook Anywhere Considerations for more.\nThis is an unsupported method, use at your own risk!\nOnce “Outlook Anywhere” is configured on a client access server an EXPR entry is created. Then the autodiscover application picks up the change and publish it, along with the url’s for OAB,EWS \u0026amp; Availability. This basically “force” the automatic propagation of settings into the profile, including the checkbox for “Connect to Microsoft Exchange using HTTP” and filling the information for the HTTP proxy and authentication methods.\nMicrosoft documented Deployment Considerations for the Autodiscover Service in:\nhttp://technet.microsoft.com/en-us/library/aa997633(EXCHG.80).aspx - Where only Site Affinity is can be configured.\nThe Outlook provider setting and autodiscover relation are referenced quite good in the Exchange team blog:\nhttp://msexchangeteam.com/archive/2008/09/26/449908.aspx\nA client of mine needed the possibility to disable the automatic propagation of the \u0026ldquo;Connect to Microsoft Exchange using HTTP\u0026rdquo; setting in an Exchange 2007 environment . 
He of course wanted to keep the ability to connect using \u0026ldquo;Outlook Anywhere\u0026rdquo; if desired when configuring that manually.\nBecause autodiscover was made to auto-configure clients that are inside \u0026amp; outside the corporate network, disabling this feature disables the ability for external Outlook clients that are not domain joined to automatically connect using “Outlook Anywhere”. It does not, however, affect the configuration of a profile.\nWithin the Exchange shell:\nGet-OutlookProvider -Identity EXPR | Remove-OutlookProvider\nOnce this is done, recycle the application pool of AutoDiscover in IIS.\nThis solution will keep the Outlook clients from automatically propagating the settings for “Outlook Anywhere”, but retains the possibility of configuring it manually. All web services and autodiscover information other than the proxy information itself are intact.\nUpdates (Thanks to all commentators)\nI\u0026rsquo;ve written another article related to the subject, highly recommended reading: Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere\nThe above applies also for Exchange 2010\nTo restore the EXPR provider, run the following: New-OutlookProvider -Name:EXPR\nI have done the required testing to make sure this solution works.\nThis is an unsupported method, use at your own risk!\n","date":"18 June 2009","externalUrl":null,"permalink":"/2009/06/18/prevent-outlook-anywhere-aka-rpc-over-http-from-being-automatically-configured-in-exchange-2007-with-autodiscover/","section":"Posts","summary":"","title":"Prevent Outlook Anywhere (aka RPC over HTTP) from being automatically configured in Exchange 2007 with autodiscover","type":"posts"},{"content":" From a thread I\u0026rsquo;ve taken part in, there are currently no settings in the official Office 2003/2007 ADM packs to control this setting. 
Here\u0026rsquo;s the registry how to:\nFor Outlook 2003:\nhttp://support.microsoft.com/kb/948894\n1. Click Start, click Run, type regedit, and then click OK.\n2. Locate and then click the following registry subkey: HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\11.0\\Outlook\\Options\\Folders\n3. On the Edit menu, point to New, and then click DWORD Value.\n4. Type DisableEditPermissions, and then press ENTER.\n5. Right-click DisableEditPermissions, and then click Modify.\n6. In the Value data box, type 1, and then click OK.\n7. Exit Registry Editor.\nFor Outlook 2007, that is HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Outlook\\Options\\Folders\nManual creation of the ADM is required, i might post it later on.\n","date":"3 June 2009","externalUrl":null,"permalink":"/2009/06/03/prevent-users-from-changing-the-permissions-settings-on-their-mailbox-folders-in-outlook-2003/2007/","section":"Posts","summary":"","title":"Prevent users from changing the permissions settings on their mailbox folders in Outlook 2003/2007","type":"posts"},{"content":" Thought I should post this to share some info and maybe even provide a simple FAQ and some basic info on how to fight the world\u0026rsquo;s true evil. unsolicited bulk e-mail messages\u0026hellip; SPAM\nfor start if you want some background and some basic info on what/how/why and such..i would reference you to spamfaq.net (archive) , once you are familiar with some basic terms and such, you would probably want to start and implement (if not already) some anti-spam methods , either choose a 3rd party application for this, a hardware based relay all-in-one solution etc..\nmost simple solutions are rather a mail relay , with some kind of software which does a bunch of tests and lookups about the incoming message and content to measure its validity.. and so on .. 
my anti-spam ninja skills are mostly based with some exchange servers that either didn\u0026rsquo;t implement anything other then an exchange server which is receiving mail directly from the internet, running an anti-virus solution of some kind..\nI usually follow these few steps and the outcome is less SPAM being processed by the mail server , that is blocked on session connect.\n1. Whois information about each and every domain which is being used for outbound email is valid and as possible updated with relevant internal contact.\n2. Add SPF information about each and every domain which is being used for outbound email. (i define that a Fail response = reject message)\n3. Register your domains with Sender-ID , the microsoft \u0026ldquo;spf\u0026rdquo; framework. (i define that a Fail response = reject message)\n4. Enable the use of DNS RBL (real time block list) provider as a first method to filter out the bad guys. this will drop most evil right here.\n5. Add SURBL, suppress sending out NDR/Out-of-Office \u0026amp; any other method / product you may want to use.. anti-spam is not a set-and-forget matter. you will need to take care of every solution you might choose , find dropped messages and troubleshoot false-positives and etc.. don\u0026rsquo;t do any short cuts.\nDNS RBL\u0026rsquo;s\nChoose carefully the provider which suites you and of course make sure your mail system supports using a DNS RBL look-up, most mail gateways allow this built in or either with a 3rd party add-on, for instance exchange 2003 sp2/2007 supports this built-in, so make sure you verify this. also make sure you are setting the correct RBL with the correct response code from him. 
that is of course so you will not just turn on blocking all your incoming email traffic :) a great compare of the major DNS RBL providers is updated weekly @ http://www.sdsc.edu/~jeff/spam/cbc.html\nSURBL\nanother great method to even more enhance your blocking of spam is by using SURBL - \u0026ldquo;..SURBLs list web sites found in unsolicited message bodies. Those domains can be used to detect future unsolicited messages advertising the same sites. In contrast, most other lists have the IP addresses or domain names of unsolicited message senders, open relays, open proxies, etc. \u0026quot; http://www.surbl.org/\nbecause I cannot really cover it all here , here\u0026rsquo;s some links to further info, utils and more..\nThe anti-spam portal - Super site. all over.\nDNSBL Resource News,info,rating\u0026rsquo;s of DNSBL\u0026rsquo;s and more.\nORFilter freeware , allowing microsoft smtp server to use RBLs and more.\n","date":"4 March 2009","externalUrl":null,"permalink":"/2009/03/04/a-bite-of-spam/","section":"Posts","summary":"","title":"A bite of spam","type":"posts"},{"content":" sorry for the huge gaps , but it\u0026rsquo;s been very busy and messed up lately\u0026hellip; well anywayz A CCR implementation, along with 2 HUB/CAS \u0026amp; 2 ISA servers to serve.\non the legacy side , an Exchange 2003 cluster based windows w2k \u0026amp; 2 front ends.\nall seems to be working great , except that when it all came to start testing connectivity and co-existence with the 2003 backend cluster\nusing the new CAS servers to replace the frontend servers things went bad.\ni\u0026rsquo;ve had error 500 when accessing 2007 mailboxes with /exchange, 404 errors when accessing /exchange and using 2003 Mailboxes.\nalso , event id 1000 , with source EPROX was logged in the CAS application log, the description doesn\u0026rsquo;t make much sense..except that it wrote the Backend cluster 2003 name.. \u0026quot; The description for Event ID 1000 from source EXPROX cannot be found. 
Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. \u0026quot; If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: CLUSTER\nSolving.. :)\nthe error 500 was solved when i double checked that all the CCR mailbox role features were installed, web-ISAPI-ext was missing, and now the 2007 mailboxes works with /exchange.\nnow, if you\u0026rsquo;ll read some in technet you\u0026rsquo;ll find out on the hows and why and so on\u0026hellip; BUT ! you should keep in mind that if you work with a Clustered backend , and you want to support any front end/cas\nyou should also follow the following KB:\n\u0026ldquo;How to configure host header and authentication information in Exchange 2000 Server or Exchange Server 2003 Outlook Web Access on a Windows Server 2003 or Windows 2000 server cluster\u0026rdquo;\nlong story short now - to make this legacy proxy support , you should first check that navigating to your CAS mailboxes with /exchange WORKS to 2007 mailboxes first. rather use the default Form auth and dont change nothing to test it.\nthen , make sure you\u0026rsquo;ve added ALL the host headers you will use (eg; owa.company.com, owa.local.dom etc..) 
on your clustered backend 2003/2000 exchange servers.\nonce this works , you should not see any EPROX errors in applications log , nor Availability service errors that actually say that the CAS server cannot find your backend servers.\nthen you should be able to test with 2003 mailboxes through the CAS servers , and decommission any front end servers you might have.\nHope this helps!\n","date":"1 March 2009","externalUrl":null,"permalink":"/2009/03/01/exchange-2007-exchange-2003-coexistence-cas-proxy-issues/","section":"Posts","summary":"","title":"Exchange 2007 \u0026 Exchange 2003 Coexistence - CAS Proxy issues","type":"posts"},{"content":" Well.. I really like checkpoint products.. with that being said it , and by the title of this post i\u0026rsquo;ll rather go to business :) For the record, I\u0026rsquo;m using Vista x86 with sp1 on my laptop , and mostly happy with the OS behavior.. anyways, the thing is that i have VPN-1 SecuRemote / SecureClient NGX R60 HFA2 installed on my laptop since I\u0026rsquo;ve installed the OS, i\u0026rsquo;m installing only SecuRemote during setup \u0026amp; using it a lot to connect to costumers and such .\nso far os good , then comes this time when I had to connect to a client and for some reason, I had been persuaded to install the SecuClient because we had some issues to connect\u0026hellip;!@$@\nyea , from this point things went bad !\nhumm.. well for starts I\u0026rsquo;ve uninstalled , restarted \u0026amp; re-installed the SecuClient this time, setup got stuck.. in the part where it configures additional components or something (that gui with the wheels \u0026hellip;) then on the reboot\u0026hellip; hum well the desktop fail to show up , it was pitch black with the mouse cursor only !!? 
so obviously something went wrong.\nlong story short , after battling with the install over and over again, the quick fix to the black screen is to manually delete fw.sys from system32\\drivers each time, this quickly broke the service binding on the network adapters \u0026amp; made me able to boot normally to windows and uninstall the secure client software and drivers.\nfinally what fixed the issue is actually binding back IPV6 which i\u0026rsquo;ve disabled \u0026hellip;added the binding to the network adapters \u0026amp; removed the registry key, for info on that go to: http://support.microsoft.com/kb/929852 after that , all went great.. regarding the install of the client - securemote only !! :)\nokay, now what \u0026hellip; some more fun to the end ! I\u0026rsquo;m lately using internet connection sharing on my laptop , so that it shares wireless to the lan adapter.. humm that got broke , unbinding the checkpoint service from the network adapter did the trick on that one.\nThere. nuff rumbling.\n","date":"8 December 2008","externalUrl":null,"permalink":"/2008/12/08/my-cup-of-checkpoint-securemote-/-secuclient/","section":"Posts","summary":"","title":"my cup of checkpoint SecuRemote / SecuClient","type":"posts"},{"content":" all of them ! :) ","date":"12 November 2008","externalUrl":null,"permalink":"/2008/11/12/microsoft-best-practices-analyzers/","section":"Posts","summary":"","title":"Microsoft Best Practices Analyzers","type":"posts"},{"content":" I was asked to figure this out, took me a while but i found quite a nice approach to make it super easy. The official Technet on the matter, explains how to phrase the stssync link correctly , after fighting with it..unicode etc.. i finally thought of something easy.\n1. Locate the list you want to connect to.\n2. Press \u0026ldquo;connect to outlook\u0026rdquo; button.\n3. Approve in outlook\u0026hellip;\n4. Right click the newly added list \u0026amp; choose share \u0026ldquo;List name\u0026rdquo;\n5. 
Mail the share offer to yourself .. then check out the message headers.\n6. Notice the \u0026ldquo;x-sharing-config-url\u0026rdquo; , this is the exact syssync reference link that you need :) clean and easy \u0026amp; without any hassle or unicode stuff\u0026hellip;\n7. Enjoy distributing this , you can use outlook.exe /share stssync://url , or use a Link in a webpage to make the users add the lists to their outlook.\nThat\u0026rsquo;s it :)\n","date":"2 November 2008","externalUrl":null,"permalink":"/2008/11/02/scripting-sharepoint-lists-connect-to-outlook-stssync-links/","section":"Posts","summary":"","title":"Scripting sharepoint lists \"Connect to Outlook\" stssync links","type":"posts"},{"content":"","date":"2 November 2008","externalUrl":null,"permalink":"/categories/sharepoint/","section":"Categories","summary":"","title":"Sharepoint","type":"categories"},{"content":" Well , i\u0026rsquo;ve had some experience in the past as for moving windows installations to different hardware / storage controllers .. my new computer was installed too quickly and i\u0026rsquo;ve done it with Legacy IDE mode as far as my southbrige sata controller, blah blah anyways , if anyone might be doing it here\u0026rsquo;s a fair nicly made guide with how to enable it quickly for a variaty of chipsets works very good , check this forum link.\nhttp://forums.hexus.net/hexus-hardware/112584-how-enable-ahci-raid-mode-without-reinstalling-windows-p35-ich9-ich9r.html\n","date":"21 October 2008","externalUrl":null,"permalink":"/2008/10/21/enable-sata-ahci-/-raid-ich8/ich8r/ich9/ich9r/ich10/","section":"Posts","summary":"","title":"Enable sata AHCI / RAID (ICH8/ICH8R/ICH9/ICH9R/ICH10)","type":"posts"},{"content":" http://www.portforward.com/english/routers/port_forwarding/routerindex.htm this site is whack ! it got a ultimate archive of a full how-to portforward for tons of software \u0026amp; routers.. 
they even wrote a program (non free) to configure a router automatically.\nanyways , next time you get a \u0026ldquo;dude my xyz program doesn\u0026rsquo;t connect\u0026rdquo; you can help those friends with this huge selection.\n(just don\u0026rsquo;t call me on this :) )\n","date":"28 September 2008","externalUrl":null,"permalink":"/2008/09/28/noob-friends-with-routers-no-probs-link-this/","section":"Posts","summary":"","title":"noob friends with routers ? no probs \u003e link this","type":"posts"},{"content":" Had a nice issue with this, a few tasks were set to run on a server, running .bat files. okay so ? all simple till now ;)\nhere\u0026rsquo;s what i found:\n1 - the task was set to run under a specific user.\n2 - that user was given \u0026ldquo;Log on as a batch job\u0026rdquo; security assignment on that server.\n3 - the bat was failing to start in task scheduler.\n4 - there were other jobs , running VBS and running okay !\nnow .. i\u0026rsquo;ve scratched my head a bit and found this great article about how to troubleshoot:\nhttp://www.shijaz.com/windows/taskscheduler.htm a great article , check it out ! the site also has some great stuff for ISA Server \u0026amp; Exchange if you are into it..\nin section 2.b it referenced my Part 1 solution, the bat file had a reference to a MAPPED drive ! running non-interactive = no mapped drives.\nPart 2 solution\ngoing back to point 4 , i\u0026rsquo;ve figured it\u0026rsquo;s a security issue , although the user had the \u0026ldquo;log on as batch job\u0026rdquo; right .. CMD.EXE was manually edited with security permissions, BUILTIN\\BATCH group was missing the read/execute security permission on it.\nThere .. now it works :)\n","date":"28 September 2008","externalUrl":null,"permalink":"/2008/09/28/troubleshooting-windows-task-scheduler/","section":"Posts","summary":"","title":"Troubleshooting Windows Task Scheduler","type":"posts"},{"content":" I was requested to do this the other day.. 
so I use the amazing MFCMAPI tool which opens wide mailboxes and thier raw content.. Be aware that i am really deleting an appointment ! the reminder will be gone with it. (Thanks for Steve for correcting me here.)\nto do so we have a few steps:\n1. Launch MFCMAPI tool on the user’s client.\n2. Go to Session -\u0026gt; Logon and Display Store Table\n3. Select the outlook profile of the user and double-click “Mailbox - your user name”\n4. Expand \u0026ldquo;Root Container\u0026rdquo;\n5. Expand \u0026ldquo;Top of Information Store\u0026rdquo;\n6. Now its the tricky part , we need to find the specific reminder that does the troubles, there might be a few directory\u0026rsquo;s of reminders (maybe in more then one language\u0026hellip;).\n7. Double click the folder \u0026amp; start looking for the specific reminder (really the appointment)..\n8. When you find the appointment or a few together even , right click and choose \u0026ldquo;Delete Message\u0026rdquo; , in the options select “permanent deletion (deletes to deleted item retention if supported)”.\n9. close MFCMAPI \u0026amp; re-check in outlook.\nyou can use this method to delete problematic appointments, messages \u0026amp; all other MAPI data inside your exchange mailbox. BUT ! be careful , you can mess your mailbox up if you do something wrong \u0026hellip;\nReference for steps and example \u0026hellip;\nDownload MFCMAPI Latest version:\nhttp://www.codeplex.com/MFCMAPI\nhttp://exchangeshare.wordpress.com/2008/04/10/delete-corrupted-hidden-or-stale-rules-from-mailbox-with-mfcmapi/\nhttp://support.microsoft.com/kb/924297\n","date":"16 September 2008","externalUrl":null,"permalink":"/2008/09/16/remove-zombi-reminders-using-mfcmapi/","section":"Posts","summary":"","title":"Remove \"Zombi\" reminders using MFCMAPI","type":"posts"},{"content":" Well , not much to say here, read the awesome tool. 
you need to distribute your SSL root chain , which some times more then one certificate ,and make sure your mobile likes this ..\nyou can use this tool to save the whole ssl chain , and verify if the chain is indeed presented by the web site correctly , this might some an issue too, because sometimes the server does not hold the whole chain but just the main ROOT CA public key..this helps very easy to troubleshoot it. and distribute your files easly.\nhttp://blogs.msdn.com/windowsmobile/archive/2008/05/18/sslchainsaver-v2-released.aspx\nThe tool can detect a common name mismatch on the cert but it doesn\u0026rsquo;t parse the \u0026ldquo;SubjectAltNames\u0026rdquo; extension. If your certificates are using SubjectAltNames, the tool will report a name mismatch but the certs will really work fine. i dont find that super problematic thu :) i just wanna save it.\n","date":"7 September 2008","externalUrl":null,"permalink":"/2008/09/07/sslchainsaver-v2-save-root-certificate-and-chain-the-super-easy-way./","section":"Posts","summary":"","title":"SSLChainSaver v2 - Save root certificate (and chain), the super easy way.","type":"posts"},{"content":" Well, as far as deployments , it\u0026rsquo;s seems that \u0026ldquo;most\u0026rdquo; implementations are rather normally okay, there\u0026rsquo;s times when memory issues did rise and troubleshooting this might be a real pain.. Mostly, i\u0026rsquo;d deal with a mail server that has no less then 16gb and is an all-in-one configuration, running 64bit Server 2003 sp2 with extra special care for all drivers , updates , prerequisites \u0026amp; page file configurations.\nUsually, even if they run All roles + an Anti Virus product , while carefully setting backup \u0026amp; maintenance times, things go smooth.\nYet, there are times when the server is having issues, while troubleshooting is necessary of course, i\u0026rsquo;d rather go with the future spirit \u0026amp; just think my way up to Server 2008 . 
Check out the post from Mike on the Exchange Team blog; it has some great links and deeper explanations.\nServer 2008 manages these issues out of the box and the applications are far more compatible, an easier life for all of us. Really.\nUh, and yeah, I\u0026rsquo;m running Vista SP1.\n","date":"16 August 2008","externalUrl":null,"permalink":"/2008/08/16/memory-exchange-x64-bit-technology/","section":"Posts","summary":"","title":"Memory \u0026 Exchange x64 bit Technology","type":"posts"},{"content":" So, yet another implementation of Exchange. This time I\u0026rsquo;ve encountered the following error while installing the CAS role on the server. Setup exited with the following error:\nThe process does not possess the \u0026lsquo;SeSecurityPrivilege\u0026rsquo; privilege which is required for this operation.\nLooking into the privilege showed that \u0026ldquo;Exchange Servers\u0026rdquo; and, more accurately in our situation, the \u0026ldquo;Domain Administrators\u0026rdquo; were not configured in \u0026ldquo;Manage auditing and security log\u0026rdquo;, because the Default Domain Policy \u0026amp; Default Domain Controllers Policy GPOs were re-created and the default ones were left with the link set to off.\nIt is easy to monitor those privileges with whoami.exe from the support tools; I love it that Server 2008 installs them all as dependencies!\nOnce we\u0026rsquo;d added Domain\\Administrators and Domain\\Exchange Servers to the policy, setup ran okay :)\n","date":"12 August 2008","externalUrl":null,"permalink":"/2008/08/12/sesecurityprivilege-issues-while-running-setup-for-exchange-2007/","section":"Posts","summary":"","title":"SeSecurityPrivilege issues while running setup for Exchange 2007","type":"posts"},{"content":"Hi,\nSo I\u0026rsquo;ve got to troubleshoot this issue in a very complex multi-domain environment with multiple Exchange organizations \u0026amp; servers. 
Internal messages from Server A in ExchangeORG A were failing in the categorizer while being processed to be sent to Server B in ExchangeORG B.\nFollowing KB884996, resolution 2 was valid in my situation: the \u0026ldquo;Allow inheritable permissions from parent to propagate to this object\u0026rdquo; check box on the Server A object was missing a tick.\nI set this via ADSIEDIT, noticed of course that the \u0026ldquo;Exchange Domain Servers\u0026rdquo; ACE entries from the other domain were added, and allowed for replication.\nAfter verifying that the ACEs were propagated \u0026amp; fully replicated, I did a quick restart of the MTA, Routing \u0026amp; SMTP services on both servers, and operation was successfully restored.\nAs an extra, this could also be an issue with an Event Sink that might have been registered and improperly removed / integrated. Using smtpreg.vbs (\u0026ldquo;cscript smtpreg.vbs /enum \u0026gt; Output.txt\u0026rdquo;), I was able to verify that no 3rd-party Event Sinks were installed and that none of the Exchange Event Sinks were disabled\u0026hellip;\nMore links on the subject:\nTroubleshooting messages stuck in \u0026lsquo;Messages awaiting directory lookup\u0026rsquo; queue http://msexchangeteam.com/archive/2006/06/23/428114.aspx\nHow to troubleshoot messages that remain in the \u0026ldquo;Messages awaiting directory lookup\u0026rdquo; queue in Exchange Server 2003 and in Exchange 2000 Server http://support.microsoft.com/kb/251746\nDirectory service server detection and DSAccess usage http://support.microsoft.com/kb/250570\n","date":"12 August 2008","externalUrl":null,"permalink":"/2008/08/12/troubleshooting-messages-stuck-in-messages-awaiting-directory-lookup-queue/","section":"Posts","summary":"","title":"Troubleshooting messages stuck in 'Messages awaiting directory lookup' queue","type":"posts"},{"content":" While testing yet another Exchange 2007 implementation, I\u0026rsquo;ve encountered an error while trying to export mailboxes to PST with the Export-Mailbox cmdlet. 
I\u0026rsquo;ve verified full mailbox access permissions and the 2007 32-bit tools on XP SP2 with Outlook 2007.\nYet it still failed with the following error:\nExport-Mailbox : Error was found for user01 (user01@mydomain.com)\nbecause: Error occurred in the step: Approving object. An unknown error has occurred., error code: -2147221241\nAfter some filtering of search results I found a suggestion to run fixmapi from cmd. If you\u0026rsquo;re not familiar with this utility (like I was), it lives in your %systemroot%\\system32, along with the mapi32.dll files. Besides that, 3 notes for you:\n1. FixMAPI does not replace the current mapi32.dll file if the file is marked as read-only.\n2. FixMAPI does not replace the current mapi32.dll if Microsoft Exchange Server is installed on the computer.\n3. When FixMAPI makes a backup copy of the current copy of mapi32.dll on the computer, it assigns the backup copy a name different from \u0026ldquo;mapi32.dll\u0026rdquo;. It then directs subsequent calls intended for that assembly to the backup copy.\nOh yeah, closing all applications and running fixmapi in cmd, just like that, fixed the issue.\nIlan.\n","date":"10 August 2008","externalUrl":null,"permalink":"/2008/08/10/export-mailbox-fails-with-error/","section":"Posts","summary":"","title":"Export-mailbox fails with error","type":"posts"},{"content":" IT Systems Architect // Cybersecurity Marketer // Techno-Trance Producer // Family man. Welcome to my blog! I\u0026rsquo;m Ilan Lanz, a technology enthusiast, systems architect, and cybersecurity professional with over two decades of experience.\nAbout This Blog\nI started publishing my posts on this blog in 2008. My goal was to share my experience and knowledge with the community. 
I typically blog about topics and issues that I\u0026rsquo;ve found hard to find answers to, had to figure out myself through trial and error, and believed that others might benefit from my findings.\nCheck out my professional profile at LinkedIn.\nMy music project\nWhen I\u0026rsquo;m not immersed in the world of cybersecurity, you\u0026rsquo;ll find me in the studio. I am one half of Triac, a techno-trance musical project which debuted back in 2000 and was started in 1999 along with my friend Michael Reznik.\nVisit https://bio.site/triac to listen to our music and find links to all streaming platforms.\nThanks for stopping by!\n","date":"7 August 2008","externalUrl":null,"permalink":"/about/","section":"Pages","summary":"","title":"About","type":"pages"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":"","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"}]