Friday, December 30, 2011

Multiple SendOnBehalfTo in EMS

If you use the Exchange Management Shell to define the SendOnBehalfTo property of an Exchange 2010 mailbox then the user that you provide overwrites any existing users with SendOnBehalfTo permission. This happens because the list of users is stored as an array. When you provide a single user, you overwrite that list with the single user. Instead, you need to add a user.

This is not the most concise way to do it. I just find it understandable this way.

#Get current list of users (wrapped in @() so a mailbox with no delegates yet gives an empty array instead of $null)
$mailbox=Get-Mailbox -Identity "HelpDesk"
$SendList=@($mailbox.GrantSendOnBehalfTo)

#Add to list of users
$newperson=Get-User -Identity "NewPerson"
$SendList=$SendList + $newperson

#Set new list (the whole array, existing delegates plus the new one, replaces the old array)
Set-Mailbox -Identity "HelpDesk" -GrantSendOnBehalfTo $SendList

For more details about why this works, see my posting on adding additional managers to a distribution group at http://byronwright.blogspot.com/2011/08/adding-additional-distribution-group.html. It uses a similar process to modify the list of managers.
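The same read-modify-write pattern, wrapped in reusable functions, as an added example (not code from the original post). It assumes an Exchange 2010 Management Shell session; "HelpDesk" and "NewPerson" are placeholder identities, and Add-SendOnBehalf, Remove-SendOnBehalf and Get-SendOnBehalfReport are names chosen here. Beyond the post's one-liner, it makes the add idempotent (re-running it does not append the same delegate twice), shows the matching remove that keeps the other delegates intact, and lists every mailbox that has delegates so the permissions can be reviewed.

```powershell
# Added example, not from the original post. Assumes an Exchange 2010 EMS session.
function Add-SendOnBehalf {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string]$User
    )
    $mbx = Get-Mailbox -Identity $Mailbox
    $usr = Get-User -Identity $User
    # Start from the current list so existing delegates survive; @() turns an
    # empty ($null) list on a mailbox with no delegates into an empty array.
    $list = @($mbx.GrantSendOnBehalfTo)

    # GrantSendOnBehalfTo holds ADObjectId entries; compare on DistinguishedName
    # so that running this twice does not add the same delegate twice.
    $already = $list | Where-Object { $_.DistinguishedName -eq $usr.DistinguishedName }
    if ($already) {
        Write-Host "$User already has send-on-behalf rights on $Mailbox; nothing to do."
        return
    }
    Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo ($list + $usr)
}

function Remove-SendOnBehalf {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,
        [Parameter(Mandatory=$true)][string]$User
    )
    $mbx  = Get-Mailbox -Identity $Mailbox
    $usr  = Get-User -Identity $User
    # Keep everyone except the user being removed.
    $keep = @($mbx.GrantSendOnBehalfTo | Where-Object { $_.DistinguishedName -ne $usr.DistinguishedName })
    # An empty array cannot be bound to the parameter; $null clears the list.
    if ($keep.Count -eq 0) { $keep = $null }
    Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo $keep
}

# One row per (mailbox, delegate) pair, for a periodic review of who can send
# on whose behalf. Useful because these rights are easy to grant and forget.
function Get-SendOnBehalfReport {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.GrantSendOnBehalfTo.Count -gt 0 } |
        ForEach-Object {
            $alias = $_.Alias
            foreach ($d in $_.GrantSendOnBehalfTo) {
                New-Object PSObject -Property @{ Mailbox = $alias; Delegate = $d.Name }
            }
        }
}

# Usage (placeholder identities):
Add-SendOnBehalf -Mailbox "HelpDesk" -User "NewPerson"
Get-SendOnBehalfReport | Sort-Object Mailbox | Format-Table Mailbox, Delegate -AutoSize
```

The report is the part worth scheduling: send-on-behalf rights let one person send mail that is visibly "on behalf of" another, so the list of delegates on shared and executive mailboxes should be reviewed as regularly as any other delegated permission.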

Thursday, December 15, 2011

Messages Stuck in Submission Queue

Today we got a call from a client that messages were stuck in the Submission queue on an Exchange 2010 server with all roles. There were no specific error messages in the Application log.

A little bit of searching indicated that this can be caused by locally installed anti-virus/anti-spam software that has hooks into the transport service. So, we disabled GFI MailEssentials on the server and mail began to flow. When we re-enabled it, mail stopped immediately.

The client is now contacting GFI, but my best guess is that it is a bad update that got pushed out. We've seen similar things with other anti-virus products in the past. It will probably be fixed in the next update.

Wednesday, December 7, 2011

Exchange 2010 SP2 Released

Yesterday Microsoft released service pack 2 for Exchange 2010. I haven't had time to go through the details yet, but you can check it out on the Exchange team blog.
Due to the problems with rollup updates earlier this year (two of them were pulled and updated), I'd wait at least a month before considering implementation of SP2.

Update: Summary of New Features
Things I think will be useful to me:
  • Disable auto-mapping for mailboxes with full access. Auto-mapping automatically opens any mailbox to which you have full access when using Outlook 2010 (or 2007 with updates) and Exchange 2010 SP1. This is great if there are only a few shared mailboxes. There is a workaround that stops this by editing an attribute with ADSIEdit, but that is a bit clunky. Now there is an option to disable auto-mapping when using the Add-MailboxPermission cmdlet.
  • Mini-version of Outlook Web App. I haven't tested this yet, but I'm hoping this actually works on my older BlackBerry device with a browser that isn't so good.
Things that I don't think will be very important for me:
  • Ability to disable or remove a mailbox with litigation hold enabled.
  • New multi-valued custom attributes for groups, contacts, mailboxes, and public folders.
  • Easier configuration of mailbox replication between forests
  • Address book policies to define the address lists presented to a user (including GAL)
  • Silent redirection to an alternate location for Outlook Web App
  • Simplified hybrid configuration wizard. This is useful when integrating with Office 365. I just reviewed the documentation for the pre-SP2 wizard and this appears much improved.
For more detailed information about new features see:

Thursday, December 1, 2011

Setting Message Size Limits in Exchange 2010

Exchange 2010 has multiple levels where you can configure message size limits. You need to be aware of where they are located to ensure they provide the message delivery infrastructure you want.

The most common places that you configure message sizes are:
  • User. The maximum send and receive sizes that you configure for a user override the settings configured at the other levels. This allows you to create exceptions for specific users that are larger or smaller. Configure these in the Mail Flow Settings tab of the user.
  • Organization. This controls the maximum send and receive message sizes used by all Hub Transport servers in the organization. The default size is 10 MB. Configure in Organization Configuration > Hub Transport > Global Settings > Transport Settings > General tab.
  • Receive connector. Each Hub Transport server has receive connectors with a default maximum receive message size. This should match the setting for the organization unless you want a specific connector to be more restrictive than the organization. Modify on the General tab of the receive connector.
  • Send connector. Send connectors are used primarily for message delivery to external systems, including the Internet. This setting should match the setting for the organization unless you want a specific connector to be more restrictive than the organization. Modify on the General tab of the send connector.

For more detailed information about message size limits in Exchange 2010 see Understanding Message Size Limits in the Exchange 2010 SP1 help at http://technet.microsoft.com/en-us/library/bb124345.aspx.
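A script that reads all four levels listed above and flags the mismatches the post warns about, as an added example (not code from the original post). It assumes an Exchange 2010 Management Shell session; the cmdlets (Get-TransportConfig, Get-ReceiveConnector, Get-SendConnector, Get-Mailbox) and the properties read are the standard ones, while ConvertTo-Bytes, New-Row and Get-MessageSizeReport are names chosen here. The converter handles both the Unlimited<ByteQuantifiedSize> values (organization, send connector, mailbox) and the plain ByteQuantifiedSize on receive connectors.

```powershell
# Added example, not from the original post. Assumes an Exchange 2010 EMS session.

# Normalize a size value to bytes; $null means "unlimited" or not set.
function ConvertTo-Bytes($size) {
    if ($size -eq $null) { return $null }
    # Unlimited<ByteQuantifiedSize> exposes IsUnlimited/Value; a plain
    # ByteQuantifiedSize exposes ToBytes() directly.
    if ($size.PSObject.Properties['IsUnlimited']) {
        if ($size.IsUnlimited) { return $null }
        return $size.Value.ToBytes()
    }
    return $size.ToBytes()
}

function New-Row($Level, $Name, $Send, $Receive, $Note) {
    New-Object PSObject -Property @{ Level = $Level; Name = $Name; Send = $Send; Receive = $Receive; Note = $Note }
}

function Get-MessageSizeReport {
    $cfg     = Get-TransportConfig
    $orgSend = ConvertTo-Bytes $cfg.MaxSendSize
    $orgRecv = ConvertTo-Bytes $cfg.MaxReceiveSize
    $rows = @()
    $rows += New-Row 'Organization' '(global)' $cfg.MaxSendSize $cfg.MaxReceiveSize ''

    # Receive connectors: a limit above the org receive limit buys nothing, because the
    # smaller of the applicable limits is what a message is actually checked against.
    foreach ($rc in Get-ReceiveConnector) {
        $b = ConvertTo-Bytes $rc.MaxMessageSize
        $note = ''
        if ($orgRecv -ne $null -and ($b -eq $null -or $b -gt $orgRecv)) { $note = 'exceeds org receive limit' }
        $rows += New-Row 'ReceiveConnector' $rc.Identity '' $rc.MaxMessageSize $note
    }

    # Send connectors: same rule against the org send limit.
    foreach ($sc in Get-SendConnector) {
        $b = ConvertTo-Bytes $sc.MaxMessageSize
        $note = ''
        if ($orgSend -ne $null -and ($b -eq $null -or $b -gt $orgSend)) { $note = 'exceeds org send limit' }
        $rows += New-Row 'SendConnector' $sc.Identity $sc.MaxMessageSize '' $note
    }

    # Mailboxes: the default "unlimited" means "use the org limit", so only list
    # mailboxes with an explicit per-user value; those are the exceptions to review.
    foreach ($m in Get-Mailbox -ResultSize Unlimited) {
        $s = ConvertTo-Bytes $m.MaxSendSize
        $r = ConvertTo-Bytes $m.MaxReceiveSize
        if ($s -eq $null -and $r -eq $null) { continue }
        $rows += New-Row 'User' $m.Alias $m.MaxSendSize $m.MaxReceiveSize 'per-user exception (overrides org limit)'
    }
    return $rows
}

Get-MessageSizeReport | Select-Object Level, Name, Send, Receive, Note | Format-Table -AutoSize
```

Run it before and after changing any one level: the "exceeds" notes show where a connector setting has drifted away from the organization limit, and the User rows are the list of exceptions that someone should be able to justify.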

Tuesday, November 29, 2011

Offer Remote Assistance

We do a lot of remote support for clients and the ability to see what the user sees is essential when troubleshooting. There are a few third-party tools out there that allow remote control, such as Mikogo and TeamViewer, but most of these have a cost associated with them for commercial use.

If you have remote access to a Windows server, you can use that server to connect to users within the site. The standard Remote Desktop works great for you to log on, but does not allow you to collaborate with the user. For that you need Windows Remote Assistance. Windows Remote Assistance allows you to connect to a remote computer while the user is logged on and see exactly what they see. You can also take control if the user lets you.

In Windows Server 2008 R2, you need to install the Remote Assistance feature. In SBS 2011, it is automatically installed. After it is installed, you can run it from the Start menu or by running msra.exe. I tend to use the command line. The options in the graphic below are for Windows Server 2008 R2.

Depending on the version of Windows that you are running, the graphical interface offers different options. Most of the same options are there between versions. Here are the ways you can use it:
  • User initiated - Invitation file. This method requires the user to create an invitation from Remote Assistance on their computer and then deliver it to you, typically via email. This is generally too complex for users to understand.
  • Helper initiated - Offer remote assistance. This method requires you to enter the IP address of the remote computer. It is also dependent on DCOM. Make sure that the firewall of the remote computer is configured correctly. SBS creates a Group Policy that opens up these ports. In a non-SBS environment, you'll need to do that manually. This is the option we use most often because the user does not need to initiate it.
  • User initiated - Easy Connect. This method generates a password when the user makes the request. The helper enters this password to access the system. Unlike the above options, this method works over the Internet. However, it requires the firewalls on both sides to support Peer Name Resolution Protocol. This method also requires Windows 7 on both computers. Test your router support by using the Internet Connectivity Evaluation Tool at http://www.microsoft.com/windows/using/tools/igd/default.mspx.
Additional Remote Assistance information, including firewall configuration:
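A pre-flight check for the "Offer remote assistance" method, as an added example (not code from the original post). It assumes the helper runs it from a Windows Server 2008 R2 or Windows 7 machine with administrative rights on the target, and that the Remote Registry service is running on the target so the Remote Assistance setting can be read; 'TargetPC' is a placeholder name, and Test-RemoteAssistanceTarget and Start-OfferRemoteAssistance are names chosen here. The msra.exe /offerRA switch, the firewall rule group "Remote Assistance", and the fAllowToGetHelp / fAllowFullControl values under the Remote Assistance key are real, but the check is ours. The offer still has to be accepted by the user at the other end; the script only confirms that the DCOM dependency the post mentions is actually satisfied before you try.

```powershell
# Added example, not from the original post.
function Test-RemoteAssistanceTarget {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $result = New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        Pingable           = $false
        DcomPortOpen       = $false
        RaEnabled          = $null   # $null = could not determine
        FullControlAllowed = $null
    }
    $result.Pingable = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    # Offer RA is built on DCOM, so the RPC endpoint mapper (TCP 135) must be reachable.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($ComputerName, 135); $result.DcomPortOpen = $tcp.Connected } catch { } finally { $tcp.Close() }

    # fAllowToGetHelp = 1 means Remote Assistance is enabled on the target;
    # fAllowFullControl governs whether the helper may take control.
    # (A Group Policy setting, if present, lives under
    # Software\Policies\Microsoft\Windows NT\Terminal Services and wins over this key.)
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Remote Assistance')
        if ($key) {
            $result.RaEnabled          = ($key.GetValue('fAllowToGetHelp') -eq 1)
            $result.FullControlAllowed = ($key.GetValue('fAllowFullControl') -eq 1)
            $key.Close()
        }
        $hklm.Close()
    } catch {
        Write-Warning "Could not read the remote registry on $ComputerName : $_"
    }
    return $result
}

function Start-OfferRemoteAssistance {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $check = Test-RemoteAssistanceTarget -ComputerName $ComputerName
    if (-not $check.Pingable -or -not $check.DcomPortOpen) {
        throw ("Cannot reach $ComputerName over DCOM. On the target (non-SBS), enable the built-in rule group: " +
               'netsh advfirewall firewall set rule group="Remote Assistance" new enable=Yes')
    }
    if ($check.RaEnabled -eq $false) {
        throw "Remote Assistance is disabled on $ComputerName (fAllowToGetHelp is not 1)."
    }
    # Starts only the helper side; the user on the target still has to accept the offer.
    Start-Process -FilePath "$env:SystemRoot\System32\msra.exe" -ArgumentList "/offerRA $ComputerName"
}

# Usage (placeholder computer name):
Test-RemoteAssistanceTarget -ComputerName 'TargetPC' | Format-List
Start-OfferRemoteAssistance -ComputerName 'TargetPC'
```

Keeping the checks separate from the launch means a failed connection tells you which dependency is missing (network, firewall, or the Remote Assistance setting itself) instead of leaving you with the generic error msra.exe shows.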

Thursday, November 24, 2011

Corrupt OST File, Don't Repair It!

I recently had my personal system freeze up on me and I shut it down hard with the power button. When I restarted the system, Outlook complained about a corrupt OST file and recommended using the inbox repair tool to fix it. Silly me, I followed instructions. The end result was 1.5 hours of waiting and a still corrupted 7 GB OST file that wouldn't open.

An OST file is a local cache of your mailbox. It is redundant data that is already held on the server. It is not worth your time to fix it unless your connectivity to the server is very slow, which may be relevant for remote users. I, on the other hand, can reach over and touch the server in my office.

After the failed OST repair, I got smart and removed the corrupted OST file. When I started Outlook, it recreated the missing OST file and synced everything to my desktop. Total time to resync was less than 30 minutes. Much faster than the repair attempt.

Your only potential risk in deleting the OST file is a small chance that there is a message in the Outbox that has not yet been synced to the server. This message would be lost.

For reference the OST file is located in: C:\Users\username\AppData\Local\Microsoft\Outlook

Wednesday, November 23, 2011

Exchange Management Console Won't Close

If you have installed IE 9 on your Exchange 2010 server (possibly also Exchange 2007) then you may get an error when you attempt to close the Exchange Management Console. The error is dependent on what you've looked at in EMC while you had it open. The error is:
You must close all dialog boxes before you can close Exchange Management Console
This error appears even though you don't have any dialog boxes open. It has also been reported in some other management tools. A fix has finally been released.

Tuesday, November 22, 2011

iDRAC Problem on Dell Server

We've started ordering iDRAC Enterprise cards for all of our new servers. We do a lot of remote support for clients, and these cards give us complete remote control for the server via a dedicated network interface. With this, we can control all of the BIOS level stuff that we used to go onsite for. When some clients are an hour or two away, this saves a ton of time for us and clients.

Yesterday, I got a new server in and the iDRAC was behaving oddly. When I plugged in the network cable to the iDRAC network interface, the link light came on and it blinked for packets as it should. However, I couldn't connect to the default IP addresses of the iDRAC. In the status for the iDRAC, it was configured to use the dedicated network interface but said "No Active LOM".

Thinking that this might be an issue with the card not being seated correctly, I reseated the card. After reseating the card I had no link light on the network interface at all. Then I configured it to use one of the onboard network interfaces and it worked fine. So, at this point, the problem appears to be the dedicated network interface.

I popped it open again to take a look. It turns out that the dedicated network interface for the iDRAC is a small card that plugs into the motherboard. On this server, it was loose. After reseating the dedicated network interface, all was good.

I found a couple other references on the internet to fixing this by having Dell replace the motherboard or by changing firmware on the iDRAC. This reference provides documentation in case reseating doesn't fix it for you:

Thursday, November 10, 2011

Adding 64-bit Printer Drivers to 32-bit Windows 2003

As more of our clients are adding 64-bit client computers a common concern is printer drivers with older Windows 2003 servers. The printers are installed on Windows 2003 and shared with clients. When 32-bit clients are connected to the printer, the driver from the server is downloaded to the client and installed automatically. Unfortunately, 64-bit clients cannot use the same driver and 32-bit Windows 2003 does not have an interface to add a 64-bit driver.

The solution is to use a 64-bit Windows 7 client to add the printer driver as follows:
  • Start the Print Management administrative tool (printmanagement.msc)
  • Add the Windows 2003 file server as a print server
  • Add the 64-bit driver
You can also browse to the shared printer over the network from the 64-bit client and add the 64-bit driver in the properties of the printer.

Please note that the 32-bit and 64-bit drivers need to be named the same. So, with different versions of the driver, you may have issues.

Saturday, November 5, 2011

SANs Make Me Nervous

Exchange 2010 has been optimized for inexpensive direct attached storage. The idea being that you replicate data among multiple inexpensive servers instead of introducing an expensive SAN. Many organizations are uncomfortable with this because they have bought into the idea that a SAN is much more reliable and faster than local disk ever could be.

However, SANs make me nervous because they become a single point of failure. It is not unheard of for a SAN to go down or experience performance issues. A couple of examples that students have given me over the last while:
  • A SAN firmware update (installed by the vendor while the vendor is onsite) wiped an entire SAN. Restore of all the SAN data from backup took 3 days.
  • A SAN with unreliable cache disks. This results in downtime while the cache disks are replaced and poor performance until they are replaced. This has been an ongoing issue for this SAN.
And, just for fun, disks in general can be affected by vibration, which makes sense when you think about it, but even your shouting can affect disk performance. Imagine construction vibration when piles are being set for a building next door.

Monday, October 24, 2011

Modify Windows 7 Default Profile

Many organizations are still in the process of figuring out Windows 7 deployment. One thing that can come into play with a new Windows 7 deployment is the default profile. When a user logs on to Windows 7 for the first time, their profile is created from the default profile. If the default profile is configured as you want it to be for the users, then there is no need to modify the user profile after log on. Sounds good, right?

The problem with modifying the default profile as a method of standardizing user profiles is maintenance. After desktop computers have been deployed it is very awkward to modify the default profile. The officially supported method of configuring the default profiles is:
  1. Create a blank install of Windows 7
  2. Install applications
  3. Log on as a local administrator and customize the profile
  4. Sysprep the system using an unattend.txt file with the copyprofile tag
  5. Take image of sysprepped system and deploy
Note: When you run sysprep, ensure that there is only one administrative user on the system. If there are multiple administrative users there is no way to guarantee that the correct administrative user is selected for the profile copy.
As you can see, this method is OK for new systems, but not for already deployed systems. You can manually copy files and modify files in the default profile. You can also edit the ntuser.dat registry file that is part of the default profile, but it is pretty awkward. Also, modifying the default profile does not change any existing user profiles.

The end solution is to avoid using default profiles as much as possible for configuration. Instead use Group Policy to push out as much of the configuration as you can. Group Policy can push out files, folders, and registry keys. However, you'll need to put some extra time into learning how to do it.

Here is a link to more discussion on how to do the sysprep and also how to edit the default user registry files:
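The "awkward" ntuser.dat edit from above, scripted so it is at least repeatable, as an added example (not code from the original post). It assumes an elevated PowerShell session on the deployed Windows 7 machine and the standard C:\Users\Default\NTUSER.DAT location; Set-DefaultProfileValue is a name chosen here, and the HKU\DefaultProfile mount point is arbitrary. The sample value (Explorer's HideFileExt = 0, which shows file extensions) is a real key but was chosen only as an illustration. As the post says, this affects only profiles created after the change; existing users are untouched.

```powershell
# Added example, not from the original post. Run elevated on the target machine.
function Set-DefaultProfileValue {
    param(
        [Parameter(Mandatory=$true)][string]$KeyPath,   # relative to the hive root
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)]$Value,
        [string]$Type = 'DWord',
        [string]$HiveFile = "$env:SystemDrive\Users\Default\NTUSER.DAT"
    )
    if (-not (Test-Path $HiveFile)) { throw "Hive not found: $HiveFile" }

    # reg.exe wants the HKU\name form; the PowerShell registry provider wants HKEY_USERS.
    $mount  = 'HKU\DefaultProfile'
    $psPath = "Registry::HKEY_USERS\DefaultProfile\$KeyPath"

    & reg.exe load $mount $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed. Is the default hive already loaded, or is a user currently being created?"
    }
    try {
        if (-not (Test-Path $psPath)) { New-Item -Path $psPath -Force | Out-Null }
        New-ItemProperty -Path $psPath -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
        # Read it back so the caller can confirm what actually landed in the hive.
        return (Get-ItemProperty -Path $psPath -Name $Name).$Name
    } finally {
        # Release provider handles first, otherwise reg unload reports the hive as in use
        # and the edit stays half-applied until the next reboot.
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload $mount | Out-Null
    }
}

# Usage: make new users see file extensions (helps them spot "invoice.pdf.exe").
Set-DefaultProfileValue -KeyPath 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                        -Name 'HideFileExt' -Value 0
```

The try/finally is the important part: a hive left loaded by a script that threw halfway through blocks profile creation for the next new user on that machine, which is exactly the kind of maintenance surprise the post is warning about.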

Monday, October 17, 2011

SBS 2011 Exchange Not Installing

We have done several migrations from SBS 2003 to SBS 2011 without any significant incidents. This week we had a bit of hassle with Exchange 2010 not installing during the SBS 2011 installation. No errors were reported by any of the premigration tools.

In the Exchangesetup.log and SBSSetup.log we got the following error:
[REQUIRED] A reboot from a previous installation is pending. Please restart the system and rerun setup.
Based on some quick research, the general recommendation seems to be that you should reinstall SBS 2011 rather than trying to add Exchange 2010 after the fact. So, to recover, we restored the system state to the old SBS 2003 server (which we cleverly created just before starting the installation).

At this point, we figured that maybe there was something weird because we had selected to download and install updates as part of the install. So, for attempt number two we did not install the updates and got a different error about being unable to find a domain controller. This one turns out to be an error that can occur if you have restored system state on Windows 2003. Apparently the file replication service gets confused. And although the KB for the hotfix below appears completely unrelated it seemed to resolve the issue. See the following:

Onward with further attempts and the original error continued. More searching and there were a fair number of references to registry keys specifying the restart was required, but we checked those and they did not exist on our server. However, for your reference:
We also found a few references to automatic printer installation causing this issue. This client does have a GPO that automatically installs printers. So, we disabled that and still no fix.

We think the problem was that DHCP was not configured on the source server. This client has an IP-based phone system that provides DHCP. This was configured by the phone provider to ensure that the necessary options are pushed out to the phones. When you configure the answer file for SBS 2011 installation there is a checkbox asking you to select whether DHCP is installed on the source server. However, the documentation explicitly states that DHCP must be installed and configured on the source server.

When DHCP was installed on the SBS 2003 server, it would not run because it conflicted with the DHCP on the phone system. So, finally, SBS 2003 and the new SBS 2011 were isolated off the main network. Then installation proceeded as normal.

Just for the record, my business partner Darrin is the one who finally figured this out.

Tuesday, October 11, 2011

Resolving an External DNS Record to an Alternate IP Internally

In some cases, you'd like a single externally hosted DNS record to resolve to a different IP internally than externally. For example, you may want a hostname such as webapp.domain.com to resolve to a valid external IP when on the Internet but to an internal IP when on the internal network. The key here is that you want the same name to resolve to two different addresses depending on whether the client is internal or external.

Let's also assume that domain.com is hosted externally on Internet accessible DNS servers that are different from your internal DNS servers. For example, domain.com is hosted by GoDaddy or your ISP. So, on GoDaddy, you would have webapp.domain.com resolve to an external IP address such as 1.1.1.1.

Now, you can't create domain.com on your internal DNS servers. If you do, you'll need to manually synchronize all external DNS names to your internal DNS server. This can be quite a pain to keep track of. We have several clients where the web hosting company is in control of the externally hosted DNS and changes the Web site address without notice based on their infrastructure changing.

To resolve only webapp.domain.com differently, you create webapp.domain.com as a forward lookup zone on your internal DNS. Then create a host record for the zone itself (the zone root, not a named host within it) that resolves to the internal IP address, such as 192.168.1.100. When you are creating the record, it should look something like the graphic below.



While I'd like to say I'm the first person to think of this, I'm sure many have in the past. However, I learned this from the installation of SBS 2011 which does this by default for the remote.domain.com record that is used for accessing Exchange Web services and SharePoint.
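The same single-name zone created from the command line with dnscmd.exe (which ships with the DNS Server role on Windows Server 2008 R2), as an added example (not code from the original post). It assumes you run it on, or with administrative rights to, the internal DNS server; webapp.domain.com and 192.168.1.100 are the post's sample values, and New-SplitNameZone is a name chosen here. It adds two checks the post leaves to the reader: it refuses to create the zone if the parent zone (domain.com) is already hosted internally, since then the record simply belongs there, and it resolves the name against the server afterwards to confirm the internal address is returned.

```powershell
# Added example, not from the original post. Requires the DNS Server role tools (dnscmd.exe).
function New-SplitNameZone {
    param(
        [Parameter(Mandatory=$true)][string]$Fqdn,        # e.g. webapp.domain.com
        [Parameter(Mandatory=$true)][string]$InternalIP,  # e.g. 192.168.1.100
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $zones  = & dnscmd.exe $DnsServer /EnumZones
    $parent = $Fqdn.Substring($Fqdn.IndexOf('.') + 1)

    # If domain.com itself is already an internal zone, a single-name zone would only
    # confuse matters: add the A record to the existing zone instead.
    if ($zones -match ("^\s*" + [regex]::Escape($parent) + "\s")) {
        throw "Zone $parent is already hosted on $DnsServer; add $Fqdn as a host record there instead."
    }

    if ($zones -match ("^\s*" + [regex]::Escape($Fqdn) + "\s")) {
        Write-Host "Zone $Fqdn already exists on $DnsServer; updating its root record."
    } else {
        # AD-integrated primary zone. On a stand-alone DNS server use: /Primary /file "$Fqdn.dns"
        & dnscmd.exe $DnsServer /ZoneAdd $Fqdn /DsPrimary | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed for $Fqdn" }
    }

    # '@' is the zone root: the "blank name" host record the post's graphic shows.
    & dnscmd.exe $DnsServer /RecordAdd $Fqdn '@' A $InternalIP | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed for $Fqdn" }

    # Verify against this server specifically, not whatever resolver the client uses.
    $answer = & nslookup.exe $Fqdn $DnsServer 2>$null
    return (@($answer -match [regex]::Escape($InternalIP)).Count -gt 0)
}

# Usage with the post's sample values:
if (New-SplitNameZone -Fqdn 'webapp.domain.com' -InternalIP '192.168.1.100') {
    Write-Host 'webapp.domain.com now resolves to the internal address from this server.'
}
```

One side effect worth knowing before you use this: once webapp.domain.com is a zone of its own, the internal server is authoritative for everything beneath it, so any name like api.webapp.domain.com that exists only in the external DNS will stop resolving internally until you add it to this zone too. The trick is exactly right for a single hostname, which is the case the post describes.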