quarta-feira, outubro 20, 2010

Manage DNS Server (Windows 2008) from Windows XP/2003

If you can manage 2008 R2 DNS fine from RSAT on Windows 7, but accessing from DNS Management mmc on Server 2003 returns “access is denied”. If I install the 2003 R2 Admin Pack on an XP Pro PC it the symptom is the same, Access Denied.

This is expected behavior, starting with Windows Server 2008 a few years ago. RPC Integrity required by W2K8 R2 DNS Servers is not supported by the Win2000 and Win2003 versions of DNSMGMT.MSC (or DNSCMD.EXE). For the most secure experience, W2K8 R2 DNS servers should be administered from operating systems that can execute the Windows Server 2008 or later versions of DNSMGMT.MSC. So Vista RSAT, Win 7 RSAT, Win 2008, Win 2008 R2 – all running DNSMGMT.MSC.

If you wanted to de-secure your Win2008/R2 DNS servers though – obviously this is highly discouraged – you can run the following command on your Win2008 R2 DNS servers to allow down-level connectivity:

dnscmd.exe /Config /RpcAuthLevel 0

If you do this you are exposing your Win2008/Win2008 R2 DNS servers to same kind of named-pipe sniffing ‘man in the middle’ attacks that Win2003/2000 DNS administration are vulnerable to. Ideally for security, all of your DNS servers would be instead upgraded to Win2008 R2. 

To return the security to default level run: dnscmd.exe /Config /RpcAuthLevel 1

To verify the current level run: dnscmd.exe /info /RpcAuthLevel

Related site:

segunda-feira, outubro 18, 2010

How to Rebuild the Full-Text Index Catalog on DAG Environment

If you cannot search e-mails neither fom Outlook or OWA then you have problems in the database's index catalog. To fix it on a single server you can use the following article: http://technet.microsoft.com/en-us/library/aa995966(EXCHG.80).aspx

But if you have databases in a DAG you have to do something else:

1- Suspend all replica databases;
2- Follow the directions described on http://technet.microsoft.com/en-us/library/aa995966(EXCHG.80).aspx;
3- Delete the Index Catalog on Replica databases;
4- Resume the replica databases.

To check how the process is going do the following:

1- Open Reliability and Performance Monitor (perfmon.exe).
2- In the console tree, under Monitoring Tools, click Performance Monitor.
3- In the Performance Monitor pane, click Add (green plus sign).
4- In Add Counters, in the Select counters from computer list, select the server on which the mailbox database you want to monitor is located.
5- In the unlabeled box below the Select counters from computer list, select Full Crawl Mode Status in the MSExchange Search Indices performance object.
6- In the Instances of selected object box, select the instance for the user's mailbox database.
7- Click Add, and then click OK.
8- To make easier to monitor the Full Crawl Mode Status, right-click on graph screen then Properties.
9- Select Graph tab.
10- On View Combo box select Histogram bar and Maximum Vertical Scale insert 2, click OK.

When you see a bar for a database it means that the index catalog is been created (value 1), if you don't see a bar meens the indexing has finished for that database.

Related sites:

quarta-feira, setembro 01, 2010

Installing SCCM 2007 SP2 on Windows 2008 R2

If after installing SCCM 2007 SP2 on Windows 2008 R2 you get the following error on SMS_MP_CONTROL_MANAGER "SMS Site Component Manager faild to install component SMS_MP_CONTROL_MANAGER on server" you have to enable the webdav and configure it properly.

1- Open IIS Manager > Sites > Default Web Sites > WebDAV Authoring Rules;
2- Click Enable WebDAV on Action Pane;
3- Open WebDAV Settings and set the options like below:
         Allow property queries with infinite depth - TRUE
         Allow Custom Properties - FALSE
         Allow anonymous property queries - TRUE
         Click Apply;
4- On Action Pane click Add Authoring Rule dialog box, create a rule like below
         For Allow access to, select All content
         For Allow access to this content to, select All users
         For Permissions, select Read, and then click OK;
5- Restart the service SMS_SITE_COMPONENT_MANAGE

To check if SMS_MP_CONTROL_MANAGER was installed sucessfully open \Logs\mpsetup.log and look for an OK status.

Related sites:

terça-feira, junho 22, 2010

How to add a Subject Alternative Name to a secure LDAP certificate

This post describes how to add a Subject Alternative Name (SAN) to a secure Lightweight Directory Access Protocol (LDAP) certificate. The LDAP certificate is submitted to a certification authority (CA) that is configured on a Microsoft Windows Server 2003-based computer. The SAN lets you connect to a domain controller by using a Domain Name System (DNS) name other than the computer name. This article includes information about how to add SAN attributes to a certification request that is submitted to an enterprise CA, a stand-alone CA, or a third-party CA.

A step-by-step is on following site: http://support.microsoft.com/kb/931351

quinta-feira, maio 27, 2010

Disable conversation view on OWA 2010

Not like Outlook 2010 when the conversation view comes disabled by default, on OWA 2010 it comes enebled. 

To disable the way the e-mails are arranged you need just uncheck the highlighted checkbox.

DAG FSW is empty - Getting "The cluster resource could not be found" when try to manage Failover Clustering

I couldn't find way of make the DAG to recreate the files on its File Share Witness, every trying was unsuccessful.

When I tried to remove the servers from DAG to recreate it I recieved an error because the cluster couldn't find the quorum. I decided to try a not good way to solve the problem, but using the following steps I could have the DAG working fine.

1- Removed every server from DAG using Remove-DatabaseAvailabilityGroupServer -Identity -MailboxServer -ConfigurationOnly
2- Cleaned the cluster using this command to every DAG member cluster node /forcecleanup

Done, now you can delete the DAG and recreate it.

Related sources

terça-feira, abril 13, 2010

Outlook 2003 doesn't connect to Exchenge 2010

Basicly we just need to remove the encryption requirement from the RPCClientAccess runnig the following command:

Get-RPCClientAccess | Set-RPCClientAccess –EncryptionRequired $false

Source and more ways to fix it:

terça-feira, abril 06, 2010

Unable to mount Exchange 2007 database

After restoring an Exchange 2007 server from a backup to a test ESXi VM I was unable to mount the Exchange mailbox database:
Failed to mount database ‘Mailbox Store’.
Exchange is unable to mount the database that you specified. Specified database: SERVER1\First Storage Group\Mailbox Store; Error code: MapiExceptionJetErrorAttachedDatabaseMismatch: Unable to mount database. (hr=0x80004005, ec=-1216)
To fix this I used:
eseutil -p “Mailbox Store.edb” 
eseutil /r E02 /i
(in the directory that contains the database)

!The first command is said to be able to cause the loss of data. So only run this on a backup database!


terça-feira, fevereiro 02, 2010

Mailbox doesn't appear on Disconnected Mailbox after disabling it

Sometimes when you disable a mailbox you click o Disconnected Mailbox and can't see the mailbox that you've just disabled.

To see the hidden disconnected mailbox run the following cmdlet on the mailbox server that hosts the mailbox:

Clean-MailboxDatabase “Database Name”

After running the cmdlet return to EMC and refresh Disconnected Mailbox, then you'll see the mailbox there.


Using Import/Export-Mailbox on Exchange 2010

By default you cannot see the cmdlets import-mailbox either export-mailbox. To enable the Exchange Management Shell to use these cmdlets you need to run this command to allow a specific user:

New-ManagementRoleAssignment –Role “Mailbox Import Export” –User “Rodrigo”

or you can enable a group:

New-ManagementRoleAssignment –Role “Mailbox Import Export” –Group “MailboxAccessGroup”

After running one of these cmdlets restart the Exchange Management Shell to use the "hidden" cmdlets.


Related sites:


segunda-feira, janeiro 25, 2010

Exchange Server hung on "applying security policy to the system" screen after restart

This issue can be solved running [Exchange Installation Dir] setup.com /PrepareAllDomains on any server. After it finishes restart the Exchange Server again.

Increasing the number of simultaneous Remote/Local Move Request on Exchange 2010

By default Exchange 2010 just move 5 mailboxes simultaneously, it can make a migration of about 1500 mailboxes take 3 or more days.

To increase it you have to change a configuration file for Mailbox Replication Service. 

1. Open the file C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe.config;
2. Increase the blue values to a number of simultaneous active moves that you want.

    MaxRetries = "60"
    RetryDelay = "00:00:30"
    MaxMoveHistoryLength = "2" 
    MaxActiveMovesPerSourceMDB = "50"
    MaxActiveMovesPerTargetMDB = "50"
    MaxActiveMovesPerSourceServer = "50"
    MaxActiveMovesPerTargetServer = "50"
    MaxTotalMovesPerMRS = "100"
    FullScanMoveJobsPollingPeriod = "00:10:00"
    MinimumTimeBeforePickingJobsFromSameDatabase = "00:00:04"
    ServerCountsNotOlderThan = "00:10:00"
    MRSAbandonedMoveJobDetectionTime = "01:00:00"
    BackoffIntervalForProxyConnectionLimitReached = "00:30:00"
    DataGuaranteeCheckPeriod = "00:05:00"
    EnableDataGuaranteeCheck = "true"
    DisableMrsProxyCompression = "false"
    DisableMrsProxyBuffering = "false"
    MinBatchSize = "100"
    MinBatchSizeKB = "256" ;

3. Save and close the file;
4. Restart the Microsoft Exchange Mailbox Replication service.

I've used the above configuration to migrate about 1400 mailboxes (its average size was 200MB) and it took 12hs to finish, using gigabit ethernet.

terça-feira, janeiro 19, 2010

Mapi session "/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=username" exceeded the maximum of 16 objects of type "session"

Event ID 9646 is logged in the application event log of your Exchange Server 2010 computer when a client opens many MAPI sessions

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey:
3.If the
Maximum Allowed Services Sessions Per User entry does not exist, do the following:
     a. On the
Edit menu, point to New, and then click DWORD Value.
     b. Type
Maximum Allowed Services Sessions Per User as the entry name, and then press ENTER.
4. Right-click the
Maximum Allowed Services Sessions Per User entry, and then click Modify.
5. Click
Decimal, type the value that you want to set in the Value data box, and then click OK.
6. Exit Registry Editor.
7. Click
Start, click Run, type services.msc in the Open box, and then click OK.
8. Click the
MSExchange Information Store service, and then click Restart Service.

You can find a solution to earlier versions of Exchange but it doen's work on Exchange 2010. The difference is Maximum Allowed SERVICES Sessions Per User instead of Maximum Allowed Sessions Per User.

IIS 7.0 - Create a SSL Certificate for Multiple Names

Create a configuration certificate file (request.inf)

Subject = "CN=FQDN, OU=Organizational Unit, O=Company, L=City, S=State, C=Country"
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = ""

OID= ; Server Authentication

CertificateTemplate = WebServer

[Extensions] = "{text}"
_continue_ = "DNS=example.com&"
_continue_ = "DNS=www.example.com&"
_continue_ = "DNS=secure.example.com"

The process

Once you have the above information saved. Follow these steps:

1. Open a command prompt and cd to the directory where you saved request.inf.
2. Run
certreq -new request.inf request.req
3. Submiting
a. Submit the request.req file to your CA. They will process it and approve/decline it.
b. To submit the request file to your internal CA:
certreq –submit request.req
4. When they approve it they should send you back your public key in a .cer file.
5. Run
certreq -accept file-from-ca.cer (or request.req) to finish setting up the key.


How to Use Nslookup to Verify MX record configuration


Default Server: contoso.com

> set q=MX
> microsoft.com --> domain to be searched
Server: contoso.com

Non-authoritative answer:
microsoft.com MX preference = 10, mail exchanger = mail.messaging.microsoft.com

mail.messaging.microsoft.com internet address =

Remote Desktop Application - RD Tabs

Windows Remote Desktop is great, except when you have to connect to dozens of them and it fills up your taskbar! Enter RD Tabs: the ultimate tabbed Remote Desktop Client. Not only does it provide all the expected features of "tabbed" applications like FireFox, Opera, and IE7, but it takes Remote Desktop to the next level with features such as favorites with advanced editing, command line scripting, connection thumbnails, encrypted passwords, detached connection windows, remote desktop screen capture, remote terminal server information/management, RDP 6.0 support, and much more!

Download here the latest version of RD Tabs:

Exchange services do not start, and event IDs 2114 and 2112 are logged in the Application log in Exchange Server 2003 or in Exchange 2000 Server

Após instalar no domínio com DCs 2003 R2 com Exchange 2010 RTM e Exchange 2003 SP2 dois DCs 2008 R2 e remover os DCs 2003 R2 (o nível funcional continuou 2003) o Exchange 2010 não conseguia mais contactar os DCs e o serviço System Attendant do Exchange 2003 não conseguia iniciar, apresentando os seguintes erros no event viewer:

Event ID : 2114
Event Category : Topology
Event Source : MSExchangeDSAccess

Event ID : 2112
Event Category : Topology
Event Source : MSExchangeDSAccess

Solução para o Exchange 2010:

If you receive the error “An error caused a change in the current set of domain controllers” in Exchange 2010 the simple fix is to run the “Collect Organizational Health Data” option from the actions plane.


Solução para o Exchange 2003:

a. Start the Active Directory Users and Computers snap-in.

b. Right-click the Domain Controllers container, and then click Properties.

c. Click the Group Policy tab, click Default Domain Controllers Policy in the Group Policy Object Links box, and then click Edit.

d. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.

e. In the right pane, double-click Manage auditing and security log, click Add, click Browse, and then add the Exchange Enterprise Servers group.

f. In the Add user or group dialog box, click OK, and then click OK again.

g. Exit the Group Policy snap-in, and then click OK in the Domain Controllers Properties dialog box.

h. Restart the Exchange server.