Öberg's infra<br />
I cannot hear you. There is a banana in my ear.<br />
Thomas Öberg, http://www.blogger.com/profile/06820338598356976610<br />
<br />
<h2>Windows Certificate Autoenrollment Triggers</h2>
Published 2015-04-29, updated 2015-06-05.<br />
<br />
It's been a while since my last post but today I'm back with a new post to clarify how certificate autoenrollment works in a Windows environment. To be more precise, what triggers this process and how does it work when you're using a client offline? As you know, the certificate autoenrollment feature is very handy for automatically requesting and renewing both user and machine certificates for various reasons, so sit back and read on.<br />
<br />
First off, what triggers the certificate autoenrollment? This is defined in the Task Scheduler in the following location.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-TsBnXgX2h0Y/VUDHdmJh8YI/AAAAAAAAArA/BkZOfHs4og8/s1600/Tasks%2B1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://1.bp.blogspot.com/-TsBnXgX2h0Y/VUDHdmJh8YI/AAAAAAAAArA/BkZOfHs4og8/s1600/Tasks%2B1.PNG" width="299" /></a></div>
<br />
Browsing to CertificateServicesClient, the following tasks are defined by default.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-8rOTQbNWU9M/VUDHx2-3gWI/AAAAAAAAArI/fWKcZ8Lf3oE/s1600/Tasks%2B2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="45" src="http://2.bp.blogspot.com/-8rOTQbNWU9M/VUDHx2-3gWI/AAAAAAAAArI/fWKcZ8Lf3oE/s1600/Tasks%2B2.PNG" width="400" /></a></div>
<br />
One of the tasks (UserTask-Roam) is disabled by default, so let's skip that one and have a look at the other ones. In principle, the two remaining tasks are the same. The one major thing that sets them apart is the account they are executed under. As the name suggests, SystemTask is executed with the System account and UserTask is executed with the currently logged-on user account. So, what triggers these tasks to execute?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-JTfvyV8V44M/VUDJ2K8jdjI/AAAAAAAAArU/DkowMAG_0xU/s1600/Tasks%2B3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="http://2.bp.blogspot.com/-JTfvyV8V44M/VUDJ2K8jdjI/AAAAAAAAArU/DkowMAG_0xU/s1600/Tasks%2B3.PNG" width="400" /></a></div>
<br />
As can be seen, there are three triggers configured for these tasks.<br />
<ol>
<li>On an event</li>
<li>At task creation/modification</li>
<li>At startup/At logon</li>
</ol>
Ignoring the second trigger, as it's quite obvious when that one fires, let's have a look at the third one. As it suggests, it executes at startup for the SystemTask and at logon for the UserTask and then repeats every 8 hours. This seems straightforward, but aren't we all told that updating group policies also triggers a certificate autoenrollment? This is where the first trigger comes into play.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-nB02okWebrw/VUDLsfY0QwI/AAAAAAAAArg/3A4AYl0sDlk/s1600/Tasks%2B4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://3.bp.blogspot.com/-nB02okWebrw/VUDLsfY0QwI/AAAAAAAAArg/3A4AYl0sDlk/s1600/Tasks%2B4.PNG" width="400" /></a></div>
<br />
As soon as event id 1503 from the source GroupPolicy is raised in the System eventlog, it will trigger the certificate autoenrollment. This is true for both user certificates (UserTask) and machine certificates (SystemTask). So when is this event raised? Normally, it is raised at startup, user login and every 90 minutes with a 30 minute offset (i.e. 90 +/- 30 minutes). Filtering the system log for event id 1503 shows that this event is raised quite often.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-bQ3D4VfZvK4/VUDNagBIfsI/AAAAAAAAArs/agsO-_qftqU/s1600/Tasks%2B5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="http://3.bp.blogspot.com/-bQ3D4VfZvK4/VUDNagBIfsI/AAAAAAAAArs/agsO-_qftqU/s1600/Tasks%2B5.PNG" width="400" /></a></div>
<br />
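To see the trigger chain above on a real client, here is an added PowerShell audit script (not from the original post) that lists the CertificateServicesClient tasks with their triggers and last run, and counts the GroupPolicy 1503 events in the System log over the last 24 hours. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and that the "GroupPolicy" source shown in Event Viewer corresponds to the ETW provider name Microsoft-Windows-GroupPolicy.

```powershell
# Added audit script, not code from the original post.
# Assumes: ScheduledTasks module available, and the event source 'GroupPolicy'
# is the provider 'Microsoft-Windows-GroupPolicy' when queried with Get-WinEvent.

$taskPath = '\Microsoft\Windows\CertificateServicesClient\'

function Get-AutoenrollTriggerSummary {
    # One row per (task, trigger): what kind of trigger it is and what it keys on.
    foreach ($task in Get-ScheduledTask -TaskPath $taskPath) {
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $taskPath
        foreach ($trigger in $task.Triggers) {
            # CIM class names look like MSFT_TaskEventTrigger, MSFT_TaskBootTrigger, ...
            $kind = $trigger.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
            $detail = ''
            if ($kind -eq 'Event') {
                # The subscription is an XPath query over the event log; pull out the EventID it waits for.
                if ($trigger.Subscription -match 'EventID=(\d+)') { $detail = "EventID $($Matches[1])" }
            } elseif ($trigger.Repetition.Interval) {
                # ISO 8601 duration, e.g. PT8H for the 8-hour repeat described in the post.
                $detail = "repeats every $($trigger.Repetition.Interval)"
            }
            [pscustomobject]@{
                Task        = $task.TaskName
                State       = $task.State
                TriggerType = $kind
                Detail      = $detail
                LastRun     = $info.LastRunTime
                LastResult  = $info.LastTaskResult
            }
        }
    }
}

function Get-RecentGroupPolicy1503 {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'   # assumption: ETW name behind the 'GroupPolicy' source
        Id           = 1503
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports an error, not an empty result, when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

Get-AutoenrollTriggerSummary | Format-Table -AutoSize
$events = @(Get-RecentGroupPolicy1503 -Hours 24)
"$($events.Count) GroupPolicy 1503 event(s) in the last 24 hours"
$events | Format-Table -AutoSize
```

Run it in an elevated session if you want the SystemTask rows as well as the UserTask ones.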
So, what's the use of this information? Well, let's say you have a number of users who rarely come into the office and you don't use DirectAccess (why wouldn't you?) but another third-party VPN provider that uses certificates as a secondary factor for authentication. Are the certificates being processed for autoenrollment? That depends on how long the users stay connected to the VPN. An easy method for making sure that the certificates stay fresh is to execute something when the user connects to the VPN service that triggers the certificate autoenrollment. How about the command "gpupdate /force /wait:0"? Yes, adding the switch /force will indeed raise the event 1503 which in turn will trigger certificate autoenrollment. Brilliant!<br />
<br />
<h2>Fuzzy Windows 8.1</h2>
Published 2013-10-14.<br />
<br />
I just upgraded to Windows 8.1 and noticed that all of my applications got fuzzy. Apparently, Windows has discovered that my display has a "very high resolution" (1920x1080) and tries to make everything better by scaling the fonts to a point where they get fuzzy. This was driving me mad as I thought my contact lenses were the cause. What resolved it for me was to disable scaling for each application.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-nc8Y5XHe0IE/Ulu38nEpHQI/AAAAAAAAAN8/wttYhn-EWog/s1600/Fuzzy.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-nc8Y5XHe0IE/Ulu38nEpHQI/AAAAAAAAAN8/wttYhn-EWog/s1600/Fuzzy.PNG" height="320" width="278" /></a></div>
<br />
<h2>How to configure EAP-TLS</h2>
Published 2013-10-09.<br />
<br />
Far too many times have I come across a wireless environment where it has been said that the authentication method in use is none other than EAP-TLS. This is good, as EAP-TLS is not only the most secure method but also the easiest method from a user perspective, a rare combination in this day and age. Still, when looking over the configuration, it appears that most environments are using PEAP-MSCHAP v2, which isn't EAP-TLS at all. How can this be? Perhaps because PEAP-MSCHAP v2 is the default. So, how does one configure EAP-TLS, then?<br />
<br />
There are a number of requirements for this particular authentication method. The most apparent one is an existing PKI environment. With that in place, it's time to move on to the Network Policy Server, or RADIUS server if you will. The first step is to request a certificate from the Enterprise CA based on the RAS and IAS Server certificate template. This one is important, as this certificate will be used by the clients not only to secure the connection but also to identify the current wireless environment. The next step is to fire up the NPS console and configure EAP-TLS.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-qrAmG31Qg9s/UlWsMxigzpI/AAAAAAAAANA/v_OeCYQ0gc8/s1600/EAP-TLS+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-qrAmG31Qg9s/UlWsMxigzpI/AAAAAAAAANA/v_OeCYQ0gc8/s1600/EAP-TLS+1.PNG" height="225" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Using the standard configuration, select to configure a RADIUS server for 802.1X Wireless or Wired Connections.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-D4Td9S1MGwg/UlWsmGcpjdI/AAAAAAAAANI/GYYrqH_WHlw/s1600/EAP-TLS+2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-D4Td9S1MGwg/UlWsmGcpjdI/AAAAAAAAANI/GYYrqH_WHlw/s1600/EAP-TLS+2.PNG" height="150" width="400" /></a></div>
<br />
In the following window, select Secure Wireless Connections and give it an appropriate name. The next step is to select a RADIUS client. This will be your preferred wireless access controller or the access point itself, it depends on the vendor. The only thing you'll need here is the IP Address of the device and the shared secret and you'll be all set. The next step in the wizard is to select the authentication method.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Cj3uk85Mx5Q/UlWs415AJoI/AAAAAAAAANQ/6DEe5GA0qFs/s1600/EAP-TLS+3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-Cj3uk85Mx5Q/UlWs415AJoI/AAAAAAAAANQ/6DEe5GA0qFs/s1600/EAP-TLS+3.PNG" height="55" width="400" /></a></div>
<br />
EAP-TLS is "Microsoft: Smart Card or other certificate" and nothing else. Don't be fooled by the name, as it may be confusing. Select it and configure the previously requested certificate based on the RAS and IAS Server certificate template. Next, you'll have the option to limit devices or users based on group membership, but this isn't required. Go ahead and finish the wizard using default values and move on to configure the details of this newly created network policy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Xll-TrWZpOE/UlWvcaEN3qI/AAAAAAAAANc/HdhoAKa176I/s1600/EAP-TLS+4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-Xll-TrWZpOE/UlWvcaEN3qI/AAAAAAAAANc/HdhoAKa176I/s1600/EAP-TLS+4.PNG" height="80" width="400" /></a></div>
<br />
In the properties of the network policy, head on over to Constraints and remove all other less secure authentication methods.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ntNXWGMXCro/UlWwATS8JSI/AAAAAAAAANk/FkUOg6caLQQ/s1600/EAP-TLS+5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-ntNXWGMXCro/UlWwATS8JSI/AAAAAAAAANk/FkUOg6caLQQ/s1600/EAP-TLS+5.PNG" height="210" width="320" /></a></div>
<br />
The next step is to remove all encryption methods other than the strongest one in the Settings pane.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-JB3wiEzRQBc/UlWwcyD5jEI/AAAAAAAAANs/He05yKF7qZg/s1600/EAP-TLS+6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-JB3wiEzRQBc/UlWwcyD5jEI/AAAAAAAAANs/He05yKF7qZg/s1600/EAP-TLS+6.PNG" height="74" width="320" /></a></div>
<br />
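As an added check (not part of the original post), this PowerShell snippet verifies on the NPS server that a certificate from the RAS and IAS Server template is present in the machine store with the properties EAP-TLS depends on: a private key, the Server Authentication EKU and enough remaining validity. It assumes the certificate template extension formats to text containing the template name, which holds for certificates issued by an Enterprise CA to a domain member; the -TemplateName and -MinDaysValid parameters are mine.

```powershell
# Added check, not code from the original post. Run on the NPS server.
# Assumption: the template extension (OID 1.3.6.1.4.1.311.20.2 or .21.7) formats
# to text that includes the template display name.

function Test-RasIasServerCertificate {
    param(
        [string]$TemplateName = 'RAS and IAS Server',
        [int]$MinDaysValid = 30
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'                               # Server Authentication EKU
    $templateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'    # template name / template info
    $now = Get-Date

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $templateText = ($cert.Extensions |
            Where-Object { $_.Oid.Value -in $templateOids } |
            ForEach-Object { $_.Format($false) }) -join ' '
        if ($templateText -notmatch [regex]::Escape($TemplateName)) { continue }

        $hasServerAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        $problems = @()
        if (-not $cert.HasPrivateKey)    { $problems += 'no private key' }
        if (-not $hasServerAuth)         { $problems += 'missing Server Authentication EKU' }
        if ($daysLeft -lt $MinDaysValid) { $problems += "expires in $daysLeft day(s)" }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

$result = @(Test-RasIasServerCertificate)
if ($result.Count -eq 0) {
    Write-Warning 'No certificate from the RAS and IAS Server template found in LocalMachine\My.'
} else {
    $result | Format-Table -AutoSize
}
```

A certificate that shows Usable = False is exactly the one the NPS wizard will either refuse to offer or that clients will reject when validating the server.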
There you have it. Devices and users now have the option of using a certificate for identification when connecting to the wireless network. There are many more options to configure, but this will suffice for a basic, secure wireless network using EAP-TLS. Enjoy!<br />
<br />
<h2>Error moving mailbox from Office 365</h2>
Published 2013-09-13.<br />
<br />
In a Hybrid Exchange environment (On-Premises and Office 365) one might stumble upon problems moving mailboxes from Office 365 to On-Premises, known as offboarding, with the following error message.<br />
<blockquote class="tr_bq">
<span style="color: red;">Cannot find a recipient that has mailbox GUID &lt;many numbers&gt;</span></blockquote>
The reason for this error is that the mailbox has been created in Office 365 and lacks the proper attributes in the On-Premises environment. So, connect to Office 365 using PowerShell and run the following command.<br />
<blockquote class="tr_bq">
<span style="color: #351c75; font-family: Courier New, Courier, monospace;">Get-Mailbox john.doe@domain | fl ExchangeGuid</span></blockquote>
Next, verify that the remote mailbox On-Premises is lacking the proper attribute.<br />
<blockquote class="tr_bq">
<span style="color: #351c75; font-family: Courier New, Courier, monospace;">Get-RemoteMailbox john.doe@domain | fl ExchangeGuid</span></blockquote>
You'll notice that the On-Premises attribute is nothing but zeroes. Copy and paste the attribute from Office 365 on to your On-Premises environment using the following command.<br />
<blockquote class="tr_bq">
<span style="color: #351c75; font-family: Courier New, Courier, monospace;">Get-RemoteMailbox john.doe@domain | Set-RemoteMailbox -ExchangeGuid &lt;copied from Office 365&gt;</span></blockquote>
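Here is an added PowerShell helper (not from the original post) that wraps the three commands above with the checks you want before writing an attribute: it only copies the GUID when the on-premises value is all zeroes, and refuses when the two sides already hold different non-empty GUIDs. It assumes a session to Office 365 for Get-Mailbox and an on-premises remote session imported with -Prefix OnPrem, so the on-premises cmdlets appear as Get-OnPremRemoteMailbox and Set-OnPremRemoteMailbox; that prefix is an assumption, adjust it to your own session.

```powershell
# Added helper, not code from the original post.
# Assumptions: Get-Mailbox resolves against Office 365 in this session, and the
# on-premises Exchange session was imported with 'Import-PSSession -Prefix OnPrem'.

function Sync-RemoteMailboxGuid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Identity
    )
    process {
        $cloudGuid = (Get-Mailbox -Identity $Identity).ExchangeGuid
        $onPrem    = Get-OnPremRemoteMailbox -Identity $Identity
        $empty     = [guid]::Empty   # 00000000-0000-0000-0000-000000000000, the "nothing but zeroes" value

        if ($cloudGuid -eq $empty) {
            Write-Warning "$Identity : Office 365 returned an empty ExchangeGuid, nothing to copy."
            return
        }
        if ($onPrem.ExchangeGuid -eq $cloudGuid) {
            Write-Verbose "$Identity : already in sync ($cloudGuid)."
            return
        }
        if ($onPrem.ExchangeGuid -ne $empty) {
            # A different non-empty GUID means something else is wrong; never overwrite it blindly.
            Write-Warning "$Identity : on-premises ExchangeGuid $($onPrem.ExchangeGuid) differs from cloud value $cloudGuid; skipping."
            return
        }
        if ($PSCmdlet.ShouldProcess($Identity, "Set on-premises ExchangeGuid to $cloudGuid")) {
            # Same pipeline as the post's command, with the value taken from Office 365 directly.
            $onPrem | Set-OnPremRemoteMailbox -ExchangeGuid $cloudGuid
        }
    }
}

# Dry run first, then repeat without -WhatIf:
'john.doe@domain' | Sync-RemoteMailboxGuid -WhatIf -Verbose
```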
That's it. Moving the mailbox from Office 365 to your On-Premises environment should now work just fine. Or will it? If your On-Premises environment is published by Forefront Threat Management Gateway (TMG) 2010 you might also stumble upon the following error in your move request logs.<br />
<blockquote class="tr_bq">
<span style="color: red;">Relinquishing job because the mailbox is locked</span></blockquote>
Or the following status of the request.<br />
<blockquote class="tr_bq">
<span style="color: red;">StalledDueToMailboxLock </span></blockquote>
This might be caused by server affinity of the published web farm or it could be as simple as flooding. If you're certain that affinity is working properly, you'll have to do some work on your TMG server to fix the flooding issue. Check out the link below for detailed instructions on what to do.<br />
<blockquote class="tr_bq">
<a href="http://support.microsoft.com/kb/2654376/en-us" target="_blank">http://support.microsoft.com/kb/2654376/en-us</a></blockquote>
<h2>Installation of Remote Desktop Web Access failed</h2>
Published 2013-06-28.<br />
<br />
If, for reasons unknown to me, you stumble upon problems installing Remote Desktop Web Access on Windows Server 2012 in the shape of Error 0x800f0922, the following solution might just be your knight in shining armor. Firstly, locate any certificate bound to a site that doesn't show up in IIS with the following command...<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">netsh http show sslcert</span></blockquote>
If anything shows up, delete it with the following command for IPv4...<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">netsh http delete sslcert ipport=0.0.0.0:443</span></blockquote>
And for IPv6, the following...<br />
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace;">netsh http delete sslcert ipport=[::]:443</span></blockquote>
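To make the "doesn't show up in IIS" check concrete, here is an added PowerShell script (not from the original post) that parses netsh http show sslcert, compares each HTTP.sys binding's certificate hash with the https bindings IIS reports, and prints the delete command from above for the bindings IIS does not own instead of running it. It assumes English netsh output and the WebAdministration module (i.e. IIS is installed).

```powershell
# Added check, not code from the original post.
# Assumptions: English 'netsh http show sslcert' output; WebAdministration module present.

function Get-HttpSysSslBinding {
    # Turn the netsh text into one object per binding (IP:port or Hostname:port).
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP|Hostname):port\s*:\s*(\S+)') {
            if ($current) { $current }                       # emit the previous record
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; Hash = $null; AppId = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.Hash = $Matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.AppId = $Matches[1]
        }
    }
    if ($current) { $current }
}

function Find-StaleSslBinding {
    Import-Module WebAdministration
    # Thumbprints that IIS itself accounts for through https site bindings.
    $iisHashes = @(Get-WebBinding -Protocol https |
        ForEach-Object { "$($_.certificateHash)".ToUpper() } |
        Where-Object { $_ })

    foreach ($b in Get-HttpSysSslBinding) {
        $known = $iisHashes -contains $b.Hash
        # IPv4/IPv6 endpoints are deleted with ipport=, SNI bindings with hostnameport=.
        $key = if ($b.Endpoint -match '^(\d|\[)') { 'ipport' } else { 'hostnameport' }
        $suggested = if ($known) { '' } else { "netsh http delete sslcert $key=$($b.Endpoint)" }
        [pscustomobject]@{
            Endpoint   = $b.Endpoint
            Hash       = $b.Hash
            AppId      = $b.AppId
            KnownToIIS = $known
            Suggested  = $suggested   # shown, not executed; review before running
        }
    }
}

Find-StaleSslBinding | Format-Table -AutoSize
```

Bindings with KnownToIIS = False are the ones the post tells you to delete before retrying the role installation.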
That's it for now. Your Remote Desktop Web Access role should now install just fine.<br />
<br />
<h2>Changes in Exchange 2013</h2>
Published 2013-05-15, updated 2013-07-22.<br />
<br />
There are many changes in Exchange 2013. Some of them are major changes but most are minor. However, some changes aren't mentioned anywhere. A couple of days ago, I noticed a few changes that really don't make any sense at all. I was attempting to transition an Exchange 2003 environment to 2013. Granted, this transition isn't supported and indeed not possible in a normal sense. Still, when transitioning from one Active Directory to another, this doesn't matter as we'll be using PST-files to copy mail content.<br />
<br />
Using the trusted, old ExMerge tool, I began extracting all mailboxes below 2GB. After copying the files to the Exchange 2013 server, I then ran the command to import the PST-files to the appropriate mailboxes. Lucky for me, I decided to start with just one mailbox and see how it went. The new mailbox was of course riddled with gibberish, causing much distress to the user in question. After some research, it appears that Exchange 2013, as opposed to its predecessors, cannot handle PST-files in ANSI format. A rather strange feature to remove in my opinion.<br />
<br />
Well, it doesn't end there. Once I was able to import the PST-files after converting them to Unicode, it would appear that the localized names of the folders have been changed. For instance, instead of just using the old name "Sent", this has now been changed to "Sent objects". What was wrong with the old folder names that have been used since... Well, since forever.<br />
<br />
Still, it was worth it in the end as Exchange 2013 is just so much better than 2003.<br />
<br />
<h2>2013 went RTM</h2>
Published 2012-10-15, updated 2012-10-16.<br />
<br />
A couple of days ago, both Exchange and Lync 2013 went RTM. What kind of impact this will have on the industry is yet to be unfolded. What we do know is that Microsoft is pushing towards the cloud with a closer integration and a seemingly seamless experience (pun intended). In my book, the biggest news will have to be the offline feature of Outlook Web App in Exchange 2013 which just turns the table upside-down.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-YHT5HfhRfng/UHxc77DfYRI/AAAAAAAAAK8/az6UnsQ_uiQ/s1600/Exchange_2013.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://4.bp.blogspot.com/-YHT5HfhRfng/UHxc77DfYRI/AAAAAAAAAK8/az6UnsQ_uiQ/s200/Exchange_2013.png" width="200" /></a><a href="http://2.bp.blogspot.com/-UUS6oGfDSSc/UHxdLaAJyeI/AAAAAAAAALE/zr-nQzOtaFY/s1600/Microsoft-Lync-2013-Logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://2.bp.blogspot.com/-UUS6oGfDSSc/UHxdLaAJyeI/AAAAAAAAALE/zr-nQzOtaFY/s200/Microsoft-Lync-2013-Logo.png" width="200" /></a></div>
<br />
Oh, there's Sharepoint and Office too but I'll leave that for others to mention...<br />
<br />
<h2>Windows Server 2012 Launch</h2>
Published 2012-10-04.<br />
<br />
Just came back from the <a href="http://windowslaunch.se/">Windows Server 2012 Launch</a> at a packed Rival in Stockholm. Lots of interesting topics were covered and indeed a few surprises too. Overall, a well organized event by the people at <a href="http://www.truesec.se/">TrueSec</a>. One of the surprises was the fact that Hyper-V now has the ability to allow virtual machines to use hardware accelerated SSL offloading. Another interesting point was the power of the new PowerShell 3.0 (pun intended) which seems to open up endless opportunities with the new workflow feature. Great stuff!<br />
<br />
<h2>Direct Access Teredo Ping</h2>
Published 2012-09-26.<br />
<br />
Just noticed today that when a Direct Access client connected with Teredo is attempting to make contact with a host on the inside, it will first send an ICMP Echo request (i.e. Ping) to the host. If this fails, it will not be able to establish a connection. This could be relevant in complex environments with firewalls protecting various zones, such as the DMZ. Good to know...<br />
<br />
<h2>Microsoft extreme makeover</h2>
Published 2012-08-23.<br />
<br />
Yes, that's right. Microsoft has indeed decided to throw away the old logo and replace it with a new one. Or is it really a new logo? Does it look any better? Will it change life as we know it?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ZieLzqvfZDI/UDaJtqLdymI/AAAAAAAAAIY/4d34s-Kuj7M/s1600/Microsoft.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="85" src="http://2.bp.blogspot.com/-ZieLzqvfZDI/UDaJtqLdymI/AAAAAAAAAIY/4d34s-Kuj7M/s320/Microsoft.PNG" width="320" /></a></div>
<br />
<h2>Windows Server 2012 availability</h2>
Published 2012-08-02.<br />
<br />
I missed that the <a href="http://blogs.technet.com/b/windowsserver/archive/2012/08/01/windows-server-2012-released-to-manufacturing.aspx">Windows Server Blog</a> also informed us that Windows Server 2012 is complete (RTM) and will be available within the next couple of weeks. One could assume that both the client and server version will be available on technet the very same day. And there was much rejoicing!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-V0_T6RxZJbs/UBpUGpPaJDI/AAAAAAAAAII/r6RTSikW9cU/s1600/winsrv2012.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="57" src="http://4.bp.blogspot.com/-V0_T6RxZJbs/UBpUGpPaJDI/AAAAAAAAAII/r6RTSikW9cU/s320/winsrv2012.JPG" width="320" /></a></div>
<br />
<h2>Windows 8 availability</h2>
Published 2012-08-01.<br />
<br />
Fresh information from <a href="http://windowsteamblog.com/windows/b/bloggingwindows/archive/2012/08/01/windows-8-has-reached-the-rtm-milestone.aspx">Blogging Windows</a> tells us that Windows 8 will be available in a couple of weeks. MSDN and Technet subscribers will be first in line followed by SA customers and partners the day after. Consumers will have to wait until the last week in October. This is excellent news as I'm about to lay my paws on a new laptop which indeed will be blessed with Windows 8. I'll take that with Hyper-V, thank you!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-FgMHiujAxmw/UBmHWFI9hUI/AAAAAAAAAH4/TF1TpUDuqpE/s1600/win8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="http://3.bp.blogspot.com/-FgMHiujAxmw/UBmHWFI9hUI/AAAAAAAAAH4/TF1TpUDuqpE/s320/win8.JPG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
No official word about Server 2012, though. What's up with that?</div>
<br />
<h2>A brief look at Exchange 2013</h2>
Published 2012-07-26.<br />
<br />
I've managed to get my hands on a proper lab environment to install the preview of Exchange 2013. It is still limited, so unfortunately both roles will have to be installed on the same server, but that's no problem since this will never be a production environment.<br />
<br />
The first noticeable change is the lack of the Exchange Management Console (EMC). The only tools available are the Exchange Management Shell (EMS) and the Exchange Toolbox.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-c60WnuUxpaw/UBFM9VvPpcI/AAAAAAAAAF8/rd2hnGAmLiY/s1600/Preview+01.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-c60WnuUxpaw/UBFM9VvPpcI/AAAAAAAAAF8/rd2hnGAmLiY/s1600/Preview+01.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
There are no major changes to the Shell apart from the cmdlets, as this tool is already perfected. The items available in the Toolbox are limited to Details Templates Editor, Queue Viewer, Tracking Log Explorer and the external Remote Connectivity Analyzer.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Y0j0ncxu9M4/UBFNdbKGpQI/AAAAAAAAAGE/zgQNcjGD8_4/s1600/Preview+02.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="http://2.bp.blogspot.com/-Y0j0ncxu9M4/UBFNdbKGpQI/AAAAAAAAAGE/zgQNcjGD8_4/s320/Preview+02.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Diving into the file structure one will notice a few changes. The FrontEnd folder is new and is probably connected to the Client Access role that handles the authentication, redirection and proxy requests.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-2f8JVatwurM/UBFOAdNNZaI/AAAAAAAAAGM/9rNJt__8pHM/s1600/Preview+05.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="http://4.bp.blogspot.com/-2f8JVatwurM/UBFOAdNNZaI/AAAAAAAAAGM/9rNJt__8pHM/s320/Preview+05.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
IIS reveals the split between the Mailbox and Client Access roles and also tells us the behind-the-scenes name of the Mailbox role, namely the Exchange Back End. Also note how the listening ports have been changed on the Back End site to accommodate the dual role configuration.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-vt8YVEExDUc/UBFOgcpFMFI/AAAAAAAAAGU/XHKdva0gtlM/s1600/Preview+03.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/-vt8YVEExDUc/UBFOgcpFMFI/AAAAAAAAAGU/XHKdva0gtlM/s320/Preview+03.PNG" width="163" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-gi-pw7CH67Q/UBFPb1I43MI/AAAAAAAAAGc/UjAOSz3-Y_U/s1600/Preview+04.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="44" src="http://4.bp.blogspot.com/-gi-pw7CH67Q/UBFPb1I43MI/AAAAAAAAAGc/UjAOSz3-Y_U/s320/Preview+04.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The replacement for the EMC is called Exchange Admin Center and can be accessed with a suitable browser. Speaking of browsers, many possible combinations of OS and browsers are available but only Windows and Mac OSX are available in premium mode.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ew9a0DgcPCY/UBFQQsZsYZI/AAAAAAAAAGk/vlm-vbZ9iw0/s1600/EAC+Browsers.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="103" src="http://4.bp.blogspot.com/-ew9a0DgcPCY/UBFQQsZsYZI/AAAAAAAAAGk/vlm-vbZ9iw0/s320/EAC+Browsers.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once logged on to the EAC, a menu is displayed in a slick, clean interface. Most features from previous versions are left in place but some are moved and others are new. It's fairly easy to navigate and the general feeling is a snappy experience.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-8N0gvYFczbI/UBFRJ6y4QTI/AAAAAAAAAGs/N3BQN3LF4PY/s1600/Preview+06.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="http://1.bp.blogspot.com/-8N0gvYFczbI/UBFRJ6y4QTI/AAAAAAAAAGs/N3BQN3LF4PY/s320/Preview+06.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In the Recipients menu there are options to create and manage all types of recipients including users, groups and resources. There is also finally a way to manage shared mailboxes without going into the Shell which will please many administrators who are still not comfortable with the command line.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
One of the new features found in the Organization menu is Apps that includes Bing Maps for instance. I'm not sure what this will be used for but surely it must be awesome.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Y55-VYVXysI/UBFSf59xw4I/AAAAAAAAAG0/lv9AYlQLLSA/s1600/Preview+08.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="http://3.bp.blogspot.com/-Y55-VYVXysI/UBFSf59xw4I/AAAAAAAAAG0/lv9AYlQLLSA/s320/Preview+08.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Another new feature is the Malware settings found in the Protection menu that enables various options of how Exchange should handle detected malware. There are also options to notify users and administrators of any actions taken by Exchange.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-wPssjZTP8Hk/UBFTEq13poI/AAAAAAAAAG8/LkhkMNDLU5U/s1600/Preview+09.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="http://4.bp.blogspot.com/-wPssjZTP8Hk/UBFTEq13poI/AAAAAAAAAG8/LkhkMNDLU5U/s320/Preview+09.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Well, that's it for this brief look at what's up with Exchange 2013. Check back for more in the not so distant future.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h2>Exchange 2013 installation preview</h2>
Published 2012-07-25, updated 2012-07-26.<br />
<br />
A point of interest concerning the new version of Exchange is the change to the installation process. One of these changes is the role selection screen. Only two roles are up for grabs, the Mailbox and the Client Access role. This might seem like the old Frontend and Backend scenario but digging deeper in the documentation around these roles reveals that this is not the whole truth. The Mailbox role is more or less all previous roles from Exchange 2010 combined and the new Client Access role handles authentication, redirection and proxy requests.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-MtNF9eWk-4E/UA_vZj3O51I/AAAAAAAAAFg/XdYn0ZqdsLo/s1600/Install+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="http://4.bp.blogspot.com/-MtNF9eWk-4E/UA_vZj3O51I/AAAAAAAAAFg/XdYn0ZqdsLo/s400/Install+1.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The next change of interest is the option to include malware protection. This adds an extra layer of security, which might come as a welcome feature to most of us.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-zcEVu_zklJ8/UA_wDRsEIuI/AAAAAAAAAFo/7zZZ6vdhvF4/s1600/Install+2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://2.bp.blogspot.com/-zcEVu_zklJ8/UA_wDRsEIuI/AAAAAAAAAFo/7zZZ6vdhvF4/s400/Install+2.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Not much else has changed apart from the visual experience, but I couldn't help but notice the small but apparent logo in the bottom left of the installation window, which indicates a closer relationship with the Office team at Microsoft.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-dVDQdcfche8/UA_w2vSSp-I/AAAAAAAAAFw/P1WKB6yw29k/s1600/Install+0.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="http://3.bp.blogspot.com/-dVDQdcfche8/UA_w2vSSp-I/AAAAAAAAAFw/P1WKB6yw29k/s200/Install+0.PNG" width="200" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
One should also note that Windows Server 2012 with Exchange Server 2013 demands more resources than previous versions. This is true in the current build but might change when the product goes gold. Still, don't expect these machines to start with anything less than 4GB of memory for each server and plenty of IOPS to spare in your storage solution. My lab, consisting of a laptop with 6GB of memory and a single 5400 rpm disk, simply couldn't hack it, but your mileage may vary.</div>
<br />
<br />
Invalid canary in cookie (published 2012-07-23T16:17:00.000+02:00, updated 2012-07-24T10:58:15.990+02:00)<br />
<br />
Well, no angry birds, but it appears that there are one or two invalid canaries lurking in Exchange 2010. One might think that a stork could be useful, but apparently a canary is sufficient for this particular purpose. Go figure...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-faf2XTrA-fc/UA1bqHlgWZI/AAAAAAAAAFU/G6QJZMpH-vo/s1600/Invalid+Canary.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="47" src="http://4.bp.blogspot.com/-faf2XTrA-fc/UA1bqHlgWZI/AAAAAAAAAFU/G6QJZMpH-vo/s400/Invalid+Canary.PNG" width="400" /></a></div>
<br />
Note that this "feature" is related to SCOM and is no longer present in Service Pack 2. Some of us will miss the canaries...<br />
<br />
No habla MAPI (published 2012-06-28T14:14:00.001+02:00, updated 2012-06-28T14:14:10.942+02:00)<br />
<br />
It has been brought to my attention that Outlook 2011 for Mac doesn't speak MAPI. I noticed an extreme growth of IIS logs on a Client Access Server, and further inspection pointed towards a single Outlook 2011 for Mac user. What appeared to be a DDoS attack was in fact normal Outlook 2011 EWS usage. If this is the result of a single user, one can only imagine the size of the IIS logs when thousands of Outlook 2011 clients are connecting. The horror...<br />
<br />
Delegated mail stuck in outbox (published 2012-06-04T10:24:00.003+02:00, updated 2012-06-07T00:04:20.394+02:00)<br />
<br />
There seems to be a problem with Outlook 2010 regarding the option to send as a delegated mailbox when running in online mode. Apparently, the mail is sent, but it seems to be stuck in the Outbox folder of the main mailbox. This only happens in the following scenario.<br />
<ul>
<li>Outlook is running in online mode</li>
<li>A mail is sent from a delegated mailbox</li>
<li>The registry tweak to move sent mail to the appropriate sent items folder is activated</li>
</ul>
<div>
According to a certain Fiona Liao, this is a <a href="http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/30950dca-07a7-4fe2-ba10-1da72ff43c85">known issue within Microsoft</a> and will not be fixed until Outlook 2012. Also, the same problem seems to be present in Outlook 2011 for Mac OS X.</div>
<br />
Problems with Exchange 2010 updates (published 2012-05-25T10:36:00.000+02:00, updated 2012-05-25T23:56:30.309+02:00)<br />
<br />
In a recent post, I mentioned a problem with an endpoint mapper (RPC) after the installation of Service Pack 2 for Exchange 2010. It has come to my attention that the reason for this problem stems from a problem with the initial installation. The problem happened again in the same Exchange environment during a Rollup 2 installation, which led me to investigate the Exchange Setup logs further. In the file UpdateCAS.log the following entry was logged.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-x6Kbm35AX2M/T79CG1UeTTI/AAAAAAAAAE4/PGFu6SlpL_8/s1600/temp1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="25" src="http://4.bp.blogspot.com/-x6Kbm35AX2M/T79CG1UeTTI/AAAAAAAAAE4/PGFu6SlpL_8/s400/temp1.png" width="400" /></a></div>
<br />
The line reads "Error updating OWA/ECP: The term 'Get-ExchangeServer' is not..." which indicated a problem with the Exchange Management Shell (PowerShell) commands. After browsing around the configuration I noticed that some entries were missing from the registry compared to another Exchange server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-T4d3lRy6jgE/T79DVbgYmZI/AAAAAAAAAFA/-Ml42k7mxq4/s1600/temp2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="http://3.bp.blogspot.com/-T4d3lRy6jgE/T79DVbgYmZI/AAAAAAAAAFA/-Ml42k7mxq4/s320/temp2.png" width="320" /></a></div>
<br />
A quick fix for this problem was simply to export the PowerShellSnapIns key from a working Exchange server and import the difference into the faulty one. The question of why these keys are missing in the first place still remains unanswered. However, we're one step closer to the truth.<br />
<br />
Excessive login time in Windows 7 (published 2012-05-21T20:14:00.000+02:00, updated 2012-05-21T20:14:14.620+02:00)<br />
<br />
I recently stumbled upon a client where the login time could be classified as not of this world. For me, any login time exceeding 10 seconds is to be considered too long. I'm not talking about boot-up time but the time it takes for the desktop to appear after the username and password have been entered. After the usual investigation relating to the network, DNS and Group Policies, the problem was found in the event logs.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-BTnNJZlBR_A/T7qCzHS9JdI/AAAAAAAAAEs/nV_hSk1RDNg/s1600/Capture.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="97" src="http://2.bp.blogspot.com/-BTnNJZlBR_A/T7qCzHS9JdI/AAAAAAAAAEs/nV_hSk1RDNg/s400/Capture.PNG" width="400" /></a></div>
<br />
Say hello to nearly 4 minutes of Folder Redirection processing. As it turned out, the user had made their entire home folder available offline, which had these dramatic effects on the login time because the number of files was far too large to mention here. The solution was simply to stop making the files available offline and clear the temporary cache, which decreased the login time to a respectable 5 seconds.<br />
<br />
Certificate request from an OS X Lion client (published 2012-05-18T19:44:00.001+02:00, updated 2012-05-18T19:44:46.555+02:00)<br />
<br />
It appears that Apple has made it quite convenient to request a certificate from a Windows Certificate Authority using the <a href="http://support.apple.com/kb/HT4784">AD Certificate Payload Plugin</a>. There are a number of issues that need to be addressed, but on the whole it seems to work fine. This method actually makes it possible for the OS X client to acquire a computer certificate used for 802.1X authentication in a very slick procedure without the usual hands-on intervention by a network technician. My next quest is to develop a similar method for the not-so-domain-joined devices known as iPads/iPhones. I'm leaning towards a solution involving the old NDES/SCEP service to bring clarity and justice for all.<br />
<br />
The shell of the youth (published 2012-05-08T09:27:00.000+02:00, updated 2012-05-08T09:27:47.996+02:00)<br />
<br />
So what shell are the kids of today using? Bash? Well, not according to my 4-year-old son. Lo and behold...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-s3MbIBxJSeE/T6jKjvZmh-I/AAAAAAAAAD4/YNc4RLPHVJ4/s1600/IMAG0184.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="http://2.bp.blogspot.com/-s3MbIBxJSeE/T6jKjvZmh-I/AAAAAAAAAD4/YNc4RLPHVJ4/s320/IMAG0184.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
Yes, that's right. PowerShell is the shell of the youth and the future. At least in my part of the universe.</div>
<br />
<br />
Exchange 2010 Test-MAPIConnectivity Failure (published 2012-04-23T11:15:00.000+02:00, updated 2012-04-23T11:15:15.276+02:00)<br />
<br />
The reason the command Test-MAPIConnectivity results in a failure relating to Public Folders is likely an empty Servers container left over from an old Exchange 2003 environment. The remedy is simply to delete the empty Servers container in the old Exchange 2003 administrative group. This issue usually comes to light as an alert from Operations Manager, but it is nice to know the real source of the problem. My understanding is that a bug in the command is the real culprit here, but your guess is as good as mine.<br />
<br />
Bulk import thumbnail photos (published 2012-04-19T11:25:00.000+02:00, updated 2012-04-19T11:28:18.653+02:00)<br />
<br />
In these days of increasing messaging and collaboration using such excellent services as Exchange, Lync and SharePoint, the need to import thumbnail photos into Active Directory is in high demand. There are many options for performing this task, but I prefer the one tool that will eventually rule them all: PowerShell. Gather all user pictures and place them in a folder with the following prerequisites.<br />
<br />
<ul>
<li>The files must have names that correspond to a unique user attribute such as SamAccountName</li>
<li>The files must not exceed 10 KB in size</li>
<li>The dimensions of the pictures should be the recommended 96x96 pixels but this isn't required</li>
<li>All files must be JPEG images (*.jpg)</li>
</ul>
<br />
<div>
Once a folder meeting the above prerequisites has been established, the following script imports the photos into Active Directory.<br />
<div>
<div>
<br /></div>
<div>
<span style="color: #073763;">$Path = 'C:\Temp\ImportThumbnails\Photos'</span></div>
<div>
<span style="color: #073763;">import-module ActiveDirectory</span></div>
<div>
<span style="color: #073763;">ForEach ($File in Get-ChildItem $Path | Where-Object { $_.Extension -eq ".jpg" } )</span></div>
<div>
<span style="color: #073763;">{</span></div>
<div>
<span style="color: #073763;"> $UserName = $File.Name.substring(0, $File.Name.Length - 4)</span></div>
<div>
<span style="color: #073763;"> Write-Host $UserName -NoNewLine</span></div>
<div>
<span style="color: #073763;"> $Photo = [byte[]](Get-Content -Path $File.Fullname -Encoding byte)</span></div>
<div>
<span style="color: #073763;"> Set-ADUser $UserName -Replace @{thumbnailPhoto=$Photo}</span></div>
<div>
<span style="color: #073763;"> Write-Host " [Done]" -ForeGroundColor Green</span></div>
<div>
<span style="color: #073763;">}</span></div>
</div>
<div>
<br /></div>
<div>
Don't forget to make sure that the thumbnailPhoto attribute is replicated to the Global Catalog in the Active Directory Schema.</div>
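<div>
<br /></div>
<div>
The prerequisites above are easy to get wrong by hand, so here is an added example (my own, not the script from the original post) that validates every file in the folder against them before anything is written to Active Directory: it confirms that the file name resolves to a SamAccountName, enforces the 10 KB limit, checks the JPEG magic bytes instead of trusting the extension, warns when the dimensions are not 96x96, and only then hands the clean files to Set-ADUser, with -WhatIf left on so the import stays a dry run until you remove it. The folder path, the RSAT ActiveDirectory module and Windows PowerShell 5.1 (for Get-Content -Encoding Byte) are assumptions of mine.</div>

```powershell
# Added example, not part of the original post: pre-flight check of the photo folder
# against the four prerequisites, followed by a gated import.
# Assumes the ActiveDirectory RSAT module and Windows PowerShell 5.1
# (Get-Content -Encoding Byte; on PowerShell 7 use -AsByteStream instead).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Drawing

$Path    = 'C:\Temp\ImportThumbnails\Photos'   # constructed example path
$MaxSize = 10KB                                # PowerShell numeric suffix, 10240 bytes

function Test-ThumbnailFile {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $problems = @()
    $sam      = $File.BaseName   # file name without extension is the SamAccountName

    # Prerequisite 1: the name must resolve to an existing AD user
    $user = Get-ADUser -LDAPFilter "(sAMAccountName=$sam)"
    if (-not $user) { $problems += "no AD user with SamAccountName '$sam'" }

    # Prerequisite 2: size limit
    if ($File.Length -gt $MaxSize) {
        $problems += "size $($File.Length) bytes exceeds $MaxSize bytes"
    }

    # Prerequisite 4: the extension alone proves nothing, so also check the
    # JPEG magic bytes FF D8 FF at the start of the file
    $header = [byte[]](Get-Content -Path $File.FullName -Encoding Byte -TotalCount 3)
    $isJpeg = $File.Extension -eq '.jpg' -and $header.Length -eq 3 -and
              $header[0] -eq 0xFF -and $header[1] -eq 0xD8 -and $header[2] -eq 0xFF
    if (-not $isJpeg) {
        $problems += 'not a JPEG image'
    }
    else {
        # Prerequisite 3 is only a recommendation, so report it as a warning
        $img = [System.Drawing.Image]::FromFile($File.FullName)
        try {
            if ($img.Width -ne 96 -or $img.Height -ne 96) {
                Write-Warning "$($File.Name) is $($img.Width)x$($img.Height), recommended size is 96x96"
            }
        }
        finally { $img.Dispose() }
    }

    [pscustomobject]@{
        File     = $File.Name
        User     = $sam
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Check every file in the folder and show the verdicts
$results = Get-ChildItem -Path $Path -File | ForEach-Object { Test-ThumbnailFile -File $_ }
$results | Format-Table -AutoSize

# Only files that passed every check reach Set-ADUser; remove -WhatIf to apply
$results | Where-Object Valid | ForEach-Object {
    $photo = [byte[]](Get-Content -Path (Join-Path $Path $_.File) -Encoding Byte)
    Set-ADUser -Identity $_.User -Replace @{ thumbnailPhoto = $photo } -WhatIf
}
```

<div>
Run it once with -WhatIf to review the table of verdicts; a file that fails the JPEG check or has no matching account is skipped rather than silently producing a Set-ADUser error half way through the loop.</div>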
</div>
<br />
Active Directory Schema update (published 2012-04-10T00:22:00.001+02:00, updated 2012-04-10T00:22:44.049+02:00)<br />
<br />
Too many times have I seen people update the Active Directory schema without taking precautions. A problem during the update could lead to a catastrophic event with no way out other than a forest-wide restore. Devoting a couple of minutes to taking the safe road is always worth it. These are the simple steps required to perform a safe schema update.<br />
<br />
<ul>
<li>Make sure the current state of the Active Directory is healthy. Verify that all replication is working as expected.</li>
<li>Introduce a new virtual domain controller and make sure everything is replicated.</li>
<li>Transfer the FSMO Schema Master to the new domain controller and isolate it from the rest by running the following commands.</li>
</ul>
<blockquote class="tr_bq">
<span style="color: #38761d;">Repadmin /options &lt;DC&gt; +DISABLE_INBOUND_REPL<br />Repadmin /options &lt;DC&gt; +DISABLE_OUTBOUND_REPL</span></blockquote>
<ul>
<li>Update the schema and make sure there are no problems.</li>
<li>Enable replication by running the following commands.</li>
</ul>
<blockquote class="tr_bq">
<span style="color: #38761d;">Repadmin /options &lt;DC&gt; -DISABLE_INBOUND_REPL<br />Repadmin /options &lt;DC&gt; -DISABLE_OUTBOUND_REPL</span></blockquote>
<div>
<ul>
<li>Wait for replication, transfer the FSMO Schema Master to the original domain controller and remove the newly introduced domain controller from the Active Directory (dcpromo).</li>
</ul>
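<div>
The steps above as a script, added here as an example of mine and not something from the original post: it refuses to start while replication failures exist, moves the role, isolates the new domain controller with the two repadmin commands, and after the update compares the schema before and after, so a failed update leaves the isolated DC as the only copy and it can simply be discarded instead of being replicated out. The RSAT ActiveDirectory module, repadmin.exe on the path and the domain controller names are assumptions of mine.</div>

```powershell
# Added example, not part of the original post: the schema update procedure with
# checks between the steps. Assumes the ActiveDirectory RSAT module and repadmin.exe;
# $NewDC and $OriginalDC are constructed example names.
Import-Module ActiveDirectory

$NewDC      = 'DC-SCHEMA01'   # the freshly promoted, disposable domain controller
$OriginalDC = 'DC01'          # where the Schema Master lives today and returns afterwards

function Get-SchemaState {
    # Query a specific DC: while isolated, $NewDC is the only one that sees the change.
    # adprep bumps objectVersion; other products (Exchange, Lync) only add attributes
    # and classes, so the object count is tracked as well.
    param([Parameter(Mandatory)][string]$Server)
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    [pscustomobject]@{
        Version = (Get-ADObject -Identity $schemaNC -Server $Server -Properties objectVersion).objectVersion
        Objects = (Get-ADObject -SearchBase $schemaNC -Server $Server -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' | Measure-Object).Count
    }
}

function Assert-ReplicationHealthy {
    # Step 1: refuse to continue while any partner in the forest reports failures
    $failures = Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
    if ($failures) {
        $failures | Format-Table Server, Partner, FirstFailureTime, FailureCount -AutoSize
        throw 'Replication failures present; fix them before touching the schema.'
    }
}

function Set-DCReplication {
    # Wraps the two repadmin commands from the post: 'Off' adds the flags, 'On' removes them
    param([Parameter(Mandatory)][string]$DC,
          [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State)
    $sign = if ($State -eq 'Off') { '+' } else { '-' }
    foreach ($flag in 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL') {
        & repadmin /options $DC "$sign$flag" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "repadmin could not set $sign$flag on $DC" }
    }
    & repadmin /options $DC   # echo the resulting option list so the operator sees it took
}

Assert-ReplicationHealthy

# Step 2: the new DC is already promoted; make sure it is fully in sync before it takes the role
& repadmin /syncall $NewDC /AeP | Out-Null
if ($LASTEXITCODE -ne 0) { throw "syncall to $NewDC failed" }

# Step 3: transfer the Schema Master and cut the new DC off from everyone
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole SchemaMaster -Confirm:$false
if ((Get-ADForest).SchemaMaster -notlike "$NewDC.*") { throw 'Schema Master transfer did not take' }
Set-DCReplication -DC $NewDC -State Off
$before = Get-SchemaState -Server $NewDC

# Step 4: the update itself is product specific (adprep /forestprep, Exchange setup
# /PrepareSchema, ...) and is run by hand against $NewDC at this point
Read-Host "Schema on $NewDC: version $($before.Version), $($before.Objects) objects. Run the update now, then press Enter"
$after = Get-SchemaState -Server $NewDC

if ($after.Version -le $before.Version -and $after.Objects -le $before.Objects) {
    # Nothing reached the directory, or the update failed: keep the DC isolated.
    # Demoting or discarding it now is the rollback; the rest of the forest never saw it.
    throw "Schema on $NewDC is unchanged; leaving replication disabled for rollback"
}

# Step 5: let the change flow out and wait until the original DC has caught up
Set-DCReplication -DC $NewDC -State On
& repadmin /syncall $NewDC /AeP | Out-Null
do {
    Start-Sleep -Seconds 30
    $seen = Get-SchemaState -Server $OriginalDC
    Write-Host "$OriginalDC reports version $($seen.Version), $($seen.Objects) objects (waiting for $($after.Version)/$($after.Objects))"
} until ($seen.Version -ge $after.Version -and $seen.Objects -ge $after.Objects)

# Step 6: hand the role back; the temporary DC can then be demoted with dcpromo
Move-ADDirectoryServerOperationMasterRole -Identity $OriginalDC -OperationMasterRole SchemaMaster -Confirm:$false
```

<div>
The point of the isolation is that an update which errors out half way leaves the rest of the forest untouched, which is why the script throws rather than re-enabling replication when the schema on the isolated DC did not change as expected.</div>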
<br />
<div>
Easy as pie and totally worth it.</div>
<div>
<br /></div>
</div>
<br />
Exchange 2010 RPC issues (published 2012-03-31T10:13:00.000+02:00, updated 2012-03-31T10:13:06.296+02:00)<br />
<br />
During my latest Exchange 2010 transition, a problem related to RPC connectivity arose. Apparently, one of the Client Access servers refused to accept RPC connections on the Address Book Service UUID. This problem occurred after the Service Pack 2 installation but wasn't detected until some time later due to the nature of the problem. As some of the clients worked fine, others seemed to work fine and a few had issues with a login prompt appearing sporadically during the day, it was quite a feat to narrow down the problem to a faulty RPC endpoint connector on one of the Client Access servers. The quick resolution was to reapply Service Pack 2, but I'm sure there is a way to repair these connectors with some other method. Still, when facing issues after a Service Pack installation, reapply it a few times and things will in all likelihood turn out just great.