Microsoft engineers and users have been exploring Windows 8 since its release, and each update for Windows 8 and Windows 8.1 has brought noticeable changes to the UI.
In 2013 (preview in June, general availability in October), Microsoft released Windows 8.1, which brought many new features and the familiar Start button with it. We covered its new features in depth back then.
Yesterday Microsoft released KB2919355, a cumulative update for Windows 8.1 and Windows RT 8.1 that includes all previously released security and non-security updates. On top of those, it adds improved Internet Explorer 11 compatibility for enterprise applications, usability improvements, extended mobile device management and improved hardware support.
What’s new in this update?
This update provides the following new features:
- Power and Search buttons on the Start screen. These buttons appear in the upper-right corner of the Start screen next to your account picture. You'll be able to quickly and easily shut down your PC or search for things right from Start.
- All open and pinned apps appear in the taskbar. If you like using the desktop, you'll see both desktop apps and apps from the Windows Store in your taskbar when they're running.
- Access the taskbar from anywhere. When you're using a mouse, you can see the taskbar from any screen, including Start or a Windows Store app.
- Go to the desktop when you sign in, instead of Start. If you spend more time in the desktop, you can sign in (boot) directly to the desktop instead of the Start screen.
- The Minimize button, Close button, and taskbar are more available with your mouse. Your mouse works more consistently anywhere in Windows. Move your mouse to the top of the screen to see the Close and Minimize buttons in any app. Move your mouse to the bottom of the screen to see the taskbar from anywhere in Windows.
- Right-click an app tile to see more options. If you're using a mouse and you right-click a tile on Start, you'll see a context menu next to the tile that shows what you can do with the tile.
- Discover apps in new ways. The Windows Store is pinned to Start and to your taskbar by default, so you can easily discover new apps. When you use the Search charm, Bing Smart Search includes apps in the suggestions and the search results.
- Remember what apps you recently installed. After you install new apps, Start includes a message in the lower-left corner of the screen, pointing you to the Apps view so you can see what you recently installed.
Those are the major features introduced with the April 2014 cumulative update for Windows 8.1. The same update also applies to Windows Server 2012 R2, where it brings the corresponding changes along with the security fixes it rolls up.
Why you should install this update
We strongly recommend that you install Windows 8.1 Update or Windows RT 8.1 Update (KB2919355). This is a critical update that is required for future updates to Windows: if you prevent it from installing or you uninstall it, you will not receive some future bug fixes, security updates and new features. In some cases, if you uninstall this update from a new PC after signing in with a Microsoft account, OneDrive might not work as expected.
Hopefully the information above helps you with this update and you enjoy these new user-friendly features. The reference links below cover how to use each feature included with the update.
- Which Windows operating system am I running?
- Install the latest Windows 8.1 Update
- What's new in Windows 8.1 Update and Windows RT 8.1 Update?
- Shut down (turn off), sleep, or hibernate your PC
- How to search
- How to use the taskbar
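As an added check (not part of the original post): from an elevated PowerShell prompt, confirm that the machine is on a version the update applies to and that KB2919355 is actually present, so you know before the next Patch Tuesday whether later updates will be offered. The remote computer name is the only assumption; by default it inspects the local machine.

```powershell
# Added example: is KB2919355 installed, and does it apply to this OS at all?
function Test-Kb2919355 {
    param([string]$ComputerName = $env:COMPUTERNAME)   # remote name is an assumption; default is the local machine

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $applies = $os.Version -like '6.3.*'   # 6.3 = Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2

    # Get-HotFix reads Win32_QuickFixEngineering, which lists installed Windows updates by KB number;
    # it writes an error when the KB is absent, so that is silenced and the result tested as a boolean.
    $hotfix = Get-HotFix -Id 'KB2919355' -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $installed = [bool]$hotfix

    $action = 'Install KB2919355; later Windows 8.1 updates require it'
    if (-not $applies) { $action = 'Not applicable to this OS version' } elseif ($installed) { $action = 'OK' }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        OSVersion    = $os.Version
        Applies      = $applies
        Installed    = $installed
        InstalledOn  = $(if ($installed) { $hotfix.InstalledOn } else { $null })
        Action       = $action
    }
}

Test-Kb2919355 | Format-List ComputerName, OSVersion, Applies, Installed, InstalledOn, Action
```

Run it against a list of computer names with `'pc1','pc2' | ForEach-Object { Test-Kb2919355 -ComputerName $_ }` to get the same report across a fleet.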
Over the weekend I was installing the January 2014 Cumulative Update for Lync Server 2010 and I ran into an interesting issue. We followed all the steps correctly and it made me wonder "why the hell am I getting this error?"
Following the process for installing a Lync Server 2010 Cumulative Update:
- We installed the update on our Lync Servers successfully.
- From an updated Lync Server 2010 Front End box, we ran the cmdlet below in the Lync Server Management Shell to update the back-end databases:
Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <EEBE.Fqdn> -UseDefaultSqlPaths
While running the above cmdlet, we got the following error for the RTCDyn database:
Error: Script failed (code "ERROR_RESTRICT_DATABASE_ACCESS") when installing "BackendStore" on "ContosoSQL.contoso.com". For details, see the following log file: "C:\Users\admin\AppData\Local\Temp\2\Create-BackendStore-ContosoSQL.contoso.com-[2014_03_22][00_23_56].log"
The Create-BackendStore log file contained these lines:
Opened database rtc
Opened database rtcdyn
Error executing alter database [rtcdyn] set restricted_user with rollback immediate
Exit code: ERROR_RESTRICT_DATABASE_ACCESS (-21)
The other databases in the update then failed as well, with this error:
Error: Script failed (code "ERROR_OPEN_DB") when installing "MonitoringStore" on "ContosoSQL.contoso.com". For details, see the following log file: "C:\Users\admin\AppData\Local\Temp\2\Create-MonitoringStore-ContosoSQL.contoso.com-[2014_03_22][00_24_33].log"
Generally this error indicates one of the following:
- The SQL Server is inaccessible. Log on to the SQL Server or open SQL Server Management Studio and ensure you can access the databases.
- You are not a member of the RTCUniversalServerAdmins group. Add your account to that group.
- You do not have enough privileges on the SQL Server to access the database. Add your account to the sysadmin role on the SQL Server.
- You are not running the Lync Server Management Shell or the cmdlet as administrator. Open the Lync Server Management Shell or PowerShell using the "Run as administrator" option.
In our case all of the above were satisfied and it didn't make sense why the database would not open properly for the upgrade if it was accessible manually using SSMS. Since the upgrade was stuck in the middle, we were in an outage scenario where Lync clients were unable to access contact lists, presence information and conferencing data. Touch wood, it was during off-business hours and the impact wasn't huge, but the clock was ticking. (And I needed to get back to my weekend as well!)
Now, the error did say that it was unable to alter the Restricted_User property for the RTCDyn database. So I ran the SQL query below using SSMS against the RTC database:
ALTER DATABASE rtc SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
ALTER DATABASE rtc SET MULTI_USER;
Once the query had altered the database successfully, I ran the back-end upgrade again using the cmdlet below, and voila, it ran successfully!
Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <EEBE.Fqdn> -UseDefaultSqlPaths
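As an added example (not from the original post): before re-running Install-CsDatabase -Update, it is worth seeing which back-end databases are not in MULTI_USER mode and how many user sessions are holding them open, and then resetting only the database the error names (the log above complains about rtcdyn). The script below does both with System.Data.SqlClient from the .NET Framework, so no SQL PowerShell module is needed. It assumes you are sysadmin on the instance; the database list is the usual Lync Server 2010 back-end set and the server name is a placeholder, so adjust both to your topology.

```powershell
# Added example: inspect and reset Lync back-end database access mode before Install-CsDatabase -Update.
function Get-LyncDatabaseState {
    param(
        [Parameter(Mandatory = $true)][string]$SqlServerFqdn,   # e.g. ContosoSQL.contoso.com (placeholder)
        [string]$Instance = '',                                   # '' = default instance
        [string[]]$Database = @('rtc', 'rtcdyn', 'rtcab', 'rtcxds', 'cpsdyn', 'rgsconfig', 'rgsdyn')  # assumed Lync 2010 set
    )
    $dataSource = if ($Instance) { "$SqlServerFqdn\$Instance" } else { $SqlServerFqdn }
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$dataSource;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        foreach ($db in $Database) {
            $cmd = $conn.CreateCommand()
            # user_access_desc is MULTI_USER, SINGLE_USER or RESTRICTED_USER. The update script issues
            # ALTER DATABASE ... SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE and reports
            # ERROR_RESTRICT_DATABASE_ACCESS when that ALTER does not complete.
            # sys.sysprocesses is used rather than sys.dm_exec_sessions.database_id so this also works
            # on SQL Server 2008/2008 R2; spid > 50 filters out system sessions.
            $cmd.CommandText = @"
SELECT d.user_access_desc, d.state_desc,
       (SELECT COUNT(*) FROM sys.sysprocesses p WHERE p.dbid = d.database_id AND p.spid > 50) AS user_sessions
FROM sys.databases d WHERE d.name = @name
"@
            [void]$cmd.Parameters.AddWithValue('@name', $db)
            $reader = $cmd.ExecuteReader()
            if ($reader.Read()) {
                New-Object PSObject -Property @{
                    Database = $db; Access = $reader['user_access_desc']; State = $reader['state_desc']; UserSessions = [int]$reader['user_sessions']
                }
            } else {
                New-Object PSObject -Property @{ Database = $db; Access = 'NOT FOUND'; State = $null; UserSessions = $null }
            }
            $reader.Close()
        }
    } finally { $conn.Close() }
}

function Reset-LyncDatabaseAccess {
    # Kicks every session out of the database (ROLLBACK IMMEDIATE aborts their transactions) and
    # returns it to MULTI_USER, which is what the SSMS query in the post does. Lync loses the
    # back end while this runs, so only do it inside the update outage window.
    param(
        [Parameter(Mandatory = $true)][string]$SqlServerFqdn,
        [Parameter(Mandatory = $true)][string]$Database,
        [string]$Instance = ''
    )
    if ($Database -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected database name '$Database'" }  # safe to embed in T-SQL
    $dataSource = if ($Instance) { "$SqlServerFqdn\$Instance" } else { $SqlServerFqdn }
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$dataSource;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        foreach ($sql in @("ALTER DATABASE [$Database] SET SINGLE_USER WITH ROLLBACK IMMEDIATE",
                           "ALTER DATABASE [$Database] SET MULTI_USER")) {
            $cmd = $conn.CreateCommand(); $cmd.CommandText = $sql; [void]$cmd.ExecuteNonQuery()
        }
    } finally { $conn.Close() }
}

# Usage (outage window): check, reset the database the error names, re-check, then re-run Install-CsDatabase -Update.
Get-LyncDatabaseState -SqlServerFqdn 'ContosoSQL.contoso.com' | Format-Table Database, Access, State, UserSessions -AutoSize
Reset-LyncDatabaseAccess -SqlServerFqdn 'ContosoSQL.contoso.com' -Database 'rtcdyn'
Get-LyncDatabaseState -SqlServerFqdn 'ContosoSQL.contoso.com' -Database 'rtc', 'rtcdyn' | Format-Table -AutoSize
```

If the first report already shows a database in SINGLE_USER or RESTRICTED_USER with sessions attached, that is the lock the update script cannot take; the reset clears it at the cost of those sessions.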
It took me some time to figure this one out; hopefully with the information above it won't take you long if you run into a similar situation.
Hope you find the above information helpful. Thanks for reading! Till next post!
March 24, 2014. Tags: Lync 2010, lync backend, lync backend update, lync server 2010, lync server 2010 update, lync server update, lync sql update, lync update, lync-server. Posted in: Lync 2013, Lync Server 2010
Recently I ran into an issue in our environment where the Lync Server Application Sharing service on one of our Front End servers crashed/stopped unexpectedly.
Issue: Lync Server Application Sharing service stopped/crashed.
While digging through our logs, we found the error below, which indicated that the service was running at its maximum capacity right before it crashed:
Log Name: Lync Server
Source: LS ApplicationSharing Conferencing Server
Date: 4/16/2014 9:50:06 AM
Event ID: 32033
Task Category: (1304)
Internal Application Sharing Server health monitoring has detected that Application Sharing Server is operating at maximum capacity.
Application Sharing Server Health State: Full
Cause: The Application Sharing Server has reached maximum capacity.
Check that the number of active conferences, number of active users, and the allocated bandwidth correspond to the expected usage model.
Cause: On further digging, we found that a conference with 270 participants was running, and the service crashed when application sharing was started in that conference.
Our environment doesn't often host meetings with such a large audience, hence we were seeing the issue for the first time.
Following the Lync virtualization best-practices guidelines, we had MaxBandwidthPerAppSharingServiceMb set to 150, whereas the default value for that parameter is 375. When the bandwidth used by this application sharing session crossed the 150 Mb limit, the Application Sharing service reached the "Full" health state and stopped with the error above.
Resolution: Since our virtual servers are designed to deliver performance similar to Lync on physical servers, we increased MaxBandwidthPerAppSharingServiceMb to 375, which sets it back to the default value for the parameter.
In your environment, set this parameter according to the performance of your Lync servers and your business/meeting requirements.
You can calculate a value for this parameter by determining the application sharing bandwidth (in Mb) used per user and multiplying it by 250, or by the maximum number of participants allowed in a single meeting within your organization.
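As an added example (not from the original post): the sizing rule above turned into a small calculation, together with the cmdlets that read and change MaxBandwidthPerAppSharingServiceMb. It runs in the Lync Server Management Shell. The per-user bandwidth figure, the 20 % headroom and the 270-participant meeting are constructed inputs, not measurements; take your own per-user figure from QoE reports before applying the result.

```powershell
# Added example: size MaxBandwidthPerAppSharingServiceMb from per-user usage and meeting size, then apply it.
function Get-AppSharingServiceBandwidthMb {
    param(
        [Parameter(Mandatory = $true)][double]$MbPerUser,      # app-sharing bandwidth per participant, in Mb (measure it)
        [Parameter(Mandatory = $true)][int]$MaxParticipants,   # largest meeting you must support; the post uses 250 as baseline
        [double]$Headroom = 1.2                                 # 20 % margin above the computed figure (assumption)
    )
    $needed = [int][math]::Ceiling($MbPerUser * $MaxParticipants * $Headroom)
    New-Object PSObject -Property @{
        MbPerUser       = $MbPerUser
        MaxParticipants = $MaxParticipants
        RecommendedMb   = $needed
        DefaultMb       = 375                 # product default for MaxBandwidthPerAppSharingServiceMb
        BelowDefault    = ($needed -lt 375)   # going lower than the default only makes sense on undersized hosts
    }
}

function Set-AppSharingServiceBandwidthMb {
    param([Parameter(Mandatory = $true)][int]$Mb, [string]$Identity = 'Global', [switch]$WhatIf)
    $current = (Get-CsConferencingConfiguration -Identity $Identity).MaxBandwidthPerAppSharingServiceMb
    Write-Host "$Identity : MaxBandwidthPerAppSharingServiceMb $current -> $Mb"
    # When the service reaches this ceiling it reports health state Full (event 32033);
    # in the post's case it then stopped.
    Set-CsConferencingConfiguration -Identity $Identity -MaxBandwidthPerAppSharingServiceMb $Mb -WhatIf:$WhatIf
}

# Constructed inputs: 1 Mb per participant and the 270-person meeting from the post (not measured values).
$plan = Get-AppSharingServiceBandwidthMb -MbPerUser 1 -MaxParticipants 270
$plan | Format-List MbPerUser, MaxParticipants, RecommendedMb, DefaultMb, BelowDefault
Set-AppSharingServiceBandwidthMb -Mb $plan.RecommendedMb -WhatIf   # drop -WhatIf to apply
```

The -WhatIf run prints the current and proposed values without touching the configuration, which is the sensible first pass on a production pool.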
Conclusion: It's important to understand each parameter we change from its default value and to choose the new value based on best practices and the business usage model.
Hope you find the quick post above useful and that it helps you plan your Lync infrastructure accordingly.
- Lync 2010 virtualization guide – http://www.microsoft.com/en-us/download/details.aspx?id=22746
- Lync 2013 virtualization guide – http://www.microsoft.com/en-us/download/details.aspx?id=41936
- Set-CsConferencingConfiguration – http://technet.microsoft.com/en-us/library/gg412969.aspx
A few months back we wrote about the Microsoft ExRAP program, where Microsoft comes into your environment and evaluates its health, configuration and implementation of best practices.
One major security flaw in my Exchange environment was that we had had an open relay for years. This open SMTP relay was used by hundreds of application servers to send relayed SMTP email, i.e. with anonymous authentication. It was a security flaw because anyone with a computer on the network can run a tool that finds the open relay and starts sending email in bulk to our users, with whatever sender address it likes, and it can take us a while to trace that computer down while our email environment is being abused.
So I tightened my belt and took up the task of locking down the SMTP relay connectors so that only a pre-configured list of services/applications can relay email through them. The task breaks down into the following steps:
- Modify the load balancer to send the original client IP to the Hub Transport service, if needed.
- Create/configure an SMTP receive connector on the Hub servers.
- Identify the applications sending email through the open relay.
- Add the existing list of applications to the new locked-down SMTP relay connector.
- Change DNS entries if necessary to point to the new SMTP connector.
- Disable the open relay connector and monitor the situation.
- Perform the necessary clean-up and create a process for new applications.
Let’s discuss each of the above steps in detail now.
Step 1 – Modify the load balancer to send the original client IP to the Hub Transport service, if needed.
In most environments a load balancer acting as the entry point for SMTP relay is configured NOT to pass the original client IP to the Exchange servers, i.e. the Exchange service sees every SMTP connection coming from the load balancer.
That configuration will not work when you lock down the receive connector. If you add the load balancer's IP address to the connector's allowed IP list, you still haven't controlled which clients can connect to the load balancer itself, so you are still running an open relay.
For a locked receive connector to work, the clients' original connection details must reach the Exchange service rather than being terminated at the load balancer (for example by turning off source NAT on the SMTP virtual server).
For more about the issues with different load-balancing configurations for SMTP, refer to the "Load balancing SMTP traffic" link in the reference section at the end of this post.
Step 2 – Create and configure a locked SMTP receive connector on the Hub servers
By a locked SMTP receive connector I mean a receive connector with a pre-configured list of allowed IP addresses that can connect to the SMTP service through that particular connector. In my environment I named it Applications Mail Relay (NOTE: important for later discussion) and gave it the namespace mailrelay.contoso.com.
- Exchange 2010 – http://technet.microsoft.com/en-us/library/bb125159(v=EXCHG.141).aspx
- Exchange 2013 – http://technet.microsoft.com/en-us/library/jj657467(v=exchg.150).aspx
Keep the name of the connector the same on all your Hub servers and make a note of it; it is used in the later steps of this post.
Once the relay connector is configured (or in parallel with configuring it), you can start identifying the existing application servers that use the open SMTP relay.
Step 3 – Identify the applications sending email through the open relay.
We used Log Parser Studio (LPS) to identify the existing application servers connecting to the open SMTP relay. Log Parser Studio allows those who use Log Parser 2.2 (and those who don't, because it lacks an interface) to get to the data they need faster, with less fiddling with scripts and folders full of queries.
You can download Log Parser Studio and read more about it at the link in the reference section below.
We had two open relays in our environment: one Exchange 2010 receive connector named "SMTP Applications Relay" and one Windows 2003 IIS SMTP service. For each we used the query below against its logs (the IIS SMTP W3C log and the Exchange message tracking log respectively):
- Windows 2003 (IIS SMTP log):
SELECT c-ip, cs-username, COUNT(*) AS Hits FROM '[LOGFILEPATH]' GROUP BY c-ip, cs-username ORDER BY Hits DESC
- Exchange 2010 (message tracking log):
SELECT Client-IP AS c-ip, Client-HostName AS c-user, COUNT(*) AS Receives INTO '[OUTFILEPATH]\Output.CSV' FROM '[LOGFILEPATH]' WHERE ConnectorID LIKE '%SMTP Application%' GROUP BY c-ip, c-user ORDER BY Receives DESC
Once we had the result with IP addresses and server names in CSV format, it was time to clean up the list, i.e. remove any unwanted entries, and add the addresses in bulk to the locked-down receive connector we had created on each Hub server.
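As an added example (not the post's Log Parser Studio queries, and not a script from the author): the same inventory can be built in the Exchange 2010 Management Shell with Get-MessageTrackingLog, which queries every Hub Transport server directly instead of copying log files around. The connector name pattern, the 30-day window, the exclusion list and the output path are assumptions. The exclusion list is where the load balancer VIP and any vulnerability-scanner addresses go: they will show up in the logs, and they must never be allow-listed.

```powershell
# Added example: which client IPs are relaying through the open connector, from the message tracking logs.
function Get-OpenRelaySenders {
    param(
        [string]$ConnectorPattern = '*\SMTP Applications Relay',   # ConnectorId in the tracking log is "SERVER\Connector name"
        [datetime]$Start = (Get-Date).AddDays(-30),
        [string[]]$ExcludeIp = @()                                  # load balancer VIP, scanners: never allow-list these
    )
    $hubs = Get-ExchangeServer | Where-Object { $_.IsHubTransportServer }
    $events = foreach ($hub in $hubs) {
        # RECEIVE events with Source SMTP are messages a receive connector accepted from a client.
        Get-MessageTrackingLog -Server $hub.Name -EventId RECEIVE -Start $Start -ResultSize Unlimited |
            Where-Object { $_.Source -eq 'SMTP' -and $_.ConnectorId -like $ConnectorPattern }
    }
    $events |
        Where-Object { $_.ClientIp -and ($ExcludeIp -notcontains $_.ClientIp.ToString()) } |
        Group-Object -Property { $_.ClientIp.ToString() } |
        ForEach-Object {
            $first = $_.Group | Select-Object -First 1
            $last  = ($_.Group | Sort-Object Timestamp -Descending | Select-Object -First 1).Timestamp
            $conns = ($_.Group | ForEach-Object { $_.ConnectorId } | Sort-Object -Unique) -join ';'
            New-Object PSObject -Property @{
                IPAddress  = $_.Name
                HostName   = $first.ClientHostname
                Receives   = $_.Count
                LastSeen   = $last
                Connectors = $conns
            }
        } | Sort-Object Receives -Descending
}

# Output feeds Step 4; IPAddress is the column the later script reads. The VIP below is a placeholder.
Get-OpenRelaySenders -ExcludeIp '10.0.0.10' |
    Select-Object IPAddress, HostName, Receives, LastSeen, Connectors |
    Export-Csv -Path 'C:\Temp\RelaySenders.csv' -NoTypeInformation
```

LastSeen is there for the clean-up pass: an address that last relayed months ago is a candidate to leave off the allow-list and handle through the request process from Step 7 if its owner complains.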
Step 4 – Add the existing list of applications to the new locked-down SMTP relay connector.
To allow an IP address on a receive connector through the GUI you have to open the connector, add the IP address, and repeat the same steps on every Hub server that has that connector.
Being a lazy admin, I cannot see myself doing that. The other way is to load the IP addresses collected in Step 3 into a variable and run the cmdlet below to set the allowed list on the receive connector on each server:
- $IPAddress = Import-Csv <location of csv> | Select-Object -ExpandProperty IPAddress
- Set-ReceiveConnector "Server01\Applications Mail Relay" -RemoteIPRanges $IPAddress
Note that -RemoteIPRanges replaces the whole list, so $IPAddress must contain every address that should remain allowed, not just the new ones. Still, if you have 5 to 10 servers, I cannot see myself repeating the same steps more than twice. So I came up with the following scripts:
- Add-IPAddressToConnector: This script adds a specific IP address or range of IP addresses to every receive connector named Applications Mail Relay, taking input manually or from a txt or csv file. It also generates an HTML report, which can be emailed to administrator(s) for reference, plus a log file and a backup data file, so if anything goes wrong you have the list of IP addresses already added to the connectors in txt/log format.
.\Add-IPAddressToConnector.ps1 -IPAddress 10.0.0.2
For more details about how this script works, refer to its help:
Get-Help .\Add-IPAddressToConnector.ps1 -Detailed
- Remove-IPAddressToConnector: This script is the twin of the first one, except that it removes IP addresses from the receive connector named Applications Mail Relay instead of adding them, again from manual input or a txt or csv file.
.\Remove-IPAddressToConnector.ps1 -IPAddress 10.0.0.2
Get-Help .\Remove-IPAddressToConnector.ps1 -Detailed
- Check-IPAddressToConnector: Once you've added or removed IP addresses you sometimes need to check whether a particular IP address exists on the receive connector. This script checks whether one address is present in the long list of allowed IP addresses.
.\Check-IPAddressToConnector.ps1 -IPAddress 10.0.0.2
For more details about how this script works, refer to its help:
Get-Help .\Check-IPAddressToConnector.ps1 -Detailed
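As an added example (not from the original post; the author's Add/Remove/Check-IPAddressToConnector scripts are not reproduced here), this covers Steps 2 and 4 together in the Exchange 2010 Management Shell: create the locked-down relay connector on each Hub Transport server if it is missing, merge the IP list gathered in Step 3 into its RemoteIPRanges instead of overwriting them, and audit the organization for connectors that still relay anonymously from any address. The connector name, the 0.0.0.0:25 binding, the 127.0.0.1 seed entry and the CSV path are assumptions.

```powershell
# Added example: locked-down relay connector, allow-list merge, and open-relay audit (Exchange 2010).
$ConnectorName = 'Applications Mail Relay'
$CsvPath       = 'C:\Temp\RelaySenders.csv'     # first column: IPAddress (one IP, range or CIDR per row)
$RangePattern  = '^\d{1,3}(\.\d{1,3}){3}(-\d{1,3}(\.\d{1,3}){3}|/\d{1,2})?$'   # 10.0.0.2 | 10.0.0.1-10.0.0.9 | 10.0.0.0/24

function New-LockedRelayConnector {
    param([Parameter(Mandatory = $true)][string]$Server, [string]$Name = $ConnectorName)
    $id = "$Server\$Name"
    if (Get-ReceiveConnector -Identity $id -ErrorAction SilentlyContinue) { return }
    # Anonymous auth plus an explicit allow-list. The Default connector keeps 0.0.0.0-255.255.255.255;
    # Exchange picks the connector whose RemoteIPRanges match the client most specifically, so
    # listed hosts land here and everyone else stays on Default, which cannot relay.
    New-ReceiveConnector -Server $Server -Name $Name -Usage Custom -Bindings '0.0.0.0:25' `
        -RemoteIPRanges '127.0.0.1' -AuthMechanism None -PermissionGroups AnonymousUsers | Out-Null
    # Relaying to external recipients needs this extended right for ANONYMOUS LOGON; it is what
    # turns a receive connector into a relay, so it must only ever sit behind a tight allow-list.
    Get-ReceiveConnector -Identity $id |
        Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null
}

function Add-RelayRanges {
    param([Parameter(Mandatory = $true)][string]$Server, [Parameter(Mandatory = $true)][string[]]$Ranges, [string]$Name = $ConnectorName)
    $bad = $Ranges | Where-Object { $_ -notmatch $RangePattern }
    if ($bad) { throw "Not an IP, range or CIDR: $($bad -join ', ')" }
    if ($Ranges -contains '0.0.0.0-255.255.255.255' -or ($Ranges | Where-Object { $_ -like '*/0' })) {
        throw "Refusing to add an any-address range to $Server\$Name; that is an open relay"
    }
    $conn     = Get-ReceiveConnector -Identity "$Server\$Name"
    $existing = @($conn.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $merged   = @($existing + $Ranges | Sort-Object -Unique)
    # -RemoteIPRanges replaces the whole list, so the merged set is written back in one go.
    Set-ReceiveConnector -Identity "$Server\$Name" -RemoteIPRanges $merged
    New-Object PSObject -Property @{ Server = $Server; Before = $existing.Count; After = $merged.Count }
}

function Find-OpenRelayConnectors {
    # An open relay = anonymous connections accepted from every address AND ANONYMOUS LOGON holding
    # ms-Exch-SMTP-Accept-Any-Recipient. Run this after Step 6 and keep it in your audit scripts.
    foreach ($rc in Get-ReceiveConnector) {
        $anyIp = @($rc.RemoteIPRanges | Where-Object { $_.ToString() -eq '0.0.0.0-255.255.255.255' }).Count -gt 0
        $anon  = ($rc.PermissionGroups.ToString() -match 'AnonymousUsers')
        $relay = @($rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
                  Where-Object { -not $_.Deny -and ($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient' }).Count -gt 0
        if ($anyIp -and $anon -and $relay) {
            New-Object PSObject -Property @{ Connector = $rc.Identity.ToString(); Enabled = $rc.Enabled }
        }
    }
}

# Usage: bring every Hub server's connector into line with the Step 3 list, then look for leftovers.
$ranges = @(Import-Csv -Path $CsvPath | ForEach-Object { $_.IPAddress.Trim() } | Where-Object { $_ })
foreach ($hub in (Get-ExchangeServer | Where-Object { $_.IsHubTransportServer })) {
    New-LockedRelayConnector -Server $hub.Name
    Add-RelayRanges -Server $hub.Name -Ranges $ranges
}
Find-OpenRelayConnectors | Format-Table Connector, Enabled -AutoSize
```

Find-OpenRelayConnectors is the check to schedule afterwards: a connector that is disabled still shows up, which is the reminder to delete it in Step 7, and a connector someone later "fixes" by widening RemoteIPRanges back to any address shows up too.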
Step 5 – Change DNS entries if necessary to point to the new SMTP connector.
Now that the Exchange part is almost set up, you need to ensure that email starts flowing through the new connector.
In our scenario we had a few DNS entries pointing to the old Windows 2003 IIS SMTP relay, so we pointed them at the Exchange Hub VIP to ensure all SMTP traffic goes via the VIP.
Step 6 – Disable the open relay connector and monitor the situation.
At this point, if you are certain that all IP addresses have been added to the locked receive connector, you can disable the open relay connectors to force traffic through the locked-down receive connector.
Once you disable the open relay connector, you may face the following setbacks in a large organization:
- Some IP addresses do not connect frequently and didn't show up in the logs when you gathered the list of applications in Step 3. Those applications will no longer be able to relay email now that the open relay is closed. You'll have to use the Add-IPAddressToConnector script to add their IP addresses to the allowed list quickly and get them back in action.
- Application owners are used to using the open relay whenever they want, without any extra step or action. They will be a bit frustrated by the change; you will have to phase them into the new process you set up for managing the locked-down receive connectors, weighing its advantages against keeping an open relay in the environment.
Step 7 – Perform the necessary clean-up and create a process for new applications.
Once the transition is over, put processes in place for how application owners request access to the locked-down SMTP relay, how administrators add them, and how you keep track of additions and removals.
For example, create a request form for application owners and a spreadsheet in which administrators record the application IP addresses they add or remove.
You can also delete the old open relay connectors from the environment to reduce its footprint.
Once all is said and done, you'll have a strange feeling of relief: a more secure, more controlled and centralized environment, and a happier one for end users.
Hope you find the above information helpful. The required links and downloads are below. Till next time!
- Load balancing SMTP Traffic -¬†http://exchangeserverpro.com/issues-with-load-balancing-smtp-traffic/
- Creating receive connector in¬†Exchange 2010 – http://technet.microsoft.com/en-us/library/bb125159(v=EXCHG.141).aspx
- Creating receive connector in¬†Exchange 2013 – http://technet.microsoft.com/en-us/library/jj657467(v=exchg.150).aspx
- Log Parser studio – http://blogs.technet.com/b/exchange/archive/2012/03/07/introducing-log-parser-studio.aspx
March 13, 2014. Tags: Exchange HUB, Exchange HUB Open Relay, Exchange Open Relay, Exchange receive connector, Exchange SMTP Open Relay, Open Relay, SMTP Open Relay. Posted in: Exchange Server, Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, Exchange Server General
I have been exploring the new features introduced with Windows Server 2012 and Windows Server 2012 R2 in depth recently, and one feature that intrigued me a lot is DNSSEC.
In this series of posts we'll see what DNSSEC is, how it works, how it helps secure your environment, and how to implement it in an environment, along with related considerations.
Before we begin, some key terms you should be familiar with:
- DNS: The Domain Name System (DNS) is a service designed to resolve host names to IP addresses and vice versa.
- DNS server: Any computer providing domain name services is a DNS name server. Any DNS server that supports service location (SRV) resource records and dynamic updates can provide the name service for an Active Directory domain.
- Authoritative server: Any DNS server that holds a complete copy of a domain's zone file is authoritative for that domain.
- Non-authoritative server: Non-authoritative servers do not hold copies of any zones. Instead they keep a cache built from the lookups they have performed in the past for which they received an authoritative response.
- DNS query: A query is a request for information sent to a DNS server. The three types of queries are recursive, inverse and iterative.
- DNS client: A DNS client is any machine that issues queries to a DNS server. The client's host name may or may not be registered in the DNS database.
- Resolver: Resolvers are the software processes that do the actual work of finding the answer to a query for DNS data. They can run on client computers or on a DNS server resolving a name on behalf of a client.
So what is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Specifically, DNSSEC provides origin authentication, data integrity and authenticated denial of existence. With DNSSEC, the DNS protocol is much less susceptible to certain types of attack, particularly DNS spoofing.
Before we dive deep into DNSSEC, let's briefly discuss how DNS spoofing works.
How does DNS spoofing work?
DNS spoofing (or DNS cache poisoning) is an attack in which forged data is introduced into a DNS name server's cache, causing the name server to return an incorrect IP address and diverting traffic to another computer (often the attacker's).
Consider a scenario where a client sends a query to a recursive DNS server or a forwarder (a non-authoritative DNS server).
An attacker is listening on the network between the client and the recursive server, or between the recursive server and the authoritative server.
If the attacker gets its forged answer in ahead of either legitimate response in the diagram above, i.e. it delivers a spoofed response to the recursive server or a spoofed response to the DNS client, then, since neither of those querying parties checks the validity or authenticity of the response, the attacker successfully redirects the client to whatever destination it wants.
DNSSEC addresses these scenarios by signing the responses with a key, so that resolvers can validate a response's authenticity before accepting it.
How does DNSSEC work?
A DNS zone is secured with DNSSEC through a process called zone signing. Signing a zone adds validation support without changing the basic mechanism of a DNS query and response.
Validation of DNS responses relies on digital signatures included with the responses. These signatures are carried in new, DNSSEC-related resource records that are generated and added to the zone during zone signing.
Consider a scenario in which Adam tries to reach an internal website, www.JustForTest.Contoso.com. Adam's computer sends the query for the name to a recursive DNS server. Since the server doesn't have the answer in its cache, it goes to the authoritative server for the zone.
Because the zone is signed, rather than returning just the A record, the authoritative server also returns the DNSSEC records (the RRSIG signature over the A record set) to the recursive server. Think of it as sending the response locked in a box, with the means to open it sent separately.
The recursive DNS server uses the DNSKEY resource record (the zone's public key) to verify the RRSIG signatures that accompany the response: it computes a hash over the returned records and checks that it matches what the signature covers. If they match, the box opens and the server replies to Adam's workstation with the DNS data it requested. If they do not match, the box stays shut and it replies with SERVFAIL. In this way, a DNSSEC-capable recursive DNS server with a valid trust anchor installed protects against DNS spoofing attacks whether or not the DNS clients themselves are DNSSEC-aware.
DNSKEYs are used to verify RRSIG records. The figure does not show every validation step: the resolver also checks that the DNSKEY itself is valid, by following DS records from the trust anchor down to the zone where they exist (not shown above).
DNSSEC-related resource records:
| Resource record type | Description |
| --- | --- |
| Resource record signature (RRSIG) | Signatures generated with DNSSEC are contained in RRSIG records. Each RRSIG record is matched to another record set in the zone for which it provides a digital signature. |
| Next Secure (NSEC) | An NSEC record is used to prove the non-existence of a DNS name. NSEC records prevent spoofing attacks that are intended to fool a DNS client into believing that a DNS name does not exist. |
| Next Secure 3 (NSEC3) | NSEC3 is a replacement or alternative to NSEC that has the additional benefit of preventing "zone walking", the process of repeating NSEC queries in order to retrieve all the names in a zone. |
| Next Secure 3 Parameter (NSEC3PARAM) | The NSEC3PARAM record is used to determine which NSEC3 records to include in responses for non-existent DNS names. |
| DNS Key (DNSKEY) | A DNSKEY resource record stores a public cryptographic key that is used to verify a signature. The DNSKEY record is used by a DNS server during the validation process. |
| Delegation Signer (DS) | A DS record is a DNSSEC record type used to secure a delegation. DS records are used to build authentication chains to child zones. |
DNSKEY and DS resource records are also called trust anchors or trust points. A trust anchor must be distributed to every non-authoritative DNS server that will perform DNSSEC validation of responses for a signed zone. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named TrustAnchors.dns. A DNS server running Windows Server 2012 or later also displays the configured trust anchors in the DNS Manager console tree, in the Trust Points container.
DNSSEC lets resolvers validate the responses returned by authoritative and non-authoritative servers, and protects your environment against the major threat that DNS spoofing poses to DNS.
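As an added example (not from the original post): a check you can run from a Windows 8.1 or Windows Server 2012 R2 box to see whether a resolver is really validating. Resolve-DnsName's -DnssecOk switch sets the DO bit, so a signed answer comes back with its RRSIG records; -DnssecCd sets the CD bit, which asks the resolver to hand back what it has without validating. A name that fails validation therefore gives SERVFAIL with DO set but answers with CD set, and that gap is the "bogus" state DNSSEC exists to surface. The resolver address and the test names are assumptions: point it at a validating resolver that holds the right trust anchor and at a zone you know is signed. It needs network access to that resolver.

```powershell
# Added example: classify a name as secure, insecure or bogus from the resolver's DO / CD behaviour.
function Test-DnssecValidation {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Resolver,   # validating resolver with a trust anchor for the zone (assumption)
        [string]$Type = 'A'
    )
    $result = New-Object PSObject -Property @{ Name = $Name; Resolver = $Resolver; Signed = $false; Validated = $null; Status = '' }
    try {
        # DO bit set: a validating resolver returns the RRset plus its RRSIG, or SERVFAIL if validation fails.
        $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Resolver -DnssecOk -NoHostsFile -ErrorAction Stop
        $result.Signed    = @($answer | Where-Object { $_.Type -eq 'RRSIG' }).Count -gt 0
        $result.Validated = $true
        if ($result.Signed) { $result.Status = 'secure: RRSIG returned and accepted by the resolver' } else { $result.Status = 'insecure: no RRSIG (zone unsigned, or no chain of trust from a trust anchor)' }
    } catch {
        try {
            # CD bit set: the resolver skips validation. If this succeeds where the DO query failed,
            # the data exists but did not verify: spoofed records, or broken/expired signatures.
            $null = Resolve-DnsName -Name $Name -Type $Type -Server $Resolver -DnssecOk -DnssecCd -NoHostsFile -ErrorAction Stop
            $result.Validated = $false
            $result.Status    = 'bogus: answer exists but failed DNSSEC validation'
        } catch {
            $result.Status = "query failed: $($_.Exception.Message)"   # name really does not exist, or resolver unreachable
        }
    }
    $result
}

# Constructed run against an internal signed zone and an AD-integrated resolver (both names are assumptions).
Test-DnssecValidation -Name 'www.justfortest.contoso.com' -Resolver '10.0.0.53' | Format-List Name, Signed, Validated, Status
Test-DnssecValidation -Name 'doesnotexist.justfortest.contoso.com' -Resolver '10.0.0.53' | Format-List Name, Signed, Validated, Status
```

A "secure" result for your own zone and a "bogus" result for a deliberately broken test name (for example one whose signatures you let expire in a lab) is the pair that proves the resolver is enforcing validation rather than merely passing RRSIGs through.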
In the next part of this post we'll see how to implement DNSSEC on Windows Server 2012 R2 and what's new in DNSSEC with Windows Server 2012 R2. Meanwhile, for further details on DNSSEC, refer to the articles in the reference section below.
- Overview of DNSSEC – http://technet.microsoft.com/library/jj200221.aspx
- DNS Spoofing – http://en.wikipedia.org/wiki/DNS_Spoofing
Recently I came across an interesting issue where users had a shared mailbox open in their Outlook profiles, but when they read emails in the shared mailbox the messages were not changing to, or showing as, read. It threw me for a while, so I'm writing it up quickly to save you some troubleshooting time.
Summary of issue: Unread emails not changing status to read in shared mailboxes.
Environment:
- Outlook 2007/2010/2013 in online mode
- Exchange 2010 SP3 RU3 and above
- Shared mailboxes opened in online mode within a cached Outlook profile
- Outlook profile in online mode
What's the issue: When the user has sorted the emails in the shared mailbox by Categories and then reads an email as usual, the unread email does not change to, or show as, read. If the user goes back to his/her primary mailbox and then returns to the shared mailbox, the emails then show as read. The user is also able to send read receipts for the emails in question, but they still do not show as read in the shared mailbox.
Cause of issue: The issue appears to be a bug introduced with Exchange 2010 SP3 RU3, still unresolved in RU5 (released February 2014): when a user sorts email by categories within a shared mailbox, the read/unread flag does not update correctly.
Workaround: If the user sorts email by date or name (anything other than category), the read/unread flag should start updating correctly in the shared mailbox. We don't have many users sorting email by categories, and the ones who do were OK with sorting by name/date or setting up rules to move messages into separate folders, which serves a similar purpose to categories.
Alternatively, you can ask the user to go back to their primary mailbox and then return to the shared mailbox, which should update the read/unread flag. I don't recommend that as a workaround, as it makes Outlook harder to use, but it depends on the individual/administrator.
Resolution: Currently I haven't heard of any plans to fix this bug. Hopefully the next rollup update resolves it. I'll keep you posted if we hear anything.
Hope you find the above information helpful. Thanks for reading!
March 11, 2014. Tags: Exchange 2010 bug, exchange 2010 sp3, Outlook 2007, Outlook 2010, Outlook 2013, Outlook bug, Outlook read email issue, Read/unread email flag, Shared mailbox read email. Posted in: Exchange Server, Exchange Server 2010, Exchange Server General, Outlook
February 2014 seems to have been a major update month for Microsoft Office and Office server products. In this post we list the updates released and the major features each brings to the Office and Office services world.
Major updates released include:
- Microsoft Office 2013 Service Pack 1
- February 2014 update for the Lync desktop client
- Exchange Server 2013 Service Pack 1
- Exchange Server 2010 Service Pack 3 Rollup 5
- Exchange Server 2007 Service Pack 3 Rollup 13
- Office for Mac 2011 14.2 update
Let's briefly discuss the updates one by one, with the key improvements in each:
Microsoft Office 2013 Service Pack 1
Version – 15.0.4569.1506 or higher
The following are the key areas of improvement offered by this service pack:
- Improves compatibility with Windows 8.1.
- Improves compatibility with Internet Explorer 11.
- Improves compatibility with modern hardware, such as high-DPI devices and the precision touchpad.
- Provides new apps for Office capabilities and APIs for third-party developers.
February 2014 Update for Lync Desktop Client
Features included with this update:
- Toggle pictures of sender/receiver
- Support of high-resolution monitors (200% scaling mode)
- Transfer files and pictures in a Persistent Chat room
Exchange Server 2013 Service Pack 1
Version – 15.00.0847.032 or higher
The following are the key areas of improvement that are offered by this SP1:
- Windows Server 2012 R2¬†support
- Edge Transport servers return
- OWA Junk Email reporting
- S/MIME for Message Signing and Encryption
- SSL Offloading Support
- Exchange OAuth authentication protocol
- DAG without an Administrative Access Point
Exchange Server 2010 Service Pack 3 Roll-Up 5
This Rollup includes the following fixes:
- 2887459 Public folder expiry time is set incorrectly in Exchange Server 2010 SP3
- 2892257 Email items are lost when you move items between shared folders by using EWS delegate access
- 2897935 “Cannot save the object ‘\FolderName’” error message when you try to replicate Exchange Server 2010 public folders
- 2898908 EdgeTransport.exe crashes if the From field is empty in an email message
- 2903831 Only a single character is allowed in the disclaimer content in ECP
- 2904459 RPC Client Access service crashes if you add “Signed By” or “Send From” column in Outlook online mode
- 2913413 RPC Client Access service crashes with an exception in Exchange Server 2010
- 2913999 Meeting request body and instructions are lost in delegate’s auto-forwarded meeting request
- 2916836 EdgeTransport.exe crashes when a transport rule sends a rejection message to an empty address
- 2919513 Memory leak or memory corruption occurs in Exchange Server 2010
- 2924971 RPC Client Access service stops when you select an inactive search folder in Outlook 2007 in an Exchange Server 2010 SP3 environment
- 2926057 EdgeTransport.exe crashes if seek operation failed in Exchange Server 2010
- 2927856 Incorrect recurring meeting if disclaimer transport rule is enabled in Exchange Server 2010
Exchange Server 2007 Service Pack 3 Roll-Up 13
This Rollup introduces the following fix:
- 2926397 An Edge Subscription file from an Exchange 2013 Edge Transport server is rejected by an Exchange 2007 Hub Transport server
Office for Mac 2011 14.2 Update
Improvements for Microsoft Outlook for Mac 2011
- The database and the rebuild utility are improved.
- Outlook for Mac performance in key scenarios is improved:
  - General responsiveness during syncing
  - Deleting multiple records
  - Displaying email message content
  - Sending email messages
- Exchange email message sync is improved.
- Support for calendar scheduling resources is improved.
- Week numbers are added to the calendar display.
- Distribution list expansion functionality is included.
In the coming days we’ll discuss each update in detail in its own blog post. Hope you found the above information helpful! References:
- Exchange 2007 SP3 Rollup 13
- Exchange 2010 SP3 Rollup 5
- Released: Exchange Server 2013 Service Pack 1
- February 2014 Update for the Lync Desktop Client
Thanks for reading!
March 7, 2014 Tags: Exchange, Exchange 2007, Exchange 2010, exchange 2013, exchange update, Lync, lync update, office, office 2011, office 2013, office update Posted in: Exchange Server, Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, Lync 2013, Outlook No Comments
Recently I had a requirement to modify the Lync sign-in address (SIP address/domain) for multiple users. This also required me to notify each user of what they needed to do after the change of sign-in address, which included:
- Use the new sign-in address to sign in to Lync.
- Their email address is not changed, just the Lync sign-in address.
- They need to update the Lync meetings they created as organizer with the new meeting URL and re-send them, as the old URLs will not work after the change.
In addition to the SIP domain change, we needed to assign some new policies to the user accounts as well.
Being a lazy admin, I couldn’t see myself doing this for individual user accounts using the Lync Management Shell, and definitely not the Lync Control Panel.
To achieve this, I recently finished a quick shell script, Update-CsSipAddress, which basically:
- Takes a backup of the existing Lync account properties for the user accounts in CSV format.
- Logs erroneous accounts in a separate CSV file.
- Checks whether the user’s Lync account exists and whether it already has the new SIP domain assigned to it.
- Makes the appropriate changes to the SIP domain and policies as per the requirement.
- Notifies the administrator by email of any error encountered while modifying the attributes.
- Notifies each individual user, as their SIP address changes, about the change, with detailed instructions on what to do next.
- Generates an HTML report for administrators to review, which highlights how many accounts were touched, how many were skipped, and the details of the changes made.
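The per-user core of such a script, as an added example that is not the post’s Update-CsSipAddress.ps1: back up first, skip missing or already-migrated accounts, log failures to CSV, change the SIP address and policy, then notify the user. The domain, policy name, SMTP host and CSV paths are placeholders.

```powershell
# Added example (not the post's Update-CsSipAddress.ps1): moves one Lync user to a new SIP
# domain the way the post describes: CSV backup first, skip if the account is missing or
# already on the new domain, log failures to a CSV, then notify the user. Domain, policy
# name and SMTP host are placeholders. Needs the Lync Server Management Shell and
# PowerShell 3.0 (Export-Csv -Append).
function Update-SipDomainForUser {
    param(
        [Parameter(Mandatory)][string]$Identity,       # UPN, sip: address or display name
        [Parameter(Mandatory)][string]$NewSipDomain,   # e.g. 'newdomain.example'
        [string]$ClientPolicyName,                     # optional policy to grant as well
        [string]$SmtpServer = 'smtp.example.invalid',  # placeholder
        [string]$BackupCsv  = '.\CsUser-Backup.csv',
        [string]$ErrorCsv   = '.\CsUser-Errors.csv'
    )
    $logError = {
        param($id, $msg)
        [pscustomobject]@{ Identity = $id; Error = $msg; Time = Get-Date } |
            Export-Csv -Path $ErrorCsv -NoTypeInformation -Append
    }
    $user = Get-CsUser -Identity $Identity -ErrorAction SilentlyContinue
    if (-not $user) { & $logError $Identity 'No Lync-enabled account found'; return 'Skipped' }

    # Back up the properties we are about to touch before changing anything
    $user | Select-Object Identity, SipAddress, ClientPolicy, ConferencingPolicy, RegistrarPool |
        Export-Csv -Path $BackupCsv -NoTypeInformation -Append

    $alias  = ($user.SipAddress -replace '^sip:', '') -replace '@.*$', ''
    $newSip = "sip:$alias@$NewSipDomain"
    if ($user.SipAddress -ieq $newSip) { return 'AlreadyOnNewDomain' }   # safe to re-run

    try {
        Set-CsUser -Identity $user.Identity -SipAddress $newSip -ErrorAction Stop
        if ($ClientPolicyName) {
            Grant-CsClientPolicy -Identity $user.Identity -PolicyName $ClientPolicyName -ErrorAction Stop
        }
    } catch {
        & $logError $Identity $_.Exception.Message
        return 'Failed'
    }

    # Tell the user what changed and what they must do next (the post's three points)
    $body = @"
Your Lync sign-in address is now $newSip. Use it the next time you sign in to Lync.
Your e-mail address has not changed.
Lync meetings you organised still carry the old meeting URL; update and re-send them.
"@
    Send-MailMessage -To $user.WindowsEmailAddress -From "lyncadmin@$NewSipDomain" `
        -Subject 'Your Lync sign-in address has changed' -Body $body -SmtpServer $SmtpServer
    return 'Updated'
}
```

Run it over a CSV of identities (for example `Import-Csv .\users.csv | ForEach-Object { Update-SipDomainForUser $_.Identity 'newdomain.example' }`) and tally the returned status strings for the summary report.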
To see the details of how the script works, refer to its help using the cmdlet below:
Get-Help .\Update-CsSipAddress.ps1 -Detailed
You can also download the script from http://1drv.ms/1hAUO18
Hopefully you find this script helpful and it makes you a Rock Star Administrator for your Lync environment.
In the coming days we’ll upload a few other scripts, such as monitoring Lync performance counters and monitoring the Lync SQL database failover status, and monitoring both in a proactive fashion.
Thanks for reading!
February 21, 2014 Tags: lync address, lync sign-in, lync sign-in address, sign-in address, sip address, sip domain, update sip address Posted in: Lync 2013, Lync Server 2010, Uncategorized No Comments
For most Exchange environments & Exchange administrators, the majority of typical & complicated issues that come from the end-user perspective are around calendars. Every now and then you’ll see one of the issues listed below:
- Meeting has disappeared from calendar
- Unable to send updates or cancellation for a meeting
- Calendar items not synchronized properly to iPhone/smartphone
- Unable to track meeting responses
And the above are just the tip of the iceberg; I am sure you’ve seen a variety of calendar issues, and each one comes with a good level of difficulty when troubleshooting.
In this post we’ll discuss issues caused mainly by internal meeting corruption and how to address them using MFCMapi.
What do you mean by internal corruption?
With the release of Exchange 2010 and Single Item Recovery, there are scenarios in which a meeting attaches itself within the meeting multiple times, most probably due to the “Copy on Write” operation associated with Single Item Recovery & Litigation Hold. There are multiple factors that can cause this, but basically those attachments of the meeting within the meeting are the internal corruption of the meeting. It happens in the background, completely unknown to the end user, and causes the issues described later in this post. The issue is mostly seen with recurring meeting invites.
What are issues caused by internal corruption?
The following are a few of the top issues that you’ll notice because of this corruption:
- User unable to send update or cancellation for a meeting: Because of these internal attachments (the corruption), the user receives the error below when trying to send an update or cancellation for these meetings, stating that the message size is too large to be sent out.
It is basically caused by the fact that the internal corruption has increased the size of the meeting to the point where it crosses the transport send/receive limits configured in your environment.
- User updates the meeting details; it updates on attendee calendars but not on the organizer’s calendar: Another commonly seen issue caused by this corruption, where the user, for example, updates the time of the meeting invite; it updates properly on the attendee calendars but not on his/her own calendar.
Once you fix the meeting invite using the steps in the later section of this post and the user then updates the meeting invite, it goes out fine and updates properly.
- Synchronization with your iPhone failed for 1 items: Once the size of the meeting grows exponentially large due to corruption, the item fails to synchronize to the user’s ActiveSync device, and iDevice users start getting this synchronization failure for the same meeting:
Same root cause, but this one is triggered by the throttling policy and the fact that devices are not able to process such large HTTP packets/requests in the given duration of time, due to which they start throwing the above error for the given meeting invite. You’ll also see other minor issues, like the Outlook reminder not stopping for the said meeting, Outlook crashing while trying to open the meeting series, etc.
Possible causes of this issue: Now that we know what the issue is and how it impacts the end user, we can discuss the possible causes in order of probability, so that we can avoid it in a pre-emptive fashion:
- Long running recurring series: The most common cause of this issue, and the biggest impact, are long-running recurring meeting series. Users have a bad habit of keeping “no end date” on recurring meeting series and inviting a lot of attendees to them. To top it all, they keep updating the same series frequently, and there are attendees who respond to these meetings using a variety of smartphones. This causes the meeting corruption discussed above.
- As per Microsoft’s best practices, end users should not extend the recurrence of a meeting beyond three months or a quarter. They should create a new series every three months, or at worst every six months, to avoid this issue.
- Calendar Repair & Logging: There are not enough diagnostic logs to support this theory yet, but the corruption is probably caused by the Exchange Calendar Repair Assistant, which tries to repair the meetings or scan for meetings that might have dropped off other users’ calendars. Not really sure about this one, but at times disabling calendar repair & logging for a set of user mailboxes has helped reduce the frequency with which this issue is seen for them.
- Single Item Recovery & Legal Hold: With the Single Item Recovery copy-on-write operation, Outlook auto-saves the meeting & attachment every 3 seconds. Theoretically (not enough logs to show it), the COW operation causes the auto-saved meeting to attach within the meeting itself and cause the internal corruption. Not really sure about this one either, but at times disabling Single Item Recovery for a set of user mailboxes has helped reduce the frequency with which this issue is seen for them.
How to fix this issue: Well, the first obvious way is to open the recurring meeting series using Outlook, delete the attachments and save the meeting series. However, it is only occasionally that you’ll see even partial attachments in the meeting using Outlook. The attachments are well hidden and can only be accessed using MFCMapi.
MFCMapi provides access to MAPI stores to facilitate investigation of Exchange and Outlook issues and to provide developers with a sample for MAPI development. You can download MFCMapi from http://mfcmapi.codeplex.com/
MFCMapi is a standalone exe file which doesn’t require any installation.
Step 1 – Create an Outlook profile in Online Mode: To open the mailbox store using MFCMapi, you need to create a new Outlook profile in online mode.
Step 2 – Open MFCMapi using Run as administrator: Next you need to open the profile created above using MFCMapi. To do so:
- Right-click on MFCMapi.exe and choose Run as administrator. If you have UAC enabled, select Yes to run the application.
- Click on Session – Logon – select the Outlook profile created in step 1.
- Double-click the mailbox and expand Root Container – Top of Information Store – right-click on Calendar & select Open Content Table, as shown below:
- Sort the table by the subject line and look for the problematic meeting. Right-click – select Attachments – Display attachment table. Note that the second column, named Att? (Attachments?), will have the value True:
- The attachments from the corruption will look like the ones below. Make sure they are not legitimate attachments before you delete them using MFCMapi:
- Once you’ve ensured that these are the weird-looking attachments and not legitimate attachments like doc/jpeg, you can close the attachment table, repeat step 4 above and select Delete attachments.
- Once MFCMapi finishes deleting the attachments, it changes the value of the Att? column to False, as all attachments for the given meeting have been deleted successfully.
- Once cleared, you can check the PR_Creation_Time property of the same message using MFCMapi and make sure the meeting is not older than 3 to 6 months, as an older one indicates the user is keeping the recurrence running forever, and hence the issue.
- You can also share the calendar best practices document (referenced at the end of this post) with the end user to make sure the common tasks/operations end users perform that can cause these issues are avoided in future.
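Before opening MFCMapi, it helps to know which meetings in a mailbox are affected at all. The following is an added example (not from the original post) that uses the EWS Managed API rather than MFCMapi to list recurring series masters carrying embedded item attachments, flag series with no end date, and compare each one’s size with the transport send limit; it is read-only and deletes nothing. It assumes the EWS Managed API 2.2 DLL path shown, that the account running it owns the mailbox, and placeholder values for the mailbox address and the 10 MB limit.

```powershell
# Added example (not from the original post): instead of inspecting one meeting at a time in
# MFCMapi, list every recurring-master meeting in the calendar that carries embedded item
# attachments (the "meeting inside a meeting" corruption) and compare its size with the
# transport send limit. Read-only. Assumes the EWS Managed API 2.2 DLL at the path below and
# that the account running it owns the mailbox; the address and 10 MB limit are placeholders.
Add-Type -Path 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

function Find-BloatedRecurringMeetings {
    param(
        [Parameter(Mandatory)][string]$Mailbox,   # e.g. user@example.invalid (placeholder)
        [long]$MaxSendBytes = 10MB                # set to your Get-TransportConfig MaxSendSize
    )
    $ver = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP2
    $svc = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ExchangeService -ArgumentList $ver
    $svc.UseDefaultCredentials = $true
    $svc.AutodiscoverUrl($Mailbox, { $true })   # accept Autodiscover redirects

    # FindItem returns only summary properties; 500 per page is plenty for a calendar folder
    $view  = New-Object -TypeName Microsoft.Exchange.WebServices.Data.ItemView -ArgumentList 500
    $found = $svc.FindItems([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Calendar, $view)
    $master = [Microsoft.Exchange.WebServices.Data.AppointmentType]::RecurringMaster

    foreach ($item in $found.Items) {
        # The corruption the post describes lives on the recurring series master
        if ($item.AppointmentType -ne $master -or -not $item.HasAttachments) { continue }

        $item.Load()   # GetItem: brings the Recurrence pattern and the Attachments collection
        $embedded = @($item.Attachments |
            Where-Object { $_ -is [Microsoft.Exchange.WebServices.Data.ItemAttachment] })
        if ($embedded.Count -eq 0) { continue }   # only file attachments (doc/jpeg): leave alone

        [pscustomobject]@{
            Subject       = $item.Subject
            Created       = $item.DateTimeCreated          # what MFCMapi shows as PR_CREATION_TIME
            NoEndDate     = -not $item.Recurrence.HasEnd   # the "runs forever" series
            EmbeddedItems = $embedded.Count                # MFCMapi's Att? column, counted
            SizeBytes     = $item.Size
            OverSendLimit = $item.Size -gt $MaxSendBytes   # will fail to send updates/cancellations
        }
    }
}

# Usage (constructed): Find-BloatedRecurringMeetings -Mailbox 'user@example.invalid' | Format-Table
```

Meetings reported with EmbeddedItems greater than zero are the ones worth opening in MFCMapi’s attachment table; the Created column gives the same age check as PR_Creation_Time above.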
Conclusion: Calendar issues come in various forms, from various causes, and are generally not easy to troubleshoot or to give a definitive answer for. The above post describes one common cause that produces a few widely seen calendar issues; there are other common causes that produce different sorts of issues and need to be diagnosed on a case-by-case basis. MFCMapi is a very useful tool, especially when it comes to troubleshooting calendar issues, restoring items, and troubleshooting BlackBerry/ActiveSync/reminder issues, and you should explore this tool and familiarize yourself with it; I can assure you it will add a feather to your Rockstar cap! Hope you find the above information helpful, and we’ll catch up with you in our next post!
References:
- Outlook calendar best practices – http://office.microsoft.com/en-us/outlook-help/best-practices-when-using-the-outlook-calendar-HA104004449.aspx
- MFCMapi – http://mfcmapi.codeplex.com/
- Changes to COW (Copy On Write) – http://blogs.technet.com/b/exchange/archive/2012/06/01/holy-cow-changes-to-recoverable-items-versioning-in-exchange-2010-sp2-ru3.aspx
February 16, 2014 Tags: Exchange calendar issue, iPhone calendar sync issue, Meeting corruption, Meeting issue, Meeting update issue, mfcmapi, Outlook calendar issue, outlook meeting corruption Posted in: Exchange Server, Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, Exchange Server General, Outlook No Comments
It’s holiday time. Let’s have some quick holiday cookies. Here you go with the first set:
1. Exchange/Outlook is smart enough to download only the changes to the OAB instead of the entire thing every day.
2. You do not need to add all the Exchange 2013 CAS servers to the OAB virtual directory. Exchange 2013 OAB does *not* copy the OAB files to each server. They remain on the Mailbox server where the arbitration mailbox resides. Adding the CAS servers only determines which servers will be provided to clients by Autodiscover.
3. Exchange 2013 answers Autodiscover queries for Exchange 2007 users.
4. The Outlook Delegate settings get moved too when you move a mailbox from Exchange 2007/2010 to Exchange 2013. The delegate will still have access to the mailbox with the permissions set for the delegate using Outlook. This means a manager mailbox on Exchange 2013 and the delegate mailbox on Exchange 2007 will have no issues as long as both are using the same Outlook version. The delegate may not be able to open the manager’s folder(s) if the Outlook versions are different.
5. When you introduce Exchange 2013 CAS servers into an AD site which already has Exchange 2007 servers, including a CAS array, the Exchange 2013 server gets added as a member of the CAS array. All CAS servers in an AD site are automatically added to the CAS array; Exchange 2013 servers have no impact on this.