Remove Auto Accept from Outlook for all Room Mailbox

Hello All

One of the pain points during any legacy Exchange to Exchange 2010/2013 migration is conference room mailboxes, i.e. resource mailboxes.

What’s the pain point?

With Exchange 2007, Microsoft introduced a feature known as the Resource Booking Attendant (also called Calendar Processing, Automatic Resource Booking, Calendar Attendant Processing, Automated Processing or Resource Booking Assistant). It is a server-side calendar booking function that lets a conference room automatically accept or decline a meeting invite based on the parameters configured in the resource policy.

Prior to Exchange 2007, there were only two ways to enable auto accept on conference rooms:

  1. Using the “Auto accept” agent, where a mailbox was configured to auto accept and added as a delegate to all conference rooms.
  2. Using the Outlook “Auto accept” setting in the calendar options, also known as Direct Booking.

However, with Exchange 2010/2013 the auto accept agent is no longer supported: if you have an auto accept mailbox configured as a delegate of conference rooms, it will not function. You can clean this up with the appropriate PowerShell queries. To find the mailboxes that have a particular delegate, run:

Get-Mailbox -ResultSize Unlimited | Get-CalendarProcessing | Where-Object {$_.ResourceDelegates -like "*XYZ*"}
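The query above only finds the rooms. The following is an added example, not code from the post, that takes it one step further: it lists the room and equipment mailboxes that still carry the legacy auto-accept account as a resource delegate, removes just that delegate, and reports each room's AutomateProcessing value so you can confirm the Resource Booking Attendant is taking over. The delegate name 'AutoAcceptAgent' is a placeholder; the Set-CalendarProcessing call runs with -WhatIf so the first pass only reports.

```powershell
# Added example, not from the post: drop a legacy auto-accept delegate from every
# room/equipment mailbox that still lists it. 'AutoAcceptAgent' is a placeholder
# for the name of the old auto-accept mailbox.
$legacyDelegate = 'AutoAcceptAgent'

$affected = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox,EquipmentMailbox |
    Get-CalendarProcessing |
    Where-Object { $_.ResourceDelegates -like "*$legacyDelegate*" }

foreach ($cp in $affected) {
    # Keep every other delegate; $null clears the attribute when nothing remains
    $keep = @($cp.ResourceDelegates | Where-Object { $_ -notlike "*$legacyDelegate*" })
    if ($keep.Count -eq 0) { $keep = $null }

    # -WhatIf first: review the output, then re-run without it to apply the change
    Set-CalendarProcessing -Identity $cp.Identity -ResourceDelegates $keep -WhatIf

    # Report the room with its AutomateProcessing value: it should be AutoAccept if the
    # Resource Booking Attendant is meant to replace the agent for this room
    New-Object PSObject -Property @{
        Mailbox            = $cp.Identity.ToString()
        AutomateProcessing = $cp.AutomateProcessing
        RemainingDelegates = ($keep -join '; ')
    }
}
```

Rooms that come back with AutomateProcessing set to anything other than AutoAccept will stop auto-accepting once the delegate is gone, so fix those with Set-CalendarProcessing -AutomateProcessing AutoAccept before removing the -WhatIf.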

For the second and more common case, Direct Booking, there was no clean or direct way to check conference rooms for that setting and disable it. Even to check whether Direct Booking is enabled on a particular conference room, you had to create an Outlook profile for the mailbox, go to Tools > Options > Calendar > Resource Scheduling and then check and disable it there:

DirectBooking

In some environments we were asked “why not just leave it as it is?”. Here is the list of reasons not to:

  1. Outlook Web App (as well as any non-MAPI clients, like Exchange ActiveSync (EAS) devices) cannot use Direct Booking for automated resource scheduling. This is especially relevant for Outlook Web App-only environments where the users do not have Microsoft Outlook as a mail client.
  2. Direct Booking capabilities are ignored or no longer valid with Outlook 2013 clients
  3. The Resource Booking Attendant AutoAccept functionality is a server-side solution, eliminating the need for client-side logic in order to automatically process meeting requests
  4. Direct Booking and Resource Booking Attendant are conflicting technologies, and if enabled together, unexpected behavior in calendar processing and item consistency can occur

A few years back, SetAA was released, a command-line script which cleared these checkboxes by setting the MFCMapi attributes; it helped a lot over the last couple of years. However, people still had to work through a detect – report – remediate cycle to get around this limitation, which increased overall migration effort and time.

As an update, after due diligence the Microsoft development team released Remove-DirectBooking.ps1, built on Exchange Web Services (EWS) and PowerShell, which automates the discovery of enabled Direct Booking settings, tracks the results, and can even disable them.

How this script works:

  • Uses EWS Application Impersonation to tap into a mailbox (or set of mailboxes) and read the three MAPI properties where the Direct Booking settings are stored. It does this by accessing the localfreebusy item sitting in the NON_IPM_SUBTREE\FreeBusy Data folder, which resides in the root of the Information Store in the mailbox. The three MAPI properties and their equivalent Outlook settings the script looks at are:
    • 0x686d       Automatically accept meeting requests and remove canceled meetings
    • 0x686f       Automatically decline meeting requests that conflict with an existing appointment or meeting
    • 0x686e       Automatically decline recurring meeting requests
  • For mailboxes where Direct Booking settings were detected, it checks for conflicts by determining if the mailbox also has Resource Booking Attendant enabled with AutomateProcessing set to AutoAccept.
  • Optionally, disables any enabled Direct Booking settings encountered.
  • Writes a detailed runtime processing log to console and log file.
  • Creates a simple output text file containing a list of mailboxes that can later be used as an input file to feed the script for disabling the Direct Booking functionality.

SampleDBTxtFile

  • Creates a CSV file containing statistics of the list of mailboxes processed, with detailed information such as what was discovered, any errors encountered, and optionally what was disabled. This is useful for analysis in the discovery phase and can also be used as another source to create an input file for disabling the Direct Booking functionality.

RemoveDirectBookingLog
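To make the first bullet concrete, here is an added example (not the Remove-DirectBooking.ps1 script itself) that performs the same report-only check for one mailbox through the EWS Managed API: it locates the localfreebusy item under the "Freebusy Data" folder, reads the three MAPI properties listed above, and then runs the conflict test against the Resource Booking Attendant. It assumes the EWS Managed API 2.x DLL is at the path shown, that the running account has ApplicationImpersonation, that Autodiscover works, and that it runs inside the Exchange Management Shell (for Get-CalendarProcessing). The item subject 'LocalFreebusy' used to find the item is an assumption, not something stated in the post.

```powershell
# Added example, not Remove-DirectBooking.ps1: report-only read of the three Direct
# Booking MAPI properties of one mailbox via EWS, plus the RBA conflict check.
# Assumptions: EWS Managed API 2.x at the path below, ApplicationImpersonation granted,
# Autodiscover working, run from EMS. Item subject 'LocalFreebusy' is an assumption.
Add-Type -Path 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

function Get-DirectBookingState {
    param([Parameter(Mandatory=$true)][string]$Mailbox)

    $ews  = 'Microsoft.Exchange.WebServices.Data'
    $bool = [Microsoft.Exchange.WebServices.Data.MapiPropertyType]::Boolean
    $svc  = New-Object "$ews.ExchangeService" ([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
    $svc.UseDefaultCredentials = $true
    $svc.ImpersonatedUserId = New-Object "$ews.ImpersonatedUserId" (
        [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $Mailbox)
    $svc.AutodiscoverUrl($Mailbox, { $true })   # accepts any redirect; restrict to your domains in production

    # Property tags and meanings exactly as listed in the post
    $defs = @{
        AutoAccept         = New-Object "$ews.ExtendedPropertyDefinition" (0x686D, $bool)
        DeclineConflicting = New-Object "$ews.ExtendedPropertyDefinition" (0x686F, $bool)
        DeclineRecurring   = New-Object "$ews.ExtendedPropertyDefinition" (0x686E, $bool)
    }

    # 1. "Freebusy Data" sits directly under the mailbox root (NON_IPM_SUBTREE), not under MsgFolderRoot
    $root    = New-Object "$ews.FolderId" ([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Root, $Mailbox)
    $fFilter = New-Object "$ews.SearchFilter+IsEqualTo" ([Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName, 'Freebusy Data')
    $folders = $svc.FindFolders($root, $fFilter, (New-Object "$ews.FolderView" (2)))
    if ($folders.TotalCount -lt 1) { throw "Freebusy Data folder not found in $Mailbox" }

    # 2. Fetch only the localfreebusy item, loading just the three properties we need
    $props = New-Object "$ews.PropertySet" ([Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
    foreach ($d in $defs.Values) { $props.Add($d) }
    $view = New-Object "$ews.ItemView" (1)
    $view.PropertySet = $props
    $iFilter = New-Object "$ews.SearchFilter+IsEqualTo" ([Microsoft.Exchange.WebServices.Data.ItemSchema]::Subject, 'LocalFreebusy')
    $items = $svc.FindItems($folders.Folders[0].Id, $iFilter, $view)
    if ($items.TotalCount -lt 1) { throw "localfreebusy item not found in $Mailbox" }
    $item = $items.Items[0]

    # 3. A missing property means the checkbox was never set; treat it as disabled
    $state = @{ Mailbox = $Mailbox }
    foreach ($name in @('AutoAccept', 'DeclineConflicting', 'DeclineRecurring')) {
        $value = $null
        $present = $item.TryGetProperty($defs[$name], [ref]$value)
        $state[$name] = [bool]($present -and $value)
    }
    $state.DirectBookingEnabled = $state.AutoAccept -or $state.DeclineConflicting -or $state.DeclineRecurring

    # 4. Conflict check from the post: Direct Booking flags together with RBA AutoAccept
    $state.RbaAutoAccept = ((Get-CalendarProcessing -Identity $Mailbox).AutomateProcessing -eq 'AutoAccept')
    $state.Conflict      = $state.DirectBookingEnabled -and $state.RbaAutoAccept
    New-Object PSObject -Property $state
}

# Usage: report every room mailbox to CSV, the same shape as the script's discovery phase
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails RoomMailbox |
    ForEach-Object { Get-DirectBookingState -Mailbox $_.PrimarySmtpAddress.ToString() } |
    Export-Csv -Path '.\DirectBookingReport.csv' -NoTypeInformation
```

Nothing here writes to the mailbox; rows with Conflict set to True are the ones the post warns about, and rows with DirectBookingEnabled True but RbaAutoAccept False are the rooms that would silently lose auto-accept if Direct Booking were removed without first enabling the Resource Booking Attendant.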

Script’s Pre-requisites:

  1. Application Impersonation rights and minimum Exchange Admin rights must be used
  2. Exchange Web Services Managed API 1.2 or later must be installed on the machine running the script
  3. Exchange management tools must be installed on the machine running the script
  4. Script must be executed from within the Exchange Management Shell
  5. The Shell session must have an execution policy that allows the script to be executed (by default, you can’t execute unsigned scripts).
  6. AutoDiscover must be configured correctly (unless the EWS URL is entered manually)
  7. Exchange 2003-based mailboxes cannot be targeted due to lack of EWS capabilities
  8. In an Exchange 2010/2013 environment that also has Exchange 2007 mailboxes present, the script should be executed from a machine running Exchange 2010/2013 management tools due to changes in the cmdlets in those versions

Steps for running the script

  1. Generate Report or Detect Mailboxes: To run the script in report mode and generate a txt file listing the mailboxes that have this setting enabled, run it with the following parameters: .\Remove-DirectBooking.ps1 -Identity * -UseDefaultCredentials
  2. Review Report: Review the txt and csv files generated in step 1 to make sure you want to disable Direct Booking for all detected mailboxes. If for any business reason you don’t want to disable it on a particular mailbox, remove that address from the txt file. Also ensure that all detected mailboxes have the Resource Booking Attendant configured; otherwise the auto accept feature will be disabled altogether, causing issues for end users.
  3. Disable Direct Booking: Once you have reviewed the txt file generated in step 1, run the script with the following parameters to disable Direct Booking on the detected mailboxes: .\Remove-DirectBooking.ps1 -InputFile '.\' -RemoveDirectBooking

Please see the script’s help section (via "get-help .\Remove-DirectBooking.ps1 -full") for full information on all the available parameters.

The discovery and removal of Direct Booking settings can be a tedious and costly process to perform manually, but you can automate it using existing functions and features via PowerShell and EWS in Microsoft Exchange Server 2007, 2010 and 2013.

Download – Remove-DirectBooking.ps1. After you have downloaded it, rename the file to remove the .txt extension.


Till Next Time !

May 11, 2013 | Posted in: Exchange Server, Exchange Server 2010, Exchange Server General

Database Copy Fails after failover – Exchange 2010 SP3

Hello All

Microsoft released public document KB2837926, which describes an issue with Exchange 2010 SP3 where the passive copy of a database goes into a Failed state after a database failover.

Problem Scenario: You have a DAG environment with multiple copies of a database; for the sake of simplicity, one database Database01 with two copies, Copy A and Copy B, on Server A and Server B respectively. Database01 is active on Server A and has a healthy passive copy on Server B.

For some reason you have to fail over Database01 from Server A to Server B. During the operation, Copy A dismounts fine and Copy B mounts fine, but when Copy A initializes as the passive copy it goes into a Failed state. Copy B stays mounted, i.e. there is no outage for end users.

Workaround: As mentioned in the KB, the workaround is to delete Emn.log, where mn is the base number of the log file of Database01. This brings Copy A back into a healthy state.

Kindly refer to KB2837926 for more details on this issue. Unfortunately I was not able to replicate the issue in the test lab, but I am sure some customers are facing it in production.

Update (04/22/2013): Microsoft has completed the root cause analysis of this issue and has determined that it only occurs if you are using 8DOT3 name creation on volumes that are currently storing Exchange transaction logs. Kindly refer to KB2837926 for the details and updates.

One more reason to wait for the Exchange 2010 SP3 RU1 release before implementing SP3 in your environment, the other reason being the issue with soft deleting emails detailed here.

Rule of thumb: review the list of issues addressed by any particular update, and upgrade the Exchange 2010 version only if you are facing one of those issues in your environment. Otherwise leave it alone, unless a major functionality change is needed for some business reason.

Till Next Time !

April 10, 2013 | Posted in: Exchange Server 2010

Users unable to soft delete emails – Exchange 2010 SP3

Hello All

Thinking of deploying Exchange 2010 SP2 RU6 or Exchange 2010 SP3 in your environment? This is one important known issue with these builds that you should know about before you make that decision.

Problem Statement: Recent reports indicate that users get an ‘Unknown Error’ when trying to soft delete emails from their Inbox folder via Outlook in online mode or via OWA. Shift + Delete works without any issue, and no issues are seen when soft deleting emails from Outlook in cached mode either. Once the user gets that error, the emails stay in the Inbox and do not delete.

Problem Scope:

  • Exchange 2010 SP2 RU6
  • Exchange 2010 SP3
  • Outlook Online Mode/OWA
  • Soft deletion

Workaround: If you administer a large organization, we recommend deploying Outlook in cached mode by default because of the extra overhead associated with online mode. If your users mostly use cached mode, they should be fine.

Besides that, they can try to either:

  • Shift + Delete items
  • Move items to the Deleted Items folder manually. (Still testing; a couple of reports indicated that didn’t work either.)

Resolution: Currently there is no word from MS on resolving this issue; hopefully it will be addressed with RU6v2 or RU1 for SP3 as needed. Will update as we find out more.

Update (13/3/2013): Some reports suggest that the issue also impacts Outlook in cached mode when users try to delete different classes of messages, like meeting accepts or declines. We were not able to replicate it in the test lab, but there have been reports from different customers. MS is working on drafting a public communication for this issue.

Update (14/3/2013): Microsoft released a public-facing document on this issue, KB2822208, covering some additional details.

Thanks !

March 12, 2013 | Posted in: Exchange Server 2010

Stop 0xc000000e startup error – Windows 2008 R2

Hello All

Those who have already gone through the monthly or weekly patching cycle via WSUS might be aware of an issue where Windows 2008 R2 servers do not come back up after applying security updates and fail with the error below:

Windows failed to start. A Recent hardware or software change might be the cause. To fix the problem, To do this, follow these steps

The issue is due to a security update included in KB2823324, which has now been removed from the download link to prevent more customers from facing this issue.

Microsoft has acknowledged the issue and recommends that customers who have already installed the update uninstall it and bring the system back to a clean state. Detailed steps on how to accomplish this can be found in KB2839011.

As recommended in the KB, customers or organizations who have not applied security updates yet in their environment should exclude security update KB2823324 from security patching.

More updates will be provided as developers work towards resolving the issue and re-releasing an updated security package for KB2823324.

Thank You !

March 12, 2013 | Posted in: Windows OS, Windows7

Hardware Load Balancer Requirements – Lync Server

Hello All

A few months back we discussed the new Lync Server 2013 features that may help you decide whether to upgrade from Lync 2010 to 2013.

In this post we will focus on the hardware load balancer requirements for Lync. In a later section we will also discuss how the hardware load balancing requirements have evolved with Lync 2013, which you might find useful for new or existing deployments.

The major change from previous versions of Office Communications Server and Lync in load balancer requirements is support for DNS load balancing, a software solution that can greatly reduce the administration overhead of load balancing on your network. DNS load balancing balances the network traffic that is unique to Lync Server, such as SIP traffic and media traffic.

DNS load balancing offers simpler administration and more efficient troubleshooting, and it isolates complex issues from any potential hardware load balancer issue.

If DNS load balancing is supported, why do we need to discuss hardware load balancing requirements?

Even though DNS load balancing is supported for the majority of SIP traffic, you will still need a hardware load balancer to balance HTTP traffic to the Lync environment: DNS load balancing does not work for client-to-server web traffic. However, administering a hardware load balancer for HTTP traffic only is much easier and more streamlined than load balancing SIP traffic with it.

So in a nutshell, to load balance any Lync web services traffic, internal or external, within a Lync Enterprise Edition deployment, we need a hardware load balancer.

Now the question arises: how do I configure the hardware load balancer? When you go to your load balancer administrator with the requirement to set up Lync web services load balancing, the important question you will face is “What kind of affinity do you need?”

The answer to that question is simple but a bit lengthy.

If you have a Lync 2010 environment, or a hybrid Lync 2013/2010 environment (i.e. the Front End pool or Director pool is Lync 2010), you need cookie-based affinity per port, on 4443 and 8080, for external clients or external Lync web services. This affinity ensures that multiple connections coming from a single client are sent to a single server. A few points need to be taken into consideration:

  • Cookies must NOT be marked as HttpOnly. The cookies must be passed over HTTPS. When cookie-based affinity is used to load balance requests to Lync Web Services from external clients, each packet is decrypted and inspected for the presence of an HTTP cookie, an arbitrary piece of data that uniquely identifies a client to a given web server. If the load balancer detects an HTTP cookie, the packet is re-encrypted and sent to the web server that originally generated the cookie.
  • Cookies must be named MS-WSMAN. This is a development limitation.
  • SSL decryption and re-encryption must be enabled for cookie persistence. Because the load balancer must decrypt and re-encrypt SSL traffic to use cookies for maintaining session state, any certificate assigned to the external Web Services fully qualified domain name (FQDN) must also be assigned to the 4443 VIP of the hardware load balancer.
  • If your load balancer optimizes the use of cookies such that a cookie is inserted only once per TCP connection, do not use this optimization. A cookie must be inserted in every HTTP response whose request did not already include one.
  • Cookies should not have an expiry time set.

In addition, if you support Lync mobility in your environment, the load balancer must be able to load balance multiple requests within a single TCP connection. On F5 load balancers this feature is called OneConnect.

For internal Lync web services, you need source affinity configured on your load balancer. This affinity ensures that multiple connections from a single address are sent to a single server.

If you use a reverse proxy in between, you need to set Forward host header to True. If not, the load balancer sees all traffic coming from a single address and client, the internal interface of your reverse proxy, and all connections are passed to a single server without any load balancing occurring.

Now, if you noticed, I said “if you have Lync 2010 in the environment” before answering the requirements. The reason is that if you have ONLY Lync 2013, you do not need cookie-based affinity for external Lync web services; you can use source affinity for external Lync web services as well, given that the environment is Lync 2013 only. Configuring cookie-based affinity anyway does not cause any negative impact.

A few common points to keep in mind for any HLB deployment in a Lync environment:

  • The internal Edge interface and external Edge interface must use the same type of load balancing. You cannot use DNS load balancing on one interface and hardware load balancing on the other.
  • Turn off TCP nagling for both internal and external ports 443 of A/V Edge server. Nagling is the process of combining several small packets into a single, larger packet for more efficient transmission.
  • Turn off TCP nagling for external port range 50,000 – 59,999 of A/V Edge server.
  • Do not use NAT on the internal or external firewall.
  • The edge internal interface must be on a different network than the Edge Server external interface and routing between them must be disabled.
  • The external interface of the Edge Server running the A/V Edge service must use publicly routable IP addresses, with no NAT or port translation on any of the Edge external IP addresses.
  • On the firewall between the reverse proxy and the next hop pool’s hardware load balancer, create a rule to allow HTTPS traffic on port 4443 from the reverse proxy to the hardware load balancer. The hardware load balancer must be configured to listen on ports 80, 443, and 4443.

For more details, you can refer to the articles below:

Hope you find above useful during your own Lync deployments. Till Next Time !

 

March 4, 2013 | Posted in: Lync 2013

Daily Mail Flow Summary Report

Hello All

Thanks to a user on the Microsoft Exchange 2010 forum who asked for a way to generate details of the emails processed by each Hub server in the environment, I got the chance to write and share this script with all of you.

DailyMailFlowSummary

Based on the request and some customization, this script generates message statistics per Hub server for the last 24 hours, writes the output in HTML format, and sends that HTML file as an email. The statistics include:

  1. Total Message Count Processed
  2. Total Message Size in GB
  3. Average Message Size Processed MB
  4. Total Message Count from External Domains
  5. Total External Message size from External Domains in GB
  6. Average Message Size from External Domains in MB
  7. Total Message Count from Application Relay
  8. Total Message Size from Applications in GB
  9. Average Message Size from Applications in MB.

Based on your requirements, you can remove some of these parameters or add more to the script to generate the appropriate output for your environment.

How this script works: some important points of the script that you should be aware of:

  1. $fileName = "C:\Test\MessageSummaryReport.htm" – the name of the HTML output file along with its full local path on the server.
  2. $startdate = $enddate.AddHours(-24) – tells the script to look at data from the past 24 hours. To process more data, change 24 accordingly; for example, for 10 days’ worth of data, replace 24 by 240.
  3. $messages = Get-MessageTrackingLog -Server $serverName -Start $startdate -End $enddate -ResultSize Unlimited | Where-Object {$_.EventID -eq 'Receive'} – the core of the script, which pulls the data from each server to build the statistics.
  4. $Externalmessages = $Messages | Where-Object {$_.EventID -eq 'Receive' -and $_.ClientHostName -like "*Edge*"} – secondary filter for emails received via Exchange 2010 Edge servers. In our environment, Edge server names contain the keyword "Edge", hence that filter. Depending on your environment, you can filter on the receive connector name or a different keyword instead.
  5. $Relayedmessages = $Messages | Where-Object {$_.EventID -eq 'Receive' -and $_.ConnectorID -like "*Applications*"} – same principle as above, this time looking for traffic at receive connector level where the connector name contains the keyword "Applications". Depending on your environment, you can filter on another parameter or a different keyword.
  6. sendEmail Reporting@Contoso.com Administrator@contoso.com "Contoso Daily Mail Flow Summary" 10.0.0.1 $filename – sends the email to your recipients. The format of the command is sendEmail <from address> "<to address 1>,<to address 2>" "<Message Subject>" <SMTP Server FQDN or IP Address> <HTML file>
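The six points above fit together as shown in this added example, which is my own code rather than the attached DailyMailFlowSummary script: it computes the nine figures per Hub server for the last 24 hours, writes them to HTML and mails the file with the built-in Send-MailMessage instead of sendEmail. It assumes the Hub server list comes from Get-ExchangeServer, keeps the "*Edge*" and "*Applications*" filters from the post, and uses placeholder addresses, relay host and output path.

```powershell
# Added example, not the attached script: per-Hub RECEIVE statistics for the last 24 hours.
# Assumptions: Hub servers from Get-ExchangeServer; "*Edge*" in ClientHostname marks
# external mail and "*Applications*" in ConnectorId marks application relay (filters
# from the post); addresses, relay host and output path are placeholders.
$hoursBack = 24
$fileName  = 'C:\Test\MessageSummaryReport.htm'
$enddate   = Get-Date
$startdate = $enddate.AddHours(-$hoursBack)

# Adds "<Label> Count", "<Label> Size (GB)" and "<Label> Avg (MB)" to a report row
function Add-SizeStats {
    param($Row, [object[]]$Msgs, [string]$Label)
    $count = 0
    $bytes = 0
    $avgMB = 0
    if ($Msgs) {
        $count = @($Msgs).Count
        $bytes = (@($Msgs) | Measure-Object -Property TotalBytes -Sum).Sum
        $avgMB = [math]::Round($bytes / $count / 1MB, 3)
    }
    $Row | Add-Member -MemberType NoteProperty -Name "$Label Count"     -Value $count
    $Row | Add-Member -MemberType NoteProperty -Name "$Label Size (GB)" -Value ([math]::Round($bytes / 1GB, 3))
    $Row | Add-Member -MemberType NoteProperty -Name "$Label Avg (MB)"  -Value $avgMB
}

$hubs = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'HubTransport' }
$rows = foreach ($hub in $hubs) {
    # Only RECEIVE events, so each message is counted once per server that took it in
    $messages = Get-MessageTrackingLog -Server $hub.Name -Start $startdate -End $enddate -ResultSize Unlimited |
                Where-Object { $_.EventId -eq 'RECEIVE' }
    $external = $messages | Where-Object { $_.ClientHostname -like '*Edge*' }
    $relayed  = $messages | Where-Object { $_.ConnectorId -like '*Applications*' }

    $row = New-Object PSObject -Property @{ Server = $hub.Name }
    Add-SizeStats $row $messages 'Total'
    Add-SizeStats $row $external 'External'
    Add-SizeStats $row $relayed  'Application'
    $row
}

$rows | ConvertTo-Html -Title 'Daily Mail Flow Summary' `
    -PreContent "<h2>Messages received per Hub server, $startdate to $enddate</h2>" |
    Out-File -FilePath $fileName -Encoding UTF8

Send-MailMessage -From 'Reporting@contoso.com' -To 'Administrator@contoso.com' `
    -Subject 'Contoso Daily Mail Flow Summary' -SmtpServer '10.0.0.1' `
    -Body (Get-Content -Path $fileName | Out-String) -BodyAsHtml
```

Change $hoursBack to 240 for ten days, as the post describes; on a busy Hub the tracking log query for that window can take a long time and return a large object set, so run it off-hours.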

Hope the above script helps you monitor and report on your environment more closely and in an automated fashion, reducing your effort and keeping the Exchange environment healthy.

Please add any additional ideas to comment section.

Thank You !

March 3, 2013 | Posted in: Exchange Server 2010

Remove old Active sync Partnerships from Environment

Hello All

Recently we had a request to set up a process such that any ActiveSync device partnership older than 30 days is removed on a nightly basis.

The first thing that comes to mind is running the PowerShell cmdlet manually every night while changing the date parameter in the cmdlet’s filter, but as my name suggests, that’s not me.

So we put together a quick script which looks for all ActiveSync device partnerships and removes those older than 30 days. The script also generates details of the user and device partnerships it deleted, based on different parameters. Once done, we set up a bat file and put it in Task Scheduler to run nightly, and voilà, we are all set.

ActiveSyncDevicePartnership

Based on your requirements, you can tweak the script and include more features as needed. The number of days after which ActiveSync device partnerships are purged can be changed in the following line of the script:

$isdeviceold -ge 30

For the other parameters, see below:

  • Restrict the AD logical container where the script runs – Set-AdServerSettings -ViewEntireForest $true
  • HTML file location for the email – $fileName = "C:\Daily_Jobs\HTML\ActiveSyncReport.htm"
  • Email parameters – sendEmail Operations@contoso.com "Administrator@contoso.com" "Contoso Old Active Sync Device Report" 10.0.0.2 $FileName
  • The format used above is: sendEmail <from address> "<to address 1>,<to address 2>" "<subject line>" <email relay server address> $FileName
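As an added example of the procedure described in this post (my own code, not the attached ActiveSyncDevicePartnership script), the following removes device partnerships whose last successful sync is older than a configurable number of days, records each one and mails the report. Without the -Remove switch it only reports, so the first scheduled runs can be reviewed before anything is deleted. Addresses, relay host and output path are placeholders.

```powershell
# Added example, not the attached script: purge ActiveSync partnerships with no successful
# sync in the last $DaysOld days. Report-only unless -Remove is given.
# Addresses, relay host and output path are placeholders.
param([int]$DaysOld = 30, [switch]$Remove)

Set-AdServerSettings -ViewEntireForest $true
$cutoff   = (Get-Date).AddDays(-$DaysOld)
$fileName = 'C:\Daily_Jobs\HTML\ActiveSyncReport.htm'

$report = foreach ($cas in (Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true })) {
    foreach ($dev in (Get-ActiveSyncDeviceStatistics -Mailbox $cas.Identity)) {
        # A partnership that never completed a sync has no LastSuccessSync; age it from FirstSyncTime
        $last = $dev.LastSuccessSync
        if (-not $last) { $last = $dev.FirstSyncTime }
        if (-not $last -or $last -ge $cutoff) { continue }

        $action = 'Would remove (report only)'
        if ($Remove) {
            Remove-ActiveSyncDevice -Identity $dev.Identity -Confirm:$false
            $action = 'Removed'
        }
        New-Object PSObject -Property @{
            User            = $cas.Identity.ToString()
            DeviceType      = $dev.DeviceType
            DeviceModel     = $dev.DeviceModel
            DeviceId        = $dev.DeviceId
            LastSuccessSync = $dev.LastSuccessSync
            DaysSinceSync   = [int]((Get-Date) - $last).TotalDays
            Action          = $action
        }
    }
}

if ($report) {
    $report | Select-Object User, DeviceType, DeviceModel, DeviceId, LastSuccessSync, DaysSinceSync, Action |
        ConvertTo-Html -Title 'Old ActiveSync Device Partnerships' `
            -PreContent "<h2>Partnerships with no successful sync since $cutoff</h2>" |
        Out-File -FilePath $fileName -Encoding UTF8
    Send-MailMessage -From 'Operations@contoso.com' -To 'Administrator@contoso.com' `
        -Subject 'Contoso Old Active Sync Device Report' -SmtpServer '10.0.0.2' `
        -Body (Get-Content -Path $fileName | Out-String) -BodyAsHtml
}
```

Schedule it as ".\Remove-OldActiveSyncDevices.ps1 -DaysOld 30 -Remove" from the Exchange Management Shell once the report-only output looks right; the report doubles as the audit trail of which user and device were removed and when.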

Please let us know if you have any queries about the attached script. Hope you find this helpful and that it helps keep your Exchange environment clean and healthy.

For any script ideas or requirements, please post in the comment section and we will try to get one for you!

Thank You

March 1, 2013 | Posted in: Active Directory, Exchange Server 2010

Lync – Unable to save conversation history in Outlook

Hello All

Recently we were notified of an issue where Lync stops saving conversation history for a user into the Outlook folder. There could be many reasons behind this, but we will focus on one typical reason for this behavior between Lync and Outlook.

Symptoms:

  • Conversation history does not appear in the Conversation History folder within Outlook 2010 or OWA.
  • Issuing “outlook.exe /resetfolders” opens Outlook and around 10 messages from the Lync conversation history are synced (and this is replicated up to OWA), but nothing further is moved.
  • Using Lync on OWA results in the same symptoms.

Before we dive into the issue, we need to know that many of the features offered within Lync 2010 depend on connectivity to a Microsoft Exchange mailbox. For example, the conversation history feature uses both Exchange Web Services (EWS) and MAPI to manage Conversation History items. Unlike previous versions, EWS is now the primary method used to provide Microsoft Exchange integration features for the Lync client. MAPI is used if EWS is unavailable, but only in a limited capacity. For more details, we encourage you to read the resource kit chapter Understanding & Troubleshooting Exchange server integration.

Those who want to check the EWS and MAPI status on their own client can hold CTRL and right-click the Lync icon in the system tray and select “Configuration Information”. That gives you a screen with the status and settings of your Lync client.

ConfigInfo2

Troubleshooting:

  1. With EWS covered, we checked that the EWS status in the client was OK. We parsed the IIS logs on the CAS and also captured a Fiddler trace from the client to check for any issue with EWS integration, but everything came up clean.
  2. Next we dug into the Lync 2010 client logs to see why the issue was happening. To learn how to enable Lync logging on the client and how to analyze the log files, please refer here.
  3. The Lync client stores the conversation history in a spooler located in %userprofile%\AppData\Local\Microsoft\Communicator\sip_myuser@contoso.com\History Spooler. The files have a .hist extension. Checking there, I could see that many were waiting to be sent to the Exchange server for archiving. The client’s configuration information reported EWS status OK in step 1, so at this point my mind was saying “what the heck is going on!”
  4. Then I came across an article written by the Office 365 folks about the same issue, which explained why it happens. Basically the user had more than 1000 folders in his or her Outlook. If you look at the EWS extract below, you will see there is a policy which restricts the number of folders returned before an error is thrown. To determine whether a user has more than 1000 folders, you can use the VB macro created by MS (shared below) or the following cmdlet in the Exchange Management Shell:

 

EWSResponse

Exchange management shell cmdlet: (Get-Mailbox <user name> | Get-MailboxFolderStatistics).Count

To download the VB macro – VB Macro for Outlook

Workaround: The blog did not provide any information about a workaround. It ended with a note that the issue will be resolved in an upcoming version of Lync 2010, with no ETA, and unfortunately that answer is not acceptable to the users in our environment. So, based on the extract above, we tweaked the EWS throttling policy on the Exchange side to increase the number of folders returned before an error is thrown. We used the cmdlet below, and voilà, users started reporting that the Conversation History folder is now up to date:

Set-ThrottlingPolicy -Identity <Policy Name> -EWSFindCountLimit 2000

You need to be careful with how much you increase this limit, as the results of an EWS query for more than 1000 items stay in the memory of your CAS server, causing memory overhead for holding that many results at a time. For details about the syntax of the Set-ThrottlingPolicy cmdlet, please refer here.

What is EWS Find Count Limit: The EWSFindCountLimit parameter specifies the maximum result size of FindItem or FindFolder calls that can exist in memory on the Client Access server at the same time for this user in this current process. If an attempt is made to find more items or folders than your policy limit allows, an error is returned.
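Because the limit is a per-user memory budget on the CAS, the safer change is to raise it only for the users who actually need it. The following added example (my own code, not from the post) combines the folder-count cmdlet above with a dedicated throttling policy: it finds mailboxes above the 1000-folder default, creates a policy that overrides only EWSFindCountLimit, and assigns that policy to those mailboxes, leaving everyone else on the default. The policy name, threshold and new limit are placeholders.

```powershell
# Added example, not from the post: raise EWSFindCountLimit only for mailboxes that
# exceed the default 1000-folder limit. Policy name, threshold and limit are placeholders.
$policyName = 'EWS-HighFolderCount'
$threshold  = 1000
$newLimit   = 2000

# Counting folders walks every mailbox, so scope this to an OU or a user list in a large org
$heavy = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $folderCount = @(Get-MailboxFolderStatistics -Identity $_.Identity).Count
    if ($folderCount -gt $threshold) {
        New-Object PSObject -Property @{
            Mailbox       = $_.Identity.ToString()
            Folders       = $folderCount
            CurrentPolicy = $_.ThrottlingPolicy
        }
    }
}

if ($heavy) {
    # Create the policy once; every setting not given here inherits from the default policy
    if (-not (Get-ThrottlingPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
        New-ThrottlingPolicy -Name $policyName -EWSFindCountLimit $newLimit | Out-Null
    }
    foreach ($m in $heavy) {
        Set-Mailbox -Identity $m.Mailbox -ThrottlingPolicy $policyName
    }
}

# Review: who was moved, and how far above the default limit they are
$heavy | Sort-Object Folders -Descending | Format-Table Mailbox, Folders, CurrentPolicy -AutoSize
```

Keep $newLimit just above the largest folder count you see in the review table rather than a round large number; each user on the policy can hold that many FindFolder results in CAS memory at once.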

Hopefully this helps you resolve the issue in your environment if there are users who have more than 1000 folders in their Outlook client or mailbox.

If any further details are required, please let us know.

February 25, 2013 | Posted in: Exchange Server 2010, Exchange Server 2013, Lync 2013

SCOM – Health State of server Grey / Dimmed

Hello All

Recently, while adding some Exchange servers to the environment, we were also adding them to the SCOM 2007 R2 environment for monitoring. However, no matter what we did, the health state of the servers under the “Agent Managed” section would not turn into a green check mark; there was a check mark, but grey and dimmed out.

We tried basic troubleshooting like:

  1. Restarted the System Center Management service on the target server
  2. Made sure the appropriate firewall ports were open (in our case, we made sure the Windows firewall service was disabled)
  3. Uninstalled and reinstalled the SCOM 2007 R2 agent using an account with local admin access on the target machines.

But no luck; the status remained the same, as shown below:

 

Resolution: To resolve this issue, we:

  1. Exported the following registry key from a working server or machine: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HealthService\Parameters\Management Groups\<Management group name>
  2. Stopped the System Center Management service on the problem machine
  3. Imported the registry file exported in step 1
  4. Started the System Center Management service on the problem machine, and voilà! The agent health state turned green.

Note: The above procedure involves manually modifying the registry. Please make sure you have a system state and registry backup of the machine before making any changes.

There are some other blogs by the System Center team on how to troubleshoot and diagnose similar issues; the above is just one of the approaches. For further details, please refer to the blogs below:

Hope you find the above information helpful if you run into the same scenario.
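The four steps and the backup note above, written out as a script to run on the problem machine. This is an added example, not from the post; it assumes the .reg file has already been exported from a healthy agent with reg export, that the management group name and file paths are replaced with your own, and it backs up the existing key and rolls back if the import fails.

```powershell
# Added example, not from the post: replace the HealthService management-group key on a
# failing SCOM agent with one exported from a healthy agent. Run on the problem machine.
# $mgName, $goodReg and the backup path are placeholders.
$mgName  = 'CONTOSO-MG'
$keyPath = "HKLM\SYSTEM\CurrentControlSet\services\HealthService\Parameters\Management Groups\$mgName"
$goodReg = 'C:\Temp\HealthService-MG-from-working-agent.reg'   # exported on a healthy agent
$backup  = "C:\Temp\HealthService-MG-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
$service = 'HealthService'   # service name behind "System Center Management"

if (-not (Test-Path $goodReg)) { throw "Exported registry file not found: $goodReg" }

# The note above: back up the current key so the change can be reverted
reg.exe export $keyPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Key $keyPath not present on this machine; nothing to back up"
    $backup = $null
}

# Step 2: stop the agent so the key is not in use while it is replaced
Stop-Service -Name $service -Force
(Get-Service -Name $service).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 3: import the key exported from the working agent, rolling back on failure
reg.exe import $goodReg | Out-Null
if ($LASTEXITCODE -ne 0) {
    if ($backup) { reg.exe import $backup | Out-Null }
    Start-Service -Name $service
    throw "Import of $goodReg failed; original key restored and service restarted"
}

# Step 4: start the agent again and show its state; the console should turn green shortly after
Start-Service -Name $service
Get-Service -Name $service | Format-Table Name, Status, DisplayName -AutoSize
```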

Thanks !

February 25, 2013 | Posted in: Tit-Bits, Windows OS

How Kerberos Authentication Works

Hello All

Recently, while speaking at a conference on the new features of Lync, an interesting question came up: “How does Kerberos authentication work and why is it better than NTLM?” While it was interesting to answer that query, I thought about writing something about it as well.

Role of Kerberos authentication: The Kerberos authentication protocol provides a mechanism for mutual authentication between a client and a server before a network connection is opened between them.

The above is the basic definition of what the Kerberos protocol does on a network; how exactly it works is explained briefly below. Before that, since I am a fan of Greek mythology, I have to mention that the word Kerberos was taken from the Greek god “Cerberus”, the three-headed creature responsible for guarding the underworld (Greek mythology always gives me goosebumps ;-)

To see how it works, take the example of a restricted library with many categories of books.

  1. A student named Alice enters the library and shows her identity card to the librarian, Bob. Bob verifies the identity card and grants her access to the appropriate sections of the library. Here Alice is our client, who authenticated to the network using Windows credentials, and Bob is our KDC (Key Distribution Center), which provided the client with a short-lived TGT (ticket granting ticket). The TGT is saved in the client cache (volatile memory, not the hard disk) and is then used by the client to get access to particular services.
  2. Alice now takes the access card given by Bob to the literature section of the library. She asks the section administrator, Charles, for a particular book. Here our client generated a request to the TGS (ticket granting service) using the TGT obtained in step 1. The client requests the service using a particular identifier, the SPN (Service Principal Name), which identifies the particular service the client wants. That is why you must have the proper SPN created when implementing Kerberos authentication for a given application; otherwise your clients will not be able to reach that service (or book, in our case) using Kerberos and will fall back to the NTLM protocol.
  3. Charles takes the ticket issued by the TGS, decrypts and reads it. Based on the SPN value in the ticket, he gives Alice the particular book she is looking for.

The above is a very high-level explanation of how Kerberos authentication works; for more details, please refer here.

Now that we have covered how Kerberos authentication works, we come to the second part of the question, “Why is it preferred over NTLM?” To explain this, I’ll take the example of an Exchange 2010 environment where a user launches Outlook, and I’ll run the library example from above in parallel.

  1. Alice logs in to the computer (or the library) using Windows credentials. Librarian Bob authenticates her accordingly.
  2. The user launches Outlook. OR Alice enters the literature section.
  3. The user’s computer sends traffic to the server (the load-balanced namespace) specified in the Outlook profile. This traffic includes the user’s integrated authentication information (in other words, NTLM authentication).
  4. The load balancer directs the traffic to a specific CAS member (Charles) within the load-balanced array.
  5. The CAS member (Charles) needs to verify the user’s credentials. It does this by sending traffic to a specific domain controller, the one with which it has an associated secure channel binding, requesting verification of the user’s credentials. OR Charles keeps Alice waiting and goes to Bob to verify her identity card again.
  6. The domain controller (Bob) responds to the CAS member (Charles) with the information on the user’s credentials.
  7. The CAS member generates an access token and services the request. OR Charles provides Alice with the book accordingly.

Now, if you compare the two, the steps Alice needed with Kerberos were shorter and more efficient than with NTLM for getting to the same book; in other words, NTLM caused more packet traffic than Kerberos when authenticating a client to a particular service. Besides that:

  1. The CAS member (Charles) only uses a single domain controller (Bob) for all authentication requests. In addition, there is no load distribution mechanism across the CAS members in the load-balanced array to ensure that each CAS uses a different domain controller for its secure channel binding, i.e. all library section administrators come to the same librarian, Bob, for authentication.
  2. Windows limits the number of concurrent secure channel calls. There is a specific number of threads that can handle NTLM authentication (controlled by the MaxConcurrentAPI value). OR Bob can only handle n requests from Charles at a time for verifying identity cards, which can delay Alice’s request for a particular book.
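To see which protocol clients are actually using, which ties together the SPN fallback point in the Kerberos walkthrough above and the NTLM comparison just given, here is an added PowerShell example (not part of the original post) that tallies Kerberos versus NTLM network logons from Security event 4624. The event samples are constructed and the function name is my own; on a real CAS you would feed it the XML of live events as noted in the comments.

```powershell
# Added example, not from the original post: summarise which authentication
# package (Kerberos or NTLM) network logons on a CAS actually used, taken from
# Security log event 4624. The sample events below are constructed; on a real
# server feed the function live events instead:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() }
function Get-AuthPackageSummary {
    param(
        # XML text of one 4624 event per item (the shape .ToXml() returns)
        [Parameter(Mandatory)] [string[]] $EventXml
    )
    $rows = foreach ($text in $EventXml) {
        $x = [xml]$text
        $data = @{}
        # EventData is a list of <Data Name="..."> elements; index them by name
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Logon type 3 = network logon, which is what Outlook hitting a CAS produces
        if ($data.LogonType -ne '3') { continue }
        [pscustomobject]@{
            User    = $data.TargetUserName
            Client  = $data.IpAddress
            Package = $data.AuthenticationPackageName
        }
    }
    # One row per package; the NTLM row lists clients that fell back, which is
    # the first place to look for a missing or duplicate SPN on the namespace
    $rows | Group-Object Package | ForEach-Object {
        [pscustomobject]@{
            Package = $_.Name
            Logons  = $_.Count
            Clients = ($_.Group.Client | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample events, trimmed to the fields the function reads
$sample = @(
    '<Event><EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">Kerberos</Data><Data Name="IpAddress">10.0.0.5</Data></EventData></Event>',
    '<Event><EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="IpAddress">10.0.0.7</Data></EventData></Event>',
    '<Event><EventData><Data Name="TargetUserName">carol</Data><Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="IpAddress">10.0.0.7</Data></EventData></Event>',
    '<Event><EventData><Data Name="TargetUserName">svc</Data><Data Name="LogonType">5</Data><Data Name="AuthenticationPackageName">Negotiate</Data><Data Name="IpAddress">-</Data></EventData></Event>'
)
Get-AuthPackageSummary -EventXml $sample | Format-Table -AutoSize
```

With the constructed sample this prints one Kerberos row (10.0.0.5) and one NTLM row with two logons from 10.0.0.7; the service logon (type 5) is ignored.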

Hope the above clarifies the finer details of how Kerberos authentication works and why it is preferred or recommended over NTLM authentication. Please feel free to leave any follow-up questions or notes in the comment section.

For more details on how to implement a Kerberos account for Exchange 2010, please refer here. In addition, we have provided a quick script that helps you monitor password replication of the Kerberos account, which can be downloaded from the location below:

Monitoring Kerberos account update


February 22, 2013   Posted in: Active Directory