New Features Introduced with Windows 8.1 – April 2014

Hello All

Microsoft engineers and users have been exploring Windows 8 a lot since its release, and we see major changes and upgrades in the UI with each update released for the Windows 8/Windows 8.1 operating systems.

In June 2013, Microsoft released the Windows 8.1 update, which brought a lot of new features and the familiar Start button along with it. We discussed its new features in depth back then.

Yesterday, Microsoft released KB2919355, a cumulative update for Windows 8.1 and Windows RT 8.1 systems that includes all previously released security and non-security updates. In addition, it includes improvements such as improved Internet Explorer 11 compatibility for enterprise applications, usability improvements, extended mobile device management, and improved hardware support.

What’s new in this update?

This update provides the following new features:

  • Power and Search buttons on the Start screen. These buttons appear in the upper-right corner of the Start screen next to your account picture. You’ll be able to quickly and easily shut down your PC or search for things right from Start.

Power & Search Button

  • All open and pinned apps appear in the taskbar. If you like using the desktop, you’ll see both desktop apps and apps from the Windows Store in your taskbar when they’re running.

Pinned Widgets

  • Access the taskbar from anywhere. When you’re using a mouse, you can see the taskbar from any screen, including Start or a Windows Store app.
  • Go to the desktop when you sign in, instead of Start. If you spend more time in the desktop, you can sign in (boot) directly to the desktop instead of the Start screen.
  • The Minimize button, Close button, and taskbar are more available with your mouse. Your mouse works more consistently anywhere in Windows. Move your mouse to the top of the screen to see the Close and Minimize buttons in any app. Move your mouse down to the bottom of the screen to see the taskbar from anywhere in Windows.

Mouse Controls

  • Right-click an app tile to see more options. If you’re using a mouse and you right-click a tile on Start, you’ll see a context menu next to the tile that shows what you can do with the tile.

More Options

  • Discover apps in new ways. The Windows Store is pinned to Start and to your taskbar by default, so you can easily discover new apps. When you use the Search charm, Bing Smart Search includes apps in the suggestions and the search results.
  • Remember what apps you recently installed. After you install new apps, Start includes a message in the lower-left corner of the screen, pointing you to the Apps view so you can see what you recently installed.

New Apps

Those were the major features introduced with the April 2014 cumulative update for Windows 8.1. Similar features have also been introduced in Windows Server 2012 R2, along with necessary security enhancements and tightening.

Why you should install this update

We strongly recommend that you install Windows 8.1 Update or Windows RT 8.1 Update (KB 2919355). This is a critical update that is required for future updates to Windows. If you prevent it from installing or you uninstall it, you won’t get some future bug fixes, security updates, and new features. In some cases, if you uninstall this update from a new PC after signing in with a Microsoft account, OneDrive might not work as expected.

Hope you find the above information about this update helpful and that you enjoy these new user-friendly features on your OS. You can use the reference links below to read more about how to use each feature included with this update.

References:

April 11, 2014 | Posted in: Windows OS

Lync – Database Update Fails – ERROR_RESTRICT_DATABASE_ACCESS

Hello All

Over the weekend I was installing the January 2014 Cumulative Update for Lync Server 2010 and I ran into an interesting issue. We followed all the steps correctly and it made me wonder “why the hell am I getting this error?”

As per the process for installing a Lync Server 2010 Cumulative Update:

  1. We installed the update on our Lync servers successfully.
  2. From an updated Lync Server 2010 Front End server, we ran the cmdlet below in the Lync Management Shell to update the backend databases:

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <EEBE.Fqdn> -UseDefaultSqlPaths

When we ran the above cmdlet, we got the error below for the RTCDyn database:
Error: Script failed (code “ERROR_RESTRICT_DATABASE_ACCESS”) when installing “BackendStore” on “ContosSQL.Contoso.com”. For details, see the following log file: “C:\Users\admin\AppData\Local\Temp\2\Create-BackendStore-ContosoSQL.contoso.com-[2014_03_22][00_23_56].log”

In the Create-BackendStore log file, we saw the following lines/error:

Opened database rtc

Opened database rtcdyn

Error executing alter database [rtcdyn] set restricted_user with rollback immediate

—————

Exit code: ERROR_RESTRICT_DATABASE_ACCESS (-21)

—————

Subsequently, the other databases in the update were failing with the error below:

Error: Script failed (code “ERROR_OPEN_DB”) when installing “MonitoringStore” on “ContosoSQL.contoso.com”. For details, see the following log file: “C:\Users\admin\AppData\Local\Temp\2\Create-MonitoringStore-ContosoSQL.contoso.com-[2014_03_22][00_24_33].log”

Generally the error indicates one of the following:

  • The SQL server is inaccessible – Log on to the SQL server or open SQL Server Management Studio and ensure you can access the databases.
  • You are not part of the RTCUniversalServerAdmins group – Add your account to that group to resolve this issue.
  • You do not have enough privileges on the SQL server to access the database – Add your account on the SQL server as sysadmin to resolve this issue.
  • You are not running the Lync Management Shell or cmdlet as administrator – Open the Lync Management Shell or PowerShell using the “Run as administrator” option.

In our case all of the above were satisfied, and it didn’t make sense why the database would not open properly for the upgrade if it was accessible manually using SSMS. At this time, since the upgrade was stuck in the middle, we were in an outage scenario where Lync clients were unable to access contact lists, presence information and conferencing data. Touch wood, it was during off-business hours and the impact wasn’t huge, but the clock was ticking. (And I needed to get back to my weekend as well!)

Now, the error did say that it was unable to alter the Restricted_User property for the RTCDyn database. So I ran the SQL query below using SSMS against the RTC database:

ALTER DATABASE rtc SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
GO
ALTER DATABASE rtc SET MULTI_USER;
GO

Once the query had altered the database successfully, I ran the backend upgrade using the cmdlet below again, and voila, it ran successfully!

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <EEBE.Fqdn> -UseDefaultSqlPaths

It took me some time to figure this one out; hopefully, using the above information, it doesn’t take long for you in case you run into a similar situation.

Hope you find the above information helpful. Thanks for reading! Till next post!

Thanks !

March 24, 2014 | Posted in: Lync 2013, Lync Server 2010

Exchange – Lock Down Open SMTP Relay

Hello All

A few months back we wrote about the Microsoft ExRAP program, where Microsoft comes into your environment and evaluates the health, configuration and best-practice implementation within your environment.

Now, one major security flaw within my Exchange environment was that we had had an open relay for years. This open SMTP relay was used by hundreds of application servers to send relayed SMTP email, i.e. using anonymous authentication. The reason this was a security flaw is that anyone with a computer on the network can run an executable that searches for this open relay and starts sending emails in bulk to our users. It could take us a while to trace that computer, while our Exchange email environment had been compromised.

Harmful Open Relay

So I tightened my belt and took up the task of locking down the SMTP relay connectors such that only a pre-configured list of services/applications can relay email through them. The task can be broadly divided into the steps below:

  1. Modify load balancer to send original client IP to HUB Service if needed.
  2. Create/Configure an SMTP connector on the HUB servers.
  3. Identify the application sending email using open relay.
  4. Add existing list of applications to the new locked down SMTP relay connector.
  5. Change the DNS entries if necessary to point to new SMTP connector.
  6. Disable the open relay connector and monitor for situation.
  7. Perform necessary cleanup and create a process for new applications.

Let’s discuss each of the above steps in detail now.

Step 1 – Modify load balancer to send original client IP to HUB Service if needed.

In most environments, the load balancer acting as the entry point for SMTP relay is configured NOT to send the original client IP connection information to the Exchange servers, i.e. the Exchange services see the SMTP connection coming from the load balancer only.

Load Balancer SMTP Traffic

This configuration will not work in the scenario where you’re locking down the Exchange receive connector. Consider that you add the load balancer’s IP address to the receive connector’s allowed IP list: you still haven’t controlled which clients are connecting to the load balancer itself! So basically you’re still in open relay mode.

For a locked receive connector to work, you’ll need the clients’ original connection details to reach the Exchange service rather than being terminated at the load balancer itself.

To read more about issues with different load balancing configurations for the SMTP service, please refer to the article below:

http://exchangeserverpro.com/issues-with-load-balancing-smtp-traffic/

Step 2 – Create & Configure a locked SMTP Receive Connector on HUB Servers

When I say locked SMTP receive connector, I mean a receive connector with a pre-configured list of allowed IP addresses that can connect to the SMTP service through that particular receive connector. For my environment I used Applications Mail Relay as its name (NOTE: important for later discussion) and gave it the namespace mailrelay.contoso.com.

Receive Connector

To read more about how to create a receive connector in an Exchange environment, please refer to the articles below for the step-by-step process:

Keep the name of the connector the same on all your HUB servers and note it down, as it’ll be useful in steps 3 and 5 of this post.

Once the SMTP relay connector is configured (or in parallel with configuring it), you can start identifying the existing application servers that are leveraging the open SMTP relay.

Step 3 – Identify the application sending email using open relay.

We used Log Parser Studio (LPS) to identify the existing application servers connecting to the open SMTP relay. Log Parser Studio allows those who use Log Parser 2.2 (and even those who don’t, due to the lack of an interface) to work faster and more efficiently to get to the data they need with less “fiddling” with scripts and folders full of queries.

You can download and read more about Log Parser Studio at the link below:

http://blogs.technet.com/b/exchange/archive/2012/03/07/introducing-log-parser-studio.aspx

Log Parser Studio

Now, we had two open relays in our environment: one using an Exchange 2010 open relay connector named “SMTP Applications Relay” and the other using the Windows 2003 IIS SMTP service. For the two services we used the queries below, respectively, to generate the results:

  • Windows 2003:

SELECT c-ip, cs-username, COUNT(*) AS Hits FROM '[LOGFILEPATH]' GROUP BY c-ip, cs-username ORDER BY Hits DESC

  • Exchange 2010:

SELECT Client-IP AS c-ip, Client-HostName AS c-user, COUNT(*) AS Receives INTO '[OUTFILEPATH]\Output.CSV' FROM '[LOGFILEPATH]' WHERE ConnectorID LIKE '%SMTP Application%' GROUP BY c-ip, c-user ORDER BY Receives DESC

Once we had the results with IP addresses and server names in CSV format, it was time to clean up this list, i.e. remove any unwanted entries, and add the rest in bulk to the locked-down receive connectors we created on each HUB server.
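The two LPS queries above do one thing: group relay traffic by client IP (and client name) and rank the clients by hit count, filtered to the open relay connector in the Exchange case. The following Python script is an added example, not part of the original post or of the author's scripts, that performs the same aggregation offline over constructed sample logs. The Exchange sample is a cut-down message tracking log (only the columns needed here are present, an assumption about the layout LPS reads); the IIS sample follows the W3C format written by the Windows 2003 SMTP service. Both are parsed from their "#Fields:" header, so the same functions run unchanged on real log files.

```python
"""Enumerate clients using an open SMTP relay from Exchange and IIS SMTP logs."""
import csv
import io
from collections import Counter

# Constructed sample (not real data): an Exchange 2010 message tracking log reduced
# to the columns used below. 10.0.0.9 arrives on the default connector, not the relay.
EXCHANGE_TRACKING_LOG = """\
#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id
2014-03-01T08:00:01.000Z,10.0.0.2,app01.contoso.com,10.0.1.10,HUB01,,HUB01\\SMTP Applications Relay,SMTP,RECEIVE
2014-03-01T08:00:05.000Z,10.0.0.3,app02.contoso.com,10.0.1.10,HUB01,,HUB01\\SMTP Applications Relay,SMTP,RECEIVE
2014-03-01T08:01:00.000Z,10.0.0.2,app01.contoso.com,10.0.1.10,HUB01,,HUB01\\SMTP Applications Relay,SMTP,RECEIVE
2014-03-01T08:02:00.000Z,10.0.0.9,user-pc.contoso.com,10.0.1.10,HUB01,,HUB01\\Default HUB01,SMTP,RECEIVE
2014-03-01T08:03:00.000Z,10.0.0.2,app01.contoso.com,10.0.1.10,HUB01,,HUB01\\SMTP Applications Relay,SMTP,RECEIVE
"""

# Constructed sample (not real data): a Windows 2003 IIS SMTP service log in W3C format.
# For SMTP, cs-username carries the name the client announced in HELO/EHLO.
IIS_SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2014-03-01 08:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2014-03-01 08:00:00 10.0.0.5 app03.contoso.com SMTPSVC1 RELAY01 10.0.1.20 25 HELO - +app03.contoso.com 250
2014-03-01 08:00:01 10.0.0.5 app03.contoso.com SMTPSVC1 RELAY01 10.0.1.20 25 MAIL - +FROM:<a@contoso.com> 250
2014-03-01 08:00:02 10.0.0.6 app04.contoso.com SMTPSVC1 RELAY01 10.0.1.20 25 HELO - +app04.contoso.com 250
"""


def parse_w3c(text, delimiter):
    """Yield one dict per data line; the '#Fields:' directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(delimiter)
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split(delimiter)))  # samples contain no quoted fields


def count_relay_clients(rows, ip_field, name_field, connector_field=None, connector_match=None):
    """Hits per (client IP, client name), most active first, optionally restricted to
    rows whose connector name contains connector_match (like the LPS WHERE ... LIKE)."""
    hits = Counter()
    for row in rows:
        if connector_match is not None and \
                connector_match.lower() not in row.get(connector_field, "").lower():
            continue
        hits[(row[ip_field], row[name_field])] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


def exchange_relay_clients(log_text=EXCHANGE_TRACKING_LOG, connector_match="SMTP Application"):
    """Equivalent of the Exchange 2010 query: clients seen on the open relay connector."""
    return count_relay_clients(parse_w3c(log_text, ","), "client-ip", "client-hostname",
                               "connector-id", connector_match)


def iis_relay_clients(log_text=IIS_SMTP_LOG):
    """Equivalent of the Windows 2003 query: clients seen by the IIS SMTP service."""
    return count_relay_clients(parse_w3c(log_text, " "), "c-ip", "cs-username")


def to_csv(results):
    """Same shape as the LPS Output.CSV: c-ip,c-user,Receives."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["c-ip", "c-user", "Receives"])
    for (ip, name), count in results:
        writer.writerow([ip, name, count])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(exchange_relay_clients()))
    print(to_csv(iis_relay_clients()))
```

The resulting CSV is the raw candidate list; as the post says, review it before feeding it to the connector, since a workstation that happened to relay once belongs on the "investigate" list, not the allowed list.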

Step 4 – Add existing list of applications to the new locked down SMTP relay connector.

Now, to allow an IP address in the receive connector properties, we have to open the connector in the GUI, add the IP address, and repeat the same steps for all HUB servers that have that connector.

Being a lazy admin, I cannot see myself doing that. The other way is to create a variable with all the IP addresses collected in Step 3 and then run the PowerShell cmdlets below to set the list of IP addresses on the receive connector within the environment, i.e. on each server:

  • $IPAddress = Import-Csv <location of csv> | Select-Object -ExpandProperty IPAddress
  • Set-ReceiveConnector “Server01\Applications Mail Relay” -RemoteIPRanges:$IPAddress

Still, if you have 5 to 10 servers, I cannot see myself repeating the same steps more than twice. So I came up with the following scripts:

Manage-IPAddresses

  • Add-IPAddressToConnector: This script adds a specific IP address or range of IP addresses to all receive connectors named Applications Mail Relay, using either manual input or input from a txt or csv file. The script also generates an HTML report which is (or can be) emailed to administrator(s) for reference if required. It also generates a log file and a backup data file, so if at any point anything goes wrong, you have the list of IP addresses already added to the connectors in txt/log format.

.\Add-IPAddressToConnector.ps1 -IPAddress 10.0.0.2

New IP Address

For more details about how this script works, please refer to the help using the cmdlet below.

Get-Help .\Add-IPAddressToConnector.ps1 -Detailed

  • Remove-IPAddressToConnector: This script is the twin of the first one, except that it removes IP addresses from the receive connector named Applications Mail Relay instead of adding them, using either manual input or input from a txt or csv file.

.\Remove-IPAddressToConnector.ps1 -IPAddress 10.0.0.2

Remove IP Address

For more details about how this script works, please refer to the help using the cmdlet below.

Get-Help .\Remove-IPAddressToConnector.ps1 -Detailed

  • Check-IPAddressToConnector: Now that you’ve added/removed IP addresses, you sometimes also have to check whether a particular IP address exists in the receive connector or not. For that purpose, you use this script: it checks whether one particular address exists in the long list of allowed IP addresses.

.\Check-IPAddressToConnector.ps1 -IPAddress 10.0.0.2

For more details about how this script works, please refer to the help using the cmdlet below.

Get-Help .\Check-IPAddressToConnector.ps1 -Detailed
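Two details of Step 4 are worth modelling before touching production: Set-ReceiveConnector -RemoteIPRanges replaces the whole list rather than appending to it, so the list you build from the CSV must already be complete, and an entry that is too broad (a whole private range, or 0.0.0.0-255.255.255.255) quietly turns the "locked" connector back into an open relay. The Python below is an added example, not the author's Add/Remove/Check scripts, that loads an allowed list in the three forms Exchange accepts for RemoteIPRanges (single address, CIDR, first-last range), de-duplicates it, answers the "is this address allowed?" question the Check script answers, and flags entries wider than a configurable host count. The list contents are constructed for the example.

```python
"""Model of a receive connector's RemoteIPRanges allowed list: load, check, audit."""
import ipaddress

# Constructed sample allowed-list file (not the author's data). The last entry is
# deliberately wrong: it allows every IPv4 address, i.e. it is an open relay again.
ALLOWED_LIST = """\
# one entry per line; comments after '#'
10.0.0.2
10.0.0.3
10.0.0.0/24                 # whole application subnet
192.168.10.1-192.168.10.20  # range form, as Exchange accepts it
10.0.0.2                    # duplicate, skipped on load
0.0.0.0-255.255.255.255     # far too broad
"""


def parse_remote_ip_range(entry):
    """Return (first, last) addresses covered by one RemoteIPRanges-style entry."""
    entry = entry.strip()
    if "-" in entry:                       # first-last form
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range is reversed: {entry}")
        return lo, hi
    if "/" in entry:                       # CIDR form
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    addr = ipaddress.ip_address(entry)     # single address
    return addr, addr


def load_allowed_list(lines):
    """Parse a txt/csv-style list, ignoring comments, blanks and exact duplicates."""
    ranges, seen = [], set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rng = parse_remote_ip_range(line)
        if rng not in seen:
            seen.add(rng)
            ranges.append(rng)
    return ranges


def is_allowed(ip, ranges):
    """True if ip falls inside any entry: the question Check-IPAddressToConnector answers."""
    addr = ipaddress.ip_address(ip)
    return any(lo.version == addr.version and lo <= addr <= hi for lo, hi in ranges)


def host_count(rng):
    lo, hi = rng
    return int(hi) - int(lo) + 1


def too_broad(ranges, max_hosts=256):
    """Entries covering more hosts than a single /24: review these before applying."""
    return [rng for rng in ranges if host_count(rng) > max_hosts]


def drop_broad(ranges, max_hosts=256):
    """The list with over-broad entries removed, ready to apply as the complete set."""
    broad = set(too_broad(ranges, max_hosts))
    return [rng for rng in ranges if rng not in broad]


if __name__ == "__main__":
    ranges = load_allowed_list(ALLOWED_LIST.splitlines())
    for rng in too_broad(ranges):
        print(f"WARNING: {rng[0]}-{rng[1]} covers {host_count(rng)} hosts")
    safe = drop_broad(ranges)
    for probe in ("192.168.10.7", "192.168.10.21", "203.0.113.5"):
        print(probe, "allowed" if is_allowed(probe, safe) else "denied")
```

The audit function is the piece to keep: run it over the CSV every time the list changes, because the GUI accepts a first-last range that spans the entire address space without complaint.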

Step 5 – Change the DNS entries if necessary to point to new SMTP connector.

Now that the Exchange part is almost set up, you need to ensure emails start flowing through this new connector.

In our scenario, we had a few DNS entries pointing to the old Windows 2003 IIS SMTP relay as well, so we pointed them to the Exchange HUB VIP to ensure all SMTP traffic goes via the VIP.

Step 6 – Disable the open relay connector and monitor for situation.

At this point, if you’re certain that all IP addresses have been added to the locked receive connector, you can disable the open relay connectors to force traffic to flow through the locked down receive connector accordingly.

Once you disable the open relay connector, you might face the following setbacks in large organizations:

  • There might be some IP addresses that do not connect that frequently and didn’t show up in the logs when you were gathering the list of applications in Step 3. These applications will not be able to send relayed emails now that the open relay connectors are closed. You’ll have to use the Add-IPAddressToConnector script to add their IP addresses to the allowed list quickly and get them back in action.
  • Application owners have been used to just using the open relay whenever they want, without any extra step or action. They’ll be a bit frustrated with this change; you will have to phase them in with the new process that you set up for managing locked-down receive connectors, weighing the advantages of having it against keeping an open relay in the environment.

Step 7 – Perform necessary cleanup and create a process for new applications.

Once the transition is over, you can put some processes in place: how application owners request access to the locked-down SMTP relay, how administrators add them, and how you keep track of additions and removals.

For example, you can create a request form for application owners to submit requests, and an Excel sheet for administrators so they can record the application IP addresses they add or remove.

You can also delete the old open relay connectors to reduce the footprint of your environment.

Conclusion:

Once all is said and done, you’ll have a strange feeling of relief: the feeling of having a more secure, more controlled and centralized environment. A happier environment for end users, too.

Hope you find the above information helpful. You can find the required links and downloads below. Till next time!

References:

Downloads

March 13, 2014 | Posted in: Exchange Server, Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, Exchange Server General

Windows Server 2012 – Implementing DNSSEC – Part 1

Hello All

I have been exploring new features introduced with Windows Server 2012 and Windows Server 2012 R2 in depth recently and one feature which intrigued me a lot is DNSSEC.

In this series of blogs, we’ll see what DNSSEC is, how it works, how it helps make your environment secure, and how to implement it in an environment, along with related considerations.

Before we begin, some key terms you should be familiar with:

  • DNS: The Domain Name System (DNS) is a service designed to resolve host names to IP addresses and vice versa.
  • DNS Server: Any computer providing domain name services is a DNS name server. Any DNS server implementing support for Service Location Resource Records and Dynamic Updates is sufficient to provide the name service for any operating system.
  • Authoritative Server: Any DNS server that contains a complete copy of the domain’s zone file is considered to be authoritative for that domain.
  • Non-Authoritative Server: Non-authoritative servers do not contain copies of any domains. Instead they have a cache file that is constructed from all the DNS lookups they have performed in the past for which they have gotten an authoritative response.
  • DNS Query: A query is a request for information sent to a DNS server. The three types of queries are recursive, inverse and iterative.
  • DNS Client: A DNS client is any machine that issues queries to a DNS server. The client host name may or may not be registered in the DNS database.
  • Resolver: Resolvers are software processes that handle the actual process of finding the answer to queries for DNS data. They can be client computers or the DNS server itself, trying to resolve an address on behalf of a client for a given query.

So What is DNSSEC?

Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the Domain Name System (DNS) protocol by enabling DNS responses to be validated. Specifically, DNSSEC provides origin authority, data integrity, and authenticated denial of existence. With DNSSEC, the DNS protocol is much less susceptible to certain types of attacks, particularly DNS spoofing attacks.

Before we deep dive into DNSSEC, let’s briefly discuss how DNS spoofing works.

How Does DNS Spoofing Work?

DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server’s cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer (often the attacker’s).

Consider a scenario where a client sends a query to a recursive DNS server or a forwarder (a non-authoritative DNS server).

However, an attacker is listening on the network between the client and the recursive server, OR between the recursive and authoritative servers.

DNS Attack

If the attacker successfully beats one of the two legitimate responses in the above diagram, i.e. provides either a spoofed DNS response to the recursive server OR a spoofed DNS response to the DNS client, then, since neither of the querying parties checks the validity or authenticity of the response, the attacker successfully redirects the client/user to basically whichever destination he/she wants.

DNSSEC provides security in the above scenarios by signing the responses with a key, such that DNS clients can validate the authenticity of a response before accepting it as valid.

How Does DNSSEC Work?

A DNS zone can be secured with DNSSEC using a process called zone signing. Signing a zone with DNSSEC adds validation support to a zone without changing the basic mechanism of a DNS query and response.

Validation of DNS responses occurs through the use of digital signatures that are included with DNS responses. These digital signatures are contained in new, DNSSEC-related resource records that are generated and added to the zone during zone signing.

Zone Signing

DNSSEC Validation

Consider a scenario in which Adam tries to reach an internal website, www.JustForTest.Contoso.com. Adam’s computer sends the query for the Justfortest.Contoso.com domain to a recursive DNS server. Since the server doesn’t have the response in its cache, it goes to the authoritative server for that domain for the response.

Now, since the zone is signed, rather than just providing the ‘A’ record as the response to the recursive server, the authoritative server also sends the DNSSEC records to the recursive server. Basically, it sends the response locked in a box, and the key to open it separately.

The recursive DNS server uses the DNSKEY resource record to validate responses from the authoritative DNS server by decrypting the digital signatures that are contained in DNSSEC-related resource records, and then by computing and comparing hash values. If the hash values are the same, the box opens and it provides a reply to Adam’s workstation with the DNS data that it requested. If the hash values are not the same, the box doesn’t open and it replies with a SERVFAIL message. In this way, a DNSSEC-capable resolving DNS server with a valid trust anchor installed protects against DNS spoofing attacks whether or not DNS clients are DNSSEC-aware.

DNS Validation

DNSKEYs are used to compute hash values and decrypt RRSIG records. The figure does not display all validation processes that are performed. Additional validation is also carried out to ensure the DNSKEYs are valid and that DS records are valid, if they exist (not shown above).

DNSSEC Related Resource Records:

  • Resource Record Signature (RRSIG): Signatures that are generated with DNSSEC are contained in RRSIG records. Each RRSIG record is matched to another record in the zone for which it provides a digital signature.
  • Next Secure (NSEC): An NSEC record is used to prove the nonexistence of a DNS name. NSEC records prevent spoofing attacks that are intended to fool a DNS client into believing that a DNS name does not exist.
  • Next Secure 3 (NSEC3): NSEC3 is a replacement or alternative to NSEC that has the additional benefit of preventing “zone walking”, which is the process of repeating NSEC queries in order to retrieve all the names in a zone.
  • Next Secure 3 Parameter (NSEC3PARAM): The NSEC3PARAM record is used to determine which NSEC3 records to include in responses for non-existing DNS names.
  • DNS Key (DNSKEY): A DNSKEY resource record stores a public cryptographic key that is used to verify a signature. The DNSKEY record is used by a DNS server during the validation process.
  • Delegation Signer (DS): A DS record is a DNSSEC record type that is used to secure a delegation. DS records are used to build authentication chains to child zones.

Trust anchors

DNSKEY and DS resource records are also called trust anchors or trust points. A trust anchor must be distributed to all non-authoritative DNS servers that will perform DNSSEC validation of DNS responses for a signed zone. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named TrustAnchors.dns. A DNS server running Windows Server 2012 or a later operating system also displays configured trust anchors in the DNS Manager console tree in the Trust Points container.
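The validation steps described above (hashing, comparing, and the DS-to-DNSKEY link that chains a child zone to its parent or to a trust anchor) can be made concrete with the one piece of that chain that needs no signing key: computing a DS record from a DNSKEY and checking that the two match. The Python below is an added example, not part of the original post or of the Windows DNS server's code. It implements the DNSKEY RDATA layout, the RFC 4034 key tag and the DS digest (SHA-256, digest type 2) as standardized, and then performs the comparison a validating resolver makes when it walks from the parent's DS to the child's DNSKEY. The public key bytes are a constructed placeholder, not a real key, and the zone name reuses the post's example domain.

```python
"""DS <-> DNSKEY linkage as a validating resolver checks it (RFC 4034 formats)."""
import hashlib

# Constructed placeholder key material (not a real key; real RSA/ECDSA keys are longer).
SAMPLE_PUBLIC_KEY = bytes(range(1, 65))
KSK_FLAGS = 257           # ZONE (256) + SEP (1): a key-signing key, the kind a DS points at
ALG_RSASHA256 = 8         # IANA DNSSEC algorithm number for RSA/SHA-256


def canonical_wire_name(name):
    """RFC 4034 canonical form: lowercase labels, each length-prefixed, root terminator."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, then the key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = digest(canonical owner name || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(canonical_wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, algorithm, public_key, digest_type=2):
    """What the parent zone publishes (or what an admin installs as a trust anchor)."""
    rdata = dnskey_rdata(flags, 3, algorithm, public_key)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def ds_matches_dnskey(ds, owner, flags, algorithm, public_key):
    """The resolver's check when building the chain: the DS it trusts must match the
    DNSKEY the child served (same key tag, algorithm, and digest over the same bytes).
    A mismatch means the DNSKEY cannot be used, and validation ends in SERVFAIL."""
    rdata = dnskey_rdata(flags, 3, algorithm, public_key)
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == algorithm
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


if __name__ == "__main__":
    zone = "JustForTest.Contoso.com."
    ds = make_ds(zone, KSK_FLAGS, ALG_RSASHA256, SAMPLE_PUBLIC_KEY)
    print(f"{zone} DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("genuine key validates:", ds_matches_dnskey(ds, zone, KSK_FLAGS, ALG_RSASHA256, SAMPLE_PUBLIC_KEY))
    forged = bytes([9]) + SAMPLE_PUBLIC_KEY[1:]   # a key substituted by someone who cannot change the parent's DS
    print("substituted key validates:", ds_matches_dnskey(ds, zone, KSK_FLAGS, ALG_RSASHA256, forged))
```

The point of the second check is the whole security argument: a spoofed answer can carry any DNSKEY it likes, but it cannot make that key match the DS the resolver already holds from the parent zone or its trust anchor.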

Conclusion

DNSSEC helps validate the responses sent back by authoritative and non-authoritative servers to DNS clients, and protects your environment from the major threat present in DNS, the DNS spoofing attack.

In the next part of this post, we’ll see how to implement DNSSEC on a Windows Server 2012 R2 server and what’s new in DNSSEC with Windows Server 2012 R2. Meanwhile, for further details on DNSSEC, please refer to the articles in the reference section below.

References:


March 12, 2014 | Posted in: Active Directory, Windows OS

Unread emails not updating correctly in Shared Mailbox

Hello All

Recently I came across an interesting issue where users had a shared mailbox open in their Outlook profiles; however, when they were reading emails within the shared mailbox, the emails were not changing to show as read. It threw me off for a while, so I’m writing quickly about it so that it can save you some time troubleshooting the same. :-)

Summary of issue: Unread emails not changing status to read in shared mailboxes.

Environment:

  • Outlook 2007/2010/2013 in Online Mode
  • Exchange 2010 SP3 UR3 and above
  • Shared mailboxes in online mode within a cached Outlook profile.
  • Outlook profile in online mode.

What’s the issue: When a user has sorted emails within the shared mailbox using Categories and then reads an email as usual, the unread email does not change or show as read. If the user goes back to his/her primary mailbox and then comes back into the shared mailbox, the emails show as read. The user is also able to send read receipts for the emails in question, but the emails do not show as read within the shared mailbox.

Cause of issue: The issue seems to be a bug introduced with Exchange 2010 SP3 RU3, which hasn’t been resolved yet in RU5 (released February 2014), where, when a user sorts email using Categories within a shared mailbox, the read/unread flag doesn’t update correctly.

Workaround: If the user sorts email using date or name (anything besides Category), the read/unread flag should start updating correctly within the shared mailbox. We don’t have many users in our environment sorting emails using Categories, and those who were are OK sorting by name/date OR setting up rules to move emails into separate folders, which fulfils a similar purpose to Categories.

Alternatively, you can ask the user to go back into their primary mailbox and then come back into the shared mailbox, which should update the read/unread flag. Not an alternative I recommend, as it makes Outlook look harder to use, but it depends on each individual/administrator. ;-)

Update: KB2925273 details this issue and the workaround as well. Thanks to Chris for sharing KB2925273 in the comments section; I must’ve missed it originally.

Resolution: Currently there are no plans that I’ve heard of regarding fixing this bug. Hopefully the issue will be resolved with the next roll-up update. I will keep you posted if we hear something on the same.

Hope you find the above information helpful. Thanks for reading!

March 11, 2014 | Posted in: Exchange Server, Exchange Server 2010, Exchange Server General, Outlook | 2 Comments

Microsoft Updates Released – February 2014

Hello All

February 2014 seems to have been a major updates month for Microsoft Office and Office services products. In this blog we’ll list the updates released and the major features provided with these updates for the Office and Office services world.

The major updates released include:

  1. Microsoft Office 2013 Service Pack 1
  2. February 2014 update for Lync Desktop Client
  3. Exchange Server 2013 Service Pack 1
  4. Exchange Server 2010 Service Pack 3 Roll-Up 5
  5. Exchange Server 2007 Service Pack 3 Roll-Up 13
  6. Office for Mac 2011 14.2 Update

Let’s briefly discuss the above updates one by one, with the key improvements in each:

Microsoft Office 2013 Service Pack 1

Version – 15.0.4569.1506 or higher

The following are the key areas of improvement that are offered by this SP1:

  • Improves compatibility with Windows 8.1.
  • Improves compatibility with Internet Explorer 11.
  • Improves compatibility with modern hardware, such as high-DPI devices and the precision touchpad.
  • Provides new apps for Office capabilities and APIs for third-party developers.

February 2014 Update for Lync Desktop Client

Features included with this update:

  • Toggle pictures of sender/receiver
  • Support of high-resolution monitors (200% scaling mode)
  • Transfer files and pictures in a Persistent Chat room

Exchange Server 2013 Service Pack 1

Version – 15.00.0847.032 or higher

The following are the key areas of improvement that are offered by this SP1:

  • Windows Server 2012 R2 support
  • Edge Transport servers return
  • OWA Junk Email reporting
  • S/MIME for Message Signing and Encryption
  • SSL Offloading Support
  • Exchange OAuth authentication protocol
  • DAG without an Administrative Access Point

Exchange Server 2010 Service Pack 3 Roll-Up 5

This Rollup includes the following fixes:

  • 2887459 Public folder expiry time is set incorrectly in Exchange Server 2010 SP3
  • 2892257 Email items are lost when you move items between shared folders by using EWS delegate access
  • 2897935 “Cannot save the object ‘\FolderName’” error message when you try to replicate Exchange Server 2010 public folders
  • 2898908 EdgeTransport.exe crashes if the From field is empty in an email message
  • 2903831 Only a single character is allowed in the disclaimer content in ECP
  • 2904459 RPC Client Access service crashes if you add “Signed By” or “Send From” column in Outlook online mode
  • 2913413 RPC Client Access service crashes with an exception in Exchange Server 2010
  • 2913999 Meeting request body and instructions are lost in delegate’s auto-forwarded meeting request
  • 2916836 EdgeTransport.exe crashes when a transport rule sends a rejection message to an empty address
  • 2919513 Memory leak or memory corruption occurs in Exchange Server 2010
  • 2924971 RPC Client Access service stops when you select an inactive search folder in Outlook 2007 in an Exchange Server 2010 SP3 environment
  • 2926057 EdgeTransport.exe crashes if seek operation failed in Exchange Server 2010
  • 2927856 Incorrect recurring meeting if disclaimer transport rule is enabled in Exchange Server 2010

Exchange Server 2007 Service Pack 3 Roll-Up 13

This Rollup introduces the following fix:

  • 2926397 An Edge Subscription file from an Exchange 2013 Edge Transport server is rejected by an Exchange 2007 Hub Transport server

Office for Mac 2011 14.2 Update

Improvements for Microsoft Outlook for Mac 2011

  • The database and the rebuild utility are improved.
  • Outlook for Mac performance in key scenarios is improved.
    • General responsiveness during syncing
    • Deleting multiple records
    • Displaying email message content
    • Sending email messages
  • Exchange email message sync is improved.
  • Support for calendar scheduling resources is improved.
  • Week numbers are added to the calendar display.
  • Distribution list expansion functionality is included.

In the coming days we’ll be discussing each update in detail in its respective blog. Hope you found the above information helpful!

References:

Thanks for reading !

March 7, 2014   Posted in: Exchange Server, Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, Lync 2013, Outlook

Lync – Automate updating SIP Domain Changes

Hello All

Recently I had a requirement to modify the Lync sign-in address (SIP address/domain) for multiple users. This also required me to notify the users of what they need to do after the change of sign-in address, which included:

  1. Use the new sign-in address for signing in to Lync.
  2. Their email address is not changed, just the Lync sign-in address.
  3. They need to update the Lync meetings they created as organizer with the new meeting URL and re-send them, as the old URLs will not work after the change.

In addition to the SIP domain change, we needed to assign some new policies to the user accounts as well.

Being a lazy admin, I couldn’t see myself doing this for each user account individually in the Lync Management Shell, and definitely not in the Lync Control Panel.

To achieve this, I put together a quick PowerShell script, Update-CsSipAddress, which:

  1. Takes a backup of the existing Lync account properties for the user accounts in CSV format.
  2. Logs erroneous accounts in a separate CSV file.
  3. Checks whether the user’s Lync account exists and whether it already has the new SIP domain assigned.
  4. Makes the required changes to the SIP domain and policies.
  5. Notifies the administrator by email of any error encountered while modifying the attributes.
  6. Notifies each user, as their SIP address changes, about the change, with detailed instructions on what to do next.
  7. Generates an HTML report for administrators showing how many accounts were changed, how many were skipped, and the details of the changes made.
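The seven steps above, as an added PowerShell example; this is not the Update-CsSipAddress script from the post. It assumes the Lync Server Management Shell is loaded (Get-CsUser, Set-CsUser, Grant-CsClientPolicy), that Send-MailMessage can reach the relay in $SmtpServer, and that the input CSV has the columns Identity, Mail and ClientPolicy. Every domain, host name and mail address in it is a placeholder, and the users.csv shown in the header comment is a constructed sample. The script records the old properties before any change, skips accounts already on the new domain, and changes nothing when run with -WhatIf.

```powershell
<#
  Added example, not the post's Update-CsSipAddress script.
  Assumptions: Lync Management Shell loaded; Send-MailMessage can reach $SmtpServer;
  input CSV columns Identity, Mail, ClientPolicy. All names below are placeholders.

  users.csv (constructed sample):
    Identity,Mail,ClientPolicy
    sip:jdoe@olddomain.example,jdoe@mail.example,Tag:StandardClientPolicy
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $InputCsv,
    [string] $NewSipDomain = 'newdomain.example',
    [string] $SmtpServer   = 'smtp.example.internal',
    [string] $FromAddress  = 'lyncadmin@mail.example',
    [string] $AdminMail    = 'lyncadmin@mail.example',
    [string] $OutDir       = (Join-Path (Get-Location) 'SipChange')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = Join-Path $OutDir "backup-$stamp.csv"     # step 1: pre-change properties
$errLog  = Join-Path $OutDir "errors-$stamp.csv"     # step 2: accounts that failed
$report  = Join-Path $OutDir "report-$stamp.html"    # step 7: admin summary
$results = @()

foreach ($row in Import-Csv -Path $InputCsv) {
    $entry = [pscustomobject]@{ Identity = $row.Identity; OldSip = ''; NewSip = ''; Status = ''; Error = '' }
    try {
        # step 3: the account must exist in Lync
        $user = Get-CsUser -Identity $row.Identity -ErrorAction Stop
        $entry.OldSip = $user.SipAddress
        $user | Select-Object SipAddress, DisplayName, Enabled, RegistrarPool, ClientPolicy, ConferencingPolicy |
            Export-Csv -Path $backup -Append -NoTypeInformation

        # keep the local part of the SIP address, swap only the domain
        $local  = (($user.SipAddress -replace '^sip:', '') -split '@')[0]
        $newSip = "sip:$local@$NewSipDomain"
        $entry.NewSip = $newSip

        if ($user.SipAddress -ieq $newSip) {
            $entry.Status = 'Skipped'               # step 3: already on the new domain
        }
        elseif ($PSCmdlet.ShouldProcess($user.SipAddress, "Set SIP address to $newSip")) {
            # step 4: SIP address first, then the policy named in the CSV
            Set-CsUser -Identity $user.Identity -SipAddress $newSip -ErrorAction Stop
            if ($row.ClientPolicy) {
                Grant-CsClientPolicy -Identity $user.Identity -PolicyName $row.ClientPolicy -ErrorAction Stop
            }
            # step 6: the user's mail address is unchanged, so the notice goes there
            $body = @"
Your Lync sign-in address has changed to $newSip.
1. Sign in to Lync with the new address. Your e-mail address is unchanged.
2. Lync meetings you organised now have a new meeting URL: update and re-send them, the old URLs no longer work.
"@
            Send-MailMessage -To $row.Mail -From $FromAddress -SmtpServer $SmtpServer -Subject 'Your Lync sign-in address has changed' -Body $body
            $entry.Status = 'Changed'
        }
        else { $entry.Status = 'WhatIf' }
    }
    catch {
        $entry.Status = 'Failed'
        $entry.Error  = $_.Exception.Message
    }
    $results += $entry
}

# steps 2 and 5: failed accounts go to their own CSV and to the administrator
$failed = @($results | Where-Object { $_.Status -eq 'Failed' })
if ($failed.Count -gt 0) {
    $failed | Export-Csv -Path $errLog -NoTypeInformation
    Send-MailMessage -To $AdminMail -From $FromAddress -SmtpServer $SmtpServer -Subject "SIP change: $($failed.Count) account(s) failed" -Body 'See the attached error log.' -Attachments $errLog
}

# step 7: HTML report with a count per outcome and one row per account
$counts = ($results | Group-Object Status | ForEach-Object { "$($_.Name): $($_.Count)" }) -join ', '
$results | ConvertTo-Html -Title 'SIP domain change report' -PreContent "<h2>SIP domain change $stamp</h2><p>$counts</p>" |
    Out-File -FilePath $report -Encoding UTF8
Write-Host "Report written to $report"
```

Run it first as `.\Change-SipDomain.ps1 -InputCsv .\users.csv -WhatIf` to get the backup CSV and a report of what would change without touching any account; the backup file is what you restore from with Set-CsUser if a change has to be reverted.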

To see details of how the script works, refer to its help using the cmdlet below:

Get-Help .\Update-CsSipAddress.ps1 -Detailed

You can also download the script from -> http://1drv.ms/1hAUO18

Hopefully you find this script helpful and it makes you a Rock Star Administrator for your Lync environment. :-)

In the coming days we’ll be uploading a few other scripts, such as ones for monitoring Lync performance counters and for monitoring Lync SQL database failover status proactively.

Thanks for reading !

February 21, 2014   Posted in: Lync 2013, Lync Server 2010, Uncategorized

Outlook – Calendar issues due to Meeting Corruption

Hello All

For most Exchange environments and Exchange administrators, the majority of the typical and complicated issues raised by end users are around their calendars. Every now and then you’ll see one of the issues listed below:

  • Meeting has disappeared from calendar
  • Unable to send updates or cancellation for meeting
  • Calendar items not synchronized properly to iPhone/Smartphone
  • Unable to track meeting responses

And the above are just the tip of the iceberg; I am sure you’ve seen a variety of calendar issues, and each one comes with a good level of difficulty while troubleshooting.

In this post we’ll discuss issues caused mainly by internal meeting corruption and how to address them using MFCMapi.

What do you mean by internal corruption?

With the release of Exchange 2010 and Single Item Recovery, there are scenarios in which a meeting attaches itself within the meeting multiple times, most probably due to the “Copy on Write” operation associated with Single Item Recovery and Litigation Hold. There are multiple factors that can cause this issue, but basically those attachments of the meeting within the meeting are the internal corruption. It happens in the background, completely unknown to the end user, and causes the issues described later in this post. The issue is mostly seen with recurring meeting invites.

Attachments

What are issues caused by internal corruption?

The following are a few of the top issues that you’ll notice because of this corruption:

  • User unable to send an update or cancellation for a meeting: Because of these internal attachments or corruption, the user receives the error below while trying to send an update or cancellation for these meetings, stating that the message size is too large to be sent out.

Attachment Size

It’s basically caused by the fact that the internal corruption has increased the size of the meeting to the point where it crosses the transport send/receive limits configured in your environment.

  • User updates the meeting details; it updates on attendee calendars but not on the organizer’s calendar: Another commonly seen issue caused by this corruption: the user, for example, updates the time of a meeting invite; it updates properly on attendee calendars but not on his/her own calendar.

Once you fix the meeting invite using the steps in the later section of this post, and the user then updates the meeting invite, it goes out fine and updates properly.

  • Synchronization with your iPhone failed for 1 items: Once the size of the meeting grows exponentially large due to corruption, the item fails to synchronize to the user’s ActiveSync device, and iDevice users start getting this synchronization failure for the same meeting:

Sync Failed iPhone

Same issue, but this one is caused by the throttling policy and the fact that devices are not able to process such large HTTP packets/requests in the given time, because of which they start throwing the above error for the given meeting invite. You’ll also see other minor issues like Outlook reminders not stopping for the said meeting, Outlook crashing while trying to open the meeting series, etc.

Possible causes of this issue: Now that we know what the issue is and how it impacts end users, we can discuss the possible causes in order of probability, so that we can avoid it pre-emptively:

  • Long running recurring series: The most common cause of this issue, and the one with the most impact, is long running recurring meeting series. Users have a bad habit of keeping “no end date” on a recurring meeting series and inviting a lot of attendees to it. To top it all, they keep updating the same series frequently, and there are attendees who respond to these meetings using a variety of smartphones. This causes the meeting corruption discussed above.
  • As per Microsoft’s best practices, end users should not extend the recurrence of a meeting beyond three months or a quarter. They should create a new series every three months, or at worst every six months, to avoid this issue.
  • Calendar Repair & Logging: There are not enough diagnostic logs to support this theory yet, but the corruption is probably caused by the Exchange Calendar Repair Assistant, which tries to repair meetings or scans for meetings that might have dropped off other users’ calendars. Not really sure about this one, but at times disabling calendar repair and logging for a set of user mailboxes has helped reduce the frequency with which this issue is seen for them.
  • Single item recovery & Legal hold: With the single item recovery copy-on-write operation, Outlook auto-saves the meeting and attachment every 3 seconds. Theoretically (not enough logs to show it), the COW operation causes the auto-saved meeting to attach within the meeting itself and causes the internal corruption. Not really sure about this one, but at times disabling single item recovery for a set of user mailboxes has helped reduce the frequency with which this issue is seen for them.
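The two mailbox settings named in the last two causes, and the transport limit behind the “message size too large” error, can be checked and changed from the Exchange Management Shell. The script below is an added example, not from the post: it assumes Get-Mailbox, Set-Mailbox, Get-MailboxFolderStatistics and Get-TransportConfig are available and takes a list of mailbox aliases (the sample aliases in the comments are constructed). It records a baseline CSV of every setting before anything is changed, changes nothing unless -DisableCalendarRepair or -DisableSingleItemRecovery is passed, honours -WhatIf, and, as an assumption of this example, leaves single item recovery alone on mailboxes that are on litigation hold.

```powershell
<#
  Added example, not from the post. Assumes the Exchange Management Shell
  (Get-Mailbox, Set-Mailbox, Get-MailboxFolderStatistics, Get-TransportConfig).
  Sample usage (constructed aliases):
    .\Review-CalendarSettings.ps1 -Mailbox jdoe, asmith -DisableCalendarRepair -WhatIf
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string[]] $Mailbox,
    [string] $BaselineCsv = ".\calendar-baseline-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv",
    [switch] $DisableCalendarRepair,
    [switch] $DisableSingleItemRecovery
)

# The organisation-wide limits a corrupted meeting has to exceed before the organiser
# gets the "message size too large" error on an update or cancellation.
$transport = Get-TransportConfig
Write-Host ("Org limits: MaxSendSize={0} MaxReceiveSize={1}" -f $transport.MaxSendSize, $transport.MaxReceiveSize)

# Baseline first: every setting that may be touched is recorded so it can be reverted.
$baseline = foreach ($id in $Mailbox) {
    $mbx = Get-Mailbox -Identity $id -ErrorAction Stop
    $cal = Get-MailboxFolderStatistics -Identity $id -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' }
    [pscustomobject]@{
        Alias                     = $mbx.Alias
        CalendarSize              = $cal.FolderSize       # a bloated calendar folder is the first hint
        CalendarItems             = $cal.ItemsInFolder
        CalendarRepairDisabled    = $mbx.CalendarRepairDisabled
        SingleItemRecoveryEnabled = $mbx.SingleItemRecoveryEnabled
        LitigationHoldEnabled     = $mbx.LitigationHoldEnabled
        MaxSendSize               = $mbx.MaxSendSize      # per-mailbox override of the org limit
    }
}
$baseline | Export-Csv -Path $BaselineCsv -NoTypeInformation
$baseline | Format-Table -AutoSize

foreach ($mbx in $baseline) {
    if ($DisableCalendarRepair -and -not $mbx.CalendarRepairDisabled -and
        $PSCmdlet.ShouldProcess($mbx.Alias, 'Disable Calendar Repair Assistant')) {
        Set-Mailbox -Identity $mbx.Alias -CalendarRepairDisabled $true
    }
    if ($DisableSingleItemRecovery -and $mbx.SingleItemRecoveryEnabled) {
        # Assumption of this example: a mailbox on litigation hold is under a retention
        # obligation, so single item recovery is left enabled there and only reported.
        if ($mbx.LitigationHoldEnabled) {
            Write-Warning "$($mbx.Alias): on litigation hold, leaving single item recovery enabled"
        }
        elseif ($PSCmdlet.ShouldProcess($mbx.Alias, 'Disable single item recovery')) {
            Set-Mailbox -Identity $mbx.Alias -SingleItemRecoveryEnabled $false
        }
    }
}
Write-Host "Baseline saved to $BaselineCsv; revert with Set-Mailbox using the recorded values."
```

The baseline CSV is the point of the script: both settings exist for data-protection reasons, so a change made while chasing calendar corruption should be recorded and reversible, and should be scoped to the handful of mailboxes showing the symptom rather than applied organisation-wide.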

How to fix this issue: The first obvious way is to open the recurring meeting series using Outlook, delete the attachments and save the meeting series. However, there are only a few cases in which you’ll see partial attachments in the meeting using Outlook. The attachments are well hidden and can only be accessed using MFCMapi.

MFCMapi provides access to MAPI stores to facilitate investigation of Exchange and Outlook issues and to provide developers with a sample for MAPI development. You can download MFCMapi from http://mfcmapi.codeplex.com/

MFCMapi

MFCMapi is a standalone exe file which doesn’t require any installation.

Step 1 – Create an Outlook profile in Online Mode: To open the mailbox store using MFCMapi, you need to create a new Outlook profile in online mode.

Step 2 – Open MFCMapi using Run as administrator: Next you need to open the profile created above using MFCMapi. To do so:

  1. Right click on MFCMapi.exe and choose Run as administrator. If you have UAC enabled, select Yes to run the application.
  2. Click Session – Logon and select the Outlook profile created in Step 1.
  3. Double click the mailbox and expand Root Container – Top of Information Store. Right click Calendar and select Open Contents Table.
  4. Sort the table by the Subject column and look for the problematic meeting. Right click it and select Attachments – Display attachment table. Note that the second column, named Att? (Attachments?), will have the value True.
  5. The attachments created by the corruption look unlike normal attachments. Make sure they are not legitimate attachments before you delete them using MFCMapi.
  6. Once you have confirmed that these are odd-looking attachments and not legitimate attachments such as .doc or .jpeg files, close the attachment table, repeat step 4 above and select Delete attachments.
  7. Once MFCMapi finishes deleting the attachments, it changes the value of the Att? column to False, as all attachments for the given meeting have been deleted.
  8. Once cleared, check the PR_CREATION_TIME property of the same message in MFCMapi and make sure the meeting is not older than 3 to 6 months, as that would indicate the user is keeping the recurrence running forever, which is the root of the issue.
  9. You can also share the calendar best practices document (referred to at the end of this post) with the end user to make sure the common tasks end users perform that can cause these issues are avoided in future.

Conclusion: Calendar issues come in various forms, have various causes, and are generally not easy to troubleshoot or to answer in a standard way. The above post describes one common cause behind a few widely seen calendar issues; there are other common causes that produce different sorts of issues and need to be diagnosed case by case. MFCMapi is a very useful tool, especially when it comes to troubleshooting calendar issues, restoring items and troubleshooting BlackBerry/ActiveSync/reminder issues, and you should explore it and familiarize yourself with it; I can assure you this tool will add a feather to your Rockstar cap! Hope you find the above information helpful, and we’ll catch up with you in our next post!

References:

February 16, 2014   Posted in: Exchange Server, Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, Exchange Server General, Outlook

EXCHANGE 2013 QUICK BITES – 1

It’s holiday time. Let’s have some quick holiday cookies. Here you go with the first set:

1. Exchange/Outlook is smart enough to download only the changes to the OAB instead of the entire thing every day.

2. You do not need to add all the Exchange 2013 CAS servers to the OAB virtual directory. Exchange 2013 OAB does *not* copy the OAB files to each server. They remain on the Mailbox server where the arbitration mailbox resides. Adding the CAS servers only determines which servers will be provided to clients by Autodiscover.

3. Exchange 2013 answers Autodiscover queries for Exchange 2007 users.

4. The Outlook Delegate settings get moved too when you move a mailbox from Exchange 2007/2010 to Exchange 2013. The Delegate will still have access to the mailbox with the permissions granted to the Delegate using Outlook. That means a Manager mailbox on Exchange 2013 and the Delegate mailbox on Exchange 2007 will have no issues as long as they both use the same Outlook version. The Delegate may not be able to open the Manager’s folder(s) if the Outlook versions are different.

5. When you introduce Exchange 2013 CAS servers to an AD site which already has Exchange 2007 servers including a CAS array, the Exchange 2013 server gets added as a member of the CAS array. All CAS servers are automatically added to the CAS array in an AD site; Exchange 2013 servers have no impact on this.

December 23, 2013   Posted in: Exchange Server 2013

Exchange 2013 : 1309 ASP.NET Warning Web Event Logs

Hi Folks,

You may see a lot of ASP.NET 4.0 1309 warnings filling up the Application log on Exchange 2013 servers after CU2 or later. These entries can be so frequent that there are 10 to 30 1309 warnings every minute. Exchange 2013 may work fine, but you never know which functionality is failing and when until users complain. An example of this event is listed below:

Log Name:      Application
Source:        ASP.NET 4.0.30319.0
Date:
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXXXXXXXXXXXXXXXXXXX
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: XXXXXXXXXXXX
Event time (UTC): XXXXXXXXXXXXXXX
Event ID: XXXXXXXXXX
Event sequence: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Event occurrence: XX
Event detail code: 0

Application information:
Application domain: XXXXXXXXXXXXXXXXx
Trust level: Full
Application Virtual Path: /OAB
Application Path: C:\Program Files\Microsoft\Exchange Server\ClientAccess\OWA\
Machine name: SERVERXXX

Process information:
Process ID: 49088
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM

Exception information:
Exception type: FileNotFoundException
Exception message: Could not load file or assembly 'Microsoft.Exchange.Net, Version=15.0.0.0, Culture=neutral, PublicKeyToken=XXXXXXXXXXXXXXXX' or one of its dependencies. The system cannot find the file specified.

CAUSE:

As the Microsoft support article KB2020789 says, the cause of the error is “It could not load the assembly Microsoft.Exchange.Diagnostics due to incorrect entry in the application web.config file.” This can happen when you install Exchange in a non-default path and then apply the CU on top of it: the CU does not recognize the customized path and just copies over the web.config file.

Note that there are separate web.config files for OAB, OWA, Autodiscover, ecp and ews. Always look at the Application Path in the event description to see which directory this warning is occurring for. It can be the path to OWA, OAB, Autodiscover, EWS, etc.

RESOLUTION STEPS:

STEP 1: Take a backup of the web.config file in whichever directory the Application Path in the error points to. If it is happening for all of them, back up the web.config files for OAB, OWA, Autodiscover, ecp and ews. By default these files are under C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess.

STEP 2: Open the web.config file in notepad.

STEP 3: Replace all “file:///%ExchangeInstallDir%” with “file:///C:\Program Files\Microsoft\Exchange Server\”, where C is the drive where Exchange is installed. Replace all instances of %ExchangeInstallDir% with the actual path of the Exchange installation folder. Do this in one go using Notepad’s Replace function, as doing each one manually would be very difficult: there are more than 500 entries.

STEP 4: Save the file.

STEP 5: Open an Administrator command prompt and run IISreset /noforce

STEP 6: Monitor the Application log. The warnings will be gone.
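Steps 1 to 5 as a single PowerShell script, added here as an example and not part of the original post. It assumes Exchange 2013 setup has populated the ExchangeInstallPath machine environment variable (with the MsiInstallPath value under HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup as a fallback; both are assumptions of this example), that the web.config files sit under <install path>\ClientAccess\<virtual directory>, and that it is run from an elevated PowerShell. It backs up each file before editing, replaces the %ExchangeInstallDir% token literally so the backslashes in the path are never interpreted as regex escapes, reports how many tokens each file contained, and only restarts IIS when asked to.

```powershell
<#
  Added example, not from the post. Assumes $env:ExchangeInstallPath (or the v15
  Setup registry key) holds the real install path, web.config files live under
  <install>\ClientAccess\<vdir>, and the shell is elevated. Supports -WhatIf.
  Sample usage:  .\Repair-WebConfigInstallDir.ps1 -WhatIf
                 .\Repair-WebConfigInstallDir.ps1 -RestartIis
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $InstallPath      = $env:ExchangeInstallPath,
    [string[]] $VirtualDirectory = @('OAB', 'OWA', 'Autodiscover', 'ecp', 'ews'),
    [switch]   $RestartIis
)

if (-not $InstallPath) {
    # Fallback (assumption): the path recorded by Exchange setup in the registry.
    $InstallPath = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction Stop).MsiInstallPath
}
# The token is followed directly by a relative path in web.config, so the replacement must end with '\'.
$InstallPath = $InstallPath.TrimEnd('\') + '\'
$token   = '%ExchangeInstallDir%'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$summary = @()

foreach ($vdir in $VirtualDirectory) {
    $cfg = Join-Path $InstallPath "ClientAccess\$vdir\web.config"
    if (-not (Test-Path -Path $cfg)) { Write-Warning "$cfg not found, skipping"; continue }

    $original = [System.IO.File]::ReadAllText($cfg)
    $count    = [regex]::Matches($original, [regex]::Escape($token)).Count
    $summary += [pscustomobject]@{ VirtualDirectory = $vdir; Tokens = $count; File = $cfg }
    if ($count -eq 0) { continue }                      # nothing to fix in this directory

    if ($PSCmdlet.ShouldProcess($cfg, "Replace $count occurrence(s) of $token with $InstallPath")) {
        # STEP 1: back up the file next to itself before editing
        Copy-Item -Path $cfg -Destination "$cfg.$stamp.bak" -Force
        # STEP 3: literal string replace, the same edit Notepad's Replace performs
        $fixed = $original.Replace($token, $InstallPath)
        # STEP 4: write back as UTF-8 so the XML declaration still matches the encoding
        [System.IO.File]::WriteAllText($cfg, $fixed, [System.Text.Encoding]::UTF8)
    }
}
$summary | Format-Table -AutoSize

# STEP 5: recycle IIS so the worker processes pick up the corrected web.config files
if ($RestartIis -and $PSCmdlet.ShouldProcess('IIS', 'iisreset /noforce')) {
    iisreset /noforce
}
```

Run it with -WhatIf first: the Tokens column then tells you which of the five directories still carries the unresolved token, which should agree with the Application Path values in the 1309 events, before any file is written.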

December 23, 2013   Posted in: Uncategorized