Connect-Mailbox and AllowLegacyDNMismatch

I solved a case where we wanted to connect an archive mailbox to a linked mailbox in Exchange 2013 (the Connect-Mailbox cmdlet connects a disconnected mailbox to an Active Directory user object).

Error from EMS:


[PS] C:\>Connect-Mailbox -Identity "Personal Archive - Jan Novak" -Archive -User JanNovak2 -Database "EXDAG1-DB03"
WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance of an object.
Object reference not set to an instance of an object.
    + CategoryInfo          : NotSpecified: (:) [Connect-Mailbox], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Exchange.Management.MapiTasks.ConnectMailbox
    + PSComputerName        : server1.contoso.com

Error from GUI:

The LegacyDN "/o=CONTOSO/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Jan Novak" of "cb67270a-ada2-472e-94cc-eb7140f3520f" is in use by the following user in Active Directory: "Pepa Novak (new)". The value for LegacyDN must be unique to each user.

Obviously, the LegacyDN attribute was not unique, and that prevented the mailbox from being connected. Note that the two values below differ only in letter case; the LegacyDN comparison is case-insensitive, so they count as the same value:

[PS] C:\> # disconnected archive
[PS] C:\>(Get-mailboxdatabase|Get-Mailboxstatistics|?{$_.DisconnectReason -ne $null -and $_.DisplayName -like "*Jan*"}).LegacyDN
/o=CONTOSO /ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Jan Novak

[PS] C:\># linked mailbox
[PS] C:\>(Get-mailbox JanNovak2).LegacyDN
/o=contoso/ou=exchange administrative group (fydibohf23spdlt)/cn=recipients/cn=Jan Novak

How to connect the mailbox in this case? According to TechNet (Connect-Mailbox (Exchange 2013)) there is a switch available:

Well, there is a switch for exactly this scenario (AllowLegacyDNMismatch), but it is documented as reserved for Microsoft use only. I do not know why that is (let me know if you have a clue), but it worked for me without a problem:

[PS] C:\> Connect-Mailbox -Identity "Personal Archive - Jan Novak" -Archive -User JanNovak2 -Database "EXDAG1-DB03" -AllowLegacyDNMismatch

[PS] C:\> Test-ArchiveConnectivity jan.novak@contoso.com

RunspaceId               : 7df20326-4fc0-4ca3-877f-5273aea0d5b7
Identity                 : jan.novak@contoso.com
PrimaryMRMConfiguration  :
PrimaryLastProcessedTime :
ArchiveDomain            :
ArchiveDatabase          : EXDAG1-DB03
ArchiveMRMConfiguration  :
ArchiveLastProcessedTime :
ComplianceConfiguration  : ElcV2
ItemMRMProperties        :
Result                   : Successfully logged on to the users Archive mailbox.
Error                    :
IsValid                  : True
ObjectState              : New
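As an added example (not from the original post), here is the pre-flight check I would run before Connect-Mailbox: it reads the LegacyDN stored in the disconnected mailbox and asks Active Directory which recipient already holds that value, so the collision is visible before the cmdlet fails with a NullReferenceException. The mailbox and database names are the placeholders from the post; it assumes an Exchange 2010/2013 Management Shell, where LegacyExchangeDN can be used in -Filter.

```powershell
# Added example, not from the original post: find the recipient that already
# owns the LegacyDN of a disconnected mailbox before calling Connect-Mailbox.
# Names below are placeholders taken from the post.
param(
    [string] $Database    = 'EXDAG1-DB03',
    [string] $DisplayName = 'Personal Archive - Jan Novak'
)

# 1. Locate the disconnected mailbox in the database and read its LegacyDN.
#    Several disconnected copies may exist (primary + archive), so take the first.
$disconnected = Get-MailboxStatistics -Database $Database |
    Where-Object { $_.DisconnectReason -ne $null -and $_.DisplayName -eq $DisplayName } |
    Select-Object -First 1

if (-not $disconnected) {
    throw "No disconnected mailbox '$DisplayName' found in database $Database"
}
$legacyDn = $disconnected.LegacyDN
Write-Host "Disconnected mailbox LegacyDN: $legacyDn"

# 2. Ask Active Directory which recipient currently carries that LegacyDN.
#    The OPATH comparison is case-insensitive, so a value that differs only in
#    letter case (as in the post) is still reported as a collision.
$owner = @(Get-Recipient -ResultSize Unlimited -Filter "LegacyExchangeDN -eq '$legacyDn'")

if ($owner.Count -gt 0) {
    Write-Warning ("LegacyDN is already in use by: " + (($owner | ForEach-Object { $_.Name }) -join ', '))
    Write-Warning 'Connect-Mailbox will fail on this value unless -AllowLegacyDNMismatch is used.'
} else {
    Write-Host 'LegacyDN is unique; Connect-Mailbox should succeed without the switch.'
}
```

Run it from EMS with the -Database and -DisplayName of the disconnected mailbox; if it reports an owner, that is the recipient named in the GUI error above.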

Test-ExchangeServer2010.ps1

Let me publish my script, which runs test cmdlets and gathers information directly on an Exchange Server 2010 (Windows Server 2008) machine. It is my little helper for patching or troubleshooting. Basically it is nothing special, but let's look at its help:

.DESCRIPTION
    Test-ExchangeServer2010.ps1 - filip.kasaj@tieto.com - v1.180714
    This script performs test cmdlets and gathers information from Exchange Server 2010 (Windows Server 2008) into own txt log.
    It can be used only directly on the Exchanger server (the server role is chosen automatically). 
    Only get and test cmdlets are used for this type of health check.
    Run-space: PowerShell 2.0 or Exchange Management Shell.
    Prerequisite: new-TestCasConnectivityUser.ps1
    
    Tests and information:
    ----------------------
      Always:
        - Get-WMIObject (Operating System, Volumes)
        - Get-ExchangeServer
        - GCM Exsetup
        - Test-ServiceHealth
        - Get-ExchangeCertificate
        - IIS Status
        - Test-PowerShellConnectivity
        - Test-FederationTrust
        - Server Services
        - Bad Application Events
        - Bad System Events
        - Top processes - CPU,MemorySize
        - Server Performance
      Mailbox role:
        - Get-MailboxDatabaseCopyStatus
        - Get-DatabaseAvailabilityGroup
        - Cluster /quorum
        - Cluster group /stat
        - Cluster /prop
        - Test-Mailflow
        - Test-MAPIConnectivity
        - Test-ReplicationHealth
      CAS role:
        - Test-OwaConnectivity
        - Test-ActiveSyncConnectivity
        - Test-WebServicesConnectivity
        - Test-OutlookWebServices
        - Test-OutlookWebServices
        - Test-OutlookConnectivity
        - Test-EcpConnectivity
        - Test-ImapConnectivity
        - Test-PopConnectivity
      HUB role:
        - Test-SmtpConnectivity
        - Get-Queue
    
.EXAMPLE
    Test-ExchangeServer.ps1
    # It performs test cmdlets and gathers information into a txt log generated in C:\temp.

.EXAMPLE
    Test-ExchangeServer.ps1 -ShowOutputLog
    # It performs test cmdlets and gathers information into a txt log generated in C:\temp and opens the log in Notepad at the end.

.EXAMPLE
    Test-ExchangeServer.ps1 -OutputLogPath "D:\Report\ExchangeServerLog.txt"
    # It performs test cmdlets and gathers information into the specified log file.

.EXAMPLE
    Test-ExchangeServer.ps1 -ShowOutputLog -OutputLogPath "D:\Report\ExchangeServerLog.txt"
    # It performs test cmdlets and gathers information into the specified log file and opens the log in Notepad at the end.

How to use it?

Just copy the script to your Exchange server and go ahead:

The output log is the result:

How to compare logs (i.e. to check the state before and after patching)?

For example via Total Commander:

Download: Test-ExchangeServer2010.ps1 – http://1drv.ms/1wI2eS4

Exchange 2013 SP1 – problem #1 – Powershell virtual directory malfunction – HTTP error (500)

This is a known issue, but as a note to myself for the next versions: when you run EMS against Exchange 2013 SP1, an HTTP error 500 comes out.

There are three possible root causes. Here are the solutions:

Root cause 1:

The Exchange server's clock is out of sync with the DC. You should always have the following hierarchy of time sync in your domain: Reliable time source -> PDC -> Other DCs -> Servers and clients

  • Disable Windows time sync from the physical host if the server is a virtual machine
  • Enable time sync with the domain by the following commands:

On the PDC:

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org
w32tm /config /reliable:yes
net start w32time

On other DCs and Servers:

net stop w32time
w32tm /config /syncfromflags:domhier /reliable:no /update
net start w32time

Root cause 2:

The Exchange server's path to kerbauth.dll is wrong, or the PowerShell virtual directory is misconfigured. I re-created the PowerShell virtual directory on the affected server:

Get-PowerShellVirtualDirectory -Server <AffectedServer> | Remove-PowerShellVirtualDirectory
New-PowerShellVirtualDirectory -Server <AffectedServer> -Name PowerShell
Get-PowerShellVirtualDirectory -Server <AffectedServer> | Set-PowerShellVirtualDirectory -BasicAuthentication:$false
IISReset

After re-creating the virtual directory I checked its modules in IIS and made sure that the Kerberos module (Kerbauth) is native and that the path to its DLL is correct.

Root cause 3:

The Windows feature WinRM IIS Extension is missing. The full description is here: http://technet.microsoft.com/en-us/library/dd759166.aspx This was the case in my lab, and I think it is a side effect of the in-place OS upgrade from Windows Server 2012 to Windows Server 2012 R2 on the Exchange server (yes, I know it is not a good idea, but how else to learn about non-standard issues). The solution is simple: install the Windows feature:

Get-WindowsFeature *IIS* #to check if it is installed
Add-WindowsFeature Winrm-IIS-Ext # to install

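As an added example (not from the original post), the script below checks all three root causes from an elevated PowerShell on the affected Exchange 2013 server and prints a verdict for each, so you know which fix above to apply before touching anything. It assumes the WebAdministration and ServerManager modules are present, that the Kerberos module is registered in IIS under the name Kerbauth (verify the name in IIS Manager if nothing is returned), and that Exchange setup populated the ExchangeInstallPath environment variable.

```powershell
# Added example, not from the original post: diagnose the three root causes of
# the EMS HTTP 500 on an Exchange 2013 SP1 server. Run elevated on that server.
Import-Module WebAdministration
Import-Module ServerManager

# --- Root cause 1: clock skew against the PDC emulator -------------------------
# Kerberos tolerates 5 minutes of skew by default; warn well before that.
$pdc   = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name
$chart = w32tm /stripchart /computer:$pdc /samples:3 /dataonly
# /dataonly lines look like "10:32:07, +00.0012345s" (format example; the decimal
# separator follows the OS locale, so accept '.' or ',').
$offsets = foreach ($line in $chart) {
    if ($line -match '([+-]\d+[.,]\d+)s') {
        [math]::Abs([double]::Parse($Matches[1].Replace(',', '.'),
            [Globalization.CultureInfo]::InvariantCulture))
    }
}
if (-not $offsets) {
    Write-Warning "w32tm could not sample $pdc; check that the PDC is reachable (root cause 1?)"
} else {
    $skew = ($offsets | Measure-Object -Maximum).Maximum
    if ($skew -gt 60) { Write-Warning "Clock skew to $pdc is $skew s (root cause 1 likely)" }
    else              { Write-Host    "Clock skew to $pdc is $skew s: OK" }
}

# --- Root cause 2: Kerbauth module image and PowerShell virtual directory -------
$expectedDll = Join-Path $env:ExchangeInstallPath 'Bin\kerbauth.dll'
$module = Get-WebGlobalModule | Where-Object { $_.Name -eq 'kerbauth' }   # name is an assumption
if (-not $module) {
    Write-Warning "No global IIS module named 'Kerbauth' is registered (root cause 2 likely)"
} else {
    $image = [Environment]::ExpandEnvironmentVariables($module.Image)
    if (-not (Test-Path $image)) {
        Write-Warning "Kerbauth image '$image' is missing on disk; expected $expectedDll (root cause 2)"
    } else {
        Write-Host "Kerbauth module image '$image': OK"
    }
}
# The module must also be enabled on the PowerShell application itself.
$enabled = Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site\PowerShell' `
    -Filter 'system.webServer/modules/add' | Where-Object { $_.name -eq 'kerbauth' }
if (-not $enabled) { Write-Warning 'Kerbauth is not enabled on the /PowerShell virtual directory (root cause 2)' }
else               { Write-Host    'Kerbauth enabled on /PowerShell: OK' }

# --- Root cause 3: WinRM IIS extension feature --------------------------------
$feature = Get-WindowsFeature -Name WinRM-IIS-Ext
if ($feature.Installed) { Write-Host 'WinRM-IIS-Ext installed: OK' }
else { Write-Warning 'WinRM-IIS-Ext is missing (root cause 3); run Add-WindowsFeature WinRM-IIS-Ext' }
```

The script only reads state; the fixes themselves are the commands listed under each root cause above.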

Exchange 2010 – AcceptMessagesOnlyFromSendersOrMembers and multivalued property syntax

I would like to share one experience with the multivalued property syntax.

My colleague was not able to modify the Message Delivery Restrictions, specifically the Accept Messages From list of a MailUniversalSecurityGroup. He added a user, applied the settings and got the error below:

--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
The following error(s) occurred while saving changes:

Set-DistributionGroup
Failed
Error:
Couldn't find object "<identity>". Please make sure that it was spelled correctly or specify a different object.
--------------------------------------------------------
OK
--------------------------------------------------------

It is a known issue which can occur for several mailbox attributes that define security boundaries for users or groups. Basically it means that we cannot extend the access list while it contains an invalid object (e.g. a mail-disabled group). In our case the invalid object is <identity> from the error above, and it has to be removed. The invalid object is not visible in the Exchange Management Console, so we have to use the Exchange Management Shell. The invalid object is stored in the AcceptMessagesOnlyFrom or AcceptMessagesOnlyFromDLMembers multivalued attributes, and certainly in AcceptMessagesOnlyFromSendersOrMembers (because it contains all values from both previous attributes) – see Set-DistributionGroup.

I wanted to remove the invalid object with the action @{Remove="<value1>", "<value2>"} (remove one or more values from a multivalued property) – see Modifying Multivalued Properties. But as can be seen below, this action was not supported for the AcceptMessagesOnlyFromSendersOrMembers attribute (possible bug) and it removed all existing values (hopefully only on one group) without any warning (tested on Exchange 2010 SP2 and SP3)! Modifying the AcceptMessagesOnlyFrom and AcceptMessagesOnlyFromDLMembers attributes this way seemed to work properly. So be careful every time you use the multivalued property syntax.

I had a few affected MailUniversalSecurityGroups and I wanted to remove the invalid objects Obj1 and Obj2 from the AcceptMessagesOnlyFromSendersOrMembers attribute anyway, so here is my procedure:

# Groups whose Accept Messages From list contains the invalid objects
$groups = Get-DistributionGroup MojeSkupiny*
foreach ($group in $groups){
 # Keep every entry except the invalid ones (matched by name)
 $ValidObjects = $group | %{$_.AcceptMessagesOnlyFromSendersOrMembers} | ?{$_.Name -notlike "*Obj1*" -and $_.Name -notlike "*Obj2*"}
 # Rewrite the whole attribute with the filtered list instead of using @{Remove=}
 $group | Set-DistributionGroup -AcceptMessagesOnlyFromSendersOrMembers $ValidObjects
}
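As an added example (not from the original post), here is a more defensive version of the same procedure. It rewrites the attribute with the filtered list, as above, but first exports the current values to CSV, refuses to touch a group where the filter would leave the list empty (the exact failure mode that @{Remove=} produced), and changes nothing unless -Apply is given. The group prefix, object names and backup path are placeholders; it assumes Exchange 2010 EMS (PowerShell 2.0 compatible syntax).

```powershell
# Added example, not from the original post: remove invalid entries from
# AcceptMessagesOnlyFromSendersOrMembers with a backup and a safety check.
param(
    [string]   $GroupFilter  = 'MojeSkupiny*',                          # placeholder
    [string[]] $InvalidNames = @('Obj1', 'Obj2'),                        # placeholder
    [string]   $BackupPath   = 'C:\temp\AcceptMessagesOnlyFrom-backup.csv',
    [switch]   $Apply                                                     # report only without it
)

$backup = @()
foreach ($group in Get-DistributionGroup $GroupFilter -ResultSize Unlimited) {
    $current = @($group.AcceptMessagesOnlyFromSendersOrMembers)
    if ($current.Count -eq 0) { continue }   # no delivery restriction configured

    # Record the complete list before anything is changed.
    foreach ($entry in $current) {
        $backup += New-Object PSObject -Property @{
            Group = $group.Identity.ToString(); Entry = $entry.Name; Dn = $entry.DistinguishedName
        }
    }

    # Entries whose name matches one of the invalid names are candidates for removal.
    $toRemove = @($current | Where-Object {
        $entry = $_
        [bool]($InvalidNames | Where-Object { $entry.Name -like "*$_*" })
    })
    if ($toRemove.Count -eq 0) { continue }

    $removeDns = @($toRemove | ForEach-Object { $_.DistinguishedName })
    $toKeep    = @($current | Where-Object { $removeDns -notcontains $_.DistinguishedName })

    # Never wipe the whole restriction list: that would open the group to all senders.
    if ($toKeep.Count -eq 0) {
        Write-Warning "$($group.Name): every entry would be removed; skipping (check the filter)."
        continue
    }

    Write-Host ("{0}: removing {1}; keeping {2} entries" -f $group.Name,
        (($toRemove | ForEach-Object { $_.Name }) -join ', '), $toKeep.Count)
    if ($Apply) {
        Set-DistributionGroup -Identity $group.Identity -AcceptMessagesOnlyFromSendersOrMembers $toKeep
    }
}

if ($backup.Count -gt 0) {
    $backup | Export-Csv -Path $BackupPath -NoTypeInformation
    Write-Host "Previous values saved to $BackupPath"
}
```

Run it once without -Apply to review what would be removed, then with -Apply; the CSV lets you restore a list if a filter turns out to be too broad.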

Exchange 2010 – OABGen skipped users (Event ID: 9325)

I fixed OAB errors (Event ID 9325) on the generation server and wanted to extract the users OABGen skipped from the Application event log.

Error

Log Name: Application
Source: MSExchangeSA
Date: 2/19/2013 5:07:36 AM
Event ID: 9325
Task Category: (13)
Level: Error
Keywords: Classic
User: N/A
Computer: s01.contoso.com
Description:
OABGen will skip user entry 'Filip' in address list '\Global Address List' because the SMTP address '' is invalid. 
- \Default Offline Address Book NEW

How to filter skipped users from event log?

Run EMS on the generation server and use the following cmdlets. They update and distribute the OAB to the CAS servers (do not forget to set the $date variable as well; it is needed for the next step):

$date = get-date

Get-OfflineAddressBook | Update-OfflineAddressBook

Get-ClientAccessServer | Update-FileDistributionService

All errors related to OABGen should now be written to the event log. After that you can use the cmdlets below: they find and count all OAB errors ($OABerrors) and extract the names of the skipped users ($OABerrorsUser).

# MSExchangeSA errors logged since the OAB update started
$OABerrors = Get-EventLog -LogName Application -EntryType error -Source MSExchangeSA | ?{$_.TimeGenerated -gt $date} | select Message
Write-Host "Count of OAB errors:" ($OABerrors | Measure-Object).count
# The user name is the text between " '" and "' " in the message
$OABerrorsUser = $OABerrors | % {$_.Message.Substring($_.Message.IndexOf(" '")+2,($_.Message.IndexOf("' ")-$_.Message.IndexOf(" '"))-2)}

Solution

The variable $OABerrorsUser can then be used in another loop, depending on the repairs you need.

Event ID 9325 basically occurs because the recipient's primary SMTP address (PrimarySmtpAddress) was changed without updating the Mail attribute (WindowsEmailAddress). If the Mail attribute does not match the primary SMTP address, the recipient is dropped when the offline address book is generated. A description of how to solve this issue is here: Using Powershell to Correct 9325 Events in Exchange 2007

The event can also occur for mail-disabled users if the ShowInAddressBook attribute has not been cleared (<not set>). All mail-enabled objects always have this attribute filled in (users, contacts, groups, public folders). The attribute can be cleared via ADSI Edit or the Active Directory Module for Windows PowerShell:

Get-ADuser GlenJohn -Properties showInAddressBook | Set-ADUser -Clear showInAddressBook
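As an added example (not from the original post), the script below does the two steps described above in one pass: it extracts the skipped user from each Event ID 9325 message with a regex instead of Substring arithmetic (the regex is written against the message format shown above), and then, for every skipped name, compares PrimarySmtpAddress with WindowsEmailAddress and realigns them with Set-Mailbox. It assumes EMS on the OAB generation server, that -Since is the time Update-OfflineAddressBook was started, and it only reports (WhatIf) unless -Apply is given.

```powershell
# Added example, not from the original post: parse Event ID 9325 messages and
# fix the Mail / PrimarySmtpAddress mismatch that causes OABGen to skip users.
param(
    [datetime] $Since = (Get-Date).AddHours(-1),   # when Update-OfflineAddressBook was run
    [switch]   $Apply                               # without it, Set-Mailbox runs with -WhatIf
)

# Message format from the event above:
# OABGen will skip user entry 'Filip' in address list '\Global Address List' because the SMTP address '' is invalid.
$pattern = "OABGen will skip user entry '(?<user>[^']*)' in address list '(?<list>[^']*)' because the SMTP address '(?<smtp>[^']*)' is invalid"

function Get-OabSkippedUsers {
    param([string[]] $Messages)
    foreach ($m in $Messages) {
        if ($m -match $pattern) {
            New-Object PSObject -Property @{
                User = $Matches['user']; AddressList = $Matches['list']; Smtp = $Matches['smtp']
            }
        }
    }
}

$messages = Get-EventLog -LogName Application -EntryType Error -Source MSExchangeSA -After $Since |
    Where-Object { $_.EventID -eq 9325 } | ForEach-Object { $_.Message }

$skipped = @(Get-OabSkippedUsers -Messages $messages)
Write-Host "OABGen skipped $($skipped.Count) entries since $Since"

foreach ($s in ($skipped | Sort-Object User -Unique)) {
    # The event carries only the display name, so the lookup may return several recipients.
    $escaped    = $s.User.Replace("'", "''")
    $recipients = @(Get-Recipient -ResultSize Unlimited -Filter "Name -eq '$escaped'")

    if ($recipients.Count -eq 0) {
        Write-Host "$($s.User): no mail-enabled recipient found; for a mail-disabled user clear showInAddressBook as shown above"
        continue
    }
    foreach ($r in $recipients) {
        if ($r.RecipientType -notlike '*Mailbox*') {
            Write-Host "$($r.Name): $($r.RecipientType), not a mailbox; check WindowsEmailAddress manually"
            continue
        }
        $mbx = Get-Mailbox -Identity $r.Identity
        if ($mbx.PrimarySmtpAddress.ToString() -ne $mbx.WindowsEmailAddress.ToString()) {
            Write-Host "$($mbx.Name): Mail=$($mbx.WindowsEmailAddress) PrimarySmtp=$($mbx.PrimarySmtpAddress) -> realigning"
            Set-Mailbox -Identity $mbx.Identity -WindowsEmailAddress $mbx.PrimarySmtpAddress -WhatIf:(-not $Apply)
        } else {
            Write-Host "$($mbx.Name): addresses already match; look for an empty or malformed SMTP address instead"
        }
    }
}
```

After the fix, run Update-OfflineAddressBook again and re-run the script; the count should drop to zero for the repaired users.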


Cisco Labs – Redundant and Resilient networks (1) – BGP confederations

Introduction

During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab exercises for students, so they can test First Hop Redundancy Protocols (FHRP), Any Transport over MPLS (AToM) and Border Gateway Protocol (BGP) on the Cisco platform. The tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will get its own post with a brief description of the task and the topology. The complete task can be downloaded from My SkyDrive.

ZIP file contains:

  • *.HTML file – complete step-by-step guide on how to perform the task
  • *.PNG – pictures of the topology and others
  • *_preconf.txt – file with the basic configuration of the topology (IP addresses, interfaces and so on), so you can focus on the task goal
  • *_end.txt – file with the complete configuration; once put on the routers, you get a working task
  • *.dia – topology in the free DIA editor
  • *.XML – topology in XML format

To complete the task:

  • Connect your environment according to the topology
  • Open the *_preconf.txt file from the ZIP file and configure your environment with the basic settings, so you can start with the task.

BGP – confederations 

Title: BGP – confederations

Goal:

  • Configure BGP confederations on topology with preconfigured OSPF,RIP routing inside sub-ASes of the confederation AS.

Required time: 120 minutes

Theoretical background:

Theoretical introduction into BGP:

Configuration and command reference for BGP,OSPF and EIGRP:

Topology:

BGP-Confederations

Configuration:

1) Check pre-configured settings

Before starting the BGP configuration, make sure that the router configuration and network operation are correct. The topology is pre-configured so that every sub-AS has its own interior routing protocol (OSPF, RIP) with a passive interface between sub-ASes to prevent an IGP adjacency. Use the ping command to test connectivity. You should be able to ping all networks inside a particular BGP sub-AS.

2) Perform step 1 of function test

3) Configure BGP

Router RA:

Pay attention! BGP sessions must be full-meshed inside sub-AS, as shown in sub-AS 65101 configuration.

      RA(config)#router bgp 65101; set confederation sub-AS number and start BGP process
      RA(config-router)#no synchronization ; disable synchronization between BGP and IGP
      RA(config-router)#bgp router-id 2.0.0.3; set unique BGP router ID
      RA(config-router)#bgp log-neighbor-changes; log neighbor changes
      RA(config-router)#redistribute connected; redistribute interior networks via BGP to other ASes
      RA(config-router)#bgp confederation identifier 100; set sub-AS 65101 as part of confederation 100
      RA(config-router)#bgp confederation peers 65102; set another sub AS 65102 to be a peer in confederation 100
      RA(config-router)#neighbor 10.1.0.2 remote-as 65101; set BGP neighbor to be part of the same sub AS to fulfill full mesh requirement
      RA(config-router)#neighbor 10.2.0.1 remote-as 65101; set BGP neighbor to be part of the same sub AS to fulfill full mesh requirement
      RA(config-router)#no auto-summary; do not summarize networks

Router RB:

      RB(config)#router bgp 65101
      RB(config-router)#no synchronization
      RB(config-router)#bgp router-id 2.0.0.1
      RB(config-router)#bgp log-neighbor-changes
      RB(config-router)#redistribute connected
      RB(config-router)#bgp confederation identifier 100
      RB(config-router)#bgp confederation peers 65102
      RB(config-router)#neighbor 11.0.0.2 remote-as 200; set BGP neighbor in external AS 200
      RB(config-router)#neighbor 10.1.0.1 remote-as 65101; set BGP neighbor to be part of the same sub AS to fulfill full mesh requirement
      RB(config-router)#neighbor 10.2.0.1 remote-as 65101; set BGP neighbor to be part of the same sub AS to fulfill full mesh requirement
      RB(config-router)#no auto-summary

Similarly RC:

      RC(config)#router bgp 65101
      RC(config-router)#no synchronization
      RC(config-router)#bgp router-id 2.0.0.2
      RC(config-router)#bgp log-neighbor-changes
      RC(config-router)#redistribute connected
      RC(config-router)#bgp confederation identifier 100
      RC(config-router)#bgp confederation peers 65102
      RC(config-router)#neighbor 10.3.0.1 remote-as 65102
      RC(config-router)#neighbor 10.1.0.2 remote-as 65101
      RC(config-router)#neighbor 10.2.0.2 remote-as 65101
      RC(config-router)#no auto-summary

Similarly for AS65201

Router RD:

      RD(config)#router bgp 65201
      RD(config-router)#no synchronization 
      RD(config-router)#bgp router-id 5.0.0.2
      RD(config-router)#bgp log-neighbor-changes
      RD(config-router)#redistribute connected
      RD(config-router)#bgp confederation identifier 200
      RD(config-router)#bgp confederation peers 65202
      RD(config-router)#neighbor 11.0.0.1 remote-as 100
      RD(config-router)#neighbor 100.23.0.2 remote-as 65202
      RD(config-router)#no auto-summary

Similarly for AS65202

Router RE:

      RE(config)#router bgp 65202
      RE(config-router)#no synchronization
      RE(config-router)#bgp router-id 6.0.0.2
      RE(config-router)#bgp log-neighbor-changes
      RE(config-router)#redistribute connected
      RE(config-router)#bgp confederation identifier 200
      RE(config-router)#bgp confederation peers 65201
      RE(config-router)#neighbor 12.0.0.2 remote-as 100
      RE(config-router)#neighbor 100.23.0.1 remote-as 65201
      RE(config-router)#no auto-summary

Similarly for AS65102

Router RF:

      RF(config)#router bgp 65102
      RF(config-router)#no synchronization
      RF(config-router)#bgp router-id 4.0.0.1
      RF(config-router)#bgp log-neighbor-changes
      RF(config-router)#redistribute connected
      RF(config-router)#bgp confederation identifier 100
      RF(config-router)#bgp confederation peers 65101
      RF(config-router)#neighbor 12.0.0.1 remote-as 200
      RF(config-router)#neighbor 10.4.0.2 remote-as 65102
      RF(config-router)#no auto-summary

Router RG:

      RG(config)#router bgp 65102
      RG(config-router)#no synchronization
      RG(config-router)#bgp router-id 4.0.0.2
      RG(config-router)#bgp log-neighbor-changes
      RG(config-router)#bgp confederation identifier 100
      RG(config-router)#bgp confederation peers 65101
      RG(config-router)#redistribute connected
      RG(config-router)#neighbor 10.3.0.2 remote-as 65101
      RG(config-router)#neighbor 10.4.0.1 remote-as 65102
      RG(config-router)#no auto-summary

Function test:

1) Display routing information before you configure BGP

Verify routing tables on all routers of the network using sh ip route command.

      Rx# sh ip route

2) Display routing information with BGP configured

Verify routing tables on all routers of the network using sh ip route command.
Verify BGP using sh ip bgp neighbor and sh ip bgp on RA and RD.

      Rx# sh ip route; x represents every router in topology
      Rx# sh ip bgp summary
      Rx# sh ip bgp neighbor
      Rx# sh ip bgp
      Rx# sh ip ospf neighbors

3) Test connectivity

Test connectivity between AS100 and AS200. For example use ping command from RA to one of the interfaces on router RG. Also test connectivity to other routers.

      RA# ping 100.23.0.2
      RA# traceroute 100.23.0.2

4) Compare routing tables in AS100 and AS200

BGP path in routing table will show confederation AS number instead of sub-AS numbers.

Exchange 2010 SP3 and Exchange 2013 RTM coexistence issue

I know that coexistence of Exchange 2010 SP3 and Exchange 2013 RTM is not supported, but I wanted to do some tests and see what breaks. After installing Exchange 2010 SP3 on my old Exchange server in the lab and then Exchange 2013 RTM servers in a DAG with an HAProxy load balancer in front of them, I realized that everything worked just fine.

After that I started to write an article about federation trust (http://ficility.net/2013/02/08/exchange-federation-trust-part-1/) and the problems started to arise.

Symptoms

I configured the federation trust according to the linked article on the Exchange 2013 server, and it was supposed to distribute the Exchange certificate used for the federation trust across the organization; however, the Exchange 2013 server was not able to contact the Exchange 2010 server and the distribution failed.

On the other side, the Exchange 2010 server picked up information from AD about the new federation certificate, which it could not find in its local certificate store. The result was that MSExchangeServiceHost crashed with the errors shown below.

Test-ServiceHealth

Role                    : Mailbox Server Role
RequiredServicesRunning : False
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeIS, MSExchangeMailboxAssistants, MSExchangeMailSubmission, MSExchangeRepl, MSExchangeRPC, MSExchangeSA, MSExchangeSearch, MSExchangeThrottling, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {MSExchangeServiceHost}

Role                    : Client Access Server Role
RequiredServicesRunning : False
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeFBA, MSExchangeProtectedServiceHost, MSExchangeRPC, W3Svc, WinRM}
ServicesNotRunning      : {MSExchangeAB, MSExchangeFDS, MSExchangeMailboxReplication, MSExchangeServiceHost}

Role                    : Hub Transport Server Role
RequiredServicesRunning : False
ServicesRunning         : {IISAdmin, MSExchangeADTopology, MSExchangeTransport, MSExchangeTransportLogSearch, W3Svc, WinRM}
ServicesNotRunning      : {MSExchangeEdgeSync, MSExchangeServiceHost}

Get-ExchangeCertificate -Server Frontend1
The target server isn't running a supported version of Exchange Server.
    + CategoryInfo          : InvalidArgument: (:) [Get-ExchangeCertificate], ArgumentException
    + FullyQualifiedErrorId : 75222B43,Microsoft.Exchange.Management.SystemConfigurationTasks.GetExchangeCertificate

Event log sequence caused by the error: Event ID 2003 followed by Event ID 4999.

Solution

Very simple. Export the federation certificate from the Exchange 2013 RTM server and import it into the Personal certificate store of the local computer account on the Exchange 2010 SP3 server.

After the certificate import MSExchangeServiceHost service started to run normally.