Let me publish my script which tests and gathers information directly from Exchange server 2010 (Windows 2008). It is my little helper in case of patching or troubleshooting. Basically it is nothing special, but let’s look at its help:

    Test-ExchangeServer2010.ps1 - filip.kasaj@tieto.com - v1.180714
    This script performs test cmdlets and gathers information from Exchange Server 2010 (Windows Server 2008) into own txt log.
    It can be used only directly on the Exchanger server (the server role is chosen automatically). 
    Only get and test cmdlets are used for this type of health check.
    Run-space: PowerShell 2.0 or Exchange Management Shell.
    Prerequisite: new-TestCasConnectivityUser.ps1
    Tests and information:
        - Get-WMIObject (Operating System, Volumes)
        - Get-ExchangeServer
        - GCM Exsetup
        - Test-ServiceHealth
        - Get-ExchangeCertificate
        - IIS Status
        - Test-PowerShellConnectivity
        - Test-FederationTrust
        - Server Services
        - Bad Application Events
        - Bad System Evenets
        - Top processes - CPU,MemorySize
        - Server Performance
      Mailbox role:
        - Get-MailboxDatabaseCopyStatus
        - Get-DatabaseAvailabilityGroup
        - Cluster /quorum
        - Cluster group /stat
        - Cluster /prop
        - Test-Mailflow
        - Test-MAPIConnectivity
        - Test-ReplicationHealth
      CAS role:
        - Test-OwaConnectivity
        - Test-ActiveSyncConnectivity
        - Test-WebServicesConnectivity
        - Test-OutlookWebServices
        - Test-OutlookWebServices
        - Test-OutlookConnectivity
        - Test-EcpConnectivity
        - Test-ImapConnectivity
        - Test-PopConnectivity
      HUB role:
        - Test-SmtpConnectivity
        - Get-Queue
    # It performs test cmdlets and gathers information into txt log generated in C:\temp.
    Test-ExchangeServer.ps1 -ShowOutputLog
    # It performs test cmdlets and gathers information into txt log generated in C:\temp and opens the log in notepad at the end.
    Test-ExchangeServer.ps1 -OutputLogPath "D:\Report\ExchangeServerLog.txt"
    # It performs test cmdlets and gathers information into the specified log file.
    Test-ExchangeServer.ps1 -ShowOutputLog -OutputLogPath "D:\Report\ExchangeServerLog.txt"
    # It performs test cmdlets and gathers information into the specified log file and opens the log in notepad at the end.

How to use it?

Just copy the script to your Exchange server and go ahead:

Output log as its result:

How to compare logs (i.e. check the state before/after patching)?

For example via Total Commander:

Download: Test-ExchangeServer2010.ps1 – http://1drv.ms/1wI2eS4


DirSync errors and solutions: Event ID 0: Invalid namespace during automatic sync or Start-OnlineCoexistenceSync, Object not found on the server

I have been facing errors with one of my customers lately. There is a hybrid deployment with Exchange on premise and Office 365 with ADFS.


  • DirSync stopped working, because automatic synchronization started to throw invalid namespace errors (Event ID 0)
  • DirSync cannot be run via Start-OnlineCoexistenceSync
  • DirSync could be run manually from the GUI

invalid namespace


When DirSync is installed on the server and configured, the DirSync installer creates a service which by default runs synchronization every 3 hours to propagate changes of local AD objects to the cloud. If the Hybrid deployment checkbox is ticked during configuration, it also updates a few attributes in the opposite direction (from cloud to on premise).

Behind the scenes this service also registers performance counters in WMI, and this is where the problem lies! In my case an old version of the CCM agent (installed by SCCM) had been uninstalled, and during the uninstallation the WMI repository was corrupted. This caused the FIM Synchronization service to fail to run.


The solution is not easy. Here are the steps that need to be run in the following order to make it work, and to make it work permanently:

  • Fix MOF files – MOF files are used to register performance counters in WMI. These files can be registered once per product installation or every time the product is upgraded, and this is the problem. By default the DirSync MOF files are registered only once and not during upgrades. The problem comes up when the CCM agent is uninstalled and the MOF files are not re-registered. To prevent this from happening again, add the following text to the first line of the MOF files for the DirSync product:

MOF file location:
%Program Files%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin

MOF files name:

mmswmi-x.mof is used for product uninstallation. Do not change it.

//*                                                      *
//*   Copyright (C) Microsoft. All rights reserved.      *
//*                                                      *
// mmswmi.MOF

  • Repair WMI repository permanently

To repair WMI you must run the following command from the same location as in the previous step and restart the FIM Synchronization service. The result should be “Done!”

mofcomp mmswmi.mof

  • Re-register the FIM Sync Service DLL and restart the Windows Management service

From the same location under elevated permissions run:

regsvr32 /s mmswmi.dll
net stop winmgmt
net start winmgmt

  • Re-run the configuration of DirSync

From the location %Program Files%\Windows Azure Active Directory Sync run ConfigWizard.exe

If you receive the following error, move the service accounts (MSOL*) to OU=Users in the root domain of your on-premises AD.

No object on server

Exchange disk statistics

Here is a tip how to gather disk statistics such as
CapacityGB, FreeSpaceGB, FreeSpace% for all disks in your Exchange organization.

$vols = @()
Get-ExchangeServer | % {
    $comp = $_.Name
    #query removable (2) and fixed (3) volumes on each Exchange server and convert bytes to GB
    $vols += Get-WmiObject -computername $comp -query "select Name, DriveType, FileSystem, FreeSpace, Capacity, Label from Win32_Volume where DriveType = 2 or DriveType = 3" | select @{Name='Server';Expression={$comp}},Label,Name,@{Name='CapacityGB';Expression={$_.Capacity/1GB}},@{Name='FreeSpaceGB';Expression={$_.FreeSpace/1GB}},@{Name='FreeSpace%';Expression={($_.FreeSpace*100)/$_.Capacity}}
}
$vols | Export-Csv -NoTypeInformation -Delimiter ";" -path "E:\ExchangeDiskreport.csv"


KPCS is a finalist in Microsoft Awards 2014 worldwide!

I am proud to announce that the company I work for, KPCS.CZ, is second worldwide in the Server platform implementation projects category. Besides this nice placement we won 3 categories in the Czech Republic and in one we are a finalist.

So a total of 5 awards within 1 year! What a great success!

More here:






Log Search script

This is just a small easy script to search log content in defined location and time range for string value. If you know what to search in many log files, it can help you to narrow search.

#Author: Zbynek Salon
#Path to search
$path = "D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive"
#What to search (the best would be for example e-mail address for some SMTP log)
$str = "PRX5"
#Range (Start must be earlier than End)
$start = "5/25/2014 8:00AM"
$end = "5/28/2014 9:00AM"
Get-ChildItem $path | where {($_.LastWriteTime -gt $Start) -and ($_.LastWriteTime -lt $End)} | foreach {
    #list every file in the time range
    $_
    #read the file by its full path and report it when any line contains the string
    $x = Get-Content -Path $_.FullName
    if ($x -like "*$($str)*"){Write-Host "$($_.Name) contains $($str)" -ForegroundColor Green}
}

Script to gather FullAccess and SendAs permissions

I wrote this script to gather FullAccess and SendAs permissions to divide mailboxes into logical batches. Maybe somebody will find it helpful.

#Purpose of this script is to gather full access and Send-As permissions of all mailboxes in organization
#Author: Zbynek Salon
#importing needed modules
Import-Module Servermanager
Import-Module ActiveDirectory   #provides Get-ADObject
$out = @()
$path = "c:\temp\FASA.txt"
$out +="Identity-email;Full Access;Send AS"
set-adserversettings -ViewEntireForest $true
#gathering info
$list = Get-Mailbox -resultsize unlimited | select alias,displayname,primarysmtpaddress,userprincipalname,distinguishedname
$i = 0
Foreach ($line in $list){
    #reset per-mailbox values so nothing carries over from the previous mailbox
    $sa = $null
    $fa = $null
    $fapo = ""
    $sapo = ""
    $fa = get-mailbox "$($line.distinguishedname)" | get-mailboxpermission | where {($_.IsInherited -like $false) -and ($_.accessrights -like "*Full*") -and ($_.user -notlike "*SELF*")}
    $sa = get-mailbox "$($line.distinguishedname)" | get-adpermission | where {($_.extendedrights -like "*Send*") -and ($_.IsInherited -like $false) -and ($_.Deny -like $false)  -and ($_.user -notlike "*SELF*")}
    Write-host "°°°°°°°°°°°°°°$($line.alias)"
    #Full Access section
    write-host "Full Access $($line.displayname)"
    if ($fa -ne $null){
        $fapo = "FA:"
        foreach ($fap in $fa){
            #query object from AD using LDAP (translate SID to DN)
            $o = [adsi]"LDAP://<SID=$($fap.user.securityidentifier)>"
            #query needed properties of AD object (AD object is used to query for all object types)
            #clear the previous result first, so a failed lookup is reported as NoExist
            $o2 = $null
            $o2 = get-adobject "$($o.distinguishedname)" -properties * | select displayname,userprincipalname
            if($o2 -ne $null){
                $fapo = $fapo + "|$($o2.displayname)*$($o2.userprincipalname)"
            }
            else{$fapo = $fapo + "|NoExist*$($fap.user.securityidentifier)" }
        }
    }
    #Send As section
    write-host "Send - AS $($line.displayname)"
    if ($sa -ne $null){
        $sapo = "SA:"
        foreach ($sap in $sa){
            $u = [adsi]"LDAP://<SID=$($sap.user.securityidentifier)>"
            $u2 = $null
            $u2 = get-adobject "$($u.distinguishedname)" -properties * | select displayname,userprincipalname
            if($u2 -ne $null){
                $sapo = $sapo + "|$($u2.displayname)*$($u2.userprincipalname)"
            }
            #report the SID of the Send-As entry ($sap), not of the last Full Access entry
            else{$sapo = $sapo + "|NoExist*$($sap.user.securityidentifier)" }
        }
    }
    $out += "$($line.displayname)*$($line.userprincipalname);$($fapo);$($sapo)"
}

$out | out-file "$($path)"
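
The output file can be turned into batches by treating every FullAccess or SendAs grant between two mailboxes as a link and keeping linked mailboxes together. This is an added example, not part of the author's script; the function name Get-MailboxBatch, the sample lines and the rule "linked mailboxes go into one batch" are assumptions.

```powershell
# Constructed sample in the format written to FASA.txt:
# "DisplayName*UPN;FA:|Name*UPN|...;SA:|Name*UPN|..."
$sample = @(
    'Identity-email;Full Access;Send AS'
    'Alice A*alice@contoso.example;FA:|Bob B*bob@contoso.example;'
    'Bob B*bob@contoso.example;;'
    'Carol C*carol@contoso.example;;SA:|Dave D*dave@contoso.example'
    'Dave D*dave@contoso.example;;'
    'Erin E*erin@contoso.example;FA:|NoExist*S-1-5-21-1-2-3-1105;'
)

# Hypothetical helper: returns one object per batch of linked mailboxes.
function Get-MailboxBatch {
    param([string[]]$Lines)
    $label = @{}    # mailbox UPN -> batch label
    $edges = @()    # (owner UPN, delegate UPN) pairs
    foreach ($l in ($Lines | Select-Object -Skip 1)) {
        $cols  = $l.Split(';')
        $owner = $cols[0].Split('*')[1].ToLower()
        $label[$owner] = $owner
        foreach ($col in $cols[1..2]) {
            # drop the "FA:" / "SA:" prefix, then split the delegates on "|"
            foreach ($d in ($col -replace '^(FA|SA):', '').Split('|')) {
                if (-not $d -or $d -like 'NoExist*') { continue }   # empty or orphaned SID
                $edges += ,@($owner, $d.Split('*')[1].ToLower())
            }
        }
    }
    # Propagate the smallest label along every link until nothing changes.
    do {
        $changed = $false
        foreach ($e in $edges) {
            if (-not $label.ContainsKey($e[1])) { continue }        # delegate has no mailbox
            $min = @($label[$e[0]], $label[$e[1]]) | Sort-Object | Select-Object -First 1
            foreach ($n in $e) {
                if ($label[$n] -ne $min) { $label[$n] = $min; $changed = $true }
            }
        }
    } while ($changed)
    $label.GetEnumerator() | Group-Object Value | ForEach-Object {
        New-Object PSObject -Property @{
            Batch     = $_.Name
            Mailboxes = @($_.Group | ForEach-Object { $_.Key } | Sort-Object)
        }
    }
}

Get-MailboxBatch -Lines $sample | Format-Table Batch, Mailboxes -AutoSize
```

Entries written as NoExist are orphaned SIDs: they are skipped for batching, but they are worth reviewing and removing from the mailbox ACLs.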

DirSync to Office 365 synchronization failed – Event ID:6126, Event ID:109, Event ID:6801, Event ID:6803, Event ID:6110

I have faced problems with Dirsync synchronization with the following Event IDs:6126,0,109,6801,6803,6110,0


Password reset for Dirsync cloud account and its configuration in MIIS client.


Here is what I have found in the event log:

1. Event ID 6126

Synchronization has been done, but changes of the rules occurred

2. Event ID 109

The error states that synchronization was not performed and that a password change might help

3. Event IDs 6801,6803

These state the same as Event ID 109: an authentication failure and the final state that an error has occurred.

4. Event ID 6110

Watermark of delta synchronization was not saved.

5. Password needs to be changed in the cloud

Just log on to the cloud and change the password via the web interface

6. Password never expires

As an additional step I have set the password to never expire to prevent these problems from occurring again

7. Set new password in DirSync

In the Windows Azure Active Directory connector you should set the new password.

8. OK


Office 365 – Adding SMTP addresses while DirSync without ADFS/Hybrid


There are limitations when you deploy Office 365 without ADFS/Hybrid. In this article I would like to write about SMTP addresses.

  • The ProxyAddresses attribute is synchronized to Office 365
  • You cannot add SMTP addresses on the cloud side, so you have to use the attribute editor or PowerShell on premise instead
  • To use PowerShell you need to import the module for Server Manager, and one of the methods to add, remove or replace SMTP addresses is the Set-ADUser cmdlet, where you add string values to the multivalue property “ProxyAddresses”
  • Several proxy addresses can be added at a time

get-aduser -identity "stokurev" | set-aduser -add @{'ProxyAddresses'=@("SMTP:anatolij.stokurev@domain.com","smtp:stokurev@domain.com")}


As an example, here is a script that duplicates existing aliases with another domain suffix

#Purpose of this script is to double aliases of domain.suffix to domain.suffix2 as secondary SMTP addresses
#Author: Zbynek Salon
#importing needed modules
Import-Module Servermanager
Import-Module ActiveDirectory   #provides Get-ADUser and Set-ADUser
#gathering and adding aliases
$x = get-aduser -SearchBase "OU=SUFFIX2,OU=Office365,OU=People,DC=DOMAIN,DC=SUFFIX2" -filter * -pr * | select SAMAccountname,UserPrincipalName,proxyaddresses
foreach ($line in $x){
    foreach ($addr in $line.proxyaddresses){
        #-like ignores case, so both primary (SMTP:) and secondary (smtp:) entries are processed
        if ($addr -like "smtp:*"){
            $addr = $addr.replace("DOMAIN.SUFFIX","DOMAIN.SUFFIX2")
            $addr = $addr.replace("SMTP:","")
            $addr = $addr.replace("smtp:","")
            #lower-case "smtp:" adds the address as a secondary one
            get-aduser -identity "$($line.samaccountname)" | set-aduser -add @{'ProxyAddresses'=@("smtp:$($addr)")}
        }
    }
}

#check results
$y = get-aduser -SearchBase "OU=SUFFIX2,OU=Office365,OU=People,DC=DOMAIN,DC=SUFFIX2" -filter * -pr * | select SAMAccountname,UserPrincipalName,proxyaddresses
foreach ($line in $y){
    foreach ($addr in $line.proxyaddresses){
        if ($addr -like "smtp:*"){
            #the body of this check is cut off on the page; listing the address is an assumption
            Write-Host "$($line.SAMAccountname) $($addr)"
        }
    }
}
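
The alias calculation can be separated from the AD write, so that the old domain is matched only as the complete part after "@", existing aliases are not added twice, and non-SMTP entries are left alone. This is an added example, not the author's script; the function name Get-NewSecondaryAddress, the domains and the sample addresses are assumptions.

```powershell
# Hypothetical helper: returns the secondary addresses that still have to be added.
function Get-NewSecondaryAddress {
    param(
        [string[]]$ProxyAddresses,   # current proxyAddresses values of one user
        [string]$OldDomain,
        [string]$NewDomain
    )
    # -like ignores case, so this keeps both "SMTP:" (primary) and "smtp:" (secondary)
    $smtp = @($ProxyAddresses | Where-Object { $_ -like 'smtp:*' })
    $existing = @{}                  # @{} keys compare case-insensitively
    foreach ($p in $smtp) { $existing[$p.Substring(5)] = $true }
    # match the old domain only as the complete part after "@"
    $suffix = '@' + [regex]::Escape($OldDomain) + '$'
    foreach ($p in $smtp) {
        $addr = $p.Substring(5)
        if ($addr -notmatch $suffix) { continue }        # other domain, or already the new one
        $new = $addr -replace $suffix, ('@' + $NewDomain)
        if ($existing.ContainsKey($new)) { continue }    # alias is already present
        $existing[$new] = $true
        "smtp:$new"                                      # lower-case prefix = secondary address
    }
}

# Constructed sample attribute value; the domains are placeholders.
$current = @(
    'SMTP:Jan.Novak@domain.example'
    'smtp:jnovak@domain.example'
    'smtp:jnovak@domain2.example'
    'x500:/o=Org/ou=Site/cn=jnovak'
    'smtp:info@other.example'
)
$toAdd = @(Get-NewSecondaryAddress -ProxyAddresses $current -OldDomain 'domain.example' -NewDomain 'domain2.example')
$toAdd
# With the ActiveDirectory module loaded, the result can be written with the cmdlet
# the page already uses, for example:
# if ($toAdd) { Set-ADUser -Identity 'jnovak' -Add @{ProxyAddresses = $toAdd} }
```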

Cisco Labs – Network Security (14) – ASA as transparent firewall


During my university studies I was doing a diploma thesis in the field of Redundant and reliable networking. The purpose of it was to create LAB examples for students, so they can test basic settings for VPN, IPS and others. These tasks are created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Onedrive

NS2 – Modul2 8.3.3 ASA task definition

ASA as transparent firewall


  • Configure ASA as transparent firewall.
  • Generate a test message thru HTTP, FTP and ICMP.
  • Apply access list and recheck configuration.
  • Do not forget to clear configuration before start.

Required time

2 hours

Theoretical background

Here will be short theoretical background for solving this task.





ifconfig int3 netmask							;set IP address
route add default gw dev int3								;set default gw


R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model									;define authentication policy
SERVER(config)#aaa authentication login telnet local  						;authenticate locally
SERVER(config)#username cisco password cisco							;authenticate by this username and password                
SERVER(config)#enable password cisco								;set enable password for privileged mode
SERVER(config)#ip http server									;enable HTTP server
SERVER(config)#ftp-server enable								;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/							;set top directory for FTP server
SERVER(config)#line vty 0 4									;enable telnet connections


1) Firewall settings

ciscoasa(config)# hostname ASA1
ASA1(config)# firewall transparent                          					;set up firewall in transparent mode
ASA1(config)# interface INT1
ASA1(config-if)# nameif outside              
ASA1(config-if)# no shutdown
ASA1(config)# interface INT2
ASA1(config-if)# nameif inside
ASA1(config-if)# no shutdown
ASA1(config)# ip address               			        ;set management IP address for Firewall device
ASA1(config)# debug icmp trace                          					;turn on debug for icmp traffic thru firewall

Check connection as you can see in Function test before applying access lists.

2) Apply access lists

ASA1(config)# access-list FWRULEIN permit icmp any any
ASA1(config)# access-list FWRULEIN permit udp any any eq 20
ASA1(config)# access-list FWRULEIN permit udp any any eq 21
ASA1(config)# access-list FWRULEIN permit tcp any any eq www 
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp 

ASA1(config)# access-group FWRULEIN in interface outside

Function test

Pictures are taken from text web browser lynx. You can get similar results from graphical web browser from Linux and Windows.

F1) Before access lists

outside -> inside

ASA1(config)# debug icmp trace									;turn on debugging for icmp
PC1#ping										;ping firewall MGMT address
PC1#ping										;ping server
PC1#lynx									;initiate http connection with server - this traffic is permitted by default.
PC1#lynx									;initiate ftp connection with server

Pictures show the results of these commands.



inside -> outside

SERVER#ping										;ping PC1 from server

Picture shows result of this command.


F2) After access lists application

outside -> inside

PC1#ping										;ping firewall MGMT address
PC1#ping										;ping server
PC1#lynx									;initiate http connection with server
PC1#lynx									;initiate ftp connection with server

Pictures show the results of these commands.



inside -> outside

SERVER#ping										;ping PC1 from server

Picture shows result of this command.


Optional tasks

  • Try to configure different types of access lists denying and permitting different types of traffic.