Apr 07

How to: Delete and re-create the Exchange ECP Virtual Directory

To delete the ECP virtual directory of your Exchange server and re-create it from scratch, you can use the below to get the identity of the virtual directory.

Get-EcpVirtualDirectory | fl

Use this to remove the virtual directory in question

Remove-EcpVirtualDirectory -identity "MYSERVER\ecp (Exchange Back End)"

To create the new virtual directory, use the below

New-EcpVirtualDirectory -externalurl "https://outlook.mydomain.com/ecp" -internalurl "https://myserver/ecp" -Server "myserver.mydomain.local"

Apr 07

Fix: Error 500 when loading Shell or ECP on Exchange 2013 SP1

After installing Exchange 2013 with SP1 you might notice that when you open the Management Shell you get a bunch of errors, mainly error 500: Internal Server Error. The same error can also be seen when you try to access the ECP or OWA on the server in question. This issue occurs only on Exchange 2013 with SP1 and with the Client Access role installed.

The culprit can be one of the following three:

#1 Time synchronization

On the Primary Domain Controller (PDC) do the below

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org
w32tm /config /reliable:yes
net start w32time

On the other DCs and servers do the following

net stop w32time
w32tm /config /syncfromflags:domhier /reliable:no /update
net start w32time


#2 Kerberos issues

Do the following on the affected servers to re-create the PowerShell virtual directory (replace <ServerName> with the name of the server).

Get-PowerShellVirtualDirectory -Server <ServerName> | Remove-PowerShellVirtualDirectory
New-PowerShellVirtualDirectory -Server <ServerName> -Name PowerShell
Get-PowerShellVirtualDirectory -Server <ServerName> | Set-PowerShellVirtualDirectory -BasicAuthentication:$false
IISReset

After re-creating the virtual directory, I checked its modules in IIS and made sure that the Kerberos module is native and the path to its DLL is correct.

#3 WinRM Extensions

The feature might be missing. Do the below to add it:

Get-WindowsFeature *IIS* #to check if it is installed
Add-WindowsFeature Winrm-IIS-Ext # to install

Apr 07

How to: Remove Arbitration mailboxes from Exchange Mailbox servers

Sometimes you want to uninstall a mailbox server, but when you run Get-Mailbox -Arbitration -Database DataBase1 you see some mailboxes there. These arbitration mailboxes are used by the Exchange server and prevent you from deleting the mailbox database or server. You can either move or delete them. If this is not the last mailbox server in your setup I would suggest you move them; otherwise delete them, or you will not be able to uninstall the server.

Moving the mailboxes:
Get-Mailbox -Arbitration -Database EXCHDB1 | New-MoveRequest -TargetDatabase EXCHDB2

Disabling the mailboxes:
Get-Mailbox -Arbitration -Database EXCHDB1 | Disable-Mailbox -Arbitration

Deleting the mailboxes:
Get-Mailbox -Arbitration -Database EXCHDB1 | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed

If you would like to re-create them, I would suggest the below

Setup.com /PrepareAD /IAcceptExchangeServerLicenseTerms
or
.\Setup /PrepareAD /IAcceptExchangeServerLicenseTerms

Mar 27

How to: Uninstall an application with Powershell using GPO

Sometimes you would need to automate an uninstall of an application through Group Policies (GPO). This can be done by running a PowerShell script. Firstly create a PowerShell script as below:

# Find the installed product by name (-match treats the name as a regular expression)
$application = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -match "My Application Name" }
# Uninstall the matching product
$application.Uninstall()

Save the file, create a new GPO, and set the script to run at startup under Computer Configuration/ Policies/ Windows Settings/ Scripts/ Startup.

Mar 27

How to: Set PowerShell execution policy to unrestricted using GPO

Often, when you have to execute PowerShell scripts through a GPO, you end up with an error on execution saying that the Execution Policy does not allow you to run unsigned scripts.

So you would need to create a new GPO to set the Execution Policy. Create a new GPO and edit it.

Go to Computer Configuration/ Policies/ Administrative Templates/ Windows Components/ Windows PowerShell

Double-click on Turn on Script Execution
Click on Enabled
Select Allow All Scripts

Move the GPO onto the respective OU, then wait for the refresh or simply run gpupdate /force on the computers.
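To confirm on a target computer what the GPO above actually applied, the following added example (not part of the original post) reads the policy registry values and the per-scope execution policy. "Allow All Scripts" corresponds to the Unrestricted policy; the function name Get-ScriptExecutionPolicyAudit is hypothetical.

```powershell
# Added example: report what the "Turn on Script Execution" GPO applied on this computer.
function Get-ScriptExecutionPolicyAudit {
    # Registry values written by the Computer Configuration policy setting.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $gpo = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Per-scope view: MachinePolicy and UserPolicy come from Group Policy and
    # take precedence over Process, CurrentUser and LocalMachine.
    $byScope = @{}
    foreach ($entry in Get-ExecutionPolicy -List) {
        $byScope[$entry.Scope.ToString()] = $entry.ExecutionPolicy.ToString()
    }
    $effective = (Get-ExecutionPolicy).ToString()

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        GpoEnableScripts    = $gpo.EnableScripts      # 1 when the setting is Enabled
        GpoExecutionPolicy  = $gpo.ExecutionPolicy    # e.g. Unrestricted, RemoteSigned, AllSigned
        MachinePolicy       = $byScope['MachinePolicy']
        LocalMachine        = $byScope['LocalMachine']
        EffectivePolicy     = $effective
        # True when scripts run without any signature requirement.
        RunsUnsignedScripts = @('Unrestricted', 'Bypass') -contains $effective
    }
}

Get-ScriptExecutionPolicyAudit | Format-List
```

If MachinePolicy still shows Undefined after gpupdate /force, the GPO is not reaching the computer; check where it is linked.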

Mar 18

Fix: Missing Server Configuration in Exchange 2010 management console

When opening the Management Console in your Exchange 2010 you might notice that the Server Configuration node is missing. You might also notice that when you open a mailbox you do not see the size and other information; instead you get the yellow lock and no data is shown.

In most cases this is because you have Outlook installed and you logged in with another user in Outlook. The credentials are saved in the vault, and the Management Console tries to log in with that user. In fact, when you launch the Management Console and click on the Microsoft Exchange On-Premises node, you will notice while it is loading that it uses that user.

You would need to do the following:

- Open a command prompt using “Run as Administrator”
- Run the command “control keymgr.dll”
- Click “Back up vault” and follow the prompts to back everything up
- Remove any credentials related to the other user

After this, try to open the Management Console. If the problem persists, a quick restart of the server will do the job.

Mar 13

How to: Remove duplicate items from Exchange Mailboxes using Powershell

During an Exchange migration, users sometimes complain that there are duplicate entries of their calendar items. This is normal and can be fixed directly from the server using PowerShell. You will need to download the script here and then install Managed API 1.2 or later, which can be downloaded here.

Remove-DuplicateItems.ps1 [-Mailbox] <String> [[-Type] <String>] [-Server <String>] [-Impersonation] [-DeleteMode <String>] [-Mode <String>] [-WhatIf] [-Confirm] [<CommonParameters>]

The parameters are explained below:

-Mailbox is the name of the mailbox to process;
-Type determines what folders are checked for duplicates. Valid options are Mail, Calendar, Contacts, Tasks, Notes or All (Default);
-Server is the name of the Client Access Server to access for Exchange Web Services. When omitted, the script will attempt to use Autodiscover;
-When the Impersonation switch is specified, impersonation will be used for mailbox access, otherwise the current user context will be used;
-DeleteMode specifies how to remove messages. Possible values are HardDelete (permanently deleted), SoftDelete (use dumpster, default) or MoveToDeletedItems (move to Deleted Items folder).
-Mode determines how items are matched. Options are Quick, which uses PidTagSearchKey and is the default mode, or Full which uses a predefined set of attributes to match items, depending on the item class.

For this to work you need to set up impersonation for the user under which you will be running the script. This can be done as below for Exchange 2010:

New-ManagementRoleAssignment -Name ImpersonationRole -Role ApplicationImpersonation -User administrator

-Name: can be anything you like; it is just a name
-User: the user account that will run the script and perform the impersonation

On Exchange 2007 you can use the below command:

Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity User1 | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}

More info on the script here
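A narrower variant of the Exchange 2010 assignment above, as an added example (not part of the original post or of the Remove-DuplicateItems.ps1 script): it limits ApplicationImpersonation to the members of one group, does a -WhatIf run first, and removes the assignment when the cleanup is finished. The names svc-dedupe, DedupeTargets, DedupeImpersonation and user1 are hypothetical.

```powershell
# Added example, run from the Exchange Management Shell (Exchange 2010 or later).
# Hypothetical names: svc-dedupe (account that runs the script), DedupeTargets
# (group holding the mailboxes to clean, also used as the scope name), user1.

# 1. Scope: only recipients that are members of the DedupeTargets group.
$groupDn = (Get-Group -Identity 'DedupeTargets').DistinguishedName
New-ManagementScope -Name 'DedupeTargets' `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$groupDn'"

# 2. Grant impersonation inside that scope instead of organization-wide.
New-ManagementRoleAssignment -Name 'DedupeImpersonation' `
    -Role ApplicationImpersonation `
    -User 'svc-dedupe' `
    -CustomRecipientWriteScope 'DedupeTargets'

# 3. Review every account that currently holds the impersonation right.
Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers |
    Format-Table Name, EffectiveUserName, CustomRecipientWriteScope -AutoSize

# 4. Dry run: -WhatIf lists what would be removed without deleting anything.
.\Remove-DuplicateItems.ps1 -Mailbox user1 -Type Calendar -Impersonation `
    -DeleteMode MoveToDeletedItems -WhatIf

# 5. Real run; MoveToDeletedItems keeps the items recoverable by the user.
.\Remove-DuplicateItems.ps1 -Mailbox user1 -Type Calendar -Impersonation `
    -DeleteMode MoveToDeletedItems

# 6. Remove the assignment and the scope once the cleanup is finished.
Remove-ManagementRoleAssignment -Identity 'DedupeImpersonation' -Confirm:$false
Remove-ManagementScope -Identity 'DedupeTargets' -Confirm:$false
```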

Feb 03

Fix: Lync fails to connect with Exchange for calendar

On Exchange servers with Lync, when using Lync from outside the site using Lync Edge, you might have the problem that it works in case of instant messaging, but it will not connect to your Exchange setup to get the calendar or in some cases it will keep re-asking your credentials with no success.

This might be an issue of authentication which can easily be solved by changing the authentication method on the AutoDiscover folder on IIS.

Log into the Exchange server
Open IIS Manager
Expand the [Server Name]/Sites/Default Website
Click on AutoDiscover application
Click on Authentication
Right-Click on Digest Authentication and select Enable

Jan 07

Fix: ESXi health status showing unknown and cannot reset sensors

When ESXi 5.1 is opened in vSphere and you click on the Configuration tab and then on the system health, all items show gray question marks, and when you click Reset Sensors you get the below error.

Call “HostHealthStatusSystem.ResetSystemHealthInfo” for object “healthStatusSystem” on ESXi “esxi_srv01” failed.

To solve this issue, go to Configuration, click on Security Profile, click on Firewall and then click on Properties.

Find the CIM-SERVER entry, click on the Options and Restart the service.

Close the vSphere and re-open it. Try to reset the Sensors.

Jan 07

Fix: The Certificate Status could not be determined because the revocation check failed

Recently I came across a CAS server that was rebuilt. Think of it as a new server you are introducing in your environment. Everything looked good except the certificate that we imported. The certificate looked good when looking at validity, issuing authority certificate and other dependencies.

However, Exchange Management Console complained:

“The certificate status could not be determined because the revocation check failed.”

Since the error seemed clear enough, we checked and verified that we could reach the CRL. We could successfully access it and download the CRL. We also ensured that there were no proxy servers configured or required, which they weren’t.

However, the server had its own mind.

KB979694 wasn’t applicable since there was no proxy in the environment.

The only logical thinking here was, why is “Local System” account (which the service uses to get the revocation status) unable to get to CRL. To get to the answer, we needed to check proxy settings of Local System account. How do you do that? You can’t simply start IE as different user!

That exactly is the purpose of this post. I found bits and pieces of information that helped me resolve the issue but not a one step document. In this post, I am trying to put it all together so you have one stop solution.

Here’s how you can fix the issue:

Open up command prompt as Administrator
Run: sc create testsvc binpath= "cmd /K start" type= own type= interact
This creates testsvc service which will run as local system and allow interaction with desktop
Run “sc start testsvc”
The error “[SC] StartService failed 1053” is expected and can be ignored safely
Locate “Interactive Services Detection” icon blinking in the taskbar and click “view message”
You are now in a command prompt window running as Local System and you will not see your desktop. The only other visible window is “Interactive Services Detection” window.
Launch Internet Explorer using the following command:
"c:\Program Files (x86)\Internet Explorer\iexplore.exe"
Internet Explorer may present Set up window. If it does, click “Ask me later”.
We will now check proxy settings. Go to Tools -> Internet options -> Connections -> Lan Settings.
Verify proxy and automatic configuration options and change them to match your environment. In my case we cleared all checkboxes since no proxy existed in environment.
In our case, either server build process or a setting from or a GPO was populating incorrect proxy settings.
Close Internet Explorer window and return to command prompt.
We will now clean certutil caches.
Run “certutil -urlcache ocsp delete”
Run “certutil -urlcache crl delete”
We’re almost done here. We now have to close and exit out of service.
Type “exit” and press enter to close command prompt that is running as Local System.
Now you should have only one “Interactive Services Detection” window.
Click “Return Now”.

You are now back to your desktop and we have corrected Internet Explorer settings for Local System (removing proxy configuration that was incorrect). After this, we restarted Exchange Management Console and verified certificate on CAS server in question. Certificate was no longer issuing the warning and we proceeded with assigning the certificate to appropriate services.

It is important to note that refresh time varies from immediate to more than a few minutes, so don’t fret over the certificate still showing the same error. If, however, it takes more than 15 minutes, I would check if all steps were followed as mentioned above and the configuration is correct for your environment.

Yet another issue put to bed. On to another.
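The proxy values edited in the procedure above can also be inspected from an elevated PowerShell prompt without an interactive session. This added example (not part of the original post) reads Local System's Internet Explorer proxy values from its registry hive and reports whether the testsvc helper service still exists; the function name Get-LocalSystemProxyReport is hypothetical.

```powershell
# Added example: inspect the proxy configuration that Local System uses.
function Get-LocalSystemProxyReport {
    # S-1-5-18 is the well-known SID of Local System. Its hive under HKEY_USERS
    # holds the values that the "Lan Settings" dialog edits for that account.
    $key = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # The WinHTTP proxy is configured separately from the IE settings.
    $winHttp = (netsh winhttp show proxy | Out-String).Trim()

    # testsvc is the interactive helper service created with "sc create" above.
    $svc = Get-Service -Name 'testsvc' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ProxyEnable    = $ie.ProxyEnable     # 1 = "Use a proxy server" is ticked
        ProxyServer    = $ie.ProxyServer
        ProxyOverride  = $ie.ProxyOverride
        AutoConfigURL  = $ie.AutoConfigURL   # "Use automatic configuration script"
        WinHttpProxy   = $winHttp
        TestSvcPresent = [bool]$svc
    }
}

$report = Get-LocalSystemProxyReport
$report | Format-List

if ($report.ProxyEnable -eq 1 -or $report.AutoConfigURL) {
    Write-Warning 'Local System has a proxy or PAC script configured; CRL and OCSP retrieval will use it.'
}
if ($report.TestSvcPresent) {
    # In PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
    Write-Warning 'Service testsvc still exists; it can be removed with: sc.exe delete testsvc'
}
```

The "Automatically detect settings" checkbox is stored in the binary Connections\DefaultConnectionSettings value, which this example does not decode.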
