AD FS 2.0 Configuration Wizard Fails – or where is my Program Data ?

Hi Again,

I encountered a funny situation the other day with a new Office 365 hybrid deployment, starting with an initial install of ADFS 2.0 for federation with Office 365 and SSO.

The first attempt of running the “AD FS 2.0 Federation Server Configuration Wizard” ended with a failure:

You do not have sufficient privileges to create a container in Active Directory at location CN=46bd8c28-c299-475b-9853-8176010f4273,CN=ADFS,CN=Microsoft,CN=Program Data,DC=Domain,DC=com for use with sharing certificates. Verify that you are logged on as a Domain Admin or have sufficient privileges to create this container, and try again.

Create Active Directory container for sharing certificates - Error

Well, I double checked my logged-on user credentials – the built-in Administrator – and we had all the required permissions. I opened ADSI Edit and looked for the Program Data container under the domain partition, just to make sure no permissions issue was indeed preventing this wizard from completing.

Guess what – no Program Data container !!?

I had the feeling that the container had been moved rather than deleted or removed completely, so I decided to do a little search: a custom search for containers with a description starting with the string “default”.

Search Program Data Container

Program Data Container Found

Found it (!) and moved it to the root of the domain tree, then I started the ADFS configuration wizard again.

Adfs Configuration Successful

Case closed 🙂 happy ADFS and a working federation with Office 365
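The same search and move done from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, that the container still carries its default description (which starts with “Default”), and that the expected location is the CN=Program Data path named in the wizard’s error message:

```powershell
# Added example (not part of the original post): locate a Program Data container that was
# moved out of the domain root, show where it lives, and move it back so the AD FS wizard
# finds it at CN=Program Data,<domain DN>. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$expectedDN = "CN=Program Data,$domainDN"

# The post searched by description rather than by name; the container's default description
# starts with "Default", so that is the filter used here (assumption: it was never edited).
$candidates = Get-ADObject -SearchBase $domainDN -SearchScope Subtree `
    -LDAPFilter '(&(objectClass=container)(description=Default*))' `
    -Properties description

$candidates | Format-Table Name, DistinguishedName, description -AutoSize

$programData = $candidates | Where-Object { $_.Name -eq 'Program Data' }

if (-not $programData) {
    Write-Warning "No container named 'Program Data' found under $domainDN"
}
elseif ($programData.DistinguishedName -eq $expectedDN) {
    Write-Host "Program Data is already at the domain root: $expectedDN"
}
else {
    Write-Host "Program Data found at $($programData.DistinguishedName); moving it to $domainDN"
    # Moving the container carries its whole subtree (e.g. CN=Microsoft) with it.
    Move-ADObject -Identity $programData.DistinguishedName -TargetPath $domainDN -Confirm:$true
}

# Verify the path the wizard error message referred to now resolves.
Get-ADObject -Identity $expectedDN -Properties description | Select-Object Name, DistinguishedName
```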

Certificate autoenrollment fails with RPC server is unavailable – Again

Hey Again !

I’ve blogged in the past about this issue – Certificate autoenrollment fails with RPC server is unavailable – but following a session today, we encountered a new situation when trying to auto-enroll certificates, and also with manual enrollment using the MMC. The error code was 0x800706ba – The RPC server is unavailable.

If you read my previous blog, you’ll see I explained a situation with auto-enrollment on domain controllers when the CA is installed on a DC. The solution was adding the “Domain Controllers” security group to the CERTSVC_DCOM_ACCESS security group, but what happens when the CERTSVC_DCOM_ACCESS group itself was deleted?

Well, easy (so it seems):

  1. Create the CERTSVC_DCOM_ACCESS group – Domain Local, Security Group in the Users container
  2. Populate the group with “Domain Users” , “Domain Computers” , “Domain Controllers”
  3. Log on to the CA server and run the following commands:
    1. certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
    2. net stop certsvc && net start certsvc
  4. Restart your affected computers / DCs, because their computer accounts have a new group membership
  5. Successfully auto-enroll your certificate
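Steps 1 to 3 scripted, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module for the group work and that the certutil and service commands are run on the CA server itself:

```powershell
# Added example (not part of the original post): recreate CERTSVC_DCOM_ACCESS with the
# membership the post lists, verify it, then make certsvc re-apply its DCOM security.
# Assumes the RSAT ActiveDirectory module; run the certutil/service part on the CA server.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$groupName = 'CERTSVC_DCOM_ACCESS'
$usersPath = "CN=Users,$($domain.DistinguishedName)"

# Step 1: Domain Local security group in the Users container (reuse it if it already exists).
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope DomainLocal -GroupCategory Security -Path $usersPath `
        -Description 'Certificate Services DCOM access (recreated)' -PassThru
}

# Step 2: Domain Users, Domain Computers and Domain Controllers as members.
$members = 'Domain Users', 'Domain Computers', 'Domain Controllers' |
    ForEach-Object { Get-ADGroup -Identity $_ }
Add-ADGroupMember -Identity $group -Members $members

# Check before touching the CA: every expected member is really in the group.
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name
$missing = $members | Select-Object -ExpandProperty Name | Where-Object { $current -notcontains $_ }
if ($missing) { throw "CERTSVC_DCOM_ACCESS is missing: $($missing -join ', ')" }

# Step 3 (on the CA server): clear the setup flag so certsvc rebuilds the DCOM security on start.
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
Restart-Service -Name certsvc

# Step 4 is not scripted: the new membership lands in the computer token only after a reboot.
```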

Have fun !

Reference links:

http://support.microsoft.com/kb/927066

Also (Again):
http://blogs.technet.com/instan/archive/2009/12/07/troubleshooting-autoenrollment.aspx


Dynamic Distribution Groups in a Hybrid Office 365 Deployment

Happy new year everyone !

I’ve been very busy lately with lots of work, especially Office 365 hybrid deployments. Office 365 is really in growing demand and presents new technical perspectives, which comes down to new knowledge 🙂

Well yeah I am a geek that likes to keep learning new stuff…

Long story short: you have deployed your hybrid Office 365 topology on your current Exchange 2003, 2007 or 2010 organization, and now you move a mailbox-enabled user to the cloud (25 GB mailboxes rock). Everyone is happy; then the CEO sends a “Happy New Year” email to the “All Company” DL and, for some reason, the user who was moved to the cloud did not receive that memo…

So what happened ?

Most “All Company” distribution lists are Dynamic Distribution Groups, AKA Query-Based Distribution Groups, and as such they have an LDAP filter which populates the members auto-magically. Most members are Users with Exchange Mailboxes, but when you move a user mailbox to Office 365 the original user is transformed into a Mail-Enabled User – with an external address!

Yeah, you will now need to modify those groups to have “Users with External e-mail addresses” checked as well 🙂

Enable Users With External E-Mail Addresses

Problem solved – Happy new year !
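The same fix from the Exchange Management Shell, as an added example that is not part of the original post. The “Users with External e-mail addresses” checkbox corresponds to the MailUsers value of IncludedRecipients; the script assumes an on-premises Exchange 2010 shell and only touches groups built with the precanned (checkbox) filter:

```powershell
# Added example (not part of the original post): find dynamic distribution groups whose
# precanned filter does not include mail users, preview the recipients they would gain,
# then add MailUsers ("Users with External e-mail addresses") to the filter.
# Assumes an on-premises Exchange 2010 Management Shell.

$groups = Get-DynamicDistributionGroup -ResultSize Unlimited | Where-Object {
    $_.RecipientFilterType -eq 'Precanned' -and
    "$($_.IncludedRecipients)" -notmatch 'MailUsers|AllRecipients'
}

foreach ($g in $groups) {
    $newIncluded = "$($g.IncludedRecipients), MailUsers"
    Write-Host "`n$($g.Name): IncludedRecipients '$($g.IncludedRecipients)' -> '$newIncluded'"

    # Preview: mail users in the group's recipient container that the widened filter picks up.
    # A mailbox moved to Office 365 shows up here as RecipientTypeDetails RemoteUserMailbox.
    Get-Recipient -OrganizationalUnit $g.RecipientContainer -RecipientType MailUser -ResultSize Unlimited |
        Where-Object { $_.ExternalEmailAddress } |
        Format-Table Name, RecipientTypeDetails, ExternalEmailAddress -AutoSize

    Set-DynamicDistributionGroup -Identity $g.Identity -IncludedRecipients $newIncluded

    # Confirm the stored OPATH filter now covers the mail user recipient type.
    (Get-DynamicDistributionGroup -Identity $g.Identity).RecipientFilter
}
```

Groups with a custom RecipientFilter are skipped on purpose; those need their filter text edited by hand.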

ilantz

Exchange Server 2010 SP2 is out!

This just in !!

Exchange Server 2010 Service Pack 2 is here ! 🙂
I will do my best to show off some new features soon enough…

To follow my excitement, here are the highlights from the TechNet topic – What’s New in Exchange 2010 SP2

Hybrid Configuration Wizard

Exchange 2010 SP2 introduces the Hybrid Configuration Wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises and Office 365 Exchange organizations. Hybrid deployments provide the seamless look and feel of a single Exchange organization and offer administrators the ability to extend the feature-rich experience and administrative control of an on-premises organization to the cloud. For more information, see Understanding the Hybrid Configuration Wizard.

Address Book Policies

Exchange 2010 SP2 introduces the address book policy object which can be assigned to a mailbox user. The ABP determines the global address list (GAL), offline address book (OAB), room list, and address lists that are visible to the mailbox user that is assigned the policy. Address book policies provide a simpler mechanism to accomplish GAL separation for the on-premises organization that needs to run disparate GALs. For more information, see Understanding Address Book Policies.

Cross-Site Silent Redirection for Outlook Web App

With Exchange 2010 SP2, you can enable a silent redirection when a Client Access server receives a client request that is better serviced by a Client Access server located in another Active Directory site. This silent redirection can also provide a single sign-on experience when forms-based authentication is enabled on each Client Access server. For more information, see Understanding Proxying and Redirection.

Mini Version of Outlook Web App (OMA is back !)

The mini version of Outlook Web App is a lightweight browser-based client, similar to the Outlook Mobile Access client in Exchange 2003. It’s designed to be used on a mobile operating system. The mini version of Outlook Web App provides users with the following basic functionality:

  • Access to e-mail, calendar, contacts, tasks and the global address list.
  • Access to e-mail subfolders.
  • Compose, reply to, and forward e-mail messages.
  • Create and edit calendar, contact, and task items.
  • Handle meeting requests.
  • Set the time zone and automatic reply messages.

For more information, see Understanding the Mini Version of Outlook Web App.

Mailbox Replication Service

In Exchange 2010 SP1, if you wanted to move mailboxes from on-premises to Outlook.com or to another forest, you had to enable MRSProxy on the remote Client Access server. To do this, you had to manually configure the web.config file on every Client Access server. In Exchange 2010 SP2, two parameters have been added to the New-WebServicesVirtualDirectory and Set-WebServicesVirtualDirectory cmdlets so that you don’t have to perform the manual configuration: MRSProxyEnabled and MaxMRSProxyConnections. For more information, see Start the MRSProxy Service on a Remote Client Access Server.

Mailbox Auto-Mapping

In Exchange 2010 SP1, Office Outlook 2007 and Outlook 2010 clients can automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user’s mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. However, if the user has full access to a large number of mailboxes, performance issues may occur when starting Outlook. Therefore, in Exchange 2010 SP2, administrators can turn off the auto-mapping feature by setting the value of the new Automapping parameter to $false on the Add-MailboxPermission cmdlets. For more information, see Disable Outlook Auto-Mapping with Full Access Mailboxes.

Multi-Valued Custom Attributes

Exchange 2010 SP2 introduces five new multi-value custom attributes that you can use to store additional information for mail recipient objects. The ExtensionCustomAttribute1 to ExtensionCustomAttribute5 parameters can each hold up to 1,300 values. You can specify multiple values as a comma-delimited list. The following cmdlets support these new parameters:

  • Set-DistributionGroup
  • Set-DynamicDistributionGroup
  • Set-Mailbox
  • Set-MailContact
  • Set-MailPublicFolder
  • Set-RemoteMailbox

Litigation Hold

In Exchange 2010 SP2, you can’t disable or remove a mailbox that has been placed on litigation hold. To bypass this restriction, you must either remove litigation hold from the mailbox, or use the new IgnoreLegalHold switch parameter when removing or disabling the mailbox. The IgnoreLegalHold parameter has been added to the following cmdlets:

  • Disable-Mailbox
  • Remove-Mailbox
  • Disable-RemoteMailbox
  • Remove-RemoteMailbox
  • Disable-MailUser
  • Remove-MailUser

Schema updates docs for Exchange 2010 SP2 are here !

Hey !

Great stuff is coming with Exchange 2010 SP2: along with the features already mentioned on the Exchange Team Blog – Announcing Exchange 2010 Service Pack 2 – a major schema update will support some new stuff.

Quoting Michael Smith’s blog, here are some key points to mention:

  1. The Mail-Recipient class has now gained the Company and Department attributes.

    This means that Groups (both security groups and distribution groups) and Contacts (mail contacts) can now be assigned values to the Company and Department attributes.

    From a technical perspective, the Mail-Recipient class is a system auxiliary class, for both the Group and Contact classes, and all attributes present in Mail-Recipient are available in them.

  2. The ms-Exch-Custom-Attributes class has gained 35 new custom attributes, from ms-Exch-Extension-Attribute-16 to ms-Exch-Extension-Attribute-45, and ms-Exch-Extension-Custom-Attribute-1 through ms-Exch-Extension-Custom-Attribute-5.

    This means that Contacts, Groups, Users, Public Folders, Dynamic Distribution Lists, and Recipient Policies all now have a huge number of new attributes that can be assigned arbitrary values by an organization. This is welcome news to organizations who are using many or most of the current custom attributes and are wary to extend the schema themselves.

    From a technical perspective, the ms-Exch-Custom-Attributes class is an auxiliary class for all the named classes above.

  3. Many new attributes and classes were added to provide support for Address Book Policies and to enhance access to various address lists, global address lists, and offline address lists maintained by Exchange.

    The master class is ms-Exch-Address-Book-Mailbox-Policy.

  4. There are several new attributes and one new class (ms-Exch-Coexistence-Relationship) that are probably designed to support the Hybrid Coexistence Wizard and to overall simplify the process of configuring hybrid coexistence with Exchange Online.
  5. There is a new class (ms-Exch-ActiveSync-Device-Autoblock-Threshold) and a number of new attributes that are within that class that appear to be designed to support automatic throttling of ActiveSync devices.
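A way to check whether the SP2 schema extension described above has actually landed in your forest, as an added example that is not part of the original post or the quoted blog. It assumes the RSAT ActiveDirectory module and looks up the schema objects by the common names listed above (the SP2 schema version number is not stated on this page, so it is reported but not asserted):

```powershell
# Added example (not part of the original post): verify the Exchange 2010 SP2 schema
# objects named in the post exist in the schema partition. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Common names (cn) of the classes/attributes the post lists.
$expected = @(
    'ms-Exch-Extension-Custom-Attribute-1',
    'ms-Exch-Extension-Custom-Attribute-5',
    'ms-Exch-Extension-Attribute-16',
    'ms-Exch-Extension-Attribute-45',
    'ms-Exch-Address-Book-Mailbox-Policy',
    'ms-Exch-Coexistence-Relationship',
    'ms-Exch-ActiveSync-Device-Autoblock-Threshold'
)

$results = foreach ($cn in $expected) {
    $obj = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(cn=$cn)" -Properties lDAPDisplayName
    New-Object PSObject -Property @{
        Name            = $cn
        Present         = [bool]$obj
        Kind            = $(if ($obj) { $obj.ObjectClass } else { '' })   # attributeSchema / classSchema
        LdapDisplayName = $(if ($obj) { $obj.lDAPDisplayName } else { '' })
    }
}
$results | Format-Table Name, Present, Kind, LdapDisplayName -AutoSize

# Point 1 of the quote: Mail-Recipient should now be able to carry company and department.
$mr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(cn=Mail-Recipient)' -Properties mayContain, systemMayContain
$canContain = @($mr.mayContain) + @($mr.systemMayContain)
"Mail-Recipient allows company: $($canContain -contains 'company'); department: $($canContain -contains 'department')"

# Exchange records its schema level in rangeUpper of ms-Exch-Schema-Version-Pt; shown, not asserted.
$ver = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' -Properties rangeUpper
"ms-Exch-Schema-Version-Pt rangeUpper = $($ver.rangeUpper)"

$missing = $results | Where-Object { -not $_.Present } | Select-Object -ExpandProperty Name
if ($missing) { Write-Warning "SP2 schema objects not found: $($missing -join ', ')" }
```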

Read on: A Somewhat Detailed Look at Exchange 2010 Service Pack 2 Schema Changes

Have a great weekend!

ilantz

How to manually purge Exchange server logs – clean and easy

Update 9/Jun/2015 – Thanks to Josh Davis for the feedback, I’ve added a note about making sure to include both drives (if EDB and LOG files are separated).

Update 21/Oct/2013 – This article assumes that you cannot sustain downtime or interruption for your users while battling with deleting log files or restoring your working backup solution. If you can sustain a downtime (should be around minutes or so), the easiest method is to enable Circular Logging on your database / storage group – see more here – http://technet.microsoft.com/en-us/library/bb331958%28v=exchg.141%29.aspx#UTL

Update 01/May/2013 – The Exchange team has written a script which helps troubleshoot and identify issues with backups etc. The script uses the DiskShadow utility as well! Check it out @ http://blogs.technet.com/b/exchange/archive/2013/04/29/troubleshoot-your-exchange-2010-database-backup-functionality-with-vsstester-script.aspx


Hi Again !

I often get calls and questions regarding backups and Exchange Server, since backups do not always work as required or as you would expect, but that’s off-topic 🙂

One of the most common stories is that without a working Exchange Server backup, when you perform massive mailbox moves the transaction logs pile up and fill the volume or disk they reside on. Then the panic starts: “hey, my databases were dismounted…”, and of course the administrator realizes that the space on the log drive or volume has indeed run out and now needs to figure out what to delete. That’s where this post comes in…

So how can you delete or purge Exchange Server logs without any risk? Well, in simple terms – you cannot, because the whole idea of restoring an Exchange database (or, for that matter, any transactional database) requires you to have, first, a “full” backup of the database itself, and then all transaction logs generated since the database creation date or since the last successful “full backup”.

Now here’s a nice method to “fake” a “full backup”, or an on-demand transaction log purge when you see you will soon be out of space, using the Exchange VSS writers and the diskshadow utility (available with Server 2008 or 2008 R2). This procedure also “proves” that a VSS backup of your Exchange Server will work fine.

Note: This method was tested on an Exchange server with locally attached disks, not storage-attached LUNs.

Use this method at your own risk. You should perform a “Full Backup” right after this process is done.

This example will show you how to purge the logs for a database located on drive D, whose log files are also located on drive D. We will “fake backup” drive D and this will trigger the logs to be purged.

Note: If you have separated your log files and database file onto different drives, or you want to include additional databases in the “backup”, you must include the additional drives in the process; so in the example below, you will “Add volume e:” after “Add volume d:” and so on…

  1. Open Command prompt
  2. Launch Diskshadow
    1. Add volume d:
    2. (optional, add one line for each additional drive to include) Add volume X:
    3. Begin Backup
    4. Create
    5. End Backup
  3. At this step you should notice the following events in the Application log, indicating that the backup was indeed successful and the logs will now be deleted.
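The same procedure driven from the Exchange Management Shell, as an added example that is not part of the original post. It builds the DiskShadow script from the database’s real EDB and log paths (so a separate log drive, the case the 2015 update warns about, is included automatically), runs it non-interactively, and then looks for the four Application log events the screenshots below show. It assumes an Exchange 2010 Management Shell on the mailbox server; the database name DB01 is a constructed placeholder:

```powershell
# Added example (not part of the original post): fake a full backup with DiskShadow for one
# database and confirm from the Application log that the logs were purged.
# Assumes an Exchange 2010 Management Shell on the mailbox server; 'DB01' is a placeholder.
$dbName = 'DB01'
$db = Get-MailboxDatabase -Identity $dbName

# Root of every volume the database touches, e.g. D: for the EDB and E: for the logs.
$volumes = @("$($db.EdbFilePath)", "$($db.LogFolderPath)") |
    ForEach-Object { [System.IO.Path]::GetPathRoot($_).TrimEnd('\') } |
    Sort-Object -Unique

# Same commands the post types interactively: add volume(s), begin backup, create, end backup.
$script = @(
    $volumes | ForEach-Object { "add volume $_" }
    'begin backup'
    'create'
    'end backup'
)
$scriptPath = Join-Path $env:TEMP 'fake-full-backup.dsh'
$script | Set-Content -Path $scriptPath -Encoding ASCII
Write-Host "DiskShadow script:`n$($script -join "`n")`n"

$start = Get-Date
diskshadow /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskshadow exited with code $LASTEXITCODE" }

# Check: ESE 2005 (full shadow copy backup started), MSExchangeIS 9811 (VSS writer prepared),
# ESE 224 (logs purged) and MSExchangeIS 9780 (backup complete), all logged after $start.
$expected = @(
    @{ ProviderName = 'ESE';          Id = 2005 },
    @{ ProviderName = 'MSExchangeIS'; Id = 9811 },
    @{ ProviderName = 'ESE';          Id = 224  },
    @{ ProviderName = 'MSExchangeIS'; Id = 9780 }
)
foreach ($e in $expected) {
    $found = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = $e.ProviderName; Id = $e.Id; StartTime = $start
    }
    $state = if ($found) { 'OK     ' } else { 'MISSING' }
    "{0} {1,-13} {2,5}" -f $state, $e.ProviderName, $e.Id
}
# The shadow copy created above is left in place, as in the post; take a real full backup next.
```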

Here are some screenshots from the process:

Diskshadow commands for the example

The Diskshadow example screenshot.

ESE Event ID 2005

ESE – Event ID 2005 – Starting a Full Shadow Copy Backup

MSExchangeIS Event ID 9811

MSexchangeIS – Exchange VSS Writer preparation.

ESE Event ID 224 - Logs being Purged

ESE Event ID 224 – Logs are now purged 🙂

MSExchangeIS Event ID 9780 - Backup complete

MSExchangeIS Event ID 9780 – Backup is now complete.

Side note: although this example was tested against Exchange 2010, it should work just as well with Exchange 2013 and 2007.

Hope this helps you !

ilantz

Solving Sync Issues Error 80004005-501-4B9-560 in Exchange 2010 RTM and SP1

Update

The current “Best Practice” is to upgrade your Exchange Server to Service Pack 2 and apply Update Rollup 3 for Exchange Server 2010 Service Pack 2 (KB2685289), as this issue has been permanently solved.

See Synchronization of an organizational forms library fails when you use Outlook in Cache mode in an Exchange Server 2010 for additional information.


Hello Everyone,

Since the first migrations of Exchange 2003 to Exchange 2010 we’ve seen a really annoying error in Outlook 2003, 2007 and Outlook 2010 when trying to decommission legacy servers, specifically when moving all public folder replicas including the EFORMS REGISTRY system folder and its child folders. Once the organizational forms folder (you might see a different folder name within your organization) is replicated only to Exchange 2010, a log / error message is created in the Sync Issues folder upon an Outlook Send/Receive operation:

11:56:54 Synchronizing Forms
11:56:54 Downloading from server ‘public folder server
11:56:54 Error synchronizing folder
11:56:54 [80004005-501-4B9-560]
11:56:54 The client operation failed.
11:56:54 Microsoft Exchange Information Store

Notice: Use this method at your own risk ! This method is for organizations that do not use Forms !

Many posts and different resolutions were recommended; my original “fix” for this issue was not to replicate the organizational forms folder to the new Exchange 2010 public folder database when starting to decommission the Exchange 2003 server, practically “leaving it behind”.

I recently handled a situation where the Exchange 2003 server was already removed, the forms folder was already replicated to Exchange 2010, and the error was already in place. I could not remove the replica with Exchange 2003 System Manager, the Exchange Management Shell or ExFolders: none of these tools really lets you leave an empty replica list.

MFCMapi to the rescue 🙂

  1. Open MFCMapi, click the Session menu, and select the “Logon and Display Store Table” option.
  2. Double click Public Folders, expand the public root tree, expand NON_IPM_SUBTREE, then expand EFORMS REGISTRY.
  3. Locate and select the organizational forms folder.
  4. Scroll the property list to find the PR_REPLICA_LIST entry – double click it and clear the value inside (clear means delete the values inside the property). Setting PR_REPLICA_LIST to NULL actually leaves us with an empty replica list – which “solves” this issue.
  5. Note that when you click to apply the change to PR_REPLICA_LIST, the property list will immediately shrink; this is normal 🙂
  6. Exit Outlook, then wait and check that the Sync Issues folder indeed does not get a new log with the 80004005-501-4B9-560 error.

Use this method at your own risk ! and again – this method is for organizations that do not use Forms !

Some references for your use:

Troubleshooting: Error synchronizing folder Synchronizing Forms 80004005-501-4B9-560

Outlook synchronization error [80004005-501-4B9-560] with a Microsoft Exchange Server 2010 mailbox

“80004005-501-4B9-560” synchronization error logs are generated in the Sync Issues folder in Outlook in a Business Productivity Online Suite Dedicated environment 

Office Suite – Latest Updates

Hey again,

I always tend to spend some time looking up the latest Office / Outlook updates, and found the following link from the Office center on TechNet to be very useful.

It has a nice table of the latest Service Pack, latest Public Update and latest Cumulative Update for Office 2003 / Office 2007 / Office 2010.

http://technet.microsoft.com/en-us/office/ee748587 – Update Center.

Enjoy !

Exchange 2010 SP1 Calendar Repair Assistant – Does not run?

So you want to use the Calendar Repair Assistant (CRA) with Exchange 2010 SP1, you’ve run a few PowerShell commands, but nothing happens?

You’ve missed a change: Exchange 2010 SP1 introduced two new settings for Set-MailboxServer related to the Calendar Repair Assistant:

-CalendarRepairWorkCycle and -CalendarRepairWorkCycleCheckpoint
These parameters work together. The CalendarRepairWorkCycle parameter specifies the time span in which all mailboxes on the specified server will be scanned by the CRA. For example, if you specify seven days for this parameter, the CRA will process all mailboxes on this server every seven days. Calendars that have inconsistencies will be flagged and repaired according to the interval specified by the CalendarRepairWorkCycleCheckpoint parameter. For example, if you specify one day for this parameter, the CRA will query every day for new mailboxes that require processing.

To have your Exchange server schedule a daily repair at 23:00, while making sure this task runs each day (Cycle) and searches for new mailboxes to process every 12 hours (CycleCheckpoint), run the following:

Set-MailboxServer -Identity MBX2 -CalendarRepairSchedule 1.22:00-1.23:00, 2.22:00-2.23:00, 3.22:00-3.23:00, 4.22:00-4.23:00, 5.22:00-5.23:00, 6.22:00-6.23:00, 7.22:00-7.23:00  -CalendarRepairWorkCycle 1.00:00:00 -CalendarRepairWorkCycleCheckpoint 12:00:00

Now it will actually run 😉

Enjoy !