
Just can't get enough of IT

This blog is about mostly anything in IT. But the primary focuses are Microsoft Technologies like Exchange, Office 365, Azure and Cloud Security.
On February 15, 2017

Problem

When querying mailbox statistics in an Exchange organization using a cmdlet such as the following, you might receive a warning that the object has been corrupted and is in an inconsistent state.

Get-Mailbox USER | Get-MailboxStatistics

WARNING: The object 3d16fdbb-5584-436b-b6c2-ee89adab9b9f has been corrupted, and it's in an inconsistent state. The following validation errors
happened:
WARNING: Cannot extract the property value of 'DeletedItemCount'. Source: PropTag(DeletedMsgCount), PropType(Int), RawValue(-11),
RawValueType(System.Int32). Target: Type(System.Nullable`1[System.UInt32]), IsMultiValued(False). Error Details: <n/a>

Solution

Check whether the affected mailbox is a regular user mailbox or if the mailbox is in a disconnected state. If the mailbox is disconnected you can either ignore the warning or remove the mailbox from the mailbox store.

If the mailbox is a regular user mailbox, check the corresponding identity and move the mailbox to a different database.

Get-Mailbox -Identity 3d16fdbb-5584-436b-b6c2-ee89adab9b9f

Name                      Alias                ServerName       ProhibitSendQuota
----                      -----                ----------       -----------------
JohnDoe                   johndoe              MX01             1.8 GB (1,932,735,488 bytes)

Get-Mailbox johndoe | New-MoveRequest -TargetDatabase DB01

Enjoy.
On February 13, 2017

Exchange Server 2013, Exchange Server 2016

Description

This script helps administrators and support desk personnel to connect to an Exchange Server 2013+ using remote PowerShell. You can either connect to a dedicated Exchange Server or connect to a randomly selected Exchange Server.

You can implement the function in your own scripts to connect to Exchange remotely. David Lee has written an excellent post about how to use saved credentials with PowerShell scripts.

Examples

# EXAMPLE
# Connect to the specified server EX01
./Connect-ToExchange.ps1 -Server EX01

# EXAMPLE
# Connect to a randomly selected server
./Connect-ToExchange.ps1

Version History

  • 1.0, Initial community release

On February 8, 2017

Problem

Recently a colleague of mine found an interesting issue with an Exchange Server 2013 organization setup.

The local service desk personnel wasn't able to select a target organizational unit (OU) when creating new mailboxes. The ECP dialogue just showed an empty window.

Reason

By default the ECP OU picker result set contains 500 entries only.

The OU picker does not query the Active Directory with -ResultSize Unlimited.

Solution

Microsoft Knowledge Base article 3038717 provides the solution for this issue.

When the local Active Directory was queried for the overall number of organizational units using the following command, it turned out that the Active Directory contained more than 4,000 OUs.

(Get-OrganizationalUnit -ResultSize Unlimited).Count

Use this cmdlet to determine the current number of organizational units and define a reasonable number for querying Active Directory.

Add a new key node to the ECP web.config file on each of your Exchange 2013 servers.

<appSettings>
	<!-- Provisioning Cache identification -->
	<add key="ProvisioningCacheIdentification" value="Ecp" />
	<!-- ALL OTHER LINES HAVE BEEN REMOVED AS THIS IS FOR REFERENCE ONLY -->
	<add key="AccountTerminationEnabled" value="false" />
	<!-- Enable legacy logout page. To enable new signoff page delete the entry. (3) -->
	<add key="LogonSettings.SignOutKind" value="LegacyLogOff" />
	<!-- Allow the OU picker for New-Mailbox to retrieve 5000 organization units from AD, default = 500 -->
	<add key="GetListDefaultResultSize" value="5000" />
</appSettings>

The ECP web.config file is located in

  • $exinstall\ClientAccess\ecp

Saving a modified web.config normally triggers an application pool restart. If required, use the following one-liner to restart the ECP application pool across all Exchange 2013 servers.

Get-ExchangeServer | ? { $_.AdminDisplayVersion -like '*15.*'} | % { Invoke-Command -ComputerName $_.Name -ScriptBlock {Restart-WebAppPool MSExchangeECPAppPool } }
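
As an added example (not from the original post or the Knowledge Base article), the following function reads the ECP web.config on the local server and compares the configured picker limit with the actual number of OUs. It assumes the Exchange Management Shell, where $exinstall is defined; the function name and the output property names are illustrative.

```powershell
# Added example: compare the OU count with the ECP OU picker limit on this server.
# Assumption: runs in the Exchange Management Shell, where $exinstall is defined.
function Test-EcpOuPickerLimit {
    param(
        [string]$ConfigPath = (Join-Path $exinstall 'ClientAccess\ecp\web.config'),
        [int]$DefaultLimit = 500   # default result size stated in the post
    )

    # Load web.config and look for the key described in the post
    [xml]$config = Get-Content -Path $ConfigPath -Raw
    $xpath = "/configuration/appSettings/add[@key='GetListDefaultResultSize']"
    $node = $config.SelectSingleNode($xpath)

    # Without the key the picker falls back to the default limit
    $limit = $DefaultLimit
    if ($null -ne $node) { $limit = [int]$node.GetAttribute('value') }

    # @() keeps .Count reliable even when only one OU is returned
    $ouCount = @(Get-OrganizationalUnit -ResultSize Unlimited).Count

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        KeyPresent    = ($null -ne $node)
        PickerLimit   = $limit
        OuCount       = $ouCount
        LimitExceeded = ($ouCount -gt $limit)
    }
}

Test-EcpOuPickerLimit | Format-List
```

Run it on each Exchange 2013 server after editing web.config; a server that still reports LimitExceeded as True either lacks the key or uses a value below the current OU count.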

Note

It has not yet been verified whether the issue is present with Exchange Server 2016 as well. If so, just let us know.

Keep enjoying the oddities of Exchange Server.

Exchange Server 2013, Exchange Server 2016

Description

This script helps to create certificate requests (CSR) based on hostnames used for internal and external URLs of Exchange Server virtual directories.

The script queries Exchange Server 2013+ virtual directory hostnames to create a certificate request.

The request is created using an inf file template. You can prepare multiple template files to choose from. Template files are supposed to be stored in the same folder as the PowerShell script.

The resulting inf file used to create the certificate request is stored in the same directory as the PowerShell script. The script queries for the certificate's common name (CN).

If created, the certificate request is stored in the same directory as the PowerShell script. The content of the certificate request file is the CSR to be submitted to a Certificate Authority.

INF Template file

Copy the following content to a text file, name it Default-Template.inf and save it to the same directory as the Create-CertificateRequest.ps1 file. Alternatively, download the template as a zipped archive file.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=##COMMONNAME##" 

Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 2048 ; Valid key sizes: 1024, 2048, 4096, 8192, 16384
KeySpec = 1 ; Key Exchange – Required for encryption
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10 ; or CMC.
HashAlgorithm = sha256
SMIME = FALSE 

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}##DNSSAN##"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"
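
The following added example (not part of Create-CertificateRequest.ps1) shows one way to fill the two placeholders of the template and hand the result to certreq.exe. It assumes that ##DNSSAN## is replaced by the dns=name1&dns=name2 text form that certreq accepts after {text}; the function name, the output file names and the host names are constructed for illustration.

```powershell
# Added example, not the original script. Assumption: ##DNSSAN## takes the
# "dns=a&dns=b" text form that certreq accepts after {text}.
function New-RequestInf {
    param(
        [Parameter(Mandatory)][string]$TemplatePath,
        [Parameter(Mandatory)][string]$CommonName,
        [Parameter(Mandatory)][string[]]$DnsName,
        [Parameter(Mandatory)][string]$OutputPath
    )

    # Common name first, then the other host names, normalized and de-duplicated
    $names = @(@($CommonName) + $DnsName |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Select-Object -Unique)

    # Accept host names only (optional leading wildcard label); anything else,
    # such as quotes, '&' or '%', would change the meaning of the INF line
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?'
    $pattern = "^(\*\.)?($label\.)*$label$"
    foreach ($name in $names) {
        if ($name -notmatch $pattern) { throw "Invalid host name for SAN: '$name'" }
    }
    $san = ($names | ForEach-Object { "dns=$_" }) -join '&'

    # Fail early when the template does not carry both placeholders
    $inf = Get-Content -Path $TemplatePath -Raw
    foreach ($token in '##COMMONNAME##', '##DNSSAN##') {
        if (-not $inf.Contains($token)) { throw "Template lacks $token" }
    }
    $inf = $inf.Replace('##COMMONNAME##', $names[0]).Replace('##DNSSAN##', $san)

    # ASCII is sufficient because every inserted name was validated above
    Set-Content -Path $OutputPath -Value $inf -Encoding ASCII
    $OutputPath
}

# Constructed host names; in practice they come from the virtual directory URLs
$infPath = New-RequestInf -TemplatePath .\Default-Template.inf `
    -CommonName 'mail.sedna-ltd.com' `
    -DnsName 'mail.sedna-ltd.com', 'autodiscover.sedna-ltd.com' `
    -OutputPath .\request.inf

# Create the PKCS#10 request from the rendered inf file
certreq.exe -new $infPath .\request.csr
```

Review the rendered request.inf before submitting the CSR: the template sets Exportable = TRUE, so the private key can later be exported from the server that created the request.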

Examples

# EXAMPLE 1
# Create a new certificate request inf file using dedicated organizational information. The common name will be determined separately.
    
.\Create-CertificateRequest.ps1 -ModernExchangeOnly -Country DE -State NW -City Hueckelhoven -Organisation Varuna -Department IT

# EXAMPLE 2
# Create a new certificate request for Exchange 2013+ using the common name only. The common name will be determined separately.
    
.\Create-CertificateRequest.ps1 -ModernExchangeOnly -CreateRequest

Version History

  • 1.0, Initial community release


Problem

The Skype for Business client merges contact data from different sources when displaying the contact card. The merged data is used to perform name resolution when performing a user search. In a more complex deployment scenario where an email domain name is in shared use in two Active Directory forests, you might run into a situation where the Skype for Business client tries to use the wrong target address.

Such a scenario looks as follows.

Forest A is used as a dedicated infrastructure for developers. When logged on to the development network the users should be able to skype with colleagues currently connected to the default office client network.

Forest B is the default office client network.

Clients logged on to forest A connect to the Skype for Business infrastructure in forest B as external clients. Forest A is used for user account authentication while forest B is used for Skype for Business connection and authentication. 

Forest A

Forest A runs an Exchange Server 2013 organization.

  • Active Directory domain: SednaDevelopers.com
  • SMTP domains: dev.Sedna-Ltd.com, Sedna-Ltd.com

Forest B

Forest B runs an Exchange Server 2013 organization and a full Skype for Business 2015 server deployment.

  • Active Directory domains:
    • root.internal - Forest root, resource domain with Skype for Business 2015, Exchange 2013
    • Sedna-ltd.com - user domain, primary email domain
  • SMTP domain: Sedna-Ltd.com

The two Active Directory forests do not have a trust of any sort established.

Such a configuration would result in forest A users trying to contact a Skype for Business user using the wrong address. Instead of using John.Doe@Sedna-Ltd.com, the Skype for Business client of Jane.Doe@Sedna-Ltd.com (logged on to forest A) would try to contact John.Doe@dev.Sedna-Ltd.com. As there is no endpoint defined for dev.Sedna-Ltd.com, a connection could not be established. Therefore, no availability information is available and no call or chat connection could be established.

Reason

The Skype for Business client uses merged data pulled from the Skype for Business address and from the local (Forest A) Active Directory (GAL). This results in a connection attempt to John.Doe@dev.Sedna-Ltd.com.

Forest A object attributes

  • proxyAddresses: SMTP:John.Doe@dev.Sedna-Ltd.com
  • proxyAddresses: smtp:John.Doe@Sedna-Ltd.com
  • msExchShadowProxyAddresses: sip:John.Doe@Sedna-Ltd.com
  • msExchShadowProxyAddresses: SMTP:John.Doe@dev.Sedna-Ltd.com
  • msExchShadowProxyAddresses: smtp:John.Doe@Sedna-Ltd.com
  • msRTCSIP-UserEnabled: TRUE
  • msRTCSIP-PrimaryUserAddress: John.Doe@Sedna-Ltd.com

Forest B object attributes

  • proxyAddresses: sip:John.Doe@Sedna-Ltd.com
  • proxyAddresses: SMTP:John.Doe@Sedna-Ltd.com
  • msRTCSIP-InternetAccessEnabled: TRUE
  • msRTCSIP-UserEnabled: TRUE
  • msRTCSIP-PrimaryUserAddress: John.Doe@Sedna-Ltd.com

Solution

  • Create a new text file named ocapi_test.config.xml using Notepad
  • Add the following XML text
<?xml version="1.0"?> 
<settings> 
  <UseMsoSearch>false</UseMsoSearch> 
</settings>
  • Save the file in the same directory as Lync.exe
  • Terminate the Skype for Business client
  • Delete all files from the user's SIP folder
    • e.g. C:\Users\JDOE\AppData\Local\Microsoft\Office\16.0\Lync\sip_Jane.Doe@Sedna-Ltd.com
  • Restart the Skype for Business client

 

Enjoy Skype for Business