Sunday, May 30, 2010

Blackberry deployment notes for Windows 2008 Domain Controllers

If you have a large number of BlackBerry devices you might see the following in the BES agent logs:
[40206] (12/22 08:58:11.625):{0x1A38} MailboxManager::SubsystemInitialize - Using MAPI profile 'BlackBerryServer'
[50000] (12/22 08:58:11.672):{0x394} Controller: This BES Agent is under control of BlackBerry Agent Controller
[20137] (12/22 08:58:11.719):{0x1A38} MailboxManager::SubsystemInitialize - g_pSession->OpenMsgStore (0x80040111)
[40000] (12/22 08:58:11.719):{0x1A38} Setting PR_PROFILE_CONNECT_FLAGS CONNECT_IGNORE_NO_PF true
[40206] (12/22 08:58:11.719):{0x1A38} MailboxManager::SubsystemInitialize - Using MAPI profile 'BlackBerryServer'
[20137] (12/22 08:58:11.797):{0x1A38} MailboxManager::SubsystemInitialize - g_pSession->OpenMsgStore (0x80040111)
[10277] (12/22 08:58:11.797):{0x1A38} BlackBerry Messaging Agent MERC74 Agent 1 failed to start. Error code 5305
[50106] (12/22 08:58:11.797):{0x1A38} Stopping BlackBerry Mailbox Agent 1 for Server

[40000] (12/22 09:44:49.654):{0x4EC} CDO initializing failure in CDO helper 1046a930 (2)
[30001] (12/22 09:44:49.764):{0x4EC} CDOCalendar::Initialize - Code = 800406f9, WCode = 04f9, Code meaning = IDispatch error #1273,
[30002] (12/22 09:44:49.764):{0x4EC} Server = mercmbx11, Mailbox = Description = The information store could not be opened. [MAPI 1.0 - [MAPI_E_LOGON_FAILED(80040111)]]
[30180] (12/22 09:44:49.764):{0x4EC} {saskit} CDOCalendar::Initialize - Error in call m_spCalendarFolder = m_spCDOSession->GetDefaultFolder
[40000] (12/22 09:44:49.764):{0x4EC} CDO initializing failure in CDO helper 1046a930 (4)

[30181] (12/22 15:04:32.463):{0x1A38} Performing system health check (BlackBerry Mailbox Agent 1 - BESX Version
[30038] (12/22 15:04:32.463):{0x1A38} Worker Thread: *** No Response *** Thread Id=0x1350, Handle=0x7B0, WaitCount=6, WorkingTime=68 min, LastActivity=68 min, Event: NEW_MB_PCKT_RESCAN, User: , Server: , Activity: MAPISendertoRIMSender - RIM_HrGWResolveProxy
[30038] (12/22 15:04:32.463):{0x1A38} Worker Thread: *** No Response *** Thread Id=0x1564, Handle=0x1664, WaitCount=6, WorkingTime=68 min, LastActivity=68 min, Event: NEW_MB_PCKT_RESCAN, User: , Server: , Activity: MAPISendertoRIMSender - RIM_HrGWResolveProxy
[50020] (12/22 15:04:32.463):{0x1A38} Some worker threads have been blocked for 6 health checks

In addition, it is likely that if this article applies, the BlackBerry Manager will return an error when opened regarding

Here is a guide for deploying BES in a Windows 2008 domain controller environment:
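As an added example (not part of the original post), here is a PowerShell function that triages BES agent log lines for the three symptoms shown above: MAPI logon failures (0x80040111), messaging agents that fail to start, and worker threads that the health check reports as blocked. The sample lines are copied from the excerpt above; the live log path in the last line is an assumption.

```powershell
# Added example, not from the original post: triage BES agent log lines for the
# symptoms shown above. Sample lines are constructed from the log excerpt.
$sampleLog = @'
[40206] (12/22 08:58:11.625):{0x1A38} MailboxManager::SubsystemInitialize - Using MAPI profile 'BlackBerryServer'
[20137] (12/22 08:58:11.719):{0x1A38} MailboxManager::SubsystemInitialize - g_pSession->OpenMsgStore (0x80040111)
[10277] (12/22 08:58:11.797):{0x1A38} BlackBerry Messaging Agent MERC74 Agent 1 failed to start. Error code 5305
[30002] (12/22 09:44:49.764):{0x4EC} Server = mercmbx11, Mailbox = Description = The information store could not be opened. [MAPI 1.0 - [MAPI_E_LOGON_FAILED(80040111)]]
[30038] (12/22 15:04:32.463):{0x1A38} Worker Thread: *** No Response *** Thread Id=0x1350, Handle=0x7B0, WaitCount=6, WorkingTime=68 min, LastActivity=68 min, Event: NEW_MB_PCKT_RESCAN, User: , Server: , Activity: MAPISendertoRIMSender - RIM_HrGWResolveProxy
[50020] (12/22 15:04:32.463):{0x1A38} Some worker threads have been blocked for 6 health checks
'@

function Get-BesLogFindings {
    param([string[]]$Lines)
    # BES agent log format: [eventId] (MM/DD hh:mm:ss.fff):{threadHandle} message
    $linePattern = '^\[(?<event>\d+)\]\s+\((?<when>[^)]+)\):\{(?<thread>0x[0-9A-Fa-f]+)\}\s+(?<msg>.*)$'
    foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }
        # Save the outer captures: switch -Regex below overwrites $Matches
        $event = $Matches.event; $when = $Matches.when; $thread = $Matches.thread; $msg = $Matches.msg
        $finding = $null
        switch -Regex ($msg) {
            '(0x)?80040111|MAPI_E_LOGON_FAILED' {
                $finding = 'MAPI logon to the mailbox store failed (0x80040111); check the BES service account mailbox rights and MAPI profile'; break }
            'failed to start\. Error code (\d+)' {
                $finding = "Messaging agent failed to start, error code $($Matches[1])"; break }
            'Worker Thread: \*\*\* No Response \*\*\*.*WorkingTime=(\d+) min.*Activity: (.+)$' {
                $finding = "Worker thread blocked for $($Matches[1]) min in $($Matches[2])"; break }
            'blocked for (\d+) health checks' {
                $finding = "Agent reports blocked worker threads for $($Matches[1]) consecutive health checks"; break }
        }
        if ($finding) {
            New-Object PSObject -Property @{ Time = $when; Thread = $thread; EventId = [int]$event; Finding = $finding }
        }
    }
}

$findings = Get-BesLogFindings -Lines ($sampleLog -split "`r?`n")
$findings | Format-Table Time, Thread, EventId, Finding -AutoSize

# Collapse the numbers so a busy log reduces to a count per symptom
$findings | Group-Object { $_.Finding -replace '\d+', 'N' } | Select-Object Count, Name

# Live use (the path is an assumption; point it at your BES agent log directory):
# Get-BesLogFindings -Lines (Get-Content 'C:\BES\Logs\MERC74_MAGT_01_20101222_0001.txt')
```

The thread handle is kept in the output on purpose: in the excerpt the logon failure, the agent stop and the blocked worker threads all come from thread 0x1A38, which is what ties the three symptoms to one mailbox agent rather than three separate problems.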


Netapp storage best practices for Exchange 2010

Nice post:

Saturday, May 29, 2010

the Exchange 2010 Configurator Script

Hi There,

I often win points on EE by answering lots of web services questions and spending a lot of time troubleshooting EWS there. Of course I win the points, but by then the users' experience has already been degraded and the admins have suffered.

If you read my previous article you will find that there is a lot of configuration that must be done on the Exchange web services (OWA, ECP, EWS, EAS, OAB) for Outlook and Exchange to work smoothly.

I often find people running into trouble configuring their Exchange server with PowerShell, so I created this PowerShell script: it asks you a few simple questions and then configures the Exchange web services (OWA, ECP, OAB, EAS, the internal Autodiscover SCP and EWS).
Here are the script notes:

- The internal domain name is entered in FQDN format.
- The server name is entered in NetBIOS format.
- The Autodiscover and webmail URLs are entered in FQDN format with no http:// or https://.
- Internal URLs are set to the server FQDN, so the certificate has to include the server's FQDN as well.
- If you have multiple servers you will need to run the script on each server.

The script file is attached and the script itself is reproduced below for reference. You can customize it to meet your needs; use it at your own responsibility (the usual legal stuff). Comments and feedback are welcome at e14(at)Ingazat(dot)com.
# Add the Exchange 2010 snap-in so the script also runs from plain Windows PowerShell
Add-PSSnapin Microsoft.Exchange.Management.Powershell.E2010 -ea silentlyContinue

write-Host "Welcome to the Exchange configurator. This script will help you to configure the Exchange web services to avoid common missing and wrong configuration. This script is created by Mahmoud Magdy; you can reach me by email on e14(at)ingazat(dot)com. Use this script under your own responsibility."
write-Host "The Configurator will list the current system configuration for your reference; the config will be saved to c:\e14systemconfig.txt"

# Snapshot the current URLs before changing anything, so they can be put back if needed
$systemconfig  = @(Get-OwaVirtualDirectory | fl name,internalurl,externalurl)
$systemconfig += @(Get-EcpVirtualDirectory | fl name,internalurl,externalurl)
$systemconfig += @(Get-OabVirtualDirectory | fl name,internalurl,externalurl)
$systemconfig += @(Get-WebServicesVirtualDirectory | fl name,internalurl,externalurl)
$systemconfig += @(Get-ActiveSyncVirtualDirectory | fl name,internalurl,externalurl)
$systemconfig += @(Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri)
$systemconfig | out-file c:\e14systemconfig.txt

write-Host "The Configurator will start asking you some questions then will configure your environment"
$InternalDomainname   = Read-Host "What is the name of the Internal domain name"
$Servername           = Read-Host "What is the name of the Internal server name"
$Externalwebmail      = Read-Host "What is the URL used by users to access OWA externally (please don't include https://)"
$InternalAutodiscover = Read-Host "What is the internal Autodiscover URL (this will be published in the AD SCP; please don't include https://)"

# Build every URL from the answers: internal URLs use the server FQDN, external URLs use the webmail name
$InternalURL          = $Servername + "." + $InternalDomainname
$ServernameURL        = "https://" + $InternalURL
$httpsExternalwebmail = "https://" + $Externalwebmail
$owaextURL      = $httpsExternalwebmail + "/owa"
$owaintURL      = $ServernameURL + "/owa"
$ecpextURL      = $httpsExternalwebmail + "/ecp"
$ecpintURL      = $ServernameURL + "/ecp"
$EWSexternalURL = $httpsExternalwebmail + "/EWS/Exchange.asmx"
$EWSInternalURL = $ServernameURL + "/EWS/Exchange.asmx"
$oabextURL      = $httpsExternalwebmail + "/oab"
$oabintURL      = $ServernameURL + "/oab"
$EASexturl      = $httpsExternalwebmail + "/Microsoft-Server-ActiveSync"
$EASinturl      = $ServernameURL + "/Microsoft-Server-ActiveSync"
$AutodiscoverInternalUrl = "https://" + $InternalAutodiscover + "/Autodiscover/Autodiscover.xml"

write-Host "The Configurator will start Configuring your System now"
# Each Get-* is scoped to this server and piped into the matching Set-*
get-owavirtualdirectory -server $Servername | set-owavirtualdirectory -ExternalUrl $owaextURL -InternalUrl $owaintURL
get-ecpVirtualDirectory -server $Servername | set-ecpVirtualDirectory -ExternalUrl $ecpextURL -InternalUrl $ecpintURL
get-oabVirtualDirectory -server $Servername | set-oabVirtualDirectory -ExternalUrl $oabextURL -InternalUrl $oabintURL
get-WebServicesVirtualDirectory -server $Servername | set-WebServicesVirtualDirectory -ExternalUrl $EWSexternalURL -InternalUrl $EWSInternalURL
get-ActiveSyncVirtualDirectory -server $Servername | set-ActiveSyncVirtualDirectory -ExternalUrl $EASexturl -InternalUrl $EASinturl
Get-ClientAccessServer -Identity $Servername | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $AutodiscoverInternalUrl

write-Host "The Configurator is done; you might want to run this script on other servers"

Save the code above as scriptname.ps1 and run it from the Exchange Management Shell, or from plain Windows PowerShell (the script loads the Exchange snap-in itself). The script overwrites the URLs without asking, so keep the c:\e14systemconfig.txt snapshot it writes in case you need to put the old values back.

I hope to win fewer points on EE for EWS questions and more from this article.
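The fourth script note above says the certificate has to include the server name as well as the external names. The check below is an added example, not part of the configurator script: it pulls the host name out of every URL the script sets and reports each one that is not covered by the certificate's subject alternative names (exact match or a single-label wildcard). The sample URLs and certificate names are constructed for a hypothetical server ex01 in corp.example.com; the live lines at the end use the Exchange 2010 cmdlets and assume the IIS certificate is the one whose Services include IIS.

```powershell
# Added example, not part of the configurator script: check that every host name in
# the virtual directory URLs is covered by the certificate's subject alternative names.
function Get-UrlHostNames {
    param([string[]]$Urls)
    foreach ($u in $Urls) {
        if ([string]::IsNullOrEmpty($u)) { continue }   # an unset InternalUrl/ExternalUrl arrives as an empty string
        ([System.Uri]$u).Host.ToLower()
    }
}

function Test-CertificateCoversHost {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        $d = $d.ToLower()
        if ($d -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.example.com matches mail.example.com, not a.b.example.com
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)
            if ($HostName.EndsWith($suffix) -and ($HostName.Split('.').Count -eq $d.Split('.').Count)) { return $true }
        }
    }
    return $false
}

function Find-UncoveredHosts {
    param([string[]]$Urls, [string[]]$CertDomains)
    Get-UrlHostNames -Urls $Urls | Sort-Object -Unique |
        Where-Object { -not (Test-CertificateCoversHost -HostName $_ -CertDomains $CertDomains) }
}

# Constructed sample: the URLs the configurator would produce for server "ex01" in
# "corp.example.com" with external name "webmail.example.com" (all names are assumptions)
$urls = @(
    'https://ex01.corp.example.com/owa',               'https://webmail.example.com/owa',
    'https://ex01.corp.example.com/ecp',               'https://webmail.example.com/ecp',
    'https://ex01.corp.example.com/EWS/Exchange.asmx', 'https://webmail.example.com/EWS/Exchange.asmx',
    'https://ex01.corp.example.com/oab',               'https://webmail.example.com/oab',
    'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'
)
$certDomains = @('webmail.example.com', 'autodiscover.example.com')
Find-UncoveredHosts -Urls $urls -CertDomains $certDomains

# Live run in the Exchange Management Shell, after the configurator has been applied:
# $live = @(Get-OwaVirtualDirectory; Get-EcpVirtualDirectory; Get-OabVirtualDirectory;
#           Get-WebServicesVirtualDirectory; Get-ActiveSyncVirtualDirectory) |
#         ForEach-Object { "$($_.InternalUrl)"; "$($_.ExternalUrl)" }
# $live += Get-ClientAccessServer | ForEach-Object { "$($_.AutoDiscoverServiceInternalUri)" }
# $san  = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
#         ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
# Find-UncoveredHosts -Urls $live -CertDomains $san
```

On the constructed sample the only name reported is ex01.corp.example.com: the internal FQDN that the configurator writes into every InternalUrl is missing from the certificate, which is exactly the mismatch behind the certificate warnings internal Outlook clients show after a run like this.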

Sunday, May 23, 2010

Exchange 2010: create mailboxes from C# over a remote PowerShell connection

Here is a nice code snippet (completed so that it compiles; it needs a reference to System.Management.Automation.dll):

using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Security;

// Mailbox-enables an existing AD user by running Enable-Mailbox through
// the Exchange 2010 remote PowerShell endpoint.
public static class ExchangeMailboxCreator
{
    public static Collection<PSObject> CreateMailbox(string usercommonname, string userlogonname)
    {
        SecureString password = new SecureString();

        string str_password = "pass";   // sample only: read the secret from a protected store, never hard-code it
        string username = "userr";
        // on-premises /PowerShell virtual directory (the variable name is kept from the sample)
        string liveIdconnectionUri = "http://exchange.Domain.local/Powershell?serializationLevel=Full";

        foreach (char x in str_password)
        {
            password.AppendChar(x);
        }
        password.MakeReadOnly();

        PSCredential credential = new PSCredential(username, password);

        // Set the connection Info; the second argument is the Exchange shell URI
        WSManConnectionInfo connectionInfo = new WSManConnectionInfo(new Uri(liveIdconnectionUri),
            "http://schemas.microsoft.com/powershell/Microsoft.Exchange", credential);
        connectionInfo.AuthenticationMechanism = AuthenticationMechanism.Default;

        // create a runspace on a remote path
        // the returned instance must be of type RemoteRunspace
        Runspace runspace = RunspaceFactory.CreateRunspace(connectionInfo);
        PowerShell powershell = PowerShell.Create();
        PSCommand command = new PSCommand();

        // the cmdlet name was missing from the snippet; Enable-Mailbox is the one that takes Identity, Alias and Database
        command.AddCommand("Enable-Mailbox");
        command.AddParameter("Identity", usercommonname);
        command.AddParameter("Alias", userlogonname);
        command.AddParameter("Database", "MBX_SBG_01");
        powershell.Commands = command;

        try
        {
            // open the remote runspace
            runspace.Open();
            // associate the runspace with powershell
            powershell.Runspace = runspace;
            // invoke the powershell to obtain the results
            return powershell.Invoke();
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
            throw;
        }
        finally
        {
            // dispose the runspace and enable garbage collection
            runspace.Dispose();
            runspace = null;
            // Finally dispose the powershell and set all variables to null to free
            // up any resources.
            powershell.Dispose();
            powershell = null;
        }
    }
}

Two things to watch when you reuse this: the password is hard-coded in the sample, so in real code take it from a protected store; and the connection is plain HTTP, which is only acceptable because AuthenticationMechanism.Default gives you Kerberos and the WS-Management session is encrypted with it. If you change the virtual directory to Basic authentication, the URL must be HTTPS.


Friday, May 21, 2010

'Group is too large to display. Communicator cannot be used for groups with more than 100 members'

You might receive this message in the Office Communicator 2007 client when you try to expand a distribution group.
First, know that the Communicator client is hard-coded to display at most 150 members. If you want users to see more than the default limit of 100, create the following client-side policy and restart the Communicator client:
Open the registry and go to:
Create a DWORD value named MaxDLExpansion and set it to 150.
More KBs:
Thanks to Jeff for that great hint

Outlook 2007 may crash when you create a new mail while connected to Exchange 2010 servers

Outlook users in online or cached mode connected to Exchange 2010 get an Outlook crash when creating a new email message, with an application event like:
Faulting application OUTLOOK.EXE, version 12.0.6504.5000, time stamp 0x49e7f47e, faulting module EMSMDB32.DLL, version 12.0.6504.5001, time stamp 0x49fea4b0, exception code 0xc0000005, fault offset 0x0003adfa, process id 0x2a6c, application start time 0x01ca3097445ad092.

Make sure that your users have the msExchQueryBaseDN attribute set to the search base DN, and make sure that you don't use Exchange 2007 address list segregation in an Exchange 2010 environment.
To set the base DN from PowerShell use this pipeline (it stamps every mailbox with the domain root; change the DN to match your domain):
get-mailbox -resultsize unlimited | Foreach { $dn = "LDAP://" + $_.distinguishedname; $obj = [ADSI]$dn; $obj.msExchQueryBaseDN = "DC=Domain,DC=local"; $obj.setinfo() }

Tuesday, May 18, 2010

How Exchange 2010 message tracking logs are indexed

Exchange 2010 has an optimization for the message tracking logs that makes searches faster, as indicated here:
but it is not documented. If you wonder how the message tracking logs are indexed: Exchange 2010 indexes them by message ID and address information, which allows much faster search and lookup in the tracking console.

The content is still being published, but this is insider info; more detail will be provided as I get it.

Monday, May 17, 2010

Unable to mount Exchange 2010 DB, replication service stops.

you might get this error:
Microsoft.Exchange.Configuration.MonadDataProvider.CommandExecutionException: Unexpected error [0x79596503] while executing command 'mount-database'. ---> System.InvalidCastException: Specified cast is not valid.

How to solve this:
Delete the EnableVSSWriter value from the registry and restart the server.

Sunday, May 16, 2010

Exchange 2010/2007 Virtual Directory Default Permissions

We see this a lot on forums: users asking for the default permissions on the virtual directories. In some troubleshooting cases we also found that wrong NTFS permissions or incorrect IIS authentication settings break Autodiscover, EWS, OAB or OWA/ECP, so for reference here they are (one block per virtual directory, NTFS ACL on the left, IIS authentication methods on the right):
NTFS permissions                                            IIS authentication
----------------------------------------------------------  ------------------
Authenticated Users (Read, Read & Execute)                  Basic, Windows
System (Full Control)
Administrators (Full Control)
----------------------------------------------------------  ------------------
Authenticated Users (Read)                                  Basic
System (Full Control)
Administrators (Full Control)
----------------------------------------------------------  ------------------
Authenticated Users (Read)                                  Windows
System (Full Control)
Administrators (Full Control)
----------------------------------------------------------  ------------------
Authenticated Users (Read)                                  Basic
System (Full Control)
Administrators (Full Control)
----------------------------------------------------------  ------------------
System (Full Control)                                       Windows
Organization Management (Traverse, Read & Execute,
  Read Attributes, Read Extended Attributes)
View-Only Organization Management (Traverse,
  Read & Execute, Read Attributes, Read Extended Attributes)
Administrators (Full Control)
IIS_IUSRS (Traverse, Read & Execute, Read Attributes,
  Read Extended Attributes)
----------------------------------------------------------  ------------------
Authenticated Users (Read)                                  Basic
System (Full Control)
Administrators (Full Control)
----------------------------------------------------------  ------------------
Authenticated Users (Read)                                  Basic, Windows
System (Full Control)
Administrators (Full Control)
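Reading the table is one thing; finding the drift on a server is another. The script below is an added example (not from the original post): it compares a virtual directory's NTFS ACL with the expected entries for the first row of the table and reports missing rights, explicit Deny entries and extra grants. The sample ACL is constructed; the live lines at the end assume a default Exchange 2010 install path and the IIS WebAdministration module.

```powershell
# Added example, not from the original post: compare a virtual directory's NTFS ACL
# against the expected entries from the table above. The sample ACL is constructed.
function Compare-AclToBaseline {
    param(
        [hashtable]$Expected,   # identity -> rights that must be granted
        [object[]]$Actual       # objects with Identity, Rights (as Get-Acl reports them) and Type (Allow/Deny)
    )
    $report = @()
    foreach ($id in $Expected.Keys) {
        $allowed = @($Actual | Where-Object { $_.Identity -eq $id -and $_.Type -eq 'Allow' })
        if ($allowed.Count -eq 0) { $report += "MISSING $id"; continue }
        $have = @($allowed | ForEach-Object { $_.Rights -split ',\s*' })
        if ($have -contains 'FullControl') { continue }   # FullControl implies every other right
        foreach ($right in $Expected[$id]) {
            if ($have -notcontains $right) { $report += "MISSING $id : $right" }
        }
    }
    foreach ($entry in $Actual) {
        # A Deny on any of these groups is the classic cause of a 401/403 on the directory
        if ($entry.Type -eq 'Deny') { $report += "DENY    $($entry.Identity) : $($entry.Rights)"; continue }
        if (-not $Expected.ContainsKey($entry.Identity)) { $report += "EXTRA   $($entry.Identity) : $($entry.Rights)" }
    }
    if ($report.Count -eq 0) { 'OK: ACL matches the baseline' } else { $report }
}

# Baseline for the first row of the table. Get-Acl reports "Read & Execute" as
# ReadAndExecute, which already includes Read.
$baseline = @{
    'NT AUTHORITY\Authenticated Users' = @('ReadAndExecute')
    'NT AUTHORITY\SYSTEM'              = @('FullControl')
    'BUILTIN\Administrators'           = @('FullControl')
}

# Constructed sample ACL: the baseline entries plus a stray Modify grant to Everyone,
# the kind of drift left behind when someone "fixes" a 401 by loosening NTFS rights
$sampleAcl = @(
    New-Object PSObject -Property @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute, Synchronize'; Type = 'Allow' }
    New-Object PSObject -Property @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl';                 Type = 'Allow' }
    New-Object PSObject -Property @{ Identity = 'BUILTIN\Administrators';           Rights = 'FullControl';                 Type = 'Allow' }
    New-Object PSObject -Property @{ Identity = 'Everyone';                         Rights = 'Modify, Synchronize';         Type = 'Allow' }
)
Compare-AclToBaseline -Expected $baseline -Actual $sampleAcl

# Live check (install path and IIS site name are assumptions for a default Exchange 2010 setup):
# $acl = Get-Acl 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa'
# $actual = $acl.Access | ForEach-Object {
#     New-Object PSObject -Property @{ Identity = $_.IdentityReference.Value
#                                      Rights   = $_.FileSystemRights.ToString()
#                                      Type     = $_.AccessControlType.ToString() } }
# Compare-AclToBaseline -Expected $baseline -Actual $actual
# Import-Module WebAdministration
# Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\owa' -Filter 'system.webServer/security/authentication/*' -Name enabled
```

On the sample the report is a single EXTRA line for Everyone. The last live line lists which IIS authentication modules are enabled on the directory, which is the second column of the table; compare it the same way, since an enabled Anonymous module on a directory that should only have Basic and Windows is as much a finding as a loosened ACL.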

Exchange 2010 AD Topology Service error DSC_E_NO_SUITABLE_CDC, Transport service not starting and setup cannot complete

As the title says, you might get the error DSC_E_NO_SUITABLE_CDC, and setup cannot continue because the Transport service never reaches the started state. If you get these errors, disable IPv6 in the registry (through the DisabledComponents value, not by unchecking IPv6 on the network adapter, which leaves the stack partly active). Here is how:
1. Click Start
, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
2. In the User Account Control dialog box, click Continue.
3. In Registry Editor, locate and then click the following registry subkey:
4. Double-click DisabledComponents to modify the DisabledComponents entry.

Note If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:
1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
2. Type DisabledComponents, and then press ENTER.
3. Double-click DisabledComponents.
5. Type any one of the following values to configure the IPv6 protocol, and then click OK:
1. Type 0 to enable all IPv6 components.

Note The value "0" is the default setting.
2. Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface. This value also configures Windows Vista to use Internet Protocol version 4 (IPv4) instead of IPv6 in prefix policies.

Wednesday, May 12, 2010

How to configure the WNLB multicast IP to be routable

As you all know, when you configure Microsoft WNLB in multicast mode the cluster IP is not routable from other segments or VLANs, so clients residing in different VLANs cannot reach the IP directly.

Some of you might have to run multicast NLB for one reason or another. Making it routable needs fairly advanced network people, but no fancy gear. Here are the general steps:
1- You need to be running PIM routing.
2- Configure a static ARP entry mapping the cluster's unicast IP to its multicast MAC on your layer 3 devices.
3- Configure a static mac-address-table entry on the interfaces where the servers are connected.
4- Disable IGMP snooping on the server VLAN.

Join Microsoft Egyptian Group (MEGG)

Today we are starting the MEGG,
As you all know there are a lot of Egyptian IT pros, and the community is growing, either virtually on blogs and forums or on an individual basis, with no real experience exchanged.

The idea started with creating a group dedicated to the Egyptian IT community, concentrating on Microsoft technology and other technologies as well, bringing the experience we all have into one place on a one-to-one basis.

The idea of MEGG is not to bring the usual IT experience; we are looking to bring the best Microsoft and IT gurus in Egypt to raise the community's awareness, not only online but also offline, delivering sessions and conferences, bringing the latest technologies in house and exchanging experiences in the Egyptian community.

We are bringing several technology experts who will be speaking about Microsoft and IT technology in general, including Microsoft officials, MVPs, expert consultants and IT geeks.

You can join our page on Facebook here: and find out more about the upcoming events and conferences.

More details will be sent to you once you subscribe; please join us, it will be an amazing experience. Feel free to forward this to people who might be interested.

Tuesday, May 11, 2010

Check Point replaced by a Forefront TMG 2010 appliance - solution by a Forefront TMG business partner


Oilfield Services

The Solution

SecureGUARD TMG950 appliance based on Microsoft Forefront Threat Management Gateway 2010 (TMG)

The Microsoft security solution has been expanded by adding the partner's convenient management and support functionalities and deeply integrating them into the customer's Microsoft infrastructure.

The Challenge

VAOS Ltd. is a company which specializes in oilfield projects in the inaccessible desert regions of the Sahara. The company headquarters are in Malta and there are branch offices in Linz (Austria) and Libya. A number of smaller branches are also connected. These are mainly located in the middle of the desert, so extreme demands are made on the IT infrastructure too: besides the high temperatures of up to 58° C, there are long distances of hundreds of kilometres between branches and there is no reliable electricity supply or telephone or Internet connection.

At all locations, the old solution was to be completely replaced on the basis of Check Point. The small locations were to be connected by satellite.

The central administration of the entire solution from the technical location Linz was a very important focus, i.e. implementation of access to distributed Microsoft systems, a distributed Active Directory with 4 domain controllers at four different locations, a distributed Microsoft Exchange mail system with four mail servers, distributed update (Microsoft WSUS) and client deployment (Microsoft Windows Deployment Server) infrastructure at four locations.

A VoIP telephone connection to all branches via site-to-site VPN was also asked for, as well as access to the SAP applications (including access from the outside).

Of course, IT security had to be guaranteed throughout all connections at all locations.

The Technical Solution

The technical solution was implemented via the security software Forefront Threat Management Gateway 2010 (TMG) from Microsoft integrated into a SecureGUARD TMG950 appliance, which supplements and expands the former by adding management and support functionalities.

At the IT headquarters in Linz, a virtualized Microsoft Enterprise Management Server (EMS) has now been installed in addition to a cluster with two nodes. Two SecureGUARD TMG950 appliances are used for the two nodes. The other two large locations at Portomaso and Tripoli are both connected via a TMG950 appliance. The SecureGUARD Starter Edition was sufficient for the smaller locations with their small numbers of users: this is an economical alternative allowing locations with only a few users to be connected as it uses a modified version of the TMG Workgroup Edition. The price is very reasonable due to the limitation to 25 simultaneous users.

All branches are connected via site-to-site VPN and are administered centrally from Linz. This is made possible by the "Branch Office Deployment" function of SecureGUARD appliance management in conjunction with the new functionality of the Microsoft Enterprise Management Server in Linz, which permits the central administration of the Standard or Workgroup Edition.

The SecureGUARD programmers ensured the communication of customers and suppliers via the enterprise software SAP by using a self-developed NAT driver specially designed for Microsoft TMG 2010. Comprehensive enterprise security is provided by the functionalities of the new Microsoft Threat Management Gateway 2010: firewall, antivirus scanning, URL filtering and HTTPS inspection protect all branches.

The Result

The new security functions of the TMG allow the entire administration of the customer to be carried out from one location. Downtimes are minimized as a result of the improved disaster recovery, in which Microsoft integrates a firewall as well as malware and content protection into one unit. On the part of VAOS, this saves personnel resources and a considerable amount of time during operation, thus reducing the costs required for implementing IT security. The functionalities of the SecureGUARD Appliance Management System and of the wizards such as the Branch Office Deployment Wizard guarantee faster software roll-out.

Company Profile

SecureGUARD GmbH has its headquarters in Linz and is a leading Austrian manufacturer of high-quality integrated security solutions. All units, from small low-maintenance and low-noise branch office units to redundantly equipped high-performance units with 8 CPU cores, have the same SecureGUARD functionality. As a Microsoft Gold Certified Partner, SecureGUARD is intensively involved in the development of the Microsoft Forefront Threat Management Gateway (TMG) and the Microsoft Forefront Unified Access Gateway (UAG). With the Microsoft-certified SecureGUARD appliance for Microsoft TMG 2010 and UAG 2010, SecureGUARD combines hardware, software and support to form a high-quality security solution which can be used in particular in homogeneous Microsoft environments with central authentication.

For more information, please go to:

Author:
Helmut Otto, CEO SecureGUARD GmbH


FW: CRITICAL UPDATE - Exchange 2010 Address List Segregation and Current Support Stances


Feed: Dgoldman's WebLog
Posted on: Monday, May 10, 2010 8:38 PM
Author: dgoldman
Subject: CRITICAL UPDATE - Exchange 2010 Address List Segregation and Current Support Stances


Back on Wednesday, [January 06, 2010] I published the following blog: Exchange 2010 Address List Segregation – Update. In this blog I made the following statement: "I think you will be happy to know that I am towards the end of wrapping up the Exchange 2010 Address List Segregation white paper. I will post another update as soon as we are finished with the editing and when it will be posted.". After working with development we agreed to post this blog to state a few things:

  1. We all know and agree that many customers are looking for this whitepaper to be completed. This *IS* a top priority for us, however this is going to take some time to complete.
  2. There is *NO* guarantee that the whitepaper will be completed by the release of SP1 for Exchange 2010 which is targeted for the 2nd half of the 2010 calendar year.

I need to mention the support stances here.

  1. There is *NO* support for Exchange 2003 address list segregation.
  2. There is *NO* supported upgrade path from Exchange 2003 address list segregation to anything.
  3. If you have a mixed organization (Exchange 2003 and Exchange 2007) you must have everything on Exchange 2007 for you to be in a supported configuration. For more information on this please see this blog: This blog clearly defines the support stance and what needs to be done to migrate.
  4. There *IS* support for a native organization using Exchange 2007 and address list segregation if you have followed my white paper.
  5. There is *NO* supported upgrade path from Exchange 2007 using Address List Segregation to Exchange 2010 using Address List Segregation.
  6. If you are using the 2007 address list segregation whitepaper to host customers and you run in to a problem, you will be told that you are using an unsupported configuration. At this point you will need to remove the address list segregation in order to receive support. This is documented in the 2007 Address List Segregation whitepaper

"It is also important to understand that any attempt to use this whitepaper to configure Exchange 2007 for a commercial "hosting" solution is not supported. This whitepaper is not a replacement for the Microsoft HMC (Hosting and Collaboration) software. The information that is provided in this whitepaper is meant for internal segregation use only."

If you are planning on using Exchange 2010 and you currently have Exchange 2007 using Address List segregation *YOU MUST* remove all address list segregation from your organization to avoid running into the bug that we are currently working on at this time. PLEASE HEED THIS WARNING!!

In order to revert your organization back to a default exchange installation permission set you can follow this blog: and

I mentioned that I would speak about the nature of this problem. Due to the architectural changes in Exchange 2010, Address Book queries are performed in a different way than we did in prior versions of Exchange. I am not going to explain this in full, however you can view this blog for those new component changes:

The problem that I ran in to was that if you already had the deny permission set on the default global address list from using the 2007 Address List segregation white paper and you have installed Exchange 2010 the exchange server will not have the ability to read the default global address list. At this point the default global address list object would be removed from all of the objects showInAddressList attribute. Here is what happens once this occurs:

  1. Users will start missing from the default global address list
  2. Users in their respective companies will no longer show up in that companies global address list
  3. Users can show up in another companies global address list
  4. Outlook users crash upon logging in to their mailbox

Your only option to fix this

  1. Keep your Exchange 2010 servers intact.
  2. You will need to reset the ACL's on the default global address list. This means you will need to reapply the 'Read' and 'Open Address List' for the Authenticated Users group.
  3. You will need to open up powershell and run the following command "update-globaladdresslist"
  4. Run Get-Mailbox | set-mailbox -ApplyMandatoryAttributes

WARNING: In the event that this does not fix it for any objects in your organization this becomes a manual fix from here. You will need to look up the object that is still having a problem using ADSIEdit.msc and look at the showInAddressList attribute. You will need to add the legacyExchangeDN for the default global address list and this will fix the problem for that object.

NOTICE: This blog has been approved by the Microsoft Exchange Product Group.



Exchange 2010 DAG and Hyper-v Cluster supportability statement - Supported but how

We have all been taught that an Exchange 2010 DAG cannot be installed on a Hyper-V cluster or an ESX cluster (generally, on any hypervisor clustering). This statement is correct, but not entirely true.
The correct statement is that installing an Exchange 2010 DAG on hypervisor clustering is unsupported only when you configure the VM that hosts Exchange as a highly available machine, i.e. when the VM's high availability is controlled by the hypervisor cluster.

If you install Hyper-V or ESX clustering, you can install an Exchange 2010 DAG normally on a VM hosted on any single host of the hypervisor cluster, as long as that VM is not highly available from the hypervisor's point of view, meaning you cannot move it using Live Migration or VMotion.
So you can install the DAG on a VM on your hypervisor cluster's physical servers normally: don't make the VM highly available, size the IOPS and memory, and you are fine.
Hope this helps you in your virtualization and Exchange project.

Monday, May 10, 2010

Cannot import or edit a certificate in Exchange 2010 - access is denied

When you try to import, edit or modify a certificate using PowerShell or the EMC you might get the error:
(PID 980, Thread 10) Task Get-ExchangeCertificate writing error when processing record of index 0. Error: Microsoft.Exchange.Data.Common.LocalizedException: The Exchange Certificate operation has failed with an exception. The error message is: Access is denied ---> System.ComponentModel.Win32Exception: Access is denied
--- End of inner exception stack trace ---
To fix this issue make sure that:
- the Exchange Trusted Subsystem group is nested in the local Administrators group on all your CAS/HT boxes;
- the Exchange servers are members of that group.
Then restart the servers after any modification to group membership: the server's logon token is built at startup, so the new membership is not picked up until then.

Exchange 2010 Topology Service doesn't discover the newly installed domain controller

Consider this scenario: you have an Exchange server and a couple of DCs, and you want to remove one of them to replace it with new hardware. You install the new domain controller and it works normally; then you shut down the old DC, but Exchange keeps connecting to the old DC.
If you have a single DC you might get a warning that the AD Topology service cannot connect to any available domain controllers. How to debug that:
First run dcdiag to validate your DCs (netdiag as well if you are running Windows 2003).
Make sure that the domain controllers replicate correctly with each other.
Validate that the Exchange topology service discovers the new DC: restart the Microsoft Exchange Active Directory Topology service and look for the event that lists the discovered domain controllers.
Run setup /PrepareDomain to republish the permissions and ACLs, and try again.

Sunday, May 9, 2010

Exchange 2010 mailbox database in a DAG, error: content index catalog files in the following state: 'Failed'.

When you try to move the active copy from one mailbox server to another you get this error:

Microsoft Exchange Error
Cannot activate database copy 'Activate Database Copy...'.

Activate Database Copy...
An Active Manager operation failed. Error: The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'DB Name' on server 'servername' has content index catalog files in the following state: 'Failed'.

To resolve it:
1. Restart the Microsoft Exchange Search Indexer service (MSExchangeSearch) on the server that holds the active copy.
2. Run Update-MailboxDatabaseCopy -Identity 'DB Name\servername' -CatalogOnly against the passive copy, which reseeds only its catalog from the active copy.
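Active Manager runs this catalog check for every activation, so it pays to find failed catalogs before a switchover rather than during one. The script below is an added example (not from the original post): it walks a set of copy status objects, flags every copy whose ContentIndexState is not Healthy or whose copy Status is neither Mounted nor Healthy, and prints the two remediation steps from the post for each. The status objects are constructed to look like Get-MailboxDatabaseCopyStatus output; the live line at the end runs it across all databases.

```powershell
# Added example, not from the original post: list DAG copies that would fail the
# activation check above and print the remediation for each. The status objects
# below are constructed to look like Get-MailboxDatabaseCopyStatus output.
function Find-CopiesBlockingActivation {
    param([object[]]$CopyStatus)
    foreach ($copy in $CopyStatus) {
        $reasons = @()
        $fix = @()
        if ($copy.ContentIndexState -ne 'Healthy') {
            $reasons += "ContentIndexState=$($copy.ContentIndexState)"
            # Same two steps as in the post: bounce search on the active side, then reseed the catalog only
            $fix += "Restart-Service MSExchangeSearch (on the server holding the active copy)"
            $fix += "Update-MailboxDatabaseCopy -Identity '$($copy.Name)' -CatalogOnly"
        }
        if (@('Mounted', 'Healthy') -notcontains $copy.Status) {
            $reasons += "Status=$($copy.Status)"
            $fix += "Investigate the copy state before activating: Get-MailboxDatabaseCopyStatus '$($copy.Name)' | fl"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Name    = $copy.Name
                Reasons = ($reasons -join '; ')
                Fix     = ($fix -join '; ')
            }
        }
    }
}

# Constructed sample: DB01 is active on MBX01 and its passive copy on MBX02 has a failed catalog
$sampleStatus = @(
    New-Object PSObject -Property @{ Name = 'DB01\MBX01'; Status = 'Mounted'; ContentIndexState = 'Healthy' }
    New-Object PSObject -Property @{ Name = 'DB01\MBX02'; Status = 'Healthy'; ContentIndexState = 'Failed' }
    New-Object PSObject -Property @{ Name = 'DB02\MBX02'; Status = 'Healthy'; ContentIndexState = 'Healthy' }
)
Find-CopiesBlockingActivation -CopyStatus $sampleStatus | Format-List Name, Reasons, Fix

# Live run in the Exchange Management Shell, across every copy of every database:
# Find-CopiesBlockingActivation -CopyStatus (Get-MailboxDatabase | Get-MailboxDatabaseCopyStatus) | Format-List
```

On the sample only DB01\MBX02 is reported. If you are in the middle of an outage and cannot wait for the catalog reseed, Move-ActiveMailboxDatabase has a -SkipClientExperienceChecks switch that bypasses the content index check; users on that copy lose search until the catalog is rebuilt, so treat it as a stopgap and still run the reseed afterwards.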

DAG installation logs

If you are installing the DAG and you get errors during the installation, or the setup cannot complete because of a failed service or something similar, check c:\exchangesetuplog\dagtasks for the logs related to the DAG installation; going through them will help you pinpoint the problem. Nice logs, by the way.

Understanding VLV

Many of you pinged me about the VLV thing; actually it was a new concept for me too. After a little searching I found this amazing link:
VLV (virtual list view) is basically a mechanism for retrieving data for a VLV-aware application and pre-staging it in a view, rather than having the server commit a full LDAP query to AD every time.
Exchange uses VLV to retrieve objects from Active Directory. VLV must be enabled because objects created with Exchange 2003/2007 are not stamped with the new attribute after the Exchange 2010 installation.

Friday, May 7, 2010

Exchange 2010 and VLV

An interesting note for those who might miss it:
Install Exchange 2010 in an Existing Exchange 2003 Organization: Exchange 2010 Help: "Exchange 2010 now creates system address lists in a new container. Recipients created or modified using Exchange 2003 or Exchange 2007 management tools won’t be stamped with these system address lists. As a result, they won’t be seen by the Get-Recipient cmdlet.
To fix this issue, you must enable Active Directory virtual list view (VLV). After you have completed the upgrade of an existing Exchange 2003 organization to Exchange 2010 and have decommissioned your Exchange 2003 servers, you must enable Active Directory VLV. To enable VLV for Exchange 2010, run the Enable-AddressListPaging cmdlet. For more information, see Enable-AddressListPaging."

Wednesday, May 5, 2010

Error when you try to reconnect a disconnected mailbox in Exchange 2007

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00

User name

Property ManagedFolderMailboxPolicy can't be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. The object's current version is 0.0 (6.5.6500.0).

To solve this issue, run the following cmdlet:
Set-Mailbox user -ApplyMandatoryProperties
and try again.

Hyper-V on Windows 2008 R2: read and write is very slow and copy operations are extremely slow

I was working on a Windows 2008 R2 Hyper-V deployment, using 2 HP DL380 G6 servers with 16 GB of memory and an HP MSA 2000. After setting up the Hyper-V cluster and installing the VMs, I noticed that copy and read/write operations against the SAN were very slow, and boot time took about 2-3 minutes to complete.
A little troubleshooting led me nowhere: HBA drivers were updated, everything was OK. More debugging led me to the following:
To fix this issue you will need to open the MSA 2000 web admin, go to Manage, Configuration, Disks, and then to the read configuration as I recall, and change the mode from standard to super sequential. Once done, everything worked fine and performance was as expected.

really tricky one.

Sunday, May 2, 2010

Exchange 2007/2010 web services and Autodiscover ultimate troubleshooting guide

Hi. During my online activities I can see that Exchange 2007/2010 web services are causing a lot of issues for people, and lots are suffering from them.

I decided to put together this ultimate guide to spare you the hassle and allow a smoother and nicer web services experience.

Well, let us first list the virtual directories that make up the Exchange web services:

- EWS is used for OOF, the Scheduling Assistant and free/busy lookup.

- OAB provides offline address book download services for clients.

- Autodiscover provides users with the Autodiscover service.

- EAS provides ActiveSync services to Windows Mobile based devices.

- OWA provides Outlook Web Access for users.

- ECP provides the Exchange Control Panel feature, for Exchange 2010 users only.

Issues that might be resolved using the troubleshooting steps here:

- You cannot set the OOF using the Outlook client; you receive a "server not available" error.

- You cannot view free/busy information for other users.

- You cannot use the Scheduling Assistant; you might also receive a "no free/busy information could be retrieved" message.

- You receive errors when downloading the Offline Address Book.

- You cannot use Autodiscover externally.

- Certificate mismatch error in Autodiscover; users are prompted to trust the certificate in Outlook 2007/2010.

I will update this post to include all of the errors that I face and solve in my work or on EE, to help experts all over EE quickly solve their issues.

First, let us start with the configuration required after an Exchange 2007/2010 installation for the above to work correctly:

- Configure the External and Internal URLs for OWA, ref:

o   You have to configure the internal URL to be the server name in case you have multiple servers in NLB.

o   The External URL will be the URL used by users to access webmail, e.g.

o   With multiple CAS servers this will be the NLB FQDN.

- Configure the External and Internal URLs for OAB, ref:

o   If multiple CAS servers are used, this will point to the NLB FQDN.

o   If a single server is used, the internal URL will point to the internal server FQDN, and the external URL to the one used by webmail users.

- Configure the Autodiscover internal URL:

o   Use the PowerShell cmdlet: Set-ClientAccessServer -Identity <CAS Server Name> -AutoDiscoverServiceInternalUri:<Internal URL>. This FQDN must match a name included in the certificate.

o   If you cannot use it internally (you have a domain name of domain.local and you must use it), you will get a certificate mismatch error; you will have to include the internal name in the certificate if you purchase an external certificate.

o   If you have multiple CAS servers in NLB, this will be the NLB FQDN.

o   You cannot set an Autodiscover external URL, since Outlook will try to access it on its own; this behavior is by design and cannot be changed.

o   It must be included in the certificate that you assign to IIS if you purchase a certificate externally from a 3rd-party provider.

- Configure the EAS internal and External URLs, ref:

o   This URL will point to the NLB FQDN internally.

o   This URL will point to the NLB FQDN externally.

- Configure the EWS (which provides availability and OOF) internal and external URLs:

o   You can set the internal FQDN and external FQDN using: Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl: https://url.domain.local/EWS/Exchange.asmx -ExternalUrl:
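As an added example (not from the original post), the URL settings above collected into one Exchange Management Shell pass for a single CAS server. The server name and both FQDNs are placeholders; the internal FQDN is the NLB name when several CAS servers are load balanced, or the server FQDN for a single server, and the external FQDN must be on the certificate assigned to IIS.

```powershell
# Added example: configure internal/external URLs for every Client Access
# virtual directory on one CAS server. All three values are placeholders.
$Cas          = "CAS01"                  # CAS server being configured
$InternalFqdn = "cas-nlb.domain.local"   # NLB FQDN, or server FQDN if single CAS
$ExternalFqdn = "webmail.example.com"    # name webmail users type; must be on the cert

$internal = "https://$InternalFqdn"
$external = "https://$ExternalFqdn"

# OWA, plus ECP where it exists (Exchange 2010 only)
Get-OwaVirtualDirectory -Server $Cas |
    Set-OwaVirtualDirectory -InternalUrl "$internal/owa" -ExternalUrl "$external/owa"
if (Get-Command Get-EcpVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-EcpVirtualDirectory -Server $Cas |
        Set-EcpVirtualDirectory -InternalUrl "$internal/ecp" -ExternalUrl "$external/ecp"
}

# OAB download
Get-OabVirtualDirectory -Server $Cas |
    Set-OabVirtualDirectory -InternalUrl "$internal/OAB" -ExternalUrl "$external/OAB"

# ActiveSync (EAS)
Get-ActiveSyncVirtualDirectory -Server $Cas |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$internal/Microsoft-Server-ActiveSync" `
                                   -ExternalUrl "$external/Microsoft-Server-ActiveSync"

# EWS (availability, OOF)
Get-WebServicesVirtualDirectory -Server $Cas |
    Set-WebServicesVirtualDirectory -InternalUrl "$internal/EWS/Exchange.asmx" `
                                    -ExternalUrl "$external/EWS/Exchange.asmx"

# Autodiscover: only the internal SCP URI is set, as the post explains there is
# no external URL to configure. This name must also be on the IIS certificate.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$InternalFqdn/Autodiscover/Autodiscover.xml"

# Review the result before testing from a client
Get-WebServicesVirtualDirectory -Server $Cas | Format-List Identity, InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $Cas | Format-List Name, AutoDiscoverServiceInternalUri
```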

After all of the above settings, take the following notes into consideration:

- All of the above use HTTPS, so an SSL certificate must be configured and assigned to IIS on the CAS servers.

- Since all of the above use HTTPS, if you have a proxy in the path, traffic might be affected.

- Make sure that clients can access the URLs internally and externally; you can do that by browsing to the above URLs with IE or Firefox and validating that you can reach them.

- For some people, after doing the above configuration you still receive errors, so make sure of the following:

o   IIS is started.

o   The OWA, OAB and EWS application pools are running and started with no errors.

o   If you receive an authentication error, error 500 service not available, error 400 login timeout, or an unspecified error, you will need to rebuild your virtual directories. You can do that as follows:

§  For OWA:

·         Get-OwaVirtualDirectory | Remove-OwaVirtualDirectory

·         New-OwaVirtualDirectory

·         You can repeat this step for EWS (WebServicesVirtualDirectory), OAB (OabVirtualDirectory) and Autodiscover (AutodiscoverVirtualDirectory).

·         Note that you will need to re-configure any customizations you made to OWA after removing and recreating it; you will also have to redo any internal and external URL configuration you did in the past.
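The "make sure clients can access the URLs" note and the certificate mismatch prompt in Outlook both come down to the same check: every configured URL must be reachable over HTTPS and its host name must appear on the certificate IIS presents. As an added example (not from the original post), this script pulls the URLs from the virtual directories and the Autodiscover SCP and performs that check from a CAS server; the server name is a placeholder.

```powershell
# Added example: reach each configured URL over TLS and compare its host name
# with the names on the certificate IIS presents. $Cas is a placeholder.
$Cas = "CAS01"

$urls = @()
$urls += Get-OwaVirtualDirectory         -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory         -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory  -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri

foreach ($u in ($urls | Where-Object { $_ } | ForEach-Object { "$_" } | Select-Object -Unique)) {
    $uri = [Uri]$u
    if ($uri.Scheme -ne "https") { Write-Warning "$u is not HTTPS"; continue }
    try {
        $tcp = New-Object Net.Sockets.TcpClient($uri.Host, $uri.Port)
        # The callback accepts any chain so the certificate can be inspected here;
        # this is a diagnostic, not a trust decision.
        $cb  = [Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Collect the subject CN plus every Subject Alternative Name (OID 2.5.29.17)
        $names = @($cert.GetNameInfo("SimpleName", $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if ($san) {
            $names += $san.Format($false) -split ", " | ForEach-Object { ($_ -split "=")[1] }
        }
        # -like makes a "*.example.com" entry act as a wildcard; plain names match exactly
        $match = $names | Where-Object { $uri.Host -like $_ }
        $state = if ($match) { "OK" } else { "MISMATCH" }
        "{0,-70} {1,-8} cert names: {2}" -f $u, $state, ($names -join ",")

        $ssl.Dispose(); $tcp.Close()
    } catch {
        "{0,-70} UNREACHABLE: {1}" -f $u, $_.Exception.Message
    }
}
```

A MISMATCH line for the internal FQDN is the domain.local case described above: that name has to be added to the certificate, or the internal URLs changed to a name that is on it.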

I hope this post helped you; it will be updated to include all of the issues we solve, to give you the smoothest Exchange experience.