Category Archives: MS Windows server

SBS 2011 – Import PST in Exchange 2011

To enable import and export of mailboxes on SBS 2011 you need to:

Go to the Windows SBS console and create a security group; it should be universal (the default), for example: Mailbox management

Add the administrator / admin account to the group

Then you need to enable the "import / export" feature for members of this group. To do that, open the Exchange Management Shell (PowerShell with the Exchange 2010 modules) as administrator and type:

New-ManagementRoleAssignment -Name "Import Export Mailbox Admins" -SecurityGroup "Mailbox management" -Role "Mailbox Import Export"

After that you can follow my article to import or export mailboxes.
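The same three steps done from the Exchange Management Shell on the SBS 2011 server, followed by a check of who actually ends up holding the role. This is an added example, not code from the original post; the group name "Mailbox management" and the member "administrator" are placeholders for your own values.

```powershell
# Added example (not from the original post): the same three steps from the Exchange
# Management Shell on the SBS 2011 server, plus a check of who ends up holding the role.
# Assumptions: "Mailbox management" and "administrator" stand in for your own group and account.
Import-Module ActiveDirectory      # the AD cmdlets ship with the domain controller role on SBS 2011

$groupName  = 'Mailbox management'
$members    = @('administrator')
$roleName   = 'Mailbox Import Export'
$assignment = 'Import Export Mailbox Admins'

# 1. Universal security group (the SBS console creates the same thing through its wizard).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security
}

# 2. Accounts allowed to import and export mailboxes.
Add-ADGroupMember -Identity $groupName -Members $members

# 3. Role assignment, created only once so re-running the script stays harmless.
if (-not (Get-ManagementRoleAssignment -RoleAssignee $groupName -Role $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Name $assignment -SecurityGroup $groupName -Role $roleName
}

# 4. Audit: everyone who effectively holds the role can export (and so read) any mailbox,
#    so this list should stay short and be reviewed from time to time.
Get-ManagementRoleAssignment -Role $roleName -GetEffectiveUsers |
    Select-Object RoleAssigneeName, EffectiveUserName, AssignmentMethod |
    Format-Table -AutoSize
```

A new role assignment is only picked up by new Exchange Management Shell sessions, so close and reopen the shell before running the import or export cmdlets.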

Sinergija 2010 q&a 2 – sbs 2008 / sbs 7 – tips and tricks

Here are the answers to the questions we were discussing in my session at Sinergija 2010

Wsus and port question:
http://www.wsus.info/index.php?showtopic=10906
http://www.wsuswiki.com/WSUSServerFAQ

Console crash reasons?
http://blogs.technet.com/b/sbs/archive/2009/03/12/sbs-console-crashes-when-duplicate-entries-from-av-products-are-written-into-security-center.aspx

Migration? Check this out:
http://www.sbsmigration.com/

Backup solutions for SBS 2008 – we had a presentation at the Slovenian Small Business Specialists Community (SI); try this one…
http://www.backupassist.com/index.html

SBS 2008 / Exchange 2007 remote.company.com and TLS…

Everyone who has ever installed SBS 2008 has encountered the wizard that creates the certificate and the remote workplace, by default called remote.company.com (yes, you can choose other prefixes, but let's say I like remote because it is easy for my users to remember…).
The SBS wizard generates a certificate for this host name and uses it for all services (Outlook Web Access, ActiveSync and also the SMTP receive and send connectors…).
The problem starts when you want to rename your SMTP receive and send connectors to match the records in DNS. It is best practice for the SMTP greeting to match the DNS records: for example, if you have the domain company.com, an A host record called mail.company.com and an MX record pointing to mail.company.com, then I suggest you follow this rule and set the SMTP greeting (the FQDN of the SMTP connectors) to mail.company.com.

You can rename your connectors however you want using the Exchange Management Console, but you will lose TLS for SMTP traffic, because the remote.company.com certificate does not match the FQDN or SMTP greeting of a connector that advertises mail.company.com. You will also get an error in the Event log saying:

Microsoft Exchange could not find a certificate that contains the domain name mail.company.com in the personal store on the local computer…

Ok, what can we do now?

Well, turn on the Exchange Management Shell (that is PowerShell with the Exchange 2007 management modules; you can find it in the Start menu). First of all we want to see the current Exchange certificates that are enabled for Exchange services, using the cmdlet:

[PS] C:\Windows\System32>Get-ExchangeCertificate

and you will receive something like this:

Thumbprint                                Services   Subject
----------------------------------------  --------   -------
45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4  IP.WS      CN=remote.company.com
42F146B12BEF918A6A8FC730F5AA87AC4ACB1CEB  IP..S      CN=remote.company.com
817F1311CB72FB70F962EC0FAD2D8FA857F114A4  ....S      CN=sbssrv01.company.local
4BAAC7906689AFF0129767CF492AAE058B5DF494  ....S      CN=Sites
8F1D9C5FEB6EF0C39F25175AFBDEA54FE9668EF9  .....      CN=xxxxxx-xxxxxxxx-CA
8E4F33523325500F38ECF41FCDFBBE684AFC6145  .....      CN=WMSvc-WIN-K7KGUV5MQ40
 
Now we should create a new certificate that we will use for the SMTP connectors, using the cmdlet:

New-ExchangeCertificate -domainname mail.company.com -PrivateKeyExportable:1

Warning! When you are asked whether you want to overwrite certificates, choose No!

Confirm
Overwrite existing default SMTP certificate,
'45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4' (expires 14.1.2012 22:37:04), with
certificate '59D62E7850EE4093AFF1EC73E2623D52058C2B35' (expires 27.1.2015
17:09:02)?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"): N

so we get this output:

Thumbprint                                Services   Subject
----------------------------------------  --------   -------
59D62E7850EE4093AFF1EC73E2623D52058C2B35  .....      CN=mail.company.com
 
Great! If we want to be sure that everything is working correctly and that the Exchange SMTP service is using our new certificate, we can use the cmdlet:

[PS] C:\Windows\System32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------------------------------------  --------   -------
59D62E7850EE4093AFF1EC73E2623D52058C2B35  ....S      CN=mail.company.com
45EEEB44DF4BFE2EB1B7A7592EA1DF5BF93F44B4  IP.WS      CN=remote.company.com
42F146B12BEF918A6A8FC730F5AA87AC4ACB1CEB  IP..S      CN=remote.company.com
817F1311CB72FB70F962EC0FAD2D8FA857F114A4  ....S      CN=sbssrv01.company.local
4BAAC7906689AFF0129767CF492AAE058B5DF494  ....S      CN=Sites
8F1D9C5FEB6EF0C39F25175AFBDEA54FE9668EF9  .....      CN=xxxxxxxxxxx-xxxxxxxxxxxx01-CA
8E4F33523325500F38ECF41FCDFBBE684AFC6145  .....      CN=WMSvc-WIN-K7KGUV5MQ40
We can now see that SMTP is enabled on the new certificate as well as the existing ones (the S in the Services column denotes the SMTP service).

Ok… How can you test that TLS works?

You can try it with the telnet client and connect to your server:

telnet mail.company.com 25

Exchange should respond with something like:

220 mail.company.com Microsoft ESMTP MAIL Service ready at Wed, 27 Jan 2010 17:12:09 +0100

then you can write:

helo test.blablabla.com

220 mail.company.com Microsoft ESMTP MAIL Service ready at Wed, 27 Jan 2010 17:13:07 +0100
helo test.blablabla.si
250 mail.xxxxxxxxxxxxxxxx.si Hello [xxx.xxx.xxxx.xxx]

after that enter the command:

starttls

and the server should respond:

220 2.0.0 SMTP server ready

Server ready? Super! 🙂

PS.
If you missed something you will receive an error from the server saying:

starttls
500 5.3.3 Unrecognized command

If you get that? Read this tutorial again 🙂

PS. PS. You do not need to restart anything when you apply these commands… No need to restart the Exchange services…

Special thanks to Saso Erdeljanov for some hints about this issue…
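The telnet test above shows that STARTTLS is accepted, but not which certificate the connector actually hands out. The script below is an added example (not from the original post) that does the same exchange from a client and also reports the certificate's names, so you can confirm it is the mail.company.com certificate and not the remote.company.com one; mail.company.com and tlscheck.example.net are placeholders.

```powershell
# Added example (not from the original post). Run it from any Windows machine that
# can reach port 25: it sends EHLO and STARTTLS to the connector, then reports which
# certificate the server presented and whether its name matches the host you dialled.
# mail.company.com and tlscheck.example.net are placeholders.
function Test-SmtpStartTls {
    param([string]$Server, [int]$Port = 25, [string]$HeloName = 'tlscheck.example.net')
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # One SMTP reply may span several "250-..." lines; the final line uses "250 ".
    function Read-Reply {
        $lines = @()
        do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
        return $lines
    }
    $result = New-Object PSObject -Property @{
        Server = $Server; Banner = (Read-Reply)[-1]; StartTls = $false
        Subject = $null; Names = @(); NameMatches = $false; ChainTrusted = $false
    }
    try {
        $writer.WriteLine("EHLO $HeloName")          # EHLO makes the server list its extensions
        if (-not ((Read-Reply) -match '^250[ -]STARTTLS')) { return $result }
        $writer.WriteLine('STARTTLS')
        if ((Read-Reply)[-1] -notmatch '^220') { return $result }
        $result.StartTls = $true
        # Accept any certificate here so a self-signed one can still be inspected;
        # chain trust is reported separately below rather than enforced.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $names = @($cert.GetNameInfo('SimpleName', $false))        # subject CN
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
        $result.Subject      = $cert.Subject
        $result.Names        = @($names | Select-Object -Unique)
        $result.NameMatches  = [bool]($result.Names -contains $Server)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainTrusted = $chain.Build($cert)
        $ssl.Close()
    } finally { $client.Close() }
    return $result
}

Test-SmtpStartTls -Server 'mail.company.com'
```

NameMatches tells you whether the connector presents the certificate for the name it advertises; ChainTrusted will be false for the self-signed certificate New-ExchangeCertificate creates, which is expected until you replace it with one from a CA.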

Exchange 2007 / 2010 – remove headers

If you are using Windows Server 2008 SBS, Exchange 2007 or Exchange 2010, your outgoing e-mail also carries mail headers that (I think) you would not like to "share" with the external world:

Received: from mail.server.si (xxx.xxx.xxx.xxx) by mail.server2.si
 (172.31.200.2) with Microsoft SMTP Server (TLS) id 8.2.247.2; Wed, 19 May
 2010 13:08:47 +0200
Received: from SRVEXCH01.domain.local ([10.11.12.2]) by SRVEXCH01.domain.local
 ([10.11.12.2]) with mapi; Wed, 19 May 2010 13:08:02 +0200
From: xxxxx xxxxx xxxxx@xxxxx
To: =?iso-8859-2?Q?xxxxx_xxxxx=E6_=28xxxxx=xxxxx=2Exxxxx=29?=
 <xxxxx@xxxxx>
Return-Receipt-To: xxxxx@xxxxx
Date: Wed, 19 May 2010 13:08:00 +0200
Subject: xxxxx
Thread-Topic: xxxxx
Thread-Index: Acr3Q4r6dSBNnU37R9ypBLYy8PMzcA==
Message-ID: <13204AAD07BCDD4EB69C3367FF1783A9124C065BB2@SRVEXCH01.domain.local>
Accept-Language: sl-SI
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: sl-SI
Content-Type: multipart/alternative;
 boundary="_000_13204AAD07BCDD4EB69C3367FF1783A9124C065BB2_"
MIME-Version: 1.0
Return-Path: xxxxx@xxxxx
X-MS-Exchange-Organization-PRD: xxxxx.si
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (xxxxx.xxxxx.xxxxx: domain of xxxxx@xxxxx
 designates xxx.xxx.xxx.xxx as permitted sender) receiver=xxxxx.xxxxx.local;
 client-ip=xxx.xxx.xxx.xxx; helo=mail.xxxxx.si;
X-MS-Exchange-Organization-SCL: 1
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.8917.498;SV:3.3.8919.449;SID:SenderIDStatus Pass;OrigIP:xxx.xxx.xxx.xxx

If you want to remove this stuff, create a Hub Transport rule:

Open the Microsoft Exchange Management Console and navigate to:

Microsoft Exchange > Organization Configuration > Hub Transport > Transport Rules

Right-click, select New Transport Rule, name it "Remove headers" and click Next.

Choose "From users inside or outside the organization", select Inside and click Next. Then choose "Remove header", enter Received as the message header and click Next twice…

You are done… The headers will not be sent any more to users outside the organization…
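The same rule created from the Exchange Management Shell, followed by a small check you can run on a message received outside the organization to see which headers still give away internal hosts. This is an added example, not from the original post; it uses the Exchange 2010 parameter syntax of New-TransportRule (Exchange 2007 builds rules from predicate/action objects instead), and the sample headers are constructed.

```powershell
# Added example (not from the original post). First the same rule created from the
# Exchange Management Shell (Exchange 2010 parameter syntax; Exchange 2007 builds rules
# from predicate/action objects instead), then a check to run on a message received
# outside the organisation, to confirm nothing internal is still in its headers.
if (-not (Get-TransportRule -Identity 'Remove headers' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Remove headers' -FromScope InOrganization -RemoveHeader 'Received'
}

function Find-LeakyHeaders {
    param([string]$RawHeaders)
    $unfolded  = $RawHeaders -replace "`r?`n[ \t]+", ' '      # join folded continuation lines
    $privateIp = '\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b'
    $findings  = @()
    foreach ($line in $unfolded -split "`r?`n") {
        if ($line -notmatch '^([\w-]+):\s*(.*)$') { continue }
        $name, $value = $matches[1], $matches[2]
        $reasons = @()
        if ($name -eq 'Received')               { $reasons += 'Received trace header present' }
        if ($value -match $privateIp)           { $reasons += "private address $($matches[0])" }
        if ($value -match '\b[\w.-]+\.local\b') { $reasons += "internal host name $($matches[0])" }
        if ($reasons) {
            $findings += New-Object PSObject -Property @{ Header = $name; Reason = ($reasons -join '; ') }
        }
    }
    return $findings
}

# Constructed sample modelled on the headers shown above; not a real message.
$sample = @"
Received: from SRVEXCH01.domain.local ([10.11.12.2]) by SRVEXCH01.domain.local
 ([10.11.12.2]) with mapi; Wed, 19 May 2010 13:08:02 +0200
From: someone@example.com
Message-ID: <0123456789ABCDEF@SRVEXCH01.domain.local>
Subject: test
"@
Find-LeakyHeaders -RawHeaders $sample | Format-Table Header, Reason -AutoSize
```

Once the rule is active the Received lines disappear from mail leaving the organization; the check still lists any other header, such as Message-ID, that carries a private address or an internal host name.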

Bye,
Luka (under influence of wonderful NT Konferenca 2010)

Windows Server 2008 R2 Foundation on HP ML 110 G6 – SBSBIOSLock

NT Konferenca 2010 is almost here…

While preparing the demos for my sessions I needed to install Windows Server 2008 R2 Foundation on an HP ML 110 G6 which was given to me for demos…
After unpacking and starting the server I inserted the installation DVD… I got this nice screen telling me "Validating HP Platform, Please Wait…" 🙂

After a minute I got this error – a popup window came up with the following message:

SBSBIOSLock

could not find the media

If you want to continue your installation you need to go into the HP BIOS and change the SATA emulation value from RAID to AHCI. It worked for me… Well, leave me alone, I need to finish my installation. 🙂

Windows server 2008 R2 Active Directory – Recycle Bin Feature

Sometimes you delete a user from AD and it causes a big headache 🙂

Well… No more. Windows Server 2008 R2 Beta (which, by the way, is already publicly available) has a new functional level for AD that allows you to activate the so-called Recycle Bin Feature.
In this demo you will see my AD server with a domain called demoadps.local on which I will enable this feature. As I mentioned before, the functional level should be Windows Server 2008 R2.

Watch the video

First of all you need to enable the feature by typing this PowerShell cmdlet (the -Scope value must be ForestOrConfigurationSet, the cmdlet does not accept a shortened form):

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'domain.local'

after that you can check for deleted items by typing:

Get-ADObject -SearchBase "CN=Deleted Objects,DC=domain,DC=local" -ldapFilter "(objectClass=*)" -includeDeletedObjects | FT ObjectGUID,Name -A

This will show you the deleted objects which you can restore by entering:

Restore-ADObject -Identity 6ff46162-15c2-4d42-8e15-2fcac5c8422e

** domain.local should be replaced with your domain name
6ff46162-15c2-4d42-8e15-2fcac5c8422e should be replaced with the ID that matches your deleted object…

To make it simpler I have recorded a video tutorial on how to do that…
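The three cmdlets above tied together into one function that restores a deleted user by account name instead of by GUID, and that checks the feature is really enabled before touching anything. This is an added example, not from the original post; demoadps.local and the user name jdoe are placeholders.

```powershell
# Added example (not from the original post). Restores a deleted user by account
# name, after checking that the Recycle Bin feature is enabled and that the
# container it lived in still exists. demoadps.local and jdoe are placeholders.
Import-Module ActiveDirectory

function Restore-DeletedUser {
    param([string]$SamAccountName, [string]$Domain = 'demoadps.local')

    # Enable-ADOptionalFeature cannot be undone, so check for it rather than re-run it.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) {
        throw 'Recycle Bin Feature is not enabled in this forest (forest functional level must be Windows Server 2008 R2).'
    }

    $dn = 'DC=' + (($Domain -split '\.') -join ',DC=')    # demoadps.local -> DC=demoadps,DC=local
    $deleted = Get-ADObject -SearchBase "CN=Deleted Objects,$dn" -IncludeDeletedObjects `
        -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and sAMAccountName -eq $SamAccountName } `
        -Properties sAMAccountName, whenChanged, lastKnownParent
    if (-not $deleted) { throw "No deleted user '$SamAccountName' found under CN=Deleted Objects,$dn" }

    # If the same account was deleted more than once, restore only the most recent copy.
    $target = $deleted | Sort-Object whenChanged -Descending | Select-Object -First 1

    # The original parent OU must exist; if it was deleted too, restore it first.
    $parent = $target.lastKnownParent
    if (-not (Get-ADObject -Filter { distinguishedName -eq $parent })) {
        throw "Parent container $parent is itself deleted; restore it before the user."
    }

    Restore-ADObject -Identity $target.ObjectGUID
    return Get-ADUser -Identity $SamAccountName
}

Restore-DeletedUser -SamAccountName 'jdoe'
```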

Hyper-V server 2008 R2 beta is available!!! (with Hyper-V v2.0)

Here it comes, powerful and with the new, so desperately awaited features… Hyper-V 2.0…

http://www.virtualization.info/2009/01/microsoft-releases-hyper-v-20-and.html

http://edge.technet.com/Media/Demo-Hyper-V-Server-and-Live-Migration/

http://www.microsoft.com/virtualization/downloads.mspx

Take a look / give it a try!

PS. Take a look at the newly redesigned Microsoft Virtualization site, where you can find information about all MS virtualization products…:

http://www.microsoft.com/virtualization/default.mspx

0X8004010F weekend – Windows server 2008, Exchange 2007 SP1

This weekend I was playing crawler… I know almost all the internet sites describing the problems around 0X8004010F, the damn error regarding Offline Address Book distribution…

But nowhere have I encountered a description of this error code in combination with Windows Server 2008 and Exchange 2007 SP1 with Rollup 5.

Well… As I figured out, it apparently does not work if you want the OAB to be distributed by web-based distribution…

You get this error in your Outlook 2007 SP1 clients (on Windows XP and on Windows Vista).

As far as I can see there is some kind of permission problem, because the OAB virtual directory points to:

C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB

This directory has NO NTFS permissions for Authenticated Users… but in IIS this folder has the parameter Pass-through authentication, which as far as I know cannot work because your credentials are not covered by the NTFS permissions of that folder.

But it does not work even if you give NTFS permissions to Authenticated Users… (you are still prompted for username and password in Outlook…)

Maybe I am missing something, but the weekend is almost over and my users need to use Exchange and the RPC over HTTP(S) feature in their Outlooks tomorrow… What I did was disable web-based distribution of the Offline Address Book and leave only public folder distribution. It took a couple of minutes for autodiscover.xml to update and for the Outlooks to get the new parameters about Offline Address Book distribution.

Everything works correctly now…

Comments / suggestions appreciated…

PS.
Hey all you Exchange gurus!
I think you will find this link useful: https://www.testexchangeconnectivity.com/