Wednesday, June 29, 2016

IMAP4 Frontend with Exchange 2013

A customer of Avantgarde Technologies was having issues with IMAP4 on Exchange 2013.  In Exchange 2013 the IMAP role has changed and now has a "front end" and a "back end" role.  This is shown by the two services below.

The IMAP4 backend role listens on

If we telnet "localhost" we hit the IMAP backend service.

If we telnet the server on any other IP address on TCP 143 we hit the IMAP front end service.

This is what is confusing.  By default the IMAP4 front end proxy component is disabled even when the service is started.

If you telnet to the server on its local IP address, as shown below, you will simply get a blank Telnet screen and the session will automatically close a few seconds later.

This happens because the ImapProxy front end component is set to Inactive by default in the Server Component State of the server.

To enable it, use the following command.

Set-ServerComponentState -Identity Servername -State Active -Requester HealthAPI -Component ImapProxy
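The following is an added example, not code from the original post: it reports the ImapProxy Server Component State (per requester) on an Exchange 2013 server and probes TCP 143 the way the telnet tests above do, so you can confirm the front end actually greets clients after enabling it. It assumes the Exchange Management Shell on the server; 'EXCH01' is a placeholder server name.

```powershell
# Added example (not from the original post). The back end on localhost answers with an
# IMAP greeting ("* OK ..."); an Inactive front end proxy accepts the TCP connection and
# then closes it without a banner, which is the blank Telnet screen described above.
function Get-ImapBanner {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 143,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        # $null when the peer closes without sending anything; an IOException on timeout.
        return $reader.ReadLine()
    } catch {
        return $null
    } finally {
        $client.Close()
    }
}

function Test-ImapFrontEnd {
    param([Parameter(Mandatory)][string]$ServerName)

    # Each requester (HealthAPI, Maintenance, Sidelined, Functional, Deployment) records
    # its own state; the component is Active only when every requester says Active, so
    # listing them shows which requester still needs Set-ServerComponentState -State Active.
    $component  = Get-ServerComponentState -Identity $ServerName -Component ImapProxy
    $requesters = $component.LocalStates | ForEach-Object { "{0}={1}" -f $_.Requester, $_.State }

    $backEnd  = Get-ImapBanner -HostName 'localhost'    # back end listener
    $frontEnd = Get-ImapBanner -HostName $ServerName    # front end proxy on the server's own address

    [pscustomobject]@{
        Server            = $ServerName
        ImapProxyState    = $component.State
        Requesters        = ($requesters -join '; ')
        BackEndBanner     = $backEnd
        FrontEndBanner    = $frontEnd
        FrontEndAnswering = ($frontEnd -like '* OK*')
    }
}

# Placeholder server name; replace with your Exchange 2013 server.
Test-ImapFrontEnd -ServerName 'EXCH01' | Format-List
```

If ImapProxyState reports Active but FrontEndAnswering is still False, check the Microsoft Exchange IMAP4 service is started and that nothing in front of the server is filtering TCP 143.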

Need IT Support with Microsoft Exchange in Perth?  Click Here.

Tuesday, June 21, 2016

Modern Public Folders in Multi-Tenant Environments

Modern Public Folders is a feature introduced in Exchange 2013 and also available in Exchange 2016.  It allows companies to leverage Database Availability Groups and use log shipping instead of SMTP for replication, which provides numerous advantages that we will not focus on in this article.

If you are new to Modern Public Folders, here is a good article to get you started:

In this article, we will focus on Modern Public Folders in a multi-tenant environment.  We will be going through how to achieve multi-tenancy with Microsoft Exchange 2013 / 2016.

It is important to note that there are numerous methods for setting up Public Folders in a multi-tenant environment.

In the example below we have:
  • One root Public Folder per tenant/company
  • One Public Folder Mailbox per tenant/company
  • One security group to represent all users from each tenant/company
  • Access-based enumeration so that each tenant/company can only see its own root-level Public Folder.
With Exchange 2013 and Exchange 2016, the first Public Folder mailbox created is always deployed as the Master Hierarchy Mailbox.  This mailbox is the only Public Folder mailbox with a writeable copy of the Public Folder hierarchy.  All additional Public Folder mailboxes created contain a read-only copy of the hierarchy.

When we are talking about Hierarchy, we are not talking about Public Folder content, only the folder structure which makes up the Public Folders.

The first thing we need to create is the master Public Folder Hierarchy mailbox.  In a multi-tenant environment I generally recommend that no content be placed in the master Public Folder Hierarchy mailbox and that it only be used to maintain the writeable copy of the Public Folder Hierarchy.

As the first Public Folder mailbox created is always the Master Hierarchy, simply use the New-Mailbox command to create the mailbox.  I always recommend clearly naming this mailbox so it is easily identifiable as the Master Hierarchy mailbox.  Here this was done by giving it the name "MasterHierarchy".

Next create a Public Folder mailbox for each tenant/company.  The intent here is that all content for each company will be stored in its respective public folder mailbox.  In this example we will be using my company, Avantgarde Technologies, as an example tenant.  I'm using the naming convention CompanyPF for each Public Folder mailbox.

Next create a new Public Folder at the root "\" of the Hierarchy.  Make sure you specify the Public Folder mailbox you want to store the Public Folder in; otherwise Exchange will automatically pick any Public Folder mailbox, which could be the Master Hierarchy mailbox or another tenant's mailbox.

The name of the Public Folder specified below is the name the tenant will see in Outlook.

By default, all root public folders can be seen by all tenants.  To ensure no tenants can see the "Avantgarde Technologies" root level Public Folder, remove the Default user Access Rights as shown in the screenshot below.  This will ensure no one can see this Public Folder.

Lastly, ensure you have a Security Group containing all users from the tenant/company, and grant the group access to the root level Public Folder.  I recommend Owner or PublishingEditor rights; refer to the following TechNet article for the other Public Folder permissions you can grant.

Only members of the "Avantgarde Users" security group will be able to see the root Public Folder Avantgarde Technologies, and all other tenants in the environment will be hidden from Avantgarde Technologies employees.

To add additional tenants to the environment, repeat the process documented above.  Make sure that:
  • All root level public folders have the default user permissions removed straight away to protect privacy of each tenant on your Exchange environment.
  • When creating the root level public folders in PowerShell you manually specify the correct Public Folder mailbox or Exchange will pick one at random.
  • Consider using provisioning scripts to remove user error and protect yourself against privacy breaches.
All sub-folders created in Outlook will automatically be created in the parent's Public Folder mailbox.
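The provisioning script recommended above, as an added example that is not from the original post: it carries out the per-tenant steps in order (mailbox, root folder pinned to that mailbox, Default permission removed, group granted) and then verifies the result, so a tenant folder can never be created in the wrong mailbox or left visible to other tenants. It assumes the Exchange Management Shell, that the MasterHierarchy mailbox already exists, and that the tenant and group names passed in are placeholders.

```powershell
# Added example (not from the original post). Provisions one tenant's root Public Folder
# following the multi-tenant layout described above, then checks mailbox placement and
# permissions before returning.
function New-TenantPublicFolder {
    param(
        [Parameter(Mandatory)][string]$TenantName,     # name shown in Outlook, e.g. "Avantgarde Technologies"
        [Parameter(Mandatory)][string]$SecurityGroup,  # group of the tenant's users, e.g. "Avantgarde Users"
        [ValidateSet('Owner','PublishingEditor')][string]$AccessRights = 'PublishingEditor'
    )
    $pfMailbox = ($TenantName -replace '\s', '') + 'PF'   # CompanyPF naming convention
    $folder    = "\$TenantName"                             # root-level folder path

    # 1. One Public Folder mailbox per tenant. It must not be the first one created in the
    #    organisation, so it only ever holds a read-only copy of the hierarchy.
    if (-not (Get-Mailbox -PublicFolder -Identity $pfMailbox -ErrorAction SilentlyContinue)) {
        New-Mailbox -PublicFolder -Name $pfMailbox | Out-Null
    }

    # 2. Root-level folder, explicitly pinned to the tenant's mailbox so Exchange cannot
    #    place it in MasterHierarchy or another tenant's mailbox.
    if (-not (Get-PublicFolder -Identity $folder -ErrorAction SilentlyContinue)) {
        New-PublicFolder -Name $TenantName -Path '\' -Mailbox $pfMailbox | Out-Null
    }

    # 3. Remove the Default permission straight away; until this runs every tenant can see
    #    the new folder. Exchange 2013/2016 removes the entry by user only.
    Remove-PublicFolderClientPermission -Identity $folder -User Default -Confirm:$false -ErrorAction SilentlyContinue

    # 4. Grant only the tenant's security group.
    Add-PublicFolderClientPermission -Identity $folder -User $SecurityGroup -AccessRights $AccessRights -ErrorAction SilentlyContinue | Out-Null

    # 5. Verify placement and permissions; fail loudly rather than leave a privacy gap.
    $check = Get-PublicFolder -Identity $folder
    if ($check.ContentMailboxName -ne $pfMailbox) {
        throw "'$folder' lives in '$($check.ContentMailboxName)', expected '$pfMailbox'"
    }
    $perms = Get-PublicFolderClientPermission -Identity $folder
    if ($perms | Where-Object { "$($_.User)" -eq 'Default' }) {
        throw "Default permission is still present on '$folder'"
    }
    $perms | Select-Object @{n='Folder';e={$folder}}, @{n='Mailbox';e={$pfMailbox}}, User, AccessRights
}

# Placeholder tenant; repeat the call for each additional tenant/company.
New-TenantPublicFolder -TenantName 'Avantgarde Technologies' -SecurityGroup 'Avantgarde Users' -AccessRights Owner
```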

One last thing I want to touch on is the "-DefaultPublicFolderMailbox" parameter of the Set-Mailbox command.  When people initially go about setting up Public Folders for multi-tenant Exchange, many think about creating a public folder mailbox for each tenant and then using "-DefaultPublicFolderMailbox" on all user mailboxes of each tenant.  Before writing this article I googled around to see if there was already a similar article, and saw people attempting this incorrect method of deployment.  The reason this approach will not work is, as mentioned earlier, that all Public Folder mailboxes have a "read only" copy of the entire Public Folder Hierarchy (meaning all Public Folders in the Exchange Organisation).  This means they do have the Public Folder structure of the other tenants/companies in the environment.  We want to ensure tenants only see public folders related to their company, and that is achieved by locking down permissions, for privacy reasons.

I hope this article has been informative for you and I would like to thank you for reading.

Click here for IT Support in Perth with Microsoft Exchange

Friday, June 17, 2016

Setting Delivery Restrictions and Exchange Administration Center

Delivery Restrictions is a feature of Exchange Server which has been around since Exchange 2000 and allows companies to easily limit who can send to a distribution list or mailbox.  A very common use of Delivery Restrictions is to limit who can send to the "All Users" or "All Staff" distribution group.

In previous releases of Exchange such as 2010, 2007 and even 2003, delivery restrictions were very easy to configure via the graphical user interface (GUI).

In later revisions of Exchange, Delivery Restrictions have been left out of the GUI and now must be configured by PowerShell.

This can be easily configured by using the "AcceptMessagesOnlyFrom" attribute on Distribution Groups and Mailboxes for which you want to configure Delivery Restrictions.  Use "AcceptMessagesOnlyFromDLMembers" when you want to limit the group/mailbox to the members of a group who are allowed to send.

To set this, simply run:

Set-DistributionGroup "Avantgarde Users" -AcceptMessagesOnlyFrom "Clint Boessen"

However, what if you want to configure multiple users or groups who need delivery restrictions on a mailbox or distribution group?  The -AcceptMessagesOnlyFrom attribute does not allow you to comma separate values.

This is where it becomes more complicated...

Here is the syntax to add multiple groups or users to Delivery Restrictions in PowerShell:

Set-DistributionGroup -Identity "All Staff" -AcceptMessagesOnlyFromDLMembers "All Managers"

Set-DistributionGroup "All Staff" -AcceptMessagesOnlyFromDLMembers ((Get-DistributionGroup "All Staff").AcceptMessagesOnlyFromDLMembers + "Executive Assistant")

Set-DistributionGroup "All Staff" -AcceptMessagesOnlyFromDLMembers ((Get-DistributionGroup "All Staff").AcceptMessagesOnlyFromDLMembers + "Executive Group")
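As an added example (not from the original post), the same restrictions can be applied in one call using the @{Add=...} syntax that Exchange multi-valued parameters accept, which appends without first reading the current list back; the function then reads the effective restriction back for verification. It assumes the Exchange Management Shell; the group and sender names are placeholders.

```powershell
# Added example (not from the original post). Adds users and group members to a
# distribution group's delivery restrictions without overwriting existing entries.
function Add-DeliveryRestriction {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string[]]$AllowedSenders      = @(),   # individual mailboxes or contacts
        [string[]]$AllowedGroupMembers = @()    # groups whose members may send
    )
    $params = @{ Identity = $Group }
    # @{Add=...} appends to the multi-valued property; @{Remove=...} would take entries out.
    if ($AllowedSenders.Count -gt 0) {
        $params['AcceptMessagesOnlyFrom'] = @{ Add = $AllowedSenders }
    }
    if ($AllowedGroupMembers.Count -gt 0) {
        $params['AcceptMessagesOnlyFromDLMembers'] = @{ Add = $AllowedGroupMembers }
    }
    Set-DistributionGroup @params

    # Read back the effective restriction. Empty lists on all three mean anyone can send,
    # which is what you want to catch on an "All Staff" group.
    Get-DistributionGroup -Identity $Group |
        Select-Object Name, AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers
}

Add-DeliveryRestriction -Group 'All Staff' -AllowedSenders 'Executive Assistant' -AllowedGroupMembers 'All Managers', 'Executive Group'
```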

I hope this post has been helpful!

Need IT Services in Perth from Subject Matter Experts?

Exchange 2016 CU2 - Automatically Move Exchange Databases back to Preferred Server

In Exchange 2016 CU2, Microsoft has released a new feature which has been a request of mine since the release of Exchange Database Availability Groups (DAGs) in Exchange 2010.  I have built many Exchange 2010, 2013 and 2016 clustered environments for customers around Perth over the years; however, one problem I always see is that customers do not rebalance databases after Windows Updates.

Many customers (even after training) do not put DAG nodes into maintenance mode; they simply install updates on a node and reboot, causing a database failover to occur.  They then do the remaining servers in the cluster, usually ending up with all databases residing on a single server.

In Exchange 2016 CU2 there is a new shiny feature which "automatically fails back" the database to the preferred server based on Activation Preference.  This is known as "PreferenceMoveFrequency".

After all your Exchange 2016 servers (or more technically the Primary Active Manager) have been upgraded to Exchange 2016 CU2, you will have a new DAG property called PreferenceMoveFrequency.

This property defines a frequency (a time interval) at which the Microsoft Exchange Replication service will rebalance the database copies by performing a lossless switchover that activates the copy with an ActivationPreference of 1.

How cool is that... automatic failback to preferred members.

Now when I build a new Exchange cluster for a customer, after I leave and close out the project I can be sure that the databases will automatically fail back to the preferred server after the customer installs Windows Updates on cluster nodes.  This is important as it keeps the load across the cluster balanced.

To configure this feature, set the PreferenceMoveFrequency property on the DAG with the following PowerShell command.  The value is a TimeSpan (the default after CU2 is one hour); the command below sets one hour explicitly, while a value of ([TimeSpan]::Zero) disables the automatic move:

Set-DatabaseAvailabilityGroup -Identity DAG01 -PreferenceMoveFrequency 01:00:00
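The following added example (not from the original post) shows each DAG's PreferenceMoveFrequency and lists every replicated database whose active copy is not on its ActivationPreference 1 server, which is exactly the imbalance the automatic move corrects; run it after a patch cycle to confirm the copies moved back. It assumes the Exchange Management Shell and that a database's Server property reflects the server it is currently mounted on.

```powershell
# Added example (not from the original post). Reports the automatic-move setting per DAG
# and which databases are currently active away from their preferred server.
function Get-DagPreferenceSetting {
    foreach ($dag in Get-DatabaseAvailabilityGroup) {
        $frequency = $dag.PreferenceMoveFrequency          # $null before Exchange 2016 CU2
        [pscustomobject]@{
            DAG                     = $dag.Name
            PreferenceMoveFrequency = $frequency
            AutomaticMoveEnabled    = ($null -ne $frequency -and $frequency -ne [TimeSpan]::Zero)
        }
    }
}

function Get-DatabaseBalance {
    # Only DAG-replicated databases carry more than one copy and an activation preference list.
    foreach ($db in Get-MailboxDatabase | Where-Object { $_.ReplicationType -eq 'Remote' }) {
        # ActivationPreference is a list of <server, preference> pairs; preference 1 is the home server.
        $preferred = ($db.ActivationPreference | Where-Object { $_.Value -eq 1 } | Select-Object -First 1).Key.Name
        $active    = $db.Server.Name    # assumption: server the database is currently mounted on
        [pscustomobject]@{
            Database        = $db.Name
            ActiveOn        = $active
            PreferredServer = $preferred
            OnPreferred     = ($active -eq $preferred)
        }
    }
}

Get-DagPreferenceSetting | Format-Table -AutoSize
# Anything listed here is what the Replication service should move back on the next cycle.
Get-DatabaseBalance | Where-Object { -not $_.OnPreferred } | Format-Table -AutoSize
```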

Need specialised Exchange consulting in Perth?  Contact Avantgarde IT Services on 08 9468 7575

Sunday, June 12, 2016

Reduce your IT Support costs by purchasing quality hardware upfront

During my career in the IT Industry, I see many small business entities purchase cheap consumer grade hardware from a local computer store in order to reduce IT costs.  This is bad practice and almost always leads to significantly higher IT Support costs in the long term.

For more information, please see my article "The Importance of Quality Hardware to reduce IT Support Costs".

Reduce your IT Support Costs in Perth by talking to us now.

Tuesday, June 7, 2016

.NET Framework 4.6.1 and Exchange 2013 / 2016

Currently, with Exchange 2013 CU12 and Exchange 2016 CU1, it is not supported to install .NET Framework 4.6.1, as it causes databases to unexpectedly dismount or fail over to alternative servers within a DAG cluster.  This issue is documented in the following KB article:

To ensure .NET Framework 4.6.1 does not install on your Exchange Servers, make sure you put the following registry key in place on your Exchange Servers:
  1. Back up the registry.
  2. Start Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter.
  3. Locate and click the following subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP
  4. After you select this subkey, point to New on the Edit menu, and then click Key.
  5. Type WU, and then press Enter.
  6. Right-click WU, point to New, and then click DWORD Value.
  7. Type BlockNetFramework461, and then press Enter.
  8. Right-click BlockNetFramework461, and then click Modify.
  9. In the Value data box, type 1, and then click OK.
  10. On the File menu, click Exit to exit Registry Editor.
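The registry steps above as a script, added here as an example and not part of the original post: it creates the WU subkey and the BlockNetFramework461 DWORD with PowerShell so the block can be deployed to every Exchange server consistently, and reports which .NET Framework 4.x release is installed from the Release value under v4\Full. The Release thresholds are Microsoft's documented values for 4.5.2, 4.6 and 4.6.1; run it from an elevated session.

```powershell
# Added example (not from the original post). Applies the BlockNetFramework461 value and
# reports the installed .NET Framework 4.x release.
$NdpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

function Block-NetFramework461 {
    $wuKey = Join-Path $NdpKey 'WU'
    if (-not (Test-Path $wuKey)) {
        New-Item -Path $wuKey -Force | Out-Null       # steps 4-5: create the WU subkey
    }
    # Steps 6-9: DWORD BlockNetFramework461 = 1 (-Force overwrites an existing value)
    New-ItemProperty -Path $wuKey -Name 'BlockNetFramework461' -PropertyType DWord -Value 1 -Force | Out-Null
    return (Get-ItemProperty -Path $wuKey).BlockNetFramework461
}

function Get-NetFrameworkRelease {
    # The Release DWORD under v4\Full identifies the installed 4.x version. It only grows
    # with newer releases, so compare against the lowest documented value for each version.
    $full    = Get-ItemProperty -Path (Join-Path $NdpKey 'v4\Full') -ErrorAction SilentlyContinue
    $release = [int]$full.Release
    $version = if     ($release -ge 394254) { '4.6.1 or later (not supported with Exchange 2013 CU12 / 2016 CU1)' }
               elseif ($release -ge 393295) { '4.6' }
               elseif ($release -ge 379893) { '4.5.2' }
               elseif ($release -gt 0)      { 'older than 4.5.2' }
               else                         { 'no .NET Framework 4.x detected' }
    $blocked = (Get-ItemProperty -Path (Join-Path $NdpKey 'WU') -ErrorAction SilentlyContinue).BlockNetFramework461
    [pscustomobject]@{
        Release    = $release
        Version    = $version
        Blocked461 = ($blocked -eq 1)
    }
}

Block-NetFramework461 | Out-Null
Get-NetFrameworkRelease
```

A result showing "4.6.1 or later" means the block arrived too late and the removal procedure below applies.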
What if I have already installed .NET Framework 4.6.1 on my Exchange Servers?  If so, use the following procedure:
  1. If the server has already automatically updated to 4.6.1 and has not rebooted yet, do so now to allow the installation to complete
  2. Stop all running services related to Exchange.  You can run the following cmdlet from Exchange Management Shell to accomplish this:  (Test-ServiceHealth).ServicesRunning | %{Stop-Service $_ -Force}
  3. Go to add/remove programs, select view installed updates, and find the entry for KB3102467.  Uninstall the update.  Reboot when prompted.
  4. Check the version of the .NET Framework and verify that it is showing 4.5.2.  If it shows a version prior to 4.5.2 go to windows update, check for updates, and install .NET 4.5.2 via the KB2934520 update.  Do NOT select 4.6.1/KB3102467.  Reboot when prompted.  If it shows 4.5.2 proceed to step 5.
  5. Stop services using the command from step 2.  Run a repair of .NET 4.5.2 by downloading the offline installer, running setup, and choosing the repair option.  Reboot when setup is complete.
  6. Apply the February security updates for .NET 4.5.2 by going to Windows update, checking for updates, and installing KB3122654 and KB3127226.  Do NOT select KB3102467.  Reboot after installation.
  7. After reboot verify that the .NET Framework version is 4.5.2 and that security updates KB3122654 and KB3127226 are installed.
  8. Follow the steps here to block future automatic installations of .NET 4.6.1.
Need IT Support Perth?  Contact Avantgarde Technologies on 08 9468 7575

Monday, May 2, 2016

Windows 7 Computers Rebooting During Day for Updates

A customer was having an issue where Windows 7 computers randomly rebooted during the day for Windows Updates without prompting users with the option to postpone the reboot.  This resulted in frustrated users with computers rebooting in the middle of sending important emails, word processing tasks etc.

We checked the Group Policy Windows Update settings; all were configured correctly, however computers still rebooted.

After troubleshooting further, we found that a deadline in WSUS was set to "Same day approval at 5:00AM".  Because the deadline was 5:00AM in the morning, as soon as computers received the update upon boot they had already missed the deadline, and the update installed immediately without prompting users to postpone the reboot.

We removed the setting for same day approval and this resolved the problem.

Avantgarde Technologies, a leading IT Support Perth based company.

Wednesday, April 13, 2016

Windows 7 SP1 hanging on Checking for Updates

I was trying to perform the simple task of installing Windows 7 x64 Enterprise with Service Pack 1 on some virtual machines in my lab to test a product.  Windows 7 SP1 comes with Internet Explorer 8 and is very out of date in most aspects for application testing.

After building a few Windows 7 VMs from my ISO, all of them sat there hanging on "Checking for Updates" for hours.

Ugg... something I didn't have time for as I was trying to test something urgently for a customer.

After installing the latest Windows Update client from on each freshly built Windows 7 workstation, they then detected updates in 4 minutes and I was able to start patching.

Wednesday, March 16, 2016

Microsoft Word Performance Issues - KB3114717

A customer contacted me mid-February complaining of significant performance issues with Microsoft Word 2013 SP1 (32-bit).  When users copied and pasted text, scrolled up and down a document or changed formatting, Microsoft Word continuously hung and entered a "not responding" state.  In addition, users sometimes experienced up to a 60-second delay between typing and the characters appearing on the screen.

We did significant troubleshooting on the issue, including:
  • Disabled Anti-Virus products
  • Full malware scan using multiple AV engines
  • Disabled all non Microsoft services and applications from System Startup
  • Disabled all Microsoft Word Add-ins
  • Disabled graphics acceleration in Microsoft Word
None of these troubleshooting steps resolved the issue.

After talking to Microsoft, it turns out that Microsoft released a bad Windows Update, KB3114717.  This update was released on the 9th of February and caused numerous performance issues with Microsoft Office.  Removing this update from all workstations resolved the issue.

Tuesday, March 15, 2016

Searching RBL Agent Logs on Microsoft Exchange

In this blog post I will show you a quick way to search through large amounts of Real-time Blacklist (RBL) agent logs on an Exchange Server.  This article assumes you have RBL providers in place on the Exchange server, which can be enabled as per the following article:

Once RBL listing is turned on, you will have a bunch of log files under the following directory (provided Exchange was installed to the default C:\ location):

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog

We want to track down which RBL provider blocked an email from a spammer with the from address of but we first need to identify which log file contains the entry.  To do this, open a command prompt and navigate to the FrontEnd\AgentLog directory.

Run the following command:

find /c "" *.log | find ":" | find /v ": 0"

After running this command we can see that it found one entry for in the file AGENTLOG20160313-1.LOG.

Open the log and search for the email in question.

We can see this email was blocked by RBL provider.
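The same search in PowerShell, added here as an example that is not part of the original post: it scans the FrontEnd AgentLog files for a sender address and, using the "#Fields:" header each agent log carries, reports which agent blocked it and why, so you do not have to open the file and search by hand. It assumes the default log path from above; the column names used (Timestamp, IPAddress, P1FromAddress, Agent, Action, Reason, ReasonData) are taken from that header, and the sample address is a constructed placeholder.

```powershell
# Added example (not from the original post). Finds agent log entries for a sender and
# reports the agent, action and reason (RBL provider) for each one.
function Search-AgentLog {
    param(
        [Parameter(Mandatory)][string]$Sender,
        [string]$LogPath = 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\AgentLog'
    )
    foreach ($file in Get-ChildItem -Path $LogPath -Filter '*.log' | Sort-Object LastWriteTime) {
        $lines = Get-Content -Path $file.FullName
        # Cheap pre-filter, equivalent to the find /c pass above: skip files without a hit.
        $hits = $lines | Where-Object { $_ -like "*$Sender*" }
        if (-not $hits) { continue }

        # Agent logs are CSV with a "#Fields:" line naming the columns; reuse it as the header.
        $header = ($lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
        if ($header) {
            $rows = $hits | Where-Object { $_ -notlike '#*' } | ConvertFrom-Csv -Header ($header -split ',')
            foreach ($row in $rows) {
                [pscustomobject]@{
                    File       = $file.Name
                    Timestamp  = $row.Timestamp
                    SourceIP   = $row.IPAddress
                    Sender     = $row.P1FromAddress
                    Agent      = $row.Agent        # e.g. Connection Filtering Agent for RBL blocks
                    Action     = $row.Action
                    Reason     = $row.Reason
                    ReasonData = $row.ReasonData   # the RBL provider that listed the source
                }
            }
        } else {
            # No header recognised (e.g. a rotated fragment): return the raw matching lines.
            $hits | ForEach-Object { [pscustomobject]@{ File = $file.Name; Line = $_ } }
        }
    }
}

# Constructed placeholder address; replace with the spammer's from address.
Search-AgentLog -Sender 'spammer@example.com' | Format-Table -AutoSize
```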

Hope this post was helpful. 

Wednesday, March 9, 2016

Remove Run menu from Start Menu - Policy Bug

Today I stumbled across a bug with Windows 8.1 / 2012 R2 with the Group Policy setting:

User Configuration ->Policies -> Administrative Templates -> Start Menu and Taskbar-> Remove Run menu from Start Menu

I had this policy applied to a Remote Desktop Session Host through Loopback in a user session lockdown policy.

When this policy was applied, I could not access any network share on my 2012 R2 file servers and received the following error message:

Accessing the resource \\fileserver\share has been disallowed.

I received the same error when attempting to access the file server shares through a DFS namespace.

After removing this policy setting from my RD Session Hosts, the issue was resolved.

Monday, February 15, 2016

Windows cannot move object because Access is denied

I came across an interesting error today when attempting to move a security group to a new location in Active Directory.

Windows cannot move object because Access is denied

This issue was caused by "Protect object from accidental deletion".

By default this feature is only enabled on organisational units; however, in this environment some groups and user objects had this feature enabled as well.  I believe this was manually enabled by a sysadmin in the past.

Tuesday, January 26, 2016

Why Is My Domain Password Policy Not Applying?

Back in 2009 I published a very popular article "The Low-Down on Password Policies" which has been viewed by thousands of IT Professionals and referenced by application vendors in online documentation such as SysOp Tools Software.

In this post we are going to talk about password policies further and cover what appears to be a bug but is actually "by design".

My customer had a handful of domain controllers with a single 2008 R2 domain controller and three Server 2012 R2 domain controllers.  The PDC Emulator resides on Server 2008 R2.

The Server 2008 R2 domain controller was applying the password policy correctly however the 2012 R2 domain controllers were not (or so I thought).

Running rsop.msc on the 2008 R2 domain controller (the PDC) shows the policy being applied from the Default Domain Policy.

On the 2012 R2 domain controllers, the resultant set of policy displayed no policies being applied.

The same was experienced running "gpresult /v" on both the 2008 R2 and 2012 R2 domain controllers.

"gpresult /v" on 2008 R2:

"gpresult /v" on 2012 R2:

The account policies above are the domain Kerberos policy, not the password policy.

The password policy simply did not apply to the 2012 servers.  After further investigation in my test lab, I saw that only the domain controller running the PDC emulator displays the password policy when performing a Resultant Set of Policy.

This means every domain controller in the domain, apart from the PDC emulator, will not display the password policy in a resultant set of policy.

How do I check if the password policy is applying correctly on my domain controllers?

There are two commands which check the password policy:
  • net accounts (checks the local password policy on a server)
  • net accounts /domain (checks the domain password policy on a server)
Domain policy always wins over a local policy.

A Computer Role of Backup means the server is not the Primary Domain Controller (PDC).

So in summary... if you see a password policy not applying to a domain controller when you check Group Policy, this is normal behaviour and by design unless the server is the PDC emulator.

Thursday, January 14, 2016

Exchange 2013 - Could not find any available Global Catalog in forest

I was contracted to redesign a company's AD Sites and Services topology.  It was never set up correctly and, despite being a 500 user organisation with 13 branch sites, they were still running off the "Default-First-Site-Name" which is generated automatically by Active Directory for a new domain.

As part of the new design, I renamed Default-First-Site-Name to a name which reflects their main datacentre, then went through the process of creating the additional site objects, site links and subnet objects.

After renaming Default-First-Site-Name I also updated the AutodiscoverSiteScope on the Client Access Servers in the Exchange 2013 cluster to reflect the new site name (as required for correct site SCP lookups).

After approximately 30 minutes, the IT Department complained they were no longer able to work on Exchange 2013 servers - all commands in the Exchange Management Shell failed with:

Could not find any available Global Catalog in forest

Oh dear!

After a quick investigation, the issue was isolated to the Exchange 2013 management tools; Outlook clients were not affected by the Site Object rename.

In order to force Exchange Server to redetect Active Directory Sites and Services topology, a restart of the "Microsoft Exchange Active Directory Topology" service is required on all Exchange servers.  Unfortunately almost every Exchange Service is dependent on this service!

As a result, we needed to wait until after business hours, when we rebooted every Exchange 2013 server in the cluster.

This resolved the problem.

Tuesday, January 5, 2016

Windows DNS Forwarder Population

A customer contacted me today asking why, when they promoted new domain controllers, each server ended up with old DNS forwarders automatically configured.

When DCPROMO installs the DNS Server service it also activates, by default, the auto-configuration of the DNS Server service. This auto-configuration process configures the forwarders list, the root-hints and the resolver, among other things, like creating the zones if required.

During the automatic configuration of the Forwarders, the following process occurs:
  1. Try to copy the forwarders list from a peer DNS server. A peer DNS server is any DNS server that has a copy of this DC domain’s zone. To get the peer server list the process queries for the NS list of the domain’s zone and then contacts each server returned on the list until it finds one from which it can copy the forwarders list. Once the process finds a peer from which it can copy the forwarders list it skips the next step. If no peer is found (because the NS query returned empty), none of them could be contacted, or none of them has forwarders configured, then move to step #2.
  2. If the previous step was not able to provide a forwarders list, then use as forwarders all the DNS Servers that are currently listed in the resolver for all the adapters, without any specific order.
  3. If none of the previous two steps can provide a forwarders list, then the new DNS server will not have forwarders configured.
If you have different DNS Forwarders configured for various sites on your network, the DNS server will automatically configure itself to one at random so make sure you check the forwarders after promoting a new server!

Wednesday, December 30, 2015

Data Deduplication Enhancement in Windows Server 2012 R2

Windows Server 2012 R2 has a new feature which I can see being very handy in the real world, especially with VDI environments which have lots of Virtual Hard Disk files (VHDs) of a similar nature.

In Server 2012 R2, Data Deduplication is now supported on VHD data stores.  This was not supported with the initial release of Server 2012.

Data Deduplication is also supported on Cluster Shared Volumes (CSVs) with file servers configured as Scale-Out File Servers for high availability.

For companies that run a Microsoft-based VDI pool with multiple hosts, Data Deduplication can reduce the storage requirements of the VDI environment up to 90%.

Sunday, December 27, 2015

The Dirty Little Secret about P2V Migration with System Center Virtual Machine Manager

Physical to Virtual Migration has been around for a long time ever since companies started making the transition to Virtualisation as a standard back in 2008 with the release of VMware ESX 3.x quickly followed by 4.x and vSphere.

There are many tools on the market for Physical to Virtual migration of machines, the most common being "VMware vCenter Converter: P2V Virtual Machine Converter", "Microsoft Virtual Machine Converter 3.0" and the handy little tool from Sysinternals, "Disk2vhd".

The brand new shiny System Center Virtual Machine Manager (VMM) 2012 R2 also supports Physical to Virtual migration of workstations and physical servers, as an easy transition to a virtual platform.

However if you look at the fine print in the "prerequisites" you will see:

"Cannot have any volumes larger than 2040 GB"

What the @$%@!!!

Very disappointing, seeing this is the latest release of VMM and this limitation is still around... this would trip up many companies who are still looking to virtualise that legacy file server or mail server sitting around on their network!

Saturday, December 26, 2015

Event Viewer Tasks

I just want to touch on a feature in Windows Server 2008 R2 - 2012 which I believe is very cool.  Windows Event Viewer has the ability to launch tasks automatically when a particular error occurs.  This is great for companies that do not have System Center (or similar) tools in the environment to perform remediation tasks when problems occur on server infrastructure.

The button in Event Viewer is called "Attach Task to This Event".

Clicking it we can see that it actually relies on the Task Scheduler service to monitor the event logs.

Select Start a Program then associate it with cscript.exe or powershell.exe to launch a script that performs remediation tasks whenever the event error reoccurs.  You can instruct your script to also notify administrators via email which is very easy with PowerShell using the Send-MailMessage cmdlet.

Monday, December 21, 2015

Common DCDIAG Error with NCSecDesc

When running dcdiag.exe on 2008 or 2008 R2 domain controllers, it is very common to see the following error.

Starting test: NCSecDesc
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:
   ......................... DC1 failed test NCSecDesc

This occurs in Active Directory domains which have not been prepared for read-only domain controllers with "adprep /rodcprep".

Server 2012 / 2012 R2 domain controllers do not receive this error for NCSecDesc.

It is also recommended that you do not prepare your domain for RODCs unless you intend to deploy Read Only Domain Controllers, which are generally only required for specific branch locations from a physical security perspective.

Sunday, December 20, 2015

MSExchange ADAccess EventID 4027

A customer of mine contacted me today regarding an EventID 4027 from MSExchange ADAccess they wanted resolved.  This error was being generated on all Exchange 2013 servers in their cluster.

After looking into the issue, I found that legacy Cross-Forest configuration remained in the configuration partition from a previous Cross-Forest Exchange Migration.  This is located under Configuration --> Services --> Microsoft Exchange Autodiscover.

Simply remove the additional references to the legacy forest (the ones highlighted in yellow above).

Do not remove "Microsoft Exchange Online".  This is a default entry and is used when you create a Hybrid deployment with Office 365.

Monday, December 14, 2015

Outlook 2010 Starting in Safe Mode?

Microsoft recently released a bad Windows Update (KB3114409) which caused Outlook 2010 to start loading in safe mode for multiple clients of mine.  This update has recently been recalled by Microsoft due to the number of issues it caused.

In the event your company installed it across multiple workstations, you can quietly uninstall it across all computers.

One of the easiest ways to do this is to create a Startup Script with Group Policy that runs a batch file containing the following command:

C:\Windows\System32\wusa.exe /uninstall /kb:3114409 /quiet /norestart

Make sure the batch file is launched via a Startup Script and not a logon script.  Logon Scripts in Group Policy require users to have local administration rights to make system wide changes (something which is not best practice).  Startup Scripts will run under the SYSTEM account with administrative rights.

Sunday, November 29, 2015

Active Directory Topology Diagrammer Error

I'm running Windows 10 with Visio 2016 (both x64 builds).  I needed to draw out the topology of a customer's Active Directory domain; however, when attempting to draw the topology using the free Microsoft tool I received the following error message:

Could not open the Visio Stencil !!!
ADTD can not continue with the drawing.
The current drawing will be canceled !

To resolve this issue, in Visio click File --> Options.
Open the "Trust Center" then click "Trust Center Settings".

Untick all Open and Save boxes as shown below:

After making this change the topology should generate without issues:


Thursday, October 29, 2015

Active Directory Issues - Network Drives Not Mapping

A customer of mine raised an issue in regard to network drives not being mapped for users.  This included drives mapped via Group Policy and Home Drives mapped via the NT4 Home Drive option of the Active Directory user account.

When users attempt to navigate to the UNC paths manually or map a drive manually it works as expected, however mapping network drives automatically upon logon simply did not work.

Users were also unable to navigate to the domain name "\\domain.local"; however, they could navigate to "\\domain.local\netlogon" and "\\domain.local\sysvol".  Navigating to the domain root resulted in this error being generated:

\\domain.local is not accessible.  You might not have permissions to use this network resource.  Contact the administrator of this server to find out if you have access permissions.

Logon Failure: The target account name is incorrect.

This issue with not being able to navigate to the domain root UNC share occurred on all member workstations and servers throughout the organisation.  Domain Controllers were not affected by the issue.

The following three events were also found throughout the System event log on all client workstations across the company's domain.

Log Name:      System
Source:        NETLOGON
Date:          26/10/2015 7:56:15 AM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTER.domain.local
This computer was not able to set up a secure session with a domain controller in domain DOMAIN due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Date:          23/10/2015 4:02:46 PM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTER.domain.local
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server candc1$. The target name used was cifs/domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          28/10/2015 6:18:58 PM
Event ID:      1006
Task Category: None
Level:         Error
User:          DOMAIN\UserAccount
Computer:      COMPUTER.domain.local
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Some computers were also receiving:

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\sysvol\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

This GUID referenced the Default Domain Policy (the first policy in the domain).  There was nothing wrong with the Default Domain Policy on the customer's network; policy was simply not applying to domain members due to an issue in Active Directory.

One issue which I focused on was the Kerberos error "KRB_AP_ERR_MODIFIED".  I have seen this issue before when the same SPN was registered on at least two accounts.  For example, an SPN was registered on two accounts: A and B.  What happens is that the KDC will generate a service ticket that may be encrypted with the password of account A.  Then, when the client sends that ticket to the service during authentication, the service may try to decrypt it using account B.

I searched the customer's domain for duplicated SPNs using "setspn.exe -X" and found some; however, they were not related to the error received.  Also, I have never seen the "KRB_AP_ERR_MODIFIED" error generated on EVERY domain member workstation/server in an Active Directory environment.

Looking further into the SPNs, we decided to dump the entire domain with every object/attribute to a text file using:

ldifde -f out.txt -d dc=domain,dc=local

Generally, SPNs on a user account reference a member server on the network running a particular service under that service account, such as SQL.  However, as this issue was affecting the entire domain and KRB_AP_ERR_MODIFIED refers to duplicated SPN records, we looked to see if there were any SPNs set at domain level on an account by searching our output from ldifde for "host/domain.local".

We found an SPN set to the root of the domain from the search results.  Important content from output below is blurred to protect the privacy of the customer.

We went and removed the incorrectly set up SPN record from the problematic service account svc_adfs using Active Directory Users and Computers with Advanced Features turned on, then forced replication with "repadmin /syncall /APeD".

After removing the incorrectly configured SPN, we purged the Kerberos tickets off a workstation then attempted to open Explorer at the root of the domain "\\domain.local".  We were able to navigate to this share successfully.

The issues with network drives not mapping on logon were also resolved.
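The two checks carried out above by hand (setspn -X for duplicates, and grepping the ldifde dump for an SPN pointing at the domain root) can be run as one query against the domain.  This is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read the domain, and it excludes domain controllers, which legitimately share domain-level SPNs such as ldap/domain.local.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT module and
# read access to the domain; the domain name is read from the current domain unless supplied.
Import-Module ActiveDirectory

function Find-SuspectSpn {
    param([string]$DomainDns = (Get-ADDomain).DNSRoot)

    # One query for every account (user, computer, MSA) carrying at least one SPN
    $accounts = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -Properties servicePrincipalName, userAccountControl
    $byDn  = @{}   # DN -> object, for the DC check below
    $index = @{}   # lower-cased SPN -> DNs of the accounts holding it
    foreach ($acct in $accounts) {
        $byDn[$acct.DistinguishedName] = $acct
        foreach ($spn in $acct.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $acct.DistinguishedName
        }
    }

    $domain = $DomainDns.ToLowerInvariant()
    $findings = foreach ($entry in $index.GetEnumerator()) {
        # SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl marks a domain controller;
        # DCs legitimately share domain-level SPNs, so only non-DC holders are considered
        $nonDc = @($entry.Value | Where-Object { -not ($byDn[$_].userAccountControl -band 0x2000) })

        # Same SPN on two or more accounts: the KDC may encrypt the ticket with the wrong
        # account's key and the service then reports KRB_AP_ERR_MODIFIED (what setspn -X finds)
        if ($nonDc.Count -gt 1) {
            [pscustomobject]@{ Reason = 'DuplicateSPN'; SPN = $entry.Key; Holders = ($nonDc -join '; ') }
        }

        # SPN whose host part is the domain name itself (host/domain.local, cifs/domain.local)
        # on an ordinary account: tickets for \\domain.local are then issued for the wrong key
        $hostPart = (($entry.Key -split '/')[1]) -replace ':\d+$', ''
        if ($hostPart -eq $domain -and $nonDc.Count -ge 1) {
            [pscustomobject]@{ Reason = 'DomainRootSPN'; SPN = $entry.Key; Holders = ($nonDc -join '; ') }
        }
    }
    return $findings
}

Find-SuspectSpn | Sort-Object Reason, SPN | Format-Table -AutoSize
```

An empty result means no non-DC account holds a duplicated or domain-root SPN; a DomainRootSPN row is the case described in this post and the listed account is where the SPN needs to be removed.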

The SVC_ADFS account was created as part of an AD FS deployment for federation with applications and Microsoft Cloud Services.  The AD FS backend role was installed on two corporate domain controllers and two proxy servers were deployed in a DMZ setup to process the authentication requests from external services.  This is the Microsoft best practice for corporate organisations under 1000 seats, as it reduces the number of servers required and provides high redundancy by leveraging NLB on both the backend and frontend AD FS servers, as per:

I went over the build documentation of the engineer who was in charge of implementing AD FS and could not see how the SPN was set; he did not manually set it.

Hope this post helps someone who experiences this same issue.

Monday, October 26, 2015

Enable Firewall Logging on Windows

Are your packets being dropped by Windows Firewall?  Want an insight into what is going on?  Simply open local group policy on a workstation / server (gpedit.msc) or configure a GPO in Group Policy Management Console (GPMC).  Under Windows Firewall with Advanced Security, go to the general properties.  Select the profile --> Logging and enable Logging on the set profile.  The log file by default goes to:


Very handy for troubleshooting.

Exchange 2013 POP3 Proxy Inactive

A customer complained that POP3 was no longer working.  After looking into this, it turned out that PopProxy was Inactive on the Exchange 2013 server.  Why it was inactive is unknown.

Starting the PopProxy was challenging.  Generally you change ServerComponentState using the Maintenance requester for most components, however running the following command did nothing:

Set-ServerComponentState -State Active -Requester Maintenance -Component PopProxy -Identity AB-EXCH-01

To start the PopProxy component, I needed to use the Exchange 2013 Health API as a requester.

Set-ServerComponentState -State Active -Requester HealthAPI -Component PopProxy -Identity AB-EXCH-01

As shown below:

Exchange 2013 421 4.3.2 Service not active

A customer of mine upgraded an Exchange 2013 cluster node from Exchange 2013 CU7 to Exchange 2013 CU10.  After the upgrade, emails failed to come in on the cluster node with the following SMTP error being generated: "421 4.3.2 Service not active".

This can be reproduced by simply telnetting the faulty Exchange 2013 server.  After entering MAIL FROM: in the SMTP conversation, the error occurs, and it is shown numerous times throughout the receive connector protocol logs on the frontend transport stack.

After further investigation I found that the majority of the Server Components for the faulty Exchange Server were in an inactive state.

To bring the server back to an active state, ServerWideOffline was set to Active which resumes all services using a requester of Maintenance.  This was done with the following command:

Set-ServerComponentState -State Active -Requester Maintenance -Identity AB-EXCH-02 -Component ServerWideOffline

Note: ForwardSyncDaemon and ProvisioningRps are Inactive by default.

After running this command all Exchange 2013 components were back to an active state apart from components disabled by default.
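The common thread in the PopProxy post above and this one is that a component only comes back when the same requester that marked it Inactive sets it Active again, so the first step is to see which requester is holding each component down.  This is an added example, not from the original posts; it assumes an Exchange 2013 Management Shell session, that the LocalStates entries returned by Get-ServerComponentState expose Requester, State and Timestamp, and reuses the server name AB-EXCH-02 from the post.

```powershell
# Added example (not from the original posts). Assumes an Exchange 2013 Management Shell
# session and that LocalStates entries carry Requester, State and Timestamp.
function Get-InactiveComponent {
    param([Parameter(Mandatory)][string]$Server)

    Get-ServerComponentState -Identity $Server |
        Where-Object { $_.State -ne 'Active' } |
        ForEach-Object {
            $comp = $_
            # LocalStates holds one entry per requester that has touched the component;
            # the component stays Inactive until each requester that set it Inactive
            # sets it Active again, which is why Maintenance did nothing for PopProxy
            $blocking = @($comp.LocalStates | Where-Object { $_.State -eq 'Inactive' })
            [pscustomobject]@{
                Component  = $comp.Component
                State      = $comp.State
                Requesters = ($blocking | ForEach-Object { "$($_.Requester)@$($_.Timestamp)" }) -join '; '
            }
        }
}

function Resume-ComponentByRequester {
    param([Parameter(Mandatory)][string]$Server, [switch]$WhatIf)

    # Components that are Inactive by design on Exchange 2013 (see the note above)
    $expectedInactive = 'ForwardSyncDaemon', 'ProvisioningRps'

    foreach ($c in Get-InactiveComponent -Server $Server) {
        if ($expectedInactive -contains $c.Component) { continue }
        # Reactivate with exactly the requester(s) that marked the component Inactive
        $states = (Get-ServerComponentState -Identity $Server -Component $c.Component).LocalStates
        foreach ($entry in $states) {
            if ($entry.State -ne 'Inactive') { continue }
            Set-ServerComponentState -Identity $Server -Component $c.Component `
                -State Active -Requester $entry.Requester -WhatIf:$WhatIf
        }
    }
}

# Review first, then drop -WhatIf once the list of requesters looks right
Get-InactiveComponent -Server 'AB-EXCH-02' | Format-Table -AutoSize
Resume-ComponentByRequester -Server 'AB-EXCH-02' -WhatIf
```

Setting ServerWideOffline back to Active, as in the post, is the shortcut for the case where Maintenance holds every component; this script covers the case where individual components are held by another requester such as HealthAPI.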