
Accessing Exchange 2013 On-Premise Public folders for Office 365 Users

Recently I have been working with a friend on his Exchange 2013 Hybrid configuration. Once the Hybrid configuration is set up, it becomes easy to start migrating on-premises mailboxes to the cloud (Office 365), assign them the needed licenses, etc.

One issue reported by the users was not being able to see and access their Public folders from their Outlook client. Yes, it's legacy and Microsoft has been trying to phase it out, however many companies still depend on it and users love it.

Microsoft has a very good document for configuring legacy public folders in an Exchange hybrid configuration, however it mainly covers Exchange 2007 and 2010.

For more info, check it on https://technet.microsoft.com/en-us/library/dn249373(v=exchg.150).aspx

So, a little background on Public folders in Exchange 2013: starting with 2013 there is no longer a separate database for Public folders; instead there are special public folder mailboxes which store both the public folder hierarchy and the content.

When you create the first public folder mailbox, it will be the Primary Hierarchy Mailbox (Check below image)

So in the above screenshots the Public folders are stored in the MasterHierarchy mailbox. This was the tricky point. Here is how to configure the cloud/Office 365 users to access the on-premises Exchange 2013 Public folders:

  1. First of all we need to sync this mailbox (MasterHierarchy) to the cloud using DirSync or whatever tool you are using to sync your on-premises users to the cloud; this user/mailbox must be synced from the local on-premises AD to the cloud/Office 365.
  2. Open an Exchange Online PowerShell session (to do this, follow this document https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx ).
  3. Run the following command from the Exchange Online PowerShell session: "Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes MasterHierarchy@domain.com". Replace domain.com with your actual domain name.
  4. To make sure the public folders are set for remote access and can be viewed by Exchange Online users, run the following PowerShell command: "Get-OrganizationConfig | fl *public*"
This should do the trick and you can access your public folders. One more thing: what if you have mail-enabled public folders that you need to send emails to? Well, these are not synced by DirSync or whatever tool you are using. In this case we go back to the first document I mentioned, https://technet.microsoft.com/en-us/library/dn249373(v=exchg.150).aspx :


  1. Go to Step 2 in the document referenced above and download the 2 scripts.
  2. Follow Step 3 and run the needed commands from your Exchange 2013 server to sync your mail-enabled public folders.
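The following script is an added example (not from the original post) that wraps steps 1 to 4 above into a single check: it confirms the hierarchy mailbox has actually been synced before pointing Exchange Online at it, then verifies the resulting organization config. It assumes an existing Exchange Online PowerShell session and uses MasterHierarchy@domain.com as a placeholder address.

```powershell
# Added verification script; assumes an open Exchange Online PowerShell session.
$HierarchyMailbox = 'MasterHierarchy@domain.com'   # placeholder: your synced hierarchy mailbox

# 1. The synced hierarchy mailbox must already exist as a recipient in Exchange Online.
#    If DirSync has not created it yet, Set-OrganizationConfig cannot resolve the address.
$recipient = Get-Recipient -Identity $HierarchyMailbox -ErrorAction SilentlyContinue
if (-not $recipient) {
    throw "$HierarchyMailbox is not synced to Exchange Online yet; check DirSync before continuing."
}
"Found synced recipient '$($recipient.Name)' of type $($recipient.RecipientTypeDetails)"

# 2. Point Exchange Online at the on-premises public folder hierarchy (step 3 of the post).
Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes $HierarchyMailbox

# 3. Verify (step 4 of the post): PublicFoldersEnabled must read 'Remote' and the list of
#    remote hierarchy mailboxes must not be empty. The list is printed for inspection
#    because its entries are directory object ids rather than SMTP addresses.
$cfg = Get-OrganizationConfig
$cfg | Format-List *public*
$ok = ($cfg.PublicFoldersEnabled -eq 'Remote') -and
      (@($cfg.RemotePublicFolderMailboxes).Count -ge 1)
if ($ok) {
    'Remote public folders are configured; Outlook clients in Office 365 should now see the on-premises hierarchy.'
} else {
    Write-Warning 'Remote public folder configuration is incomplete; re-check the hierarchy mailbox sync.'
}
```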

Hopefully this post will help users facing this common issue with Hybrid configurations.




Event 1096, The Processing of Group Policy failed.

Recently I came across a group policy processing failure: when a user runs gpupdate /force, it works for the User policy but fails for the Computer policy with an error that group policy processing failed. As a result, no computer policy will apply on this device.

Upon checking the Event viewer, the system log was filled with the Event ID 1096 as attached below.


As per Event ID 1096, Windows couldn't apply the registry-based policy settings for the Local GPO. The first place to check was the Registry.pol file stored locally on the computer.


Steps to resolve this issue:


  1. Delete or rename the Registry.pol file at c:\windows\system32\grouppolicy\machine\registry.pol
  2. Configure any administrative template setting in the local Computer Configuration GPO. This automatically regenerates a new Registry.pol file.
  3. gpupdate /force will now run normally without any problem.
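As an added helper (not part of the original post), the script below checks the Registry.pol header before touching the file, renames rather than deletes it so the broken copy can be examined later, and then refreshes computer policy. The only assumption is the standard path used above; run it from an elevated PowerShell.

```powershell
# Added helper: validate, back up and regenerate the local machine Registry.pol.
$PolFile = Join-Path $env:windir 'System32\GroupPolicy\Machine\Registry.pol'
$Force   = $false   # set to $true to rename the file even when its header looks valid

function Test-RegistryPolHeader {
    param([string]$Path)
    # A well-formed Registry.pol starts with the ASCII signature "PReg" followed by a
    # 32-bit little-endian version number of 1; anything else is a truncated or corrupt file.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return $false }
    $signature = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4)
    $version   = [System.BitConverter]::ToInt32($bytes, 4)
    return ($signature -eq 'PReg' -and $version -eq 1)
}

if (-not (Test-Path -LiteralPath $PolFile)) {
    "No local Registry.pol present; nothing to repair."
} elseif ((Test-RegistryPolHeader $PolFile) -and -not $Force) {
    "Registry.pol header is valid; if Event 1096 persists, re-run with `$Force = `$true."
} else {
    # Rename instead of delete so the broken file is kept for later inspection.
    $backupName = "Registry.pol.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Rename-Item -LiteralPath $PolFile -NewName $backupName
    "Registry.pol moved to $backupName in the same folder."
    "Now configure any Administrative Template setting in gpedit.msc (Computer Configuration)"
    "so that a fresh Registry.pol is generated, then the refresh below will succeed."
}

# Step 3 of the post: refresh computer policy only.
gpupdate /force /target:computer
```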

For more info about Local GPO and corrupted Registry.pol, please check the below links:






Two DNS Records with same IP Address. Aging and Scavenging problems with DHCP Lease duration !!

Aging and Scavenging is crucial for an Active Directory integrated zone and should be carefully planned and configured. We recently faced a problem when a System Admin reported two DNS records with the same IP address in the DNS Active Directory integrated zone.

The first thing that came to my mind was to check the Scavenging settings; however both intervals (Refresh and Non-Refresh) seemed fine compared to the DHCP lease time. Always remember that the main rule for this setting is that the Non-Refresh Interval + Refresh Interval should be greater than the DHCP lease time. You can tweak it depending on your network, IP availability and how busy your network is with computers coming and going, but always keep this main equation in mind.

The second thing to check was the DHCP scope properties, specifically the DNS tab. Upon checking this setting I noticed that "Dynamically update DNS only if requested by DHCP clients" was selected, as shown below.





It should be noted that with the above setting, the DNS record is only updated or removed from the DNS zone if the client itself initiates a renew or release request, for example with the ipconfig /release command. As per Microsoft Support, in most circumstances the DHCP client won't initiate the DHCP release request (the client is just removed from the network), so the DHCP server and the DNS integrated zone won't notice that this client is gone and still consider it online.

After the DHCP lease duration ends, the DHCP server gets this IP back and another client may get the same IP and register itself with it. Now remember the main equation we mentioned earlier: since the Aging and Scavenging time hasn't elapsed yet (it is greater than the DHCP lease), the result is two records with the same IP address in the DNS zone.

The solution to this issue is to ensure the DNS record is deleted once the lease time is reached: change the setting in the image above (Scope Properties - DNS) to "Always dynamically update DNS A and PTR records".

After changing this setting you will need to restart both DHCP server and DNS server services.
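The following added check (not from the original post) turns the two things examined above into a script: it reads the zone's Non-Refresh and Refresh intervals, compares their sum with every DHCP scope's lease duration, and flags scopes still set to update DNS only on client request. It assumes the DnsServer and DhcpServer PowerShell modules (Windows Server 2012 or later); the zone name and DHCP server name are placeholders.

```powershell
# Added check: DNS scavenging window versus DHCP lease duration, plus the scope DNS setting.
Import-Module DnsServer, DhcpServer
$ZoneName   = 'domain.com'          # placeholder: your AD-integrated zone
$DhcpServer = 'dhcp01.domain.com'   # placeholder: your DHCP server

# Rule from the post: Non-Refresh + Refresh interval must be greater than the DHCP lease.
$aging = Get-DnsServerZoneAging -Name $ZoneName
$scavengeWindow = $aging.NoRefreshInterval + $aging.RefreshInterval
"Zone $ZoneName aging enabled: $($aging.AgingEnabled); NoRefresh + Refresh = $scavengeWindow"

foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scope.ScopeId
    $issues = @()

    if ($scope.LeaseDuration -ge $scavengeWindow) {
        $issues += "lease $($scope.LeaseDuration) is not shorter than the scavenging window $scavengeWindow"
    }
    # 'OnClientRequest' is the "only if requested by DHCP clients" option that left the
    # stale record behind; the post's fix is 'Always'.
    if ($dns.DynamicUpdates -ne 'Always') {
        $issues += "DynamicUpdates is '$($dns.DynamicUpdates)', expected 'Always'"
    }

    if ($issues) {
        Write-Warning "Scope $($scope.ScopeId): $($issues -join '; ')"
        # Remediation from the post (uncomment to apply), then restart the DHCP and DNS services:
        # Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scope.ScopeId -DynamicUpdates Always
    } else {
        "Scope $($scope.ScopeId): OK"
    }
}
```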


Reference Link:

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx



WMI Unhealthy on 2008R2 Domain Controllers - WBEM_E_QUOTA_VIOLATION

Windows Management Instrumentation (WMI) is a core Windows management technology. It provides a consistent approach to carrying out day-to-day management operations with programming or scripting languages.

I recently started getting WMI failures on a daily basis on my 2008 R2 domain controllers, accompanied by several script failures and DNS performance degradation.


I also noticed that the Configuration Manager (SCCM) evaluation rules on this domain controller failed and SCCM reported errors. The policy request date in SCCM is a few hours old and the server never reports back to SCCM until the DC/server is rebooted.


Troubleshooting Steps:


  1. I started by running the WMI Diagnosis tool from http://www.microsoft.com/en-us/download/details.aspx?id=7684
  2. The WMIDiag log file reported WBEM_E_QUOTA_VIOLATION as follows:
.5265 16:34:02 (0) ** 981 error(s) 0x8004106C - (WBEM_E_QUOTA_VIOLATION) WMI is taking up too much memory
.5266 16:34:02 (0) ** => This error is typically due to the following major reasons:
.5267 16:34:02 (0) **    - The requested WMI operation is extremely costly in terms of resources and
.5268 16:34:02 (0) **      the WMI provider handling this operation has exceeded the authorized limits.

  3. I later tried to check whether basic WMI functionality was working by running the following test:

     1. From an elevated command prompt, run wbemtest and connect to the namespace root\cimv2
     2. Click Query... and enter the following query: "Select * from Win32_ComputerSystem"
     3. This test failed and the following error was reported:

        0x80041017 Facility: WMI  Description: Invalid Query

  4. I tried fixing and rebuilding the WMI repository as follows:

     • Disable and stop the WMI service: sc config winmgmt start= disabled and net stop winmgmt
     • At a command prompt (cmd), change to the WBEM folder: cd %windir%\system32\wbem
     • Rename the repository folder: rename repository repository.old
     • Re-enable the WMI service: sc config winmgmt start= auto
     • Run the following commands to manually recompile all of the default WMI .mof and .mfl files:
       cd %windir%\system32\wbem
       for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s


The only way to get around this issue was to manually reboot the server. After rebooting, it works for a few hours without a problem and then the failures start again. Another thing to note is that the WmiPrvSE.exe process consumes a huge amount of memory while this problem occurs.

Resolution Steps:

  1. Increased the "MemoryPerHost" value to 1 GB (1073741824 bytes); by default it is 536870912, which is 512 MB, as per the attached article.


  2. Install the following WMI hotfixes (Language: All (Global), Platform: x64):

     - KB 2705357
     - KB 2692929
     - KB 2617858
     - KB 2465990
     - KB 2492536
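As an added diagnostic (not from the original post), the script below reproduces the wbemtest query from troubleshooting step 3 with Get-WmiObject, lists the memory used by each WmiPrvSE.exe provider host, and reads the MemoryPerHost quota from the __ProviderHostQuotaConfiguration singleton in the root namespace, which is where that value lives. Setting $RaiseQuota to $true applies the 1 GB value from resolution step 1; run from an elevated PowerShell on the domain controller.

```powershell
# Added WMI health check and MemoryPerHost quota inspection/adjustment.
$RaiseQuota          = $false        # $true to apply the 1 GB quota used in the post
$TargetMemoryPerHost = 1073741824    # 1 GB; the default quota is 536870912 (512 MB)

# 1. Basic WMI test: the same query the post ran in wbemtest against root\cimv2.
try {
    $cs = Get-WmiObject -Namespace 'root\cimv2' -Query 'SELECT * FROM Win32_ComputerSystem' -ErrorAction Stop
    "WMI query OK: $($cs.Name) in domain $($cs.Domain)"
} catch {
    # A failure here (for example WBEM_E_QUOTA_VIOLATION) reproduces the symptom from the post.
    Write-Warning "WMI query failed: $($_.Exception.Message)"
}

# 2. Provider host memory: a WmiPrvSE.exe close to the quota is the symptom noted above.
Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue |
    Select-Object Id, @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } } |
    Format-Table -AutoSize

# 3. Provider host quotas are stored in __ProviderHostQuotaConfiguration under root.
$quota = Get-WmiObject -Namespace 'root' -Class '__ProviderHostQuotaConfiguration'
"Current MemoryPerHost: $($quota.MemoryPerHost) bytes; MemoryAllHosts: $($quota.MemoryAllHosts) bytes"

if ($RaiseQuota -and $quota.MemoryPerHost -lt $TargetMemoryPerHost) {
    $quota.MemoryPerHost = $TargetMemoryPerHost
    $null = $quota.Put()   # persists the new quota in the repository
    "MemoryPerHost raised to $TargetMemoryPerHost bytes; restart the winmgmt service for it to take effect."
}
```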




For a list of suggested WMI hotfixes on the different Windows platforms, please check this blog, which is maintained and updated regularly.


Error 0x803100B7 Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device

A few weeks ago I purchased the Microsoft Surface Pro tablet. It's a very nice production tablet that really enables remote users to run their production applications and workloads. There is still some room for improvement before it becomes the number one choice of tablet for business users. From my point of view the three main things that need improvement are battery life, a 3G/4G connectivity option and a better camera.

Surface Pro comes with Windows 8 Professional, which is very nice and allows you to join your corporate network, however it lacks a great feature: DirectAccess! So I decided to turn it into a fully productive device and install Windows Enterprise on it. It's very simple, just like building a fresh new computer.

I formatted the Surface drive but kept the recovery image (for any future need). After finishing the Windows Enterprise installation I installed the latest Surface Pro Firmware and Driver Pack from http://www.microsoft.com/en-eg/download/details.aspx?id=38826

Finally I got DirectAccess working on my Surface. That was really an exciting moment. The next challenge was joining my domain's MBAM/BitLocker policy. Our MBAM/BitLocker policy requires the use of a PIN while booting the computer. When the MBAM encryption wizard started I got the error 0x803100B7 "Group Policy settings require the creation of a startup PIN, but a pre-boot keyboard is not available on this device", and the event viewer provided the details shown in the attached image.


To fix this issue we need to change/enable a few settings in the Surface Local Policy.

Note: In order to use pre-boot authentication you need to have a keyboard attached to the Surface during boot. You may use the Surface Touch/Type keyboard or any external keyboard connected to the USB port.

  1. Type GPEDIT.MSC in the Run box to open the local Group Policy Editor
  2. Drill down to Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives
  3. Enable both "Require Additional Authentication at Startup" and "Enable use of BitLocker authentication requiring preboot keyboard input" - check the image below.





After that, restart the BitLocker Management Client Service to trigger the MBAM wizard again; it should now complete normally without any problem.
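The following added check (not from the original post) confirms that the two local policy settings from steps 1 to 3 are actually in effect before the MBAM client is restarted. It reads the registry-backed values those policies write under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and OSEnablePrebootInputProtectorsOnSlates); run it from an elevated PowerShell on the Surface.

```powershell
# Added check: verify the two BitLocker pre-boot settings are applied, then restart MBAM.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy name in gpedit.msc  ->  registry value it writes (1 = Enabled)
$required = @{
    # "Require additional authentication at startup"
    UseAdvancedStartup                     = 1
    # "Enable use of BitLocker authentication requiring preboot keyboard input on slates"
    OSEnablePrebootInputProtectorsOnSlates = 1
}

$policy  = Get-ItemProperty -Path $FvePolicy -ErrorAction SilentlyContinue
$missing = foreach ($name in $required.Keys) {
    # $policy.$name is $null when the key or value does not exist yet
    if ($policy.$name -ne $required[$name]) { $name }
}

if ($missing) {
    Write-Warning "Not yet enabled in local policy: $($missing -join ', '). Enable them in gpedit.msc, then run gpupdate /force and re-run this check."
} else {
    'Both pre-boot keyboard settings are enabled; restarting the MBAM client so the encryption wizard runs again.'
    Get-Service -DisplayName 'BitLocker Management Client Service' | Restart-Service
}
```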


DHCP Superscope Keeps reverting back after Deletion

I ran into this after deleting a DHCP superscope: the superscope came back after the DHCP server was rebooted or the DHCP service was restarted. To properly remove a DHCP superscope, you can use either of the following methods:

  1. Right-click the superscope and click Delete. It's safe and won't have any impact on the sub-scopes under this DHCP superscope. In fact you will receive a message confirming that the deletion will not affect or delete any child scopes, as shown below.
DHCP Superscope deletion


  2. Another way is to deactivate the sub-scopes (under your DHCP superscope), move these scopes and then activate them again. After all sub-scopes are moved, the DHCP superscope is removed/deleted automatically.
DHCP Technical Documentation:


The Active Directory integrated DNS zone _msdcs.domain.com was not found

Error Reported in Event Viewer or DNS Best Practices Analyzer.

"The Active Directory integrated DNS zone _msdcs.domain.com was not found"

This error might appear in environments and domains that were originally built back in the days of Windows 2000 or Windows 2003. By default, before Windows Server 2003 SP1, there was no independent _msdcs.domain.com zone in the DNS console. When the domain was originally created under Windows 2000 or Windows 2003, there was only an _msdcs folder under the domain.com zone, which also provided resolution for _msdcs.domain.com. Since Windows Server 2003 SP1, when you create a zone such as domain1.com, there is an independent _msdcs.domain1.com zone, which is a delegation of the original _msdcs folder. This separate _msdcs zone greatly benefits DNS replication.

What is the _msdcs Zone?
According to Microsoft documentation/definition:

“Microsoft-specific subdomain enables location of domain controllers that have specific roles in the Active Directory domain or forest. Resource records for the DNS root domain of a new Active Directory forest are stored in a _msdcs zone instead of a subdomain, and that zone is stored in the forest-wide application directory partition.”
This zone hosts only the DNS SRV records registered by Microsoft-based services, as well as the globally unique identifier (GUID) records for all domains in the forest and a list of the GC servers in your forest/domain.


DNS support for AD guide
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx

The steps needed to resolve this issue are as follows:
1. Manually create the _msdcs.domain.com zone

·         Open the DNS console, right-click "Forward Lookup Zones", click "New Zone" and manually create the new zone _msdcs.Domain.com; select Primary zone and check "Store the zone in Active Directory" on the Zone Type page.
Manual creation of DNS Zone



2. After that, check whether _msdcs.Domain.com has been created and the records are correct. If not, continue with the next step.

3. Create a delegated _msdcs zone under domain.com and delegate it to the _msdcs.domain.com zone. Right-click "Domain.com", click "New Delegation" and type _msdcs in the Delegated domain text box.

DNS new delegation wizard



4. Click the Add button to enter the DNS server's IP address.
5. Stop and restart the NETLOGON and DNS services.
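As an added example (not from the original post), the script below performs steps 1 to 5 with the DnsServer PowerShell module (Windows Server 2012 or later) instead of the DNS console: it creates the AD-integrated _msdcs zone in the forest-wide partition if it is missing, checks that SRV records are present, adds the _msdcs delegation under the parent zone if it is missing, and restarts the services. The domain name, DNS server FQDN and IP address are placeholders.

```powershell
# Added script: create the _msdcs zone and its delegation if they are missing.
Import-Module DnsServer
$Domain        = 'domain.com'        # placeholder: your AD domain / parent zone
$MsdcsZone     = "_msdcs.$Domain"
$DnsServerFqdn = 'dc1.domain.com'    # placeholder: a DC hosting the zone, delegation target
$DnsServerIp   = '10.0.0.10'         # placeholder: that DC's IP address (step 4 of the post)

# Step 1: AD-integrated primary zone, stored forest-wide as Microsoft describes for _msdcs.
if (-not (Get-DnsServerZone -Name $MsdcsZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $MsdcsZone -ReplicationScope Forest -DynamicUpdate Secure
    "Created $MsdcsZone (AD-integrated, forest replication scope)"
} else {
    "$MsdcsZone already exists"
}

# Step 2: check the records; Netlogon re-registers the DC SRV and GUID records on restart.
$srv = Get-DnsServerResourceRecord -ZoneName $MsdcsZone -RRType SRV -ErrorAction SilentlyContinue
"SRV records currently in ${MsdcsZone}: $(@($srv).Count)"

# Step 3: the _msdcs delegation (NS records at the _msdcs node) under the parent zone.
$delegation = Get-DnsServerResourceRecord -ZoneName $Domain -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue
if (-not $delegation) {
    Add-DnsServerZoneDelegation -Name $Domain -ChildZoneName '_msdcs' -NameServer $DnsServerFqdn -IPAddress $DnsServerIp
    "Delegated _msdcs in $Domain to $DnsServerFqdn ($DnsServerIp)"
} else {
    "Delegation for _msdcs already present in $Domain"
}

# Step 5: restart DNS and Netlogon so the DC registers its records into the new zone.
Restart-Service -Name DNS, Netlogon
```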

Troubleshooting Event ID 1058, Group Policy gpt.ini

Event ID 1058

Event ID: 1058
Source: Group Policy

"The Processing of Group Policy failed. Windows attempted to read the file \\domain\sysvol\domain\policies\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\gpt.ini from a domain controller and was not successful."

I ran into this error lately in several environments running Windows 2008 or 2008 R2 domain controllers. The key element in resolving this issue is to determine which group policy is causing the problem.
When you install GPMC you get a sample folder full of very useful scripts that make use of the GPMC COM interfaces; the script we are looking for is DumpGPOInfo.wsf. For some reason Windows 2008 doesn't include this folder and you will have to download it manually from the following link
After downloading and installing the sample scripts, use the above mentioned file to get the name of the GPO generating the above error:
Cscript DumpGPOInfo.wsf {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
This will give you the friendly name of the GPO.
You may delete, rename, etc. the GPO from the Group Policy Management Console. In my case I just enabled/disabled one setting and it worked fine; I was able to recreate the gpt.ini file.
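The following added helper (not from the original post) does the same GUID-to-name lookup with the GroupPolicy module's Get-GPO cmdlet in place of the DumpGPOInfo.wsf sample script, and then tests whether gpt.ini for that GPO is readable on every domain controller, which separates a damaged GPO from a SYSVOL replication gap. It assumes the GroupPolicy and ActiveDirectory modules; the GUID is the placeholder from the event text and must be replaced.

```powershell
# Added helper: resolve the Event 1058 GPO GUID and check gpt.ini on each DC.
Import-Module GroupPolicy, ActiveDirectory
$GpoGuid = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # placeholder: GUID from the event message
$Domain  = (Get-ADDomain).DNSRoot

# Friendly name of the GPO (the post uses DumpGPOInfo.wsf for this step).
$gpo = Get-GPO -Guid $GpoGuid -ErrorAction SilentlyContinue
if ($gpo) {
    "GPO {$GpoGuid} is '$($gpo.DisplayName)' (status: $($gpo.GpoStatus))"
} else {
    Write-Warning "No GPO with GUID {$GpoGuid} exists in $Domain; the link may point at a deleted policy."
}

# gpt.ini must be readable from SYSVOL on every DC. A copy missing on only some DCs points
# at SYSVOL replication rather than at the policy itself.
foreach ($dc in Get-ADDomainController -Filter *) {
    $path = "\\$($dc.HostName)\SYSVOL\$Domain\Policies\{$GpoGuid}\gpt.ini"
    if (Test-Path -LiteralPath $path) {
        $versionLine = Get-Content -LiteralPath $path | Where-Object { $_ -match '^Version=' }
        "$($dc.HostName): gpt.ini present ($versionLine)"
    } else {
        Write-Warning "$($dc.HostName): gpt.ini missing or unreadable at $path"
    }
}
```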