Posts

StartDagServerMaintenance.ps1 Error with 2 Database Copies

When you have a DAG with only two nodes, the StartDagServerMaintenance.ps1 script is smart enough to recognize that you can't have 2 additional copies of the database. However, if you have more than 2 DAG members, then the script complains that it can't run because the local database copy is required for redundancy. I ran into this at a client where we created a database in the DR site for running test cmdlets with SCOM. There are two copies of the database in the DR site. Other databases have two copies in the main site and one copy in the DR site. You can override the default behaviour with the switch OverrideMinimumTwoCopies. Example:

StartDagServerMaintenance.ps1 -Server DAGnode1 -OverrideMinimumTwoCopies

Getting Status Totals in PowerShell

I was doing an Exchange migration on the weekend and had a large number of move requests. Being the slightly OCD computer person as most of us are, I wanted to see how things were progressing occasionally. However, I didn't want to be dumping stuff into spreadsheets and be counting items. After a few false starts, I ran across the Group-Object cmdlet. For me, this cmdlet is in the same category as Measure-Object. I've never had a need in the past. Now I'm happy to have it. My solution:

Get-MoveRequest | Group-Object -Property Status

The results looked like this:

Synchronizing Remote IP Ranges Across Receive Connectors

Exchange 2010 and later do a nice job of providing high availability with database availability groups (DAGs) and load balancing. However, one configuration detail doesn't automatically synchronize between multiple Exchange servers, and that is receive connectors. If you create receive connectors for relaying output from printers or scanners, then the connector you create is unique on each server. That's fine if you are pointing the devices at individual Exchange servers, but to have high availability, you need multiple load-balanced servers with the same configuration. To do this, you need to create the same receive connectors on each server. During initial setup, creating 2 or 4 receive connectors with the same settings for authentication and such isn't too big a deal. The item that's a pain is the remote IP ranges that are allowed to use the receive connector. Many organizations have a large list of individual IP addresses that are allowed to use the receive connector. I...

Can't Create Domain Certificate with Custom Template in IIS Manager

I was teaching an informal class this week on certificates and Active Directory Certificate Services (AD CS). When a class is informal, you don't necessarily create detailed lab activities ahead of time. It's more like you have a general flow you want to do. Consequently, something just doesn't work as you expect. We used IIS Manager to create a domain certificate from the internal CA that we had set up. That part worked fine based on the Web Server template that exists automatically after installing AD CS. After that I thought this would be a great way to demonstrate superseding a template. Turns out I was wrong. The wizard in IIS Manager will only request certificates based on the Web Server template. If you take that one away, the wizard for creating a domain certificate doesn't work. We were using Windows Server 2012 R2, but this behavior is also consistent in Windows 2008/2008 R2 (IIS 7/7.5). The workaround is to use the Certificates snap-in to create the certificate ...

iOS 9 Increases Security Requirements

Apple recently released iOS 9 and this is important for Exchange administrators. Many implementations of Exchange 2010 are implemented on Windows Server 2008 R2, which does not meet the security requirements for iOS 9 to connect. Apps on iOS 9 or later and OS X 10.11 or later use App Transport Security. App Transport Security defines minimum security standards that must be met for a network connection to be successful. The default behavior requires: TLS version 1.2; perfect forward secrecy; SHA256 or better for certificate signature; and a 2048 bit or better RSA key (or 256 bit or better ECC key). If your Exchange server does not meet the App Transport Security requirements, then the connection is dropped by iOS or OS X. This applies to web services. So, it will affect OWA, ActiveSync, and EWS (Outlook for Mac). We are just starting to see iOS 9 installed by clients and are in the process of ensuring that servers meet the requirements. NOTE: As of right now (Sept 20/15), iOS 9 does not appear to b...

Cannot achieve Exchange Server authentication

In a single server Exchange environment, you can get away with some misconfiguration because the Exchange servers don't need to communicate with each other. Recently I was working with a larger client that made a common configuration error on receive connectors. This client had the following configuration: multi-role DAG members in datacenter #1; multi-role DAG members in datacenter #2; all mailbox databases are replicated between the two datacenters; 1 public folder database in each datacenter. Message delivery was working properly between servers in datacenter #1. Only passive database copies were in datacenter #2. However, there were issues with public folder replication. Some public folders were not replicating properly from datacenter #1 to datacenter #2. Looking at the queues for servers in datacenter #2, you could see that the queue between AD sites had a large number of messages. The following error was present on the queue: 451 4.4.0 Primary target IP address responded with: ...

Hung at Couldn't Complete Updates Undoing Changes

Setting up a new VM for a client today and ran into a new issue. Well, new to me. Fortunately others have seen this before. In a brand new Windows Server 2012 R2 VM (provided by Dell), I downloaded all of the available updates from Windows Update and started the installation. After a long period of time, the VM rebooted and I got the following message: "We couldn't complete the updates. Undoing changes. Don't turn off your computer." I'm a reasonably patient guy, but after 40 minutes of this I decided that waiting longer wasn't going to fix this. The first round of searching suggested that I disable Secure Boot for the VM. Apparently others had good luck with this: http://blog.powerbiz.net.au/fixes/we-couldnt-complete-the-updates-undoing-changes-error-on-windows-server-2012-r2/ Unfortunately I restarted the VM and Windows Server 2012 R2 hung in exactly the same spot again. Although I only waited about 10 minutes this time before declaring it hung. So, what's next? There i...