Robocopy – File Server Migration

KB ID 0001233

Problem

I’ve done a lot of migrations, and moving a client’s files and shared data usually makes them cringe.

I’ve lost count of the number of times I’ve heard ‘We can’t have any downtime’, which is fine, until you tell them how much it’s going to cost to do this on a Saturday!

As I posted recently, Microsoft have made this a lot easier with the file server migration tools, which will do the whole thing for you, and migrate profiles, shares, etc.

Windows Server – Migrating Files / Folders / Shares / User Profiles

That’s great, but I find sometimes it’s a little ‘sluggish’ when copying data, and sometimes it’s better to just go ‘old school’ and use Robocopy.

Solution

Why Robocopy? Well, the advantage of Robocopy is that you can use it to copy only new files or files that have changed. So in a two-step procedure, you can do an initial file copy during working hours, then copy the differences out of hours, and repoint people to the new shares.

Tip: Unless you know the network well, always assume there are some shares you don’t know about; run the fsmgmt.msc tool and expand ‘Shares’.

Robocopy Step 1

Just in case things go wrong, I’m going to generate a log of what’s going on, so I can see any errors or files skipped when I’ve finished. On the root of the destination server’s C: drive create a folder called ROBOCOPY-Logs, and within this folder create another folder called Last-Copy (you will see why later).

Replace the placeholder values below (OLDSERVER, FOLDER and the drive letters) to suit your environment;

[box]robocopy \\OLDSERVER\d$\FOLDER D:\FOLDER /e /zb /copy:DATSOU /r:3 /w:3 /log:c:\ROBOCOPY-Logs\FOLDER.log /V /NP
[/box]

Where OLDSERVER is the source fileserver, D$ is the drive letter on the Source Server, and D is the drive letter on the new server.

What are those switches doing?

  • /E Copy subdirectories recursively, (including empty ones.)
  • /ZB Use ‘restartable’ mode, and if this fails use ‘backup’ mode.
  • /copy:DATSOU Copy Data, Attributes, Time Stamps, Security, Owner, aUditing information
  • /R:3 Retry three times, if you don’t specify this, it will retry one million times!
  • /W:3 Wait time between the retries above.
  • /log Will output the log to the folder we created above.
  • /V Produce output in verbose (detailed) mode.
  • /NP Do not show percentage progress

Robocopy Step 2

The second time, the command is virtually the same, with one extra switch, (see below).

[box]robocopy \\OLDSERVER\d$\FOLDER D:\FOLDER /e /zb /copy:DATSOU /MIR /r:3 /w:3 /log:c:\ROBOCOPY-Logs\Last-Copy\FOLDER.log /V /NP
[/box]

  • /MIR This is the ‘mirror directory’ switch, and people are scared of it. Why? Because the documentation says it removes or ‘purges’ files. People mistakenly think that it will remove any files from the source that do not exist in the destination. This is incorrect; it will only remove files from the destination that no longer exist in the source.
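
A way to see what /MIR would remove before running Step 2 for real, and to read Robocopy's exit code afterwards. This is an added example, not part of the original article; it reuses the article's placeholder names and log path, and relies on Robocopy's /L (list only) switch.

```powershell
# Added example, not from the original article. OLDSERVER, FOLDER and the
# drive letters are the article's placeholders; replace them as before.
$source = '\\OLDSERVER\d$\FOLDER'
$dest   = 'D:\FOLDER'
$log    = 'c:\ROBOCOPY-Logs\Last-Copy\FOLDER.log'   # folder must already exist
$common = @('/e', '/zb', '/copy:DATSOU', '/MIR', '/r:3', '/w:3', '/V', '/NP')

# 1. Dry run: /L lists what the mirror pass would do without changing anything.
$preview = & robocopy $source $dest @common /L /NJH /NJS
$extras  = @($preview | Where-Object { $_ -match '\*EXTRA (File|Dir)' })
"{0} item(s) exist only in the destination and would be purged by /MIR" -f $extras.Count
$extras | Select-Object -First 20

# 2. Real run, logging to the Last-Copy folder as in Step 2.
& robocopy $source $dest @common "/log:$log"
$code = $LASTEXITCODE

# 3. The exit code is a bitmask; only values of 8 and above indicate failure.
$meaning = @{
    1  = 'One or more files were copied'
    2  = 'Extra files or directories were detected in the destination'
    4  = 'Mismatched files or directories were detected'
    8  = 'Some files or directories could not be copied (retry limit exceeded)'
    16 = 'Fatal error: nothing was copied'
}
if ($code -eq 0) { 'No changes: source and destination already match' }
foreach ($bit in 1, 2, 4, 8, 16) {
    if ($code -band $bit) { $meaning[$bit] }
}
if ($code -ge 8) {
    Write-Warning "Robocopy reported failures (exit code $code), check $log"
    Select-String -Path $log -Pattern 'ERROR \d+ \(0x' |
        Select-Object -First 20
}
```

If the dry run lists destination items you did not expect to lose, check that the source and destination paths are the right way round before running the real pass.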

 

It Has Not Copied Share Permissions!

That’s correct, I never said it would, it copies NTFS permissions, ownership and ACL information. If you want to copy Share permissions then use the smigdeploy tools from the link I posted above.

Can I Copy the Share Permissions Afterwards?

Yes, if you take a look at the following article, (I wrote a while ago,) you can see me doing just that, after a file copy.

Migrating – Folders and Share Permissions

I Can’t Copy Profiles / I get Permissions Errors?

  • Make sure the user you are using to copy files with, is a member of the ‘Backup Operators’ Group.
  • Make sure you execute the Robocopy command from an administrative command window.
  • Try doing the copy from the SOURCE server.

 

Related Articles, References, Credits, or External Links

NA

AnyConnect – ‘Your environment does not meet the criteria’

KB ID 0001232 

Problem

For an existing client, I was setting up a new user. I connected their laptop through my mobile phone and attempted to connect. This is the error I got.

Cisco AnyConnect
Logon denied: Your environment does not meet the access criteria defined by your administrator.

Solution

A cursory glance over the firewall config didn’t yield anything in their AAA settings that was odd, they were simply using LDAP for authentication.

I probably should have guessed the answer earlier than I did, (because I’ve written an article on it). But the reason this was failing was, the firewall had a Dynamic Access Policy (DAP) attached to the remote VPN, that only permitted access to users that were in a particular Active Directory group. This user was not a member of that group.

To check your Dynamic Access Policies and understand how to find them (you need to be in the ASDM!), see the following article;

Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups

Related Articles, References, Credits, or External Links

NA

VMware ESX – Enable ‘Embedded Host Client’

KB ID 0001231 

Problem

Since ESX 6.0.0 Update 2 you’ve been able to use the Embedded Host Client in ESX. Which is great if (like me) you use a Mac, because I don’t have to fire up a Windows box to load the ‘Fat’ VI client anymore.

What about older versions of ESX?

If you are running 5.5 (Update 3) or newer then you can install and use the Embedded Host Client.

Why didn’t you just upgrade to 6.0.0 Update 2?

Well my second host is using the custom HP build of ESX, and I didn’t want to do a remote upgrade, to find my host then had no drivers for its network cards!

 

Solution

You will need to enable SSH on the host, connect via SSH and issue the following three commands;

[box]

esxcli network firewall ruleset set -e true -r httpClient
esxcli software vib install -n esx-ui -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
esxcli network firewall ruleset set -e false -r httpClient

[/box]

Now you can connect to and manage the host via a web browser; the URL will be https://{ip-address-or-name}/ui

 

Related Articles, References, Credits, or External Links

NA

Exchange Renaming and Moving Databases

KB ID 0001229

Problem

Exchange has a habit of naming its databases as ‘Mailbox Database {Random-Number}’. This makes my OCD ‘itch’. So one of the first things I do is rename the database to something more sensible. Then I like to move the databases from the server system drive, and also relocate the log files into their own partition/drive.

Solution

Rename a Mailbox Database

Log into Exchange Admin Center > Servers > Databases > Select the Database > Edit > Rename the Database as required > Save.

Note: You can change the database location here also, but not the log file path so I do that using the Exchange Shell.

Moving a Mailbox Database and Log Files

The syntax for moving both the database files and the log files is;

[box]Move-DatabasePath MBX-DB-2016 -EdbFilePath E:\EX-Databases\MBX-DB-2016.edb -LogFolderPath L:\EX-Logs[/box]

You will be asked to confirm the move and that you are happy to take the database offline.

Related Articles, References, Credits, or External Links

NA

Exchange – Cannot Delete Mailbox Move Request

KB ID 0001228 

Problem

On the tail end of an Exchange 2010 to 2016 migration last week, I needed to decommission the old Exchange 2010 server. It would not let me remove the mailbox database, as it had a ‘move-request’ that it thought had not completed, (for the administrator account). However if I tried to delete the move request from the EMC this happened;

Error

Failed to communicate with the mailbox database

MapiExceptionNoAccess Unable to open message store

(hr=0x80070005, ec=-2147024891)

 

Solution

Even trying to remove the move request with PowerShell failed. In the end I had to remove the request in ADSIEdit.msc. 

Windows Key+R > adsiedit.msc > Connect to > Default Naming Context > DC={your domain}, DC={your domain extension} > Navigate to the user affected > Properties > Filter > Show only attributes that have values.

Locate the following two values and clear them;

msExchMailboxMoveFlags

msExchMailboxMoveStatus

This is enough to remove the failed mailbox move request, but if you’re nervous, then just refresh the move request section and it should disappear.
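
The same two attributes can be inspected and cleared from PowerShell instead of ADSIEdit. This is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed and uses 'Administrator' as the affected account, as in the problem described above.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT). 'Administrator' is an assumed account name; change to suit.
Import-Module ActiveDirectory

$attrs = 'msExchMailboxMoveFlags', 'msExchMailboxMoveStatus'

# 1. Audit: list every user that still carries move-request state.
Get-ADUser -LDAPFilter '(|(msExchMailboxMoveFlags=*)(msExchMailboxMoveStatus=*))' -Properties $attrs |
    Select-Object SamAccountName, msExchMailboxMoveFlags, msExchMailboxMoveStatus

# 2. Record the current values for the affected user before changing anything.
$user = Get-ADUser -Identity 'Administrator' -Properties $attrs
$user | Select-Object DistinguishedName, msExchMailboxMoveFlags, msExchMailboxMoveStatus |
    Export-Csv -Path "$env:TEMP\move-attrs-before.csv" -NoTypeInformation

# 3. Clear the two attributes. -WhatIf only reports what would change;
#    remove it once the output names the right account.
Set-ADUser -Identity $user -Clear $attrs -WhatIf

# 4. After the real run, both attributes should come back empty.
Get-ADUser -Identity $user -Properties $attrs |
    Select-Object SamAccountName, msExchMailboxMoveFlags, msExchMailboxMoveStatus
```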

 

Related Articles, References, Credits, or External Links

 

Outlook – Constantly Prompts for a Password

KB ID 0001227 

Problem

I did an Exchange 2010 to 2016 Migration for a school this week. They are going to reimage all their PCs to Windows 10 and install Office 2016 over the summer holidays. But a few staff members were working over the holidays and needed their Win7/Outlook 2010 clients pointing to the new Exchange server.

This I did (I simply created new mail profiles and let Autodiscover do its work). But then the Outlook clients prompted for a username and password every five minutes (even if ‘remember password’ was ticked).

Solution

Outlook constantly prompting for passwords is a common problem, and one I really struggled with here. Before you troubleshoot this error, make sure that you have done the following;

  • Updated your version of Outlook with the latest updates.
  • Make sure you have NOT cached old/incorrect passwords in Windows Credential Manager.
  • Make sure some ‘clown’ has NOT ticked ‘Always ask for Credentials’ (Account > More Settings > Security tab). While you are in there, if you are on Office 365 ensure ‘Anonymous Authentication’ IS selected.
  • Make sure you are NOT going through a proxy server! If you are, you need to make an exception for the Exchange traffic.
  • Make sure the names and URLs that your Exchange server is set up with match the certificate on the Exchange server (and can be resolved in DNS), see this article.
  • Try changing the username Outlook is trying to authenticate with, from username@domain-name to DOMAIN\User-name (particularly if your email address and public/private domain name are NOT the same).

Given my Exchange background the answer was pretty much staring me in the face. Modern Exchange servers use HTTPS for pretty much everything now (IMAP and RPC are old school). The problem was the account settings to collect mail via HTTPS/Outlook Anywhere needed changing. After a bit of trial and error and some internet searching the following cured the problem.

Note: The following ‘More Settings’ options were removed in Outlook 2016. To get that to work, you need to have your Autodiscover set up correctly! The easiest way to do this is to DELETE any A or CNAME records that point to autodiscover.domain.com, and set up an SRV record (that’s for public DNS space and private DNS space).

Exchange AutoDiscover Errors – Creating an AutoDiscover SRV Record

Go to the properties of your mail account > More settings.

Tick > Connect to Exchange using HTTP > Exchange Proxy Settings.

Enter the correct URL of your Exchange server > Tick connect using SSL only > Enter ‘msstd:{Exchange-URL}’ > UNTICK both the https options > Set the authentication to NTLM Authentication (or negotiate) > OK.

As a side note: I also set the MSSTD address on the Exchange server, with the following shell command;

[box]Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.petenetlive.com

Set-OutlookProvider EXCH -CertPrincipalName msstd:mail.petenetlive.com[/box]

Related Articles, References, Credits, or External Links

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

Exchange – ‘Not all the required authentication methods were found’

Public Folder Migration Error hr=0x80040111

KB ID 0001228

Problem

I usually follow my own documented process for migrating public folders to Exchange 2016. I did that this week, and this happened;

Error;

[box]

MapiExceptionLogonFailed: Unable to make connection to the server. (hr=0x80040111, ec=-2147221231)
Diagnostic context:
    Lid: 49064   dwParam: 0x1
    Lid: 37288   StoreEc: 0x6AB
    Lid: 49064   dwParam: 0x2
    Lid: 49191   EMSMDBMT.EcDoConnectEx called [length=178]
    Lid: 48679   EMSMDBMT.EcDoConnectEx returned [ec=0x80040111][length=56][latency=0]
    Lid: 45169   StoreEc: 0x80040111
    Lid: 50544   ClientVersion: 15.1.225.42
    Lid: 52080   StoreEc: 0x80040111
    Lid: 1494    ---- Remote Context Beg ----
    Lid: 22086
    Lid: 27206
    Lid: 39869
    Lid: 56893   StoreEc: 0x8004010F
    Lid: 44989
    Lid: 24684
    Lid: 20076   StoreEc: 0x80040111
    Lid: 29100
    Lid: 20396   StoreEc: 0x80040111
    Lid: 9486    StoreEc: 0x80040111
    Lid: 24492
    Lid: 18348   StoreEc: 0x80040111
    Lid: 26540   dwParam: 0xE0003
    Lid: 22444   dwParam: 0xC30001
    Lid: 1750    ---- Remote Context End ----
    Lid: 51152
    Lid: 52465   StoreEc: 0x80040111
    Lid: 60065
    Lid: 33777   StoreEc: 0x80040111
    Lid: 59805
    Lid: 52487   StoreEc: 0x80040111
    Lid: 19778
    Lid: 27970   StoreEc: 0x80040111
    Lid: 17730
    Lid: 25922   StoreEc: 0x80040111
    + CategoryInfo          : NotSpecified: (:) [New-PublicFolderMigrationRequest], RemoteTransientException
    + FullyQualifiedErrorId : [Server={New-Server},RequestId=6cbefa76-98ad-4a2e-bb33-237d7fd795fd,TimeStamp=03/08/2016 7:1
   7:17 PM] [FailureCategory=Cmdlet-MapiExceptionLogonFailed] 42728F13,Microsoft.Exchange.Management.Migraion.NewMgrationBatch
    + PSComputerName        : {new-server}

[/box]

Solution

Although it looks a pretty scary error, it’s quite straightforward to rectify. I was doing a migration and I’d moved all the mailboxes already, so I had dismounted and removed the mailbox database on the source Exchange server (Exchange 2010). All I had to do was mount a mailbox database (I just created a new empty one, and mounted it).

If I then tried to do the migration, it queued up properly!

Related Articles, References, Credits, or External Links

NA

Setting Up Meraki MDM

KB ID 0001226 

Problem

As is usually the case with Meraki this is pretty simple to set up. If you are familiar with Meraki and have not deployed MDM before then stop a second. I mistakenly set up a dashboard for a client recently (like I usually do with Meraki deployments). Then could not work out how to add the MDM component without an order number!

Meraki MDM is free (up to 100 devices) which is great, but BE WARNED, register 101 devices, and you get a bill for 101 devices not 1 device!

Solution

Go to the Meraki website, and register for mobility management; this will let you create a login and a network within the Meraki Dashboard.


If you already have a Meraki dashboard you will find MDM under Network-wide > MDM.

If you want to manage Apple devices, then you need to download a certificate from Apple, (this requires you to have an Apple ID, if you don’t have one go and set one up). Download the CSR (Certificate Signing Request), and then USE THE HYPERLINK to go to Apple’s website.

Upload your .CSR file.

Download your ‘push certificate’.

Back in the MDM dashboard, enter your Apple ID > Browse to your new push certificate, and select ‘Save’.

Note: If you registered through Meraki then you will already have a network defined (skip the next two steps). If you have an existing dashboard, you may need to create a network.

Select MDM > Create Network.

You can now add devices to the MDM network.

Related Articles, References, Credits, or External Links

NA

Exchange 2016 – EAC (ECP) Works But OWA Does Not

KB ID 0001225 

Problem

During an Exchange 2010 to Exchange 2016 Migration, I was busy migrating mailboxes into the 2016 mailbox database. I noticed that while the Exchange Admin Center worked fine (I was doing the migration from there!) Outlook Web Access did not. I got a ‘Something Went Wrong’ error.

🙁

Something Went Wrong

We Cant get the information right now. Please try again later.

More Details

Refresh the page

Solution

Navigate to C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy and take a copy of the SharedWebConfig.config file.

Then Paste a copy of that file into the C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess directory.

Then restart the IIS Services (iisreset).

If the problem persists, ensure the certificate used for the https binding (in IIS) is the same for the Exchange Front End and the Exchange Back End web sites.

Related Articles, References, Credits, or External Links

NA