Outlook OAB download fails with 0x80004005 and/or 0x8004010F

KB ID 0000035 

Problem

0x8004010F is caused by client not being able to see the Offline Address Book.

0x8004010F Error With Exchange 2013/2016/2019

Firstly make sure your autodiscover is correct, on the Exchange server open the Exchange management shell, and issue the following  command.

[box]

Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri

[/box]

If you need to fix/change it, use the following syntax.

[box]

Set-ClientAccessServer -Identity PNL-MAIL-2019 -AutoDiscoverServiceInternalUri "https://mail.petenetlive.com/autodiscover/autodiscover.xml"

[/box]

Then check that the Offline Address Book is set correctly also.

[box]

Get-OabVirtualDirectory -server PNL-MAIL-2019

[/box]

 

If you need to fix/change it, use the following syntax.

[box]

Set-OabVirtualDirectory -Identity "PNL-MAIL-2019\oab (default web site)" -InternalUrl "https://mail.petenetlive.com/oab" -ExternalUrl "https://mail.petenetlive.com/oab"

[/box]

Then ensure ALL Mailbox databases are set to use the Default Offline Address Book.

[box]

Get-Mailboxdatabase | Set-MailboxDatabase -OfflineAddressBook “Default Offline Address Book”
Get-MailboxDatabase | Ft Name, *book*

[/box]

Then check for the existence of the ‘Arbitration Mailbox’

[box]

Get-Mailbox -Arbitration | where {$_.PersistedCapabilities -like “*OAB*”} | ft Name, Servername, Database

[/box]

If its broken/ missing then you can do the following.

[box]

New-OfflineAddressBook -Name “NEW-OAB” -AddressLists “\Default Global Address List” -VirtualDirectories “PNL-MAIL-2019\OAB (Default Web Site)”
Get-Mailboxdatabase | Set-MailboxDatabase -OfflineAddressBook “NEW-OAB”
Create New-Mailbox -Arbitration -Name “OAB-GEN” -UserPrincipalName OAB@pnl.com –DisplayName “OAB-Generation-Mailbox” -Database MBX-DB-2019v2
Set-Mailbox -Arbitration OAB@pnl.com -OABGen $true

[/box]

Then finally restart the Exchange services WARNING this will cause downtime.

[box]

$services = Get-Service | ? { $_.name -like "MSExchange*" -and $_.Status -eq "Running"};foreach ($service in $services) {Restart-Service $service.name -Force}

[/box]

For Exchange 2020 / 2007 (0x8004010F Error)

1. Log onto the Exchange Server.
2. Start > All Programs > Exchange Management Console > Organisation Configuration > Mailbox > Offline address Book > Create a new one (Must have a different name to {Default}.
3. Delete the Old Offline Address Book.
4. Set the one you created as the default.

WAIT 20 MINUTES – If the Problem Persists

1. Log onto the Exchange Server.
2. Start > All Programs > Exchange Management Console > Server Configuration > Mailbox.
3. Select the Mailbox store in the middle section > Right Click > Properties.
4. Client Settings tab > Browse > Select the Address book you created above > OK > OK.

WAIT 20 MINUTES

Note: I’ve also fixed by creating a new mail profile – though when I switched back to the original one it was ok – so I may not have been patient enough.

Related Articles, References, Credits, or External Links

NA

Windows Server – Sysprep

KB ID 0000729 

Problem

I don’t deploy large amounts of servers at once, so Windows Server sysprep is not as important as it is with the client operating systems I deploy. But I do need to create virtual machine templates, (mostly for testing), but some clients like to have server templates. I prefer to manually sysprep and shutdown a server then either convert or clone it to a template.

Thankfully sysprep is in the same place as it was with Server 2008 R2.

Solution

As before you can either run sysprep from command line by navigating to its location and running it with the correct switches. Or simply browse to it with Windows Explorer and double click it.

Related Articles, References, Credits, or External Links

Server 2008 R2 Where is Sysprep

Exchange 2000 / 2003 – Exporting Mail to .pst files with ExMerge

KB ID 0000091

Problem

ExMerge has been around for a long time, its used (as the name implies) to merge pst files into existing mailbox’s. However its also a great tool to export/backup users mail box’s if you’re doing a migration, or if you have got your “Disaster Recovery” hat on.

The following is a run through of how to export from a mail store to pst files – Note on a live system this can take some time, the example below was done in VMware on a test Exchange box that had 1000 users (as it was a test server the mailbox’s were tiny) If you need to do this on a production server plan in a LOT of time if your moving a large amount of data.

Solution

 

Note: I’ve mentioned it in the video, but just to reiterate, your mailbox’s need to be smaller than 2GB, if that can not be achieved, you can either;

1. Use ExMerge and export particular “date ranges” and produce multiple .pst files for the same mailbox (hopefully less than 2GB).

2. Use Outlook 2007 (or greater) to export the mailbox to .pst files individually.

Related Articles, References, Credits, or External Links

Download ExMerge 

Exchange 2010 Bulk Import .pst Files

Exchange 2007 – Export Mailbox’s to PST files

AnyConnect 4 – Plus and Apex Licensing Explained

KB ID 0001013 

Problem

(Updated 11/05/21)

Before version 4 we simply had AnyConnect Essentials and Premium licensing, now we have Plus and Apex licensing.

AnyConnect Plus and Apex

There are in fact three licensing options;

  • Cisco AnyConnect Plus Subscription Licenses
  • Cisco AnyConnect Plus Perpetual Licenses
  • Cisco AnyConnect Apex Subscription Licenses
  • NEW VPN Only perpetual Licences

Plus and Apex Contain;

AnyConnect PLUS (Cisco pitch “Equivalent to the old Essentials License”).

  • VPN functionality for PC and mobile platforms, including per-app VPN on mobile platforms.
  • Basic endpoint context collection (Note: NOT full ISE context support).
  • IEEE 802.1X Windows supplicant.
  • Cisco Cloud Web Security agent for Windows & Mac OS X platforms.
  • Cisco Web Security Appliance support.
  • FIPS compliance.

AnyConnect APEX (Cisco pitch “Equivalent to the old Premium License”).

  • Everything that’s included in AnyConnect Plus.
  • Clientless (browser-based) VPN termination on the Cisco ASA.
  • VPN Compliance/Posture agent in conjunction with the Cisco ASA.
  • Unified Compliance/Posture agent in conjunction with the Cisco ISE 1.3 or later.
  • Next Generation Encryption/Suite B.

Both licenses are available as 1, 2 and 5 (not 3 as listed on the Cisco website) year subscription, or you can buy Plus licenses with a perpetual license option.

Note: For PLUS Licences looks at SKUs starting  L-AC-PLS, for APEX Licences look SKUs starting at L-AC-APX

(Note: if you have a Plus Perpetual license you still need to purchase a software applications support plus upgrades (SASU) contract.

Regardless of which you buy, the SASU for AnyConnect is NOT included in the support contract for the parent device e.g. the SmartNet on your Cisco ASA Firewall.

To purchase support you order the parent license (SKU: L-AC-PLS-P-G) which has no cost, then you add in the relevant license for the amount of clients you have e.g. AC-PLS-P-500-S for 500 users, AC-PLS-P-2000-S for 2000 users etc.

BE AWARE: AnyConnect 4 Licenses will display as AnyConnect Premium licenses when you issue a ‘show version’ command. When adding an AnyConnect 4 License (regardless of the quantity of licenses added), will license to the maximum permitted AnyConnect Premium license count for the ASA hardware platform, those being;

New AnyConnect VPN Only Licences (Perpetual)

You can now purchase VPN Only perpetual licences, they are sold by ‘Concurrent VPN Connection‘. You order them like so;

L-AC-VPNO-25 (for 25 concurrent VPN connections) you can also buy in 50, 100, 250, 500, 1K, 2500, 5K ,and 10K versions. Depending on what you device will physically support (see below)

Cisco ASA Maximum VPN Peers / Sessions

Cisco Firepower Firewalls

FPR-1010 = 75
FPR-1120 = 150
FPR-1130 = 400
FPR-1140 = 800
FPR-2110 = 1500
FPR-2120 = 3500
FPR-2130 = 7500
FPR-2140 = 10,000
FPR-4110 = 10,000
FPR-4112 = 10,000
FPR-4115 = 15,000
FPR-4120 = 20,000
FPR-4125 = 20,000
FPR-4140 = 20,000
FPR-4145 = 20,000
FPR-4150 = 20,000
FPR-9300-SM24 = 20,000 
FPR-9300-SM36 = 20,000
FPR-9300-SM40 = 20,000
FPR-9300-SM44 = 20,000
FPR-9300-3xSM44 = 60,000
FPR-9300-SM48 = 20,000
FPR-9300-SM56 = 20,000
FPR-9300-SM3x56 = 60,000

Cisco ASA 5500-X Firewalls
5506-X = 50
5508-X = 100
5512-X = 250
5515-X = 250
5516-X = 300
5525-X = 750
5545-X = 2500
5555-X = 5000
5585-X = 10,000
Cisco ASA 5500 Firewalls

5505 = 25 
5510 = 250 
5520 = 750 
5540 = 5,000 
5550 = 5,000 
5580 = 10,000

Cisco ASAv Firewalls

ASAv5  = 50
ASAv10 = 100
ASAv30 = 750
ASAv50 = 10,000
 

Related Articles, References, Credits, or External Links

Cisco AnyConnect – Essentials / Premium Licenses Explained

Cisco ASA 5500 – Adding Licenses

Cisco AnyConnect Ordering Guide

The Web Site for the CA Must be Configured to use HTTPS

KB ID 0000838 

Problem

When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.

In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication

Solution

The correct fix is to set the web server (IIS) to serve the certificate website securely using https, though you can just set Internet explorer to ‘work’ from your client machine if you are in a hurry.

Make Internet Explorer Accept Your Certification Authority

Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.

1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.

 

2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.

3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.

4. Restart the browser and try again.

Set IIS to serve Certificate Services Securely (via https).

This assumes you have your CA and the web portal installed correctly.

1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.

Note: If https is missing simply add it!

2. Expand Default Web Site > Certsrv > SSL Settings.

 

3. Tick ‘Require SSL’ > Apply.

4. That should be all you need, if it does not take effect straight away then drop to command line and run iisreset /noforce.

Related Articles, References, Credits, or External Links

NA

Setup FTP Server with Windows Server

KB ID 0000342

Problem

You want to Setup FTP on your Windows Server, (and more importantly make it work without disabling the firewall.) Below are the procedure you will need to carry out.

Note: For older Windows Operating systems like Server 2012, click here, or for Server 2008, click here.

Setup FTP Server (Windows Server)

Setup FTP on Windows Server 2012 (Including firewall setup)

 Setup FTP on Windows Server 2008 R2 (Including firewall setup)

Firewall Configuration for FTP on Server 2008 R2 (Included in the Video above).

>

Related Articles, References, Credits, or External Links

NA

Hard Drive Full?

KB ID 0000012

Problem

The fact that I’m going back to re-write article 0000012, should tell you this is an omnipresent problem! Either very suddenly, or slowly over time you have a drive or a volume that’s full to bursting point. These days with laptops which have smaller SSD drives it’s a common problem.

I’ve seen literally hundreds of post in forums, most of them are answered with ‘Use WinDirStat’, or ‘Use TreeSize’. Techies seem to be a fan of one or the other, and stick with the tool that’s served them best.

What If There’s No Room To Install Either Of these?

Good point, then you can use PowerShell, I’ll cover that below also. Well I said everyone has a favourite solution, here’s mine,

WinDirStat

My weapon of choice, install it and give it the drive you want to analyse;

When it’s finished, you will see something like this;

So you get a graphical representation of the drive, and you can see TWO things straight away, firstly you can spot large files, click on them and it will tell you what they are. Secondly it groups ‘Types’ of files together, if you just look at folder sizes it can be misleading e.g. The ‘red’ files above are my MP3 Collection, I know that folder is massive and I expect it to have a lot of stuff in it. But in some cases this is great! e.g. If your IIS server is churning out logs and theres a folder with millions of them in it, you will spot it straight away.

Why Do I Prefer This? I prefer the graphical front end, I can send a screen shot to client, and they understand what’s happening, and it’s always been free. (There is a free version of TreeSize in fairness). I just like this one.

TreeSize

Once you’ve installed simply select the drive in question,

You can then drill down folders which are sized based on usage. One thing I do like about TreeSize is, it knows the difference between file size and actual size, and you can swap views accordingly. But I’ve included it here so every-time I post this article link in a forum, you can see both and make your own mind up.

PowerShell

This is really a PowerShell version of using the same approach TreeSize uses. You need a PowerShell plugin called PSFolderSize, then simply navigate to the the drive in question and run Get-FolderSize.

[box]

Install-Module PSFoldersize
cd {Drive-Letter}:
Get-FolderSize

[/box]

You can then drill down {cd folder-name} one at a time repeating the same command.

 

Related Articles, References, Credits, or External Links

NA

Exchange – Move ‘ALL’ Mailboxes From One Database to Another

KB ID 0000864 

Problem

While replacing an Exchange Server on my test network last week, I needed to get all the mailboxes moved across to the new one. Exchange gets upset if you try and delete a mailbox database that has data in it.

Solution

1. Launch the Exchange Management Shell > Firstly lets get the names of my Databases, then I can simply copy and paste them into the move mailbox command.

[box]

Get-MailboxDatabase

Get-Mailbox -Database Source Database Name -ResultSize Unlimited | New-MoveRequest -TargetDatabase Target Database Name

[/box]

2. The Mailbox moves should then be queued, depending on how many there are, this can take some time to complete.

3. To check on progress issue the following command;

[box]

Get-MoveRequestStatistics -MoveRequestQueue Target Database Name

[/box]

 

4. When complete you should remove the movement requests like so;

[box]

Get-MoveRequest | where {$_.status -eq “Completed”} | Remove-MoveRequest

[/box]

5. That’s all the ‘user’ mailboxes, but your source database server may have system mailboxes in it. These will be either Arbitration mailboxes, or Archive Mailboxes (or both). I don’t have any archive mailboxes, but I do have Arbitration mailboxes. To find out for your databases, use the following commands;

[box]

Get-Mailbox -Database Source Database Name -Arbitration

[/box]

6. To move Arbitration and Archive mailboxes, use the following commands;

[box]

Get-Mailbox -Database Source Database Name -Arbitration | New-MoveRequest -TargetDatabase Target Database Name

Get-Mailbox -Database Source Database Name -Archive | New-MoveRequest -TargetDatabase Target Database Name

[/box]

7. You can monitor progress with the same command you used in step 3, and remove the move requests with the same command you used in step 4.

8. In addition you may also have some Auditlog mailboxes like so;

[box]

Get-Mailbox -Database Source Database Name -Auditlog | New-MoveRequest -TargetDatabase Target Database Name

[/box]

9. Also you may have Monitoring Mailboxes, (In the screenshot below you can see I don’t have any archive mailboxes, as the command returns no results)

[box]

Get-Mailbox -Database Source Database Name -Monitoring | New-MoveRequest -TargetDatabase Target Database Name

[/box]

10. When complete remove the move requests;

[box]

Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

[/box]

11. Finally on Exchange 2013 (and newer) you may also have Public Folder Mailbox(s).

[box]

Get-Mailbox -Database Source Database Name -PublicFolder | New-MoveRequest -TargetDatabase Target Database Name

[/box]

Don’t forget to remove any outstanding move requests.

Related Articles, References, Credits, or External Links

NA

AnyConnect – ‘VPN establishment capability for a remote user..

KB ID 0000546 

Problem

If you connect to to a client via RDP then try and run the AnyConnect client, you will see one of these errors;

VPN establishment capability for a remote user is disabled. A VPN connection will not be established

 

VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established

This, behaviour is default, and despite me trawling the internet to find a solution (most posts quote changing the local AnyConnectProfile.tmpl  file, this file does not exist using Version 3 (I was using v 3.0.4235).

Update: With Early versions of AnyConnect version 4 it does not tell you what’s wrong, the VPN appears to connect and then disconnect quickly. If you have debugging on the firewall you will see the following;

Profile settings do not allow VPN initiation from a remote desktop.

Note: This is fixed in version 4.8 and you will se the error at the top of the page.

Solution

To solve this problem we need to create an AnyConnect profile, load the profile into the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do that in the ASDM. With older versions you need to use the stand alone profile editor (see below)

Edit AnyConnect Profile With ASDM

Connect to the ADSM > Configuration > Remote Access VPN > Network Client remote Access > AnyConnect Client Profile.

Give the profile a name  > Select a group policy to apply it to > OK.

AllowRemoteUsers: Lets remote users bring up the VPN, if this forces routing to disconnect you, it will auto terminate the VPN.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

OR (older versions)

 

Apply the changes, and then save to the running configuration.

 

Edit AnyConnect Profile With Stand-Alone Profile Editor

1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).

Update: The AnyConnect Profile Editor is now built into the ADSM, it becomes available once you have enabled any AnyConnect image. Once you have a profile created you can skip straight to  step 3, and skip all the other steps.

If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.

2. Once you have installed the profile editor, launch the “VPN Profile Editor”.

3. The setting we want is listed under Windows VPN Establishment, and needs setting to “AllowRemoteUsers”, In addition I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.

AllowRemoteUsers: Lets remote users bring up the VPN, if this forces routing to disconnect you, it will auto terminate the VPN.

SingleLocalLogon: Allows multiple remote logons but only one local logon.

4. Save the profile somewhere you can locate it quickly.

5. Connect to the firewalls ASDM > Tools > File Management > File Transfer > Between Local PC and Flash.

6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.

7. Make sure the file uploads correctly > Close.

8. To associate this profile with your AnyConnect//SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the “Client Profile to Download” section and uncheck the inherit button.

9. Click New > Browse Flash > Locate the profile you uploaded earlier.

10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.

11. Then reconnect with your AnyConnect Mobility Client software.

Related Articles, References, Credits, or External Links

Install and Configure Cisco ASA5500 AnyConnect SSL VPN