ExMerge has been around for a long time, its used (as the name implies) to merge pst files into existing mailbox’s. However its also a great tool to export/backup users mail box’s if you’re doing a migration, or if you have got your “Disaster Recovery” hat on.
The following is a run through of how to export from a mail store to pst files – Note on a live system this can take some time, the example below was done in VMware on a test Exchange box that had 1000 users (as it was a test server the mailbox’s were tiny) If you need to do this on a production server plan in a LOT of time if your moving a large amount of data.
Solution
Note: I’ve mentioned it in the video, but just to reiterate, your mailbox’s need to be smaller than 2GB, if that can not be achieved, you can either;
1. Use ExMerge and export particular “date ranges” and produce multiple .pst files for the same mailbox (hopefully less than 2GB).
I’m doing some work for a client that has Azure AD Sync running, and we keep kicking each other off the server, so I thought I’d login with another account. However, when I tried to open the Synchronisation Service Manager;
Unable to connect to the Synchronisation Service
Some possible reasons are:
1) The service is not started.
2) Your account is not a member of the requires security group.
See the Synchronisation Service documentation for details.
Solution
Well it was the second option in my case. Open Server Manager > Tools > Computer Management > System tools > Local Users and groups > Groups > ADSyncAdmins > Add your user in here.
Related Articles, References, Credits, or External Links
I recently migrated the server that was running my Azure AD Connector. It was showing no errors post migration so I thought no more about it. A few days later I logged in to Office 365 and saw this;
AAD Connect Status Azure AD Connect
Password sync: no recent synchronization
Solution
Apparently this can suddenly happen if you are running an old version of AAD Connect. But I checked and mine was brand new, (I’d only just installed it remember). A quick look in the Event Viewer pointed me in the right direction.
Event ID 611
Log Name: Application
Source: Directory Synchronization
Date: xx/xx/xxxx xx:xx:xx
Event ID: 611
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: {server-name}
Description:
Password hash synchronization failed for domain: pnl.com, domain controller hostname: PNL-MGMT.pnl.com, domain controller IP address: 192.168.100.3. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
I’ve highlighted the important part, RPC Error 8453: Replication access was denied. So we have a permissions/rights problem. As I’d set a new user up for the AAD connector software, I checked their rights and found out I was missing the following;
Ensure that the user you are running AAD sync under, has the following permissions on the ‘root’ of your local AD domain.
Replicating Directory Changes: Allow
Replicating Directory Changes All: Allow
Then I forced an AAD sync, and waited a few minutes, the problem then disappeared.
Related Articles, References, Credits, or External Links
When connected to the Web Enrolment portal (Certsrv) for your Certificate Services, you attempt to submit a certificate request. But you only see User and Basic EFS under Certificate Templates, like so;
Solution
I’ve done this myself many times, usually you are looking for the ‘Web Server‘ template and it’s not there, so we will use that as an example. Go to your CA Server.
Administrative Tools > Certificate Services > Certificate template’s > Firstly make sure the template you are looking for is actually published! (i.e. is in the right hand window). Assuming it’s published, right click Certificate Templates > Manage.
Locate the template in question, Properties > Security > Grant the USER you are logged in, and attempting to submit the certificate request as, the READ and ENROL rights > Apply > OK.
Restart certificate services.
Allow a little time for Active directory replication, then try again.
Related Articles, References, Credits, or External Links
I can’t really take the credit for this, I was at a client’s site a few weeks ago, and they were doing this. I thought ‘That’s cool, I’ll have a play with that when I get the chance”.
Essentially, you update the description of the Computer object(s) in AD so that they list;
The last user who logged on.
What time they logged on.
What AD ‘Site’ the machine is in.
Model of the PC/Laptop.
Serial Number of the machine.
Operating System.
32 or 64 bit.
I tested it in VMware so my machine type and serial number are a little misleading but this is what it looks like.
Now I can think of loads of situations when that information would be very helpful?
Solution : Last User
So how do you do it? Well to make a change to a computer’s ‘Description’ filed in AD, requires some rights, locate the OU (or OUs) that contain your computers/servers and open the advanced properties on their security tab.
You can either ‘Add’ (as shown), or select the existing ‘Authenticated Users’ object from the list.
Change the ‘Applies to’ section to ‘Descendant Computer Objects’.
Scroll down and tick, ‘Write Description’
Isn’t that dangerous? Well not really, it gives users the right to change a computer objects description field, they would need to have the technical ability to do so. And if they did it would get overwritten the next time a user logged onto that machine anyway.
Download the ComputerDescriptionLogonStamp.zip file, and extract the two files you find inside it, into your domain netlogon share (\\{your-domain-name}\netlogon). Edit the domain name in the ComputerDescriptionLogonStamp.bat file so it matches YOUR domain name not mine!
Now create a new Group Policy Object, linked to your USERS.
Edit the policy, and navigate to;
[box]User Configuration > Windows Settings > Scripts > Logon[/box]
Add in the UNC path to the ComputerDescriptionLogonStamp.bat file (Note: Make sure you use a UNC path, to your Netlogon folder, and you do NOT browse locally to the file, if the path looks like; C:\windows\sysvol\pnl.con\sysvol\ComputerDescriptionLogonStamp.batIT WON’T WORK.)
Close the Group policy editor, then either wait, or force a group policy update.
When promoting a server to be a domain controller, you might see the following error,
“A delegation for this DNS server cannont be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are intergrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “{zone-name}“, Otherwise, no action is required”.
Or if you are on older domain controllers;
I’ve clicked past this error many thousands of times, because I know its safe to do so, but what does it mean? And why (in most cases), can you simply ignore it?
Solution
Quick Answer:
If you’re here because you have just Googled the error and don’t really care, because you have work to do, then in 99% of cases this error can be ignored. Unless you need assets within your internal domain DNS to to addressable, or look-upable, (if those are words!) From the public internet.
But I’m creating a child domain? If you are creating a child domain, then the machine you are promoting to be a domain controller in the new child domain, should be a member of the root domain first! Also you need to be logged on with a member of the enterprise administrators group. When creating a child domain you should NEVER see this error because a DNS delegation is created for you automatically in the root domain. The only error you may see is;
Could not log into the domain with the specified credentials. Supply a valid credential and try again.
Make sure you are a member of the root domains enterprise admin group and that the root domain is contactable.
The Long Answer:
It’s complaining because it can’t make a ‘delegation’ in the domain that’s directly above you, what does that mean? Well a delegation is (as the name implies) a method of delegating authority for a DNS zone somewhere else, to another DNS server to be precise. so for the following;
AD domaindomain.com looks to the servers responsible for com and looks for a delegation to itself, if one does not exist it tries to create one and will fail.
AD Domainsubdomain.domain.com looks to the servers responsible for com and looks for a delegation to itself, if one does not exist it tries to create one and will fail. NOTE this domain might look like a subdomain/child domain but if you selected new domain in a new forest, it isn’t (this can be confusing that’s why I’m mentioning it).
AD Child Domainsubdomain.domain.com This will look to the DNS servers responsible for domain.com (the root domain in your forest) and it will create a delegation for you. For this to work you will have selected “Add a new domain to an existing forest”.
Providing you are an enterprise administrator the delegation will be created for you in the domain ‘above’ you.
If you open the delegation, you will see that the name server entry for your child domain has been created;
The domain ‘Above’ me isn’t a Windows domain, or it’s a public domain?
Then, if you need to have your domain assets addressed by their DNS name from the internet, you need to do the following.
Allow DNS access to your internal DNS Server(s) from the Internet, (via UDP and TCP port 53).
Create an A (or AAAA) record for each of your DNS servers, with a public name i.e. ns1.yourdomain.com etc.
Create an NS (name server) record that points to each of your DNS servers A (or AAAA) records.
Related Articles, References, Credits, or External Links
1. Make sure the user you will be performing the migration as, is in the right security groups, (Organizational Management and Recipient Management).
2. On the Legacy Exchange server download the PF-Migration-Scripts-v2 Then extract them to the servers C: drive.
3. Launch the Exchange Management Shell > Change to the script directory > Then create a folder name to folder size mapping file by running the Export-PublicFolderStatistics.ps1 script, supply the name of the file you want to create. (Here I use PublicFoldersStats.csv). Then supply the name of the server, (the legacy one, with the source public folders on it).
[box]
cd c:\Scripts
./Export-PublicFolderStatistics.ps1 PublicFoldersStats.csvMail-Server
[/box]
4. Create a Public Folder to Mailbox mapping file, by running the PublicFolderToMailboxMapGenerator.ps1 script, supply it with the maximum mailbox size (in bytes) Note: The Maximum size is 25GB. You will also need to supply the import file you created in step 3 (PublicFoldersStats.csv). Finally supply the name of the output file you wish to generate i.e. Folder2Mailbox.csv.
[box]
./PublicFolderToMailboxMapGenerator.ps1
[/box]
5. Open the last CSV file you created (Folder2Mailbox.csv) and take note of the TargetMailbox name. By default the first one is called Mailbox1, I’m changing it to Public-Folder-Mailbox and saving the change. Note: You may get more than one! If so take note of them all, or rename them accordingly.
6. Now copy the ‘Scripts’ Directory from your legacy 2010 Exchange server, to the new 2013 / 2016 Server.
7. Whilst still on the new Exchange 2013 / 2016 Server, you need to open a command shell, navigate to the scripts directory and then run the Create-PublicFolderMailboxesForMigration.ps1 script. Reply ‘A’ to run all the scripts, then supply the name of the mapping csv you created above, (Folder2Mailbox.csv). Supply the estimated concurrent users to this mailbox, and enter ‘Y’ to proceed. Now the public folder mailbox will be created.
(Note: Public folders are now in a Mailbox, NOT their own Mailbox database, as in older versions of Exchange).
[box]
cd c:\Scripts
./Create-PublicFolderMailboxesForMigration.ps1
[/box]
8. Next we need to create a ‘batch task’ much the same as when we migrate multiple mailboxes. This first command creates the task, and the second one sets it running. (Change the values in red to match your own).
Update: 05/08/16: Make sure you have a ‘mailbox database’ mounted on the source Exchange server before proceeding, or you may see the following problem.
It might say Queued for quite a while, don’t worry!
Check Public Folder Migration Progress Option 2 From EAC
Open the Exchange Admin Center website and logon. Navigate to recipients > Migration > View Details
10. If you were looking at the progress you will see its stops just before 100%, this is because you need to “Lock” the source public folder and let the migration complete. WARNING this will involve downtime, so warn your users, or do this next step out of hours.
To MAKE SURE you are ready, check either the progress report like so;
Or, re-run the progress command above and look for 95% completion and ‘Automatically suspending job’
DOWNTIME FROM THIS POINT ONWARDS
11. Go to the legacy Exchange 2010 server and ‘lock’ the source public folders for migration, and restart the service.
12. Now access to the legacy Public Folder Database is shut down, but before replication to the new Public Folder Mailbox can be completed you need to return to the new Exchange 2013 / 2016 server and run the following commands;
This can take a little time, I would wait least a couple of hours before proceeding (depending on your network topology, if you have a slow network or the Exchange 2010 server is on another network segment it may take longer).
Now to check the migration worked with a test user, and (provide everything is OK, unlock the Public Folders.
Log on as that user, (Outlook 2010 SP3 or Later.) Make sure the public folders are correct, you can expand them, the permissions are correct and you can create and delete entries.
It’s All Gone Wrong!
Don’t panic! You can remove the migration request with the following command;
Note: As per feedback (from Tobias Gebler) Test mail flow to your public folders, you may need to manually “Mail Enable” them before they function properly, In some cases you need to disable then re-enable them before they work properly.
14. Remember in Outlook Web App 2013 / 2016, public folders are not visible until you add them!
Note: If, (post Migration to Exchange 2016). Your users cannot access the public folders, see the following article.
VMware View is a big product, deploying it can be daunting, and if you’re not sure what you’re doing it’s pretty easy to deploy ‘misconfigured’, or at the very least not configured as well as it should. I’m going to run though most requirements, but it would seem sensible to break this up into a few different articles.
Solution
Configuring Windows Active Directory for VMware View
1. Before you start, on your domain controller open active directory users and computers (dsa.msc). Create an OU for your View Desktops, also to make administration easier create a separate OU for any linked clones you are going to deploy. In the example below I’ve nested one inside the other to keep my AD neat and tidy.
2. Also whilst in AD users and computers, create some groups, one for ViewUsers, and one for ViewAdministrators. Add in your users to the groups as required.
Note: You can call the groups whatever you like, and have as many different groups as you like.
3. Now connect to your Virtual Center Server, and add the domain ViewAdministrators group to the LOCAL Administrators group on that server.
Installing and configuring VMware View 5
4. Run the installer for VMware Connection Server (there is a x32 and an x64 version, make sure you download the correct one as VMware call the x64 bit version VMware-viewconnectionserver-x86_64-5.0.1-640055.exe, which at first glance looks like a x32 bit file). Accept all the defaults until you see the following screen, and select View Standard Server.
View Standard Server: Select if this is the first Connection Server you are deploying. View Replica Server: Select this if you already have a connection server and you want to copy the configuration from that server, once in operation it just becomes a standard replica server. View Security Server: Usually placed on an edge network or in a DMZ to broker connection requests. View Transfer Server: Only required if your clients are going to use ‘Local Mode’ for their View desktops..
5. Accept all the defaults and finish the installation.
6. Connect to the VMware View administrator console, this is a web connection to https://{Connection-server-name/admin Note: Adobe Flash is required for it to work.
7. The first time you connect it will take you straight to View Configuration > Product Licencing and Usage > Select “Edit Licence” and type/paste in your licence key.
8. To point the connection server to your virtual center server, select View Configuration > Servers > vCenter Server section > Add.
9. Give it the vCenter server name, and a username and password for a user who is a member of your ViewAdministrators group.
Note: If your vCenter server has VMware composer installed this is where you would enable it. At this time I do not, but I will return here later after I’ve installed it when I cover VMware Composer and ‘linked clones’.
Related Articles, References, Credits, or External Links
In Part 3 we ran through manual pools, if you want to deploy automated pools using ‘Linked Clones’, then you will need VMware Composer. Composer installs on your Virtual Center Server. It also requires a database, the following is a step by step guide to installing SQL Server 2008 R2 and configuring it for Composer.
VMware View 5 Suppored Database Platforms
When you have your databse platform installed and configured, on the Virtual center server create an ODBC connection to the database and install VMware Composer. Finally you will need to enable composer in the VMware View Administrator Console.
Solution
VMware View – Installing SQL 2008 R2 and Configuring for Composer
1. Let the SQL DVD auto-run and choose Installation > New installation > OK > Product Key > Next > Accept the EULA > Next > Install the setup files.
2. Take note of any warnings, here it’s complaining that I’m on a domain controller (in a test environment this is OK, don’t do this in production!). And it’s giving me a firewall warning. I’m going to disable the firewall as I’m behind a corporate firewall, BUT if you want to create an exception for TCP port 1433, or run the following command. That would be the correct way to address the warning.
[box] netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN [/box]
3. You only need the “Database Engine Services” and the “Management Tools” , or you can simply install everything > Next > Next > Select Default Instance* > Next > Next.
*Unless you specifically want a named instance.
4. I set the services to run under the ‘System’ account, if you want to use the domain admin, or another domain service account use that instead. You can use the “Use same account button for all” to save typing > Next.
5. We will need SQL authentication, type in a suitable complex password (You can add the current user of the domain administrator as well) > Next > If your installing Analysis services you can add an account here > Next.
6. Install the native mode default configuration > Next > Next > Next > Install > Close > Exit the SQL installer.
7. Launch the SQL Management Studio > Log in (for servername simply type in localhost) > Right click Databases > New Database..
8. Give the Database a name > Select the ‘Options’ Settings.
9. Change the recovery model to ‘Simple’ > OK.
10. Expand Security > Logins > Create a new login.
13. Give the new user/login a name, select SQL authentication > Set a complex password > Untick Enforce password expiration > Select the user mappping section (on the left).
14. Select the database you have just created and give this new user the “db_owner” role > OK > Exit the management studio
VMware View – Configure ODBC Settings on the Virtual Center Server
15. On the vCenter Server > Start > Administrative Tools > Data Sources (ODBC).
16. System DSN > Add > SQL Server Native Client > Finish,
17. Add in the Database name and the server you installed SQL on > Next.
18. Supply the details for the user you created and the password you set > Next.
19. Change the default database from ‘master’ to the one you created > Next > accept all the defaults > Finish.
20. Click ‘Test Data Source’ and it should say TEST COMLPETED SUCESSFULLY > OK > OK > OK.
VMware View – Installing VMware Composer
Note: Composer MUST be installed on your VMware virtual Center (vCenter) Server.
21. Run the installer > Next > Next > Accept the EULA > Next > Next > Enter the ODBC details and login you created earlier > Next.
22. Next > Install > Finish.
VMware View – Add Composer to VMware View Administrator Console
23. Connect to, and log into the VMware View Administrator Console > View Configuration > Servers > If you already have a vCenter server select Edit > If not select Add.
24. On the vCenter Server settings tab ensure ‘Enable View Composer’ is ticked and add in a domain user (with rights to create, and delete computer objects in the domain) > OK.
25. You will know if the operation was successful as the vCenter logo will change, it will now have a gold/yellow box around it.
Related Articles, References, Credits, or External Links
Below I’ll configure SQL 2008 R2, insofar as I will setup a new database for the View Events, create a user for that database, then finally connect the View 5 Horizon View Connection Server to that database.
Solution
1. Firstly, I’m assuming you have a SQL Server setup and ready to create database on, If you do not rather than reinvent the when follow my instructions in the article below.
Note: Complete ONLY Steps 1 to 6 then return here.
2. Login to the SQL Management Studio > Databases > New Database.
3. Call it View5Events (Note: You can call it ‘Aunty Mary’s Canary’ if you want to).
4. Options section > change the recovery mode to ‘Simple’ > OK.
5. Expand Security > Logins > New Login.
6. Give the user a name i.e. view5events > Tick ‘SQL Authentication’ > Type and re-type a password > Untick ‘Enforce password policy’.
7. User Mapping tab > Tick the View5Events Database > Tick db_owner > OK > Close the SQL Management Studio.
8. Login to the Connection Server (Flash Required) > View Configuration > Event Configuration > Edit,
Database Server: The name of the Server Running SQL. Port: 1433 (Standard SQL Port make sure it it NOT blocked by a firewall). Database Name: View5Events User name: view5events Password: {You set above} Table prefix: _vdi
9. To see if it is working > Monitoring > Events > (It may be empty for a while don’t panic).
Related Articles, References, Credits, or External Links