Exchange 2000 / 2003 – Exporting Mail to .pst files with ExMerge

KB ID 0000091

Problem

ExMerge has been around for a long time; it’s used (as the name implies) to merge pst files into existing mailboxes. However, it’s also a great tool to export/backup users’ mailboxes if you’re doing a migration, or if you have got your “Disaster Recovery” hat on.

The following is a run through of how to export from a mail store to pst files. Note: on a live system this can take some time; the example below was done in VMware on a test Exchange box that had 1000 users (as it was a test server the mailboxes were tiny). If you need to do this on a production server, plan in a LOT of time if you’re moving a large amount of data.

Solution

 

Note: I’ve mentioned it in the video, but just to reiterate, your mailboxes need to be smaller than 2GB. If that cannot be achieved, you can either;

1. Use ExMerge and export particular “date ranges” and produce multiple .pst files for the same mailbox (hopefully less than 2GB).

2. Use Outlook 2007 (or greater) to export the mailbox to .pst files individually.

Related Articles, References, Credits, or External Links

Download ExMerge 

Exchange 2010 Bulk Import .pst Files

Exchange 2007 – Export Mailbox’s to PST files

Unable to Connect to the Synchronisation Service

KB ID 0001649

Problem

I’m doing some work for a client that has Azure AD Sync running, and we keep kicking each other off the server, so I thought I’d login with another account. However, when I tried to open the Synchronisation Service Manager;

Unable to connect to the Synchronisation Service

Some possible reasons are:
1) The service is not started.
2) Your account is not a member of the required security group.

See the Synchronisation Service documentation for details.

Solution

Well it was the second option in my case. Open Server Manager > Tools > Computer Management > System tools > Local Users and groups > Groups > ADSyncAdmins > Add your user in here.

Related Articles, References, Credits, or External Links

NA

Password Sync: No Recent Synchronization

KB ID 0001640

Problem

I recently migrated the server that was running my Azure AD Connector. It was showing no errors post migration so I thought no more about it. A few days later I logged in to Office 365 and saw this;

AAD Connect Status
Azure AD Connect
Password sync: no recent synchronization

Solution

Apparently this can suddenly happen if you are running an old version of AAD Connect. But I checked and mine was brand new, (I’d only just installed it remember). A quick look in the Event Viewer pointed me in the right direction.

Event ID 611

Log Name: Application
Source: Directory Synchronization
Date: xx/xx/xxxx xx:xx:xx
Event ID: 611
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: {server-name}
Description:
Password hash synchronization failed for domain: pnl.com, domain controller hostname: PNL-MGMT.pnl.com, domain controller IP address: 192.168.100.3. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.

 

I’ve highlighted the important part, RPC Error 8453: Replication access was denied. So we have a permissions/rights problem. As I’d set a new user up for the AAD connector software, I checked their rights and found out I was missing the following;

Ensure that the user you are running AAD sync under has the following permissions on the ‘root’ of your local AD domain.

  • Replicating Directory Changes: Allow
  • Replicating Directory Changes All: Allow

Then I forced an AAD sync, and waited a few minutes, the problem then disappeared.
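The two rights listed above are what allow an account to replicate password hashes out of the directory, so it is worth confirming exactly who holds them on the domain root. The following is an added example, not part of the original article: it filters the domain root's ACEs for the two extended rights and reports which of them a given account is missing. The account name `PNL\svc-aadsync` and the sample ACEs are constructed for illustration; the GUIDs are the schema identifiers of the two rights.

```powershell
# Added example, not from the original article.
# Schema GUIDs of the two extended rights named in the article.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$ExtendedRight = 0x100   # ActiveDirectoryRights.ExtendedRight bit (also set in GenericAll)

function Get-ReplicationRightHolder {
    # Returns one row per (identity, right) for Allow ACEs that grant either right.
    param([Parameter(Mandatory)] [object[]] $Ace)
    foreach ($a in $Ace) {
        if ("$($a.AccessControlType)" -ne 'Allow') { continue }
        if (-not ([int]$a.ActiveDirectoryRights -band $ExtendedRight)) { continue }
        $guid  = ([guid]$a.ObjectType).ToString()
        $names = @()
        if ($guid -eq [guid]::Empty.ToString()) {
            # An empty ObjectType means the ACE covers every extended right.
            $names = @($ReplicationRights.Values)
        } elseif ($ReplicationRights.ContainsKey($guid)) {
            $names = @($ReplicationRights[$guid])
        }
        foreach ($n in $names) {
            [pscustomobject]@{ Identity = "$($a.IdentityReference)"; Right = $n }
        }
    }
}

function Get-MissingReplicationRight {
    # Rights from the article's list that $Identity does not hold directly.
    # Rights held through group membership are not resolved here.
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [Parameter(Mandatory)] [string]   $Identity
    )
    $held = @(Get-ReplicationRightHolder -Ace $Ace |
        Where-Object { $_.Identity -eq $Identity } |
        ForEach-Object { $_.Right })
    $ReplicationRights.Values | Where-Object { $_ -notin $held } | Sort-Object
}

# Constructed sample ACEs (not real data) shaped like (Get-Acl 'AD:\...').Access entries.
$changes    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$changesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
$sample = @(
    [pscustomobject]@{ IdentityReference = 'PNL\Domain Controllers'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 0x100; ObjectType = $changes }
    [pscustomobject]@{ IdentityReference = 'PNL\Domain Controllers'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 0x100; ObjectType = $changesAll }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 983551; ObjectType = [guid]::Empty }   # GenericAll
    [pscustomobject]@{ IdentityReference = 'PNL\svc-aadsync'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 0x100; ObjectType = $changes }
    [pscustomobject]@{ IdentityReference = 'PNL\helpdesk'; AccessControlType = 'Deny'
                       ActiveDirectoryRights = 0x100; ObjectType = $changesAll }
)

Get-ReplicationRightHolder -Ace $sample | Sort-Object Identity, Right | Format-Table -AutoSize
Get-MissingReplicationRight -Ace $sample -Identity 'PNL\svc-aadsync'

# Live use on a domain-joined host with the ActiveDirectory module (RSAT) installed:
#   Import-Module ActiveDirectory
#   $aces = (Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access
#   Get-ReplicationRightHolder -Ace $aces
```

Any identity in the output that is not a domain controller group, a built-in administrative group or the sync account itself deserves a closer look.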

Related Articles, References, Credits, or External Links

NA

Certsrv: Can Only See User and Basic EFS

KB ID 0001552

Problem

When connected to the Web Enrolment portal (Certsrv) for your Certificate Services, you attempt to submit a certificate request. But you only see User and Basic EFS under Certificate Templates, like so;

Solution

I’ve done this myself many times, usually you are looking for the ‘Web Server‘ template and it’s not there, so we will use that as an example. Go to your CA Server.

Windows Server – Locate CA / Certificate Services

Administrative Tools > Certificate Services > Certificate Templates > Firstly make sure the template you are looking for is actually published! (i.e. is in the right hand window). Assuming it’s published, right click Certificate Templates > Manage.

Locate the template in question, Properties > Security > Grant the USER you are logged in, and attempting to submit the certificate request as, the READ and ENROL rights > Apply > OK.

Restart certificate services.

Allow a little time for Active directory replication, then try again.

Related Articles, References, Credits, or External Links

NA

Windows – A Delegation For This DNS Server Cannot Be Created

KB ID 0001287

Problem

When promoting a server to be a domain controller, you might see the following error,

“A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain “{zone-name}“, Otherwise, no action is required”.

Or if you are on older domain controllers;

I’ve clicked past this error many thousands of times, because I know it’s safe to do so, but what does it mean? And why (in most cases), can you simply ignore it?

Solution

Quick Answer:

If you’re here because you have just Googled the error and don’t really care, because you have work to do, then in 99% of cases this error can be ignored, unless you need assets within your internal domain DNS to be addressable, or look-upable, (if those are words!) from the public internet.

But I’m creating a child domain? If you are creating a child domain, then the machine you are promoting to be a domain controller in the new child domain, should be a member of the root domain first! Also you need to be logged on as a member of the enterprise administrators group. When creating a child domain you should NEVER see this error because a DNS delegation is created for you automatically in the root domain. The only error you may see is;

Could not log into the domain with the specified credentials. Supply a valid credential and try again.

Make sure you are a member of the root domain’s enterprise admin group and that the root domain is contactable.

The Long Answer:

It’s complaining because it can’t make a ‘delegation’ in the domain that’s directly above you. What does that mean? Well, a delegation is (as the name implies) a method of delegating authority for a DNS zone somewhere else, to another DNS server to be precise. So for the following;

AD domain domain.com looks to the servers responsible for com and looks for a delegation to itself, if one does not exist it tries to create one and will fail.

AD Domain subdomain.domain.com looks to the servers responsible for com and looks for a delegation to itself, if one does not exist it tries to create one and will fail. NOTE this domain might look like a subdomain/child domain but if you selected new domain in a new forest, it isn’t (this can be confusing that’s why I’m mentioning it).

AD Child Domain subdomain.domain.com This will look to the DNS servers responsible for domain.com (the root domain in your forest) and it will create a delegation for you. For this to work you will have selected “Add a new domain to an existing forest”.

Providing you are an enterprise administrator the delegation will be created for you in the domain ‘above’ you.

If you open the delegation, you will see that the name server entry for your child domain has been created;

The domain ‘Above’ me isn’t a Windows domain, or it’s a public domain?

Then, if you need to have your domain assets addressed by their DNS name from the internet, you need to do the following.

  1. Allow DNS access to your internal DNS Server(s) from the Internet, (via UDP and TCP port 53).
  2. Create an A (or AAAA) record for each of your DNS servers, with a public name i.e. ns1.yourdomain.com etc.
  3. Create an NS (name server) record that points to each of your DNS servers A (or AAAA) records.

 

Related Articles, References, Credits, or External Links

NA

Migrate Exchange 2010 to Exchange 2016 or 2013

Part 2

Migrate Public Folders Exchange 2010 to Exchange 2013 / 2016

KB ID 0000789

Problem

Continued from Migration From Exchange 2010 to Exchange 2016 / 2013 Part 1

Solution

Exchange 2016 / 2013 Migration Step 7 “Migrate Public Folders”

Note: This article uses the newer ‘Batch Migration’ method. Make sure your exchange server is patched and up to date or the process will not work.

Minimum Patch Levels

  • Source: Exchange 2010 SP3 RU8 (At Least).
  • Source: Exchange 2007 SP3 RU15 (At Least).
  • Destination: Exchange 2013 CU7 (Or Later).
  • Destination: Exchange 2016 RTM.

The new migration scripts are here PF-Migration-Scripts-v2

1. Make sure the user you will be performing the migration as, is in the right security groups, (Organizational Management and Recipient Management).

2. On the Legacy Exchange server download the PF-Migration-Scripts-v2, then extract them to the server’s C: drive.

3. Launch the Exchange Management Shell > Change to the script directory > Then create a folder name to folder size mapping file by running the Export-PublicFolderStatistics.ps1 script, supply the name of the file you want to create. (Here I use PublicFoldersStats.csv). Then supply the name of the server, (the legacy one, with the source public folders on it).

[box]

cd c:\Scripts
./Export-PublicFolderStatistics.ps1 PublicFoldersStats.csv Mail-Server 

[/box]

4. Create a Public Folder to Mailbox mapping file, by running the PublicFolderToMailboxMapGenerator.ps1 script, supply it with the maximum mailbox size (in bytes). Note: The Maximum size is 25GB. You will also need to supply the import file you created in step 3 (PublicFoldersStats.csv). Finally supply the name of the output file you wish to generate i.e. Folder2Mailbox.csv.

[box]

./PublicFolderToMailboxMapGenerator.ps1

[/box]

5. Open the last CSV file you created (Folder2Mailbox.csv) and take note of the TargetMailbox name. By default the first one is called Mailbox1, I’m changing it to Public-Folder-Mailbox and saving the change. Note: You may get more than one! If so take note of them all, or rename them accordingly.

6. Now copy the ‘Scripts’ Directory from your legacy 2010 Exchange server, to the new 2013 / 2016 Server.

7. Whilst still on the new Exchange 2013 / 2016 Server, you need to open a command shell, navigate to the scripts directory and then run the Create-PublicFolderMailboxesForMigration.ps1 script. Reply ‘A’ to run all the scripts, then supply the name of the mapping csv you created above, (Folder2Mailbox.csv). Supply the estimated concurrent users to this mailbox, and enter ‘Y’ to proceed. Now the public folder mailbox will be created.

(Note: Public folders are now in a Mailbox, NOT their own Mailbox database, as in older versions of Exchange).

[box]

cd c:\Scripts
./Create-PublicFolderMailboxesForMigration.ps1

[/box]

8. Next we need to create a ‘batch task’ much the same as when we migrate multiple mailboxes. This first command creates the task, and the second one sets it running. (Change the values in red to match your own). 

Update: 05/08/16: Make sure you have a ‘mailbox database’ mounted on the source Exchange server before proceeding, or you may see the following problem.

Public Folder Migration Error hr=0x80040111

[box]

New-MigrationBatch -Name PF-Migration -SourcePublicFolderDatabase (Get-PublicFolderDatabase -Server EX2010) -CSVData (Get-Content C:\Scripts\Folder2Mailbox.csv -Encoding Byte) -NotificationEmails info@petenetlive.com
Start-MigrationBatch PF-Migration

[/box]

9. There are two ways to check its progress;

Check Public Folder Migration Progress Option 1 From Command Shell

[box]

Get-MigrationUser -Batch PF-Migration | Get-MigrationUserStatistics -IncludeReport | fl

[/box]

It might say Queued for quite a while, don’t worry!

Check Public Folder Migration Progress Option 2 From EAC

Open the Exchange Admin Center website and logon. Navigate to recipients > Migration > View Details

10. If you were looking at the progress you will see it stops just before 100%, this is because you need to “Lock” the source public folder and let the migration complete. WARNING this will involve downtime, so warn your users, or do this next step out of hours.

To MAKE SURE you are ready, check either the progress report like so;

Or, re-run the progress command above and look for 95% completion and ‘Automatically suspending job’

DOWNTIME FROM THIS POINT ONWARDS

11. Go to the legacy Exchange 2010 server and ‘lock’ the source public folders for migration, and restart the service.

[box]

Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
Restart-Service MSExchangeIS

[/box]

12. Now access to the legacy Public Folder Database is shut down, but before replication to the new Public Folder Mailbox can be completed you need to return to the new Exchange 2013 / 2016 server and run the following commands;

[box]

Set-OrganizationConfig -PublicFoldersEnabled Remote
Complete-MigrationBatch PF-Migration

[/box]

13. Wait until it completes;

or in the shell

This can take a little time, I would wait at least a couple of hours before proceeding (depending on your network topology, if you have a slow network or the Exchange 2010 server is on another network segment it may take longer).

Now check the migration worked with a test user, and (provided everything is OK) unlock the Public Folders.

[box]Set-Mailbox -Identity {Test-Username} -DefaultPublicFolderMailbox {PF-Mailbox Name}[/box]

Log on as that user, (Outlook 2010 SP3 or Later.) Make sure the public folders are correct, you can expand them, the permissions are correct and you can create and delete entries. 

It’s All Gone Wrong!

Don’t panic! You can remove the migration request with the following command;

[box]

Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest 

[/box]

Then complete the migration, with the following two commands;

[box]

Set-PublicFolderMigrationRequest -Identity PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity PublicFolderMigration

[/box]

13. Once you are ready to proceed, issue the following command, and confirm that the public folders are now correct and available.

[box]

Get-Mailbox -PublicFolder | Set-Mailbox -PublicFolder -IsExcludedFromServingHierarchy $false

[/box]

Note: As per feedback (from Tobias Gebler), test mail flow to your public folders. You may need to manually “Mail Enable” them before they function properly; in some cases you need to disable then re-enable them before they work properly.

14. Remember in Outlook Web App 2013 / 2016, public folders are not visible until you add them!

Note: If (post migration to Exchange 2016) your users cannot access the public folders, see the following article.

Users Cannot Access Public Folders Post Migration (Exchange 2016)

Related Articles, References, Credits, or External Links

Thanks to Brian L. Jensen, for the feedback about the new public folder migration procedure.

Thanks to Eske (Boxx Jakobsen), for the Public Folder Migration feedback and assistance.

Thanks to Tobias Gebler for the Public Folder mail flow feedback.

Migration From Exchange 2010 to Exchange 2016 Part 3

Covering transferring certificates from Exchange 2010, and decommissioning your old Exchange servers.

Original Article Written: 19/04/13

Deploying VMware View 5 – Part 1: Configure Active Directory and Deploy VMware Connection Server

KB ID 0000594

Problem

Note: This is an old post for VMware view version 5, you might want to read Deploying VMware Horizon View instead.

VMware View is a big product, deploying it can be daunting, and if you’re not sure what you’re doing it’s pretty easy to deploy ‘misconfigured’, or at the very least not configured as well as it should be. I’m going to run through most requirements, but it would seem sensible to break this up into a few different articles.

Solution

Configuring Windows Active Directory for VMware View

1. Before you start, on your domain controller open active directory users and computers (dsa.msc). Create an OU for your View Desktops, also to make administration easier create a separate OU for any linked clones you are going to deploy. In the example below I’ve nested one inside the other to keep my AD neat and tidy.

2. Also whilst in AD users and computers, create some groups, one for ViewUsers, and one for ViewAdministrators. Add in your users to the groups as required.

Note: You can call the groups whatever you like, and have as many different groups as you like.

3. Now connect to your Virtual Center Server, and add the domain ViewAdministrators group to the LOCAL Administrators group on that server.

Installing and configuring VMware View 5

4. Run the installer for VMware Connection Server (there is a x32 and an x64 version, make sure you download the correct one as VMware call the x64 bit version VMware-viewconnectionserver-x86_64-5.0.1-640055.exe, which at first glance looks like a x32 bit file). Accept all the defaults until you see the following screen, and select View Standard Server.

  • View Standard Server: Select if this is the first Connection Server you are deploying.
  • View Replica Server: Select this if you already have a connection server and you want to copy the configuration from that server, once in operation it just becomes a standard replica server.
  • View Security Server: Usually placed on an edge network or in a DMZ to broker connection requests.
  • View Transfer Server: Only required if your clients are going to use ‘Local Mode’ for their View desktops.

5. Accept all the defaults and finish the installation.

6. Connect to the VMware View administrator console, this is a web connection to https://{Connection-server-name}/admin Note: Adobe Flash is required for it to work.

7. The first time you connect it will take you straight to View Configuration > Product Licencing and Usage > Select “Edit Licence” and type/paste in your licence key.

8. To point the connection server to your virtual center server, select View Configuration > Servers > vCenter Server section > Add.

9. Give it the vCenter server name, and a username and password for a user who is a member of your ViewAdministrators group.

Note: If your vCenter server has VMware composer installed this is where you would enable it. At this time I do not, but I will return here later after I’ve installed it when I cover VMware Composer and ‘linked clones’.

Related Articles, References, Credits, or External Links

Deploying VMware View 5 – Part 2: Configure Windows 7 to be a VMware View Desktop

Set Up the VMware View 5 (and Horizon View) Event Database

KB ID 0000856

Problem

Below I’ll configure SQL 2008 R2, insofar as I will setup a new database for the View Events, create a user for that database, then finally connect the View 5 Horizon View Connection Server to that database.

Solution

1. Firstly, I’m assuming you have a SQL Server set up and ready to create a database on. If you do not, rather than reinvent the wheel, follow my instructions in the article below.

Deploying VMware View 5 -Part 4 Installing and Configuring SQL 2008 R2

Note: Complete ONLY Steps 1 to 6 then return here.

2. Login to the SQL Management Studio > Databases > New Database.

3. Call it View5Events (Note: You can call it ‘Aunty Mary’s Canary’ if you want to).

4. Options section > change the recovery mode to ‘Simple’ > OK.

5. Expand Security > Logins > New Login.

6. Give the user a name i.e. view5events > Tick ‘SQL Authentication’ > Type and re-type a password > Untick ‘Enforce password policy’.

7. User Mapping tab > Tick the View5Events Database > Tick db_owner > OK > Close the SQL Management Studio.

8. Login to the Connection Server (Flash Required) > View Configuration > Event Configuration > Edit,

Database Server: The name of the Server Running SQL.
Port: 1433 (Standard SQL Port, make sure it is NOT blocked by a firewall).
Database Name: View5Events
User name: view5events
Password: {You set above}
Table prefix: _vdi

9. To see if it is working > Monitoring > Events > (It may be empty for a while don’t panic).

 

Related Articles, References, Credits, or External Links

NA