Archive

Archive for October, 2008

Test From My iPod

October 21, 2008

As per title, test post.

Move along please.

Categories: Personal

Renewing Internal Certificates -> The Easy Way

October 15, 2008

Internal certificates for Exchange expire. End of.

You need to be wary, keep an eye on your Event logs (especially on any Hub Transport or Edge role servers), and look for the following warning;

Event Type: Warning
Event Source: MSExchangeTransport
Event Category: TransportService
Event ID: 12018
Date: 08/09/2008
Time: 12:24:15
User: N/A
Computer: SERVER
Description:
The STARTTLS certificate will expire soon: subject: SERVER.DOMAIN.LOCAL, hours remaining: A41370EEC5510BD5D5F3D1DB4A8D27846F045A2C. Run the New-ExchangeCertificate cmdlet to create a new certificate.

When you get these, it’s easy enough to fix.

[screenshot: Get-exchangecertificate.jpeg]

Note the services the certificate is enabled for (by default: POP, IMAP, IIS, SMTP on CAS + HT servers). Copy the thumbprint of the certificate, and run the following;

[screenshot: get-exchangecert2.jpeg]

If the certificate is SMTP enabled, you will get the following error message;

[screenshot: get-exchcert3.jpeg]

Select [Y] for Yes.

Checking the certificate again, you should find the new one installed with a new expiry date (and the old one too);

[screenshot: get-exchcert4.jpeg]

If you wish to use the Certificate for IIS also, type the following;

[screenshot: enable-exch1.jpeg]

Ok, last bit. Test that the certificates are working, then remove the old one;

[screenshot: remove-exch.jpeg]

All done.
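The same renewal procedure as one Exchange Management Shell session, added here as an example (these are not the commands from the screenshots above): it lists certificates close to expiry, clones the expiring one, re-enables the services the old one served, and verifies before removing it. The old thumbprint is a placeholder, and the 30-day window is an assumption.

```powershell
# Added example (not from the original post). Exchange 2007 Management Shell.
# Replace the placeholder with the thumbprint shown by Get-ExchangeCertificate.
$OldThumbprint = "PLACEHOLDER_OLD_THUMBPRINT"
$warnDays = 30   # assumed warning window

# 1. Which certificates expire soon, and which services are bound to them?
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays($warnDays) } |
    Format-Table Thumbprint, Subject, NotAfter, Services -AutoSize

# Correlate with the 12018 warnings the transport service logs before expiry.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -eq "MSExchangeTransport" -and $_.EventID -eq 12018 } |
    Select-Object TimeGenerated, Message

# 2. Note the services on the old certificate, then clone it into a new
#    self-signed certificate with the same subject and domains.
#    Answer [Y] when asked to overwrite the default SMTP certificate.
$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
"Old certificate services: " + $old.Services
$new = $old | New-ExchangeCertificate

# 3. Re-enable every service the old certificate served (IIS is not bound
#    automatically by the clone, so set the full list explicitly).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services "POP,IMAP,IIS,SMTP"

# 4. Verify: the new thumbprint should now be the one bound to each service,
#    and the old one should show no services.
Get-ExchangeCertificate | Format-Table Thumbprint, NotAfter, Services -AutoSize

# 5. Only once mail flow and OWA have been confirmed on the new certificate:
Remove-ExchangeCertificate -Thumbprint $OldThumbprint
```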

Categories: Exchange 2007

OALGen will skip user entry 'USER' in address list '\Global Address List' because the SMTP address '' is invalid

October 13, 2008

This old flame popped up again the other day. Now I seem to remember there were some pre-SP1 issues regarding this, however I wasn’t aware that post-SP1 you could still have problems.

Basically the OAB won't generate entries for users whose "Email" field in AD is blank (or, in fact, not the same as the "Reply To" address in Exchange).

What do you do if you have multiple users who are incorrect, and you need to fix it (but don’t want to spend hours finding / fixing accounts one at a time)?

You script it of course.

From a command prompt, run dsquery user > objects.txt (you may need the -limit flag, as dsquery caps the number of results by default).

Edit the file to remove the command-prompt cruft, so that it starts at your first user's DN.

Save the following script as a .vbs file (in the same folder as your objects.txt) and run it.

' This code will output all users without an email address in AD who should have one.
' It will also change the address (if required).
' Written by Stephen Croft from ANS

strTextFile = "objects.txt"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strTextFile, 1, False, 0)

Dim primary
strSMTP = "SMTP"

' Get("mail") raises an error when the attribute is empty; carry on and treat it as blank
On Error Resume Next

Do
    strObject = objTextFile.ReadLine
    ' dsquery wraps each DN in double quotes; strip them
    strObject = Mid(strObject, 2, Len(strObject) - 2)

    Set objObject = GetObject("LDAP://" & strObject)

    ' Gets the current Email AD field (stays "" if the attribute is not set)
    intEmail = objObject.Get("mail")

    ' Finds the primary email address in "proxyAddresses": the entry starting with
    ' upper-case "SMTP:" is the primary (lower-case "smtp:" entries are secondaries),
    ' hence the case-sensitive binary compare
    For Each EMail In objObject.GetEx("proxyAddresses")
        primary = InStr(1, EMail, strSMTP, vbBinaryCompare)
        If primary = 1 Then
            intProxy2 = Right(EMail, Len(EMail) - 5)   ' strip the "SMTP:" prefix
        End If
    Next

    ' Should the user have an address (i.e. is there a primary SMTP)?
    If intProxy2 <> "" Then
        ' Echoes the object that is blank, and the correct email address
        If intEmail = "" Then
            WScript.Echo strObject & " is blank, should be " & intProxy2
            ' Changes the AD object (2 lines of code) to have the primary as the AD email
            objObject.Put "mail", intProxy2
            objObject.SetInfo
        End If
    End If

    ' Blanks all variables to keep it functioning properly
    intEmail = ""
    intProxy2 = ""
Loop Until objTextFile.AtEndOfStream = True

The two lines that write to AD (objObject.Put "mail" and objObject.SetInfo) change the objects; it is probably best to REM these out first and test what the script wants to change (and to what, for that matter) by running it from a cmd prompt and piping the output into an output.txt of some sort.

And excuse my scripting, it’s not always the tidiest (but it works goddamn it!! 😛 )

Have fun 🙂
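A PowerShell equivalent of the script above, added here as an example (it is not the post's own code): it also reports users whose mail attribute is set but differs from the primary SMTP proxy address, the second case mentioned above, and it only writes to AD when run with -Fix. It assumes objects.txt holds one quoted DN per line, as dsquery user produces; the script name Fix-OabMail.ps1 is hypothetical.

```powershell
# Added example (not from the original post). Save as Fix-OabMail.ps1 and run
#   cscript-free:  .\Fix-OabMail.ps1        (report only, tab separated)
#                  .\Fix-OabMail.ps1 -Fix   (also write the primary SMTP into mail)
param([switch]$Fix)

Get-Content "objects.txt" | ForEach-Object {
    $dn = $_.Trim().Trim('"')          # dsquery wraps each DN in double quotes
    if ($dn -eq "") { return }
    $user = [ADSI]("LDAP://" + $dn)

    # The primary SMTP address is the proxyAddresses entry prefixed with upper-case
    # "SMTP:"; lower-case "smtp:" entries are secondaries, so match case-sensitively.
    $primary = @($user.proxyAddresses) |
        Where-Object { $_ -clike "SMTP:*" } |
        ForEach-Object { $_.Substring(5) } |
        Select-Object -First 1
    if (-not $primary) { return }      # no primary SMTP: OALGen has nothing to check

    $mail = [string]$user.mail
    if ($mail -eq "") {
        $state = "BLANK"
    } elseif ($mail -ne $primary) {    # addresses compare case-insensitively
        $state = "MISMATCH"
    } else {
        return                         # mail already equals the primary SMTP
    }

    # DN, problem, current mail, value OALGen expects
    "{0}`t{1}`t{2}`t{3}" -f $dn, $state, $mail, $primary

    if ($Fix) {
        $user.Put("mail", $primary)
        $user.SetInfo()
    }
}
```

Run it without -Fix first and redirect the output to a file; only the rows it prints would be changed on a second run with -Fix.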

Categories: Exchange 2007, VBScript

Finding users who are not Inheriting Rights

October 6, 2008

Got a request from a support company: they have found multiple users who are not inheriting rights from above. These users are random, and he wanted a quick way to find (and therefore fix) the users affected. Screenshot below of the checkbox the users have mysteriously "unchecked";

[screenshot: VBScript0.jpeg]

So I created a little script that will check users to see if they are set to inherit or not.

First, create a new folder. Get a list of all users in your AD (or a specific OU) by doing the following;

[screenshot: VBScript1.jpeg]

Now, create a VBScript file with the following content;

' This code will output all users who are currently NOT inheriting
' security from above.
' Written by Stephen Croft and Chris Stos-Gale from ANS

strTextFile = "objects.txt"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strTextFile, 1, False, 0)

' SE_DACL_PROTECTED bit of the security descriptor Control field; when set,
' the object does not inherit permissions from its parent
Const SE_DACL_PROTECTED = &H1000

Do
    strObject = objTextFile.ReadLine
    ' dsquery wraps each DN in double quotes; strip them
    strObject = Mid(strObject, 2, Len(strObject) - 2)

    Set objObject = GetObject("LDAP://" & strObject)
    Set objNtSD = objObject.Get("nTSecurityDescriptor")
    intNTSDControl = objNtSD.Control

    ' A typical non-inheriting user shows Control = 39940 (&H9C04), which includes
    ' the &H1000 bit; testing the bit alone also catches other flag combinations
    If (intNTSDControl And SE_DACL_PROTECTED) <> 0 Then
        WScript.Echo strObject & vbTab & "Needs Changing"   ' tab separated for Excel
    End If
Loop Until objTextFile.AtEndOfStream = True

And save it in the same folder as the objects.txt file that the first part created.

Now, back to command prompt for the following;

[screenshot: VBScript2.jpeg]

Where test.vbs is your vbs file you created (obviously).

This will create an output txt file (test.txt in this case) that is tab separated (for Excel import) of all users who are NOT inheriting rights from above.

To change them to be inheriting, either pick through the list manually, or edit the VBS script slightly as per below;

' This code will output all users who are currently NOT inheriting
' security from above, and re-enable inheritance on them.
' Written by Stephen Croft

strTextFile = "objects.txt"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strTextFile, 1, False, 0)

' SE_DACL_PROTECTED bit of the security descriptor Control field; when set,
' the object does not inherit permissions from its parent
Const SE_DACL_PROTECTED = &H1000

Do
    strObject = objTextFile.ReadLine
    ' dsquery wraps each DN in double quotes; strip them
    strObject = Mid(strObject, 2, Len(strObject) - 2)

    Set objObject = GetObject("LDAP://" & strObject)
    Set objNtSD = objObject.Get("nTSecurityDescriptor")
    intNTSDControl = objNtSD.Control

    If (intNTSDControl And SE_DACL_PROTECTED) <> 0 Then
        ' Clear only the protected bit; every other control flag is kept
        intNTSDControl = intNTSDControl And (Not SE_DACL_PROTECTED)
        objNtSD.Control = intNTSDControl
        objObject.Put "nTSecurityDescriptor", objNtSD
        objObject.SetInfo
        WScript.Echo strObject & vbTab & "Inheritance re-enabled"
    End If
Loop Until objTextFile.AtEndOfStream = True

Obviously be careful with this, and don’t hold me responsible if it breaks anything!!!
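A PowerShell version of the inheritance check, added as an example (not the post's own script): it decodes the Control word of nTSecurityDescriptor and tests the SE_DACL_PROTECTED bit (0x1000) rather than comparing the whole value to 39940 (0x9C04, which contains that bit), so users whose other flags differ are still found, and it cross-checks against the .NET view of the same flag. Read-only unless run with -Fix; it assumes objects.txt holds quoted DNs from dsquery user, and the name Find-NoInherit.ps1 is hypothetical.

```powershell
# Added example (not from the original post). Save as Find-NoInherit.ps1.
#   .\Find-NoInherit.ps1        report only, tab separated (Excel friendly)
#   .\Find-NoInherit.ps1 -Fix   also re-enable inheritance on the listed users
param([switch]$Fix)

$SE_DACL_PROTECTED = 0x1000

Get-Content "objects.txt" | ForEach-Object {
    $dn = $_.Trim().Trim('"')            # dsquery wraps each DN in double quotes
    if ($dn -eq "") { return }
    $user = [ADSI]("LDAP://" + $dn)
    $sec  = $user.psbase.ObjectSecurity  # System.DirectoryServices.ActiveDirectorySecurity

    # Self-relative security descriptor layout: byte 0 revision, byte 1 reserved,
    # bytes 2-3 the Control word (the value the VBScript reads as objNtSD.Control)
    $bytes   = $sec.GetSecurityDescriptorBinaryForm()
    $control = [BitConverter]::ToUInt16($bytes, 2)
    $blocked = ($control -band $SE_DACL_PROTECTED) -ne 0

    # The .NET property reflects the same bit; disagreement means something is off
    if ($blocked -ne $sec.AreAccessRulesProtected) {
        Write-Warning "$dn : Control flag and AreAccessRulesProtected disagree"
    }
    if (-not $blocked) { return }

    "{0}`tNeeds Changing`tControl=0x{1:X4}" -f $dn, $control

    if ($Fix) {
        # isProtected = $false re-enables inheritance; preserveInheritance = $true
        # keeps the explicit ACEs already on the object instead of discarding them
        $sec.SetAccessRuleProtection($false, $true)
        $user.psbase.CommitChanges()
    }
}
```

A user from the post would print Control=0x9C04; the value's other bits (self-relative, DACL present, auto-inherited flags) are left untouched by the fix.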

Mutual-TLS between Exchange 2007 and external domains.

October 2, 2008

Hmm.

Couple of people have raised calls regarding this.

Surprisingly (well, not), the documentation from Microsoft is rather bizarrely... well, Microsoftised.

However, it is decent background reading anyway, so I will paste here the required links (for Exchange 2007 mind), and possibly later post with a “shortened” version for normal people to understand.

Certificate Uses in Exchange Server 2007

TLS Functionality and Related Terminology in Exchange 2007

How to Configure Mutual TLS for Domain Security.

Fantastic (eugh) reading, so get ready to be Microsoftised and enjoy it 😉

Categories: Exchange 2007

Troubleshooting 0x8004010F OAB errors (External Link)

October 2, 2008

The linked page has some interesting info regarding OAB and 0x8004010F errors 🙂

Enjoy.

Problems with Public Folder Replication?

October 2, 2008

Having problems getting PF’s replicated (or moved) between 2003 and 2007?

KB 830181 suggests a fix for Exchange 5.5 / 2000 to 2003.

However, I have it on good advice (Thanks Mr Chandra) that this method can also fix any “sticking” folders in 2003 -> 2007. The only difference is that instead of restarting the MSExchangeTransport service, you have to bounce the box.

Mr Chandra also suggested you place this on the receiving server.

Worth a go for the sake of a reboot.