Tuesday, December 23, 2008

Merry Christmas and Happy New Year


I would like to wish Merry Christmas and Happy New Year to all my friends, Students and visitors. I would not have gone this far without your support and I do appreciate it.


I am wishing you and your lovely families all the best, great Xmas and Happy New year, also I wish the New Year will bring good health and high spirits.

Oz ozugurlu MVP (Exchange)

MCITP (EMA), MCITP (EA) MCITP (SA),

MCSE (M+, S+) MCDST, Security+, Server +, Project+

Blog:http://smtp25.blogspot.com/

Blog:http://telnet25.wordpress.com/

Monday, December 22, 2008

Offline defrag & Exchange maintenance

Should offline defrag be considered as one of the scheduled maintenance task for Exchange administrators? The short answer is going to be "No". The simple reason behind this, taking Exchange offline will cause "Outage" and if there is no space gain (white space, 30 percent usable space) there is no point of performing offline defragmentation at any cost.

Let me state this up front, those of you who are running enterprise version of Exchange should never perform offline defrag and cause outage, you need to create empty database and move user mailboxes

(In the night& off business hours) onto it and delete the old one contains white space. (Assuming you does have at least, one mail store available to achieve this goal.)

The process behind running offline defrags is that, exchange wont takes existing database and remove the white pages out the database and makes it ready to use. It Instead it copies used pages from old database and creates new database. When copy pages finishes it re-point the logs to the new database and it assigns nee signature to it.

How do we know if we need to perform offline defragmentation, the Exchange server's application logs "1221" will tell you how much white space (unusable)

Here is great article goes deep into 1221

http://blogs.msdn.com/jeremyk/archive/2004/04/09/110553.aspx

Here is MS team blog goes deep into

http://msexchangeteam.com/archive/2004/07/08/177574.aspx

Best,

Oz ozugurlu MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com/

Sunday, December 21, 2008

Dedicated Active Directory Sites for Exchange 2007

I remember it used to be the best practice for placing the Exchange servers to its own site in Exchange 2003. To protect the DC/GC and dedicate them exchange usage only, and not letting other processes to eat up all DC/GC resources in multimaster replication model, we even lift the "DC locator DNs SRV Records" and give higher priority so that those DC/GC should be used by exchange only.

The problem is hard coding "DSAccess" causes the single point of failure if dedicated DC's are not accessible. Putting Exchange to its own site, will force exchange (DSAccess) to located DC's within its site fist, and it they are no accessible they will go out and located other DC's so that exchange remains happy and functionally.

Placing DC/GC ratio is 1:4, meaning 1 DC/GC per 4 Exchange servers, for Exchange 2007 1 DC/GC for per mailbox server. (Details in the following article)

How do all these apply to Exchange 2007? If you remember the changes in Exchange 2007 structure, "Site base routing" you will make you, predict a close guess and know dedicated DC/GC is not recommended for Exchange 2007.

I always wondered why we could not have more control over DSaccess, such as hard code it for specific server and at the same time being able to say, if these wont response go discover automatically any available GC or even tell it where to go second? Maybe next version of exchange (-:, who knows

Here is excellent article at Exchange Team Blog.

Best,

Oz ozugurlu MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com/

Monday, December 15, 2008

Recommended mailbox size and Exchange Databases

Below is classical questions asked at least one time in every consulting place I walked in so far. I do understand from the costumer stand point why to ask these questions to Exchange SME.

From my experience most of the contract I death with did not fallow the MS best practices. The ones did follow, very little work to do, or there was no reason for me to be there.

Here is a great tip for those who wish to implement MS best practice. Use magic way of locating this information "goggle it". Most of the time Google will take you to right article or TechNet page faster than any other method as far as I know. I have also included some basic foundation information which I think is very important for all exchange administrators to know and understand better the entire concept.

Optimizing Database Access

The exchange database arte not to be larger than 50 to 100 GB, according to best practices, explained in below MS article, the link for the original article is also included.

  • For servers supporting large information stores (50 to 100 GB), it is especially important to follow these guidelines
  • Place transaction log files and database files on different disks.
  • Dedicate a high performance spindle to the transaction logs.
  • Use a dedicated partition for the databases. Experience shows that as servers get bigger, the database partition starts to use a lot of I/O. This is especially true for RAID 5 partitions because of the added overhead. As a result, it's a good idea to only put database files on the database partition.
  • Put the MTA database and tracking logs on the system disk (if you don't have a spare spindle), not the database partition.

    The reality behind the size of the database is that the bigger the database is, it gets harder for application to handle. Same goes for I/O, CPU and memory relationship. The factors listed above are to provide the best performance. The RAID also indicating the most redundancy for given configuration. The fact is that, understanding what type of operations any application uses, the key for deciding the RAID level. For instance, if the task or process read intensive (Logs) the RAID level has to be decided in accordance to the read operations. If, the task or process write intensive (Database) same goes for RAID. So keep in mind the fastest and most redundant way will be considering these factors and performing implementation accordingly.

The following sample disk configuration is recommended for typical large servers.

  • Mirror set 1

    System disk. Includes binaries, swap file, MTA database.

  • Mirror set 2

    Transaction files only.

  • RAID 5 partition

    Exchange information store and directory databases only.

What is the recommended mailbox size for per users, what are the some industry best practices out there, people are already using

  • What is the recommended size for Exchange databases?

    50-100 Gig for per database.

  • Offline Exchange Defragmentation and how long will it take.

    It takes about one hour to defragment 5 to 10 GB

  • Why to do Exchange offline defragmentation?

    If there is enough whitespace (Unusable space) on the exchange databases, the administrator might consider performing offline defragmentation. Remember offline means "Outage" so it has to be planned with business owners and end users.

    There is no need to perform offline defrag, if you are running enterprise version of exchange. Simply create new database move the users into this newly created database and delete the old database.

  • Is your mailbox is big and causing performance issues to the exchange server?

    It's not the size of the mailbox that impacts performance - it is the number of items in the folder or folders that are being accessed on the server. Read more


Ps: Please remember these number are estimate, the actual CPU,HD, and month of memory in the system will effect these numbers.

Below information taken from same article, if you pay attention to couple lines below you will have good foundation and understand how exchange writes data to the database.

When Exchange is running, technically the databases are inconsistent.

Exchange starts, while Exchange is running normally, the databases are technically inconsistent. Why is that so?

The Exchange database engine caches the disk in memory by swapping 4 KB chunks of data, called pages, in and out of memory. It updates the pages in memory and takes care of writing new or updated pages back to the disk. This means that when requests come into the system, the database engine can buffer data in memory so it doesn't have to constantly go to disk. This makes the system more efficient because writing to memory is "cheaper" (or faster) than writing to disk. When users make requests, the database engine starts loading the requests into memory and marks the pages as "dirty" (a dirty page is a page in memory that has been written with data). These dirty pages are then later written to the information store databases on disk.

Although caching data in memory is the fastest and most efficient way to process data, it means that while Exchange is running, the information on disk is never completely up-to-date. The latest version of the database is in memory, and since many changes in memory haven't made it onto disk yet, the database and memory are out of sync

Why LOG files are very important (Many people think databases are the most important)

  • Most people naturally think that the database files are the most important aspect of data recovery. But, transaction log files are actually more important because they reflect what will happen with the data, not what has happened.
  • Transaction log files are a sequence of files whose purpose is to keep a secure copy on disk of volatile data in memory, so the system can recover in the event of a failure.
  • When a change is made to the database, the database engine updates the data in memory and synchronously writes a record of the transaction to the log file that tells it how it could redo the transaction in case the system fails
  • Logically you can think of the data as moving from memory to the log file to the database on disk, but what actually happens is that data moves from memory to the database on disk
  • To keep track of the data that hasn't yet been written to the database file on disk, the database engine maintains a checkpoint file called Edb.chk for every log file sequence. The checkpoint file is a pointer in the log sequence that maintains the status between memory and the database file on disk. It indicates the point in the log file where the information store needs to start the recovery from if there's been a failure. In fact, the checkpoint file is essential for efficient recovery because if it didn't exist, the information store would have to attempt recovery by starting from the beginning of the oldest log file it found on disk and then check every page in every log file to determine whether it had already been written to the database
  • Circular Logging—Don't Use It! And why

    It eliminates your ability to recover all changes since your last backup if your information store is corrupted due to a hardware failure. Remember logs are the duplication of real data being written to the database, it is insurance for exchange if information in the memory vanishes. When you turn on circular login, start deleting all logs as they come in, you are eliminating to your exchange server to recover if it crashes. Therefore you would need your last full backup to get back to business. Or after tuning CL logging it is advices to immediate full backup.

When offline defrag runs, it creates a new database file and then copies all the data in the old file to the new file.

This can take a lot of time. On average, it takes about one hour to defragment 5 to 10 GB.

http://www.microsoft.com/technet/archive/exchangeserver55/maintain/edbwp.mspx?mfr=true

Recommended Mailbox Size Limits

http://msexchangeteam.com/archive/2005/03/14/395229.aspx

Best,

Oz ozugurlu MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com/


Friday, November 21, 2008

Rollup 5 for Exchange Server 2007 Service Pack 1

If you have not had chance to look into RU5, here it is , along with all the fixes. There are quite a bit fixes and I recommend you all to schedule deployement to your exchange 2007 servers

more information can be obtained below KB953467

http://support.microsoft.com/?kbid=953467


Best,

Oz ozugurlu MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com/


Tuesday, November 11, 2008

Why we should not install Exchange on Domain Controllers

This post below is from TechNet and to me it is very interesting and has a great value. It seems to be the case for installing Exchange on a domain controllers happening time to time and making me say all the times

No, No, No (- :, same way around I most often get upset to see another application on the domain controllers and yes I do know Microsoft gives you everything and tell you install it Small business servers makes me always say

no no no, please (-: don't do it.

The point is for those of you work in enterprise environment will know the best practice is to dedicate separate resources for any server and off course it cost more $$$$.

Anyways, some of the basic troubleshooting skill and knowing some the trash holds for exchange and outlook is the key to identify the bottlenecks and performance related issues which is addressed in this article

Here is the situation:

The domain controller was configured by somebody else, w2k3 with all Sp's. I had to install exchange 2003 on that server.

The installation went fine, and exchange is working perfect ....BUT The webmail is working fine, but the communication between exchange and

Outlook is a problem. When I configure outlook to use exchange, and when I click on 'check name',

the DNS resolving is already slow, but it resolves .... . Then, when I want to start outlook it says (on all clients) that there is no communication possible with the Exchange server and outlook shuts down

Response

Thomas, this is going to be third time you will hear the same thing (-: installing exchange on a domain controller is *** no, no, no for many reasons, obvious one is the performance and unhappy clients and more work for you. Complicating scenarios in such will make clients and business suffer in my opinion.

Anyway the way Exchange application is build by design, will consume all memory resources for instance ( Store.exe) and will let even your OS ( windows 2003) or your DC's Lsas.exe not being so happy up front may cause replication problems and lookup problems and performance problem soon or later.

For future references please do not install exchange on a domain controller "Since domain controllers busy they authenticate users, they deal with (.dit) database and they don't like sharing their resources with any other applications as well as exchange.

In your case they even do more, they are GCs, WINS and who knows if you have other services turned on.

Now for your outlook slowness problem let's focus on the statement you made

"Communication between exchange and Outlook is a problem."

When you configure exchange for a client from outlook for the name of your exchange servers and client name window on the setup, you can put there the name of your domain controller instead of your exchange server.

This will trigger quick look up for the user mailbox location process the request will go to AD database and locate the user object, and the attribute called "ExchangeHomeDB" will be located and the name of the exchange server will be placed into the outlook setup quickly.

Before I speculate more the problem can you please post some of the event logs from your exchange server (application logs) if there is anything interesting.

General questions I would ask

Does outlook client closes up on all the workstations? Try multiple workstations and make sure this is not client side issue as wrong link speed on the NIC, or bad switch etc.

Open outlook from one of the client with outlook /RPCdiag and observe the window to see where outlook application is trying to connect?

As it was suggested before since you have the exchange and DC/GC on the same box this will generate stress on the DC and exchange lookup ups might be the problem, poor performance from DC/GC to the exchange will cause slowness.

Are you seeing any errors " Outlook is retrieving data from exchange server" the famous Christmas Balloon

Check this article it might give you an idea how outlook works

http://smtp25.blogspot.com/2007/05/outlook-is-retrieving-data-from_23.html


Remember

The server that Outlook queries for this information is either a "Microsoft Exchange Server" or "Global catalog server" which is same box in your case

If the server name appears as a NetBIOS name, the data is being retrieved from an Exchange Server computer. If the server name appears as a fully qualified domain name (FQDN), the data is being retrieved from a global catalog server.

You may have to turn on some of the performance counter on the exchange server to indentify the bottleneck

On the bottom of this article

Troubleshoot performance issues

Physical disk (all instance)


  • Avg Disk Sec/Read
  • Avg Disk Sec/Write
  • Current Disk Queue Length


MSExchangeIS


  • MSExchangeIS
  • RPC Averaged Latency
  • RPC Requests
  • RPC Operations/Sec


Finally

Typically, it is a good idea for the RPC Requests counter to be lower than 10.

If it is higher than 25, this is an indicator of a resource bottleneck.

Only 100 requests can be handled at the same time.

If the RPC Requests reach 100, the client will experience refused connections

The recommended values for the Avg Disk Sec/Read counter and for the Avg Disk Sec/Write disk counter are as follows:

  • Good < 20 msec
  • Fair < 30 msec
  • Poor < 40 msec
  • Cache/Exec < 1 msec
  • Cache/Good < 2 msec
  • Cache/Fair < 4 msec

You need to spent time to identify all these and come up with conclusion

Good luck

Oz

Oz ozugurluMVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com/

Friday, November 7, 2008

Some Random Thoughts for AD & DNS best practices.





DNS as known as Domain name system and widely accepted and it is being used heavily with active directory and ADDS services. I have noticed most of the time administrators try to find the tune up the DNS or wonder what the correct way to deal with it is. I decided to put some best practices and tune up I use it all the time and share with you all here on my blog.

Before we dive into DNS I wanted to refresh some good information in regards to DNS ports.

  • Most of us do know DNS uses port 53 UDP and TCP it depends the query.
  • DNS Service uses dynamic UDP ports (above 1023) for all client standard query messages
  • The client requests from a random port above 1023 to server port 53
  • DNS Servers response from the port 53 to the originating port on the client (above 1023)
  • Only the server-to-server communication goes from port 53 to port 53. The requests as well as the responses.

What are the some of the best practices when it comes to configuring and tuning DNS servers in active directory? Please note that most of the experienced administrators will recommend using AD integrated DNS.

  1. Point DNS servers to itself in the TCP/IP properties as their Primary DNS. Pointing AD/DNS server to ISP DNS servers on the TCP/IP Properties is NO NO NO !!!!!!
  2. Install DNS on domain controllers and use Active directory integrated DNS option.
  3. Using more than 2 NIC on the DC's/DNS's are NO NO NO !!!!!!
  4. Every DC registers bunch of dynamic records in DNS and having two NIC will confuse the clients and applications who are trying to locate services from DCs, so avoid the trouble and don't let this happen. Most often I see genius idea of having second interface on the domain controller for backup purpose (backup VLAN)
  5. Disable all other interfaces if there are any and name them "Disabled do not enable" on the TCP IP properties of each disabled interface, on the advance tab "register this connection's addresses in DNS" Unchecked, in case the interface gets enabled and register itself to the DNS database.
  6. Forward the recursive queries which your domain is not authoritative for to the ISP DNS servers and let them do the heavy work. ( internet connectivity for the servers and clients)
  7. Enable the root hints option beside forwarders if the forwarders won't response the queries.
  8. On the NIC card properties of your DC/DNS make sure the option "register this connection's addresses in DNS" is checked, the box is ticked.
  9. Go to your DNS, forward lookup zone locate _msdcs.yourDomain.org , go to properties , click on name servers and make sure all the servers listed there are domain controller and they are functioning properly. Each IP listed there will claim to be the DNS name space for your domain and will response the queries. If there is an IP address no longer DC/DNS remove it from the list
  10. Go to your DNS, forward lookup zone locate _msdcs.yourDomain.org , on the bottom make sure "Secure only" is selected , or otherwise if you have UNIX servers updating DNS you will need to enable secure and none secure, but most of the cases "Secure ONLY" unless you really know the environment don't pock around with this settings and leave it secure.

    Make sure the zone Type is Active Directory-Integrated.

    You can enable dynamic updates from command line

    dnscmd ServerName /Config {ZoneName..AllZones} /AllowUpdate {10}


  11. Same goes for SOA and NS records make sure the IP addresses listed there are healthy valid DC/DNS servers
  12. Open DNS console at the very top where you see the computer icon , make a right click and go to properties
  • Interfaces, listen on
  • Select "Only the following IP Addresses"
  • Make sure there is one interface (Production) listening on DNS
  • I recommend renaming each NIC card as "Production" so you know by looking at the interface what it is.

  1. Click on forwarders
  • List the ISP IP addresses under forwarders for internet name resolution
  • Enable "Use root hints no forwarders are available"
  1. Click on Advance
  • Enable following
  • Fail on load if bad zone data
  • Enable round robin
  • Enable netmask ordering
  • Secure cache against pollution
  • Make sure "name Checking" is Multibyte (UTF8)
  • Load zone data from active directory and registry
  1. Click on monitoring
  • Select a test type
  • Simple query against this DNS server
  • A recursive query to other DNS servers
  • Make sure it passes

Couple things to remember

  • Never install any other application on the DC itself , DC' s are busy they do have ADDS database installed on them and they authenticate users, leave them alone.
  • Installing Exchange on Domain controller is NO NO NO !!!!!!
  • Installing any other application on DC is NO NO NO !!!!!!
  • Not following MS best practices on the physical and logical partition of the domain controllers NO NO NO !!!!!!

Best practices for DNS

Frequently Asked Questions About DNS

Troubleshoot DNS Name Resolution

10 DNS Errors That Will Kill Your Network

Troubleshooting Active Directory DNS Errors

Troubleshoot DNS Name Resolution

Oz ozugurlu

MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com

Monday, November 3, 2008

Outlook 2003: Inbox - unable to display folder



Problem

On Terminal server some users are reporting 'Unable to display folder' for the users Inbox". Al other folders seems to be fine, and users can compose new e-mail and sent it without any problems, however accessing inbox generates the error.

Solution:

After poking around with security settings, we discovered the fix was very easy, start outlook with the /cleanviews switch. The outlook did freeze up a little bit and magic switch did do the trick.

Why this happened:

I wish I could come up with logical answer for the corruption of default views, I am in the dark, who knows, the reality is that knowing some of the outlook switches are very useful and save time for sure

I did a post while back about these switches, here are some of the handy ones

  • /cleanviews
  • /CleanProfile
  • /CleanReminders
  • /CleanRules
  • /ResetFolders
  • /Rpcdiag

Oz ozugurlu

MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com

Thursday, October 30, 2008

NLtest to see the local PC trust within the Domain




One of the frequent asked questions is that, suddenly the server or workstation drops out the domain and cannot establish successful logon. I have seen such scenarios even on Exchange servers, where administrator goes to AD finds the computer account for the exchange server and clicks on "reset" by mistake, don't ask me how but seriously I have seen this happen at client side.

I have also seen after P2V (Physical to virtual) computer secret is broken and they could not log on to domain. The fix for all these were taking these computers out the domain and adding them back to the domain and re-establish the secure channel between PC, or server to Domain controllers.

The security channel's password is stored along with the computer account on all domain controllers. For Windows 2000 or Windows XP, the default computer account password change period is every 30 days

Below is some very useful information in regards to how windows based computing works with local secret and how this can be reset ?

Each Windows-based computer maintains a machine account password history that contains the current and previous passwords that are used for the account. When two computers try to authenticate with each other and a change to the current password is not yet received, Windows relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may not be able to communicate, and you may receive error messages. For example, you may receive "Access Denied" error messages when Active Directory replication occurs.

You cannot change the machine account password by using the Active Directory Users and Computers snap-in, but you can reset the password by using the Netdom.exe tool

The Netdom.exe tool resets the account password on the computer locally (known as a "local secret") and writes this change to the computer's computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.

Now the question is, is there any way to find out if the trust is broken or in place, to answer this question follow the below examples and investigate each output.

The utility called nttest is used for to test trust relationships

The workstation that is a member of the TESTD domain has an implicit trust with a domain controller

  • C:\>nltest /server:vmdc2 /sc_query:smtp25
  • To determine if a domain controller can authenticate a user account:
  • C:\>nltest /Whowill:smtp25 zz-oozugurlu
  • NLTEST can be used to find a trusted domain that has a given user account.
  • C:\>nltest /finduser: zz-oozugurlu
  • To determine the domain controllers in the ESS domain:
  • C:\>nltest /dclist:smtp25
  • To determine the user
  • C:\>nltest /user: zz-oozugurlu

Technet

KB 325850


Oz ozugurlu

MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com

Tuesday, October 28, 2008

Microsoft TechDays Event in Arlington, VA




Today I attended Microsoft TechDays event is Arlington VA, and had an opportunity to meet with MS folks. I was surprise and exited to meet with Harold Wong (24 Hours of Exchange 2007 webcast series) and also met with Blain Barton. Here is Harold website for all of you one more time, check it out, exchange webcast series, Harold has done incredible work by providing us new futures in exchange 2007 on this video and MP3 series.

The TechDays Event was very interesting, especially Forefront


"Stirling" which is integrated security system which delivers comprehensive solutions. It seems to be Microsoft is going to provide great security system will be doing pretty impressing task. If you want to read more about it here is the link

Oz ozugurlu

MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com

Thursday, October 23, 2008

Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name event ID 1196 and Event ID 1119


Problem:

After setting up windows 2008 Cluster with SQL and Exchange 2007, the following event logs are showing on the event log of the both clusters. The errors are not causing any fail over or operational issues but interesting to investigate and needs resolution

Inside technical info:

Below errors indicating that, the Active cluster node is not able to register the "Cluster name resource" into its own configured DNS server. Basically this is what is happening. The Cluster does have resource called Cluster network name resource. This is one of the resources must be created prior to setting up a cluster and it is being created manually in the DNS database. The cluster active node will own this resource and the active node production network interface will go to its configured DNS and will try to register the cluster name resource record to the DNS database itself. In this example the DNS is refusing the registration, because DNS knows the server does not own the resource name, and hence it is not allowing the active role node to register it.

What does cluster network name resource do?

"The name of the SQL Server is defined by the network name cluster resource, and that name will be used by applications and end users to connect to the failover instance; together these resources represent a logical Windows Server on the network, while running across one or more real Windows Server computers. A failover instance of SQL Server is an item that is created during SQL Server setup; it is not provided by Windows Server."



Root Cause:

When static record got created the option "allow any authenticated user to update DNS records with the same owner" was not selected. Therefore the Cluster nodes (active node) who will own the cluster name resource won't be able to register this resource record to the DNS database behalf of the resource records itself.

Solution:

Go to DNS, find the record ( A & Pointer record) for the cluster name resource.

  • Make a right click
  • Go to properties
  • In the security make sure the "Authenticated users" are included
  • Make sure it has "Write: rights and Special permissions
  • Click Advance, locate authenticated users, and click edit
  • Make sure, Write all properties, Read permissions, All Validated Writes selected
  • Click okay tree times to exit

After investigating further, you will notice there are no more errors on the System logs in this regard


Log Name: System

Source: Microsoft-Windows-FailoverClustering

Date: 10/23/2008 9:30:35 PM

Event ID: 1196

Task Category: Network Name Resource

Level: Error

Keywords:

User: SYSTEM

Computer: MCCNPWINSQL02.smtp25.org

Description:

Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name(s) for the following reason:

DNS operation refused.

Ensure that the network adapters associated with dependent IP address resources are configured with at least one accessible DNS server.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-FailoverClustering" Guid="{baf908ea-3421-4ca9-9b84-6689b8c6f85f}" />

<EventID>1196</EventID>

<Opcode>0</Opcode>

<Keywords>0x8000000000000000</Keywords>

<TimeCreated SystemTime="2008-10-24T01:30:35.648Z" />

<EventRecordID>74214</EventRecordID>

<Correlation />

<Execution ProcessID="1956" ThreadID="20004" />

<Channel>System</Channel>

<Computer>MCCNPWINSQL02.smtp25.org</Computer>

<Security UserID="S-1-5-18" />

<Data Name="ResourceName">Cluster Name</Data>

<Data Name="StatusString">DNS operation refused.

</EventData>

</Event>


Oz ozugurlu

MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com

Friday, October 17, 2008

Creating Bulk Users in Exchange 2007 part two




Hi everyone, this is oz and in this video session we will learn how to create bulk yours in exchange 2007 with very little afford. So just follow me and you will realize how easy this will be.Creating mailbox users has never been easy, especially if you have exchange 2007 and I am going to demo you this easy task in just seconds.

Okay let's get the ball rolling, Log into your exchange 2007 server first and open internet explorer , Go to my Blog www.smtp25.org on the top search for

"Creating BULK Users in Exchange 2007 for testing

part 2 "

Now you found the article. Open your notepad and copy and paste the following string into your notepad. Now we need to open EMC (exchange management console), before we copy and paste the string below we need to make sure the Exchange is ready. Let's find out the name of the storage group

I am going to type Get-MailboxDatabase and find out the name of the Storage group, and here it is I have several of them in my case




  • SG1-MB1
  • SG2-MB1
  • SG3-MB1
  • SG4-MB1
  • SG5-MB1

I am going to pick one, let's say SG4-MB1 and create users in that Storage group and I am going to name these users "Security"


1..100 | ForEach { Net User "User$_" MyPassword=01 /ADD /Domain; Enable-Mailbox "User$_" -Database SG1-MB1 }



We will go back and verify the users present on our exchange server. Now you can change the number of users and the name for the users as you wish

Oz ozugurlu

MVP (Exchange)

MCITP (EMA) , MCITP (EA ) MCITP(SA),

MCSE (M+,S+) MCDST, Security+, Server +,Project+

Blog: http://www.smtp25.blogspot.com

Thursday, October 16, 2008

Directory Database Mounting AD 2008

Directory Database Mounting is one of the new cool futures active directory windows 2008, being able to take snapshot and using it with LDAP tool, such ADUC and looking into offline read only .DIT database.

How cool is that can you imagine. We will do this right now right here together. Why in the world we would ever need to do this Anyway, Imagine you are going to perform security audit and you capture the state of active directory .dit READ ONLY database and you will work on it.

You don't want helpdesk or domain admins to make changes while you are auditing .dit database or you will export Active directory information and wish to plan or design active directory OU structure and so on Whatever reason you have, you will learn how to do this in just seconds and you will see how easy this will be.

What toll or tools we are going to use to accomplish the mission here? We will use build in AD tools such as

  • Ntdsutil
  • Dsamain.exe

STEP BY STEP



Log onto ADDS Server windows 2008

Click on Start go to run , and type the following

  • Ntdsutil
  • Snapshot
  • activate instance ntds
  • create (uses volume shadow copy)
  • mount {GUID}
  • list mounted ( will list the snapshot )
  • dsamain /dbpath <path_to_database_file> /ldapport <port_#>
  • dsamain -dbpath C:\$SNAP_200810160916_VOLUMEC$\Windows\NTDS\ntds.dit -LdapPort 10000

  • The video will show you how to accomplish this step by step. This is my first video and I do appreciate any feed back if you find it useful and like it or not would be appreciated

--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Monday, October 13, 2008

How to Deal with Exchange White Space


Question:

I am looking to provide some free space and white space numbers to mgmt for capacity planning. Currently running 2003sp2 in 6/2 cluster. Can you recommend some scripts or free apps that you use? Currently we have mom and i have been getting some data but have to manually enter into spreadsheets for trending etc.

Since you have cluster you do have enterprise version of Exchange 2003. I won't recommend taking the exchange database offline for defragmentation to gain white space and I would not even bother to do that. Simple reason is that no need for it.

You can simply create new mail store and move users onto this new mail store. It would be better to create two new databases if you can and move users evenly cross these two databases and simply delete the old one when there is no mailbox left onto it

Here are the rules.

1. There is no need for offline defrag if you are running exchange enterprise version
2. Simply create new databases and use "Move mailbox wizard" to move the mailboxes
3. Delete the original database when there is no mailbox on it
4. Move users in the night, you can schedule mailbox move, don't forget exchange uses 4 treats one at the time, meaning if you schedule 20 user to be moved exchange will start dealing with 4 mailbox first one at the time as soon as one is done, the next one in the list will be moved.
5. The smaller the exchange database the happier the exchange will be. This is true for most of the databases exchange will like to deal with smaller databases, so be on top of the game and don't let the databases grow too much.
6. Communicate with your users and make sure the users are aware of the move and they won't be able to use the mailboxes during move (exchange will lock the mailbox)
7. Doing things in smart way will avoid mistakes so the white space is calculated event id 1221 on the application log of your exchange server, if you really curious about it calculate the white space simply adding all 1221 estimated usable space.
8. I have this mailbox count script will dump all your mailboxes their size and etc onto nice excel spreadsheet so this will give you nice map and help you plan your mailbox move (http://smtp25.blogspot.com/2007/08/mail-box-count-script_4766.html)
9. Seriously look into moving into exchange 2007, there is huge difference 64 BIT servers with right memory and CPU and correct RAID for the OS and Exchange will make huge difference. I start migrating some of our client's results are fantastic.
10. Move AD into AD 2008 if it is possible this will speed things a lot from my experience
11. MOM will keep an eye on your exchange server and let you know ahead of time most of the issues
--Oz Ozugurlu
MVP (Exchange) MCITP (EMA),
MCITP (SA) MCSE 2003, M+, S+, MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Jiu-Jitsu and Exchange 2007


Well I am not going to blah blah this time, there really isn't any connection with Exchange 2007 and Jiu-Jitsu as far as I concern so far (-:

It has been a year and I have been practicing Jiu-Jitsu and one of my dreams to spar with Royce Gracie since I start practicing. Well my dream came true and I had an honor to roll with him last Friday, beside sparring with master I asked him to chock me out and he was kind enough to make it happen.

Those of you who do not know Royce or Jiu-Jitsu here is the link






--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Saturday, October 11, 2008

WINDOWS 2008 DNS improvements



Active directory integrated DNS is not required for AD to run properly ????, in fact I have heard people claming, UNIX based DNS works faster and better for the active directory. AS we all know if DNS is not working regardless it is integrated AD or UNIX the life will be very difficult for ADDS and Exchange admins, and the fact it you cannot run a network unless and unless you have DNS in place. Over years working with AD and DNS, I found AD integrated DNS is to way to go and never had any type of problems as long as it is set and maintained correctly.

Every version of windows comes out, I look for GUI or command line improvements on the DNS console and unfortunately I am not yet so successful to find what I was expecting, in term of the DNS GUI and its functionality.

Critics, Why is it not easy to add CNAME record, why we have to dig down and down on the little window which is not expendable and very much inconvenient to work with. Doing a search in the DNS console is not efficient in my opinion and why it was not made with MMC 3.0? as some other futures looks incredibly useful? Anyway I guess we just need to wait and hope to see we get better and smart GUI and command line to work with.

Let's take a look at some of the functionality in DNS and some of the new futures.

Background zone loading

The DNS data is retrieved from the directory service and this might have caused delay in especially large environments. So the result is the client is waiting DNS service is unable to use it while waiting DNS to come up.

Windows Server 2008 now loads zone data from AD DS in the background, when it restarts so that it can respond to requests for data from other zones

The DNS server can use background zone loading to begin responding to queries almost immediately when it restarts, instead of waiting until its zones are fully loaded

The zone data is stored in AD DS rather than in a file: AD DS can be accessed asynchronously and immediately when a query is received, while file-based zone data can be accessed only through a sequential read of the file

  • Enumerates all zones to be loaded.
  • Loads root hints from files or AD DS storage.
  • Loads all file-backed zones, that is, zones that are stored in files rather than in AD DS.
  • Begins responding to queries and remote procedure calls (RPCs).
  • Spawns one or more threads to load the zones that are stored in AD DS

LLMNR

DNS client computers can use link-local multicast name resolution (LLMNR), also known as multicast DNS or mDNS, to resolve names on a local network segment when a DNS server is not available. For example, if a router fails, cutting a subnet off from all DNS servers on the network, clients on the subnet that supports LLMNR can continue to resolve names on a peer-to-peer basis until the network connection is restored.

The DC Locator component of a client computer running Windows Vista or Windows Server 2008 periodically searches for a domain controller in the domain to which it belongs. This functionality helps avoid performance problems that might occur when a client locates its domain controller during a period of network failure, thereby associating the client with a distant domain controller located on a slow link. Previously, this association continued until the client was forced to seek a new domain controller, for example, when the client computer was disconnected from the network for a long period of time. By periodically renewing its association with a domain controller, a client can now reduce the probability that it will be associated with an inappropriate domain controller.

A client computer running Windows Vista or Windows Server 2008 can be configured (programmatically, with a registry setting, or by Group Policy) to locate the nearest domain controller instead of searching randomly. This functionality can improve network performance in networks containing domains that exist across slow links. However, because locating the nearest domain controller can itself have a negative impact on network performance, this functionality is not enabled by default.

Read more


--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Wednesday, October 8, 2008

Server 2008 Metadata Cleanup




After failed DCPromo we always had to perform metadata cleanup, meaning go to .DIT database and take out the information related to failed DC and let it rep0licated to all other DC's within the Forest/Domain

Remember Steps below (-: from old version of Windows


  1. Open a command prompt.
  2. Type the following command, and then press ENTER:
  3. ntdsutil
  4. At the ntdsutil: prompt, type:
  5. metadata cleanup
  6. Perform metadata cleanup as follows
  7. At the metadata cleanup: prompt, type:
    connection
  8. At the server connections: prompt, type:
    connect to server Server
  9. At the server connections: prompt, type:
    quit
  10. At the metadata cleanup: prompt, type:
    select operation target
  11. At the select operation target: prompt, type:
    list sites
    A numbered list of sites appears.
  12. At the select operation target: prompt, type:
    select site SiteNumber
  13. At the select operation target: prompt, type:
    list domains in site
    A numbered list of domains in the selected site appears.
  14. At the select operation target: prompt, type:
    select domain DomainNumber
  15. At the select operation target: prompt, type:
    list servers in site
    A numbered list of servers in a domain and site appears.
  16. At the select operation target: prompt, type:
    select server ServerNumber
  17. At the select operation target: prompt, type:
    quit
  18. At the metadata cleanup: prompt, type:
    remove selected server

Now much afford involved getting the same work done in windows 2008?

  • Find the domain controller
  • Right-click on the DC, and then select Delete.
  • The checkbox on the bottom will forcefully delete the domain controller from Active Directory, which is same as metadata cleanup.

Dont you love windows 2008 (-:

--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Monday, October 6, 2008

RPC over HTTPS Script



This script will help you to configure your outlook (2003 and 2007) for RPC over HTTPS. It is very easy and requires no scripting knowledge at all. This is one of most asked question, how to make the RPC/HTTP configuration transparent to user?

So I asked one of my friends to write/Modify a script for this purpose. Here is the script below if works like a charm and very easy to modify and I will walk you through step by step.

Complements and credits goes to Gene Strickland, rest is for me (-: , I took the article out , just e-mail me I will send you the script and the notes showing how to mdify it, real simple


--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com



What are lingered objects?

LingeringObjects are introduced by DCs/GCs that have been offline or failed to replicate for the tombstone lifetime.

Tombstone, when object is deleted in active directory it becomes tombstone, the tombstone is used to replicate the deletion throughout the Active Directory environment

Let's say we have DC1 and DC1 and they are replication partners. Because AD is multimaster replication model when any objects gets created in DC1 has to replicate DC2 and .DIT database on both DC become consistent (KCC is the process makes the replication among domain controllers)

On DC1 I created user account and KCC-----à replicated this information to the DC2. I have taken DC2 offline, let's say about 2 weeks and there were 50 users got deleted on DC1. The DC1 will mark these users as deleted users. The object attribute is "IsDeleted" set to "true". This indicated object has been marked for deletion and will be removed from Active directory database.

The DC2 is offline more than 180 Days; the server must not brought back to production network. At this point the server needs to be re-baseline and active directory needs to be uninstalled from the Domain controller.

The DC promo must be run with /forceRemoval switch and after uninstalling AD from the domain controllers, the NTFSUTIL must be used to clean up (meta data cleanup)the production domain and allow replication to occur the changes and DCPromo in the DC2 if you still need it, would be the process.

Why wouldn't AD delete them right away? Because if there is no information about deletion of the object how would the other domain controllers would know what to do with same object? How about recovery, be possible if there was a need for this object to be recovered and it is not there.

Summary

  • Object got deleted
  • The directory service moves tombstoned objects to the Deleted Objects container
  •  they remain until the garbage collection process removes the objects
  • The garbage collection process by default runs every 12 hours on a DC
  • Tombstone life time is set to 60 days windows 2000/2003
  • 180 days windows 2003 SP1
  • The tombstone lifetime must be significantly longer than the garbage collection frequency to ensure that deletion of objects is replicated to other DCs.

One of the nice futures with windows 2008 is to ability to turn the future on "Protect object from accidental deletion", you need to click on View and turn on the advance futures to see the option.

This is a great and smart option in my opinion, and will prevent mistakes if this attribute is turned on. If administrator is still deleting an object while this attribute is turned on (unselecting this prevention) this will be no more mistake and will be intentional afford in my opinion

Before this if we have to achieve same results we needs to go to top of the domain and add everyone into security permissions for this object and all child objects and deny delete and delete subtree as it is explained in the article below.

reference


 

--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Sunday, October 5, 2008

What is change in Windows 2008 with DC PROMO?



DCPROMO is the process of promoting a Sever to become domain controller and can be run from GUI or CMD window. The question is, what is change in windows 2008 when we perform DCPromo, and here is little summary. The .DIT database is still the partitioned database and seeing .DIT with MMC 3.0 looks nice but there are not big/Major changes to the structure of database.




The making DC is GC is integrated with the Wizard, as well, old days we had to go to site and services, find the DC, NTDS settings properties and checkmark was hidden there, this is no longer the case with new DCPromo.Replication is over the network or from media (IFM) this can reduce the network traffic (the network connectivity still is needed)

The new ntdsutil ifm subcommand is also recommended because you can use it to remove secrets, such as passwords, from the AD DS database so that you can install a read-only domain controller (RODC). When you remove these secrets, the RODC installation media is more secure if it must be transported to a branch office for an RODC installation

Finally the installation path for .DIT database ,t he best practice will be keep the .Dit and SysVol together and place Logs on separate hard disk spindles most likely RAID 0 + 1 fashion.

When you install Active Directory Domain Services (AD DS), you specify where the Active Directory database, log files, and the SYSVOL shared folder will be placed on the server. The database stores information about the users, computers, and other objects on the network. The log files record activities that are related to AD DS, such as information about an object being updated. SYSVOL stores Group Policy objects and scripts. By default, SYSVOL is part of the operating system files in the %windir% directory


Finally export settings, very nice future, can be used to automate the future installations.




What is new in ADDS

--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Friday, October 3, 2008

Task Scheduler in windows 2008




Windows 2008 has brought and introduced many new futures making the administration easy. Very first time in the windows history getting some of the necessary basic administration task is not complicated anymore. I am sure many of you always wanted to know or notified if there are changed been made on your Exchange server or domain controller. The way we have been finding these out so far if someone another domain admin breaks certain stuff and we get the notice after damage is done. Consider this is a big environment and many people have domain admin rights due to some unknown reason.

Anyway the shot story is windows 2008 is very smart and I am sure you will enjoy more you get to know it.

Problem:

Domain administrators logging on to Active directory domain controllers and Exchange servers and any other application server and they might be making changes. We have no way of knowing when they log in or if they are using service account to log in to do certain things which is not acceptable by corporate security policy.

Domain administrator user name: zz-JTucker is keep logging onto servers ( because he is domain admin (-:, ) and we don't want him to change things on our server or we want to know as soon as he logs on to one of our server.

Goal:

We would like to take smart approach and we want to know if either certain user / Group etc, logging on to critical windows 2008 servers.

We want to receive automatic e-mail being sent to us, when this event occurs and we want to run certain script to run at the same time based on our needs

Once we establish some basic configuration we can extend this based on our needs.

Scenario:

User names Mike (or a group) is one of the domain admins and we don't want Mike to log onto out servers. Or when Mike logs in we want to get notified.

We want to monitor some of activities or even event logs, such as, NTFRS issues, any SYSvol replication issues, any DNS issues, any other event logs it might be useful for you.

Solution:

Log into one of your windows 2008 server

  • Click on start go to run
  • Type, "taskschd.msc"



  • Expend, Task Scheduler, expend Microsoft, windows and , on the right pane we will click on new folder and name the folder as "AD Alert"


Now we have the folder and we will create schedule job. Click on Create task name it "AD-Alert user logged in"


When running the task, you may want to change this to user account going to be used for this purpose, I have creates user account in my domain and named it as "svc-Alert" for all scheduled task I will be creating going forward for all my needs.




Click on Triggers and click on new, click on begin task and pick "At logon" choose "Specific user or group and click on change user and pick the account for " zz-JTucker" ( John Tucker is domain administrator) and click on okay.

Click on actions, click new and actions menu pick send e-mail , from address Alert@smtp25.org to Alert@smtp25.org ( this is DL I created and I am member of this DL), fill out all required spaces, such as from to address and the relay server FQDN. Make sure you can open telnet from this server to the relay server and able to see 220.



Click okay the lst thing you want to do is make a right click and go to properties and select, "Hidden" for this task.

Now whenever the user " zz-JTacker" you will get an warning e-mail letting you know. You can also make a right click and select run to test the scheduled job.

Second part we will look into how to prompt a disclaimer to the user on the logon process


--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,
MCDST, Security+, Project +, Server +
Blog: http://www.smtp25.blogspot.com

Sunday, September 14, 2008

ESX1 and Virtualizations 64bit Exchange for LAB


I am not going to write how much I am impressed with ESXI here at my blog. One thing I would say this is the great software (OS) me and many of my students have been waiting for to get more hands on ESX and Microsoft technologies.

You may think what is the connection VMware and Microsoft and I am about the explain to you. Virtualization technologies gone far beyond any other technologies and become one of the most skills set in the IT market USA as far as I can tell.

Knowing ESX and the technology behind is the way to corporate work and further any work place pays good $$$$. So the problem is that there was no easy way to learn the technology in the past unless you already work for an enterprise and have ESX servers, you would learn at that point, and this was the case for my learning experience.

So what has changed? VMware released new version call ESXI (Free) believe or not and almost concept same as ESX server. Installing is insane crazy, anyone who can boot from CD-room will be able to install in on any decent server. After getting your ESXI server up and running install windows 2003 and 2008 servers within the ESXI server. (You are limited to your HD space and amount of memory on the ESXI servers)

You don't need expensive server, you don't need RAID controller, and all you need is decent server with lots of RAM and HD space to create a great LAB for yourself.

Download the ESXI software from VMware website and install it on any server you have (most of the Dell servers are good to go). Microsoft has Hyper but being honest it is so easy to install ESXI and the proven UNIX reliability will be hard to defeat in my humble opinion. The foot print of ESXI is incredible.

If you have server laying around don't lose time go get started, you will understand what I mean when you get your hands on the ESXI.

Issue:

The CPU of the host is incompatible with the CPU feature

Solution:

Enable Virtualization Technology" in the server BIOS.

Getting following erros

  • The CPU of the host is incompatible with the CPU feature requirement of the virtual machine; problem detected at CPU id level 0×80000001 regsiter edx.
  • 64BIT problems, you did install ESX and cannot install the 64 bit OS to run exchange 2007?
  • if you have created a Windows 64bit virtual machine you need to ensure that you have enabled "Virtualization Technology" in the host system BIOS.
  • This feature is disabled by default so needs to be manually enabled.
  • The CPU of the host is incompatible with the CPU feature requirement of the virtual machine; problem detected at CPU id level 0×80000001 regsiter edx.


--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com