Wednesday, February 25, 2015

File Share Witness & Exchange 2013

In a DAG ( Exchange 2013) to have ability to perform automatic failover requires three separate physical network locations.In the scenario below two redundant datacenters for DAG and third datacenter is used (Azure Network.) for Witness server for DAG1. If you look carefully you will realize we used two different Active Directory Site for DC1 and DC2 and stretched the DAG1 on both datacenters. We placed Domain controller on the Azure network and created AD site. ( Enabling FSW on the DC  while possible it is not recommended configuration)

Organizations with only two physical locations now can also take advantage of automatic datacenter failover by using a Microsoft Azure file server virtual machine to act as the DAG’s witness server.

This configuration requires a multi-site VPN. It has always been possible to connect your organization's network to Microsoft Azure using a site-to-site VPN connection. However, in the past, Azure supported only a single site-to-site VPN. Since configuring a DAG and its witness across three datacenters required multiple site-to-site VPNs, placement of the DAG witness on an Azure VM wasn't initially possible

How to configure Azure network for FSW is documented here

In this configuration several things to be considered.

  • Make sure your operational  requirements meets the usage of the Azure Network
  • Initials configuration extending Azure network to your data centers will require addition network configuration and the work is  documented on the link provided above.
  • You will need to pay as you go within the Azure Network. ( remember Cloud is not cheap)
  • Having Domain Controller AND extending your network to Cloud could help you if your plans to move into Cloud at some point.
  • Configure Multi Site VPN documented here





Oz Casey, Daedal  ( MVP North America)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server + (Blog) (Blog

Sunday, February 22, 2015

Outlook Connectivity With Exchange 2013


There are major changes within Exchange 2013 compared to Exchange 2010. The way Outlook Client connect to Mailbox Server to get its mail data is  “simplified” there is no need for middle tier with Exchange 2013. The way I see,  as long as Exchange Server and its architecture requires less IOPS to operate, there will be more room for improvements and simplicity.


  • User Logs into workstation, it authenticates to active directory with a valid user name and password.
  • User opens Outlook at the first time, outlook performs AutoDiscover Lookup to figure out logged in user mailbox GUID.
  • Outlook connects to CAS Server, and CAS Authenticates the request (Exchange 2013) using HTTP, it provides mailbox GUID as its endpoint to CAS array.
  • CAS takes this information and performs Active Directory lookup
  • AD will provide the user information back to CAS Server
  • CAS server will make a query to Active Manager Instance, which runs inside the “Microsoft Exchange Replication Service” on all Mailbox Servers
  • Active Manager Instance will pull information about requested user mailbox, the name of the mounted database (Active DB) and the Mailbox server name.
  • CAS proxies the request to Mailbox Server hosting the active copy of database.
  • The data rendering happens on the backed Mailbox Server
  • The affinity for user connection is no longer needed on the CAS level.



Oz Casey, Dedeal  ( MVP North America)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server + (Blog) (Blog

Monday, January 26, 2015

Microsoft Ignite 2015

In the past years Microsoft has delivered multiple conferences, with  Ignite we start seeing consolidation of all , the Exchange, SharePoint, Lync, Project, and TechEd conferences.

This gigantic event will be held at May 4-8, 2015 in Chicago, IL and open for all interested.


If you curious how much it will cost you here is a pick view

Pass Options to pick from

  • Full Conference Pass = $2,220
  • Plus Pass = $495
  • Plus Pass: Chicago $495
  • Plus Pass: Limited Edition $195
  • Day Pass = $500
  • Expo Only Pass = $300
  • Student = $995
  • Academic Faculty and Staff Discount = $1,220


I personally do not like huge conferences, My reasoning is too many good stuff and limited time to to attend and digest all. Those of you who are lucky to make upcoming Ignite will feel reasoning.

The content of the ignite look incredibly rich and exciting by the way if you like to see the content, take a look some of the highlights

Have fun everyone who will be at the ignite 2015.

Oz Casey, Dedeal  ( MVP North America)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server + (Blog) (Blog

Wednesday, December 10, 2014

Recovering Active Directory From Total Lost Disaster Recovery Basic Steps.

In this article I will help you to understand, how to recover your entire forest from total lost. Many networks these days do have multiple domain controllers and especially on enterprise networks losing all available domain controllers less likely but still possible. If you do not have published SOP for recovering your Active Directory Forest the steps in this article might provide you frame work you need.

Scenario: Entire datacenter is gone, you do have your backup and infrastructure ready on the second data center.

Note: backup at least two Domain controller from each domain regularly to preserve better recovery option when needed.

Note: per Microsoft it is not recommended to restore FSMO role holder in the interest of simplicity.  (Forest recovery white paper)


now we lost DC1 , and we must recover Entire Forest /Domains from tape backup. 



  1. Prepare VM host on the DC2 , ready to be deployed
  2. Make sure each VM is able to talk to ( TCP/IP) your backup media Servers in the DC2
  3. Recover first Domain Controller on the Forest Root from good tape backup (SystemState)
  4. You will need to know DSRM administrator user name and password
  5. Reboot into  DSRM (Directory Services Restore Mode) mode by pressing F8 key after successful restore.
  6. Install VM host integrated Drivers ( Do not remove any of the existing drivers came with image, it could cause blue screen)
  7. Disable all Physical NIC cards , un-check option register this connection into DNS on all the NIC’s which are no longer being user. Domain controllers in general do not need more than single NIC.
  8. Make sure all Disks for the Recovered DC is configured correctly ( SYSVOL and .DIT )
  9. Bring all Disks online , make sure correct disk labeling is in place ( same as lost DC )
  10. Verify SYSVOL and .DIT exist after successful recovery
  11. Configure TCP/IP  IPV4 or IPV6 properties based on your needs, you can use different IP address schema, domain controllers will register their new IP addresses and their DC related DNS records into DNS on the first reboot.
  12. Reboot the DC into regular mode
  13. Wait for SYSVOL to become available ,
  14. login to DC with Domain administrator privileges
  15. Perform an authoritative  SYSVOL restore Set BurFlags to D4
  • Click Start, and then click Run.
  • In the Open box, type cmd and then press ENTER.
  • In the Command box, type net stop ntfrs.
  • Click Start, and then click Run.
  • In the Open box, type regedit and then press ENTER.
  • Locate the following subkey in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

  • In the right pane, double-click BurFlags.
  • In the Edit DWORD Value dialog box, type D4 and then click OK.

From command prompt type “net Share” to verify SYSVOL is shared.

Perform metadata cleanup ( Windows 2008 use ADUC ) or NTDSUTIL , if you are in large environment using ADUC is much faster, simply locate the DC computer object and select delete.( Related Link )

Tip: If you leave the FSMO Role holders to last to FSMO role DC’s will force FSMO Seizure to surviving DC ( one last step to worry about seizing the FSMO Roles)

  1. Reset machine account twice
  2. Reset the krbtgt account password twice
  3. Reset all trust passwords
  4. Seize the FSMO roles if you have not done it already
  5. Delete all orphan KCC replication connections
  6. Clean up DNS, Name Servers , Forwarders , Stale CNAME, Glue records, delete them all.
  7. Promote second DC on the root domain, if you have single label domain name space at this point you would DCPROMO other DC’s.
  8. On the Child Domain Restore First Writable Domain Controller
  9. Log into DSRM mode
  10. Perform all initial steps done on the previous restore
  11. Make sure TCP/IP properties Primary DNS for Child Domain controller is pointing to Root DC.
  12. Reboot restored Child Domain controller into regular mode.
  13. Wait for SYSVOL to be available
  14. Log into DC
  15. You need to set BurFlags to D2 on the child domain controller , if you wont do this SYSVOL folder will disappear after some time.
  16. Use RepAdmin  to make sure replication from Child to Parent is working
  17. Perform Metadata Cleanup
  18. Perform FSMO Role Seizure.
  19. Check to make sure DNS comes up.
  20. Cleanup all stale CNAME,A , GLU, RDNS entries 
  21. Make sure DC’s are stable
  22. Start planning your application servers recovery and have fun (-:


DCDiag and RepAdmin are two of the most powerfull command line tools use them.

dcdiag /V /C /D /E /s:DCname > C:\temp\DcDiag.txt


Oz Casey, Dedeal  ( MVP North America)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server + (Blog) (Blog

Download Forest Recovery White Paper