Tuesday, October 30, 2007

IronPort



We finally deploying IronPort and dumping our existing SMTP appliance. It was a horrible and painful experience during last 2 years to have SMTP appliance which is not Enterprise level. We found out we wasted our resources, $$$$ and made our network vulnerable to multiple treats by having wrong SMTP appliance.

The short story we are deploying IronPort, my first impression about IronPort is impressive. This appliance seems to be Rock.

Multiple SMTP domain support

  • Each appliance is capable of having multiple names and IP addresses
  • 10.000 Concurrent connections
  • AV updates every 15 minutes
  • Outbreak updates every 5 minutes
  • RDNS, A record, MX record, IP reputation, RBL list check on the SMTP handshake
  • The internal interface is great, most logical design

I will write in more details how IronPort works and how we will deploy it in true enterprise environment. We will have to go trough the migration, which seems very smooth.

Best,

Oz oozugurlu

Sunday, October 28, 2007

DCDIAG verify domain controller health



DCDAIG is one of the most important comprehensive tools available for measuring the health for AD and DC's, and every Active Directory administrator must know how to use.

DCDIAG analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting. As Active directory administrator DCdiag should be the essential for when it comes to troubleshooting DC related issues. After downloading support tolls you can use /h (help switch) to discover all available options. Don't forget you can always dump the output on the command line into a text file by using >DCDiag.txt switch (or any extension you wish to use)


Let's start with basic test

  • You logged into your work station, open CMD line with your admin privileged, alternatively you cn fire up PSEXEC and execute remote CMD on the DC you will be performing this test. Either way is fine.
  • My domain controller name is nhqdtcdc5 don't forget you need to install windows 2003 tools to get the DCDIAG

Dcdiag /testdns /nhqdtcdc5

  • Testing server: JPK\NHQDTCDC5
  • Starting test: Connectivity
  • ......................... NHQDTCDC5 passed test Connectivity
  • Doing primary tests
  • Testing server: JPK\NHQDTCDC5
  • DNS Tests are running and not hung. Please wait a few minutes...
  • Running partition tests on : archq
  • Running partition tests on : Schema
  • Running partition tests on : Configuration
  • Running enterprise tests on : ri.SMTP2525.net
  • Starting test: DNS
  • ......................... ri.SMTP25.net passed test DNS

dcdiag /test:DnsBasic /s:nhqdtcdc5

DCDIAG is most often used to verify domain controller health. It can be used to report on a single connectivity issue (like DNS) or on a host of possible network and service connectivity issues. You can use it to issue a report on a single server or all of them in your Active Directory forest central top-tier administrators.

DCdiag

dcdiag /test:registerindns /dnsdomain:archq.ri.STP25.net

The DNS configuration is sufficient to allow this computer to dynamically register the A record corresponding to its DNS name.

The test DNS test verifies that the following mandatory Active Directory Domain Controller services are running and available:

  • DNS client service
  • NETLOGON service
  • KDC service
  • DNS Server service (if DNS is installed on the domain controller)

In this example we logged into management server and run the below command to the DC

Dcdiag /test:DNS /s:dc1 (DC1 is the remote domain controller)

C:\WINDOWS\system32>dcdiag /test:DNS /s:nhqdtcdc4

doing primary tests

Testing server: JPK\NHQDTCDC4

NS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : DomainDnsZones

Running partition tests on : ForestDnsZones

Running partition tests on : archq

Running partition tests on : Schema

Running partition tests on : Configuration

Running enterprise tests on : ri.SMTP25.net

Starting test: DNS

......................... ri.STP25.net passed test DNS


Best,

Oz ozugurlu

Saturday, October 27, 2007

Fixing Replication Lingering Object Problems



Below article is taking from Microsoft TechNet explaining Lingering Object and related problems. The article ends with naming a tool which can be used to clean up the AD database (Repadmin.exe)In active directory a object's DN must be unique; two objects can't have the same DN (distinguish name). Let's take a look at real life scenario where Domain admin A creates user called "oz",, before the replication takes place lets think a scenario same user name has been added to .DIT database on another DC (Domain Controller). When Replication happens collusion occurs. Who will win is a good question. The object which was created first will be added "CNF" after its name. CNF is conflict so second created object will live. Now which one is good candidate for deletion, is up to you. Either delete the second one or rename the CFN to the original name of get rid of the first one.

I have also added another TechNet notes regarding to object name conflicts

  • Active Directory supports multimaster replication of directory objects between all domain controllers in the domain. When replication of objects results in name conflicts (two objects have the same name within the same container), the system automatically renames one of these accounts to a unique name. For example, object ABC is renamed to be *CNF:guid, where "*" represents a reserved character, "CNF" is a constant that indicates a conflict resolution, and "guid" represents a printable representation of the objectGuid attribute value.
  • This will cause an event ID 12292 to be logged in the system event log on the domain controller. You must clean up Active Directory to resolve this error.

I have recently find out we have 277.000 DLT object in our active directory. More than 70% of the AD seems to be polluted in this case. Of course the cause of this mess is not to have any maintenance plan at all when AD was stood up. The AD Engineers who designed where I work seem to forget about the health of the .DIT database and left KCC and replication problems to their own fate. The result is the numbers I have given earlier. Of course I don't have to mention about this number is taken from one child domain only, there are several child domains exist and AD pollution is all over the network.

  • When an object is deleted, Active Directory replicates the deletion as a tombstone object, which consists of a small subset of the attributes of the deleted object.
  • By inbound-replicating this object, other domain controllers in the domain and forest become aware of the deletion. The tombstone is retained in Active Directory for a specified period called the tombstone lifetime. At the end of the tombstone lifetime, the tombstone is deleted from the directory permanently.
  • See the
    Microsoft article
    about Tombstone Lifetime and Replication of Deletions

How Lingering Objects Occur

  • When conditions beyond your control cause a domain controller to be disconnected for a period that is longer than the tombstone lifetime, one or more objects that are deleted from Active Directory on all other domain controllers might remain on the disconnected domain controller. Such objects are called lingering objects.
  • Because the domain controller is offline during the entire time that the tombstone is alive, the domain controller never receives replication of the tombstone.

Causes of Long Disconnections

  • Unexpectedly long disconnections can be caused by the following conditions
  • A domain controller is left in a storage room and forgotten, or shipment of a prestaged domain controller to its remote location takes longer than a tombstone lifetime
  • A bridgehead server is overloaded, and replication becomes backlogged. Excessively high replication load on a global catalog server, in combination with a short Intersite replication interval, can result in updates not being replicated.
  • An outdated domain controller can store lingering objects with no noticeable effect as long as an administrator, application, or service does not update the lingering object or attempt to create an object with the same name in the domain or with the same user principal name (UPN) in the forest. However, the existence of lingering objects can cause problems, especially if the object is a security principal.


     

Symptoms Associated with Lingering Objects

  • A deleted user or group account remains in the global address list (GAL) on Exchange servers. Therefore, although the account name appears in the GAL, attempts to send e-mail messages result in errors.
  • Multiple copies of an object appear in the object picker or GAL for an object that should be unique in the forest. Duplicate objects sometimes appear with altered names, causing confusion on directory searches. For example, if the relative distinguished name of two objects cannot be resolved, conflict resolution appends "*CNF:GUID" to the name, where * represents a reserved character, CNF is a constant that indicates a conflict resolution, and GUID represents the objectGUID attribute value.
  • E-mail messages are not delivered to a user whose Active Directory account appears to be current. After an outdated domain controller or global catalog server becomes reconnected, both instances of the user object appear in the global catalog. Because both objects have the same e-mail address, e-mail messages cannot be delivered.
  • A universal group that no longer exists continues to appear in a user's access token. Although the group no longer exists, if a user account still has the group in its security token, the user might have access to a resource that you intended to be unavailable to that user.
  • A new object or Exchange mailbox cannot be created, but you do not see the object in Active Directory. An error message reports that the object already exists.
  • Searches that use attributes of an existing object incorrectly find multiple copies of an object of the same name. One object has been deleted from the domain, but it remains in an isolated global catalog server.
  • If an attempt is made to update a lingering object that resides in a writable directory partition, events are logged on the destination domain controller. However, if the only version of a lingering object exists in a read-only directory partition on a global catalog server, the object cannot be updated and this type of event will never be triggered

Luckily Microsoft comes into rescue

Use Repadmin.exe option /removelingeringobjects, which safely remove instances of lingering objects from both writable directory partitions and read-only directory partitions

Repadmin.exe provides the following

  • Compares the directory database objects on a reference domain controller with the objects on the target domain controller, which contains (or is suspected to contain) lingering objects.
  • If you use the /advisory mode parameter, events are logged in the Directory Service event log for the objects that are found.
  • If you do not use the /advisory mode parameter, the found objects are deleted without replicating the deletions; that is, the deletions occur only on the target domain controller.

Best

Oz ozugurlu

Why RUS (recipient update service) is giving you hard time?



IS your RUS not stamping newly created accounts in active directory? Are you seeing many Event ID: 9562
MSExchangeIS on the exchange server application log, and you research entire Google and all you could find was manually rebuild the Recipient Update Service (RUS), this is what Microsoft recommends anyway. Here is the good news; RUS no longer exist in Exchange 2007. Exchange 2007 uses, instance turn on, when mail enabled object created Exchange stamps it instantly (read more) .The RUS trouble shooting can be very frustration. Before start performing RUS trouble shooting lets refresh our memories about RUS and recipient update service.

Recipient Update Service,

  • The Recipient Update Service creates and maintains Exchange-specific attribute values in Active Directory.
  • RP (recipient policy) recipient policies to control e-mail address settings and to manage mailboxes.
    Recipient policies are a set of configurable rules that run on a schedule and evaluate all the messaging-enabled objects in your Active Directory forest. The policy uses the rules to filter all of the objects and to selectively apply e-mail addresses of specific types to those instances that fit the predefined rules

May of the RUS troubleshooting starts turning the diagnostic logon on the exchange server

  • MSExchangeAL\LDAP Operations
  • MSExchangeAL\Address List Synchronization
  • MSExchangeSA\Proxy Generation (Exchange 2003 only)

Troubleshooting RUS part 1 there is part two as well.

Please pay attention the notes in the article follow as below

  • Repeatedly choosing Rebuild on the RUS or Apply This Policy Now on a policy can complicate the troubleshooting process by causing the RUS to process large numbers of objects.
  • These results in the application log quickly overwriting itself and make it difficult to follow the sequence of events described above. When troubleshooting the RUS, it is best to avoid Rebuilding or Applying and instead focus on a single test user and use only Update Now to check for new and modified objects. After an Update Now, you can walk through the events described above to understand what the RUS is doing to a particular recipient

Each instance of the Recipient Update Service associates one Exchange server (where the Recipient Update Service runs) with one Windows 2000 or Windows Server 2003 domain controller (on which the Active Directory objects are updated). Only one Recipient Update Service object can be associated with one Active Directory domain controller.

If you have multiple sites, you can also add multiple instances of the Recipient Update Service for each domain. In this scenario, an instance of the Recipient Update Service is hosted on a domain controller in each site and mailbox creation is not dependent on the inter-site replication schedule of Active Directory.

The recent troubleshooting scenario I have to deal was a lot of Event ID: 9562 on the exchange server.

The RUS did not run due to replication issues on the Child domain. The RUS was running from another child domain targeting a DC with in the second domain controller. The exchange server who was having 9562 errors was located in the second child domain. I quickly figured out the configuration on the exchange server (DNS) was not set correctly. I wrote many articles about why Exchange must point to Local DC/DNS server. After making necessary correction I have to go to AD Site and services. I verified the KCC has replication connection created automatically, with one of the remote bridgehead server (DC/DNS). I created manual replication partner from problem site to the remote bridgehead server. I created another KCC replication form remote bridgehead server back to the problem exchange server, and have them force replication.

After this rebuilding the RUS, made the trick


Regards,

Oz ozugurlu


Monday, October 22, 2007

Port Query (portqueryui)



Here is another real nice tool from Microsoft, it is portqueryui, the GUI version of port query. This toll becomes very handy in day to day operations. Using this toll also makes good understanding about ports being used by an application. If you did not download and played with portqueryui, go ahead and download it.

Some Ports need to be remembered

  • Protocol: LDAP
    Port (TCP/UDP): 389 (TCP)
    Description: Lightweight Directory Access Protocol (LDAP), used by Active Directory
  • Protocol: LDAP
    Port (TCP/UDP): 379 (TCP)
    Description: The Site Replication Service (SRS) uses TCP port 379.

  • Port (TCP/UDP): 3268 (TCP)
    Description: Global catalog. The Windows 2000 Active Directory global catalog (which is really a domain controller "role") listens on TCP port 3268. When you are troubleshooting issues that may be related to a global catalog, connect to port 3268 in LDP
  • Protocol: DNS
    Port (TCP/UDP): 53 (TCP)
    Description: Domain Name System (DNS) is at the heart of all of the services and functions of Windows 2000 Active Directory and Exchange 2000 Server. You cannot underestimate the impact that a DNS issue can have on the system. Therefore, when service issues arise, it is always good to verify proper name resolution.
  • Protocol: SMTP
    Port (TCP/UDP): 25 (TCP)
    Description: Simple Mail Transfer Protocol, is the foundation for all e-mail transport in Exchange 2000 and 2003. The SMTP Service (SMTPSvc) runs on top of the IIS Admin Service. Unlike Exchange 2007. Exchange 2007 has its own SMTP stack and it is not part of IIS anymore. Microsoft finally rewrote the SMTP stack.

Best,

Oz ozugurlu

First day in Brazilian Jiu-Jitsu (BJJ) class at Capital Jiu-Jitsu Scholl



I did enjoy the class and learn some nice moves from the first day. I think I was luck since I met Rodrigo Gracie on the first day. I asked Rodrigo if he could show me one of the moves. I grappled him pretty strong; he chocked me in seconds, which I enjoyed it. He is such a nice guy and it was truly an honor to be choked by him. He said technique is always stronger than a physical power. Since I have no technique yet I was using my power and that seems to be not worked well. Here is my first impression; it is awesome sport, a lot of ground grappling, throwing.

here is some information about scholl,Royce Gracie Jiu-Jitsu Course ("RGJJ") classes are for those students who desire to learn the proven techniques of the Gracie family. The complete art of Gracie Jiu-Jitsu is taught, including techniques for self-defense, ground grappling, throwing and basic striking. Classes are separated by belt levels. Beginner classes are for White Belts from 0 - 3 stripes. Advanced Classes are for 4 Stripe While Belts and up (Commercial break ends here )

Rezky company me, so I owe him my thanks. We could not make Ron to sign up, he seems to be interested but for some unknown reason, he is not ready yet.

Heads up I am getting first stripe soon

This time good luck to me,

Oz ozugurlu

Sunday, October 21, 2007

What Happens When Computer account for Exchange server reset in Active directory



In active directory consist of objects. These objects are users, computers, OU (organizational units) etc. Each computer objects have a secure channel with their Domain controller. Over this secure channel the workstation and the DC (domain controller) are able to talk each other. In WIN2000 the computer account objects change their secret password every 30 days, old NT days this was done every 7 days. If for some reason the computer account is reset (domain admin reset it) Microsoft gives us the ability to reset that secure channel by using Netdom.exe.

Go to Joe's site (www.joeware.net) and locate WIN32 tools, this way we can tell the last
time that the computer changed its 'secret password'

  • Each Windows-based computer maintains a machine account password history containing the current and previous passwords used for the account. When two computers attempt to authenticate with each other and a change to the current password is not yet received, Windows then relies on the previous password. If the sequence of password changes exceeds two changes, the computers involved may be unable to communicate, and you may receive error messages (for example, "Access Denied" error messages when Active Directory replication occurs).
  • Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain. In my scenario this was done on Exchange server. The computer account was reset and there was no way to log into the server, except server itself locally. Taking the server out from domain rebooting it, adding the server back to the domain worked. All exchange services were up and running after joining to domain with same name. Remember renaming Exchange will break the exchange and there will be no way to bring exchange back to the live from death, this is of course not supported by Microsoft.

Truthfully speaking, if I had to speculate, I would think resetting computer account for exchange would screw the exchange server. Taking the Exchange out from domain and adding it back is kind of worrying process especially in the production environment. Since I had no choice and little time to bring the exchange back online, I moved forward taking the server out fro domain and adding it back to the domain and saw all worked well Exchange server is up and running

Best

Oz ozugurlu

Wednesday, October 17, 2007

ESEUTIL Redirecting Temp Databases onto another Drive



Going through ESEUTIL, here are some recommendations.

Make sure you have good backup (Basic rule, always make sure you got a working good backup)

  • Make sure you have good backup ( Basic rule, always make sure you got a working good backup)
  • Make sure you have enough space to perform the ESEUTIL (110%)
  • Be Patient, after running ESEUTIL Defragmenting a database requires free disk space equal to 110 percent of the size of the database that you want to process. To determine the actual space required, follow these steps
  • Make sure that the information store service is not running.
  • At a command prompt, run the following command:
  • ESEUTIL /ms "database.edb"
  • Calculate the free space by multiplying the number of free pages by 4 KB.
  • Subtract the figure that you obtained in step 3 from the physical size of the database.
  • The figure that you obtained in step 4 represents the data in the database. Multiply this figure by 110 %. The resulting figure that you obtain is the space that you need to have available to defragment the database.
  • Divide the figure that you obtained in step 3 by 9 GB per hour. The figure that you obtain is the approximate time that it will take to defragment the database.

After running ESEUTIL and waiting couple hours, the ESEUTIL errors out with following warning, obviously I did not realize the temp files were defaulted to the C drive and C drive ran out space.E drive had over 100 Gig, there I needed to point the Temp database. I used same switch with additional switch as follows /te: \Temp.edb

C:\>"C:\Program Files\Exchsrvr\BIN\ESEUTIL.EXE" -d "E:\Program Files\Exchsrvr\MD

BData\priv1.edb" /te:\temp.edb


 

  • Defragmentation Status (% complete)


 

0 10 20 30 40 50 60 70 80 90 100

|----|----|----|----|----|----|----|----|----|----|


 

Operation terminated with error -1808 (JET_errDiskFull, No space left on disk) after 10096.297 seconds.


 

C:\>"C:\Program Files\Exchsrvr\BIN\ESEUTIL.EXE" -d "E:\Program Files\Exchsrvr\MD

BData\priv1.edb" /te:\temp.edb


 

Microsoft(R) Exchange Server(TM) Database Utilities

Version 6.0

Copyright (C) Microsoft Corporation 1991-2000. All Rights Reserved.


 

Initiating DEFRAGMENTATION mode...

Database: E:\Program Files\Exchsrvr\MDBData\priv1.edb

Streaming File: E:\Program Files\Exchsrvr\MDBData\priv1.STM

Temp. Database: e:\temp.edb

Temp. Streaming File: e:\temp.STM


 

Defragmentation Status (% complete)


 

0 10 20 30 40 50 60 70 80 90 100

|----|----|----|----|----|----|----|----|----|----|


 

Best,

Oz Ozugurlu

Exchange 2000 16 Gig limits



Exchange 2000 is seems to be not working, event log is showing 9175 Mapi session errors .We followed below registery hack to get the Exchange databases to 17Gig. We will have to perform in-place upgrade after we complete the ESEUTIL. Event log 1221 shows not much of a claimable space. We will have to perform in place upgrade for exchange from Exchange 2000 to Exchange 2003, without upgrading to OS to windows 2003 and doing Exchange in-place upgrade, is breaking my heart (-:, management decision is overruling my desicion and my feelings one more time getting beat up my management desicion. Below is the registery hack to bump the databases up to 17Gig.

My proposed plan in this scenario is follow below

  1. Identify the large mailboxes. ( located 5 mailbox close to 6Gig)
  2. Requested Network administrator perform, local archive for those accounts
  3. Applied register hack brought the server up and running ( I had to stop and restart several times, SMTP and MTA services along with Information store, finally changes took effect. Be patient if register may take little time to go in effect after the changes
  4. Purge any mailbox, which has been deleted, run Cleanup agent
  5. Finally run ESEUTIL /D , have enough coffee and rent good movie, to wait ESEUTIL to finish.

1. Click Start, click Run, and then type regedt32.exe.
2. Locate the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\<Exchange Server Name>\Private-<long hexadecimal string>
3. On the Edit menu, click Add Value, and then type the following in the Value name box: Temporary DB Size Limit Extension
4. Select REG_DWORD for the data type, and then click OK.
5. Enter a value of 1, and then click OK.
6. Quit Registry Editor.

If the Temporary DB Size Limit Extension registry value exists for a specific database and if the value is set a value other than zero, the database size limit (if any) is increased by 1 gigabyte. However, this registry value is not read dynamically; it is only read when a database is started. When the Exchange Information Store starts, an event 9657 will be logged as a warning to inform you that you are using a temporary database size limit.

If the Temporary DB Size Limit Extension registry value exists for a specific database and if the value is set a value other than zero, the database size limit (if any) is increased by 1 gigabyte. However, this registry value is not read dynamically; it is only read when a database is started. When the Exchange Information Store starts, an event 9657 will be logged as a warning to inform you that you are using a temporary database size limit.
Note To prevent new e-mail content from being added to the mailbox store beyond the temporary 17-GB limit during the recovery process, we strongly recommend that you stop the Simple Mail Transfer Protocol (SMTP) service and the Microsoft Exchange MTA Stacks service before you mount the mailbox store. For more information about how to remove unnecessary database content and how to defragment the database, click the following article number to view the article in the Microsoft Knowledge Base:

Best

Oz Ozugurlu

Process of locating Domain Controller

Following article describes the mechanism that Windows XP Professional uses to locate a domain controller in a Windows-based domain. Understanding the workstation logon process makes easier for future troubleshooting issues. Some of the key services in windows need to be understood clearly. Netlogon service is one of them.

  • On the client (the computer that is trying to locate the domain controller), the Locator is initiated as a remote procedure call (RPC) to the local Netlogon service. The Netlogon service implements the Locator DsGetDcName API call.
  • The client collects the information that is needed to select a domain controller, and then passes the information to the Netlogon service by using the DsGetDcName call.

The Netlogon service on the client uses the collected information to look up a domain controller for the specified domain in one of two ways

For a DNS name, Netlogon queries DNS by using the IP/DNS-compatible Locator--that is, DsGetDcName calls the DnsQuery call to read the Service Resource (SRV) records and "A" records from DNS after the domain name is appended to the appropriate string that specifies the SRV records.

A workstation that is logging on to a Windows-based domain queries DNS for SRV records in this general form

_service._protocol.DnsDomainName

Active Directory servers offer the Lightweight Directory Access Protocol (LDAP) service over the TCP protocol. Therefore, clients find an LDAP server by querying DNS for a record of the form:

_ldap._tcp.DnsDomainName

  • The Netlogon service sends a datagram to the computers that registered the name. For NetBIOS domain names, the datagram is implemented as a mailslot message. For DNS domain names, the datagram is implemented as an LDAP User Datagram Protocol (UDP) search.
  • UDP is the connectionless datagram transport protocol that is part of the TCP/IP protocol suite. TCP is a connection-oriented transport protocol. Note that UDP allows a program on one computer to send a datagram to a program on another computer. UDP includes a protocol port number, which allows the sender to distinguish among multiple destinations (programs) on the remote computer.

Each available domain controller responds to the datagram to indicate that it is working and returns the information to DsGetDcName.

The Netlogon service caches the domain controller information so that subsequent requests do not need to repeat the discovery process. Caching this information encourages consistent use of the same domain controller and a consistent view of Active Directory.

_LDAP._TCP.dc._msdcs.domainname


 

After the client locates a domain controller, the client establishes communication by using Lightweight Directory Access Protocol (LDAP) to gain access to Active Directory. As part of that negotiation, the domain controller identifies which site the client is in, based on the IP subnet of that client. If the client is communicating with a domain controller that is not in the closest (most optimal) site, the domain

If the client has already tried to find domain controllers in that site (for example, when the client sends a DNS Lookup query to DNS to find domain controllers in the client's own subnet), the client uses the domain controller that is not optimal. Otherwise, the client performs a site-specific DNS lookup again by using the name of the optimal site. The domain controller uses some of the directory service information for identifying sites and subnets.

After the client locates a domain controller, the domain controller entry is cached. If the domain controller is not in the optimal site, the client flushes the cache after 15 minutes and discards the cache entry. The client then attempts to find an optimal domain controller in its own site.

After the client has established a communications path to the domain controller, the client can establish its logon and authentication credentials and, if necessary for Windows-based computers, set up a secure channel. The client then is ready to perform normal queries and search for information against the directory.

The client establishes an LDAP connection to a domain controller to log on. The logon process uses Security Accounts Manager (SAM). Because the communications path uses the LDAP interface and the client is authenticated by a domain controller, the client account is verified and passed through SAM to the directory service agent, then to the database layer, and finally to the database in the Extensible Storage engine (ESE).

Best

Oz Ozugurlu


 

Monday, October 15, 2007

Static IP & why we need DHCP Client service running?



Here is outstanding interview question by Sirak Mulatu, if servers need static IP address as best practices, why the DHCP client service needs to be running on the Exchange server. Best practice is to disable all unnecessary services to make exchange even stronger?

Fair enough the service DHCP Client is being used to register DNS names. "Manages network configuration by registering and updating IP addresses and DNS names.". Imagine registration won't happening active directory integrated DNS world. The clients who needs mail service, won't be able to locate the Exchange server due to missing records, which will drop the entire Exchange server off from a network,

This will create a disaster in the SMTP mail flow. Be careful about this service.

Service Name



dhcp client


Starts the DHCP Client service.


This command is available only if you have installed the TCP/IP protocol.


The DHCP Client service manages network configuration by registering and updating IP addresses and DNS names. The DHCP Client service supports obtaining an IP address from the DHCP service.


You cannot stop or pause the DHCP Client service.

netlogon

Starts the Net Logon service.

The Net Logon service verifies logon requests and controls domain-wide replication of the user accounts database

Start the Net Logon service on all the servers in a domain that use a copy of the domain's user accounts database

workstation

Starts the Workstation service

The Workstation service enables a computer to connect to and use network resources.

server

You can use the Server service to share server resources with users on the network


Best,

Oz ozugurlu

SIS (Single Instance Storage)



In year may 1999 Tech-Ed Microsoft represented declared, Exchange is the first messaging system which is using SIS. It is up to you believe Microsoft product manager or not, I am just a messenger. What is this SIS? It is shared message storage if you would think so, Exchange stores copy of message and creates pointer to multiple mailboxes within the same mail store. If a message is sent to one recipient, and if the message is copied to 20 other recipients who reside in the same mailbox store, Exchange Server maintains only one copy of the message in its database. Exchange Server then creates pointers

These pointers link both the original recipient and the 20 additional recipients to the original message. If the original recipient and the 20 additional recipients are moved to another mailbox store, only one copy of the message is maintained in the new mailbox store.

As you can imagine the benefits clearly listed below

  • Reduce I/O positive impact
  • Less work on Exchange, more power for non redundant work
  • Without it, Exchange may go crazy and losing all its resources, imagine a mail 10Meg send to 1000 people on the same mail store.
  • Reduced storage improvements ( less data to store obviously)
  • Any other similar effect you can think of.

Think all the garbage you get when you receive your newspaper, free coupons etc. Imagine in your neighborhood 10 homes receive all these garages, or instead there is a shared mailbox, postman puts only one copy of each garbage collection so that people can read if they want it.

In Exchange 5.5, there is one database on the server.  Mail sent to multiple mailboxes on that server is only stored once, with pointers delivered to each recipient.  In Exchange 2000 and Exchange 2003, you can have up to 20 databases, where each database could have one copy of the message should recipients reside on each database. Each additional database adds an additional 2 percent to the database IOPS. How well Exchange utilizes single instance storage depends on the percentage of time messages are sent to recipients on the same database, and the average message size. Larger messages have more benefit with single instance storage.

Lastly I want to mention about Brick level backup. Why everyone don't recommend brick level backup? Lest start with Microsoft, the company who invented Exchange server application does not recommend brick level backup, due to several reasons. Introduction of RSG in exchange 2003, there really is not logic having brick level backups; it is such a waste of time and resources. I happen to have experience recently , one of your helpdesk administrators could not find out the reason, why he was backing three times more data than, his actual database sizes when he performs brick level backup. The reason easily can be discovered with understanding the SIS and how it works.

Regards,

Oz ozugurlu

How Much Memory Exchange 2007 Supports



For the most part having worried about Exchange I/O seems to be vanished with Exchange 2007 and powerful 64Bit environment. The main reason Exchange 2007 is able to take advantage of being able to perform most of the operations in memory and the 64Bit architecture is supporting the rest of it. The idea of breaking new roles, seems is the right decisions, and will improve the functionality of exchange server and its quality in my opinion. The new Exchange Transport service (SMTP transport stack), usage of ADAM on the Edge server, secure Edge transport sink one way from inside out to DMZ seems to be carefully planned and well hardened structure

  • The 32Bit architecture is limited to use 4Gig memory (Exchange&2003). The 64Bit version windows is 2003 X64 provides 8TB. Based on the Exchange server role Microsoft has some recommendations and recommended maximum memory as below.

Database Cache Size in Exchange 2003

  • Exchange 2003 runs on a 32-bit operating system, which limits the maximum size of the virtual address space to 4 gigabytes (GB). The operating system leaves only 2 GB of addressable RAM for a single application such as Exchange (or 3 GB when the /3GB switch is set in the Exchange boot.ini file). With such a limited amount of addressable RAM available, the size of the database cache must be carefully managed to allow Exchange to perform at its highest level. 

Database Cache Size in Exchange 2007

  • A large database cache greatly increases performance because disk input/output (I/O) is reduced and the ability to read information from memory is much faster than having to read information from a disk. With the 64-bit architecture in Exchange 2007, the maximum size of the database cache is no longer constrained by limits on the virtual address space. Instead, it is determined by the amount of available memory and by database I/O. For example, on a server that has 16 GB of physical RAM, ESE may increase the database cache to 8 GB if this amount is sufficient to meet its memory needs, and leave the remaining memory for system cache and other applications that are running on the server. 

Best,

Oz ozugurlu

BlackBerry cause additional overhead on exchange server



Do you know how much extra I/O overhead BlackBerry server will have impact on the Exchange server? Do you know how BlackBerry is design to talk to exchange server. The BlackBerry Enterprise Server connects to the Microsoft Exchange Server using the Messaging Application Programming Interface (MAPI) protocol. MAPI was designed to function on LAN connections, not WAN connections.

  • Below information is taken from TechNet and explaining the overhead with RIM.

In Exchange 2000 and Exchange 2003, users that have BlackBerry devices place additional demands upon the server. In the field, many customers see a two to four fold increase in database disk I/O. For more information, see the RIM whitepaper.

BlackBerry users cause additional overhead that affect the database IOPS of a server. When RIM tested 1000 BlackBerry enabled MMB2 users with BlackBerry Enterprise Server 4, they saw database IOPS increase by a factor of 3.64 over the standard MMB2 user without BlackBerry. This factor could be significantly smaller or larger depending on how BlackBerry devices are used in the environment. The BlackBerry test included: 10 synchronization commands; two memo adds, one modify, one delete; and four task adds. Actual BlackBerry device use will not be this constant, causing a lesser or greater affect on actual IOPS.

For a mail system consisting of 2,000 heavily used mailboxes, of which 500 are BlackBerry enabled, a total of 3820 IOPS is projected on the database volume. The formula to calculate this is:

Estimated BlackBerry IOPS per User for User Type × Number of Users

In this example, 1.0 IOPS × 2,000 mailboxes=2,000 IOPS. If 500 of those users have BlackBerry devices, then those 500 users add 500 mailboxes x 3.64 IOPS=1820 IOPS, or 3820 total IOPS.

Using a conservative ratio of two reads for every write (66% reads to 33% writes), you would plan for 2,546 read I/O and 1,273 write I/O requests per second for your database volume. Every write request is first written to the transaction log file and then written to the database. Approximately 10 percent of the total 3,820 IOPS seen on the database volume will be seen on the transaction log volume (10 percent of 3,820 is 382 IOPS); 1,273 write I/O requests will be written to the database. See the Performance and Scalability guide for in depth strategies for properly calculating your server size.

Regards,

Oz ozugurlu

No Free/Busy Information



You have noticed clients are not able to locate each other free busy information. The fact is that the organization went through a mail migration from exchange 2000 to exchange 2003 and all free busy data is gone. You have asked to bring the free busy back to life from death.


  • Problem: Free /Busy information is not present
  • Cause: Recent migration from Exchange 2000 to Exchange 2003
  • Solution: make sure the distinguish name of the PF folder is same as the site folder name attribute.
  • Solution 2: If you have verified the DN matches to site folder name, you need to backup the data on the PF folders delete the PF database and recreate another one.
  • Distinguish name

CN=Public Folder Store (CHTXFTWEX1),CN=First Storage Group,CN=InformationStore,CN=CHTXFTWEX1,CN=Servers,CN=CH Fort Worth TX,CN=Administrative Groups,CN=chapTELNET25,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=chapTELNET25,DC=org

  • Site folder name

CN=Public Folder Store (CHTXFTWEX1),CN=First Storage Group,CN=InformationStore,CN=CHTXFTWEX1,CN=Servers,CN=CH Fort Worth TX,CN=Administrative Groups,CN=chapTELNET25,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=chapTELNET25,DC=org


PS: You are still not seeing the Free/Busy folder under public folders (backup all PF information) delete the PF database and recreate the new one.

http://smtp25.blogspot.com/2007/08/no-freebusy-information-could-be.html

Best,

Oz ozugurlu

Tuesday, October 9, 2007

BOB Arrives to Chicago!



We recently sent one of our EMC senior consultants to our datacenter in Chicago, of course this is Bob. Upon his arrival he wrote e-mail back to us to let us know we got there. I found this E-mail hilarious and decided to blog it. Bob is going to build many exchange server in Chicago and he will lead enterprise migration affords, I will post some of his experience in my blog as well and share the wealth of his knowledge on my blog.

Here he goes,

Hello Mom and Dad,

Dan and I arrived to Chicago just fine. You no longer have to worry about us. We arrived to Chicago, got checked into the hotel and came straight to the CDC...after breakfast :). This place is a bit weird. I believe it is an old church that was renovated to become office space and a Datacenter. I'm scared to curse or think any bad thoughts in this old church. We got through security (thanks Brad for the help). The Datacenter is HUGE. Dan and I got lost inside it. It is at least 4-5 times larger than the Datacenter we have at home. We are now waiting for someone to take us to our next field trip to see where all of our new toys are. We found our staging area and we are ready to have some fun, but everything is a process here. We'll stay in contact and let you know how the process goes. We are having fun...wish you were here.

Best Regards,

Oz

Sunday, October 7, 2007

Windows cannot load extensible counter DLL BlackBerry Router, Perflib cannot be found



After scheduled reboot on our BES servers, we start seeing below errors. After doing quick resource we were able to stop the errors as follows below.



Problem: BES server even log is logging 1023, BES seems to be working

Solution: we have done two things to fix the issue

  1. Make sure the register key is in place Open Register on the BES server and drill down to following key
  • HKEY_LOCAL_MACHINE\SYSTEM\Current Control Set\Services\BlackBerry Router\Performance
  • C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BypassRouter\BlackberryRouterPerf.dll
  1. " if the DDL file is missing go ahead and add it at the end of the line "BlackberryRouterPerf.dll"

Event Type: Error

Event Source:

Perflib

Event Category:

None

Event ID:

1023

Date:

10/7/2007

Time:

11:35:39 AM

User:

N/A

Computer:

NHQBES6

Description:

Windows cannot load extensible counter DLL BlackBerry Router, the first DWORD in data section is the Windows error code.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:0000: 7e 00 00 00

  1. Download "exctrlst.exe" windows 2000 resource kit , Extensible Performance Counter List (exctrlst.exe)
  • Install it and go to resource kit directory,
  • double click on exctrlst.exe
  • locate Blackberry Router
  • uncheck the 'performance counter enabled' box

This should take care of this problem go back to event log and make sure you are not getting any more event id 1023

Best Regards,

Oz ozugurlu

Saturday, October 6, 2007

RPC OVER HTTP



Everyone knows if RCP/HTTP won't work it is going to be a challenge to make it work. Here is one of the best document we were able to use to address most of our issues, Bill Boswell. In my opinion he is one if the best when it comes to Exchange. Click Below ling to get to PDF.

Using RPC over HTTP with Exchange Server 2003 SP1

Using real certificate will save you many troubles. If you cannot efforts the real certificate at least to see how it works, get SSL diagnostic from clicking on this link. If you want free certificate go to Star.com yes it is free. If you have some budged go to godaddy.com

Use RPC ping, to make sure it works fine, if you cannot make RPC Ping work don't worry for going forward, you want to make sure it work, follow the Bill Boswell PDF to get to bottom the problem

  • VSOWA1= OWA/RPC Server
  • Administrator: (Administrator account mail enabled)
  • SMTP25= SMTP Domain Name
  • mail.SMTP25.org ( FQDN RPC Proxy Server)

rpcping -t ncacn_http -s mail.smtp25.org -o RpcProxy= mail.smtp25.org -P "oozugurlu,smtp25,*" -I "oozugurlu,smtp25,*" -H 1 -u 10 -a connect -F 3 -v 3 -E -R none

Open your outlook with RPCdiag switch, to ensure the connectivity

Click, start, run , Outlook /rpcdiag

Warm Regards

Oz ozugurlu


 

Thursday, October 4, 2007

Active Directory Questions



Team, I am posting some more Active directory question. These questions below are getting little more complicated than previous questions. I am also including feedback from Joe Nagy. Joe has been passing his knowledge to us and I wanted to share some of it with you all here.

Please pay attention to Joe's feedback there is so much to gain from his feedback if you pay attention.If you have any question, please post it here.

1. If full qualified domain name is Smtp25.org what would be the distinguish name

2. Which support tools are being used to troubleshoot the DNS issues?

3. What tools are you familiar with AD General Heath Check?

4. What port Kerberos uses and what is Kerberos

5. What is KCC, and Explain bi-directional ring with extra edges?

6. Explain Journal Wrap, how it happens and how can it be fixed

7. What is default DNS Type code on SRV RESOURCE?

8. Explain lingered object and how to trouble shoot the issues related to it

  • This is to see if they know LDAP. In order to work with LDAP and AD, LDAP has to "bind" to specific object in AD before doing any operations. All 'binds' are done with distinguished names.
  • 2003 support tools added DNS tests to DCDIAG that the 2000 tools don't have. Also for general connectivity/DNS testing Netdiag is very helpful. Plus...there's dnscmd, dnslint..... and of course network monitor captures.... I use Ethereal
  • Anyone who's had to troubleshoot a DC ought to know that DCDIAG /v is almost always the first place to go
  • (Question 4&5) Port 88 UDP and TCP. Kerberos Version 5 is standard on all versions of Windows 2000 and later plus ensures the highest level of security to network resources. The Kerberos protocol name is based on the three- headed dog figure from Greek mythology known as Kerberos. The three heads of Kerberos comprise the Key Distribution Center (KDC), the client user and the server with the desired service to access. The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). Kerberos is totally different beast than LM/NTLM. You get tickets instead of contently doing 'challenge/response'. BUT, in an environment you will never ONLY use Kerberos. For things like non-interactive logins(OWA), cross domain SMB access, and many other instances you will fall back to NTLM (v2 if you're setup to not use v1 or LM which are security risks as they store hashes on the servers that can be cracked)
  • NTFS maintains a special log called the NTFS USN journal, which is a high-level description of all the changes to files and directories on an NTFS volume. FRS uses this mechanism in order to track changes to NTFS directories of interest, and to queue those changes for replication to other computers. The NTFS USN journal has defined size limits and will discard old log information on a first-in, first-out basis in order to maintain its correct size.
  • If FRS processing falls behind the NTFS USN journal, and if NTFS USN journal information that FRS needed has been discarded, then FRS enters a journal wrap condition. FRS then needs to rebuild its current replication state with respect to NTFS and other replication partners.
  • Resolution: To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:

1. Click Start, and then click Run.

2. In the Open box, type cmd and then press ENTER.

3. In the Command box, type net stop ntfrs.

4. Click Start, and then click Run.

5. In the Open box, type regedit and then press ENTER.

6. Locate the following subkey in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

7. In the right pane, double-click BurFlags.

8. In the Edit DWORD Value dialog box, type D2 and then click OK.

9. Quit Registry Editor, and then switch to the Command box.

10. In the Command box, type net start ntfrs.

11. Quit the Command box.

When the FRS service restarts, the following actions occur:

The value for BurFlags registry key returns to 0.

Files in the reinitialized FRS folders are moved to a Pre-existing folder.

An event 13565 is logged to signal that a nonauthoritative restore is started.

The FRS database is rebuilt.

The member performs an initial join of the replica set from an upstream partner or from the

computer that is specified in the Replica Set Parent registry key if a parent has been specified for

SYSVOL replica sets.

The reinitialized computer runs a full replication of the affected replica sets when the relevant

Replication schedule begins.

When the process is complete, an event 13516 is logged to signal that FRS is operational. If the

event is not logged, there is a problem with the FRS configuration.


  • LingeringObjects are introduced by DCs/GCs that have been offline or failed to replicate for the tombstone lifetime. Say that DC A and B are online. B goes offline. 10 users get deleted from A. The 10 users remain in deleted items for 60 days or whatever its set to. (Tombstone lifetime). If you bring B back up any time before the 60 days are up, no problem. During replication, B would move the users to deleted items just as on A. But, if its brought up AFTER, those deleted users aren't in the A database at all, anywhere so B knows they aren't on A but has no way of knowing what happened to them. So they remain in B's database as lingeringobjects. Most places use strictreplication consistency to avoid replicating the objects around which could cause problems.

1.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

2.Click Add Value on the Edit menu.

3.Add the following value:


Value Name: Strict Replication Consistency

Data type: REG_DWORD

Value data: If the value is 1 it is enabled and lingeringobjects won't replicate.

Lingering objects may be a problem in the following scenarios:

•The lingering object is holding a value on a unique attribute, such as samAccountName, that another object wants to use.

•The lingering object is a security risk, for example, it may represent a user that you should have deleted.

•The lingering object only exists in the read-only naming context (global catalog). This behavior makes the object difficult to delete.

If you enable Strict Replication Consistency, a destination stops replicating and you receive the error message that is described in the "Symptoms" section of this article if the destination receives modifications for an object that it does not have. Typically, this problem occurs when a good domain controller that does not have the object replicates in a change to a lingering object from a bad source that has been out of contact.

  • If you enable Loose Replication Consistency, if a destination receives a change to an object that it does not have, the entire object is replicated to the target for the sake of replication consistency. This behavior causes a lingering object to be reapplied to all domain controllers in the replication topology.
  • TO REMOVE: 2003 support tools Repadmin has a /removelingeringobjects switch that helps. 2000 is much more difficult, especially in they are in the GC partions that are READ ONLY. You can't delete from READ ONLY. This is where an "operational" attribute comes into play. Progamatically, at RootDSE, an operational attribute called 'removelingeringobject' with info about the object is written. You're essentially telling AD to delete it for you since its read only and you can't.

Best Regards,

Oz ozugurlu