SharePoint 2007 Microsoft.SharePoint.Upgrade.SPIisWebSiteWss failed

After upgrading SharePoint 2007 SP3 and Post Feb 2013 CU, I was unable to sucessfully complete the SharePoint Products and Technologies Wizard on step 9. In the ULS logs I was getting the following error:

[SPIisWebSiteWssSequence] [ERROR] [3/14/2013 8:25:31 PM]: Action 3.0.2.0 of Microsoft.SharePoint.Upgrade.SPIisWebSiteWssSequence failed.


[SPIisWebSiteWssSequence] [ERROR] [3/14/2013 8:25:31 PM]: 1387

[SPIisWebSiteWssSequence] [ERROR] [3/14/2013 8:25:31 PM]: at Microsoft.SharePoint.Win32.SPNetApi32.NetLocalGroupAddMember(String groupName, String userName)


The key thing to take away from this is the portion where it says NetLocalGroupAddMember(String groupName, String userName)

This means there are orphaned accounts that are still being used in SP. In my case I went through several places to check.

1. Central Admin, Operations, Update Farm Administrators Group. Delete any users that don't exist.

2. Central Admin, Application Managment, Site Collection Administrators. Delete any users that don't exist.

I re-ran the SharePoint Products and Technologies Wizard and still failed. I than ran

stsadm -o provisionservice -action stop -servicetype spwebservice -servicename ""


stsadm -o provisionservice -action start -servicetype spwebservice -servicename ""

Than I re-ran the wizard from the command prompt and it completed sucessfully.

psconfig -cmd upgrade -inplace b2b

However at this point when I try to configure versioning settings on any list it still fails. This was my original problem. When you set versioning you receive the error:

Unexpected query execution failure, error code 8144. Additional error information from SQL Server is included below. "Procedure or function proc_UpdateListSettings has too many arguments specified." Query text (if available): "SET NOCOUNT ON; BEGIN TRAN; DECLARE @@iRet INT;EXEC @@iRet=proc_UpdateListSettings '5D03B895-A13F-4A5B-8E74-F851AF19BC22','1B8615A3-5964-4F96-BCF2-5519042DB5B9',N'{B7EECCB4-2EDD-463E-A974-BA5781F9E47B}',0,100,NULL,NULL,NULL,NULL,NULL

I then rechecked my app pools, Identity, verify these accounts are still active. This was the culprit for me. There were a few app pools running with accounts that no longer existed after we did a forest migration. I updated the accounts to the a valid farm service account and ran the commands:

psconfig -cmd secureresources


psconfig -cmd upgrade -inplace b2b

After re-running the config wizard it, versioning is working.

To sum up, ensure all services with orphaned accounts are rehomed than run psconfig -cmd upgrade -inplace b2b. I probably didnt' need to run the commands below which at least allowed the configuration wizard to complete.

stsadm -o provisionservice -action stop -servicetype spwebservice -servicename ""

stsadm -o provisionservice -action start -servicetype spwebservice -servicename ""

Just ensure all orphaned accounts are updated prior to running any SP or CU upgrade and especially before runnning the configuration wizard.

MFCMAPI MAPI_W_PARTIAL_COMPLETION == 0x00040680

Ran into an interested case with a customer where his Exchange server crashed and the temp table kept regurgitating the queues. We attempted to delete the temp table using mfcmapi however we received the error below.

MAPI_W_PARTIAL_COMPLETION == 0x00040680

It appears to delete but if you close out and log back in to mfcmapi the temp table still shows with the messages. I surmised that the mailbox\database was corrupt as there was no way to delete this temp table nor the individual messages. We were then stuck as to how to delete the temp table since you can't delete the SMTP mailbox which was likely corrupt to do the server crash. Since this was an SBS server we didn't have the option of moving all our mailboxes to the other store since each store has it's unique SMTP mailbox. Our options were either to run a repair using eseutil or export to pst, delete the store than re-import. However there was a method to delete the SMTP AD object using adsiedit, which will than mark the SMTP mailbox as disconnected than create a new SMTP AD object which will create a new SMTP mailbox. Thanks to the link below which goes over deleting and recreating the AD object.

CN=Connections,CN=Organization Name,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain Name

Delete object  SMTP (ServerName-{GUID of Mailbox Store})

Then recreate.


http://www.alihassanlive.com/e2k3/2008/7/9/issues-with-smtp-mailbox.html


James Chong
MCITP EA EMA; MCSE M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Msdeploy Source (contentPath) and destination (metaKey) are not compatible for...

When using msdeploy to migrate a site you receive the error below:

C:\Program Files\IIS\Microsoft Web Deploy V3>msdeploy -verb:sync -source:package
=c:\Sitewirefly.zip -dest:metakey=lm/w3svc/1

Error: Source (contentPath) and destination (metaKey) are not compatible for the
 given operation.
Error count: 1.

After spending some time troubleshooting, the root cause seems to just be a corrupt zip file. In my case my zip file is close to 7GB. After chasing a red herring on this particular error I tried opening the zip file and did not open. On windows 2003 there is a 2GB limitation or it gets corrupt. 2008 does not have this limitation. I tried using 7zip where does appear to zip and open, but when opening the zip file all the contents are 0 bytes. Winzip did not help even though there is no 2GB limit with the new editions after 9.0. As an alternative I just ended up using the archive method below.


C:\Program Files\IIS\Microsoft Web Deploy V3>msdeploy -verb:sync -source:archive
dir=c:\site1archive,encryptpassword=mypassword -dest:metakey=lm/w3svc/3 > msdepl
oymigrate.log

C:\Program Files\IIS\Microsoft Web Deploy V3>msdeploy -verb:sync -source:archive
dir=c:\site1archive,encryptpassword=mypassword -dest:metakey=lm/w3svc/3 > msdepl
oymigrate.log


James Chong
MCITP EA EMA; MCSE M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

GAL photo not removing after removing thumbnail attribute

After importing a GAL picture using the command below:

Import-RecipientDataProperty -Identity "James Chong" -Picture -FileData ([Byte[]]$(Get-Content -Path "C:\pictures\jchong.jpg" -Encoding Byte -ReadCount 0))


The picture sucessfully shows in the GAL, after removing the picture GAL using cmd below or removing the thumbnail attribute using adsiedit the picture does not show in the GAL.

Set-Mailbox "James Chong" -RemovePicture

However I noticed that my picture was still showing in the social connector page in Outlook. After spending sometime trying to identify where AD was picking this up the picture I gave up. Then some days later, I was tinkering with my iphone and noticed my picture in the email so I clicked on it and there was an option to delete. After deleting the photo from my iphone the picture no longer shows in the outlook social connector. It seems that the iphone must have downloaed the pic when it was imported and started using the picture.


James Chong
MCITP EA EMA; MCSE M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

New-MailboxExportRequest Couldn't connect to the source mailbox

After reconnecting a disabled mailbox and attempting to run an export request you receive the following error:

[PS] C:\Windows\system32>New-MailboxExportRequest user1 -FilePath "\\dcexmailp01\PST Dumps\srosenwinkel1.pst"


Couldn't connect to the source mailbox.

+ CategoryInfo : NotSpecified: (0:Int32) [New-MailboxExportRequest], RemoteTransientException

+ FullyQualifiedErrorId : EC413571,Microsoft.Exchange.Management.RecipientTasks.
NewMailboxExportRequest
 
You attempt to log into webmail and you receive:
 
Exception


Exception type: Microsoft.Exchange.Data.Storage.AccountDisabledException

Exception message: Cannot open mailbox /o=first organization/ou=exchange administrative group (fydibohf23spdlt)/cn=recipients/cn=user1.
 
In this instance I reconnected a disconnected mailbox to a new user. Thinking it was the DS cache I waited for some time. There is a KB article http://support.microsoft.com/kb/2682047
 
"You cannot access a mailbox for several hours after you disconnect and then reconnect the mailbox in an Exchange Server 2010 SP2 environment" which says to install SP2 RU3 which is already installed.


After some time had elapsed, I attempted to disable the mailbox and reconnect and still same error.
 
When you run get-mailboxstatistics user1 |fl you see
 
DisconnectDate : 2/3/2013


DisconnectReason : Disabled
 
To resolve this error, once you have reconnected the mailbox you have to run
 
get-mailboxdatabase |clean-mailboxdatabase again.
 
James Chong
MCITP EA EMA; MCSE M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Update Rollup 3 for Exchange Server 2010 SP2 Installation Procedures

Rollup 3 For Exchange Server 2010 SP2 has been released May 29th 2012. Installing rollups for Exchange is pretty straight foward, however here are some nuiances and procedures to follow when updating any roll ups.

As with any roll ups it's required to disable the ForeFront Controller Service prior to running the roll up by running fscutility /disable. What this does removes the ForeFront Controller Service dependency from the Exchange Transport service. I've personally never ran this on previous rollups knowing it was required and never had a problem. However with this rollup I got bit. After spending approximately 1hr 20 mins for the rollup to almost complete it was stuck at starting services because the transport service could not start because of the ForeFront Controller dependancy so it rolled back the entire install.

When you run the fscutility /disable (from the forefront directory in using cmd) it wll say that it was sucessfully in removing the dependency. However, you may get a warning that it failed because the transport and ForeFront Controller Service was running. In this case stop the services and re-run the command.

Once the rollup is completed you need to run fscutility /enable. Again you may get an error that it failed because the MS transport and ForeFront Controller Service is running. In this case stop the services again and re-run the command. I would also reboot when all is complete.

Since rollups take anywhere from 1hr to 1.5hrs, you want to make sure you also remove the patching servers out of any load blancing pool whether hardware based or NLB.

As with any rollups and service packs you also want to start with your EDGE, CAS\HT first then your Mailbox servers.


James Chong
MCITP EA EMA; MCSE M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2007 to Exchange 2010 Cross Forest Migration Job Aid

Here is a production job aid I've created to perform cross forest mailbox moves migrating from Exchange 2007 to Exchange 2010.

Purpose


This Job Aid is to provide the steps required to migrate a ipcfcdom user account and mailbox to corp.dom The instructions will cover using ADMT to migrate the user account, profile and computer. The instructions will also cover using Powershell to migrate the mailbox. Finally the instructions will cover migrating the SharePoint and ResolveIT accounts.

Audience

This document is intended for use by Server Engineering.

Instructions

Step Description

CORP.DOM = New Target Forest
IPCFCDOM= Source Forest

Prereq



Verify that the computer is Wired and set classID to corp “ipconfig /setclassid * corp” (This may not apply to you. This is to ensure new migrated systems will use the DHCP servers in the new Forest and not the source Forest)



1. Provision source AD account to be Exchange Aware.



a. Log into DCEXCASP01 (Target Exchange 2010 CAS Server). Launch Exchange Management Shell Start  All Programs  Microsoft Exchange Server 2010



b. Change directory to C:\Program Files\Microsoft\Exchange Server\V14\Scripts



c. Type: $Local = Get-Credential you will get a windows prompt. Enter your admin credentials for the ipcfcdom domain. Type: $Remote = Get-Credential you will get a windows prompt. Enter your admin credentials for the corp.dom domain.



d. Delete the GALsync contact in the Corp domain OU GalSync\FromILM for the user you are migrating. If you don’t it merges with the contact producing john doe1734633. Then you will need to rename it to take out the random numbers and set the contact to apply email address policy and set corp as the external address.





.\Prepare-MoveRequest.Ps1 -Identity "CN=Alexander Htet,OU=reston,DC=ipcfcdom,DC=inphonic,DC=com" -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,OU=GALSync,DC=corp,DC=dom" -UseLocalObject –overwritelocalobject



New-MoveRequest -Identity "CN=alexander htet,OU=FromILM,OU=GALSync,DC=corp,DC=dom" -RemoteLegacy -TargetDatabase "mdb04 tier2" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "corp.dom" -SuspendWhenReadyToComplete

Ignore Warning Message

WARNING: When an item can't be read from the source database or it can't be written to the destination database, it

will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting Exchange not copy such items to

the destination mailbox. At move completion, these corrupted items will not be available at the destination mailbox.



e. To check the status of the mailbox move, launch Exchange Management Console

f. Expand Recipient Configuration  Move Requests. Double click the user to get the stats on progress



2. Migrate the user account to corp.dom using ADMT



a. Log into the ADMT server EQDCP03.CORP.DOM with svcadmt account

b. Launch Active Directory Migration Tool on desktop

c. Action menu, user account migration Wizard

d. 1. Welcome page, next

e. 2. Domain selection, click next. All fields should be pre-populated

f. Source: ipcfcdom.inphonic.com DC: fcrs05 Target: Corp.dom DC: Eqdcp01

g. Select Users from Domain

h. Add and find the user to be migrated

i. Target OU choose destination OU

j. Password Options, Migrate Passwords

k. Password Migration Source DC: fcrs05

l. Enable Target Accounts. Migrate user SIDS to target domain

m. Enter ipcfcdom\svcadmt credentials

n. Fix users group memberships

o. Object Property Exclusion, leave blank

p. Migrate and merge conflicting objects. Move merged objects to the specified Organization unit

q. Finish





3. Migrate the user profile using ADMT



a. Action menu, security Translation Wizard

b. Welcome page, next

c. Previously migrated objects

d. Domain selection, click next. All fields should be pre-populated

e. Select computers from domain

f. Add and find computer to be migrated. Domain selected should be ipcfcdom

g. Translate Objects, User profiles.

h. Security Translation Options, Add

i. Finish.

j. Log in corp.dom ADUC. Locate the migrated account and uncheck “user must change password at next logon”



After a few seconds the Active Directory Migration Tool Agent Dialog menu will pop up. Select the radio button “Run pre-check and agent operation” and click start. If you get the following error below it means the corp\svcadmt is not local admin on the client machine.



Unable to determine the local path for ADMIN share on the machine "desktop". rc=-2147024891



When the Agent Operation changes from Running to Successful, click Close.





4. Migrate the computer to corp.dom using ADMT



a. Action menu, computer migration Wizard

b. Welcome page, next

c. Domain selection, click next. All fields should be pre-populated

d. Select computers from domain

e. Add. Location should be ipcfcdom

f. Target OU = Automatic Updates, Non Production, Infrastructure, Infrastucture Clients...

g. Translate Objects, unselect all.

h. Minutes before computers restart = 1

i. Object Property Exclusion, skip

j. Conflict Management. Migrate and merge conflicting objects. Move merged objects to the specified target Organizational Unit

k. Finish. Close. After a few seconds the Active Directory Migration Tool Agent Dialog menu will pop up. Select the radio button

l. Run pre-check and agent operation and click start. Ater status changes to completed you can click close.





5. Post User Configuration



a. When the computer has rebooted, ensure that user logs into corp.dom domain as the computer will still default to ipcfcdom.

b. Delete the "Closest GC” registry key. Search the registry for this key and delete it

c. Launch Outlook. You do not need to create a new profile. You will receive warning message that Outlook must restart due to administrative changes. Ignore the message and continue with Outlook.





6. Set the migrated user’s account extensionattribute15 to “migrated” so Galsync will not create contact for this user in the corp.dom domain. Failure to do this will create a contact for an already existing user in corp.dom causing email issues.



a. Log in dcexcasp01.corp.dom

b. Type adsiedit.msc in the run box

c. Expand Default Naming Contact and highlight the OU where the user resides.

d. Right click the user and properties. Search for extensionattribute15 and type in “migrated” without the quotes





7. Migrate the user’s SharePoint Account. You will need DB owner rights to SP DB.



a. Log into the SharePoint server DCSPAPPS01

b. Launch cmd

c. STSADM -o migrateuser –oldlogin ipcfcdom\user -newlogin corp\user –ignoresidhistory

d.

You should receive “operation completed successfully”



Update the display name. After migrating the SharePoint account, the display name changes from John Doe to corp\jdoe. To change it back to the friendly name:



1. Log into SharePoint Server DCSPAPP01

2. Launch Powershell

3. Enter the following lines one at a time



a. [Reflection.Assembly]::Load("Microsoft.SharePoint, Version=12.0.0.0, Culture=Neutral, PublicKeyToken=71e9bce111e9429c")



b. $site = New-Object -TypeName Microsoft.SharePoint.SPSite -ArgumentList http://inside.simplexity.com



c. $user = $site.RootWeb.SiteUsers["corp\jdoe"]



d. $user.Name = "John Doe"



e. $user.Update()



After you migrate John Doe, and you’re ready to migrate a second user, you only need to type in lines C,D,E. You can copy and paste all 3 lines into powershell rather than entering in one at a time.



8. Migrate the user’s ResolveIT Account. You will need ResolveIT Sysadmin rights.



e. Log into the ResolveIT.simplexity.com

f. Go to administration  System –Users  User Management

g. Click edit user. UserID enter bsmith and click find

h. Scroll down under the menu heading “Mandatory fields for all users”

i. Change the authentication Method to Primary (LDAP/Exchange/Active Directory)

j. Scroll down and click save

Manually Migrate User Profile Using Reg Hack

1. Log into machine with admin rights and launch regedit and naviate to

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

2. Highlight the SID that corresponds to the Corp user. You can locate it by highlighting each SID entry and looking at the ProfileImagePath string value example C:\Users\bsmith.CORP.

3. Edit this entry to equal the profile path of the original ipcfcdom profile path.

Replace:

ProfileImagePath = C:\Users\bsmith.CORP

with

ProfileImagePath = C:\Users\bsmith.ipcfcdom

Search-AdminAuditLog The attempt to search the administrator audit log failed. Please try again later

When running the command Search-AdminAuditLog you receive the following error:

The attempt to search the administrator audit log failed. Please try again later.


 
This is because the query is not valid. For example the below would be an invalid query and would produce the error.
 
Search-AdminAuditLog -StartDate 05/16/2012 -EndDate 05/16/2012 -ObjectID "jyoung"

An example of a correct query syntax to query who's made changes to a mailbox called John Doe would be like below.

[PS] C:\Users\jyoung.CORP\Desktop>Search-AdminAuditLog -Cmdlets Set-Mailbox -objectids "corp.dom/Corporate Locations/Reston/John Doe" -StartDate 05/10/2012 -EndDate 05/12/2012 -IsSuccess $true

When searchng for the target mailbox John Doe you must use the complete CN like in my example corp.dom\corporate... you can't use just the username, alias etc.
Another option is to just do a complete dump and export to txt file and do a search against the txt file.

search-adminauditlog > c:\log.txt

James Chong
MCITP |EA |EMA; MCSE M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com 

Exchange Recovery Database with Backup Exec 2010 R2

Below are the steps in order to restore an Exchange 2010 DB to a recovery database using Backup Exec 2010 R2.

1. Create 2 folders on the Exchange mailbox server.

•Database –> E:\Recovery\Database

•Transaction Logs –> E:\Recovery\Logs


Make sure you're restoring full backup and not differential otherwise otherwise only the logs will restore.
New-MailboxDatabase -Recovery -Name RDB -Server DCEXMAILP01 -EdbFilePath "E:\Recovery\RDB\RDB.EDB" -LogFolderPath "E:\Recovery\RDB"


Mount the DB, need a blank DB file to Pre-exist then dismount and delete all files except the .edb in the E:\Recovery\Database. (Ensure that on the DB properties the check box is checked for for database can be overwritten by a restore. It should still be checked.

Once recover is complete, the DB will automatically be mounted.
Get-MailboxStatistics -Database RecoverDB

Restore-Mailbox -Identity User1 -RecoveryDatabase rdb

Restore to pst

New-MailboxExportRequest -Mailbox User1 -FilePath file://dcexmailp01/PST%20Dumps/User1.pst

Get-MailboxExportRequest (to show the status of the export)


James Chong
MCITP | EA | EMA; MCSE M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Web.config Configuration An Extension of Name "SecurityServiceBehavior" already appears in Extension Collection

The following error on your web app can be due to multiple reasons, however the root issue is because your web.config is being loaded twice. The error is does not indicate that you have duplicate tags in the web.config nor that its an issue with this specific tab. How does the web.config reoload twice? One is something within your code where when you get to your webapp, it can do some other function or loging that calls your web.config again. Another reason in my specific case was due to incorrect IIS settings on the web app for example:

The root on website test.com has an application declared with home:


d:\intepub\wwwroot\test\virdirectory instead of just d:\intepub\wwwroot\test
Then there is a virtual directory off the root of test.com called virdirectory with a  home directory of:

• d:\intepub\wwwroot\test.com\virtualdirectory

This causes the web.config to be loaded twice.

James Chong
MCITP | EA |EMA; MCSE |M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2003 Migration to Exchange 2010 Coexistence OWA ActiveSync Real Life Tips

When migrating from Exchange 2003 to 2010, it may be imperative to set up coexistenance during the migration to ensure smooth transition during the period when you have both your Exchange 2003 and Exchange 2010 environments running. This is the idea situation if you have many users\servers and can't perform an day or weekend cutover of moving all your mailboxes to the Exchange 2010 server. To set up coexistenance here are some tips I've encountered:

1. If you are using mail.contoso.com as the DNS name for your Exchange 2003 Outlook Mapi, OWA, and Activesync then perform the following.

In external DNS update the DNS record mail.contoso.com to the IP of the Exchange 2010 server. Create another record legacy.contoso.com and point that to the IP of the Exchange 2003. In internal DNS create legacy.contoso.com with the IP of the Exchange 2003 server. Do not change the internal DNS mail.contoso.com, leave that as is because your Exchange 2003 Outlook users are still using mail.contoso.com, if you change the internal record, your Outlook 2003 users will not work since it will be pointing to the Exchange 2010 server and it can't proxy rpc back to 2003. Before making DNS changes, set the TTL to something like 5 minutes 24 hours before you create these record,  this ensures when you change the records, you're not waiting for an hour or more for the DNS cache to timeout and hamper your testing and\or toubleshooting.

2. Go to the Exchange 2010 EMC and add the externalURL

Set-OwaVirtualDirectory -Identity "exchange2010cas01\owa (Default Web Site)" -Exchange2003Url https://legacy.contoso.com/exchange

3. Set the same for the activesync virtual directory

Set-ActiveSyncVirtualDirectory \Microsoft-Server-ActiveSync* -ExternalURL https://legacy.contoso.com/Microsoft-Server-ActiveSync

Supposedly you don't necessarily need to set the legacy against the activesync virtual directory for 2003-2010 coexistenence because Exchange 2010 will directly proxy to the 2003 activesync. I have found this did not work and required you to set the activesyncvirtualdirectory and let it redirect. At this point you should be able to open a browser outside the network and be able to perform the following.


A. Go to mail.contoso.com from outside the network and access a mailbox for a 2010 user and a 2003 user

B. Go to legacy.contoso.com  from outside the network and access a 2003 user

C. On your activesync phone you should be able to access your 2003 user without changing any settings on your phone and still set to mail.contoso.com (some troubleshooting steps below if you can't)

D. On your activesync phone you can also set the mail server to legacy.contoso.com and access your 2003 server.


You also need to ensure the following are set. On your Exchange 2003 front end, make sure you enable integrated authentication for the activesync directory as well as Basic. Also DISABLE the require SSL on the activesync vdir as well. You also need to DISABLE require SSL on the exchange virtual directory on your 2003 FE. I set this directly from IIS and not ESM and didnt run into DS2MB re-writing.

In addition if you are doing http to https redirect on your Exchange 2003 OWA you need to turn this off whether you were performing this using the http custom error file or some other method.


If you experience activesync slowness its because you didnt disable the require SSL on the Exchange virdir on your 2003. I also didnt need to disable the RPC\HTTP nor disable forms based on the 2003 to have it work.

Another tip: You dont want to set up the HTTP to HTTPS redirect on your 2010 just yet. Because if you're using mail.contoso.com for everything, outlook, activesync, owa and you're in this split brain DNS setup then it can break services. This is because when a 2010 user logs into OWA using say just http://mail.contoso.com/ it goes to the 2010 CAS and CAS will do a redirect to to https://mail.contoso.com/ but your CAS will use the internal DNS and mail.contoso.com internally will go to your Exchange 2003 which your 2010 user doesnt reside. This will render a redirect loop in the browser.

This is just one of the limitations of coexistence if you use a single namespace mail.contoso.com for all your services. Another limitation is internal 2010 users after they are migrated will not be able to use OWA or activesync on the internal wifi because they will be pointed to mail.contoso.com which of course points to 2003 internally. Of course you can go with alternate solutions such as using a new namespace for your 2010 users but that would mean you would have to re-home their devices and outlook anywhere after they are migrated so not seamless.

Once complete you want to enable your Exchange 2010 cas Outlook Anywhere to allow for both NTLM and Basic authentication since it's possible you may have Outlook Anywhere clients that may be set to either NTML or Basic already. I ended up requiring to set all 3, just setting the -defaultauthentication method for ntlm and basic did not work.

Set-OutlookAnywhere -Name Server01 -DefaultAuthenticationMethod ntlm, basic

Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod ntlm, basic

 Set-OutlookAnywhere -Name Server01 -ClientAuthenticationMethod ntlm, basic


James Chong
MCITP | EA |EMA
Security+, Project+, ITIL
msexchangetips.blogspot.com

Backup Exec attempted to back up an Exchange database according to the job settings. The database was not found in the Database Availability Group DAG

When attempting to backup an Exchange 2010 DAG you recieve the following error:

V-79-57344-896 - Backup Exec attempted to back up an Exchange database according to the job settings. The database was not found in the Database Availability Group (DAG), however. Update the selection list and run the job again.


You have verified that the backup exec agent service is running with the LSA account and is in the Exchange org admin group. In this instance the issue was caused by renaming the database display name for example “MDB01 Tier1” to “MDB01 Tier 1 500GB”.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Calendar sharing is not available with the following entries because of permission settings on your network

When attempting to share a calendar to another internal user using outlook 2010 you receive the error

Calendar sharing is not available with the following entries because of permission settings on your network

After deleting the nickname cache and choosing the name from the GAL you still receive this error. In this instance it was resolved using:

set-mailbox user1 -applymandatoryproperties


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

UAG Exchange 2010 OWA Error_Code=51 has resulted in too many redirects

Summary: After rebooting UAG servers, you receive the following error in your browser when attemping to access owa.company.com

https://outlook.company.com/internalsite/internalerror.asp?site_name=trunk1&secure=1&error_code=51 has resulted in too many redirects.

Root cause: In this instance every time the UAG is rebooted (in our case montly windows patch) one UAG box failed to start the internal site in IIS. If you start the site or run "activate" in the UAG console, OWA will work.

What is happening is that UAG accepts the Outlook anywhere request, and does an internal redirect to its own “internal site”. This is normal, as the InternalSite, listening on port 6001, is UAG’s administrative engine (handles login, authentication, errors etc).

Root fix: There is an error event that comes up after we patch on UAG2 that doesn’t occur on UAG1 even though they are configured and patched exactly the same.

Event id 107
Report Server Windows Service (ISARS) cannot connect to the report server database.

Two services were stopped on UAG2 below. It appears one service is starting before the other “SQL Server Reporting Services (ISARS)” before “SQL Server (ISARS)”.

Set the dependency in the registry.

“SQL Server Reporting Services (ISARS)” Depend on service “SQL Server (ISARS)”


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010: Bulk Provision and Move Mailbox Import-csv

Import-CSV "C:\ADMT\users.txt" | foreach {.\Prepare-MoveRequest.Ps1 -Identity $_.users -RemoteForestDomainController "dcfcdc03.ipcfcdom.inphonic.com" -RemoteForestCredential $Remote -LocalForestDomainController "eqdcp01.corp.dom" -LocalForestCredential $Local -TargetMailUserOU "OU=FromILM,OU=GALSync,DC=corp,DC=dom" -UseLocalObject -overwritelocalobject}

Import-CSV "C:\ADMT\users.txt" | foreach {New-MoveRequest -Identity $_.users -RemoteLegacy -TargetDatabase "mdb06 tier3" -baditemlimit 100 -acceptlargedataloss -RemoteGlobalCatalog "dcfcdc03.ipcfcdom.inphonic.com" -RemoteCredential $Remote -TargetDeliveryDomain "corp.dom" -SuspendWhenReadyToComplete}


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Roadsync Sync Error: (-1002)

When attemping to synch with corporate Exchange server 2010, the roadsync is unsucessful and produces error Sync Error: (-1002).

Sony Ericsson Xperia X8 Model E15A Firmway 2.1 update 1 build 2.1.1.A.0.6.

Resolution: Use the upn as the login name jsmith@domain.com. The upn you can find in the account tab of Active Directory Users and computer.

username: jsmith@domain.com
server: mail.company.com (didn't need to specify the https in the url)
company: domain (didn't need the FQDN)


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Bulk Modify Targetaddress Attribute

Although there are multiple methods to bulk modify AD attributes the sample below shows how to use the the command line version of admodify to update the targetaddress.

C:\Admin\Tools\ADModify_2.1>admodcmd -dn OU=FromILM,OU=Galsync,DC=Corp,DC=dom -f
targetaddress=*@domain.local -custom targetaddress "%'mailNickName'%@domain.local

In this example AD modify will get all contacts in the specified OU with targetaddress of @domain.local and replace it with their alias@domain.local.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 Outlook OAB 0x8004010f Not Found

When downloading the OAB from Outlook you recieve not found 0x8004010f. Although there are many issues that can cause this error mentioned in article below

Outlook clients receive error 0x8004010f when downloading the Offline Book Addresshttp://msexchangeteam.com/archive/2007/04/19/437902.aspx

Ensure that the DB has been configured to use the OAB.

Open EMC, Org Config, Mailbox, Database Management Tab.

Right click properties of each Database, Client Settings Tab. Offline Address Book, Browse and select your \Default Offline Address Book.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Microsoft Exchange RPC Client Access Service Fails to Start

When starting the Microsoft Exchange RPC Client Access Service you receive the following error:

The Microsoft Exchange RPC Client Access Service on the local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.

Verify if you have statically configured the RPC port and that it is a valid port in decimal and not hex format.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSExchangeRpc\ParametersSystem

TCP/IP Port



James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 Public Folder Cannot expand the folder. Microsoft Exchange is not available

When launching Outlook, you receive a login prompt. Email flow continues to work whether you login or not. However when you expand the public folder, you receive the error after you enter your credentials.

Cannot expand the folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance. (/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=Servername

From OWA public folder access works.

Ensure that the Microsoft Exchange RPC Client Access Service is running on your mailbox server.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Migrating BES 5.0 to new Forest Using Transporter Suite

Coming soon.

The critical property 'LegacyExchangeDN' is missing in the MailUser object

When performing a new-moverequest you receive the following error:

The critical property 'LegacyExchangeDN' is missing in the MailUser object 'migrateme3'.
+ CategoryInfo : InvalidArgument: (corp.dom/GALSync/FromILM/migrateme3:MailboxOrMailUser
IdParameter) [New
-MoveRequest], RecipientTaskException
+ FullyQualifiedErrorId : 9DC9C0BA,Microsoft.Exchange.Management.RecipientTasks
.NewMoveRequest


The issue is you used ADMT to migrate the user first then ran prepare-moverequest. The issue is that prepare-moverquest although says it is sucessful did not properly convert it into a mail enabled user. The script failed to stamp the legacyexchangeDN as well as the target address. If you manually add the legacyexchagneDN you then run into the error below:

Cannot find a recipient that has mailbox GUID 'f41a2905-8ea2-4ff3-a56f-4ed8739a2622'.
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], RemotePermanentException
+ FullyQualifiedErrorId : B5053E67,Microsoft.Exchange.Management.RecipientTasks.
NewMoveRequest

I'm still investigating this as prepare-moverequest is supposedly supported after Exchange 2010 SP1 with the overwritelocalobject parameter. The workaround in the meantime that I have if you want to use ADMT first:

1.Use ADMT to migrate all user accounts
2.Prepare-moverequest on all accounts (legacyexchangedn or targetaddress is still missing)
3.Use script to add targetaddress of mailnickname@company.com on all migrated accounts, I use admodify, but you can use powershell etc.
4.Update-recipient on all migrated accounts. This will stamp the legacyexchangedn
5.New-moverequest succeeds



James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 Mailbox Move An error occurred while updating a user object after the move operation. --> The value 'HTTP§1§1§§§§§§' is already present

When performing a cross forest mailbox move using the new-moverequest, the mailbox move fails at the completing stage when viewing in the move request in the EMC. When you open the move request for the user in the details tab you see the following error.

Error details: An error occurred while updating a user object after the move operation. --> The value 'HTTP§1§1§§§§§§' is already present in the collection.

Resolution: Delete the protocolsettings using adsiedit for both the source and target user.

1. Open adsiedit.msc from run command on source DC
2. Locate your user in the domain partition
3. Locate attribute protolsettings and delete all values
4. Repeat steps for target user in target domain
5. Resume the failed mailbox move


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

ActiveX component can't create object: 'ADMT.Migration'

When attempting to set exclusions or add exclusions on ADMT you receive the following error:

C:\Admin\scripts\ADMTExclusion.vbs(1, 1) Microsoft VBScript runtime error: Activ
eX component can't create object: 'ADMT.Migration'


Resolution:

Run the command from the C:\Windows\SysWOW64> directory.

C:\Windows\SysWOW64>cscript c:\admin\scripts\admtexclusion.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange 2010 New Forest Migration Provisioning Distribution Lists

Exchange 2007 and Exchange 2010 have the ability to provision mailbox enabled users. What about Exchange Distribution Lists? Previous options were to use a third party migration suite or powershell or even LDIFDE. As you noticed ADMT 3.2 by default does provision or create Exchange Distribution Lists. If you use ADMT 3.2 to migrate a Distribution List, it will get migrated to the target forest but as a flat AD group only. Exchange is unware of this group being a Distribution Group. In order for ADMT 3.2 to provision this as an AD group you have to prevent ADMT 3.2 from exluding Exchange attributes during the migration.

Create a new notepad file and name it ADMTexclusion.vbs and enter the lines below.
Set objMig = CreateObject("ADMT.Migration")
objMig.SystemPropertiesToExclude = ""

Then run the file on your ADMT server:

C:\Windows\SysWOW64>cscript c:\admin\scripts\admtexclusion.vbs

Caveats: ADMT excludes Exchange attributes by default to prevent issues with provisioning mailbox users prior to Exchange 2010 SP1. So ensure that you're on SP1. To get additional details read article below. Also note that even though you provision the DL with ADMT it will not bring over all the attributes such as send restrictions, hide from GAL etc.

Exchange 2010 Cross-Forest Mailbox Moves
http://msexchangeteam.com/archive/2010/08/10/455779.aspx


James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

IIS7 Application Request Routing and Outlook Anywhere 2010?

Is it possible to use IIS7 ARR as an alternative reverse proxy in lieu of UAG\TMG? From testing, I was able to get it to work but had to pan out some key issues.

After setting ARR up to point to my CAS servers, OA did not connect.

The issue was with IIS7 default 30MB HTTP request limit. The IIS trace logs show that Outlook is trying to send 1GB (1073741824 bytes) of data and getting 404.13 Content length too large. Note this is an empty mailbox. Once we up this to this value it works. The request is always sending exactly this much data which MS thinks it could actually an error code in the bytes field and not actually the bytes. 1073741824 also represents “unknown error condition” code. Highly unlikely it’s sending 1GB since the IIS logs on the Exchange server do not show this. Theory is that ARR is running into some error condition trying to process rpc over http requests.



James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com

Exchange Powershell "Cannot save changes made to an item to store"

When running the following powershell command you receive the "Cannot save changes made to an item to store"

[PS] C:\Windows\system32>Get-Mailbox -Server "dcexmailp02" |
Set-CalendarProcessing -ProcessExternalMeetingMessages $true
Cannot save changes made to an item to store.
+ CategoryInfo : NotSpecified: (14:Int32) [
Set-CalendarProcessing], QuotaExceededException
+ FullyQualifiedErrorId : DF365789,Microsoft.Exchange.Management.StoreTasks.
SetCalendarProcessing

In additional if you run:

[PS] C:\Program Files\Microsoft\Exchange Server\v14\Scripts>Get-Mailbox
| Set-CalendarProcessing -ProcessExternalMeetingMessages $true
Cannot save changes made to an item to store.
+ CategoryInfo : NotSpecified: (21:Int32)
[Set-CalendarProcessing], QuotaExceededException
+ FullyQualifiedErrorId : DEBD37F4,Microsoft.Exchange.Management.StoreTasks.
SetCalendarProcessing

Resolution: You have a mailbox that has a quota of 0 set. In this case, I had configured a mailbox with a 0 send\receive limit for users to use to check Freebusy times during migration coexistence and prohibited the account from sending\receiving email.

James Chong
MCITP | EA | EMA; MCSE | M+, S+
Security+, Project+, ITIL
msexchangetips.blogspot.com