Essential Exchange

Script for From The Field

michael — Mon, 06 Oct 2008 19:57:00 GMT

The authors of the upcoming "Windows Server 2008 Terminal Services Resource Kit" asked me if I wanted to write a script for them for a section named "From The Field". I said sure! I based the script on one I wrote a long time ago, which you can access here. So the readers have the EXACT script that was published I'm putting this on my blog.

The purpose for this script is to tie the script to a particular event that might occur from Terminal Services. This capability is a new feature of the Windows Server 2008 Event Log Subsystem. If that event occurs, then this script is executed to send an email.

Now, the Resource Kit goes into detail of the event id that happens and how you actually do that tying together. Go buy it! :-)

Of course, there are multiple ways to skin this cat, but here is one for you to use.

Option Explicit

'''----- script configuration area
Const strSMTPServer = "arvon.alpineskihouse.com"
Const strFrom       = "alerts@alpineskihouse.com"
Const strTo         = "adam.barr@alpineskihouse.com "
'''----- end configuration area

Dim objMail               ' the CDO object
Dim objWSHNetwork         ' windows-script-host network object
Dim strNetBIOSComputer    ' the netbios name of our computer

''' get the NetBIOS computer name
Set objWSHNetwork  = CreateObject ("WScript.Network")
strNetBIOSComputer = objWSHNetwork.ComputerName
Set objWSHNetwork  = Nothing 

''' do the real work to send the message 
Set objMail = CreateObject ("CDO.Message")
objMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/sendusing")      = 2
objMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver")     = strSMTPServer
objMail.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objMail.Configuration.Fields.Update

objMail.From     = strFrom
objMail.To       = strTo
objMail.Subject  = "Critical error!! " & strNetBIOSComputer & " failed to reboot " & Now
objMail.Textbody = "Critical error!! " & strNetBIOSComputer & " failed to reboot " & Now & vbCRLF
objMail.Send

Set objMail = Nothing

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

It's All About The IOPS, Silly!

michael — Fri, 19 Sep 2008 13:50:00 GMT

In yesterday's EMO (Exchange Messaging Outlook eZine, subscribe at http://www.slipstick.com/emo) I had an article named It's All About The IOPS, Silly! which discussed the impact of RAID-1 and RAID-5 arrays on total IOPS calculations.

However, space didn't allow me to talk about SANs (Storage Area Networks) in regards to IOPS.

Where Exchange is concerned (and SQL Server as well, although that isn't our focus here), you do not want to be sharing your "disk group" or "volume group" or "virtual array" (or whatever your SAN software calls it) with any other application - unless you've performance tested it in the worst case.

SANs allocate storage in terms of LUNs - Logical Unit Numbers. For a given server, a LUN is allocated to that server (note that in the case of clusters, quorum disk may be visible to multiple servers at one time) and only one server may have write access to that LUN at a time. A LUN may, or may not, be tied to a particular disk array or disk set contained within the physical hardware of the SAN.

Many types of SAN software support a concept known as "LUN Stacking". In this case, an array (be it RAID-1, RAID-5, RAID-10, whatever) has multiple logical stripes of the disk where multiple LUNs are allocated on the same array. Arguably, this is what SANs are all about - allowing you to control storage logically instead of drive-by-drive. And, for many (perhaps most) applications this makes sense.

However, while the BEST CASE SCENARIO says that the IOPS available for a LUN is the maximum IOPS available for that disk set, the WORST CASE scenario says that the IOPS available for a LUN is equal to the number of accessors (servers) that are using that physical array.

So, for example, if you have five servers hitting a RAID-1 array via different LUNS, the best case performance scenario says that you can have the maxiumum IOPS available to the hardware available to each server. The worst case is IOPS / 5.

For example, if your RAID-1 group has a calculated IOPS of 250, one server could potentially benefit from having a total IOPS of 250 available to it. However, if all the servers are hitting the disk, the performance would be more like 50 IOPS. While for many small and medium businesses, an IOPS of 250 is probably sufficient to meet their Exchange needs - only the smallest of companies can get adequate performance on 50 IOPS total.

Another reason you want to avoid sharing LUNs is due to the usage profiles of the various Exchange needs.

Database access (which includes queues, mailbox stores, and public folder stores) is completely random. The creation of log files (transaction log files, message tracking logfiles, and protocol log files) is completely sequential. If you share LUNs between different usage profiles, then your performance will suffer (especially for those needs which are optimized for sequential access).

Conclusion: Just Say No! Don't let your SAN guys tell you what kind of storage performance requirements Exchange has. You need to be prepared to tell them!

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Groups and their Membership

michael — Fri, 19 Sep 2008 13:09:00 GMT

I'm working with a new client and this client is a "wholly owned subsidiary" of another company and is getting ready to be spun off as their own company.

One of the things we are doing is configuring their network to be standalone and not part of the corporate Active Directory. That involves creating users, group, moving computers, installing a new Exchange organization, etc. etc.

But sometimes it's the simple things that bite you...

We'd gotten an export of the OU for the subsidiary out of corporate in a CSV file - every object, every attribute. That was a mess in-and-of itself, but at least all the data was there.

So we started importing the data. And it broke.

Huh? We'd done this before and no problem. What was going on here?

Like I said - the simple things...

This set of users and groups were using embedded groups. Sometimes up to five levels deep. (That is, a group within a group within a group within a group within a group.)

Well, you can't assign a group membership to a group that doesn't exist! Seems obvious, in retrospect.

The solution? Go through and harvest all groups FIRST - just create the groups in Active Directory. Then, go back through and assign membership to the groups.

Here is a somewhat sanitized version of the code we used. On the first pass, it creates groups. On the second pass, it will assign membership to the groups. This shows a number of PowerShell techniques in group management - including creating groups, checking for membership in a group, and adding members to a group.

Also note: there are several places where this script could be optimized. But I was more interested in clarity (since, as a consultant, I won't be there forever!).

I hope you find this useful for your scripts!

set-variable ADS_GROUP_TYPE_DOMAIN_LOCALGROUP 1          
set-variable ADS_GROUP_TYPE_GLOBAL_GROUP      2          
set-variable ADS_GROUP_TYPE_LOCAL_GROUP       4          
set-variable ADS_GROUP_TYPE_UNIVERSAL_GROUP   8          
set-variable ADS_GROUP_TYPE_SECURITY_ENABLED -2147483648 

$groupType = $ADS_GROUP_TYPE_GLOBAL_GROUP –bor $ADS_GROUP_TYPE_SECURITY_ENABLED

$csv = import-csv GroupsOnly.csv
#
# Each line contains the dn, the name, the description if one exists, and the member list
# with the dn of each group member. The member list has each member separated by a semi-colon.
#
foreach ($line in $csv)
{
	$dn = $line.dn
	$adsPath = "LDAP://" + $dn
	$objGroup = [ADSI]$adsPath
	if ($objGroup.Name)
	{
		# the above verifies that the group exists. Note that 
		# ADSI is "smart". It doesn't actually access AD and 
		# fill the property cache until you read an attribute
		# from the object.
		"Exists: " + $line.Name
		if ($line.member.Length -gt 0)
		{
			$i = 0
			$members = $line.member.Split(";")
			$lower   = $dn.ToLower()
			foreach ($member in $members)
			{
				$objMember = [ADSI]("LDAP://" + $member)
				if ($objMember.Name)
				{
					# check to see if member is already in group
					[bool]$already = $false
					$userGroups = $objMember.memberOf.Value
					if ($userGroups)
					{
						foreach ($usergroup in $userGroups)
						{
							if ($userGroup.ToLower() -eq $lower)
							{
								$already = $true
								break
							}
						}
					}
					$objMember = $null
					if ($already)
					{
						"`tAlready in group: $member"
					}
					else
					{
						$objGroup.Add(("LDAP://" + $member))
						if ($?)
						{
							"`tAdded to group: $member"
							$i++
						}
						else
						{
							# should be an error displayed on the PowerShell window
							"`tCouldn't add to group: $member"
						}
					}
				}
				else
				{
					# member specified in CSV doesn't exist in Active Directory
					"`tObject doesn't exist: $member"
				}
			}
			"`tadded $i members"
		}
		else
		{
			# members element of the CSV was empty
			"`tno members specified for group"
		}
		$objGroup = $null
	}
	else 
	{
		"Creating " + $line.Name

		$parent = "LDAP://" + $dn.SubString(1 + $dn.IndexOf(","))
		$object = [ADSI]$parent
		$child  = $object.Create("group", "CN=" + $line.Name)

		$child.Put("groupType",      $groupType)
		$child.Put("sAMAccountName", $line.name)
		$child.Put("name",           $line.name)

		if ($line.description.length -gt 0)
		{
			$child.Put("description",    $line.description)
		}

		$child.SetInfo()
		$child = $null

	}

	sleep -milli 500
}

$csv = $null

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

I Have a Logo!

michael — Thu, 04 Sep 2008 22:03:00 GMT

In case anyone besides me is counting, I've been at this (consulting, writing, speaking, etc.) for 10 months now. I'm having a blast. I wish I'd done this years ago.

Two months ago I took on a partner and we formed Smith Consulting d/b/a The Essential Exchange as a legal entity (as opposed to the sole proprietership I was previously).

After several weeks of back-and-forth, we finally came up with a logo today, and I'm very pleased with it. It will replace the generic icons you see on this blog fairly soon (image manipulation is not my strong suit). Here it is:

Exchange 2007 Backup and Restore - The Minimum

michael — Thu, 04 Sep 2008 21:22:00 GMT

In larger organizations, the overhead associated with backing up every server in an organization (where every server is already redundant in some way) can become onerous and expensive. In those types of organizations, with dedicated virtual servers for a specific feature or multiple pieces of physical hardware set up clustered or otherwise redundant (round robin, network load balancing, etc.); you are primarily interested in only backing up what makes a particular server unique.

You are well aware that in the case of a catastrophic failure, you can "spin up" a replacement in a couple of hours, be it virtual or physical hardware. It would take longer than that to execute a full restore following all the proper steps.

Therefore, many applications, Exchange included, provide you a mechanism for backing up and restoring only those "things you need".

Let's take the example of a Client Access Server (CAS) crashing catastrophically. For example, a piece of hair falls on the motherboard and it fizzles, taking out the motherboard AND the directly attached storage (DAS). [[OK: not a particularly likely example, but still illustrative.]]

What do you need to have saved in order to CYA (Cover Your A$$)??

Your first option is, of course, the old standard: full system backup, which you can restore after doing a bare metal install of Windows Server to compatible hardware.

The second option, which is a bit more detailed but MUCH quicker, if you've prepared for it, goes as follows:

1] Image a new machine, and name it the same as the old machine

2] Install Exchange, using the /mode:RecoverServer switch, with all other options set to the SAME as you used to install the original server (this is when using DEFAULTS can really save your bacon -- or having excellent server installation documentation)

3] Restore the HKLM\SOFTWARE\Microsoft\Exchange registry key (which you smartly exported and backed up)

4] Restore the ClientAccess Exchange directory (which you also had smartly exported and backed up), which is located by default at C:\Program Files\Microsoft\Exchange\ClientAccess

5] Restore the IIS metabase settings by executing restorevdir.ps1 (since you had executed savevdir.ps1 to back those settings up!)

And wow. You are done.

If you have practiced this process, and your imaging process is fast; you can probably be done in less than 30 minutes. Much less than the two hours or so that a full recovery is probably is going to take you.

Granted, the above is simply an overview. You need to work out the specific details for your environment, but it really isn't that hard. Here are some resources to help you:

Actually, writing a script to do this might be a good project, if I ever get a few free minutes. :-)

You can also extend this concept for generating clones and redundant servers within an Exchange organization. If you examine the various text files, you will note that modifying them for other server names is not that difficult.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Exchange Disk Space, version 2.1

michael — Thu, 07 Aug 2008 20:45:00 GMT

It was pointed out to me, by a party that shall remain nameless, that I depended in today's earlier post Finding Disk Space Used By Exchange Version 2, that I ASSumed that msExchCurrentServerRoles would never be higher than 64 and that that was a bad assumption on my part, for reasons that shall also remain nameless.

So, here is a "fixed" version of just the ShowServerInfo() subroutine. Just rip the old one out, and add the new one in:

Const Exch_Role_Edge         = 64   ' 0x40
Const Exch_Role_Hub          = 32   ' 0x20
Const Exch_Role_UM           = 16   ' 0x10
Const Exch_Role_ClientAccess = 4    ' 0x04
Const Exch_Role_Mailbox      = 2    ' 0x02

Sub ShowServerInfo (ByVal spaces, ByVal strServer)
	Dim objServer, obj
	Dim str, i, msExchCurrentRoles

	On Error Resume Next
	Err.Clear

	Set objServer = GetObject ("LDAP://" & strServer)
	If Err = 0 Then
		msExchCurrentRoles = objServer.Get ("msExchCurrentServerRoles")
		If Err = 0 Then
			i = msExchCurrentRoles
			str = ""
			'' got a exchange 2007 or higher box
			If (msExchCurrentRoles and Exch_Role_Mailbox) = Exch_Role_Mailbox Then
				str = str & "Mailbox "
				i = i - Exch_Role_Mailbox
			End If

			If (msExchCurrentRoles and Exch_Role_ClientAccess) = Exch_Role_ClientAccess Then
				str = str & "ClientAccess "
				i = i - Exch_Role_ClientAccess
			End If

			If (msExchCurrentRoles and Exch_Role_UM) = Exch_Role_UM Then
				str = str & "UnifiedMessaging "
				i = i - Exch_Role_UM
			End If

			If (msExchCurrentRoles and Exch_Role_Hub) = Exch_Role_Hub Then
				str = str & "HubTransport "
				i = i - Exch_Role_Hub
			End If

			If (msExchCurrentRoles and Exch_Role_Edge) = Exch_Role_Edge Then
				str = str & "EdgeTransport "
				i = i - Exch_Role_Edge
			End If

			If i <> 0 Then
				str = str & vbCRLF & Space (spaces) & _
					"Unknown bits set in msExchCurrentRoles = 0x" & Hex(i)
			End If

			e Space (spaces) & "Exchange roles installed: " & str
		Else
			i = objServer.Get ("serverRole")
			If i = 1 Then
				e Space (spaces) & "Exchange role: Front-end server"
			Else
				e Space (spaces) & "Exchange role: Back-end server"
			End If
		End If
		Err.Clear

		obj = objServer.Get ("serialNumber")
		If Err = 0 Then
			If IsNull (obj) Then
				e Space (spaces) & "No version found"
			ElseIf IsEmpty (obj) Then
				e Space (spaces) & "Version string is empty"
			ElseIf IsArray (obj) Then
				For Each str in obj
					e Space (spaces) & str
				Next
			Else
				e Space (spaces) & obj
			End If
		End If
		Err.Clear

	End If
	e " "
	Set objServer = Nothing

	On Error Goto 0
End Sub

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Finding Disk Space Used by Exchange, version 2

michael — Thu, 07 Aug 2008 17:36:00 GMT

In July of 2006, I had a blog entry named Finding Disk Space Used By Exchange, and it was quite well received and it worked well for most people.

However, it had a few issues:

It doesn't work with Exchange Server 2007 because the streaming file was removed from Exchange
If a Recovery Storage Group was present, but the files were removed, it would fail
If an Exchange Server was not reachable via UNC path, it would fail

There was also one out-and-out bug: Per-server totals were not zeroed after each server was evaluated.

And from a feature perspective, lots of folks wanted some information about the storage groups (circular logging, log prefix, etc.) and the servers (version and server roles).

There is a Microsoft script that also contains much of this information, but it is based on CDOEXM, which means that it pretty much must run on an Exchange 2003 server; and it also has the same three issues mentioned above (plus a couple of others - for example, if the EDB and STM files were separated on different volumes or path, it would also fail). James Chong, another Microsoft Exchange MVP, pointed out that script to me. It does have a feature of reporting the current sizes of the logs being used by a storage group.

So, in this version 2, I've fixed the three issues above, fixed the out-and-out bug, and now I provide a fair bit of information about each storage group. I think I also now check for all possible errors that could occur. As before, this script does depend on my Utility Libraries for Exchange Scripting.

I have tested this script in an environment containing Exchange 2000, Exchange 2003, and Exchange 2007. It should work for you with all of those too!

Some sample output from my small test environment:

Exchange Organization Name: First Organization
Default SMTP address for organization: essential.local

All Exchange Servers in forest DC=essential,DC=local
	Server Name: WIN2003-EXCH
	Server Name: WIN2008-EXCH
 
Server name: WIN2003-EXCH
  Exchange role: Back-end server
  Version Version 6.5 (Build 7638.2: Service Pack 2)
 
  Storage group: First Storage Group
    Circular Logging is False
    Zero out deleted databse pages is False
    Log file prefix is E00
    Transaction log location is C:\Program Files\Exchsrvr\mdbdata
    System path location is C:\Program Files\Exchsrvr\mdbdata
 
    Store: Public Folder Store (WIN2003-EXCH)
      EDB file: C:\Program Files\Exchsrvr\mdbdata\pub1.edb
      Size: 18 megabytes
      SLV file: C:\Program Files\Exchsrvr\mdbdata\pub1.stm
      Size: 4 megabytes
      Store Size Total: 22 megabytes
    Store: Mailbox Store (WIN2003-EXCH)
      EDB file: C:\Program Files\Exchsrvr\mdbdata\priv1.edb
      Size: 6 megabytes
      SLV file: C:\Program Files\Exchsrvr\mdbdata\priv1.stm
      Size: 8 megabytes
      Store Size Total: 14 megabytes
    Storage Group total: 36 megabytes
  Server total: 36 megabytes
 
Server name: WIN2008-EXCH
  Exchange roles installed: HubTransport ClientAccess Mailbox
  Version Version 8.1 (Build 30240.6)
 
  Storage group: First Storage Group
    Circular Logging is False
    Zero out deleted databse pages is False
    Log file prefix is E00
    Transaction log location is C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group
    System path location is C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group
 
    Store: Mailbox Database
      EDB file: C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb
      ** Could not open file: \\WIN2008-EXCH\C$\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Mailbox Database.edb
      Could not find streaming filename in active directory
      Store Size Total: 0 megabytes
    Storage Group total: 0 megabytes
  Storage group: Recovery Storage Group
    Circular Logging is False
    Zero out deleted databse pages is False
    Log file prefix is R00
    Transaction log location is C:\rsg
    System path location is C:\rsg
 
    Store: Mailbox Database
      EDB file: C:\rsg\Mailbox Database.edb
      ** Could not open file: \\WIN2008-EXCH\C$\rsg\Mailbox Database.edb
      Could not find streaming filename in active directory
      Store Size Total: 0 megabytes
    Storage Group total: 0 megabytes
  Storage group: Second Storage Group
    Circular Logging is False
    Zero out deleted databse pages is False
    Log file prefix is E01
    Transaction log location is C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group
    System path location is C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group
 
    Store: Public Folder Database
      EDB file: C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\Public Folder Database.edb
      ** Could not open file: \\WIN2008-EXCH\C$\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group\Public Folder Database.edb
      Could not find streaming filename in active directory
      Store Size Total: 0 megabytes
    Storage Group total: 0 megabytes
  Server total: 0 megabytes
 
Organization total: 36 megabytes

And here is the code for your enjoyment:

<JOB>
<SCRIPT language="VBScript">
Option Explicit
</SCRIPT>
<SCRIPT language="VBScript" src="lib/constants.vbs" mce_src="lib/constants.vbs">
<script language="VBScript" src="lib/ado.vbs" mce_src="lib/ado.vbs"           >
<script language="VBScript" src="lib/report.vbs" mce_src="lib/report.vbs"        >
<script language="VBScript" src="lib/systeminfo.vbs" mce_src="lib/systeminfo.vbs"    >
<script language="VBScript" src="lib/queries.vbs" mce_src="lib/queries.vbs"       >
<script language="VBScript">
'
' exch-store-space.wsf
'
' This program reports on the space utilization of the EDB and STM
' files for all stores for all storage groups for all servers in the
' Exchange organization.
'
' Updated on August 8, 2008 to deal with missing files
' Also now works with Exchange 2007 (no msExchSLVFile attribute on 2007 servers)
' Also dumps some data about each individual storage group
' Also won't abort on missing Recovery Storage Group
' Also total per-server correctly
'
Dim arr, arrSG, arrStore
Dim s, s1, strServer
Dim i, j, k, orgTotal
Dim objFSO

Call GetSystemInfo
Call GetAllServers

Set objFSO = CreateObject ("Scripting.FileSystemObject")

arr = Split (strServerListDN, ";")

For i = LBound (arr) To UBound (arr)
	Dim serverTotal

	serverTotal = 0
	s = arr (i)
	strServer = Mid (Left (s, Instr (s, ",") - 1), 4)
	e "Server name: " & strServer

	Call ShowServerInfo (2, s)

	Call GetStorageGroupsForServer (arr (i))

	arrSG = Split (strServerSGDN, ";")

	For j = LBound (arrSG) To UBound (arrSG)
		Dim sgTotal

		sgTotal = 0

		s = arrSG (j)
		s1 = Mid (Left (s, Instr (s, ",") - 1), 4)
		e Space (2) & "Storage group: " & s1

		Call ShowStorageGroupInfo (4, s)

		Call GetStoresForStorageGroupLDAP (s)

		arrStore = Split (strStoreDN, ";")

		For k = LBound (arrStore) To UBound (arrStore)
			Dim obj, objFile, strFile, storeTotal

			storeTotal = 0

			s = arrStore (k)
			s1 = Mid (Left (s, Instr (s, ",") - 1), 4)
			e Space (4) & "Store: " & s1

			On Error Resume Next
			Err.Clear

			Set obj = GetObject ("LDAP://" & s)

			If Err Then
				e Space (6) & "** Could not open store in active directory"
			Else
				s = obj.Get ("msExchEDBFile")
				If Err Then
					e Space (6) & "** Could not find EDB filename in active directory"
				Else
				
					e Space (6) & "EDB file: " & s
					' must convert the file to a UNC path
					strFile = "\\" & strServer & "\" & _
						Left (s, 1) & "$" & Mid (s, 3)
					Set objFile = objFSO.GetFile (strFile)
					If Err Then
						e Space (6) & "** Could not open file: " & strFile
					Else
						e Space (6) & "Size: " & _
							FormatNumber (objFile.Size / (1024 * 1024), 0) & _
							" megabytes"
						storeTotal = storeTotal + (objFile.Size / (1024 * 1024))
					End If
				End If
				Err.Clear

				s = obj.Get ("msExchSLVFile")
				If Err Then
					e Space (6) & "Could not find streaming filename in active directory"
				Else
					e Space (6) & "SLV file: " & s
					strFile = "\\" & strServer & "\" & _
						Left (s, 1) & "$" & Mid (s, 3)
					Set objFile = objFSO.GetFile (strFile)
					If Err Then
						e Space (6) & "** Could not open file: " & strFile
					Else
						e Space (6) & "Size: " & _
							FormatNumber (objFile.Size / (1024 * 1024), 0) & _
							" megabytes"
						storeTotal = storeTotal + (objFile.Size / (1024 * 1024))
					End If
				End If
				Err.Clear

				e Space (6) & "Store Size Total: " & _
					FormatNumber (storeTotal, 0) & _
					" megabytes"
				sgTotal = sgTotal + storeTotal
			End If

			On Error Goto 0
		Next

		e Space (4) & "Storage Group total: " & FormatNumber (sgTotal, 0) & _
			" megabytes"
		serverTotal = serverTotal + sgTotal
	Next

	e Space (2) & "Server total: " & FormatNumber (serverTotal, 0) & " megabytes"
	e " "
	orgTotal = orgTotal + serverTotal
Next
e "Organization total: " & FormatNumber (orgTotal, 0) & " megabytes"

Call ClearSystemInfo

Sub ShowServerInfo (ByVal spaces, ByVal strServer)
	Dim objServer, obj
	Dim str, i

	On Error Resume Next
	Err.Clear

	Set objServer = GetObject ("LDAP://" & strServer)
	If Err = 0 Then
		i = objServer.Get ("msExchCurrentServerRoles")
		If Err = 0 Then
			str = ""
			'' got a exchange 2007 or higher box
			If i >= 64 Then
				str = str & "EdgeTransport "
				i = i - 64
			End If
			If i >= 32 Then
				str = str & "HubTransport "
				i = i - 32
			End If
			If i >= 16 Then
				str = str & "UnifiedMessaging "
				i = i - 16
			End If
			If i >= 4 Then
				str = str & "ClientAccess "
				i = i - 4
			End If
			If i >= 2 Then
				str = str & "Mailbox"
				i = i - 2
			End If
			e Space (spaces) & "Exchange roles installed: " & str
		Else
			i = objServer.Get ("serverRole")
			If i = 1 Then
				e Space (spaces) & "Exchange role: Front-end server"
			Else
				e Space (spaces) & "Exchange role: Back-end server"
			End If
		End If
		Err.Clear

		obj = objServer.Get ("serialNumber")
		If Err = 0 Then
			If IsNull (obj) Then
				e Space (spaces) & "No version found"
			ElseIf IsEmpty (obj) Then
				e Space (spaces) & "Version string is empty"
			ElseIf IsArray (obj) Then
				For Each str in obj
					e Space (spaces) & "Version " & str
				Next
			Else
				e Space (spaces) & "Version " & obj
			End If
		End If
		Err.Clear

	End If
	e " "
	Set objServer = Nothing

	On Error Goto 0
End Sub

Sub ShowStorageGroupInfo (ByVal spaces, ByVal strSG)
	Dim objSG
	Dim str, i
	Dim prefix

	prefix = "msExchESEParam"   '' all storage group attributes start with that prefix

	On Error Resume Next
	Err.Clear

	Set objSG = GetObject ("LDAP://" & strSG)
	If Err = 0 Then
		i = objSG.Get (prefix & "CircularLog")
		If Err = 0 Then
			e Space (spaces) & "Circular Logging is " & CBool(i)
		End If
		Err.Clear

		i = objSG.Get (prefix & "ZeroDatabaseDuringBackup")
		If Err = 0 Then
			e Space (spaces) & "Zero out deleted databse pages is " & CBool (i)
		End If
		Err.Clear

		str = objSG.Get (prefix & "BaseName")
		If Err = 0 Then
			e Space (spaces) & "Log file prefix is " & str
		End If
		Err.Clear

		str = objSG.Get (prefix & "LogFilePath")
		If Err = 0 Then
			e Space (spaces) & "Transaction log location is " & str
		End If
		Err.Clear

		str = objSG.Get (prefix & "SystemPath")
		If Err = 0 Then
			e Space (spaces) & "System path location is " & str
		End If
		Err.Clear

		e " "
	Else
		e Space (spaces) & "** Couldn't open " & strSG
	End If
	Set objSG = Nothing

	On Error Goto 0
End Sub
</SCRIPT>
</JOB>

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Free Windows Vista Support (SP1 only)

michael — Wed, 30 Jul 2008 21:54:00 GMT

As you probably know, Microsoft is working on running up its marketing machine to talk about how good Vista really is. (And yes, I was an early convert - I am one of those folks that really like Vista - it took some major thought-pattern changes, but it is really much easier to use.)

As part of this, Microsoft has decided to offer free - yes free - installation and compatibility support for all users of Windows Vista SP1 through March 18, 2009. (Why that date? I have no idea.)

Worldwide telephone support is available, and in the USA and Canada you can also get email and online chat-based support.

For more information, or to take advantage of this offer, visit this website: http://support.microsoft.com/common/international.aspx?rdpath=1&prid=11274&gprid=500921

(Yes, I know this sounds like a marketing post - and it really isn't - I'm just encouraging you to use Vista, if you aren't already!)

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Exchange 2003 SMTP Service - Without Exchange

michael — Mon, 28 Jul 2008 21:11:00 GMT

Learn something new every day...

I was working with a new client today, on an SBS 2003 computer, and they use external e-mail.

However, the original technican that had done the installation of their server had gone through the process of installing Exchange Server, and then disabled all of the services that start with "Microsoft Exchange..." in the Services applet - but they hadn't disabled the SMTP service. As you may know, when you install Exchange Server 2003, it overwrites the Windows SMTP service with its own version of the service that "speaks Exchange".

Whenever I go into a client, I always like to be able to use a local SMTP server to send daily status report to me, for monitoring, and just general e-mailing. Usually, in an SBS environment, I'll use the Exchange SMTP service and if Exchange isn't installed, I'll simply install the Windows SMTP service. This allows me to get around all of the usual problems associated with secure relays, etc. etc.

So, in this case, I was sure that the SMTP service wouldn't work.

I was wrong. The SMTP service works just fine for relaying. You can't manage the SMTP service from the normal IIS Manager, you still have to go to the Exchange System Manager to make changes. But it works just fine.

Like I said, learn something new every day...

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

More on Update-GAC (speeding up PowerShell startup)

michael — Fri, 25 Jul 2008 19:00:00 GMT

Jeffrey Snover of Microsoft, PowerShell dude extraordinaire, recently reminded us of a way to Speed Up PowerShell Startup times, based on an article of over a year ago titled Update-Gac.ps1. And yes, this does help to speed up the Exchange Management Shell and the OpsMgr Command Shell too.

Taking that just a bit further, the assemblies you want to put into the GAC are slightly different when you are running AMD-64 (AMD) or EMT-64 (intel). Here is the script updated to deal with x64 and to suppress the ngen logo:

Set-Alias ngen @(
$ngen_path = Join-Path ${env:\windir} "Microsoft.NET\Framework"
$ptr_width = (gwmi -query "select addresswidth from win32_processor").addresswidth
if ($ptr_width -eq 64) { $ngen_path += "64"; }
dir $ngen_path ngen.exe -recurse | where {$_.length -gt 0} | sort -descending lastwritetime 
)[0].fullName

[appdomain]::currentdomain.getassemblies() | %{ngen /nologo $_.location}

You should execute this script once on each computer where you have PowerShell installed (or each time you install new PowerShell related binaries, too!).

You will not need to do this in PowerShell v2, but that is still not here yet.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Exchange Server 2003 Security Review

michael — Tue, 22 Jul 2008 20:34:00 GMT

The question was recently posed on a mailing list asking whether there was any book that covered the Exchange 2003 security model in depth.

The question came up for the poster because of a recent video that is making the rounds on youtube and elsewhere (http://www.thewebsiteisdown.com). In that video, an errant system administrator deletes a message from his bosses Sent Items folder, so that the boss cannot verify that the administrator was told something specific.

Can that happen??? Well - yes. And it isn't unique to Exchange Server. And yes, that administrator should be fired.

A savvy Exchange administrator, who also has appropriate permissions in Active Directory, can assign herself permissions at any level of an Exchange organization - per mailbox, per mailbox store, per storage group, per server, or for the entire Exchange organization.

While the backend permission sets have expanded dramatically in Exchange Server 2007, the store and user permissions are still quite similar to Exchange Server 2003. There are three whitepapers at Microsoft that can help you learn about the various permissions and how they work within themselves and within Active Directory:

Exchange Server 2003 Technical Reference Guide

Working with Active Directory Permissions in Microsoft Exchange Server 2003

Working with Store Permissions in Microsoft Exchange 2000 and 2003

Another resource is Alain Lissoir's web site. Alain wrote a couple of great white papers on scripting in Exchange 2000 and 2003 and they contain some excellent security related resources.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Attribute Scoped Queries (ASQs) in PowerShell

michael — Mon, 21 Jul 2008 23:31:00 GMT

I'm in the process of tech-reviewing an important book (you'll want it on your shelf once it is released), and one of the things I did today was spend a while figuring out how to do Attribute Scoped Queries in PowerShell. If you develop in C# or C++, or use adfind to do your searches, those tools have supported ASQs for a long time.

I use PowerShell quite a bit for Exchange Server 2007+ maintenance tasks, but I am no expert when it comes to all of the various .NET Framework classes and methods available. In the past, when you've needed to search for all the members of a particular group (using the 'member' attribute) or all of the members of a particular address list (using the 'showInAddressBook' attribute), those particular searches could be very slow and quite inefficient.

With the Windows Server 2003 Domain Functional Level, the ASQ capability becomes available. Using a DirectorySearcher object, you can specify a particular group or a particular address book or (anything else that leads to a multi-valued attribute) and execute an efficient search against the sources to find their components. In this example, you can easily find the members of the 'Domain Admins' group in your domain (note, this is an easy one - there are others that are likely more significant for you).

$group  = New-Object System.DirectoryServices.DirectoryEntry( `
    "LDAP://CN=Domain Admins,CN=Users,DC=essential,DC=local")
$source = New-Object System.DirectoryServices.DirectorySearcher

$source.SearchRoot  = $group
$source.SearchScope = [System.DirectoryServices.SearchScope]::Base
$source.Filter      = "(objectClass=*)"

$source.PropertiesToLoad.Add("member")
$source.PropertiesToLoad.Add("sAMAccountName")

$source.AttributeScopeQuery = "member"

$results = $source.FindAll()

$results

One caveat: when searching for members of a group, ASQ does not work for the primaryGroup! So if you do a search for "Domain Users", it is likely that you will receive no responses in your result. This is NOT an error.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Event 1025, Source MSExchagneIS Mailbox Store, Error 1162

michael — Sun, 20 Jul 2008 16:58:00 GMT

I've brought up a number of new clients on Exchange 2007 recently, and a common issue is this event log warning:

Event Type:      Warning
Event Source:    MSExchangeIS Mailbox Store
Event Category:  General 
Event ID:        1025
Date:            7/18/2008
Time:            10:26:40 AM
User:            N/A
Computer:        EXCHANGE
Description:
An error occurred on database "StorageGroup\Database".
 Function name or description of problem: Restrict/SetSearchCriteria
Error: 1162 Warning: fail to apply search optimization to folder (FID 4-3DBEABE)   Retrying without optimization. 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

If you spend time on Internet search engines, you'll find lots of bad advice about running an Isinteg to eliminate these, or running an offline defragmentation to get rid of these. At best, those are temporary solutions. I finally had seen so many of these, I asked Microsoft about them. Here is the answer from the horse's mouth:

You have an application that is trying to perform a search using restrictions against a users search folders and this could be a time based query, etc.We will do two types of searches (1 fast optimized search if the indexes are there, 1 slow find) which takes a long time and will chew up processor time for store if your user has a ton of items in their folders (more than 5,000 items per folder). This is just telling you that we are performing an un-optimized search against that table in the store. They cannot be suppressed.

In other words, ignore them. You may have users that have far too many items in their primary folders (Calendar, Tasks, Inbox, Sent Items, Deleted Items) and you can get rid of these messages if you get them to clean those up. But it may not be worth your time and energy.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Outlook and Exchange on the same computer

michael — Mon, 07 Jul 2008 01:01:00 GMT

In 2004, I wrote an article Why Can't I Have Outlook and Exchange on the same Computer? It applied to versions of Exchange prior to Exchange Server 2007. When written, E12 (Exchange 2007) was still quite early in development at MSFT...

Today, times and situations have changed.

With Exchange Server 2007, in fact, the export-mailbox command is only supported on 32-bit machines. This means that you must run export-mailbox on a 32-bit Vista or XP computer where the Exchange Management Tools have been installed, along with Outlook! Amazing.

And, in fact, there are times where Outlook (or the CDO/MAPI binaries) will be required to be executed on an Exchange server to get certain tools to work, including OABinteg and MFCmapi.

Prior to Exchange Server 2007, installing Outlook on an Exchange Server would replace certain DLLs that Exchange required with stub libraries that Outlook used instead. This could break Exchange severely.

Those problem DLLs are gone in Exchange Server 2007. This gives us clear sailing for Outlook and Exchange on the same computer - both servers and workstations.

Thanks to Dave Goldman and Ben Winzenz, both of Microsoft, for answering my questions on this topic.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

ExtraOutlook gives you well, an extra Outlook

michael — Tue, 24 Jun 2008 12:44:00 GMT

Almost everyone has, at one time or another, wished that you could have multiple copies of Outlook running at the same time. After all, opening another mailbox within Outlook doesn't give you windows toast and calendar pops, etc.

The standard answer has always been "run Outlook for your primary mailbox and use OWA for all the other mailboxes", which works; but well, OWA just isn't Outlook.

That's still the official answer.

However, early this year a hacker known as "H.O.G." (for HammerOfGod) released a tool known as ExtraOutlook! This tool actually modifies the Outlook executable and causes Outlook to NOT check to see if another Outlook is running.

If you are "plug-in free", this is a great tool and it works really well.

However, it confuses quite a number of plugins (such as Xonbi) that attempt to open a "default MAPI profile" and find two (or more) running instead of just one.

I'm sure that modifying the Outlook executable puts you straight in the "not supported" arena as well. But if you need the tool - you probably don't care. :-)

Give it a go. No promises, but it has worked for me.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

stealing my work....grrrr....

michael — Fri, 20 Jun 2008 16:34:00 GMT

I was recently (ok, this morning) trying to find out about a vbscript (actually WMI) error that I was getting, with little success. However, in doing so, I found this forum posting: http://www.tutorials-win.com/WindowsServer/Services-Windows/

This irritates me a great deal. Matheiu Chateau, whoever he is, has taken one of my scripts and taken the credit for it.

I originally published that script in 2006, in my blog posting Finding Services Using non-System Accounts. I am MORE than happy that people use it. And I'm MORE than happy that other people recommend it. But doing so without giving proper credit is just wrong. If I could've located an e-mail address for him, I would've written him a scathing e-mail.

grrr....

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Export Mailboxes Larger than 2 GB to ANSI PSTs

michael — Thu, 19 Jun 2008 14:26:00 GMT

I don't often just link to another blog posting for MY blog posting, but this one deserves it. It's not new, but last year fellow Exchange MVP Glen Scales wrote a script which allows you to export large mailboxes to ANSI PSTs.

It does this by copying each item in a source mailbox to a destination PST; when the destination PST is too big (i.e., 1.8 GB in size) the PST is closed and a new one opened. So a mailbox of 10 GB would take 6 PSTs to dump.

In the past, the only real way to handle this with ANSI PSTs was to manually configure a date range for archiving, or selectively export specific folders. This is a real win!

So, see Glen's post: Exporting a mailbox larger then 2 GB and spanning it across multiple PST files with a script.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

"Microsoft Exchange Service Host" fails to start in Secure Exchange 2007 Environments

michael — Tue, 17 Jun 2008 17:40:00 GMT

On Exchange Server 2007, especially post service pack 1 (I ran into this problem while installing service pack 1 update rollup 2), it appears that some of the assemblies (that is, parts of the various Exchange programs) are "signed with Authenticode". This is basically a public/private key infrastructure (PKI) supported by Microsoft to allow people to verify that the various Exchange programs have not been tampered with.

At this moment, you are either thinking "So what?" or "Sounds like a good idea."

Personally, I'm in the "sounds like a good idea" camp. But I'm not sure that the concept is fully baked.

Consider this: part of any PKI infrastructure is a way to indicated when a particular key is no longer valid. Without going into too many PKI details, a key is normally called a "certificate" and the way you check the validity of a key is by seeing if the key is on a CRL - a certificate revocation list.

The first time a managed and signed assembly loads, Windows Server needs to check and see whether the key (certificate) the assembly is signed with is valid. How does it do that? By checking the CRL - at Microsoft. Specifically, at http://crl.microsoft.com/pki/crl/products/CSPCA.crl.

Even if you are in the "sounds like a good idea" camp, you may be asking "what's wrong with that"?

So I'll tell you - many environments do not allow their mailbox servers to talk to the internet (just to the hubs and to clients on specific networks). Many environments do not allow their hub transport servers to talk to the Internet (just to the mailbox and client access and e-mail gateway servers). Etc. etc. In fact, controlling and minimizing access using IPSec to specific servers has long been considered a best practice.

But it won't work with Exchange Server 2007 any more. When installing rollup 2 on a mailbox server, the "Microsoft Exchange Service Host" will fail to start. It will simply time out. No error messages. No log messages. No nothing.

I suspect that it could be any Exchange service that has this problem. This was just the one I happened to run into.

Debugging this was painful. Eventually, after a couple of hours, you do a "netstat -an" and say WTF???!!! in regards to a SYN-SENT to crl.microsoft.com and then you can start backtracking. This is not really documented directly (that is, that an Exchange server has to be able to access the Internet), but there is some information in KB 944752.

You may also find that if you are using a non-NAT proxy that this doesn't work for you. More on that in my next blog post.

Bottom line: after installing patches on your Exchange server, your Exchange server will have to "check in at home" before those patches can start running and you'll have to enable Internet access for that to happen. After they've "checked in", you can disable Internet access again.

What a management nightmare.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Update on June 19, 2008; for those folks who want for at least some of their Exchange servers to be fully isolated from the Internet, there is a workaround. See KB 936707. However, an easier (and apparently undocumented) workaround is to put crl.microsoft.com in your local hosts file - and point it to localhost (127.0.0.1)!

Back from Tech-Ed IT Pro 2008

michael — Mon, 16 Jun 2008 20:19:00 GMT

Sorry for the dead-silence this past week...between meetings and parties and certification tests and working and talking....it was a busy time at Tech-Ed.

(One of my editors is peeved at me - I missed a chapter deadline too!) :-(

So, I'm just going to ramble on here for a bit...

Lots of folks say that Orlando in June is just "too hot". I guess that depends on where you are coming from. I flew down from virginia, and I think that it was cooler in Orlando than it was in Virginia - of course, Virginia was going through a "heat wave". But I found Orlando quite comfortable for the entire week.

However - when I was doing my daily run (ok, it's a jog - I about three and a half miles a day and it takes me 45 minutes - you can figure out that I'm slow!) - there is no question that the humidity was higher. I always sweat - but not quite so much as I did there!

On Monday night, I met with an editor from O'Reilly Media plus a whole bunch of Active Directory folks - collectively "Team A/D" for O'Reilly (those that were present at Tech-Ed anyway). I'm doing tech.review on a couple of A/D books these days. There were some old faces and some new faces - a really good time with a bunch of geeks. Speaking of geeks - expect to hear about GEEC '09 this week from those fine folks at NetPro who bring you DEC (Directory Experts Conference).

Tech-Ed itself ran Tuesday through Friday. I won't bore you with what you've probably already read elsewhere.

But, as expected, Windows 2008 was big news, IIS 7.0, and SQL 2008. Nothing surprising there. Hyper-V of course.

I spent a lot of time talking about deployments, upgrades, and migrations with lots of customers. I think the message behind read-only DCs and server-core has confused a bunch of folks; as has the "story" behind Hyper-V. Many people thought that with server-core coming that they HAD to use it. And lots of folks didn't understand that server-core doesn't support the .NET Framework (and thus it doesn't support PowerShell or the .NET extensions to IIS 7.0!).

Most folks also didn't understand that Hyper-V doesn't do much by itself - it takes an OS to layer on top of it. oh! And NT 4.0 is NOT supported on Hyper-V. That doesn't mean it doesn't work - but it isn't supported (ok ok - NT 4 isn't officially supported anyway - but this means that the Hyper-V folks have not "qualified" NT 4.0 to work properly on Hyper-V - if you want that, you have to stay with Virtual Server 2005).

During one of my talks about upgrade/migration, I went through the entire set of domain functional levels, forest functional levels, Exchange functional levels, and how Outlook functionality was impacted. My head hurt by the time I was done with that talk. It is downright confusing by this point.

I was able to meet and talk with the folks from AppAssure, who have a killer product in their Replay for Exchange. I hope to talk more about that in the future.

I met with the VP from Wiley/Sybex who signed me up for the book I'm working on right now. Unfortunately, I was never able to connect with my current editor for the book. :-(

I also had the fine fortune to be able to meet with Tony Davis of the Simple-Talk online journal. I hope to be able to start doing some work with him soon.

Unfortunately, I didn't get to meet with any of my contacts with Penton Media (the Windows IT Pro/Outlook IT Pro) folks, and Diane from EMO wasn't able to come to Tech-Ed this year.

There were lots of new products and lots of old products. I was shocked to see Syncsort. For no reason whatsoever, really. I can just remember using them in my mainframe days, over 20 years ago....they are still alive and well. I didn't know they had made the transition to client/server.

I took six certification tests while I was there. They offer Tech-Ed attendees a discount for taking tests onsite: $50 per test. So instead of $750 for those tests, I only paid $300. I wasn't able to schedule the final one I need: 70-620 (Vista) because of scheduling conflicts but once I take that one (week after next, I think), I'll also finish up the two Windows Server 2008 MCITP certifications. I'm already "MCITP: Enterprise Messaging Administrator", those two will add "MCITP: Enterprise Administrator" and "MCITP: Server Administrator".

I'm looking forward to the class-work for the Microsoft Certified Master programs. I hope they will fit in the budget of a self-employed consultant! (Check here if you haven't heard about the Master's programs: http://www.microsoft.com/learning/mcp/master/products/default.mspx#EZ).

After the conference I hung around Orlando for a couple of extra days just to relax. It was a good time. I look forward to it next year.

Enough rambling for today. I best go try to bill a few hours tonight to help pay for this trip!

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Tech-Ed 2008

michael — Sun, 08 Jun 2008 15:01:00 GMT

Later this afternoon I'll be hopping in my car and heading for the airport to travel to Orlando for Tech-Ed 2008 IT Pro.

I'll be part of "ask the experts". I signed up for Exchange and PowerShell - somehow I ended up in Server 2008??!!

Come by and say "hi"!

Creating Many Users with PowerShell and Admod

michael — Sat, 07 Jun 2008 21:30:00 GMT

One of the mailing lists I read and occaisionally post on is named ActiveDir. A lot of heavy-hitters in the AD world hang-out around there. I've learned quite a bit by lurking there.

A recent poster had wanted to create a few thousand accounts for testing purposes, and have them all follow a certain format for the samaccountname, the mailnickname, and the e-mail address. That's tough to do with the standard tools (if you are on Exchange 2007, with "new-mailuser" this can be done in a couple of lines of PowerShell, but the poster was on Exchange 2000).

Joe Richards ('joe'), author of admod and adfind (two truly invaluable tools - if you don't have them, get them), said that his admod tool was perfect for this, and offered up the following command line (you'll have to scroll to the right to see it all):

admod -add -autobase 40:cn=Test,ou=test,dc=eng,dc=myco,dc=com -counterstart 23001 -bmod cn={{*cnt*}}_{{*name*}},{{*parent*}} -expand -csv -kerbenc samaccountname::{{*cnt*}}_{{*name*}} mailnickname::{{*cnt*}}_{{*name*}} unicodepwd::MyPassword1! objectclass::user useraccountcontrol::512 msExchHomeServerName::"::"/o=Org/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=mail1"

So the basic assumption here is that 40 users are going to be created in a particular OU. The name of the users are going to be of the format 230xx_Test, the accounts are going to be enabled, have a password set, have a mailnickname set, and a particular Exchange server set.

(By the way - setting mailnickname and msExchHomeServerName will cause RUS to stamp a user object on Exchange 2000 and Exchange 2003. It's not documented. SSSssshhhhh.)

What can you say? That's an amazing command line. But in his post, joe made a negative comment about PowerShell, so I had to respond. (Completely friendly rivalry there...)

Here is PowerShell code to do the same thing. As I shared in my response post - it's a few lines longer, but much easier to read!!! (If you wanted to do it all on one line - you could - but it would be impossible to read.)

function createUsers([string]$base,[string]$userPrefix,[string]$userSuffix,[string]$homeServer,[string]$password,[int]$baseCount,[int]$count)
{
	$objBase = [adsi]('LDAP://' + $base)
	[int]$top = $baseCount + $count
	for ([int]$i = $baseCount; $i -lt $top; $i++)
	{
		[string]$user = $userPrefix + $i.ToString() + $userSuffix
		$objUser = $objBase.Create("user", "cn=" + $user)
		$objUser.Put("sAMAccountName",       $user)
		$objUser.Put("mailNickName",         $user)
		$objUser.Put("msExchHomeServerName", $homeServer)
		$objUser.SetInfo()
		$objUser.psbase.Invoke("SetPassword",           $password)
		$objUser.psbase.InvokeSet("useraccountcontrol", 512)
		$objUser.psbase.CommitChanges()
	}
	$objBase = $null
}

createUsers 'ou=OUtest,dc=essential,dc=local' '' '_Test' `
	'/o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=WIN2003-EXCH' `
	'MyPassword1!' 23001 4

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Read-Only Domain Controller Issues

michael — Fri, 06 Jun 2008 14:28:00 GMT

Exchange has caught a lot of crap for publishing the fact that it doesn't work in branch office locations where only Windows Server 2008 read-only domain controllers (RODCs) are available. Exchange simply requires read-write domain controllers. It's a fact.

However, it's been a poorly kept secret that Windows XP and Windows Server 2003 don't work well either in branch locations with only RODCs. You have needed Vista or Windows Server 2008 in those locations for all things to be happy.

Until now: Description of the Windows Server 2008 read-only domain controller compatibility pack for Windows Server 2003 clients and for Windows XP clients. KB 944043 fixes many of the issues with Windows XP (service pack 2 or service pack 3 only) and Windows Server 2003 (service pack 1 and service pack 2).

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

MAPI/CDO for Windows Server 2008 and Windows Vista

michael — Thu, 05 Jun 2008 17:29:00 GMT

If you want to write client applications to run on computers that use MAPI or CDO (for example, web servers) and you don't want to install (or can't install) either the Outlook client or the Exchange management tools, then you need to install the MAPI/CDO libraries.

These were released just last week for Windows Server 2008 and Windows Vista. You can get them here.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

I Had To Laugh...

michael — Wed, 04 Jun 2008 17:22:00 GMT

We consultants help each other out, of course. I know Exchange and Active Directory pretty well, but put me in front of Citrix or a big T/S farm or a PKI implementation - heck, I'll scream for help without any qualms whatsoever.

So, a consultant I share favors with called me this week - quite perplexed.

He was working at a company and they were working on a hardware migration - Exchange Server 2003 to Exchange Server 2003. They had a 50 GB store and a few hundred mailboxes.

This company had an onsite junior technician who wanted to help out, so my comrade-in-arms had given this junior tech a list of things to do, in order to prepare for the migration. Off the junior tech went to do them...

...and he came back and said "all done, but would you move the mailboxes? I don't feel comfortable with that...."

So....a couple hundred mailboxes moved later, and no more mailboxes would move. <scratch head>

Outlook connects, but no e-mail is being delivered to or from those folks who have been moved. <scratch head some more>

<investigate, investigate, investigate>

So I remote in, and five minutes later, I'm laughing so hard I almost split a gut.

The instructions my friend had given the junior tech. included how to install Exchange Enterprise and to install service pack 2.

Well, the junior tech. couldn't find the media for service pack 2. So, almost correctly, the junior tech. assumed he could just install Exchange Standard and set the registry key so that it would support a larger mailbox store.

So that's what he did. A perfectly good Exchange Standard install and he set the "Database Size Limit in Gb" to 75 - no problem for a 50 GB store.

BUT....(you knew this was coming, right?)

....wait for it....

he forgot to install service pack 2

So the store would mount...say oops! too big....dismount.

Lather, rinse, repeat.

The moral of the story? Well, I guess there are a couple:

1) Trust...but verify - ensure that what you think was done was actually done. Like Gregory House says, "People always lie." I would add - even when they don't mean to (it isn't always malicious).

2) Use your Event log. If it is telling you things that don't make sense - see moral 1. Occam's Razor almost always applies.

3) It's ok to ask your friends for help. :-)

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!