
Windows ‘Always On’ VPN Part 1 (Domain and PKI)


KB ID 0001399

Problem

Always On VPN was a bit of a misnomer when it was released, as it was only really ‘on’ when a user logged on. So when comparing it with ‘Direct Access‘ it didn’t have the capacity to ‘Manage Out’. With the release of Windows 10 (1709) this has been rectified with ‘Device Tunnels’, (more on that later).

Always On VPN Topology

The solution uses RAS, NAP (NPS), and PKI (Certificate Services). Obviously Active Directory is a requirement, and in addition I’ve also got a file server setup just for ‘testing’ access to domain resources.

Step 1: Active Directory Work

You will need to set up some security groups in AD, I’m going to use;

  • VPN-NPS-Servers
  • VPN-RAS-Servers
  • VPN-Users

Note: You can of course use ‘domain users’ if you are rolling this out domain wide.

Add your NAP/NPS server(s) to the VPN-NPS-Servers group, (remember you need to add computers to the search criteria, or you won’t find them).

Always-On VPN NPS Security Groups

Add your RAS server(s) to the VPN-RAS-Servers group.

Always-On VPN RAS Security Groups

Add your domain user(s) to the VPN-Users group.

Always-On VPN Security Groups

Step 2: PKI (Certificate Services)

PLEASE: Don’t just race forward and install Certificate Services. Every domain certificate problem I’ve ever had to work on has been the result of someone ‘just lashing it in’. Take the time to do it properly, and think about your domain PKI design; consider things like Offline Root CAs, multi-tier Sub CAs, CRLs, and OCSP.

Luckily, I’ve spent a ton of time already on Certificate Services; look through the following article;

Microsoft PKI Planning and Deploying Certificate Services

If you are simply setting this up on the test bench, or for a POC (in a non-production domain), then add the role from Server Manager.

Install Certificate Services

These are the roles I deploy, but for this solution you only really need the Certification Authority role.

Note: If you are interested in what the other roles do, then search for them above (I’ve blogged about NDES and the Enrollment Web Services before).

Certificate Services Roles

Step 3: Certificate Templates

You will need to create and publish three certificate templates;

  • VPN-User (Based on the User Template)
  • NPS-Servers (Based on the RAS and IAS Template)
  • VPN-Servers (Based on the RAS and IAS Template)

VPN-User Certificate: Open the Certificate Services management console > Certificate Templates > Manage > User > Duplicate Template.

Duplicate User Certificate

General Tab

  • Template Display Name: VPN-User
  • Publish certificate in Active Directory UNTICK.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work)
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work)

VPN User Certificate

Request Handling Tab:

Allow private key to be exported: UNTICK

Cryptography Tab:

  • Provider Category: Key Storage Provider
  • Providers: First: Microsoft Platform Crypto Provider, Second: Microsoft Software Key Storage Provider.

Note: There are two because the first one requires a TPM chip; if the client machine does not have one, the procedure fails. By also allowing ‘Microsoft Software Key Storage Provider’ it will ‘fall back’ to that option if there is no TPM chip.

VPN User Certificate Settings

Security Tab:

  • ADD: VPN-Users: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: Domain Users

Always On VPN User Certificate Settings

Note: In a test environment, you may also want to UNTICK the option ‘Include e-mail name in subject name‘ on the Subject Name tab or you may see this problem.

Issue the certificate template.

Issue VPN User Certificate

Repeat the procedure but this time make a duplicate of the RAS and IAS template.

IAS and RAS Certificate

General Tab:

  • Template Display Name: NPS-Servers.

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

IAS and RAS Certificate for NPS

Security Tab:

  • ADD: VPN-NPS-Servers: GRANT: Read, Enrol, and Autoenroll.
  • DELETE: RAS and IAS Servers.

Certificate for NAP Server

Apply > OK > Now make a second duplicate of the RAS and IAS certificate template.

Duplicate Certificate Template

General Tab:

  • Template Display Name: VPN-Servers.

Extensions Tab:

  • Edit > Add > IP Security IKE Intermediate > OK > OK.

RAS Server Certificate

Security Tab:

  • ADD: VPN-RAS-Servers: GRANT: Read and Enrol ONLY.
  • DELETE: RAS and IAS Servers.

VPN Server Certificate Security

Subject Name Tab:

Supply In the Request: TICK (Accept the warning).

Compatibility Tab:

  • Certification Authority: Windows Server 2016 (Though 2012 R2 will work).
  • Certificate Recipient: Windows 10 (Though Windows 8.1 will work).

VPN Server Certificate Subject

Issue Both of the server certificate templates.

Issue Always On AutoVPN Certificates

Step 4: Group Policies Auto-Enrolment

Again, I’ve written about this before, so for some extra reading on the subject, see the following article;

Deploying Certificates via ‘Auto Enrollment’

In the ‘Group Policy Management Console’ create a new GPO. I’m simply linking it to the root of the domain; you can of course link it to the OUs that your RAS and NPS servers live in.

Computer Certificate Auto Enrollment

Edit the policy.

Edit GPO

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

Close and exit the policy editor.

Computer Certificate Auto Enroll GPO

Now I’m creating another policy for my USER auto enrolment (I could have used the same policy above that’s linked to the root of the domain, but I like to keep them separate; it’s your choice). Anyway, just ensure the policy is linked to your USERS.

User Certificate Auto Enroll GPO

Edit the policy.

Edit User GPO

Navigate to: User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrolment > Properties.

  1. Configuration Model: Enabled.
  2. Renew expired certificates, update pending certificates, and remove revoked certificates: TICK.
  3. Update certificates that use certificate templates: TICK.

User Autoenrollment GPO

Step 5: Testing Certificate Deployment

Remember we are deploying two computer certificates and one user certificate, and they are all based on group membership, so your servers need to be rebooted before they will pick up their group membership, and your user(s) need to log off and log on. Also bear in mind you might want to force group policy; see the following article;

Windows – Forcing Domain Group Policy

NPS-Servers Certificate: Windows Key+R > certlm.msc > Personal > Certificates > You should have a certificate based on the NPS-Server template.

NPS Certificate Issued

VPN-Server Certificate: Windows Key+R > certlm.msc > Personal > Certificates > All Tasks > Request New Certificate > Next.

RAS Certificate Request

Note: You are doing this one manually because this certificate does not auto-enrol; that’s because the certificate will need a different common name on it (the public DNS name of the RAS server).

Next > Click the ‘More information…’ link > In the Subject Name section, set the Common name to the public DNS name of the RAS server. In the Alternative name section set the DNS value to the (internal) FQDN of the server > Apply > OK.

RAS Certificate CN and SAN Names

Enroll > Finish.

RAS Certificate Enrollment

You now have a certificate based on the VPN-Server template.

RAS PKI Public Certificate

VPN-User Certificate: Just a quick note: on the Windows 10 client, run certlm.msc again, but this time ensure you have your domain CA server certificate listed in the ‘Trusted Root Certification Authorities’ folder.

CA Trusted Root

Now this console lists computer certificates, and we need to look at user certificates (I could just run certmgr.msc instead), but old habits die hard, so I’ll launch an MMC console and add a snap-in.

CA Trusted Root

And add ‘Certificates’ (Note: If I were an administrator I would be prompted to choose computer or user certificates; as I’m just a user, the current user is selected by default) > OK.

User Certificate MMC

And there’s my certificate based on the VPN-User template.

User Certificate Issued for VPN

If you’re struggling, and the user certificate refuses to appear, read my note (above) about e-mail addresses (that’s a very common error that causes auto-enrollment to fail). For troubleshooting, look in the Event logs and in the ‘Failed Requests’ section on your CA server. For all certificates, if something isn’t working then either something’s in the wrong group, the wrong group has been given permissions on the certificate template, or the GPO is linked to the wrong location.
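To take the guesswork out of the checks above, here is an added PowerShell example (not part of the original article) that confirms the expected certificate has arrived in the store, which template issued it, and whether the private key sits in the TPM-backed or software Key Storage Provider chosen on the Cryptography tab. The template names are the ones used in this article; the certificate store paths and the template-information extension OID are standard Windows values.

```powershell
# Added example (not from the original article): verify auto-enrolled certificates.
# Run it on the NPS/RAS server for the computer templates, or as the user (with
# -StoreLocation CurrentUser -TemplateName VPN-User) for the user certificate.
param(
    [string]$TemplateName  = 'NPS-Servers',    # article's template names: NPS-Servers, VPN-Servers, VPN-User
    [string]$StoreLocation = 'LocalMachine'    # 'CurrentUser' for the VPN-User certificate
)

# Certificate Template Information extension: names the (v2+) template a certificate came from
$templateOid = '1.3.6.1.4.1.311.21.7'
# Format($false) renders e.g. "Template=NPS-Servers(1.3.6.1.4.1.311.21.8....), Major Version Number=100, ..."
$pattern = 'Template=' + [regex]::Escape($TemplateName) + '(\(|,|$)'

$found = foreach ($cert in Get-ChildItem "Cert:\$StoreLocation\My") {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if (-not $ext) { continue }
    if ($ext.Format($false) -notmatch $pattern) { continue }

    # Keys held by a KSP come back as RSACng; the provider name tells TPM from software
    $provider = 'unknown'
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($key -is [System.Security.Cryptography.RSACng]) { $provider = $key.Key.Provider.Provider }
        elseif ($key) { $provider = 'legacy CSP' }
    } catch { $provider = "private key not accessible ($($_.Exception.Message))" }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Template      = $TemplateName
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Provider      = $provider          # 'Microsoft Platform Crypto Provider' means TPM-backed
        Thumbprint    = $cert.Thumbprint
    }
}

if (-not $found) {
    Write-Warning "No certificate from template '$TemplateName' in Cert:\$StoreLocation\My. Check group membership, template permissions and the GPO link, then run: gpupdate /force; certutil -pulse"
} else {
    $found | Format-Table -AutoSize
}
```

A Provider of ‘Microsoft Software Key Storage Provider’ on a machine you expected to have a TPM is worth a second look, as it means the fall-back provider was used rather than the hardware-protected one.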

That’s it for Part One; in Part Two I will look at deploying my RAS/VPN server into my DMZ, and having a rant/sneer at Microsoft’s continuing policy of trying to bypass my firewall.

Related Articles, References, Credits, or External Links

A massive thank you to Joseph Moody, and Kevin Kaminski, fellow MVPs who took the time to reply to my Always On VPN queries.


PowerShell: Creating Domains and Domain Controllers


KB ID 0001400

Problem

I needed to spin up some Windows 2016 Servers, and a domain to do some testing. I have promoted hundreds maybe thousands of domain controllers, so I wondered if this time I could do it with PowerShell. It’s actually easier than using the GUI!

Solution

If you were doing this in Server Manager, you would have to add the role first, and PowerShell is no different;

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

PowerShell Add AD Domain Services

Then promote the server to a new DC in a new forest;

Install-ADDSForest

PowerShell New Forest

Supply the new domain name and the recovery password. Select ‘Y’ to reboot, go and have a coffee, and when finished you will have a new DC in a new domain, ready to log into.

Related Articles, References, Credits, or External Links

NA

Remotely Log Users Off From CLI / PowerShell


KB ID 0001401

Problem

I’ve not had to do this since the days we got “The terminal server has exceeded the maximum number of allowed connections” errors. Now thankfully Windows Server tells us who is logged on so we can ‘ask politely’ before we boot them off!

Today though, my user session got all messed up, and I needed to kick ‘myself’ off remotely (and have a fresh session).

Solution

From a remote machine run the following command to see who is logged on and (more importantly) get the session number for that user;

QUser /SERVER:{Hostname}
PowerShell Find out Who is logged on

Above, the ID of ‘1’ denotes the session number; select the one that corresponds with the user you want to log off. Then issue the following command;

Logoff {Session} /SERVER:{Hostname} /V
PowerShell Remote Log off a user

Job done, that was easy!
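The two commands above are easy to fat-finger when the server has several sessions, so here is an added PowerShell example (not part of the original article) that parses the quser output for a named user and logs off only that user’s session(s). The hostname and username in the usage line are placeholders; quser and logoff are the standard Windows tools used above.

```powershell
# Added example (not from the original article): find a user's session on a remote
# host and log it off. quser prints a table; a disconnected session has an empty
# SESSIONNAME column, which is why the parser treats that field as optional.
function Get-RemoteUserSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $output = & quser /SERVER:$ComputerName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "quser failed against ${ComputerName}: $output" }
    foreach ($line in ($output | Select-Object -Skip 1)) {      # skip the header row
        # '>' marks the caller's own session; USERNAME [SESSIONNAME] ID STATE ...
        if ($line -match '^\s*>?(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)') {
            [pscustomobject]@{
                UserName    = $Matches[1]
                SessionName = $Matches[2]
                Id          = [int]$Matches[3]
                State       = $Matches[4]
            }
        }
    }
}

function Disconnect-RemoteUser {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName
    )
    $sessions = @(Get-RemoteUserSession -ComputerName $ComputerName |
                  Where-Object { $_.UserName -eq $UserName })
    if ($sessions.Count -eq 0) {
        Write-Warning "No session for '$UserName' on $ComputerName"
        return
    }
    foreach ($s in $sessions) {
        Write-Host "Logging off $($s.UserName) (session $($s.Id), $($s.State)) on $ComputerName"
        & logoff $s.Id /SERVER:$ComputerName /V
    }
}

# Usage (hostname and user are placeholders):
# Get-RemoteUserSession -ComputerName 'SERVER01' | Format-Table
# Disconnect-RemoteUser -ComputerName 'SERVER01' -UserName 'pete'
```

Listing first and logging off second keeps the ‘ask politely’ step in the loop; the function only ever targets sessions whose USERNAME column matches exactly.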

Related Articles, References, Credits, or External Links

NA

Windows 10: Remote VPN Client Cannot Resolve Domain DNS


KB ID 0001402

Problem

I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN, when I noticed that I had a problem with my remote VPN connections on Windows 10. They would connect fine, but I could not resolve any FQDNs for my domain.

Solution

By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that (unless your RAS server is the default gateway for your network) you usually don’t have internet access when connected to the VPN.

Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name; in fact Windows was trying to resolve my domain name to a public IP.

Google this problem and you’re simply told to ‘Disable IPv6 on your network card’, and this works (if you want to keep your remote users Force-Tunnelled). But disabling IPv6 is hardly a fix, is it?

Also, if you want internet access for your remote clients (commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled, the problem comes back!

Why is this happening? Well, even with Force Tunnel enabled, you can still use your local LAN (connect to your VPN, and ping your home gateway, or printer, or wireless access point if you don’t believe me!) This connection takes precedence over your remote VPN connection; to prove it, run a netstat -rn command.

Windows Connection metrics

From the above you can see my Ethernet adaptor has a metric of 6, and my VPN connector (in this case called Connection Template) has a metric of 23. AND THE LOWEST ONE WINS, so your DNS queries are going out of your local internet connection, NOT down the VPN tunnel!

How Do I Fix this?

Well, until Microsoft fixes this in Windows 10 (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;

On Your Physical Adapter;

Start > ncpa.cpl {enter} > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.

Physical NIC Properties

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK > OK.

Physical NIC Metric

On Your VPN Connector;

Start > ncpa.cpl {enter} > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.

VPN Connection IPv4

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK > OK.

VPN Connection Metric

Now your DNS look-ups should behave!
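The same fix from PowerShell, as an added example that is not part of the original article: it first shows the metrics (the PowerShell view of what netstat -rn showed above) and then pins the physical NIC to 20 and the VPN connector to 10, exactly as in the GUI steps. The interface names ‘Ethernet’ and ‘Connection Template’ are assumptions for this lab; change them to match yours, and run it elevated.

```powershell
# Added example (not from the original article): set IPv4 interface metrics so
# the VPN tunnel wins over the local LAN for DNS. Interface names are placeholders.
$physical = 'Ethernet'              # your physical NIC
$vpn      = 'Connection Template'   # your VPN connector (as named in this article)

# Before: who wins today? The lowest InterfaceMetric takes precedence.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($physical, $vpn) } |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric, ConnectionState |
    Format-Table -AutoSize

# Physical NIC: untick 'Automatic Metric' and set 20
Set-NetIPInterface -InterfaceAlias $physical -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric 20

# VPN connector: untick 'Automatic Metric' and set 10. The interface only exists
# while the VPN is connected, so connect first; if the value does not survive a
# reconnect, set it in the connector's IPv4 properties as described above.
Set-NetIPInterface -InterfaceAlias $vpn -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric 10

# After: confirm the VPN interface now has the lower metric
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -in @($physical, $vpn) } |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric |
    Format-Table -AutoSize
```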

Related Articles, References, Credits, or External Links

NA

Windows ‘Always On’ VPN Part 2 (NPS, RAS, and Clients)


KB ID 0001403

Problem

Back in Part One, we set up the AD (groups) and the Certificate Services that will knit everything together. Now we need to configure an NPS server that acts as a RADIUS server for our remote clients, and a RAS server that our remote clients will connect to.

Step 1: Network Setup

Microsoft have an alarming habit of telling you to connect DMZ assets to the LAN. In their defence, I’ve seen some documentation where there is a firewall in front of and behind their RAS/VPN server, but then you keep reading and they refer to the NIC on the LAN and the NIC in the DMZ. As you can tell I’m not a fan; I prefer to have an un-authenticated and an authenticated DMZ, and neither of them is connected to the LAN, so then I can control what can, and cannot, flow between the DMZs and the LAN.

Always-On-VPN-Firewall

My way means I have to allow more ports for domain membership etc., but if you have a Cisco ASA I’ve covered that in the following article;

Cisco ASA – Allowing Domain Trusts, and Authentication

As for the VPNs and RADIUS you need to allow the following;

From Outside to the RAS Server

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT Traversal)

From the RAS Server to the NPS/NAP Server

  • UDP 1812 (RADIUS Authentication)
  • UDP 1813 (RADIUS Accounting)
  • UDP 1645 (RADIUS Authentication)
  • UDP 1646 (RADIUS Accounting)

Quite why it needs both pairs of RADIUS ports I’m unsure; I’ve not scanned or packet captured the traffic, but I’m willing to bet it really only needs 1812/1813 or 1645/1646.

Step 2: Install NPS

Server Manager > Manage > Add Roles and Features > Network Policy and Access Services > Complete the wizard accepting the defaults.

Install NPS Server 2016

Administrative tools > Network Policy Server > Right click NPS (Local) > Register in Active Directory > OK.

NPS Server Register in AD

Even though it’s not set up yet, we need to create our RAS server as a RADIUS client > RADIUS Clients > New.

Friendly Name: A sensible name that identifies the RAS server

IP: IP of the RAS server (On the LAN segment)

Shared Secret: Generate a new one and copy it to the clipboard, (you will need it in a minute.)

NPS Create RADIUS Client
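The same RADIUS client can be registered from PowerShell with the NPS module, and doing it that way makes it easy to generate a long random shared secret rather than typing one. This is an added example, not part of the original article; the friendly name and IP address are placeholders for this lab, and the NPS cmdlets used are the standard ones shipped with the role.

```powershell
# Added example (not from the original article): create the RAS server as a RADIUS
# client with a freshly generated shared secret. Name and address are placeholders.
Import-Module NPS

$rasName = 'RAS-Server'       # friendly name that identifies the RAS server
$rasIp   = '192.168.10.5'     # IP of the RAS server on the LAN segment (placeholder)

# 32 random bytes from the system CSPRNG -> 64 hex characters (NPS allows up to 128)
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

New-NpsRadiusClient -Name $rasName -Address $rasIp -SharedSecret $secret | Out-Null

# Confirm it registered (the secret itself is never displayed again by NPS)
Get-NpsRadiusClient | Where-Object { $_.Name -eq $rasName } |
    Select-Object Name, Address, Enabled | Format-Table -AutoSize

# Put the secret on the clipboard for the RRAS Security tab (step 3, below),
# then clear both copies once it has been pasted in.
Set-Clipboard -Value $secret
Read-Host 'Paste the secret into RRAS now, then press Enter to clear it' | Out-Null
Set-Clipboard -Value ' '
Remove-Variable secret, bytes
```

A long random secret matters here because the RADIUS shared secret is what protects the password-hash and attribute exchange between RAS and NPS on UDP 1812/1813; a short dictionary word weakens that considerably.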

On the main page, ensure ‘RADIUS server for Dial-Up or VPN Connections’ is selected > Configure VPN or Dial-Up.

NPS VPN Dial Up

Select ‘Virtual Private Network (NPS) Connections’ > Next > Ensure the RADIUS server you have just created is listed > Next > Ensure ONLY ‘Extensible Authentication Protocol’ is ticked > Change its value to Microsoft Protected EAP (PEAP) > Configure.

NPS VPN Dial Up Policy

EAP Types: Remove the one that is listed by default > Add in ‘Smart card or other certificate’ > OK > Under Groups make sure you have ONLY added the group you created back in Part One > Next > Next.

NPS VPN Dial Up Certificate

Next > Next > Finish.

NAP Connection Policy

Your connection request policies should look like this.

NAP Connection Request Policy

Your network policies should look like this.

NAP Network Policy

Step 3: Setup RAS

Server Manager > Manage > Add Roles and Features > Next > Next > Next > Remote Access > Next.

Add Remote Access Role

Select DirectAccess and RAS > Finish the wizard accepting the defaults.

DirectAccess and VPN RAS

Open the Getting Started Wizard > Select VPN Only.

DirectAccess Setup

Administrative Tools > Routing and Remote Access > Right click {server-name} > Configure and enable Routing and Remote Access > Next  > Custom configuration.

Configure RAS

VPN Access > Next > Finish > Start service.

Configure Windows RAS

Once again right click {server-name} > Properties > IPv4 > Note: If you are not going to use your internal DHCP server/scope, then you can set one up manually (as shown) > Ensure ‘Enable broadcast name resolution’ is selected, and the RAS server’s internal/LAN interface is selected > Apply.

RAS DHCP Settings

Security Tab: Authentication provider = RADIUS Authentication > Configure > Add > Enter the IP of the NPS server > Change > Paste in the shared secret you copied (above) > OK > OK.

Repeat the same procedure for the Accounting provider (below).

RAS RADIUS Settings

Drill down to ‘Ports’ > Right Click > Properties > Select SSTP > Configure > Remove the tick from ‘Remote access connections (inbound only)’ > OK. Repeat this procedure for ALL the protocols EXCEPT IKEv2 (so when finished, only IKEv2 is set to accept incoming requests).

RAS Port Settings

Step 4: Configure Reference Windows 10 Machine

On a Windows 10 machine*, launch ‘Change virtual private networks’.

*Note: Your logged-on user must have a certificate issued to them, and be a member of the AD group we created earlier.

Windows 10 VPN

Add a VPN Connector.

Windows 10 Add a VPN

  • VPN Provider: Windows (Built-in).
  • Connection Name: Connection-Template.
  • Server Name or address: (The ‘public’ name we put on the certificate on the RAS server).

Windows Add a VPN Connection

Change Adapter options.

Change Adaptor Settings

Right click the VPN connection > Properties.

Change NIC Settings

Security Tab:

  • Type of VPN: IKEv2
  • Data Encryption: Maximum
  • Use Extensible Authentication Protocol (EAP)
  • Properties > Enter the name on the certificate on your NAP Server (I know that does not make sense, trust me!)
  • Tick your Root CA Cert for the domain.
  • Select ‘Don’t prompt user to authorise new servers or new authorities’.

NIC VPN Settings

Connect your VPN to test it.

Connect VPN

Make sure everything works.

VPN Connected

Note: I had some DNS resolution problems, see the post below to find out how I fixed them;

Windows 10: Remote VPN Client Cannot Resolve Domain DNS

Now you need to ‘capture’ all those settings so you can give them to your other clients. To do that you need a copy of the PowerShell script MakeProfile.ps1. You will need to edit the script a little; see the example below. Running the script will output two files to the desktop, a PowerShell script and an XML file.

VPN Profile

Step 5: Deploying the Settings

At the time of writing you can deploy these settings via three methods: PowerShell script, SCCM, or Microsoft Intune. I’m simply going to run the PowerShell script. There are a few restrictions though: you have to be logged on as the particular user, and they need administrative rights to run the script, which is a bit of a pain. You can use restricted groups and set the PowerShell script to run at logon with group policy, then remove the policy when configured, but it’s still a bit of a drama. Below I’m simply running the VPN_Profile.ps1 file I generated above.

Deploy Always On VPN Profile

Now once the user logs in (and has a valid remote internet connection), the remote client will auto-connect.


Always On VPN Connected

That covers USER tunnels; you can also (post 1709 Windows 10 build) have DEVICE tunnels, which I will take a look at in Part Three.

Related Articles, References, Credits, or External Links

NA

Exchange: PowerShell Commands


KB ID 0001405

Problem

This might seem like an odd title for an article here at PNL, but I’m going to use this page as a place to put all the commands I’m sick of Googling for, and/or working out every time I do an Exchange job.

So as with all the posts here, it’s here for my benefit, and if anyone else gets something from it great!

Exchange General

Change Exchange Licence Code

Set-ExchangeServer -Identity Server-Name -ProductKey 12345-12345-12345-12345-12345

Exchange Mailboxes

How Many Mailboxes Per Database?

Get-Mailbox | Group-Object -Property:Database | Select-Object Name,Count | Sort-Object Name | Format-Table -Auto


Exchange Mailbox Migrations

Migrate a Single Mailbox

New-MoveRequest -Identity "Fred Bloggs" -TargetDatabase "Destination-DB" -BatchName "Fred Bloggs" -BadItemLimit 200 -AcceptLargeDataLoss

Migrate ALL Mailboxes in one Database to Another

Get-Mailbox -Database "Source-DB" -ResultSize Unlimited | New-MoveRequest -TargetDatabase "Destination-DB"

Display Mailbox Migration Progress

Get-MoveRequest | Get-MoveRequestStatistics

OR

Get-MoveRequest -MoveStatus InProgress
Get-MoveRequest -MoveStatus Failed
Get-MoveRequest -MoveStatus Queued

Remove Mailbox Move Requests

Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

Exchange Databases

List All Mailboxes in a Database

Get-Mailbox -Database "Database Name"

Show Database (and Log File) Locations

Get-MailboxDatabase -Status | Select-Object EdbFilePath
Get-MailboxDatabase -Status | Select-Object LogFolderPath

Move a Database (and Log Files)

Move-DatabasePath -Identity Database-Name -EdbFilePath X:\Folder\Database\Database-Name.edb
Move-DatabasePath -Identity Database-Name -LogFolderPath X:\Folder\Log-Folder\

Show Mailbox Database ‘Whitespace’

Get-MailboxDatabase -Status | select Name,DatabaseSize,AvailableNewMailboxSpace


Related Articles, References, Credits, or External Links

NA

PowerShell – Getting Server IP Address Information


KB ID 0001404

Problem

I’ve been rebuilding some Hyper-V hosts over the last few weeks, and one thing I learned rebuilding VMware ESX hosts is, ‘make sure you know what all the network cards are doing before you flatten it!’

The same is true of storage as well but here I’m just concentrating on networking.

List Network Cards and MAC Addresses

If you have these documented you can rename the network cards correctly after the rebuild, and the MAC addresses ensure you have the right names assigned to the right NICs (without having to go and check all the cabling afterwards!)

Get-NetAdapter | Select Name, MACAddress, vlanID

Get NIC Name and MacAddress

List Network Teams and Members

From the names of the network connections above we can see we are using network teaming, but even if yours don’t have sensible names, you can get the team names and the NICs that are members of each team with the following command;

Get-NetLbfoTeam

Get Team and NIC Information

List NICs and IP addresses

To see what IP addresses are in use on which NICs (physical or virtual), use the following;

Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 | Select Name, IPAddress, PrefixLength

Get NIC and IP Address Information

Hyper-V: Get vSwitch and Virtual NIC info

As stated above, I’m rebuilding Hyper-V hosts; the following lists all the management vSwitch(es) and vNICs (and their names).

Get-VMNetworkAdapter -ManagementOS

Hyper-V Get Management VMNICS

Hyper-V: Get vSwitch and Virtual NIC VLAN info

In addition to the above, I also need to know the VLANs the vNICs are on.

Get-VMNetworkAdapterVLAN -ManagementOS

Hyper-V Get Management VMNICS VLAN
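Since the point of all of the above is to have the layout written down before the host is flattened, here is an added example (not part of the original article) that runs the same commands and saves everything to one dated JSON file. The output folder is a placeholder; the Hyper-V part is skipped automatically on a host without the Hyper-V module.

```powershell
# Added example (not from the original article): capture the host's network
# layout (NICs, teams, IPv4 addresses, management vNICs and their VLANs) to JSON.
$outDir = 'C:\Build'   # placeholder; change to wherever you keep build notes
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$report = [ordered]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('s')
    Adapters  = @(Get-NetAdapter |
                  Select-Object Name, InterfaceDescription, MacAddress, VlanID, Status, LinkSpeed)
    Teams     = @(Get-NetLbfoTeam |
                  Select-Object Name, TeamingMode, LoadBalancingAlgorithm, Status,
                                @{n = 'Members'; e = { $_.Members -join ', ' }})
    IPv4      = @(Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 |
                  Select-Object InterfaceAlias, IPAddress, PrefixLength)
}

# Hyper-V management OS vNICs and their VLANs, only where the Hyper-V module exists
if (Get-Command Get-VMNetworkAdapter -ErrorAction SilentlyContinue) {
    $report.ManagementVNics = @(Get-VMNetworkAdapter -ManagementOS |
                                Select-Object Name, SwitchName, MacAddress)
    $report.ManagementVlans = @(Get-VMNetworkAdapterVlan -ManagementOS |
                                Select-Object @{n = 'Adapter'; e = { $_.ParentAdapter.Name }},
                                              OperationMode, AccessVlanId)
}

$outFile = Join-Path $outDir ("{0}-network-{1}.json" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Network inventory written to $outFile"
```

Keep the file somewhere other than the host itself (it is about to be rebuilt); the MAC address column is the bit that lets you match names to physical ports afterwards.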

Related Articles, References, Credits, or External Links

NA

Migrating RD Web and RD Gateway Roles


KB ID 0001406

Problem

I’ve got a job coming up to deploy some Duo two factor authentication into a client’s RDS farm. To make things a bit easier for them I needed to migrate their RD Connection Broker. They had their Connection Broker, Gateway, and Web roles on one server (which is not unusual, or incorrect). It turned out that moving the Connection Broker was going to be a major task, and it would be a lot easier to move the other two roles.

Solution

Note: Before deploying, make sure you have the certificate ready to import (in .PFX format with a known password). If you are confused, export the one from the old server. If you’re still confused, use the search button above; I’ve written that procedure up before.

Moving the Gateway and Web roles is actually pretty simple to do; the process is: add the server to the RDS farm, add the role, migrate the IIS settings. You can then repoint your firewall rules to the new server and remove the roles from the old one.

Build your new server, update it and join it to the domain.

Join Domain

Add the new server into the RDS deployment (on one of the RDS farm members).

Add Server to RDS Deployment

You can (from one of the other servers in the RDS farm) now deploy the new role; I’m going to deploy RD Web Access first.

Add Rd Web Access

Search for, select, then add the new server > Next.

Add Rd Web Access Server

Add

Add Rd Web Access Server

The new role will be deployed, (time for a coffee?).

Add Rd Web Access Server

Select ‘Configure Certificate’.

Add Rd Web Access Server

Your newly added role will say ‘Error’ > Select it > ‘Select existing certificate’.

Set RD Web Certificate

Browse to the certificate > Supply the password > Tick ‘Allow the certificate to be added to the Trusted Root……’ option > OK.

Import RD Web Certificate

When the display changes to ‘Success’ > Apply > OK.

Imported RD Web Cert Successful

Now you can add the other RDS Server(s) into the Server Manager console on the ‘new’ RDS server.

Add OLD Servers to New Server RDS Deployment

Now to ‘migrate’ any custom IIS settings, download the Web Deploy Tool, either directly from Microsoft,

IIS Web Deploy Tool

Or you can deploy from the Web Platform Installer.

Migrate IIS

Then to migrate all the IIS settings issue the following commands;

CD "C:\Program Files (x86)\IIS\Microsoft Web Deploy V3"

msdeploy.exe -verb:sync -source:webServer,computername={Source-Server-IP} -dest:webServer,computername={Destination-Server-IP}

RDS Web Migration IIS

Repeat the process for the RD Gateway role.

Add RDS Gateway

Related Articles, References, Credits, or External Links

NA


Convert MBR Partitioned Drives to GPT


KB ID 0001407

Problem

I got asked if I’d ever had to do this today; I vaguely remember having this problem in the past, but I can’t remember how I solved it. You set the ‘Partition Table Type’ on a disk in Windows when the drive is first initialised, like so;

And the default is MBR, so that usually gets ticked; the problem is MBR only supports disks up to 2TB in size. Now if it’s just a new disk, with no partitions on it, you can simply change it;

But if it’s got a partition on it (and probably some live data) you can’t!

The Microsoft solution is to delete the partitions and create a new one, which can be a little time consuming, especially if you have live data on it! So can you convert it to GPT live with no data loss?

Solution

Yes! As usual, make sure you have a decent backup first, and if you are using a virtual environment, you can snapshot the virtual machine beforehand (I tested this in the lab by taking a snapshot, converting a drive from MBR to GPT, then reverting to the snapshot, and it flipped back to MBR with no loss of data).

You need to know what disk number Windows has assigned to the drive; in Disk Management right click the drive, and select Properties.

Download and extract gptgen-1.1, then run the following command;

gptgen.exe -w \\.\physicaldrive1

Note: Where ‘1‘ is the disk number you took note of above.

That’s it, done! In ‘Disk Management’ you will need to ‘Rescan Disks’ to see the change.

In the unlikely event that something exploded, you can ‘roll-back‘ to your snapshot.

Related Articles, References, Credits, or External Links

NA

VMware vSphere: Adding NFS Storage


KB ID 0001408

Problem

If you have some NFS storage, and you want to use it as a Datastore in your VMware environment, this is the procedure to follow.

Pre-Requisites

I’m assuming you already have a network connection between your ESX servers and the NAS box (i.e. you have a VMkernel NIC on the same network). I’m also assuming you have the NFS set up correctly; in this example I’m using a Buffalo NAS box.

Buffalo Setup NFS

But you can also use a Windows NFS share; see the following article;

Solution

In Datastore View > Datastore > Add Datastore.

vSphere add NFS

Next > NFS v3 > Next.

vSphere 6 add NFS

Enter your NFS mount details and IP address > Next > Select the Host(s) that will use the NFS storage > Next.

Connect vSphere ESX to NAS

Finish

ESX NFS Datastore

Related Articles, References, Credits, or External Links

Connect to Office 365 Exchange PowerShell


KB ID 0001410

Problem

If there’s one thing that’s grown on me it’s PowerShell. After the last few versions of Exchange you can’t really escape it. So now we have so many clients with their Exchange in Office 365, the ability to connect to that, and use all your usual Exchange cmdlets, is a bonus!

Solution

If you haven’t already done so, you need to ‘slacken’ your signing policy (a little) before proceeding;

Set-ExecutionPolicy RemoteSigned

Now to access Exchange Online you need to be able to authenticate to it; the best way to do that is to ‘cache’ your logon credentials (unless you have ADFS federation, then you can skip this step). To enter your O365 creds, execute the following command;

$UserCredential = Get-Credential

Then create the settings for your remote session;

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Then to open the session;

Import-PSSession $Session

PowerShell into Office 365 Exchange

DON’T FORGET: When you are finished, disconnect the session with the following command;

Remove-PSSession $Session

Related Articles, References, Credits, or External Links

NA

Exchange Setup Error: Cannot Update Schema


KB ID 0001409

Problem

I had a nightmare with this (this morning). The client had an Exchange 2007 server in a sub domain, and I am migrating them to Exchange 2016 (via Exchange 2013). While attempting to deploy the Exchange 2013 server, the ‘Readiness Checks’ failed;

Exchange Schema Needs an Update, not a member

Error:

The Active Directory Schema isn’t up-to-date, and this user account isn’t a member of the ‘Schema Admins’ and/or ‘Enterprise Admins’ groups.

Error:

Global updates need to be made to Active Directory, and this user account isn’t a member of the ‘Enterprise Admins’ group.

Error:

The local domain needs to be updated. You must be a member of the ‘Domain Admins’ group and ‘Organization Management’ role group, or ‘Enterprise Admins’ group to continue.

Error:

You must be a member of the ‘Organization Management’ role group or a member of the ‘Enterprise Admins’ group to continue.

For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalServerInstall.aspx

Error:

You must use an account that’s a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.

Error:

You must use an account that’s a member of the Organization Management role group to install the first Client Access server role in the topology.

Error:

You must use an account that’s a member of the Organization Management role group to install the first Client Access server role in the topology.

Error:

You must use an account that’s a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.

Error:

You must use an account that’s a member of the Organization Management role group to install or upgrade the first Client Access server role in the topology.

Error:

You must use an account that’s a member of the Organization Management role group to install the first Mailbox server role in the topology.

Error:

Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master.  Run setup with the /prepareAD parameter on a computer in the domain {root-domain} and site (site-name}, and wait for replication to complete.  See the Exchange setup log for more information on this error.

Error:

The forest functional level of the current Active Directory forest is not Windows Server 2003 native or later. To install Exchange Server 2013, the forest functional level must be at least Windows Server 2003 native.

Error:

Either Active Directory doesn’t exist, or it can’t be contacted.

WOW! That’s some error list!

Solution

OK, I’m assuming from this point forward you ARE in the correct AD groups? Those being;

  • Schema Admins
  • Enterprise Admins
  • Organization Management (the Exchange role group)
  • Domain Admins

Note: Schema Admins and Enterprise Admins only exist in the forest root domain, so a sub-domain’s Domain Admins account isn’t in them by default (see below).

At first I thought it was just a ‘bug’ that I’d seen before, where you need to go to your user account in Active Directory and change your primary group from ‘Domain Users’ to ‘Enterprise Admins’, like so;

AD Set Primary Group

These Exchange servers were in a ‘sub-domain’, so I had to go to the root domain, and go a bit ‘old-school’. Locate the Schema Master (by default it’s the first DC built in the forest root domain).

Locate your FSMO Role Servers

Log onto the schema master then either present your Exchange Setup DVD, or navigate to the setup files, and run the following command;

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

Exchange Prepare Schema Manually

For some reason, every post says go to another DC in the same site as the Schema Master and continue. Well, you can do that here, i.e. you can simply run the following commands on the same server!

Execute the following command;

Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms

Now if you ONLY HAVE ONE SUB-DOMAIN, or are preparing ALL the sub-domains anyway, run the following command;

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

Or, if you have multiple sub domains, and want to be a bit more selective, then use the following syntax;

Setup.exe /PrepareDomain:{FQDN-of-sub-domain} /IAcceptExchangeServerLicenseTerms

Now, either wait for domain replication, or if you’re impatient (like me) force domain replication, then go have a coffee, and retry your Exchange setup.
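Before running any of the Setup.exe commands above, it is worth proving you are on the right box with the right group memberships, and afterwards confirming the preparation actually landed. The script below is an added example, not from the original article; it uses the ActiveDirectory RSAT module and assumes nothing about your forest beyond what the article describes.

```powershell
# Added example, not from the original article: pre-flight checks for /PrepareSchema
# and /PrepareAD, plus the version numbers that prove each step took effect.
# Requires the ActiveDirectory module (RSAT). Run it before and after each Setup.exe step.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE -Server $forest.SchemaMaster

# 1. /PrepareSchema must run in the same domain and AD site as this DC.
"Schema Master : $($forest.SchemaMaster)  (forest root domain: $($forest.RootDomain))"

# 2. Are we really in the forest-root groups the readiness check demands?
$me = $env:USERNAME
foreach ($group in 'Schema Admins', 'Enterprise Admins') {
    $members = Get-ADGroupMember -Identity $group -Server $forest.RootDomain -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $state = if ($members -contains $me) { 'member' } else { 'NOT a member' }
    "{0,-18}: {1}" -f $group, $state
}

# 3. Exchange version markers in AD. Compare against Microsoft's published table for
#    your target CU; each value is bumped by the Setup.exe step noted.
$schemaVer = (Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" `
                -Server $forest.SchemaMaster -Properties rangeUpper -ErrorAction SilentlyContinue).rangeUpper
$orgVer    = (Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)" `
                -Filter 'objectClass -eq "msExchOrganizationContainer"' -Server $forest.SchemaMaster `
                -Properties objectVersion -ErrorAction SilentlyContinue).objectVersion
"Schema rangeUpper        : $schemaVer   <- /PrepareSchema"
"Organization objectVersion: $orgVer   <- /PrepareAD"

# Every domain that will host Exchange servers or mailboxes needs /PrepareDomain.
foreach ($domain in $forest.Domains) {
    $dnc = (Get-ADRootDSE -Server $domain).defaultNamingContext
    $dv  = (Get-ADObject "CN=Microsoft Exchange System Objects,$dnc" -Server $domain `
              -Properties objectVersion -ErrorAction SilentlyContinue).objectVersion
    $state = if ($dv) { "objectVersion = $dv" } else { 'not prepared' }
    "Domain {0,-30}: {1}" -f $domain, $state
}

# 4. Don't wait for the replication interval: push the changes to every DC now.
repadmin /syncall /AdeP | Out-Null
```

Run it once before you start (expect the organization and domain values to be missing or old), then after /PrepareSchema and /PrepareAD to watch the numbers change; if they don’t move, the command ran against a DC that hasn’t replicated yet.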

Related Articles, References, Credits, or External Links

NA

Exchange: Noderunner.exe High CPU and Memory Usage


KB ID 0001412

Problem

After an Exchange 2007 to 2013 migration, the client emailed to say that noderunner.exe was maxing out the server memory and CPU.

The server was working fine otherwise. (I’d previously disabled the search index on the datastore to speed up the migration, and had only re-enabled it that day, so I assumed that’s what the problem was. I disabled it once more and jumped on after hours for a look.)

You may also see Event ID 1009 logged;

Solution

First thing is to cap the memory that noderunner.exe uses, to do that edit the {Drive-Letter}:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe.config.

Locate the ‘memoryLimitMegabytes=”0″‘ value.

Change it from ZERO, (use everything) to 250 and save the file.

Before we go any further lets check the database index status, execute the following command;

Get-MailboxDatabaseCopyStatus | Select Name,Status,ContentIndexState

Note: Mine say FailedAndSuspended, (if yours are healthy, simply restart the services below and don’t delete the index folders).

Stop the ‘Fast search’ and ‘Host controller’ services;

Stop-Service MSExchangeFastSearch

Stop-Service HostControllerService

To find out where your Database files (.edb files) are, issue the following command;

Get-MailboxDatabase -Status | Select EdbFilePath

Go to each location, and in the same folder will be a folder with a long hexadecimal name (the GUID of the database; on Exchange 2013 it carries a version suffix as well). Delete the folder, and repeat for each database that has a problem.

Start the services again;

Start-Service MSExchangeFastSearch

Start-Service HostControllerService

Check the index health again;

Note: If you are running Exchange 2013, make sure you update it to a cumulative update later than CU12.
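The whole procedure as one script, so you only rebuild the indexes that are actually broken and never delete a healthy one by picking the wrong folder. This is an added example, not from the original article; it runs in the Exchange Management Shell on the affected server, reads the install path from the ExchangeInstallPath environment variable the installer sets, and assumes the only element in noderunner.exe.config carrying a memoryLimitMegabytes attribute is the one the article tells you to edit.

```powershell
# Added example, not from the original article: cap noderunner.exe, rebuild only the
# failed content indexes, and re-check. Run from the Exchange Management Shell.
# Assumes the one element with a memoryLimitMegabytes attribute is the one to edit.
$config = Join-Path $env:ExchangeInstallPath 'Bin\Search\Ceres\Runtime\1.0\noderunner.exe.config'

# 1. Cap the memory (0 means 'no limit'). Keep a copy of the original config first.
Copy-Item -Path $config -Destination "$config.bak" -Force
$xml  = [xml](Get-Content -Path $config -Raw)
$node = $xml.SelectSingleNode('//*[@memoryLimitMegabytes]')
"memoryLimitMegabytes: $($node.GetAttribute('memoryLimitMegabytes')) -> 250"
$node.SetAttribute('memoryLimitMegabytes', '250')
$xml.Save($config)

# 2. Only copies whose index has failed get rebuilt; Healthy or Crawling copies are left alone.
$broken = @(Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME |
            Where-Object { $_.ContentIndexState -in 'Failed', 'FailedAndSuspended' })
$broken | Format-Table Name, Status, ContentIndexState -AutoSize

if ($broken.Count -gt 0) {
    Stop-Service -Name HostControllerService -Force
    Stop-Service -Name MSExchangeFastSearch  -Force

    foreach ($copy in $broken) {
        # The index folder sits next to the .edb and is named after the database GUID
        # (Exchange 2013 appends a suffix such as '12.1.Single', hence the wildcard).
        $db     = Get-MailboxDatabase -Identity $copy.DatabaseName
        $edbDir = Split-Path -Path $db.EdbFilePath.PathName -Parent
        Get-ChildItem -Path $edbDir -Directory -Filter "$($db.Guid)*" | ForEach-Object {
            "Deleting index folder $($_.FullName)"
            Remove-Item -Path $_.FullName -Recurse -Force
        }
    }
}

# 3. Restart search either way (the new memory cap needs it) and watch the rebuild start.
Start-Service -Name MSExchangeFastSearch
Start-Service -Name HostControllerService
Start-Sleep -Seconds 60
Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME |
    Format-Table Name, Status, ContentIndexState -AutoSize
```

After the restart the state should move through Crawling back to Healthy; how long that takes depends on the size of the database.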

Related Articles, References, Credits, or External Links

NA

Exchange: Blank Certificate Name


KB ID 0001411

Problem

You see this a lot with 3rd party (purchased) certificates, especially if you have imported them from something else e.g. a web site, appliance, NetScaler, etc.

Blank Certificate Name

The correct certificate is there, it’s just got no name.

Solution

Open an MMC console (Start > Run > mmc {enter}) > File > Add/Remove Snap-in > Certificates > Computer account > ‘Local Computer’ > Personal > Certificates > Locate your cert > right click > Properties.

Certificate Properties

Enter a ‘Friendly Name’ > Apply > OK > Close the MMC.

Certificate Friendly Name

Back in Exchange Admin Center, simply click refresh.

Refresh Exchange Certificates
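If you would rather not click through the MMC, or have several nameless certificates, the same thing can be done from an elevated PowerShell on the Exchange server. This is an added example, not from the original article; it also flags a certificate that was imported without its private key, which Exchange cannot use for IIS or SMTP no matter what you call it.

```powershell
# Added example, not from the original article: give every computer certificate that has
# no friendly name one derived from its CN and expiry, and warn about missing private keys.
# Run elevated on the Exchange server.
$nameless = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { -not $_.FriendlyName }

foreach ($cert in $nameless) {
    # Pull the CN out of the subject, e.g. 'CN=mail.example.com, O=Example' -> 'mail.example.com'
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''

    # Subject Alternative Names, if the certificate has any (wildcard/SAN certs usually do).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    "{0}`n  Thumbprint : {1}`n  Expires    : {2:yyyy-MM-dd}`n  SAN        : {3}`n  PrivateKey : {4}" -f `
        $cn, $cert.Thumbprint, $cert.NotAfter, $san, $cert.HasPrivateKey

    if (-not $cert.HasPrivateKey) {
        Write-Warning "$cn has no private key: re-export it from the source as a PFX *including* the key."
    }

    # FriendlyName is a property of the store entry, not of the certificate itself, so setting
    # it on an object from the Cert: drive is persisted to the store and appears in EAC on refresh.
    $cert.FriendlyName = "$cn (expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
}

# Confirm what Exchange now sees (Exchange Management Shell).
Get-ExchangeCertificate | Format-Table FriendlyName, Subject, Services, NotAfter -AutoSize
```

The friendly name is purely cosmetic; the HasPrivateKey check is the one that matters, because a certificate imported from a web server or appliance as a bare .cer will look fine in the list but cannot be assigned to any Exchange service.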

Related Articles, References, Credits, or External Links

NA

There is Currently No Route to the Mailbox Database


KB ID 0001413

Problem

Background: I had just introduced Exchange 2016 into an Exchange 2013 environment. Mailboxes on Exchange 2016 can send external mail and internal mail (to Exchange 2013). No mail flows from Exchange 2013 to Exchange 2016, and external mail to Exchange 2016 (which flows through the 2013 server) also fails.

Event ID 5006

Cannot find information about owning Mailbox Server {server-path} for database {database-path} in routing tables with timestamp {time-stamp}. Recipients will not be routed to this database.

Event ID 5015

Microsoft Exchange cannot find a route to the source transport server or home MTA server {server-path} for connector {connector-path}  in routing tables with timestamp {time-stamp}. Microsoft Exchange is ignoring the source transport server.

Solution

Oh, I struggled with this for hours! I removed and recreated the receive connectors on the Exchange 2016 server. I went through ADSIEdit and checked all the databases, servers and connectors had inheritable permissions, and that the Exchange Servers group had the right permissions. I restarted the transport services, and rebooted the Exchange 2016 server.

I was about 7 pages deep in Google, translating Spanish and Russian tech posts, and starting to think I might have to ring Microsoft, when I stumbled on a TechNet post that had the same Event IDs I posted above.

ANNOYINGLY: The fix is to reboot the 2013 Exchange server! (So I had to plan in some downtime). I was a bit skeptical this would work, and it did take a few minutes, I watched the ‘Undeliverable Queue’ change and the mail get delivered.

Thank you EngineerBoy wherever you are!

Related Articles, References, Credits, or External Links

NA


Exchange: Can’t Delete a Database


KB ID 0001414

Problem

Every iteration of Exchange comes up with some new system/hidden mailbox type that stops me deleting mailbox databases!

This mailbox database contains one or more mailboxes,

This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, public folder mailboxes or arbitration mailboxes, Audit mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database <Database ID>. To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive. To get a list of all public folder mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -PublicFolder. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration. To get a list of all Audit mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -AuditLog. To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID>. To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -Archive. To disable a public folder mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -PublicFolder. To disable a Audit mailbox so that you can delete the mailbox database, run the command Get-Mailbox -AuditLog | Disable-Mailbox. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID> -Database <Database ID>.
Solution

OK, I’m assuming you don’t actually have any regular mailboxes in the database? The following will tell you;

Get-Mailbox -Database “Database-Name”

If you are running Exchange 2016 you might also have an AuditLog mailbox;

Get-Mailbox -Database “Database-Name” -AuditLog

For 2013 (and older) the likely culprits are Arbitration, Archive, or Discovery Search mailboxes (the latter you need an extra command to see, as they may be homed in another domain of the forest);

Get-Mailbox -Database “Database-Name” -Arbitration

Get-Mailbox -Database “Database-Name” -Archive

Set-AdServerSettings -ViewEntireForest $true

Get-Mailbox -Database “Database-Name”

To move a Discovery Search Mailbox;

Get-Mailbox DiscoverySearchMailbox* | New-MoveRequest -TargetDatabase “Target-Database”
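Rather than running each of those commands by hand and forgetting one, the script below checks every hidden mailbox type in one pass and moves the system mailboxes to another database, which is what the error text asks for (deleting arbitration mailboxes breaks approval workflows, the OAB and more). This is an added example, not from the original article; it runs in the Exchange Management Shell, the database names are placeholders, and it goes one step beyond the article by also checking -PublicFolder mailboxes and the -Monitoring (health) mailboxes that Exchange 2013 and later create, which the error text doesn’t list but which are the usual leftover.

```powershell
# Added example, not from the original article: find everything still homed in a database,
# including the hidden mailbox types, and move the system ones away so the database can go.
# Exchange Management Shell; database names are placeholders.
$Source = 'Database-Name'
$Target = 'Target-Database'

# Mailboxes in other domains of the forest are invisible without this.
Set-AdServerSettings -ViewEntireForest $true

# Regular mailboxes first, then each switch that selects a hidden type.
$found = @{ Regular = @(Get-Mailbox -Database $Source -ResultSize Unlimited) }
foreach ($sw in 'Archive', 'Arbitration', 'PublicFolder', 'AuditLog', 'Monitoring') {
    $p = @{ Database = $Source; ResultSize = 'Unlimited' }
    $p[$sw] = $true                       # splat the switch, e.g. -Arbitration
    try {
        $found[$sw] = @(Get-Mailbox @p -ErrorAction Stop)
    } catch {
        $found[$sw] = @()                 # switch unknown on this version (e.g. -AuditLog on 2013)
    }
}
$found.GetEnumerator() | Sort-Object Name | ForEach-Object { "{0,-13}: {1}" -f $_.Name, $_.Value.Count }

# Regular and archive mailboxes are yours to move or disable; decide that per user.
# System mailboxes should be *moved*, not deleted.
foreach ($type in 'Arbitration', 'PublicFolder', 'AuditLog', 'Monitoring') {
    foreach ($mbx in $found[$type]) {
        "Moving $type mailbox '$($mbx.Name)' -> $Target"
        New-MoveRequest -Identity $mbx.Identity -TargetDatabase $Target | Out-Null
    }
}

# Watch the moves; once everything is Completed the database can be removed.
Get-MoveRequest | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, TargetDatabase -AutoSize
```

Run the counting part first on its own if you just want to know what is blocking the delete; the moves only start once you are happy with the target database.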

I Can’t Find Anything and it Still Won’t Let Me Delete the Datastore?

Well, there are two things you can do;

1. On a Domain Controller, open ADSIEdit.msc and connect to ‘Configuration’. Navigate to Configuration > Services > Microsoft Exchange > {Organisation name} > Administrative Groups > {Administrative-Group-Name} > Databases > Delete the database from here (BE CAREFUL: CHECK TWICE, DELETE ONCE! You are editing the Exchange configuration partition directly, with no safety net). Then have a coffee, refresh your datastore view, and the offender will disappear.

ADSIEdit Delete Mailbox Database

2. With the database dismounted, move its .edb file to another folder, then mount the store. It will complain and ask if you want to mount an empty store > select ‘yes’ > You can then delete it.
Related Articles, References, Credits, or External Links

NA

Remote Desktop Services: Can’t Remove Dead Server


KB ID 0001415

Problem

I was doing some RDS work for a client today, and it would seem that at some time in the past their RDS licensing server had died and been replaced, and everything was working OK. But when I was adding roles to the new servers, this kept popping up;

Add RD Server

The following server in this deployment are not part of the server pool
1. Server-Name
The servers must be added to the server pool.

I could have ignored the error and finished the job, but things like this remaining ‘unfinished’ really wind me up. So I thought I’d sort it out.

Solution

At first I thought I could just dive into either ADSIEdit or ‘AD Sites And Services’, make a quick change and everything would be fixed. That revealed that the site licence server was set to a server that also didn’t exist! (So I fixed that, still the problem remained).

So if all else fails then use PowerShell, right?

Remove-RDServer -Server {Server-FQDN} -Role {ROLE}


Cannot Delete RD Server

Error: Object Reference not set to an instance of an object

After some research I discovered that the RDS deployment is stored in a database (the Windows Internal Database) on the connection broker(s). So you need to install ‘SQL Server Management Studio’ on your connection broker(s), then ‘Run As’ administrator.

Run Management Studio As Administrator

Connect to: \\.\pipe\MICROSOFT##WID\tsql\query

Under Databases you will find a database called RDCms > Expand that, and drill down to the tables. Locate rds.Server. Press the ‘New Query’ button > Right click the rds.Server table > Select Top 1000 Rows.

Locate Dead RDS Server

Locate your ‘Dead’ server here you can see mine has an ‘Id’ of 3. Look in the following tables and make sure there are no references to Id 3. (I didn’t have any, my only reference was in the rds.server table.)

  • rds.RoleRdcb (Connection Broker)
  • rds.RoleRdls (License Server)
  • rds.RoleRdsh (Session Host)
  • rds.RoleRdvh (Virtualisation Host)
  • rds.RoleRdwa (Web Access Host)

Back up the RDCms database before you change anything. Then in the query pane enter the following, adjusting as applicable (your column might be ServerId, and your server might be number 123);

use RDCms

delete from rds.server where Id=3

Delete Dead RDS Server

Press ‘Execute’, close Management Studio, and repeat on any remaining ‘Connection Brokers’. Have a coffee, then try again; the problem should be resolved.
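The same clean-up without Management Studio, from an elevated PowerShell on the connection broker. This is an added example, not from the original article: it backs up the WID database first, resolves the dead server’s Id from its name instead of reading it off a grid, refuses to delete while any role table still references it, and passes values as SQL parameters rather than pasting them into the statement. It assumes the rds.Server table has a Name column holding the FQDN (the Id and ServerId columns are as described above); the server name and backup path are placeholders.

```powershell
# Added example, not from the original article: remove an orphaned RDS server row from the
# connection broker's WID database safely. Elevated PowerShell on the broker.
# Assumes rds.Server has Id and Name (FQDN) columns and the role tables use ServerId.
$DeadServer = 'rds-lic-old.corp.example.com'      # placeholder
$BackupFile = 'C:\Backup\RDCms-before-cleanup.bak' # folder must be writable by NT SERVICE\MSSQL$MICROSOFT##WID

Add-Type -AssemblyName System.Data
$conn = New-Object System.Data.SqlClient.SqlConnection(
    'Data Source=np:\\.\pipe\MICROSOFT##WID\tsql\query;Initial Catalog=RDCms;Integrated Security=True')
$conn.Open()

# Small helper: run a statement with named parameters and return the result as a DataTable.
function Invoke-Sql([string]$Sql, [hashtable]$Params = @{}) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Params[$k]) }
    $dt = New-Object System.Data.DataTable
    (New-Object System.Data.SqlClient.SqlDataAdapter($cmd)).Fill($dt) | Out-Null
    return $dt
}

# 1. Full backup of the deployment database before touching it.
Invoke-Sql 'BACKUP DATABASE RDCms TO DISK = @f WITH INIT' @{ f = $BackupFile } | Out-Null
"Backed up RDCms to $BackupFile"

# 2. Resolve the dead server's Id by name; bail out unless exactly one row matches.
$row = Invoke-Sql 'SELECT Id, Name FROM rds.Server WHERE Name = @n' @{ n = $DeadServer }
if ($row.Rows.Count -ne 1) { throw "Expected one rds.Server row for $DeadServer, found $($row.Rows.Count)" }
$id = [int]$row.Rows[0].Id
"Dead server $DeadServer has Id $id"

# 3. Any role table still pointing at it must be dealt with first; never delete blind.
$refs = foreach ($t in 'RoleRdcb', 'RoleRdls', 'RoleRdsh', 'RoleRdvh', 'RoleRdwa') {
    $n = (Invoke-Sql "SELECT COUNT(*) AS c FROM rds.$t WHERE ServerId = @id" @{ id = $id }).Rows[0].c
    if ($n -gt 0) { "rds.$t ($n rows)" }
}
if ($refs) { throw "Id $id is still referenced from: $($refs -join ', '). Remove those rows first." }

# 4. Remove the orphaned server row.
Invoke-Sql 'DELETE FROM rds.Server WHERE Id = @id' @{ id = $id } | Out-Null
"Deleted rds.Server row $id. Repeat on every other connection broker, then retry the RDS wizard."
$conn.Close()
```

The backup matters more than it looks: the RDCms database is the whole RDS deployment description, and there is no undo for a direct table edit other than restoring it.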

Related Articles, References, Credits, or External Links

NA

FreeRDP Error: 0x2000D


KB ID 0001416

Problem

The day after I had deployed some RD Web Access servers, I got the call that all the Linux thin clients (Intel NUCs) could not connect to the RDP farm; all the Windows machines were fine.

Error

[08:19:16:178] [21254:21255] [ERROR][com.freerdp.core.transport] – BIO_read returned a system error 14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
[08:19:16:178] [21254:21255] [ERROR][com.freerdp.core] – freerdp_set_last_error ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x2000D]
[08:19:16:178] [21254:21255] [ERROR][com.freerdp.client.x11] – Freerdp connect error exit status 1

Solution

I was confused, because I’d not done any work on the Connection Broker (all the thin clients are ‘in-house’). While support started building a new broker, I researched the error online.

The reason this had started was Windows update KB4088776. After removing this update from the ‘Session Hosts’ and the ‘Connection Broker’, the Linux (FreeRDP) clients could reconnect.

Note: KB4088776 is a monthly cumulative security update, so removing it also removes the security fixes it carries; treat this as a stop-gap rather than a permanent fix.

Related Articles, References, Credits, or External Links

NA

PowerShell: Cannot Be Loaded Because Running Scripts is Disabled


KB ID 0001417

Problem

If you’ve arrived here, you are trying to run a script, and you cant;

Powershell cannot be loaded because Scripts are restricted

PS C:\Users\{User-name}> .\{script-name}.ps1
.\{script-name} : File C:\Users\{User-name}\{script-name} cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\{script-name}
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
PS C:\Users\{User-name}>


Solution

Execute the following command;

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Then run your script.

Powershell Bypass Execution Policy

THIS WILL ONLY WORK: While that PowerShell window is open, so don’t close it if you are running a lot of scripts.

I Want to Always be Able to Run Scripts?

OK, you can either change the ‘Scope’ of that last command from ‘Process’ to ‘CurrentUser’ or ‘LocalMachine’;

  • Process: The execution policy affects only the current Windows PowerShell process.
  • CurrentUser: The execution policy affects only the current user.
  • LocalMachine: The execution policy affects all users of the computer.

Or you can simply change the policy ‘Globally’;

Set-ExecutionPolicy {Value}

Powershell Execution Policy Unrestricted

Possible values are;

  • Restricted: Does not load configuration files or run scripts. Restricted is the default execution policy.
  • AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
  • RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
  • Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
  • Bypass: Nothing is blocked and there are no warnings or prompts.
  • Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.
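Before reaching for Bypass it is worth finding out why the script is blocked, because the usual answer under RemoteSigned is simply that Windows tagged the file as downloaded. The script below is an added example, not from the original article; the script path is a placeholder. It shows the policy per scope, clears the download tag with Unblock-File where that is the real problem, and only bypasses for a single process when the policy itself is the blocker.

```powershell
# Added example, not from the original article: diagnose a blocked script and apply the
# least drastic fix. The script path is a placeholder.
$Script = 'C:\Users\Someone\Downloads\Do-Something.ps1'

# 1. Which scope is winning? The first non-Undefined entry in this order is the effective policy.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"

# 2. Under RemoteSigned an unsigned script is only blocked if Windows marked it as downloaded
#    (the Zone.Identifier alternate data stream). Clear the mark and keep the policy as it is.
$zone = Get-Item -Path $Script -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    "Download mark present:"
    Get-Content -Path $Script -Stream Zone.Identifier   # ZoneId=3 means 'Internet'
    Unblock-File -Path $Script                          # removes the stream
}

# 3. Signature state: AllSigned needs a trusted signer on every script, RemoteSigned only on
#    downloaded ones, so this tells you whether signing (not policy) is what you are missing.
$sig = Get-AuthenticodeSignature -FilePath $Script
"Signature: $($sig.Status)   Signer: $($sig.SignerCertificate.Subject)"

# 4. If the policy really is the blocker, bypass it for one process instead of widening
#    LocalMachine for everyone. Execution policy is a guard against running scripts by
#    accident, not a security boundary, so a permanent Unrestricted buys exposure, not safety.
if ((Get-ExecutionPolicy) -in 'Restricted', 'AllSigned') {
    powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Script
} else {
    & $Script
}
```

In most ‘cannot be loaded’ cases the Unblock-File step alone fixes it, and the machine’s policy never has to change.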

Related Articles, References, Credits, or External Links

NA

Office 365: Migrating To Exchange Online


KB ID 0001418

Problem

This is Part-One of a migration from ‘on-premise’ Microsoft Exchange, to Office 365 (Exchange Online). I’m using my spare ‘test domain’ (.co.uk). And I’m using the 5 user E3 Office 365 subscription that the good folk at Microsoft let me have, as part of my MVP benefits.

Note: I’m using Exchange 2016, with a ‘full-hybrid’ migration into Office 365.

Step 1: Pre-Requisites

DNS: You will need access to the DNS records for your public domain, both to ‘prove’ it is your domain, and to divert mail flow, and client requests to Exchange online, rather than your on premise Exchange.

Licenses/Subscription: You need an Office 365 subscription with available licences for all the users you want to migrate. At the time of writing the plan I’d use is E3; E1 also includes Exchange Online, but without the Office desktop products, so I’ve never seen an E1 licensed migration. You’ll need access to Office 365 with a ‘global administrator‘ account.

O365 Admin

Backups: Not really a pre-requisite, but how are you going to back up your cloud mailboxes? As far as Microsoft is concerned, deleted online email is gone once its retention period expires (the amount of time after a user deletes it, i.e. up to 100 days). If your business continuity plan requires you to keep mail for ‘x‘ years, then you will need to think about Azure Backup, or a third-party backup solution.

Existing Exchange: Unless you are going to use a third-party migration tool, your on-premise Exchange needs to be at least Exchange 2010. So if you’re still on Exchange 2007/2003/2000, you need to either; 1) Upgrade your on-prem Exchange, 2) Do another on-prem migration before you start, or 3) Purchase a third-party migration tool. Note: With Exchange 2007 you can add one Exchange 2010 server, then migrate.

Certificates: You MUST HAVE a certificate on your Exchange that is publicly signed by a third-party certificate vendor. There’s no excuse to use self-signed certificates these days (for Exchange). For this exercise I bought a certificate for a year and it cost me less than ten dollars, that’s half the price of one user’s monthly licence for Office 365. WARNING: even with a correctly set up PKI environment with publicly published CRLs etc., your own certificates won’t work, and you won’t find out what’s wrong until you have migrated users, and carnage/downtime will ensue! BUY A CERTIFICATE: I’d recommend a wildcard cert for your public mail domain (a SAN certificate listing the mail and autodiscover names works just as well, and limits the damage if the private key is ever compromised).

O365 Certificates
User UPNs: I’ve covered this before; things will be a lot easier if you change all your users’ UPNs to match their email addresses.

Set UPN Correctly
For more information, see the following article;

Changing Domain Users’ ‘User Logon Names’ and UPN’s

Step 2: Onsite Preparation

Fail to prepare – prepare to fail.

What most people fail to do is make sure both their AD domain and existing Exchange are healthy (just because everything appears to be working doesn’t mean everything is healthy). Install the latest cumulative update for your on-premise Exchange server, and dig into the logs to make sure everything is as it should be!

Mailbox Replication Proxy Service

MRS Proxy is the same mechanism used for ‘cross-forest’ mailbox migrations; your on-prem Exchange will act as the MRS proxy for your mailbox migration. To enable MRS Proxy: Exchange Admin Center > Servers > Virtual Directories > EWS > Edit.

EWS Virtual Directory

General > Enable MRS Proxy Endpoint > Save

Exchange 2013 Enable MRS Proxy

You can also check the service is running, (Windows Key +R > Services.msc {Enter}).

Exchange 2013 Check MRS Service

Exchange 2010 Note: If you’re running Exchange 2010, you can enable MRS Proxy with the following PowerShell command;

Set-WebServicesVirtualDirectory -Identity “EWS (Default Web Site)” -MRSProxyEnabled $true -MRSProxyConnections 50
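The certificate, UPN and MRS Proxy prerequisites above are all things you can verify from the Exchange Management Shell before you start the Hybrid Configuration Wizard, rather than discovering them after users have moved. The script below is an added example, not from the original article; the public hostname is a placeholder, and it applies to Exchange 2010 through 2016.

```powershell
# Added example, not from the original article: pre-flight checks for the hybrid prerequisites
# (public certificate, UPN = primary SMTP, MRS Proxy). Exchange Management Shell, on-prem.
$PublicFqdn = 'mail.example.co.uk'   # placeholder: the name Office 365 will connect to

# 1. Certificate: must come from a public CA and cover the public name. Office 365 will not
#    trust an internal PKI, however well its CRLs are published.
$cert = Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'IIS' -and $_.Services -match 'SMTP' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$selfSigned = ($cert.Issuer -eq $cert.Subject)
$wildcard   = '*.' + ($PublicFqdn -split '\.', 2)[1]
$coversName = ($cert.CertificateDomains -contains $PublicFqdn) -or ($cert.CertificateDomains -contains $wildcard)
"Certificate : {0}`n  self-signed: {1}   covers {2}: {3}   expires: {4:yyyy-MM-dd}" -f `
    $cert.Subject, $selfSigned, $PublicFqdn, $coversName, $cert.NotAfter
if ($selfSigned -or -not $coversName) { Write-Warning 'The Hybrid Configuration Wizard will fail with this certificate.' }

# 2. UPNs: every mailbox user's UPN should equal their primary SMTP address.
$mismatch = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $u = Get-User -Identity $_.Identity
    if ($u.UserPrincipalName -ne $_.PrimarySmtpAddress.ToString()) {
        [pscustomobject]@{ Name = $_.Name; UPN = $u.UserPrincipalName; SMTP = $_.PrimarySmtpAddress }
    }
}
"UPN/SMTP mismatches: $(@($mismatch).Count)"
$mismatch | Format-Table -AutoSize

# 3. MRS Proxy: enable it on every EWS virtual directory and confirm ExternalUrl is set,
#    because Office 365 pulls mailboxes through that external URL.
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSProxyEnabled $true
Get-WebServicesVirtualDirectory | Format-Table Server, MRSProxyEnabled, ExternalUrl -AutoSize
```

Fix anything the UPN section lists before you run Azure AD Connect; mismatched UPNs synchronise as onmicrosoft.com logons and are much harder to untangle once the users exist in the cloud.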

Azure AD Connect

You can download Azure AD Connect from Microsoft; it can be installed on any member server. It will replicate your users and groups etc. into Office 365 (Azure AD). Download and execute the installer > Tick ‘I agree….’ >  Continue.

Azure AD Connect

Use Express Settings.

Note: You would only NOT use Express settings if you wanted to replicate only certain OUs/groups or sub-domains, or if you wanted to use ADFS (for example because you already had Azure secured services).

Azure AD Connect Express

Provide your office 365 logon details > Next.

Azure AD Connect Remote Credentials

Provide logon details for your on-premise domain > Next.

Azure AD Connect Local Credentials

You will probably only see your local domain, and it will be flagged ‘Not Added’ that’s fine, below you can see my public domain because it’s already been added to office 365, (I’ll cover that later) > Next.

Azure AD Connect Sign In Config

Tick ‘Exchange hybrid deployment’ > Install.

Azure AD Connect Exchange Hybrid

Read and act on any warnings > Exit.

Azure AD Connect Complete

Note: If, (as above) it asks you to enable the ‘AD Recycle bin’, see the following post;

Windows Server 2016: Active Directory Recycle Bin

It will take a while, (depending on the size of your AD,) to replicate.

Azure AD Connect Syncing

After a while you will start to see all your users appear in your office 365 portal, as they are replicated across.

AD Users Synced to O365

Enable Exchange Hybrid Deployment

Back in Exchange admin Center > Hybrid > Configure > Sign into Office 365.

Exchange Hybrid Setup

Once authenticated, notice the URL changes to Exchange online! > Configure.

Hybrid Office 365

Click here > Install.

Launch Exchange Hybrid Wizard

Run.

Configure Office 365 Exchange Hybrid

Next.

Hybrid connection wizard

I only have one on-premise Exchange server, so that’s selected (if you had multiple servers, choose the one you want to use) > Next.

Hybrid onsite Connector

Sign in.

Hybrid Exchange Connect to Office 365

Once authenticated > Next.

Hybrid Office Online Account

Full Hybrid > Next.

Full Hybrid Configuration

Enable.

Office 365 Enable Federation Trust

You need to create a TXT record in your public DNS to proceed.

Office 365 Hybrid Verify Domain Ownership

So I’ve jumped on my public DNS host’s management portal, and created the TXT record required.

Create Hybrid Exchange DNS Record

Tick ‘I have created…..’ > Verify > Next.

Hybrid Federated Domain Verified

I don’t have any ‘Edge Transport Servers’ > Next.

Configure CAS and Mailbox for Hybrid

Again I only have one, if you have multiple CAS servers, select the one you want > Next.

Hybrid Receive Connector

And again for the ‘Send Connector’ select the CAS server that will connect to Office 365 > Next.

Hybrid Send Connector

Select your certificate. MAKE SURE it has selected a publicly signed one, NOT a self signed one! > Next.

Hybrid Exchange Transport Certificate

Enter the correct public FQDN for your on-prem Exchange > Next.

Note: This must match a name on your certificate (the CN or a SAN entry), or if it’s a wildcard certificate, it must be within the same domain.

Hybrid Exchange Onsite FQDN

Update

Office 365 Hybrid Configuration

Close

How To Configure Office 365 Hybrid

So far so good, in Part Two, I’ll add my public domain to my Office 365 account and start migrating some users.
Related Articles, References, Credits, or External Links

NA
