Tuesday, November 18, 2014

Missing mailbox / Distribution list in Offline Address Book

You might experience this error during an Offline Address Book generation cycle:

Index : 94460
EntryType : Warning
EventID : 9327
Message : OALGen skipped some entries in the offline address list ‘\Global Address List’. To see which entries are affected, event logging for the OAL Generator must be set to at least medium.
- Default Offline Address List
Category : OAL Generator
CategoryNumber : 13
ReplacementStrings : {\Global Address List, Default Offline Address List}
Source : MSExchangeSA

After you set the event log level for the OAL Generator to at least medium, eg. by using this EMS command:
Set-EventLogLevel ‘MSExchangeSA\OAL Generator’ -level Medium
You start seeing these errors:

Index : 94454
EntryType : Error
EventID : 9325
Message : OALGen will skip user entry ‘user1′ in address list ‘\Global Address List’ because the SMTP address ” is invalid.
- Default Offline Address List
Category : OAL Generator
CategoryNumber : 13
ReplacementStrings : {user1, \Global Address List, , Default Offline Address List}
Source : MSExchangeSA

As we can see from the error in the Event Log, OAL Generator claims that the SMTP address ” (blank) is invalid. This is not surprising, as a blank address can not be used for anything.
I have discovered one reason for this error, there might be more. If the user’s primary SMTP address does not match the value in the mail attribute in Active Directory, this error is generated. This happens if you change the primary SMTP address in EMC. EMC does not update the address in the mail attribute. To see if you have any recipients in your organization that have a mismatch between these two values, run these EMS commands:

get-mailbox -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ft –auto

get-distributiongroup -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ft –auto

get-dynamicdistributiongroup -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ft –auto

This should be possible to do with Get-Recipient as well, but I cannot make it work. Get-Recipient always return every recipient in the organization.

To remedy this situation, these EMS commands may be of interest:

get-mailbox -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ForEach { Set-Mailbox $_ -WindowsEmailAddress $_.PrimarySMTPAddress }

get-distributiongroup -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ForEach { Set-distributiongroup $_ -WindowsEmailAddress $_.PrimarySMTPAddress}

get-dynamicdistributiongroup -resultsize unlimited | where { $_.WindowsEmailAddress -ne $_.PrimarySmtpAddress } | ForEach { Set-dynamicdistributiongroup $_ -WindowsEmailAddress $_.PrimarySMTPAddress}

You should probably test these commands with the –whatif parameter added to the Set cmdlets.
A good pointer as to which recipients have a mismatch between these values, are those recipients who no longer have their Email addresses updated by a recipient policy. You can quickly list which recipients are in this state:

get-mailbox -ResultSize unlimited | where { $_.EmailAddressPolicyEnabled -eq $false } | ft –auto

get-distributiongroup -ResultSize unlimited | where { $_.EmailAddressPolicyEnabled -eq $false } | ft –auto

get-dynamicdistributiongroup -ResultSize unlimited | where { $_.EmailAddressPolicyEnabled -eq $false } | ft –auto

Also recipients who are targets of E-Mail address policies (EAP), but where those policies have not been applied, are candidates for this error.

Lastly, you cannot set the mail attribute if a recipient is a target of an EAP.
Remember to set the Event Log level back to it’s original value after you have finished troubleshooting:

Set-EventLogLevel ‘MSExchangeSA\OAL Generator’ -level lowest

Monday, October 27, 2014

HyperV VHD Permissions

Due to a lack of resources on one of our HyperV hosts, I had to move the VHD to another drive to perform some work. When I moved the VHD back to the original location, I could not start it!
Apparently my earlier actions has stripped the Virtual Machine SID permissions and therefore Hyper-V couldn't take control of the file as necessary.  In order to restore the file permissions I ran the following:

icacls “<path to VHD>.vhd” /grant “NT VIRTUAL MACHINE\<virtual machine SID>”:F

If you don’t know the virtual machine SID, navigate to the folder storing your virtual machine files and click on the Virtual Machines subfolder.  Inside this folder is an XML document named the same as the SID

Thursday, October 9, 2014

Source IP Address Preference with Multiple IPs on a NIC

Deploying SCOM agents on servers in the DMZ isn't that difficult, what is so difficult about this?
All that is needed is to raise a Change Request for the Firewall Team to open up TCP 5723 between the SCOM Management Server and the server to be monitored. Well, you are right.
What about if the server is having a single NIC that is assigned several IP addresses?
That's where the challenge will come.

A behavior that changed with the introduction of Server 2008 is that the source IP address on a NIC will always be the lowest numerical IP. So that whole idea of your primary IP being the first one you put on the NIC will be used by the server to communicate is no longer valid.

For example, let’s say we build a new web server and configure the NIC with IP 10.0.0.100. This IP is registered in DNS and the server uses this IP as the source when communicating with other servers. Our fantastic network administrator has also created a NAT rule on the firewall to map this IP to a particular public IP for outbound SMTP so that our PTR lookups match up.

But now we want to add another IP for a new website and the network admin hands you a free IP which happens to be 10.0.0.50. You add this as an additional IP on the NIC and voila – you have a couple issues:

1) You just registered two names for the same server in DNS if dynamic registration is enabled.
2) Your server is now sending all outbound traffic from 10.0.0.50! (because 50 is lower than 100)

One of these is easily solved – just turn off dynamic registration and manually create the DNS records for the server. The other one is a little trickier because Server 2008 and 2008 R2 will still be sending traffic as the 10.0.0.50 IP.

Fortunately, there is a way to tell Windows not to use the lower numbered IP as a source address by adding the IP via the netsh.exe command. For Server 2008 SP2 and 2008 R2 RTM we need to apply a hotfix first. 2008 R2 SP1 included this fix by default so it is no longer required. Without the hotfix or SP1 you’ll find netsh.exe does not display or recognize the special flag.

Hotfix Downloads:
2008 SP2: http://support.microsoft.com/kb/975808
2008 R2 RTM: http://support.microsoft.com/kb/2386184/

The key to this is the IP address must be added via netsh.exe with a particular flag. So if you’ve already added the IP address via the GUI you’ll need to remove it first. After that, use this command to add the secondary IP:

netsh int ipv4 add address "Local Area Connection" 1.2.3.4/24 SkipAsSource=true

The SkipAsSource flag does two things – first, it instructs Windows not to use this IP as a source IP for outgoing traffic. And secondly, it prevents the registration of this IP in DNS if dynamic registration is enabled. Two birds with one stone!

You can always view the status of the IPs and their SkipAsSource status with the following command:

netsh int ipv4 show ipaddresses level=verbose

Once you have done the above, you can now put in the correct IP address to be allowed for communications through the firewall in your change request.
:)