Changing SID of a cloned machine using sysprep tool

I created some VMs in my lab recently, and one of them was cloned. When I tried to add this particular Windows Server 2012 R2 VM to the domain, it showed the following error:


I used the Sysinternals tool PsGetSid to confirm that the machine SIDs of the base VM and the clone were the same.

So, the next thing to do is change the SID of the server I am trying to add to the domain. Sysprep ships with Windows by default and can perform this operation.

Open Run, type Sysprep and press Enter.


In the Sysprep folder, launch the sysprep application.


Select the Generalize check box and click OK.


Sysprep will run and, once it finishes, the machine will restart to the setup screens below.


Enter the requested values and you will be logged in to the machine. You may have to set the hostname and similar settings again.
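As an added example (not part of the original post), the SID comparison and the generalize run can be scripted with PowerShell. Instead of PsGetSid it derives the machine SID from the built-in Administrator account (RID 500); the host names are placeholders, and the remote queries assume WinRM is reachable.

```powershell
# Added example, not from the original post. Host names are placeholders.
function Get-MachineSid {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The built-in Administrator account always has RID 500 and its SID is
    # <machine SID>-500, so stripping the RID yields the machine SID (S-1-5-21-x-y-z).
    # Matching on the RID instead of the name also works when the account was renamed.
    $admin = Get-CimInstance -ClassName Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount = TRUE AND SID LIKE 'S-1-5-21-%-500'"
    return ($admin.SID -replace '-500$', '')
}

$base  = Get-MachineSid -ComputerName 'BASE-VM'    # placeholder
$clone = Get-MachineSid -ComputerName 'CLONE-VM'   # placeholder
"Base : $base"
"Clone: $clone"

if ($base -eq $clone) {
    Write-Warning 'Duplicate machine SID: generalize the clone before joining it to the domain.'
    # Run this on the clone. /generalize regenerates the SID, /oobe shows the setup
    # screens after the reboot and /reboot restarts automatically. Local settings such
    # as the host name are reset, so record them first.
    # & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /reboot
}
```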

Error “Passive copy of Mailbox Database is not in a good state. Status: FailedAndSuspended”

Recently it was noticed that an active mailbox database copy had failed over and was left in a “Failed and Suspended” status.


Upon analyzing the event viewer, the following alerts were noticed:


The first thing you can do is right-click the problematic database copy and select Resume Mailbox Database Copy.


The database copy will start re-synchronizing and should become healthy. If the issue persists, right-click the database copy and select the Update Mailbox Database Copy option to reseed it.


You can also use Exchange shell to troubleshoot these issues.
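The same resume-then-reseed sequence from the Exchange Management Shell, as an added example that is not from the original post; the database and server names are placeholders.

```powershell
# Added example, not from the original post. Database and server names are placeholders.
$copyId = 'MailboxDB01\MBX02'   # <database>\<server holding the passive copy>

# Same state the console shows: health, copy/replay queue lengths and last error
$copy = Get-MailboxDatabaseCopyStatus -Identity $copyId
$copy | Format-List Name, Status, ContentIndexState, CopyQueueLength, ReplayQueueLength, ErrorMessage

if ([string]$copy.Status -eq 'FailedAndSuspended') {
    # Equivalent of "Resume Mailbox Database Copy": let replication retry
    Resume-MailboxDatabaseCopy -Identity $copyId
    Start-Sleep -Seconds 120
    $copy = Get-MailboxDatabaseCopyStatus -Identity $copyId
}

if ('Failed', 'FailedAndSuspended' -contains [string]$copy.Status) {
    # Equivalent of "Update Mailbox Database Copy": reseed from the active copy.
    # The copy has to be suspended first; -DeleteExistingFiles discards the stale
    # database and log files on the passive server before the reseed.
    Suspend-MailboxDatabaseCopy -Identity $copyId -Confirm:$false
    Update-MailboxDatabaseCopy -Identity $copyId -DeleteExistingFiles -Confirm:$false
}

# Re-check the copy, then look at the replication service events on the passive server
Get-MailboxDatabaseCopyStatus -Identity $copyId | Format-Table Name, Status, ContentIndexState -AutoSize
Get-WinEvent -ComputerName 'MBX02' -MaxEvents 20 `
    -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchangeRepl' } |
    Format-Table TimeCreated, Id, Message -AutoSize
```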

When further analysis was performed, we found that the issue was caused by storage drive problems, which were later resolved.


Reference : http://exchangeserverpro.com/how-to-reseed-a-failed-mailbox-database-copy-in-exchange-server-2010/

Resolve “420 4.2.0 RESOLVER.ADR.Ambiguous; ambiguous address” error in Queue Viewer

Recently, while on shift, I noticed that the SCOM alerts indicated more than 200 messages in the queues of our transport servers. Upon checking Queue Viewer, I could see messages piling up in the queue with the error 420 4.2.0 RESOLVER.ADR.Ambiguous; ambiguous address.


As the error says, the messages were piling up because of a duplicate SMTP address. The event viewer log revealed the following:


The logs clearly say that another AD object has been assigned the duplicate email address, so the next step is to find that object and remove the address from it.

You can search for the email address in the Active Directory Users and Computers console, using a custom search on the “proxyAddresses” attribute.


Once you find the AD object, delete the ambiguous address from the proxyAddresses attribute of that other object.


Check and confirm that the issue has been resolved.
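The search and cleanup can also be done from an Exchange Management Shell with the ActiveDirectory module loaded. This is an added example, not from the original post: the address and the owner DN are constructed placeholders, and the owning object is chosen by the admin after reviewing the list rather than guessed by the script.

```powershell
# Added example, not from the original post. Address and DN are constructed placeholders.
Import-Module ActiveDirectory
$address = 'john.doe@contoso.com'

# proxyAddresses holds entries like 'smtp:john.doe@contoso.com' ('SMTP:' marks the
# primary address). The LDAP comparison is case-insensitive, so one filter finds both,
# and Get-ADObject covers users, contacts and groups alike.
$holders = @(Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$address)" `
    -Properties proxyAddresses, mail, objectClass)

"Objects carrying ${address}: $($holders.Count)"
$holders | Select-Object Name, ObjectClass, DistinguishedName, mail | Format-Table -AutoSize

if ($holders.Count -gt 1) {
    # After reviewing the list, put the DN of the object that should keep the address here
    $ownerDn = 'CN=John Doe,OU=Users,DC=contoso,DC=com'   # placeholder

    $stale = $holders | Where-Object { $_.DistinguishedName -ne $ownerDn }
    foreach ($obj in $stale) {
        # Remove only the matching entry, preserving the object's other addresses
        $entry = $obj.proxyAddresses | Where-Object { $_ -ieq "smtp:$address" }
        Set-ADObject -Identity $obj -Remove @{ proxyAddresses = $entry }
        "Removed $entry from $($obj.DistinguishedName)"
    }
}

# Once the duplicate is gone, retry the queued messages instead of waiting for the next cycle
Retry-Queue -Filter "Status -eq 'Retry'"
```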

Move File Share Witness to another server

A DAG is configured in my client’s Exchange environment, and the file share witness is hosted on a Hub Transport server. Due to the O365 migration, management decided to reduce the number of on-premises servers. Hence, the current FSW server, which also happened to be a CAS/HUB server, was planned for decommission, so we had to move the FSW to a different CAS/HUB server.

This can be done either through the GUI or through the shell.

In the GUI, open the DAG properties and replace the existing values with the new witness directory and server details. Click OK and confirm whether the changes have been applied.


To make the same change through the Exchange shell, run the command below:

Set-DatabaseAvailabilityGroup -Identity "DAGName" -WitnessServer "ServerName" -WitnessDirectory "Directory"

To confirm, run:

Get-DatabaseAvailabilityGroup -Identity "DAGName" | Select Wi*

Configure RpcClientAccessServer Attribute on Mailbox Database

Recently, my team was notified of an issue affecting Outlook clients: Outlook would not launch for any user at a particular site. The Outlook connection status showed it trying to connect to the F5 load balancer/CAS array, but the connection dropped immediately.


We suspected an issue on the load balancer side and therefore planned to bypass it and connect directly to a CAS server instead.

We tried to manually configure Outlook for a test mailbox with the FQDN of the CAS server, but the profile configuration was not successful. A DAG was configured and the mailbox database holding the mailbox had a copy on another Mailbox server. I activated the passive copy and observed the status, but the issue persisted.

It was then noticed that the RpcClientAccessServer attribute of the mailbox database pointed to the FQDN of the CAS array, which was expected. For Outlook to bypass the CAS array and connect directly to the CAS server, this attribute value has to be changed to point to the CAS server.

The following cmdlets were used for this.

First, to view the current configuration, run the command below in the Exchange shell:

Get-MailboxDatabase -Identity MailboxDatabase | Select RpcClientAccessServer

Now, to modify the attribute to point to the CAS server:

Set-MailboxDatabase -Identity MailboxDatabase -RpcClientAccessServer 'CASServerFQDN'

Once this change was made, Outlook connected directly to the CAS server and the connection was established. Later it was identified that network/port issues had prevented the connection. The above change was then reverted and the RpcClientAccessServer attribute was pointed back to the CAS array.

Hide DL membership in Exchange 2010

As we know, when sending mail to a distribution group, we can view the members of the group by clicking the ‘+’ symbol next to the email address in Outlook.


If you want to prevent the distribution group from being expanded, you can do so through ADSI Edit as described below:

Launch ADSI Edit, find your distribution group and select Properties.

Select Attribute Editor and find the attribute ‘hideDLMembership’. Set its value to ‘True’ to hide the membership of the DL.


Reference : http://exchangeblog.pl/en/tag/distribution-group-en/

Disable Clutter folder in Office 365

Office 365 added a new feature called Clutter in June 2015. If you have an Exchange Online mailbox, a new folder called Clutter will be available. It performs intelligent email filtering and, based on an individual’s behaviour, moves low-priority mail to this folder.

Some see it as a great feature, while others feel it is unnecessary. This post therefore describes how to disable the Clutter folder, or de-clutter your inbox. 🙂

For an individual user, this can be done through the OWA settings. Once logged in to OWA, select Options -> Mail -> Clutter.

If Clutter is enabled, you will see the screen below:


Simply un-check the boxes and save the settings to disable this feature.

Note that even after you disable the feature, the Clutter folder remains in your mailbox and all mail previously moved into it stays there. Since the feature is now disabled, new mail will no longer be moved to this folder.

An administrator can disable a user’s Clutter folder through PowerShell as follows:

Set-Clutter -Identity user@domain.com -Enable $false

To disable the Clutter feature globally, use the cmdlet below (this may take some time):

Get-Mailbox | Set-Clutter -Enable $false

At some point, administrators may have to disable this feature for a certain set of people in the organization based on some parameter or attribute, for example the Company attribute. In that case you can use the cmdlets below.

For simplicity, we assign all the user mailboxes in the Contoso company to a variable and then pipe that variable to Set-Clutter to disable the feature.

$contosousers = Get-Recipient -Filter {Company -eq "Contoso"} | Where-Object {$_.RecipientType -eq "UserMailbox"}

In the next step, execute:

$contosousers | Set-Clutter -Enable $false

This may also take some time depending on the number of mailboxes.

Configuring Send on Behalf permission for a shared mailbox in Exchange Online

Most of you will have noticed that there is no option to configure Send on Behalf permission for shared mailboxes in O365. This can be done only with PowerShell. Run the command below to achieve this:

Set-Mailbox -Identity test@contoso.com -GrantSendOnBehalfTo testuser

where ‘test@contoso.com’ is the shared mailbox and ‘testuser’ is the user account or mailbox to which the permission is assigned.

You can confirm the above operation with the Get cmdlet below:

Get-Mailbox -Identity mailbox | FL GrantSendOnBehalfTo


Reference : https://technet.microsoft.com/en-us/library/jj919240(v=exchg.150).aspx

Recovering a mailbox in an Exchange Hybrid Environment

In a hybrid environment, a user account can be of two types:

a) A user account managed in the cloud

b) A user account synced from on-premises Active Directory

In the first case, if the user account and its corresponding mailbox are deleted (soft delete), they can be restored from O365 itself, from the Deleted Users section. By default, the retention period configured for an Exchange Online mailbox is 14 days; you can extend this up to a maximum of 30 days.

To check the configured retention period through Exchange Online PowerShell, use: Get-Mailbox | FL RetainDeletedItemsFor

To change the retention period to the maximum of 30 days, use: Set-Mailbox -Identity "Name" -RetainDeletedItemsFor 30

In the latter case, however, if the user account and its corresponding mailbox are deleted, the user account should be restored in the on-premises AD first. The mailbox will re-attach automatically after the next directory synchronization.

In the scenario we are about to discuss, we will merge the contents of a disconnected mailbox into a new mailbox in Exchange Online. So let’s start:

We have a disconnected source mailbox in Exchange Online. A new AD user account and remote mailbox were provisioned; this will be the target mailbox.

Note: You may think that instead of provisioning a new mailbox, we could have attached the disconnected mailbox to the new AD account. It does not work that way, because the GUID of the old account differs from that of the newly created one, which will cause issues.

  • The next step is to identify the GUIDs of the soft-deleted mailbox and the target mailbox. For this you will have to connect to Exchange Online through PowerShell first. You can refer here to connect to Exchange Online.

Once connected, use the following cmdlets:

For the soft-deleted mailbox: Get-Mailbox -SoftDeletedMailbox -Identity "Name" | FL

For the target mailbox: Get-MailboxStatistics -Identity "Name" | FL

  • Now, run the cmdlet to restore the mailbox: New-MailboxRestoreRequest -SourceMailbox "GUID" -TargetMailbox "GUID"

You can also restore the archive mailbox: New-MailboxRestoreRequest -SourceMailbox "GUID" -SourceIsArchive -TargetMailbox "GUID" -TargetIsArchive

If you need to restore both the regular mailbox and the archive, run both commands one after the other.
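The whole procedure, with the GUIDs pulled from the mailbox objects and the request polled to completion, as an added example that is not from the original post. It assumes an open Exchange Online PowerShell session, placeholder mailbox names, and the -AllowLegacyDNMismatch switch of New-MailboxRestoreRequest for the case where the recreated account has a different LegacyExchangeDN.

```powershell
# Added example, not from the original post. Assumes an open Exchange Online
# PowerShell session; the mailbox names are placeholders.
$source = Get-Mailbox -SoftDeletedMailbox -Identity 'Old User'
$target = Get-Mailbox -Identity 'New User'

# Sanity check before moving data: the two GUIDs must differ, otherwise you are
# about to restore a mailbox into itself.
if ($source.ExchangeGuid -eq $target.ExchangeGuid) { throw 'Source and target are the same mailbox' }
"Source: $($source.DisplayName)  $($source.ExchangeGuid)"
"Target: $($target.DisplayName)  $($target.ExchangeGuid)"

# The new account carries a different LegacyExchangeDN than the deleted one, which is
# why the request is allowed to proceed despite the mismatch. Add -SourceIsArchive and
# -TargetIsArchive in a second request to merge the archive as well.
$req = New-MailboxRestoreRequest -SourceMailbox $source.ExchangeGuid `
    -TargetMailbox $target.ExchangeGuid -Name 'Restore-OldUser' -AllowLegacyDNMismatch

# Poll until the request reaches a terminal state
do {
    Start-Sleep -Seconds 60
    $stats = Get-MailboxRestoreRequestStatistics -Identity $req.Identity
    '{0}: {1} ({2}% complete)' -f $stats.Name, $stats.Status, $stats.PercentComplete
} while ('Completed', 'CompletedWithWarning', 'Failed' -notcontains [string]$stats.Status)

# Anything other than a clean completion: pull the detailed report for the cause
if ([string]$stats.Status -ne 'Completed') {
    Get-MailboxRestoreRequestStatistics -Identity $req.Identity -IncludeReport | Format-List Report
}
```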

Reference : http://blogs.technet.com/b/exchange/archive/2015/01/13/a-better-way-to-recover-a-mailbox.aspx

Configuring Impersonation rights in Exchange 2010

Recently, the IT team decided to try out a third-party add-on that supports Exchange Online with the Outlook client. To configure this add-on on the server, one of the requirements was a service account able to impersonate the users in a distribution group. This post provides the steps to achieve that.

Starting with Exchange 2010, the permission model is Role Based Access Control (RBAC), which allows fine-grained yet easy control over the permissions assigned to users and administrators. Impersonation leverages RBAC, and in this post we discuss the ApplicationImpersonation management role associated with it.

First, we define a management scope (say, “TestImpersonationScope”) that filters to the members of the distribution group (say, “Admin Group”):

New-ManagementScope -Name:TestImpersonationScope -RecipientRestrictionFilter:{MemberOfGroup -eq "Admin Group"}

You can use the command below to get more information on the created management scope:

Get-ManagementScope "TestImpersonationScope" | FL

Now, run the command below to allow the service account (say, “testuser”) to impersonate all members of the created scope:

New-ManagementRoleAssignment -Name:"Admin Group Impersonation Role" -Role:ApplicationImpersonation -User:testuser -CustomRecipientWriteScope:TestImpersonationScope

You can also configure impersonation for all users in an organization.
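As an added example (not from the original post), the same scope and assignment with two checks a practitioner wants before handing out the service account: which recipients the scope really matches, and which other ApplicationImpersonation assignments exist with a wider scope. The MemberOfGroup filter is assumed to take the group’s distinguished name, so it is looked up rather than typed; group, scope and account names are placeholders.

```powershell
# Added example, not from the original post. Names are placeholders.
$group = Get-DistributionGroup -Identity 'Admin Group'

# MemberOfGroup is matched against the group's distinguished name, so resolve it
New-ManagementScope -Name 'TestImpersonationScope' `
    -RecipientRestrictionFilter "MemberOfGroup -eq '$($group.DistinguishedName)'"

# Preview the recipients the scope covers: this is the exact set the service
# account will be able to impersonate, so it should contain nothing unexpected
$scope = Get-ManagementScope -Identity 'TestImpersonationScope'
Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter |
    Format-Table Name, RecipientType, PrimarySmtpAddress -AutoSize

New-ManagementRoleAssignment -Name 'Admin Group Impersonation Role' `
    -Role ApplicationImpersonation -User 'testuser' `
    -CustomRecipientWriteScope 'TestImpersonationScope'

# Review every ApplicationImpersonation assignment: an entry with no custom write
# scope is organization-wide, which is the case to justify or remove
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
```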

References :
https://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx
http://blogs.msdn.com/b/dhruvkh/archive/2011/10/19/impersonation-in-the-times-of-rbac.aspx