Wednesday, March 4, 2015

PowerShell one-liner: How to find the AD site name?

How can we query the AD site name of a server with PowerShell? One way to do this is through the .NET ActiveDirectorySite Class:

[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

An alternative approach is to read the DynamicSiteName value under the HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key, which holds the site name Netlogon cached at the last site discovery.

(Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\Netlogon\parameters").DynamicSiteName
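Both lookups combined in one function, as an added example that is not part of the original post: it queries the site through the .NET class and the Netlogon registry value, flags a mismatch between the two, and lists the domain controllers AD places in that site (the Servers property of ActiveDirectorySite). The function name is my own choice.

```powershell
# Added example (not from the original post): AD site via both methods, plus the
# DCs that AD associates with the site. Requires a domain-joined machine.
function Get-ComputerSiteInfo {
    # Method 1: live lookup through the .NET ActiveDirectorySite class
    try {
        $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
    }
    catch {
        throw "GetComputerSite() failed (is this machine domain-joined?): $($_.Exception.Message)"
    }

    # Method 2: the site name Netlogon cached in the registry at the last site discovery
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $cached  = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).DynamicSiteName

    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        SiteFromAD              = $site.Name
        SiteFromRegistry        = $cached
        SitesAgree              = ($site.Name -eq $cached)
        # Useful when checking why a server authenticates against an unexpected DC
        DomainControllersInSite = @($site.Servers | ForEach-Object { $_.Name })
    }
}

Get-ComputerSiteInfo | Format-List
```

A mismatch between the two values is worth a second look: the registry value is only refreshed when Netlogon re-discovers the site, so it can lag behind a subnet or site change in AD.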


Tuesday, March 3, 2015

Exchange and support for CNG/KSP certificates

Cryptography Next Generation (CNG) is a set of APIs which can be found in Windows Server 2008 and newer. CNG offers an advanced set of features to create hashes, encrypt and decrypt data and to manage keys and cryptographic providers. CNG implements the United States government's Suite B cryptographic algorithms. As the hipsters say, CNG is the new PKI but you probably haven't heard of it.

One of the features of CNG is creating certificates that use a Key Storage Provider (KSP) to store the private key, as opposed to a Cryptographic Service Provider (CSP) like regular certificates do. Exchange does not support this type of certificate for securing OWA and ECP. You will notice this immediately after installing such a certificate, because your users are returned to the FBA (forms-based authentication) screen after logging in.

Read the following article for more information and workarounds: Outlook Web App and ECP redirect to the FBA page in Exchange Server 2013
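A way to spot a KSP-backed certificate before it is assigned to the IIS service, as an added example that is not part of the original post: it parses the output of certutil -store My and reports the provider holding each private key. The function name is my own; the assumption is that certutil prints one "================ Certificate N ================" header per certificate and a "Provider = ..." line for each key the machine can access.

```powershell
# Added example (not from the original post): list machine certificates with a
# private key and the provider holding that key, flagging KSP (CNG) ones.
# Assumption: certutil -store My output format as described in the lead-in.
function Get-MachineCertKeyProvider {
    $entries = @()
    $current = $null
    foreach ($line in (& certutil.exe -store My 2>&1)) {
        if ($line -match '^=+ Certificate \d+ =+') {
            # New certificate block: flush the previous one
            if ($current) { $entries += $current }
            $current = [PSCustomObject]@{ Subject = $null; Thumbprint = $null; Provider = $null; IsKSP = $false }
        }
        elseif ($null -eq $current) { continue }
        elseif ($line -match '^Subject:\s*(.+)$')           { $current.Subject    = $Matches[1].Trim() }
        elseif ($line -match '^Cert Hash\(sha1\):\s*(.+)$') { $current.Thumbprint = ($Matches[1] -replace '\s', '') }
        elseif ($line -match '^\s*Provider\s*=\s*(.+)$') {
            $current.Provider = $Matches[1].Trim()
            # KSPs are named "... Key Storage Provider"; legacy CSPs are "... Cryptographic Provider"
            $current.IsKSP = $current.Provider -like '*Key Storage Provider*'
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

# Only certificates with an accessible private key have a Provider line
Get-MachineCertKeyProvider |
    Where-Object { $_.Provider } |
    Format-Table Thumbprint, Subject, Provider, IsKSP -AutoSize
```

Run it on the Exchange server as an administrator; any certificate with IsKSP set to True is one to avoid for the IIS service until it has been re-issued with a CSP-backed key.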

Monday, March 2, 2015

Free KEMP LoadMaster load balancer!

This is very cool! KEMP gives away the LoadMaster Application Delivery Controller for free. The LoadMaster for Azure was already free, now the virtual appliance is available in a free edition too. Available for all supported hypervisors (VMware, Hyper-V, KVM, Xen, Oracle VirtualBox).

The free VLM has some limitations, for instance the HA setup with an active and hot stand-by unit is not supported. Another important limitation is that the free LoadMaster doesn't come with the awesome support paying customers receive. There are also some bandwidth and SSL TPS limitations; all in all, nothing that matters much for most home, lab, testing and other non-production deployments.


Get yours now at http://freeloadbalancer.com/

Friday, February 20, 2015

Outlook Anywhere Kerberos and moving to Exchange 2013? Read this first.

If you run Exchange 2010 and are using Kerberos authentication for Outlook in a load-balanced environment, you have probably scheduled the RollAlternateServiceAccountPassword.ps1 script. This script updates the alternate service account credential (ASA credential) and pushes the new value to your CAS servers. Common parameter options are -ToEntireForest, -ToArrayMembers, or -CopyFrom combined with -ToSpecificServers. If you are familiar with the script, these need no further explanation.

Now consider a scenario where you used -ToArrayMembers and you add your first Exchange 2013 CAS server to that site. The script uses the Get-ClientAccessArray cmdlet to query the members of the array, and this cmdlet returns the Exchange 2013 CAS servers in that site too.


Unfortunately the script is not able to update the ASA credential on both 2010 and 2013 servers. This causes the script to fail when it tries to process the Exchange 2013 CAS server, which ultimately cancels the process of updating and synchronizing the ASA credential. Unless you configured specific monitoring for this process, you probably won't notice the issue before stuff breaks and users start complaining. To check if this issue applies to your environment:

Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | Fl Name, AlternateServiceAccountConfiguration

By the way, the RollAlternateServiceAccountPassword.ps1 script writes a log file in the $exinstall\Logging\RollAlternateServiceAccountPassword folder. Be aware that this log is written on the server where the script is executed, which is not necessarily the server where you scheduled the script to run.


There are several workarounds to prevent this from happening. First, you could consider deploying the Exchange 2013 CAS servers in another site. Another option is to update a single server first and then use the -CopyFrom and -ToSpecificServers parameters to update only the Exchange 2010 CAS servers you specify explicitly.
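The second workaround scripted, as an added example that is not the Exchange team's script and not part of the original post: it splits the CAS servers in a site by Exchange version (AdminDisplayVersion major 14 is Exchange 2010, 15 is Exchange 2013), shows the current ASA state on the 2010 servers, rolls the password on one of them and copies the credential to the rest. Assumptions: it runs from the Exchange 2010 Management Shell in $exscripts, the site name and the ASA account 'contoso\asa-account$' are placeholders, and -GenerateNewPasswordFor / -CopyFrom are valid together with -ToSpecificServers for the script version in use.

```powershell
# Added example (not from the original post): roll the ASA credential on the
# Exchange 2010 CAS servers of one site only, excluding Exchange 2013 servers.
# Placeholders: $siteName and the ASA account name below.
$siteName   = 'Default-First-Site-Name'
$asaAccount = 'contoso\asa-account$'

# Classify every CAS server by site and Exchange major version
$casServers = Get-ClientAccessServer | ForEach-Object {
    $srv = Get-ExchangeServer -Identity $_.Name
    [PSCustomObject]@{
        Name    = $srv.Name
        Site    = $srv.Site.Name
        Version = $srv.AdminDisplayVersion.Major   # 14 = Exchange 2010, 15 = Exchange 2013
    }
} | Where-Object { $_.Site -eq $siteName }

$cas2010 = @($casServers | Where-Object { $_.Version -eq 14 } | ForEach-Object { $_.Name })
$cas2013 = @($casServers | Where-Object { $_.Version -eq 15 } | ForEach-Object { $_.Name })

if ($cas2013.Count -gt 0) {
    Write-Warning "Exchange 2013 CAS servers in site $siteName are excluded: $($cas2013 -join ', ')"
}
if ($cas2010.Count -eq 0) { throw "No Exchange 2010 CAS servers found in site $siteName" }

# Current ASA state on the 2010 servers, before rolling
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Where-Object { $cas2010 -contains $_.Name } |
    Format-List Name, AlternateServiceAccountConfiguration

# Roll the password on the first 2010 server, then copy the resulting credential
# to the remaining 2010 servers only (the -CopyFrom / -ToSpecificServers route).
$source  = $cas2010[0]
$targets = @($cas2010 | Select-Object -Skip 1)

Set-Location $exscripts
.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServers $source -GenerateNewPasswordFor $asaAccount -Verbose
if ($targets.Count -gt 0) {
    .\RollAlternateServiceAccountPassword.ps1 -CopyFrom $source -ToSpecificServers $targets -Verbose
}
```

After the run, repeat the Get-ClientAccessServer check above: the AlternateServiceAccountConfiguration of every 2010 server should show the same, current credential.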


For more information on planning the migration from Exchange 2010 to Exchange 2013 with regards to Kerberos authentication I recommend this excellent article on the Exchange Team Blog: Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication

Thursday, February 19, 2015

PowerShell one-liner: Add a computer to a domain or workgroup

Today I ran into an issue where I needed to remove some servers from the domain, perform some tasks and add them again. Adding a server to the domain is very common, use the Add-Computer cmdlet like this:

Add-Computer -DomainName MyDomain.tld

Or even this to change the computer name in the process:

Add-Computer -DomainName MyDomain.tld -NewName server34

To remove a computer from the domain and add it to a workgroup we can use the Remove-Computer cmdlet:

Remove-Computer -Workgroup temp

Or maybe:

Remove-Computer -Workgroup temp -Force -Restart

Makes sense, doesn't it? Don't forget to use an elevated prompt (Run as Administrator) or all you will see is an Access Denied error.
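The leave-then-rejoin sequence from this post as a two-phase script, as an added example that is not part of the original post: it checks for an elevated prompt up front (so it stops before the Access Denied mentioned above), uses explicit credentials for the unjoin and join, and reports the membership state through Win32_ComputerSystem. Assumptions: 'MyDomain.tld' and the workgroup 'temp' are the names used in the post, the script is saved as a .ps1 and run once with -Phase Leave and, after the reboot and the maintenance work, once with -Phase Rejoin; the account entered at the prompt has rights to unjoin and join computers.

```powershell
# Added example (not from the original post): remove a server from the domain
# into a temporary workgroup, and rejoin it later, with an elevation check and
# explicit credentials. Placeholders: the default domain and workgroup names.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Leave', 'Rejoin')]
    [string]$Phase,
    [string]$DomainName = 'MyDomain.tld',
    [string]$Workgroup  = 'temp'
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MembershipState {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) { "domain $($cs.Domain)" } else { "workgroup $($cs.Workgroup)" }
}

if (-not (Test-IsElevated)) {
    throw 'Run this from an elevated prompt (Run as Administrator); otherwise the join/unjoin fails with Access Denied.'
}

$cred = Get-Credential -Message "Account allowed to unjoin/join $DomainName"
Write-Host "Current membership: $(Get-MembershipState)"

switch ($Phase) {
    'Leave' {
        # Phase 1: leave the domain into the temporary workgroup and restart.
        # Do the maintenance tasks after this reboot, then run again with -Phase Rejoin.
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $Workgroup -Force -PassThru -Restart
    }
    'Rejoin' {
        # Phase 2: join the domain again (add -NewName here to rename in the same step)
        Add-Computer -DomainName $DomainName -Credential $cred -Force -PassThru -Restart
    }
}
```

-PassThru makes both cmdlets return an object with a HasSucceeded property, which is what you want to log when this runs unattended on several servers.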

Can't install Edge Transport on domain member server.

I'm in the process of deploying a couple of Edge Transport servers in a DMZ domain. The installation on each of them failed at the same point with the exact same error message:

Active Directory operation failed on localhost. This error is not retriable. Additional information: The parameter is incorrect.
Active directory response: 00000057: LdapErr: DSID-0C090D14, comment: Error in attribute conversion operation, data 0, v23f0


Unfortunately I was not able to find information about the LDAP error code, not even a mention on a website or forum. So I went a couple of steps back and checked my implementation plan. Installing the prerequisites for Edge Transport is fairly simple and the DNS suffix was already set because this server is a domain member. Couldn't think of a mistake I made.

A quick search on the internet pointed me to an article Jaap Wesselius wrote a while ago: Edge Transport server fails in Active Directory domain. The issue Jaap describes is very similar, although the actual LDAP error is slightly different and was present in CU5 and CU6. Unfortunately I can confirm this issue is still there in CU7, assuming both our issues have the same root cause.

Due to time constraints I was not able to involve PSS to investigate the issue further and had to settle for the workaround of installing Exchange while the server is in workgroup mode. After the Edge Transport role was installed I was able to add the server to the domain, and Exchange was functioning properly.

Wednesday, February 18, 2015

Concerns about using 3rd party add-ins in Azure

Recently I deployed a WordPress website from the Azure Marketplace. As with most Azure services, the process of setting this up is very easy and a lot happens behind the scenes.

One of the configuration items is a MySQL database provided by ClearDB.


So after you deploy the solution, the ClearDB database will be linked to your Azure Website. So far so good.

This morning I got a call from the web designer who said 'the server is down'. After some more questions I understood that the website was still available, but the connection with the database failed.

I checked the Azure Health dashboard and all checks were green. This, to be honest, did not surprise me, because my experience with the availability of Azure services had been very good until today.


Next stop was the Notifications section in the Azure Portal, which showed nothing either. In the meantime the web designer called and said the database was back, but complained he had lost hours of work. At this point I was getting serious doubts about my decision to have my new company website built on Azure infrastructure.

At first I did not notice anything relevant on the ClearDB website until I read the FAQ again and noticed a link to their health information. It was immediately clear they had major issues in my region:


Unfortunately I discovered this hours after the incident happened and there was no mechanism in place for this information to reach me pro-actively.

I had a similar issue when I transferred some resources to a new Azure Subscription and someone deleted my SendGrid subscription. I had to visit the Azure Gallery, purchase the SendGrid service again and change the configuration of my Azure services to use the updated subscription.

Both incidents made me realize we still need to think of our services (website, email, ...) as a whole and include all dependent components in the picture. The fact that we are billed by Microsoft and manage the service from a single dashboard does not mean we have a single point of contact when it concerns support or health information.

Added to my (long) to-do list: Investigate if I can migrate from ClearDB MySQL to Azure SQL...

Friday, February 13, 2015

Cisco AnyConnect: Failed to initialize connection subsystem

Today I ran into this error when trying to start a Cisco AnyConnect VPN connection: Failed to initialize connection subsystem


After some reading I found the easiest way of fixing this issue is to run the Troubleshoot compatibility wizard against vpnui.exe in C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client.


Click Try recommended settings and note that the wizard has used Windows 8 compatibility mode:


Click Test the program... and apply the settings with Yes, save these settings for this program.

Restart the Cisco AnyConnect Secure Mobility Agent service or reboot your computer.


This happened on Windows 8.1 after I installed some updates, based on reports of other users I suspect Cumulative Security Update for Internet Explorer 11 for Windows 8.1 for x64-based Systems (KB3021952) may be the culprit. Other users report the same issue in Windows 10 Technical Preview.

Cisco AnyConnect observes the IE Work Offline setting for the System account. Recent updates to IE change this behaviour of IE, which seems to have broken Cisco AnyConnect. Based on my research, many similar products use the same approach and can run into issues on Windows 10 TP or on older versions of Windows with update KB3021952 installed.

An alternative approach would be to create a registry value to fool Cisco AnyConnect: add a value named GlobalUserOffline with data 1 under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

Thursday, February 12, 2015

Windows Mobile does not support your new SSL certificate

The world is moving away from SHA-1 certificates, which is a good thing from a security perspective. Major vendors like Microsoft and Google are forcing Certificate Authorities to issue certificates with the newer SHA-256 hashing algorithm. They do this by simply no longer trusting root CAs which issue SHA-1 certificates after a certain date.

What can you do? Not much actually, because every new SSL certificate you purchase or renew will be SHA-256. Of course there are old operating systems which don't support SHA-256, for instance XP versions older than SP3 and Server 2003 without SP2 installed. So basically every modern OS and even much older versions support SHA-256.


Now for us Exchange guys there may be an exception: Windows Mobile 5 and 6 do not support SHA-256. Yes, this operating system is very old and has been superseded by Windows Phone 7 and newer. However, it was sold until not very long ago, and devices with Windows Mobile may still be available. An example of such a device is the Samsung Omnia 735.

So if you have any users with a Windows Mobile device and are planning to renew your Exchange SSL certificate, please be aware of this issue. Depending on your situation you may consider replacing the devices, or even moving to SHA-1 certificates signed by your own CA. This obviously is not a safe long-term solution, but it may buy you some time before you can move to SHA-256 certificates.
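A report of the signature hash algorithm of every certificate Exchange has enabled for a service, as an added example that is not part of the original post: it looks each certificate up in the machine store, builds its chain and reports the algorithm of the leaf and of every chain element, since an intermediate signed with SHA-1 affects validation just as the leaf does. The function name is my own; it assumes the Exchange Management Shell on the server and certificates in Cert:\LocalMachine\My. The root's own self-signature is left out of the SHA-1 verdict because clients do not validate it.

```powershell
# Added example (not from the original post): signature algorithms of the
# Exchange certificates and their chains, flagging any SHA-1 below the root.
function Get-ExchangeCertSignatureReport {
    param([string]$Server = $env:COMPUTERNAME)

    Get-ExchangeCertificate -Server $Server | ForEach-Object {
        $x509 = Get-Item "Cert:\LocalMachine\My\$($_.Thumbprint)" -ErrorAction SilentlyContinue
        if (-not $x509) { return }

        # Build the chain as the local machine sees it (leaf first, root last)
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($x509)
        $chainAlgs = @($chain.ChainElements | ForEach-Object {
            $_.Certificate.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
        })
        # Drop the root: its self-signature is not validated by clients
        $belowRoot = @($chainAlgs | Select-Object -First ([Math]::Max($chainAlgs.Count - 1, 0)))

        [PSCustomObject]@{
            Thumbprint      = $_.Thumbprint
            Subject         = $_.Subject
            Services        = $_.Services
            NotAfter        = $x509.NotAfter
            LeafAlgorithm   = $x509.SignatureAlgorithm.FriendlyName
            ChainAlgorithms = ($chainAlgs -join ' > ')
            UsesSha1        = [bool]($belowRoot | Where-Object { $_ -match '^sha1' })
        }
    }
}

Get-ExchangeCertSignatureReport | Format-Table -AutoSize
```

Run it before the renewal to see where you stand, and again afterwards on the new certificate: if UsesSha1 turns False on the certificate bound to IIS, that is the moment the Windows Mobile devices in this post stop connecting.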

Wednesday, February 11, 2015

Fix those silly "106" Performance Counter events on Exchange 2013 servers

You've probably seen them too, lots of errors in the Application log of your Exchange 2013 server from source MSExchange Common and event id 106.


Performance counter updating error. Counter name is PowerShell Average Response Time, category name is MSExchangeRemotePowershell. Optional code: 2. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.

The issue is caused by an error in the Exchange setup process, where setup tries to read a performance counter definition from the wrong location.

The good news is that we can fix this very easily. Copy the following script to a text file and save it with the .ps1 extension.

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Setup
# $exinstall is set by the Exchange Management Shell and points to the Exchange install path
$files = Get-ChildItem $exinstall\setup\perf\*.xml
Write-Host "Registering the perfmon counters"
Write-Host
$count = 0
foreach ($i in $files)
{
   $count++
   $f = $i.FullName
   Write-Host $count $f -BackgroundColor Red
   # Registers the counters defined in this XML file
   New-PerfCounters -DefinitionFileName $f
}

Run the script from an Exchange management shell.

image

If you run into issues you can manually retry the process for a specific performance counter definition. For instance, to retry the counter definition that failed in the screenshot above:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Setup
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V15\setup\perf\WorkerTaskFrameworkPerfCounters.xml"
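A more targeted version of the retry, as an added example that is not part of the original post: it reads the 106 events from the Application log, pulls the category name out of each message (the sample above names MSExchangeRemotePowershell), finds the definition file under $exinstall\setup\perf that declares that category, and re-registers only those. The function names are my own; it assumes the Exchange Management Shell (so $exinstall is set) and that each definition XML carries its category as a Name="..." attribute.

```powershell
# Added example (not from the original post): re-register only the perf counter
# categories that event 106 reports as failing. Assumptions in the lead-in.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Setup -ErrorAction SilentlyContinue

function Get-FailedPerfCounterCategories {
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange Common'; Id = 106 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # Message text: "... category name is MSExchangeRemotePowershell. Optional code: ..."
        if ($_.Message -match 'category name is ([^,\.\s]+)') { $Matches[1] }
    } | Sort-Object -Unique
}

function Find-PerfDefinitionFile {
    param([string]$Category)
    # Assumption: the category appears as Name="<category>" inside the definition XML
    Get-ChildItem "$exinstall\setup\perf\*.xml" |
        Where-Object { Select-String -Path $_.FullName -Pattern "Name=`"$Category`"" -SimpleMatch -Quiet } |
        Select-Object -First 1
}

$failed = @(Get-FailedPerfCounterCategories)
if ($failed.Count -eq 0) { Write-Host 'No event 106 entries found; nothing to re-register.' }

foreach ($category in $failed) {
    $file = Find-PerfDefinitionFile -Category $category
    if (-not $file) {
        Write-Warning "No definition file found for category $category; register it manually."
        continue
    }
    Write-Host "Re-registering $category from $($file.FullName)"
    New-PerfCounters -DefinitionFileName $file.FullName
}
```

After the run, the next occurrence of a 106 event for the same category means the definition file was not the cause and the counter needs a closer look.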

Interesting detail is that Microsoft apparently wrote a KB article about this issue back in 2013 which I failed to pick up. I modified the script to work on servers with Exchange installed in a non-default path. If you prefer to use the original one, don't forget to change the path manually.