Wednesday, March 23, 2016

Trust Relationship Issues

This is a pretty common issue that has plagued Windows operating systems in a domain environment for as long as I can remember. The classic fix is to remove the computer from the domain, restart, and rejoin the domain.

PowerShell offers a much nicer and easier method of doing it.
From the computer having the issue, run PowerShell as Administrator (log in with a local account, if you have to, or pull the network cable out to log on, then plug it back in again once you've logged on).

Reset-ComputerMachinePassword -Server <Name of any domain controller> -Credential <domain admin account>

Example: Reset-ComputerMachinePassword -Server DC01 -Credential GARHAR\Administrator

After a reboot, the computer/Server should be working fine.

The cause of this can simply be that a second computer has been joined to the domain with the same name, causing the initial computer to lose the trust.

The most recent case of this for me was a 2012 R2 RDS server, which had been in production for less than 6 months. In this case, I do not know what caused it, which can happen quite often.

Tuesday, March 22, 2016

Exchange 2013 Mailbox Audit

Tasked with the request to gain a list of mailboxes a particular user had access to, I quickly devised a PowerShell cmdlet to accomplish this, and record the results in a text file.

Get-Mailbox | Get-MailboxPermission | ?{($_.AccessRights -eq "FullAccess") -and ($_.User -like 'DOMAIN\username') -and ($_.IsInherited -eq $false)} | ft id* > C:\temp\users.txt

Nice, quick, easy.

Exchange CU Update Failure on Transport

Recently I was updating Exchange 2013 at a client site, to CU11.
Everything was ticking along nicely, when the installer threw the following error. It's worth noting that this error can happen on all CU updates, if there is a Receive Connector set to Hub Transport.
Mailbox role: Transport service FAILED
The following error was generated when “$error.Clear();
$connectors = Get-ReceiveConnector -Server $RoleFqdnOrName;
foreach($connector in $connectors) { if($connector.MaxLocalHopCount -gt 1) { Set-ReceiveConnector -Identity $connector.Identity -MaxLocalHopCount 5 }};” was run: “Microsoft.Exchange.Management.SystemConfigurationTasks.ReceiveConnectorRoleConflictException: The values that you specified for the Bindings and RemoteIPRanges parameters conflict with the settings on Receive connector “EX2013SRV2\Test”. Receive connectors assigned to different Transport roles on a single server must listen on unique local IP address & port bindings.

My immediate reaction was to load the ECP and create a new Receive Connector using Front End Transport, instead of Hub Transport. Easy, right? Internal error 500.
No problem, EMS to the rescue. Nope.
Rebooted server. No joy either.
It's at this point I'm wishing I had a second Exchange server onsite, that I could connect to.
But due to the fact there was only one Exchange server, the only way around the issue was to use ADSIEdit.msc. A reference to this fix was found at
  1. Launch ADSIEdit.msc and connect to Configuration
  2. Browse to Configuration > Services > Microsoft Exchange > Org Name > Administrative Groups > Exchange Administrative Group > Servers > Name > Protocols > SMTP Receive Connectors.
  3. Locate msExchSmtpReceiveRole and change the value from 32 (Hub Transport) to 16384 (Front End Transport)
This allowed me to re-run the update, which picked up where it failed, and successfully completed.
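
A check that could be run before a CU to spot the conflict named in the error above, as an added example that is not from the original post. The function name `Find-ReceiveConnectorRoleConflict`, the server `EX01` and the sample connectors are hypothetical, and the sample data is constructed so the block runs without Exchange.

```powershell
# Added example (not from the original post). Flags Receive connectors on one
# server that share a local binding but belong to different transport roles.
# Simplification: bindings are compared as exact strings.
function Find-ReceiveConnectorRoleConflict {
    param(
        [Parameter(Mandatory)]
        [object[]]$Connector   # needs Identity, Server, TransportRole, Bindings
    )

    # One row per (connector, binding) so multi-binding connectors compare correctly.
    $rows = foreach ($c in $Connector) {
        foreach ($b in $c.Bindings) {
            [pscustomobject]@{
                Server   = "$($c.Server)"
                Binding  = "$b"
                Role     = "$($c.TransportRole)"
                Identity = "$($c.Identity)"
            }
        }
    }

    # A conflict is any server/binding pair claimed by more than one role.
    $rows | Group-Object Server, Binding | ForEach-Object {
        $roles = @($_.Group | ForEach-Object { $_.Role } | Sort-Object -Unique)
        if ($roles.Count -gt 1) {
            [pscustomobject]@{
                Server     = $_.Group[0].Server
                Binding    = $_.Group[0].Binding
                Roles      = $roles -join ', '
                Connectors = ($_.Group | ForEach-Object { $_.Identity }) -join '; '
            }
        }
    }
}

# Constructed sample data (hypothetical server EX01, not from a real system).
$sample = @(
    [pscustomobject]@{ Identity = 'EX01\Default Frontend EX01'; Server = 'EX01'; TransportRole = 'FrontendTransport'; Bindings = @('0.0.0.0:25', '[::]:25') }
    [pscustomobject]@{ Identity = 'EX01\Relay'; Server = 'EX01'; TransportRole = 'HubTransport'; Bindings = @('0.0.0.0:25') }
    [pscustomobject]@{ Identity = 'EX01\Default EX01'; Server = 'EX01'; TransportRole = 'HubTransport'; Bindings = @('0.0.0.0:2525', '[::]:2525') }
)

Find-ReceiveConnectorRoleConflict -Connector $sample | Format-Table -AutoSize

# On a live server, from the Exchange Management Shell:
# Find-ReceiveConnectorRoleConflict -Connector (Get-ReceiveConnector -Server $env:COMPUTERNAME)
```

With the sample data, the only row reported is the `0.0.0.0:25` binding shared by the Frontend connector and the Hub Transport `Relay` connector.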

Email Address Audit

Recently, a client asked for a list of all email addresses currently active on the server.
As anyone in IT can tell you, this would be a nightmarish task for any Medium to Enterprise company.
These two scripts will be your friend. They work in Exchange 2010, but I haven't tested them in 2007 or 2013.

Export Mailbox Email addresses and Alias.
Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName,ServerName,PrimarySmtpAddress, @{Name="EmailAddresses";Expression={$_.EmailAddresses | Where-Object {$_.PrefixString -ceq "smtp"} | ForEach-Object {$_.SmtpAddress}}} | Export-CSV c:\temp\smtp.csv -NoTypeInformation
The following will give you a useful list of Distribution groups, with all their members. This can be typed in, or copied to a .PS1 file, and run as a script.
$saveto = "C:\temp\listmembers.txt"

Get-DistributionGroup | sort name | ForEach-Object {
    # Write the group name as a heading
    "`r`n$($_.Name)`r`n=============" | Add-Content $saveto
    Get-DistributionGroupMember $_ | sort Name | ForEach-Object {
        # Only members that are user mailboxes are written out
        If ($_.RecipientType -eq "UserMailbox") {
            $_.Name + " (" + $_.PrimarySMTPAddress + ")" | Add-Content $saveto
        }
    }
}

Distributed Ping

I found this useful tool while trying to isolate an issue with DNS not replicating correctly for a client.
One ISP was pointing to the wrong IP address, while everyone else was pointing to the updated IP.