verify edgesync synchronization results for a specific recipient using ldp.exe

If you want to verify the EdgeSync synchronization results for a specific recipient, you can use Ldp.exe to view the recipient properties that are stored in ADAM. You must locate the recipient by its Active Directory GUID and, because the data is sent hashed, you must also be able to interpret the information that is returned when you view the recipient details.

To verify the EdgeSync synchronization results for a recipient, follow these steps:
1.Determine the user name of the recipient for which you want to verify EdgeSync synchronization results.
2.Determine the GUID that is associated with the recipient in Active Directory. This GUID is represented as the recipient's canonical name (CN) in ADAM.
3.Determine the Active Directory value of the attributes that you want to verify for that recipient.
4.Use Ldp.exe on the Edge Transport server to retrieve information about that recipient from ADAM.
5.Use the Windows Calculator to translate the retrieved decimal attribute values to hexadecimal and determine the significant byte.
6.Compare the Active Directory attribute values and the ADAM attribute values, and verify that they match.

1.Start Ldp.exe on the Edge Transport server. By default, this tool is located at <System drive>\WINDOWS\ADAM\ldp.exe.
2.Click Connection on the menu bar, and then click Connect
3.In the Connect dialog box, type the name of the Edge Transport server in the Server field. In the Port field, type the ADAM LDAP port. By default, this port number is 50389. Do not select the Connectionless or SSL check boxes. Click OK.
4.Click Connection on the menu bar, and then click Bind.
5.If you are logged on as a local administrator, in the Bind dialog box, select Bind as currently logged on user. To enter administrator credentials, select Bind with credentials, and then enter a user name and password. Click OK.
6.Click View on the menu bar, and then click Tree.
7.In the Tree View dialog box, clear any entry in the BaseDN field. Click OK. You are now connected to the root of the ADAM directory.
8.Click Browse on the menu bar, and then click Search.
9.In the Search dialog box, use the drop-down box for the BaseDN field to select OU=MsExchangeGateway.
10.In the Filter field, enter search criteria that will find the recipient whose CN is equal to the GUID that you obtained from Active Directory. For example, if the GUID starts with 21664853, enter (cn=21664853*). Notice that you do not have to type the complete GUID. You can type the first several characters and then use the * wildcard character to search for all GUIDs that begin with those characters.
11.Select Subtree as the Scope. Click Run. The search results appear in the right pane of Ldp.exe.
12.You can change the list of attributes that are included in the search results. To do this, click Browse on the menu bar, and then click Search. Enter the BaseDN, Filter, and Scope options as instructed in the previous steps. Click Options.
13.In the Attributes field, enter a list of attributes to display. Separate each attribute by using a semicolon. For example, to list the SCL delete threshold and the SCL reject threshold, enter the following text:
MsExchMessageHygieneSCLDeleteThreshold;MsExchMessageHygieneSCLRejectThreshold
14.Click OK, and then click Run in the Search dialog box. The search results appear in the right pane of Ldp.exe. Attributes that have a null value do not appear.

handy app for listening of specified ports

Useful for testing

http://www.rjlsoftware.com/software/utility/portlistener/

miscrosoft exchange server studies

I've been reluctantly learning about exchange, this is where I will post some info.

Hub Server

• Most of the items we are interested are under organization conf, hub transport)
• Send connectors , none by default on a hub
• Recieve connectors (under server conf) defaults are "client" and "default" recieve connectors
• Anti-spam settings are not enabled by default on a hub, can be turned on
• Transport rules are enabled but none configured by default, can be configured
• Journal rules are there, nothing configured
• Edge subscriptions are there, nothing configured

Edge server

• Edge servers are not part of the domain by design
• Edge server should be in DMZ, hub server should be in internal network
• The edge server's console only has the one edge transport role
• It has the following:
• Anti-Spam is enabled
• Send connectors (nothing configured)
• Receive connectors (default internal receive connector is there by default)
• Transport rules (nothing configured)
• Accepted domains (nothing configured)

The edge server is supposed to sit in the DMZ and defend your organization from spam, virus and DDOS attacks. The hub handles all of the mail flow within the organization. Applies transport rules, journalling policies, delivers messages to mailboxes, if there is no edge it can send/receive emails to/from the internet.You can have multiple hub and edge servers. Hub servers sync settings with each other, edge servers do not but you can export/import settings.

Edge servers are not required, but it is best practice from Microsoft and anyone with experience  If you choose not to use one, you should use an antispam/virus checking service like mxsweep. You can enable antispam, configure transport rules and uses a 3rd party solution on the hub server.

Mail flow
Mail will flow in/out of hub and edge transport servers.

Edge transport servers will never see emails that goes between internal users.

To connect the hub and edge you need to create an edge sync subscription
The edge transport role is designed to protect, its not part of the domain,

it can cut down the spam at the front door

A 3rd party solution can be just as good or better than the edge server.

A combination of forefront, ISA server and edge transport server can offer pretty good protection.

Send/Receive connectors

Connectors are like train tracks one going in and one going out.

You can have more than one outgoing or incoming tracks.

When you have 2 hub servers, there are invisible send connectors between the hub servers.
The edge transport role is configured automatically to receive email from the internet.

The hub transport server must be configured to do this.

Anti-Spam/Virus

The edge server has it turned on by default

The hub server you need to turn it on

Should use AV internally (Forefront / modusGate from Vircom / other 3rd party hosted)

Transport rules

You can make rules that applies to incoming/outgoing mail while in transit

The differences between the hub and egde transport rules

The edge (edge rules agent) is more for message hygiene, stops virus attack, DDOS etc

The hub (transport rules agent) is more for message compliance and policy enforcement, message classifications, disclaimers etc

you can make a transport rule to attach a disclaimer to emails that go out of your organization but internal emails will not have it attached.

Transport rules are built upon three components:

Conditions , exceptions and actions

Edge Sync subscription

Install hub and edge servers.

Make sure to set the DNS suffix correctly on the edge server during installation.

For the hub this is done automatically because it is part of the domain.

The edge should be in the DMZ, so it wont be in DNS automatically.

You may have have an internal network card on the edge server also.

Configure a host/A record on the DNS server that the edge server uses to point to the hub server

Configure a host/A record on the DNS server that the hub server uses to point to the edge server

Alternatively you can edit the hosts file (C:\windows\system32\drivers\etc\hosts) on each server

• 192.168.1.10 edge.domain.com
• 192.168.1.35 hub.domain.com

Ensure hub and edge can take to each other through DNS name resolution

From hub server

• ping edge.domain.com

From edge server

• ping hub.domain.com

Port LDAP TCP:50389 Secure LDAP TCP:50636 must be open between the two servers(best practice to have a firewall between them).

• telnet edge.domain.com 50389
• telnet edge.domain.com 50636
• telnet hub.domain.com 50389
• telnet hub.domain.com 50636 

On edge, create the subscription file (in the EMS run New-EdgeSubscription –file “C:\edgesub.xml")

Copy the xml file to hub and import it (in the EMC, Organization Configuration > Hub Transport> Create New Edge Subscription)

It can be difficult to get the subscription file off the edge if the network is locked down. You may have to get the restrictions lifted temporarily

or get the file off with a USB.

The application log should not show any errors, it should say it completed successfully

Two default send connectors will be created on the hub server

Start the EMS on hub, run

Start-EdgeSynchronization

Test-EdgeSynchronization (we should see sync status normal)

Test-EdgeSynchronization -VerifyRecipient user.name@domain.com (RecipientStatus)

On Edge we should see the two send connectors were created in the EMC
Test mailflow by sending and reciving email to/from an external email address, from a client inside your network.

Transport Layer Security (TLS)

Exchange 2010 by default uses self signed certs for all internal message transfers (also called direct trusts).

Exchange 2010 it will try to use TLS with a remote server, if it doesn't work it will use SMTP.
You can configure Mutual TLS between external organizations. You need to purchase a public cert for this.

Remember TLS only protects data in transit.

You can only ensure one hope is encrypted, but not the next hop.

You may need to speak with your third party vendors to see if they support TLS.

The exchange toolbox

In the EMC there are a lot of tools there by default that can help troubleshooting

You can add extra useful tools (Jetstress / Load Generator)

One of the most important tools to run is the best practices analyser.

You should run it after install, after any upgrades, and perhaps schedule it at least once a year.

Mail flow trouble shooting tool is also very good.

Details templates editor - will probably never be used

Remote connectivity analyser (should be run on edge if you are using one)

Monitoring tools in the exchange management shell

You can do more with the shell than you can with the GUI

Get-Command Test* (show all the test commands)

Test-Mailflow

Test-ServiceHealth

Test-MapiConnectivity

don't forget get-help [command]

Get-MailboxStatistics (-server -identity -FolderScope)

Get-MailboxFolderStatistics

Get-MailboxDatabase

Get-TransportPipeline (needs to be run on the hub server)

PowerGUI has an exchange 2010 powerpack that you can download and add to powergui.

Remember to test send/receiving email from outlook, owa etc.
After a system outage exchange should be the last server to start up.
Generally we  want to start DCs, SQL servers and then exchange. Exchange services take some times to start up.


RAID
You should use RAID 10 on the disk groups that you store databases on for optimal performance.

Perfmon
You can use start -> perfmon to monitor performance aspects of Exchange.
First see if you can match spike in average disk queue length for all disks (under physical disk) to a single disk. Then for that disk monitor the average reads/writes per second. The values should be below 20ms most of the time with spikes to 50ms.

Some good articles on using perfmon are here
http://www.computerperformance.co.uk/HealthCheck/Disk_Health.htm
http://www.windowsnetworking.com/articles_tutorials/Windows-Server-2003-Performance-Tuning.html

Get largest mailboxes
Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(MB)";expression={$_.TotalItemSize.Value.ToMB()}},ItemCount

Creating a new self signed certificate

New-ExchangeCertificate -DomainName servername,sername.domain.local, mail.domain.ie,owa.domain.ie -lPrivateKeyExportable:$true
enable-ExchangeCertificate -Thumbprint [copy from output above] -services "SMTP,POP,IIS,IMAP"
On edge server
enable-ExchangeCertificate -Thumbprint [copy from output above] -services SMTP

Remember you can't use the same certificate on the hub and the edge server, the same goes for third party certs.

Exporting a cert

• From the certificates snapin
• personal -> certificates
• right click all tasks - > export
• tick export the private key
• Personal Information exchnage
• tick include all certificates in the
• tick export all extended properties
• type a password
• browse for where you want to save the file

Importing a cert

• Export the cert on hub server as detailed above
• Copy the cert to edge
• Import-ExchangeCertificate -Path c:\certificates\ExportedCert.pfx -Password:(Get-Credential).password
• type anyusername
• type the password that was used to export the cert
• enable-exchcertificate -services SMTP

 restart topology service on hub server.

Databases and transaction logs

Emails come in over the network, first they enter RAM on the server, then they are moved into the transaction logs. The transactions logs are written into the database. Checkpoint files (.chk) are used to keep track of which transaction logs have been written into the database and which have not. Transactions logs are 1MB in size and more and more are created as more emails come in. You should be able to tell from the checkpoint files which emails have been written to the database. JRS files are reserved transaction log files (only used when the disk runs out of space, but they are only 1MB in size so they are useless these days).

If the disk a database is on runs out of space that's bad. It can't be mounted/debugged. When the disk gets to 1 GB of space left it will stop the transport service to that database. E00 is the current log, when it fills up it will be renamed and a new log is started. Circular logging can be turned on which writes over the transaction logs once they have been written into the database. Also many backup solutions delete the transaction logs after a full backup completed successfully.

DB files should be kept on separate disks from transaction logs. They should also be kept separate from the system partition and where exchange is installed. Take for example, you have the OS, exchange install, the DB and the transaction logs all on a single non-redundant physical disk. If that disk fails we have lost everything. Even with a full backup from the night before we will miss out on all the mails in between. This is why we want to use redundant disks or a SAN for storage. Lets say we set up 3 redundant disks, the OS and exchange are installed on disk1, the DB is on disk2, the transaction logs are on disk3. This way if we lose a disk, we just replace it without any interruption. If some how we actually lose one, we just need to restore that disk from back up everything else is in place.

Transactions logs should be on a mirrored volume RAID 1 at least (depending on what you can afford) Database files should be on RAID5 or RAID10 (depending on what you can afford)
Think about if you are using physical disks in the server or are you using virtual disks on a SAN ?

The MS exchange team have created an "Exchange 2010 Mailbox Server Role Requirements Calculator" its a spreadsheet that can help you calculate how much disk space you need. What ever answer you get always add some more, no doubt you'll need it some day.

Exchange standard supports 5 databases. (small medium businesses)
Enterprise supports 100 databases. (enterprise)

some exchange power shell commands

To test if your edge sync is working
test-edgesynchronization

Start edge sync
start-edgesynchronization

Display useful information on exchange server, useful for getting versions
get-exchangeserver | fl

Get a list of the certs on the server
get-exchangecertificate

telnet to exchange server displays error message 220 *****

When telneting to an exchange server you get the following errorr:
220 *******************
When you run EHLO you get the following error
500 5.3.3 Unrecognized command

This can happen when a cisco device is using
"fixup protocol smtp 25"
or
"inspect esmtp"

Also AV's have been known to cause these issues.

See this page for more detail:
http://www.binarywar.com/2009/11/cisco-pixasa-causes-smtp-banner-corruption/

getting the shared key from a cisco device for the VPN

You may need to set up a cisco remote access VPN connection but you don't have the shared key

try running the command
more system:running-config

Alternativly copy the config off the device, open in in wordpad and see if you can read it there.

export putty settings

the command to export putty settings

regedit /e “%userprofile%\desktop\putty.reg” HKEY_CURRENT_USER\Software\Simontatham

sick of running reports in vmware,exchange,scvmm

check out vcheck

http://www.virtu-al.net/

snmpwalk for windows

http://sourceforge.net/projects/net-snmp/

snmpwalk -v 1 -c community-here 127.0.0.1

powershell script to check the cluster volume storage usage

Another powershell script to check the disk usage on the CSV's

Import-Module FailoverClusters

#Function to send an email
function sendMail($body)
{
    $smtpServer = "192.168.1.25"
    $emailFrom = "ClusterStorageScript@email.ie" 
    $emailTo = ("alerts@email.com")
    $subject = "Cluster disk space usage"
    Send-MailMessage -From $emailFrom -To $emailTo -Subject $subject  -Body $body -SmtpServer $smtpServer
}


#Set up required arrays
$objs = @()
$alerts = @()

#code snippet to get cluster information
$csvs = Get-ClusterSharedVolume
foreach ( $csv in $csvs )
{
   $csvinfos = $csv | select -Property Name -ExpandProperty SharedVolumeInfo
   foreach ( $csvinfo in $csvinfos )
   {
      $obj = New-Object PSObject -Property @{
         Name        = $csv.Name
         Path        = $csvinfo.FriendlyVolumeName
         Size        = $csvinfo.Partition.Size
         FreeSpace   = $csvinfo.Partition.FreeSpace
         UsedSpace   = $csvinfo.Partition.UsedSpace
         PercentFree = $csvinfo.Partition.PercentFree
      }
      $objs += $obj
   }
#If there is less than 25% free add an alert to our alert array
#set sendalert to 1
   if ($csvinfo.Partition.PercentFree -le 25) 
   {
        $75alert =  "Warning 75% or more disk usage on " + $csv.Name + "`r`n"
        $alerts += $75alert
        $sendalert = 1
   }
#Similar as above adds alert for less than 20% free
   if ($csvinfo.Partition.PercentFree -le 20) 
   {
       $80alert =  "CRITICAL!!! 80% or more disk usage on " + $csv.Name + "`r`n"
       $alerts += $80alert
       $sendalert = 1
   }
     
}
#If send alert is set to 1 above then do the following
if ($sendalert -eq 1)
{
#Put all the alerts into a string $smsg
$a = 0
$smsg = ""
while ($a -le $alerts.count)
{
$smsg += $alerts[$a] + "`r`n"
$a++
}
#Put the full output of the cluster information into a string $msg
$objs2 = $objs | ft Name,@{ Label = "Size(GB)" ; Expression = { "{0,8:N2}" -f ($_.Size/1024/1024/1024) } },@{ Label = "FreeSpace(GB)" ; Expression = { "{0,13:N2}" -f ($_.FreeSpace/1024/1024/1024) } },@{ Label = "UsedSpace(GB)" ; Expression = { "{0,13:N2}" -f ($_.UsedSpace/1024/1024/1024) } },@{ Label = "PercentFree" ; Expression = { "{0,11:N2}" -f ($_.PercentFree) } }
$msg = out-string -inputobject $objs2 -width 85
#append new lings to $smsgm
$smsg += "`r`n`r`n"
#crate a new string comprised of the alerts and the full information
$emailmsg = $smsg + $msg
write-host $emailmsg
#email all of the information using the function at the top of this script
sendMail($emailmsg)

}

powershell script to check for hyper-v snapshots and email if they are found or not

Simple powershell script to check for hyper-v snapshots and email if they are found or not

function sendMail1($body)
{
    $smtpServer = "192.168.1.25"
    $emailFrom = "snapshots@email.ie" 
    $emailTo = ("alerts@email.com")
    $subject1 = "No .avhd files (snapshots) found"
    Send-MailMessage -From $emailFrom -To $emailTo -Subject $subject1  -Body $body -SmtpServer 

$smtpServer
}

function sendMail2($body)
{
    $smtpServer = "192.168.1.25"
    $emailFrom = "snapshots@email.ie" 
    $emailTo = ("alerts@email.com")
    $subject = "ALERT!! snapshots found - Urgent action required"
    Send-MailMessage -From $emailFrom -To $emailTo -Subject $subject -Body $body -SmtpServer 

$smtpServer
}
$output = Get-ChildItem C:\ClusterStorage\ * -include *.avhd -recurse

If ($output -eq $NULL)
{
#Do nothing
#$msg = "No .avhd files (snapshots) found"
#sendMail1($msg)
}
Else
{
#send the email
$msg = out-string -inputobject $output
sendMail2($msg)
}

add user to cisco vpn on pix

conf t
username [usernme] password [password] privilege 2

unable to access samba share from windows 7

Open gpedit.msc

Local Computer 
Policy->Computer Configuration->Windows Settings->Security 
Settings->Local Policies->Security Options

Find the 
policy:

Microsoft network client: Digitally sign 
communications (always)

If this is enabled, change it to 
Disabled. Be sure and restart your machine for the change to take effect

trouble shooting tips for hyper-v VMs

Just a few points I picked up from watching a MS engineer do his thing.

Gather a list of the VM guests affected by the issue, their VM hosts and the cluster volume shares their disks are located on and msinfo32 from each VM.

Start -> Admin tools -> Failover cluster shows the cluster. You can see which VMs are highly available under the applications and services.

On the vm's affected start -> run eventvwr. Filter the current log, look for 1001, 6008, 41. You should be able to find the time it shutdown or crashed.

Check C:\Windows\ for memory.dmp. If the date is recent on it you can look into opening it and reading it. I didn't have a mem dump.

Run a validate on the cluster. Choose only tests I select, uncheck the whole storage section. If you leave this on you can take the cluster offline.

Collect C:\Windows\Cluster\Reports\cluster.log from each VM host

start -> run -> cmd. run "cluster . log /gen" this collects logs from all nodes in the cluster.

start -> run -> fltmc. when you type fltmc.exe a list of filter drivers appears. Filter drivers are often the cause of blue screen's. Not sure how to use this command.

He noted there was a FileServer running on the cluster resources and that it should not be there. Only the cluster IP and the quorm should appear.

Networks should be named. Heartbeat, public, iSCI 1 and iSCSI 2.

You should have a dedicated NIC for live migration.

You should set up the preferred owners so in the event of an issue VMs will migrate to the vm hosts you select other wise they will choose themselves.

Network binding should be host, heartbeat

Any network connections not in use should be disabled.

export all pages in visio 2010 to jpg

I was working on a diagram in visio that had 20 pages. I needed to export all of them to jpg but I didn't want to click file -> save as 20 times. I found a bit of code online and it just needed to be changed slightly for visio 2010.

In visio click View -> Macros. Type the name of the macro (I called mine saveallpages) and click the Create button. The code should look like this.

Public Sub saveallpages()

  Dim i As Integer

  Dim formatExtension As String

  formatExtension = ".jpg"

  

  '// Init folder, doc and counter:

  folder = ThisDocument.Path

  Set doc = Visio.ActiveDocument

  i = 1

  '// Loop through pages:

  For Each pg In doc.Pages

    '// Setup the filename:

     FileName = Format(i, "000") & " " & pg.Name

    '// Append '(bkgnd)' to background pages:

     If (pg.Background) Then FileName = FileName & " (bkgnd)"

    '// Add the extension:

    FileName = FileName & formatExtension

    '// Save it:

     Call pg.Export(folder & FileName)

    i = i + 1

    

    Next

End Sub

User running commands with SUDO fails with sudo: must be setuid root

Issue

User running commands with SUDO fails with sudo: must be setuid root .

Example:

200013630@trstlprnbumst01 ~]$ sudo ls  sudo: must be setuid root.

Solution

1. Checked the permissions:
   [200013630@trstlprnbumst01 ~]$ ls -l /usr/bin/sudo  ---s--x--x 2 root root 150832 Jan  6  2009 /usr/bin/sudo  [200013630@trstlprnbumst01 ~]$ls -ld /usr  drwxr-xr-x 14 root root 4096 Apr  2 15:30 /usr  
   Permissions looks perfect.
2. Checked the /etc/suoders file.
   ## Allows people in group wheel to run all commands  %wheel  ALL=(ALL)       ALL  200013630 ALL=(ALL)     ALL  
   Everything looked fine.
3. Checked the /etc/fstab file. Found nosuid options enabled for mount points.
   Example:
   /dev/VolGroup00/lvHome /home   ext3,nodev,nosuid    defaults  1 2
   nosuid disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.

Removing nosuid option fixed the problem.