Search This Blog

Thursday 30 September 2010

Renew Exchange 2007 SSL Certificate

Once your Exchange 2007 SSL Certificate is due for renewal you will need to perform the renewal process, this is slightly complex and requires the right steps to be taken.

1. First you need to request the new certificate from Exchange to generate the CSR that is needed for your SSL Provider. I use www.digicert.com as they have a nice wizard to generate the Exchange 2007 Shell command for you. In my instance I used this Shell command to generate my certificate

New-ExchangeCertificate -GenerateRequest -Path c:\mydomain.com.csr -KeySize 2048 -SubjectName "c=GB, s=West Midlands, l=Birmingham, o=My Company Limited, cn=mydomain.com" -DomainName server, server.mydomain.local, autodiscover.mydomain.com -PrivateKeyExportable $True

This now creates the CSR file you can send to the SSL provider for processing.

2. Once you have received your new SSL certificate you need to replace the expired or close to expired SSL certificate on your Exchange Server. You next need to run the Exchange Shell command

Get-ExchangeCertificate | fl | out-file –filePath c:\certs.txt

This will output your existing certificates to a text file you can read, open the file and find the certificate with the "Not After" date that is the expiry date of your certificate. Make a note of the thumbprint information and copy this to the clipboard.

3. Next you will remove the existing certificate with the command below and the thumbprint information on the clipboard

Remove-ExchangeCertificate –thumbprint

Confirm you want to remove the certificate.

4. Now you can import your new Certificate from the CER file supplied by your SSL Provider

Import-ExchangeCertificate -path e:\certificates\owa.cer –FriendlyName “owa.mydomain.com”

This will output the Thumbprint for the next Certificate and you need to make a note of this long file information.

5. You now need to enable the certificate for use in Exchange 2007 with the command

Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services IIS

Replace the Thumbprint with the Thumbprint from your previous notes.

6. The Certificate is installed and enabled now, you can run the command

Get-ExchangeCertificate

This will show you the certificate and that it is enabled for Web Access with the "W" in the Services section.

Monday 27 September 2010

Disable IE8 Customisation Page with Regedit

Sometimes on a Terminal Server you dont want that Splash Screen for IE8 showing as the end users cannot find which options to choose and start calling the helpdesk, so you choose to disable it for them.

This is simple with Group Policy if you have a Windows 2008 or Windows 7 PC but what if you are all Windows XP and 2003? Then you need a custom ADM or a registry edit to achieve this.

HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Internet Explorer \ Main

Reg Dword - DisableFirstRunCustomize = 1

The branches above will not exist in the Registry so you need to create the last two manually first.

Thursday 23 September 2010

SBS 2008 Migration fails with "Source Server does not meet requirements"

We were performing a migration from SBS 2003 to SBS 2008 and when the answer file was being checked during the upgrade we saw this error displayed and the list showed that the source server did not meet the requirements for Active Directory Schema and Exchange Server Service Pack level.

We knew that the source server was correct and the BPA had passed all tests so I thought it must be a communication issue from the SBS 2008 Server to the source server, I opened Wireshark and could see traffic from the SBS 2008 Server to the source server so the next step was to see if the SBS 2008 Server could ping the source server by Netbios and FQDN as these are part of the answer file.

During SBS 2008 Server setup you can press SHIFT + F10 and have a command line load, this is invaluable for trouble shooting and a quick ping showed we could not ping the Netbios or FQDN of the source server. I edited the HOSTS file on the SBS Server and updated it to resolve the source server correctly and ran the answer file check again....

Bingo! The tests passed and the installation continued. Lesson learnt, always test your DNS and WINS before you start. In this case my engineer explained he had had to change the IP range on the source server from a class B address to a class C address and this then told me DNS had not updated correctly and this is why DHCP on the SBS Server 2008 did not resolve the names correctly.

Monday 20 September 2010

Delete files older than a certain age

I had a need to delete some backup images files from a share after a period of time so that the disk did not run out of space. This was because the backup application Acronis & Backup Recovery 10.0 was not able to correctly clean up older image files in the backup rotation.

So to create a simple way to delete all image files older than two days I used the FORFILES.EXE utility from the Windows 2003 Resource Kit.

The syntax for this is quite simple and allows you to search a location or sub folder for a file type and then take an action depending on the files found. So for my case I used

forfiles /P E:\myPath /M *.TIB /D -2 /C "cmd /c del /q @path"

This command uses the path E:\myPath and then finds TIB file extensions, it tests if they are older than 2 days and if it matches it then runs a del /q to delete these files using the full path.

Wednesday 15 September 2010

NtFrs Event ID 13566

I had a server that had the event ID below

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\winnt\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.

To change this registry parameter, run regedit.

Click on Start, Run and type regedit.

Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.

If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above
.

I have had this error in the past and I have followed the registry edit to request FRS rescans for Active Directory changes, in this instance when I made the change the server had been in this state for so long it removed all files from the SYSVOL Share under SCRIPTS and POLICIES and rendered the server no longer a Domain Controller.

This was a pretty difficult situation as this was a SBS 2003 Server and this meant I had no other DCs to connect to bring AD back online.

I had to use the BurFlags registry changes to rebuild FRS again and start with an empty, to do this I had to perform an Authoritative Restore from this Microsoft KB article.

http://support.microsoft.com/kb/290762

Once this was complete I had the SYSVOL share back again after about five minutes but I had to manually recreate the SCRIPTS folder for this to be shared as NETLOGON. The Policies folder was missing from SYSVOL so I had no Group Policies and numerous UserEnv errors in the event log.

The next step was to rebuild the Default Domain Controller and Default Domain Policy, this can be done using the DCGPOFIX tool on the SBS Server, I ran this and accepted the Disaster Recovery options and this rebuilt the two Group Policies correctly.

Now I had to recreate all the SBS Custom Policies that no longer existed, for this I was able to export the policies from an existing SBS 2003 Server and then use the Import Settings option to rebuild the policies. As the polices do not reference any Security SIDS directly these policies could be imported.

This now returned the server to a state where the Event Logs were clear of errors, Exchange and SQL Server were working and I had only to recreate the logon script files in the NETLOGON share.

Thursday 2 September 2010

Change IP address from the command line

Here is a very simple way to change the IP address from the command line, very handy when you cannot get into the GUI and only cmd will load from task manager.

http://support.microsoft.com/?kbid=257748