Friday, December 28, 2012

Windows 2008 R2 DNS

If you've ever stood up a Windows 2008 R2 server or Windows SBS 2011 server, you've likely encountered issues with DNS resolution.  In the past it's always been common practice to tell the server "don't use root hints" and then throw in some resolvers, such as the ISP's DNS server, OpenDNS, Google's DNS, or Level 3's DNS.  Well - I finally found the solution.  2 of them in fact.

A lot of DNS problems with Win2k8R2 come down to 2 main issues.

1) First the root hints:  Microsoft even acknowledges there's a problem.  And here's the hotfix:  http://support.microsoft.com/kb/2616776

2) Second, a resolution timeout:  You may or may not see from the client side that DNS resolution seems slow -OR- if you do something like nslookup, it times out and then gets a non-authoritative reply.  If you're seeing timeout problems, there's a fix for that too:  "dnscmd /config /EnableEDNSProbes 0"  This will turn off EDNS0 functionality, which has been known to cause problems with firewalls and such because it uses an oversized UDP packet to gain information.



Friday, August 31, 2012

Exchange 2010 Offline Address Book Not Working

Exchange 2010 Offline Address Book Not Working - 500 Internal Server Error?

We know from past experiences that the 500 Internal Server Error is a very general HTTP status code that means something has gone wrong on the web site's server but the server could not be more specific on what the exact problem is.  That's really not a lot of information to go on.

This error in Exchange has come up a few times recently.  The best place to start troubleshooting is to find out if it's internal and/or external clients.  Also, is it affecting one user, multiple users, or all users?

One thing a lot of engineers like to do is create 403 redirect pages with Exchange 2010 to simplify access for end users.  It's a great tool to be able to tell your clients to go to "https://mail.yourdomain.com" rather than https://mail.yourdomain.com/owa.  Unfortunately, this creates a web.config file in the directory your OAB virtual directory points to.  Even more unfortunate, this breaks OAB.  But - don't worry - there's an easy fix for this.  Simply go to the security properties of the web.config file, assign Read and Read & Execute permission to the Authenticated Users group, then restart IIS using iisreset /noforce.
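The permission fix above can also be scripted. This is an added example, not from the original post: the function name and the temp-file stand-in are assumptions, and the real target is the web.config in the folder your OAB virtual directory points to.

```powershell
function Grant-OabConfigRead {
    param([Parameter(Mandatory)][string]$Path)

    # S-1-5-11 is the well-known SID for Authenticated Users; using the SID
    # avoids problems with localized group names.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    # Look at explicit and inherited rules; an inherited grant is enough.
    $acl = Get-Acl -Path $Path
    $existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $rx) -eq $rx
        }
    if ($existing) { return 'already-present' }

    # Read & Execute includes Read, so one rule covers both boxes in the GUI.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $rx, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return 'granted'
}

# Constructed stand-in file so the example runs anywhere. On a real server,
# pass the OAB folder's web.config and then run: iisreset /noforce
$demo = Join-Path $env:TEMP 'oab-demo-web.config'
'<configuration />' | Set-Content -Path $demo
Grant-OabConfigRead -Path $demo   # adds the rule if it is missing
Grant-OabConfigRead -Path $demo   # second call finds the rule already there
(Get-Acl $demo).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```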

After this, you can download the address book for your users through Outlook.  Still not working?  If it's still not working on a few individual users, try this trick below.

Individual Users - Outlook 2007 or 2010 error (0x8004010F) operation failed. An object cannot be found.

Since Outlook 2007, the Offline Address Book is downloaded via BITS, and sometimes the BITS job queue can get full (especially if it has a queue of errors).
Simply run BITSADMIN.EXE /RESET to fix the issue.

If you cannot find or run BITSADMIN (it's technically a deprecated command), here's a PowerShell equivalent.  Note, you may need to run this multiple times:  Get-BitsTransfer -AllUsers | Remove-BitsTransfer

Wednesday, August 8, 2012

Slow DFS Sharing - Several Seconds Before Root Directory Access

I recently installed a new DFS setup for a client.  With this DFS setup, everything was working great.  That is, until end users started accessing everything.  Immediately we noticed that any access to any share would take up to 10 seconds to access the initial root folder.  From then on it worked great.  Turned out to be this little problem.  When you have a DNS-only space, Windows tries accessing servers and folders NOT by using DNS first.

http://support.microsoft.com/kb/244380

Special thanks to this article for finding it:

http://serverfault.com/questions/50789/long-pause-when-accessing-dfs-namespace

Monday, July 30, 2012

Exchange 2010 RPC/HTTP Proxy and Outlook Anywhere

Sometimes Outlook Anywhere doesn't function correctly.  I always start by using "Exchange Analyzer".  Recently using this I found an issue where IIS was returning a 500 Authentication error.  Here's what worked for me. 

Connect to the Exchange Client Access Server.

Ensure the RPC over HTTPs feature is installed and that Outlook Anywhere is enabled. 

Browse to the following location:
C:\Windows\System32\RpcProxy 

Copy the web.config file to web.config.backup.

Open web.config in Notepad. 

Replace the following section: 

<system.webServer> 
<modules> 
</modules> 
</system.webServer> 

With: 

<system.webServer> 
<validation validateIntegratedModeConfiguration="false" /> 
</system.webServer> 

Save the file and restart IIS via a command prompt: IISRESET

You should now be good to go!
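The same backup-and-edit procedure as a script. This is an added example, not part of the original post: the function name and the temp-file stand-in are assumptions, and it refuses to touch a <modules> section that is not empty.

```powershell
function Update-RpcProxyConfig {
    param([Parameter(Mandatory)][string]$Path)

    $full   = (Resolve-Path $Path).Path
    $backup = $full + '.backup'
    # Keep the first untouched copy; never overwrite an existing backup.
    if (-not (Test-Path $backup)) { Copy-Item $full $backup }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($full)

    $ws = $xml.SelectSingleNode('//system.webServer')
    if ($null -eq $ws) { throw "No <system.webServer> section in $full" }

    $modules = $ws.SelectSingleNode('modules')
    if ($null -ne $modules) {
        # Only the empty section shown in the post is removed automatically.
        if ($modules.SelectNodes('*').Count -gt 0) {
            throw '<modules> has entries; edit the file by hand instead'
        }
        [void]$ws.RemoveChild($modules)
    }

    $val = $ws.SelectSingleNode('validation')
    if ($null -eq $val) {
        $val = $xml.CreateElement('validation')
        [void]$ws.AppendChild($val)
    }
    $val.SetAttribute('validateIntegratedModeConfiguration', 'false')
    $xml.Save($full)
}

# Constructed sample standing in for C:\Windows\System32\RpcProxy\web.config.
# On the real server, run the function on that file from an elevated
# prompt and then run IISRESET.
$sample = Join-Path $env:TEMP 'rpcproxy-sample-web.config'
@'
<configuration>
  <system.webServer>
    <modules>
    </modules>
  </system.webServer>
</configuration>
'@ | Set-Content -Path $sample -Encoding UTF8
Update-RpcProxyConfig -Path $sample
Get-Content $sample
```

If the result is not what you expect, copy web.config.backup back over web.config and restart IIS again.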

Exchange 2010 Forms Based Auth Crashing

In Exchange 2010, it seems like a lot of Small Business Server installations cause the Forms Based Authentication Service to crash.  Microsoft has identified this issue and it is because Exchange is installed on a Global Catalog Server.  While best practice identifies that Exchange should never be installed on a Domain Controller or Global Catalog Server, this is not a practical solution to customers using Small Business Server.

Microsoft has a "Fix it" solution for this.  This solution changes some of the dependencies for the Microsoft Exchange services to be sure that the dependent services start first.

Microsoft Exchange SA: EventLog, RPCSS, LanmanWorkstation, LanmanServer, Netlogon
Microsoft Exchange AD Topology: Net Logon
Microsoft Exchange IS: Net Logon

Here's the link to the KB with the "Fix It" download:  http://support.microsoft.com/kb/940845

Sunday, January 22, 2012

SharePoint Post Windows Updates

So if you use SharePoint and you've recently done updates (or installed Service Pack 1), you may have gotten an annoying message after you've rebooted the server. Oddly, there is not much online for documentation on what you need to do and the link in the dialog box is not helpful either.

This message occurs because the update requires 2 parts. First, the binary update part, which it does on its own. Then, the database needs to be updated. The database update is a manual command you'll have to run.

To perform the update, you'll need to open an elevated SharePoint PowerShell console. Once you've opened PowerShell, you can run the following command to see if the update is needed: (get-spserver $env:computername).NeedsUpgrade

To perform the update, you'll need to change your directory:
CD "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\BIN"
And then run the PSConfig utility:
PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures

After running the PSConfig utility, you may need to reboot your server to get rid of the warning message. If it does not disappear upon reboot, you can open the Group Policy Management Console - gpmc.msc - and look for the policy "SharePoint Psconfig Notification Policy".

Tuesday, December 6, 2011

How secure is your password??

I find people asking me how complex their password needs to be all the time. This is a genuinely valid question. Sometimes this is a matter of opinion from network engineers, so here's my opinion on what I've found.

(A Complex Answer / Microsoft Recommendation) Microsoft recommends:

A) Password does not contain any part of a user's name (Display Name/Account Name/etc.)
B) Must be at least 7 characters
C) Should be changed every 42 days, minimum
D) Must contain 3 of the 5 following: An uppercase, a lowercase, a digit, a symbol, and/or a Unicode character.

(My simple answer) I recommend:

Passwords need to be secure, but easy to remember. Of course "T8iL#)iuwr*3A~~!!" is going to be very secure, but who's going to remember that? So, of course, you're going to document that somewhere right? Sheet of paper? Excel document? Notepad document? When you need to document it, how do you secure that document?

So, what is more secure? "T8iL#)iuwr*3A~~!!" or "D0g...................." (Capital D, Zero, g, +20 periods)? Which one are you going to remember better? Believe it or not, "D0g...................." (23 characters) is going to take quite a bit longer than "T8iL#)iuwr*3A~~!!" (17 characters) to crack.

Here's a nice site I stumbled upon a few weeks ago that shows you just how long it might take to crack a password: https://www.grc.com/haystack.htm
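To see where the difference comes from, here is the brute-force search-space count worked through for the two passwords above. This is an added example, not from the original post or from the linked site: the function name and the character-class sizes (26/26/10/33 for printable ASCII) are assumptions, and the model only covers an attacker who tries every string of every length, not one guessing from dictionaries or patterns.

```powershell
function Get-HaystackSize {
    param([Parameter(Mandatory)][string]$Password)

    # Alphabet = sum of the printable-ASCII classes the password draws from
    # (assumed sizes: 26 lower, 26 upper, 10 digits, 33 symbols).
    $alphabet = 0
    if ($Password -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Password -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Password -cmatch '[0-9]')        { $alphabet += 10 }
    if ($Password -cmatch '[^a-zA-Z0-9]') { $alphabet += 33 }

    # A brute-force search that reaches length L has already covered every
    # shorter length, so the space is alphabet^1 + ... + alphabet^L.
    $space = [bigint]::Zero
    for ($k = 1; $k -le $Password.Length; $k++) {
        $space += [bigint]::Pow([bigint]$alphabet, $k)
    }

    [pscustomobject]@{
        Length      = $Password.Length
        Alphabet    = $alphabet
        SearchSpace = $space
    }
}

# The two passwords compared in the post.
$complex = Get-HaystackSize 'T8iL#)iuwr*3A~~!!'
$padded  = Get-HaystackSize ('D0g' + ('.' * 20))

$complex, $padded | Format-List
$ratio = [bigint]::Divide($padded.SearchSpace, $complex.SearchSpace)
'Padded / complex search-space ratio: {0:N0}' -f $ratio
```

Both passwords draw on the same four character classes, so the whole gap comes from the six extra characters of length.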

Enjoy!