When migrating mailboxes to Exchange 2013, you can run into an error regarding the maximum number of bad items. This causes the import to fail:
Error code: -2146233088
This mailbox exceeded the maximum number of corrupted items that were specified for this move request.
The message exceeds the maximum allowed size for submission to the target mailbox.
A bad item can be one whose size is a bit large. The New-MailboxImportRequest cmdlet can be called with the -BadItemLimit option, specifying a number of items; when using that option you must also specify the -AcceptLargeDataLoss option. For example, to import a mailbox called john.doe from a PST named john.doe.pst, the command would look as follows:
New-MailboxImportRequest -Mailbox john.doe -FilePath "\\myserver\E$\john.doe.pst" -BadItemLimit 1000000 -AcceptLargeDataLoss
If you have a number of mailboxes that have already failed, use the Get-MailboxImportRequest cmdlet and pipe the requests whose Status is Failed to Set-MailboxImportRequest with a larger -BadItemLimit setting, as follows:
Get-MailboxImportRequest -Status Failed | Set-MailboxImportRequest -BadItemLimit 1000000
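A blanket limit of 1000000 hides how much mail is actually being skipped. The following script, an added example that is not from the original post, reads the counts the failed attempt reported (BadItemsEncountered and LargeItemsEncountered, the latter covering the "exceeds the maximum allowed size" error, which Exchange 2013 tracks separately through -LargeItemLimit), sizes the limits to those counts plus a small headroom, resumes the requests, and then lists what was skipped so it can be reviewed. It assumes an Exchange 2013 Management Shell session; the headroom value is an assumption.

```powershell
# Added example, not from the original post. Assumes an Exchange 2013
# Management Shell session with failed import requests present.
$Headroom = 10   # assumption: extra items allowed beyond the reported count

function Resume-FailedImportRequests {
    $failed = Get-MailboxImportRequest -Status Failed
    foreach ($req in $failed) {
        $stats = Get-MailboxImportRequestStatistics -Identity $req.Identity

        # Counts from the failed attempt; Message carries the error text.
        $badLimit   = $stats.BadItemsEncountered   + $Headroom
        $largeLimit = $stats.LargeItemsEncountered + $Headroom
        Write-Host ("{0}: bad={1} large={2} -> {3}" -f $req.Identity,
            $stats.BadItemsEncountered, $stats.LargeItemsEncountered, $stats.Message)

        # Above 50 skipped items Exchange insists on -AcceptLargeDataLoss, which
        # turns the data loss into an explicit, logged decision.
        $params = @{
            Identity       = $req.Identity
            BadItemLimit   = $badLimit
            LargeItemLimit = $largeLimit
        }
        if ($badLimit -gt 50 -or $largeLimit -gt 50) {
            $params['AcceptLargeDataLoss'] = $true
        }
        Set-MailboxImportRequest @params
        Resume-MailboxImportRequest -Identity $req.Identity
    }
}

function Get-SkippedItemReport {
    # Every request that finished while skipping something, for review.
    Get-MailboxImportRequest |
        Get-MailboxImportRequestStatistics |
        Where-Object { $_.BadItemsEncountered -gt 0 -or $_.LargeItemsEncountered -gt 0 } |
        Select-Object Identity, Status, BadItemsEncountered, LargeItemsEncountered
}

Resume-FailedImportRequests
Get-SkippedItemReport | Format-Table -AutoSize
```

Run Get-SkippedItemReport again once the resumed requests reach Completed or CompletedWithWarning; the per-request counts are what you hand to the mailbox owner when asking whether the skipped items matter.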
krypted April 30th, 2014
Posted In: Microsoft Exchange Server
Outlook Web Access (OWA) allows administrators to set up themes. I’ve noticed a lot of people configuring custom OWA themes these days. And when they do, they are always annoyed when users change the theme back to the default. So, let’s disable theme selection using the set-owavirtualdirectory cmdlet.
Here, we’ll do so on a server called krypted, on the default web site, for the default owa virtual directory using the -identity option. The option we’ll use is -themeselection enabled and we’ll set it to $false:
set-owavirtualdirectory -identity "krypted\owa (default web site)" -themeselectionenabled $false
To set it back, just swap $false for $true:
set-owavirtualdirectory -identity "krypted\owa (default web site)" -themeselectionenabled $true
krypted December 7th, 2013
By default, when you require an SSL certificate in IIS on an Exchange server, users who hit the page without an https:// in front will get an error. Rather than require certificates, it’s better in most cases to redirect unsecured traffic to a secured login page. To do so, first configure the redirect: open IIS Manager and click on the Default Web Site.
At the bottom of the pane for the Default Web Site, click Features View if not already selected.
Then open HTTP Redirect. Here, check the box for “Redirect requests to this destination” and provide the path to the owa virtual directory (e.g. https://krypted.com/owa).
In the Actions pane to the right of the screen, click Apply. Then click on Default Web Site again and open the SSL Settings pane. Here, uncheck the box for Require SSL.
Next, edit the offline address book web.config file on the CAS, stored by default at (assuming Exchange is installed on the C drive) C:\Program Files\Microsoft\Exchange Server\\ClientAccess\oab. To edit, right-click web.config and click Properties. Then click Security and then Edit. Under Group, click on Authenticated Users. Then click Read & execute for Authenticated Users in Permissions. Then click OK to save your changes.
Finally, if you run into issues with mail not working, start IIS Manager. Then browse to the virtual directories and open HTTP Redirect. Uncheck “Redirect requests to this destination” and click Apply. When you’re done, restart IIS and test the ability to send and receive email to make sure that mail flow functions without error from within the web interface.
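The reason the last step is needed is that an HTTP Redirect set on Default Web Site is inherited by every virtual directory beneath it (Autodiscover, EWS, ActiveSync, OAB and so on), and those endpoints must answer directly, not redirect. The script below, an added example rather than the post’s own steps, does the same thing from PowerShell: it enables the redirect on the site root only, relaxes Require SSL there only, switches the inherited redirect back off on each child, leaves Require SSL in place on the children, and then checks the result with a request that does not follow redirects. It assumes the WebAdministration module on the CAS, a site named Default Web Site, PowerShell 3.0 or later for Invoke-WebRequest, and the OWA URL mail.example.com (an assumption).

```powershell
# Added example, not from the original post. Assumes the WebAdministration
# module on an Exchange 2013 CAS and a site named "Default Web Site".
Import-Module WebAdministration

$SiteName    = 'Default Web Site'
$Site        = "IIS:\Sites\$SiteName"
$Destination = 'https://mail.example.com/owa'   # assumption: your OWA URL
$Redirect    = 'system.webServer/httpRedirect'
$Access      = 'system.webServer/security/access'

# 1. Redirect plain-HTTP hits on the site root to OWA. 301 (Permanent) so
#    browsers stop retrying http://; exactDestination keeps the path fixed.
Set-WebConfigurationProperty -PSPath $Site -Filter $Redirect -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $Site -Filter $Redirect -Name destination -Value $Destination
Set-WebConfigurationProperty -PSPath $Site -Filter $Redirect -Name exactDestination -Value $true
Set-WebConfigurationProperty -PSPath $Site -Filter $Redirect -Name httpResponseStatus -Value 'Permanent'

# 2. Stop requiring SSL on the site root only; otherwise IIS returns 403.4
#    before the redirect can run. Children keep their own sslFlags.
Set-WebConfigurationProperty -PSPath $Site -Filter $Access -Name sslFlags -Value 'None'

# 3. Undo the inherited redirect on every application and virtual directory
#    under the site, so only the root redirects.
$childPaths = @(Get-WebApplication -Site $SiteName | ForEach-Object { $_.path }) +
              @(Get-WebVirtualDirectory -Site $SiteName | ForEach-Object { $_.path })
foreach ($p in ($childPaths | Sort-Object -Unique)) {
    $child = "$Site$p".Replace('/', '\')
    Set-WebConfigurationProperty -PSPath $child -Filter $Redirect -Name enabled -Value $false
}

# 4. Audit: redirect state and SSL requirement for the root and each child.
function Get-RedirectAudit {
    $paths = @('') + ($childPaths | Sort-Object -Unique)
    foreach ($p in $paths) {
        $node = "$Site$p".Replace('/', '\')
        [pscustomobject]@{
            Path       = if ($p) { $p } else { '/' }
            Redirect   = (Get-WebConfigurationProperty -PSPath $node -Filter $Redirect -Name enabled).Value
            RequireSSL = [string](Get-WebConfigurationProperty -PSPath $node -Filter $Access -Name sslFlags)
        }
    }
}

# 5. Check the first hop only: expect 301 and a Location of $Destination.
function Test-HttpRedirect {
    param([string]$Url)
    try   { $r = Invoke-WebRequest -Uri $Url -MaximumRedirection 0 -UseBasicParsing }
    catch { $r = $_.Exception.Response }   # a 301 with redirects disabled lands here
    [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Location = $r.Headers['Location'] }
}

Get-RedirectAudit | Format-Table -AutoSize
Test-HttpRedirect -Url 'http://mail.example.com/'
```

After step 3 the audit should show Redirect True only for "/", and RequireSSL "Ssl" (or "Ssl, SslNegotiateCert" where client certificates are configured) for every child; if a child shows the redirect still enabled, that is the one breaking Autodiscover or ActiveSync.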
krypted December 6th, 2013
When running mailbox exports, move requests, etc. in Exchange 201x you might get an error. This is because the Management Role Assignments have changed ever so slightly. In order to give an account the ability to do certain tasks, you can use the New-ManagementRoleAssignment PowerShell cmdlet. To do so, pick a user (in this case the username is kryptedadmin) using the -User option and choose the role to assign (in this case, Mailbox Import Export) using the -Role option. The command then looks as follows:
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User kryptedadmin
To see if your roles were properly applied:
Get-ManagementRoleAssignment -Role "Mailbox Import Export" | ft Identity
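Mailbox Import Export lets whoever holds it export any mailbox in scope to a PST, so it is worth knowing who has it and limiting where it applies. The following added example (not part of the original post) lists every effective holder, including users who get the role through a role group, and then grants the role through a role group whose assignment is scoped to one OU instead of a bare -User assignment. It assumes an Exchange 2013 Management Shell; the role group name, the kryptedadmin account and the OU path example.org/Engineering are assumptions.

```powershell
# Added example, not from the original post. Assumes an Exchange 2013
# Management Shell run by an Organization Management member.
$Role      = 'Mailbox Import Export'
$RoleGroup = 'Mailbox Migration Operators'   # assumption
$Member    = 'kryptedadmin'                  # assumption
$OUScope   = 'example.org/Engineering'       # assumption

# Who can export mailboxes today? -GetEffectiveUsers expands role group
# membership, so nested members show up as well as direct assignments.
function Get-ImportExportHolders {
    Get-ManagementRoleAssignment -Role $Role -GetEffectiveUsers |
        Select-Object EffectiveUserName, RoleAssigneeType, RoleAssigneeName,
                      RecipientWriteScope, CustomRecipientWriteScope
}

# Grant through a role group (auditable membership) rather than per user,
# then narrow the resulting assignment to one OU of target mailboxes.
function Grant-ScopedImportExport {
    if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
        New-RoleGroup -Name $RoleGroup -Roles $Role -Members $Member | Out-Null
    }
    Get-ManagementRoleAssignment -RoleAssignee $RoleGroup -Role $Role |
        Set-ManagementRoleAssignment -RecipientOrganizationalUnitScope $OUScope
}

Grant-ScopedImportExport
Get-ImportExportHolders | Format-Table -AutoSize
```

Assignments are evaluated when a remote PowerShell session is created, so the account needs a fresh Exchange Management Shell before New-MailboxImportRequest stops erroring; the holder list is the thing to re-run periodically, since a role group member added later never appears in Get-ManagementRoleAssignment without -GetEffectiveUsers.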
krypted November 2nd, 2013
Posted In: Microsoft Exchange Server
Exchange 2013 allows administrators to script Mail Contact creation and mail-enable those contacts. Let’s say you want to create a contact named Charles Edge, configure an External Email Address of firstname.lastname@example.org and set the Organizational Unit to Engineering. Well, that would look something like this:
New-MailContact -Name "Charles Edge" -ExternalEmailAddress "email@example.com" -OrganizationalUnit "Engineering"
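Once one contact works, the usual job is a batch of them from a spreadsheet. The script below is an added example, not from the original post: it reads rows from a CSV (here a constructed sample embedded inline so it runs without a file), rejects anything that is not shaped like an SMTP address before it reaches Active Directory, skips contacts that already exist so the import can be re-run safely, and creates the rest with the same New-MailContact call as above. It assumes an Exchange 2013 Management Shell; the column names and the OU path are assumptions.

```powershell
# Added example, not from the original post. Assumes an Exchange 2013
# Management Shell. Constructed sample input; replace with Import-Csv .\contacts.csv
$csvText = @'
Name,ExternalEmailAddress,OrganizationalUnit
"Charles Edge",charles.edge@example.org,example.org/Engineering
"Bad Entry",not-an-address,example.org/Engineering
'@
$rows = $csvText | ConvertFrom-Csv

function New-ValidatedMailContact {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ExternalEmailAddress,
        [Parameter(Mandatory)][string]$OrganizationalUnit
    )
    # Cheap shape check: one @, no whitespace, a dot in the domain part.
    if ($ExternalEmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Write-Warning "Skipping '$Name': '$ExternalEmailAddress' is not an SMTP address"
        return
    }
    # Idempotent: Identity accepts an SMTP address, so a re-run finds the
    # existing contact instead of failing or creating a duplicate.
    $existing = Get-MailContact -Identity $ExternalEmailAddress -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Exists: $($existing.Name) <$ExternalEmailAddress>"
        return $existing
    }
    New-MailContact -Name $Name -ExternalEmailAddress $ExternalEmailAddress -OrganizationalUnit $OrganizationalUnit
}

$created = foreach ($row in $rows) {
    New-ValidatedMailContact -Name $row.Name `
        -ExternalEmailAddress $row.ExternalEmailAddress `
        -OrganizationalUnit $row.OrganizationalUnit
}
$created | Select-Object Name, PrimarySmtpAddress, ExternalEmailAddress, OrganizationalUnit
```

With the sample rows, the first contact is created (or reported as existing on a second run) and the second is rejected by the address check with a warning rather than an AD error halfway through the batch.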
And if you’ve never spent much time in Minnesota, the acronym for Database Availability Group is DAG. Just pronounce the A with an AE sound about 20 times and you’ll understand how awesome it can be. 🙂
krypted August 17th, 2013
Posted In: Microsoft Exchange Server
Previously, I covered installing the DNS role in Windows Server 2012. Once installed, managing the role is very similar to how management was done in Windows Server 2003 through 2008 R2, with the exception of how you access the tools. DNS is one of the most important services in Windows Servers, as with most other platforms. So it’s important to configure DNS.
To get into the DNS Manager in 2012 Server, first open Server Manager (you might get sick of using this tool in Server 2012, similar to how my Mac Server brethren have gotten tired of it in Lion and Mountain Lion Servers). Then from Server Manager click on DNS from the Tools menu.
Once the DNS Manager mmc is open, notice that you will have Forward and Reverse zones listed. The forward zones point names at IP addresses or other types of records and the reverse zones contain information about what the name is for a given IP address.
By default there are no zones, so click on New Zone from the Action menu to bring up the New Zone Wizard. From here, click on Next. If the zone is a new zone, click on New Zone. Otherwise, choose Secondary Zone if the server will be acting as a secondary name server for a given zone (make sure the primary allows zone transfers from the IP of the system you’re configuring) or select Stub Zone if the server will host a partial list of records. Click Next when you’ve selected the type of zone to create.
At the New Zone screen, enter a name for the zone. For example, krypted.com. Once entering the new Zone name, click Next.
At the Zone file screen, enter a name for the file that information about the new zone will be stored in and click on the Next button.
At the Dynamic Update screen, choose whether the zone will allow dynamic updates. Here, you can choose whether clients can update DNS information in zones and if so, who can do so. I usually just leave this at the default (unless I’m preparing to install AD into the zone) and click on the Next button.
At the Completing the New Zone Wizard screen, click on the Finish button (provided of course that the settings match your desired configuration for the zone).
Once you see the domain name in DNS Manager, double-click on it. You’ll see the NS and SOA records. Usually you won’t ever end up touching these. Next, create records for your domain. Using the Action menu, select to create a new A Record, CNAME, etc. In this example, we’ll create a basic A Record, selecting the checkbox to automatically create a PTR with the record. Click
Continue creating your records until they’re all built and go ahead and take this time to test them as well, as they’re being created. I usually like to run a flushdns between each creation/change:
Once you’re done with all of the records, I usually like to restart DNS with net stop:
net stop dns
And of course, start it back up.
net start dns
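The same zone and record creation can be scripted with the DnsServer module that ships with the Windows Server 2012 DNS role, which also makes the test-after-each-record habit above repeatable. The block below is an added example, not from the original post: it creates the forward zone and a matching reverse zone with dynamic updates off (so an unauthenticated client cannot register or overwrite records), adds A records with PTRs, a CNAME and an MX, and checks each one against the server after flushing the local resolver cache. The zone name krypted.com comes from the post; the 10.0.0.0/24 subnet and host addresses are constructed sample values.

```powershell
# Added example, not from the original post. Assumes the DnsServer module
# (Windows Server 2012 DNS role) run as an administrator on the DNS server.
Import-Module DnsServer

$Zone    = 'krypted.com'
$Reverse = '0.0.10.in-addr.arpa'   # reverse zone for 10.0.0.0/24 (constructed)

# Forward zone, file-backed, "Do not allow dynamic updates".
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
}
# Reverse zone so that -CreatePtr below has somewhere to write PTRs.
if (-not (Get-DnsServerZone -Name $Reverse -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ZoneFile "$Reverse.dns" -DynamicUpdate None
}

# Records: A with automatic PTR, a CNAME alias, and an MX at the zone apex.
Add-DnsServerResourceRecordA     -ZoneName $Zone -Name 'mail' -IPv4Address '10.0.0.25' -CreatePtr
Add-DnsServerResourceRecordA     -ZoneName $Zone -Name 'dc1'  -IPv4Address '10.0.0.10' -CreatePtr
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'autodiscover' -HostNameAlias "mail.$Zone"
Add-DnsServerResourceRecordMX    -ZoneName $Zone -Name '.' -MailExchange "mail.$Zone" -Preference 10

# Query this server directly after a flushdns, and compare with what we expect.
function Test-DnsRecord {
    param([string]$Name, [string]$Type, [string]$Expected, [string]$Server = '127.0.0.1')
    Clear-DnsClientCache
    $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Server -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq $Type }
    $got = switch ($Type) {
        'A'     { $answer.IPAddress }
        'PTR'   { $answer.NameHost }
        'CNAME' { $answer.NameHost }
        'MX'    { $answer.NameExchange }
    }
    [pscustomobject]@{ Name = $Name; Type = $Type; Expected = $Expected; Got = $got; Ok = ($got -eq $Expected) }
}

@(
    Test-DnsRecord -Name "mail.$Zone"             -Type A     -Expected '10.0.0.25'
    Test-DnsRecord -Name '25.0.0.10.in-addr.arpa' -Type PTR   -Expected "mail.$Zone"
    Test-DnsRecord -Name "autodiscover.$Zone"     -Type CNAME -Expected "mail.$Zone"
    Test-DnsRecord -Name $Zone                    -Type MX    -Expected "mail.$Zone"
) | Format-Table -AutoSize

# One restart after the batch rather than after every record.
Restart-Service -Name DNS
```

A row with Ok False for the PTR while the A record is fine almost always means the reverse zone did not exist when -CreatePtr ran; create the reverse zone first, as the script does, or add the PTR by hand afterwards.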
At the DNS Manager screen, right-click (control-click if you’re using a Mac) on the name of the server and then click on Properties. From the Properties screen, you’ll initially see the interface screen. Here, uncheck the box for any of the interfaces you don’t wish to have a listener for the DNS service (port 43).
Click on the Forwarders tab. Here, define servers that your server uses to resolve DNS. DNS is kinda’ like a pyramid scheme like that. You shouldn’t need to use these too often, but there are some great options here for conditional forwards, where your server looks to a specific server for a given DNS domain.
Click on the Advanced tab. Here, you can configure a variety of server options. A common security task would be to disable recursion. If this server is an Active Directory integrated DNS server, doing so would not stop other Active Directory DNS servers from communicating with one another, as they receive their DNS information from Active Directory, as can be seen in the Load zone data on startup field of this screen. The Enable BIND secondaries option allows a Mac to act as a secondary DNS server for the records stored on this server. This doesn’t work too well with Active Directory service records, in my experience, but works pretty well with anything else provided you define each zone to cache.
Click on Root Hints. If you need to edit these then you might be doing something wrong. Root hints are the root DNS servers that sit atop the DNS pyramid scheme. I’ve only ever needed to edit these once, at the instruction of Microsoft during a support call for an environment that was in a walled garden. If the server connects to the Internet then chances are it should use the Forwarders to resolve names as opposed to Root Hints.
Click on the Monitoring tab. Here, you can configure a small monitor that will run queries against the DNS server (or with recursion as indicated with the second option) and you can automate the test to run every so often and show the results.
Click on the Event Logging tab. By default, all events are logged. Here, you can decrease logging so that the server only logs errors, warnings or even nothing at all.
Click on the Debug Logging tab. This is like a special rockin’ tcpdump for DNS logs. You can log packets of various types with regards to name resolution, filter the output by IP address(es) and dump information out to a file. This is extremely detailed logging so you also have the option to indicate a maximum size of your log files.
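The server-level tabs just walked through (Interfaces, Forwarders, Advanced, Root Hints, Event Logging, Debug Logging) map onto a handful of DnsServer cmdlets, and doing it in PowerShell makes the settings reviewable and repeatable across servers. The block below is an added example, not from the original post, covering the interface listener (the DNS service listens on UDP and TCP port 53), forwarders with root hints turned off, a conditional forwarder, the BIND secondaries switch, the event logging level, a filtered debug log, and a check that recursion is in the state you intended. One caveat the GUI spells out and that is easy to miss in a script: disabling recursion also disables forwarders, so only do that on a server that is purely authoritative, never on the resolver your clients point at. The addresses 10.0.0.10, 10.0.0.1 and 192.0.2.53, the partner zone name and the log path are assumptions.

```powershell
# Added example, not from the original post. Assumes the DnsServer module,
# run as an administrator on the DNS server being configured.
Import-Module DnsServer

$ListenOn   = '10.0.0.10'          # assumption: the interface clients should use
$Upstream   = '10.0.0.1'           # assumption: forwarder for everything else
$LogPath    = 'C:\DnsLogs\dns.log' # assumption
$AuthoritativeOnly = $false        # $true only on a server that hosts zones and resolves nothing

# Interfaces tab: listen on one address (port 53/UDP and /TCP) instead of all.
# Advanced tab: BIND secondaries lives on the same settings object.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @($ListenOn)
$settings.BindSecondaries    = $true
Set-DnsServerSetting -InputObject $settings

# Forwarders tab: prefer the upstream resolver over root hints, and send one
# partner domain to its own servers (conditional forwarder, file-based).
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false
if (-not (Get-DnsServerZone -Name 'partner.example' -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name 'partner.example' -MasterServers '192.0.2.53'
}

# Advanced tab: recursion. Off means this server answers only for its own zones
# and will not use the forwarders above, hence the guard.
if ($AuthoritativeOnly) { Set-DnsServerRecursion -Enable $false }

# Event Logging tab (2 = errors and warnings) plus a Debug Logging profile:
# queries and answers on UDP/TCP, only for one client address, capped file.
Set-DnsServerDiagnostics -EventLogLevel 2
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Set-DnsServerDiagnostics -Queries $true -Answers $true `
    -ReceivePackets $true -SendPackets $true -UdpPackets $true -TcpPackets $true `
    -FilterIPAddressList '10.0.0.99' `
    -EnableLoggingToFile $true -LogFilePath $LogPath -MaxMBFileSize 500000000

# Check: does this server answer for a name it is not authoritative for?
# Expected True on an internal resolver, False on an authoritative-only server.
function Test-Recursion {
    param([string]$Server = $ListenOn, [string]$OutsideName = 'www.example.com')
    $r = Resolve-DnsName -Name $OutsideName -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Server            = $Server
        RecursionSetting  = (Get-DnsServerRecursion).Enable
        AnsweredOutside   = [bool]$r
        Forwarders        = (Get-DnsServerForwarder).IPAddress -join ','
    }
}

Test-Recursion | Format-List
```

If Test-Recursion shows RecursionSetting True on a server that is reachable from the Internet, it is an open resolver; if it shows False on the server your workstations use, they have just lost the ability to resolve anything outside your zones, which is the forwarders caveat above in practice.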
You also have more granular controls for each domain. In the DNS Manager, right-click on your new domain and then click on Properties. Here, you’ll see the information you provided when configuring the zone in the first place (btw, zone is pretty much the same thing as domain, except each subnet of IP addresses for PTR records is also considered a zone). At the General tab you can pause a domain’s DNS, change the zone from a primary to a secondary if needed, etc. You can also define a different name for your zone file and enable dynamic updates. If the zone is a primary zone, click on the Aging button if you’d like to configure stale record scavenging. There, you can define when records that become stale are automatically deleted.
Click on the SOA tab. Here, you can define the serial number for the domain. Those are automatically provided but you can override them if needed. You can define primary servers if the zone is a secondary and then provide an email address/username of the user who manages the domain. Here, you also configure TTL for the domain, domain record expiry, retry intervals for the domain, etc.
At the Name Servers tab, you can add servers that this zone can be hosted on.
Click on the WINS tab. If you are integrating WINS with DNS then chances are you missed flannel going out of style. But that’s ok, since provided you’re wearing your flannel with super tight jeans that require a can opener to get off, it’s just fine to wear a flannel. Anyway, if you use WINS with DNS, you’ll need to install WINS with Server Manager. When you go to add WINS it’s a feature, not a role.
Click on Zone Transfers. This is where you define which IP addresses are able to perform a zone transfer for the domain you’re configuring. By default, only the hosts listed on the Name Servers tab are allowed to request one. To open it up to everyone (not the best security option) click “To any server”, or to use a separate list from the Name Servers, use the “Only to the following servers” button and then the Edit button to populate the list.
Once you’ve configured the properties for your zone as granularly as you’d like, click Apply and then finish populating the zone with any other required records and testing all the settings. I also like to restart my DNS again after all that fun stuff.
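The zone-level tabs (General and Aging, SOA, Zone Transfers) can be set from PowerShell too, and the zone transfer restriction in particular is one you want recorded somewhere other than a dialog box, because an unrestricted AXFR hands a copy of every record in the zone to anyone who asks. The block below is an added example, not from the original post: it limits transfers to a named list of secondaries and notifies only them, turns on aging for the zone together with server-side scavenging (the zone setting does nothing until the server runs the scavenger), edits the SOA timers and responsible-person field using the clone-and-replace pattern the DnsServer module requires for SOA records, and reads the zone back. krypted.com is from the post; the secondary address 10.0.0.11 and the timer values are assumptions.

```powershell
# Added example, not from the original post. Assumes the DnsServer module,
# run as an administrator on the primary for the zone.
Import-Module DnsServer

$Zone        = 'krypted.com'
$Secondaries = @('10.0.0.11')   # assumption: hosts allowed to AXFR the zone

# Zone Transfers tab: "Only to the following servers", and notify just those.
Set-DnsServerPrimaryZone -Name $Zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondaries `
    -Notify NotifyServers -NotifyServers $Secondaries

# Aging button: a dynamically registered record that is not refreshed within
# no-refresh + refresh (14 days here) becomes eligible for deletion.
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval ([TimeSpan]'7.00:00:00') -RefreshInterval ([TimeSpan]'7.00:00:00')
# The scavenger itself is a server setting; without it stale records stay.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval ([TimeSpan]'7.00:00:00')

# SOA tab: SOA records are replaced, not edited in place. Clone, change, swap.
function Set-ZoneSoa {
    param([string]$ZoneName, [string]$ResponsiblePerson)
    $old = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Soa
    $new = $old.Clone()
    $new.RecordData.ResponsiblePerson = $ResponsiblePerson   # e.g. hostmaster.krypted.com.
    $new.RecordData.RefreshInterval   = [TimeSpan]'01:00:00'
    $new.RecordData.RetryDelay        = [TimeSpan]'00:15:00'
    $new.RecordData.ExpireLimit       = [TimeSpan]'14.00:00:00'
    $new.RecordData.MinimumTimeToLive = [TimeSpan]'01:00:00'
    # Serial is bumped automatically when the zone changes; set it only to force one.
    Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new
}
Set-ZoneSoa -ZoneName $Zone -ResponsiblePerson "hostmaster.$Zone."

# Read-back: this is what to keep alongside the change record.
function Get-ZoneHardeningReport {
    param([string]$ZoneName)
    $z   = Get-DnsServerZone -Name $ZoneName
    $age = Get-DnsServerZoneAging -Name $ZoneName
    $soa = (Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Soa).RecordData
    [pscustomobject]@{
        Zone              = $ZoneName
        SecureSecondaries = $z.SecureSecondaries
        SecondaryServers  = ($z.SecondaryServers -join ',')
        Notify            = $z.Notify
        AgingEnabled      = $age.AgingEnabled
        Serial            = $soa.SerialNumber
        ResponsiblePerson = $soa.ResponsiblePerson
        ExpireLimit       = $soa.ExpireLimit
    }
}
Get-ZoneHardeningReport -ZoneName $Zone | Format-List

Restart-Service -Name DNS
```

A report showing SecureSecondaries TransferAnyServer on any zone is the finding to chase first; TransferToZoneNameServer is the default described above, and TransferToSecureServers with an explicit list is what this script enforces.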
krypted June 12th, 2013