Role Based Access Control (RBAC)

Role Based Access Control (RBAC) is the new permissions model in Exchange 2010. If you have not heard about RBAC here are the links to get familiar with it.

If you have just finished installing Exchange 2010 and are wondering how you are going to give Exchange rights to your network administrators, here is the quick way to get to the Role Based Access Control (RBAC) user editor: open the EMC on your Exchange 2010 server, drill down to Toolbox, and click on RBAC.

As soon as you click, you will be asked to log into OWA (-: use the administrator account (or the account you used to install Exchange 2010) to log in.

Click on “Administrator Roles”.

Click on Organization Management (in this example I am going to give rights to my own account to manage the organization settings). The nice thing about this new window is that it is very informative: you can literally read the description of the group and find out what privileges the group grants.

Make the proper changes and click on the Save button.
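The same steps from the Exchange Management Shell, as an added example that is not part of the original post. The role group is the one used above; the user name is a placeholder.

```powershell
# Added example, not from the original post. Run in the Exchange 2010 Management Shell.
$RoleGroup = "Organization Management"
$User      = "CONTOSO\jdoe"      # placeholder: the account you want to grant rights to

# What the RBAC editor shows as the group description, plus the roles behind it
Get-RoleGroup -Identity $RoleGroup | Format-List Name, Description, Roles, Members

# Each management role the group carries and the scope it is allowed to write to;
# this is the precise answer to "what privileges does this group grant"
Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
    Select-Object Role, RecipientWriteScope, ConfigWriteScope |
    Format-Table -AutoSize

# Organization Management is the most powerful built-in group. If the admin only
# needs to manage mailboxes and recipients, the built-in Recipient Management
# group is the narrower choice; the same cmdlets apply.
Add-RoleGroupMember -Identity $RoleGroup -Member $User

# Verify the change
Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name, RecipientType -AutoSize

# Quick audit of every role group that currently has members, worth re-running
# periodically so that Organization Management does not silently grow
Get-RoleGroup | ForEach-Object {
    $members = Get-RoleGroupMember -Identity $_.Identity | Select-Object -ExpandProperty Name
    if ($members) {
        New-Object PSObject -Property @{ Group = $_.Name; Members = ($members -join ', ') }
    }
} | Format-Table Group, Members -AutoSize
```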

Information Rights Management Role
http://technet.microsoft.com/en-us/library/dd876934.aspx
Understanding Role Based Access Control
http://technet.microsoft.com/en-us/library/dd298183.aspx
Permissions Cmdlets
http://technet.microsoft.com/en-us/library/dd297953.aspx
http://technet.microsoft.com/en-us/library/dd638181.aspx
Managing Administrator and Specialist Users
http://technet.microsoft.com/en-us/library/dd335101.aspx

Cheers


Recover Failed Exchange Server with /M:RecoverServer Switch

Scenario:

One of your Exchange CAS boxes crashed, and you have no way of getting it back. As many of you know, simply bringing up another Exchange server with the same name and IP address won't work, because the information about the failed Exchange server still exists in Active Directory, and Exchange uses the Domain, Configuration and Schema partitions of the .DIT database.

So we will use the following switch to perform the installation. If this is a mailbox server, please read the article Henrik wrote.

You may ask yourself why we are using the recovery switch: again, we want setup to go to AD, read the information about the failed server, and apply it to the new server we are bringing up. *** We use the same IP and the same server name ***

Steps taken:

. Install a fresh server (in this case Windows 2008 SP1)
. Give it the same IP and the same computer name as the previous failed Exchange server, join the domain, and make sure your account is added to the local Administrators group and has the proper Exchange administrator rights.
. Reset the computer account in AD
. Make sure the server is identical to the failed one; keep the same drive letters, etc.
. Copy the Exchange installation binaries onto this server
. Drill into that directory and use the following switch

>Setup.com /M:RecoverServer

**** If you are receiving the following error, follow the additional steps before you move on ****

“You must perform disaster recovery using the same version of Exchange as the last installed version. The current installed version is ‘8.1.240.6’ the last installed version was ‘8.2.176.2’”

This simply translates to: the failed Exchange server's version is SP2, and you are running the recovery switch from an Exchange CD with SP1.

As you can see, setup goes to AD and reads an attribute called “SerialNumber” from the failed server object, so we will have to do a little trick in AD and modify this attribute.


Open ADSIEdit or ADExplorer and navigate to:

Configuration
Services
Administrative Groups
CN=ServerName

Find the attribute called SerialNumber and modify it.


If you are receiving this: “The current installed version is 8.1.240.6 the last installed version was 8.2.176.2”

Current version: 8.2 (Build 30176.2) (SP2)
Installed version: 8.1.240.6 (Build 30240.6) (SP1)


Check out the build numbers.

http://support.microsoft.com/kb/158530

Change the version number to , and setup will run without complaining.
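An added example (not from the original post) that does the ADSIEdit part of this procedure from PowerShell: it locates the failed server's object in the Configuration partition, shows the current serialNumber, saves it to a file, and only changes it when you pass a new value. -ServerName and -NewSerialNumber are placeholders you supply; the attribute and object class names are the real ones Exchange uses.

```powershell
# Added example, not from the original post. Run as an account that can write to the
# Exchange server object (Exchange Organization Administrator or equivalent).
param(
    [Parameter(Mandatory = $true)][string]$ServerName,   # placeholder: failed server's name
    [string]$NewSerialNumber                              # placeholder: value to set, optional
)

# The Exchange server objects live under the Configuration naming context
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNC")
$searcher.Filter = "(&(objectClass=msExchExchangeServer)(cn=$ServerName))"
$result = $searcher.FindOne()
if ($result -eq $null) {
    throw "No Exchange server object named '$ServerName' found under $configNC"
}

$server  = $result.GetDirectoryEntry()
$dn      = $server.distinguishedName.Value
$current = $server.serialNumber.Value
Write-Host "Server object : $dn"
Write-Host "serialNumber  : $current"

if ($NewSerialNumber) {
    # Keep a record of the old value so it can be put back after recovery
    "{0}`t{1}`t{2}" -f (Get-Date -Format s), $dn, $current |
        Out-File -Append -FilePath ".\serialNumber-backup.txt"

    $server.Put("serialNumber", $NewSerialNumber)
    $server.SetInfo()
    Write-Host "serialNumber changed to: $NewSerialNumber (old value saved to serialNumber-backup.txt)"
}
```

Run it once without -NewSerialNumber to confirm you are looking at the right object before changing anything.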

http://www.msexchange.org/tutorials/Recovering-Exchange-2007-Server-RecoverServer-switch.html

http://technet.microsoft.com/en-us/library/bb123496(EXCHG.80).aspx

Exchange 2010 blank OAB

Users might get a blank OAB/GAL in Outlook with Exchange 2010. It took me a week to figure this out since there were no traces of it on the internet.

Error message:

Exception Exception type: System.NullReferenceException

Exception message: Object reference not set to an instance of an object.

This is how I resolved it:

1. Install the support tools and open ADSIEDIT

2. Expand the Configuration container and navigate to this location: Exchange – Organisation name

3. Go to the properties of the organization name

4. Double click on the attribute MSExchResourceAddressLists

5. Here, we are looking for an entry which has deleted items in it. This would be an address list entry which was not deleted properly. In my case, it was:

CN=Printer mailboxesBAFAB:3a62e7b2-32c2-513a-c2c3-2bbd316324fc,CN=Deleted Objects,CN=Configuration,DC=Zulu,DC=Main,DC=com

6. Delete this entry, restart IIS and confirm.
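An added example (not from the original post) that finds the kind of entry described above without clicking through ADSIEdit: it reads msExchResourceAddressLists from the organization object and reports any value that points into CN=Deleted Objects. Nothing is changed unless you pass -Remove.

```powershell
# Added example, not from the original post. Read-only by default.
param([switch]$Remove)

# The Exchange organization object sits in the Configuration naming context
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNC")
$searcher.Filter = "(objectClass=msExchOrganizationContainer)"
$result = $searcher.FindOne()
if ($result -eq $null) { throw "No Exchange organization object found under $configNC" }

$org = $result.GetDirectoryEntry()
Write-Host "Organization object: $($org.distinguishedName.Value)"

# A properly deleted address list leaves no link; a lingering one points into the
# Deleted Objects container, which is exactly what the post removes by hand
$stale = @($org.msExchResourceAddressLists | Where-Object { $_ -match 'CN=Deleted Objects' })

if ($stale.Count -eq 0) {
    Write-Host "No references to deleted address lists found."
    return
}
$stale | ForEach-Object { Write-Host "Stale entry: $_" }

if ($Remove) {
    # PutEx with 4 (ADS_PROPERTY_DELETE) removes only the listed values from the
    # multi-valued attribute and leaves the healthy entries untouched
    foreach ($dn in $stale) {
        $org.PutEx(4, "msExchResourceAddressLists", @($dn))
    }
    $org.SetInfo()
    Write-Host "Removed $($stale.Count) entry(ies). Run iisreset and re-check the OAB."
}
```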

Exchange 2010 ActiveSync user fails with event id 1104

Exchange ActiveSync fails with event id 1104 for a user who has been moved from Exchange 2003 or Exchange 2007.

We receive this event ID in the application log:

Log Name: Application
Source: MSExchange ActiveSync
Date: 2/1/2010 8:11:09 PM
Event ID: 1104
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: E14-zulu
Description:
Exchange ActiveSync experienced an error when it tried to perform Active Directory operation for user “MSEXCHANGE\zulu”. If this event occurs infrequently, no user action is required. If this event occurs frequently, check network connectivity using PING or PingPath. You can also use the Test-ActiveSyncConnectivity cmdlet.

The solution is pretty simple:

1. Log into AD Users and Computers

2. Locate the user and go to Properties

3. Click on the Security tab and then click Advanced

4. Check the box “Allow inheritable permissions from parent”
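An added example (not from the original post) that finds accounts in this state before users report the error: it lists every user whose ACL has inheritance blocked, which is the condition the checkbox above reverses, and can re-enable inheritance for one named account. It uses System.DirectoryServices only, so it does not need the AD module; -SamAccountName is a placeholder.

```powershell
# Added example, not from the original post.
param(
    [string]$SamAccountName,   # placeholder: check (and optionally fix) one user; omit to scan all
    [switch]$Fix               # with -SamAccountName: re-enable inheritance on that account
)

$defaultNC = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$searcher  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$defaultNC")
if ($SamAccountName) {
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
} else {
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
}
$searcher.PageSize = 500   # paged results so large domains do not hit the 1000-object limit

$found = 0
foreach ($r in $searcher.FindAll()) {
    $entry = $r.GetDirectoryEntry()
    # AreAccessRulesProtected is true exactly when "Allow inheritable permissions
    # from parent" is unchecked on the object's DACL
    if (-not $entry.ObjectSecurity.AreAccessRulesProtected) { continue }

    $found++
    Write-Host "Inheritance blocked: $($entry.distinguishedName.Value)"

    if ($Fix -and $SamAccountName) {
        # Same effect as ticking the checkbox; the second argument ($true) keeps the
        # explicit ACEs already on the object instead of discarding them
        $entry.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $entry.CommitChanges()
        Write-Host "Inheritance re-enabled for $SamAccountName"
    }
}
Write-Host "$found account(s) with inheritance blocked."
```

Accounts that are members of protected groups (adminCount=1) are managed by AdminSDHolder, and SDProp will block inheritance on them again; for those, the lasting fix is to remove the account from the protected group rather than to re-tick the box.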

Windows Server 2008 Core Initial Setup and RODC Installation

 

Hi,

My first blog post will give you an intro to Windows Server 2008 Core Edition and the commands needed to configure a Server Core in your domain and add it as a DC.

As Microsoft puts it, “The Server Core installation option is a new option that you can use for installing Windows Server 2008. A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles”. I think there is no need to explain further.

Windows Server Core does not support all the Windows Server 2008 roles and features. The supported roles and features are:

Supported Server Roles

  • Active Directory Domain Services (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)
  • DHCP Server
  • DNS Server
  • File Services
  • Hyper-V
  • Print Services
  • Streaming Media Services
  • Web Server (IIS)*

Supported Server Features

  • Failover Clustering
  • Network Load Balancing
  • Subsystem for UNIX-based applications
  • Backup
  • Multipath IO
  • Removable Storage
  • BitLocker Drive Encryption
  • Simple Network Management Protocol (SNMP)
  • Windows Internet Name Service (WINS)
  • Telnet client
* As for Web Services, a Server Core installation does not support all Web Services and functionality. New Web Services enhancements will probably be available in Windows Server 2008 R2.

So, after this brief intro, here are the commands needed for your Server Core initial setup:

Set password for local admin –

Choose 'Other User' at the logon screen > type 'Administrator' with no password and press Enter > follow the instructions to create a new password.

Run Sysprep (For deployment) –

Navigate to 'C:\windows\system32\sysprep' and run – sysprep /OOBE /Generalize /shutdown.

Disable/Enable Screen Saver and Screen Saver Lock –

Regedit: navigate to HKEY_CURRENT_USER\Control Panel\Desktop and modify the 'ScreenSaverActive' & 'ScreenSaverIsSecure' values (0 to disable, 1 to enable).

Rename the Server –

netdom renamecomputer <ComputerName> /NewName:<NewComputerName>

Setup IP Configuration –

View Interfaces: netsh interface ipv4 show interfaces

Set IP for Interface: netsh interface ipv4 set address "InterfaceName" static 17.17.0.2 255.0.0.0 17.17.0.1

Set DNS Server Addresses: netsh interface ipv4 add dnsserver name="InterfaceID" address="DNSIPAddress"

Run again for additional DNS Servers.

Join the computer to Domain –

netdom join "ComputerName" /domain:"DomainName" /userd:"UserName" /passwordd:*

When prompted for the password, enter the domain user's password.

Enable Windows Update –

Cscript c:\windows\system32\scregedit.wsf /au 4

Net stop wuauserv

Net start wuauserv

This sets the default configuration for Windows Update: a 3 AM update check. If you want to force an update check, run: wuauclt /detectnow

Enable Remote Management on Firewall –

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

To disable the windows firewall –

netsh firewall set opmode disable

To enable the windows firewall –

netsh firewall set opmode enable

Enable Windows Remote Management (WinRM) –

winrm qc

Enable Remote Desktop –

cscript C:\Windows\System32\scregedit.wsf /ar 0

If Firewall Enabled –

netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

OK, so the above commands are needed for the initial setup of the server.

As far as I can tell, you, the IT person who will deploy Server Core, will use it mainly for two reasons: Domain Controller and Hyper-V.

As for a Domain Controller: if you install Server Core as a DC, you probably use it in a site with poor physical security, and if so, you will probably want to configure it as an RODC (Read Only Domain Controller).

Oh, you must know that a Read Only Domain Controller requires an operating Windows Server 2008 full DC…

Now, here are the commands needed for the installation of a Windows Server 2008 Core RODC:

Install DNS –

start /w ocsetup DNS-Server-Core-Role

Prepare Schema for RODC –

On the Schema Master, navigate to the following folder on the Windows Server 2008 media and run the following command:

X:\sources\adprep>adprep /rodcprep

Run Dcpromo with an unattended file for RODC Installation –

dcpromo /unattend:<unattendfile>

Sample of an unattended file for RODC installation:

[DCInstall]
InstallDNS=Yes
ConfirmGc=Yes
CriticalReplicationOnly=No
DisableCancelForDnsInstall=No
Password=
RebootOnCompletion=Yes
ReplicaDomainDNSName=DomainDNSName
ReplicaOrNewDomain=ReadOnlyReplica
ReplicationSourceDC=SRV2008DC.DomainDNSName
SafeModeAdminPassword=
SiteName=Default-First-Site-Name
UserDomain=DomainDNSName
UserName=Administrator

Your Server Core initial setup and RODC are done!