30 October 2012

How to assign a user the permission to create new contacts in Exchange 2010

Let’s say you’re tired of creating new external contacts and want to delegate this right to another user. Or the user is tired of waiting for an administrator to create a mail contact. External contacts are typically used inside mail distribution groups, because you cannot simply add an e-mail address to the group.

First of all you need to find the role which contains the right command. In this case the needed command is New-MailContact. You can search for the role with the following command in Exchange Management Shell:

Get-ManagementRole | Get-ManagementRoleEntry | where {$_.name -eq "new-mailcontact"}

The result will look like this:

image

So the role which contains the right to add new contacts is “Mail Recipient Creation”. This role contains a lot of other commands. To see which commands are available in this role:

Get-ManagementRole "Mail Recipient Creation" | Get-ManagementRoleEntry

You will get a lot of commands:

image

For this task you don’t need all those entries. You need only New-MailContact and Get-MailContact. In fact you also need Get-Recipient, because without it your end user cannot see the Organization Administration part in Outlook Web App. So you need to create a new role which is a little more restrictive. To accomplish this, use this command:

New-ManagementRole -Name "Contact Editor Role" -Parent "Mail Recipient Creation"

This will make a clone (a child role) of the existing recipient creation role. To remove unnecessary commands from the new role, use these commands:

Get-ManagementRole "Contact Editor Role" | Get-ManagementRoleEntry | where {$_.name -ne "get-recipient"} | Remove-ManagementRoleEntry
Add-ManagementRoleEntry "Contact Editor Role\Get-MailContact"
Add-ManagementRoleEntry "Contact Editor Role\New-MailContact"

The first line removes all role entries except Get-Recipient. After that I add two extra commands: Get-MailContact and New-MailContact.

Now that the role is created with the correct tasks (role entries) available, you need to create a role group. This is best done using OWA or ECP, logged on as an Exchange administrator. ECP can be accessed in OWA using the Options menu:

image

Choose “Manage” and from there “My Organization”:

image

Choose Roles & Auditing and click New… button:

image

Fill in the role group name, add the previously created “Contact Editor Role” and choose the members (the users who can add new contacts):

image

Optionally you can choose an Organizational Unit, but it’s useless, because in ECP the user can create mail contacts only in the /Users folder. It’s not even an OU.

Now log on to OWA with the end user account. Go to Options, choose to manage “My Organization” and voila! The “New” button is available in Contacts section.

As you can see, the user cannot delete or modify contacts. For that, you can add more role entries. For changes to take effect, the end user needs to close the browser and reopen it to see the new buttons.
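The role check and the role group creation described above can also be done from the Exchange Management Shell, which makes it easy to confirm that the delegated role contains nothing beyond the three intended cmdlets. This is an added example, not part of the original post; the role group name "Contact Editors" and the member "jdoe" are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell as an Exchange administrator.
$role    = "Contact Editor Role"                               # role created above
$allowed = "Get-Recipient", "Get-MailContact", "New-MailContact"
$group   = "Contact Editors"                                   # hypothetical role group name
$members = "jdoe"                                              # hypothetical end-user account

# 1. Compare the role's entries with the allow-list before handing the role out.
$entries = @(Get-ManagementRoleEntry "$role\*" | ForEach-Object { $_.Name })
$extra   = @($entries | Where-Object { $allowed -notcontains $_ })
$missing = @($allowed | Where-Object { $entries -notcontains $_ })

if ($extra.Count -gt 0 -or $missing.Count -gt 0) {
    throw ("Role '$role' differs from the allow-list. " +
           "Extra: $($extra -join ', '); missing: $($missing -join ', ')")
}

# 2. Create the role group only if it does not exist yet.
if (-not (Get-RoleGroup | Where-Object { $_.Name -eq $group })) {
    New-RoleGroup -Name $group -Roles $role -Members $members
}

# 3. List every user who effectively holds the role, and through which assignment.
Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Format-Table EffectiveUserName, RoleAssigneeName, AssignmentMethod -AutoSize
```

Re-run steps 1 and 3 after adding further role entries (for example to allow modifying or deleting contacts) to keep track of what the delegated users can actually do.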

18 October 2012

How to get computer vendor, product type and serial number programmatically

This article will be one of the shortest. Use this command:

wmic csproduct get vendor & wmic csproduct get name & wmic bios get serialnumber

How to change Windows file server name properly

Let’s go through a few scenarios where you can use the procedure described in this article:

  1. Change physical hardware of the file server. The new server will get a new name because you probably don’t want a huge service outage. At some late stage you copy all files from the old server to the new one and shut down the old server. So how will old shortcuts work if the old name is not accessible?
  2. Move data from several file servers to one. You keep share names and consolidate data, but old server names should be accessible.
  3. You migrate to (or from) DFS (Distributed File System).
  4. Maybe DFS or file server name seems a little awkward and you want to change it.
  5. Maybe some other cases, you name it

OK, you have one of those stories. What’s next?

First of all you need to create a CNAME record on your DNS server. If your old file server name was OLDFS and the new one is NEWFS (you need to use \\OLDFS to access the same stuff available on \\NEWFS), then you need this kind of record:

oldfs IN CNAME newfs

The exact syntax depends on the DNS implementation. On Microsoft DNS you will create a record similar to the following picture:

image

If the name OLDFS refers to a DFS, then you need to point it to the DFS namespace (for example the FQDN of your Windows domain).

So, the name resolution problem is solved: the desired server name refers to the right server(s).

The next thing you need is an SPN (Service Principal Name) in place. For that you need a single command executed on your DC (maybe it will work on other computers as well).

setspn -a cifs/oldfs newfs

This command instructs newfs to accept oldfs as the server name for file server protocol. Or maybe it instructs the client computer. But anyway, this step is necessary (at least in some cases). The result of this command will remain in Active Directory.

If the OLDFS name will refer to DFS namespace, you need to run this command several times:

setspn -a cifs/oldfs DC1
setspn -a cifs/oldfs DC2

setspn -a cifs/oldfs DCN

If your infrastructure has a lot of domain controllers, you probably want to automate this. I suggest using PowerShell commands:

import-module ActiveDirectory
Get-ADDomainController -filter * | foreach {setspn -a cifs/oldfs $_.name}
Get-ADDomainController -filter * | foreach {$_.name; setspn -L $_.name | findstr cifs}

The first line imports the AD module (did you remember to run this command on a DC?). The next one lists all domain controllers and for each of them runs the setspn command to add the Service Principal Name. The last line lists SPNs with cifs in the name, so you can check whether the name addition/update was successful.
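On Windows Server 2008 R2, setspn -a adds the SPN without checking whether another account already carries it, and a duplicate SPN makes Kerberos authentication for that name fail. The sketch below is an added example, not from the original post: it looks the SPN up in Active Directory first and then uses setspn -S, which refuses duplicates. The DNS suffix corp.example is a placeholder, and registering the FQDN form in addition to the short name is an assumption beyond what the page describes.

```powershell
# Added example: run on a machine with the ActiveDirectory module (for example a DC).
Import-Module ActiveDirectory

$alias  = "oldfs"          # old server name, as in the article
$target = "newfs"          # computer account that now hosts the shares
$suffix = "corp.example"   # placeholder DNS suffix (assumption)

foreach ($spn in "cifs/$alias", "cifs/$alias.$suffix") {
    # Find every account in the domain that already carries this SPN.
    $owners  = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $foreign = @($owners | Where-Object { $_.Name -ne $target })

    if ($foreign.Count -gt 0) {
        $names = ($foreign | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "$spn is already registered on: $names. Remove it there first (setspn -D)."
        continue
    }
    if ($owners.Count -gt 0) {
        Write-Host "$spn is already present on $target, nothing to do."
        continue
    }

    # -S adds the SPN only after verifying that no duplicate exists.
    setspn -S $spn $target
}

# Show the resulting cifs SPNs on the target account.
setspn -L $target | Select-String "cifs/"
```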

And finally you need a little registry change on your file server:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]
"DisableStrictNameChecking"=dword:00000001

In the case of DFS, the change needs to be done on all domain controllers. For that you can use Group Policy on the Domain Controllers OU. The registry change can be done in the Group Policy Preferences section, as seen in the following screenshots:

image

image

And now you are ready to access \\oldfs, which will redirect you to new file server or to your DFS.

09 October 2012

Change Exchange 2010 incoming/outgoing message size limit

The default incoming/outgoing message size limit in an Exchange environment is typically 10MB. If you need to send or receive larger attachments, you will run into problems. As gmail.com, for example, allows 25MB attachments today, you probably want to allow those e-mails to reach your users.

The limit is present in Exchange configuration in several places:

  1. Organizational limit
  2. Receive Connector limits
  3. Send Connector limits

There are a lot more places to look at if those don’t work. In that case, look first at http://technet.microsoft.com/en-us/library/bb124345.aspx for more information.

To get the current configuration quickly, you can use the following commands in Exchange Management Shell:

Get-TransportConfig | ft MaxReceiveSize,MaxSendSize -a
Get-ReceiveConnector | ft Name,MaxMessageSize -a
Get-SendConnector | ft Name,MaxMessageSize -a

To change the sizes to one particular number (25MB for example):

$m=25MB
Get-TransportConfig | Set-TransportConfig -MaxReceiveSize $m
Get-TransportConfig | Set-TransportConfig -MaxSendSize $m
Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize $m
Get-SendConnector | Set-SendConnector -MaxMessageSize $m

Afterwards you should check the results with the first 3 commands:

image

And you should be able to send and receive e-mails with larger attachments now. Of course, if you have 3rd party systems on the path of your e-mail, you must change those also.

04 October 2012

Backup of Hyper-V virtual machine unsuccessful using DPM 2010 or DPM 2012

You can have a problem backing up a virtual machine using DPM 2010 or DPM 2012. In my case, the backup ended with the error:

An unexpected error occurred while the job was running. (ID 104 Details: The parameter is incorrect (0x80070057))

After investigating the issue using VSSADMIN I realized that everything in VSS is OK. Creating manual snapshots in the guest and on the host computer was successful.

The commands to try a manual snapshot are:

  • vssadmin create shadow /for=C:
  • vssadmin list shadows
  • vssadmin delete shadows /for=C:

So finally I found out that in the virtual machine configuration the path to the VHD file contained a double backslash.

After removing the extra backslash, everything worked like a charm.

03 October 2012

Migrating server and agents from DPM 2010 to DPM 2012

Before the DPM Server installation, make sure that your time zone is correct. To change the time zone after DPM installation, follow the instructions (http://technet.microsoft.com/en-us/library/hh758055.aspx):

  1. Change Time Zone on Windows Server
  2. net stop msdpm
  3. DPM Console – Options, Auto Discovery. Change the schedule (this triggers the recalculation of time zones on all jobs)

For server migration, install a new server with Windows Server 2008 R2 and DPM Server 2012 (currently I’m having a problem with Windows Server 2012: the restore operation is unavailable).

For client migration (use the following steps in this sequence):

  1. Stop the DPM agent on the client machine (net stop dpmra)
  2. Uninstall the DPM agent from the client machine using appwiz.cpl (Add/Remove Programs) or from the command line (usable on Core editions):
    Windows 2008
    MsiExec.exe /X{5EB850FE-84F7-4856-A203-0F80BC93C66A}
    Windows 2003
    MsiExec.exe /X{3EC7C770-9F3F-4177-A754-EBFF04A1AFF2}
  3. Remove the Protection Group from the old DPM Server (you will probably want to retain the data, since new data is not yet available)
  4. Disable the firewall on the client machine
  5. Uninstall the agent from the old DPM Server and remember these things:
    1. don’t install the new agent before this step
    2. the uninstall will throw an error message because we already removed it; this is OK if the agent disappears from the Agents list on the DPM Server
    3. please remove the client manually and stop the service before the manual uninstall; this way you can avoid a restart of the client machine
  6. Install the agent from the new DPM Server
  7. Enable the firewall on the client machine (if it was disabled in step 4)
  8. Create new Protection Groups and enjoy the game