Monday, December 6, 2010

Exchange 2003: Decommissioning an Exchange 5.5 Environment

Perform checks to ensure clients are working as expected (setting the baseline):
1. Check that a client inside the site (administrative group) can download the OAB.
2. Check that a client inside the site can see free busy information within the site.
3. Check that a client outside the site can see free busy information within the site to be decommissioned.
Ensure the Site Replication Service is started on each Exchange 2003 SRS:
1. On each Exchange 2003 SRS server, open Services MMC console and ensure Microsoft Exchange Site Replication Service is started.
Verify no mailboxes remain on the Exchange 5.5 server (this is expected to have already been performed):
1. Open Microsoft Exchange Administrator on the Exchange 5.5 server
2. Expand the site > Configuration > Servers > the server to be decommissioned > Private Information Store > Mailbox Resources.
3. Ensure there are no mailboxes listed other than System Attendant and Directory Service.
4. Remove any other mailboxes or move them to an Exchange 2003 server using Exchange System Manager.
Verify all required public folders have replicated to an Exchange 2003 server in the site (this is expected to have already been performed):
1. Log into the Exchange 2003 SRS server and open the EXDEPLOY folder from the Exchange 2003 installation files.
2. Run PFMIGRATE.WSF /S:EX55SVR /T:EX2K3SVR /R to determine if there are any public folders not yet replicated to 2003.
3. If necessary, run PFMIGRATE.WSF /S:EX55SVR /T:EX2K3SVR /A /N:100 to add Exchange 2003 to the replica list of any non-replicated public folders.
4. Replicate the ADC public folder agreement and then Active Directory
5. Open Exchange System Manager > Administrative Groups > Site Name > Folders.
6. For each of the folders that were updated (see the PFMIGRATE log file), check under the Status tab that the folder has the expected number of items listed.
Remove all public folders from the Exchange 5.5 server:
1. See http://technet.microsoft.com/en-us/library/bb124112(EXCHG.65).aspx
2. Log into the Exchange 5.5 server to be decommissioned.
3. Start Microsoft Exchange Administrator > Site Name > Servers > Server to be decommissioned > Public Information Store > Properties > Age Limits.
4. Ensure there are no public folder instances listed except system folders.
5. If this is the last server in the site, there should only be site-specific folders listed.
6. If there are public folders listed then run PFMIGRATE.WSF /S:EX55SVR /T:EX2K3SVR /D to remove the public folder replicas from Exchange 5.5 wherever there is already a replica on Exchange 2003.
7. Recommended: Set the replication schedule on the public information store to always in order to speed up the process.
8. Repeat steps 1 – 5 to ensure the replicas have been removed.
Verify the Offline Address Book is replicated to an Exchange 2003 server in the site:
1. See http://support.microsoft.com/?kbid=152959
2. See http://support.microsoft.com/default.aspx?kbid=822450
3. Log into the Exchange 2003 server in the site.
4. Start Exchange System Manager > Administrative Groups > Site Name > Folders > View System Folders.
5. Expand Offline Address Book. The OAB should be in the format: EX:/O=ORG/OU=Site.
6. Select the OAB > Properties > Replication tab > Verify an Exchange 2003 server is listed.
7. If there are no replicas then click Add to add one.
8. Repeat steps 1-7 for OAB Version 2 if present.
9. Alternative method is to use PFMIGRATE.WSF /S:EX55SVR /T:EX2K3SVR /A /N:50 /SF to replicate this and all other system folders to Exchange 2003
Verify Schedule+ Free Busy information has replicated to an Exchange 2003 server in the site:
1. Repeat the steps for the OAB above to ensure there is an Exchange 2003 replica of the Schedule+ Free Busy folder for the site.
Note: Free/busy may be unavailable for some users until it is generated by activity in their calendar. There should be at least one Exchange 2003 replica of free/busy for every Exchange site.
Verify the Organization Forms are replicated to an Exchange 2003 server in the site:
1. Repeat steps for the OAB above in order to ensure that there is an Exchange 2003 replica of the Organization Forms folder.
Move the Routing Calculation Server role to Exchange 2003 SRS:
1. Open Exchange 5.5 Administrator and connect to a server in the site.
2. Expand the Site Name > Configuration > Site Addressing > Properties.
3. Set the Routing calculation server to the Exchange 2003 SRS server in the site.
4. On the Routing tab, click Recalculate Routing.
5. To reflect the change immediately on the Exchange SRS, either restart the SRS service or open Exchange 5.5 Administrator > Select the SRS server > Microsoft Exchange Site Replication Service > Properties > Update Now
6. To reflect the change immediately in Exchange 5.5, open Exchange 5.5 Administrator > Select the SRS server > Directory Service > Properties > Update Now
7. To reflect the change in AD and Exchange System Manager, replicate the ADC Config_CA connections.
Move Replication Connector to an Exchange 2003 SRS server in the site:
1. See http://technet.microsoft.com/en-us/library/bb124174(EXCHG.65).aspx
2. See http://support.microsoft.com/kb/822450
3. Replicate connections and test mail flow between the site and another site after moving each connector across.
4. Log into the Exchange 2003 server > Open Exchange Administrator for Exchange 5.5 > Site Name > Configuration > Directory Replication.
5. Open each Directory Replication Connector (except ADNAutoDRC) and change the local bridgehead server to the Exchange 2003 SRS server in the site. Also change the remote bridgehead for the partner Directory Replication connector in the other site.
Move connectors to an Exchange 2003 SRS server in the site by replacing them with Routing Group Connectors:
1. See http://technet.microsoft.com/en-us/library/bb124174(EXCHG.65).aspx
2. See http://support.microsoft.com/kb/822450
3. Open Exchange System Manager and create a Routing Group Connector that parallels every Exchange 5.5 Site Connector in the site. For example, if there is a site connector between SiteA and SiteB then create a Routing Group Connector between SiteA and SiteB. Set the connector cost to “1”.
4. Log into the Exchange 2003 server > Open Exchange Administrator for Exchange 5.5 > Site Name > Configuration > Connections.
5. On each Site Connector to and from this site, change the cost to “2” or greater.
6. On each Site Connector from this site, set the Messaging Bridgehead to the Exchange 2003 SRS in the site.
7. On each Site Connector that connects to this site, set the Exchange 2003 SRS as the only remote bridgehead server.
8. Replicate this change through the organization and test mail flow immediately.
9. If mail flow stops working, reverse the changes made to the Site Connectors.
If there is an X400 connector or other connector then also update the bridgeheads on these connectors in both the local and remote sites.

If there is a “Connector for cc:Mail” or “MS Mail Connector” and they are not in use then these can be safely ignored and removed when Exchange 5.5 is uninstalled.
Verify that Internet e-mail connectors on the Exchange 5.5 server are moved to Exchange 2003:
1. Log into the Exchange 2003 server > Open Exchange Administrator for Exchange 5.5 > Site Name > Configuration > Connections.
2. Check for the presence of an Internet Mail Service.
3. Move any existing Internet Mail Service to Exchange 2003 by following http://support.microsoft.com/kb/883407/.

Verify expansion server for all distribution lists in the site are not set to an Exchange 5.5 server:
1. Open Exchange 5.5 Administrator.
2. Open each distribution list in the site and check that Expansion server is set to “Any Server In Site” or to the name of an Exchange 2003 server.
Force ADC replication on the Config CA connection agreement
1. Open the ADC management tool and replicate the Config CA connection agreements.
Force replication through Active Directory
1. Open Active Directory Sites and Services.
2. Replicate all connections.
Wait for public folders, Schedule+ Free Busy, and Organization Forms information to replicate before continuing.
1. Check in Exchange System Manager that Connector modifications have replicated.
2. Open Outlook and connect to a mailbox in the site to ensure that public folders appear as expected and free/busy data can be viewed for other users in the site.
3. Attempt to download the Offline Address Book. If it fails then force a rebuild of the OAB from Exchange System Manager.
4. Open organizational forms in Outlook and confirm that they open (if applicable)
Disable Exchange services and shutdown the Exchange 5.5 server for testing
See functional testing plan
Start the Exchange server
Restart the Exchange services
Remove Exchange 5.5 from the server:
1. Start the Exchange Server 5.5 CD and run setup.exe.
2. On the Microsoft Exchange Server Setup page, click Add/Remove.
3. Clear the checkbox for Microsoft Exchange Server and click Continue.
4. Use Exchange 5.5 Administrator to connect to another server in the site (the Exchange 2003 SRS server will be fine).
5. Confirm that the SRS service is running.
6. Select the server to be removed.
7. On the Edit menu, click Delete.
Remove the Exchange 5.5 server from the SRS database and Active Directory:
1. See http://technet.microsoft.com/en-us/library/bb124174(EXCHG.65).aspx
2. Open the Active Directory Connector Tool MMC console, right click the Config_CA_Site_Server_Name object, and then click Replicate Now.
3. Replicate Active Directory
See functional testing plan
Prepare final Exchange 5.5 server for removal:
1. See major task 1
See functional testing plan
Remove final Exchange 5.5 server:
1. See major task 3
See functional testing plan
Remove Exchange SRS:
1. Follow directions specified at http://technet.microsoft.com/en-us/library/bb124572(EXCHG.65).aspx
2. Do not remove the Config_CA connection agreement!
Remove any Directory Replication Connectors:
1. See http://support.microsoft.com/kb/272314/
2. Use Exchange 5.5 Administrator to connect to each SRS in the organization.
3. For each SRS, expand the local site name, expand Configuration, click Directory Replication Connectors.
4. Delete any Directory Replication Connectors that exist. Do not delete ADNAutoDRC connector listed under Directory Replication Connectors!
5. Allow time for Config_CAs to replicate the changes to Active Directory.
Remove all SRS in the organization:
1. Start Exchange System Manager and ensure no Exchange 5.5 server computers are displayed in any administrative group.
2. Navigate to the Tools container, click the Site Replication Services container.
3. Right click each SRS and then click Delete. This will remove the SRS and corresponding Config_CA.
4. Confirm that all SRS have been removed from the entire organization.
Remove the Active Directory Connector service by uninstalling it.

Exchange 2003: Issues (including migration)

Outlook is unable to download the offline address book (OAB)
Check that the folders OAB Version 2 and OAB Version 3a exist under /o=Org/cn=addrlists/cn=oabs/cn=Default Offline Address List

If they do not exist then you can recreate them by forcing a rebuild of the offline address list: -
Exchange System Manager > Recipients > Offline Address Lists > Right click the offline address list > Rebuild

If the address list does not exist at all then recreate it according to http://blogs.msdn.com/b/dgoldman/archive/2007/04/19/outlook-oab-download-fails-with-0x80004005-and-0x8004010f.aspx.

Check that there is either a replica in the administrative group / routing group, or that public folder referrals is enabled across each relevant routing group connector

See http://technet.microsoft.com/en-us/library/aa996531(EXCHG.65).aspx for further details.

Unable to see OAB for Exchange 5.5 users (co-existence)
Check that the Exchange 5.5 OAB has been generated

Open Exchange 5.5 Administrator > Site Name > Configuration > in the right hand pane open DS Site Configuration > Offline Address Book tab > Generate All

Once it is generated it will appear in the system folders under Exchange Administrator > Folders > System Folders > OFFLINE ADDRESS BOOK > EX:/o=Org/ou=Site Name. It will be called OAB Version 2.

Unable to see Free/busy for Exchange 5.5 users in Exchange 2003

Ensure there is an Exchange 2003 replica of Exchange 5.5 free busy folders. This may need to be replicated to all Exchange 2003 routing groups, or else check that the routing group connectors allow public folder referrals.

Thursday, December 2, 2010

Allow End Users (owners) to Manage Distribution lists

To allow end users to manage distribution lists in Exchange 2007, open the distribution list in Active Directory Users and Computers. On the Security tab, click Advanced. Add the user or group to the list and, on the Properties tab, select the Read Members property and the Write Members property.

To do this via the Exchange Management Console, run the following command:

Add-ADPermission -Identity "Name of distribution list" -User "Name of user or group to provide permissions to" -AccessRights WriteProperty -Properties Member

Add-ADPermission -Identity "Name of distribution list" -User "Name of user or group to provide permissions to" -AccessRights ReadProperty -Properties Member

For Exchange 2010, you can configure the owner of groups to be able to manage distribution lists by using RBAC and the following instructions: http://sysadmin-talk.org/2010/06/omg-allowing-end-users-to-manage-distribution-group-membership-in-exchange-2010-2/. Indications are that the previous methods do not work on Exchange 2010.
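The two Add-ADPermission grants above, applied to one list and then read back so that the delegate is confirmed to hold rights on the Member attribute only. This is an added example, not code from the original post; the group name "DL-Finance" and the delegate "CONTOSO\jsmith" are assumed placeholders.

```powershell
# Added example, not part of the original post. Applies the two Add-ADPermission
# grants to one distribution list and then reads the ACL back, so you can
# confirm the delegate received rights on the Member attribute only and nothing
# broader. Assumed names: group "DL-Finance", delegate "CONTOSO\jsmith".
param(
    [string]$Group    = 'DL-Finance',
    [string]$Delegate = 'CONTOSO\jsmith'
)

# Two ACEs, each scoped to the single property "Member": the delegate can
# change membership but not the owner, addresses or other attributes.
foreach ($right in 'ReadProperty', 'WriteProperty') {
    Add-ADPermission -Identity $Group -User $Delegate `
        -AccessRights $right -Properties Member | Out-Null
}

# Read back every explicit (non-inherited) ACE for this delegate on the group.
$aces = @(Get-ADPermission -Identity $Group |
    Where-Object { -not $_.IsInherited -and $_.User.ToString() -eq $Delegate })

$aces | Select-Object User, Deny, AccessRights, Properties, ExtendedRights |
    Format-Table -AutoSize

# Anything that is not "ReadProperty/WriteProperty on Member" is wider than
# intended (for example GenericAll, or a grant with no property scope).
foreach ($ace in $aces) {
    if ($ace.Deny) { continue }
    $props  = @($ace.Properties   | ForEach-Object { $_.ToString() })
    $rights = @($ace.AccessRights | ForEach-Object { $_.ToString() -split ',\s*' })
    $extra  = @($rights | Where-Object { 'ReadProperty', 'WriteProperty' -notcontains $_ })
    $scoped = ($props -contains 'Member') -and ($extra.Count -eq 0)
    if (-not $scoped -or $ace.ExtendedRights) {
        Write-Warning ("{0} holds more than Member read/write on {1}: rights={2} properties={3}" -f
            $Delegate, $Group, ($rights -join ','), ($props -join ','))
    }
}
```

Run it in the Exchange Management Shell. The read-back matters because a delegate who was previously given a broader grant (for example Write through the ADUC Security tab without a property scope) keeps it; the two Add-ADPermission calls only add ACEs, they do not tighten existing ones.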

Friday, November 19, 2010

Application Packaging

Uniphi 1.3.02
This one was a crazy program to package. Firstly the upgrade doesn't work well from the previous version, and even getting it to work stand alone was difficult when running on Windows 7. To cut a long story short, it was determined that Uniphi would crash when trying to execute the program, but only if Office is installed.

To troubleshoot the issue, I installed Office and Uniphi on a single machine and ran up Process Monitor. Filtering through 65000 lines of junk is not fun. So I jumpstarted the process by searching for the term "Office", which turned up a single instance where Uniphi was trying to start a program under the OFFICE14 folder in Common Files. The program turned out to be the Microsoft Office XML viewer. Also, going back in the processes prior to this, I could see that it was using the registry HKEY_CLASSES_ROOT to determine the XML program to run. This led to following the different trails of CLSIDs until I finally came to a "text/xml" key under HKEY_CLASSES_ROOT\PROTOCOLS\Filter.
This looked interesting. Anything that is filtering the XML could cause problems! I removed this key and this time the program cranked up with no errors!
It turns out that Office installs an XML MIME filter that runs even for custom programs (such as Uniphi) and it is this filtering that Uniphi has a problem with.
You'd think people would test their programs against a computer where other common programs are installed.
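An inventory of the pluggable MIME filters registered under HKEY_CLASSES_ROOT\PROTOCOLS\Filter, the key found above, resolving each CLSID to the DLL that implements it and checking that DLL's Authenticode signature. This is an added, read-only example, not part of the original post; the .NET registry classes are used instead of the PowerShell registry provider because a key named "text/xml" contains the provider's path separator. On 64-bit Windows a 32-bit filter (such as one installed by 32-bit Office) is visible only from a 32-bit PowerShell.

```powershell
# Added example, not part of the original post. Lists every MIME filter under
# HKCR\PROTOCOLS\Filter with the DLL behind its CLSID and the DLL's signature
# status. It changes nothing; use it to see which components will be loaded
# into any program that parses a given content type through urlmon.
function Get-MimeFilter {
    $hkcr = [Microsoft.Win32.Registry]::ClassesRoot
    $root = $hkcr.OpenSubKey('PROTOCOLS\Filter')
    if (-not $root) { return }

    foreach ($mimeType in $root.GetSubKeyNames()) {
        $filterKey = $root.OpenSubKey($mimeType)          # e.g. "text/xml"
        if (-not $filterKey) { continue }
        $clsid  = [string]$filterKey.GetValue('CLSID')    # value named CLSID
        $dll    = $null
        $status = 'no-clsid'

        if ($clsid) {
            # The filter's COM server: HKCR\CLSID\{...}\InprocServer32 (default value)
            $server = $hkcr.OpenSubKey("CLSID\$clsid\InprocServer32")
            if ($server) { $dll = [string]$server.GetValue('') }   # GetValue expands %vars%
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            } elseif ($dll) {
                $status = 'file-not-found'
            } else {
                $status = 'no-inprocserver32'
            }
        }

        New-Object PSObject -Property @{
            MimeType  = $mimeType
            CLSID     = $clsid
            Dll       = $dll
            Signature = $status
        }
    }
}

Get-MimeFilter | Sort-Object MimeType | Format-Table MimeType, CLSID, Signature, Dll -AutoSize
```

A filter whose DLL is unsigned, missing, or lives outside Program Files or the Windows directory deserves a second look, both when packaging an application that misbehaves and as a persistence check, since anything registered here is loaded into every process that hands that content type to urlmon.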

Thursday, November 11, 2010

Exchange: Migration Issues

Interorganizational Migration Issues

Issue: Mailbox is migrated from Exchange 2007 to Exchange 2010. The console says that the migration is completed. The user cannot access their mailbox through OWA or the Outlook client. OWA returns stack trace report.
Resolution: Suspected cause is Active Directory replication and the System Attendant. If the System Attendant has not yet processed the users then they will not be able to access the mailbox until it does. This may be a 2 hour waiting window and even longer if AD is not fully in sync.
- Check that CAS servers are using domain controllers in their own site.

Issue: Mailbox is migrated from Exchange 2007 to Exchange 2010. Users clicking on Calendar in Outlook receive an error saying that Exchange must be online to connect.
Resolution: Wait until all items have been downloaded and the offline copy has finished syncing. To track the progress, right click the icon in the system tray and select Connection Status... Select the Local Mailbox tab to determine what is currently syncing. In some cases it is simply a case of waiting for AD replication and System Attendant activities to happen.

Issue: Mailbox is migrated from Exchange 2007 to Exchange 2010. Users are unable to set OOF or have issues with other availability services such as free/busy, calendaring, scheduling, etc.
Resolution:
Run the "Test E-mail Autoconfiguration" from the client and check if it is receiving autodiscover.xml. If not, determine why this is the case. If you are connecting to Outlook from a computer that is not logged into the target domain, then it will need to be able to connect to autodiscover.domain.com in DNS. You should not make this change in DNS when you are performing interorganizational migrations. This can cause users who have not been migrated across to pick up the new autodiscover and start trying to use some servers that are in the target Exchange organization. This will mean users are prompted to provide credentials to servers that they may not yet have access to. A better solution is to create a autodiscover host name in a local HOSTS file to point to the CAS server so that the change is not global.

Issue : Users are unable to access calendar immediately following migration of mailbox – rest of mailbox is accessible
This issue resolved itself on all occasions within an hour of migrating the mailbox and once mail is fully cached in the OST.

Issue: prompted for second password when accessing calendar within the migrated mailbox.
This issue can be resolved by adding autodiscover to the local host file.

Issue: Users are unable to access OOF from Outlook internally.
This issue is only proven to affect Outlook 2007 at this stage as a number of users are using this function fine with Outlook 2010. This issue can be resolved by adding autodiscover to the local host file. A workaround is to use OWA to connect directly to a CAS server/array in the same site as the mailbox.

Issue: Primary email address is set incorrectly on migrated mailboxes.
Create a new email address policy to set the correct email address on mailboxes as they are migrated. An email address policy based on OU can only be created if there are no Exchange 2003 servers in the organization. Otherwise you can use "State or Region" or another identifier.

Issue: One of the SiteA CAS servers is pointing to SiteB domain controllers.
One of the SiteA CAS servers is pointing correctly to the local domain controllers in the site, however the other one is pointing to SiteB Domain Controllers. A suspected impact of not resolving this issue is that mailboxes may take longer to become available to end users following migration. It is possible to force a CAS server to use a specific set of domain controllers, however this is not a desirable configuration for the long term. Look in the application event log of the Exchange server in question and find the information message that is logged by the Exchange Topology Generator. Check firstly that Exchange thinks the correct servers are "in-site". Then check the numbers to ensure the local DCs are seen as GCs, and that the SACL digit is set to "1" (true). If Exchange cannot read the SACL on a domain controller then it will refuse to use that domain controller. DSAccess does not use any domain controller on which it does not have permission to read the SACL on the nTSecurityDescriptor attribute. To check this, check the local security policy and also the Default Domain Controllers Policy under Computer Settings\Windows Settings\Security Settings\User Rights Assignment. Open "Manage auditing and security log" and ensure that Exchange Servers and Enterprise Exchange Servers are assigned this right either locally or through Group Policy. If assigned through group policy, then ensure group policy is applied using GPResult /R, and that computer configuration is not disabled within the group policy. The Exchange DomainPrep process should complete this automatically, however if there is an issue then this may not have applied to some domain controllers. See http://support.microsoft.com/kb/316300 for more detailed information on resolving issues that are detected with the Exchange Topology generator event log entry. Also see http://support.microsoft.com/kb/314294/EN-US/.

Issue: Users are unable to access Options section of OWA using most Internet Browsers
This issue affects all migrated users in a particular site. Based on errors in the event log on the CAS in the central site, you may find errors that it was unable to proxy ECP traffic to the CAS servers in the local site due to Windows authentication being disabled. Recommendation is to change the ECP virtual directories on the local sites CAS servers to allow Windows Authentication. If this does not work, then Windows Authentication may also be required on the CAS in the central site.

Issue: Mailboxes in the console stop migrating and return errors if you view the properties of the move request, or try to remove the move request.
This issue is most likely due to the log drive running out of space. When this happens on Exchange 2010, it will stop sending and receiving email, and users will also lose connection to their mailboxes. You will find about 4MB of free space left on the drive, which Exchange will try to maintain in order to prevent corruption of the logs.
Resolutions: If your database is part of a DAG then your options are limited. If not part of a DAG however, you can move the log files to another drive that contains more space. If part of a DAG, your best option is to shutdown the servers in the DAG and expand the log drive if this is possible. If either of these options is not available then you can use ESEUTIL to determine the checkpoint and manually move any previously committed log files to a backup drive. Another option would be to switch the database to circular logging however this will limit your options for a recovery should one be required. If you switch to circular logging you may need to restart the IS on the mailbox servers. This last option has not been tested by me in this particular scenario where space has already been depleted.

Interorg migration refuses to migrate because the mailbox in question does not have an msExchMasterAccountSid attribute
Resolution: Either set msExchMasterAccountSid (associated owner) or enable the account for the migration.

Mailbox has been prepared for interorg migration however when trying to migrate the mailbox it complains that the msExchangeGuid is missing
This can happen if Exchange is pointing to a DC in a different site (this is an issue in itself). Try replicating all pertinent Active Directory connections.

When trying to queue a new mailbox move request, it times out with an error similar to did not receive a reply within the configured timeout (00:01:00).
This means that too many requests are most likely being backlogged through the CAS server. This error message is related to NET.TCP port sharing service and can be resolved by modifying the SMSvcHost.exe.config in the Windows Foundation folders on the CAS server where you are running the command. Note that on 64-bit Windows there is a x64 folder and an x86 folder. I would suggest making any changes to both of these files. Make sure to backup the files first, and note that you cannot edit the files in place as they are constantly in use. You will need to copy elsewhere, make the modifications, then copy it back to the location again. Note that any changes to this file will affect all services that use the NET.TCP port sharing service. No services need to be restarted and the change takes effect almost immediately.
The option that will generally be changed is the maxPendingAccepts which is set by default to a conservative 2. You can try upping this amount to 10 instead.

For more information about this file, see:
http://msdn.microsoft.com/en-us/library/aa702669.aspx
http://blogs.msdn.com/b/andreal/archive/2009/04/05/net-tcp-ip-port-sharing.aspx

According to the second URL, you can also try setting maxPendingConnections to 1000 and the listenBackLog to 100.
"As far as concerns the maxPendingConnections and maxPendingAccepts settings, our defaults are intentionally conservative so that customers must opt-in to allowing large amounts of work into the system. "
"It's hard to recommend some values, because it depends on the applications running on the system; you have to keep into account the user could have some other services using TCP Activation with WAS, which your application has to share SMSvcHost.exe resources with. According to the Product Team, you shouldn't increase “maxPendingAccepts” too much. 5-10 would be a good number. It means it spawns 5-10 concurrent threads to pull connections.
Feel free to increase the maxPendingConnections value according to your needs (you can also set 1000, even though I'd wonder why if you needed so many connections. 100-200 can be considered a good choice). "

Basically, look at the SIDs to see what services are allowed to use the NET.TCP port sharing and then determine how many connections each service may require. This can be used to give a more educated figure than the suggestions above.
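A script for the change described above: back up SMSvcHost.exe.config, list the accounts allowed to use the Net.Tcp Port Sharing Service (resolving each securityIdentifier to a name, which is the SID check suggested in the last paragraph), then raise maxPendingAccepts on a working copy and copy it back, since the live file cannot be edited in place. This is an added example, not from the original post. The .NET 3.0 "Windows Communication Foundation" path and the value 10 are assumptions; run it once per copy (x64 and x86) with the appropriate -ConfigPath.

```powershell
# Added example, not part of the original post. Backs up SMSvcHost.exe.config,
# shows which accounts (SIDs) the Net.Tcp Port Sharing Service accepts, and
# raises maxPendingAccepts on a working copy that is then copied back into
# place. Assumed path: the .NET 3.0 WCF folder on 64-bit Windows.
param(
    [string]$ConfigPath = "$env:windir\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe.config",
    [int]$MaxPendingAccepts     = 10,
    [int]$MaxPendingConnections = 0      # 0 = leave unchanged
)

$backup = "$ConfigPath." + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak'
$work   = Join-Path $env:TEMP 'SMSvcHost.exe.config'
Copy-Item -LiteralPath $ConfigPath -Destination $backup
Copy-Item -LiteralPath $ConfigPath -Destination $work

$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($work)

# Create <system.serviceModel><net.tcp> if the shipped file only carries it in
# a comment; an attribute that is absent means the service default applies.
$sm = $cfg.SelectSingleNode('/configuration/system.serviceModel')
if (-not $sm) { $sm = $cfg.DocumentElement.AppendChild($cfg.CreateElement('system.serviceModel')) }
$netTcp = $sm.SelectSingleNode('net.tcp')
if (-not $netTcp) { $netTcp = $sm.AppendChild($cfg.CreateElement('net.tcp')) }

# Who may bind through the shared listener: <allowAccounts><add securityIdentifier="S-1-5-..."/>
$accounts = $netTcp.SelectNodes('allowAccounts/add')
if ($accounts.Count -eq 0) { 'allowAccounts not set: service defaults apply' }
foreach ($acct in $accounts) {
    $sid = $acct.GetAttribute('securityIdentifier')
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch { $name = '(cannot resolve)' }
    '{0,-28} {1}' -f $sid, $name
}

foreach ($attr in 'maxPendingAccepts', 'maxPendingConnections', 'listenBacklog') {
    $v = $netTcp.GetAttribute($attr)
    if (-not $v) { $v = '(default)' }
    'before: {0}={1}' -f $attr, $v
}

$netTcp.SetAttribute('maxPendingAccepts', [string]$MaxPendingAccepts)
if ($MaxPendingConnections -gt 0) {
    $netTcp.SetAttribute('maxPendingConnections', [string]$MaxPendingConnections)
}
$cfg.Save($work)
Copy-Item -LiteralPath $work -Destination $ConfigPath -Force
"Updated $ConfigPath (backup: $backup)"
```

The backup is the rollback path: every service that shares the listener reads this file, so a typo here affects more than the Exchange move requests.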

When assigning send as permissions through the EMC, it does not take effect on the client
Use the EMS: -
Get-Mailbox "mailbox name" | Add-ADPermission -ExtendedRights "Send As" -User "Name of user"

Needed an easy way to assign Send On Behalf of permissions for shared mailboxes and distribution lists.
Powershell provides the -GrantSendOnBehalfTo attribute for Set-Mailbox and Set-DistributionList command lines. You might use the following command to grant users permissions on a number of shared mailboxes:

Get-Recipient -PropertySet ConsoleLargeSet -ResultSize '1000' -SortBy DisplayName -RecipientType 'UserMailbox' -Filter '((DisplayName -like ''*shared1*'' -or DisplayName -eq ''shared2''))' | Get-Mailbox | Set-Mailbox -GrantSendOnBehalfTo "User1","User2"
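The two delegation grants above on a single mailbox, with the result read back. This is an added example, not from the original post; the mailbox "Shared1" and delegate "CONTOSO\jsmith" are assumed placeholders. It goes slightly beyond the text by using the @{Add=...} form of -GrantSendOnBehalfTo, which appends to the existing list instead of replacing it.

```powershell
# Added example, not part of the original post. Grants "Send As" as an AD
# extended right on the mailbox object and appends a Send on Behalf entry
# without replacing the ones already there, then reads both back.
# Assumed names: shared mailbox "Shared1", delegate "CONTOSO\jsmith".
param(
    [string]$Mailbox  = 'Shared1',
    [string]$Delegate = 'CONTOSO\jsmith'
)

# Send As is an AD extended right on the mailbox's user object.
Get-Mailbox -Identity $Mailbox |
    Add-ADPermission -User $Delegate -ExtendedRights 'Send As' | Out-Null

# -GrantSendOnBehalfTo "User1","User2" overwrites the whole list; the
# @{Add=...} form appends, which is what you want on a mailbox that already
# has delegates.
Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{ Add = $Delegate }

# Read back: explicit (non-inherited) Send-As grants on the mailbox ...
Get-Mailbox -Identity $Mailbox | Get-ADPermission |
    Where-Object {
        -not $_.IsInherited -and
        (@($_.ExtendedRights | ForEach-Object { $_.ToString() }) -contains 'Send-As')
    } |
    Format-Table User, Deny, ExtendedRights -AutoSize

# ... and the Send on Behalf list as it now stands.
(Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo
```

For the bulk command above, the same @{Add=...} hashtable can replace the plain "User1","User2" list so that existing delegates on each matched mailbox are kept.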

New email address policy is created in the target which applies email address that is shared between the two organizations. Email stops flowing to the source organization.
When you set an accepted domain to authoritative, Exchange will never try to deliver mail for that domain outside of the Exchange organization. There is a catch however. If there is no email address policy referencing that accepted domain, then the Exchange organization will still try to deliver outside the organization. As soon as an email address policy is created, the authoritative nature appears to take effect and prevents delivery outside the organization.

Monday, October 25, 2010

Exchange 2010: Troubleshooting the Exchange services

Introduction
These are some resolutions that may assist when you are unable to start the Exchange services.

1. Check the event log. If you are receiving a number of DSAccess warnings then you can bet that it is related to Active Directory. Check for event 2080 to see which domain controllers are listed. Ensure they can all be pinged. Check in the DSAccess warnings to see which domain controllers it is trying to access. Try pinging these domain controllers to ensure they are online and accessible.

2. If it is trying to access DCs that are not online then you may have enabled static domain controller settings on the Exchange server that is failing. You can see the settings by running Get-ExchangeServer | Format-List.
Unfortunately even if something is set as a static domain controller, it doesn't show up. Try resetting them all to $NULL even if they already appear to be so. You can also try statically excluding the domain controllers that are non-existent.

3. Check that IPv6 is either enabled, or properly disabled via the registry. Microsoft has articles on how to do this.

4. Check that the Exchange server is member of the correct groups in Active Directory.

5. Run BPA scans on the affected server to check for configuration issues.
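A parser for the server table that event 2080 writes to the Application log, reporting the three things item 1 above and the SiteA/SiteB CAS issue in the "Exchange: Migration Issues" post say to check: which DCs are seen as in-site, whether each is usable as a GC, and whether the SACL right column is 1. This is an added example, not from either post. A constructed 2080 message is embedded so the parser can be tried without a server; Get-Latest2080Message reads the real event, and the provider name 'MSExchange ADAccess' is assumed for Exchange 2010.

```powershell
# Added example, not part of the original posts. Parses the server table in
# event 2080 (MSExchange ADAccess) and warns about DCs that Exchange will not
# use well: not reachable in all roles, not a GC, or without the SACL right.
function ConvertFrom-AdAccess2080 {
    param([Parameter(Mandatory=$true)][string]$Message)
    # Column order as printed in the event:
    # Server name | Roles | Enabled | Reachability | Synchronized | GC capable
    # | PDC | SACL right | Critical Data | Netlogon | OS Version
    $section = $null
    foreach ($raw in ($Message -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^In-site:')     { $section = 'In-site';     continue }
        if ($line -match '^Out-of-site:') { $section = 'Out-of-site'; continue }
        if (-not $section -or -not $line) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 11) { continue }       # not a server row
        New-Object PSObject -Property @{
            Server       = $f[0]
            Site         = $section
            Roles        = $f[1]                # C=config DC, D=domain DC, G=GC
            Reachability = [int]$f[3]           # bitmask; 7 = reachable in all three roles
            GC           = ([int]$f[5] -eq 1)
            SaclRight    = ([int]$f[7] -eq 1)   # 0 => DSAccess will not use this DC
        }
    }
}

function Test-AdAccessTopology {
    param([Parameter(Mandatory=$true)][string]$Message)
    $servers = @(ConvertFrom-AdAccess2080 -Message $Message)
    $inSite  = @($servers | Where-Object { $_.Site -eq 'In-site' })
    if ($inSite.Count -eq 0) {
        Write-Warning 'No in-site domain controllers: DSAccess will fall back to out-of-site DCs'
    }
    foreach ($s in $inSite) {
        if ($s.Reachability -ne 7) { Write-Warning "$($s.Server): reachability $($s.Reachability), expected 7" }
        if (-not $s.GC)            { Write-Warning "$($s.Server): not usable as a Global Catalog" }
        if (-not $s.SaclRight)     { Write-Warning "$($s.Server): SACL right missing, check 'Manage auditing and security log' (KB316300)" }
    }
    $servers
}

function Get-Latest2080Message {
    param([string]$ComputerName = $env:COMPUTERNAME)
    (Get-WinEvent -ComputerName $ComputerName -MaxEvents 1 -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080 }).Message
}

# Constructed sample: one healthy in-site DC, one in-site DC missing the SACL
# right, and one out-of-site DC.
$sample = @"
Process MSEXCHANGEADTOPOLOGY (PID=1234). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc1.sitea.contoso.local CDG 1 7 7 1 0 1 1 7 1
dc2.sitea.contoso.local CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
dc1.siteb.contoso.local CDG 1 7 7 1 1 1 1 7 1
"@

Test-AdAccessTopology -Message $sample |
    Format-Table Server, Site, Roles, Reachability, GC, SaclRight -AutoSize
```

On a live server replace $sample with (Get-Latest2080Message); a CAS whose in-site list is empty or whose in-site DCs carry a 0 in the SACL column is the condition described in the migration post.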

Wednesday, October 20, 2010

CMD As User

This application (CMDAsUser) allows you to run installations or applications as the SYSTEM account and see an interactive desktop. This can be useful in testing applications that are deployed through a product such as ITCM or SCCM using the SYSTEM account.

I found that the following privileges were required even if the calling account has Administrative rights: -

"Act as part of the operating system" (SeTcbPrivilege),
"Bypass traverse checking" (SeChangeNotifyPrivilege),
"Increase quotas" (SeIncreaseQuotaPrivilege),
"Replace a process level token" (SeAssignPrimaryTokenPrivilege).

This is the recommendation on the Internet, however personally I added "Act as part of the operating system" and "Replace a process level token" and it works.
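A check of which of the four privileges listed above the calling account actually holds, parsed from whoami /priv. This is an added example, not part of the original post, and assumes an English Windows (the Enabled/Disabled words are localized). A right granted through User Rights Assignment only appears in the token after a fresh logon, and under UAC a non-elevated session shows the filtered token, so run it elevated in a new session.

```powershell
# Added example, not part of the original post. Reports, for each privilege
# the post lists, whether it is present in the current token and its state.
function Test-CmdAsUserPrivileges {
    $required = 'SeTcbPrivilege', 'SeChangeNotifyPrivilege',
                'SeIncreaseQuotaPrivilege', 'SeAssignPrimaryTokenPrivilege'

    # whoami /priv prints one row per privilege present in the token, e.g.
    # "SeTcbPrivilege   Act as part of the operating system   Disabled"
    $held = @{}
    foreach ($line in (whoami /priv)) {
        if ($line -match '^(Se\w+Privilege)\s+.+\s+(Enabled|Disabled)\s*$') {
            $held[$matches[1]] = $matches[2]
        }
    }

    foreach ($p in $required) {
        $state = 'missing'                       # not in the token at all
        if ($held.ContainsKey($p)) { $state = $held[$p] }
        New-Object PSObject -Property @{ Privilege = $p; State = $state }
    }
}

Test-CmdAsUserPrivileges | Format-Table Privilege, State -AutoSize
```

"Disabled" is normal: the privilege is in the token and a program can enable it when needed; "missing" is the case that stops CMDAsUser from creating the SYSTEM process.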

Tuesday, October 19, 2010

Configuring and troubleshooting WPAD

This is not an exhaustive reference to WPAD. WPAD provides automatic configuration to Internet clients such as the firewall client and Internet Explorer. Internet Explorer has a number of options to either manually specify the WPAD.dat file or to automatically detect the wpad.dat file using either DHCP or DNS. When both DHCP and DNS are configured with the WPAD URL, DHCP clients will only try the DNS URL if the URL has not been configured in DHCP.

When using TMG, WPAD can be distributed in two ways: -
1. By using the TMG default mechanism. This does not use IIS in any way.
2. By manually distributing the WPAD file on an IIS server.

Manual distribution via IIS
To distribute via IIS, firstly obtain the WPAD file that you want to distribute. It should be called wpad.dat. Place it in the IIS website. In order to allow clients to download wpad.dat, you will need to add a MIME type into the IIS website as follows:
Extension: .dat
Content Type(MIME): application/octet-stream

If you are unable to download the WPAD.dat: -
1. Check that the MIME type is correctly configured. If you rename the extension to .html then does it become downloadable? If so, then the MIME type is not correctly configured.
2. Perform basic IIS troubleshooting to ensure it is serving pages correctly.

Distributing via TMG
When distributing via TMG, the WPAD file is automatically created. It is administered by changing the settings within the TMG console. You can select the port that TMG will distribute the WPAD file on. You should be able to access the WPAD using the URL http://TMGserver/wpad.dat.

If you are unable to download the WPAD.dat at all then ensure the TMG WPAD service is not conflicting with any of the following:
1. An IIS server on the same server. If you are serving WPAD on port 80 and IIS is also configured to listen on port 80 then you will not be able to access WPAD. Stop the IIS website and change the port from 80 to 81 (just in case someone starts it up again). The assumption here is that IIS is not required for any purpose. TMG itself does not require IIS to be started.
2. A Web Listener configured in TMG to listen on the same port and on the same network. For example, if a Web Listener is listening on port 80 on the Internal interface, then you will not be able to publish WPAD on port 80.
3. Another third party service is listening on port 80.
4. A firewall may exist between the client and the TMG server.

If you are able to download the WPAD.dat but clients are not able to use it to access the Internet, it could be due to a bug in TMG 2010! If you configure VPN access to use an internal DHCP server, it will assign an internal IP address to the RRAS interface on the TMG server. VPN clients will also receive an internal IP address. Because the RRAS IP address is in the range of IP addresses listed on the "internal" network object, TMG will generate the WPAD.dat using the RRAS IP address. This means clients will be unable to connect to the Internet. Check the WPAD.dat for the IP address that is used. The workarounds are as follows:
1. Use a static pool for VPN clients instead. This means the IP addresses are not in the internal IP address range.
2. Maintain the WPAD.dat on an IIS website; this requires manually updating the WPAD.dat each time a change is required.
3. Run a short VBScript on the server that makes TMG generate the WPAD using the FQDN of the server instead. You then need to make sure that this FQDN resolves to the correct IP address for WPAD clients. This issue is mentioned here: http://social.technet.microsoft.com/Forums/en-US/ForefrontedgeIA/thread/2c4e342f-0ab7-4cd7-b007-0f2b0c559704. The solution script is here: http://blogs.technet.com/b/isablog/archive/2008/06/26/understanding-by-design-behavior-of-isa-server-2006-using-kerberos-authentication-for-web-proxy-requests-on-isa-server-2006-with-nlb.aspx.

This is the script that needs to be run on the TMG server. It causes the firewall service to restart shortly after the script is run. This script has been tested by us and confirmed to resolve the issue.

' CARP name system values defined by the FPC (ISA/TMG) COM object model.
Const fpcCarpNameSystem_DNS = 0
Const fpcCarpNameSystem_WINS = 1
Const fpcCarpNameSystem_IP = 2

' Connect to the local array and get its web proxy policy object.
Dim oISA: Set oISA = CreateObject( "FPC.Root" )
Dim oArray: Set oArray = oISA.GetContainingArray
Dim oWebProxy: Set oWebProxy = oArray.ArrayPolicy.WebProxy

' Nothing to do if the WPAD script already names the server by DNS.
If fpcCarpNameSystem_DNS = oWebProxy.CarpNameSystem Then
    WScript.Echo "ISA is already configured to provide DNS names in the WPAD script"
    WScript.Quit
End If

' Switch from IP addresses to DNS names and commit the change.
' The firewall service restarts shortly after the save.
oWebProxy.CarpNameSystem = fpcCarpNameSystem_DNS
oWebProxy.Save true

WScript.Echo "ISA was configured to provide DNS names in the WPAD script..."
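As an added check for the "which IP address did TMG write into the WPAD.dat" question above (example code written for this page, not part of TMG or of the script above), the following Python downloads wpad.dat and lists every IPv4 literal in it, flagging any address that is not the TMG internal address clients are meant to proxy through. The PAC text is a constructed stand-in: the `Node(...)` line only mimics the shape of the generated script, and `10.0.0.57` (the RRAS-assigned address) and `10.0.0.1` (the TMG internal interface) are placeholder addresses.

```python
import ipaddress
import re
import sys
import urllib.request

# Dotted quad that is not embedded in a longer token (so "10.0.0.571" is not split up).
IPV4_LITERAL = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

# Constructed stand-in for a generated WPAD.dat. The real file is far longer, but like
# this sample it carries the proxy address as a string literal inside the script.
BAD_WPAD = '''function MakeProxies(){
    this[0]=new Node("10.0.0.57",4099,1.000000);  // constructed: the DHCP lease handed to RRAS
}
function FindProxyForURL(url, host){ return FindProxyForURLEx(url, host); }
'''
# The same script once the TMG internal address (placeholder 10.0.0.1) is used instead.
GOOD_WPAD = BAD_WPAD.replace("10.0.0.57", "10.0.0.1")


def fetch_wpad(server, port=80, timeout=5):
    """Download the WPAD script the firewall publishes (network call; the checks below do not need it)."""
    url = "http://%s:%d/wpad.dat" % (server, port)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def proxy_addresses(pac_text):
    """Distinct, valid IPv4 literals in the script, in order of first appearance."""
    found = []
    for literal in IPV4_LITERAL.findall(pac_text):
        try:
            ipaddress.IPv4Address(literal)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the pattern but is not an address
        if literal not in found:
            found.append(literal)
    return found


def check_wpad(pac_text, expected_proxy):
    """Addresses in the script other than the one clients must proxy through.

    A non-empty list is the symptom described in the post: the script was generated
    with the RRAS (VPN) address instead of the TMG internal interface.
    """
    expected = ipaddress.IPv4Address(expected_proxy)
    return [a for a in proxy_addresses(pac_text) if ipaddress.IPv4Address(a) != expected]


if __name__ == "__main__":
    # Usage: python wpad_check.py TMGserver 10.0.0.1   (placeholder server name and address)
    if len(sys.argv) == 3:
        text, expected = fetch_wpad(sys.argv[1]), sys.argv[2]
    else:
        text, expected = BAD_WPAD, "10.0.0.1"
    print("addresses in wpad.dat:", proxy_addresses(text))
    print("unexpected:", check_wpad(text, expected) or "none")
```

Run it against the real server with the TMG internal address as the second argument; anything it reports as unexpected is what VPN clients will be told to use as their proxy.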

Friday, October 15, 2010

Troubleshooting

Following are some good resources on universal troubleshooting:

The Universal Troubleshooting Process (UTP)
http://www.troubleshooters.com/tuni.htm

Wednesday, August 4, 2010

Exchange: Outlook and OWA attachment issues

Outlook client does not display attachments

There are a number of reasons why this might be the case.
  • See http://knicksmith.blogspot.com/2007/03/exchange-2007-and-outlook-2003-where.html. An issue was resolved by Microsoft in Exchange 2003 Service Pack 1 where Exchange 2007 was incorrectly causing Outlook 2003 to hide inline attachments. Even though you could not see the attachment, if you flagged the email, or clicked forward on the email, the attachment would appear correctly. Also if you selected Save attachments from the file menu, it would still save the attachments. OWA is not affected by this.
  • See http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/478c326b-486b-461c-9141-dd544b245c75. Symptoms: You can see the attachment in OWA but not in any of the current versions of Outlook. Outlook blocks the attachment completely and there is no way to retrieve it through this interface. This is also more likely to happen when an in-house application has been programmed to send email with attachments. If the MIME is formatted incorrectly then Outlook will not display it. RFC 2387 describes the intended use of multipart/related:
    http://www.ietf.org/rfc/rfc2387.txt:
    "The Multipart/Related media type is intended for compound objects consisting of several inter-related body parts. For a Multipart/Related object, proper display cannot be achieved by individually displaying the constituent body parts."
    Steps to resolve this issue involve changing the MIME header to Multipart/Mixed instead of Multipart/Related. Multipart/Related will cause the attachment to be considered inline by Outlook. As there is no reference to the attachment in the body, it will then effectively be ignored. OWA has more smarts and is able to determine if an attachment is really inline or not. If it finds no reference to the attachment in the body of the email then it displays the attachment as a separate entity.
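As an added example of the multipart/related problem above (Python written for this page, not code from the forum thread or from Exchange), this builds a message the way an in-house application might, finds any part of a multipart/related message that the body never references by Content-ID (the attachment Outlook treats as inline and effectively drops, and which OWA still shows), and applies the fix from the post by relabelling the message multipart/mixed. The addresses, the PDF bytes and the `report1` Content-ID are constructed placeholders.

```python
import re
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# A cid: reference inside HTML, e.g. <img src="cid:logo1"> or <a href="cid:report1">.
CID_REF = re.compile(r"cid:([^\s\"'<>)]+)", re.IGNORECASE)


def build_report_mail(subtype, cid=None):
    """Constructed sample of what an in-house application might send: an HTML body plus a PDF.

    `subtype` is 'related' or 'mixed'. When `cid` is given the body references the
    attachment, which is the only situation multipart/related is intended for.
    """
    msg = MIMEMultipart(subtype)
    msg["From"] = "reports@example.com"  # placeholder addresses
    msg["To"] = "user@example.com"
    msg["Subject"] = "Daily report"
    body = "<html><body><p>Report attached.</p>"
    if cid:
        body += '<p><a href="cid:%s">open report</a></p>' % cid
    body += "</body></html>"
    msg.attach(MIMEText(body, "html"))
    pdf = MIMEApplication(b"%PDF-1.4\n% constructed placeholder, not a real document\n", "pdf")
    pdf.add_header("Content-Disposition", "attachment", filename="report.pdf")
    if cid:
        pdf.add_header("Content-ID", "<%s>" % cid)
    msg.attach(pdf)
    return msg


def _body_text(msg):
    """Decoded text of every text/* part; that is where cid: references live."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def unreferenced_related_parts(msg):
    """Filenames of non-text parts of a multipart/related message that the body never references.

    Other structures return [] because the inline assumption only applies to multipart/related.
    """
    if msg.get_content_type() != "multipart/related":
        return []
    referenced = {c.strip() for c in CID_REF.findall(_body_text(msg))}
    orphans = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid not in referenced:
            orphans.append(part.get_filename() or part.get_content_type())
    return orphans


def repair(msg):
    """The fix from the post: relabel as multipart/mixed when the attachment is not really inline.

    set_type keeps the existing Content-Type parameters (the boundary) in place.
    """
    if unreferenced_related_parts(msg):
        msg.set_type("multipart/mixed")
    return msg


def roundtrip(msg):
    """Serialise and re-parse, so the result is checked the way a receiving server sees it."""
    return message_from_bytes(msg.as_bytes())


if __name__ == "__main__":
    broken = build_report_mail("related")
    print("hidden by Outlook:", unreferenced_related_parts(broken))
    print("after repair:", roundtrip(repair(broken)).get_content_type())
```

The same detection logic can be pointed at a saved .eml from the application by replacing `build_report_mail` with `message_from_bytes(open(path, "rb").read())`.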


Friday, July 9, 2010

Exchange 20xx: Autodiscover and availability Issues

You receive the message: Allow this website to configure server settings?
You test e-mail autoconfiguration and it fails for no apparent reason.

The reason you receive the above error message is because the autodiscover website has been configured to redirect to a different website. For example, you might want to use https://webmail.domain.com/autodiscover/autodiscover.xml as your autodiscover URL. In this case you would redirect http://autodiscover.domain.com/ to that URL.

You may also receive this message if your autodiscover SSL website is not working correctly and fails. In this case, it will try http:// instead of https://. If you happen to have http:// redirected to https:// then you will also receive this message as this counts as a redirect.

You should be able to click "Don't ask me about this website again" to make the message disappear for good.

Troubleshooting autodiscover messages:

  • Use testexchangeconnectivity.com. It is there to help you find out if problems exist in Exchange client access from the Internet.
  • If the user's primary email address is @domain1.com then is there an autodiscover record configured for this domain (either via an autodiscover website, a redirection website, or an SRV record)?
  • Check the version of Outlook being used. If it is Outlook 2007 SP1 or RTM then the first thing to do is to update to Outlook 2007 SP2. This can fix a number of issues and also fixes an issue where the e-mail autoconfiguration autodiscover test errors out with 0x8004005 immediately after a line where it appears to succeed (returns a 500 response).
  • Check whether the workstation is joined to the domain. This can determine the status of password storage and determine how you go about troubleshooting this issue.
  • Check the user account credentials stored in the Windows profile. If credentials are stored for Exchange and yet the password has been updated since, you may get a series of password prompts and possibly autodiscover prompts appearing. In Windows XP you can access this by typing UserControl2 into the Start-->Run dialog box.

Using multiple email domains can affect autodiscover
Another issue that can occur with autodiscover is if your organisation uses different email domains. If autodiscover is configured on http://domain.com/ and the email address for the user is @anotherdomain.com then autodiscover will not be resolved. You might want to create SRV records for these domains to redirect users to the autodiscover website.

Authentication on web services and autodiscover virtual directories can affect autodiscover

Another issue that may occur is that autodiscover returns errors (0x8004005) and Out of Office returns the error "the server is unavailable". This may be because Windows Authentication is not enabled on the web services virtual directory:

get-webservicesvirtualdirectory | Set-WebServicesVirtualDirectory -WindowsAuthentication:$true

How Autodiscover works

A client attempts to connect to the SCP to get an autodiscover URL. If the client is not domain-connected then this will fail.

A client attempts to connect to domain.com and autodiscover.domain.com based on the user's primary SMTP address. It tries https first and then http.

See http://technet.microsoft.com/en-us/library/bb124251.aspx for a more detailed description.
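As an added example (Python written for this page, not from the post or from Microsoft), here is the lookup order just described as code, together with a redirect walker that reports each hop instead of silently following it, which is how to find the redirect that produces the "Allow this website to configure server settings?" prompt explained earlier. The order of the non-SCP steps is the documented Outlook order (the plain-http probe is only accepted as a redirect, and the SRV lookup comes last). The example.com hostnames and the sample chain are constructed; `http_fetch` is the only part that touches the network, and the sample chain uses a stub in its place.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def autodiscover_candidates(smtp_address, domain_joined=False):
    """Where Outlook looks, in order, given the user's primary SMTP address."""
    domain = smtp_address.rsplit("@", 1)[1].lower()
    steps = ["SCP lookup in Active Directory"] if domain_joined else []
    steps += [
        "https://" + domain + AUTODISCOVER_PATH,
        "https://autodiscover." + domain + AUTODISCOVER_PATH,
        "http://autodiscover." + domain + AUTODISCOVER_PATH,  # only a redirect is accepted here
        "SRV _autodiscover._tcp." + domain,
    ]
    return steps


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """(status, Location header or None) for a single request (network call)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:  # 3xx (not followed), 401, 404, 500 ... all land here
        return err.code, err.headers.get("Location")


# Constructed chain: http on the autodiscover name is redirected to the webmail host,
# which answers 401 (reachable, credentials required).
SAMPLE_CHAIN = {
    "http://autodiscover.example.com" + AUTODISCOVER_PATH: (302, "https://webmail.example.com" + AUTODISCOVER_PATH),
    "https://webmail.example.com" + AUTODISCOVER_PATH: (401, None),
}


def sample_fetch(url):
    """Stub standing in for http_fetch when walking the constructed chain."""
    return SAMPLE_CHAIN.get(url, (404, None))


def walk_redirects(start_url, fetch=http_fetch, max_hops=5):
    """Follow the chain one hop at a time.

    Returns (final_url, hops) with each hop as (url, status, location). `fetch` is
    injectable so the logic can be exercised without a network.
    """
    hops, url = [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status, location))
        if 300 <= status < 400 and location:
            url = location
            continue
        return url, hops
    raise RuntimeError("more than %d redirects starting at %s" % (max_hops, start_url))


def prompt_reasons(hops):
    """Outlook shows the 'Allow this website to configure ... settings?' prompt for a redirect.

    Classify each redirect in the chain by the two causes described in the post.
    """
    reasons = []
    for url, status, location in hops:
        if not (300 <= status < 400 and location):
            continue
        src, dst = urlparse(url), urlparse(location)
        if src.hostname != dst.hostname:
            reasons.append("%s -> %s: redirected to a different site (e.g. the webmail host)" % (src.hostname, dst.hostname))
        elif src.scheme == "http" and dst.scheme == "https":
            reasons.append("%s: http redirected to https, so the https site itself was not usable" % src.hostname)
        else:
            reasons.append("%s -> %s: redirect" % (url, location))
    return reasons


if __name__ == "__main__":
    start = "http://autodiscover.example.com" + AUTODISCOVER_PATH
    final, hops = walk_redirects(start, fetch=sample_fetch)
    for hop in hops:
        print(hop)
    print("ends at", final)
    print("\n".join(prompt_reasons(hops)) or "no redirect: no prompt expected")
```

A 401 at the end of the chain is the healthy outcome for an anonymous probe: the endpoint exists and wants credentials. A 404 or 500 there points at the virtual directory itself rather than at the redirect.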

Basic troubleshooting steps

When auto-discover stops working, you may find that your Out-Of-Office and Free/Busy (availability) stop working too.

Start the Outlook client. Hold CTRL and right click the OL icon in the system tray. Select Test Email Auto-configuration. Enter the email address and password. Select "Use Autodiscover" but deselect all the Guessmart checkboxes. Click Test. On the XML tab, ensure it is connecting to the correct autodiscover URL. You may receive one of the following errors as defined by Microsoft.

0x80072EE7 – ERROR_INTERNET_NAME_NOT_RESOLVED
This error is usually caused by a missing host record for the Autodiscover service in the Domain Naming service.

0X80072F17 – ERROR_INTERNET_SEC_CERT_ERRORS
This error is usually caused by an incorrect certificate configuration on the Exchange 2007 computer that has the Client Access server role installed.

0X80072EFD – ERROR_INTERNET_CANNOT_CONNECT
This error is usually caused by issues that are related to Domain Naming service.

0X800C820A – E_AC_NO_SUPPORTED_SCHEMES
This error is usually caused by incorrect security settings in Outlook 2007.

- If this is a workstation connected to the domain and able to reach Active Directory, ensure it gets a URL from the SCP in Active Directory and is able to connect to it. If it retrieves a URL but fails in using it, check that the URL can be accessed by pasting it into an Internet Explorer window. It may be that TMG or the proxy is blocking access to that server. The resolution in this case may be to add the URL to the proxy exceptions list.

- If this is a workstation that is not domain-connected, check that the correct URL is returned. If not, it has not been configured correctly as the external URL on the internet facing CAS server(s). If the URL is correct then try to paste the auto-discover URL into Internet Explorer and see if the autodiscover XML pops up.

- If you have an issue with seeing free/busy data for other users then try to enable logging in Outlook 2007 > Tools > Options > Other > Advanced Options > Select Enable logging (troubleshooting) > OK > Restart Outlook > Try to view free / busy information for another user > Go to the %temp% folder and open olkdisc.log file and locate the files in the olkas directory. These files can often provide information about which service is not functioning correctly.

- If you have an issue with seeing free/busy data for other users then review the event log for event IDs 4001, 4003, 4005, and 4011. Possible solutions for these errors are contained at http://technet.microsoft.com/en-us/library/bb397225(EXCHG.80).aspx

- Use the Test-OutlookWebServices cmdlet to troubleshoot the availability service. For example, Test-OutlookWebServices -Identity user1@mydomain.com -TargetAddress user2@mydomain.com

- If you have an issue with seeing free/busy data for other users then check if there are any cross-forest timeout issues. Details are contained in the URL http://technet.microsoft.com/en-us/library/bb397225(EXCHG.80).aspx

- Check the SCP point in Active Directory Sites and Services by enabling the "View Services Node" option. It is under Services > Microsoft Exchange > Org Name > Administrative Groups > Admin Group Name > Servers > Server Name > Protocols > Autodiscover. These SCP points can be administered using the Set-ClientAccessServer cmdlet.

- If the issue is with external users, then use the website http://www.testexchangeconnectivity.com/ to check that your configuration is correct.

- If you have issues and you are using multiple SMTP namespaces then you will want to check out http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html

- Check that IIS is started on all servers

- Check that the OWA application pool, OAB application pool, and EWS application pool are all running and started with no errors.

- If you receive an authentication error (such as 500 service not available or 400 login time-out) then you may need to rebuild the virtual directories.

Verify Configuration
Ensure you have configured the following:
- Configure your internal URLs for all virtual directories. These should be automatically configured as the server name. Configure external URLs only on your Internet facing CAS servers. See http://technet.microsoft.com/en-us/library/bb691323(EXCHG.80).aspx for details on how to do this. The external URL will either be the name of a CAS server or an NLB that is sitting in front of a number of CAS servers.
- Configure certificates on each Exchange server and TMG server as required. These should be trusted by clients.
- Add all Exchange CAS servers to a proxy exceptions list - generally either using WPAD or Group Policy.

Thursday, July 8, 2010

What would I have on my computer?

Microsoft Office (or Open Office if I want a free version)
Microsoft Visio and Project
iTunes (for the iPhone)
VMWare Workstation or Virtual PC
PDF 995 (Print to PDF documents)
Adobe Acrobat Reader
Infrarecorder (CD Burner)
Shockwave / Flash Player
Comodo Firewall and AV
Daemon Tools
Firefox
Notepad++
Irfan Viewer
Open Movie Editor
FileZilla
CMD Prompt Here
.Net Framework

Friday, July 2, 2010

Active Directory: Reset the DSRM password in Active Directory

If you are still able to log into the server through normal operation, you can reset the DSRM password using NTDSUTIL. See http://support.microsoft.com/kb/322672 for Windows Server 2003.

If you cannot access the server in normal mode, you will need to use a hacking tool to reset the DSRM password on that server. Try using a tool such as http://www.ubcd4win.com/ or http://www.hiren.info/pages/bootcd.

Outlook 2007: Outlook prompting for password issue

Symptoms: Outlook 2007 clients are prompting for password when connecting to Exchange 2007.

Possible solutions if affecting single users:

  • Open the profile settings and make sure there is no checkbox in "Always prompt for user name and password" on the Security tab
  • Check credential manager. It may be storing an incorrect password for the user and Outlook may be using this to connect to Exchange. Run control userpasswords2. On the Advanced tab, select "Manage Passwords". Remove any entries to the Exchange server. Alternatively, erase the server name and enter "S1" or the simple name of your global catalog server and leave the password blank. If prompted again, enter your username and password and check off "remember my password" one last time and it should not prompt again.
  • Try typing in the username by including the domain name. i.e. DOMAINNAME\Username. This has been known to resolve the issue.
  • In the task tray, hold down CTRL Key and right click the Outlook icon and select Test Email Auto Configuration. Uncheck Use Guessmart and Secure Guessmart Authentication. Click Test. When the test is completed, view the XML results.
  • Check that the autodiscover URLs are in the proxy exceptions list.
  • Open the following path: In Vista: \Users\YourUserName\AppData\Roaming\Microsoft Once open you will see numerous folders including a “protect” folder. Delete the “protect” folder. When you have deleted the protect folder, restart Outlook. You will be requested to enter your password again, but it will be the last time.
  • Check that an Internet security product is not blocking a port.

Possible solutions if affecting a large number of people:

  • Open IIS on the Exchange server and check the following directories under the default website: the root site, oab, autodiscover. Under the Directory Security tab, click Edit in the Secure Communications section. If you have "Require SSL" checked and 128-bit encryption, but under Client Certificates it is set to Ignore, then this may be the problem. Change this to "Accept" for each of the folders and restart IIS. This may not be a satisfactory solution for everyone.
  • Try to connect to the autodiscover URLs listed in the SCP and in Exchange Management Console.
  • Make sure the OABurl is set to https and not http
  • In the task tray, hold down CTRL Key and right click the Outlook icon and select Test Email Auto Configuration. Uncheck Use Guessmart and Secure Guessmart Authentication. Click Test. When the test is completed, view the XML results. If the URL for the OAB is starting with HTTP instead of HTTPS then you may need to change this from the Exchange Management Console. Do an iisreset and test again.
  • Make sure integrated security is enabled on the virtual directories where required.
  • Ensure Offline Address Book has been migrated to Exchange 2007.
  • Look at the properties of the autodiscover virtual directory and ensure a version of ASP is selected. If none is selected, clients may be prompted for password.
  • Ensure Windows authentication is enabled on the Autodiscover virtual directory.
  • See http://support.microsoft.com/kb/236032

If the problem exists when using RPC over HTTP:

If you are using RPC over HTTPS, the authentication method is either Basic or NTLM; make sure you are using NTLM. Then, to ensure Outlook does not use a cached password, go to Control Panel --> User Accounts, click the Advanced tab, then click the Manage Passwords button. Review the stored passwords and, if you see the IP address of your mail server listed, delete that entry.
Now we need to patch the registry:
Click Start --> Run
Type regedit and press Enter
Go to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
Find the lmcompatibilitylevel DWORD parameter
Double-click on it and change its value to 3

Wednesday, June 30, 2010

Outlook: Outlook Signature is corrupted

Symptoms:
Any text that is not bold would turn out bold when creating a new email, and vice versa.

The following steps did not resolve the issue:
Creating a new Outlook profile or creating a new signature.

Outlook can be configured to use Word as the text editor for new emails. This means that the normal.dot configuration will apply to these emails. If the signature is doing something funny when you go to create a new text file, it will most likely be an issue with this file.

Resolution:
Close all Office programs. Rename normal.dot, which for Outlook 2003/Windows XP is under the user profile under Application Data\Microsoft\Templates. Start Outlook again and create a new email. The issue should now be resolved.

Note: This may cause a Word instance to appear in the background. Close Outlook, start Word, close Word, start Outlook. This has resolved this issue.

Wednesday, June 16, 2010

Outlook: Offline Folder (OST) issues

This article lists many of the ways in which you can troubleshoot an issue with the Outlook offline mail file. This file is often referred to as an OST.

Determine more about the issue:
  • Record the error messages that are appearing.
  • An error at the beginning that asks if you would like to start in online or offline mode indicates that Outlook believes there is a discrepancy between the information in the OST and the mailbox.
  • Record the steps taken in order to receive the error condition. In some cases, the computer has to be shut down, disconnected from the network and restarted before the OST issue will reveal itself.
  • Have the user log onto another computer and perform the tests using the same version of Windows and Office if possible.
  • Create a new test user with mailbox on the computer where the fault occurs, and see if the same issues occur.

Try the following steps to resolve an OST issue:

  • Ensure the user has read/write access to the OST file location.
  • Create a new profile and at the same time, change the location of the OST. If there is autoconfiguration involved, there may be a %username% in the location. Remove this and replace with a real path instead, as well as setting a name for the OST that does not already exist in that location. When it asks to create a new OST, click Yes. Finish the profile creation and set it to open when Outlook is next opened. The error message should generally be resolved by this step.
  • Shut down Outlook and rename the OST file. Restart Outlook and check if the issue reoccurs. Note: If the user has been writing to their OST and it has not been synchronised to the server, you will lose this information. Try to determine first if this is the case.
  • Create a new Outlook profile.
  • If the user is running Outlook 2003, you may try upgrading to Office 2007. This has been proven to resolve some OST issues (where the OST itself does not appear to be at fault).
  • Try performing an uninstall and reinstall of Office. This has been proven to not resolve some OST issues.
  • Empty out the deleted items folder. Deleted items may have become corrupted or too large.
  • Remove any delegates on the mailbox. Delegates may have become corrupted and/or orphaned.
  • Export any inbox rules and then delete what is there. Rules can become corrupted. These can be re-imported when testing is complete.
  • Right click on a folder in Outlook and select properties. Select the synchronisation tab and check if the folder has synchronised successfully. If the synchronisation tab is not available then you may not be in cached mode. See KB842284. To synchronise all folders, press Send/Receive All. To synchronise just a single folder, select the folder and select Send/Receive this folder only.
  • Replace the Exchange server service support files for Outlook. In Office 2007, rename the C:\Program Files\Microsoft Office\Office12\emsmdb32.dll. Go to Add/Remove Programs, select Reinstall or repair, then Reinstall. In Office 2003 you should rename emsabp32.dll, emsmdb32.dll, emsui32.dll, then reinstall Office. See KB842284.
  • Try running the OSTScan tool to check for corruption. Run without the automatic repair first. It will create a report in the deleted items folder. Check the report for issues. Rerun the tool in repair mode if required. See http://office.microsoft.com/en-us/outlook-help/scan-and-repair-corrupted-outlook-data-files-HA010075831.aspx?pid=CH100788841033#BM2
  • Try moving the mailbox to a new Exchange server if this is an option.

Friday, June 11, 2010

iPhone: Configure Internet Tethering

This is how to tether your iPhone to make it act as a gateway to the Internet for your PC or laptop.

1. Configure the following settings on the iPhone:
General --> Network -->Internet Tethering = On
General --> Bluetooth --> Bluetooth = On

2. Configure the iPhone as a paired device on the PC / Laptop:
Start --> Control Panel --> Bluetooth Devices --> Add wireless device
Select the iPhone from the list and follow the instructions to pair the device. You will need to put the PIN in on the iPhone when requested.

Note: If you are prompted to add drivers, they are not needed. Just cancel this dialog box.

3. Configure the iPhone as an Internet Access Point from the PC / laptop:
Right click the iPhone connection in the list (still in Bluetooth Devices under Control Panel)
On the Services tab, select "Wireless iAP" from the list.

4. Connect to the iPhone Personal Area Network:
Right click the Bluetooth icon in the system tray and select "Join Personal Area Network"
Select the iPhone device from the list and click "Connect"

5. Access the Internet!!

Powershell: Waiting for input from the keyboard

This code waits for a keyboard press. It passes back the character that is pressed, and you can then enact scripts based on the key pressed.

Script follows below:


Write-Host "Press the c key to continue to create a contact with the above variables"
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")


#Exit if the "c" character is not pressed.
if ($x.Character -ne "c")
{
write-Host $x.Character
exit
}

#Continue with rest of code

PowerShell: Exchange 2007: Create Mail Enabled Contacts from a Spreadsheet

Script is below. This script can be modified to work with almost anything. What it demonstrates is reading from a spreadsheet and enacting commands against the data.

Script follows:


#Fields contained in spreadsheet:
#FirstName LastName FullName JobTitle Division BU Department StreetAddress Suburb State
#PostCode Country Telephone Mobile Fax UserID Password Email PerkinsEmail
#HomMailServer AccountType ErrorCount ErrorMessages
#
#
$LIST=IMPORT-CSV C:\BULKUPDATE.CSV
#
# Go through EACH item in the list (Header row is treated as variable names by default)
#
FOREACH ($USER in $LIST) {
    #
    #
    $Firstname=$USER.Firstname
    $Lastname=$USER.Lastname + " (Perkins)"
    $Fullname=$USER.FullName + " (Perkins)"
    $BU=$USER.BU
    $USERID=$USER.USERID
    $ForwardingAddress=$USER.PerkinsEmail

    write-Host
    write-Host "Full name: " $FullName
    write-Host "Firstname: " $Firstname
    write-Host "UserID: " $UserID
    write-Host "Forwarding address: " $ForwardingAddress
    write-Host

    Write-Host "Press the c key to continue to create a contact with the above variables"
    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    if ($x.Character -ne "c")
    {
        write-Host $x.Character
        exit
    }
    #
    #
    # Enter your commands here that will work with the variables above.
    New-MailContact -Name $Fullname -DisplayName $FullName -FirstName $Firstname -LastName $Lastname -Alias $UserID -ExternalEmailAddress $ForwardingAddress -OrganizationalUnit "User-Contacts-Imported" | Set-MailContact -HiddenFromAddressListsEnabled $true
    #
    #
}

Other commands that have proven useful with this routine are:
  • GET-USER $MailboxUserName | SET-MAILBOX -ForwardingAddress $ForwardingAddress

Here is another sample script which creates resource mailboxes and turns off the autoaccept agent. This is good for resource mailboxes where the users want to directly update the calendar. Note: It is not best practice to update calendars directly however this is what some people like.


#
#
$LIST=IMPORT-CSV C:\TAGPFIMPORT2.CSV
#
# Go through EACH item in the list (Header row is treated as variable names by default)
#
FOREACH ($USER in $LIST) {

    $MailboxName=$USER.MailboxName
    $Alias=$USER.Alias
    $UPN=$Alias + "@tollgroup.local"
    $ResourceType=$USER.ResourceType
    $Database=$USER.Database
    $OUName=$USER.OU
    $ResourceAdmin1=$USER.ResourceAdmin1
    $ResourceAdmin2=$USER.ResourceAdmin2
    $ResourceAdmin3=$USER.ResourceAdmin3
    $AutomateProcessing=$USER.AutomateProcessing
    # The CSV holds the text "True"/"False"; the calendar settings cmdlet needs a real boolean.
    $DeleteNonCalendarItems=[System.Convert]::ToBoolean($USER.DeleteNonCalendarItems)

    write-Host
    write-Host "Mailbox name: " $MailboxName
    write-Host "UPN: " $UPN
    write-Host "Resource Type: " $ResourceType
    write-Host "ResourceAdmin1: " $ResourceAdmin1
    write-Host "ResourceAdmin2: " $ResourceAdmin2
    write-Host "ResourceAdmin3: " $ResourceAdmin3
    write-Host "AutomateProcessing: " $AutomateProcessing
    write-Host "DeleteNonCalendarItems: " $DeleteNonCalendarItems
    write-Host "Database: " $Database
    write-Host "OU: " $OUName
    write-Host

    Write-Host "Press the c key to continue to create a resource mailbox with the above variables"
    $x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
    if ($x.Character -ne "c")
    {
        write-Host $x.Character
        exit
    }
    #
    #
    # Enter your commands here that will work with the variables above.
    # Echo the command first so the console log shows exactly what is about to run.
    write-Host "New-Mailbox -UserPrincipalName $UPN -Database $Database -Name $MailboxName -OrganizationalUnit $OUName -DisplayName $MailboxName -ResetPasswordOnNextLogon `$true | Set-Mailbox -Type $ResourceType"
    # Create the mailbox, then convert it to the resource type (Room or Equipment) given in the CSV.
    New-Mailbox -UserPrincipalName $UPN -Database $Database -Name $MailboxName -OrganizationalUnit $OUName -DisplayName $MailboxName -ResetPasswordOnNextLogon $TRUE | Set-Mailbox -Type $ResourceType

    # Give each listed resource administrator full access; blank CSV cells are skipped.
    foreach ($admin in @($ResourceAdmin1, $ResourceAdmin2, $ResourceAdmin3)) {
        if ($admin) {
            Get-Mailbox $MailboxName | Add-MailboxPermission -AccessRights FullAccess -User $admin
        }
    }

    # Turn the auto-accept agent on or off as requested in the CSV.
    write-Host "SET-MAILBOXCALENDARSETTINGS $MailboxName -AutomateProcessing $AutomateProcessing -DeleteNonCalendarItems $DeleteNonCalendarItems"
    SET-MAILBOXCALENDARSETTINGS $MailboxName -AutomateProcessing $AutomateProcessing -DeleteNonCalendarItems $DeleteNonCalendarItems

}

Thursday, June 3, 2010

SMTP and Internet mail troubleshooting

Issues with Internet mail delivery

If your mail is getting rejected:

  • Check your mail domain is configured correctly in external DNS at http://www.intodns.com/
  • Check that your mail domain has not been blacklisted at http://www.mxtoolbox.com/
  • Check that your domain has a PTR record in public DNS
  • Check that your domain has an SPF record. Absence of this record will make other mail systems more likely to reject mail or classify it as spam. See http://www.openspf.org/Why for more information or to test SPF.

If mail is getting rejected by hotmail, check http://postmaster.live.com/.
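For the SPF item in the list above, here is an added example (Python written for this page, not from openspf.org or from any Exchange tool) that parses an SPF TXT record and evaluates a sending IP address against it without touching DNS, which is what a receiving mail system does before deciding to reject or junk the message. The record and addresses are constructed; `a` and `mx` mechanisms take pre-resolved address lists, and mechanisms that would need further lookups (`include`, `exists`, `ptr`, `redirect=`) are reported as unresolved rather than followed.

```python
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record for a domain that sends from one /24, one extra host and its MX servers.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 mx -all"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples.

    Modifiers such as redirect= and exp= come back as ('modifier', name, value).
    """
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record: %r" % record)
    terms = []
    for term in fields[1:]:
        if "=" in term:
            name, _, value = term.partition("=")
            terms.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"  # a mechanism with no explicit qualifier means pass on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def evaluate_spf(record, sender_ip, resolved=None):
    """Result of checking sender_ip against the record, mechanisms evaluated left to right.

    `resolved` maps 'a' or 'mx' to the address list that mechanism would resolve to, so
    the check runs offline (dual-CIDR suffixes on a/mx are not handled). Anything that
    needs another lookup returns 'unresolved'; an unknown mechanism is a permerror.
    """
    ip = ipaddress.ip_address(sender_ip)
    resolved = resolved or {}
    redirect = False
    for qualifier, mechanism, argument in parse_spf(record):
        if qualifier == "modifier":
            redirect = redirect or mechanism == "redirect"  # only applies if nothing matches
            continue
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = ip.version == network.version and ip in network
        elif mechanism in ("a", "mx"):
            matched = any(ip == ipaddress.ip_address(addr) for addr in resolved.get(mechanism, ()))
        elif mechanism in ("include", "exists", "ptr"):
            return "unresolved"
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "unresolved" if redirect else "neutral"


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.25", "192.0.2.10"):
        print(sender, evaluate_spf(SAMPLE_SPF, sender))
    print("192.0.2.10 as an MX host:", evaluate_spf(SAMPLE_SPF, "192.0.2.10", {"mx": ["192.0.2.10"]}))
```

To check your own domain, paste the TXT record that `nslookup -type=TXT yourdomain` returns into `evaluate_spf` with the public address your Exchange or smart host sends from; anything other than pass is what remote systems will see.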

Issues with scanning to email

If you are scanning mail to your inbox but it is not arriving, or other email is not arriving consistently:

  • Check if other people are able to receive mail from the scanner
  • Find the IP address and name of the scanner, and try to manage it remotely through HTTP or HTTPS
  • Check junk email folder. If they are going into junk email, add the scanner "from" address to the safe senders list on the Outlook client.

Issue sending to Exchange 2007 distribution lists from external

If you are sending to a distribution list that is hosted in Exchange and you are sending from external, you may receive the following very helpful error messages:

  • Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.
  • #550 5.7.1 RESOLVER.RST.AuthRequired; authentication required ##rfc822;travnatad@smtpex.toll.com.au

The answer is generally quite simple. An Exchange 2007 distribution list requires senders to be authenticated by default. To disable this, go into the distribution list properties and on the Mail Flow tab, select Message Delivery Restrictions. Uncheck the box that says "Require that all senders are authenticated". Then mail will start to flow.

Wednesday, June 2, 2010

Exchange: Outlook client and OWA issues and resolutions

General resolution steps

  • Determine version and Service Pack of Outlook installed: http://support.microsoft.com/kb/928116
  • Compact OST.
  • Try moving the OST file (in the profile offline folder settings)
  • Try creating new Outlook profile
  • Try creating new Windows profile
  • Try logging into the computer as yourself and creating a profile to see if the issue reoccurs
  • Try doing Office Diagnostics from the Help menu
  • Try doing a Repair
  • Try doing an Office Add/Remove Components and select a new component - this can sometimes do something that a repair does not.
  • Download the freeware "OutlookTools" which shows information about your Outlook installation and allows you to empty Outlook temporary folders, run scanpst, scanost, set startup switches, configure Desktop Alert, modify list of blocked attachments and so forth.

Try uninstalling and reinstalling Outlook.

Problem: Client cannot send to a personal distribution list that is in their Outlook contacts and receives "an unexpected error has occurred".

Resolutions:

  1. Most commonly this is because the entry in the nickname cache has become corrupted. Simply delete the cached entry from the list when it appears.
  2. Another reason might be that the personal distribution list has become corrupted. Try renaming the distribution list, which may resolve the issue. Also try recreating the distribution list.

Problem: Client is trying to book a meeting room and receives the error: "Resource declined your meeting because it is recurring. You must book each meeting separately with this resource". You may not necessarily be booking a recurring meeting.

Resolutions:

  1. Issue is most likely that the delegates have been corrupted on the resource mailbox. Open the resource mailbox in question. Remove the delegates and save the changes. Readd the delegates again with the required permissions. This should resolve the issue.
  2. Check Rules and Alerts for any rules that may be forwarding meeting requests. This can cause an email to be returned to the sender that says the email was forwarded to such and such.
  3. It is potentially free/busy corruption of the resource mailbox calendar. This is a resolution provided by Microsoft PSS according to http://69.33.231.210/blog/2004/12/cannot-book-resource-outlook-thinks.html. PSS says this can occur if multiple people directly update a calendar at roughly the same time. This causes a number of attempts to simultaneously update the free/busy which then corrupts free/busy. PSS says users should not be directly updating calendars in resources, but through meeting requests. To resolve, change a resource scheduling parameter from Outlook. For instance, uncheck "Decline conflicting meeting requests". This generates fresh free/busy info for the resource. You can then go back and check it again - the free/busy info will get refreshed yet again.
  4. Try regenerating free/busy data for the resource mailbox by creating an Outlook profile for it. Run Outlook /cleanfreebusy.
  5. If you are running Outlook 2002 (XP) you should check out the article http://support.microsoft.com/kb/817420 to check whether a fix applies.
  6. As per MS KB 312433, try adding the user back in as a delegate with the same permissions as they previously had. If the original delegate has been removed, try adding another user instead. Restart Outlook. Clear the "Send meeting requests and responses only to my delegates, not to me" option. Remove the delegate that you previously added. Restart Outlook. Send a meeting request and check if the problem is resolved.
  7. See KB 252800 if Schedule+ 97 is installed.
  8. If using Exchange 5.5, Exchange 2000, or Exchange 2003, follow the instructions as per MS KB 312433 to use mdbvu32.exe to remove the hidden delegate from the mailbox. Download mdbvu32.exe from http://www.microsoft.com/downloads/details.aspx?FamilyID=3d1c7482-4c6e-4ec5-983e-127100d71376&displaylang=en or http://www.chicagotech.net/exchange/exchange2007tools.htm.
  9. If using Exchange 2007, use MFCMAPI instead which can be downloaded from http://mfcmapi.codeplex.com/releases/view/45245.
  10. Download MFCMAPI. Create an online profile in Outlook. Open MFCMAPI and select the profile to use. Double click the mailbox name. In the left-hand pane, expand Root Container then Top of Information Store. Right click the Inbox and select Display Rules Table... In the top pane, find the rule that contains "Schedule+ EMS Interface" in the PR_RULE_PROVIDER column, and double click it. In the bottom pane, right click PR_RULE_ACTIONS and select Edit Property. Copy and paste the contents to Notepad and search for the ghost delegate. If the ghost delegate exists in here, delete the entire "Schedule+ EMS Interface" rule. This will disable all delegates and they will need to be re-added in Outlook. If the ghost delegate is not here, search all other rules in the rules table for the name of the ghost delegate. In my case, I found a rule with the conspicuous name "which is a meeting invitation or update". When searching the PR_RULE_ACTIONS property for the ghost delegate, I was able to find it there. This is the rule that you should then consider deleting in order to resolve the issue.
  11. Allen Song on an MS forum had this to say: To troubleshoot it, please first verify the non-existent user has been deleted completely by using the ADSI Edit tool. If there is no clue in there, please turn to the delegate issue. Please understand that the delegate is represented by a rule that is hidden in the mailbox.
    The solution consists of two parts: deletion of the delegate rules in the "Schedule" folder and, secondly, removing the receive folder specification for the IPM.SCHEDULE.MEETING class.
    1. Remove the old delegate rules by:
      a. Launch MFCMapi against the mailbox with an Online mode profile
      b. Choose Session -> Logon and Display Store table
      c. Choose the Profile and choose OK
      d. Double click the mailbox store
      e. Expand Root Container
      f. Right-click "Schedule" and choose "Open Associated Contents Table"
      g. Delete any messages in this table.
    2. Remove the ReceiveFolder Association by:
      a. Launch MFCMapi against the mailbox with an Online mode profile
      b. Choose Session -> Logon and Display Store table
      c. Choose the Profile and choose OK
      d. Double click the mailbox store
      e. Expand Root container
      f. Ensure the Receive Folder association is set by going to MDB -> Display -> Receive Folder Table.
        f1. If the mapping is set, you should see one object in this list with the Message Class of IPM.SCHEDULE.MEETING
        f2. Close the Receive Folder Table
      g. Right-click "Schedule" and choose "Set Receive Folder"
      h. Enter "IPM.SCHEDULE.MEETING" in the box (without the quotes)
      i. Click "Delete Association"
      j. Click OK.
      k. Repeat step "f" above to ensure that the IPM.SCHEDULE.MEETING association is gone.
    After both of these steps, if you have set a new delegate, you may still have to re-establish the new delegation one time to have it take effect.

Then in a separate posting, Allen Song wrote:

  1. Please check whether the below thread can help you: http://social.technet.microsoft.com/forums/en-US/exchangesvrclients/thread/df98a5f6-74f6-4550-9e42-0b226f788199/
    Additionally, I would like to share the steps about how to delete Schedule+EMS Interface with you as below:
    1. Download MFCMAPI using the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=55fdffd7-1878-4637-9808-1e21abb3ae37&DisplayLang=en
    2. Launch MFCMAPI Editor
    3. From the Session Menu, choose Logon and display store table
    4. Double click the mailbox (Mailbox-)
    5. Expand Root container, and Top of Information Store
    6. Right click the Inbox, and choose "Display Rules Table"
    7. This will open a new window and will display the rules configured on this mailbox. The rules will be listed in the top half of this window.
    8. In the top window of the Rules table, under the "PR_Rule_Provider" column delete the entry with display name "Schedule+EMS Interface"
    10. Right click the Delegate Rule mentioned above ("Schedule+EMS Interface") and then choose Delete. This will delete the rule from the mailbox.

Problem: You receive the following error message:

---------------------------
Microsoft Office Outlook
---------------------------
Cannot start Microsoft Office Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The file d:\data\outlook\misos\outlook1.ost cannot be accessed. You must connect to Microsoft Exchange at least once before you can use your offline folder file.

Problem: You receive messages when starting Outlook in cached mode that Outlook is entering recovery mode. If you press "continue" it will continue to open the mailbox but in Online mode, not cached mode.

Resolutions:

  • Ensure "full" permissions are assigned to the user in question on the OST file and the folder containing it.
  • If running Office 2003, upgrading to Office 2007 has been shown to resolve this issue.
  • Exit Outlook and rename the OST file. Open Outlook and let it recreate the OST file.
  • Move the OST to another location (edit the Outlook profile and select the "Offline folder settings" button to do this).
  • Try recreating the Outlook profile.
  • Try recreating the Outlook profile and in the midst of creating the profile, check the path that the OST will be created at. If it contains a %username% or other variable in it, try replacing the path with one that contains no variables. Also make sure the destination has "full" access for the user.

Problem: Only a couple of recent emails, or no emails are appearing when in OWA. However all emails are appearing in the full Outlook client.

  • Almost guaranteed this is because Outlook somewhere (or a mobile device) is configured to download new emails into a PST file rather than the Inbox on the server. So in actual fact there are no emails on the server to be seen.

Problem: Issues connecting to Outlook via a VPN connection:

  • The firewall or network device on the home network may not be passing NetBIOS traffic. It is also possible to be a name resolution issue with DNS or WINS.

Problem: Unable to connect to OWA

OWA issues can be difficult to pick up sometimes. The errors however can give a clue as to the issues. Here are some common solutions to OWA issues:

  • If OWA is coming up with authentication issues, ensure that ISA and Exchange are talking the correct authentication protocol. For example, if ISA is using FBA then ensure Exchange OWA / ECP virtual directories are set to Basic + Windows Integrated rather than FBA.
  • If OWA is looping when trying to load the page (and sometimes also returns an authentication error message), this is a classic symptom of the webpage HTTP redirector being set incorrectly. Ensure the HTTP redirector is not trying to redirect back to itself. This is a common mistake that people make in their attempt to redirect HTTP to HTTPS on the IIS on the Client Access Server. Turn off the HTTP redirection and try again.
  • If OWA complains about the chain of certificates not being trusted, then most likely the ISA/TMG server does not trust the certificate that is on the Exchange server. If you browse to the Exchange website from the ISA/TMG server, it may appear to work (importing a certificate in one manner appears to make the error disappear in Internet Explorer, but does not mean ISA/TMG will trust the certificate), so do not use this as a reliable testing method. Go directly into the "Certificates" MMC console and check the Trusted Root Authorities for the certificate in question. If it is not a self-signed certificate, then also make sure all certificates in the chain are listed in the Trusted Root Authorities.

Problem: Outlook client returns error "Not specified" when trying to send/forward/create an email message.

Error message indicates a compatibility issue. In this case it may be that two versions of MS Word are installed, and Outlook is trying to use the wrong one. In this case it may not find the libraries that it needs. Try uninstalling the older version of Word and make sure it is the same version as Outlook that is left installed, if possible.

Problem: Outlook client returns error "Not implemented" when trying to send/forward/create an email message.

This may be because the installation has been corrupted, or some components or prerequisites are missing.

This has been resolved by repairing the product that is installed. Doing a complete uninstall and reinstall should also do the trick. Repair may not always work.

Problem: Outlook client returns error "an internal support function returned an error" when trying to send/forward/create an email message.

  • Try reading http://support.microsoft.com/kb/222329 - this issue may be caused by a DL in the Outlook Address Book having the same name as a DL in the GAL. This would be resolved by renaming the DL in the OAB.
  • Try reading http://support.microsoft.com/kb/259182 - this issue may occur if the user does not have read permissions on all OABs that are listed when you open the Global Address List and display address lists from the drop-down list. This is resolved by either providing the permissions to the OAB in question or by removing the OAB from being displayed in the address book.

Problem: "MSVCR71.DLL was not found" error when starting Outlook 2007.

This issue occurs because the MSVCR71.dll and MSVCP71.DLL are missing from the computer.

  • Copy these files across from a computer that is working. Preferably this computer would be running the same version of Windows and Outlook. Restart Outlook. This time no error should appear on startup.

Note from http://msdn.microsoft.com/en-us/library/abx4dbyh(VS.71).aspx:

What is the difference between msvcrt.dll and msvcr71.dll?
The msvcrt.dll is now a "known DLL," meaning that it is a system component owned and built by Windows. It is intended for future use only by system-level components. An application should use and redistribute msvcr71.dll, and it should avoid placing a copy or using an existing copy of msvcr71.dll in the system directory. Instead, the application should keep a copy of msvcr71.dll in its application directory with the program executable. Any application built with Visual C++ .NET using the /MD switch will necessarily use msvcr71.dll.

Unable to find a mailbox in the address book or connect to a shared mailbox

  • Check that the "Hidden from Address Book" is not checked on the mailbox
  • If the mailbox has been created recently and is residing on Exchange 2003 or earlier, you will need to wait for the RUS to update the object, or manually kick off the RUS.
  • If the mailbox is on Exchange 2007 and has been migrated recently, it may have not updated its status correctly. Make a slight change on the object, such as adding or removing a space from the Address and click Apply. This should cause the object to come back into the GAL.

Outlook blocked access to the following potentially unsafe attachments

This is due to certain attachment types being blocked in Outlook. Level 1 attachments are blocked and level 2 attachments require you to save to disk first. This "issue" can occur in Office 2000 SR1 or any later version of Office. The security was tightened in Office 2003 SP3 and again in Office 2007. The reasoning given by Microsoft can be found at http://office.microsoft.com/en-us/outlook-help/blocked-attachments-in-outlook-HA001229952.aspx

Potential solutions:


The custom form could not be opened. An Outlook form will be used instead

  • If you are trying to open an Outlook message template (.OFT) in Office 2007, you will find that you cannot open it directly. Even if you save to disk first, you cannot double click the OFT file and open it. There is currently no known workaround other than opening it using the following steps:

    1. Right click on the .OFT attachment and select "Save as..."
    2. Save to a location such as "Desktop"
    3. In Outlook, select the File menu --> New --> Choose Form...
    4. Select "User Templates in File System" from the drop-down list
    5. Click "Browse" and browse to the folder containing the new form and click OK. E.g. "Desktop"
    6. Select the Outlook template from the list that is displayed and click Open.
  • If you are trying to open an Outlook message template (.OFT) in Office 2003 SP3, you will also find that you cannot open it directly. You can however revert the security settings to what was in Office 2003 SP2, thereby allowing you to open the template file:

    Create the following values under HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail:
    "AllowTNEFtoCreateProps"=dword:00000000
    "AllowMSGFilestoCreateProps"=dword:00000001

Meeting request shows "on behalf of" the message organizer

This occurs if a recipient of a meeting request then forwards the meeting request. This is considered normal behaviour. It is best practice to not forward meeting requests if you are not the meeting organizer. Replying to a meeting request does not show "on behalf of".

Logging in to OWA using the /exchange extension results in an error when accessing an Exchange 2007 mailbox.

You get this 500 - Internal Server error while you access Outlook Web Access from https://CASServer.domainname.com/exchange while https://CASServer.domainname.com/owa works fine.

This happens when you have separate Exchange 2007 Mailbox and CAS servers. Ideally the request should be redirected to /owa but you get 500 - Internal Server Error right after typing in your credentials in the forms login page.

This happens due to the fact that redirection is not working because ISAPI Extensions are not installed on the Mailbox Server. ISAPI extensions handle specific incoming requests to the IIS server. Extensions are loaded when they are first needed and kept in memory until the host process shuts down.

To fix this issue, please install the ISAPI Extensions on the mailbox server. Here is the command that you have to run from the EMS to install them:

ServerManagerCmd -i Web-ISAPI-Ext

Make sure to do an IISRESET after this.

(from http://smarthost.blogspot.com/2008/07/500-internal-server-error-when-using.html)

This solution has been confirmed to work.

Monday, May 31, 2010

WinZip: Network ZIP file locking issue

Issue: Trying to delete WinZip files from a network share can sometimes cause an error: "Error Deleting File or Folder - Cannot Delete [filename]: It is being used by another person or program."

Steps tried to resolve the issue:
  • Determined the issue is on multiple computers and under different user accounts.
  • Determined the issue occurs only if WinZip is installed and associated with zip files.
  • "Unlocker" says there is no program locking the zip file when it says "file in use". In some cases it says explorer.exe is the culprit.
  • Determined that a long path name was not the issue.
  • Removed antivirus and the issue still occurred.
  • Tried to delete using both UNC and drive name: same issue.
  • Tried using shares on other servers: same issue.

In the end, I used Sysinternals Process Monitor to determine if there were any locks, but I couldn't find any. I then used Process Explorer to see what processes were running. Because I knew Explorer.exe was the process that locked it (Unlocker had returned this a couple of times), I had a browse through the handles under the Explorer.exe process. One such process was WZSHLSTB.DLL. I went through the registry and found the shell extension under the following location:

[HKEY_CLASSES_ROOT\CLSID\{E0D79305-84BE-11CE-9641-444553540000}\InProcServer32]
@="C:\\PROGRA~1\\WINZIP\\WZSHLSTB.DLL"

After deleting this key, the WinZip context menu disappeared, but the issue also disappeared. This led me to believe that WinZip must be the culprit. I went through the WinZip Configuration settings to see what might cause a lock on the file on network drives.

Solution:
And this is where I found the solution...

A couple of options caused WinZip to do some analysis of associated zip files when the mouse hovered over the file, or the file was right clicked to display the context menu. These options are:

Configuration --> Explorer Enhancements --> Display comment tool tips for Zip files: On other drives (eg. network drives)
Configuration --> Explorer Enhancements --> Check for self-extracting CAB files: On other drives (eg. network drives)

After turning off the first of these configuration items, the issue did not reappear.

Thursday, May 27, 2010

Excel 2007: Date formats

Ever tried copying dates into Excel, to have Excel refuse to format them as a date?

If you press F2 on the cell containing the date and press Enter, it may then update to the format, but what if you have 1000 dates to update?

Well, you could always record a Macro that does ActiveCell.Value = ActiveCell.Value and then moves to the next line to do the same thing. However there is a "bug" with this. Excel VBA will always interpret dates as a US format, unless it encounters a date that cannot be US e.g. 25/12/2005, in which case it will interpret it as dd/mm/yyyy. Ouch!

Solution:
1. Set an empty cell to the date format that you require.
2. Set the cells containing the dates to the date format that you require.
3. Copy the empty cell, and "Paste Special" over the cells containing dates. Select "All" and "Add" then click OK.

Thursday, May 20, 2010

Excel: Grabbing primary SMTP address from an Exchange 5.5 export

This is an Excel function that allowed me to grab the primary SMTP address from an Exchange 5.5 export of users:

=IF(ISERROR(MID(R18,FIND("SMTP",R18)+5,FIND("%",R18,FIND("SMTP",R18)+5)-FIND("SMTP",R18)-5)), RIGHT(R18,LEN(R18)-FIND("SMTP",R18)-5), MID(R18,FIND("SMTP",R18)+5,FIND("%",R18,FIND("SMTP",R18)+5)-FIND("SMTP",R18)-5))
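The same extraction done over the whole export file in PowerShell, as an added example that is not part of the original post. It assumes the export's "E-mail Addresses" column holds proxy addresses separated by "%", that the primary SMTP proxy carries the upper-case "SMTP:" prefix (secondary ones use "smtp:"), and that the CSV was saved with that column name; the sample rows are constructed, not real export data. Unlike the formula, it handles the case where the primary address is the last proxy (no trailing "%") and the case where an object has no SMTP proxy at all without erroring.

```powershell
# Added example, not from the post: pull the primary SMTP address out of the
# "E-mail Addresses" column of an Exchange 5.5 Admin export.
# Assumptions: proxies are "%"-separated, the primary SMTP proxy is prefixed
# with upper-case "SMTP:", and the CSV column is named "E-mail Addresses".
function Get-PrimarySmtpFromProxyList {
    param([string]$ProxyList)

    if (-not $ProxyList) { return $null }
    foreach ($proxy in ($ProxyList -split '%')) {
        # -cmatch is case-sensitive, so only the primary "SMTP:" entry matches,
        # never a secondary "smtp:" one
        if ($proxy -cmatch '^SMTP:(.+)$') { return $Matches[1].Trim() }
    }
    return $null   # no primary SMTP proxy (e.g. an X.400-only custom recipient)
}

# Constructed sample rows shaped like an Exchange 5.5 export (not real data).
# Real use: $rows = Import-Csv .\export.csv
$rows = @(
    (New-Object PSObject -Property @{ 'Display Name' = 'Jane Doe';
        'E-mail Addresses' = 'MS:CONTOSO/SITE/JDOE%SMTP:jane.doe@contoso.example%smtp:jdoe@contoso.example%X400:c=US;a= ;p=Contoso;o=Site;s=Doe;g=Jane;' }),
    (New-Object PSObject -Property @{ 'Display Name' = 'Primary last';
        'E-mail Addresses' = 'X400:c=US;a= ;p=Contoso;o=Site;s=Last;%SMTP:last@contoso.example' }),
    (New-Object PSObject -Property @{ 'Display Name' = 'No SMTP proxy';
        'E-mail Addresses' = 'X400:c=US;a= ;p=Contoso;o=Site;s=None;' })
)

$rows | ForEach-Object {
    New-Object PSObject -Property @{
        DisplayName = $_.'Display Name'
        PrimarySmtp = Get-PrimarySmtpFromProxyList $_.'E-mail Addresses'
    }
} | Select-Object DisplayName, PrimarySmtp | Format-Table -AutoSize
```

Pipe the same objects to Export-Csv instead of Format-Table to get a file you can feed into a later migration step.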

Exchange 2007: Remove and add public folder permissions recursively

When adding permissions to public folders in Exchange 2007, if one of the permissions to be assigned already exists, it will throw an error and not work. To work around this, you can remove the permissions for the user and then add back in the correct permissions.

a) Remove permissions recursively for anonymous

get-publicfolder \PublicFolder1\Airport -recurse | Get-PublicFolderClientPermission -user anonymous | remove-publicfolderclientpermission -confirm:$false


b) Remove permissions recursively for default

get-publicfolder \PublicFolder1\Airport -recurse | Get-PublicFolderClientPermission -user default | remove-publicfolderclientpermission -confirm:$false


c) Add permissions recursively for default

get-publicfolder \PublicFolder1\Airport -recurse | add-publicfolderclientpermission -user Default -AccessRight PublishingEditor
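A reusable version of the three commands above, as an added example that is not part of the original post. It applies one permission level to a whole folder tree and, as the post describes, removes an existing entry for the user before adding the new one, but only on folders where the current rights actually differ, so it can be re-run safely and reports each folder it changed. It assumes the Exchange 2007 Management Shell; the folder path, user and rights in the usage line are placeholders.

```powershell
# Added example, not from the post: idempotently set one client permission
# level for a user (Default, Anonymous or a mailbox) on a public folder tree.
# Assumes Exchange 2007 Management Shell cmdlets; folder path is a placeholder.
function Set-PublicFolderTreePermission {
    param(
        [Parameter(Mandatory=$true)][string]$RootFolder,    # e.g. "\PublicFolder1\Airport"
        [Parameter(Mandatory=$true)][string]$User,          # e.g. "Default" or "Anonymous"
        [Parameter(Mandatory=$true)][string[]]$AccessRights # e.g. "PublishingEditor"
    )

    $wanted = ($AccessRights | Sort-Object) -join ','

    Get-PublicFolder -Identity $RootFolder -Recurse | ForEach-Object {
        $folder  = $_
        # Entry the user currently has on this folder, if any
        $current = $folder | Get-PublicFolderClientPermission -User $User -ErrorAction SilentlyContinue
        $have    = ''
        if ($current) {
            $have = ($current.AccessRights | ForEach-Object { $_.ToString() } | Sort-Object) -join ','
        }

        if ($have -eq $wanted) { return }   # already correct; skip this folder

        if ($current) {
            # Add-PublicFolderClientPermission fails when an entry exists, so
            # remove the old one first (the post's workaround)
            $current | Remove-PublicFolderClientPermission -Confirm:$false
        }
        $folder | Add-PublicFolderClientPermission -User $User -AccessRights $AccessRights
        Write-Host ("{0}: {1} set to {2}" -f $folder.Identity, $User, $wanted)
    }
}

# Usage with the post's placeholder path:
# Set-PublicFolderTreePermission -RootFolder "\PublicFolder1\Airport" -User Default -AccessRights PublishingEditor
```

Run it once with `-User Anonymous` and once with `-User Default` to cover the two cases the post removes separately; the function's output doubles as a record of which folders had rights that drifted from the intended value.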

Exchange 2007: Report on Exchange statistics in Exchange 2007

a)
Get-MailboxServer | where {$_.Name -Like "*EX*"} | Get-Mailbox | export-csv -Path C:\Mailboxes.csv

b)
Get-MailboxServer | where {$_.Name -Like "*EX*"} | Get-Mailbox | Get-User | export-csv -Path C:\MailboxADProperties.csv

c)
Get-MailboxServer | where {$_.Name -Like "*EX*"} | get-mailboxstatistics | export-csv -Path C:\Mailboxstat.csv

Use Excel to match up the results of a) and b) and c).

There is apparently a way to do all this matchup in PowerShell but I haven't looked into these options yet. One such suggestion on a forum was:

Get-Mailbox MBXName | Select-Object name,primarysmtpaddress, DisplayName,Database,@{n="Size(MB)";e = {$MBXstat = Get-MailboxStatistics $_.name; $MBXstat.totalItemsize.value.toMB()}},@{n="Items"; e = {$MBXstat = Get-MailboxStatistics $_.name ; $MBXstat.itemcount}}
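One way to do the whole match-up in the shell, as an added example that is not part of the original post or the forum suggestion. It walks the same mailbox servers as a), b) and c) above, looks up the AD user and store statistics once per mailbox, and writes a single CSV, so nothing needs joining in Excel. It assumes the Exchange 2007 Management Shell on PowerShell 2.0 or later, the "*EX*" server-name filter from the post, and C:\MailboxReport.csv as a placeholder output path.

```powershell
# Added example, not from the post: one report joining Get-Mailbox, Get-User
# and Get-MailboxStatistics per mailbox. Assumes Exchange 2007 Management Shell
# on PowerShell 2.0+; output path is a placeholder.
$report = Get-MailboxServer | Where-Object { $_.Name -like "*EX*" } |
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx  = $_
        $user = Get-User -Identity $mbx.Identity

        # A mailbox nobody has logged on to yet has no store statistics:
        # keep its row with empty size fields instead of aborting the run.
        $stat = Get-MailboxStatistics -Identity $mbx.Identity -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        $sizeMB = $null; $items = $null; $lastLogon = $null
        if ($stat) {
            $sizeMB    = $stat.TotalItemSize.Value.ToMB()
            $items     = $stat.ItemCount
            $lastLogon = $stat.LastLogonTime
        }

        New-Object PSObject -Property @{
            DisplayName        = $mbx.DisplayName
            PrimarySmtpAddress = $mbx.PrimarySmtpAddress.ToString()
            Database           = $mbx.Database.ToString()
            Department         = $user.Department
            Title              = $user.Title
            SizeMB             = $sizeMB
            ItemCount          = $items
            LastLogonTime      = $lastLogon
        }
    }

# Hashtable keys are unordered, so fix the column order before writing the CSV
$report | Select-Object DisplayName, PrimarySmtpAddress, Database, Department, Title, SizeMB, ItemCount, LastLogonTime |
    Export-Csv -Path C:\MailboxReport.csv -NoTypeInformation
```

The forum one-liner calls Get-MailboxStatistics twice per mailbox and by name, which is ambiguous when two mailboxes share a display name; calling it once by the mailbox's own Identity avoids both problems.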

Friday, May 14, 2010

Exchange: Check if email addresses are or are not on a mailbox in Exchange 2007

These scripts check whether a mailbox does or does not contain an email address. This is a great way to find out which mailbox in an organisation contains a certain email address.

Check if an email address is on a mailbox:

get-mailbox | where {$_.EmailAddresses -like "*@emailaddress.com"}

Check if an email address is NOT on a mailbox:
get-mailbox | where {-not ($_.EmailAddresses -like "*@emailaddress.com")}

Another way to check that an email address is not on a mailbox is to cycle through the EmailAddresses array:
Get-Mailbox | foreach {
    For ($i = 0; $i -lt $_.EmailAddresses.Count; $i++)
    {
        $address = $_.EmailAddresses[$i]
        If ($address.SmtpAddress -like "*@test.com")
        {
            Write-Host $_.Name
            Break
        }
    }
}

Tuesday, May 11, 2010

ADMT: Configuring source and target domains for ADMT

This document deals with the prerequisites for configuring ADMT to migrate between two domains.

For this example, DOMAINA is the source domain. DOMAINB is the target domain.

When performing these steps in a production environment you should ensure that your networks are routable and firewall requirements have been met.

DOMAINB: Install ADMT
1. Install ADMT on a Windows Server 2008 server in the target domain
2. Configure the ADMT database to a central SQL Server in order for it to be backed up
3. Ensure the ADMT database is backed up
4. Ensure the ADMT server is backed up if possible

DOMAINA: Create ADMT Migrator account
1. Create ADMT Migrator account
2. Add ADMT Migrator account to DOMAINA\Domain Admins group
3. Ensure ADMT Migrator account is enabled

DOMAINB: Configure ADMT Migrator account
1. Add ADMT Migrator account to DOMAINB\Administrators group
2. Add ADMT Migrator account to ADMT Server local Administrators group
3. Add ADMT Migrator account to ADMT_Migrator, Account Migrator, Resource Migrator and Data Reader on the ADMT SQL database

DOMAINA: Source domain prerequisites
1. Do not create the DOMAINA$$$ group as ADMT sometimes does not like this group to be pre-created. ADMT will create this group automatically
2. Modify the registry on DOMAINA PDC Emulator
a. Browse to HKLM\SYSTEM\CurrentControlSet\Control\LSA
b. Add new DWORD value: TcpipClientSupport and set it to value: 1
3. Configure Audit Account Management
   a. Open the Default Domain Controllers group policy
   b. Browse to Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy
   c. Select Audit Account Management and enable for both Success and Failure
   d. Click OK and close the Group Policy
   e. Run gpupdate /force on all domain controllers in DOMAINA
   f. Run rsop.msc on each domain controller in DOMAINA and confirm that the setting has applied successfully

DOMAINB: Destination domain prerequisites
1. Configure Audit Account Management
   a. Open the Default Domain Controllers group policy
   b. Browse to Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Audit Policy
   c. Select Audit Account Management and enable for both Success and Failure
   d. Click OK and close the Group Policy
   e. Run gpupdate /force on all domain controllers in DOMAINB
   f. Run rsop.msc on each domain controller in DOMAINB and confirm that the setting has applied successfully
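A scripted check of the prerequisites in the two sections above, as an added example that is not part of the original document. Run from an elevated PowerShell prompt on each domain controller, it reports whether the TcpipClientSupport value is set (only on the PDC emulator, where it is required) and whether the Account Management audit category is auditing both Success and Failure, which is what rsop.msc is being used to confirm by hand. It assumes PowerShell 2.0 on Windows Server 2008 and English auditpol.exe output.

```powershell
# Added example, not from the document: verify the ADMT source/target domain
# prerequisites on the DC this runs on. Assumes PowerShell 2.0, English
# auditpol output, and that TcpipClientSupport matters only on the PDC emulator.
function Test-AdmtPrerequisites {
    $results = @()

    # Is this DC the PDC emulator of its own domain?
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $pdcHost = $domain.PdcRoleOwner.Name.Split('.')[0]
    $isPdc   = ($pdcHost -eq $env:COMPUTERNAME)

    # 1. TcpipClientSupport = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    if ($isPdc) {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
        $results += New-Object PSObject -Property @{
            Check = 'TcpipClientSupport=1 on PDC emulator'
            Pass  = [bool]($lsa -and ($lsa.TcpipClientSupport -eq 1))
        }
    }

    # 2. Audit Account Management for Success and Failure. The legacy policy
    #    setting covers the whole Account Management category, so every
    #    subcategory row auditpol prints there must read "Success and Failure".
    $rows = @(auditpol /get /category:"Account Management" 2>&1 |
        Where-Object { $_ -match '^\s{2,}\S' })          # indented subcategory rows only
    $notOn = @($rows | Where-Object { $_ -notmatch 'Success and Failure' })
    $results += New-Object PSObject -Property @{
        Check = 'Audit Account Management = Success and Failure'
        Pass  = ($rows.Count -gt 0) -and ($notOn.Count -eq 0)
    }

    $results | Select-Object Check, Pass
}

Test-AdmtPrerequisites
```

A "False" on the audit row after gpupdate usually means the Default Domain Controllers policy has not applied yet or a more specific policy overrides it; rsop.msc on that DC will show which.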

DOMAINB: Configure PES (Password Encryption Service)
1. Create a user account to act as the PES service account called DOMAINA\SVC_PES
2. Generate PES encryption key on ADMT migration server
3. Log into the ADMT server
4. Run admt key /option:create /sourcedomain:DOMAINA /keyfile:c:\Folder /keypassword:[Password]
5. [Password]: decide on a password to enter here and write it down; this password will need to be entered when importing the encryption key.

DOMAINA: Configure PES (Password Encryption Service)
1. Copy the encryption file to the PDC Emulator in the DOMAINA domain
2. Deploy PES on the PDC in DOMAINA domain:
   a. Download pwdmig.msi to the PDC Emulator in DOMAINA domain
   b. Execute pwdmig.msi
   c. Click Next, accept the license agreement, click Next
   d. Browse for the encryption file and click Next
   e. Specify the password that was set on the file earlier
   f. Specify the account to run the PES service under; this will be DOMAINA\SVC_PES. Use the password provided
   g. Restart the PDC emulator to activate the PES and registry changes
3. Create 3 test users in NDS and have them replicate to DOMAINA
4. Create 3 test groups in DOMAINA and add the replicated test accounts to the 3 groups, which will be for testing the ADMT migration process

DOMAINB: Perform test migration using ADMT
1. Perform migration of a test group from DOMAINA to DOMAINB using ADMT and ensure successful migration of SID History
   a. Make sure to log into the migration server as the migration user DOMAINA\ADMT_migrator
   b. Perform migration of the selected group using ADMT
   c. Check the logs to see that SID history was successfully migrated
   d. Check the migrated user account in ADSIEdit.msc to ensure SIDHistory is attached
2. Test for successful end to end migration by migrating a test account from DOMAINA to DOMAINB and merging the corresponding eDirectory accounts using an NDS Migrator console, and testing for group membership, password migration, SID History migration and access to resources as applicable