Pages

Sunday, December 15, 2013

Disabling Exchange 2010 ActiveSync, OWA, POP, IMAP or MAPI access for mailboxes with PowerShell

I’ve recently been asked by an administrator at a school to suggest the best way of preventing students from setting up an Outlook profile for their mailboxes.  The first thought that I had was that we could simply disable MAPI access via the Mailbox Features tab in the Exchange Management Console

image

Enable or Disable MAPI for a User Mailbox
http://technet.microsoft.com/en-us/library/bb124497(v=exchg.141).aspx

The challenge was that there are thousands of students in the school and manually clicking in the GUI to disable the MAPI feature wasn’t the best choice so we turned to PowerShell.

The 2 cmdlets we’ll be using to turn off MAPI access are the following:

Get-Mailbox
http://technet.microsoft.com/en-us/library/bb123685(v=exchg.141).aspx

Set-CASMailbox
http://technet.microsoft.com/en-us/library/bb125264(v=exchg.150).aspx

The first Get-Mailbox is to retrieve the mailboxes which will then be piped into the Set-CASMailbox cmdlet.

The following is an example of retrieving all of the mailboxes from a mailbox database then piping it into the set cmdlet to disable MAPI:

Get-Mailbox -Database "Students Database" | Set-CASMailbox -MAPIEnabled $false

image

Note that if you have more than 1000 objects returned from the Get-Mailbox cmdlet then you will receiving the warning:

WARNING: By default, only the first 1000 items are returned. Use the ResultSize parameter to specify the number of items returned. To return all items, specify "-ResultSize Unlimited". Be aware that, depending on the actual number of items, returning all items can take a long time and consume a large amount of memory. Also, we don't recommend storing the results in a variable. Instead, pipe the results to another task or script to perform batch changes.

I’ve ran this cmdlet in a few environments and noticed that it applies the changes to more than 1000 objects but just to be the safe, I usually run it with the additional -ResultSize unlimited switch:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Set-CASMailbox -MAPIEnabled $false

image

From here, you can randomly select users to ensure the MAPI feature is turned off

image

Note the warning message:

There are more results available than are currently displayed. To view them, increase the value for the ResultSize parameter.

You can change this limit of 1000 objects returned setting as shown in the following article:

http://technet.microsoft.com/en-us/library/ee332311.aspx

Click on the Recipient Configuration node on the left Modify the Maximum Number of Recipients link on the right:

image

Then change the vaue for Maximum recipients to display:

image

The GUI may not be the most optimal way of reviewing the configuration change so going back to PowerShell, you can use the following cmdlet to list all of the recipient objects in a store with their mailbox feature settings:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox

image

If the list is too long, you can either use the | more command at the end as such:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox | more

… or simply pipe the output to a text file:

Get-Mailbox -Database "Students Database" -ResultSize unlimited | Get-CASMailbox > C:\mailboxfeatures.txt

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note that to disable or enable the other features, simply replace -MAPIEnabled with any of the following:

  • ActiveSyncEnabled
  • OWAEnabled
  • PopEnabled
  • ImapEnabled

Quick way to adjust send and receive connector limits in Exchange 2010 and 2013

I find myself referencing a note I have in my drafts to quickly change send and receive limits for connectors on Exchange 2010 and 2013 so just in case I ever lose that the draft email I have, I thought I’d just blog the commands so I can reference it if I don’t have access to my mailbox.

Use the following cmdlets to quickly set send and receive size limits on all connectors configured on an Exchange server:

Set-TransportConfig -MaxSendSize 100MB -MaxReceiveSize 100MB

Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize 100MB

Get-SendConnector | Set-SendConnector -MaxMessageSize 100MB

Saturday, December 14, 2013

Attempting to move a mailbox from Exchange 2003 server throws the error: “Mailbox database ‘2d14e873-68fc-4475-acf6-1eb3f3909753’ is offline.”

Problem

You attempt to move a mailbox from Exchange 2003 server with the New Local Move Request but receive the following error:

image image

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:05

KAKnights-Fubler
Failed

Error:
Mailbox database '2d14e873-68fc-4475-acf6-1eb3f3909753' is offline.

MapiExceptionLogonFailed: Unable to make connection to the server. (hr=0x80040111, ec=1010)
Diagnostic context:
    ......
    Lid: 11672   dwParam: 0x6D9      Msg: EEInfo: NumberOfParameters: 4
    Lid: 8856    dwParam: 0x6D9      Msg: EEInfo: prm[0]: Unicode string: ncacn_ip_tcp
    Lid: 8856    dwParam: 0x6D9      Msg: EEInfo: prm[1]: Unicode string: BBSexch01.someSchool.someNetwork.bm
    Lid: 12952   dwParam: 0x6D9      Msg: EEInfo: prm[2]: Long val: -545057711
    Lid: 12952   dwParam: 0x6D9      Msg: EEInfo: prm[3]: Long val: 382312662
    Lid: 45169   StoreEc: 0x824    
    Lid: 44273 
    Lid: 59431   EMSMDB.EcDoConnectEx called [length=110]
    Lid: 34855   EMSMDB.EcDoConnectEx returned [ec=0x3F2][length=56][latency=0]
    Lid: 56945 
    Lid: 59431   EMSMDB.EcDoConnectEx called [length=110]
    Lid: 34855   EMSMDB.EcDoConnectEx returned [ec=0x3F2][length=56][latency=15]
    Lid: 59505   StoreEc: 0x3F2    
    Lid: 52465   StoreEc: 0x3F2    
    Lid: 60065 
    Lid: 33777   StoreEc: 0x3F2    
    Lid: 59805 
    Lid: 52209   StoreEc: 0x3F2    
    Lid: 56583 
    Lid: 52487   StoreEc: 0x3F2    
    Lid: 19778 
    Lid: 27970   StoreEc: 0x3F2    
    Lid: 17730 
    Lid: 25922   StoreEc: 0x3F2    
Click here for help...
http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.3.158.1&t=exchgf1&e=ms.exch.err.ExC2B9A8

Exchange Management Shell command attempted:
'someSchool.someNetwork.bm/BBS Students/S4 Students/KAKnights-Fubler' | New-MoveRequest -TargetDatabase 'BBS Alumni Database'

Elapsed Time: 00:00:00

 Solution

While there are various reasons why this error would be thrown, one of them is that the Exchange 2003 server’s mailbox store does not have proper permissions.  Check the permissions on the store’s properties to ensure that the Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here. is selected:

image

image

image

Sunday, December 8, 2013

Configuring Netscaler VPX appliance throws the error: “Java Applet could not be loaded”

Environment:

NetScaler VPX Version: NS10.1: Build 121.10.nc, Date: Oct 18 2013, 10:25:05

image

Internet Explorer Version: 9.0.8112.16421

image

Java Version: Java 7 Update 45

image

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

I don’t think I’ve ever been as frustrated with web administration consoles that are browser based and rely on Java as the NetScaler VPX appliance, Compellent and Cisco UCS.  Earlier versions of Java last year was easily to fix as all you needed to do was uncheck the Keep temporary files on my computer then delete the files:

image image

image

… but the later versions with the error:

Downloading Applet…

image image

… then after being stuck at 1% for a period of time, the following is presented:

Cannot load Applet

Java Applet could not be loaded

Details

Possible reasons:

JRE(Java Runtime Environment) not installed.

JRE is installed but not running.

Java browser plug-in is not installed or not enabled.

image

I’ve gone on to try disabling verification as some forums suggested:

image image

… or looking for the security option to switch to a lower medium level which does not appear to be present for the latest Java version I downloaded today (December 8, 2013).

After spending over 30 minutes researching solutions which non corrected the issue, I went ahead and tried Google Chrome 31.0.1650.64 which ended up working.  

image

Not exactly the best solution but it was enough for me as all I wanted was to make a small change to the NetScaler VPX appliance.

Thursday, December 5, 2013

Unable to search GAL with less than 4 characters via Exchange Server 2010 ActiveSync

Problem

You attempt to search the Global Address List (GAL) via a phone that uses Exchange Server 2010 ActiveSync but notice that the search fails when you search with 3 characters or less:

image image image

**Note that the screenshots above are from a Blackberry z10 device’s Look up… feature.

Searching with 4 characters or more works as expected:

image image image

Reviewing the IIS Logs on the CAS server in the directory:

C:\inetpub\logs\LogFiles\W3SVC1

image

Reveals the following:

2013-12-05 14:11:43 10.64.16.20 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Search&DeviceType=BlackBerry&User=contoso.com%5CKAB&DeviceId=BB24D90407&Log=V140_LdapC8_LdapL15_RpcC14_Pk4017638333_Error:SearchStringTooShort_Pic0_SrchL2_As:AllowedG_Mbx:contosoBDAMS01.contoso.com_Dc:contosoBDADC01.contoso.com_Throttle0_Budget:(A)Conn%3a0%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f1%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5Ffafb1bd7-839a-4db2-b37c-7ef5a58823d0%2cNorm_ 443 contoso.com\KAB 10.64.16.17 RIM-Z10-STL100-1/10.1.0.4633 200 0 0 265

image

The text that identifies the search string too short in the log is:

Error:SearchStringTooShort

Solution

A bit of research on the internet revealed that in Exchange Server 2010, the default minimum amount of characters required to search the GAL via ActiveSync is 4 characters instead of 2 which is the default setting for Exchange 2003 (the Exchange 2007 organization I had to troubleshoot also exhibited the same behavior). As a result of this change, attempting to search with 3 or less characters on a BES 10 device which uses a BES 10 server that uses ActiveSync to retrieve information from Exchange Server 2010 would fail.  To correct this issue, edit the web.config file on all of the CAS servers at the following directory:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Sync

image

Backup the web.config file prior to making the change:

image

Locate the <appSettings> section:

image

Add the following text with the appropriate value desired (we’ll use 2 for this example to allow searching with 2 characters) between the <appSettings> and </appSettings> tag as such:

<!-- Sets the minimum number of characters required for searching -->

<add key="MinGALSearchLength" value="2"></add>

image

Perform a iisreset command on the CAS server once the changes have been made:

image

Searches with 2 characters should now work:

image image image

Hope this helps anyone who may come across this issue.

Thursday, November 28, 2013

Connecting to VMware View 5.1.2 desktop via PCoIP displays a black screen when in full screen

Problem

You’ve just added a new existing virtual machine into a VMware View pool and attempt to connect to it via the VMware View client but the following black screen:

image

What you notice is that if you restore the size of the VMware View client to a window instead of full screen, you are able to see the virtual desktop’s login screen properly.  Everything else works as expected when working in side this resized window:

image

You’ve confirmed that the resolution of the monitor you’re using which is 1920 x 1080:

image

… is either smaller or the same as the VMware View pool settings:

image

Note that the pool settings is configured with:

Max number of monitors: 2

Max resolution of any one monitor: 1920 x 1200

The settings for the virtual desktop indicates that VMware View has set the configuration to:

Number of displays: 2

Total video memory: 35.19

image

You notice that if you try to shutdown the virtual machine, change the video memory to 40MB, View would quickly change it back to 35.19MB.

Solution

What’s important to note is that it is expected behavior for View to change the video memory back to 35.19MB as that is the predefined settings for the monitoring configuration set in the pool and the only way to increase the memory for the desktops is to actually change the pool settings as such:

Max number of monitors: 4

Max resolution of any one monitor: 2560 x 1600

image

Once the pool settings are in, VMware View would reconfigure all of the desktops regardless of whether they’re powered on or off to the following settings:

Number of displays: 4

Total video memory: 125

image

What solved my issue was to increase the resolution in the pool settings to be higher than the resolution of monitor, wait till View has completed the changes to the video card, restart the virtual machine once so that the new video card settings are in effect, then shutdown the virtual machine and then power it back on.  Note that I’ve tried restarting the virtual machine multiple times but still received the black screen which I suspect is related to the description in the following KB:

Configuring PCoIP for use with View Manager (1018158)http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1018158

I didn’t get to try restarting the virtual machine via the vSphere client but I believe it probably would have worked if I did.

Wednesday, November 27, 2013

Removing and adding a renamed desktop into a Citrix XenDesktop 5.6 Existing pool throws the error: “The computer domain\computername could not be imported because User domain\computername could not be found.”

Problem

You have a desktop in a Citrix XenDesktop 5.6 Existing pool that you need to rename so you proceed with the following:

  1. Remove it from the existing desktop group
  2. Delete it from the desktop catalog
  3. Clone the virtual machine in vCenter to a new name so that the flat files corresponds to the virtual machine name
  4. Log into the new virtual desktop and rename the Windows name
  5. Restart the desktop
  6. Right click on the same Existing catalog and select Add Machines
  7. Select the newly cloned virtual machine

What you notice is that as you get to the prompt where you select a Active Directory computer account and select the new renamed computer account, you receive the following error:

The computer domain\computername could not be imported because User domain\computername could not be found.

Clicking the OK button displays another window with the error:

Sequence contains no elements

Solution

I’m not exactly sure why but this has happened to me twice over the past month and the resolution for both incidents was to restart the DDCs.  Once the DDCs are restarted, I am then able to add the machines with the new account.

Sunday, November 17, 2013

Citrix XenApp and XenDesktop Pass-Through Authentication works with website authentication but not application or desktop authentication

To follow up with my previous post:

Connecting to Citrix XenDesktop 5.6 virtual desktops through a Web Interface configured with pass-through authentication fails after flashing a black screen
http://terenceluk.blogspot.com/2013/11/connecting-to-citrix-xendesktop-56.html

I finally found some time over the weekend to sit down and perform some uninterrupted troubleshooting to determine the root cause of why the environment’s pass-through authentication worked for authenticating the user through the Web Interface portal but does not work when launching an application where it would display the following prompt:

image

… or while launching a XenDesktop VDI (with the help of the registry key to disable enforce auto logon):

image

What ended up being the issue after combing through the configuration as I referenced an older blog post I wrote:

Lessons learned with Citrix Web Interface 4.6 Pass-Through Authentication
http://terenceluk.blogspot.com/2012/01/lessons-learned-with-citrix-web.html

… was that the Active Directory GPO with the Citrix pass-through authentication only had the Computer Configuration portion configured:

image

… but not the User Configuration.  Once I got the User Configuration portion configured, pass-through authentication began functioning as it should:

image

Hope this helps anyone out there who may come across the same symptoms in their environment.