Exchange your Mind

"La connaissance ne vaut que si elle est partagée" / "An effective Knowledge is a shared one"

Exchange 2013 OWA Logging Issue is back ! : Owa the user or password you entered isn’t correct. Try entering it again.

Posted by Teruin laurent on September 18, 2014


Hi all, after executing CU5 on one Exchange 2013, one multirole Exchange 2013 server refuses all OWA connections.


I decided not to lose too much time searching. For 2 months we have encountered various instabilities with this service, so my script is ready: let's delete the main OWA virtual directory and recreate it.

Remove-OwaVirtualDirectory -Identity "SRVEXXX\owa (Default Web Site)"
New-OwaVirtualDirectory -WebSiteName "Default Web Site"
Set-OwaVirtualDirectory -Identity "SRVEXXX\owa (Default Web Site)" -AdfsAuthentication $false -BasicAuthentication $true -WindowsAuthentication $false -DigestAuthentication $false -FormsAuthentication $true -LogonFormat PrincipalName

And to finalize : IISRESET /noforce

And it works again!!

But if you decide to have a second OWA website for basic authentication, the SRVEXXX\owa (Default Web Site) will not work anymore.

I created a second website "ExchangeBasic" and tried to create a second OWA directory to allow basic authentication

New-OwaVirtualDirectory -WebSiteName "ExchangeBasic"
Set-OwaVirtualDirectory -Identity "SRVEXCXXX\owa (ExchangeBasic)" -ExternalAuthenticationMethods Basic -BasicAuthentication $true -WindowsAuthentication $false -DigestAuthentication $false -FormsAuthentication $false
iisreset

And now you cannot log on again to the SRVEXXX\owa (Default Web Site): the user name or password you entered isn't correct.

The solution is to delete both and recreate the first one.

 

 

 

 

 


 

Posted in Exchange 2013 Issues

Exchange 2013 : CU 5 installation error : Web Management Service asks for an unknown certificate [Solved]

Posted by Teruin laurent on September 11, 2014


 

Error:

The following error was generated when "$error.Clear();
$keyPath = "HKLM:\Software\Microsoft\WebManagement\Server";
if (!(Get-Item $keyPath -ErrorAction SilentlyContinue)) {New-Item $keyPath -Force}
Set-ItemProperty -path $keyPath -name "EnableRemoteManagement" -value 0x1 -Type DWORD -Force;
if (Get-Service WMSVC* | ?{$_.Name -eq 'WMSVC'}) {Set-Service WMSVC -StartupType Automatic
Stop-SetupService -ServiceName WMSVC ;Start-SetupService -ServiceName WMSVC}
" was run: "Microsoft.Exchange.Configuration.Tasks.ServiceDidNotReachStatusException: Service 'WMSVC' failed to reach status 'Running' on this server
 at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
 at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
 at Microsoft.Exchange.Management.Tasks.ManageSetupService.WaitForServiceStatus(ServiceController serviceController, ServiceControllerStatus status, Unlimited`1 maximumWaitTime, Boolean ignoreFailures, Boolean sendWatsonReportForHungService)
 at Microsoft.Exchange.Management.Tasks.ManageSetupService.StartService(ServiceController serviceController, Boolean ignoreServiceStartTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime, String[] serviceParameters)
 at Microsoft.Exchange.Management.Tasks.ManageSetupService.StartService(String serviceName, Boolean ignoreServiceStartTimeout, Boolean failIfServiceNotInstalled, Unlimited`1 maximumWaitTime, String[] serviceParameters)
 at Microsoft.Exchange.Management.Tasks.StartSetupService.InternalProcessRecord()
 at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
 at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

After searching, I discovered that the Web Management Service could not start

PS C:\Windows\system32> Get-Service WMSVC* | ?{$_.Name -eq 'WMSVC'}
Status   Name   DisplayName
------   ----   -----------
Stopped  WMSVC  Web Management Service

And the error is the following

Process:WMSvc

User=NT AUTHORITY\LOCAL SERVICE
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-IIS-IISManager" />
<EventID Qualifiers="0">1007</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<Data>IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE
Unable to read the certificate with thumbprint '31477a6e41f9ae4f8324154a3c9ac82b8feac1a8'. Please make sure the SSL certificate exists and that is correctly configured in the Management Service page.
Process:WMSvc
User=NT AUTHORITY\LOCAL SERVICE</Data>

I've checked all certificates on this server: no service is bound to this expected certificate with the thumbprint: 1477a6e41f9ae4f8324154a3c9ac82b8feac1a8

I added a certificate in the Management Service and the service started. The CU5 installer could continue. ;-)

 


Posted in EXCHANGE 2013
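The check that the WMSVC post above performs by hand, as an added example that is not part of the original post: it reads the thumbprint WMSVC is configured with and reports whether a matching certificate exists in the local machine store. The function name and the registry value name SslCertificateHash are assumptions of this example; the key path is the one shown in the setup error.

```powershell
# Added example (read-only): explain why WMSVC cannot start when event 1007
# (IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE) is logged.
function Get-WmsvcCertificateState {
    [CmdletBinding()]
    param(
        # Registry key shown in the setup error quoted in the post.
        [string]$KeyPath   = 'HKLM:\Software\Microsoft\WebManagement\Server',
        # Computer certificate store that is compared against the thumbprint.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $state = [ordered]@{
        ServiceStatus = 'NotInstalled'
        Thumbprint    = $null
        Subject       = $null
        NotAfter      = $null
        Finding       = $null
    }

    $svc = Get-Service -Name WMSVC -ErrorAction SilentlyContinue
    if ($svc) { $state.ServiceStatus = $svc.Status.ToString() }

    # Assumption: the thumbprint is kept as binary data in a value named
    # SslCertificateHash under the WebManagement\Server key.
    $cfg  = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $hash = $null
    if ($cfg -and $cfg.PSObject.Properties['SslCertificateHash']) {
        $hash = [byte[]]$cfg.SslCertificateHash
    }
    if ($null -eq $hash -or $hash.Length -eq 0) {
        $state.Finding = 'NoCertificateConfigured'
        return [pscustomobject]$state
    }

    # Event 1007 and the Cert: drive both show the hash as a hex string.
    $state.Thumbprint = [System.BitConverter]::ToString($hash) -replace '-', ''

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $state.Thumbprint } |
        Select-Object -First 1

    if (-not $cert) {
        # The situation in the post: WMSVC points at a certificate
        # that is no longer present on the server.
        $state.Finding = 'MissingFromStore'
    }
    else {
        $state.Subject  = $cert.Subject
        $state.NotAfter = $cert.NotAfter
        if (-not $cert.HasPrivateKey)          { $state.Finding = 'NoPrivateKey' }
        elseif ($cert.NotAfter -lt (Get-Date)) { $state.Finding = 'Expired' }
        else                                   { $state.Finding = 'Usable' }
    }
    return [pscustomobject]$state
}

Get-WmsvcCertificateState | Format-List
```

A Finding of MissingFromStore corresponds to the case in the post, which was resolved by selecting an existing certificate in the Management Service page.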

KEMP Load Balanced can not send email through Exchange 2013 [Solved]

Posted by Teruin laurent on September 5, 2014


Hi all

Today I have to cope with a little issue with my favorite HLB solution, Kemp. I want to set up email alerts on 2 virtual load balancers. To do this, I set the load balancer to send mail directly to the IP address of the Exchange server on port 25, as the picture displays.


But when I checked the log of the Kemp VM I found this: Error Processing MAIL CMD on smtp server. Status Code = 501


By inspecting the log of the receive connector I found this:

2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,3,10.100.20.11:25,10.100.20.15:32836,<,EHLO SrvHlb01,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,4,10.100.20.11:25,10.100.20.15:32836,>,250-serverexc01.xxxxxxxx.loc Hello [10.100.20.15],
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,5,10.100.20.11:25,10.100.20.15:32836,>,250-SIZE 37748736,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,6,10.100.20.11:25,10.100.20.15:32836,>,250-PIPELINING,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,7,10.100.20.11:25,10.100.20.15:32836,>,250-DSN,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,8,10.100.20.11:25,10.100.20.15:32836,>,250-ENHANCEDSTATUSCODES,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,9,10.100.20.11:25,10.100.20.15:32836,>,250-STARTTLS,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,10,10.100.20.11:25,10.100.20.15:32836,>,250-X-ANONYMOUSTLS,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,11,10.100.20.11:25,10.100.20.15:32836,>,250-AUTH NTLM,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,12,10.100.20.11:25,10.100.20.15:32836,>,250-X-EXPS GSSAPI NTLM,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,13,10.100.20.11:25,10.100.20.15:32836,>,250-8BITMIME,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,14,10.100.20.11:25,10.100.20.15:32836,>,250-BINARYMIME,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,15,10.100.20.11:25,10.100.20.15:32836,>,250-CHUNKING,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,16,10.100.20.11:25,10.100.20.15:32836,>,250 XRDST,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,17,10.100.20.11:25,10.100.20.15:32836,<,MAIL FROM:<INFO-Logger.SrvHlb01@[Unknown Domain]>,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,18,10.100.20.11:25,10.100.20.15:32836,*,Tarpit for '0.00:00:05',

The Kemp does not use a domain suffix, which by default is not allowed in Exchange 2013.

I tried adding the local domain in the SMTP configuration on the Kemp interface and it works correctly!

Regards Laurent


 

Posted in KEMP HLB
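Added example, not part of the original post: a PowerShell triage of receive-connector protocol log lines that reports sessions whose MAIL FROM has no dotted domain, which is what the excerpt in the Kemp post shows. The function name, the domain rule and the sample lines marked as constructed are assumptions of this example.

```powershell
# Added example: find SMTP sessions whose MAIL FROM domain is not a dotted
# domain name, the condition behind the 501 seen on the Kemp side.
$ReceiveLogFields = 'date-time','connector-id','session-id','sequence-number',
                    'local-endpoint','remote-endpoint','event','data','context'

# Session ...B1: lines 3, 17 and 18 come from the excerpt in the post (quotes
# normalised). Its 501 reply and the whole of session ...B2 are constructed.
$SampleLog = @'
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,3,10.100.20.11:25,10.100.20.15:32836,<,EHLO SrvHlb01,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,17,10.100.20.11:25,10.100.20.15:32836,<,MAIL FROM:<INFO-Logger.SrvHlb01@[Unknown Domain]>,
2014-09-05T09:14:04.394Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,18,10.100.20.11:25,10.100.20.15:32836,*,Tarpit for '0.00:00:05',
2014-09-05T09:14:09.400Z,serverexc01\Default Frontend serverexc01,08D196FF590038B1,19,10.100.20.11:25,10.100.20.15:32836,>,501 5.1.7 Invalid address,
2014-09-05T09:20:00.000Z,serverexc01\Default Frontend serverexc01,08D196FF590038B2,3,10.100.20.11:25,10.100.20.16:40000,<,EHLO SrvHlb02,
2014-09-05T09:20:00.010Z,serverexc01\Default Frontend serverexc01,08D196FF590038B2,17,10.100.20.11:25,10.100.20.16:40000,<,MAIL FROM:<alerts@example.loc>,
2014-09-05T09:20:00.020Z,serverexc01\Default Frontend serverexc01,08D196FF590038B2,18,10.100.20.11:25,10.100.20.16:40000,>,250 2.1.0 Sender OK,
'@ -split '\r?\n'

function Find-InvalidSenderSession {
    param([Parameter(Mandatory = $true)][string[]]$LogLine)

    # One DNS label, then "two or more labels joined by dots". This rule is
    # an assumption of the example, not Exchange's own validation logic.
    $label    = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?'
    $domainRx = '^(?:{0}\.)+{0}$' -f $label

    $rows = $LogLine |
        Where-Object { $_ -and $_ -notmatch '^#' } |   # skip blanks and '#' header lines
        ConvertFrom-Csv -Header $ReceiveLogFields

    foreach ($session in ($rows | Group-Object -Property 'session-id')) {
        $mailFrom = $null; $reply = $null; $tarpit = $false
        $ordered  = $session.Group | Sort-Object { [int]$_.'sequence-number' }

        foreach ($row in $ordered) {
            # '<' = sent by the client, '>' = sent by the server, '*' = informational
            if ($row.event -eq '<' -and $row.data -match '^MAIL FROM:<(?<addr>[^>]*)>') {
                $mailFrom = $Matches['addr']
            }
            elseif ($null -ne $mailFrom -and $row.event -eq '*' -and $row.data -like 'Tarpit*') {
                $tarpit = $true
            }
            elseif ($null -ne $mailFrom -and -not $reply -and
                    $row.event -eq '>' -and $row.data -match '^5\d\d[ -]') {
                $reply = $row.data
            }
        }

        # No MAIL FROM at all, or the null sender "<>" used for bounces.
        if ([string]::IsNullOrEmpty($mailFrom)) { continue }

        $domain = ''
        if ($mailFrom -match '@(?<dom>[^@]*)$') { $domain = $Matches['dom'] }

        if ($domain -notmatch $domainRx) {
            [pscustomobject]@{
                SessionId = $session.Name
                Client    = ($ordered | Select-Object -First 1).'remote-endpoint'
                MailFrom  = $mailFrom
                Tarpitted = $tarpit
                Reply     = $reply
            }
        }
    }
}

Find-InvalidSenderSession -LogLine $SampleLog | Format-Table -AutoSize
```

For a real log, pass the lines read with Get-Content from the receive-connector protocol log instead of $SampleLog.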

Lync 2013 Edge : The Buffer supplied to a function was too small [solved]

Posted by Teruin laurent on September 4, 2014


Hi all

Today I had to cope with a strange behavior on an Edge server when assigning a public certificate from Comodo


By inspecting the log I found this


The certificate is correctly imported in the computer certificate container, has a private key, and the certification path is correct.


By using the following Certutil.exe command I got this result

 

C:\Users\Adm-teruin>Certutil.exe -v -store my "4bf5f126f5011c9dad6b737439f4e0b4"
my "Personal"
================ Certificate 2 ================
X509 Certificate:
Version: 3
Serial Number: 4bf5f126f5011c9dad6b737439f4e0b4
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Issuer:
CN=COMODO High-Assurance Secure Server CA
O=COMODO CA Limited
L=Salford
S=Greater Manchester
C=GB
Name Hash(sha1): fde74a84a2cc6dd61ec4743bfbbf8abe4a38a458
Name Hash(md5): 193edeb04bee0820e2bde6b731cfe1be

NotBefore: 6/11/2014 2:00 AM
NotAfter: 6/12/2015 1:59 AM
Subject:
CN=access01.XXX.BBB
OU=0002 790043954
O=XXXX
Name Hash(sha1): 0b9997d9949687Fe9440f77789a8f1d87a494365eaa
Name Hash(md5): c9052776583d9038fb42d079e1999777d9e846857
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00

 

To solve this issue

  1. Export the certificate in PFX format from the Edge server
  2. Import it into Firefox (my machine was Windows 8.1)
  3. Export it from Firefox in P12 format
  4. On the Edge, remove the assignment of the concerned certificate
  5. Remove the certificate from the certificate store on the Edge server
  6. Import the newly formatted certificate in P12 format
  7. Assign it to the Edge

It should work

 

Posted in 2- LYNC-2013, Lync 2013 -Edge

Lync 2013 Citrix VDI HDX Engine crash after May 2014 Lync Update

Posted by Teruin laurent on September 1, 2014


Hi all, for your information, this post describes an update on our attempt to deliver a stable Lync 2013 Citrix VDI environment to our users on XenDesktop 7.5.

A complete history can be found here: http://unifiedit.wordpress.com/category/2-lync-2013/lync-2013-vdi/

For a while, we have been trying to stabilize the Citrix VDI environment with Lync 2013 on XenDesktop 7.5. The last issue before delivering this solution to our pilot users was to fix the Ctrl Alt Tab issue (for more information see this article: http://unifiedit.wordpress.com/2014/03/07/lync-2013-vdi-citrix-alt-tab-issue-is-back/). For this, a Microsoft case was opened, and the last action was to update the Lync 2013 client with a May 2014 patch (http://support.microsoft.com/kb/2880980), as the following picture displays.

Figure 1 : Component on the Physical Box


After applying the update, we can observe that the Ctrl Tab issue is no longer present, but when the user closes the session the Ucvdi.dll of the HDX Engine crashes.

Figure 2 : Hdx crash when user exit from the session

Regards

Laurent Teruin


 

Posted in 2- LYNC-2013, Lync 2013 - Vdi Citrix

Exchange 2013 UM : An error occurred while accessing the user's mailbox. Details: Client found response content type of 'text/html; charset=utf-8', but expected 'text/xml'.

Posted by David ANDRE on August 8, 2014


Hello,  

I'm currently experiencing an issue with Exchange 2013 UM. I can't access UM user information or activate a new Exchange user for UM.

Here’s the Exchange topology:
We’re currently migrating Exchange 2010 to 2013.

Exchange 2013 Details:

- 2 Exchange 2013 FRONT-END
- 2 Exchange 2013 BACK-END
- All are virtual machines under Hyper-V 3
- OS Windows Server 2012 (no R2)
- Exchange 2013 SP1 (CU4)

My problem is mainly with the UM part. As a reminder, under Exchange 2013, UM is present on both the FRONTEND (for the routing part UM: UMCallRouter) but also on the BACKEND (UM services).

UMCallRouter services and UMServices are active, respectively on the active FE and BE. Services are running as I have assigned the Exchange 2010 UM DialPlans to the 2013 services: so the service is fully functional on that end.

The problem is when I want to access information from a UM user via the ECP (Exchange Control Panel) I get the following error: 

Unified Messaging cannot validate or generate a PIN for UM mailbox 'Exakis@domain.com': An error occurred while accessing the user's mailbox.
Details: Client found response content type of 'text/html; charset=utf-8', but expected 'text/xml'.

Here is the Error returned by the ECP:


From what I understand, Exchange 2013 relies on the WebServices (EWS) of the back-end for managing security PINs.

We also have several events that I think are related to this problem in the event viewer of the active back-ends:

- ASP.NET 4.0.30319.0, ID: 1309
- MSExchange Common, ID: 4999
- MSExchange Web Services, ID: 29



 

So, I'm still searching for a solution… :(

 

David ANDRE

Posted in Exchange 2013 Issues

Exchange 2013 : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network

Posted by Teruin laurent on August 7, 2014


Hi all, this morning I had to cope with an error message in the Exchange 2013 PowerShell.

VERBOSE: Connecting to AAABBBCCCS01.xx.bb.loc.
New-PSSession : [AAABBBCCCS01.xx.bb.loc] Connecting to remote server AAABBBCCCS01.xx.bb.loc failed with the
following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that
the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows
access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote
computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.Manageme….RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : WinRMOperationTimeout,PSSessionOpenFailed

The weird thing is that I’ve got 4 new other exchange servers installed with the same sources running on the same OS (Windows 2012 R2, exchange SP1) on vm made with the same template, on the same subnet without any issue.

After verification, I can ping all servers, the connection to the local domain controller is OK, and on all Exchange servers the firewall is off for all connections: public, domain and private.

Log Name: Application
Source: MSExchange ADAccess
Date: 8/7/2014 9:03:30 AM
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: AAABBBCCCS01.xx.bb.loc
Description:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=2472). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
AAABBB001.bb.loc        CDG 1 7 7 1 0 1 1 7 1
AAABBBPDC005.bb.loc        CDG 1 7 7 1 0 1 1 7 1
AAABBB002.ad.local        CDG 1 7 7 1 0 1 1 7 1
AAABBBPDC006.bb.loc        CDG 1 7 7 1 0 1 1 7 1
AAABBBPDC007.xx.bb.loc        CDG 1 7 7 1 0 1 1 7 1
AAABBBPDC008.xx.bb.loc        CDG 1 7 7 1 0 1 1 7 1
AAABBB003.xx.bb.loc        CDG 1 7 7 1 0 0 1 7 1
AAABBBPDC009.xx.bb.loc        CDG 1 7 7 1 0 1 1 7 1
AAABBB004.xx.bb.loc        CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
XXXrtd001-dc.xx.bb.loc        CDG 1 7 7 1 0 0 1 7 1
XXXMOS002.xx.bb.loc        CDG 1 7 7 1 0 1 1 7 1
XXXmos001.xx.bb.loc        CDG 1 7 7 1 0 1 1 7 1

 

On another Exchange Server where I don’t have the issue the value of this event is correct. So the problem should not be linked to a GC Access.

 

After verification, WinRM seems to work well:

C:\Users\TERUIL-EXT>WinRM QuickConfig
WinRM service is already running on this machine.
WinRM is already set up for remote management on this computer.

After looking at the system log I found multiple events like this

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 8/6/2014 8:31:46 PM
Event ID: 7
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: AAABBBCCCS01.xx.bb.loc
Description:
The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client AAABBBCCCS01$ in realm XX.BB.LOC could not be validated.

 

The documentation to this event is here : http://technet.microsoft.com/en-us/library/dd348751(v=ws.10).aspx

 

I restarted the computer; this event is no longer present, but I still have the issue. But I discovered this event:

Log Name: System
Source: Microsoft-Windows-WinRM
Date: 8/7/2014 10:01:58 AM
Event ID: 10149
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: AAABBBCCCS01.xx.bb.loc
Description:
The WinRM service is not listening for WS-Management requests.

User Action
If you did not intentionally stop the service, use the following command to see the WinRM configuration:

 
 

After verification, the Windows Remote Management (WinRM) service was running. I tried a stop and a start, just in case…

I checked the winrm enumerate and the result was successful

C:\Windows\system32>winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.101.30.5, 127.0.0.1, ::1

C:\Windows\system32>ipconfig

Windows IP Configuration

Ethernet adapter PreProduction:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.101.30.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.101.30.254

Tunnel adapter isatap.{B10CE70A-20F2-4904-9576-15EE459CB728}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

On the server where I don’t have this issue the result is this one

 

C:\Windows\system32>winrm enumerate winrm/config/listener
Listener
Address = *
Transport = HTTP
Port = 5985
Hostname
Enabled = true
URLPrefix = wsman
CertificateThumbprint
ListeningOn = 10.101.30.6, 127.0.0.1, ::1

From the server that has the issue, I tried to telnet this port, just in case of a firewall issue, and it works!

telnet AAABBBCCCS02.xx.bb.loc 5985

I tried the inverse: from the server without any issue, I tried to telnet the server that has this issue

telnet AAABBBCCCS01.xx.bb.loc 5985

and it works too. So the problem should not be linked to any firewall issue.

IP config of the bad server

[PS] C:\Windows\system32>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : AAABBBCCCS01
Primary Dns Suffix . . . . . . . : xx.bb.loc
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xx.bb.loc
bb.loc
ll
Ethernet adapter PreProduction:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-89-62-C7
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.101.30.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.101.30.254
DNS Servers . . . . . . . . . . . : 10.101.0.186
10.101.0.187
10.101.0.129
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{B10CE70A-20F2-4904-9576-15EE459CB728}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

 

Ip config of a good server

[PS] C:\Windows\system32>ipconfig /all

Windows IP Configuration
Host Name . . . . . . . . . . . . : AAABBBCCCS04
Primary Dns Suffix . . . . . . . : xx.bb.loc
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xx.bb.loc
bb.loc
ecoval.local

Ethernet adapter Production:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-89-03-B2
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.101.30.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.101.30.250
DNS Servers . . . . . . . . . . . : 10.101.0.42
10.101.0.43
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{AC13A358-1780-4CCB-AB59-B19AE7C3CEF4}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

 

After checking the GPO on both servers, all have the same GPO group membership :(

 

From the server without issue I’ve got this
[PS] C:\Windows\system32>Test-WSMan -ComputerName AAABBBCCCS02

wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0

[PS] C:\Windows\system32>Test-WSMan -ComputerName AAABBBCCCS01
wsmid : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
ProductVendor : Microsoft Corporation
ProductVersion : OS: 0.0.0 SP: 0.0 Stack: 3.0

From the server with the connection issue I've got this

PS C:\Windows\system32> Test-WSMan -ComputerName AAABBBCCCS02
Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="AAABBBCCCS01.xx.bb.loc"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>

PS C:\Windows\system32> Test-WSMan -ComputerName AAABBBCCCS01
Test-WSMan : <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859046" Machine="AAABBBCCCS01.xx.bb.loc"><f:Message>WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. </f:Message></f:WSManFault>

I try this on the failed computer

PS C:\Windows\system32> Enable-PSRemoting
winRM Quick Configuration running command "Set-WSManQuickConfig" to enable remote management of this computer by using the Windows Remote management (WinRM) service.

This includes:
1. Starting or restarting (if already started) the WinRM service
2. Setting the WinRM service startup type to Automatic
3. Creating a listener to accept requests on any IP address
4. Enabling Windows Firewall inbound rule exceptions for WS-Management traffic (for http only).

Do you want to continue?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
winRM is already set up to receive requests on this computer.
winRM is already set up for remote management on this computer.

Uninstalling Exchange server….. Reboot and reinstall exchange server reboot…… and …. Same issue!

By examining IIS, I noticed this configuration difference: the wrong server has a SITE_2 stopped.


When I want to delete it


Bindings for the default website are the same: on the left the wrong server, on the right a functional server


Binding for the Backend website are the same……


Finally I found a way to delete this second site, but I've still got the issue on server 01

As I said, the firewall is off but the service is running. Try to stop the service and try to connect with Exchange Management Shell


Downloading wireshark pfouuuuuu…..

In the dialog I can see a kerberos error


Let's see in the event viewer on the server if we can find some relevant information.

Changing the Kerberos Log Level on the Server and reboot (http://support.microsoft.com/kb/262177)


And .. just after a simple reboot . Whaou !!


Let's see what is inside

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 8/8/2014 9:18:38 AM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: AAABBBCCCS01.xx.yyy.loc
Description:
A Kerberos error message was received:
on logon session xx.yyy.loc\AAABBBCCCS01$
Client Time:
Server Time: 7:18:39.0000 8/8/2014 Z
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Extended Error:
Client Realm:
Client Name:
Server Realm: xx.yyy.loc
Server Name: krbtgt/xx.yyy.loc
Target Name: krbtgt/xx.yyy.loc@xx.yyy.loc
Error Text:

Let's see if I have the same behavior with another functional server. And I can observe that I have the same event, but the EMS works


I found a very interesting article about Kerberos error and especially KDC_ERR_PREAUTH_REQUIRED Issue last Night. http://blogs.technet.com/b/makeiteasy/archive/2013/01/14/kdc-err-preauth-required-vs-kdc-err-preauth-failed.aspx

I will forget the Kerberos Track because I can see any KDC_ERR_PREAUTH_FAILED in the Wireshark dialog or in the event log.. The issue should be more linked to Winrm EMS.

 

I get back to Windows remote Management and I observe this


 

 

 

 

 

Posted in Exchange 2013 Issues

LYNC 2013 – Cumulative Update 5 is available!

Posted by David ANDRE on August 6, 2014


Hello,

Microsoft has just released Cumulative Update 5 (August 2014) for Lync Server 2013. As a reminder, the previous CU was the January 2014 one (CU4).

More information here: http://support.microsoft.com/kb/2809243

Available for download at the following address: http://www.microsoft.com/en-us/download/details.aspx?id=36820

As a reminder, a CU must be applied with care. Installing it first in a test/pre-production environment is preferable. We are never safe from a version 2 of this CU.

Here is an overview of the fixes and improvements brought by this CU:

Update for Windows Fabric August 2014

  • 2967486 August 2014 Cumulative Update 5.0.8308.733 for Lync Server 2013

Update for Standard or Enterprise Edition server (Front End Servers and Edge Servers) August 2014

  • 2937310 August 2014 Cumulative Update 5.0.8308.733 for Lync Server 2013 (Front End Server and Edge Server)
    • 2976568 Address book delta files are not generated in a Lync Server 2013 Enterprise Edition environment
    • 2967626 Error "creating procedure RtcResetAbAttributes" when you run "Install-CsDatabase" for rtcab database in Lync Server 2013
    • 2967629 Significant bandwidth usage increase by SIP traffic in a Lync Server 2013 environment
    • 2967630 Callee receives a missed call notification after answering a call on an IP telephone in a Lync Server 2013 environment
    • 2979931 Error « I can’t find the meeting with that number » when PSTN user dials in to conference in Lync Server 2013 environment

Update for Unified Communications Managed API 4.0, Core Runtime 64-bit August 2014

  • 2937311 August 2014 Cumulative Update 5.0.8308.733 for Lync Server 2013, Unified Communications Managed API 4.0 Runtime
    • Improves the reliability, stability, and performance of Microsoft Lync Server 2013, Unified Communications Managed API 4.0 Runtime

Update for Web Components server August 2014

  • 2937297 August 2014 Cumulative Update 5.0.8308.733 for Lync Server 2013, web components servers
    • 2978444 Update for Lync Server 2013 to disable Lync Web App users’ ability to upload and show PPT in online meetings
    • 2976906 Incorrect time zone is displayed when you create a meeting by using Web Scheduler in a Lync Server 2013 environment
    • 2967623 Error « This content cannot be displayed » or blank webpage when you click a dial-in URL in a Lync Server 2013 environment
    • 2967624 HD video stutters in a Lync Server 2013 based video conference in Lync 2013
    • 2967628 Telephone numbers are missing in a contact card in a Lync Server 2013-based Lync mobile client 

Update for Core Components August 2014

  • 2937305 August 2014 Cumulative Update 5.0.8308.733 for Lync Server 2013, core components
    • 2967621 Error 404 when Lync phones sign in to Lync Server 2013 front-end servers during SBS failure recovery
    • 2967631 Error ""DistributionGroupAddress" and "AgentsByUri" must be set." when you migrate the RG service to Lync Server 2013

Update for Administrative Tools August 2014

  • 2967486 August 2014 Cumulative Update 5.0.8308.733 for Lync Server 2013, Administrative Tools
    • 2983199 "Limited functionality is available due to outage" in Lync client when Lync Server 2013 replication queue is full

Update for Web Conferencing server August 2014

  • 2937314 August 2014 Cumulative Update 5.0.8308.733 for Lync Server 2013, Web Conferencing Server
    • Improves the reliability, stability, and performance of Microsoft Lync Server 2013, Web Conferencing Server

Have Fun !

David ANDRE

Posted in Lync 2013 Mise à Jour

IPDirection: a serious offering for Lync 2013!

Posted by Teruin laurent on August 5, 2014


Hello

A short post to give a little publicity to our friends at IPdirection, with whom we have worked. Having carried out several projects with them, all of which ended in real successes, and for your information, Ipdirection is a dynamic and innovative company, professional, fast, in a word: efficient. Today it offers several services around Lync which I think deserve your attention.

Here are a few of them; to find out more: http://www.voice365.fr/

Regards
Laurent Teruin

Posted in Lync 2013 - Solutions Tierces

Exchange 2013 SP1 : Unable to connect with PS and ECP on a fresh Exchange installation [SOLVED]

Posted by Teruin laurent on July 21, 2014


Version : Exchange 2013 SP1
Platform : 2012 Std R2 Us
Language : US


Hi, we just installed a fresh copy of Exchange 2013 SP1 without any issue or warning. But we can't connect to Exchange with ECP and PowerShell

We got this : EBSMEYDEVA06.d1.ad.local


The endpointconfiguration with the http://schemas.microsoft.com/powershell/Microsoft.exchange identifier is not in a valid initial session state on the remote computer

After checking the exchange setup log we found this

Start installing ASP.NET (4.0.30319.33440) without changing existing web applications to use this version of ASP.Net.This option is not supported on this version of the operating system. Administrators should instead install/uninstall ASP.NET 4.5 with IIS8 using the « Turn Windows Features On/Off » dialog, the Server Manager management tool, or the dism.exe command line tool. For more details please see http://go.microsoft.com/fwlink/?LinkID=216771.Finished installing ASP.NET (4.0.30319.33440) without changing existing web applications to use this version of ASP.Net.

The worst part is that no warning appears during the installation process. We decided to uninstall Exchange 2013 and follow http://go.microsoft.com/fwlink/?LinkID=216771

Our error? We just went to TechNet and copied and pasted the following cmdlet:

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Set automatic start mode for the following services (they were disabled in the customer's Windows 2012 R2 master):

Computer Browser
Internet Connection Sharing
Offline Files
Routing and Remote Access
Smart Card
SSDP Discovery
UPnP Device Host
WinMgmt

We added ASP.NET 3.5 as the article http://go.microsoft.com/fwlink/?LinkID=216771 specifies, then rebooted the server and tried to install Exchange 2013 SP1 again.

After one hour … we edited the setup log and found this again: not particularly encouraging! We waited for the end of the setup process.

[07/21/2014 14:28:13.0482] [2] Active Directory session settings for ‘Start-SetupProcess’ are: View Entire Forest: ‘True’, Configuration Domain Controller: ‘EBSMEY003.d1.xxx.xxx, Preferred Global Catalog: ‘EBSMEYXXX.d1.xxx.XXX, Preferred Domain Controllers: ‘{ EBSMEYXXX.d1.xx.XXX }’
[07/21/2014 14:28:13.0482] [2] User specified parameters: -Name:’C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe’ -Args:’-ir -enable’
[07/21/2014 14:28:13.0482] [2] Beginning processing Start-SetupProcess
[07/21/2014 14:28:13.0498] [2] Starting: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe with arguments: -ir -enable
[07/21/2014 14:28:13.0638] [2] Process standard output: Microsoft (R) ASP.NET RegIIS version 4.0.30319.33440
Administration utility to install and uninstall ASP.NET on the local machine.
Copyright (C) Microsoft Corporation. All rights reserved.
Start installing ASP.NET (4.0.30319.33440) without changing existing web applications to use this version of ASP.Net.
This option is not supported on this version of the operating system. Administrators should instead install/uninstall ASP.NET 4.5 with IIS8 using the "Turn Windows Features On/Off" dialog, the Server Manager management tool, or the dism.exe command line tool. For more details please see http://go.microsoft.com/fwlink/?LinkID=216771.
Finished installing ASP.NET (4.0.30319.33440) without changing existing web applications to use this version of ASP.Net.
[07/21/2014 14:28:13.0638] [2] Process standard error:
[07/21/2014 14:28:13.0638] [2] Ending processing Start-SetupProcess

After rebooting we tried to log on to ECP and, after waiting, we got this:

Server Error in ‘/ecp’ Application.

Request timed out.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Request timed out.
Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpException (0x80004005): Request timed out.]

 

I searched the event log and found this:

Log Name: Application
Source: MSExchange ADAccess
Date: 7/21/2014 7:56:45 PM
Event ID: 4027
Task Category: General
Level: Error
Keywords: Classic
User: N/A
Computer: EBSMEYDEVA06.d1.xx.xxxx
Description: Process w3wp.exe (RemotePS) (PID=8508). WCF request (GetServerFromDomainDN DC=xx,DC=xxx,DC=xxx) to the Microsoft Exchange Active Directory Topology service on server (TopologyClientTcpEndpoint (localhost)) failed. Make sure that the service is running. In addition, make sure that the network ports that are used by Microsoft Exchange Active Directory Topology service are not blocked by a firewall. The WCF call was retried 3 time(s). Error Details

System.TimeoutException: This request operation sent to net.tcp://localhost:890/Microsoft.Exchange.Directory.TopologyService did not receive a reply within the configured timeout (00:02:00). The time allotted to this operation may have been a portion of a longer timeout. This may be because the service is still processing the operation or because the service was unable to send a reply message. Please consider increasing the operation timeout (by casting the channel/proxy to IContextChannel and setting the OperationTimeout property) and ensure that the service is able to connect to the client.

After verifying: the Exchange server has access to a DC, net view is working, and DSA.MSC is working well from the Exchange server.

We also checked the site and service configuration and the site is correctly declared with the correct subnet.

State of Exchange Service


JULY 22 2014

We stopped the Windows Firewall but the issue is the same.

We discovered that the MSExchange AD service correctly discovers the domain controllers in the site:

Log Name: Application
Source: MSExchange ADAccess
Date: 7/22/2014 3:06:53 PM
Event ID: 2080
Task Category: Topology
Level: Information
Keywords: Classic
User: N/A
Computer: XSBMEYDEVA06.xx.xx.xxx
Description:
Process Microsoft.Exchange.Directory.TopologyService.exe (PID=2188). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)

In-site:
XSBMEY001.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEYPDC005.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEY002.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEYPDC006.xx.xxxx    CDG 1 7 7 1 0 1 1 7 1
XSBMEYPDC007.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEYPDC008.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEY003.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEYPDC009.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1
XSBMEY004.d1.xx.xxxx    CDG 1 7 7 1 0 0 1 7 1

Below is some explanation of the columns.

  • Server name: The first column indicates the name of the domain controller that the rest of the data in the row corresponds to.
  • Roles: The second column shows whether or not the particular server can be used as a configuration domain controller (column value C), a domain controller (column value D), or a global catalog server (column value G) for this particular Exchange server. A letter in this column means that the server can be used for the designated function, and a hyphen (-) means that the server cannot be used for that function. In the example that is described earlier in this article, the Roles column contains the value CDG to show that the service can use the server for all three functions.
  • Reachability: The third column shows whether the server is reachable by a Transmission Control Protocol (TCP) connection. These bit flags are connected by an OR value. 0x1 means the server is reachable as a global catalog server (port 3268), 0x2 means the server is reachable as a domain controller (port 389), and 0x4 means the server is reachable as a configuration domain controller (port 389). In other words, if a server is reachable as a global catalog server and as a domain controller but not as a configuration domain controller, the value is 3. In the example that is described earlier in this article, the value 7 in the third column means that the server is reachable as a global catalog server, as a domain controller, and as a configuration domain controller (0x1 | 0x2 | 0x4 = 0x7).
  • Synchronized: The fourth column shows whether the "isSynchronized" flag on the rootDSE of the domain controller is set to TRUE. These values use the same bit flags connected by an OR value as the flags that are used in the Reachability column.
  • GC capable: The fifth column is a Boolean expression that states whether the domain controller is a global catalog server.
  • PDC: The sixth column is a Boolean expression that states whether the domain controller is a primary domain controller for its domain.
  • SACL right: The seventh column is a Boolean expression that states whether DSAccess has the correct permissions to read the SACL (part of nTSecurityDescriptor) against that directory service.
  • Critical Data: The eighth column is a Boolean expression that states whether DSAccess found this Exchange server in the configuration container of the domain controller listed in Server name column.
  • Netlogon Check: The ninth column (added in Exchange 2000 SP3) states whether DSAccess successfully connected to a domain controller’s Net Logon service. This requires the use of Remote Procedure Call (RPC), and this call may fail for reasons other than a server that is down. For example, firewalls may block this call. So, if there is a 7 in the ninth column, it means that the Net Logon service check was successful for each role (domain controller, configuration domain controller, and global catalog).
  • OS Version: The tenth column (added in Exchange 2003) states whether the operating system of the listed domain controller is running at least Microsoft Windows 2000 Service Pack 3 (SP3). Exchange 2003 only uses domain controllers or global catalog servers that are running Windows 2000 SP3 or later. A Boolean expression of 1 means the domain controller satisfied the operating system requirements of Exchange 2003 for use by DSAccess.

It appears that none of the DCs in the domain where Exchange 2013 is running has the value 1 for SACL right.
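The column decoding described above and the SACL right check, as an added PowerShell example that is not part of the original post. Column positions follow the header line in the event text (which has an Enabled column after Roles), not the ordinal numbering in the explanation; the function names and the sample host names are constructed for illustration.

```powershell
# Constructed sample in the layout of the Event ID 2080 description above.
# Live text (log name, source and ID taken from the event shown on this page):
#   (Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange ADAccess'; Id=2080} -MaxEvents 1).Message
$message = @'
(Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC001.example.test    CDG 1 7 7 1 0 1 1 7 1
DC002.d1.example.test    CDG 1 7 7 1 0 0 1 7 1
DC003.d1.example.test    CD- 1 6 6 0 0 0 1 7 1
'@

function ConvertTo-RoleList([int]$Flags) {
    # Bit flags from the explanation above: 0x1 = GC, 0x2 = DC, 0x4 = config DC.
    $names = @()
    if ($Flags -band 0x1) { $names += 'GC' }
    if ($Flags -band 0x2) { $names += 'DC' }
    if ($Flags -band 0x4) { $names += 'ConfigDC' }
    if ($names.Count -eq 0) { 'none' } else { $names -join ',' }
}

function ConvertFrom-Event2080 {
    param([Parameter(Mandatory)][string]$Message)
    # One row: server name, 3-character Roles field, then nine integers.
    $rowPattern = '^\s*(?<Server>\S+)\s+(?<Roles>[CDG-]{3})\s+(?<Values>\d+(?:\s+\d+){8})\s*$'
    foreach ($line in ($Message -split '\r?\n')) {
        if ($line -match $rowPattern) {          # header and free text do not match
            $server = $Matches['Server']; $roles = $Matches['Roles']
            $v = @($Matches['Values'] -split '\s+' | ForEach-Object { [int]$_ })
            [pscustomobject]@{
                Server       = $server
                Roles        = $roles
                Enabled      = [bool]$v[0]
                Reachability = ConvertTo-RoleList $v[1]
                Synchronized = ConvertTo-RoleList $v[2]
                GCCapable    = [bool]$v[3]
                PDC          = [bool]$v[4]
                SaclRight    = [bool]$v[5]
                CriticalData = [bool]$v[6]
                Netlogon     = ConvertTo-RoleList $v[7]
                OSVersion    = [bool]$v[8]
            }
        }
    }
}

$dcs = ConvertFrom-Event2080 -Message $message
$dcs | Format-Table Server, Roles, Reachability, SaclRight, Netlogon -AutoSize
# Domain controllers on which the SACL right check failed (column value 0)
$dcs | Where-Object { -not $_.SaclRight } | Select-Object -ExpandProperty Server
```

With the constructed sample, the last line lists the two `d1` hosts, which is the pattern seen in the event above: every other column is healthy and only SACL right is 0.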

We just discovered that a legacy domain controller GPO was responsible for this situation. After removing this GPO and restarting the MS Exchange AD service, the issue was solved.


 

Posted in Exchange 2013 Issues | Leave a Comment »
