Lantranet [dot] com

This Blog is a non profit, private site with technical stuff on it, partially based on the the Knowledge Base of Microsoft Technet and preperation materials of the according exams.

Goals of this site:

…having quick access to often used properties and configurations (like a cheat-sheet) of Server 2008, Exchange 2007 and other stuff arround the server-client landscape.

To view this side optimally, the following requirements must be fulfilled:

– Screen Resolution min. 1024×768
– JavaScript must be enabled (get it here => java.com)
– actual version of Adobe Flashplayer (get it here => adobe.com)

• Make sure Outlook is not running.
• Press Windows-R.
• Type „%localappdata%\Microsoft\Outlook“ (Using Windows 2000 or XP, use „%appdata%\Microsoft\Outlook“ instead.)
• highlight the extend.dat file
• delete it

basierend auf Microsoft Technet: http://support.microsoft.com/kb/325349/en-us

sc \\dc2003 start spooler
sc \\dc2003 stop spooler
sc \\dc2003 query spooler

ACL Status eines Dienstes anzeigen lassen:

subinacl /service \\dc2003\spooler /display

Allow the user „sscpl1“ Full Access to the „Printer Spooler“ service (use its short name: „Spooler“)

subinacl /verbose=1 /service spooler /grant=sscpl1=F

Version 5.xx required

benötigt das W2k3 Ressource Kit Tool SUBINACL: http://download.microsoft.com/download/1/7/d/17d82b72-bc6a-4dc8-bfaa-98b37b22b367/subinacl.msi

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

andere Beispiele mit SUBINACL aus Foren:
http://www.robvanderwoude.com/subinacl.php

Yes, it is possible to establish a OpenVPN Connection for users / User Accounts without Administrative Privileges….

1.) You need one of the following programs for each CLient: SETACL or SubinACL
2.) Set ACLs for  OpenVPN-Service, so that Users can start/stop the service: 

3.) You also have to add the specific user to the „Networkconfiguration Operator“ Group in order to allow an unprivileged  user the rights to set the routes

Show Access Rights: 

Set ACLs for  OpenVPN-Service, so that Users can start/stop the service: 

start service via CMD: 

stop service via CMD: 

If you want to start your favorite VPN Connection automatically, you’ve to change this in the registry:
HKLM\SOFTWARE/Microsoft\Windows\CurrentVersion\Run den openvpn-gui

Then you’ll be prompted for your credentials at logon  (z.B. for Base1).

If you do a certificate request /renew at IIS7, following error pops up:

Complete Certification Request
There was an error while performing this operation

Microsoft KB Article Statement to the known issue:
Note: There is a known issue in IIS 7 giving the following error: „Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created.“ You may also receive a message stating „ASN1 bad tag value met“. If this is the same server that you generated the CSR on then, in most cases, the certificate is actually installed. Simply cancel the dialog and press „F5“ to refresh the list of server certificates. If the new certificate is now in the list, you can continue with the next step. If it is not in the list, you will need to reissue your certificate using a new CSR.

After creating a new CSR, login to your account where you have ordered your Certificate and click the re-key button for your certificate. => haha

==> at this point, you have no chance to export the private key of the certificate, cause the option is greyed-out in the mmc console, and otherwise you also have no chance via IIS Console 🙂

==> without certificate’s private key, it is also not possible to renew the e.g. wildcard certificate at TMG/ISA

Nun, wenn nur noch wenig Zeit übrig bleibt, weil das alte Zertifikat in Kürze bereits am Ablaufen ist, dann will man die eventuell auftretende Wartezeit nicht riskieren…selbst ist der Mann/ die Frau….und wir fixen die „broken private Key Zuordnung zwischen dem RSA Cryptographic Provider Container und dem damals erstellten CSR Request“:

If there is not so much time left for requesting a new certificate, and the old certificate is valid only few days, we won’t risk this time period.
The problem is the „broken private key assignment between the RSA Crytographic Provider Container and the formerly created CSR Request.
We fix this problem self:

1.) we open the imported certificate from the certification mmc => local computer \ private  Certification Store and copy the Serialnumber (e.g.: 00ff1d744647ad0709f4c13fd9c999ffc2)
2.) we open a CMD with administrative privileges and do a: Certutil –repairstore my 00ff1d744647ad0709f4c13fd9c999ffc2
3.) he will list up some detail infos from the certificate….and if the formerly command was successfully, he will brong back something like:

Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully

4.) we switch back to the cert-mmc and é voila, the key symbol appears at the certificate
( the private key assignement is repaired successfully, and we have our cert with the right assigned private key back
5.) Now you can export the certificate in a normal order and complete the open CSR request.

If you hang up at step 3.) then you’re knocked out, and theres’s no possible other step than re-key your certificate or simply do  a new CSR Request.

Error @ opening all microsoft management console based admin tools:

mmc could not create the snap-in. CLSID: FX:{18ea3f92-d6aa-41d9-a205-2023400c8fbb} error

http://social.msdn.microsoft.com/Forums/en-US/winserver2008appcompatabilityandcertification/thread/eb317c2f-ebf1-42fe-8fcc-a61a1246f5d9

Solution:
Copy the „good“ <machine.config> file from a server with same architecture (x86 or x64) from path:

c:\WINDOWS\Microsoft.Net\Framework\v2.0.50727

over your broken <machine.config> file.

Hier gibt es mal ein paar, für mich nützliche, Powershell-Befehle, die einige Verschachtelungen bieten und in der GUI nicht abgefragt werden können

Automapping für deaktivieren (ab 2010 SP2)
Get-Recipient | ?{$_.recipientTypeDetails -like „RoomMailbox“} | Add-MailboxPermission -User USER -AccessRights FullAccess -AutoMapping $true

TrackingLog per Powershell durchsuchen – Probleme bei der Erweiterung eines Verteilers finden
Get-MessageTrackingLog -EventID „Expand“ -ResultSize Unlimited -Start „20.12.2011 12:00:00“ | where {$_.RecipientStatus -eq „250 2.1.5 RESOLVER.GRP.Expanded; distribution list expanded“ -and $_.RecipientCount -eq „0“}|ft Time*,Sender,Relat*,messagesubject

Anzeigen aller User, die OWA nutzen:
Get-Mailbox| where-object {$_.ProtocolSettings -like „*owa§1*“}|sort-object alias

Anzeigen aller User, die ActiveSync nutzen:
Get-CASMailbox | where-object {$_.ActiveSyncEnabled -like „True“}|sort-object name

Übersicht über ActivSyncDevice mit erfolgreichem Sync in den letzten Wochen
Get-Mailbox -ResultSize:Unlimited | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox:$_.Identity} | Where {$_.LastSuccessSync -gt ’11/30/2011′}|ft Id*,LastSuccessSync*

Anzeigen aller User aus einer bestimmten OU:
Get-Mailbox| where-object {$_.OrganizationalUnit -like „test.local/User „}|sort-object alias

Anzeigen bestimmter Mailboxstatistiken:
Get-MailboxStatistics | ft displayname,*ItemCount,total* -GroupBy StorageLimitStatus

Anzeigen der Mailboxstatistiken in MB:
Get-mailbox -database aegis| Get-MailboxStatistics |ft displayname, @{label=“Total Size (MB)“;expression={$_.TotalItemSize.Value.ToMB()}},@{label=“Items“;expression={$_.ItemCount}}

Anzeigen bestimmter Mailboxstatistiken für User einer definierten OU:
Get-Mailboxstatistics| where-object {$_.storagegroupname -like „user“}|ft displayname,itemcount,totalitemsize

Gesamten Forrest berücksichtigen:
$AdminSessionADSettings.ViewEntireForest = $True

Verschieben der Mailboxen aller User, die in einer bestimmten OU sind (2007 > 2010 new-mailboxmoverequest):
Get-Mailbox| where-object {$_.OrganizationalUnit -like „test.local/User“ -and $_.database -notlike „EX07\User\User“}|move-mailbox -TargetDatabase „EX07\User\User“

Alle Mitglieder aller Verteilerruppen auflisten:
foreach ($group in Get-DistributionGroup) {get-distributiongroupmember $group | ft alias, @{label=’Test1′;expression={$group.name}}}

spezielle Rechte Abfragen
Get-MailboxPermission User| Where-Object {($_.AccessRights -eq ‚Fullaccess‘)}

Get-ADPermission User| Where-Object {($_.ExtendedRights -eq ‚Send-As‘)}

spezielle Rechte Abfragen – DB
Get-Mailbox -Database Test|Add-MailboxPermission -user SG_Mailbox_FullAccess -AccessRights FullAccess

Ergebnisse exportieren:
Get-Mailbox | Export-Csv c:\test.csv

Get-Mailbox | Out-File c:\test.txt

wichtige Operatoren bei Abfragen
-lt — „Kleiner als“

-le — „Kleiner als“ oder „Gleich“

-gt — „Größer als“

-ge — „Größer als“ oder „Gleich“

-eq — „Gleich“

-ne — „Ungleich“

-like – „Gleich“; verwendet Platzhalterzeichen für Musterübereinstimmung

leere Abfrage
-notlike “

Dateioperation – erste Zeile und letztes Zeichen in der Zeile Löschen
$Quelle=“d:\test.txt“

$Ziel=“d:\testneu.txt“

$Datei = Get-Content $Quelle

Get-Content $Quelle| foreach-object {$_.TrimEnd(‚;‘)| Out-File -FilePath $Ziel -append}

get-content $ziel | select -Skip 1 | set-content „$ziel-temp“

move „$ziel-temp“ $ziel -Force

siehe auch:

http://msg-blog.de/2008/05/22/das-kleine-exchange-powershell-1×1/#comments
http://www.msxfaq.de/code/powershell.htm
http://www.microsoft.com/germany/technet/scriptcenter/topics/msh/cmdlets/where-object.mspx

Autodiscover SRV Record

> _autodiscover._tcp.domainname.com SRV service location:

>> priority = 0
>> weight = 0
>> port = 443
>> svr hostname = mail.domainname.com

Get-ClientAccessServer | fl
Get-RpcClientAccess | fl
Get-ActiveSyncVirtualDirectory | fl
Get-WebServicesVirtualDirectory | fl

[PS] C:\Windows\system32>set-WebServicesVirtualDirectory -Identity „SRVDC\EWS (Default Web Site)“ -InternalUrl https://mail.domainname.com/EWS/Exchange.asmx -ExternalUrl https://mail.domainname.com/EWS/Exchange.asmx

BEISPIEL 1
In diesem Beispiel wird für die Authentifizierungsmethode die Standardauthentifizierung für das virtuelle Verzeichnis „EWS“ auf dem Server „Contoso“ festgelegt. Darüber hinaus werden die externe und die interne URL für dieses virtuelle Verzeichnis festgelegt.

Set-WebServicesVirtualDirectory -Identity Contoso\EWS(default Web site)-ExternalUrl https://www.contoso.com/EWS/exchange.asmx -BasicAuthentication $true -InternalUrl https://contoso.internal.com/EWS/exchange.asmx

BEISPIEL 2
In diesem Beispiel wird anstelle der Standardwebsite (wie es in Beispiel 1 der Fall war) ein Platzhalterzeichen verwendet.

 Set-WebServicesVirtualDirectory -Identity Contoso\EWS* -ExternalUrl https://www.contoso.com/EWS/exchange.asmx

BEISPIEL 3
In diesem Beispiel wird MRSProxy auf der EWS-Standardwebsite aktiviert. MRSProxy ist der Dienst, der das Verschieben von Remotepostfächern unterstützt.

Set-WebServicesVirtualDirectory -Identity „EWS (Default Web Site)“ -MRSProxyEnabled $true

Minimal Requirements:

minimal iOS Version:  3.1+
minimal Mac OS X Version:  10.6.+

Guide:

follow the Link on the avm.de website for a step-by-step Guide

http://www.avm.de/de/Service/Service-Portale/Service-Portal/VPN_Interoperabilitaet/16206.php

Szenario:

Exchange 2010 SP1 and microsoft.exchange.search.exsearch.exe process is chewing up 100% CPU

It is possible that there is a bug wiht the Default Mailbox DB 1234567980 (number randomly generated)

Solution:

• Stop the Microsoft.Exchange Search Indexer Service.
• Delete (or move) the folder under Mailbox\(Database name)\CatalogData-…
  (The CatalogData folder holds the index catalog.)
• Start the Microsoft.Exchange Search Indexer Service.

The CPU will stay at around 100% for 15 – 20 minutes while the index catalog rebuilds. A new CatalogData folder is created in your database folder. When this is complete, the CPU should drop down to the normal load.

Problem solved. The CPU is now steady around 5%

delete upper & Lower key’s:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
Die Treibersignierung abschalten:
# Eine Command Shell als Admin aufmachen
# Eingabe von “bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS” (das DD ist kein Tippfehler)

Erst die Cd-Dvd Treiber über den Gerätemanager deinstallieren lassen…kein Reboot sondern oben genanntes
…dann neu starten und die Treiber neu erkennen lassen.