

Go through this video to get an initial understanding of the products stated in the subject. A PM from the Forefront team explains them at http://edge.technet.com/Media/FPE-vs-FOPE-and-Exchange-2010–Secure-messaging-with-Forefront/

The FPE RC for Exchange 2010 is available for download at http://www.microsoft.com/downloads/details.aspx?FamilyID=b8a7d36f-cc8d-4335-ae60-8f27c48f3a37&displaylang=en#filelist

Happy Learning,
Sitaram Pamarthi



The below procedure explains the steps involved in fetching free/busy information of an E2K3 (Exchange 2003) mailbox from an Exchange 2007 environment.

  1. The user initiates a meeting request using Outlook 2007 and adds the Exchange 2003 recipient as an attendee.
  2. CAS is responsible for fetching the free/busy information, so Outlook waits for the CAS response.
  3. CAS queries Active Directory for the E2K3 user's legacyExchangeDN attribute and also for the list of Exchange 2003/2000 servers in the administrative group (AG) to which the legacyExchangeDN value points.
  4. CAS forms an HTTP query for free/busy information and passes it to one of the servers it identified in the AG. There is no specific order AFAIK; it makes the selection randomly.
  5. If it gets a response, it passes that to Outlook, and Outlook displays the information to the user.
  6. If CAS doesn't get any response to its HTTP query, it makes the query to another server in the AG and continues through the remaining list until it finds a server that responds.
  7. If none of the servers in the AG respond to the HTTP query, it logs an event in Event Viewer (event ID 4004, event category Availability Service) and, as a last attempt, passes the query to a random server in the Exchange organization.
  8. If CAS gets a response at the last attempt (step 7), it passes that information to Outlook.
  9. You will see gray lines in the meeting request Scheduling tab if CAS is unable to get free/busy information of the E2K3 user from any of the servers in the AG and the last attempt to a random server also fails.

Because of this behavior, MS recommends adding all the servers in an AG to the free/busy public folder of that AG. If your organization does not meet this criterion, you will see availability-related errors (event ID 4003) in your CAS event log.

Please note that the above procedure is valid only for meeting requests initiated from Outlook 2007 using an Exchange 2007 mailbox to Exchange 2003 mailboxes. If your scenario is not the same, the procedure will differ. I will come up with details about this in my next post. So, stay tuned.

Happy Learning,
Sitaram Pamarthi


Configure Exchange 2007 OWA using PowerShell

In this post, I am giving the PowerShell commands to configure the OWA authentication mechanism as per your needs using PowerShell cmdlets. Please write to me (in the comments section) if you need any clarification.

Configure Exchange 2007 OWA to take default domain name:

Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat UserName -DefaultDomain mydomain.com

Configure Exchange 2007 OWA to accept only the “domain name\User Name” format:

Set-owavirtualdirectory -identity "owa (default web site)" -LogonFormat fulldomain

Configure Exchange 2007 OWA to use form-based authentication:

Set-owavirtualdirectory -identity "owa (default web site)" -FormsAuthentication:$true

Configure Exchange 2007 OWA to use integrated authentication:

Set-OwaVirtualDirectory -Identity "owa (Default Web Site)" -WindowsAuthentication $true

Happy Learning,
Sitaram Pamarthi


Enable Diagnostic Logging in Exchange 2007


In Exchange 2003, you need to go to the “Diagnostics Logging” tab in the Exchange server properties to enable the required logging. This has been simplified in Exchange 2007, and now you can do it through the Exchange Management Shell.

List Logging Levels (Get-EventLogLevel)

To get the current logging levels of an Exchange 2007 server, run the below command, putting your server name after “-Server”. If you don't specify one, it displays the logging levels of the local server. The list of logging levels varies with the role of the Exchange 2007 server (MBX, CAS, HTS).

Get-EventLogLevel -Server MYSERVER

Set Logging Level (Set-EventLogLevel)

You can raise the logging level of any listed identity to one of the below values. The levels are self-explanatory, so I am hoping no further description is needed.

  • Lowest
  • Low
  • Medium
  • High

For example, if I want to change the “MSExchange ADAccess\Validation” logging level to Low, I use the below command.

Set-EventLogLevel -Identity "MSExchange ADAccess\Validation" -Level Low

You can do the same for the remaining identities in a similar way. Good luck and happy learning.
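A raised logging level should be temporary: Medium and High flood the Application log and are easy to forget. The script below is an added example, not code from the original post; it records the current level, raises it for a troubleshooting window, collects the events written in that window, and puts the level back. It assumes it runs in the Exchange Management Shell on the Exchange 2007 server being changed; the category name and the window length are placeholders you change to suit.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the Exchange 2007 server whose logging you want to change.
$category = "MSExchange ADAccess\Validation"   # placeholder: any identity listed by Get-EventLogLevel
$source   = "MSExchange ADAccess"              # event log source that category writes under
$minutes  = 10                                 # placeholder: how long to keep verbose logging on

# Remember the level we started from so it can be restored afterwards
$original = (Get-EventLogLevel -Identity $category).EventLevel
"Current level for $category is $original"

# Raise the level only for the troubleshooting window
Set-EventLogLevel -Identity $category -Level High
$start = Get-Date
"Reproduce the problem now; waiting $minutes minutes before resetting..."
Start-Sleep -Seconds ($minutes * 60)

# Pull only the events written during the window from the Application log
Get-EventLog -LogName Application -Source $source -After $start |
    Select-Object TimeGenerated, EventID, EntryType, Message |
    Format-Table -AutoSize -Wrap

# Put the level back to what it was before the exercise
Set-EventLogLevel -Identity $category -Level $original
"Level for $category reset to $original"
```

If the shell is interrupted before the last two lines run, the category stays at High; check with Get-EventLogLevel and reset it by hand.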

Sitaram Pamarthi


I wrote an enhanced function to get the disk space. You can find it at https://techibee.com/powershell/check-disk-space-of-remote-machine-using-powershell/430

The subject says it all. This code helps you find out the disk space of a remote machine.

Code (save it into a file with a .ps1 extension):

$hostname = Read-Host "Enter the computer name"
# Query only fixed disks (DriveType=3) on the remote machine via WMI
Get-WmiObject -ComputerName $hostname -Class Win32_LogicalDisk -Filter "DriveType=3" | ForEach-Object {
    Write-Host "Device name : $($_.DeviceID)"
    # Size and FreeSpace are in bytes; convert to GB with two decimals
    Write-Host ("Total space : {0:0.00} GB" -f ($_.Size / 1GB))
    Write-Host ("Free space  : {0:0.00} GB" -f ($_.FreeSpace / 1GB))
}

Output

PS C:\temp> .\CheckSpace.ps1
Enter the computer name: MyRemotePC
Device name : C:
Total space : 232.75 GB
Free space  : 130.51 GB
PS C:\temp>

How Outlook 2007 will identify its CAS server

This I learned today.

I really liked the way Microsoft designed it. The procedure Outlook 2007 uses for connecting to its nearest CAS server is similar to the DC Locator process in Active Directory. When you install an Exchange 2007 CAS in a forest, it creates a Service Connection Point (SCP) in Active Directory. The number of CAS SCPs is directly proportional to the number of CAS servers in the Exchange organization: each CAS role installation creates one SCP in Active Directory. This SCP object holds the Autodiscover URL (e.g. https://cas01.yourdomain.com/autodiscover/autodiscover.xml) and the Active Directory site name to which the CAS server belongs, along with other parameters. This site information plays a key role in making Outlook 2007 connect to its nearest CAS server. Go through the below steps for the process Outlook 2007 follows to connect to the Autodiscover service.

  • Outlook 2007 sends an LDAP request to Active Directory for the list of CAS SCPs.
  • Outlook 2007 divides the received list of CAS servers into two lists, an “in-site” list and an “out-of-site” list. The “in-site” list contains the CAS servers that belong to the Active Directory site from which Outlook 2007 is started; the “out-of-site” list contains all remaining CAS servers in the Exchange organization.
  • After sorting the “in-site” list, Outlook starts connecting to each CAS server through its Autodiscover URL, moving to the next server in case of errors with the current one, until it finds a responding server. If none of them respond, it sorts the “out-of-site” list by SCP creation order and tries those one by one until it finds a responding server.
  • Once it finds a CAS server that is online, Outlook continues to fetch free/busy, OAB and other information from it.
  • If all of the above attempts fail, Outlook tries the predefined URLs (https://autodiscover.yourdomain.com/autodiscover/autodiscover.xml or https://yourdomain.com/autodiscover/autodiscover.xml) using DNS name resolution. If that still fails, it tries to query using SRV DNS records, and if that also fails it can do no more.
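To see the SCP step from the client's point of view, the script below (an added example, not code from the original post or from Microsoft) reads the Autodiscover SCPs from the Configuration container and splits them into the same in-site and out-of-site lists, with the out-of-site list in SCP creation order. It assumes a domain-joined machine with read access to the Configuration naming context; the Autodiscover SCP keyword GUID in the filter is the one Exchange stamps on these objects, and sorting the in-site list by server name is my choice, since the post does not say which key Outlook sorts by.

```powershell
# Added example, not from the original post: list the Autodiscover SCPs the way the post says
# Outlook 2007 groups them. Assumes a domain-joined client and .NET DirectoryServices.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNC"
# Exchange marks every Autodiscover SCP with this keyword GUID (documented by Microsoft)
$searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))"
$null = $searcher.PropertiesToLoad.AddRange(@("name", "serviceBindingInformation", "keywords", "whenCreated"))

# The AD site this client currently belongs to, the same value Outlook compares against
$mySite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

$inSite = @(); $outOfSite = @()
foreach ($r in $searcher.FindAll()) {
    # The CAS stamps its own site as a "Site=<name>" keyword alongside the GUID
    $siteKeyword = $r.Properties["keywords"] | Where-Object { $_ -like "Site=*" }
    $entry = [pscustomobject]@{
        Server  = $r.Properties["name"][0]
        Url     = $r.Properties["servicebindinginformation"][0]
        Site    = ($siteKeyword -replace '^Site=', '')
        Created = $r.Properties["whencreated"][0]
    }
    if ($entry.Site -eq $mySite) { $inSite += $entry } else { $outOfSite += $entry }
}

"Client site: $mySite"
"In-site Autodiscover SCPs (tried first):"
$inSite | Sort-Object Server | Format-Table Server, Url, Site -AutoSize
"Out-of-site SCPs in creation order (tried only if every in-site server fails):"
$outOfSite | Sort-Object Created | Format-Table Server, Url, Site, Created -AutoSize
```

If the in-site list comes back empty, the client's site has no CAS and every Autodiscover attempt will cross a WAN link, which is usually the first thing to check when Outlook profile creation is slow.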

Refer to white paper on Exchange Discovery service to know more about it.

Happy Learning..,

Sitaram Pamarthi


RDP session recording tool

There are many tools available over the internet to record the activities in an interactive Windows screen, but for the first time I came across a utility that can record all RDP sessions on a Windows server and play back the recorded sessions whenever you want. The most exciting part of it is that it's FREE.

Visit this link to download

Tags: record windows screen, record terminal services


Protect Your Active Directory

In this post, I am *NOT* going to talk about protecting Active Directory from external/internal intruders; rather, I will talk about protecting Active Directory from accidental delete/move/modify operations.

Sounds weird? But believe it: every organization faces the problem of accidental OU/object deletions by privileged users (I mean administrators, mostly). Though it is not intentional, the damage still costs the company. And again, the sysadmin is the one who has to break their head over proper restoration of the objects, or depend on costly restoration software.

So, in this post, I will take you through procedures for protecting an OU from being moved or deleted.

HIGH-ALERT: THIS PROCEDURE IS CONTAINING DENY PERMISSIONS FOR EVERYONE TO ACTIVE DIRECTORY OBJECTS. SO THE READER/FOLLOWERS OF THE DOCUMENT SHOULD BE MUCH CAREFUL WHILE FOLLOWING THE STEPS. AND I CANNOT GUARANTEE THAT IT WORKS IN THE SAME WAY AS I DESCRIBED AND IT DEPENDS ON YOUR AD INFRASTRUCTURE. USE THIS AT YOUR OWN RISK. I AM (SITARAM PAMARTHI) NOT RESPONSIBLE FOR ANY DAMAGES CAUSED BECAUSE OF THIS POST.

Protect from Deletion.

  1. Open dsa.msc (a.k.a. Active Directory Users and Computers) and open the properties of the Organizational Unit you want to protect.
  2. Switch to the Security tab and click Advanced to get the Advanced Security Settings page.
  3. Click Add, type Everyone and click OK to close the window.
  4. On the Permission Entry page, select “This object only” from the “Apply onto” drop-down box and tick the Deny check box for the DELETE and DELETE SUBTREE permissions.
  5. Click OK to leave the Permission Entry page (click Yes on the warning message you receive explaining how Deny entries work), then click OK on the Advanced Security Settings page and on the OU properties page.
  6. This completes the process of protecting the OU from deletion.

Refer to this TechNet page for details on protection. If in future you really want to delete a protected OU, follow the Remove Protection procedure described on the same TechNet page.
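The same Deny entry can be applied and verified from the shell, which makes it practical to protect many OUs consistently and to audit that the entry is still present. The script below is an added example, not code from the original post; it needs the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), which the 2003-era GUI steps above do not need. The OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module and rights
# to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN = "OU=Protected,DC=yourdomain,DC=com"   # placeholder: the OU you want to protect

# Everyone (well-known SID S-1-1-0), the same principal the GUI steps use
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")

# DELETE and DELETE SUBTREE, applied to "this object only" (no inheritance to children)
$rights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Read the current ACL through the AD: drive, add the Deny entry, write it back
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the Deny entry for Everyone should now be listed on the OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'Everyone' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize
```

On Windows Server 2008 and later the same Everyone Deny Delete/DeleteTree entry is what `Set-ADObject -ProtectedFromAccidentalDeletion $true` writes, so on those versions that cmdlet is the simpler way to get the same result, and the verification query above works for either method.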

Protect from Moving

We can deal with AD permissions similar to the deletion case to block moving, but I don't suggest that because of the complexity involved. Rather, I would just disable the drag-and-drop functionality in dsa.msc to achieve this. I think this should suffice for protecting from moving. If an admin really wants to move an OU, he can right-click it and select Move.

I won't describe the steps here; instead I will point to this KB article, which is very straightforward.

Happy Learning…,
Sitaram Pamarthi

Tags: prevent OUs from deletion, protect OU’s in active directory, prevent OUs from moving


While working with Active Directory Users and Computers, I sometimes felt the pain of finding out when a user was last modified, their home mailbox server, whether the account is locked or not, and many other parameters. I need to go to the user's properties and check each piece of information on each tab. Sometimes I forget to enable the “Advanced Features” option, which shows some more details in the properties. I'd had enough and asked myself, “Do I really need to navigate to all the tabs in User Properties to get the information I want?”, then asked my friend “google.com”, which showed me a way out.

I found a lot of help on the internet for adding a new option to the user context menu which, when clicked, invokes a VB script. I quickly followed the procedure and got the work done the way I like (“One Click to get User Info”).

Please note that you need to write your own script based on the attributes you want to view. I wrote a script (Get-User-Info.vbs) that satisfied my needs and placed it on Google Documents for public reference.

Procedure:

  • Log on to any machine where the Windows 2003 Support Tools are installed and type “adsiedit.msc” in the Run box.
  • It opens the ADSI Edit MMC. Navigate to Configuration Container -> “CN=Configuration,DC=Yourdomain,DC=COM” -> “CN=DisplaySpecifiers” -> “CN=409”.
  • In the right-hand pane, open the properties of the “CN=User-Display” object and edit the attribute “adminContextMenu” on the Attribute Editor tab.
  • Add the below value (without quotes) to the list. There might be other entries that begin with 6; choose another number if that is the case.

    “6, &Show User Info,\\yourdomain.com\netlogon\get-user-info.vbs”

    Note: In the above value I used the NETLOGON DFS share. You can change it to any other share on a file server as per your convenience. Remember to place the script at the location you mention.

  • Click OK to finish editing and reopen the “Active Directory Users and Computers” MMC.

Now right-click any user account and you will see the “Show User Info” option. When you click it, the script is invoked and displays the result you are looking for. Look at the below pictures.

Tags : How to add custom menu in active directory, Easy way to get user information, Quickly access user information, Customize Active Directory to Display User information


I know there are various methods and scripts available on the web to get the list of domain controllers in a domain. Still, I want to write this post to present the simplest way of doing it from a Windows XP/Windows 2003 machine using my favourite command, nltest.

Syntax: nltest.exe /DCLIST:<domain name>

Example : nltest.exe /DCLIST:pamarths.com

Here pamarths.com is my domain name; executing this gives each DC name and the site it belongs to. Please note that you need to install the Windows Support Tools package to get the nltest command. You can do numerous other things with this command; I will write another post when I find some time.
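nltest prints plain text, so if you want to filter by site or feed the DC list into another script you need to parse it. The function below is an added example, not code from the original post; it turns the “/DCLIST” lines into objects with the DC name, whether it holds the PDC role, and its site. The sample output it runs against is constructed to match the nltest layout, and the live call at the end uses the domain from the post as a placeholder.

```powershell
# Added example, not from the original post: parse "nltest /DCLIST" output into objects.
function Get-DcListFromNltest {
    param([string[]]$NltestOutput)
    # Each DC line looks like: "    dc01.pamarths.com [PDC]  [DS] Site: Default-First-Site-Name"
    # The bracketed flag tokens vary per DC, so they are matched as an optional repeated group.
    foreach ($line in $NltestOutput) {
        if ($line -match '^\s*(?<dc>\S+)\s+(?<flags>(\[\w+\]\s*)*)Site:\s*(?<site>\S+)') {
            [pscustomobject]@{
                DomainController = $Matches['dc']
                IsPDC            = [bool]($Matches['flags'] -match '\[PDC\]')
                Site             = $Matches['site']
            }
        }
    }
}

# Constructed sample output so the parser can be exercised offline
$sample = @(
    "Get list of DCs in domain 'pamarths.com' from '\\dc01'.",
    "    dc01.pamarths.com [PDC]  [DS] Site: Default-First-Site-Name",
    "    dc02.pamarths.com       [DS] Site: Branch-Site",
    "The command completed successfully"
)
Get-DcListFromNltest -NltestOutput $sample | Format-Table -AutoSize

# Live use against the real tool (placeholder domain name from the post):
# Get-DcListFromNltest -NltestOutput (nltest.exe /DCLIST:pamarths.com) | Where-Object { $_.Site -eq 'Branch-Site' }
```

The two header and footer lines do not contain “Site:”, so the regex skips them without a separate check.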

Happy Learning…,
Sitaram Pamarthi
