Officially VCP 5 Today!

Just passed VCP510 exam today, yay!
Pretty difficult compare to the other exams

 

Exchange 2010 Distribution List Owner

I have been migrating user mailboxes from Exchange 2007 to Exchange 2010 lately. Apparently a user who has got the manage rights to a distribution list in Exchange 2007, might not be able to manage their DL anymore once his/her mailbox has been migrated to the Exchange 2010.

This is by design. Exchange 2010 by default does not allow individual users to create, modify, remove and add members to distribution groups they own

The user will get access denied if they were trying to add/remove a user from the DL they were managing. To fix this, you can tick the check box from the RBAC User Editor/Default Role Assignment Policy. However as you can see in the description of this option, it will also grant the user to add and delete the DL by them self.

If we were only want to enable them to only manage the DL their own, you need to use the following PowerShell script:

# Script for creating a Role that can manage distributions groups but can't create new ones 
#  
################################################################################# 
#  
# The sample scripts are not supported under any Microsoft standard support  
# program or service. The sample scripts are provided AS IS without warranty  
# of any kind. Microsoft further disclaims all implied warranties including, without  
# limitation, any implied warranties of merchantability or of fitness for a particular  
# purpose. The entire risk arising out of the use or performance of the sample scripts  
# and documentation remains with you. In no event shall Microsoft, its authors, or  
# anyone else involved in the creation, production, or delivery of the scripts be liable  
# for any damages whatsoever (including, without limitation, damages for loss of business  
# profits, business interruption, loss of business information, or other pecuniary loss)  
# arising out of the use of or inability to use the sample scripts or documentation,  
# even if Microsoft has been advised of the possibility of such damages 
# 
################################################################################# 
# 
# Written by Matthew Byrd 
# Matbyrd@microsoft.com 
# Last Updated 10.15.09 
 
 
# Parameter to get a different name than default for the new Role 
Param([string]$name="MyDistributionGroupsManagement",[string]$policy="Default Role Assignment Policy",[switch]$creategroup,[switch]$removegroup) 
 
# Help Function 
Function Show-Help { 
 
" 
This script is will create or manage a management role designed to allow users to modify groups that they already own 
but not create or remove any new distribution groups. 
 
Switches: 
-name           Name of the managment role you want to create or modify 
                    Defaults to: `"MyDistributionGroupsManagmenet`" 
                     
-policy         Name of the Role Policy you want to assign the role to 
                    Defaults to: `"Default Role Assignement Policy`" 
                     
-creategroup    Adds or Removes the ability of the Role to Create DLs 
 
-removegroup    Adds or Removes the ability of the Role to Remove DLs 
 
Examples: 
-------------------------------------------- 
This will Use the default names and Policy and will create a role that cannot 
Create or remove groups but can still modify them.  If the role already exists 
It will modify it by removing or adding the abiltity to create and remove groups 
based on the current state. 
 
Manage-GroupManagementRole -CreateGroup -RemoveGroup 
 
" 
 
 
} 
 
 
 
# Function to modify a role by removing or adding Role Entries 
# If no action is passed we assume remove 
# $roleentry should be in the form Role\Roleentry e.g. MyRole\New-DistributionGroup 
Function ModifyRole { 
 Param($roleenty,$action) 
     
    Switch ($action){ 
        Add {Add-ManagementRoleEntry $roleenty -confirm:$false} 
        Remove {Remove-ManagementRoleEntry $roleenty -confirm:$false} 
        Default {Remove-ManagementRoleEntry $roleenty -confirm:$false} 
    } 
} 
 
If (($creategroup -eq $false) -and ($removegroup -eq $false)){ 
    Show-Help 
    exit 
} 
 
 
# Test if we have a role that already has that name 
If (([bool](Get-Managementrole $name -erroraction Silentlycontinue)) -eq $true){ 
    Write-Warning "Found a Role with Name: $name" 
    Write-Warning "Trying to Modify Existing Role" 
} 
Else { 
    # Create the new Management Role 
    Write-Host "Creating Managmenet Role $name" 
    New-ManagementRole -name $name -parent MyDistributionGroups 
} 
 
# Determine if we have the New and Remove Role Entries on the Role Already 
$create = [bool](Get-managementroleentry $name\New-DistributionGroup -erroraction Silentlycontinue) 
$remove = [bool](Get-managementroleentry $name\Remove-DistributionGroup -erroraction Silentlycontinue) 
 
# If we have the switch CreateGroup add or remove the RoleEntry for New-DistributionGroup 
If ($creategroup -eq $true){ 
    If ($create -eq $true){ModifyRole $name\New-DistributionGroup Remove;Write-Host "Removing ability to create distribution Groups from $name"} 
    elseif ($create -eq $false) {ModifyRole $name\New-DistributionGroup Add;Write-Host "Adding ability to create distribution Groups to $name"} 
} 
 
# If we have the switch RemoveGroup add or remove the RoleEntry for New-DistributionGroup 
If ($removegroup -eq $true){ 
    If ($remove -eq $true){ModifyRole $name\Remove-DistributionGroup Remove;Write-Host "Removing ability to create distribution Groups from $name"} 
    elseif ($remove -eq $false) {ModifyRole $name\Remove-DistributionGroup Add;Write-Host "Adding ability to create distribution Groups to $name"} 
} 
 
# Test if we have the assignment for the Role and Policy 
# If we do ... write a warning 
# If not create a new assignment 
If (([bool](get-managementroleassignment $name-$policy -erroraction SilentlyContinue)) -eq $true){ 
    Write-Warning "Found Existing Role Assignment: $name-$policy" 
    Write-Warning "Making no modifications to Role Assignments" 
} 
Else { 
    # Assign the Role to the Role Policy 
    Write-Host "Creating Managmenet Role Assignment $name-$policy" 
    New-ManagementRoleAssignment -name ($name + "-" + $policy) -role $name -policy $policy 
} 

Save the code to as MyDistributionGroupsManagement.ps1 file
Run the script:

MyDistributionGroupsManagement.ps1 -creategroup -removegroup

The script is basically create another role as a child role of the MyDistributionGroups and remove the ability to create and remove DL.
Once you have run the script, you will have the following Role:

Thanks to MS Exchange Team to share the script here

Netbackup Skipping Backup ID

Using Netbackup 7.5, recently we encountered the following error:

no images were successfully processed (191)

and

found no images or media matching the selection criteria (190)

and if you do "Search Now" in the Catalog with Action: Verify, you will get the following error:

To fix this issue, run the following command:

bpexpdate -backupid XXXXX_1338296403 -d 0 -force

this will force the problematic backup id to expire

ESXi 5 Install Offline Bundle

To install the ESXi 5 host with the Offline Bundle:

• Download the ISO file from VMware
• Extract the ISO file and find the offline-bundle ZIP file
• SCP this ZIP file to the ESXi host (e.g. /tmp/driver.zip)
  
• Run the following command

esxcli software vib install -d /tmp/offline-bundle.zip

Reboot

iPhoto Backup

I am using iPhone and taking photos with it. As you know it imports the photos automatically to the iPhoto when it is connected to the OSX. I created the following bash script to mount the Windows file share and copy the photos to the Windows Server

#!/bin/bash
mount -t smbfs //username:password@windowsserver/pictures /Users/laurence/Mount
rsync -urz /Users/laurence/Pictures/iPhoto\ Library/Masters /Users/laurence/Mount/iPhoto
umount /Users/laurence/Mount

Exchange ExMon

Exchange ExMon tool is an awesome tool! by using this tool, for each user session, you can view

• Number of packets
• Number of operations
• CPU Time
• CPU %
• Avg and Max Server latency
• Bytes In and Out
• Client Version and IP Address
• Read, PreRead and Dirtied Pages
• Log Bytes

The Log Bytes information is particularly very helpful if you want to find out who is filling up your Exchange Server Logs

The program can be downloaded from here

Sometime when you run it, it crashes :) and if you try to run it again, you will get the following error:

Then you should do the followings:

Open the Command Prompt and type in:

logman query -ets

As you can see in the picture above, the last line is: Exchange Event Trace
You need to stop this trace, by typing:

logman stop "Exchange Event Trace" -ets

Then you can run the ExMon again.

 

Exchange 2010 Recovery

Recently I had to recover my Exchange 2010 Servers. One of them was the Mailbox server role part of the DAG and the other one was the CAS, Hub and UM server. Those 2 servers were totally gone, unrecoverable due to RAID controller failure

CAS + Hub + UM Server Recovery

• Build the server, Windows 2008 R2 SP1, name it EXACTLY the same name with the failed server name
• Add all the Windows Server role + features required for CAS+Hub+UM
• Patch it
• Join to the domain
• Extract the Exchange 2010 SP2 to the temp directory (e.g. C:\temp)
• Run setup.com /m:RecoverServer
• Reboot and check the configuration

Mailbox Server Recovery

• Build the server, Windows 2008 R2 SP1 (Enterprise), name it EXACTLY the same name with the failed server
• Add the Windows Server role + features required for Mailbox role
• Patch it
• Join to the domain
• Remove the database copy from this failure Mailbox server (e.g. do this from the running Exchange 2010 Server)

Remove-MailboxDatabaseCopy DB1\MBX1

• Remove the failed server's configuration from the DAG

Remove-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer MBX1 -ConfigurationOnly

• Extract the Exchange 2010 SP2 to the temp directory (e.g. C:\temp)
• Run setup.com /m:RecoverServer
• Reboot
• Add the server back to the DAG

Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer MBX1

• Add the database copy

Add-MailboxDatabaseCopy -Identity DB1 -MailboxServer MBX1

Trixbox + CUCM + Exchange UM + SP3102 + SRP527W Part 1

I have setup the voice network @home as per below picture

As you can see, there are a lot of SIP trunks between them. I will try to put the configuration for each of them

Exchange UM - CUCM

For Exchange UM and CUCM connection configuration, just follow the document published by Microsoft: http://www.microsoft.com/download/en/details.aspx?id=13591

The following is the CUCM Media Resource Group

The following is the CUCM Media Resource Group List

The following is the CUCM Configuration for the SIP Trunk to Exchange UM (e.g. mx01.domain.local), use the Media Resource Group List created above

CUCM - Trixbox

Create a new SIP Trunk Security Profile

Create a SIP trunk from CUCM to Trixbox, use the SIP Trunk Security Profile created above

Create a new Route Group

Create a new Route List

Create a new Route Pattern

I have extension 1499 and 1500 for Exchange UM Pilot and Auto Attendant respectively

I created a Route Pattern for default route to Trixbox when dial starts with 9. I also do exactly the same Route Pattern to the default route when dial starts with 0. The purpose for this is to use VOIP when dial with 9 and to use PSTN when dial with 0 first (configuration later on Trixbox)

Trixbox - CUCM

To be continue...

NetScaler MAC Based Forwarding

In the situation where you have deployed your NetScaler with 2 NICs, one connected to the DMZ network and the other one is connected to your Internal network, depending on your configuration, you might need to enable the MAC Based Forwarding on NetScaler

You probably assign the NSIP on your Internal Network, MIP on your Intenal Network, SNIP and VIPs on your DMZ Network (for example for publishing CAG/SSL VPN). You then trying to access your NetScaler services from your Internal Network. This means your traffic from the Internal network goes to your default gateway (e.g. the firewall) which then forwarded to the VIP on DMZ Network. NetScaler then accept the traffic, however, the returning traffic will not going back to through the firewall (e.g. NetScaler default gateway), it will be going to the other NetScaler's NIC that connects to Internal network. This will create asymmetric routing, and most router/firewall will drop the packets.

To avoid this, usually enabling the MAC Based Forwarding (MBF) will fix this.

The following is the definition of MBF:

With MAC-based forwarding (MBF) enabled, when a request reaches the NetScaler appliance, the appliance remembers the source MAC address of the frame and uses it as the destination MAC address for the resulting replies. MAC-based forwarding can be used to avoid multiple-route/ARP lookups and to avoid asymmetrical packet flows. MAC-based forwarding may be required when the NetScaler is connected to multiple stateful devices, such as VPNs or firewalls, because it ensures that the return traffic is sent to the same device that the initial traffic came from.

To enable it, from the NetScaler Console:

enable ns mode mbf

XenServer 6.0 Kill Dead VM

Sometime when you try to restart or shutdown the VM, its status get stuck with the yellow status on XenCenter.

To forcely kill that VM:

•  Login to the XenServer console where the VM is hosted
• Get the VM Dom ID 

xe vm-list name-label={VM Name} params=dom-id

• Get the list of live domains and see if the Domain ID of your VM is listed there

list_domains

• If your Domain ID VM is there, run the killing script

/opt/xensource/debug/destroy_domain -domid <dom id>

• Do another list_domain to check the Dom ID is gone
• Reset the power state of that VM

xe vm-reset-powerstate vm={VM Name} force=true

• If that still does not work do

xe-toolstack-restart

SharePoint 2010 - Get Logged In User Details

To get the user details using JavaScript from SharePoint 2010, use the following code:

the SP.JS file should be available from the standard installation folder of SharePoint 2010

FreeNAS 8 and Time Machine

I have just finished setting up the FreeNAS 8 on Hyper-V to backup my MAC using Time Machine.

Tricky bits settings up FreeNAS 8 on Hyper-V:

• Remove the default NIC when creating VM
• Add a new NIC, must be legacy NIC
• FreeNAS 8 does not recognize SCSI disks, only IDE
• After installed, change the IP to static
• do: ifconfig to find out the adapter name
• do: ifconfig down
• do: ifconfig up

Once the FreeNAS is up and running, go to its web console:

• Create a group called: backup-group
• Create a user called: backup-user, with primary group ID: backup-group, enter the password
• Go to Services, enable AFP
• Go to AFP Settings, make sure Local Access is ticked
• Go to Storage, and Create ZFS Data Set, called backup-apple
• Once it is created, edit its permissions, make sure owner-user is changed to backup-user and owner-group is changed to backup-group. Tick the option to have the Group the write access
• Go to Share, add Apple Share. Name it backup, path: /mnt/data/backup-apple. Make sure the Disk Discovery is ticked, Disk Discovery Mode is set to Time Machine. 

From my MAC, start Finder:

• Click Go, and select Connect to Server
• Enter Server Address: afp://freenas-ip
• It will ask you for the username: backup-user, password: password
• Start Console, type:defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1
• Start Time Machine and Select Disk, select the backup

Thanks for reading :)

Exchange 2010 SP2 Upgrade

Just done my Exchange 2010 upgrade to SP2, which includes the following steps:

• Login to Active Directory Server which holds schema master, as schema master and enterprise admin user, and run: setup.com /ps and setup.com /p
• Upgrade all the Hub/CAS
• Upgrade all the UM
• Upgrade all Mailbox Servers:

1. Enable maintenance mode on the DAG of the server to be upgraded:

.\StartDagServerMaintenance.ps1 -server server1

1. Upgrade to SP2
2. Disable maintenance mode

.\StopDagServerMaintenance.ps1 -server server1

Sharepoint 2007 Access User Profile

To access user profile details from a page within SharePoint, you need the following:

Download the latest jQuery SPServices JavaScript from here
Upload the JavaScript to your SharePoint site
Add a Content Editor Web Part to the page
Edit the Content Editor Web Part, include the following:

The userName and Email have got the value of the logged on user

Passed Citrix XenServer 5.6 Exam

Yay! today I passed 1Y0-024 Citrix XenServer 5.6 Exam - 2 more to go to get the CCEE for Virtualization

ESXi 4.1 NIC Driver Update

To update the ESXi 4.1 host with the latest NIC driver

• Download the ISO file from VMware
• Extract the ISO file and find the offline-bundle ZIP file
• SCP this ZIP file to the ESXi host (e.g. /tmp/driver.zip)
  
• Run the following command

esxupdate –bundle=/tmp/driver.zip update

reboot

AppSense Upgrade from 8.0 to 8.1

Recently I have to upgrade AppSense from version 8.0 to 8.1

Our 8.1 environment was messy, the Outlook profile (e.g. registry entries) was stored in both Managed application registry and Desktop Settings registry. This caused a lot of problems, like secondary mailbox not being retained, unable to use "Send To Email" from any other application, etc.

To fix this, I had to do the following:

After the upgrade was done to 8.1, before the users start using Outlook, I exported all the users from EM personalisation DB, using the SQL query bellow:

SELECT [Name]

FROM [AppSensePersonalizationDB].[dbo].[User]

WHERE [DomainName] = 'DOMAIN'

Please note, my DB name is AppSensePersonalizationDB, yours probably has different name

Then save the result as a txt file, e.g. users.txt, which has entry like the following:

user1

user2

user3

You have to install AppSense EM Manager Tools to be able to use the EMPRegUtil. Once installed, create a batch file:

@echo off

SET EMPRegUtilConnectionString=Data Source=EMDB;Initial Catalog=AppSensePersonalizationDB;Integrated Security=SSPI

for /f "tokens=*" %%i IN (users.txt) DO call:doit %%i

:doit

if "%~1" == "" goto end

@echo %~1

@echo exporting MS Office 2010 Outlook profiles...

EMPRegUtil EXPORT DOMAIN\%~1 "Production" "MS Office 2010" "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook" C:\temp\%~1.reg

@echo deleting MS Office 2010 Outlook profiles...

EMPRegUtil DELETE DOMAIN\%~1 "Production" "MS Office 2010" "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"

@echo deleting Session Data Outlook profiles...

EMPRegUtil DELETE DOMAIN\%~1 "Production" "Session Data" "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"

@echo importing to Session Data Outlook profiles...

EMPRegUtil IMPORT DOMAIN\%~1 "Production" "Session Data" C:\temp\%~1.reg

:end

Please note:

my database server name is: EMDB

Run the batch script, it will export the Outlook profile from Managed application, delete the registry from managed application, delete the registry from session data and import the registry back to session data

Exchange 2007 Restore

Had to restore someone else mailbox today - using NetBackup 7.

Steps involved:

• Create the Recovery Storage Group
  
• Restore the Storage Group that has the database of the mailbox to be restored to the Recovery Storage Group
  
• Mount the database in that Recovery Storage Group
• Create an empty mailbox (AD User + Mailbox)
• Restore the mailbox to the new mailbox

Restore-Mailbox -RSGMailbox 'Doe, John' -RSGDatabase 'Recovery Storage Group\Mailbox Database 01' -id 'new mailbox' -TargetFolder 'myFolder'

Passed CCA for XenDesktop 5

Passed CCA for XenDesktop 5 - Next will be CCA for XenServer

Active Directory DNS Waiting for Initial Replication

When you boot the 1st domain controller within the environment which has more than 1 DC, by default the DC is waiting for initial inbound replication from the other DC. But because this is the first DC you boot, this is going to take a while

To avoid this, add the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0

Add Reboot!
Do not use this method in the producation environment