Scheduled Task to Update Your Federation Trust

Microsoft published an article this morning about keeping your federation trust up-to-date. This is really important if you are in a hybrid configuration or if you are sharing free/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker. Microsoft periodically updates the certificates used by the Microsoft Federation Gateway and updating your federation trust keeps these certs up-to-date.

Exchange 2013 SP1 and later automatically updates the federation trust. If you’re running at least this version of Exchange 2013 (and you should), you’re good to go. If you’re an Exchange 2013 RTM/CU1/CU2/CU3 customer who hasn’t upgraded yet, read on…

In the article, Microsoft provides a command to run on one of your Exchange 2010 servers that creates a Scheduled Task to update the federation trust daily. This script only works on Exchange 2010. If you have a pure Exchange 2013 pre-SP1 environment, you can use this command to create a scheduled task:

Schtasks /create /sc Daily /tn FedRefresh /tr "%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -command \". $ENV:ExchangeInstallPath\bin\RemoteExchange.ps1; Connect-ExchangeServer -auto -ClientApplication:ManagementShell; $fedTrust = Get-FederationTrust; Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata\"" /ru System

Note that this version will also work on Exchange 2010 servers and also works in the rare occasion where PowerShell is not located on the C: volume.
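The same daily refresh can be registered with the ScheduledTasks cmdlets instead of schtasks.exe, and the script it runs can record whether the Federation Gateway's token-issuer certificate actually changed, which is the thing you want evidence of. This is an added example, not code from the original post or from the Microsoft article it cites. It assumes Windows Server 2012 or 2012 R2 (for the ScheduledTasks module), an Exchange 2013 pre-SP1 server, and an elevated shell on that server; the script file name and the log file name are chosen for this example. The script is placed under the Exchange install path because that directory is writable only by administrators, and a script that runs as SYSTEM must never live somewhere a regular user can modify it.

```powershell
# Added example: daily federation-trust refresh with a before/after certificate
# check, registered via the ScheduledTasks module. Assumes Server 2012/2012 R2,
# Exchange 2013 pre-SP1, elevated shell. Script and log file names are made up.

$scriptPath = Join-Path $env:ExchangeInstallPath 'Scripts\Refresh-FederationTrust.ps1'
$logPath    = Join-Path $env:ExchangeInstallPath 'Logging\FedRefresh.log'

$refreshScript = @'
# Refresh-FederationTrust.ps1 - pull fresh metadata from the Microsoft Federation
# Gateway and log the token-issuer certificate thumbprint before and after.
. "$env:ExchangeInstallPath\bin\RemoteExchange.ps1"
Connect-ExchangeServer -auto -ClientApplication:ManagementShell

$log = Join-Path $env:ExchangeInstallPath 'Logging\FedRefresh.log'
foreach ($trust in Get-FederationTrust) {
    $before = $trust.TokenIssuerCertificate.Thumbprint
    Set-FederationTrust -Identity $trust.Name -RefreshMetadata
    $after = (Get-FederationTrust -Identity $trust.Name).TokenIssuerCertificate.Thumbprint
    $state = if ($before -eq $after) { 'unchanged' } else { "rotated from $before" }
    '{0:s} {1}: token issuer cert {2} ({3})' -f (Get-Date), $trust.Name, $after, $state |
        Out-File -FilePath $log -Append
}
'@
Set-Content -Path $scriptPath -Value $refreshScript -Encoding ASCII

# Same principal (SYSTEM) and daily schedule as the schtasks one-liner above.
$psExe     = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$action    = New-ScheduledTaskAction -Execute $psExe `
                 -Argument "-NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'FedRefresh' -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Run it once now and confirm it succeeded (LastTaskResult 0) and wrote a log line.
# Loading the Exchange snap-in takes a while, hence the wait.
Start-ScheduledTask -TaskName 'FedRefresh'
Start-Sleep -Seconds 120
Get-ScheduledTaskInfo -TaskName 'FedRefresh' | Select-Object LastRunTime, LastTaskResult
Get-Content -Path $logPath -Tail 1
```

The log line gives you a one-glance answer to "did the Gateway rotate its certificate and did we pick it up", which is exactly the failure this whole exercise is meant to prevent.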

Source: Expta

How to Perform an Extended Message Trace in Office 365

You can use Message Trace from the Exchange Admin Center in the Office 365 Portal to trace emails through Exchange Online. You can trace messages based upon a number of criteria including email address, date range, delivery status, or message ID.

To perform a Message Trace, click Mail Flow in the EAC and select Message Trace, then enter the trace criteria. The high-level results will output to a new browser window.

High-Level Message Trace Output

Click the “pencil” icon to see more details on the selected item.

Detailed Message Trace Output
A standard message trace is useful for basic message tracing. It answers the question, “Did the message get delivered?”, but that’s about it. If you want to see all the real details of message transport you need to perform extended message tracing.
The trick to perform an extended message trace using the EAC is you have to choose a Custom date range of 8 days or more. You will then see additional options for the trace at the bottom of the form. Note that Exchange Online keeps logs for the last 90 days.
Extended Message Trace Options

Click the checkbox for Include message events and routing details with report; otherwise the report will only include a few more fields than a regular trace: origin_timestamp, sender_address, recipient_status, message_subject, total_bytes, message_id, network_message_id, original_client_ip, directionality, connector_id, and delivery_priority. It also won’t show each hop through Exchange Online.
Note that including message events and routing details will result in a larger report that takes longer to process, so you will probably want to scope the message trace down to a particular sender or recipient. The following details will be included in the report: date_time, client_ip, client_hostname, server_ip, server_hostname, source_context, connector_id, source, event_id, internal_message_id, message_id, network_message_id, recipient_address, recipient_status, total_bytes, recipient_count, related_recipient_address, reference, message_subject, sender_address, return_path, message_info, directionality, tenant_id, original_client_ip, original_server_ip, and custom_data.
You have the option to choose the message direction (Inbound, Outbound, or All) and the original client IP address, if desired. You can also specify the report title and a notification email address. Note that the email address must be one for an accepted domain in your tenant. The mailbox does not have to be in the cloud.
The search will take some time, depending on the search criteria you entered and the volume of email. You can click View pending or completed traces at the top of the Message Trace form to view the status of the extended trace. When it completes you can click the link to Download this report or, if you configured the search to send a notification, click the report link in the notification email.
The extended message trace output is a CSV file that you can save and open in Excel. Here’s the best way to view it in Excel:
  • Select cell A1 and press Shift-Ctrl-End to highlight all the cells.
  • Click Insert > Table and click OK.
  • Click View Freeze Panes > Freeze Top Row.
  • Select the entire worksheet and then double-click the line between columns A and B to autosize all the columns in the table.
Auto size the columns in Excel
You will then have an extended trace report showing all the transport details of the messages that match your search criteria. This report can be filtered by clicking the drop down arrows on the title row.
If you plan to save the report, be sure to save it as an Excel Workbook (*.xlsx) or you will lose the formatting.
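Excel filtering works, but the question you usually have is "for this message, which hops did it go through and where did it stop?", which means grouping the rows by network_message_id and ordering them by date_time. The script below does that from the extended trace CSV. It is an added example, not part of the original post. The five rows embedded in it are constructed for illustration (the hostnames, message IDs and addresses are made up) and carry only a subset of the columns listed above; a real export has all of them, and the same code runs unchanged against it via Import-Csv.

```powershell
# Added example: per-message hop reconstruction from an extended message trace
# CSV. The sample rows are constructed; column names match the report's.

$sampleCsv = @'
date_time,client_ip,server_hostname,source,event_id,message_id,network_message_id,recipient_address,recipient_status,sender_address,message_subject,directionality,original_client_ip
2014-08-20T14:01:02.120Z,203.0.113.10,BN1PR03MB001.namprd03.prod.outlook.com,SMTP,RECEIVE,<a1@example.net>,11111111-aaaa-4aaa-8aaa-000000000001,alice@contoso.com,,bob@example.net,Quarterly report,Incoming,203.0.113.10
2014-08-20T14:01:02.900Z,,BN1PR03MB001.namprd03.prod.outlook.com,AGENT,AGENTINFO,<a1@example.net>,11111111-aaaa-4aaa-8aaa-000000000001,alice@contoso.com,,bob@example.net,Quarterly report,Incoming,203.0.113.10
2014-08-20T14:01:04.330Z,,BN1PR03MB001.namprd03.prod.outlook.com,STOREDRIVER,DELIVER,<a1@example.net>,11111111-aaaa-4aaa-8aaa-000000000001,alice@contoso.com,,bob@example.net,Quarterly report,Incoming,203.0.113.10
2014-08-20T14:05:10.000Z,198.51.100.7,BN1PR03MB002.namprd03.prod.outlook.com,SMTP,RECEIVE,<z9@mail.example.org>,22222222-bbbb-4bbb-8bbb-000000000002,nobody@contoso.com,,billing@mail.example.org,Invoice 4471,Incoming,198.51.100.7
2014-08-20T14:05:11.500Z,,BN1PR03MB002.namprd03.prod.outlook.com,SMTP,FAIL,<z9@mail.example.org>,22222222-bbbb-4bbb-8bbb-000000000002,nobody@contoso.com,550 5.1.1 RESOLVER.ADR.RecipNotFound; not found,billing@mail.example.org,Invoice 4471,Incoming,198.51.100.7
'@

function Get-MessageHops {
    # Groups trace rows by network_message_id and orders each group by time,
    # so the first row is the entry point and the last row is the final event.
    param([Parameter(Mandatory)][object[]]$Rows)
    $Rows | Group-Object network_message_id | ForEach-Object {
        $hops = @($_.Group | Sort-Object { [datetime]$_.date_time })
        $last = $hops[-1]
        [pscustomobject]@{
            NetworkMessageId = $_.Name
            Sender           = $hops[0].sender_address
            Recipient        = $hops[0].recipient_address
            Subject          = $hops[0].message_subject
            OriginalClientIp = $hops[0].original_client_ip
            Hops             = $hops.Count
            FinalEvent       = $last.event_id
            FinalStatus      = $last.recipient_status
            Path             = ($hops | ForEach-Object { "$($_.event_id)@$($_.server_hostname)" }) -join ' -> '
        }
    }
}

$rows = $sampleCsv | ConvertFrom-Csv
Get-MessageHops -Rows $rows | Format-Table NetworkMessageId, Sender, Hops, FinalEvent, Path -AutoSize

# Anything whose last event is not DELIVER (inbound) or SEND (outbound) needs a look;
# FinalStatus carries the SMTP response text for FAIL events.
Get-MessageHops -Rows $rows | Where-Object { $_.FinalEvent -notin 'DELIVER', 'SEND' } |
    Format-List Sender, Recipient, Subject, FinalEvent, FinalStatus

# Against a real download: $rows = Import-Csv 'C:\path\to\MessageTraceDetail.csv'
```

In the sample, the first message shows RECEIVE -> AGENTINFO -> DELIVER and the second stops at FAIL with the 550 recipient-not-found text, which is the kind of answer the standard trace cannot give you.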

Source: Expta

EXPTA Gen5 Windows 2012 R2 Hyper-V Server for Around $1,000 USD – Parts Lists and Videos!

I’m very pleased to announce the release of my 5th generation Windows Server 2012 R2 Hyper-V lab server, the Gen5!

You can use this home server to create your own private cloud, prototype design solutions, test new software, and run your own network like I do. Nothing provides a better learning tool than hands-on experience!

This is faster and more powerful than my 4th generation server and costs about $200 less!

My Design Requirements

This design is the best of all worlds – super-fast performance with higher SSD capacity at less cost. My core design criteria:

  • Windows Server 2012 R2 Hyper-V capable. Hyper-V for Windows Server 2012 R2 requires hypervisor-ready processors with Second Level Address Translation (SLAT).
  • Minimum of 4 cores
  • 32GB of fast DDR3 RAM
  • Must support fast SATA III 6Gb/s drives
  • Must have USB 3.0 ports for future portable devices
  • Low power requirements
  • Must be quiet
  • Small form factor
  • Budget: Around $1,000 USD

In the land of virtual machines, I/O is king. SSDs provide the biggest performance gains by far. You can invest in the fastest processor and RAM available, but if you’re waiting on the disk subsystem you won’t notice much in performance gains. That’s why I focus on hyper-fast high-capacity SSDs in this build. Thankfully, SSDs have gotten bigger, faster, and cheaper over time. I’m going with brand new Crucial MX100 SATA3 SSDs in the Gen5 – one 256GB SSD for the OS and another 512GB SSD for active VMs. The 512GB drive is rated at up to 90,000 IOPS for 4KB random reads and up to 85,000 IOPS for random writes (the 256GB drive at 85,000 and 70,000 respectively).

The second most important factor in Hyper-V server design is capacity. Memory, and to a smaller degree CPU, determines how many VMs you can run at once. Because I want a small form factor, I need to go with a MicroATX motherboard, and the maximum amount of memory that can be installed on these Intel-based motherboards is 32GB RAM. I chose 32GB Corsair XMS3 DDR3 RAM for this build. This is 1.5V PC3-10666 (1333 MHz) RAM with 9-9-9-24 timings (CAS latency 9). The single package includes four matched 8GB 240-pin dual-channel DIMMs.

The processor I chose is the new Intel Core i5-4590S Haswell Refresh quad-core CPU. Even though all four cores run at a quick 3.0 GHz, it still uses only 65W. Turbo Boost takes it up to 3.7 GHz when needed, but it’s already plenty fast enough. The Intel aluminum heatsink and fan included with the processor keeps the CPU running cool and quiet without the need for exotic liquid cooling or extra fans. This processor includes integrated Intel HD Graphics 4600, so there’s no need for a discrete video adapter.

I chose the ASRock B85M PRO4 Micro-ATX motherboard for the Gen5. I’ve used ASRock for previous builds and I think they produce some of the best motherboards available. This LGA 1150 mobo provides 4x SATA3 6Gbps ports (enough for all the drives in the Gen5) plus 2x SATA2 3Gbps ports. It also features the Intel B85 chipset, USB 3.0 and USB 2.0 headers, HDMI/DVI/VGA outputs, and an Intel I217V Gigabit NIC (which requires some tweaking – see my build notes below).

For mass storage I chose the tried-and-true Western Digital WD Blue 1TB SATA3 hard disk and a Samsung SH-224DB/RSBS 24X SATA DVD±RW drive. I use the WD Caviar Blue drive to store ISOs and VM base images. You can get a larger 2TB or 3TB version of the same drive for a few bucks more, but 1TB is plenty for most needs. Even so, I enable Windows Server 2012 R2 disk deduplication on all my drives to reduce the storage footprint. To save power, I configure Windows power settings to turn off the drive after 10 minutes of non-use.

All these components reside in a cool IN-WIN BL631.300TBL MicroATX Slim Desktop case. This is a new chassis to me and I’m quite impressed. It’s smaller and lighter than the Rosewill Gen4 case and the build quality is great. Heavy gauge steel and no sharp edges. It includes a 300W power supply, which is more than enough. The total estimated power required for the Gen5 is normally 171W, and 191W with all drives running at the same time. The front panel has 4x USB 2.0 ports, audio outputs, and cool blue power light. I only wish the front USB ports were USB 3.0. I’ve actually found that it’s a lot more convenient to use a 6.5′ USB 3.0 A-Male to A-Female Extension Cable which I route up to my workspace, anyway.

Parts List

Here’s the complete parts list for the Gen5 including the necessary drive bay converter, cables, and adapters. As usual, I link to Amazon because they nearly always have everything in stock, their prices are very competitive, and Amazon Prime gets you free two-day shipping! If you don’t have Amazon Prime you can sign up here for a free 30-day trial and cancel after you’ve ordered the parts, if you want.

This time I’m including a handy “Buy from” button which allows you to put all the items into your cart with one click. That makes it easy to see the current price of all the items at once. Note that Amazon’s prices do change depending on inventory, promotions, etc. At the time I purchased these parts, the total came out to $1045.89 USD with free two-day shipping.


In-Win Case BL631.300TBL MicroATX Slim Desktop Black 300W 1×5.25 External Bays USB HD Audio

Sleek Micro ATX case with removable drive bay cage for easy access. 1x external 5.25″ drive bay and 2x internal 3.5″ drive bays. Includes quiet 300W PSU, 4x front USB 2.0 and audio ports. Great build quality and smooth folded edges. 3 year limited warranty.

Intel Core i5-4590S Processor (6M Cache, 3.70 GHz) BX80646I54590S

This is a 4th generation LGA 1150 Haswell Refresh Intel processor and includes Intel HD Graphics 4600. Runs at 3.0 GHz, with Turbo Boost up to 3.70 GHz. Requires only 65W! Includes Intel aluminum heat sink and silent fan. 3 year limited warranty.

Corsair XMS3 32GB (4x8GB) DDR3 1333 MHz (PC3 10666) Desktop Memory (CMX32GX3M4A1333C9)

1.5V 240-pin dual channel 1333MHz DDR3 SDRAM with built-in heat spreaders. 9-9-9-24 timings (CAS latency 9). Great RAM at a great price. Package contains 4x 8GB DIMMs (32GB). Lifetime warranty.

ASRock LGA1150/Intel B85/DDR3/Quad CrossFireX/SATA3 and USB 3.0/A&GbE/MicroATX Motherboard B85M PRO4

I chose this LGA 1150 Micro ATX motherboard because it has 4x SATA 6Gb/s and 2x SATA 3Gb/s connectors. It uses the Intel B85 Express chipset, has 1x PCI-E 3.0 slot, 1x PCI-E 2.0 slot, 2x PCI slots, HDMI/DVI/VGA outputs, USB 3.0 and 2.0 ports, and an Intel I217V Gigabit NIC (see below). It also has a great UEFI BIOS (see video). 3 year limited warranty.

Crucial MX100 256GB SATA 2.5″ 7mm (with 9.5mm adapter) Internal Solid State Drive CT256MX100SSD1

256GB SATA 6Gb/s (SATA III) SSD used for the Windows Server 2012 R2 operating system. New Marvell 88SS9189 controller with Micron Custom Firmware. MLC delivers up to 85,000 IOPS 4KB random read / 70,000 IOPS 4KB random write. 3 year warranty.

Crucial MX100 512GB SATA 2.5″ 7mm (with 9.5mm adapter) Internal Solid State Drive CT512MX100SSD1

512GB SATA 6Gb/s (SATA III) SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Lync servers, etc.). MLC delivers up to 90K IOPS 4KB random read / 85K IOPS 4KB random write speed. Mwahaha! 3 year limited

WD Blue 1 TB Desktop Hard Drive: 3.5 Inch, 7200 RPM, SATA 6 Gb/s, 64 MB Cache – WD10EZEX

Best selling 1TB Western Digital Caviar Blue SATA 6Gb/s (SATA III) drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after 10 minutes to save even more power. 2 year

Samsung SH-224DB/RSBS 24X SATA DVD±RW Internal Drive

Great quality 24x ±RW DVD burner. It’s cheap, too. Even though it’s SATA2, I connect this to one of the SATA3 ports on the motherboard for no particular reason. 1 year limited warranty.

SABRENT 3.5-Inch to SSD / 2.5-Inch HDD Bay Drives Converter (BK-HDDH)

Metal mounting kit for 2.5″ SSD drives. One mounting kit holds up to two SSD drives, stacked on top of each

StarTech 6in 4 Pin Molex to SATA Power Cable Adapter (SATAPOWADAP)

The IN-WIN’s 300W power supply has three SATA power connectors for drives, which is one short of what we need. Use this adapter to convert one of the two Molex connectors to SATA.

C&E CNE11445 SATA Data Cable (2pk.)

We need 4x SATA cables for this build. The ASRock motherboard comes with two black SATA cables and the Samsung DVD burner comes with another red SATA cable, so I need one more. This two-pack is cheaper than some single cables and who doesn’t need an extra SATA cable anyway. Flat (not L shaped) connectors work best for this build. FYI there’s no technical difference between SATA2 and SATA3 cables.

Click the video below for a description of my 5th Generation Hyper-V Lab server. Sorry Apple device users, the videos and slideshow below use Flash. 🙁

Here’s a video demonstrating the blistering fast boot speed of this server:

Build Notes

Pictures speak louder than words. Here’s a slideshow showing how I assembled the Gen5 server with detailed photos where needed.

Once the components are put together you need to configure the UEFI BIOS before you can install Windows Server 2012 R2. Here’s a helpful video showing how to update and configure the ASRock’s UEFI BIOS:

Sweet! Now it’s time to install Windows Server 2012 R2, which takes about 8 minutes from DVD. Amazing!

How to install the Intel I217V NIC Driver

After you install the OS we need to update the drivers, but there’s a problem. Intel doesn’t want you to use their desktop-class I217-V gigabit network adapter in Windows Server, so they cripple the drivers so they won’t install on anything better than Windows 8.1. This is chicken poop, as far as I’m concerned, and shame on them! Lucky for you, I’ve done the hard work to remove this obstacle.

  • Run the following from an elevated CMD prompt:

bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON

  • Reboot the server.
  • Download the latest network driver from the Intel Download Center. You’ll want the PROWinx64.exe file for Windows 8.1 x64.
  • Download the updated e1d64x64.inf driver file from my website.
  • Run the PROWinx64.exe file to extract the drivers and run the Intel(R) Network Connections Install Wizard. Do not click Next yet.
  • Right-click the Windows icon in the Taskbar, click Run, and enter %TEMP%. This will open File Explorer to the Temp folder used by Windows.
  • Open the RarSFX0 folder and drill down into the PRO1000\Winx64\NDIS64 folder.
  • Copy the e1d64x64.inf file you downloaded from my website to this folder, overwriting the existing file.
  • Now continue the Intel Network Connections Install Wizard to complete the installation of the new driver.
  • You will see a security warning that the updated INF file is not digitally signed. Click Install this driver software anyway.
  • The driver will install and the Intel adapter will be enabled.
  • Run the following from an elevated CMD prompt:

bcdedit -set loadoptions ENABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING OFF

  • Reboot the server and you’re done. Whew! Thanks a lot, Intel!!
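While TESTSIGNING is on and integrity checks are disabled, any kernel driver loads, signed or not, so that window should stay as short as the steps above and the server should not be exposed to anything else in the meantime. The check below, an added example that is not part of the original post, is what to run after the final reboot: it reads the current boot entry back from bcdedit to prove both settings are off again (it also checks the newer nointegritychecks element, which Windows 8.1/2012 R2 uses for the same purpose) and shows how Windows now classifies the I217-V driver package whose INF you edited. The '*I217*' device-name match is an assumption; adjust it if Device Manager shows a different name.

```powershell
# Added example: verify driver signature enforcement is back on after the
# Intel I217-V driver install, and report the installed driver's signing state.
# Assumes an elevated PowerShell on Server 2012 R2. Device-name match is assumed.

function Get-CodeIntegrityState {
    # bcdedit prints one "name   value" pair per line for the current boot entry.
    $bcd = bcdedit /enum '{current}' | Out-String
    $testSigning  = $bcd -match '(?m)^testsigning\s+Yes'
    $noIntegrity  = $bcd -match '(?m)^nointegritychecks\s+Yes'
    $loadOptions  = '(not set)'
    if ($bcd -match '(?m)^loadoptions\s+(\S+)') { $loadOptions = $Matches[1] }
    [pscustomobject]@{
        TestSigning       = $testSigning
        NoIntegrityChecks = $noIntegrity
        LoadOptions       = $loadOptions
    }
}

function Get-IntelNicDriverState {
    # Win32_PnPSignedDriver reports the driver package Windows bound to the device.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*I217*' } |
        Select-Object DeviceName, DriverVersion, DriverDate, InfName, IsSigned, Signer
}

$state = Get-CodeIntegrityState
$state
if ($state.TestSigning -or $state.NoIntegrityChecks -or
    $state.LoadOptions -eq 'DISABLE_INTEGRITY_CHECKS') {
    Write-Warning 'Driver signature enforcement is still relaxed; re-run the bcdedit commands and reboot.'
}
Get-IntelNicDriverState | Format-List
```

A "Test Mode" watermark in the lower-right corner of the desktop is the visual equivalent of TestSigning being True; if you see it, the last two bcdedit commands did not take.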

Now you can install the other software and utilities from the ASRock motherboard DVD. The installer itself won’t work because it’s written for Windows 8, so just drill into the Drivers folder using File Explorer. I recommend installing the following software:

  • Intel Chipset Device Software (Drivers\INF\Intel(v9.4.0.1026))
  • Intel Management Engine Components (Drivers\ME\Intel\v9.5.14.1724_5M)
  • Intel Graphics Driver (Drivers\VGA\Intel(v15.
  • Intel Rapid Storage Technology (Drivers\Rapid Storage Technology\Intel(v12.8.0.1016))
  • RealTek Audio Drivers (Drivers\Audio\REALTEK(7004))
  • Marvell MSU V4 (Drivers\SATA3\Marvell(v4.1.0.2013))
  • ASRock Restart to UEFI (Utilities\RestartToUEFI\ASRock)
  • ASRock A-Tuning Utility (Utilities\A-Tuning\ASRock)
After you’ve installed the configuration utilities you should see that there are no unknown devices in Device Manager. It’s time to install the Hyper-V role and start building out your home lab!

I’ll be presenting a session on building and managing this Hyper-V server at IT/Dev Connections in Las Vegas on September 17, 2014. There will be lots of great content delivered by MCMs, MVPs, and other independent experts. I really hope you can make it! Please contact me for a special discount code.

As always, if you have any questions or comments please leave them below. I hope you enjoy reading about these server builds and take the opportunity to make this investment in your career.

Source: Expta

Outlook Connection Status Shows "Clear [Anonymous]" and "SSL [No]"

If your mailbox is hosted in Office 365 Exchange Online you may be surprised to see that the Outlook Connection Status shows Authn “Clear [Anonymous]” and Encrypt “SSL [No]“, as shown below.

Outlook Connection Status
Note: You can view the Outlook Connection Status by Ctrl+right-clicking the Outlook icon in the notification area (system tray) while Outlook is open, or by running Outlook.exe /rpcdiag from the Run dialog.
Ctrl + Right-Click the Outlook Icon to view Connection Status
While “Clear [Anonymous]” authentication and “SSL [No]” encryption may look scary, understand that both authentication and encryption are enabled in the Service. 
The “Clear [Anonymous]” authentication method refers to the inner authentication channel that is no longer used in Office 365 since it only uses RPC over HTTPS. Technically, it should probably show either “n/a” or the external auth method (if Outlook can even see that). Just know that all authentication is performed at the HTTP layer now, which is encrypted via SSL.
The “SSL [No]” encryption method may well be a UI bug. I have a case open with Microsoft to look into it. In the meantime, I configured a Network Monitor trace to confirm that Outlook is using HTTPS to encrypt the authentication and connection with Office 365.

Here, we see a connection between Outlook 2013 and Exchange 2013.

Exchange 2013 NetMon Trace

The trace shows Outlook on the source computer (MAILGATE) starting up and connecting to the Exchange 2013 CAS (EX1).  In the first three frames we see Outlook negotiating with EX1 using HTTPS port 443. The next two frames show the SSL handshake and the certificate exchange with the target server, EX1. Note in the detail of frame 116 that the certificate being used to encrypt the conversation is a wildcard cert (* from DigiCert. From there on, we see that all communication is encrypted using TLS on port 443. All further authentication and application data transferred from EX1 is encrypted and cannot be read in the NetMon trace, proving that the entire conversation is encrypted.

Now let’s take a look at the same process when Outlook 2013 connects to Exchange Online in Office 365:

Office 365 NetMon Trace

This trace shows the identical sequence of events. MAILGATE negotiates with the Office 365 CAS (OFFICE365) in the first three frames using HTTPS port 443. The next two frames show the SSL handshake and the certificate exchange with the target server, OFFICE365. Note in the detail of frame 576 that the certificate being used to encrypt the conversation is a SAN cert ( from Microsoft IT. Just like the connection with Exchange 2013, the entire conversation is encrypted and cannot be read by NetMon.
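If you do not have NetMon handy, you can get the same assurance about the endpoint from the client side: open a TLS session to the CAS name Outlook uses, let .NET validate the certificate chain, and print the negotiated protocol, cipher and the certificate presented. The function below is an added example, not part of the original post. It complements the traces above rather than reproducing them: it shows what the endpoint offers a validating client, not what Outlook itself negotiated. outlook.office365.com is assumed as the Exchange Online endpoint; for on-premises, pass your CAS FQDN (the ex1.contoso.com name in the comment is made up).

```powershell
# Added example: client-side TLS check of a CAS endpoint. Assumes outbound 443
# is open and that the hostname passed is the one Outlook connects to.

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # No certificate-validation callback is supplied, so an untrusted or
        # mismatched certificate makes AuthenticateAsClient throw instead of
        # silently continuing, which is the behaviour you want in a check.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)

        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $sans   = '(none)'
        if ($sanExt) { $sans = $sanExt.Format($true) }

        [pscustomobject]@{
            Server          = "${Server}:$Port"
            Authenticated   = $ssl.IsAuthenticated
            Encrypted       = $ssl.IsEncrypted
            Protocol        = $ssl.SslProtocol
            Cipher          = '{0} ({1}-bit)' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            KeyExchange     = '{0} ({1}-bit)' -f $ssl.KeyExchangeAlgorithm, $ssl.KeyExchangeStrength
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            SubjectAltNames = $sans
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-TlsEndpoint -Server 'outlook.office365.com' | Format-List
# On-premises CAS (hostname assumed): Test-TlsEndpoint -Server 'ex1.contoso.com' | Format-List
```

Authenticated and Encrypted both reading True, with the Subject or SubjectAltNames covering the name you connected to, is the client-side equivalent of the unreadable application data in the trace. A thrown AuthenticationException means the chain did not validate, which is the case worth investigating.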

Source: Expta

Reporting Outlook Client Versions Using Log Parser Studio

Earlier, I wrote an article referencing Chris Lehr’s Log Parser script to identify and report which Outlook client versions are being used to access Exchange. You can read that article here.

Today, I’m showing you how to do the same thing with Log Parser Studio using a configuration written by my friend Lars Eber, an Exchange Premier Field Engineer at Microsoft. Log Parser Studio 2.0 is a customizable GUI tool that greatly simplifies creating complex Log Parser 2.2 command-line queries and presents the output natively in an easy to read fashion.

If you don’t have Log Parser 2.2 or Log Parser Studio 2.0 installed yet, you will need to do so. Just follow the links to download and install them (you’ll need both). Then run LPS.EXE from the C:\LPSV2.D1 folder to run Log Parser Studio.

Download Lars’ configuration from my website and unzip it to a temporary location. In Log Parser Studio, click File > Import > .XML to Library, select the ExchangeClientVersion.XML file you just extracted, and click the Merge Now button.

To run the query, first point Log Parser Studio at the log folder. Click the yellow folder icon and browse to the folder where the RPC Client Access logs exist (these are Exchange’s own logs, not the IIS logs). Normally, this is \\servername\c$\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access. Then select the Exchange Client Version Overview query in the library and click the red exclamation point icon to run it.

Log Parser Studio will run the query and provide easy to read results showing the user name, DN, client software, version, client mode (cached or online), client IP address, and the protocol used. Very useful!
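The same report can be produced without Log Parser at all, since the RPC Client Access logs are CSV files with a #Fields: header line naming the columns. The script below is an added example, not the original post’s method and not Lars’ query. The four log lines in it are constructed to match that header (the user DNs, IPs and build numbers are made up); against real logs you feed Get-Content the same folder path shown above. It counts distinct users and sessions per Outlook version and mode, and maps the major version to the product name, which is the part you usually have to look up.

```powershell
# Added example: Outlook client-version report straight from the RPC Client
# Access logs. Sample log lines are constructed; the #Fields header is the
# format Exchange 2013 writes.

$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: RCA Log
#Date: 2014-08-20T00:00:01.234Z
#Fields: date-time,session-id,seq-number,client-name,organization-info,client-software,client-software-version,client-mode,client-ip,server-ip,protocol,application-id,operation,rpc-status,processing-time,operation-specific,failures
2014-08-20T08:01:02.123Z,0001,1,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=alice,,OUTLOOK.EXE,15.0.4631.1000,Cached,192.0.2.10,10.0.0.5,RpcHttp,Client=MSExchangeRPC,Connect,ok,5,,
2014-08-20T08:01:05.456Z,0002,1,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=bob,,OUTLOOK.EXE,14.0.7116.5000,Classic,192.0.2.11,10.0.0.5,RpcHttp,Client=MSExchangeRPC,Connect,ok,7,,
2014-08-20T08:02:10.789Z,0003,1,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=alice,,OUTLOOK.EXE,15.0.4631.1000,Cached,192.0.2.10,10.0.0.5,RpcHttp,Client=MSExchangeRPC,Connect,ok,4,,
2014-08-20T08:03:00.000Z,0004,1,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=carol,,OUTLOOK.EXE,12.0.6680.5000,Cached,192.0.2.12,10.0.0.5,RpcHttp,Client=MSExchangeRPC,Connect,ok,9,,
'@

function ConvertFrom-RcaLog {
    # Uses the #Fields: line as the CSV header and skips the other comment lines.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $header = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $header
}

function Get-OutlookProduct {
    # Major version -> product name (15 = 2013, 14 = 2010, 12 = 2007).
    param([string]$Version)
    switch -Regex ($Version) {
        '^15\.' { return 'Outlook 2013' }
        '^14\.' { return 'Outlook 2010' }
        '^12\.' { return 'Outlook 2007' }
        default { return 'Unknown' }
    }
}

function Get-OutlookVersionReport {
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries |
        Where-Object { $_.'client-software' -eq 'OUTLOOK.EXE' } |
        Group-Object 'client-software-version', 'client-mode' |
        ForEach-Object {
            $ver = $_.Group[0].'client-software-version'
            [pscustomobject]@{
                Version  = $ver
                Product  = Get-OutlookProduct -Version $ver
                Mode     = $_.Group[0].'client-mode'      # Cached or Classic (online)
                Users    = @($_.Group.'client-name' | Sort-Object -Unique).Count
                Sessions = $_.Count
            }
        } | Sort-Object Version -Descending
}

$entries = ConvertFrom-RcaLog -Lines ($sampleLog -split "`r?`n")
Get-OutlookVersionReport -Entries $entries | Format-Table -AutoSize

# Real logs (read access to the admin share assumed):
# $lines = Get-Content '\\servername\c$\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access\*.LOG'
# Get-OutlookVersionReport -Entries (ConvertFrom-RcaLog -Lines $lines)
```

On the sample this yields one Outlook 2013 cached user with two sessions, one Outlook 2010 online-mode user and one Outlook 2007 user, which is the list you want before planning a client upgrade or tightening the allowed client versions on the server.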

Source: Expta