Scheduled Task to Update Your Federation Trust

Microsoft published an article this morning about keeping your federation trust up-to-date. This is really important if you are in a hybrid configuration or if you are sharing free/busy information between two different on-premises organizations using the Microsoft Federation Gateway as a trust broker. Microsoft periodically updates the certificates used by the Microsoft Federation Gateway and updating your federation trust keeps these certs up-to-date.



Exchange 2013 SP1 and later automatically updates the federation trust. If you’re running at least this version of Exchange 2013 (and you should), you’re good to go. If you’re an Exchange 2013 RTM/CU1/CU2/CU3 customer who hasn’t upgraded yet, read on…



In the article, Microsoft provides a command to run on one of your Exchange 2010 servers that creates a Scheduled Task to update the federation trust daily. This script only works on Exchange 2010. If you have a pure Exchange 2013 pre-SP1 environment, you can use this command to create a scheduled task:

Schtasks /create /sc Daily /tn FedRefresh /tr "%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -command \". $ENV:ExchangeInstallPath\bin\RemoteExchange.ps1; Connect-ExchangeServer -auto -ClientApplication:ManagementShell;$fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata\"" /ru System

Note that this version also works on Exchange 2010 servers, and it also works in the rare case where PowerShell is not installed on the C: volume, because it resolves powershell.exe through %SYSTEMROOT% and the Exchange scripts through $ENV:ExchangeInstallPath instead of hard-coded paths.
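The same daily task expressed with the ScheduledTasks module instead of schtasks.exe, plus a status check, as an added example that is not part of the original post. It assumes an elevated PowerShell session on Windows Server 2012 or later with the Exchange Management Shell installed locally (so $env:ExchangeInstallPath and RemoteExchange.ps1 exist); the 03:00 run time and the user name in the Test-FederationTrust call are placeholders.

```powershell
# Added example, not from the original post: creates the daily FedRefresh task with the
# ScheduledTasks module (Windows Server 2012+) and reports on its last run.
# Assumes an elevated session on a server with the Exchange Management Shell installed.

function New-FedRefreshTask {
    param(
        [string]$TaskName = 'FedRefresh',
        [string]$At       = '03:00'      # daily run time (assumed); any quiet hour will do
    )

    # The command the post runs through schtasks, kept in one single-quoted string so nothing
    # is expanded here; the child powershell.exe expands $env:ExchangeInstallPath at run time.
    $exchangeCmd = '. $env:ExchangeInstallPath\bin\RemoteExchange.ps1; ' +
                   'Connect-ExchangeServer -auto -ClientApplication:ManagementShell; ' +
                   '$fedTrust = Get-FederationTrust; ' +
                   'Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata'

    # Resolve powershell.exe from %SystemRoot% so the task also works when Windows is not on C:
    $psExe  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $action = New-ScheduledTaskAction -Execute $psExe `
                  -Argument ('-NoProfile -NonInteractive -Command "{0}"' -f $exchangeCmd)
    $trigger = New-ScheduledTaskTrigger -Daily -At $At

    # Run as LocalSystem, matching the post's "/ru System"
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -Principal $principal -Force
}

function Get-FedRefreshStatus {
    param([string]$TaskName = 'FedRefresh')
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    [pscustomobject]@{
        TaskName       = $TaskName
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult     # 0 means the last run exited cleanly
        NextRunTime    = $info.NextRunTime
        MissedRuns     = $info.NumberOfMissedRuns
    }
}

# Usage:
# New-FedRefreshTask
# Start-ScheduledTask -TaskName FedRefresh            # run it once now instead of waiting for 03:00
# Get-FedRefreshStatus
# Test-FederationTrust -UserIdentity user@contoso.com  # end-to-end check from the Exchange shell (placeholder user)
```

Get-FedRefreshStatus is the part worth keeping around: a LastTaskResult other than 0, or a growing MissedRuns count, means the metadata is no longer being refreshed and the next Federation Gateway certificate rollover will break free/busy sharing.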



Source: Expta

How to Perform an Extended Message Trace in Office 365

You can use Message Trace from the Exchange Admin Center in the Office 365 Portal to trace emails through Exchange Online. You can trace messages based upon a number of criteria including email address, date range, delivery status, or message ID.



To perform a Message Trace, click Mail Flow in the EAC and select Message Trace, then enter the trace criteria. The high-level results will output to a new browser window.



High-Level Message Trace Output

Click the “pencil” icon to see more details on the selected item.



Detailed Message Trace Output

A standard message trace is useful for basic message tracing. It answers the question, “Did the message get delivered?”, but that’s about it. If you want to see all the real details of message transport you need to perform extended message tracing.



The trick to performing an extended message trace in the EAC is that you have to choose a custom date range of 8 days or more. You will then see additional options for the trace at the bottom of the form. Note that Exchange Online keeps logs for the last 90 days.



Extended Message Trace Options


Click the checkbox for Include message events and routing details with report, otherwise the report will only include a few more details than a regular trace: origin_timestamp, sender_address, recipient_status, message_subject, total_bytes, message_id, network_message_id, original_client_ip, directionality, connector_id, and delivery_priority. It also won’t show each hop through Exchange online.



Note that including message events and routing details will result in a larger report that takes longer to process, so you will probably want to scope the message trace down to a particular sender or recipient. The following details will be included in the report: date_time, client_ip, client_hostname, server_ip, server_hostname, source_context, connector_id, source, event_id, internal_message_id, message_id, network_message_id, recipient_address, recipient_status, total_bytes, recipient_count, related_recipient_address, reference, message_subject, sender_address, return_path, message_info, directionality, tenant_id, original_client_ip, original_server_ip, and custom_data.



You have the option to choose the message direction (Inbound, Outbound, or All) and the original client IP address, if desired. You can also specify the report title and a notification email address. Note that the email address must be one for an accepted domain in your tenant. The mailbox does not have to be in the cloud.



The search will take some time, depending on the search criteria you entered and the volume of email. You can click View pending or completed traces at the top of the Message Trace form to view the status of the extended trace. When it completes you can click the link to Download this report or, if you configured the search to send a notification, click the report link in the notification email.

The extended message trace output is a CSV file that you can save and open in Excel. Here’s the best way to view it in Excel:

  • Select cell A1 and press Shift-Ctrl-End to highlight all the cells.
  • Click Insert > Table and click OK.
  • Click View > Freeze Panes > Freeze Top Row.
  • Select the entire worksheet and then double-click the line between columns A and B to autosize all the columns in the table.

Auto size the columns in Excel

You will then have an extended trace report showing all the transport details of the messages that match your search criteria. This report can be filtered by clicking the drop-down arrows on the title row.

If you plan to save the report, be sure to save it as an Excel Workbook (*.xlsx) or you will lose the formatting.
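For reports too large to sift through in Excel, the hop reconstruction described above can be done in PowerShell. This is an added example, not part of the original post: $sampleTrace is a constructed sample that uses only a subset of the report columns listed above (a real download has all of them, and the function reads only the ones it names), and the Start-HistoricalSearch call at the end is the PowerShell equivalent of the EAC form, assuming a connected Exchange Online PowerShell session and placeholder addresses.

```powershell
# Added example, not from the original post: rebuilds the per-message hop sequence from an
# extended message trace CSV and flags messages with a FAIL event.
# $sampleTrace is a constructed sample with a subset of the real report's columns.

$sampleTrace = @'
date_time,server_hostname,source,event_id,message_id,sender_address,recipient_address,recipient_status,original_client_ip
2014-08-20T14:02:11.123Z,BY2PR01MB001,SMTP,RECEIVE,<msg1@contoso.com>,alice@contoso.com,bob@fabrikam.com,,203.0.113.10
2014-08-20T14:02:12.456Z,BY2PR01MB001,AGENT,AGENTINFO,<msg1@contoso.com>,alice@contoso.com,bob@fabrikam.com,,203.0.113.10
2014-08-20T14:02:13.789Z,BY2PR01MB001,SMTP,SEND,<msg1@contoso.com>,alice@contoso.com,bob@fabrikam.com,250 2.6.0 OK,203.0.113.10
2014-08-20T14:05:01.000Z,BY2PR01MB002,SMTP,RECEIVE,<msg2@contoso.com>,alice@contoso.com,nobody@fabrikam.com,,203.0.113.10
2014-08-20T14:05:03.000Z,BY2PR01MB002,SMTP,FAIL,<msg2@contoso.com>,alice@contoso.com,nobody@fabrikam.com,550 5.1.1 User unknown,203.0.113.10
'@

function Get-MessageHops {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string]$Sender                      # optional filter, like scoping the trace to one sender
    )
    $rows = $CsvText | ConvertFrom-Csv
    if ($Sender) { $rows = $rows | Where-Object { $_.sender_address -eq $Sender } }

    $rows | Group-Object message_id | ForEach-Object {
        # Order events by time so the hop list reads in transport order, not CSV order
        $events = @($_.Group | Sort-Object { [datetime]$_.date_time })
        $fail   = $events | Where-Object { $_.event_id -eq 'FAIL' } | Select-Object -First 1
        [pscustomobject]@{
            MessageId = $_.Name
            Sender    = $events[0].sender_address
            Recipient = $events[0].recipient_address
            ClientIP  = $events[0].original_client_ip
            FirstSeen = $events[0].date_time
            LastSeen  = $events[-1].date_time
            Hops      = ($events | ForEach-Object { '{0}:{1}/{2}' -f $_.server_hostname, $_.source, $_.event_id }) -join ' -> '
            Outcome   = if ($fail) { $fail.recipient_status } else { 'no FAIL event' }
        }
    }
}

# Offline run over the constructed sample:
Get-MessageHops -CsvText $sampleTrace | Format-Table -AutoSize
# Real data: point it at the downloaded report instead
# Get-MessageHops -CsvText (Get-Content .\MessageTraceDetail.csv -Raw) -Sender alice@contoso.com

# The same extended trace requested without the EAC (assumes a connected Exchange Online session):
# Start-HistoricalSearch -ReportTitle 'alice outbound' -ReportType MessageTraceDetail `
#     -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) `
#     -SenderAddress alice@contoso.com -NotifyAddress admin@contoso.com
```

Grouping on message_id rather than network_message_id keeps one row per message as the sender sees it; the Hops column then reads server:source/event in time order, which is the "each hop through Exchange Online" detail the extended report adds over a regular trace.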

Source: Expta

EXPTA Gen5 Windows 2012 R2 Hyper-V Server for Around $1,000 USD – Parts Lists and Videos!


I’m very pleased to announce the release of my 5th generation Windows Server 2012 R2 Hyper-V lab server, the Gen5!

You can use this home server to create your own private cloud, prototype design solutions, test new software, and run your own network like I do. Nothing provides a better learning tool than hands-on experience!



This is faster and more powerful than my 4th generation server and costs about $200 less!

My Design Requirements


This design is the best of all worlds – super-fast performance with higher SSD capacity at less cost. My core design criteria:

  • Windows Server 2012 R2 Hyper-V capable. Hyper-V for Windows Server 2012 R2 requires hypervisor-ready processors with Second Level Address Translation (SLAT).
  • Minimum of 4 cores
  • 32GB of fast DDR3 RAM
  • Must support fast SATA III 6Gb/s drives
  • Must have USB 3.0 ports for future portable devices
  • Low power requirements
  • Must be quiet
  • Small form factor
  • Budget: Around $1,000 USD

In the land of virtual machines, I/O is king. SSDs provide the biggest performance gains by far. You can invest in the fastest processor and RAM available, but if you’re waiting on the disk subsystem you won’t notice much in performance gains. That’s why I focus on hyper-fast high-capacity SSDs in this build. Thankfully, SSDs have gotten bigger, faster, and cheaper over time. I’m going with brand new Crucial MX100 SATA3 SSDs in the Gen5 – one 256GB SSD for the OS and another 512GB SSD for active VMs. These drives provide up to 90,000 IOPS for random reads and up to 85,000 IOPS for random writes.


The second most important factor in Hyper-V server design is capacity. Memory, and to a smaller degree CPU, drives how many VMs you can run at once. Because I want a small form-factor, I need to go with a MicroATX motherboard and the maximum amount of memory that can be installed on these Intel-based motherboards is 32GB RAM. I chose 32GB Corsair XMS3 DDR3 RAM for this build. This is 1.5V PC-1333 RAM with a low Cas 9 latency and 9-9-9-24 timing. The single package includes four matched 8GB 240-pin dual-channel DIMMs.



The processor I chose is the new Intel I5-4590S Haswell-R Quad-Core CPU. Even though all four cores run at a quick 3.0 GHz, it still uses only 65W. It can be overclocked to 3.7 GHz, but it’s already plenty fast enough. The beautiful Intel aluminum heatsink and fan included with the processor keeps the CPU running cool and quiet without the need for exotic liquid cooling or extra fans. This processor includes integrated Intel HD Graphics 4600, so there’s no need for a discrete video adapter.



I chose the ASRock B85M PRO4 Micro-ATX motherboard for the Gen5. I’ve used ASRock for previous builds and I think they produce some of the best motherboards available. This LGA 1150 mobo provides 4x SATA3 6Gbps ports (enough for all the drives in the Gen5) plus 2x SATA2 3Gbps ports. It also features the Intel B85 chipset, USB 3.0 and USB 2.0 headers, HDMI/DVI/VGA outputs, and an Intel I217V Gigabit NIC (which requires some tweaking – see my build notes below).



For mass storage I chose the tried-and-true Western Digital WD Blue 1TB SATA3 hard disk and a Samsung SH-224DB/RSBS 24X SATA DVD±RW drive. I use the WD Caviar Blue drive to store ISOs and VM base images. You can get a larger 2TB or 3TB version of the same drive for a few bucks more, but 1TB is plenty for most needs. Even so, I enable Windows Server 2012 R2 disk deduplication on all my drives to reduce the storage footprint. To save power, I configure Windows power settings to turn off the drive after 10 minutes of non-use.

All these components reside in a cool IN-WIN BL631.300TBL MicroATX Slim Desktop case. This is a new chassis to me and I’m quite impressed. It’s smaller and lighter than the Rosewill Gen4 case and the build quality is great. Heavy gauge steel and no sharp edges. It includes a 300W power supply, which is more than enough. The total estimated power required for the Gen5 is normally 171W, and 191W with all drives running at the same time. The front panel has 4x USB 2.0 ports, audio outputs, and a cool blue power light. I only wish the front USB ports were USB 3.0. I’ve actually found that it’s a lot more convenient to use a 6.5′ USB 3.0 A-Male to A-Female Extension Cable which I route up to my workspace, anyway.

Parts List


Here’s the complete parts list for the Gen5 including the necessary drive bay converter, cables, and adapters. As usual, I link to Amazon because they nearly always have everything in stock, their prices are very competitive, and Amazon Prime gets you free two-day shipping! If you don’t have Amazon Prime you can sign up here for a free 30-day trial and cancel after you’ve ordered the parts, if you want.



This time I’m including a handy “Buy from Amazon.com” button which allows you to put all the items into your cart with one click. That makes it easy to see the current price of all the items at once. Note that Amazon’s prices do change depending on inventory, promotions, etc. At the time I purchased these parts, the total came out to $1045.89 USD with free two-day shipping.

Item and description:

  • In-Win Case BL631.300TBL MicroATX Slim Desktop Black 300W 1×5.25 External Bays USB HD Audio
    Sleek Micro ATX case with removable drive bay cage for easy access. 1x external 5.25″ drive bay and 2x internal 3.5″ drive bays. Includes quiet 300W PSU, 4x front USB 2.0 and audio ports. Great build quality and smooth folded edges. 3 year limited warranty.
  • Intel Core i5-4590S Processor (6M Cache, 3.70 GHz) BX80646I54590S
    This is a 4th generation LGA 1150 Haswell-R Intel processor and includes Intel HD Graphics 4600. Runs at 3.0 GHz, but can be overclocked up to 3.70 GHz. Requires only 65W! Includes Intel aluminum heat sink and silent fan. 3 year limited warranty.
  • Corsair XMS3 32GB (4x8GB) DDR3 1333 MHz (PC3 10666) Desktop Memory (CMX32GX3M4A1333C9)
    1.5V 240-pin dual channel 1333MHz DDR3 SDRAM with built-in heat spreaders. Low 9-9-9-24 Cas Latency. Great RAM at a great price. Package contains 4x 8GB DIMMs (32GB). Lifetime warranty.
  • ASRock LGA1150/Intel B85/DDR3/Quad CrossFireX/SATA3 and USB 3.0/A&GbE/MicroATX Motherboard B85M PRO4
    I chose this LGA 1150 Micro ATX motherboard because it has 4x SATA 6Gb/s and 2x SATA 3Gb/s connectors. It uses the Intel B85 Express chipset, has 1x PCI-E 3.0 slot, 1x PCI-E 2.0 slot, 2x PCI slots, HDMI/DVI/VGA outputs, USB 3.0 and 2.0 ports, and an Intel I217V Gigabit NIC (see below). It also has a great UEFI BIOS (see video). 3 year limited warranty.
  • Crucial MX100 256GB SATA 2.5″ 7mm (with 9.5mm adapter) Internal Solid State Drive CT256MX100SSD1
    256GB SATA 6Gb/s (SATA III) SSD used for the Windows Server 2012 R2 operating system. New Marvell 88SS9189 controller with Micron Custom Firmware. MLC delivers up to 85,000 IOPS 4KB random read / 70,000 IOPS 4KB random write. 3 year warranty.
  • Crucial MX100 512GB SATA 2.5″ 7mm (with 9.5mm adapter) Internal Solid State Drive CT512MX100SSD1
    512GB SATA 6Gb/s (SATA III) SSD used for active VMs (the VMs I normally have running, like a Domain Controller, Exchange servers, Lync servers, etc.). MLC delivers up to 90K IOPS 4KB random read / 85K IOPS 4KB random write speed. Mwahaha! 3 year limited warranty.
  • WD Blue 1 TB Desktop Hard Drive: 3.5 Inch, 7200 RPM, SATA 6 Gb/s, 64 MB Cache – WD10EZEX
    Best selling 1TB Western Digital Caviar Blue SATA 6Gb/s (SATA III) drive. Used for storing ISOs, seldom used VMs, base images, etc. I usually configure this drive to sleep after 10 minutes to save even more power. 2 year warranty.
  • Samsung SH-224DB/RSBS 24X SATA DVD±RW Internal Drive
    Great quality 24x ±RW DVD burner. It’s cheap, too. Even though it’s SATA2, I connect this to one of the SATA3 ports on the motherboard for no particular reason. 1 year limited warranty.
  • SABRENT 3.5-Inch to SSD / 2.5-Inch HDD Bay Drives Converter (BK-HDDH)
    Metal mounting kit for 2.5″ SSD drives. One mounting kit holds up to two SSD drives, stacked on top of each other.
  • StarTech 6in 4 Pin Molex to SATA Power Cable Adapter (SATAPOWADAP)
    The IN-WIN’s 300W power supply has three SATA power connectors for drives, which is one short of what we need. Use this adapter to convert one of the two Molex connectors to SATA.
  • C&E CNE11445 SATA Data Cable (2pk.)
    We need 4x SATA cables for this build. The ASRock motherboard comes with two black SATA cables and the Samsung DVD burner comes with another red SATA cable, so I need one more. This two-pack is cheaper than some single cables and who doesn’t need an extra SATA cable anyway. Flat (not L shaped) connectors work best for this build. FYI there’s no technical difference between SATA2 and SATA3 cables.



Click the video below for a description of my 5th Generation Hyper-V Lab server. Sorry Apple device users, the videos and slideshow below use Flash. :(

Here’s a video demonstrating the blistering fast boot speed of this server:

Build Notes


Pictures speak louder than words. Here’s a slideshow showing how I assembled the Gen5 server with detailed photos where needed.

Once the components are put together you need to configure the UEFI BIOS before you can install Windows Server 2012 R2. Here’s a helpful video showing how to update and configure the ASRock’s UEFI BIOS:

Sweet! Now it’s time to install Windows Server 2012 R2, which takes about 8 minutes from DVD. Amazing!

How to install the Intel I217V NIC Driver

After you install the OS we need to update the drivers, but there’s a problem. Intel doesn’t want you to use their desktop-class I217-V gigabit network adapter in Windows Server, so they cripple the drivers so they won’t install on anything better than Windows 8.1. This is chicken poop, as far as I’m concerned, and shame on them! Lucky for you, I’ve done the hard work to remove this obstacle.

  • Run the following from an elevated CMD prompt:

bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON

  • Reboot the server.
  • Download the latest network driver from the Intel Download Center. You’ll want the PROWinx64.exe file for Windows 8.1 x64.
  • Download the updated e1d64x64.inf driver file from my website.
  • Run the PROWinx64.exe file to extract the drivers and run the Intel(R) Network Connections Install Wizard. Do not click Next yet.
  • Right-click the Windows icon in the Taskbar and run %TEMP%. This will open File Explorer to the Temp folder used by Windows.
  • Open the RarSFX0 folder and drill down into the PRO1000\Winx64\NDIS64 folder.
  • Copy the e1d64x64.inf file you downloaded from my website to this folder, overwriting the existing file.
  • Now continue the Intel Network Connections Install Wizard to complete the installation of the new driver.
  • You will see a security warning that the updated INF file is not digitally signed. Click Install this driver software anyway.



  • The driver will install and the Intel adapter will be enabled.
  • Run the following from an elevated CMD prompt:

bcdedit -set loadoptions ENABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING OFF

  • Reboot the server and you’re done. Whew! Thanks a lot, Intel!!
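The two bcdedit changes in the steps above are temporary by design, so the last thing to do after the final reboot is confirm they really went back. The following check is an added example, not part of the original post: it parses the text of "bcdedit /enum {current}" so it can be exercised offline, and $sampleBcd is a constructed copy of what that output looks like while the install-time settings are still active. The "I217" filter in Get-IntelNicStatus is an assumption about the adapter's driver description.

```powershell
# Added example, not from the original post: verifies that test signing and the integrity-check
# override are back to their defaults after the driver install, and that the Intel NIC is up.
# $sampleBcd is a constructed sample of "bcdedit /enum {current}" output in the install-time state.

$sampleBcd = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows Server 2012 R2
loadoptions             DISABLE_INTEGRITY_CHECKS
testsigning             Yes
osdevice                partition=C:
systemroot              \Windows
'@

function Test-DriverSigningRestored {
    # With no argument, reads the live boot configuration (run elevated)
    param([string[]]$BcdOutput = (& bcdedit /enum '{current}'))

    $testSigning  = @($BcdOutput | Where-Object { $_ -match '^testsigning\s+Yes' }).Count -gt 0
    $integrityOff = @($BcdOutput | Where-Object {
        $_ -match '^(loadoptions\s+DISABLE_INTEGRITY_CHECKS|nointegritychecks\s+Yes)' }).Count -gt 0

    [pscustomobject]@{
        TestSigningOn      = $testSigning
        IntegrityChecksOff = $integrityOff
        Restored           = -not ($testSigning -or $integrityOff)   # both back to default
    }
}

function Get-IntelNicStatus {
    # Assumes the adapter's driver description contains "I217"; adjust the filter for other NICs
    Get-NetAdapter | Where-Object { $_.InterfaceDescription -like '*I217*' } |
        Select-Object Name, InterfaceDescription, Status, LinkSpeed, DriverVersion, DriverProvider
}

# Offline check against the constructed sample (expected: Restored = False)
Test-DriverSigningRestored -BcdOutput ($sampleBcd -split "`r?`n")
# Live check after the final reboot (expected: Restored = True, adapter Status = Up)
# Test-DriverSigningRestored
# Get-IntelNicStatus
```

If the live check still shows TestSigningOn or IntegrityChecksOff, the two bcdedit commands in the final step did not take and the box is still accepting unsigned kernel drivers; rerun them from an elevated prompt and reboot. ENABLE_INTEGRITY_CHECKS left in loadoptions is harmless and is not flagged.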

Now you can install the other software and utilities from the ASRock motherboard DVD. The installer itself won’t work because it’s written for Windows 8, so just drill into the Drivers folder using File Explorer. I recommend installing the following software:

  • Intel Chipset Device Software (Drivers\INF\Intel(v9.4.0.1026))
  • Intel Management Engine Components (Drivers\ME\Intel\v9.5.14.1724_5M)
  • Intel Graphics Driver (Drivers\VGA\Intel(v15.33.1.64.3277))
  • Intel Rapid Storage Technology (Drivers\Rapid Storage Technology\Intel(v12.8.0.1016))
  • RealTek Audio Drivers (Drivers\Audio\REALTEK(7004))
  • Marvell MSU V4 (Drivers\SATA3\Marvell(v4.1.0.2013))
  • ASRock Restart to UEFI (Utilities\RestartToUEFI\ASRock)
  • ASRock A-Tuning Utility (Utilities\A-Tuning\ASRock)
After you’ve installed the configuration utilities you should see that there are no unknown devices in Device Manager. It’s time to install the Hyper-V role and start building out your home lab!



I’ll be presenting a session on building and managing this Hyper-V server at IT/Dev Connections in Las Vegas on September 17, 2014. There will be lots of great content delivered by MCMs, MVPs, and other independent experts. I really hope you can make it! Please contact me for a special discount code.



As always, if you have any questions or comments please leave them below. I hope you enjoy reading about these server builds and take the opportunity to make this investment in your career.



Source: Expta

Outlook Connection Status Shows "Clear [Anonymous]" and "SSL [No]"

If your mailbox is hosted in Office 365 Exchange Online you may be surprised to see that the Outlook Connection Status shows Authn “Clear [Anonymous]” and Encrypt “SSL [No]”, as shown below.



Outlook Connection Status

Note: You can view the Outlook Connection Status by ctrl+right-clicking the Outlook icon in the Windows Taskbar when Outlook is open or by running Outlook /rpcdiag from the Run menu.

Ctrl + Right-Click the Outlook Icon to view Connection Status



While “Clear [Anonymous]” authentication and “SSL [No]” encryption may look scary, understand that both authentication and encryption are enabled in the Service. 



The “Clear [Anonymous]” authentication method refers to the inner authentication channel that is no longer used in Office 365 since it only uses RPC over HTTPS. Technically, it should probably show either “n/a” or the external auth method (if Outlook can even see that). Just know that all authentication is performed at the HTTP layer now, which is encrypted via SSL.



The “SSL [No]” encryption method may well be a UI bug. I have a case open with Microsoft to look into it. In the meantime, I configured a Network Monitor trace to confirm that Outlook is using HTTPS to encrypt the authentication and connection with Office 365.

Here, we see a connection between Outlook 2013 and Exchange 2013.

Exchange 2013 NetMon Trace
The trace shows Outlook on the source computer (MAILGATE) starting up and connecting to the Exchange 2013 CAS (EX1). In the first three frames we see Outlook negotiating with EX1 using HTTPS port 443. The next two frames show the SSL handshake and the certificate exchange with the target server, EX1. Note in the detail of frame 116 that the certificate being used to encrypt the conversation is a wildcard cert (*.theguillets.com) from DigiCert. From there on, we see that all communication is encrypted using TLS on port 443. All further authentication and application data transferred from EX1 is encrypted and cannot be read in the NetMon trace, proving that the entire conversation is encrypted.

Now let’s take a look at the same process when Outlook 2013 connects to Exchange Online in Office 365:

Office 365 NetMon Trace
This trace shows the identical sequence of events. MAILGATE negotiates with the Office 365 CAS (OFFICE365) in the first three frames using HTTPS port 443. The next two frames show the SSL handshake and the certificate exchange with the target server, OFFICE365. Note in the detail of frame 576 that the certificate being used to encrypt the conversation is a SAN cert (outlook.office365.com) from Microsoft IT. Just like the connection with Exchange 2013, the entire conversation is encrypted and cannot be read by NetMon.
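The same two facts the NetMon frames establish (the session is TLS, and the server presented the expected certificate) can be checked from PowerShell without a capture. This is an added example and not part of the original post; it uses only .NET classes present on Windows Server 2012 R2, and the host names in the usage lines are assumptions (outlook.office365.com is the Exchange Online endpoint named above; the on-premises CAS name is a placeholder).

```powershell
# Added example, not from the original post: negotiates TLS to an Outlook Anywhere endpoint and
# reports the protocol, cipher and server certificate that the NetMon trace shows by hand.

function Get-OutlookTlsInfo {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # $false = do not leave the inner stream open; no custom validation callback, so the
        # default chain check applies and AuthenticateAsClient throws on an untrusted certificate.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol            # e.g. Tls12
            Cipher      = '{0}/{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Subject     = $cert.Subject               # CN=outlook.office365.com or your wildcard
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage (needs network access to the endpoint):
# Get-OutlookTlsInfo -HostName outlook.office365.com
# Get-OutlookTlsInfo -HostName mail.example.com     # your Exchange 2013 CAS (placeholder name)
```

A thrown AuthenticationException is itself a finding: it means the certificate the endpoint presented does not chain to a root this machine trusts or does not match the name, which is exactly the case Outlook would also refuse regardless of what the Connection Status dialog displays.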

Source: Expta

Reporting Outlook Client Versions Using Log Parser Studio

Earlier, I wrote an article referencing Chris Lehr’s Log Parser script to identify and report which Outlook client versions are being used to access Exchange. You can read that article here.



Today, I’m showing you how to do the same thing with Log Parser Studio using a configuration written by my friend Lars Eber, an Exchange Premier Field Engineer at Microsoft. Log Parser Studio 2.0 is a customizable GUI tool that greatly simplifies creating complex Log Parser 2.2 command-line queries and presents the output natively in an easy to read fashion.

If you don’t have Log Parser 2.2 or Log Parser Studio 2.0 installed yet, you will need to do so. Just follow the links to download and install them (you’ll need both). Then run LPS.EXE from the C:\LPSV2.D1 folder to run Log Parser Studio.



Download Lars’ ExchangeClientVersion.zip configuration from my website and unzip it to a temporary location. In Log Parser Studio, click File > Import > .XML to Library, select the ExchangeClientVersion.XML file you just extracted, and click the Merge Now button.



To run the query, first configure Log Parser with the log folder location. Click the yellow folder icon and browse to the folder where the IIS logs exist. Normally, this is \\servername\c$\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access. Then select the Exchange Client Version Overview query in the library and click the red exclamation point icon to run it.



Log Parser Studio will run the query and provide easy-to-read results showing the user name, DN, client software, version, client mode (cached or online), client IP address, and the protocol used. Very useful!
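For servers where installing Log Parser is not an option, the same overview can be produced in PowerShell. This is an added example, not part of the original post and not Lars' query: it reads the column names from the log's own "#Fields:" header line instead of hardcoding them, so it follows the file rather than an assumed layout. $sampleLog is a constructed sample whose field list is assumed from the Exchange 2013 RPC Client Access log format, and the user DNs, versions and addresses in it are made up.

```powershell
# Added example, not from the original post: summarises Outlook client versions from the
# RPC Client Access logs, taking column names from the "#Fields:" header in the log itself.
# $sampleLog is a constructed sample in the assumed Exchange 2013 RCA log layout.

$sampleLog = @'
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: RCA Protocol Logs
#Date: 2014-08-20T00:00:00.000Z
#Fields: date-time,session-id,seq-number,client-name,organization-info,client-software,client-software-version,client-mode,client-ip,server-ip,protocol,application-id,operation,rpc-status,processing-time,operation-specific,failures
2014-08-20T08:01:02.123Z,0c4a1f,0,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=alice,,OUTLOOK.EXE,15.0.4631.1000,Cached,10.0.0.21,10.0.0.5,RpcHttp,,Connect,,12,,
2014-08-20T08:01:09.500Z,0c4a20,0,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=bob,,OUTLOOK.EXE,14.0.7116.5000,Classic,10.0.0.22,10.0.0.5,RpcHttp,,Connect,,15,,
2014-08-20T08:02:44.010Z,0c4a21,0,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=alice,,OUTLOOK.EXE,15.0.4631.1000,Cached,10.0.0.21,10.0.0.5,RpcHttp,,Connect,,9,,
2014-08-20T08:03:10.770Z,0c4a22,0,/o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=carol,,OUTLOOK.EXE,12.0.6680.5000,Classic,10.0.0.23,10.0.0.5,RpcHttp,,Connect,,30,,
'@

function ConvertFrom-RcaLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $header = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {                    # column names come from the log itself
            $header = ($line -replace '^#Fields:\s*', '') -split ','
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $header) { continue }
        $line | ConvertFrom-Csv -Header $header
    }
}

function Get-OutlookClientVersions {
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-RcaLog -Lines $Lines |
        Where-Object { $_.'client-software' -eq 'OUTLOOK.EXE' -and $_.operation -eq 'Connect' } |
        Group-Object 'client-software-version', 'client-mode', 'protocol' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Version     = $first.'client-software-version'
                Mode        = $first.'client-mode'                  # Cached or Classic (online)
                Protocol    = $first.protocol
                Connections = $_.Count
                Users       = @($_.Group.'client-name' | Sort-Object -Unique).Count
                SampleUser  = ($first.'client-name' -split '/cn=')[-1]   # last RDN of the legacyDN
                SampleIP    = $first.'client-ip'
            }
        } | Sort-Object Version -Descending
}

# Offline run on the constructed sample:
Get-OutlookClientVersions -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# Against the real logs (the same folder the post points Log Parser Studio at):
# $logs = Get-ChildItem 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\RPC Client Access\*.LOG'
# Get-OutlookClientVersions -Lines ($logs | Get-Content) | Format-Table -AutoSize
```

Filtering on the Connect operation counts sessions rather than every RPC, so the Connections column is a fair "how often" and Users a fair "how many". Old major versions in the Version column (12.x is Outlook 2007, 14.x is Outlook 2010) are the ones to chase before they become an Exchange upgrade blocker.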



Source: Expta

Don’t Deploy Exchange 2013 CU6 If You’re a Hybrid Customer

I have confirmed with Microsoft that there are significant bugs in Exchange 2013 Cumulative Update 6 for hybrid customers.

Update #1: Microsoft just published a new article, Exchange Server 2013 databases unexpectedly fail over in a co-existence environment with Exchange Server 2007, which describes a different issue where Exchange 2013 databases unexpectedly fail over between the nodes of database availability groups. A hotfix is available for this issue, but you have to call Microsoft Support to get it.

Update #2: Microsoft just published another new article, Exchange Online mailboxes cannot be managed by using EAC after you deploy Exchange Server 2013 CU6, which provides a script that fixes the problems described in this article. Thankfully, you do not need to contact Microsoft Support to obtain the script, but you do need to configure PowerShell script execution to run it, and you should know that the script resets IIS without prompting. Run “Set-ExecutionPolicy -ExecutionPolicy unrestricted” to allow the script to run.
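A way to meet the script-execution requirement from Update #2 without changing the server's machine-wide policy, added here as an example that is not part of the post or of Microsoft's article: the policy change is scoped to the current process, so it disappears when the shell closes, and the downloaded script is unblocked rather than run with checking disabled. The script path is a placeholder.

```powershell
# Added example, not from the original post: runs a downloaded fix-up script under an execution
# policy that applies to this PowerShell process only, leaving the LocalMachine policy untouched.

function Invoke-ScriptWithProcessPolicy {
    param([Parameter(Mandatory)][string]$ScriptPath)

    if (-not (Test-Path $ScriptPath)) { throw "Script not found: $ScriptPath" }

    # Downloaded files carry a Zone.Identifier stream that RemoteSigned rejects; clearing it
    # is the narrow fix, as opposed to Unrestricted for every script on the box.
    Unblock-File -Path $ScriptPath

    $previous = Get-ExecutionPolicy -Scope Process      # normally Undefined
    try {
        Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
        & $ScriptPath                                     # the article's script restarts IIS without prompting
    }
    finally {
        Set-ExecutionPolicy -Scope Process -ExecutionPolicy $previous -Force
    }
}

# Usage (elevated Exchange Management Shell, maintenance window because of the IIS reset):
# Invoke-ScriptWithProcessPolicy -ScriptPath 'C:\Temp\<script-from-the-Microsoft-article>.ps1'   # placeholder path
```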

Hybrid deployments are used to bridge the gap between Exchange on-premises and Office 365. An Exchange hybrid server is used as the on-prem MRS endpoint for mailbox moves to Office 365, provides rich coexistence (free/busy sharing), and provides encrypted TLS mail flow between on-prem and Office 365.



Both Exchange 2010 and Exchange 2013 support hybrid servers. If the on-prem environment is Exchange 2010, the existing Exchange 2010 Hub/CAS servers can be used as hybrid servers, or new Exchange 2013 servers can be deployed. Exchange 2007 customers must deploy at least one new hybrid server and they usually deploy Exchange 2013.



Microsoft has maintained that customers will always be able to manage their hybrid environments from on-prem. Hybrid servers are supposed to bridge the administrative gap, providing a single pane of glass through which customers can manage both on-prem and Exchange Online environments.



That was until Exchange 2013 CU6…



With CU6, admins can no longer use the Exchange Admin Center (EAC) to create new Office 365 mailboxes, move mailboxes to Exchange Online, or create In-Place Archive mailboxes. Admins either need to use the Exchange Management Shell (EMS) or log on to the Office 365 Portal to perform these actions. In addition, clicking the Office 365 tab normally takes you to the Office 365 sign-on portal so you can manage your Office 365 tenant. Instead, it opens a new website for the Office 365 marketing page. These are huge problems for most hybrid customers and there’s no mention of this anywhere in the CU6 release notes.



Here’s the experience in Exchange 2013 CU5:



CU5 – Create New Office 365 Mailbox



CU5 – Move Mailbox to Exchange Online




CU5 – Create In-Place Archive Online



Exchange 2013 CU6 hybrid customers are greeted with an entirely different experience:

CU6 – Admins Can Only Create On-Prem Mailboxes



CU6 – Admins Can Only Move Mailboxes to Another On-Prem Mailbox



CU6 – Admins Can Only Create On-Prem Archive Mailboxes



And here’s what Admins see when they click the Office 365 tab in the EAC:



CU6 – Office 365 Tab



I expect Microsoft to publish an article soon regarding these bugs, but with a long Labor Day weekend ahead of us I wouldn’t expect anything sooner than Tuesday. I do expect that CU7 will correct these bugs. In the meantime, I recommend that hybrid customers do not deploy CU6 at this time. If you’ve already deployed CU6 in your environment, there’s no way to roll back.



What do you think Microsoft should do? Pull CU6? Release an Interim Update, like they did for the CU5 hybrid bug? Leave your comment below.

Source: Expta

Thycotic Secret Server Product Review

I don’t normally do product reviews, but I like to share when I find something that works well.



I’ve been using Thycotic Secret Server for a while now to store my personal account information, passwords and account notes. It acts as a secure vault for this important information. Prior to this, I’m ashamed to say, I was using the same username and password for most of my accounts. Obviously this is a terrible practice, especially in this day and age where banks, stores, and websites are frequently under attack for this information.



The Heartbleed Bug in OpenSSL brought this to the forefront for me. I knew I had to change all my passwords with new complex passwords, but the challenge of trying to remember all those passwords was an impossible task. I tested several different password management solutions, but none of them worked as well and as trouble free as Secret Server.



The following is the list of requirements I needed in a password management program:



  • Easy to use
  • Available remotely
  • Automatic complex password generation
  • Automatic login to password protected websites
  • Must work in the browsers I use (Internet Explorer and Chrome)
  • Must work with my iOS devices (iPhone and iPad)


Secret Server is just one of Thycotic’s security products aimed at securing your personal and private data. Thycotic offers a free* Express Edition of Secret Server for private use, and this is what I’m running. OK, technically it’s not “free” – it costs $10 per year, but Thycotic donates this to charity. Not only is this super cheap compared to other password management solutions, it also shows what a nice bunch these Thycotic folks are. Other editions have additional features and capabilities, such as the ability to change network passwords remotely, service account management, and provide high availability. I should also mention that all versions of Secret Server (including Express Edition) include full online support!



I installed Secret Server Express Edition on a dedicated Windows Server 2012 R2 web server, but you can also install it on an existing web server. You will need to install the IIS role and features, the .NET Framework 4.5.1, and Microsoft SQL Server 2012 Express. After that, the installation is a simple 5-step process and you can manage your passwords (secrets) right away. The comprehensive Secret Server Installation Guide walks you through the entire process, including prerequisites.



Once installed, you can access Secret Server through the IIS website you created. To add a new secret, select the Secret Template dropdown box in the upper right corner. The template you select contains all the relevant fields for the secret. I use the Web Password template for most of my secrets. This template allows me to use the Web Password Filler (described below).

Once a Web Password secret has been saved with the logon URL, username, and password, it’s easy to have Secret Server log you in to the website with the unique complex password. Simply add the Web Password Filler applet to the Favorites on your web browsers:

Then click the Web Password Filler favorite when you want to log on to the website. You will need to log in to Secret Server if you aren’t already, then Secret Server will automatically log you on to the website. For example, here’s the automatic logon for Amazon:

Thycotic also has a free Secret Server app on the Apple App Store so you can access your secrets and passwords from iOS devices. It doesn’t offer the same auto sign-in feature, but it does provide easy access to launch logon URLs and copy complex passwords.

There are many other features that Secret Server provides, but I honestly haven’t had a need to use them myself. Some of these advanced features include:



  • Role-based access controls
  • Full auditing and reports
  • Email notifications

If you’re looking for a full featured password management solution I encourage you to give Secret Server a try. They offer a 30-day free trial.

Source: Expta

Fix for MSExchange Mailbox Replication EventID 1121 Error Every Minute

I found that an error was being reported every 60 seconds from the MSExchange Mailbox Replication service with eventID 1121 on an Exchange 2013 CU5 server.

Log Name:      Application
Source:        MSExchange Mailbox Replication
Date:          8/15/2014 12:01:15 PM
Event ID:      1121
Task Category: Request
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SACEXCH01.Domain.local
Description:
The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error.
Request GUID: 'b451acde-8d08-4a9a-a248-6bc4ca144aa2'
Database GUID: 'ed87ca06-6ce2-448a-9a3b-2c9984b067a5'
Error: Database 'aad284ae-7777-4896-93a5-cbc5e479841c' doesn't exist.
Stack trace:
   at Microsoft.Exchange.MailboxReplicationService.MapiUtils.FindServerForMdb(Guid mdbGuid, String dcName, NetworkCredential cred, FindServerFlags flags)
   at Microsoft.Exchange.MailboxReplicationService.MoveJob.ReserveLocalForestResources(ReservationContext reservation)
   at Microsoft.Exchange.MailboxReplicationService.MoveJob.AttemptToPick(MapiStore systemMailbox)
   at Microsoft.Exchange.MailboxReplicationService.SystemMailboxJobs.<>c__DisplayClassc.<ProcessJobsInBatches>b__6()
   at Microsoft.Exchange.MailboxReplicationService.CommonUtils.ProcessKnownExceptionsWithoutTracing(Action actionDelegate, FailureDelegate processFailure).

There are no open mailbox move requests, export requests, import requests, or migration batches. I set diagnostic logging to expert, but saw nothing more than this single event, repeating every minute almost to the second.



ed87ca06-6ce2-448a-9a3b-2c9984b067a5 resolves to an active database on this server.
aad284ae-7777-4896-93a5-cbc5e479841c does not resolve to any database in the org (obviously).



The fix is to remove the move request manually with the following cmdlet:

Remove-MoveRequest -MoveRequestQueue "ed87ca06-6ce2-448a-9a3b-2c9984b067a5" -MailboxGuid "b451acde-8d08-4a9a-a248-6bc4ca144aa2"

Immediately, the MSExchange Mailbox Replication event 1121 errors stopped.
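The diagnosis above is three lookups: pull the GUIDs out of the event text, see which of them still resolves to a database, and confirm Get-MoveRequest really shows nothing before removing the queue entry. The following script does those steps, as an added example that is not part of the original post. The GUID parsing is kept separate so it can be exercised offline against $sampleEvent, a constructed copy of the event text shown above; the other function needs the Exchange Management Shell and the Application log of the affected server.

```powershell
# Added example, not from the original post: finds MSExchange Mailbox Replication event 1121
# entries, extracts the GUIDs, resolves the databases and builds the matching Remove-MoveRequest
# command without running it. $sampleEvent is a constructed copy of the event text above.

$sampleEvent = @'
The Microsoft Exchange Mailbox Replication service was unable to process a request due to an unexpected error.
Request GUID: 'b451acde-8d08-4a9a-a248-6bc4ca144aa2'
Database GUID: 'ed87ca06-6ce2-448a-9a3b-2c9984b067a5'
Error: Database 'aad284ae-7777-4896-93a5-cbc5e479841c' doesn't exist.
'@

function ConvertFrom-MrsEvent1121 {
    param([Parameter(Mandatory)][string]$Message)
    $guid   = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    $result = [ordered]@{ RequestGuid = $null; QueueDatabaseGuid = $null; MissingDatabaseGuid = $null }
    if ($Message -match "Request GUID:\s*'($guid)'")                { $result.RequestGuid         = $Matches[1] }
    if ($Message -match "Database GUID:\s*'($guid)'")               { $result.QueueDatabaseGuid   = $Matches[1] }
    if ($Message -match "Error: Database '($guid)' doesn't exist")  { $result.MissingDatabaseGuid = $Matches[1] }
    [pscustomobject]$result
}

function Get-OrphanedMoveRequestFix {
    # Live version: needs the Exchange Management Shell and read access to the Application log
    param([int]$MaxEvents = 50)
    $filter = @{ LogName = 'Application'; ProviderName = 'MSExchange Mailbox Replication'; Id = 1121 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-MrsEvent1121 -Message $_.Message } |
        Sort-Object RequestGuid -Unique |
        ForEach-Object {
            $queueDb   = Get-MailboxDatabase -Identity $_.QueueDatabaseGuid   -ErrorAction SilentlyContinue
            $missingDb = Get-MailboxDatabase -Identity $_.MissingDatabaseGuid -ErrorAction SilentlyContinue
            # The post passes the event's Request GUID as -MailboxGuid; the same mapping is used here
            $visible   = Get-MoveRequest -MoveRequestQueue $_.QueueDatabaseGuid -MailboxGuid $_.RequestGuid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RequestGuid       = $_.RequestGuid
                QueueDatabase     = if ($queueDb)   { $queueDb.Name }   else { '(not found)' }
                MissingDatabase   = if ($missingDb) { $missingDb.Name } else { '(not found: orphaned request)' }
                ShownByGetMoveRequest = [bool]$visible
                FixCommand        = 'Remove-MoveRequest -MoveRequestQueue "{0}" -MailboxGuid "{1}"' -f $_.QueueDatabaseGuid, $_.RequestGuid
            }
        }
}

# Offline parse of the constructed sample:
ConvertFrom-MrsEvent1121 -Message $sampleEvent
# Live run on the affected server; review FixCommand before pasting it into the shell:
# Get-OrphanedMoveRequestFix | Format-List
```

The FixCommand column is built rather than executed on purpose: Remove-MoveRequest with -MoveRequestQueue deletes the queue entry from the system mailbox of that database, so the MissingDatabase column should read "(not found: orphaned request)" and ShownByGetMoveRequest should be False before you run it, matching the situation in this post.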


Source: Expta

Poll: Which new Hyper-V lab server build would you be more likely to buy?

I am preparing to create my 5th generation Super-Fast Hyper-V Lab Server build. As usual, I will create a parts list, photos, videos, and tips about the build on this blog, but I need your help.

I normally stick to a small Micro ATX form factor which currently supports a maximum of 32GB RAM. I currently run this build at home and I’m happy that it doesn’t take much room and uses less power. 32GB RAM is enough to run 6-7 medium/large servers at once 24×7.



Some IT Pros have asked for a build that supports 64GB RAM so they can run more or larger VMs. A 64GB build requires me to use a traditional ATX form factor motherboard with more DIMM slots. This will use more power and will cost about $900 more.



I realize cost is more of a factor than size to most folks, but this website shows a comparison of ATX vs. Micro-ATX case sizes if you’re not aware. The microATX case I usually go with is the same form factor as the “barebones” case shown on the website.



I created the poll below so I can determine which build you would like me to go with for my 5th generation server. I really appreciate your input.

Which new Hyper-V server build would you be more likely to buy?

I will be speaking at the IT/Dev Connections conference September 15-19 in Las Vegas. There, I will be hosting two sessions, “Build Your Own Super-Fast Exchange Lab for Under $2,000!” and an open mic forum entitled “Ask the Exchange Experts,” a Q&A session about Exchange and Office 365 migration tips and tricks with fellow MVP Tony Redmond.



I will be bringing my latest Hyper-V lab server build to the lab session and will provide tips on how to build, manage, and use the server to advance your IT career. I hope to see you there!



Source: Expta