Mierdaan
Sep 14, 2004

Pillbug

carlcarlson posted:

And this is what I'd like to do going forward so I don't have to deal with lovely PSTs any more. I've got a demo on Thursday with Message Logic, they have a VM ready archive product which seems like it could do the trick. He already sent a quote, so a 200-user per year license is $3,900. Compared to what we pay for other legal expenses it's a drop in the bucket, but that still seems like an awful lot of money. I imagine any other similar product would probably be along the same lines though.

If that's too pricey, look into GFI MailArchiver. That's what we use, just pulling right from a journaling mailbox into read-only (SQL-backed) Archive Stores based on quarter. You can feed your PSTs back into the journal mailbox to populate historical data - ask me about loading 7 years worth of historical email in from PSTs written to CDs/DVDs!


Swink
Apr 18, 2006
Left Side <--- Many Whelps
.

Swink fucked around with this message at 01:56 on Mar 12, 2014

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Mierdaan posted:

If that's too pricey, look into GFI MailArchiver. That's what we use, just pulling right from a journaling mailbox into read-only (SQL-backed) Archive Stores based on quarter. You can feed your PSTs back into the journal mailbox to populate historical data - ask me about loading 7 years worth of historical email in from PSTs written to CDs/DVDs!

I pushed really, really hard to get GFI deployed. We're deploying a much more expensive barracuda. GFI can get pricy as well, especially if you need to get another copy of SQL deployed.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Starting a migration from iMail, circa 2005, to Appriver next week.



So glad this lady doesn't work here anymore.

TKovacs2
Sep 21, 2009

1991, 1992, 2009 = Woooooooooooo

Bob Morales posted:

Starting a migration from iMail, circa 2005, to Appriver next week.



So glad this lady doesn't work here anymore.

My....my God.

That's gotta be some kind of record.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Holy testicle Tuesday

kiwid
Sep 30, 2013

That thing is the size of an SSD.

carlcarlson
Jun 20, 2008

Bob Morales posted:

Starting a migration from iMail, circa 2005, to Appriver next week.



So glad this lady doesn't work here anymore.

Holy poo poo, but I thought it was limited to 50 GB with Outlook 2010. Did the limit increase with 2013? The thought of having to run scanpst on that makes my eyes water.

Spudalicious
Dec 24, 2003

I <3 Alton Brown.
So after updating to Exchange 2010 SP3, we have a whole host of new issues. :woop:

Mainly that for some reason Outlook 2011 for OSX just stopped allowing users to authenticate. I'm thinking the service pack hosed up our certificates somehow but I can't seem to figure it out - no entries in event viewer anywhere regarding certificates. This domain is kinda ghetto, being a domain.local 2008 domain, but it was working fine before that update. Now we can get in to OWA, but trying to change password or authenticate to ECP gives an incorrect username/password error no matter what. To make matters worse if I use the OWA light client it allows me to change password. :psyduck:

At least it fixed our problem for our one user. Huzzah.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

carlcarlson posted:

Holy poo poo, but I thought it was limited to 50 GB with Outlook 2010. Did the limit increase with 2013? The thought of having to run scanpst on that makes my eyes water.

Some dipshit that worked here years ago changed a registry value that limits the size of a PST

http://support.microsoft.com/kb/832925

When time machines are invented, he will be tortured.

Spudalicious
Dec 24, 2003

I <3 Alton Brown.

I fixed it, I think. We were having weirdness with OWA, so I found a guide on a technet forum post that basically said to disable forms-based authentication for the ecp, EWS, and owa IIS applications. To do so, you go to IIS Manager - Default site - [ecp, EWS, owa] - Authentication - Forms Authentication - Disabled. It fixed the osx outlook issue because osx outlook uses EWS to get email :downs:

The Electronaut
May 10, 2009

Spudalicious posted:

So after updating to Exchange 2010 SP3, we have a whole host of new issues. :woop:

Mainly that for some reason Outlook 2011 for OSX just stopped allowing users to authenticate. I'm thinking the service pack hosed up our certificates somehow but I can't seem to figure it out - no entries in event viewer anywhere regarding certificates. This domain is kinda ghetto, being a domain.local 2008 domain, but it was working fine before that update. Now we can get in to OWA, but trying to change password or authenticate to ECP gives an incorrect username/password error no matter what. To make matters worse if I use the OWA light client it allows me to change password. :psyduck:

At least it fixed our problem for our one user. Huzzah.

My last gig we had a handful of our CAS nodes poo poo the bed when going to SP3. Specifically in the config XMLs. We simply uninstalled and reinstalled SP3.

Edit: also had some issues with IIS screwing up the bindings (we had two sites for different authentication methodologies, one for internal and one for external connectivity). Nuking the incorrect binding resolved the binding issues.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.

Spudalicious posted:

So after updating to Exchange 2010 SP3, we have a whole host of new issues. :woop:

Mainly that for some reason Outlook 2011 for OSX just stopped allowing users to authenticate. I'm thinking the service pack hosed up our certificates somehow but I can't seem to figure it out - no entries in event viewer anywhere regarding certificates. This domain is kinda ghetto, being a domain.local 2008 domain, but it was working fine before that update. Now we can get in to OWA, but trying to change password or authenticate to ECP gives an incorrect username/password error no matter what. To make matters worse if I use the OWA light client it allows me to change password. :psyduck:

At least it fixed our problem for our one user. Huzzah.

See if Basic Authentication is turned on on the EWS directory in IIS.

gallop w/a boner
Aug 16, 2002

Hell Gem
We have had a strange certificate-related problem occur seemingly out of nowhere.

Approximately 10% of our machines cannot access any of the HTTPS based Exchange Client Access services (OWA, availability, autodiscover etc).

They receive an odd certificate error. However this isn't a run-of-the-mill chain or hostname error, and viewing the certificate properties doesn't show any problems. Event ID 11 (CAPI2) is logged in the client event log with the error "The certificate is not valid for the requested usage."

Bizarrely, the remaining 90% of our machines (all Windows 7 or Server 2008 R2 Terminal Services) are all fine. They don't get any errors.

I'm trying to determine if some sort of update has caused this issue but any advice is appreciated.

Spudalicious
Dec 24, 2003

I <3 Alton Brown.

The Electronaut posted:

My last gig we had a handful of our CAS nodes poo poo the bed when going to SP3. Specifically in the config XMLs. We simply uninstalled and reinstalled SP3.

Edit: also had some issues with IIS screwing up the bindings (we had two sites for different authentication methodologies, one for internal and one for external connectivity). Nuking the incorrect binding resolved the binding issues.

I'm guessing what happened is that this was configured this way before, and then upon service pack installation those configurations were lost and reverted somehow. Unfortunately, while I have a snapshot before that I could theoretically revert to and check if these were set before, I don't want to lose emails for the day and possibly cause more problems. I have fixed the things and the world is quiet again.

Syano
Jul 13, 2005

gallop w/a boner posted:

We have had a strange certificate-related problem occur seemingly out of nowhere.

Approximately 10% of our machines cannot access any of the HTTPS based Exchange Client Access services (OWA, availability, autodiscover etc).

They receive an odd certificate error. However this isn't a run-of-the-mill chain or hostname error, and viewing the certificate properties doesn't show any problems. Event ID 11 (CAPI2) is logged in the client event log with the error "The certificate is not valid for the requested usage."

Bizarrely, the remaining 90% of our machines (all Windows 7 or Server 2008 R2 Terminal Services) are all fine. They don't get any errors.

I'm trying to determine if some sort of update has caused this issue but any advice is appreciated.

There was a critical update last night that updated a certificate up the trust chain and for some reason it corrupted the chain or the cert or both on those clients. Do a system restore on the machines this affected and they will be fine. Source: been working on it all day

Syano fucked around with this message at 21:34 on Mar 12, 2014

hatelull
Oct 29, 2004

I am in the process of taking our Exchange environment from 2010 SP1 to SP3 RU5 (Build 123.4).

I updated the CAS and HTs without issue. Today I tried my first passive mailbox server and while the update completed successfully, I'm seeing a handful of database copies set to 'Disconnected and Healthy' copy status.

Rebooting the server did nothing to alleviate the situation, and I've tried suspending the database and waiting a few minutes before Resuming but after a refresh or two it will revert to 'Healthy and Disconnected' status. Even more disconcerting, refreshing the Database Copies tab for that mailbox server shows that several of the DB's are bouncing around between healthy and the 'disconnected and healthy' state.

At this point, I'm not sure if it's worth it to reseed the passive copy through the EMC. Database sizes range from 20-50 GB for the mailboxes, but our archive databases are ridiculously large with most being easily 150GB.

So, I suppose my question is ... what would be the best route? I have no problem removing the passive database copy and re adding it, but if it fails that opens a completely DIFFERENT problem.

Thoughts?

Hawkline
May 30, 2002

¡La Raza!
What are the results of a test-replicationhealth? Any peculiar events in your cluster or event logs? Is your DAG network all okay?

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
The main mailbox server may have to be SP2 or better - lots of changes between SP1 and SP3 of Exchange 2010.

hatelull
Oct 29, 2004

quote:

What are the results of a test-replicationhealth? Any peculiar events in your cluster or event logs? Is your DAG network all okay?

My DAG network doesn't scream about any problems. Test-replicationhealth passes except for DBDisconnected on the server yelling at me.

quote:

The main mailbox server may have to be SP2 or better - lots of changes between SP1 and SP3 of Exchange 2010.
All the mailbox servers were SP1 vanilla. The Exchange consultant that we gave monies for a week's worth of hours really only dinged us on lack of updates. There were suggestions that creating a separate replicating DAG network on a VLAN would improve performance, but there were no red flags. He also specifically told us that there were no issues going from SP1 to SP3 RU5 so long as we updated the CAS first, then the HTs, and did the mailbox servers last (obviously, updating the passive then failing that over so that the active could update).

The Electronaut
May 10, 2009
I recall there being database updates in one of the SPs, I can't remember if it was RTM->* or SP1->*. That might be the cause of your issue.

Hawkline
May 30, 2002

¡La Raza!
There were database schema changes in RTM -> SP1 but I don't see how that would disconnect the passive copy.

I recently did a SP1 RU3 -> SP3 vanilla on one of my accounts and didn't experience this myself in a 3 member DAG. I've also recently done a SP2 RU2 -> SP3 RU2 and did SP3/reboot/RU2 updates sequentially per multirole DAG member with no problem.

Does the BPA tell you anything is off?

Syano
Jul 13, 2005

gallop w/a boner posted:

We have had a strange certificate-related problem occur seemingly out of nowhere.

Approximately 10% of our machines cannot access any of the HTTPS based Exchange Client Access services (OWA, availability, autodiscover etc).

They receive an odd certificate error. However this isn't a run-of-the-mill chain or hostname error, and viewing the certificate properties doesn't show any problems. Event ID 11 (CAPI2) is logged in the client event log with the error "The certificate is not valid for the requested usage."

Bizarrely, the remaining 90% of our machines (all Windows 7 or Server 2008 R2 Terminal Services) are all fine. They don't get any errors.

I'm trying to determine if some sort of update has caused this issue but any advice is appreciated.

Probably going to hit the rest of your machines today. I am guessing you have your cert through Entrust? If you don't mind letting me know if you found another easy fix, I would appreciate it.

Crackbone
May 23, 2003

Vlaada is my co-pilot.

We've got a test environment with receive connector issues.

Internal clients can send/receive no problem. But I cannot get our external connector to work.

Testing via telnet, everything works perfectly until the final "." to denote message end. The Exchange server just ends the connection, and the message is never received by Exchange (no records in message tracking or smtp logs). This same config works perfectly in production and the firewall isn't doing anything to inbound smtp other than NAT.

Any suggestions on where to go next for troubleshooting? Is there something in Exchange that would create this specific behavior (i.e., act like everything is fine and then send a RST/ACK flag with no error message after composing the message)?

The Electronaut
May 10, 2009

Crackbone posted:

We've got a test environment with receive connector issues.

Internal clients can send/receive no problem. But I cannot get our external connector to work.

Testing via telnet, everything works perfectly until the final "." to denote message end. The Exchange server just ends the connection, and the message is never received by Exchange (no records in message tracking or smtp logs). This same config works perfectly in production and the firewall isn't doing anything to inbound smtp other than NAT.

Any suggestions on where to go next for troubleshooting? Is there something in Exchange that would create this specific behavior (i.e., act like everything is fine and then send a RST/ACK flag with no error message after composing the message)?

SMTP aware firewall in between?

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


Entrust actually has a thing up about it. Apparently they were chaining to a 1024 bit RSA key and microsoft removed the 1024 bit RSA roots with this latest update.

http://www.entrust.net/knowledge-base/technote.cfm?tn=8780

Syano
Jul 13, 2005
We have just been blowing away the local stores. Seems to work. Cause I have read that entrust post about 14 times now and I am not quite sure what exactly they are saying to do

Syano fucked around with this message at 16:42 on Mar 13, 2014

TKovacs2
Sep 21, 2009

1991, 1992, 2009 = Woooooooooooo
Is anyone aware of a tool that will document all of the non-default configuration settings in an onsite Exchange server?

gallop w/a boner
Aug 16, 2002

Hell Gem
Yep, it was the Entrust root CA as a few people have correctly guessed. I figured it out, and then approx 15 minutes later an email dropped into my inbox from Entrust with a new intermediate certificate.

The thing that really caught me out was that I did not realize that the root CA update process for Windows is not dependent on Windows Update. It basically can trigger whenever any user uses HTTPS (?) I knew that the affected machines had not received any updates so I could not figure out how their behavior had changed.

gallop w/a boner
Aug 16, 2002

Hell Gem

Syano posted:

We have just been blowing away the local stores. Seems to work. Cause I have read that entrust post about 14 times now and I am not quite sure what exactly they are saying to do

Grab the new intermediate cert from https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=94 and load into the local computer certificate store on your Exchange CAS boxes. This should fix the issue.

Make sure that any upstream (probably non-Windows) devices have the 2048-bit root CA installed. We had to manually add it to a PGP appliance that acts as a smarthost so that it could still connect to it via TLS'd SMTP.
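
Added example, not part of any post in this thread: a PowerShell check for the condition described above, where a server certificate still chains to a 1024-bit RSA root. It walks the chain Windows builds for each certificate in the local computer's Personal store and flags RSA keys below 2048 bits. The function name `Get-ChainKeyReport` and its parameters are made up for this example.

```powershell
# Added example (not from the thread). Reports the RSA key size of every
# certificate in the chain that Windows builds for a given leaf certificate.
function Get-ChainKeyReport {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Threshold taken from the thread: 1024-bit roots were removed, 2048-bit is expected.
        [int]$MinimumRsaBits = 2048
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL/OCSP lookups so the result reflects only the locally installed certificates.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)

    $depth = 0
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        $bits = $null
        # Only read the key size for RSA public keys (OID 1.2.840.113549.1.1.1).
        if ($c.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1') {
            $bits = $c.PublicKey.Key.KeySize
        }
        New-Object PSObject -Property @{
            LeafThumbprint = $Certificate.Thumbprint
            Depth          = $depth          # 0 = leaf, highest = root or last issuer found
            Subject        = $c.Subject
            SelfSigned     = ($c.Subject -eq $c.Issuer)
            RsaBits        = $bits
            WeakKey        = ($null -ne $bits -and $bits -lt $MinimumRsaBits)
            ElementStatus  = ($element.ChainElementStatus |
                                  ForEach-Object { $_.Status }) -join ','
            ChainBuilt     = $built
        }
        $depth++
    }
    $chain.Reset()
}

# Check every certificate in the local computer Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-ChainKeyReport -Certificate $_ } |
    Format-Table LeafThumbprint, Depth, RsaBits, WeakKey, ElementStatus, Subject -AutoSize
```

A row with `WeakKey` set at the highest depth means the chain built on that machine still ends at a sub-2048-bit root. Each machine builds its own chain from its own stores, so a clean result on the server does not guarantee the same chain on a client or an upstream device.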

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Anyone know why our Exchange host (Appriver) asked us to export a user's mailbox to a PST and import that, instead of just importing the PST that's already on their machine? The exported PSTs are usually quite a bit smaller so maybe they just aren't 'compacted' or something?

Syano
Jul 13, 2005

gallop w/a boner posted:

Grab the new intermediate cert from https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=94 and load into the local computer certificate store on your Exchange CAS boxes. This should fix the issue.

Make sure that any upstream (probably non-Windows) devices have the 2048-bit root CA installed. We had to manually add it to a PGP appliance that acts as a smarthost so that it could still connect to it via TLS'd SMTP.


We went through and updated our mail servers along with all our RDP servers this morning by installing the new certificate. Still have a lot of clients with the same issue. Any clues?

metallyca
Oct 26, 2004
So I'm in the process of migrating Exchange 2010 to Exchange 2013 and have a problem where the Exchange 2013 server is listing users that have been deleted in my Active Directory for at least 5 years now. The users that no longer exist are listed as "Legacy" under "Mailbox Type" and if I attempt to edit them through the console I get an error message that they cannot be found on the domain controller. I've searched through ADSIEdit and also searched for lingering objects using the repadmin /removelingeringobjects DC DCGUID dc=domain,dc=root /advisory_mode and it finds 0 objects. I cannot for the life of me find where the hell Exchange 2013 is finding these users. My Exchange 2010 server DOES NOT see these users at all. Anyone have any ideas?

Forest and Domain Functional Level
2008 R2

Exchange 2010 SP3 Update Rollup 5

Exchange 2013 SP1

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Did you run setup.com /preparead or setup.com /prepareschema (I think those are the commands) before installing either Exchange version?

Exchange fuckyness like that is usually related to someone not updating the AD schema along the way (even way back in Exchange 5.5 if your domain is that old :stonk: )

metallyca
Oct 26, 2004

Gyshall posted:

Did you run setup.com /preparead or setup.com /prepareschema (I think those are the commands) before installing either Exchange version?

Exchange fuckyness like that is usually related to someone not updating the AD schema along the way (even way back in Exchange 5.5 if your domain is that old :stonk: )

Definitely did with Exchange 2013 but not sure about 2010 since I didn't install it. I was under the impression though that when you run Exchange setup it automatically did this anyway.

If it wasn't run for Exchange 2010 or earlier what should I do, run these commands for 2010?

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
I've never been in that sort of scenario before so I can't say with certainty. If, by chance, you're on VM and can do a snapshot before/after of all your VMs, that is your best bet just to be safe.

metallyca
Oct 26, 2004
My coworker actually opened an incident with Microsoft using his TechNet subscription, so I'll see if they'll be of any help.

The Electronaut
May 10, 2009

metallyca posted:

So I'm in the process of migrating Exchange 2010 to Exchange 2013 and have a problem where the Exchange 2013 server is listing users that have been deleted in my Active Directory for at least 5 years now. The users that no longer exist are listed as "Legacy" under "Mailbox Type" and if I attempt to edit them through the console I get an error message that they cannot be found on the domain controller. I've searched through ADSIEdit and also searched for lingering objects using the repadmin /removelingeringobjects DC DCGUID dc=domain,dc=root /advisory_mode and it finds 0 objects. I cannot for the life of me find where the hell Exchange 2013 is finding these users. My Exchange 2010 server DOES NOT see these users at all. Anyone have any ideas?

Forest and Domain Functional Level
2008 R2

Exchange 2010 SP3 Update Rollup 5

Exchange 2013 SP1

Define listing users. Get mailbox? Do you have mailbox database maintenance issues?

Syano
Jul 13, 2005

Syano posted:

We went through and updated our mail servers along with all our RDP servers this morning by installing the new certificate. Still have a lot of clients with the same issue. Any clues?

Had to 100 percent redo our certificate environment today. Been a crazy 6 hours or so. We imported the updated certificate from Comodo and it just flat didn't work. So we basically started from scratch, generated a new unified communications CSR and reissued the certificate through Comodo. 6 hours later we now have shiny new certificates on all our mail and remote desktop servers.


metallyca
Oct 26, 2004

The Electronaut posted:

Define listing users. Get mailbox? Do you have mailbox database maintenance issues?

Meaning I open EAC on my Exchange 2013 server and under Recipients, there are users showing up that have been deleted from AD for a very long time now. The mailbox type is listed as Legacy and if I click on any of the users I get an error that states "The operation couldn't be performed because object 'GUID' couldn't be found on 'DC'.". If I try to Get-Mailbox from EMS for one of these users I get the same error as EAC.

I have no database maintenance issues that I'm aware of. No errors in Event Viewer. Can't find any errors with replication between my DCs, repadmin /showrepl shows successful on everything.
