
Posts Tagged ‘problem’

Exchange problem after 1/1/2022

January 2nd, 2022

Problem

Today I wanted to have a day off, but customers with Exchange environments (2013/2016 and 2019) started to have a problem with e-mail delivery. They started to receive the following error in Event Viewer:

This event started to show up a couple of minutes after 1.1.2022.

Messages got stuck in the queue with the error “Message deferred by categorized agent”:

Solution

So Antimalware has a problem with the date “22010100009” and the error says it’s “too long”. It looks like Microsoft programmers use 32-bit numbers to record the date, and now this value is over the variable’s limit. I think there will be a hotfix pretty soon. Until the hotfix arrives, we need to solve the problem. I just disabled the Antimalware engine by running the following PowerShell script:

& $env:ExchangeInstallPath\Scripts\Disable-AntimalwareScanning.ps1

and restarted the MSExchangeTransport service afterwards:

Restart-Service MSExchangeTransport

And that’s all folks 🙂
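The 32-bit limit suspected above can be checked directly. The following is an added illustration, not code from the original post or from Microsoft: the `yyMMddHHmm` stamp layout is an assumption, and `Test-StampParse` is a hypothetical helper that tries to read each stamp as a signed 32-bit and as a signed 64-bit integer.

```powershell
# Added illustration (not from the original post, not Microsoft's code).
# Assumption: a version stamp built from the date as yyMMddHHmm and stored as a number.
function Test-StampParse {
    param([Parameter(Mandatory)][string]$Stamp)

    $as32 = [int]0     # signed 32-bit target
    $as64 = [long]0    # signed 64-bit target
    [pscustomobject]@{
        Stamp     = $Stamp
        FitsInt32 = [int]::TryParse($Stamp, [ref]$as32)
        FitsInt64 = [long]::TryParse($Stamp, [ref]$as64)
    }
}

$inv = [cultureinfo]::InvariantCulture
$samples = @(
    [datetime]::new(2021, 12, 31, 23, 59, 0).ToString('yyMMddHHmm', $inv)  # constructed sample
    [datetime]::new(2022, 1, 1, 0, 0, 0).ToString('yyMMddHHmm', $inv)      # constructed sample
    '22010100009'                                                          # value quoted in the post
)

"Int32 maximum: $([int]::MaxValue)"
$samples | ForEach-Object { Test-StampParse -Stamp $_ } | Format-Table -AutoSize
```

The last stamp of 2021 still parses as a 32-bit integer; the first stamp of 2022 and the value quoted in the post do not, while all three fit in 64 bits.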

Exchange 2010 to Exchange 2013/2016 autodiscover problem

August 22nd, 2019

Problem: There is a known error in Exchange 2013/2016 when you migrate a user’s mailbox. After the migration is done, the user cannot access her new mailbox. Access becomes possible only after some time (max 15 minutes).

Cause: This is caused by outdated data cached by the Autodiscover process on the Exchange server. Its application pool is called MSExchangeAutodiscoverAppPool.

Solution: You need to set the application pool responsible for creating the Autodiscover XML file to recycle more often. You can recycle it manually from the IIS console after the migration is done:

Manual Recycle

Or you can configure automatic recycling on a specific condition. Most of the time I configure recycling every minute. When all users are migrated, I disable this rule:

Have a nice day,
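The same two options can be scripted. This is an added example, not part of the original post: it assumes the "specific condition" is IIS's regular time interval setting, and the backup file and the two function names are hypothetical.

```powershell
# Added example (not from the original post). Run in an elevated session on the
# Exchange server; requires the WebAdministration module that ships with IIS.
Import-Module WebAdministration

$pool     = 'MSExchangeAutodiscoverAppPool'                   # pool name from the post
$poolPath = "IIS:\AppPools\$pool"
$setting  = 'recycling.periodicRestart.time'                  # regular time interval
$backup   = Join-Path $env:TEMP "$pool.periodicRestart.txt"   # hypothetical backup file

function Enable-MigrationRecycle {
    # Save the current interval once, then recycle the pool every minute.
    if (-not (Test-Path $backup)) {
        (Get-ItemProperty -Path $poolPath -Name $setting).Value.ToString() |
            Set-Content -Path $backup
    }
    Set-ItemProperty -Path $poolPath -Name $setting -Value ([timespan]::FromMinutes(1))
}

function Disable-MigrationRecycle {
    # Restore the interval that was in place before the migration started.
    $original = [timespan]::Parse((Get-Content -Path $backup -TotalCount 1))
    Set-ItemProperty -Path $poolPath -Name $setting -Value $original
    Remove-Item -Path $backup
}

# One-off recycle right after a mailbox move (the manual option):
Restart-WebAppPool -Name $pool
```

Call `Enable-MigrationRecycle` before the migration batch and `Disable-MigrationRecycle` once all users are moved, so the one-minute rule does not stay in place.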

Upgrade to Windows 10

July 31st, 2015

The time has come: Windows 10 is out and many people are getting ready to migrate. I have also gone through the upgrade from Windows 8.1 to Windows 10. If you don't want to wait for your operating system to prompt you for the upgrade, you can force it. You can force it by downloading a roughly 20 MB file from this page.

A wizard starts and offers either to download the data for creating DVD/USB media or to start the upgrade. I decided to start the upgrade. It downloaded the whole of Windows to the C: drive:

Windows 10 downloading

Then the upgrade started. But the following window stopped me short:

Windows 10 selection

Option number one was greyed out and could not be selected. Unfortunately, Microsoft allows the first option only for Windows installations in these languages: English, Brazilian, Portuguese and Simplified Chinese. It is sad, but that is how it is. I also tried editing the installer and its settings, but nothing helped. I also tried changing the Windows settings to a location other than Slovakia, and that did not help either. It looks like the application downloaded the Slovak version of the upgrade and of the installer while downloading the upgrade:

Windows 10 Slovak

So there was nothing left but to go to this page and download the English version of the installer. When I ran that installer after the download, everything went smoothly:

Windows 10 Eng

All my settings were kept. A few applications had to be reinstalled (VPN clients), but otherwise everything works as it should and I am now running Windows 10:

Windows 10 ver

I have not tested whether installing the English version of Windows 10 keeps the Slovak environment or whether Slovak has to be installed afterwards.

I hope this guide helps someone else 🙂

Thumbs.db locked DFSR

May 21st, 2014

Problem

I had one problem with DFSR. I had two servers. Server01 is located in Location01 and Server02 is located in Location02. There is a DFSR Replication Group configured between those two servers. Replication worked in one direction – from Server01 to Server02, but it didn’t work from Server02 to Server01.

Findings

When I looked into the backlog of Server02 using the command:

dfsrdiag backlog /rgname:Rep_Group /rfname:Rep_Folder /SendingMember:SERVER02 /Receivingmember:SERVER01

I found out that there were lots of files stuck in the queue (the backlog). All of them were called Thumbs.db. These files are used by Windows Explorer to store thumbnails of files in directories.

Solution

I fixed the issue by clearing the conflict directory using the following commands. I had to find out the GUID for my replication folder:

wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderconfig get replicatedfolderguid,replicatedfoldername

And then I ran the procedure to clear the conflict directory:

wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo where "replicatedfolderguid='GUID'" call cleanupconflictdirectory

After clearing the directory, replication started to work.

But I wanted to prevent Thumbs.db files from being created on network shares. I don’t know of any setting that would disable it on client machines, so I had to restrict creation on the servers. I decided to create a File Screen to prohibit Thumbs.db creation on the servers.

1. On the server go to Server Manager — Roles — File Services — Share and Storage Management — File Server Resource Manager — File Screening Management:

FS01

2. Right-click on File Groups and create new File Group:

– Name it

– Include file “Thumbs.db” into list

FS02

3. Right-click on File Screen Templates and create new screen template:

– Name it

– Make sure you have selected Active screening

– Select the newly created group “Thumbs.db”

FS03

4. Enable file screening on the directory. Right-click on File Screens and create a file screen.

– Select the Path where the File Screen should apply

– Select the newly created File Screen Template

FS04

And the file screen is successfully set.
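Steps 2 to 4 can also be scripted. This is an added example, not part of the original post: it assumes a server with the FileServerResourceManager PowerShell module (Windows Server 2012 or later with the FSRM role service installed), and the template name and share path are hypothetical.

```powershell
# Added example (not from the original post). Needs the FileServerResourceManager
# module: Windows Server 2012 or later with the FSRM role service installed.
Import-Module FileServerResourceManager

$groupName    = 'Thumbs.db'               # file group name, as in step 2
$templateName = 'Block Thumbs.db'         # hypothetical template name
$sharePath    = 'D:\Shares\Rep_Folder'    # hypothetical path of the replicated folder

# Step 2: file group that matches only Thumbs.db
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName -IncludePattern @('Thumbs.db') | Out-Null
}

# Step 3: template with active screening (the write is blocked, not just reported)
if (-not (Get-FsrmFileScreenTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $templateName -IncludeGroup @($groupName) -Active |
        Out-Null
}

# Step 4: apply the template to the directory
if (-not (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $sharePath -Template $templateName | Out-Null
}

# Show the resulting screen so the setting can be verified
Get-FsrmFileScreen -Path $sharePath |
    Select-Object Path, Template, Active, IncludeGroup
```

Each step is skipped when the object already exists, so the script can be run on both replication partners without errors on a second run.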

One more step I took was to delete all Thumbs.db files from the server’s disk. I ran the following PowerShell command in the share directory:

Get-ChildItem -Force -Recurse | where { $_.Name -like "Thumbs.db" } | Remove-Item -Force

And that’s all for today’s play with DFSR.

RemoteApp Name problem

February 26th, 2014

At one customer I implemented RemoteApp on Windows Server 2012 R2. The clients connecting to RemoteApp were running Windows 7. Everything worked fine except on one computer. When I launched a RemoteApp from the application provided automatically using Control Panel, I received the following error (This RDP file is corrupted. The remote connection cannot be started.):

When I tried to run the application using the Web portal, everything worked fine.

The names of the RemoteApps contained diacritics and the name was displayed in a bad form:

So I tried to disable all diacritics in RemoteApp names and everything started to work as it should.

Weird things are:

  • There are no limits defined on the web for RemoteApp names
  • There are no errors logged anywhere saying anything about a “bad name” in RemoteApp

So remember not to have any other characters in RemoteApp names besides classic English ones.

Have a nice day,

 

Quickie: Nice utility to check DNS in AD

November 19th, 2013

When there is a problem with AD replication, most of the time there is a problem with DNS. Most of the time there are bad DNS records or missing DNS records. There is a cool utility to check this: DNSLint.exe from Microsoft. It is designed to do all the manual checks I do when trying to solve AD replication problems.

You can download it from here and also read more about it.

It’s too bad it’s not included in the operating system by default.

ESET Smart Security makes problems when migrating computers between domains

April 13th, 2013

I was facing a weird problem with computers when I was trying to migrate computer accounts between two Active Directory domains. When you use ADMT to migrate computer accounts, ADMT installs the ADMT Agent on the computer and this ADMT Agent makes all changes during the computer account migration.

Problem

When there was a computer with ESET Smart Security installed, I had the following problems. The first problem was that the migration failed and in the ADMT log file I received the following error:

2013-04-12 16:29:54 The Active Directory Migration Tool Agent will be installed on CENTRALA.DOMAIN.LOCAL
2013-04-12 16:29:59 WRN1:0000 Could not open SCManager on \\CENTRALA.DOMAIN.LOCAL : GetLastError() returned 5
2013-04-12 16:29:59 WRN1:7015 Failed to connect to the service control manager on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.
2013-04-12 16:29:59 ERR2:7006 Failed to install agent on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.

So error number 5 means I have no rights somewhere. After reading a couple of pages of ADMT documentation I found out that ADMT installs the ADMT Agent using the admin share called ADMIN$. So I tried to access the ADMIN$ share on computer CENTRALA.DOMAIN.LOCAL. I received the following error:

Problem with NETLOGON service

I have never seen such an error: “An attempt was made to logon, but the network logon service was not started.” I checked the services on computer CENTRALA.DOMAIN.LOCAL and Windows was right. Service NETLOGON was Disabled!

Solution

I had to temporarily turn off ESET Smart Security (I would prefer not to use this software at all 🙂 ) and also enable and start the NETLOGON service.

Conclusion

Every computer I migrated that had ESET Smart Security installed had the same problems. So IMHO ESET Smart Security has changed the NETLOGON service to Disabled. I really don’t understand why this is necessary, but I think it’s not the right way a “smart security product” should protect your computer.

I found one article about disabling the NETLOGON service as a security practice. It’s maybe a good security practice, but there is also a pitfall stated on the website:

If you disable the NetLogon service, a workstation no longer functions reliably as a domain member. This setting may be appropriate for some computers that do not participate in domains. However, it should be carefully evaluated before deployment.

I’m wondering what other functions are not available when NETLOGON is disabled (besides the inaccessible ADMIN$ share) on a domain member computer.

I hope this helps someone 🙂

Exchange 2010 and additional Active Directory sub-domain/child domain

April 13th, 2013

We had an Active Directory domain called DOMAIN.LOCAL. There was Exchange 2010 installed. It was fully functional. After some time I added a new sub-domain/child domain SUB.DOMAIN.LOCAL and migrated users with mailboxes from DOMAIN.LOCAL to SUB.DOMAIN.LOCAL.

Problem

When users from SUB.DOMAIN.LOCAL logged into OWA they received the following view:

OWA Error

The error stated: Exception message: Could not find any available Domain Controller in domain DC … so the problem is probably in the way Exchange locates domain controllers. When a user pressed F5 or refreshed the website, he could see his e-mails normally.

There was also event 2130 logged on the Exchange server saying the Exchange Active Directory Provider could not find an available domain controller in the domain.

Solution

When you want to install Exchange into an Active Directory domain, you need to prepare the forest and also the domain before you install it. You use setup.com (from the Exchange installation DVD) with some switches (for example /PrepareSchema, /PrepareAD,…). So the newly added domain SUB.DOMAIN.LOCAL in the existing AD forest was not prepared for the Exchange implementation. I ran the following command setup.com /PrepareDomain:SUB.DOMAIN.LOCAL:

PrepareDomain

If you have more than one domain to prepare for Exchange, you can use the command setup.com /PrepareAllDomains.

The best way to run /PrepareDomain or /PrepareAllDomains is:

  • to be logged on to the domain controller with role Schema Admin
  • to be a member of the Enterprise Admins group
  • to be a member of the Schema Admins group

I hope you will not make the same mistake as I did 🙂

 

Very very bad support from Meinberg getting better?

November 23rd, 2012

Over the last two weeks I had to update some NTP servers from one German company. When I requested new firmware, I received the following e-mail:

Dear Sir,
 unfortunately, I cannot provide a new firmware since your compact flash card is too small and the action might end up in a system’s inconsistency.
Thus, you are also not the only customer who is affected by this, we offer bigger compact flash cards for 65€ each. Please let me know whether this is of interest for you and if you need an official offer.
Mit freundlichem Gruß / With kind regards
 

So this made me very upset. To be able to upgrade to the newest version of the firmware I had to pay 65 EUR for a new flash card. So I wrote a couple of e-mails to this company. I wanted to know the reason why I needed to invest more into the NTP server. I found out that the firmware got big and it cannot be uploaded into the flash which came with the NTP server. This looked weird to me. Why would I have to invest into the device if the manufacturer’s engineers made a mistake? I had already decided not to sell the manufacturer’s devices. And I thought that was the end of the story.

Today I received the following e-mail:

Dear Ondrej,
 
I just wanted to let you know that we dramatically improved our update procedure and, after an intensive clean-up, released
the new firmware version 5.34h which can be installed on 64MB compact flash cards without any problems. The new release is 4 MB (~25%) smaller (!) than the previous version without removing any features.
 
Although you already expressed your extreme dissatisfaction with our products and decided for yourself to not recommend or
buy Meinberg products in the future, your feedback helped us to improve our software and I sincerely thank you for that.
 
Best Regards,
 Heiko
 

So it’s funny how some angry and mad e-mails can change such things. Now we can upgrade our devices. But I don’t think we will offer them to customers anymore 🙂

Internet Explorer Proxy Settings via GPO not working

October 22nd, 2012

One of our customers just realized the beauty and power of GPO. They started to use it more and more. A couple of days ago they set up a brand new GPO with the following settings:

  • Proxy IP was set with port 3128 for all protocols
  • Exceptions for couple websites and local addresses

 

IE Proxy GPO
