Author Archive

Just a heads up. If any of your clients have a user that complains that they can’t access public folders, they may be having a problem with a recent client-side Outlook 2007 security update. If they attempt to access public folders and are getting this error:

Cannot expand the folder. The attempt to log on to Microsoft Exchange has failed

It’s likely that they recently installed KB980376. As of today, the only known fix is to uninstall that security update from the client machine so that they can get into public folders.

Comments (0)

There are plenty of reasons why you might want to give one user access to another user’s mailbox. The first user may be in the hospital, or under HR review, or maybe they’ve been dropping the ball lately and management needs to make sure that certain projects have been followed up on. It’s not really our job to care. The fact is, Bill in management has requested that you give Paul Stanley access to Gene Simmons’ mailbox, and for various reasons, logging on to Gene’s mailbox to set these permissions up is not a good option. For one, you’d only be able to delegate access to certain primary folders, not to the whole mailbox, and second, you’d have to know Gene’s password to do that. Because you are a smart admin, you tell Bill you can take care of it easily from the server. And here’s how you do it with Exchange 2007 or Exchange 2010:

Using this PowerShell command, you can give one user the permission to open and view another user’s entire mailbox. They won’t be able to send mail from that mailbox though, unless you add the SendAs permission:

Add-MailboxPermission user1 -User user2 -AccessRights fullaccess

So if you wanted to give Paul Stanley access to Gene Simmons’ mailbox, you would do this:

Add-MailboxPermission gsimmons -user pstanley -AccessRights fullaccess

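To add sending functionality, grant the Send As right. Send As is an Active Directory extended right rather than a mailbox access right, so it is granted with Add-ADPermission instead of Add-MailboxPermission:

Get-Mailbox gsimmons | Add-ADPermission -User pstanley -ExtendedRights "Send As"

Make sure you run the Exchange Management Shell as Admin (elevated) or you may not get the results you were expecting.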

If you want to verify the permissions you’ve given Paul, you can run this command:

Get-MailboxPermission gsimmons -User pstanley | fl
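Because these grants are invisible to the mailbox owner, it is worth reviewing them periodically and removing them when the business need ends. The following is an added example, not part of the original post; it assumes the Exchange Management Shell and reuses the article's sample accounts (gsimmons, pstanley):

```powershell
# Added example: audit explicit mailbox delegation across the organization.
# Run in the Exchange Management Shell. gsimmons/pstanley are the article's sample accounts.

# 1. Explicit (non-inherited) FullAccess grants, excluding each mailbox's own SELF entry.
$fullAccess = Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
    Where-Object {
        ($_.AccessRights -like '*FullAccess*') -and
        (-not $_.IsInherited) -and
        (-not $_.Deny) -and
        ($_.User -notlike 'NT AUTHORITY\SELF')
    } |
    Select-Object @{n='Mailbox'; e={$_.Identity}},
                  @{n='Grantee'; e={$_.User}},
                  @{n='Right';   e={'FullAccess'}}

# 2. Explicit Send As grants. Send As is an AD extended right, so it is read
#    with Get-ADPermission rather than Get-MailboxPermission.
$sendAs = Get-Mailbox -ResultSize Unlimited | Get-ADPermission |
    Where-Object {
        ($_.ExtendedRights -like '*Send-As*') -and
        (-not $_.IsInherited) -and
        (-not $_.Deny) -and
        ($_.User -notlike 'NT AUTHORITY\SELF')
    } |
    Select-Object @{n='Mailbox'; e={$_.Identity}},
                  @{n='Grantee'; e={$_.User}},
                  @{n='Right';   e={'SendAs'}}

# 3. One combined report; @() keeps the concatenation valid when a query returns 0 or 1 rows.
@($fullAccess) + @($sendAs) | Sort-Object Mailbox, Grantee | Format-Table -AutoSize

# 4. Revoke a grant once it is no longer needed. -WhatIf previews the change;
#    drop it to actually remove the permission.
Remove-MailboxPermission gsimmons -User pstanley -AccessRights FullAccess -WhatIf
```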

After you tell Bill that you’ve taken care of it, he asks you what Paul is supposed to do to view the mailbox. You send him the following instructions:

In Outlook, go into Tools -> Account Settings and open up the properties on your Exchange email account. Choose More Settings, and when you get to the tabbed window, choose the Advanced tab.

On the Advanced tab, you will see the option to open additional mailboxes. Click Add and type the name of the user whose mailbox you want to open. In this case, Paul could type “Gene Simmons” or “gsimmons”. OK all the way out, and you should see another root mailbox for Gene Simmons added to Paul’s Outlook.

And yes, this can be done in the Exchange Management Console, but PowerShell is quicker!

Comments (0)

Last month TrainSignal released a new video course I created, and I thought I’d talk about it a little bit here, since I wrote it with the SMB consultant audience in mind.

I think that if I was looking for a course to take myself, I’d want to know that it did two things: cover all the essentials and additionally give me some beyond-the-basics expertise to add value to my consulting. Beyond that, I’d also want it to efficiently cover a given topic in a demo-driven way so that instead of having to plow through the whole course, I’d be able to sit down for 45 minutes or so with a specific topic and walk away feeling more prepared to implement.

That’s pretty much what I’ve put together, and when you add up all the content, it comes to over 17 hours of video, including segments covering SharePoint customization, certificates, WSUS, SBS 2003-2008 migrations, Exchange disaster recovery and much more.

TrainSignal typically sells scenario-driven courses, so there’s usually a fictitious company with fictitious characters whose needs the course is built around, and as part of the course, we field management requests from our “client” and translate them into technological solutions. In this course we are working for Mal Falconi, who runs KingFish Private Investigations, and she wants to set up a solution that maximizes her decentralized office strategy. Many videos begin with a description of a “business need” and we move on to craft and implement a solution that meets that need. I had a lot of fun building the course.

You can check out a larger overview here.

If you’ve already looked at the course, I’d be glad for any feedback you might have.

Comments (0)
Feb
10

User can’t log into OWA

Posted by: Dave Shackelford | Comments (0)

Sometimes a strange situation crops up in which a user can access his Exchange 2003 email from an Outlook client without trouble, but can’t successfully log into Outlook Web Access. You will get the standard, “You could not be logged on to Outlook Web Access” error message.

Chances are this user recently had a password change, or maybe the user’s account was deleted and then recreated again. But you’ve checked everything: the password, the OWA feature turned on for that user, the ability to log on with other user accounts, the temporary internet files cache, IISRESET. But nothing works–no matter which workstation you use to access OWA, you can’t log on as that user.

If you really press on and actually reboot the server, you find that the problem is resolved, but you are left uneasy. What actually happened, and why did it take a server reboot to fix it? Very unsatisfactory.

The problem is actually related to how IIS caches credentials when it uses Forms Based Authentication. If you change a user password or delete and recreate a user account, sometimes IIS has a different SID/password cached for that user and any attempts to authenticate will fail until that cache is emptied. An IISRESET will not resolve the problem, but a reboot will.

But there’s another way to resolve this without a reboot.

1. Open up the Exchange System Manager and drill down into the Server section and down into Protocols.
2. Open the HTTP folder and get properties on Exchange Virtual Server.
3. Go into the Settings tab and uncheck the Enable Forms Based Authentication checkbox. Apply it.
4. Go to the command-line and do an IISRESET.
5. Now go and recheck the Enable Forms Based Authentication checkbox.

That’s it. You should be able to log into OWA with that user now.

Comments (0)

Do you ever wonder why there are so many sporadic one-off problems with Windows Update? Someone runs a .Net update and it breaks a lot of things, even though thousands of other admins have run that same patch without problems?

I think I might have an inkling why.

How many times have you been checking on a server right before lunch and seen an optimization you could easily make, made the change and then saw that the server wanted a reboot? It wasn’t that critical a change, and you can’t restart the system during business hours, so you add a task to your list to restart the server that evening. Or do you? Did you ever actually get around to it?

Maybe you download a patch for a known issue and then it calls for a reboot, and you decide that you might as well run some other updates before the reboot to get your downtime’s worth.

Both of these situations are much more likely to result in failed Windows Updates, since there are unresolved .dll, file and registry changes underway.

The best practice is to restart a server BEFORE you run Windows Update or any significant patches. You would do this in order to ensure that there are no subsystems that can’t be patched properly due to their already holding their breath for a reboot. So a good Windows Update procedure would involve at least two server restarts: one before the updates are run, and another after.

The truth is, if your servers run for 30+ days between reboots, it’s fairly common for them to begin to accumulate some of these “pending reboot” situations, and if you don’t resolve those before doing any serious patching, you may end up with unpredictable results.
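One way to check for these “pending reboot” conditions before patching is to look at the registry locations Windows uses to record them. This is an added example, not from the original post; the function name Test-PendingReboot is hypothetical and the 30-day threshold is taken from the paragraph above:

```powershell
# Added example: report whether a server is already waiting on a reboot
# before Windows Update or other significant patches are run.
function Test-PendingReboot {
    $reasons = @()

    # Set by the servicing stack when component changes are staged for the next boot.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'Component Based Servicing'
    }

    # Set by the Windows Update agent after installing updates that need a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'Windows Update'
    }

    # File replacements queued for the next boot (in-use .dll and other files).
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
              -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons += 'Pending file rename operations'
    }

    # Uptime, to flag servers past the 30-day mark mentioned in the post.
    $os     = Get-WmiObject Win32_OperatingSystem
    $booted = $os.ConvertToDateTime($os.LastBootUpTime)
    $days   = [int]((Get-Date) - $booted).TotalDays

    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join '; ')
        UptimeDays    = $days
        Over30Days    = ($days -gt 30)
    }
}

# Restart first if RebootPending is True, then patch, then restart again.
Test-PendingReboot | Format-List
```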


So who wrote this blog and what do they do for a living anyway?

We’re Third Tier. We provide advanced Third Tier support for IT Professionals.
Third Tier Get Support BlogFeed Blog Twitter Twitter Facebook Facebook LinkedIn LinkedIN

Categories : Dave Shackelford, Tips
Comments (0)

When you migrate to SBS 2008 and you already have a domain name, you don’t need to use the domain registration wizard that is built into the SBS 2008 Setup process.

This is well and good, but it has a downside worth knowing about. You probably didn’t know it, but something that Microsoft does when they set up your new domain name at the registrar is create a custom SRV record for your domain so that Autodiscover will work properly for external client autoconfiguration. If you already have a domain name registered and are able to create your own DNS SRV records (some DNS hosts don’t allow SRV record creation), it would be a good idea to create an Autodiscover SRV record to make it easier for Outlook 2007 clients to autoconfigure themselves for Outlook Anywhere (RPC-over-HTTPS).

The details on how to set this record up are all in KB940881, but I’ll briefly summarize it here:

1. Get rid of any CNAME or A records for “autodiscover”
2. Build the SRV record to look like this:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: remote.smallbizco.net

Why do you need to do this for Autodiscover to work? Well, when you feed an Outlook client an email address, it tries to autoconfigure itself, and it does this by trying to contact a series of hosts as follows:

- https://domainname.com/autodiscover/autodiscover.xml
- https://autodiscover.domainname.com/autodiscover/autodiscover.xml
- http://autodiscover.domainname.com/autodiscover/autodiscover.xml

Because your cert is tied to a single name: remote.domainname.com, any https connection to the autodiscover URL will fail. If you want to create an A or CNAME record for ‘autodiscover’ that points to your server’s public IP and allow port 80 to your server, autodiscover will work, but you would then have allowed port 80 traffic to your server. An alternate option, still using SSL, is what this article is about. This method takes advantage of a feature that was added in Outlook 2007 SP1 that allows it to look for an SRV record and use the SRV record to find the “real” autodiscover host. In this case, the SRV record is pointing to remote.smallbizco.net, which is the name covered by the cert, so a secure connection to that server to get Autodiscover information will succeed.
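To confirm the record is in place and that the host it points to really is covered by the certificate, the check below can be run from an admin workstation. It is an added example, not from the original post or KB940881; the function name Test-AutodiscoverSrv is hypothetical, smallbizco.net is the article's sample domain, and Resolve-DnsName is assumed to be available (Windows 8 / Server 2012 or later):

```powershell
# Added example: verify the Autodiscover SRV record and the certificate behind it.
function Test-AutodiscoverSrv {
    param([Parameter(Mandatory = $true)][string]$Domain)

    # 1. The SRV record Outlook 2007 SP1 and later will look up.
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
    if (-not $srv) { throw "No _autodiscover._tcp SRV record found for $Domain" }

    # 2. Step 1 of the summary: no leftover A or CNAME record for "autodiscover".
    $stale = Resolve-DnsName -Name "autodiscover.$Domain" -ErrorAction SilentlyContinue |
             Where-Object { $_.Section -eq 'Answer' }

    # 3. TLS handshake with the SRV target. AuthenticateAsClient throws if the
    #    certificate is untrusted or does not cover the name we connected to.
    $certOk = $false
    $tcp = New-Object System.Net.Sockets.TcpClient($srv.NameTarget, $srv.Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
        $ssl.AuthenticateAsClient($srv.NameTarget)
        $certOk = $true
    } catch [System.Security.Authentication.AuthenticationException] {
        $certOk = $false
    } finally {
        $tcp.Close()
    }

    New-Object PSObject -Property @{
        SrvTarget               = $srv.NameTarget
        SrvPort                 = $srv.Port
        PortIs443               = ($srv.Port -eq 443)
        StaleAutodiscoverRecord = [bool]$stale
        CertValidForTarget      = $certOk
    }
}

Test-AutodiscoverSrv -Domain 'smallbizco.net' | Format-List
```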

Got it? Great!



Comments (4)
