Exchange Management Shell Error 500 – Internal Server Error

I have come across this issue enough times that even if it is documented on TechNet it deserves mention here.

When you launch Exchange Management Shell or try to connect to an Exchange 2010 Server remotely using PowerShell, you get error “500 – Internal Server Error. There is a problem with the resource you are looking for, and it cannot be displayed.”

Error details also show the following:

For more information, see the about_Remote_Troubleshooting Help topic.

    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException

    + FullyQualifiedErrorId : PSSessionOpenFailed

The other possible errors you may see are the following:

The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.

Or

Connecting to remote server failed with the following error message: The WinRM client received an HTTP server error status (500), but the remote service did not include any other information about the cause of the failure. For more information, see the about_Remote_Troubleshooting Help topic. It was running the command 'Discover-ExchangeServer -UseWIA $true -SuppressError $true'.

Or

The WinRM client received an HTTP status code of 403 from the remote WS-Management service.

All of these errors point to the PowerShell virtual directory on the given server not being configured properly. If you run Exchange Best Practices Analyzer, it alerts about this issue as well.

The resolution is well documented in the TechNet article “PowerShell Virtual Directory issues cause problems with Exchange Management tools”. I will let you read the solution there; however, I wanted to mention the oddity in my case.

Looking at the error I was getting and mapping it to the solution in the article didn’t resolve the issue. I had to configure Kerberos authentication as mentioned in the article. Once KerbAuth was registered as a native module, EMS and remote PowerShell sessions started working.

What my friend mentioned seems so relevant: “Why can’t our lives be just as predictable as computers? While there are some problems in a day, most of it is logical and if you know that logic, you can predict the outcome or fix the issue!”. Amen to that my friend.

Originally posted at http://blogs.technet.com/bshukla


Certificate revocation checked failed

Recently I came across a CAS server that was rebuilt. Think of it as a new server you are introducing in your environment.

Everything looked good except the certificate that we imported. The certificate looked good when looking at validity, issuing authority certificate and other dependencies. However, Exchange Management Console complained:

“The certificate status could not be determined because the revocation checked failed.”

Since the error seemed clear enough, we checked and verified that we could reach the CRL. We could successfully access it and download the CRL. We also ensured that there were no proxy servers configured or required, which there weren’t.

However, the server had its own mind.

KB979694 wasn’t applicable since there was no proxy in the environment.

The only logical question here was: why is the “Local System” account (which the service uses to get the revocation status) unable to get to the CRL? To get to the answer, we needed to check the proxy settings of the Local System account. How do you do that? You can’t simply start IE as a different user!

That is exactly the purpose of this post. I found bits and pieces of information that helped me resolve the issue, but not a single document covering all of it. In this post, I am trying to put it all together so you have a one-stop solution.

Here’s how you can fix the issue:

  1. Open up command prompt as Administrator
  2. Run “sc create testsvc binpath= "cmd /K start" type= own type= interact”
    • This creates testsvc service which will run as local system and allow interaction with desktop
  3. Run “sc start testsvc”
    • The error “[SC] StartService failed 1053” is expected and can be ignored safely
  4. Locate “Interactive Services Detection” icon blinking in the taskbar and click “view message”
  5. You are now in a command prompt window running as Local System and you will not see your desktop. The only other visible window is “Interactive Services Detection” window.
  6. Launch Internet Explorer using the following command:
    • "c:\Program Files (x86)\Internet Explorer\iexplore.exe"
  7. Internet Explorer may present Set up window. If it does, click “Ask me later”.
  8. We will now check proxy settings. Go to Tools -> Internet options -> Connections -> Lan Settings.
  9. Verify proxy and automatic configuration options and change them to match your environment. In my case we cleared all checkboxes since no proxy existed in environment.
    • In our case, either server build process or a setting from or a GPO was populating incorrect proxy settings.
  10. Close Internet Explorer window and return to command prompt.
  11. We will now clean certutil caches.
  12. Run “certutil -urlcache ocsp delete”
  13. Run “certutil -urlcache crl delete”
  14. We’re almost done here. We now have to close and exit out of service.
  15. Type “exit” and press enter to close command prompt that is running as Local System.
  16. Now you should have only one “Interactive Services Detection” window.
  17. Click “Return Now”.

You are now back to your desktop and we have corrected Internet Explorer settings for Local System (removing proxy configuration that was incorrect). After this, we restarted Exchange Management Console and verified certificate on CAS server in question. Certificate was no longer issuing the warning and we proceeded with assigning the certificate to appropriate services.

It is important to note that refresh time varies from immediate to more than a few minutes, so don’t fret over the certificate still showing the same error. If, however, it takes more than 15 minutes, I would check whether all steps were followed as mentioned above and the configuration is correct for your environment.
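The proxy settings changed in steps 8 and 9 can also be read without opening a Local System desktop. The following is an added example, not part of the original post: it assumes the Local System profile hive is loaded under HKEY_USERS\S-1-5-18, the function names are hypothetical, and the flag layout of DefaultConnectionSettings is an assumption. It also reports the testsvc service from step 2 if it is still registered, since the steps above leave it in place.

```powershell
# Added example, read-only. Run from an elevated PowerShell prompt.
# S-1-5-18 is the well-known SID of Local System; its per-user Internet Explorer
# (WinINET) settings live under HKEY_USERS\S-1-5-18.
function Get-LocalSystemProxySetting {
    $base = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie   = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $conn = Get-ItemProperty -Path "$base\Connections" -ErrorAction SilentlyContinue

    # Assumption: byte 8 of the DefaultConnectionSettings blob is a flag field
    # (0x02 = manual proxy, 0x04 = automatic configuration script, 0x08 = auto-detect).
    $flags = 0
    if ($conn -and $conn.DefaultConnectionSettings -and
        $conn.DefaultConnectionSettings.Length -gt 8) {
        $flags = [int]$conn.DefaultConnectionSettings[8]
    }

    New-Object PSObject -Property @{
        ProxyEnable      = [bool]$ie.ProxyEnable        # "Use a proxy server" checkbox
        ProxyServer      = $ie.ProxyServer
        AutoConfigURL    = $ie.AutoConfigURL            # "Use automatic configuration script"
        ManualProxyFlag  = [bool]($flags -band 0x02)
        AutoConfigFlag   = [bool]($flags -band 0x04)
        AutoDetectFlag   = [bool]($flags -band 0x08)    # "Automatically detect settings"
    }
}

# Reports whether the interactive test service created in step 2 still exists.
function Get-LeftoverInteractiveService {
    param([string]$Name = 'testsvc')

    Get-WmiObject -Class Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, StartName, DesktopInteract, State, PathName
}

$proxy = Get-LocalSystemProxySetting
$proxy | Format-List

if ($proxy.ProxyEnable -or $proxy.AutoConfigURL -or $proxy.AutoDetectFlag) {
    Write-Warning 'Local System still has proxy or auto-configuration settings; compare them with your environment.'
}

$leftover = Get-LeftoverInteractiveService
if ($leftover) {
    $leftover | Format-List
    # In PowerShell, "sc" is an alias for Set-Content, so call sc.exe explicitly.
    Write-Warning 'testsvc is still registered. Remove it with: sc.exe delete testsvc'
}
```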

Yet another issue put to bed. On to another.

Originally posted at http://blogs.technet.com/bshukla


Stories of Autism

As I started taking interest in photography, I came in contact with professionals who I can learn a bit from. While doing this, I was recently introduced to Stories of Autism.

Stories of Autism is a non-profit organization dedicated to promoting the awareness, acceptance, and inclusion of those with autism spectrum disorders. Stories of Autism achieves this through the exhibition of portraits created by professional level photographers from around the US and Canada. Each portrait is accompanied by a short writing from someone close to the subject (usually a parent) describing how autism has affected their lives. It has been featured in many photography trade magazines, websites, newspaper and television coverage, as well as some articles in a few medical journals.

After learning about them a bit more, I decided to join the annual event that coincides with National Autism Awareness Month.

I plan to be one of many photographers who will capture amazing moments of these special people and raise awareness to autism.

This is where I need your help. Here’s what you can do to help:

  1. If you know someone with autism who is in Downingtown, PA (or within 25 mile radius), please let me know and I can get in touch with them.
  2. Spread the word. This one is easy. Just use #autismawareness and @bhargavs in your tweets along with the URL http://bit.ly/storiesofautism, put this on your Facebook or LinkedIn, tell others when you meet them in person. Anything you can do will help me.
  3. Donate! This is the first time ever that I have asked someone to donate through my site. It’s because it isn’t for me. Every dollar you donate will be matched 1:1 and will be donated to “Mission for Educating Citizens with Autism”. There is no minimum. Any amount you wish to donate makes a difference.

You might have the most important question, what’s in it for participants?

  • They will receive free 30 minute portrait session (only autistic subject, no family portraits)
  • They will receive single 8×10 portrait print of their choice from the session
  • Best of all, they will help a good cause

Pardon this out of ordinary post, I know this isn’t what you may have expected on a technical blog. I am sure you understand and I certainly hope I will get your generous support for this worthy cause.

Some important disclaimers:

  • I am not affiliated with any organizations listed above and will not benefit monetarily by posting this or helping them with portraits or donations
  • I will not profit from any donations received through the link posted here. For accuracy, please do not send any donations directly (bypassing posted link here).


RBAC and Principle of Least Privilege

Exchange 2010 introduced RBAC as a mechanism to manage access to administrative tasks at granular level which was not possible in previous versions of Exchange.

While you may know how to use RBAC to create custom roles that map to job functions in your environment, one particular feature tends to get easily overlooked, mostly because it is the least understood, I believe. It is Unscoped Top Level Management Roles.

So, I wrote a blog post on it detailing what it is, and how to configure it. It went live a few days ago at the Hey, Scripting Guy! blog.

You can read complete article here – http://blogs.technet.com/b/heyscriptingguy/archive/2012/01/13/use-powershell-and-rbac-to-control-access-to-exchange-server-cmdlets.aspx

Enjoy!

Originally posted at http://blogs.technet.com/bshukla


Updated – Verify Exchange Server Schema Version

This article was originally posted on my personal blog here. Since I don’t actively maintain it anymore, I am publishing it here.

When you run Exchange Setup to prepare schema, usually the very next question is, how do I verify schema was updated successfully? Verifying only the values of attributes as mentioned below is not a good verification of Exchange setup completion. This article is intended to only provide reference to attributes and their values.

Let’s start back at Exchange 2003 SP2.

One of the last actions of setup /forestprep in Exchange 2003 is to set the objectVersion attribute on the Exchange organization container to a value of 6903. You can verify this using ADSIEdit and navigating to Configuration NC, Exchange organization object under the services\Microsoft Exchange node.

On the other hand, when setup /domainprep is run, it sets the objectVersion attribute on Microsoft Exchange System Objects container to a value of 6936. You can verify this using ADSIEdit and navigating to Domain NC, Microsoft Exchange System Objects container.

In Exchange 2007, after successful run of Setup /PrepareSchema you will find that the attributes mentioned above are not changed! You need to verify the value of rangeUpper attribute of ms-Exch-Schema-Version-Pt object in Schema NC. The value should be 10637.

It is only when you run Setup /PrepareAD the objectVersion attribute of Organization container in Configuration NC is updated to a value of 10666. You will also find that objectVersion attribute on Microsoft Exchange System Objects container in Domain NC is set to a value of 10628.

You will also notice that Setup /PrepareDomain does not have any effect on these attribute values.

Let’s briefly review what Exchange 2007 SP1, SP2 and Exchange 2010 setup update these attribute values to.

Exchange 2007 SP1

  • Value of rangeUpper attribute of ms-Exch-Schema-Version-Pt object in Schema NC is set to 11116 when setup /PrepareSchema is run successfully.
  • Setup /PrepareAD sets the objectVersion attribute of Organization container in Configuration NC to a value of 11221. objectVersion attribute on Microsoft Exchange System Objects container in Domain NC is also set to the same value of 11221.
  • Setup /PrepareDomain does not have any effect on these attribute values.

Exchange 2007 SP2

  • Value of rangeUpper attribute of ms-Exch-Schema-Version-Pt object in Schema NC is set to 14622 when setup /PrepareSchema is run successfully.
  • Setup /PrepareAD sets objectVersion attribute of Organization container in Configuration NC to a value of 11222. objectVersion attribute on Microsoft Exchange System Objects container in Domain NC remains unchanged at value of 11221.
  • Setup /PrepareDomain does not have any effect on these attribute values.

Exchange 2007 SP3

  • Value of rangeUpper attribute of ms-Exch-Schema-Version-Pt object in Schema NC is set to 14625 when setup /PrepareSchema is run successfully.
  • objectVersion attribute of Organization container in Configuration NC remains unchanged at a value of 11222. objectVersion attribute on Microsoft Exchange System Objects container in Domain NC remains unchanged at value of 11221.
  • Setup /PrepareDomain does not have any effect on these attribute values.

Exchange 2010

  • Value of rangeUpper attribute of ms-Exch-Schema-Version-Pt object in Schema NC is not changed from 14622 when setup /PrepareSchema is run successfully.
  • Setup /PrepareAD sets objectVersion attribute of Organization container in Configuration NC to a value of 12640. objectVersion attribute on Microsoft Exchange System Objects container in Domain NC remains unchanged at value of 12639.
  • Setup /PrepareDomain does not have any effect on these attribute values.

Exchange 2010 SP1

  • Value of rangeUpper attribute of ms-Exch-Schema-Version-Pt object in Schema NC is not changed from 14726 when setup /PrepareSchema is run successfully.
  • Setup /PrepareAD sets objectVersion attribute of Organization container in Configuration NC to a value of 13214. objectVersion attribute on Microsoft Exchange System Objects container in Domain NC is changed to value of 13040.
  • Setup /PrepareDomain does not have any effect on these attribute values.

Exchange 2010 SP2

  • Value of rangeUpper attribute of ms-Exch-Schema-Version-Pt object in Schema NC is changed to 14732 when setup /PrepareSchema is run successfully.
  • Setup /PrepareAD sets objectVersion attribute of Organization container in Configuration NC to a value of 14247. objectVersion attribute on Microsoft Exchange System Objects container in Domain NC remains unchanged at value of 13040.
  • Setup /PrepareDomain does not have any effect on these attribute values.

When reading this article, consider the fact that the lab setup I used was upgraded from Exchange 2003 schema to Exchange 2007 schema and then to Exchange 2010/SP1 schema. Service Pack 2 was tested in Exchange 2003 environment with no Exchange 2007 or Exchange 2010 Service Pack 1. This should not affect any attribute values mentioned above however I cannot guarantee since I have not tested it.
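The three attributes listed above can be read in one pass instead of browsing ADSIEdit. The following is an added example, not code from the original article: the function name is hypothetical, it assumes a domain-joined machine with read access to the forest, and the lookup tables contain only the values listed in this article. As noted at the top of the article, matching values are a reference, not proof that setup completed.

```powershell
# Added example: read the Exchange schema/organization/domain version attributes.
function Get-ExchangeSchemaVersion {
    # Values below are the ones listed in this article, nothing else.
    $schemaMap = @{ 10637 = 'Exchange 2007'; 11116 = 'Exchange 2007 SP1'
                    14622 = 'Exchange 2007 SP2 / Exchange 2010'
                    14625 = 'Exchange 2007 SP3'; 14726 = 'Exchange 2010 SP1'
                    14732 = 'Exchange 2010 SP2' }
    $orgMap    = @{ 6903  = 'Exchange 2003'; 10666 = 'Exchange 2007'
                    11221 = 'Exchange 2007 SP1'; 11222 = 'Exchange 2007 SP2 / SP3'
                    12640 = 'Exchange 2010'; 13214 = 'Exchange 2010 SP1'
                    14247 = 'Exchange 2010 SP2' }
    $domainMap = @{ 6936  = 'Exchange 2003'; 10628 = 'Exchange 2007'
                    11221 = 'Exchange 2007 SP1 / SP2 / SP3'; 12639 = 'Exchange 2010'
                    13040 = 'Exchange 2010 SP1 / SP2' }

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = [string]$rootDse.schemaNamingContext
    $configNC = [string]$rootDse.configurationNamingContext
    $domainNC = [string]$rootDse.defaultNamingContext

    # Schema NC: rangeUpper on ms-Exch-Schema-Version-Pt (set by /PrepareSchema).
    $schemaPt   = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC"
    $rangeUpper = [int]$schemaPt.rangeUpper.Value

    # Configuration NC: objectVersion on the organization container, which sits
    # directly under CN=Microsoft Exchange,CN=Services (set by /PrepareAD).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $searcher.Filter      = '(objectClass=msExchOrganizationContainer)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('objectVersion')
    $org        = $searcher.FindOne()
    $orgVersion = 0
    if ($org -and $org.Properties['objectversion'].Count -gt 0) {
        $orgVersion = [int]$org.Properties['objectversion'][0]
    }

    # Domain NC: objectVersion on Microsoft Exchange System Objects.
    $meso          = [ADSI]"LDAP://CN=Microsoft Exchange System Objects,$domainNC"
    $domainVersion = [int]$meso.objectVersion.Value

    # Translate a value through a table; anything else is reported as unlisted.
    $lookup = {
        param($map, $value)
        if ($map.ContainsKey($value)) { $map[$value] } else { 'not listed in this article' }
    }

    New-Object PSObject -Property @{
        SchemaRangeUpper    = $rangeUpper
        SchemaMatches       = & $lookup $schemaMap $rangeUpper
        OrgObjectVersion    = $orgVersion
        OrgMatches          = & $lookup $orgMap $orgVersion
        DomainObjectVersion = $domainVersion
        DomainMatches       = & $lookup $domainMap $domainVersion
    }
}

Get-ExchangeSchemaVersion | Format-List
```

In a multi-domain forest the domain value is read from the domain of the machine running the function; run it again from each other domain to check those.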

Originally posted at http://blogs.technet.com/bshukla


New pre-requisites for Exchange 2010 Service Pack 2 and CAS Role

With the release of Service Pack 2 for Exchange Server 2010, you gain a few new features such as Cross-Site Silent Redirection for OWA, Address Book Policies, Mailbox Auto-Mapping and a few other additions (What’s new in Exchange 2010 SP2).

With it come new pre-requisites if you are installing/updating the Client Access Server (CAS) role.

You will need to install the following components on the server that will be running CAS role (or existing CAS you are planning to update):

ISAPI Filters – Web-ISAPI-Filter
IIS 6 WMI Compatibility – Web-WMI
ASP.Net – Web-Asp-Net

You can install them as described in Exchange 2010 Prerequisites article. If you want to install these components on existing CAS server before upgrade to SP2, you can launch PowerShell as Administrator and then run:

Import-Module ServerManager
Add-WindowsFeature Web-ISAPI-Filter,Web-WMI,Web-Asp-Net

Note this post refers only to Windows 2008 R2. I haven’t checked if requirements are different for Windows 2008 (without R2) servers. They are, however, detailed in the TechNet articles linked above.

Enjoy!

Originally posted at http://blogs.technet.com/bshukla


Script to configure static ports on Exchange Server 2010

There is nothing new about this. If you have been reading about Exchange Server 2010 or have it deployed with hardware load balancer, chances are, you have read how to configure static ports on Exchange Server 2010 on TechNet Social wiki for Exchange 2010. Chances are that you have also used my script (referenced in the post above) to set static ports on your servers. Lastly, chances are that you have read all about it on my previous post here.

If so, why am I even talking about it today?

Well, if you haven’t noticed a few things already, the way you change ports is different in RTM and SP1. My script didn’t account for SP1 originally when it was written. Did SP1 even exist then?

The other reason is my nature of always learning something and making things better! I noticed how my code was inefficient now that I know a few more things about PowerShell (yeah that’s not funny). I decided to write it more efficiently and that basically meant a complete overhaul of my old script.

The new script is now more user friendly! It uses cmdletbinding and comment based help. It means, for you as a user, you can just type:

Get-Help .\Set-StaticPorts.ps1 -Examples

or

Get-Help .\Set-StaticPorts.ps1 -Full

The script now validates parameters using ValidateRange and ValidateScript. I think that’s cool! It also uses 59531 and 59532 by default now. How about using recommended ports instead of random ones I used in my previous script? I think that’s even more cool!

The script uses all the right write-* cmdlets now instead of write-host. So now you can use tee-object and won’t end up with an empty output file. Yes, you lose the cool colors I used with write-host, but hey, you are trying to set ports on your Exchange Server 2010. For colors you would go see Macy’s Fireworks on New Year, right?

Oh and last but probably the most important change is inclusion of –auto and –whatif functionality!

-WhatIf is obvious. Script will tell you what it is doing without actually making any changes.

-Auto will automatically find all your Exchange 2010 CAS servers and Exchange 2010 Mailbox servers that are hosting Public Folders. It will then change ports on CAS Server for RPC CA service and Exchange AB service. On Mailbox servers it will only change RPC CA ports as Exchange AB service doesn’t exist on Mailbox only role.

If you combine all this with –Force, you can also silence the script. It won’t ask you for any confirmation and will change ports you specify (or use defaults) and restart the services! Isn’t that awesome!

So go download the script from here: Set-StaticPorts.ps1 and give it a go. As always, let me know if you find any issues and I will be happy to fix it.

Originally posted at http://blogs.technet.com/bshukla


PowerShell script to edit remote registry

Did you ever want to modify your registry or add a key/value pair to the registry? Wished there was a script to help you do that? Even better, wished it could run remotely without a PowerShell WinRM listener configured on the target server?

I had a custom script that would modify a certain registry entry but it was inflexible, and in my recent rewrite of another script, I wanted more flexibility. So out of necessity, I decided to rewrite my registry script and made it an independent script with a lot of flexibility.

Using this script, you can now run it like this:

.\Set-RemoteRegistry.ps1 -Key SYSTEM\CurrentControlSet\services\AudioSrv\Parameters -Name ServiceDllUnloadOnStop -Value 1 -Type DWord

If you want to suppress prompts, you can use the -Force parameter like this:

.\Set-RemoteRegistry.ps1 -Key SYSTEM\CurrentControlSet\services\AudioSrv\Parameters -Name ServiceDllUnloadOnStop -Value 0 -Type DWord -Force

This script is also a good example of cmdletbinding and support of whatif. I still think use of Whatif in scripts has its limitations, as is apparent in this script (without adding more code to it to work around that limitation).

The script is also a good example of how you can use parameter validation right in the parameter declaration. This way you can avoid if..then code blocks to validate parameter inputs. What a wonderful discovery, I gotta thank PowerShell team for this.

So go ahead, get the script Set-RemoteRegistry.ps1 here and if you find any issues, let me know. Have Fun!
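The features named in this post and in the static ports post above (cmdletbinding, -WhatIf, -Force, and validation attributes in the parameter declaration) fit together as in the sketch below. This is an added example and not the author's Set-RemoteRegistry.ps1: the function name and parameter layout are hypothetical, it writes only under HKEY_LOCAL_MACHINE, and it assumes the Remote Registry service is running on the target and the caller has rights to the key.

```powershell
# Added example: remote registry write over the Remote Registry service (no WinRM).
function Set-RemoteRegistryValue {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [ValidateNotNullOrEmpty()]
        [string]$ComputerName = $env:COMPUTERNAME,

        # Path relative to HKLM; reject a hive prefix or a leading backslash here
        # instead of in an if..then block inside the body.
        [Parameter(Mandatory = $true)]
        [ValidateScript({ $_ -notmatch '^(HKLM|HKEY_|\\)' })]
        [string]$Key,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Name,

        [Parameter(Mandatory = $true)]
        $Value,

        # Only names that exist in Microsoft.Win32.RegistryValueKind are accepted.
        [ValidateSet('String', 'ExpandString', 'DWord', 'QWord', 'MultiString', 'Binary')]
        [string]$Type = 'String',

        [switch]$Force
    )

    # -Force suppresses the confirmation prompt unless -Confirm was given explicitly.
    # -WhatIf still wins: ShouldProcess returns $false and nothing is written.
    if ($Force -and -not $PSBoundParameters.ContainsKey('Confirm')) {
        $ConfirmPreference = 'None'
    }

    $kind   = [Microsoft.Win32.RegistryValueKind]$Type
    $target = "\\$ComputerName\HKLM\$Key\$Name"

    # In this example -WhatIf also skips the remote connection, so a dry run
    # does not prove that the key exists or that access would be granted.
    if ($PSCmdlet.ShouldProcess($target, "Set $Type value to '$Value'")) {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        try {
            $subKey = $hive.OpenSubKey($Key, $true)   # $true = open for writing
            if ($null -eq $subKey) {
                throw "Key 'HKLM\$Key' was not found on $ComputerName."
            }
            try {
                $previous = $subKey.GetValue($Name)
                $subKey.SetValue($Name, $Value, $kind)
                # Return the old and new value so the change can be logged or reverted.
                New-Object PSObject -Property @{
                    ComputerName  = $ComputerName
                    Key           = "HKLM\$Key"
                    Name          = $Name
                    PreviousValue = $previous
                    NewValue      = $subKey.GetValue($Name)
                }
            }
            finally { $subKey.Close() }
        }
        finally { $hive.Close() }
    }
}

# Dry run using the same key and value as the example in this post:
Set-RemoteRegistryValue -Key 'SYSTEM\CurrentControlSet\services\AudioSrv\Parameters' `
    -Name ServiceDllUnloadOnStop -Value 1 -Type DWord -WhatIf
```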

Originally posted at http://blogs.technet.com/bshukla


Mythbusters–Exchange Server 2010 and PowerShell Remoting

A misconception that WinRM listener needs to be configured in order to be able to connect to Exchange Server 2010 had popped up a couple times in my conversations recently so I decided to clear the confusion. Guest blogging for my friends at IT Pro Africa, I have written the details on the blog post here: http://itproafrica.com/technology/exchange/exchange-server-2010-and-powershell-remoting/

Check it out and feel free to post comments either there or directly here.

Originally posted at http://blogs.technet.com/bshukla


Remembering 9/11/2001

While it is easy for us grown ups to get used to all the chatter on radio and television and not pay enough attention to anything that isn’t of utmost importance to our personal lives or goals, my 5 yr. old today reminded me of why a 5 yr. old is better than grown ups.

While driving him around town on errands, as I usually do, I was listening to the public radio broadcast on WHYY. While it was good conversation, it was more or less a blur to my grown up brain and while sobering, it wasn’t heartfelt. But to my 5 yr. old it was a lot more. I sensed that as soon as he started asking endless questions. All very innocent, all very touching. He asked me what memory meant when he heard “sonic memorial” on radio. He asked me why they won’t build two towers now. And when I ignorantly said I don’t know, he said because they have built a fountain there. That’s when it struck me how ignorant I was. While he was listening to the same radio and watching the same news on TV as I was, he was actually the one paying attention!

What touched me the most is when he said when he grows up, he wants to start a company in L.A. (not sure why he picked that) and will build twin towers everywhere except in New York city because they have a fountain there! It sent a shockwave through me. How a kid, who has no idea of the magnitude of the events that unfolded on that unforgettable morning, wanted to do so much for a memory!

That’s when I woke up and decided to create a picture to tell the story.

I am not an artist so I have used pictures I came across from image search on search engines and if I am violating any copyrights unknowingly, I hope the authors will understand that I have no intention of making this image available for sale. I just want to do this for my child and his endless curiosity. God bless him.

What I am sharing here are some outcomes of my numerous attempts with two formats; one for desktop wallpaper and one for print (8×10 format). Feel free to download for personal use. Please do not try to sell out of respect for the victims. I claim no copyright to these photographs. If I have used your photograph and you don’t want me to use it for this good cause, let me know and I will immediately remove it.

Oh and if you want to know how did I create this collage, check out Microsoft Research AutoCollage.

Originally posted at http://blogs.technet.com/bshukla
