Sembee | Sembee - BlogBlog of Exchange Consultant Simon Butler

0

Exchange 2016, Windows 2016 and Macs

Now starting to see more implementations of Windows 2016 and Exchange 2016, so odd issues are starting to come to light.

One that I have seen a few times is a problem with Macs connecting to EWS on the 2016 versions of Exchange and Windows.

Going through the logs, there are 401 errors (unauthorised), yet the same credentials work with OWA.

Further troubleshooting with the web server and a hint on an Apple forum suggested that Windows 2016 was using HTTPS 2 by default and that the Mac was having some problems working with that for authentication.
The fix was to downgrade to HTTP 1.1.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

New DWORD values

EnableHttp2Cleartext
EnableHttp2Tls

Set both to a value of 0.

The first one is for HTTP, the second for HTTPS. I set both, even though in most cases only HTTPS is allowed to the server and being used.

Reboot the server (restarting the IIS services does not appear to work).

Here is the registry value content to create a reg file for easy installation:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp2Tls"=dword:00000000
"EnableHttp2Cleartext"=dword:00000000

From an operational point of view, I cannot see any loss of functionality. OWA is designed to work with Windows 2012 R2 which still uses HTTP 1.1. In very large environments you might see a small performance hit because of the loss of the optimisations provided by HTTP 2, but most systems will not see anything.

0

Exchange 2016 DAG - Move Active Database Failed

Spent most of the week dealing with a flapping DAG database - flipping between two servers, which turned out to be a bad network cable.

Anyway, while trying to get the databases to activate correctly during troubleshooting I hit this lovely error (real server name/database changed).

Error: Mailbox Database 1

An Active Manager operation failed. Error: The database action failed. Error: Move for database 'Mailbox Database 1’ was suppressed because too many moves have happened recently. 3 moves have happened within 01:00:00. [Database: 'Mailbox Database 1', Server: exch1.example.com]

Basically tried to activate a database three times in a hour and Exchange stops it from happening again.

Off to PowerShell and skip the checks:

Move-ActiveMailboxDatabase -Identity "Mailbox Database 1" -SkipMoveSuppressionChecks -ActivateOnServer exch1.example.com

Fixed

0

Greylisting and Honeypot IP Whitelists - Vamsoft ORF

Many years ago I wrote about how I was getting good results with the anti-spam technique greylisting. It is still a technique I use with many clients.

However with the increasing use of cloud based services, I have found that greylisting can delay legitimate traffic, because the email can be delivered from different IP addresses on each attempt.

While Vamsoft does have an option to Accept delivery retries from the same 24 subnet, this is not always effective because the large providers have bigger IP address pools.

Therefore I have started whitelisting the major providers within the Vamsoft product.

Another feature I use with Vamsoft is their Honeypot function - the same lists for greylisting I am using with this feature as well - as a single bad address will cause a lot of senders to get blocked.

Getting the Lists of IP Addresses

The first thing to do is get the IP addresses. I am putting in Office365, Google Apps, Mimecast and Amazon SES. If you have senders on other cloud providers then you should add those addresses as well.

For Office365 and Mimecast, the list of IP addresses is on their web site.

Office365: https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

Mimecast: https://community.mimecast.com/docs/DOC-1134

Google Apps

For Google apps, you need to do an NSLOOKUP to get the current list.

First query their SPF record:

nslookup -q=TXT _spf.google.com 8.8.8.8

Then query each result, which at the time of writing was this:

nslookup -q=TXT _netblocks.google.com 8.8.8.8

nslookup -q=TXT _netblocks2.google.com 8.8.8.8

nslookup -q=TXT _netblocks3.google.com 8.8.8.8

Although at the time of writing, Netbblocks 2 is ipV6, which you may not need.

Amazon SES:

Similar to Google, query their DNS records:

nslookup -type=TXT amazonses.com | find "v=spf1"

Entering the Lists in to Vamsoft

Once you have the lists, you are ready to put them in to Vamsoft. The GUI I find is a little cumbersome for this task, and if you have lots of servers will take a long time. Therefore modify the configuration file instead.

First, check whether you have any IP addresses in the white list - Blacklists --> Greylisting --> IP Exceptions. If you don't, add one, as this will create the relevant part of the configuration file and the format.

Next, option an elevated command prompt and enter this:

notepad "c:\Program Files (x86)\ORF Fusion\orfent.ini"

Then look for the section

[GreylistingHostExceptions]

The following the format, add the IP addresses like this:

101=V5"23.103.132.0/22","Office365"

The number at the start has to be unique. I usually start at 101 as it will ensure it doesn't conflict with any existing entries - usually creating it in a separate Notepad file and then copying the result in to the configuration file.

Save the configuration file and close it. Finally start the Vamsoft Administration tool and check the list has your addresses in it. If it does, save the file, which will sort out the numbering for you correctly. For the Honeypot feature, repeat above, but instead put the same list of IP addresses in to the section headed

[HoneypotIpExceptions]

Check the lists regularly - as the providers will add additional IP addresses and you need to update them.

0

Self-Contained Exchange Server - Mixing Cloud and On Premise

Over five years ago I wrote about a self-contained environment I built for a small business where they had no office of their own. A new client recently contacted me and asked if I had done anything similar recently, but using more up to date technologies. With the growth of cloud tech, Office365 etc, things have moved on.

This particular request was to provide Exchange for a project which was quite sensitive and the client didn't want to put the data in to Office365, but was quite happy to put it in to a private cloud using a dedicated server. It needed to be completely self-contained. No problem, as that is how I build my labs, so it was just scaled up. This is what I proposed and was deployed at the beginning of September.

Hardware
Dedicated Server rented from a major host here in the UK (I can actually tell you where the server is located). Fairly standard specification, dual RAID 1 arrays, 32gb of RAM.

Software
Installed on to the physical server was VMWARE 6.x.

VM Guests
Into that VMWARE server I installed the following guests

Pfsense. This provided the firewall for the entire environment, and once the builds were complete, the VMWARE admin console was put behind this as well.
Windows 2012 R2 DC (8gb RAM) Fairly obvious one - separating the Exchange server and the domain controller.
Windows 2012 R2 Exchange 2016 (16GB RAM) This was the main Exchange server.

Exchange 2016 Latest version of Exchange, naturally.
GFI Mail Essentials Providing malware, spam and attachment filtering, plus automatic signatures.
SSL Certificate - from http://certificatesforexchange.com/

Observium monitoring appliance from Turnkey Linux (open source) This provides a good overview of the virtual machines. The host was also kind enough to setup a read only user on the IPMI interface of the server.
Windows 10 Pro workstation (4gb RAM) This had Office 2016 installed on it, along with some other tools to allow testing of the implementation from the server itself. It also provides a landing point should one of the end users need to access the server and doesn't have the tools available immediately.

The Windows servers also got the various monitoring tools I use with my Exchange clients. Backup to the cloud, using Exchange aware backup application was also provided.

Microsoft Office

Shortly after deployment, it became apparent that the clients were a complete mixture of Office versions, some of which didn't support the latest version of Exchange. Therefore I proposed, and was accepted, that we used Office365 Business subscription. This provided Microsoft Office for both the Windows machines used by the users, plus their tablets and phones. I integrated the domain I built with their new Office365 subscription providing a single username and password experience - the size of the deployment didn't justify a single sign on implementation. Should someone leave the project, we simply un-licence their Office installation.

Costs?

All numbers correct at the time of writing (September 2016) and are excluding VAT.

Hosted Server: £140 a month
Per user licences: £25 a month (covers Exchange, Windows Server etc)
Office365: £7 a month per user
Server management Fee: £350/month
Setup: £1500 (includes hosting company setup charge and my time).
SSL Certificate: £35/year.

Conclusion

The client has a solution that they can scale up and down as the project progresses, which fulfils their requirements of being a self-contained standalone solution, without the cost of the hardware and software up front. It is also managed for them by Sembee Ltd with responsive monitoring.

0

Removing a Database from Exchange 2010, 2013 and 2016

If you have attempted to remove a database on Exchange 2010 and higher, no doubt you will have seen this error message:

"This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, public folder mailboxes or arbitration mailboxes, Audit mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database . To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database -Archive. To get a list of all public folder mailboxes in this database, run the command Get-Mailbox -Database -PublicFolder. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database -Arbitration. To get a list of all Audit mailboxes in this database, run the command Get-Mailbox -Database -AuditLog. To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox . To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox -Archive. To disable a public folder mailbox so that you can delete the mailbox database, run the command Disable- Mailbox -PublicFolder. To disable a Audit mailbox so that you can delete the mailbox database, run the command Get-Mailbox -AuditLog | Disable-Mailbox. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest . If this is the last server in the organization, run the command Disable-Mailbox -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan -Database ."

This is probably one of the most useless errors in Exchange. It doesn't list all of the command required to check the database is empty, it also listed commands not available in the on premise version of Exchange.

The list of commands to check, is as follows:

get-mailbox -database "Databasename"

get-mailbox -database "Databasename" -archive

get-mailbox -database "Databasename" -arbitration

get-mailbox -database "Databasename" -publicfolder

get-mailbox -database "Databasename" -monitoring

get-mailbox -database "Databasename" -auditlog

Where "Databasename" is the name of the database you are trying to remove and not all commands work on all versions of Exchange.

If any of those come back with results, then you need to move the mailbox off:

Get-Mailbox -Database "Mailbox Database 1" -AuditLog | new-moverequest –targetdatabase "Mailbox Database 2"

After allowing the domain to replicate, you should then be able to drop the database.

SEMblog