Microsoft Exchange and Remote Desktop Services Specialists

SEMblog

Microsoft Exchange Server and
Blackberry Enterprise Server news, views and fixes.

A New Take on the Exchange Management Shell Startup - Keberos Error

I was recently asked to look at an Exchange server giving the common PowerShell connection failure due to Kerberos authentication. 

The following error occurred while attempting to connect to the specified Exchange server 'rpi-exchange.rp.local':

"The attempt to connect to http://rpi-exchange.rp.local/PowerShell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The connection to the specified remote host was refused. Verify that the WS-Management service is running on the remote host and configured to listen for requests on the correct port and HTTP URL. For more information, see the about_Remote_Troubleshooting Help topic. "

The usual reasons for this error are well documented and I am not covering them here. After spending an hour going through the usual suspects, I started to look for anything else, as this was giving a Connection Refused error, which wasn't hugely documented past the Remote PowerShell permission. 

I then had a brainwave. I was working on a system in a school. Schools have pretty restricted Internet access in most cases. This usually means a proxy. 

Netsh winhttp show proxy 

That command immediately showed there was a proxy, running

Netsh winhttp reset proxy

Cleared the proxy settings and allowed the Exchange Management Console to start correctly. 

The client was then advised to check their proxy configuration settings, specifically the exceptions list so that the correct ones were in place, as I feared that next time Group Policy applied the proxy settings, the change would be reset. 

Exchange 2010 Service Pack Support Dates

From conversations with clients, it would appear that a lot of people are unaware that Exchange 2010 Service Pack 1 is no longer supported.

I am still seeing clients who haven't upgraded. These range from SBS users right up to multi site Enterprise clients. 

The Microsoft support policy on service packs is that when a new service pack is released, the previous service pack only is supported for a further 12 months. 

The support of Exchange 2010 SP1 ended in January 2013, Service Pack 2 ends in April of 2014. 

If you are still on the original release, known as RTM, then support ended in November of 2011. 

This shouldn't be confused with support of the product Exchange 2010, which will be supported (as long as it is on the latest service pack) until 2015, with extended support until 2020. 

The full table for support can be seen here:
http://semb.ee/e2010dates

If you are curious about Exchange 2007, then those dates can be seen here:
http://semb.ee/e2007dates

 

Free BES 5 Upgrade for BES 4.1 Users

Still using BES 4.1? Then this blog posting will be of interest to you. 

There were lots of announcements from Blackberry last week during their convention, but one that probably got buried in all of the handset news is probably of interest to Exchange administrators. 

If you are still on BES 4.1 then you can now get a free upgrade to BES 5. That is the full BES, not BES Express. 

http://uk.blackberry.com/business/blackberry-10/blackberry-10-ready/upgrade-path.html

You can use the transporter suite to migrate to the new version of BES with almost no downtime for the end users. 

Note - this is the full BES 4.1, not the older Professional or other free options. If you are using BPS then you should move to BES Express.

The reason for Blackberry doing this is to encourage moves to Blackberry 10 devices. One of the features of the BES 10 version is able to manage both Blackberry 10 and older devices from a single interface. However for that to work the older devices need to be on a BES 5 server. 

If you are using BES 4.1 now is the time to upgrade.

If you have devices still using OS 4.x then it would also be a good time to look at upgrading those, at least the OS, but preferably the device as well. 

If you are in the UK, then I can assist you with this upgrade, please use my business web site to contact me: http://www.sembee.co.uk/ 

 

Where to get free support for Microsoft Exchange Server

If you are having problems with your Exchange server, you have a number of sources for assistance. 

You can Google for the problem, and in many cases this will bring up something that can assist you.

If you have a fairly specific problem though, you might need to actually explain it to someone to get assistance. For that you have two main sources. 

1. Microsoft Support - this is of course a chargeable solution. 

2. Peer to peer support. 

The second option is very popular and is where you can get assistance from some of the top Exchange experts. Exchange MVPs (like myself) post in peer to peer locations, as do some Microsoft employees. 

Where to find peer to peer support

With the demise of the Microsoft Newsgroups, peer to peer support pretty much comes in two forms. 

  • Forums
  • Email Lists

Email Lists

One of the most active email lists was hosted by Sunbelt Software, who were acquired by GFI. GFI have now announced the lists are going away, so the new list can be found at "My IT Forum" http://myitforum.com/myitforumwp/services/email-lists/  

Yahoo Groups also have email lists for each version of Exchange, however these appear to be very low traffic. 

Use an Outlook.com account or a public folder to store the list traffic - they can get very busy and by putting the content in to a separate place it will keep it from your main email. 

Forums

There are lots of forums where you can get support for Microsoft Exchange. 

Microsoft Technet

Exchange 2013: http://social.technet.microsoft.com/Forums/en-US/category/exchangeserver

Previous Versions: http://social.technet.microsoft.com/Forums/en-US/category/exchangeserverlegacy 

Very busy forums, which are monitored by Microsoft staff. However there are a lot categories therefore working out where to post can be a challenge. 

Experts Exchange

The Exchange section is very active and is one of the main places you will find me posting. Contrary to popular belief, you don't need to pay to either see the solutions or post a question. A free account can be created here: http://semb.ee/ee

Petri

Exchange 2000/2003: http://www.petri.co.il/forums/forumdisplay.php?f=12 

Exchange 2007/2010/2013: http://www.petri.co.il/forums/forumdisplay.php?f=36  

Another forum where you will find me posting, I also moderate the Exchange forums. Not quite as busy as some, but knowledgeable people post. 

Msexchange.org

http://forums.msexchange.org/ 

Another forum divided in to categories. 

There are other forums out there, but have very low traffic, which means your question may go unanswered. 

You can also find groups on Linked In, if you have an account there. 

More ways to get assistance can be found on my list of Exchange resources at http://exbpa.com/ 

DMARC

You may have heard of an email initiative called DMARC, which is supported by many of the major email providers. What is DMARC and how does it benefit Exchange server administrators.?

What is DMARC?

DMARC - Domain-based Message, Authentication, Reporting and Conformance is basically a standardisation of how is email is handled by a number of email authentication mechanisms such as SPF. 

As an email server admin the interesting part it introduces is the reporting aspect. 

History

Little bit of history to begin with. 

Spam has been an on-going problem for over 20 years and it was identified that one of the most common issues with spam is spoofing - where an email is sent with the From address being inaccurate. 

One of the initial ways to try and deal with that issue was SPF - Sender Policy Framework, also known as Sender-ID. This uses DNS records to indicate what IP address and hosts can send email for a domain - the idea being that by putting additional records in your own DNS, you can tell the world where your email should be coming from.  

As an email server admin, SPF had a number of drawbacks. 

The first one was that it had zero effect on the amount of spam that you received yourself. For most email server administrators, that is all they are worried about. 

The other major drawback is that if you did implement the SPF DNS records, you had no way of knowing if it was effective or not. The lack of feedback means that most SPF records are very conservative in configuration, so that people don't block legitimate email. 

DMARC Features

There are two key features of DMARC.

First, it tells the major providers what to do with email messages that are protected by SPF records in a standard way. It takes the guesswork out of the process. 

Secondly, is to provide the administrator of the email domain with reports (in a standard XML format) of whether email has been blocked or not. Reports come from a number of major email providers, including Google, Hotmail, Yahoo and AOL. It also tells the major providers what to do with email if they fail the SPF records checks. 

DMARC also supports Domain Keys, but their implementation is limited so not covered in this article. 

DMARC protects over 60% of consumer mailboxes, so if you are emailing a lot of home users then you will get results from deploying it. 

Setting up DMARC to get the reports

The reports are probably the most interesting aspect and this is what this blog is mainly about. 

There are three steps to the process. 

1. Setup your SPF records correctly.

2. Setup an email address for receiving the reports.

3. Setting up the DNS records. 

SPF Record Setup

For DMARC to work correctly, you need to have SPF records setup in the correct way. A lot of SPF records have been configured with ~all parameter, which basically means that any server can send email for that domain. That needs to be replaced with specifics. 

The easiest way to get the SPF records setup correctly is to use a tool: http://spfwizard.com/

You need to list everything that could send email as your domain. If you are hosting your own server, then using the MX record method might be enough. However if you send email via a smart host, then the smart host will need to be listed. Don't forget to include any web servers that might be sending email based on scripts. 

You can then setup the records to effectively report only, so take no action. That will allow you to build up a picture of what is happening before you implement blocking procedures. That DMARC standard was written to allow this exact scenario, so that you can build up confidence in the results. 

Email address for the reports

The email address that receives the reports goes in to DNS entries so could be queried and then used to send spam (oh the irony). Therefore I would suggest that you setup a specific alias or group (dmarc@example.com) which can be changed if it starts to be abused. 

There are actually two types of messages that you can receive - reports and status messages. You can use the same email address for both. 

DNS records

The final step is to configure the DNS record. Again an online wizard is the easiest way to do this, which will generate the record in the correct format. 

http://www.unlocktheinbox.com/dmarcwizard.aspx 

With the record text created, you just need to create a new TXT record in your domain and paste the text. Watch that some DNS providers do not want the record enclosed in "". 

After about 48 hours, you will start to get report emails. These will be zipped up and attached to the email. 

Reading the Reports

The reports are XML, so might not make a huge amount of sense. Fortunately web sites which can interpret these reports have been created. 

The way that these web sites are designed to work is to put an email address they provide in to your DMARC record. What I prefer to do is take that email address and put it in to a mail enabled contact in Exchange, then add it to the group I created in the second step above. This group can then include an internal recipient as well so I can see the reports are coming in. 

DMARC Analysis

http://dmartian.com/ 

http://www.dmarcanalyzer.com/

What to do with the results

After you have had DMARC running for a little while you will be able to see if email is coming from other places and needs to be included in the SPF records. As you refine the PSF records and your message delivery you will be able to move to DMARC settings that say to reject the messages. 

However the results can also give you a good idea of how your domain is being used.

I implemented DMARC with a client in late 2012. After a few weeks we noticed that a Dutch server was coming up as a source. The client identified that an ex member of staff was sending out email using addresses on their domain. They were able to stop this, plus using DMARC able to ensure the messages were blocked. 

More Information

The dmarc project web site is at http://www.dmarc.org/ 

The FAQ explains in more depth what the project does: http://www.dmarc.org/faq.html