Exchange 2007: MSExchangeIS 9554

I encountered this error in the Application log of an Exchange 2007 server:
EntryType          : Warning
EventID            : 9554
Message            : Unable to update Mailbox SD in the DS. Mailbox Guid: 1d8768d9-cd02-4746-9c16-d6a212b4e5ea. Error Code 0x8004010f
Category           : General
CategoryNumber     : 6
ReplacementStrings : {1d8768d9-cd02-4746-9c16-d6a212b4e5ea, 0x8004010f}
Source             : MSExchangeIS
TimeGenerated      : 09.11.2007 12:23:22
TimeWritten        : 09.11.2007 12:23:22
UserName           :
To find the mailbox causing this error you can use the following Exchange Management Shell command:
Get-MailboxStatistics | where { $_.MailboxGuid -eq '1d8768d9-cd02-4746-9c16-d6a212b4e5ea' } | ft DisplayName,MailboxGuid
Change the GUID in the command to match the code you get in the error.
I love PowerShell!
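
When the warning recurs for several mailboxes, the lookup can be done for every 9554 event in one pass. The following is an added example, not part of the original post; the function name and the default of 5000 log entries are assumptions, and it relies on the ReplacementStrings layout shown in the event above.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the mailbox server. Resolve-Event9554Mailbox is a hypothetical name.
function Resolve-Event9554Mailbox {
    param([int]$Newest = 5000)   # number of recent Application log entries to scan (assumed)

    # In event 9554, ReplacementStrings[0] is the mailbox GUID and [1] the error code.
    $events = @(Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { $_.Source -eq 'MSExchangeIS' -and $_.EventID -eq 9554 })
    if ($events.Count -eq 0) { return }

    # Read the mailbox statistics once and index the display names by GUID.
    $byGuid = @{}
    Get-MailboxStatistics |
        ForEach-Object { $byGuid[$_.MailboxGuid.ToString()] = $_.DisplayName }

    # One output row per distinct GUID. Get-EventLog returns newest entries first,
    # so the first member of each group is the latest occurrence.
    $events | Group-Object { $_.ReplacementStrings[0].ToLower() } |
        Select-Object @{ Name = 'MailboxGuid'; Expression = { $_.Name } },
                      @{ Name = 'DisplayName'; Expression = {
                            if ($byGuid.ContainsKey($_.Name)) { $byGuid[$_.Name] }
                            else { '(no mailbox with this GUID on this server)' } } },
                      @{ Name = 'ErrorCode';   Expression = { $_.Group[0].ReplacementStrings[1] } },
                      @{ Name = 'Count';       Expression = { $_.Count } },
                      @{ Name = 'LastSeen';    Expression = { $_.Group[0].TimeGenerated } }
}

Resolve-Event9554Mailbox | Format-Table -AutoSize
```

A GUID reported as not found belongs to a mailbox that Get-MailboxStatistics did not return on the server where the function was run.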

DS Inconsistency?

DCDiag (included in Windows Server 2003 Support Tools) reported a strange error at a site the other day:
C:\>dcdiag
Domain Controller Diagnosis
Performing initial setup:
***ERROR: There is an inconsistency in the DS, suggest you run dcdiag in a few moments, perhaps on a different DC.
This was accompanied by the following event in the Directory Services log on all DCs in the forest:
EntryType          : Error
EventID            : 1550
Message            : The following site has no NTDS Site Settings child object.
Site: CN=SITE1,CN=Sites,CN=Configuration,DC=domain,DC=com
User Action
Create an NTDS Site Settings object for this site using Active Directory Sites and Services.
Category           : Knowledge Consistency Checker
CategoryNumber     : 1
ReplacementStrings : {CN=SITE1,CN=Sites,CN=Configuration,DC=domain,DC=com}
Source             : NTDS KCC
TimeGenerated      : 11/28/2007 5:41:06 PM
TimeWritten        : 11/28/2007 5:41:06 PM
UserName           : NT AUTHORITY\ANONYMOUS LOGON
Sure enough, the NTDS Site Settings and, although not reported in the log, the License Site Settings object were missing from the site. After I recreated them and replicated the forest, DCDiag ran successfully and the messages in the Event log disappeared.
As a footnote, the missing NTDS Site Settings object also resulted in the site not having an ISTG server and thus not being able to create inter-site replication objects. The site could only replicate with the other sites because of the existing connection objects; new objects could not be created.

IFilters and Windows Vista x64

I’m a big fan of x64, and that’s why I’m running Windows Vista x64 on all my computers (which support it). The support for x64 from hardware vendors and ISVs is very good, but unfortunately there are some things that are not ready yet. One of those things is IFilters. IFilters are used by the Windows Search service on Windows Vista, and by Desktop Search on Windows XP. There are a lot of IFilters out there, but unfortunately no IFilters compiled for x86 will work on x64. For me, that means that I lose the ability to index, among other things, TIFF files. That represents a major problem for me because I have a very large document library in TIFF format. The real kicker is that Microsoft’s own IFilters that are included with Office 2007 are still x86 and will not work with x64. According to Microsoft, they are working on a fix, but no one knows when this will be available. In the meantime, I have been able to track down a few x64 filters, e.g. the ZIP IFilter to index ZIP archives, and an x64 IFilter for PDF from Foxit Software.
Get them here:
UPDATE: Microsoft have just released a filter pack for several file formats. The package comes for both x86 and x64. It is supported for installation on Exchange 2007, MOSS 2007, WSS 3.0 etc. Get it here:
Morgan

What do Ctrl+C and USB connectors have in common?

Nothing, except that I had a major revelation regarding each of them recently. It’s almost embarrassing to admit this, but here goes:

Ctrl+C copies the text from a dialogue box to the clipboard

This feature has been a part of Windows for a long time, but I have not known about it. Whenever a message box is displayed, pressing Ctrl+C copies the entire text from the box, with formatting, to the clipboard. What a tremendously useful feature!

USB connectors should always have the USB logo pointing up

It’s always a hassle plugging in USB devices. I always try to insert the connector the wrong way the first time, without fail. I have always been amazed that the USB group didn’t come up with a better system for this, given the popularity of USB. Turns out, they have. Every USB device is required to have the USB logo on its connector, and that logo should always be pointing up when inserting the connector. If the socket is mounted vertically, the logo should always be towards you. After learning about this I quickly discovered that a couple of my devices were non-compliant and did not feature a USB logo at all. I’m not the only one that wasn’t aware of this requirement, apparently.

So there you have it. Two incredibly useful bits of information, and I didn’t know about either of them. I’ll go and hide now…

Slow performance in Outlook Web Access when published through ISA Server 2006

I recently had a strange experience at one of my customers. Suddenly the performance of OWA when accessed through their ISA 2006 server was horrible. Using OWA to read messages was possible, but creating a new message with an attachment was impossible. The operation would hang with the message Uploading you attachments indefinitely. After looking at all the logs, the ISA policies and the IP settings, I checked the speed and duplex settings on the NICs. We had recently switched the NICs in this server to troubleshoot another issue. We switched the Internal NIC for the External NIC, by switching the IP addresses and the cabling. I had evidently forgotten about the speed and duplex settings on the NICs, because the Internal card was now set to 100Mbps/Full Duplex and the External was set to Auto. The settings should have been switched with the rest of the config. After I set the Internal card to auto and the External card to 100Mbps/full everything started working again. Funny how a setting like this can have such an impact. I thought that once the speed and duplex settings were negotiated with the switch it was no longer relevant. There are known issues with mismatched speed/duplex settings.

Recovering hidden items in ExBPA

The Exchange Best Practices Analyzer is a great tool to check your Exchange setup. You get a lot of excellent guidance about various aspects of Exchange, presented as items of different severity. In the results list of a scan you can select to hide items that you do not want to be alerted about the next time the tool is run. A couple of times I have pressed the wrong choice in that list and subsequently hidden items I wanted to investigate. I could not find a UI to recover those hidden items and that prompted me to try to find out by myself. Turned out it was very easy.

The items you have suppressed are stored in the registry. The path is:

HKCU\Software\Microsoft\Exchange\ExBPA

The value is called SuppressionData and has a string (REG_SZ) data type. All the items you have suppressed are listed in this value and you can recover them by deleting individual entries or all of them. The entries are comma separated.

Here is a sample of the data in SuppressionData (data modified for readability):

C:\>reg query HKCU\Software\microsoft\exchange\exbpa /v SuppressionData

HKEY_CURRENT_USER\Software\microsoft\exchange\exbpa
SuppressionData
REG_SZ
fDisclaimerWithoutException,fMaxMsgOutgoingNotSetOrganizationTEST-ORG

In the ExBPA you can select to hide an item for a particular instance or for all instances. The choices in the UI are “Do not show me this item again for this instance only” and “Do not show me this item again for all instances” respectively. Which choice you make is reflected in the registry by appending the name of the instance you were working with to the name of the item. In the above sample the fDisclaimerWithoutException value will hide the disclaimer exception item for all instances, while the fMaxMsgOutgoingNotSet item is hidden only for the TEST-ORG organization.

After you have manipulated the SuppressionData value in the registry you have to restart ExBPA for the changes to take effect.
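
The manual edit described above can be scripted so that a single hidden item is restored without retyping the whole string. This is an added example, not part of the original post and not an ExBPA feature; the two function names are hypothetical, and the registry path and value name are the ones given above.

```powershell
# Added example: list and restore items hidden in ExBPA by editing the
# comma-separated SuppressionData value described in the post.
# Get-ExBpaSuppressedItem and Restore-ExBpaItem are hypothetical names.
$ExBpaKey = 'HKCU:\Software\Microsoft\Exchange\ExBPA'

function Get-ExBpaSuppressedItem {
    # Returns the suppressed entries as strings; nothing if the value is absent or empty.
    $prop = Get-ItemProperty -Path $ExBpaKey -Name SuppressionData -ErrorAction SilentlyContinue
    if (-not $prop -or -not $prop.SuppressionData) { return }
    $prop.SuppressionData.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Restore-ExBpaItem {
    # $Pattern is a wildcard matched against each entry. Because instance-specific
    # entries have the instance name appended, 'fMaxMsgOutgoingNotSet*' matches the
    # item for every instance; the default '*' restores everything.
    param([string]$Pattern = '*')

    $all      = @(Get-ExBpaSuppressedItem)
    $restored = @($all | Where-Object { $_ -like $Pattern })
    $keep     = @($all | Where-Object { $_ -notlike $Pattern })

    if ($restored.Count -eq 0) {
        Write-Warning "No suppressed entry matches '$Pattern'; registry left unchanged."
        return
    }

    # Write back only the entries that should stay hidden.
    Set-ItemProperty -Path $ExBpaKey -Name SuppressionData -Value ([string]::Join(',', $keep))

    # Output the entries that were removed, so the change can be reviewed or undone.
    $restored
}

# Show what is currently hidden, then restore one item for all instances.
Get-ExBpaSuppressedItem
Restore-ExBpaItem -Pattern 'fMaxMsgOutgoingNotSet*'
```

As with a manual edit, ExBPA has to be restarted before the restored items appear again.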

Virtual Server 2005 and Service Principal Names (SPN)

I recently had two warnings in the Virtual Server log on my Virtual Server 2005 R2 host:
Type:         Warning
Event:        1130
Date Time:    27.06.2007 22:28:42
Source:       Virtual Server
ComputerName: HOME-VSHOST
Category:     Virtual Server
User:         NT AUTHORITY\NETWORK SERVICE
Description:  The service principal names for Virtual Server could not be registered. Constrained delegation cannot be used until the SPNs have been registered manually.  Error 0x800706ba – The RPC server is unavailable.
Type:         Warning
Event:        1029
Date Time:    27.06.2007 22:28:42
Source:       Virtual Server
ComputerName: HOME-VSHOST
Category:     Remote Control
User:         NT AUTHORITY\NETWORK SERVICE
Description:  The service principal name for the VMRC server could not be registered. Automatic authentication will always use NTLM authentication.  Error 0x800706ba – The RPC server is unavailable.
For some reason, the Virtual Server service, running as Network Service, was unable to add the necessary Service Principal Names (SPN) to the computer object of the Virtual Server host in Active Directory. This is a known problem when Virtual Server is running on a Domain Controller (http://support.microsoft.com/kb/890893/en-us), but this machine was a member server.
To resolve this problem you run the following commands:
setspn -A vmrc/<NetBIOS name of VS machine>:5900 <NetBIOS name of VS machine>
setspn -A vmrc/<FQDN of VS machine>:5900 <NetBIOS name of VS machine>
setspn -A vssrvc/<NetBIOS name of VS machine> <NetBIOS name of VS machine>
setspn -A vssrvc/<FQDN of VS machine> <NetBIOS name of VS machine>
Restart the Virtual Server service and the errors should be gone.

More on certificates; you cannot use the Certificate Services Web enrollment pages together with Windows Vista

Continuing my posts about the strange world of PKI and certificates.
Today I browsed over to my CA using my Windows Vista Ultimate machine, only to receive this message:
ERROR:
The certificate enrollment page you are attempting to access cannot be used with this version of Windows. To enable Web certificate enrollment for clients running Windows Vista, your administrator must update all Windows CA Web enrollment pages. To learn more about this issue and the steps needed to update Web enrollment pages to support all versions of Windows, see:
Turns out that you have to copy the Web Enrollment pages from Longhorn Server (Windows Server 2008) to use Vista and web enrollment.

Information wants to be free!