
It’s sometimes interesting to know how old your AD forest is and when the various domains were created.  I recently came across a really useful TechNet Blog with a Powershell snippet to do just this.  My version shown below just has some slightly different formatting.

# How old is the forest?
# Domain crossRef objects in the Partitions container carry the creation date of each domain
Get-ADObject -SearchBase (Get-ADForest).PartitionsContainer `
-LDAPFilter "(&(objectClass=crossRef)(systemFlags=3))" `
-pr dnsRoot, nETBIOSName, whenCreated | Sort whenCreated `
| select @{e={($_.DNSRoot)};l="DomainFQDN"}, `
nETBIOSName, @{e={(get-date $_.whencreated -format dd/MM/yyyy)};l="whenCreated"} `
| ft -AutoSize

The output should look something like this:

[Screenshot: check-forestage]

So how old is your forest?

To be honest I’m only writing this one because I know I’ll get confused in the future and will want to refer to something authoritative. :-)

There are two configurable values when considering how to change the Exchange Server 2013 Offline Address Book (OAB) generation schedule from its default of 1 day.  These are:

  • OABGeneratorWorkCycle
  • OABGeneratorWorkCycleCheckpoint

Both are set to 1 day by default.

The values are not well documented and there are conflicting sources on the Internet that describe how they should be set to modify the generation schedule.  From testing, the key value is OABGeneratorWorkCycleCheckpoint.  If you set this down to, e.g., 2 hours, the OAB will be generated every two hours, as the screenshot below clearly shows:

[Screenshot: OAB_WorkCycle]

The command to set the value on all mailbox servers is shown below:

Get-MailboxServer | Set-MailboxServer -OABGeneratorWorkCycle 01:00:00 -OABGeneratorWorkCycleCheckpoint 02:00:00

Hopefully, this clears up the confusion for you as well as me :-)

If you have Send As permissions on another recipient object (e.g. mailbox, distribution group) you have the ability to specify that object’s primary SMTP address as your “From” address when sending from Outlook and Outlook Web App (OWA).  How you achieve this in OWA is not immediately obvious, so here are some (hopefully helpful) screenshots.  The method works for both Exchange 2013 on-premises and Office 365 OWA.

1. In the New Mail pane, click on the three dots to expose additional options.  Select “Show From”.

[Screenshot 002]

2. With the From field visible, right-click the email address shown and select “Remove”.

[Screenshot 003]

3. Click on the drop-down arrow in the From field.  From there select the address you wish to send from/send as.

[Screenshot 004]

4. The address should now appear in the From field.  When you send the email it will send from the address shown.

[Screenshot 005]

That’s all there is to it.  It’s not rocket science, but then it’s not blindingly obvious either.
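Being able to pick another address in the From field depends entirely on who holds Send As on that recipient, so it is worth knowing how to list those grants. The following is an added example, not code from the original post: it assumes the Exchange Management Shell (on-premises) or an Exchange Online remote session is loaded, and the mailbox address is a constructed placeholder.

```powershell
# Constructed placeholder identity; replace with the recipient you want to audit
$Mailbox = "user@example.com"

# Exchange 2013 on-premises: Send-As is an AD extended right on the recipient object.
# Filter out inherited ACEs, deny ACEs and the SELF entry so only explicit grants remain.
function Get-SendAsGrantsOnPrem ($Identity) {
    Get-ADPermission -Identity $Identity |
        Where-Object {
            ($_.ExtendedRights -like "*Send-As*") -and
            (-not $_.IsInherited) -and
            (-not $_.Deny) -and
            ($_.User -notlike "NT AUTHORITY\SELF")
        } |
        Select-Object Identity, User, IsInherited
}

# Exchange Online (Office 365): the same right is exposed through recipient permissions
function Get-SendAsGrantsOnline ($Identity) {
    Get-RecipientPermission -Identity $Identity |
        Where-Object {
            ($_.AccessRights -contains "SendAs") -and
            ($_.Trustee -ne "NT AUTHORITY\SELF")
        } |
        Select-Object Identity, Trustee, AccessControlType
}

Get-SendAsGrantsOnPrem $Mailbox | Format-Table -AutoSize
# For Office 365 use the online variant instead:
# Get-SendAsGrantsOnline $Mailbox | Format-Table -AutoSize
```

Anyone listed in the output can put that recipient's primary SMTP address in the From field exactly as shown in the screenshots above, so unexpected entries deserve a second look.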


Let me start out by saying that I am not an Apple-hater. Nor do I have an irrational fear of their products [incredibly, there is a word for a fear of apples: Malusdomesticaphobia]. Generally, I find Apple’s products to be stylish and simple to use. So why would I find myself suffused with a feeling of schadenfreude upon learning of the bend problem (hashtag #bendgate) with the iPhone 6 Plus?  After some soul-searching I came to the conclusion that my problem has less to do with Apple than with those who slavishly support the company and everything it churns out. In terms of blind faith and unswerving devotion, most religious cults would gladly trade disciples with Apple.

However this unquestioning devotion has come to pass, it is clearly good for business. As a work colleague suggested, Apple could produce a plain cardboard cube and, following the requisite glitzy launch, fans would be camping out all night outside iStores ready to snap them up at $100 a pop.

The zealotry doesn’t stop there as is evidenced in recent Apple-related forums discussing bendgate. If anyone has the temerity to suggest that the bend is a fundamental product flaw they are quickly slapped down.  Here are some examples:

[Screenshots 001 to 008: forum comment examples]

It is interesting and revealing that after the social media storm yesterday surrounding bendgate Apple has yet to comment.  I suspect the execs are too busy roasting the Test Manager’s testicles over an open flame. To a certain extent they don’t actually need to comment. After all, their Apple fan-base is doing a sterling job of defending the indefensible.

The bottom line is that Apple has released a premium product with a fundamental flaw. The right thing to do of course would be to start by issuing an immediate statement indicating that they fully understand the concerns. Then within a couple of days they should issue a statement being clear about how they will address the flaw. If, on the other hand, they attempt to sweep the whole business under the carpet they won’t lose the die-hard fans, but they will certainly lose the middle ground. That way madness (or at least Blackberry) lies.

Samsung, LG, Microsoft and others will be lapping this up, while at the same time furiously flogging their product development and test teams to ensure the same thing doesn’t happen to them.

Bendgate is a story with legs. I can’t wait for the next instalment.

If you haven’t heard that extended support for Windows XP ended earlier this year you’ve clearly been in a coma.  There are a number of well-publicised methods for finding out whether you still have XP machines in your environment.  Here is my own humble (and spectacularly over-engineered) Powershell offering.

#########################################################
#
# Name: Find-XPStillActive.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 23/09/2014
# Comment: PowerShell 2.0 script to find active
# Windows XP computer accounts
#
#########################################################

## Define global variables
# Export file for storing results
$expfile = "c:\xp_still_active.csv"
# Define the header row for the CSV (we will create our own)
$header = "`"name`",`"os`",`"sp`",`"lastlogondate`""
# Consider any account logged on in the last x days to be active
$days = 60
$Today = Get-date
$SubtractDays = New-Object System.TimeSpan $days, 0, 0, 0, 0
$StartDate = $Today.Subtract($SubtractDays)
$startdate = $startdate.ToFiletime()
# LDAP filter settings
$filter = "(&(lastlogontimestamp>=$startDate)(operatingsystem=Windows XP*))"

## Functions
Function Format-ShortDate ($fdate)
{
        if ($fdate) {
            $day = $fdate.day
            $month = $fdate.month
            $year = $fdate.year
            "$day/$month/$year"
        } # end if

} # end function

## Start doing things
# Import the AD module
ipmo ActiveDirectory
# Tidy up any previous copies of the export file 
if (test-path $expfile) {Remove-Item $expfile}
# Add the header row to the export file
Add-Content -Value $header -Path $expfile
# Create an array of computer objects
$active = Get-ADComputer -LDAPFilter $filter -pr *
# loop through the array
foreach ($xp in $active) {
    # Grab the attribute values we need from the AD object
    $nm = $xp.name
    $os = $xp.operatingsystem
    $sp = $xp.operatingsystemservicepack
    $lt = Format-ShortDate $($xp.lastlogondate)
    $row = "`"$nm`",`"$os`",`"$sp`",`"$lt`""
    # Commit the row to the export file
    Add-Content -Value $row -Path $expfile
} # end foreach

## End script

Enjoy!


There was an interesting discussion the other day on the ActiveDir.org mailing list. Someone asked how many values can be stored within the proxyAddresses multivalued attribute in Active Directory. The responses were reasonably consistent, with most people indicating that in Windows 2000 the number was in the range of approximately 800 to 850 and from Windows 2000 the range is approximately 1200 to 1300.

This begs the question of why we can’t be specific about the number. Well, it comes down to how the data is stored within the Active Directory database (ntds.dit). Most of the attribute data for an individual object is stored within a single row in the Data Table within the database. I say “most” because linked attribute data (e.g. member/memberof, manager/directReports, etc.) is kept in a separate table (the Link Table). The AD schema determines how many attributes are available for a particular object and this obviously varies a lot from forest to forest, as does which of those possible attributes actually have populated values. There are also some overhead requirements that vary. All this combines to make it impossible to determine with any accuracy how many values an individual multivalued, nonlinked attribute can have.

Because I have an enquiring mind (some would say “nosey bastard”), I decided to try and hit the limit in my test lab. I did this by running a Powershell script to keep adding SMTP addresses to the proxyAddresses attribute for a user until an exception was thrown. I got to 1192 before I got the “The administrative limit for this request was exceeded” error (see below).

[Screenshot: admin_limit]

As Don Hacherl (former dev lead for AD at Microsoft) pointed out to me on the mailing list, the non-linked attribute limit is a limit across all non-linked attributes on the object. So for example, if I had added a telephone number before running the script then I would have only got to 1191 values on proxyAddresses.

Don also made it clear that under normal circumstances you shouldn’t need to be anywhere near the limit. In his words…

“The limit is supposed to be high enough that the only time you’ll hit it is when you have made an architectural error in your schema usage. Asking questions about the exact number of a limit that you have not yet hit is often a warning sign of your burning desire to make an architectural error in the future.”

I found a Powershell script on Experts Exchange that seemed to be useful for detecting errant objects that have a high number of values within an individual multivalued attribute. I’ve hacked with it a bit and have ensured that it now excludes linked values. Here it is for anyone that is interested.

#########################################################
#
# Name: Find-BloatedObjects.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 18/09/2014
# Comment: PowerShell 2.0 script to
# find objects with an unusually large number of values
# within a non-linked multi-valued attribute
# Credit: Parts of the script are from a solution posted by 
# footech on Experts Exchange here:
# http://tinyurl.com/md3cvzn
#
#########################################################

Import-Module ActiveDirectory
$queryCount = 1000 # adjust this if you need to
$snc = (Get-ADRootDSE).SchemaNamingContext
$dnc = (Get-ADRootDSE).DefaultNamingContext
$def = "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection*"

# Build a lookup of linked attributes once, rather than querying the schema
# for every property of every object. Linked attributes (member, manager, etc.)
# live in the Link Table and are not subject to the non-linked limit, so they
# are excluded from the check.
$linkedAttrs = @{}
Get-ADObject -LDAPFilter "(&(objectClass=attributeSchema)(linkID=*))" `
    -SearchBase $snc -Properties lDAPDisplayName |
    ForEach-Object { $linkedAttrs[$_.lDAPDisplayName] = $true }

# Pull every object in the domain with all populated attributes
$objs = Get-ADObject -Filter * -Properties * -SearchBase $dnc

ForEach ($obj in $objs) {
    #Write-Output "Looking at object $($obj.distinguishedname)"
    # Multi-valued attributes surface as ADPropertyValueCollection properties
    $ADOprops = $obj | Get-Member -MemberType Property `
    | Where-Object { $_.Definition -like $def } `
    | Select-Object -ExpandProperty Name
    foreach ($prop in $ADOprops) {
        #Write-Output "Looking at property $prop"
        If ((-not $linkedAttrs.ContainsKey($prop)) -and (($obj.$prop).count -gt $queryCount)) {
            Write-Output "----------------------------------------------"
            Write-Output "AD Object ""$($obj.DistinguishedName)"""
            Write-Output "has attribute ""$prop"" with a count of $($obj.$prop.count)"
        } # end if
    } # end foreach
} # end foreach

Feedback is, as always, very welcome!


I upgraded a client’s CAS servers recently from Exchange 2007 Service Pack 2 Update Rollup 5 to Service Pack 3 Update Rollup 13 in preparation for upgrade to Exchange 2013.  Following the restart after the Update Rollup had completed I found I could not log into OWA.  Instead I got a blank page with a URL similar to the one shown below.

https://MyCAS/owa/auth/logon.aspx?url=https://MyCAS/owa&reason=0

I found several suggestions for what might be the problem on the web, but the one that worked for me was to run the UpdateOwa.ps1 Powershell script in the Bin folder under the Exchange installation path.

It was required on both CAS servers, so at least it was consistent :-)

When you install a new version of Exchange or apply a Cumulative Update certain AD attributes are updated to reflect the change.  The updates are made in three different directory partitions (also known as naming contexts): Schema, Configuration and Domain.  The following Microsoft TechNet article is a good reference for the different versions and the corresponding attribute values.

http://technet.microsoft.com/en-us/library/bb125224(v=exchg.150).aspx

You can check the values manually... or you could do it the easy way with Powershell.  Here’s a Powershell sample to give you the values across the three partitions (assumes a single domain forest):

# Exchange Schema Version
$sc = (Get-ADRootDSE).SchemaNamingContext
$ob = "CN=ms-Exch-Schema-Version-Pt," + $sc
(Get-ADObject $ob -pr rangeUpper).rangeUpper

# Exchange Object Version (forest)
$cc = (Get-ADRootDSE).ConfigurationNamingContext
$fl = "(objectClass=msExchOrganizationContainer)"
(Get-ADObject -LDAPFilter $fl -SearchBase $cc -pr objectVersion).objectVersion

# Exchange Object Version (domain) - assumes single domain forest
$dc = (Get-ADRootDSE).DefaultNamingContext
$ob = "CN=Microsoft Exchange System Objects," + $dc
(Get-ADObject $ob -pr objectVersion).objectVersion

The output will look something similar to the screenshot shown below (showing the values for Exchange Server 2013 CU5):

[Screenshot: Schema]
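The snippet above assumes a single domain forest. Here is an added example, not from the original post, that extends it to walk every domain in the forest and read the domain objectVersion from each domain’s own PDC emulator; the function name Get-ExchangeDomainVersions is my own.

```powershell
Import-Module ActiveDirectory

# Schema and organisation values are forest-wide, so read them once
$sc = (Get-ADRootDSE).SchemaNamingContext
$schemaVer = (Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$sc" -Properties rangeUpper).rangeUpper
$cc = (Get-ADRootDSE).ConfigurationNamingContext
$fl = "(objectClass=msExchOrganizationContainer)"
$orgVer = (Get-ADObject -LDAPFilter $fl -SearchBase $cc -Properties objectVersion).objectVersion

# The domain value lives in each domain's own "Microsoft Exchange System Objects"
# container, so ask a DC in that domain (its PDC emulator) rather than whichever
# DC this session happens to be bound to.
function Get-ExchangeDomainVersions {
    foreach ($d in (Get-ADForest).Domains) {
        $dom = Get-ADDomain -Identity $d
        $ob = "CN=Microsoft Exchange System Objects," + $dom.DistinguishedName
        $ver = $null
        try {
            $ver = (Get-ADObject $ob -Server $dom.PDCEmulator `
                -Properties objectVersion -ErrorAction Stop).objectVersion
        } catch {
            # Container absent: this domain has not been prepared for Exchange
            $ver = "not prepared"
        }
        New-Object PSObject -Property @{ Domain = $d; ObjectVersion = $ver }
    }
}

"Schema rangeUpper         : $schemaVer"
"Organisation objectVersion: $orgVer"
Get-ExchangeDomainVersions | Format-Table Domain, ObjectVersion -AutoSize
```

A domain that reports "not prepared" is one where Setup /PrepareDomain has not been run, which is useful to know before you start placing mailboxes in it.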

I had an interesting one recently when submitting a certificate request to a Windows Certificate Authority using certreq.exe.  The error that came back was:

The disposition message is “Error Parsing Request The request subject name is invalid or too long. 0x80094001 (-2146877439)”

I found several links to possible solutions but, as it turns out, the problem in my case was that the subject name (specified as an X.500 DistinguishedName) was too long.  It seems that the CA limits the subject name field to 64 characters.  Mine was around 80 characters, which is not unusual for a DN.

The workaround is to remove the 64 character limit by running the following command:

certutil -setreg ca\EnforceX500NameLengths 0

The CA service needs to be restarted after running the command.

The Microsoft TechNet article that provides more detail can be found here.

I’ve had my Lenovo Ideapad Yoga 13 for a little over a year now. Generally, I’m very happy with it.  It has two internal SSDs, 8GB RAM and an Intel Core i7 processor.  Windows 8.1 runs very nicely on it.  I use the Ideapad for my day-to-day work as well as running test labs in Hyper-V.  Memory is generally my main limitation with Hyper-V, but mostly I can starve the VMs of RAM as performance isn’t a key issue for me for demos and/or testing purposes.  [As an aside, Exchange 2013 is a complete resource hog and won't run nicely unless you give each machine at least 4GB of RAM, which makes running a DAG near impossible for me].   Recently, I noticed that my disk latency (average response time) on the SSD that I run the VMs off was really high (around 11,000ms).  Ok, I was running 3 VMs simultaneously, but still!  So I downloaded AS SSD Benchmark to see how my SSD was performing.  The overall result was 438, which is not great when compared with what others have posted online with the same SSD.

[Screenshot: AS SSD Benchmark result, M4-CT256M4SSD3, 15.07.2014 8:31 a.m.]

After some deep thinking (i.e. staring idly into space over a coffee), the idea struck me that Bitlocker might be the culprit.  So I disabled Bitlocker for that drive and tried again. The difference was significant (around 20%) without being remarkable.  Interestingly, the read times before and after were almost identical.  The write times were where the difference was appreciable.

[Screenshot: AS SSD Benchmark result, M4-CT256M4SSD3, 15.07.2014 4:29 p.m.]

The disk is still performing slowly compared with others online.  I checked my other SSD (a Samsung) and it was also slow, so the conclusion I’ve reached is that there must be some other factor (controller?) causing the slowness.  It would be interesting to hear what others with Ideapads are seeing, or if you have any ideas on how to improve performance.  Windows 8.1 is apparently optimised for SSD use, so I haven’t found any silver bullet for speeding things up.