Wednesday, December 22, 2010

451 4.4.0 DNS query failed

Problem: Emails to a particular domain were not going through. Emails to all other domains were being received fine.

dcswa-ex01 = Edge Transport
dcswa-ex02 = Hub Transport
= sending company's email suffix.
= receiving company's email suffix.


Emails sent to are not arriving at the destination. Emails are being passed from the hub transport server dcswa-ex02 to the edge transport server dcswa-ex01 successfully. The emails then sit in the edge transport queue for with the following error:

LastError : 451 4.4.0 DNS query failed

Dcswa-ex01 is resolving DNS correctly for, which we can verify with the nslookup utility.

The edge transport server Dcswa-ex01 is able to open TCP25 connections to SMTP servers.

The Exchange 2010 connectivity logs show that the DNS queries Exchange generates for were timing out on the edge transport server:

2010-12-22T02:26:15.708Z,08CD6F05CD2DBD8F,SMTP,,+,DnsConnectorDelivery afb8a1d5-3e6f-4e6b-8bab-17e38b9d7bad;QueueLength=1
2010-12-22T02:27:21.458Z,08CD6F05CD2DBD8F,SMTP,,>,DNS server returned ErrorTimeout reported by
2010-12-22T02:27:21.458Z,08CD6F05CD2DBD8F,SMTP,,-,Messages: 0 Bytes: 0 (The DNS query for 'DnsConnectorDelivery':'':'afb8a1d5-3e6f-4e6b-8bab-17e38b9d7bad' failed with error : ErrorTimeout)
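Rather than reading the connectivity log by eye, the DNS timeouts above can be pulled out of it by script. The following is an added example and not code from the original post: it parses connectivity-log rows with the standard CONNECTLOG column names and reports every session that ended with a DNS error. The sample rows are constructed in the shape of the log above (destination domains and the resolver address are placeholders), and the log folder in the trailing comment is the default install path, which is an assumption.

```powershell
# Added example, not part of the original post. Finds DNS failures in Exchange
# 2010 connectivity logs. Column names are the CONNECTLOG header fields.

$Header = 'date-time', 'session', 'source', 'Destination', 'direction', 'description'

function Get-DnsFailure {
    param([string[]]$Lines)
    $Lines | Where-Object { $_ -and $_ -notlike '#*' } |   # drop blank and '#Fields:' header lines
        ConvertFrom-Csv -Header $Header |
        ForEach-Object {
            # The '-' (disconnect) row carries the final error for the session
            $m = [regex]::Match($_.description, 'failed with error : (Error\w+)')
            if ($m.Success) {
                New-Object PSObject -Property @{
                    Time        = [datetime]$_.'date-time'
                    Session     = $_.session
                    Destination = $_.Destination
                    Error       = $m.Groups[1].Value
                }
            }
        }
}

# Constructed sample in the shape of the log above; destinations and the
# resolver address are placeholders.
$Sample = @'
2010-12-22T02:26:15.708Z,08CD6F05CD2DBD8F,SMTP,example.test,+,DnsConnectorDelivery afb8a1d5-3e6f-4e6b-8bab-17e38b9d7bad;QueueLength=1
2010-12-22T02:27:21.458Z,08CD6F05CD2DBD8F,SMTP,example.test,>,DNS server returned ErrorTimeout reported by 192.0.2.53
2010-12-22T02:27:21.458Z,08CD6F05CD2DBD8F,SMTP,example.test,-,Messages: 0 Bytes: 0 (The DNS query for 'DnsConnectorDelivery':'example.test':'afb8a1d5-3e6f-4e6b-8bab-17e38b9d7bad' failed with error : ErrorTimeout)
2010-12-22T02:30:01.000Z,08CD6F05CD2DBD90,SMTP,healthy.test,+,DnsConnectorDelivery 5d1c1e2a-0000-4000-8000-000000000000;QueueLength=1
2010-12-22T02:30:02.000Z,08CD6F05CD2DBD90,SMTP,healthy.test,-,Messages: 1 Bytes: 5233
'@ -split "`r?`n"

Get-DnsFailure $Sample | Format-Table Time, Destination, Error, Session -AutoSize

# Against a real Edge server (log path assumed, default install location):
# $logs = Get-ChildItem 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\Connectivity\CONNECTLOG*.LOG'
# Get-DnsFailure (Get-Content $logs) | Group-Object Destination, Error | Sort-Object Count -Descending
```

Grouping by destination and error is the useful view: one domain timing out repeatedly points at a resolver or firewall problem for that domain, while many domains timing out at once points at the resolver itself.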


On the Edge Transport server dcswa-ex01, set the external DNS servers to use for external mail relay.

On the hub transport server dcswa-ex02, enable "Use the External DNS Lookup settings on the transport server" for all send connectors configured for EdgeSync with dcswa-ex01.

Force an Edge Sync on the hub transport server dcswa-ex02:

Restart the Microsoft Exchange Transport service on the edge transport server to utilize the new DNS settings.

After making this change it took 5-10 minutes for the email to successfully leave the queue!
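The same four steps can be done from the Exchange Management Shell instead of the console. This is an added example, not the original post's commands: the server names are the ones used in the post, the resolver addresses are placeholders you replace with DNS servers the Edge server can actually reach, and the final Get-Queue call is the check that the queue drains. Steps 1, 4 and 5 run in the shell on the Edge server; steps 2 and 3 run on the Hub Transport server. It also covers the "force an EdgeSync" step described separately below.

```powershell
# Added example, not part of the original post. Exchange 2010 Management Shell.

$Edge        = 'dcswa-ex01'                     # Edge Transport server from the post
$ExternalDns = '192.0.2.53', '192.0.2.54'       # placeholders: resolvers reachable from the Edge server

# 1. On the Edge server: use explicit external resolvers for Internet lookups
#    rather than whatever the network adapter hands out.
Set-TransportServer -Identity $Edge -ExternalDNSAdapterEnabled $false -ExternalDNSServers $ExternalDns

# 2. On the Hub server: every Send connector whose source is the Edge server
#    must use the external DNS setting of that transport server.
Get-SendConnector |
    Where-Object { ($_.SourceTransportServers | ForEach-Object { $_.Name }) -contains $Edge } |
    Set-SendConnector -UseExternalDNSServersEnabled $true

# 3. On the Hub server: push the connector change to the Edge server now
#    instead of waiting for the next scheduled synchronization.
Start-EdgeSynchronization

# 4. On the Edge server: restart transport so the new resolvers are picked up.
Restart-Service MSExchangeTransport

# 5. On the Edge server: confirm the DNS-delivery queues are draining.
#    A queue that still shows '451 4.4.0 DNS query failed' in LastError after
#    10 minutes means the resolvers in step 1 are not answering MX queries.
Get-Queue -Server $Edge |
    Where-Object { $_.DeliveryType -eq 'DnsConnectorDelivery' } |
    Format-Table Identity, Status, MessageCount, LastError -AutoSize
```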

Looking at the queue for again:

The email was successfully delivered as it no longer resides in the queue.

If we look at the SMTP send log on the edge transport server dcswa-ex01, we can see that the email transferred correctly. One interesting thing I found about was that they are encrypting all email traffic (the STARTTLS exchange in the log below). I don't see how this would cause DNS to fail, but I want to point it out.

2010-12-22T03:59:00.740Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,0,,,*,,attempting to connect
2010-12-22T03:59:01.052Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,1,,,+,,
2010-12-22T03:59:01.365Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,2,,,<,220 [ESMTP Server] service ready;DORIS ENGINEERING Email Gateway ok; 12/22/10 04:57:30,
2010-12-22T03:59:01.365Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,3,,,>,EHLO,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,4,,,<,,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,5,,,<,250-SIZE 13631488,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,6,,,<,250-8BITMIME,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,7,,,<,250 STARTTLS,
2010-12-22T03:59:01.677Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,8,,,>,STARTTLS,
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,9,,,<,220 Ready to start TLS,
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,10,,,*,,Sending certificate
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,11,,,*,CN=dcswa-ex01,Certificate subject
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,12,,,*,CN=dcswa-ex01,Certificate issuer name
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,13,,,*,67E29A29EDE76AAF4BDBC5340D3185F0,Certificate serial number
2010-12-22T03:59:01.974Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,14,,,*,2A3B56F723AD7056F9372E486B3192E0EF877C6D,Certificate thumbprint
2010-12-22T03:59:01.990Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,15,,,*,dcswa-ex01;,Certificate alternate names
2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,16,,,*,,Received certificate
2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,17,,,*,B6CDD7D2A3CAC50AB653830A828037EC0D0B3901,Certificate thumbprint
2010-12-22T03:59:02.646Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,18,,,>,EHLO,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,19,,,<,,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,20,,,<,250-SIZE 13631488,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,21,,,<,250 8BITMIME,
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,22,,,*,29980,sending message
2010-12-22T03:59:02.958Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,23,,,>,MAIL FROM: SIZE=5233,
2010-12-22T03:59:03.271Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,24,,,<,250 Sender OK,
2010-12-22T03:59:03.271Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,25,,,>,RCPT TO:,
2010-12-22T03:59:03.583Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,26,,,<,250 Recipient OK,
2010-12-22T03:59:03.583Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,27,,,>,RCPT TO:,
2010-12-22T03:59:03.896Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,28,,,<,250 Recipient OK,
2010-12-22T03:59:03.896Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,29,,,>,RCPT TO:,
2010-12-22T03:59:04.208Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,30,,,<,250 Recipient OK,
2010-12-22T03:59:04.208Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,31,,,>,DATA,
2010-12-22T03:59:04.521Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,32,,,<,354 Start mail input; end with .,
2010-12-22T03:59:05.146Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,33,,,<,250 OK: <>,
2010-12-22T03:59:05.146Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,34,,,>,QUIT,
2010-12-22T03:59:05.458Z,EdgeSync - Perth to Internet,08CD6F9DD3D5A300,35,,,<,221 [ESMTP Server] service closing transmission channel,

There is another workaround documented on the internet: add the external MX servers to the local "hosts" file on the edge transport server. I tested this and it does work; however, I do not recommend it. If another domain fails, it becomes a manual exercise on a case-by-case basis.

Tuesday, December 21, 2010

How to Force EdgeSync Synchronization

You can use the Start-EdgeSynchronization cmdlet to force synchronization to start immediately. You may want to do this to start initial replication immediately after you create the Edge Subscription or if you have made significant changes to the configuration or recipients in Active Directory. The Start-EdgeSynchronization cmdlet resets the EdgeSync synchronization schedule. The time of the subsequent synchronization intervals is based on the time that this command is initiated.

If you try to run this procedure during regular synchronization, an error will occur.


How to Setup Auto QOS Cisco

The config below sets up Auto QoS (Quality of Service) on a Cisco switch.

Single interface
conf t
interface fa0/1
auto qos voip trust
end
write memory

Multiple interfaces
conf t
interface range fa0/1 - 24 (up to whatever port you want)
auto qos voip trust
end
write memory

Sunday, December 12, 2010

Cisco ADSL Config with NAT

Below is a basic ADSL configuration for Cisco routers with ADSL chipsets installed. This config is for a PPPoE-based connection. I set this config up to use Amnet Broadband.

ip cef

interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
dsl operating-mode auto
hold-queue 224 in

interface Vlan1
ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452

interface Dialer0
description Amnet ADSL
bandwidth 1300
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 999999
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname USERNAME
ppp chap password 0 PASSWORD
ppp pap sent-username USERNAME password 0 PASSWORD

ip route Dialer0

ip nat inside source list 1 interface Dialer0 overload

access-list 1 permit

To add port forwards to the config, create static NAT entries like this:

ip nat inside source static tcp 25 interface Dialer0 25
ip nat inside source static tcp 3389 interface Dialer0 3389

To get some verbose logging on your ADSL connection please see the following website:

Monday, December 6, 2010

SBS 2008 System Synchronizing but Not Downloading Updates

I had an issue where WSUS on a Windows SBS 2008 system was reporting that it was synchronizing successfully, but it wasn't downloading updates. All you would get was a message in the event logs from Windows Server Update Services (event ID 10032) saying "The server is failing to download some updates". Clients would show that they needed updates through the WSUS console and via the SBS Console, but the updates would never show up on the server for installation. In the local client WindowsUpdate.log file you would see something similar to the following:

2010-10-12 10:39:45:574 784 1a20 PT +++++++++++ PT: Synchronizing server updates +++++++++++
2010-10-12 10:39:45:574 784 1a20 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12 10:39:49:011 784 1a20 PT +++++++++++ PT: Synchronizing extended update info +++++++++++
2010-10-12 10:39:49:011 784 1a20 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://...
2010-10-12 10:39:52:433 784 1a20 Agent * Found 0 updates and 57 categories in search; evaluated appl. rules of 643 out of 1075 deployed entities

So why would the WSUS server recognize the server needed updates and the client not recognize and download them? Further investigation uncovered the fact that the WSUS Content Repository was nearly empty. Total size of the repository was less than 100 MB. Obviously, none of the patch data had been downloaded.

So why was the sync successful? After more investigation, I discovered that the ISA server was blocking what appeared to be anonymous web traffic from the SBS server, even though there was an access rule set to allow all HTTP, HTTPS and FTP traffic from the SBS server. So, skipping to the solution: ISA 2004 has a problem with BITS 7.0, which is used in Windows 2008 and Windows 7. Because the initial synchronization from WSUS only downloads metadata, ISA was letting that out and the consoles showed success. WSUS then hands the downloading of the actual patch files (.cab files, etc.) over to BITS. ISA was blocking BITS background downloads, so what we had was metadata for the updates but no updates. WSUS knew the servers needed the updates, but the servers had nothing to download because the actual content for the updates wasn't there. The fix is to change BITS update downloads from a background to a foreground process; ISA seems to allow that just fine.

Do this by running the following query against the WSUS database. In most cases the connection can be made via SQL Server Management Studio Express; you just need to run the query against the SUSDB database.

update tbConfigurationC set BitsDownloadPriorityForeground=1

If you are using Windows 2008 with the Microsoft Internal Database (as SBS 2008 does), this proves a little more challenging because you have to connect with SQL Server Management Studio Express using named pipes instead of TCP/IP. Connect using named pipes by using this as the server name:
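The same change can be made without Management Studio. The following is an added example, not from the original post: it reads the current BitsDownloadPriorityForeground value from tbConfigurationC over a named-pipe connection, and only then runs the UPDATE. The named-pipe server name is the one used by the Windows Internal Database instance and is this example's assumption (a separate SQL Express instance would use its own instance name); the script must run elevated on the WSUS server, and SUSDB should be backed up before any direct edit.

```powershell
# Added example, not part of the original post. Read, then set,
# BitsDownloadPriorityForeground in SUSDB via System.Data.SqlClient.

function Invoke-SusDb {
    param(
        [string]$Server,
        [string]$Query,
        [switch]$NonQuery        # UPDATE: return rows affected instead of a single value
    )
    $cs = "Server=$Server;Database=SUSDB;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        if ($NonQuery) { $cmd.ExecuteNonQuery() } else { $cmd.ExecuteScalar() }
    } finally {
        $conn.Close()
    }
}

# Assumption: named pipe of the Windows Internal Database instance on SBS 2008.
$Server = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'

$before = Invoke-SusDb $Server 'SELECT BitsDownloadPriorityForeground FROM tbConfigurationC'
"BitsDownloadPriorityForeground before: $before"

if ([int]$before -ne 1) {
    $rows = Invoke-SusDb $Server 'UPDATE tbConfigurationC SET BitsDownloadPriorityForeground = 1' -NonQuery
    "rows updated: $rows"
    $after = Invoke-SusDb $Server 'SELECT BitsDownloadPriorityForeground FROM tbConfigurationC'
    "BitsDownloadPriorityForeground after: $after"
} else {
    'already set to foreground, nothing changed'
}
```

Reading before writing is the point of the extra round trip: the same script can be run later as a check that nothing has reset the value, and it refuses to rewrite a row that is already correct.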


Sunday, December 5, 2010

HP ML350 G6 hangs at Completing Installation on a Windows 2008 and SBS2008

I had an HP ML350 G6 server that was unable to complete the SBS 2008 install. Every time, it would hang forever at the Completing Installation stage of Windows setup.

All hardware ROMs were running the latest firmware.

It got to the stage where I had to start removing server hardware to find out what was causing SBS Installation to fail.

The item that was causing the problem was a HP Smart Array P212 SAS Controller which was connected to a HP StorageWorks Ultrium 920 SAS Tape Drive. After removing this card the SBS 2008 installation completed successfully.

Below is a picture of this SAS Card taken from my iPhone 4G:

I removed this card, completed the install of SBS 2008, then installed the card again once Windows was up and running on the system.

Wednesday, December 1, 2010

VBS - List all users in OU

The following script lists all users in an organisational unit (direct children of the OU only):

Set objDictionary = CreateObject("Scripting.Dictionary")

' Bind to the OU and enumerate only the user objects directly inside it
Set objOU = GetObject("LDAP://OU=myou,DC=domain,DC=local")
objOU.Filter = Array("User")

For Each objUser In objOU
    strUser = objUser.displayName
    ' The dictionary suppresses duplicate display names
    If Not objDictionary.Exists(strUser) Then
        objDictionary.Add strUser, objUser.distinguishedName
        Wscript.Echo strUser
    End If
Next

Very handy if you want to add all users in an OU to a security group!
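The "add them all to a security group" use just mentioned, done in PowerShell with ADSI so that it needs no RSAT module. This is an added example and not the post's script: the OU and group paths are placeholders, and like the VBScript it takes only the direct children of the OU, not users in nested OUs.

```powershell
# Added example, not part of the original post. Enumerate the user objects
# in an OU and add any that are not already members to a security group.

function Get-OuUser {
    param([string]$OuPath)          # e.g. LDAP://OU=myou,DC=domain,DC=local
    $ou = [ADSI]$OuPath
    # Children is one level deep, the same as objOU.Filter = Array("User") above
    $ou.Children | Where-Object { $_.SchemaClassName -eq 'user' }
}

function Add-OuUsersToGroup {
    param([string]$OuPath, [string]$GroupPath)
    $group    = [ADSI]$GroupPath
    $existing = @($group.member)     # distinguished names already in the group
    foreach ($user in Get-OuUser $OuPath) {
        $dn = [string]$user.distinguishedName
        if ($existing -contains $dn) {
            "already a member: $dn"
            continue
        }
        $group.Add($user.Path)       # Path is the LDAP:// ADsPath; Add commits immediately
        "added: $dn"
    }
}

# Placeholder paths (assumption); replace with the real OU and group.
Add-OuUsersToGroup 'LDAP://OU=myou,DC=domain,DC=local' `
                   'LDAP://CN=MyGroup,OU=Groups,DC=domain,DC=local'
```

The membership check before Add matters because IADsGroup.Add on an existing member raises an error rather than silently succeeding.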

Monday, November 29, 2010

Use Windows 7 as a PPTP VPN Server

Today I was browsing TechNet and found a link to a YouTube video on how to set up Windows 7 to act as a PPTP VPN server for a home solution. This allows computer-savvy home users to access any PC on their home network through a Windows 7 machine. I didn't even know this functionality was possible in Windows 7!

Check it out, here is the link:

Forefront Client Security Server Components Supported Operating Systems

Forefront Client Security (FCS) Server Components are not supported on all operating systems.

The Management Server must be set up on one of the following Windows operating systems:

- Windows Server 2003 SP2 or later, Standard or Enterprise

- Windows Server 2008 Standard or Windows Server 2008 Enterprise

- Windows Server 2008 Standard SP1 or later, or Windows Server 2008 Enterprise SP1 or later

The following operating systems are not supported:

- Windows Server 2008 Server Core installation

- Windows Server 2008 R2

- x64 and Itanium server editions

- Microsoft Windows Small Business Server 2003

- Windows Small Business Server 2003 R2

- Windows Small Business Server 2008

For more information please see:

Thursday, November 25, 2010

New Password Stealer Found MD5: 6deb0bdb5fb07bcdb1205d6ddd6a4ec2

Today I stumbled across a new trojan/password stealer that installs itself through Sun Microsystems Java.

Users receive an email such as:

Amy Fibro commented on your photo.
To see the comment thread, follow the link below:
The Facebook Team

This email is not from Facebook. If you look at the link in the email, it points to a different URL that hosts the Java application which installs the virus.

With a default install of Internet Explorer 8, all security updates and patches up to 26/11/2010 applied, and default security settings, the worm was able to install itself automatically.

The worm adds itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it can automatically execute upon startup.

The worm also changes the Internet Explorer security settings by modifying a series of registry keys.

The following Registry Values were modified:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
1406 =
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
1406 =
1609 =
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
1406 =
1609 =

The worm is also capable of infecting executables.

The malware injects codes into the address space of the following processes to mask its presence:

If you do not run your PC as administrator, the worm will not have permission to infect anything beyond your user profile.

The worm collects FTP credentials (IP, port, username, and passwords) from the following FTP software:
- Total Commander
- FTP Commander

The worm also has a keylogger for logging all other password related activity such as bank accounts etc.

When installed the worm copied itself to:

%APPDATA%\<random letters>\<random letters>.exe

For example for me it called itself niba.exe.

When the virus is running, the description it gives itself in Task Manager is "Windows Defender".

Running the virus through one of my favourite sites, we see that only some antivirus vendors detect it, and the ones that do only return a generic detection.

I will be submitting the virus sample to the other anti-virus companies to get this worm indexed ASAP.
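The traces described in this post (a Run entry pointing into %APPDATA%, changed zone settings 1406 and 1609, and a process calling itself "Windows Defender" from outside Program Files) are all things a defender can check for on a suspect machine. The following is an added example, not part of the original post: a read-only audit that reports each of those indicators and removes nothing. The meanings given for 1406 and 1609 are the documented Internet Explorer zone setting names, not something taken from the post, and the "Windows Defender" process check is a heuristic that will also flag any legitimately renamed binary.

```powershell
# Added example, not part of the original post. Read-only audit for the
# persistence, IE zone and process-name indicators described above.

function Get-SuspiciousRunEntry {
    $appData = [Environment]::GetFolderPath('ApplicationData')
    $props   = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $cmd = [Environment]::ExpandEnvironmentVariables(([string]$p.Value).Trim('"'))
        if ($cmd -like "$appData*") {                   # executables living under %APPDATA%
            New-Object PSObject -Property @{ Name = $p.Name; Command = $cmd }
        }
    }
}

function Get-IeZoneSetting {
    # 1406 = "Access data sources across domains", 1609 = "Display mixed content"
    # (documented IE zone values); 0 = enable, 1 = prompt, 3 = disable.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 0..4) {
        $props = Get-ItemProperty "$base\$zone" -ErrorAction SilentlyContinue
        foreach ($v in '1406', '1609') {
            New-Object PSObject -Property @{ Zone = $zone; Setting = $v; Value = $props.$v }
        }
    }
}

function Get-FakeDefenderProcess {
    $programFiles = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($proc in Get-Process) {
        try {
            $path = $proc.MainModule.FileName
            $desc = $proc.MainModule.FileVersionInfo.FileDescription
        } catch { continue }                            # access denied on other users' processes
        $underProgramFiles = $programFiles | Where-Object { $path -like "$_\*" }
        if ($desc -eq 'Windows Defender' -and -not $underProgramFiles) {
            New-Object PSObject -Property @{ Pid = $proc.Id; Path = $path; Description = $desc }
        }
    }
}

'--- Run entries under %APPDATA% ---'
Get-SuspiciousRunEntry | Format-Table Name, Command -AutoSize
'--- IE zone settings 1406 / 1609 ---'
Get-IeZoneSetting | Format-Table Zone, Setting, Value -AutoSize
'--- processes described as "Windows Defender" outside Program Files ---'
Get-FakeDefenderProcess | Format-Table Pid, Description, Path -AutoSize
```

Run it as the affected user: the indicators in this post are all per-user (HKCU and %APPDATA%), which is also why running without administrator rights keeps the infection confined to that profile.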

How to Grab MD5 or SHA1 hash of files in Windows

To simply grab the MD5 or SHA1 hash of a file in Windows, use the Microsoft File Checksum Integrity Verifier (FCIV) utility. Download this tool from here:

Below are examples on how to use this tool:
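The same hashes can be computed without downloading FCIV, using the .NET hash classes available to PowerShell 2.0. This is an added example, not one of the post's FCIV commands: it returns MD5 and SHA1 for a file and flags any whose MD5 matches a known-bad list. The only entry in that list is the MD5 reported for the password stealer in the post above; the folder scanned is an assumption.

```powershell
# Added example, not part of the original post. MD5/SHA1 of a file via .NET,
# plus a match against a known-bad MD5 list.

function Get-FileHashes {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $m = [BitConverter]::ToString($md5.ComputeHash($stream)).Replace('-', '').ToLower()
        $stream.Position = 0                      # rewind for the second hash
        $s = [BitConverter]::ToString($sha1.ComputeHash($stream)).Replace('-', '').ToLower()
    } finally {
        $stream.Close()
    }
    New-Object PSObject -Property @{ Path = $Path; MD5 = $m; SHA1 = $s }
}

# Known-bad MD5 values; the only entry is the sample reported in the post above.
$KnownBadMd5 = @('6deb0bdb5fb07bcdb1205d6ddd6a4ec2')

function Test-KnownBad {
    param([string]$Path)
    $h = Get-FileHashes $Path
    $h | Add-Member NoteProperty KnownBad ($KnownBadMd5 -contains $h.MD5) -PassThru
}

# Assumption: scan executables under the current user's %APPDATA%, where the
# sample in the post copied itself.
Get-ChildItem $env:APPDATA -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { Test-KnownBad $_.FullName } |
    Format-Table KnownBad, MD5, SHA1, Path -AutoSize
```

MD5 and SHA1 are fine for matching a sample against a published indicator, which is what this does; for anything where an adversary might try to produce a colliding file, compare SHA-256 instead (later PowerShell versions ship Get-FileHash, which defaults to SHA-256).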

Tuesday, November 23, 2010

How to Deploy Microsoft .NET Framework 4 with Group Policy with Startup Script

To deploy .NET Framework 4 to your network you must use a startup script. Unlike earlier versions such as .NET Framework 1.1, it can no longer be pushed out via an MSI file.

I wrote a script that you're welcome to copy to push the .NET Framework to all x86 and x64 Windows-based PCs on your network.

Save the following as a ".bat" file.


REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************

REM Enter the Product Name as it appears in the Uninstall registry key.
set ProductName=Microsoft .NET Framework 4 Client Profile

REM Set DeployServer to a network-accessible location containing the .NET Framework setup file.
set DeployServer=\\kbomb.local\netlogon\software

REM Set LogLocation to a central directory to collect log files.
set LogLocation=C:\Windows\Logs

REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line.
REM *********************************************************************

IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86)

:ARP64
REM Operating system is x64. Check for the 32-bit product in the emulated Wow6432Node uninstall key.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%"
if NOT %errorlevel%==1 (goto End)

:ARP86
REM Check for 32-bit and 64-bit versions of the product in the regular uninstall key (64-bit products also appear here on a 64-bit OS).
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%"
if %errorlevel%==1 (goto DeployOffice) else (goto End)

:DeployOffice
REM If 1 was returned, the product was not found. Run setup here.
start /wait %DeployServer%\dotNetFx40_Full_x86_x64.exe /passive
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt

:End
REM If 0 or another code was returned, the product was found or another error occurred. Do nothing.


Please modify the DeployServer path to fit your environment.

Copy the script into the startup script folder inside the group policy object. Make sure you use a startup script and not a logon script! Refer to the following screenshot:

My script is called frameworkinstall.bat

Link this group policy object to your computer accounts. When the workstations refresh their group policy, they will automatically install .NET Framework 4 on the next reboot.

Taken with my iPhone 4:

Note: If you do not want the user to see the progress of the installation, please change /passive to /q. This will result in the PC hanging at the "Running Startup Scripts" for a few minutes. I personally prefer to present the users with a progress bar!
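A startup script runs as SYSTEM and executes whatever it finds on the share, so it is worth verifying the installer before launching it. The following is an added example and not the post's script: it keeps the batch file's detect-then-install logic (same product name, share, log folder and /passive switch) and adds one check of this example's own, that the setup file carries a valid Authenticode signature from Microsoft. The /norestart switch is a documented option of the .NET 4 installer, used here so the logon is not interrupted by an unexpected reboot.

```powershell
# Added example, not part of the original post. PowerShell startup script
# with the batch file's logic plus an Authenticode check on the installer.

$ProductName  = 'Microsoft .NET Framework 4 Client Profile'
$DeployServer = '\\kbomb.local\netlogon\software'
$LogLocation  = 'C:\Windows\Logs'
$Installer    = Join-Path $DeployServer 'dotNetFx40_Full_x86_x64.exe'

function Test-ProductInstalled {
    param([string]$Name)
    # Same two uninstall keys the batch file queries (native and Wow6432Node)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in $keys) {
        if (Test-Path (Join-Path $k $Name)) { return $true }
    }
    return $false
}

function Test-TrustedInstaller {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature $Path
    ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Write-DeployLog {
    param([string]$Message)
    $line = '{0} {1}' -f (Get-Date -Format 's'), $Message
    Add-Content (Join-Path $LogLocation "$env:COMPUTERNAME.txt") $line
}

if (Test-ProductInstalled $ProductName) {
    Write-DeployLog "$ProductName already present, nothing to do"
    return
}
if (-not (Test-TrustedInstaller $Installer)) {
    # Tampered share, broken download or a swapped binary: do not run it as SYSTEM
    Write-DeployLog "refusing to run $Installer : signature missing, invalid or not Microsoft"
    return
}
$p = Start-Process -FilePath $Installer -ArgumentList '/passive', '/norestart' -Wait -PassThru
Write-DeployLog "setup ended with exit code $($p.ExitCode)"
```

The log line carries the installer's exit code, as the batch file's does, so a central log folder can be grepped for anything other than 0 (and 3010, which the installer returns when a reboot is still pending).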

Monday, November 22, 2010

Can a RODC be a GC?

Answer: Yes

One of the gotchas before an RODC will advertise as a GC in your domain is that domainprep needs to be run in each domain, regardless of whether there are Win2k8 DCs in the domain or not:

If the RODC will be a global catalog server, you must also run adprep /domainprep in all domains in the forest, regardless of whether the domain runs a Windows Server 2008 domain controller. When you run adprep /domainprep in all domains, the RODC can replicate global catalog data from all domains in the forest and then advertise as a global catalog server.

If you haven't looked at RODCs for your branch office deployments for the future now is a good time to do so. I think one of the best things coming for Win2k8 is the ability to run RODCs on Server Core, reducing the attack surface and patching requirements and only caching the passwords for the users needed in the branch site instead of all passwords for the domain.

What are inetOrgPerson objects?

Windows Server 2003 Active Directory includes a new object type (that is, object class), inetOrgPerson, which is identical to the user object type in practically every way. InetOrgPerson was defined in RFC 2798 to represent a standard network user, and many other directory services use it for this purpose. Therefore, inetOrgPerson was brought along to Active Directory so that it would be easier to interoperate with these other products or to migrate them to Active Directory.

Although inetOrgPerson should be identical to user, Microsoft recommends that you test it with your applications that would use Active Directory as an authentication method, and your other projected usage scenarios, before you actually start using inetOrgPerson objects.

If inetOrgPerson objects are not needed in your forest, you can modify the forest schema so that InetOrgPerson doesn't appear in the New context menu of the Users and Computers snap-in. You would need to change the defaultHidingValue property of the inetOrgPerson schema class definition to TRUE. This setting affects all administrators of the forest, unless they use some other tool to create objects.

Sunday, November 21, 2010

What is the Central Store with 2008 Group Policy?

ADMX Central Store is a centralized location of keeping new XML-based administrative template (ADMX) files. In a Windows Server 2008 network environment, the Group Policy Object Editor does not copy ADMX files to each edited group policy object (GPO). Instead, it uses ADMX Central Store in a domain controller. The ADMX Central Store is not created automatically.

When using GPMC on Windows Vista, Windows Server 2008 or later operating systems, it automatically queries the following location to see whether a central store exists:


If you have not created this folder in your SYSVOL, GPMC will look at its local hard drive for:


If you have custom ADMX templates in your domain, you want to use the new Central Store so that all PCs and domain controllers use it when editing group policy objects.

When you create the central store make sure you copy all existing custom ADMX policies from your local computer (%systemroot%\PolicyDefinitions) to the central store!

I encourage you to watch the following video by John Baker, it explains the Central Store and group policy changes in more detail!

You cannot change the location for the central store, it is hardcoded!

Saturday, November 20, 2010

Moving to DFS-R for SYSVOL

Windows Server 2008 and Windows Server 2008 R2 support DFS-R for replicating the SYSVOL partition between domain controllers.

For this to work, all domain controllers in an Active Directory domain need to be Windows Server 2008 or Windows Server 2008 R2, and the Domain Functional Level must be Windows Server 2008.

Every domain within a forest has its own SYSVOL directory structure that is replicated. As a result, your Forest Functional Level does not need to be 2008; other domains in your forest can continue to use the legacy FRS.

If you create a new Active Directory domain at the Windows Server 2008 domain functional level, it will automatically use DFS-R for SYSVOL replication. However, if you are migrating towards the Windows Server 2008 DFL, you will need to migrate SYSVOL replication over to DFS-R. This migration process needs to be performed once you have raised the DFL to Windows Server 2008.

To understand the process of migrating to DFS-R for your SYSVOL directory, please read the following blog posts by Mahesh Unnikrishnan, a Senior Program Manager at Microsoft. There are five parts to this how-to:


Monday, November 1, 2010

Exchange 2003 - Services wouldn't start due to AD issues

Today I had an issue escalated to me where the following Exchange 2003 services would not start due to problems speaking with Active Directory:
- Microsoft Exchange Information Store
- Microsoft Exchange MTA Stacks
- Microsoft Exchange System Attendant

While diagnosing this issue I had the following diagnostic logging turned to medium for all sub components of the following:
- MSExchangeDSAccess
- MSExchangeSRS
- MSExchangeSA

Diagnostic logging is turned on in the Exchange 2003 server properties under the diagnostic logging tab.

There were two problems causing this issue - I will go through how I fixed both of them.

Problem 1 - The Local DC was not listening on TCP 3268

After looking at the issue initially I found out that the domain controller in the same active directory site as Exchange 2003 server was not listening on TCP 3268 (Global Catalog). The server was marked as being a global catalog server. During this time the following errors were being generated.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7024
Date: 01/11/2010
Time: 4:03:31 PM
User: N/A
Computer: MELB-EXCH-31
The Microsoft Exchange Information Store service terminated with service-specific error 2147500037 (0x80004005).

Event Type: Error
Event Source: MSExchangeMTA
Event Category: Operating System
Event ID: 2248
Date: 01/11/2010
Time: 5:18:22 PM
User: N/A
Computer: MELB-EXCH-31
A fatal error occurred. Directory operation (ds_initialize) failed with problem RD Server. [MAIN BASE 1 1 %5] (16)

Event Type: Error
Event Source: MSExchangeIS
Event Category: General
Event ID: 1121
Date: 01/11/2010
Time: 6:14:38 PM
User: N/A
Computer: MELB-EXCH-31
Error 0xfaf connecting to the Microsoft Active Directory.

This last error led me down the right track: "0xfaf". I found a handy forum post that explains all the different codes relating to the information store connecting to Active Directory:

- Error: 0x96e, Service: Microsoft Active Directory - This problem occurs because the domain controller and other Exchange-Server-dependent services do not start completely when Exchange 2007 tries to start. See 940845 for details.
- Error: 0x8004010f, Service: Microsoft Active Directory - This behavior may occur if the organization name that you select during setup contains the forward slash mark (/) character. See 329599 for more information on this problem.
- Error: 4015, Service: Microsoft Exchange Information Server Directory - The Directory service will not start if the system date is later than January 17, 2038. See 154595 for details about this problem.
- Error: 0x80004005, Service: Microsoft Exchange Server Directory - This behavior may occur because the information store database is not initializing properly. See 322315 to solve this problem.
- Error: 0x80004005, Service: Microsoft Active Directory - You may not be able to mount Exchange 2000 information store databases and this event is logged. See 314294 and 822579 for details.
- Error: 0xfb5, Service: Microsoft Exchange Server Directory - This issue can occur if the Information Store service has been configured to log on as a system account or to use the Local System account. See 288952 to solve this problem.
- Error: 0xfaf, Service: Microsoft Active Directory - This behavior can occur because you do not have a global catalog in the forest or the connection to the global catalog is lost. See 303186 and 823163 to find out how to fix this problem.
- Error: 0xfaf, Service: Microsoft Exchange Server Directory - This issue can occur if the server is renamed after Exchange Server installation; some values in the MSExchangeIS key contain the name of the test server. See 248124 to solve this problem.

As per the post above - I went to Microsoft Knowledgebase article 823163:

This article stated:

This issue may occur if one or both of the following conditions are true:
- There is no global catalog in the forest.
- There is a problem with the connection to the global catalog.

There was only a single domain controller in the same Active Directory site as the Exchange 2003 server. This domain controller was marked as being a global catalog server however performing a "netstat -ant" revealed that it was not listening on the global catalog port TCP 3268.

Initially I tried removing the global catalog role from the server, rebooting, re-adding the global catalog role, then rebooting again. This did not resolve the problem.

To resolve this problem I demoted the server from being a domain controller and re-promoted it. After re-promoting the DC it then came up as a global catalog server again. There were no errors in the event logs about not being a global catalog server.

Problem 2 - The Exchange 2003 Server could not find the Active Directory Site

After re-promoting the domain controller I ran into another problem, the Exchange 2003 server could not find which Active Directory Site it was in.

Exchange was producing the following error:

c007077f no site available

The following errors were experienced in the event logs:

Event Type: Error
Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2114
Date: 01/11/2010
Time: 9:55:46 PM
User: N/A
Computer: MELB-EXCH-31
Process MAD.EXE (PID=1936). Topology Discovery failed, error 0x80040952.

I ran NLTEST /DSGETSITE to see if Windows Server itself could find its Active Directory site. This command threw out the following error:


The exchange server was speaking to random domain controllers in other Active Directory sites. I determined this by following this article:

All other workstations and servers in the same Active Directory site could determine its site location. The problem was isolated to the Exchange 2003 server. To resolve this problem I found a workaround with a registry key where I hard coded the Exchange 2003 server's Active Directory site.


"SiteName" as a String Value

Enter the active directory site name as it appears in AD Sites and Services.

Then restart the Netlogon service. After this the Exchange Server 2003 was behaving properly and the services were able to be started.
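Both problems above come down to two questions: are the global catalogs AD believes are in this site actually listening on TCP 3268, and can this machine determine its own site? The following is an added example, not from the original post, that asks both as a read-only script. The GC list comes from the forest (so a DC that is flagged as a GC but not listening, as in Problem 1, shows Listening = False), the site lookup is the same call nltest /dsgetsite makes, and the script also reports whether a SiteName override is present under the Netlogon Parameters key, which is where the workaround in Problem 2 is stored. The 3-second connect timeout is this example's own choice.

```powershell
# Added example, not part of the original post. Checks GC reachability on
# TCP 3268 for this computer's site and whether the site can be determined.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ComputerSiteStatus {
    # Same lookup as "nltest /dsgetsite"; throws when no site can be determined
    try {
        $siteName = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        $siteName = $null
    }
    $params   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        SiteFromDsGetSite = $siteName
        SiteNameOverride  = $params.SiteName     # the registry workaround used above, if set
    }
}

function Get-SiteGcStatus {
    param([string]$SiteName)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # What AD says the GCs in the site are, versus whether each one really answers
    foreach ($gc in $forest.FindAllGlobalCatalogs($SiteName)) {
        New-Object PSObject -Property @{
            Site      = $SiteName
            GC        = $gc.Name
            Listening = Test-TcpPort -ComputerName $gc.Name -Port 3268
        }
    }
}

$status = Get-ComputerSiteStatus
$status | Format-List SiteFromDsGetSite, SiteNameOverride
if ($status.SiteFromDsGetSite) {
    Get-SiteGcStatus $status.SiteFromDsGetSite | Format-Table Site, GC, Listening -AutoSize
} else {
    'no site available for this computer: check the subnet-to-site mapping in AD Sites and Services'
}
```

A GC that appears in the list but shows Listening = False is the Problem 1 state; an empty SiteFromDsGetSite with the Exchange services failing is the Problem 2 state, and a non-empty SiteNameOverride tells you a previous administrator has already hard-coded the site.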

Sunday, October 31, 2010

WMI Issue - WinMgmt could not open the repository file

I had the following problem on a client's server:

Event Type: Error
Event Source: WinMgmt
Event Category: None
Event ID: 27
Date: 1/11/2010
Time: 2:31:11 PM
User: N/A
Computer: ORIONCH
WinMgmt could not open the repository file. This could be due to insufficient security access to the "<%SystemRoot%>\System32\WBEM\Repository", insufficient disk space or insufficient memory.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1090
Date: 1/11/2010
Time: 4:38:53 PM
Computer: ORIONCH
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.

This was resolved by performing the following:

1. net stop winmgmt
2. rename the e:\winnt\system32\wbem\repository directory
3. net start winmgmt
4. WMI should recreate the repository

WMI Database successfully showing up:

Tuesday, October 26, 2010

Syncing user attributes cross forest VBScript

I wrote a script that can be used to sync user attributes across a forest trust. Run this script in the destination forest. The example below syncs the email address (mail) attribute on each user account.

' Active Directory Const's
Const ADS_SCOPE_SUBTREE = 2

Set rootDSE = GetObject("LDAP://rootDSE")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADSDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Page Size") = 1000
' Query the source (old) forest; the ADsPath returned carries the server name, which is what makes this work across the trust
objCommand.CommandText = "SELECT * FROM 'LDAP://olddomain/dc=olddomain,dc=local' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

' Users that have no matching account in the new forest fail to bind in ADChanges; keep going past them
On Error Resume Next

Do Until objRecordSet.EOF
    Set objType = GetObject(objRecordSet.Fields("ADsPath").Value)
    ' Translate the source DN into the DN of the matching account in the destination forest
    strDistinguishedName = Replace(objType.distinguishedName, "DC=olddomain,DC=local", "DC=newdomain,DC=local")
    strEmailAddress = objType.mail
    ADChanges
    objRecordSet.MoveNext
Loop

Wscript.echo "Email Addresses have been Migrated"

Function ADChanges()
    Set objUser = GetObject("LDAP://" & strDistinguishedName)
    objUser.Put "mail", strEmailAddress
    objUser.SetInfo   ' Put only updates the local cache; SetInfo writes the change to the directory
End Function

How to set an AD Attribute using LDAP in VBScript

How to set an AD Attribute using LDAP in VBScript. In this instance I'm setting the mail attribute.

Set objUser = GetObject("LDAP://CN=Clint Boessen,OU=Corporate Information Services,OU=Corporate Services,DC=kbomb,DC=local")
objUser.Put "mail", ""   ' value of the mail attribute to write
objUser.SetInfo          ' Put only updates the local cache; SetInfo commits the change to AD

List all users in domain cross forest

Below is a VBScript I wrote that lists all users by the distinguishedName attribute across a forest trust.

If you search through all users using a while statement as per:

it does not work cross forest! The script below does:

' Active Directory Const's
Const ADS_SCOPE_SUBTREE = 2

Set rootDSE = GetObject("LDAP://rootDSE")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADSDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Page Size") = 1000   ' page the results so domains with more than 1000 users are listed in full
' Name the trusted forest's server in the LDAP path so the query crosses the trust
objCommand.CommandText = "SELECT * FROM 'LDAP://stirling/dc=stirling' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    Set objType = GetObject(objRecordSet.Fields("ADsPath").Value)
    strDistinguishedName = objType.distinguishedName
    wscript.echo strDistinguishedName
    objRecordSet.MoveNext
Loop

How to find locked out user accounts VBScript

How to find locked out accounts using VBScript and LDAP:


' Active Directory Const's
Const ADS_UF_LOCKOUT = &H10   ' bit in msDS-User-Account-Control-Computed: account is currently locked out

' Normal user accounts whose lockoutTime has been set. lockoutTime is not cleared when the
' lockout duration expires, so the filter alone over-reports; the computed flag below is checked too.
ldapFilter = "(&(sAMAccountType=805306368)(lockoutTime>=1))"

Set rootDSE = GetObject("LDAP://rootDSE")
domainDN = rootDSE.Get("defaultNamingContext")

WScript.Echo "Locked accounts:"

Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"
' LDAP dialect: <base>;filter;attributes;scope
Set objectList = ado.Execute("<LDAP://" & domainDN & ">;" & ldapFilter & ";ADSPath,distinguishedName;subtree")
While Not objectList.EOF
    Set user = GetObject(objectList.Fields("ADSPath").Value)

    ' Constructed attribute, so it must be requested explicitly before it can be read
    user.GetInfoEx Array("msDS-User-Account-Control-Computed"), 0
    flags = user.Get("msDS-User-Account-Control-Computed")
    If (flags And ADS_UF_LOCKOUT) Then
        WScript.Echo objectList.Fields("distinguishedName").Value
    End If
    objectList.MoveNext
Wend
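The same check in PowerShell, as an added example that is not part of the original post (it uses System.DirectoryServices instead of ADO). It also decodes lockoutTime, which shows why the LDAP filter alone is not enough: lockoutTime stays set after the lockout duration expires, so only msDS-User-Account-Control-Computed tells you whether the account is still locked.

```powershell
# Added example, not from the original post: report locked-out accounts and
# distinguish "still locked" from "lockout expired but lockoutTime never reset".
$ADS_UF_LOCKOUT = 0x10   # bit in msDS-User-Account-Control-Computed

$rootDSE  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDSE.defaultNamingContext

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$domainDN"
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 1000
# Same filter as the VBScript: normal user accounts whose lockoutTime has been set
$searcher.Filter      = "(&(sAMAccountType=805306368)(lockoutTime>=1))"
$null = $searcher.PropertiesToLoad.Add("distinguishedName")
$null = $searcher.PropertiesToLoad.Add("lockoutTime")
# Constructed attribute: returned only when asked for by name
$null = $searcher.PropertiesToLoad.Add("msDS-User-Account-Control-Computed")

foreach ($result in $searcher.FindAll()) {
    $dn    = $result.Properties["distinguishedname"][0]
    # lockoutTime is a FILETIME: 100ns ticks since 1601-01-01 UTC
    $ticks = [int64]$result.Properties["lockouttime"][0]
    $when  = [DateTime]::FromFileTimeUtc($ticks).ToLocalTime()
    $flags = [int]$result.Properties["msds-user-account-control-computed"][0]
    $state = if ($flags -band $ADS_UF_LOCKOUT) { "LOCKED" } else { "lockout expired" }
    "{0,-16} {1:yyyy-MM-dd HH:mm}  {2}" -f $state, $when, $dn
}
```

Accounts an administrator has unlocked by hand have lockoutTime reset to 0 and so do not appear at all; the "lockout expired" rows are the ones the VBScript's flag check filters out.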


Scripting Active Directory users using VBScript

I came across a website by ActiveXperts with lots of script examples of modifying user attributes via LDAP and VBScript. Please check it out!

Very good article.

Wednesday, October 20, 2010

Powershell - List all users in domain

The following PowerShell script lists all users in an Active Directory domain using System.DirectoryServices.

$strFilter = "(&(objectCategory=User))"

# Bind to the search base directly; SearchRoot expects a DirectoryEntry, not a string
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://dc=domain,dc=local")

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 10000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

# Only pull back the attributes we need
$colProplist = "name"
foreach ($i in $colPropList){$null = $objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults)
{$objItem = $objResult.Properties; $objItem.name}

Wednesday, October 13, 2010

Move Active Mailbox Database Error

I went to move a mailbox database to another node by using "Move Active Mailbox Database" from Exchange Management Console or Move-ActiveMailboxDatabase from the shell. When performing this action I received the following error:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


An Active Manager operation failed. Error: The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'LABEXCH04 Database 02' on server 'LABEXCH04.lab.local' has content index catalog files in the following state: 'Failed'.. [Database: LABEXCH04 Database 02, Server: LABEXCH03.lab.local]

An Active Manager operation failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error: Database copy 'LABEXCH04 Database 02' on server 'LABEXCH04.lab.local' has content index catalog files in the following state: 'Failed'..
Click here for help...

Exchange Management Shell command attempted:
Move-ActiveMailboxDatabase -Identity 'LABEXCH04 Database 02' -ActivateOnServer 'LABEXCH04' -MountDialOverride 'Lossless'

Elapsed Time: 00:00:00

My passive database was coming up as healthy!

The problem was resolved by:

- Suspending the database copy
- Activating the database copy - wait for resync
- Performing the move active mailbox database command again.

Very weird, given that it was displaying as a healthy copy!

Thursday, October 7, 2010

Exchange 2010 Redirect or Proxy

When dealing with Exchange 2010 and legacy Exchange servers such as Exchange 2003 or 2007, Exchange 2010 CAS servers will either redirect or proxy the client request, depending on the web service.

Some web services are proxied and some web services are redirected. To get an understanding around what web services are redirected and what services are proxied please view the following blog post:

I found this article very handy also:

Monday, October 4, 2010

Autodiscover issue with ISA2006 or Forefront TMG

I had a client where Autodiscover was working fine internally; however, external clients could not perform Autodiscover requests. The client is running Forefront Threat Management Gateway 2010.

When running the exchange remote connectivity analyzer from I received the following error:

ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
Attempting to Retrieve XML AutoDiscover Response from url for user
Failed to obtain AutoDiscover XML response.
Tell me more about this issue and how to resolve it
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.

ExRCA is attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name in DNS.
Host successfully resolved
Additional Details
IP(s) returned:

Testing TCP Port 80 on host to ensure it is listening and open.
The port was opened successfully.
Checking Host for an HTTP redirect to AutoDiscover
ExRCA failed to get an HTTP redirect response for Autodiscover.
Tell me more about this issue and how to resolve it
Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.

ExRCA is attempting to contact the Autodiscover service using the DNS SRV redirect method.
Failed to contact AutoDiscover using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record in DNS.
The Autodiscover SRV record wasn't found in DNS.
Tell me more about this issue and how to resolve it

The HTTP 403 is TMG denying a request for a host name or path that the publishing rule does not list. To resolve this, open the Exchange publishing rule on your ISA Server or TMG. On the Public Names tab, add the autodiscover record.

On the Paths tab, add the Autodiscover directory.

Wednesday, September 22, 2010

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9}

I was getting an error on my Windows XP workstations:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 22/09/2010
Time: 9:34:00 PM
User: KBOMB\administrator
Computer: ARIA
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=kbomb,DC=local. The file must be present at the location <\\kbomb.local\sysvol\kbomb.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

From research on the Internet this can be caused by many things.

In my case my Windows 2008 server required SMB signing. If I logged into a Windows XP workstation and navigated to \\domain.local\sysvol it asked me for a username and password. If I navigated to any other share on the domain controllers it worked successfully.

I navigated to the following registry key:


enablesecuritysignature was set to 0... this means the workstation will never take part in signed SMB, even if the server requests it. I set this to "1", meaning my XP machine can talk signed SMB if my 2008 server requests it.

There is another setting, requiresecuritysignature. This should be set to 0. Setting it to 1 means that if the PC at the other end does not support signed SMB, it will not communicate.

After making the change I restarted the "workstation" and "server" services.

Ran another gpupdate /force after the change was made.
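As an added example (not from the original post), a PowerShell check that reads the two SMB signing values discussed above from the workstation's own registry and works out whether a given client/server pair will connect, and whether the session will be signed. It assumes the standard LanmanWorkstation and LanmanServer parameter keys (the post does not show the key path), and the domain controller's values are constructed to match the post's scenario.

```powershell
# Added example, not from the original post. Key paths are the standard Windows ones (assumption).
$wsKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"  # client side
$srvKey = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"       # server side

function Get-SmbSigningPolicy {
    param([string]$Key)
    $p = Get-ItemProperty -Path $Key
    [pscustomobject]@{
        Key     = $Key
        Enable  = [int]$p.EnableSecuritySignature    # 0 = never sign, 1 = sign when the peer asks
        Require = [int]$p.RequireSecuritySignature   # 1 = refuse unsigned sessions
    }
}

# Decide the outcome for one client/server pair. The two mismatch cases are what
# breaks \\domain.local\sysvol in the post: the DC insists, the XP client never signs.
function Test-SmbSigningNegotiation {
    param($Client, $Server)
    if ($Server.Require -and -not $Client.Enable) { return "FAILS: server requires signing, client will never sign" }
    if ($Client.Require -and -not $Server.Enable) { return "FAILS: client requires signing, server will never sign" }
    if ($Client.Require -or $Server.Require)      { return "OK: session will be signed" }
    "OK: neither side requires signing"
}

$client = Get-SmbSigningPolicy -Key $wsKey
$client | Format-List

# Constructed server policy for the post's Windows 2008 domain controller: the Default Domain
# Controllers Policy sets "Digitally sign communications (always)", i.e. Require = 1.
# Read $srvKey on the DC itself (or use Invoke-Command) to check a real pair.
$dc = [pscustomobject]@{ Key = "<domain controller>"; Enable = 1; Require = 1 }
Test-SmbSigningNegotiation -Client $client -Server $dc
```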


How to Deploy Microsoft .NET Framework 4 with Group Policy

In this blog post I'm going to show you how to mass deploy .NET Framework 4 to all PCs in your Active Directory domain.


Deploy .NET Framework 4 using a Startup Script:

Download .NET Framework 4

First download .NET Framework 4 from the following location:

Extract the Package

Run the setup file "dotNetFx40_Full_x86_x64.exe"

The setup file will automatically extract to a random directory on the drive with the most available disk space:

When the setup wizard opens do not click next just leave it open!

Create a new Group Policy Object

Create a new group policy object to be used for deployment. Make note of the GUID.

Move the .NET Framework Files

Navigate to a location on the network where you want to store the installation files. I stored them in the following location:


Create a folder called Frameworkv4.

Copy all files from the temporary extracted directory to:


Once the files are copied you can cancel the .NET Framework installation wizard which we started in the step above. We only ran the setup file so it would extract the files.

Create the Administrative Install Points

Create Administrative Install Points for the four MSIs:
- .NET Framework v4 x86 for Server Core
- .NET Framework v4 x64 for Server Core
- .NET Framework v4 x86 for XP, Vista, Win7, and Full Installations of Windows Server
- .NET Framework v4 x64 for XP, Vista, Win7, and Full Installations of Windows Server

Run the following commands in a command prompt:

msiexec /a \\kbombserver\netlogon\software\frameworkv4\netfx_Core_x86.msi EXTUI=1 TARGETDIR=\\kbombserver\netlogon\software\frameworkv4\AIP\netfx_core_x86

msiexec /a \\kbombserver\netlogon\software\frameworkv4\netfx_core_x64.msi EXTUI=1 TARGETDIR=\\kbombserver\netlogon\software\frameworkv4\AIP\netfx_core_x64

msiexec /a \\kbombserver\netlogon\software\frameworkv4\netfx_extended_x86.msi EXTUI=1 TARGETDIR=\\kbombserver\netlogon\software\frameworkv4\AIP\netfx_extended_x86

msiexec /a \\kbombserver\netlogon\software\frameworkv4\netfx_extended_x64.msi EXTUI=1 TARGETDIR=\\kbombserver\netlogon\software\frameworkv4\AIP\netfx_extended_x64

Deploy .NET Framework with Group Policy

Add the package in Group Policy.

Assign both the x86 and x64 extended packages.

x64 will only install on x64 machines.
x86 will only install on x86 machines.

Also assign the core packages if you have Server Core installations of Windows.

The packages also need the following MST assigned from Aaron Stebner's WebLog:

The transform changes the condition for CA_BlockDirectInstall to False so it will not be run during the installation process.

If you don't include the MST you will get the following error when the application tries to deploy via MSI:

Place the MST with the MSI and add it to the deployed application:

Note: For the 32-bit package make sure you go into Advanced Deployment Options on the Deployment tab and untick "Make this 32-bit X86 application available to Win64 machines".

Always wait for the network at computer startup and logon

My Windows 7 PCs all booted too fast and missed the application deployment during startup. They all received the following error in the event logs:

Log Name: System
Source: Application Management Group Policy
Date: 22/09/2010 8:28:12 PM
Event ID: 101
Task Category: None
Level: Warning
Keywords: Classic
Computer: kbombpc.kbomb.local
The assignment of application Microsoft .NET Framework 4 Extended x64 from policy Microsoft .NET Framework 4 failed. The error was : %%1274

To resolve this I had to set the following group policy:

Computer Configuration --> Administrative Templates --> System --> Logon --> Always wait for the network at computer startup and logon

Error 25003. Error occurred while initializing fusion.

Hey guys, sorry, I'm currently getting the following error when it deploys:

Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 10005
Date: 22/09/2010
Time: 10:09:40 PM
Computer: ARIA
Product: Microsoft .NET Framework 4 Extended -- Error 25003. Error occurred while initializing fusion.

Will let you know as soon as I have a fix.

Tuesday, September 21, 2010

How to find Wireless Channels in Windows

To find the wireless channels in windows open a command prompt and run the following commands:

show all

scroll down...

Monday, September 20, 2010

Exchange 2007 Certificates Whitepaper

Exchange 2007 Certificates Whitepaper - very good article:

Exchange 2010 with Threat Management Gateway

How to publish Exchange 2010 through Threat Management Gateway (TMG)

Enable MAPI Encryption Group Policy

In Exchange 2010 MAPI encryption is enforced by default. Outlook 2003 does not support MAPI encryption by default. This means Outlook 2003 cannot talk to Exchange 2010 unless it's turned on.

The following KB article explains both options: enabling MAPI encryption on Outlook 2003 via Group Policy, or disabling MAPI encryption on Exchange 2010.

Sunday, September 19, 2010

Enable Link State Suppression

When running the Exchange 2010 Pre-Deployment Analyzer you will probably get this message:

Before introducing Exchange Server 2010 into this topology, the 'SuppressStateChanges' configuration parameter should be set to '1' on server EXCHANGE03SERVER. This parameter is essential if you plan to create multiple connectors to the dedicated Exchange 2010 routing group.

Exchange Server 2003 includes functionality to detect automatically changes in the state of a link. This information can be used to inform other servers running Exchange Server 2003 that an alternative route should be used instead of the lowest cost primary route. Link state information is divided into major and minor changes. A major change occurs when the administrator changes the routing topology, such as the addition of a new connector or a cost change. Minor updates occur when the system automatically detects the failure or restoration of a link.

This feature works well in small to medium-sized organizations. However, in large multi-site environments, mass network fluctuation can cause link update floods for the minor version. To be truly effective, link state data must be broadcast to all the servers in the organization. Additionally, when state changes, the whole link state table is rebroadcast, which can cause a significant amount of data to be transmitted over the network. In these scenarios, it may be useful to suppress minor link state changes. The SuppressStateChanges registry value is a custom configuration setting used to suppress minor link state changes. When SuppressStateChanges is set to a value of 1 (or any value greater than 0), all link state traffic generated by a connector state change on this Exchange Server computer is suppressed.

In Exchange 2010 you want to link every Exchange 2003 routing group to the Exchange 2010 routing group to utilize the new Hub Transport technology for routing messages around your organisation. Because of this you must enable link state suppression (set SuppressStateChanges to 1) on all your Exchange 2003 servers before installing Exchange 2010.

To do this perform the following steps:

1. Open a registry editor, such as Regedit.exe or Regedt32.exe.

2. Navigate to HKLM\System\CurrentControlSet\Services\RESvc\Parameters.

3. Right-click Parameters and select New | DWORD value. Name the new DWORD value SuppressStateChanges.

4. Double-click SuppressStateChanges.

5. Set Base to Decimal.

6. In the Value data field, enter 1.

7. Close the registry editor and then restart the Simple Mail Transfer Protocol (SMTP), the Microsoft Exchange Routing Engine, and the Microsoft Exchange MTA Stacks services for the change to take effect.

What are Exchange Development Kit (EDK) Connectors?

When running the Exchange Pre-Deployment Analyzer I got the following message:

Exchange Development Kit (EDK) connector 'Connector for Captaris RightFax (WSPER14)' was found in the organization. Exchange Server 2010 does not support EDK connectors. This connector will need to remain on existing Exchange 2003 servers.

What are Exchange Development Kit (EDK) Connectors?

EDK connectors are third-party applications built to connect to communication systems such as fax machines, Short Message Service (SMS), telex, or to connect to other messaging systems, such as Lotus Notes, that use a gateway connector. Non-Microsoft vendors use the Exchange Development Kit (EDK) to develop proprietary connectors.

Wednesday, September 15, 2010

How to GREP in Powershell

In the Linux and Unix world, when we want to grab lines that contain specific output, we would just use the following command:

command | grep search

In powershell to do the same thing we use this command:

command | ls *search*

For example we run the following command to list a whole bunch of output for:


We want to identify all lines that have the word "Name" in them. Run the following command:

Get-AcceptedDomain | fl *name*

Very easy.
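An added example, not from the original post, contrasting the two things "grep" can mean in PowerShell: Format-List *name* keeps the properties whose names match the wildcard (which is what the Get-AcceptedDomain command above does), while Select-String is the line-oriented equivalent of grep. The accepted-domain objects are constructed inline so it runs without Exchange.

```powershell
# Added example, not from the original post. Constructed stand-ins for Get-AcceptedDomain output.
$domains = @(
    [pscustomobject]@{ Name = "kbomb.local"; DomainName = "kbomb.local";     DomainType = "Authoritative"; Default = $true  }
    [pscustomobject]@{ Name = "Relay";       DomainName = "partner.example"; DomainType = "InternalRelay"; Default = $false }
)

# 1. Property-name wildcard (what "fl *name*" does): keeps Name and DomainName for every
#    object and drops DomainType and Default. Matches on property NAMES, not on values.
$domains | Format-List *name*

# 2. grep proper: render the objects to text, then keep only the LINES containing "name"
#    (Select-String is case-insensitive by default, so "Name :" and "DomainName :" both match).
$domains | Format-List | Out-String -Stream | Select-String -Pattern "name"

# 3. grep on a field's VALUE while keeping the objects: only domains whose DomainName
#    contains "kbomb". This is the form to use when the result feeds another cmdlet.
$domains | Where-Object { $_.DomainName -like "*kbomb*" }
```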