
Updates and Solutions

  Mailbox access provisioning via PowerShell
      Thursday, July 22, 2010

There are plenty of reasons why you might want to give one user access to another user’s mailbox. The first user may be in the hospital, or under HR review, or maybe they’ve been dropping the ball lately and management needs to make sure that certain projects have been followed up on. It’s not really our job to care. The fact is, Bill in management has requested that you give Paul Stanley access to Gene Simmons’ mailbox, and for various reasons, logging on to Gene’s mailbox to set these permissions up is not a good option. For one, you’d only be able to delegate access to certain primary folders, not to the whole mailbox, and second, you’d have to know Gene’s password to do that. Because you are a smart admin, you tell Bill you can take care of it easily from the server. And here’s how you do it with Exchange 2007 or Exchange 2010:

Using this PowerShell command, you can give one user the permission to open and view another user’s entire mailbox. They won’t be able to send mail from that mailbox though, unless you add the SendAs permission:

Add-MailboxPermission user1 -User user2 -AccessRights fullaccess


So if you wanted to give Paul Stanley access to Gene Simmons’ mailbox, you would do this:

Add-MailboxPermission gsimmons -user pstanley -AccessRights fullaccess

To add sending functionality, you would do this:

Add-MailboxPermission gsimmons -User pstanley -AccessRights sendas

Make sure you run the Exchange Management Shell as Administrator (elevated) or you may not get the results you were expecting.

If you want to verify the permissions you’ve given Paul, you can run this command:

Get-MailboxPermission gsimmons -User pstanley | fl

After you tell Bill that you’ve taken care of it, he asks you what Paul is supposed to do to view the mailbox. You send him the following instructions:

In Outlook, go into Tools -> Account Settings and open up the properties on your Exchange email account. Choose More Settings, and when you get to the tabbed window, choose the Advanced tab.

On the Advanced tab, you will see the option to open additional mailboxes. Click Add and type the name of the user whose mailbox you want to open. In this case, Paul could type “Gene Simmons” or “gsimmons”. OK all the way out, and you should see another root mailbox for Gene Simmons added to Paul’s Outlook.

And yes, this can be done in the Exchange Management Console, but PowerShell is quicker!
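
Full mailbox access granted this way stays in place until someone removes it, so it is worth reviewing and cleaning up. The following is an added example, not part of the original post: a filter that keeps only directly granted (non-inherited) FullAccess entries from Get-MailboxPermission output, shown on constructed sample rows, with the live audit and removal commands in comments. The CONTOSO domain and the helper function names are assumptions made for illustration.

```powershell
# Added example (not from the original post). The sample rows are constructed;
# the commented commands at the end need the Exchange Management Shell.

function Select-ExplicitFullAccess {
    # Pass through only allow entries granted directly on a mailbox
    # (not inherited) that give FullAccess to someone other than the owner.
    param([Parameter(ValueFromPipeline = $true)] $Ace)
    process {
        $rights = @($Ace.AccessRights | ForEach-Object { "$_" })
        if (-not $Ace.IsInherited -and -not $Ace.Deny -and
            "$($Ace.User)" -ne 'NT AUTHORITY\SELF' -and
            ($rights -join ',') -match 'FullAccess') {
            $Ace
        }
    }
}

function New-SampleAce($Identity, $User, $Rights, $Inherited) {
    # Builds a constructed row shaped like Get-MailboxPermission output.
    New-Object PSObject -Property @{
        Identity = $Identity; User = $User; AccessRights = $Rights
        IsInherited = $Inherited; Deny = $false
    }
}

$sample = @(
    New-SampleAce 'gsimmons' 'NT AUTHORITY\SELF'        @('FullAccess', 'ReadPermission') $false
    New-SampleAce 'gsimmons' 'CONTOSO\Exchange Servers' @('FullAccess') $true
    New-SampleAce 'gsimmons' 'CONTOSO\pstanley'         @('FullAccess') $false
)

# Only the pstanley row survives: the owner's own entry and the inherited
# server entry are filtered out.
$sample | Select-ExplicitFullAccess | Format-Table Identity, User, AccessRights -AutoSize

# Against a live organization:
#   Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Select-ExplicitFullAccess
# When the business need ends, remove the grant and confirm it is gone:
#   Remove-MailboxPermission gsimmons -User pstanley -AccessRights FullAccess
#   Get-MailboxPermission gsimmons -User pstanley | fl
```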
 
  SBS 2008 Training Videos
      Wednesday, April 14, 2010

Earlier this year TrainSignal published a video training course that I had been working on for quite a while. Many late nights and weekends. You know how side projects are. The course consists of 17 hours of videos covering all the major aspects of configuring Small Business Server 2008.

I thought I would talk about it a little bit here, since I wrote it with the SMB consulting audience in mind.

I think that if I was looking for a course to take myself, I would want to know that it did two things: cover all the essentials and additionally give me some beyond-the-basics expertise to add value to my consulting. Beyond that, I would also want it to efficiently cover a given topic in a demo-driven way so that instead of having to plow through the whole course, I would be able to sit down for 45 minutes or so with a specific topic and walk away feeling more prepared to implement.

That’s pretty much what I have put together, and when you add up all the content, it covers a whole lot of ground, including segments covering SharePoint customization, certificates, WSUS, SBS 2003-2008 migrations, Exchange disaster recovery and much more.

TrainSignal typically sells scenario-driven courses, so there is usually a fictitious company with fictitious characters whose needs the course is built around, and as part of the course, we field management requests from our "client" and translate them into technological solutions. In this course we are working for Mal Falconi, who runs KingFish Private Investigations, and she wants to set up a solution that maximizes her decentralized office strategy. Many videos begin with a description of a "business need" and we move on to craft and implement a solution that meets that need. I had a lot of fun building the course.

Check out a sample of the course here:
 
  Avoiding trouble with Windows Updates
      Thursday, August 6, 2009

Do you ever wonder why there are so many sporadic one-off problems with Windows Update? Someone runs a .NET update and it breaks a lot of things, even though thousands of other admins have run that same patch without problems?

I think I might have an inkling why.

How many times have you been checking on a server right before lunch and saw an optimization you could easily make, made the change and then saw that the server wanted a reboot? It wasn't that critical a change, and you can't restart the system during business hours, so you add a task to your list to restart the server that evening. Or do you? Did you ever actually get around to it?

Maybe you download a patch for a known issue and then it calls for a reboot, and you decide that you might as well run some other updates before the reboot to get your downtime's worth.

Both of these situations are much more likely to result in failed Windows Updates, since there are unresolved .dll, file and registry changes underway.

The best practice is to restart a server BEFORE you run Windows Update or any significant patches. You would do this in order to ensure that there are no subsystems that can't be patched properly due to their already holding their breath for a reboot. So a good Windows Update procedure would involve at least two server restarts: one before the updates are run, and another after.

The truth is, if your servers run for 30+ days between reboots, it's fairly common for them to begin to accumulate some of these "pending reboot" situations, and if you don't resolve those before doing any serious patching, you may end up with unpredictable results.
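
One way to check for these "pending reboot" situations before patching is sketched below as an added example, not part of the original post. It looks at three registry locations commonly used as pending-restart indicators and reports uptime against the 30-day figure mentioned above; the function names are made up for illustration, and Get-CimInstance assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Read-only; run from an
# elevated PowerShell 3.0+ prompt on the server you are about to patch.

function Get-PendingRebootReason {
    $reasons = @()

    # Servicing stack has staged changes that complete at the next boot.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons += 'Component Based Servicing: RebootPending'
    }
    # Windows Update installed something that still needs a restart.
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons += 'Windows Update: RebootRequired'
    }
    # Files queued to be replaced or deleted at boot (in-use DLLs and the like).
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $n = @($sm.PendingFileRenameOperations | Where-Object { $_ }).Count
        $reasons += "Session Manager: $n pending file rename entries"
    }
    $reasons
}

function Get-UptimeDays {
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    [math]::Round(((Get-Date) - $boot).TotalDays, 1)
}

$reasons = @(Get-PendingRebootReason)
$uptime  = Get-UptimeDays

"Uptime: $uptime days"
if ($uptime -ge 30) {
    'Server has been up 30+ days; restart before patching even if nothing is flagged.'
}
if ($reasons.Count -gt 0) {
    'Restart BEFORE running updates. Pending reboot markers:'
    $reasons | ForEach-Object { "  - $_" }
} else {
    'No pending reboot markers found.'
}
```

A PendingFileRenameOperations entry can also be left by software such as antivirus agents, so treat it as a prompt to restart first rather than as proof that a patch is half-applied.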
 
  Links for the SBS 2008 Build Day participants
      Saturday, June 6, 2009

Yeah, that's right. Everybody else look the other way.

Are you short on space and thinking about restoring to an RSG located on a USB drive? Remember that you'll need that drive to have an admin share.
http://msexchangeteam.com/archive/2009/05/27/451488.aspx

You need to set up a dial-tone database, but you need to think carefully about how it will affect your cached Exchange Outlook users.
http://technet.microsoft.com/en-us/library/aa998698.aspx

This is a common problem that I usually hear about via the old, "Server runs fine for a few days and then nothing works, no connectivity at all" story.
http://blogs.technet.com/sbs/archive/2009/02/12/you-may-lose-network-connectivity-on-sbs-2008-when-using-a-driver-which-utilizes-tdi.aspx

This was fun. I need to come back and talk about troubleshooting mailflow hassles.
 
  Advanced SBS 2008 Build Day in Portland
      Thursday, June 4, 2009

This Saturday there's an event held at a New Horizons center in Portland that I'll be speaking at. It's an all-day thing, from 9am to 4pm, and it will be covering security, virtualization and Exchange. Yours truly will be gabbing and demoing for two full hours as part of this event. I'll be covering the following topics:

- Exchange Management: Tasks Beyond the SBS Console
- Recovering Exchange on SBS 2008: Backup and Disaster Recovery
- Troubleshooting Mail Hassles on SBS 2008

Tim Carney (of basbits.org fame) will probably be talking on a variety of topics, and SME's Dana Epp and Susan Bradley will also be presenting via Live Meeting. All of them are awesome people to learn from.

The event will showcase a live step-by-step build of SBS 2008, including joining clients to the domain and post-installation tasks.

The event includes lunch and snacks, and I think the paltry registration fee is primarily to cover those...

https://www.clicktoattend.com/invitation.aspx?code=137854

New Horizons
9800 SW Nimbus Ave
Suite 100
Beaverton, OR 97008
USA
 
  VMware - Cannot find a valid peer process to connect to
      Monday, February 23, 2009

I work a lot with VMware Workstation, and tonight while I was doing some work on a lab environment, I realized that the VM containing my domain controller was not running. It had been running earlier, but now it was not. When I tried to start it again, I got the message "Cannot find a valid peer process to connect to". Google turned up all sorts of things, including people who said that everything was fine after they rebooted the host machine. Since I'm usually juggling three or four VMs at a time and each one takes around 8-10 minutes to shut down, I wasn't about to waste my time with that.

Instead I went into Task Manager and looked at the processes. I currently had two VMs running, one Windows 2003 server with Data Protection Manager that I'd given 1.5 GB of memory to, and an Exchange 2007 server that I'd given 3 GB to. In the Processes list, I could see three instances of vmware-vmx.exe, and two of them had a Peak Working Set that matched the amounts of RAM that I'd allocated them. The remaining one showed a working set of 1.2 GB, around the amount I'd allocated to the domain controller. Once I killed that process, I was then able to fire up that VM. Apparently it had crashed, but it had left a ghost process behind that was keeping that VM from starting up again.

So that's an easier way to go about it than rebooting your host workstation. Worked for me, but it might not work for you.
 
  Trouble with reporting services during DPM installation
      Saturday, January 31, 2009

If you're installing Data Protection Manager and you keep running into issues at the point that it tries to install SQL Reporting Services, you are probably dealing with a certificate error. You can't have a public cert installed in IIS; you need the simple kind that maps to the local NetBIOS name.

If you check the logs, you'll have something like this near the end of the log:

The remote certificate is invalid according to the validation procedure.

Chances are if you check the certs in this server's Personal store, there won't be a cert that matches the local server's NetBIOS name. There needs to be one. Check in the Trusted Root, and if there's one there, copy it into the Personal store. Make sure that the cert that matches your NetBIOS name is also the one that the Default Web Site is configured to use. But there may not be one there. That was the case for me tonight, and I figure that since it took me till 2am to find a solution, I'm sure as heck going to publish it.

Basically the next step if you don't have that cert is to request one from your local CA. But maybe you don't have a CA or you don't want to hassle with setting one up at 1am. What I did is this:

1. Go to a nearby Exchange 2007 server, open up the Exchange Management Shell, and (assuming your DPM server's name is DPMSERVER1) do the following:

New-ExchangeCertificate -DomainName DPMSERVER1 -privatekeyexportable:$true

Then tell it "No" you don't want to overwrite the existing SMTP cert settings. This will generate a cert with your DPM server's NetBIOS name set as the Common Name.

2. Go into the cert MMC on the Exchange server and export this cert with the private key.

3. Copy the cert file over to your DPM server and import it into the Personal store there.

4. Then go into IIS and configure the Default Web Site to use that cert.

Now rerun setup AGAIN... Your installation should work if lacking the proper cert was your issue.
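
Before rerunning setup, the certificate check described above can be scripted. This is an added example, not part of the original post: it looks in the local machine's Personal and Trusted Root stores for a certificate whose common name equals the server's NetBIOS name and reports validity dates and whether the private key came across with the import. The function name is made up for illustration.

```powershell
# Added example (not from the original post). Read-only; run on the DPM server.

$name   = $env:COMPUTERNAME   # local NetBIOS name
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

function Find-CertByCommonName($StorePath, $CommonName) {
    # Returns certificates in the store whose subject common name matches.
    Get-ChildItem $StorePath | Where-Object {
        $_.GetNameInfo($simple, $false) -eq $CommonName
    }
}

$personal = @(Find-CertByCommonName 'Cert:\LocalMachine\My'   $name)
$root     = @(Find-CertByCommonName 'Cert:\LocalMachine\Root' $name)

if ($personal.Count -eq 0) {
    if ($root.Count -gt 0) {
        "No cert for $name in Personal, but one exists in Trusted Root."
    } else {
        "No cert for $name in Personal or Trusted Root."
    }
} else {
    # HasPrivateKey should be True for a cert IIS is going to serve;
    # CurrentlyValid is False if the cert is expired or not yet valid.
    $now = Get-Date
    $personal | Select-Object Thumbprint, NotAfter, HasPrivateKey,
        @{ Name = 'CurrentlyValid'
           Expression = { $_.NotBefore -le $now -and $_.NotAfter -ge $now } }
}
```

The exported file from step 2 contains the private key, so delete it from both servers once the import in step 3 has succeeded.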