Sunday, August 23, 2015

Framed Route Configuration for MTS Internet

I recently found out that you can have multiple IPs on a MTS (Manitoba Telecom Services) Internet connection. I haven't investigated this for a long time and this was a pleasant surprise when migrating a client from a more expensive Internet connection to MTS after MTS upgraded the connectivity in their relatively remote building.

Adding additional IPs with MTS is done by purchasing a framed route. The minimum size is 6 IP addresses for $9.95/month. Pretty good if you need an extra IP or two as our client did. The description of the service is here:
We have the framed route up and running for the customer and it worked very well once it was configured. What we ran into was vague documentation and a support person that wasn't familiar with it and messed up the configuration on the first attempt (a second tech was very helpful and got it right).

MTS provides the following document to clients:
The document provided by MTS pretty much just indicates to add an IP from your framed route range to your computer or firewall and it will all start working. However, that is not the case. Your modem from MTS needs to be configured to support the framed route. It's not hard to do, but there is no documentation available, and it's not widely understood by the support staff.

We did the install for a Pace modem. So, the screenshots below show what needs to be configured for that specific modem type.

After you have connected to your Pace modem, go to Settings > Broadband > Link Configuration.

At the bottom of this page, in the Supplementary Network section, select Enable to add an additional network.

Notice that the interface doesn't ask you for your network, it only asks for the address you want to use as the default gateway (router address) and the subnet mask. The Pace box identifies the network from this information. So, you need to determine ahead of time which IP address in your framed route that you want to use as gateway. This means if you purchased a framed route of 6 IP addresses, only 5 are usable because the gateway uses one IP address.

You should also select the Auto Firewall Open option to automatically forward all Internet traffic to hosts inside the Pace box. If you don't, you'll need to either forward specific ports in the Pace firewall, or configure additional DMZ zones in the Pace box. In our case, we were configuring a firewall behind the Pace box and wanted all traffic to be forwarded.

Tuesday, August 4, 2015

Optimize Network Connectivity for Office 365

Microsoft has just released a nice video on optimizing network connectivity for Office 365:
A quick summary of the video:

A lot of connectivity to Office 365 is not in your control. However, you should have an understanding of connectivity to the data center to your tenant. In some cases, MS has worked with ISPs to optimize connectivity in cases where there was obviously bad routing. For example traffic being routed unnecessarily over trans-oceanic links.

If you have high latency to Office 365 you can use tools such as PSping to look at connectivity. PSping performs a connection to a service at a port number rather than using ICMP packets as regular ping does. You can also use Network Monitor to identify some issues.

PSping is free from Sysinternals:
It's important to know that DNS lookups are based on geographic location.  For example outlook.office365.com will resolve to a different data center depending on location. If users are accessing through a corporate VPN they may be accessing inefficiently.

Wednesday, July 15, 2015

Creating Shared Mailbox in a Hybrid Deployment

The first thing to be aware of when creating shared mailboxes in a hybrid deployment is security. Sharing mailboxes between on-premises and O365 is not supported. So, if a group of people need to share a mailbox then their mailboxes all need to be on-premises or all in O365.

On-Premises Shared Mailboxes

Creating an on-premises shared mailbox is pretty straight forward. Create the shared mailbox in the on-premises Exchange and it all works.

In Exchange 2013, shared mailboxes are explicitly listed as a recipient type in the Exchange admin center (EAC). You can create and manage the shared mailboxes there.

In Exchange 2010, shared mailboxes are not part of the Exchange Management Console (EMC). You need to create the shared mailbox by using the New-Mailbox cmdlet in the Exchange Management Shell (EMS). For example:
New-Mailbox HelpDesk -shared -UserPrincipalName HelpDesk@MyDomain.com
After creating the shared mailbox in Exchange 2010, you need to give users permission to access it. Assign Full Mailbox permissions to let users manage the contents of the mailbox. You may also want to give SendAs permissions depending on your scenario.

Office 365 Share Mailboxes

In Office 365, the web-based management interface provides the same option to create shared mailboxes as Exchange 2013 does. However, in a hybrid environment, you can't create the shared mailboxes directly in Office 365.

If you create the share mailbox directly in Office 365 there is no Active Directory reference to the shared mailbox on-premises. This prevents Outlook from properly adding the shared mailboxes because autodiscover does not work properly. In a hybrid environment, autodiscover is directed to the on-premises Exchange organization and won't be able to direct Outlook to the correct location of the shared mailbox because there is no information in Active Directory about the shared mailbox in the on-premises AD.


In a hybrid environment, you should perform the following steps instead:
  1. Create a Remote Mailbox in Office 365 from the on-premises Exchange organization.
  2. Run Dirsync (or wait for several hours).
  3. In Office 365, convert the mailbox to a shared mailbox. Available when the recipient is selected as seen in the screenshot to the right.
  4. In Office 365, configure Full Access and SendAs permissions to the shared mailbox as required.
It's a bit more of a hassle to create a shared mailbox in Office 365 for a hybrid environment, but it does work!

When you create the shared mailbox directly in Office 365, you'll see the following symptoms:
  • Shared mailboxes are not automatically added to Outlook.
  • If you attempt to add the shared mailbox to Outlook manually in the properties of the Exchange account, then Outlook will continually prompt for credentials and hang.

Tuesday, July 7, 2015

Script for Exchange 2013 Message Tracking

Exchange Server 2010 had a graphical utility for analyzing message tracking logs. Unfortunately, this tool was removed from Exchange Server 2013. Instead in Exchange Server 2013, you have only the Get-MessageTrackingLog cmdlet.

The Get-MessageTrackingLog cmdlet is a pain in the butt for a few reasons:
  • You need to memorize the syntax. Most of it is pretty straight forward, but you need to remember the correct parameters for searching by sender, recipient, or subject.
  • It only searches the local server by default. Without specifying servers, it only searches the local Exchange server that you're running the tool on. In a lot of cases, you need to see information from all your servers to track it down.
While working on a message delivery problem this week, I wrote up a short script help with simple message tracking based on time, sender, recipient, or message subject. The script is as follows:
 Write-Host "Current Date/Time: $(Get-Date)"  
 $StartTime = Read-Host "Start time for search"  
 $EndTime = Read-Host "End time for search"  
 $SearchType = Read-Host "Search for (S)ender, (R)ecipient, (M)essage subject, or display (A)ll"  
 Switch ($SearchType) {  
   'S' {  
            $Sender = Read-Host "Sender"  
            Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start $StartTime -End $EndTime -Sender $Sender |Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Sender,Recipients,MessageSubject | Out-GridView }  
   'R' {  
            $Recipient = Read-Host "Recipient"  
            Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start $StartTime -End $EndTime -Recipient $Recipient |Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Sender,Recipients,MessageSubject | Out-GridView }  
   'M' {  
            $MessageSubject = Read-Host "Message subject (performs partial matches)"  
            Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start $StartTime -End $EndTime -MessageSubject $MessageSubject |Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Sender,Recipients,MessageSubject | Out-GridView }  
   'A' {  
            Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start $StartTime -End $EndTime |Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Sender,Recipients,MessageSubject | Out-GridView }  
   default {Write-Host "Invalid Option - Run Script Again"}  
 }  
Here is how the script works:
  1. The current date/time are displayed. This shows you the date/time syntax to use for entering time in the next steps.
  2. You are prompted for the time to start searching the logs.
  3. You are prompted for the time to stop searching the logs.
  4. You are prompted for the type of search you want to do: sender, recipient, message subject, or display all.
  5. The switch command uses the $SearchType variable to run a specific code block. The command varies depending on the option, but in general, it prompts for the required information and then runs the query based on it.
  6. Results are displayed by using Out-Gridview. This allows you to sort based on columns.

Notes:

  • This code is used to identify and generate a list of all Exchange servers with message tracking logs which is then piped to the Get-MessageTrackingLog cmdlet.
    Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true}  
  • When you search by message subject, it returns all results that include the snippet of text. This can make it hard to track down the specific message that you're looking for sometimes. For example, searching for "text" will include messages with "text" in the subject, but also "context","textbook", etc.
  • Only 1000 results are returned by the Get-MessageTrackingLog cmdlet. It's possible to override this, but if your query is returning more than 1000 results, you should probably be refining your query.
  • Times from Exchange 2007 servers seem off. I was testing in a Mixed 2013 and 2007 environment and the content coming back from the 2007 environment had timestamps outside the range I queried. I have not yet had time to investigate, but be aware of this when sorting results based on time.

Thursday, June 18, 2015

KB 3062157 Breaks Single Role Exchange 2013 Servers

It appears that there may be problems, in at least some cases, when you apply KB 3062157 to servers running Exchange Server 2013 SP1 or later. It will break web services such as OWA, ActiveSync, EWS, and ECP.  The KB is meant to address vulnerabilities described in Microsoft Security bulletin MS15-064.

The good news is that this problem appears to affect only  single role servers and not multi-role servers. Since most deployments have multi-role servers that will limit the impact.

If you deploy this update and experience problems, removing the update should resolve the issue and get the server functional again.


This update is also included as part of CU9 and doesn't appear to have the same issues when installed as part of CU9. A commenter on the blog below had problems with KB3062157, uninstalled that update, and installed CU9 without issue.

Tuesday, June 2, 2015

Automatic Activation for Hyper-V VMs

When you use Windows Server 2012 R2 Datacenter Edition as the host operating system for Hyper-V, you can implement an unlimited number of virtual machines using that same license. This means that you can buy a single Windows Server 2012 R2 Datacenter Edition license for a single physical server and run an unlimited number of guests using Windows Server 2012 R2 as the operating system.

If you have multiple Hyper-V hosts, it can be a pain to keep track of the Windows Server 2012 R2 keys for the guest VMs. Instead of using typical activation methods, you can use Automatic Virtual Machine Activation (AVMA).

AVMA activates a guest VM against the Hyper-V host instead of typical Microsoft activation methods. This means that the VM can be completely isolated without access to the Internet or other network and still be activated.

You can use AVMA guest VMs running:
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 R2 Datacenter

For each guest operating system you enter in a generic AVMA license key. The generic license keys are:
  • Datacenter - Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
  • Standard - DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
  • Essentials - K2XGM-NMBT3-2R6Q8-WF2FK-P36R2
To enter the generic AVMA key, you can use any method that you typically use to enter a license key. During installation, you can use an unattend.xml file. After installation, you can run the following command:
slmgr /ipk AVMAlicensekey
To monitor AVMA licensing requests on the Hyper-V host, look for Event ID 12310. On the guest VMs look for Event ID 12309.

Wednesday, May 27, 2015

Perc H700 Connector Confusion

Throwing this one out there in case anyone hits a similar issue. This one confused the heck out of me but was simple in the end.

We have a customer with a Dell T310 server with an H200 RAID adapter. The performance on the H200 is pretty poor. In part because the drive cache is disabled by default. But, search around and you'll see no one has much nice to say about the H200.

To improve performance for this server, we ordered an H700i card from Dell. We ordered from Dell rather than aftermarket to avoid issues with compatibility. And so that it would be supported.

There are several sets of instructions out there for doing this upgrade. Here is the one I thought was the best:
We went through the guide, installed the card, installed drivers, and then went to connect the drive backplane to the card. Uh oh, wrong connector type.


You can see above that the new card has a two prong connector that does not match the mini SAS connector (shown below) of the cables that shipped with the card. The cable already in the server also had this type of connector.


While I'm comfortable with server hardware, I'm by no means an expert on all different connection types. So, at this point I assume that there is a connector type that I'm unaware of and we need either a different card or different cables.

My rep confirmed that this is in fact the correct card. Next step is calling support. I sent the pictures to support and he wasn't sure what was up either. While on the phone as the support rep was searching, I tried searching for SAS connector types and nothing matched what I was seeing on the card. It wasn't making sense. This can't possibly be correct.

At this point, I tried gently pulling on the plastic part of the connector and it came out (see below). The plastic was a spacer put in the connector for shipping. After removing the plastic plug the connector fit the cable properly. It seems obvious in retrospect, but it didn't at the time.


One final note about this card. We ordered the model with 1 GB non-volatile RAM. I assumed that this meant no battery was required. In fact the card uses DRAM for operations because it is faster than NVRAM. The battery is still required to move data from DRAM to NVRAM when a power outage occurs.