August 20, 2010

Exchange Message Flow

Filed under: exchange — Tim Lefler @ 11:24 am

A quick post with high-level message flow for Exchange 2003.

• MAPI client sends a message to a remote recipient
• Information Store (Store.exe) receives the message
• The created MailMsg object is forwarded to the Advanced Queue Engine (AQE)
• The Message Categorizer from the AQE processes the MailMsg object and splits it into MIME or RTF as necessary
• The Message Categorizer expands groups and checks defined Message limits on Exchange
• The MailMsg object is then transferred to the Remote Destination Domain within the AQE
• The AQE passes the destination address to the Exchange Routing Engine
• SMTP initiates an SMTP session with the remote SMTP host
• After the SMTP session with the remote host has been established, the information store retrieves the body of the message and converts the message as necessary
• SMTP sends the Message from the Queue to the Remote Host

The following Exchange features require the use of SMTP:
• Intra Server Message Delivery
• Inter Server Message Delivery
• Message Delivery to the Internet
• Exchange of Routing Information

August 4, 2010

Using ARP inspection and investigating SW_DAI-4-PACKET_RATE_EXCEEDED

Filed under: Networking — Tim Lefler @ 10:38 am

On our Cisco LAN switches we employ DHCP snooping and arp inspection.

Check out my previous post for details on how to configure it. Recently we have been struggling with some ports getting disabled and logging the following:

Aug  4 09:02:01.871: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa3/0/18. (las02-3)
Aug  4 09:02:01.871: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa3/0/18, putting Fa3/0/18 in err-disable state (las02-3)
Aug  4 09:02:02.878: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/18, changed state to down

We have everything set to the default for the ARP inspection limit. According to this Cisco doc the limit is 15 packets per second, so 16 packets in 184 milliseconds is definitely beyond the limit.
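As an added example (not part of the original post), here is a small Python parser that pulls the rate-exceeded events out of syslog lines like the ones above, works out the observed packets per second against the default 15 pps DAI limit, and notes whether the same interface was err-disabled later in the log. The log text inside it is constructed, modelled on the messages quoted above.

```python
import re

# Default Dynamic ARP Inspection rate limit on untrusted ports, packets per second.
DAI_DEFAULT_LIMIT_PPS = 15

# Constructed sample syslog text, modelled on the messages quoted in the post.
SAMPLE_LOG = """\
Aug  4 09:02:01.871: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa3/0/18. (las02-3)
Aug  4 09:02:01.871: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa3/0/18, putting Fa3/0/18 in err-disable state (las02-3)
Aug  4 09:02:02.878: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0/18, changed state to down
Aug  4 09:15:44.102: %SW_DAI-4-PACKET_RATE_EXCEEDED: 20 packets received in 1000 milliseconds on Fa2/0/7. (las02-3)
"""

RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in "
    r"(?P<ms>\d+) milliseconds on (?P<iface>\S+?)\.? \((?P<switch>[^)]+)\)"
)
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<iface>\S+),")


def parse_dai_events(log_text, limit_pps=DAI_DEFAULT_LIMIT_PPS):
    """Return one record per PACKET_RATE_EXCEEDED message.

    Each record carries the observed rate (packets * 1000 / window_ms), whether it is
    above limit_pps, and whether an ERR_DISABLE message for the same interface appears
    anywhere in the log, so the operator can see which ports need a shut/no shut.
    """
    errdisabled = {m.group("iface") for m in ERRDIS_RE.finditer(log_text)}
    events = []
    for line in log_text.splitlines():
        m = RATE_RE.search(line)
        if not m:
            continue
        pkts, ms = int(m.group("pkts")), int(m.group("ms"))
        pps = pkts * 1000.0 / ms
        events.append({
            "switch": m.group("switch"),
            "interface": m.group("iface"),
            "packets": pkts,
            "window_ms": ms,
            "pps": round(pps, 1),
            "over_limit": pps > limit_pps,
            "err_disabled": m.group("iface") in errdisabled,
        })
    return events


def ports_to_recover(log_text):
    """Interfaces err-disabled by ARP inspection, in order of first appearance."""
    seen = []
    for ev in parse_dai_events(log_text):
        if ev["err_disabled"] and ev["interface"] not in seen:
            seen.append(ev["interface"])
    return seen


if __name__ == "__main__":
    for ev in parse_dai_events(SAMPLE_LOG):
        print(ev)
    print("err-disabled:", ports_to_recover(SAMPLE_LOG))
```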

Not hard to fix, but definitely impacting users. To fix, simply shut down and re-enable the port:

las02-3# configure terminal
las02-3(config)# interface Fa3/0/18
las02-3(config-if)# shutdown
las02-3(config-if)# no shutdown
las02-3(config-if)# exit

So we began to look for reasons this particular machine was sending so many ARP packets. I found a reference to an issue with iTunes and its Bonjour protocol on this blog post, and iTunes was installed on one of the machines, but not on all of them.

To get around this problem I temporarily increased the limit, but obviously this many ARP broadcasts aren't good:

las02-3# configure terminal
las02-3(config)# interface Fa3/0/18
las02-3(config-if)# ip arp inspection limit rate 100
las02-3(config-if)# exit

Continued to investigate, and it turns out the McAfee ePolicy team had pushed rogue sensors to a number of computers on the different segments, and this service was causing the problem. McAfee's rogue sensor inspects ARP requests to determine whether machines on the network have the ePO client installed. So the service sees traffic, sends an ARP request to get the MAC for each IP it sees, and then connects to the machine to determine if the client is installed. When the service first starts it trucks on down the list of all traffic it sees and causes this ARP storm.

July 12, 2010

Using cacls.exe to set permissions from command line

Filed under: Information Technology — Tim Lefler @ 1:02 pm

Whether you want to set NTFS file permissions via a script, or you would like some confirmation that something other than an hourglass is happening when you apply permissions to a huge directory tree, cacls is the command for you.

There is also a VBScript, xcacls.vbs, that can be used: http://support.microsoft.com/kb/825751

CACLS filename [/T] [/M] [/S[:SDDL]] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in
                 the current directory and all subdirectories.
   /M            Changes ACLs of volumes mounted to a directory
   /S            Displays the SDDL string for the DACL.
   /S:SDDL       Replaces the ACLs with those specified in the SDDL string
                 (not valid with /E, /G, /R, /P, or /D).
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N  None
                              R  Read
                              W  Write
                              C  Change (write)
                              F  Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.
 
Abbreviations:
   CI - Container Inherit.
        The ACE will be inherited by directories.
   OI - Object Inherit.
        The ACE will be inherited by files.
   IO - Inherit Only.
        The ACE does not apply to the current file/directory.

I wanted to recursively set permissions for a directory structure and add permissions for users from two different domains.

Example:

cacls "e:\test" /T /G "DOMAIN\Domain Users":F "DOMAIN2\Domain Admins":F

Note that without /E, cacls replaces the existing ACL on each file rather than adding to it; include /E if the existing entries should be kept.

July 8, 2010

Exchange 2003 Mailstore Dismounting Unexpectedly

Filed under: exchange — Tim Lefler @ 3:34 pm

So I recently encountered a problem in our Exchange 2003 environment where mailstores on one particular server kept dismounting at inopportune times. I snooped around a while to figure this one out, so I figured I'd post about it to make sure I could look it up again. Besides, I haven't been posting much lately, changing responsibilities at work and all that, so I probably need to get back in the habit.

Event Type:	Error
Event Source:	MSExchangeIS
Event Category:	General 
Event ID:	1159
Date:		7/8/2010
Time:		4:35:52 AM
User:		N/A
Computer:	SMB01
Description:
Database error 0xfffffd9a occurred in function JTAB_BASE::EcUpdate while accessing the database "SG1\STORENAME". 
 
For more information, click http://www.microsoft.com/contentredirect.asp.

Looking up the error from the event log promptly guided me to the problem. I found a Microsoft article with the same symptoms: http://support.microsoft.com/kb/925817. This particular article was for Exchange 2007, but the same hard limit applies to Exchange 2003.

Log files are only committed after a full backup has been performed. Turns out this box had been having backup troubles for about a week and the server administrative group didn't let us know. Simple solution: get a successful backup.

April 30, 2010

Configuring HSRP on Cisco Routers

Filed under: Networking — Tim Lefler @ 1:29 pm

 

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a fault-tolerant default gateway, and has been described in detail in RFC 2281.

The protocol establishes a framework between network routers in order to achieve default gateway failover if the primary gateway should become inaccessible,[1] in close association with a rapid-converging routing protocol like EIGRP or OSPF. HSRP sends its hello messages to the multicast address 224.0.0.2 (all routers) using UDP port 1985, to the other HSRP-enabled routers, establishing priority between the routers. The primary router, the one with the highest configured priority, will act as a virtual router with a pre-defined gateway IP and will respond to ARP requests from machines connected to the LAN with the MAC address 0000.0c07.acXX, where XX is the group ID in hex. If the primary router should fail, the router with the next-highest priority takes over the gateway IP and answers ARP requests with the same MAC address, thus achieving transparent default gateway fail-over.

The idea here is that only one of the HSRP peers responds to ARP requests for the gateway address at any one time.

So for my example let's say we have two routers, depicted below. The HSRP standby address will be 10.1.1.1 and this will be the default gateway that traffic is routed through.

Setup is really pretty basic: define your interface and assign it the gateway's IP address as the standby address. In our example this is 10.1.1.1. The example below is a trunk sub-interface on VLAN 3874 for the first router.

interface GigabitEthernet0/0.40
 description Trunk port interface with HSRP defined.
 encapsulation dot1Q 3874
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 105   ! Higher priority, primary router
 standby 1 preempt        ! Router with highest priority is active

The second router's configuration as backup; its priority must be lower than the primary's so that the first router wins the election.

interface GigabitEthernet0/0.40
 description Trunk port interface with HSRP defined.
 encapsulation dot1Q 3874
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 100   ! Lower priority (the IOS default), backup router
 standby 1 preempt        ! Router with highest priority is active

This same technique and syntax can be applied to VLAN interfaces on a switch as well. Used in conjunction with Cisco Port-Channels, it is a simple and effective method for offering highly available routing.
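As an added illustration (not from the post or from Cisco), this Python model works through the election described above: the HSRPv1 virtual MAC for a group, the highest-priority router winning, the tie falling to the highest interface IP when both routers carry the same priority, and a higher-priority router only taking the role back when it has preempt configured. Router names and addresses are constructed to match the two-router example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


def hsrp_virtual_mac(group):
    """HSRP version 1 virtual MAC, 0000.0c07.acXX with XX the group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers are 0-255")
    return "0000.0c07.ac%02x" % group


@dataclass
class HsrpRouter:
    name: str
    ip: str                # the interface's real address, e.g. 10.1.1.2
    priority: int = 100    # IOS default when 'standby N priority' is not configured
    preempt: bool = False  # 'standby N preempt'
    alive: bool = True     # False once the peer stops sending hellos


def elect_active(routers, current_active=None):
    """Return the router that owns the standby IP and answers ARP for it.

    Highest priority wins and a tie goes to the highest interface IP.  A router that
    would win on priority only displaces a healthy current active if it has preempt
    configured; otherwise the active keeps the role until it fails.
    """
    candidates = [r for r in routers if r.alive]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.priority, IPv4Address(r.ip)))
    if (current_active is not None and current_active.alive
            and current_active is not best and not best.preempt):
        return current_active
    return best


if __name__ == "__main__":
    primary = HsrpRouter("R1", "10.1.1.2", priority=105, preempt=True)
    backup = HsrpRouter("R2", "10.1.1.3", priority=100, preempt=True)
    print("virtual MAC for group 1:", hsrp_virtual_mac(1))
    print("active:", elect_active([primary, backup]).name)
    primary.alive = False
    print("after R1 fails:", elect_active([primary, backup], current_active=primary).name)
```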

March 12, 2010

Notes on Exchange 2003 Recipient Policies and the Recipient Update Services

Filed under: exchange — Tim Lefler @ 4:44 pm

The Recipient Update Service (RUS) is responsible for creating and maintaining email addresses in your Exchange organization. It creates one entry (Recipient Update Service (Enterprise Configuration)) for the entire Exchange organization, which modifies objects in the Configuration container partition in Active Directory, and one additional RUS for every Exchange-enabled domain in the forest. The RUS runs automatically in the background, but you can start it manually by clicking Update Now on the corresponding RUS entry.

Recipient Policies are used to define the email addresses for your organization and to manage messages within the user's mailbox.

The logic of the RUS is fairly simple, but often misunderstood. The details of the decision-making process are documented in Microsoft Knowledge Base article 328738.

The basic idea is this:

In the Recipient Policies container, you have a set of recipient policies.

Recipient Policies

  • Each policy has a priority and a filter.
  • The policy for each user is the policy with the highest priority (the lower the number, the higher the priority) with a filter that matches the user.
  • Once a filter is matched no further policies are applied for a mailbox so for simplicity keep the number of policies small.

There are two types of Recipient Policies. The "E-Mail Addresses" policy is the type used by the "Default Policy" created by Exchange. This type of policy controls how proxy email addresses are created for new users. The "Mailbox Manager Settings" policy type can be used to purge mailbox items based on their age or size.

March 4, 2010

Script to set AD targetAddress property to forward Email during a Transition to new Domain

Filed under: General Development,Information Technology — Tim Lefler @ 9:07 am

My company was moving from our in-house email system to a completely new infrastructure with a new email domain name and a new Active Directory domain. The plan was to have users configure a new Outlook profile to connect to the new system at a particular time on the migration day. Because we have little control over when the users will actually make the transition, I wanted to make sure any new email that arrived at the old mailbox would get forwarded to the new mailbox. This would help cover the straggler users who keep sending email to users who had already migrated.

So this script does exactly that: it takes a list of distinguished names in an input file, connects to Active Directory and sets the Active Directory attribute "targetAddress". This will essentially forward the mail to the targetAddress SMTP location.

The input file can be easily generated with a CSVDE command:

C:\csvde -f input.csv -d "dc=domain,dc=com" -r "(ObjectCategory=Person)" -l "DN"
Connecting to "(null)"
Logging in as current user using SSPI
Exporting directory to file input.csv
Searching for entries...
Writing out entries
................................................................................
Export Completed. Post-processing in progress...
763 entries exported
 
The command has completed successfully

Then you can run this script to read it in and make the changes to the mail-enabled Active Directory objects.

March 3, 2010

My definition of DHCP-snooping

Filed under: Information Technology,Security — Tim Lefler @ 2:04 pm

Cisco’s Overview of DHCP Snooping

DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall and that can cause traffic attacks within your network.

The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information that corresponds to the local untrusted interfaces of a switch; it does not contain information regarding hosts interconnected with a trusted interface. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces connected to the DHCP server or another switch.

Well, thanks for that extremely clear overview. What is actually going on? Let's say you have a switch. You hook a DHCP server up to port #1 and designate this as a "trusted" interface, and all of the rest of the ports that will have devices connected to them are set up as "untrusted". You would set this up using the commands:

*** Enable DHCP Snooping & ARP Inspection ***
ip dhcp snooping vlan 100
no ip dhcp snooping information option
ip dhcp snooping database flash:/dhcpdb.dat
ip dhcp snooping
ip arp inspection vlan 100

*** Untrusted Access Interfaces for DHCP ***
interface range Fa1/0/2 - 48
 description Workstation
 switchport access vlan 100
 switchport mode access
 no mdix auto

interface range Fa2/0/1 - 48
 description Workstation
 switchport access vlan 100
 switchport mode access
 no mdix auto

*** Trusted Access Interface for DHCP ***
interface Fa1/0/1
 description DHCP Server
 switchport access vlan 100
 switchport mode access
 no mdix auto
 ip dhcp snooping trust

DHCP Client requests are forwarded regardless of the trust state of the port, but DHCP server responses are dropped if the port is untrusted.

So let's say on port #2 the switch sees a DHCP discovery packet float by from a DHCP client. Because it is a broadcast message, this gets flooded to all ports on the VLAN. The DHCP server connected to port #1 sees the discovery packet and sends a unicast DHCPOFFER packet to the client. Because this originated from a "trusted" port the offer is allowed to go through. The client receives the DHCPOFFER, chooses an offer from all that it receives, and responds with a DHCPREQUEST back to the DHCP server. The server then responds with a DHCPACK that includes the configuration parameters and the committed network address. The switch records the client's port, VLAN, MAC address, IP address, and so on in its local snooping database.
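The exchange described above, as an added Python model that is not part of the original post: a switch with one trusted port forwards client messages from any port, drops OFFER/ACK/NAK arriving on untrusted ports, and writes the binding (client port, VLAN, MAC, IP, lease) when the ACK comes through the trusted port. Port numbers, MACs and addresses are constructed; the message fields are a simplification of the real DHCP packet.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}                 # only legitimate from trusted ports
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class DhcpMessage:
    kind: str           # one of SERVER_MESSAGES or CLIENT_MESSAGES
    chaddr: str         # client hardware address carried in every DHCP message
    ingress_port: int   # switch port the frame arrived on
    vlan: int
    yiaddr: str = ""    # address offered (OFFER) or committed (ACK) by the server
    lease: int = 0      # lease time in seconds, from the ACK


class SnoopingSwitch:
    """Minimal model of the DHCP snooping decision on a single switch."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        self.client_ports = {}   # chaddr -> (port, vlan) learned from client messages
        self.bindings = {}       # chaddr -> snooping binding table entry
        self.dropped = []        # server messages refused on untrusted ports

    def process(self, msg):
        """Return True if the frame is forwarded, False if snooping drops it."""
        if msg.kind in SERVER_MESSAGES:
            if msg.ingress_port not in self.trusted_ports:
                # A DHCP server answering from an access port is rogue: drop it.
                self.dropped.append(msg)
                return False
            if msg.kind == "ACK" and msg.chaddr in self.client_ports:
                port, vlan = self.client_ports[msg.chaddr]
                self.bindings[msg.chaddr] = {
                    "ip": msg.yiaddr, "port": port, "vlan": vlan,
                    "lease": msg.lease, "type": "dhcp-snooping",
                }
            return True
        if msg.kind in CLIENT_MESSAGES:
            # Client messages pass regardless of trust; remember where the client is.
            self.client_ports[msg.chaddr] = (msg.ingress_port, msg.vlan)
            return True
        raise ValueError("unknown DHCP message type: %s" % msg.kind)


def run_exchange(switch, client_mac, client_port, server_port, vlan=100):
    """Walk the four-message exchange from the post; return the resulting binding or None."""
    switch.process(DhcpMessage("DISCOVER", client_mac, client_port, vlan))
    switch.process(DhcpMessage("OFFER", client_mac, server_port, vlan, yiaddr="10.0.100.50"))
    switch.process(DhcpMessage("REQUEST", client_mac, client_port, vlan))
    switch.process(DhcpMessage("ACK", client_mac, server_port, vlan,
                               yiaddr="10.0.100.50", lease=86400))
    return switch.bindings.get(client_mac)


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={1})
    print(run_exchange(sw, "00:11:22:33:44:55", client_port=2, server_port=1))
    print(run_exchange(sw, "aa:bb:cc:dd:ee:ff", client_port=3, server_port=9))  # rogue server
    print("dropped:", len(sw.dropped))
```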

March 1, 2010

How to use ExMerge to search through an Exchange mailstore and remove messages

Filed under: Information Technology — Tim Lefler @ 2:04 pm

As Exchange administrators we have probably all had that panic call from an administrative assistant wanting to recall a message that was inadvertently sent to the wrong group. Every end user knows that Outlook's "Recall" capability stinks. Microsoft's Exchange Mailbox Merge tool (ExMerge) can be used to perform this function (available as a download from Microsoft here). You've probably used this tool before to extract a single user's mailbox from the Exchange Recovery Storage Group to a PST.

We can use a similar technique to extract and delete all of the messages that match a criterion such as "SUBJECT" to a PST and then simply throw away the PST.

Before we begin, make sure the account you are using is NOT a Domain Admin and has read access to the mailstore and all of the mailboxes. I like setting this permission at the SERVER level and letting it propagate down to the individual mailboxes. You can't use a Domain Admin account because Exchange explicitly denies Domain Admins read access at the mailbox level.

Start up ExMerge and choose "Extract or Import (Two Step Procedure)".

This allows us to extract the messages that meet our criteria first before trying to import or restore the messages.

Screenshot: Select "Extract or Import (Two Step Procedure)"

So first we perform step 1 to extract the messages.

February 23, 2010

csvde Command to show disabled accounts

Filed under: Information Technology — Tim Lefler @ 4:53 pm

For audit purposes I needed to list all Active Directory users and prove that ex-employees were either deleted or disabled. There are a couple of techniques to produce the required output. I think the easiest was to make use of csvde.exe.

Arguments for csvde.exe:

CSV Directory Exchange
 
General Parameters
==================
-i              Turn on Import Mode (The default is Export)
-f filename     Input or Output filename
-s servername   The server to bind to (Default to DC of computer's domain)
-v              Turn on Verbose Mode
-c FromDN ToDN  Replace occurences of FromDN to ToDN
-j path         Log File Location
-t port         Port Number (default = 389)
-u              Use Unicode format
-?              Help
 
Export Specific
===============
-d RootDN       The root of the LDAP search (Default to Naming Context)
-r Filter       LDAP search filter (Default to "(objectClass=*)")
-p SearchScope  Search Scope (Base/OneLevel/Subtree)
-l list         List of attributes (comma separated) to look for in an
                LDAP search
-o list         List of attributes (comma separated) to omit from input.
-g              Disable Paged Search.
-m              Enable the SAM logic on export.
-n              Do not export binary values
 
 
Import
======
-k              The import will go on ignoring 'Constraint Violation' and
                'Object Already Exists' errors
 
 
Credentials Establishment
=========================
Note that if no credentials is specified, CSVDE will bind as the currently
logged on user, using SSPI.
 
-a UserDN [Password | *]            Simple authentication
-b UserName Domain [Password | *]   SSPI bind method
 
Example: Simple import of current domain
    csvde -i -f INPUT.CSV
 
Example: Simple export of current domain
    csvde -f OUTPUT.CSV
 
Example: Export of specific domain with credentials
    csvde -m -f OUTPUT.CSV
          -b USERNAME DOMAINNAME *
          -s SERVERNAME
          -d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com"
          -r "(objectClass=user)"
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

So to display whether a user is disabled or not we need to extract the “userAccountControl” property.
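As an added example (not from the post), here is the decoding step in Python: it reads a csvde export that includes the userAccountControl attribute, tests the ACCOUNTDISABLE bit (0x0002, from the ADS_USER_FLAG enumeration) and names the other common flags, giving the audit list of disabled accounts. The CSV text is constructed to look like csvde output; the account names are made up.

```python
import csv
import io

# userAccountControl bits from the ADS_USER_FLAG enumeration (subset).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
UAC_FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample of what csvde writes when asked for
# -l "sAMAccountName,userAccountControl"; DN is always the first column.
SAMPLE_CSVDE = """\
DN,sAMAccountName,userAccountControl
"CN=Alice Adams,OU=Staff,DC=domain,DC=com",aadams,512
"CN=Bob Brown,OU=Staff,DC=domain,DC=com",bbrown,514
"CN=Carol Cole,OU=Staff,DC=domain,DC=com",ccole,66048
"CN=Dan Dean,OU=Former,DC=domain,DC=com",ddean,66050
"""


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def audit_accounts(csv_text):
    """Parse a csvde export and report each account's disabled state and flags."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        report.append({
            "sam": row["sAMAccountName"],
            "dn": row["DN"],
            "uac": uac,
            "disabled": bool(uac & ACCOUNTDISABLE),
            "flags": decode_uac(uac),
        })
    return report


def disabled_accounts(csv_text):
    """sAMAccountNames whose ACCOUNTDISABLE bit is set."""
    return [r["sam"] for r in audit_accounts(csv_text) if r["disabled"]]


if __name__ == "__main__":
    for r in audit_accounts(SAMPLE_CSVDE):
        state = "disabled" if r["disabled"] else "enabled "
        print(state, r["sam"], r["uac"], ", ".join(r["flags"]))
```

The same selection can be done server-side by passing the LDAP bitwise filter `(userAccountControl:1.2.840.113556.1.4.803:=2)` to csvde's -r option; decoding locally is useful when the audit has to show the state of every account in one report.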
