TechnoGist


Archive for the ‘AD’ tag

Exchange 2010 on a Windows 2008 R2 Domain Controller


Issue: “Service ‘MSExchangeTransport’ failed to reach  status ‘Running’ on this server.”

I am building a virtual lab at home using VMware Fusion. It consists of a Windows 2008 R2 server with Active Directory Domain Services installed and Exchange 2010.

Please Note:

I am running AD (Global Catalog) and Exchange 2010 on the same server; this is not a configuration recommended by Microsoft.

Possible Issues

After installing Windows 2008 R2 and AD Domain Services, I installed all prerequisites for Exchange 2010 and ran the Exchange 2010 install wizard. I chose to install the Exchange Management Tools, Hub Transport, CAS and Mailbox roles to have a self-contained environment.

However, during the install of the ‘Hub Transport Role’ I got this failure:

The execution of: “$error.Clear(); if ($RoleStartTransportService) { start-SetupService -ServiceName MSExchangeTransport }”, generated the following error: “Service ‘MSExchangeTransport’ failed to reach  status ‘Running’ on this server.”

The following error also appeared in the Application event log:

Source: MSExchange ADAccess
Event ID: 2114
Task Category: Topology
Level: Error
Description:
Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=1784). Topology discovery failed, error 0x80040a02 (DSC_E_NO_SUITABLE_CDC). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, “Microsoft LDAP Error Codes.” Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

After finding several mentions of security changes, group membership alterations and domain policy issues, I found this article by ‘Rui Silver’ on his blog. He had hit the very same issue while installing Exchange 2007 on Windows 2008, and the cause was that Exchange requires IPv6. I had disabled IPv6 in the interface properties while building my Windows 2008 R2 server, believing I would not need it.

After I re-enabled IPv6 on the interface, left it to obtain an IPv6 address automatically (the default) and rebooted the system, the Exchange services started and I could complete the installation of all Exchange 2010 roles.

There are several articles describing how to disable IPv6 permanently before installing Exchange. (I have not tested either of these.)

  1. Windows Server Forums
  2. Exchange Server Share
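As an added example (my code, not from the original post), here is a pre-flight check for the IPv6 cause described above: it reports whether any IP-enabled adapter currently holds an IPv6 address, whether IPv6 was disabled through the Tcpip6 DisabledComponents registry value, and whether the MSExchange ADAccess 2114 event has already been logged. It assumes Windows 2008 R2 with PowerShell 2.0 and only reads WMI, the registry and the Application log.

```powershell
# Added example (not part of the original post): pre-flight check for the
# DSC_E_NO_SUITABLE_CDC symptom caused by IPv6 being disabled on the server.

# 1. Does any IP-enabled adapter hold an IPv6 address? Win32_NetworkAdapterConfiguration
#    lists IPv4 and IPv6 addresses together; IPv6 addresses are the ones with colons.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$withV6 = @()
foreach ($nic in $adapters) {
    if (@($nic.IPAddress | Where-Object { $_ -like "*:*" }).Count -gt 0) {
        $withV6 += $nic.Description
    }
}
if ($withV6.Count -eq 0) {
    Write-Warning "No IP-enabled adapter has an IPv6 address; Exchange topology discovery can fail (DSC_E_NO_SUITABLE_CDC)."
} else {
    Write-Host "IPv6 present on: $($withV6 -join ', ')"
}

# 2. Was IPv6 disabled system-wide via the Tcpip6 DisabledComponents value (KB 929852)?
#    Any non-zero value deserves a second look before installing Exchange.
$tcpip6 = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
$disabled = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($disabled -and $disabled -ne 0) {
    Write-Warning ("DisabledComponents is 0x{0:X}; IPv6 components are disabled in the registry." -f $disabled)
}

# 3. Has MSExchange ADAccess already logged the topology failure (Event ID 2114)?
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2114 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, @{N='Message';E={ $_.Message.Split("`n")[0] }} | Format-Table -AutoSize
} else {
    Write-Host "No recent MSExchange ADAccess 2114 events found."
}
```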

Resources:

  1. Windows 2008 R2 Server
  2. Active Directory Domain Services
  3. Exchange 2010 Prerequisites

Please note that this is a basic overview of my server and it is not intended as a recommendation or standard to be used by anyone else.

Hope this helps

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

January 27th, 2010 at 10:59 pm

AD and Kerberos Token Bloat – Analyzing Group Nesting


How To: Analyze Nested AD Groups.

I am working on a Kerberos token size issue (token bloat) and need to accurately depict a group's nested members for token size analysis and remediation.

Brief Token Bloat Explanation:

Token bloat occurs when, due to several factors including deep group nesting, the Kerberos token used in AD for resource authentication grows towards the configured limit or even beyond it. This can cause longer logon times to resources and even issues in applications like Exchange 2003 that can only run on a 32-bit OS.

I came across this article on the “Microsoft Active Directory Group PowerShell” blog; it has a great script for analysing nested group memberships. Unfortunately, to use that PowerShell script you need to be running Windows 2008 servers for the Active Directory cmdlets to be available. The environment I needed the script for was not W2008, so I converted the script to use the Quest cmdlets available in the Quest ActiveRoles Management PSSnapIn.

You will need to have these installed before using this script.

The script, originally written by the MS AD PowerShell team, provides a visual tree view of the groups and their nesting levels, a ‘MaxNestingLevel’ value and a ‘NestedGroupMembershipCount’.

Example:

PS C:\> Get-QADGroupNesting.ps1 group-name

Or

PS C:\> Get-QADGroupNesting.ps1 group-name -ShowTree

The above example not only displays group statistics it also plots the structure of the group in a tree format.

Download Script at PoshCode.org

Code:

##########Copy the below script into a new file called Get-ADGroupNesting.ps1
 
Param (
    [Parameter(Mandatory=$true,
        Position=0,
        ValueFromPipeline=$true,
        HelpMessage="DN or ObjectGUID of the AD Group."
    )]
    [string]$groupIdentity,
    [switch]$showTree
    )
#Validate Quest PSSnapin is loaded
Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
$global:numberOfRecursiveGroupMemberships = 0
$lastGroupAtALevelFlags = @() 
 
function Get-GroupNesting ([string] $identity, [int] $level, [hashtable] $groupsVisitedBeforeThisOne, [bool] $lastGroupOfTheLevel)
{
    $group = $null
    $group = Get-QADGroup -Identity $identity -SizeLimit 0
    if($lastGroupAtALevelFlags.Count -le $level)
    {
        $lastGroupAtALevelFlags = $lastGroupAtALevelFlags + 0
    }
    if($group -ne $null)
    {
        if($showTree)
        {
            for($i = 0; $i -lt $level - 1; $i++)
            {
                if($lastGroupAtALevelFlags[$i] -ne 0)
                {
                    Write-Host -ForegroundColor Blue -NoNewline "  "
                }
                else
                {
                    Write-Host -ForegroundColor Blue -NoNewline "│ "
                }
            }
            if($level -ne 0)
            {
                if($lastGroupOfTheLevel)
                {
                    Write-Host -ForegroundColor Blue -NoNewline "└─"
                }
                else
                {
                    Write-Host -ForegroundColor Blue -NoNewline "├─"
                }
            }
            Write-Host -ForegroundColor Blue $group.Name
        }
        $groupsVisitedBeforeThisOne.Add($group.DN,$null)
        $global:numberOfRecursiveGroupMemberships ++
        $groupMemberShipCount = $group.memberOf.Count
        if ($groupMemberShipCount -gt 0)
        {
            $maxMemberGroupLevel = 0
            $count = 0
            foreach($groupDN in $group.memberOf)
            {
                $count++
                $lastGroupOfThisLevel = $false
                if($count -eq $groupMemberShipCount){$lastGroupOfThisLevel = $true; $lastGroupAtALevelFlags[$level] = 1}
                if(-not $groupsVisitedBeforeThisOne.Contains($groupDN)) #prevent cyclic dependencies
                {
                    $memberGroupLevel = Get-GroupNesting -Identity $groupDN -Level $($level+1) -GroupsVisitedBeforeThisOne $groupsVisitedBeforeThisOne -lastGroupOfTheLevel $lastGroupOfThisLevel
                    if ($memberGroupLevel -gt $maxMemberGroupLevel){$maxMemberGroupLevel = $memberGroupLevel}
                }
            }
            $level = $maxMemberGroupLevel
        }
        else #we've reached the top level group, return its height
        {
            return $level
        }
        return $level
    }
}
$global:numberOfRecursiveGroupMemberships = 0
$groupObj = Get-QADGroup -Identity $groupIdentity -SizeLimit 0
if($groupObj)
{
    [int]$maxNestingLevel = Get-GroupNesting -Identity $groupIdentity -Level 0 -GroupsVisitedBeforeThisOne @{} -lastGroupOfTheLevel $false
    Add-Member -InputObject $groupObj -MemberType NoteProperty -Name MaxNestingLevel -Value $maxNestingLevel -Force
    Add-Member -InputObject $groupObj -MemberType NoteProperty -Name NestedGroupMembershipCount -Value $($global:numberOfRecursiveGroupMemberships - 1) -Force
    $groupObj | Select-Object Name,DN,MaxNestingLevel,NestedGroupMembershipCount | Format-List
}
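The script above looks at nesting from the group's side. As an added example (my code, not from the original post or the MS AD PowerShell team's script), the user-side complement below reads a user's constructed tokenGroups attribute and applies the token size estimate from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s) so you can see which accounts are close to MaxTokenSize. It assumes ADSI read access to the domain and takes the sAMAccountName to check as its parameter.

```powershell
# Added example (not from the original post): estimate a user's Kerberos token size
# from tokenGroups, i.e. every group SID the user receives transitively.
# KB 327825 estimate: TokenSize = 1200 + 40*d + 8*s, where
#   d = domain local groups (plus universal groups from other domains)
#   s = global groups (plus universal groups from the user's own domain)
Param (
    [Parameter(Mandatory=$true, Position=0)]
    [string]$SamAccountName
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$found = $searcher.FindOne()
if ($found -eq $null) { throw "User '$SamAccountName' not found in $domainDn." }

# tokenGroups is constructed server-side and is only returned when requested by name
$user = $found.GetDirectoryEntry()
$user.psbase.RefreshCache(@("tokenGroups"))
$objectSid = $user.psbase.Properties["objectSid"].Value
$userDomainSid = (New-Object System.Security.Principal.SecurityIdentifier($objectSid, 0)).AccountDomainSid

$d = 0; $s = 0
foreach ($sidBytes in $user.psbase.Properties["tokenGroups"]) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $ownDomain = ($sid.AccountDomainSid -ne $null) -and $sid.AccountDomainSid.Equals($userDomainSid)
    try {
        # Bind to the group by SID to read groupType (0x4 domain local, 0x2 global, 0x8 universal)
        $type = [int]([ADSI]"LDAP://<SID=$($sid.Value)>").psbase.Properties["groupType"].Value
    } catch { $type = 0 }   # not resolvable here, e.g. a group from another domain
    if     ($type -band 0x4)                   { $d++ }
    elseif ($type -band 0x2)                   { $s++ }
    elseif (($type -band 0x8) -and $ownDomain) { $s++ }
    else                                       { $d++ }   # foreign or unresolved: count at 40 bytes
}

$estimate = 1200 + 40 * $d + 8 * $s
# MaxTokenSize applies on the machine that builds the token; 12000 bytes is the default
# on Windows 2008 R2 and earlier when the registry value is absent
$kerbKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$max = (Get-ItemProperty -Path $kerbKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $max) { $max = 12000 }
New-Object PSObject -Property @{
    User = $SamAccountName; DomainLocalOrForeign = $d; GlobalOrOwnUniversal = $s
    EstimatedTokenBytes = $estimate; MaxTokenSize = $max; OverLimit = ($estimate -gt $max)
}
```

The estimate ignores sIDHistory entries, so treat it as a lower bound when migrated accounts are involved.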

Hope this helps
All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

January 25th, 2010 at 8:33 pm

Disconnected Mailboxes in Exchange 2003


I was looking into finding all disconnected/orphaned mailboxes in an Exchange 2003 org. Normally I would use either an old VBScript I have or the Exchange 2003 ESM. I thought it would be good to experiment with PowerShell and try to simplify the VBScript that I have.

Below is a PowerShell script that uses ADSI to gather all Exchange 2003 servers from your configuration container. For each server it then uses WMI to connect to the Root/MicrosoftExchangeV2 namespace and the Exchange_Mailbox provider. From there we filter on only those mailboxes whose “DateDiscoveredAbsentInDS” property is NOT NULL. That data is passed through the pipeline to a Select-Object where a custom hash table adds the server name of the filtered mailboxes. The filtered mailboxes and the selected data are then exported to a .csv file on the root of C:\, named with the format C:\DisconnectedMailboxes_%Servername%.csv.

Code:

[String]$strFilter = "(objectCategory=msExchExchangeServer)"
$objRootDSE = [ADSI]"LDAP://RootDSE"
[String]$strContainer = $objRootDSE.configurationNamingContext
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$strContainer")
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colResults = $objSearcher.FindAll()
ForEach ($objResult in $colResults) {
    [String]$ServerDN = $objResult.Properties.distinguishedname
    $objServer = [ADSI]"LDAP://$ServerDN"
    [String]$Server = $objServer.cn
    # Query the Exchange WMI provider on each server; DateDiscoveredAbsentInDS is only set
    # on mailboxes whose AD user object is gone (disconnected/orphaned)
    Get-WmiObject -NameSpace Root\MicrosoftExchangeV2 -Class Exchange_Mailbox -ComputerName $Server |
        Where-Object { $_.DateDiscoveredAbsentInDS -ne $null } |
        Select-Object @{N="Server";E={$_.__SERVER}},
            StorageGroupName,StoreName,MailboxDisplayName,Size,DateDiscoveredAbsentInDS |
        Export-Csv "C:\DisconnectedMailboxes_$Server.csv" -NoTypeInformation
} #End ForEach

Hope this helps.

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

August 19th, 2009 at 10:56 pm

Searching for DL's with Exchange Expansion Servers


Question:

Do we have any email-enabled groups in Active Directory that have an Exchange 2003 expansion server explicitly specified in their properties, and who manages them?

Expansion Server:

“Exchange server dedicated to expanding the members of a specific mail enabled group (distribution list)”

Answer:

So I need to search Active Directory for all email-enabled distribution lists that have the attribute ‘msExchExpansionServerName’ (which only exists when a group is mail enabled) and whose value is not blank. If the attribute is blank, the distribution list is set to the default, which is ‘Any server in the organization’. The value can be viewed on the ‘Exchange Advanced’ tab of the group's properties in ADUC.

Here is the PowerShell one line command that I used. I am utilizing the Quest Active Roles Management cmdlets.

You will need the following:

  1. DN, GUID or Canonical Name of the Domain or Container where you wish to search for groups. (The example quotes a DN for the group container.)
  2. Quest Active Roles Management Shell snapin.

Get-QADGroup -SearchRoot 'OU=GroupOU,DC=company,DC=com' -SizeLimit 0 -LdapFilter '(msExchExpansionServerName=*)' -IncludeAllProperties | Select-Object name,msexchexpansionservername,managedby

If you need any assistance in using the Quest Active Roles Management cmdlets see this article.

Note:

I use the ‘-IncludeAllProperties’ parameter of the ‘Get-QADGroup’ cmdlet to ensure the ‘msExchExpansionServerName’ attribute is returned into the locally cached object result set; by default it would not be returned. For more information see this article.

Hope this helps.

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

June 8th, 2009 at 1:43 am

Populating Outlook forms with AD User Attributes


Did you ever want a custom Outlook form to automatically populate a custom Outlook field with the Active Directory .displayName of the logged-on user?

The code below populates the custom Outlook fields “LOUDisplay”, “LOUGivenName” and “LOUSN” when the form is created.

This action does not repeat if the item is re-opened, because the code only runs when the Item_Open() event occurs and Item.Size is 0, i.e. the item is newly generated. You will have to add this code in the Visual Basic part of the custom form.

Function Item_Open()
    If Item.Size = 0 Then 'Item is new (nothing saved yet)
        ' ADSystemInfo returns the distinguished name of the logged-on user
        Set objSysInfo = CreateObject("ADSystemInfo")
        objUser = objSysInfo.UserName
        Set ADOUser = GetObject("LDAP://" & objUser)
        StrDisplayName = ADOUser.displayName
        StrGivenName = ADOUser.givenName
        StrSN = ADOUser.SN
        Item.UserProperties("LOUDisplay").Value = StrDisplayName
        Item.UserProperties("LOUGivenName").Value = StrGivenName
        Item.UserProperties("LOUSN").Value = StrSN
    Else 'Item exists: leave the fields as they were
    End If
End Function

If you want any other properties of the logged-on user accessing the form, just add them to the fields pulled from ADOUser and link each to the required custom field.

Hope this helps.

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

June 5th, 2009 at 8:58 pm

Quest AD Management Shell – Get-QADGroup


In my previous blog entry “Getting Started” I went over downloading and installing the Quest AD Management shell, registering the snapins and running some basic commands using the Get-QADUser CmdLet.

Today I will be looking at the Get-QADGroup CmdLet.
This allows easy access to Active Directory “Group” objects.

As before, open a PowerShell window and add in your snapins.

add-pssnapin Quest.ActiveRoles.ADManagement

Getting the number of members in a group:

(Get-QADGroup "GroupName").members.count

Export the members of a group to a formatted table including the name, displayname, mail (SMTP) and office of each member.

Function Get-MemberName()
{
    Process
    {
        # Each member DN coming down the pipeline is resolved to its user object
        ForEach($Member In $_)
        {
            Get-QADUser -ObjectAttributes @{distinguishedName=$Member}
        }
    }
}
(Get-QADGroup "GroupName").members | Get-MemberName | Format-Table name,displayname,mail,office

I often have to clean up groups by looking for disabled users.
To do this you can just add the “accountisdisabled” property to the script above.

E.g.

(Get-QADGroup "GroupName").members | Get-MemberName | Format-Table name,displayname,mail,office,accountisdisabled

Export the members of a group to a CSV file with all properties.

Function Get-MemberName()
{
    Process
    {
        # Each member DN coming down the pipeline is resolved to its user object
        ForEach($Member In $_)
        {
            Get-QADUser -ObjectAttributes @{distinguishedName=$Member}
        }
    }
}
(Get-QADGroup "GroupName").members | Get-MemberName | Export-Csv "C:\GroupMembers.csv"

Above are some useful examples of using Quest AD CmdLets to enumerate Active Directory Group objects.

Hope this helps.

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

April 21st, 2009 at 10:45 am

Quest AD Management Shell – Getting Started


Until now I have always used ADSI and LDAP to query Active Directory for the information stored on objects.
I have been following Dimitry’s examples with the Quest AD PowerShell CmdLets and I thought it was about time I started to embrace them in my PowerShell scripts.

You can download the “ActiveRoles Management Shell for AD” Here.

Before running the Quest ActiveRoles Management Shell snapins I would recommend reading the “Requirements on Active Directory” section (p21) in the administration guide.

After you have installed the Quest ActiveRoles Management Shell you will have to register the PowerShell snapin at the PowerShell prompt.

Enter the command:

add-pssnapin Quest.ActiveRoles.ADManagement

Once you are ready to go and the Quest ActiveRoles Management Shell snapins are installed and registered you can get started with some basic commands.

For Example:

Getting the .displayName of your Active Directory account.

$User = Get-QADUser -Name "YourAccountName"
$User.DisplayName

Getting the Sam Account Name of your Active Directory account.

(Get-QADUser -Name "YourAccountName").SamAccountName

Checking if a user account is disabled.

(Get-QADUser -Name "UserAccount").AccountIsDisabled

Using Get-QADUser with no previously specified connection details lets the cmdlet connect to any available domain controller using the credentials of the locally logged-on user.

Next time I will start to go through mail enabled groups, their memberships and properties.

Hope this helps.

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

April 20th, 2009 at 7:49 pm

Posted in PowerShell


Getting Proxy Addresses from an AD User Object


In Active Directory a user object can hold multiple “Proxy” addresses.
Using ADSI and LDAP the PowerShell script below enumerates all .proxyaddresses from a specific Active Directory user object.

This scripting technique can be used to get any Active Directory user object attributes.

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

April 10th, 2009 at 3:55 pm

Posted in PowerShell


Converting .displayName to .cn User object attributes

I routinely have to populate Active Directory email distribution lists from lists of employee full names. These lists usually contain the “.displayName” of the user. A quick way to resolve this is to convert the “.displayName” of each user into the user's common name or “.cn” attribute and cut/paste them into the distribution list's “Members” box. I put the list of users' display names into a C:\Scripts\Users.txt file and the script produces a list of .cn attributes in the C:\Scripts\ConvertedUsers.txt file.
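As an added example (my code, not the author's scripts), the block below covers both the proxyAddresses lookup described in the previous post and the displayName to cn conversion described here: it reads display names from C:\Scripts\Users.txt, resolves each one via ADSI/LDAP, prints the cn and proxyAddresses, and writes the cn list to C:\Scripts\ConvertedUsers.txt. Display names come from a hand-made list, so each is escaped per RFC 4515 before it goes into the LDAP filter, and names with zero or several matches are reported rather than guessed.

```powershell
# Added example (not the author's script): displayName -> cn / proxyAddresses via ADSI.
$inFile  = "C:\Scripts\Users.txt"
$outFile = "C:\Scripts\ConvertedUsers.txt"

function ConvertTo-LdapFilterValue([string]$value) {
    # RFC 4515 escaping: backslash first, then the other filter metacharacters and NUL,
    # so a name like "Smith (Bob)" cannot change the meaning of the filter
    $value = $value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $value.Replace([string][char]0, '\00')
}

function Find-UserByDisplayName([string]$displayName) {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(displayName=$(ConvertTo-LdapFilterValue $displayName)))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@("cn", "distinguishedName", "proxyAddresses"))
    return $searcher.FindAll()
}

$converted = @()
foreach ($name in (Get-Content $inFile | Where-Object { $_.Trim() -ne "" })) {
    # @() keeps a proper array whether the search returned 0, 1 or many results
    $hits = @(Find-UserByDisplayName $name.Trim())
    switch ($hits.Count) {
        0 { Write-Warning "No user with displayName '$name'" }
        1 {
            $props = $hits[0].Properties          # keys are lower case in a SearchResult
            $cn = [string]$props["cn"][0]
            $converted += $cn
            # proxyAddresses is multi-valued; the upper-case "SMTP:" entry is the primary address
            $proxies = @($props["proxyaddresses"])
            Write-Host ("{0,-30} cn={1,-25} proxies={2}" -f $name, $cn, ($proxies -join ";"))
        }
        default { Write-Warning "displayName '$name' is ambiguous ($($hits.Count) matches); skipped" }
    }
}
$converted | Set-Content $outFile
```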

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

April 9th, 2009 at 1:33 pm

Posted in PowerShell


All Exchange Server Objects from Active Directory


Many of the PowerShell scripts that I write are for Exchange 2003. To keep the scripts as dynamic as possible I like to enumerate my servers from AD. The Exchange server objects are held in the Configuration partition of Active Directory.

All information is provided on an AS-IS basis, with no warranties and confers no rights.

Written by Paul Brice

April 8th, 2009 at 9:41 pm