Exchange 2013. IMAP (S) not Connectable. No peer certificate available

You find that IMAPS connections aren’t working. You’ve checked the settings with Get-ImapSettings and confirmed the services are running.

Testing with OpenSSL, you find the SSL handshake fails:

openssl s_client -showcerts -connect %ServerName%:993
Loading ‘screen’ into random state – done
CONNECTED(00000634)
write:errno=10054

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 317 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

It took me a while to find this. It looks like Active Manager has intervened and disabled the Imap component.

Get-ServerComponentState -Identity ExchangeServer1

And what do we see?

Component      State
---------      -----
ImapProxy      Inactive

This kind of makes sense, just think about what you do to the Hub Transport component when you patch servers in a DAG.

This can be fixed by running

Set-ServerComponentState -Identity ExchangeServer1 -Component imapproxy -State Active -Requester HealthApi
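Before forcing the component back to Active, it is worth checking which requester marked it Inactive, because a component stays Inactive for as long as any requester holds it that way. The following is an added example, not part of the original post; it assumes the placeholder server name ExchangeServer1 and only re-enables ImapProxy when HealthApi is the sole requester holding it down.

```powershell
# Added example. Run in the Exchange Management Shell.
$server = 'ExchangeServer1'   # placeholder server name used in this post

$state = Get-ServerComponentState -Identity $server -Component ImapProxy

# LocalStates has one entry per requester that has set a state for the component.
$blocking = @($state.LocalStates | Where-Object { $_.State -ne 'Active' })
$blocking | Format-Table Requester, State, Timestamp -AutoSize

$requesters = @($blocking | ForEach-Object { "$($_.Requester)" })
$others     = @($requesters | Where-Object { $_ -ne 'HealthApi' })

if ($state.State -eq 'Active') {
    "ImapProxy is already Active on $server."
}
elseif ($others.Count -gt 0) {
    # Someone (for example a patching run using Maintenance) disabled it on purpose.
    Write-Warning "ImapProxy is held Inactive by: $($others -join ', '). Not changing it."
}
elseif ($requesters -contains 'HealthApi') {
    # Same command as in the post: clear the state with the requester that set it.
    Set-ServerComponentState -Identity $server -Component ImapProxy -State Active -Requester HealthApi
    Get-ServerComponentState -Identity $server -Component ImapProxy
}
```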

Exchange 2013. Management Tools. RDS. Part 2

You may have read this post
https://mxrnz.wordpress.com/2014/07/30/exchange-2013-management-tools-rds/

Or this Microsoft Article
https://support.microsoft.com/en-gb/kb/2921141

I had given up on this and after some time, I thought I’d reattempt this with the Exchange 2013 CU 12 release and to my surprise the Management Tools have installed!

I’m not so sure when the fix was made and I may have missed it in the update notes; however, it does appear to have been fixed!

Party Time!

SCCM. SQL Query for AV Detections. v_gs_threats.

Rather than using SCCM’s built-in reports, I run a customized query to return antivirus detections.

SELECT v_R_System.Name0 as Name,Username,DetectionID,DetectionTime,ThreatName,Path,CleaningAction,ActionSuccess
From v_GS_Threats
Inner Join v_R_System
ON v_GS_Threats.ResourceID=v_R_System.ResourceID
WHERE DetectionTime >= DATEADD(DAY,-%days%, GETDATE())

Edit the days value depending on how far back you want to go. I like to run this weekly and in my case, it would be -7.

You can use this if you build your own report in Reporting Services or, if you are that way inclined, wrap it in PowerShell to send an HTML email.

You can download and install the SQL PowerShell module on a non-SQL server by following the instructions here: http://guidestomicrosoft.com/2015/01/13/install-sql-server-powershell-module-sqlps/
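One way to do the PowerShell wrapping described above, as an added example that is not from the original post. The SQL server name, the database name CM_XXX, the SMTP server and the mail addresses are all placeholders; the day count is typed as an integer so that nothing but a number can reach the query text.

```powershell
# Added example: e-mail the AV detection query as an HTML table.
# Server names, database name and addresses below are placeholders.
param(
    [ValidateRange(1, 365)]
    [int]$Days = 7    # typed and range-checked before it is placed in the SQL text
)

Import-Module sqlps -DisableNameChecking

$query = @"
SELECT v_R_System.Name0 AS Name, Username, DetectionID, DetectionTime,
       ThreatName, Path, CleaningAction, ActionSuccess
FROM v_GS_Threats
INNER JOIN v_R_System
    ON v_GS_Threats.ResourceID = v_R_System.ResourceID
WHERE DetectionTime >= DATEADD(DAY, -$Days, GETDATE())
ORDER BY DetectionTime DESC
"@

# Select the named columns so the DataRow bookkeeping properties
# (RowError, RowState, Table, ...) do not end up in the report.
$columns = 'Name', 'Username', 'DetectionID', 'DetectionTime',
           'ThreatName', 'Path', 'CleaningAction', 'ActionSuccess'

$rows = @(Invoke-Sqlcmd -ServerInstance 'sccm-sql.example.com' -Database 'CM_XXX' -Query $query |
    Select-Object $columns)

if ($rows.Count -eq 0) {
    $body = "<p>No detections in the last $Days days.</p>"
}
else {
    $body = $rows |
        ConvertTo-Html -Title 'AV detections' -PreContent "<h2>AV detections, last $Days days</h2>" |
        Out-String
}

Send-MailMessage -SmtpServer 'smtp.example.com' `
    -From 'sccm-reports@example.com' -To 'secops@example.com' `
    -Subject "AV detections, last $Days days ($($rows.Count))" `
    -Body $body -BodyAsHtml
```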

Public Folder Mailbox. Storage Limit. False Alerts.

In a follow up to this post

https://mxrnz.wordpress.com/2015/12/07/exchange-2013-split-publicfoldermailbox-ps1-fails/

I had received quota alerts and moved the folders. With a default quota of 2 GB, PublicFolderStatistics showing only 4 MB of data, and a Search-Mailbox with -SearchDumpsterOnly returning nothing, the alert was still being generated.

A quick Google brought up the blog post below suggesting this is a bug and I am inclined to agree. http://no-one-uses-email-anymore.com/bogus-public-folder-mailbox-quota-alerts-in-exchange-2013/

My advice in the meantime is to ignore the alert entirely until there is a fix.

A better option would be to remove the reliance on Public Folders altogether. Like all good things, this will take time.

Alert: 
PublicFolders health set unhealthy (PublicFolderMailboxQuotaMonitor/PublicFolders) – Public folder mailbox %Mailbox%is approaching storage limit – The public folder mailbox PFMailbox11 is approaching its storage limit. Consider splitting the mailbox using Split-PublicFolderMailbox.ps1. This warning will not be sent again for at least twenty four hours. Error context: {<Properties> <TenantHint>00000000000000000000000000000000</TenantHint> <MailboxDisplayName>%Mailbox%</MailboxDisplayName> <MailboxGuid>%guid%</MailboxGuid></Properties>} Knowledge: http://technet.microsoft.com/en-us/library/ms.exch.scom.PublicFolders(EXCHG.150).aspx?v=15.0.1130.7

NBU_CATALOG.MAXJOBS Limit Reached

Scenario: Your Catalog backups are not running. You check the jobs and these are hung with the error below.

Limit has been reached for the logical resource %MyServer%.NBU_CATALOG.MAXJOBS

Google and Symantec’s forums weren’t giving me much. I checked disk space, the policy, the schedules, the media and any other setting I could find.

Solution: The solution is obvious in hindsight. NetBackup only allows one Catalog job to run at a time.

Queried my history and found a hung Catalog job. Terminated the old job, ran a manual backup and all is going again.

Add-DHCPv4FailOverScope : Failed to update failover relationship

Recently I was setting up DHCP High Availability.

All was going well, I had set up DHCP Services on my Standby Node and configured the DHCP Failover Relationship with my first DHCP scope.

That is, until I started to get the error below:

Add-DHCPv4FailOverScope : Failed to update failover relationship MyRelationship on server MyServer
Category info: Object not found: (MyRelationShip:root/Microsoft/…v4FailoverScope)

The Solution

After some digging, this problem occurs where you have custom options set on your DHCP server and inside your DHCP scope.

To fix this, on the new standby server, open DHCP > right-click IPv4 > Set Predefined Options and add your options as required.
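The same fix can be checked and applied from PowerShell by comparing the option definitions on both servers. This is an added example, not part of the original post; the two host names are placeholders, and the copy step is left in -WhatIf mode so that it only reports what it would add.

```powershell
# Added example. Both host names are placeholders.
$primary = 'dhcp-primary.example.com'
$standby = 'dhcp-standby.example.com'

# Key each definition by option id and vendor class; -All includes vendor classes.
$have = @(Get-DhcpServerv4OptionDefinition -ComputerName $standby -All |
    ForEach-Object { '{0}|{1}' -f $_.OptionId, $_.VendorClass })

$missing = @(Get-DhcpServerv4OptionDefinition -ComputerName $primary -All |
    Where-Object { ('{0}|{1}' -f $_.OptionId, $_.VendorClass) -notin $have })

# Definitions that exist on the primary but not on the standby.
$missing | Format-Table OptionId, Name, Type, VendorClass -AutoSize

foreach ($def in $missing) {
    $params = @{
        ComputerName = $standby
        OptionId     = $def.OptionId
        Name         = $def.Name
        Type         = $def.Type
        MultiValued  = $def.MultiValued
        WhatIf       = $true          # remove once the list above looks right
    }
    if ($def.VendorClass) { $params.VendorClass = $def.VendorClass }
    if ($def.Description) { $params.Description = $def.Description }
    Add-DhcpServerv4OptionDefinition @params
}
```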


Configure Time Service for Domain, PDC

In this post, I’ll briefly run through the process I follow for configuring the time service in a domain, including the PDC Emulator.

There are a couple of considerations and questions you will need to ask yourself:
– Is my Forest a single domain or are there multiple domains?
– What is my external NTP Time source?

In my example, I have a Forest with two domains.

In my ‘root’ forest, identify the PDC by running the following command on a Domain Controller:

dsquery server -hasfsmo pdc

On the PDC, I run the following command.

net stop w32time
w32tm /config /manualpeerlist:"NTP.Domain.Com ntp2.domain.com" /syncfromflags:manual /reliable:yes
net start w32time

Those commands:

  • Stop the time service,
  • Configure the NTP server,
  • Configure the PDC as a reliable time source for domain clients,
  • Start the time service again.

For the rest of your environment, including the PDC in the child domain, Servers and Workstations, run the following commands

net stop w32time
w32tm /config /syncfromflags:domhier
net start w32time

Those commands:

  • Stop the time service,
  • Configure the client to use the domain hierarchy for time synchronisation,
  • Start the time service again.
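To confirm the result, query each machine for the source it is actually syncing from: the root PDC should report one of its NTP peers and everything else a domain controller. This is an added example, not part of the original post; the host names are placeholders and the two "unsynced" strings assume English-language w32tm output.

```powershell
# Added example. Host names are placeholders; run from an admin workstation.
$hosts = 'dc01.domain.com', 'dc02.child.domain.com', 'server01.domain.com'

# Sources w32tm reports when a machine is running on its own clock (English output).
$unsynced = 'Local CMOS Clock', 'Free-running System Clock'

foreach ($h in $hosts) {
    $source = (w32tm /query /computer:$h /source | Out-String).Trim()
    $ok     = $LASTEXITCODE -eq 0

    [pscustomobject]@{
        Host    = $h
        Queried = $ok       # False: the query itself failed, Source holds the error text
        Source  = $source
        Synced  = $ok -and -not ($unsynced | Where-Object { $source -like "*$_*" })
    }
}
```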

More information:

For more information, including details of the Time Service Hierarchy, go here https://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx