Alan's sysadmin Blog

Working smarter not harder

Archive for the ‘Windows 2008 R2’ Category

Script: Checking for Expired Certificates in Exchange

Posted by Alan McBurney on August 27, 2014

I was working with a customer that had unintentionally let their Exchange certificates expire.

This resulted in a bit of a headache for the team as users were now getting certificate warnings and mobility services were down until the certificate was replaced.

I decided to put together a script that will check for, and warn about, expired or soon-to-expire certificates.
The script gets the certificates which have services bound to them on all Exchange 2010 Client Access and Hub Transport servers.
It checks for certificates that have already expired or will expire within the next 60 days, and optionally emails the report and creates a scheduled task.
An email is only generated if expired or expiring certificates have been detected.


<#
.SYNOPSIS
Detects expired certificates on Exchange 2010 Client Access & Hub Transport servers
 
.Author
Alan.McBurney
 
THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
 
Version 1.0, August 27th, 2014
 
.DESCRIPTION
This script will get the certificates which have services bound to them on all Exchange 2010
client access and hub transport servers.
It checks the expiration for any certificates that have expired or are due to expire within 60 days and optionally
emails the report and creates a scheduled task.
An email will only be generated if expired\expiring certificates have been detected.
 
.REFERENCES
Parameters, checks and scheduled tasks stolen from Steve Goodman's Exchange Environmental Reports script
 
http://gallery.technet.microsoft.com/exchange/Generate-Exchange-2388e7c9
 
.Notes
To Do list: Enable Authentication for SMTP
Support for Exchange 2007 & 2013
 
.PARAMETER SendMail
Send Mail after completion. Set to $True to enable. If enabled, -MailFrom, -MailTo, -MailServer are mandatory
 
.PARAMETER MailFrom
Email address to send from. Passed directly to Send-MailMessage as -From
 
.PARAMETER MailTo
Email address to send to. Passed directly to Send-MailMessage as -To
 
.PARAMETER MailServer
SMTP Mail server to attempt to send through. Passed directly to Send-MailMessage as -SmtpServer
 
.PARAMETER ScheduleAs
Attempt to schedule the command just executed weekly. Specify the username here, schtasks (under the hood) will ask for a password later.
 
.EXAMPLE
Get-ExpiringEx2K10Certs
#>
 
param(
[parameter(Position=1,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Send Mail ($True/$False)')][bool]$SendMail=$false,
[parameter(Position=2,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail From')][string]$MailFrom,
[parameter(Position=3,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail To')]$MailTo,
[parameter(Position=4,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail Server')][string]$MailServer,
[parameter(Position=5,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Schedule as user')][string]$ScheduleAs
)
 
#Check PowerShell version ($PSVersionTable only exists in PowerShell 2.0 and later,
#so its absence is a reliable test for version 1; Get-Host reports the host version, not the engine version)
if (-not $PSVersionTable)
{
  throw "PowerShell Version 1 not supported";
}
 
#Check Exchange Management Shell, attempt to load
if (!(Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue))
{
  if (Test-Path "C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1")
  {
    .'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'
    Connect-ExchangeServer -auto
  } elseif (Test-Path "C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1") {
    Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.Admin
    .'C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1'
    } else {
    throw "Exchange Management Shell cannot be loaded"
  }
}
 
# Check if -SendMail parameter set and if so check -MailFrom, -MailTo and -MailServer are set
if ($SendMail)
{
  if (!$MailFrom -or !$MailTo -or !$MailServer)
  {
    throw "If -SendMail specified, you must also specify -MailFrom, -MailTo and -MailServer"
  }
}
 
$Path=Get-Location
$Dir=$Path.ToString()
$HTMLReport = Join-Path $Dir "ExpiredCerts.html"
# Exchange 2010 servers (AdminDisplayVersion "Version 14") holding the Client Access or Hub Transport role
$CASServers = Get-ExchangeServer | Where-Object {$_.AdminDisplayVersion -match "Version 14" -and $_.ServerRole -match 'Hub|Client'}
# Only certificates that have at least one Exchange service bound to them and that expire within 60 days (or already have)
$Certs = Foreach ($srv in $CASServers) {Get-ExchangeCertificate -Server $srv | Where-Object {$_.NotAfter -le (Get-Date).AddDays(60) -and $_.Services -ne "None"} | Select-Object @{n="Server";e={$srv.Name}}, @{n="Expiry Date";e={$_.NotAfter}}, Thumbprint, Services, Issuer, Subject}
# Force an array: with zero or one result $Certs.Count would otherwise be $null in PowerShell 2.0 and nothing would be mailed
$Certs = @($Certs)
$Certs | ConvertTo-Html | Out-File $HTMLReport
 

if ($SendMail)
{
  # @() guards against a single certificate being returned as a scalar, whose .Count is $null in PowerShell 2.0
  if (@($Certs).Count -gt 0)
  { 
    Send-MailMessage -Attachments $HTMLReport -To $MailTo -From $MailFrom -Subject "Warning - Expired Exchange Certificates Detected" -Body "Expired or soon to be expired certificates have been detected on Exchange Servers. Please see attached file for certificates affected" -SmtpServer $MailServer
  }
}
 
if ($ScheduleAs)
{
  $params = ""
  if ($SendMail)
  {
    $params+=' -SendMail:$true'
    $params+=" -MailFrom:$MailFrom -MailTo:$MailTo -MailServer:$MailServer"
  }
  # Re-run this script weekly from the current directory; /RP without a value makes schtasks prompt for the password of $ScheduleAs
  $task = "powershell -c \""pushd $dir; $($myinvocation.mycommand.definition) $params\"""
  schtasks /Create /RU $ScheduleAs /RP /SC WEEKLY /ST 22:00 /TN ExpiredCerts /TR $task
}
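The script above only looks at the certificates Exchange itself has services bound to. In practice you also want to know what clients actually receive on the published names (OWA, ActiveSync, Autodiscover), which can be a different certificate when a load balancer or reverse proxy terminates TLS in front of the CAS array. The following is an added example and not part of Alan's script: it opens a TLS connection to each hostname, captures the certificate presented, and reports expiry, whether the name is covered by the Subject CN or a SAN entry, and whether the chain validates against the local trust store. The function name and the contoso.com hostnames are placeholders of my own; replace the hostnames with your published namespaces.

```powershell
# Added example, not part of the original script. Hostnames below are placeholders.
function Get-EndpointCertificateStatus {
    param(
        [Parameter(Mandatory=$true)][string[]]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 60
    )
    foreach ($h in $HostName) {
        $client = $null; $ssl = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($h, $Port)
            # The callback accepts every certificate on purpose: the goal is to capture what the
            # server presents, not to trust it. Validity is evaluated separately with X509Chain below.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($h)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            # Names the certificate covers: Subject CN plus every DNS entry of the SAN extension (OID 2.5.29.17)
            $names = @()
            if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1] }
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($san) {
                $names += ($san.Format($false) -split ',\s*') |
                    Where-Object { $_ -like 'DNS Name=*' } |
                    ForEach-Object { $_.Substring('DNS Name='.Length) }
            }
            # A wildcard entry covers exactly one label to its left
            $parent = ($h -split '\.', 2)[1]
            $nameMatch = ($names -contains $h) -or ($names -contains "*.$parent")

            # Chain validation against this machine's trust store (includes revocation checking by default)
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chainOk = $chain.Build($cert)
            $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

            $days = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            $status = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'EXPIRING' } else { 'OK' }

            New-Object PSObject -Property @{
                HostName = $h; Status = $status; DaysLeft = $days; NotAfter = $cert.NotAfter
                Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
                NameMatches = $nameMatch; ChainValid = $chainOk; ChainStatus = $chainStatus
            }
        } catch {
            New-Object PSObject -Property @{ HostName = $h; Status = "ERROR: $($_.Exception.Message)" }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($client) { $client.Close() }
        }
    }
}

# Placeholder namespaces: replace with the names published for OWA, ActiveSync and Autodiscover
$endpoints = 'mail.contoso.com', 'autodiscover.contoso.com'
Get-EndpointCertificateStatus -HostName $endpoints |
    Select-Object HostName, Status, DaysLeft, NotAfter, NameMatches, ChainValid, ChainStatus, Thumbprint |
    Format-Table -AutoSize
```

Two caveats. The accept-everything validation callback is only acceptable here because the function is an inspection tool; never copy that pattern into a client that actually relies on TLS. And because the check runs from one machine, ChainValid reflects that machine's trust store and proxy settings, so run it from a host that sees the endpoints the same way your external clients do.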

Posted in Certificates, Exchange 2010, PowerShell, Windows 2008 R2, Windows Server 2012, Windows Servers

Detecting members of Protected Groups within AD

Posted by Alan McBurney on July 16, 2013

I do a lot of Exchange and Lync work and, typically post-project, I get calls from customers that things aren't working quite as expected.

Some typical issues include insufficient rights to modify users within Lync, ActiveSync not working, or Send As permissions being stripped from users within Exchange.

What all these issues have in common is that the affected users are members of what are termed Protected Groups within AD, and security inheritance is being stripped from the user object. The SDProp process on the PDC emulator periodically stamps members of these groups with the AdminSDHolder ACL, sets adminCount=1 on them and disables inheritance, which is why any permission you grant through inheritance keeps disappearing.

If you need a primer or a deep dive for that matter into Protected Groups see John Policelli’s article here

The following Active Directory PowerShell commands can be used to detect which users and groups are affected by Protected Group status.

To get the list of protected users:
     Get-ADUser -LDAPFilter "(admincount=1)" | select name

To get the list of protected groups:
     Get-ADGroup -LDAPFilter "(admincount=1)" | select name

Once the users have been removed from the Protected Groups, it's just a matter of re-enabling security inheritance on the user object from within AD and the issues should be resolved. Note that removal from the group does not reset adminCount, so the query above will keep listing those accounts until the attribute is cleared.
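As an added example (my own code, not from the original post), the following PowerShell goes one step further than the two one-liners above. For every account with adminCount=1 it checks whether the account still sits in a protected group, counting nested membership by using the LDAP_MATCHING_RULE_IN_CHAIN operator, and whether inheritance is actually disabled on the object. Accounts that carry adminCount=1 but are no longer in any protected group are the ones the post is about; with the -Remediate switch (an assumed name) the function re-enables inheritance and clears adminCount on those only, because SDProp would simply strip inheritance again on accounts that are still protected. It requires the ActiveDirectory module and the AD: drive it creates.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515): DNs can contain parentheses and backslashes
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-AdminCountStatus {
    param([switch]$Remediate)

    # adminCount=1 covers accounts that are currently protected and accounts left stamped after removal
    $users = Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount, nTSecurityDescriptor

    foreach ($u in $users) {
        $dn = ConvertTo-LdapFilterValue $u.DistinguishedName
        # Protected groups containing this user directly or through nesting (LDAP_MATCHING_RULE_IN_CHAIN)
        $protectedGroups = @(Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))" |
            Select-Object -ExpandProperty Name)
        $inheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected

        # Stale: adminCount is still 1 but the account is no longer in any protected group
        $stale = ($protectedGroups.Count -eq 0)
        if ($stale -and $Remediate) {
            # Re-enable inheritance on the object, keeping the explicit ACEs that are already present
            $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
            # Clear adminCount so SDProp no longer treats the object as protected
            Set-ADUser -Identity $u -Clear adminCount
            $inheritanceBlocked = $false
        }

        New-Object PSObject -Property @{
            SamAccountName     = $u.SamAccountName
            ProtectedGroups    = ($protectedGroups -join ';')
            InheritanceBlocked = $inheritanceBlocked
            StaleAdminCount    = $stale
        }
    }
}

# Report only; add -Remediate to fix the stale accounts
Get-AdminCountStatus | Sort-Object StaleAdminCount -Descending |
    Format-Table SamAccountName, StaleAdminCount, InheritanceBlocked, ProtectedGroups -AutoSize
```

Run it without -Remediate first and review the StaleAdminCount column: an account that is stale but still needs the protection (for example a service account that was deliberately stamped) should be dealt with by policy, not by this script. Accounts that are genuinely still in a protected group are left untouched, since any inheritance you restore on them is removed again within the hour.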

Posted in Active Directory, Exchange 2010, Exchange 2013, Lync, PowerShell, Windows 2008 R2, Windows Server 2012

Error 0x800706D9 deploying Exchange 2010 Client Access Servers

Posted by Alan McBurney on March 14, 2012

As part of a large scale migration from Exchange 2007 to Exchange 2010 I've been installing a number of Client Access Servers using the SP2 binaries of Exchange 2010.

The servers displayed the error below when installing the Client Access Server role, complaining about endpoint mappings.

image 

After digging around in the ExchangeSetup.log file located in the C:\ExchangeSetupLogs folder I noticed that setup was trying to configure some firewall rules.

image

I checked the status of the Firewall and sure enough it was disabled.

All servers were deployed from a template which has the firewall disabled.

I uninstalled Exchange from the server, set the firewall to Automatic and rebooted.

After the reboot the Exchange Client Access role installed on all servers without issue.

Posted in Exchange 2010, Windows 2008 R2

Exchange 2010 NLB and remote Subnets

Posted by Alan McBurney on June 14, 2011

While configuring an Exchange 2010 NLB I had no choice but to publish direct access to the Exchange servers from the Internet instead of using my preferred method of directing all traffic through a TMG\ISA server.

Consequently, access to the published NLB wouldn't resolve properly from external locations. All traffic on the local LAN was fine, although traffic originating from outside the local subnet was dropped and no response was received by clients.

The servers were configured with dual NICs, with a dedicated NIC on each host being assigned for NLB traffic. As the NLB NIC only has an IP address and subnet mask entered, I suspected the lack of a default gateway to be the issue.

I changed the firewall rules to point to an individual server's public NIC and then everything was fine, although this bypassed the NLB and as such wasn't really of much use to me.

Since Windows Vista and Server 2008 (so including 2008 R2) the TCP/IP stack uses the strong host model by default: a packet may only be sent from the interface that owns its source address, so a reply to traffic that arrived on the NLB NIC has to leave through the NLB NIC, which has no default gateway to reach remote subnets.

A resolution for this was to allow forwarding of traffic from the NLB NIC to the public NIC via the following command.

netsh int ipv4 set int "[Name of NLB NIC]" forwarding=enabled

Posted in Exchange 2010, Windows 2008 R2, Windows Servers

RSAT for Windows 7 SP1 now available

Posted by Alan McBurney on April 11, 2011

RSAT for Windows 7 SP1 is now available for download from here

Posted in Windows 2008 R2, Windows 7, Windows Servers

2008 R2 RDS & XenApp 6 Tuning

Posted by Alan McBurney on March 17, 2011

Great article on tuning RDS, XenApp 6 and the Windows OS by Julien Sybille.

RDS & XenApp 6 Tuning Policies

Posted in Citrix, Windows 2008 R2