Alan's sysadmin Blog

Working smarter not harder

Archive for the ‘Windows Server 2012’ Category

Script: Checking for Expired Certificates in Exchange

Posted by Alan McBurney on August 27, 2014

I was working with a customer that had unintentionally let their Exchange certificates expire.

This resulted in a bit of a headache for the team as users were now getting certificate warnings and mobility services were down until the certificate was replaced.

I decided to put together a script that will check for, and warn about, expired or soon-to-expire certificates.
The script gets the certificates which have services bound to them on all Exchange 2010 Client Access and Hub Transport servers.
It checks for certificates that have expired or that will expire within the next 60 days, and optionally emails the report and creates a scheduled task.
An email is only generated if expired or expiring certificates have been detected.

<#
.SYNOPSIS
Detects expired certificates on Exchange 2010 Client Access & Hub Transport servers
Version 1.0, August 27th, 2014

.DESCRIPTION
This script will get the certificates which have services bound to them on all Exchange 2010
client access and hub transport servers.
It checks the expiration for any certificates that are due to expire within 60 days and optionally
emails the report and creates a scheduled task.
An email will only be generated if expired or expiring certificates have been detected.

Parameters, checks and scheduled tasks stolen from Steve Goodman's Exchange Environmental Reports script

To Do list: Enable Authentication for SMTP
            Support for Exchange 2007 & 2013

.PARAMETER SendMail
Send Mail after completion. Set to $True to enable. If enabled, -MailFrom, -MailTo, -MailServer are mandatory

.PARAMETER MailFrom
Email address to send from. Passed directly to Send-MailMessage as -From

.PARAMETER MailTo
Email address to send to. Passed directly to Send-MailMessage as -To

.PARAMETER MailServer
SMTP Mail server to attempt to send through. Passed directly to Send-MailMessage as -SmtpServer

.PARAMETER ScheduleAs
Attempt to schedule the command just executed weekly. Specify the username here, schtasks (under the hood) will ask for a password later.
#>
param(
  [parameter(Position=1,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Send Mail ($True/$False)')][bool]$SendMail=$false,
  [parameter(Position=2,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail From')][string]$MailFrom,
  [parameter(Position=3,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail To')]$MailTo,
  [parameter(Position=4,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail Server')][string]$MailServer,
  [parameter(Position=5,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Schedule as user')][string]$ScheduleAs
)

# Check PowerShell version
if ((Get-Host).Version.Major -eq 1) {
  throw "Powershell Version 1 not supported"
}

# Check Exchange Management Shell, attempt to load (2010 remote shell first, then the 2007 snap-in)
if (!(Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue)) {
  if (Test-Path "C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1") {
    . 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'
    Connect-ExchangeServer -auto
  } elseif (Test-Path "C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1") {
    Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.Admin
    . 'C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1'
  } else {
    throw "Exchange Management Shell cannot be loaded"
  }
}

# Check if -SendMail parameter set and if so check -MailFrom, -MailTo and -MailServer are set
if ($SendMail) {
  if (!$MailFrom -or !$MailTo -or !$MailServer) {
    throw "If -SendMail specified, you must also specify -MailFrom, -MailTo and -MailServer"
  }
}

# The report is written next to the script; $Dir is reused by the scheduled task below
$Dir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$HTMLReport = $Dir + "\ExpiredCerts.html"

# Exchange 2010 (AdminDisplayVersion 14.x) servers holding the Hub Transport or Client Access role
$CASServers = Get-ExchangeServer | Where-Object {$_.AdminDisplayVersion -match "Version 14" -and $_.ServerRole -match [regex] 'Hub|Client'}

# Certificates with at least one service bound that have expired or expire within 60 days
$Certs = Foreach ($srv in $CASServers) {
  Get-ExchangeCertificate -Server $srv |
    Where-Object {$_.NotAfter -le (Get-Date).AddDays(60) -and $_.Services -ne "None"} |
    Select @{n="Server";e={$srv.Name}}, @{n="Expiry Date";e={$_.NotAfter}}, Thumbprint, Services, Issuer, Subject
}
$Certs | ConvertTo-Html | Out-File $HTMLReport

# Only mail when something was found; @() so a single certificate still has a .Count
if ($SendMail) {
  if (@($Certs).Count -gt 0) {
    Send-MailMessage -Attachments $HTMLReport -To $MailTo -From $MailFrom -Subject "Warning - Expired Exchange Certificates Detected" -Body "Expired or soon to be expired certificates have been detected on Exchange Servers. Please see attached file for certificates affected" -SmtpServer $MailServer
  }
}

# Optionally register this script as a weekly scheduled task, carrying the same mail parameters
if ($ScheduleAs) {
  $params = ""
  if ($SendMail) {
    $params+=' -SendMail:$true'
    $params+=" -MailFrom:$MailFrom -MailTo:$MailTo -MailServer:$MailServer"
  }
  $task = "powershell -c \""pushd $dir; $($myinvocation.mycommand.definition) $params\"""
  schtasks /Create /RU $ScheduleAs /RP /SC WEEKLY /ST 22:00 /TN ExpiredCerts /TR $task
}
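The same 60-day check, generalised to the local machine certificate store so it runs on any Windows server (the domain controllers and the CA in the other posts included), is shown below. This is an added example and not code from the original post. Unlike Get-ExchangeCertificate it cannot tell which Exchange services a certificate is bound to, which is why the script above uses the Exchange cmdlet; the function name, the remote-run path (which assumes WinRM is enabled) and the output file name are assumptions.

```powershell
# Added example, not from the original post: report certificates in the local machine
# personal store that have expired or will expire within -Days days, locally or over WinRM.
function Get-ExpiringCertificate {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,   # remote names assume WinRM is enabled
        [int]$Days = 60,                                # same 60-day window as the post's script
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $check = {
        param($Days, $StorePath)
        $now = Get-Date
        Get-ChildItem -Path $StorePath |
            Where-Object { $_.NotAfter -le $now.AddDays($Days) } |
            ForEach-Object {
                $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                if ($daysLeft -lt 0) { $state = 'Expired' } else { $state = 'Expiring' }
                New-Object PSObject -Property @{
                    Server        = $env:COMPUTERNAME
                    State         = $state
                    DaysLeft      = $daysLeft
                    NotAfter      = $_.NotAfter
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey   # a server cert without its key cannot be served anyway
                }
            }
    }
    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $check $Days $StorePath
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $check -ArgumentList $Days, $StorePath
        }
    }
}

# As in the post's script, only produce a report when something was found.
# @() guarantees .Count works even when a single certificate comes back.
$expiring = @(Get-ExpiringCertificate -Days 60 | Sort-Object NotAfter)
if ($expiring.Count -gt 0) {
    $expiring | Select-Object Server, State, DaysLeft, NotAfter, Subject, Thumbprint |
        ConvertTo-Html -Title 'Expiring certificates' | Out-File "$PWD\ExpiringCerts.html"
    $expiring | Format-Table Server, State, DaysLeft, Subject -AutoSize
}
```

Pass several names to -ComputerName to sweep a set of servers in one run. If the report is mailed, Send-MailMessage accepts -UseSsl and -Credential, which covers the authenticated SMTP item on the script's to-do list.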


Posted in Certificates, Exchange 2010, PowerShell, Windows 2008 R2, Windows Server 2012, Windows Servers

Install Certificate Services on Server 2012 Core

Posted by Alan McBurney on July 24, 2013

I’m finally getting the time to focus more and more on Windows Server 2012.

With Server 2012 I’m running Domain Controllers as server core installations.

My reasoning for running DCs using core is as follows:

  • No additional software can be installed on the server. Domain Controllers are Domain Controllers are Domain Controllers.
  • With server core installations admins generally don’t log onto the server unless they are comfortable with the command line and shell, and even then they typically only log on when something needs to be changed in the configuration.
  • Surface area is greatly reduced as there are limited binaries installed.
  • Memory is also minimal. My server core installs are running with 512MB RAM.
  • Disk requirements are reduced.

All of the above, in my opinion, leads to a more stable system.
On the downside, though, it takes a bit more work to get things up and running.

Getting Certificate Services up and running on the server core installation was pretty easy.

Once logged onto the server, I run PowerShell from the cmd line and then import the Server Manager module:

Import-Module ServerManager


Next, add the Active Directory Certificate Services and Certification Authority roles:

Add-WindowsFeature AD-Certificate, ADCS-Cert-Authority

A reboot is required after installation.

After the server has rebooted we can check that the features have been installed by running

Get-WindowsFeature | Where Installed


We now need to configure the Certificate Authority. To do this we need a bit of code that Microsoft has handily already provided here

Copy the code into Notepad on the server core installation and save it to a location on the disk.
(I RDP to my server core installation and therefore can paste the clipboard contents from my desktop to the server core console.)

The final piece of the configuration is to run the SetupCA.vbs file with the following parameters:

cscript SetupCA.vbs /IE


Once installed, I can now manage the CA from any workstation or server running RSAT.
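Server 2012 also ships the ADCSDeployment module, so the whole build can be driven from PowerShell on the Core box without SetupCA.vbs. The script below is an added example, not the post's procedure or Microsoft's script; the CA name, type, key size, hash algorithm and validity period are assumptions chosen for illustration, and the reboot check follows the post's observation that the role install needed one.

```powershell
# Added example, not from the original post: role install, reboot check, CA configuration
# and verification, all from PowerShell on Server 2012 Core.
Import-Module ServerManager

# Role install. Management tools are left off the Core box and used from an RSAT
# workstation instead, as in the post.
$result = Add-WindowsFeature AD-Certificate, ADCS-Cert-Authority
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the CA can be configured. Restart, then rerun the remaining steps.'
    return
}

# Confirm the role is present (the post's check)
Get-WindowsFeature | Where-Object Installed | Select-Object Name, DisplayName

# Configure the CA. Install-AdcsCertificationAuthority replaces SetupCA.vbs on Server 2012.
# CA type, name, key size, hash and validity are assumptions for this example; state them
# explicitly rather than relying on cmdlet defaults, because changing them afterwards means
# renewing the CA certificate.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'CONTOSO-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

# Verify the service is running and answers requests
Get-Service -Name CertSvc | Select-Object Name, Status
certutil -ping
```

Run it in an elevated PowerShell session as an Enterprise Admin, since an enterprise CA writes its configuration into the Configuration partition of AD. Once certutil -ping succeeds, the CA can be managed from an RSAT workstation exactly as the post describes.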


Posted in Certificate Authority, Certificates, PowerShell, Server Core, Windows Server 2012

Detecting members of Protected Groups within AD

Posted by Alan McBurney on July 16, 2013

I do a lot of Exchange and Lync work, and typically post-project I get calls from customers that things aren’t working quite as expected.

Some typical issues include insufficient rights to modify users within Lync, ActiveSync not working, or Send As permissions being stripped out for users within Exchange.

What all these issues have in common is that the affected users are members of what are termed Protected Groups within AD, and security inheritance is being stripped from the user object.

If you need a primer or a deep dive for that matter into Protected Groups see John Policelli’s article here

The following Active Directory PowerShell commands can be used to detect which users and groups are affected by Protected Group status.

To get the list of protected users:
     Get-ADUser -LDAPFilter "(admincount=1)" | select name

To get the list of protected groups:
     Get-ADGroup -LDAPFilter "(admincount=1)" | select name

Once the users have been removed from the Protected Groups, it’s just a matter of enabling security inheritance for the user object from within AD, and the issues should be resolved.
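The two one-liners above tell you who is flagged, but not whether an account is still a member of a protected group (nesting included) or whether inheritance is actually blocked on its object. The script below is an added example, not code from the original post: it joins those facts into one report and shows the inheritance fix done from PowerShell rather than the AD GUI. The function names are assumptions; the ActiveDirectory module and the AD: drive it provides are required.

```powershell
# Added example, not from the original post. Reports every adminCount=1 user together with
# the protected group it is still a member of (if any) and whether ACL inheritance is blocked.
Import-Module ActiveDirectory

function Get-ProtectedUserReport {
    # Map user DN -> protected group name for every current member, nesting included
    $memberOf = @{}
    foreach ($group in Get-ADGroup -LDAPFilter "(admincount=1)") {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $memberOf[$_.distinguishedName] = $group.Name }
    }

    Get-ADUser -LDAPFilter "(admincount=1)" -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name               = $_.Name
                DistinguishedName  = $_.DistinguishedName
                ProtectedVia       = $memberOf[$_.DistinguishedName]   # $null = no longer a member
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            }
        } | Select-Object Name, ProtectedVia, InheritanceBlocked, DistinguishedName
}

# Re-enable inheritance on a user that has already been removed from every protected group.
# AdminSDHolder propagation (SDProp) runs every 60 minutes by default and would strip it
# again while the account is still a member, so only use this on rows with no ProtectedVia.
function Restore-UserInheritance {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # isProtected=$false re-enables inheritance; preserveInheritance=$true keeps the existing ACEs
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    # SDProp does not reset adminCount when membership ends; clear it so the LDAP filter stays clean
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
}

# Review first; repair only accounts that are no longer members but still carry the blocked ACL
$report  = Get-ProtectedUserReport
$report | Format-Table -AutoSize
$orphans = $report | Where-Object { -not $_.ProtectedVia -and $_.InheritanceBlocked }
$orphans | Format-Table Name, DistinguishedName -AutoSize
# Once the list is confirmed:
# $orphans | ForEach-Object { Restore-UserInheritance -DistinguishedName $_.DistinguishedName }
```

Accounts that show a ProtectedVia value are genuinely privileged and should keep inheritance disabled; the Exchange and Lync symptoms in the post are expected for them, and the fix is a separate, non-privileged account for day-to-day mail and IM.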

Posted in Active Directory, Exchange 2010, Exchange 2013, Lync, PowerShell, Windows 2008 R2, Windows Server 2012

Error Adding Members to a DAG on Server 2012

Posted by Alan McBurney on April 8, 2013

Ran into an error this morning trying to add members to a DAG running on Server 2012.

When I tried to add the nodes to the DAG I got the error:

“You must provide an value for this property”


I decided I had better do some reading on TechNet regarding 2010 DAGs and Server 2012, and it turns out that you must pre-stage the CNO (Cluster Name Object).

The documentation states

Pre-staging the CNO is required for Windows Server 2012 DAG members due to permissions changes in Windows Server 2012 for computer objects.

There are two methods to achieve the pre-staging.

  1. Add the “Exchange Trusted Subsystem” group with Full Control to the CNO
  2. Add the first DAG member with Full Control to the CNO

I chose to add the “Exchange Trusted Subsystem” group.

Adding the nodes to the DAG after making the necessary changes worked without issue.
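Method 1 from the list above, pre-staging a disabled computer object for the DAG and granting “Exchange Trusted Subsystem” Full Control on it, can be scripted with the ActiveDirectory module. The script below is an added example, not the post's steps or Microsoft's documentation; the DAG name and OU are assumptions, and it must be run as an account allowed to create computer objects in that OU.

```powershell
# Added example, not from the original post: pre-stage the DAG cluster name object (CNO)
# and grant Full Control on that object only to the Exchange Trusted Subsystem group.
Import-Module ActiveDirectory

function New-PreStagedDagCno {
    param(
        [Parameter(Mandatory=$true)][string]$DagName,   # becomes the CNO's computer name
        [Parameter(Mandatory=$true)][string]$OUPath,    # e.g. "OU=Exchange Servers,DC=contoso,DC=com"
        [string]$Grantee = 'Exchange Trusted Subsystem'
    )
    # The CNO must exist but stay disabled; cluster creation enables it when the DAG is formed
    New-ADComputer -Name $DagName -Path $OUPath -Enabled $false `
        -Description "Pre-staged CNO for DAG $DagName"

    $cno  = Get-ADComputer -Identity $DagName
    $path = "AD:\$($cno.DistinguishedName)"
    $sid  = (Get-ADGroup -Identity $Grantee).SID

    # GenericAll on this object = Full Control; the ACE is scoped to the CNO, not the OU
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                         -ArgumentList $sid, $rights, $allow

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Return the resulting ACE so it can be reviewed before the DAG members are added
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -like "*\$Grantee" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
}

New-PreStagedDagCno -DagName 'DAG01' -OUPath 'OU=Exchange Servers,DC=contoso,DC=com'
```

Passing the first DAG member's computer account as -Grantee (for example 'EX01$') gives method 2 instead. Granting the right on the single pre-staged object keeps the Exchange Trusted Subsystem's extra permission limited to the CNO rather than the whole OU.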


Posted in Database Availability Group, Exchange 2010, Windows Server 2012

Change Windows 2012 Server Edition

Posted by Alan McBurney on April 8, 2013

Just started a new project today for a customer where I will be building a two-node DAG on Server 2012.

Got the Exchange server bits installed and then tried creating the DAG, which failed.

After a bit of analysis it transpires that the customer built the base OS with Windows 2012 Standard and not Datacenter (Server 2012 doesn’t include an Enterprise Edition any more).

Luckily we can convert between editions of Windows Server on the fly via DISM (Deployment Image Servicing and Management).

TechNet documentation on converting between Server 2012 editions can be found here

To determine the current edition of Windows Server installed, run the following:

  • DISM /online /Get-CurrentEdition


To determine which editions the server can be upgraded to, run:

  • DISM /online /Get-TargetEditions


As can be seen from the above screenshot, this version of Windows Server can be upgraded to Target Edition : ServerDatacenter.

To complete the conversion between editions, we use the DISM command in the following format:

  • DISM /online /Set-Edition:<Version> /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEULA

In the above example the target edition is ServerDatacenter.


A reboot of the server and a check of the server edition reveals that it has indeed been successfully upgraded to Datacenter.


Posted in Windows Server 2012

Exchange 2013 CU1 Installation

Posted by Alan McBurney on April 3, 2013

The long-awaited CU1 update for Exchange 2013 has finally arrived.
This update allows for on-premises coexistence with Exchange 2010 SP3 and 2007 SP3 RU10, and brings the Exchange 2013 build number up to 15.0 (Build 620.29).

The admin display versions from pre- and post-CU1 installs are shown below. (Ex2K13-01 running RTM and Ex2K13-02 running CU1)


CU1 also brings new Schema, AD and Domain updates, so all three need to be prepared before running setup.

To prepare the schema, run

  • setup.exe /PrepareSchema

To prepare AD, run

  • setup.exe /PrepareAD

To prepare the domain, run

  • setup.exe /PrepareDomain

Finally, to install the update onto an RTM version of 2013, run

  • setup.exe /m:Upgrade

There are only a few clicks to navigate through before installation begins.

Installation took a good 40 minutes on my machines.

If you have been hanging back on the installation of 2013 until CU1, there is no need to install the RTM version first.
As the updates are cumulative, run setup straight from the CU1 media and you’re done.

Happy patching.

Exchange 2013 CU1 can be downloaded here

Posted in Exchange 2013, Windows Server 2012