Tuesday, October 21, 2014

SMTP Delivery failure, Source: AGENT

So I ran into an issue the other day involving emails not being delivered. Upon further inspection I noted that the Barracuda passed the messages through because the sending domain was whitelisted.  Funny though, because I was one of the recipients and the message did not come through.

We have two Exchange 2010 servers, so I began inspecting the Transport logs on the gateway server.  Turns out those messages had a status of "FAIL" with a Source of "AGENT".

Agent here means a Transport Agent.  Now yes, we do have a Barracuda 410 spam filter, but we also had the anti-spam agents in Exchange enabled.


Not knowing which one was causing this failure, I started with the one I would logically suspect: Sender ID.


Then I re-pushed the messages from the 'Cuda.  Checking the Transport logs again, I found they still failed.  To make a long story short, I went down the list disabling each agent in turn and found that the Transport Rule Agent was the cause, except that none of my actual Transport Rules applied to this particular sender, message body or content.

IDK, it's weird.  But at least I got mail flowing, which is the important part.
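The troubleshooting sequence above, as an added example written by the editor for the Exchange Management Shell; it is not the author's own commands. The sender address, server name and time window are placeholders. The Barracuda whitelist only bypasses the spam filter in front of Exchange; every enabled transport agent still runs on the Hub Transport server, which is why the message tracking log is the place to look.

```powershell
# Added example (editor's, not from the original post). Run in the Exchange 2010
# Management Shell on the Hub Transport server that showed the FAIL events.
$Sender = 'someone@partner.example'   # assumed: a sender on the Barracuda whitelist
$Server = 'EXHUB01'                   # assumed: the gateway Hub Transport server

# 1. Confirm the symptom: FAIL events whose Source is AGENT were dropped by a transport
#    agent, not by the filter. SourceContext often names the agent; when it is blank,
#    fall back to disabling agents one at a time (step 4).
$fails = Get-MessageTrackingLog -Server $Server -EventId FAIL -Sender $Sender `
            -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
         Where-Object { $_.Source -eq 'AGENT' }
$fails | Format-Table Timestamp, Recipients, MessageSubject, SourceContext -AutoSize

# 2. Which agents are enabled, and in what order they run.
Get-TransportAgent | Format-Table Identity, Enabled, Priority -AutoSize

# 3. Before blaming the Transport Rule Agent, list the rules it would be enforcing.
Get-TransportRule | Format-List Name, State, Priority, Conditions, Actions

# 4. Disable one agent for a short test and put it back whatever happens. Agent changes
#    only take effect after the transport service restarts. Disabling the Transport Rule
#    Agent switches off every transport rule (disclaimers, ethical walls, keyword blocks),
#    so keep the window short and re-enable it even if the test fails.
function Test-WithoutTransportAgent {
    param(
        [Parameter(Mandatory=$true)][string]$Agent,
        [Parameter(Mandatory=$true)][scriptblock]$Test   # e.g. { resend from the filter }
    )
    Disable-TransportAgent -Identity $Agent -Confirm:$false
    Restart-Service MSExchangeTransport
    try {
        & $Test
    } finally {
        Enable-TransportAgent -Identity $Agent
        Restart-Service MSExchangeTransport
    }
}

# Usage: release the queued messages from the filter inside the scriptblock, then re-run step 1.
# Test-WithoutTransportAgent -Agent 'Transport Rule Agent' -Test { Read-Host 'Re-push from the Barracuda, then press Enter' }
```

If the agent has to stay disabled for mail to flow, as it did in the post, treat that as a temporary state: whatever the rule agent was enforcing is now not enforced, so the rule set (including any disabled-but-present rules) should be reviewed rather than left switched off.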

Monday, October 20, 2014

Modify DistributionGroup field en masse

Ok so we are in the process of migrating to Office 365, a push started by our parent company.  After the move there will be one giant GAL for all the operating companies.  To help combat the complexity of such a beast I have to prepend ALL of my existing DGs with 'UB_'.

I found a quick way to accomplish such a task.  Enter PowerShell! lol


Ok so first export your DG view from the EMC to a .csv.  You will end up with a spreadsheet with a few columns; delete all but the Name column and save.

Then from the EMS type:



I had around 154 groups to rename, and caught errors on 4 of them.  MUCH better than a manual process, obviously.

Now, just to keep things as simple as possible, I wanted the Name, DisplayName and Alias to all match.  By changing $_.Name after the Set-DistributionGroup to $_.DisplayName, then to $_.Alias, I was able to accomplish that.
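The loop the post describes (CSV of names in, prefixed Name, DisplayName and Alias out), as an added example written by the editor; it is a reconstruction, not the command the post itself used. It assumes the EMC export was trimmed to a single Name column and saved as DistributionGroups.csv (file name assumed), and it keeps all three attributes in one Set-DistributionGroup call instead of three passes.

```powershell
# Added example (editor's reconstruction, not the post's own command).
# Run in the Exchange 2010 Management Shell.
$Prefix = 'UB_'
$DryRun = $true                      # flip to $false once the -WhatIf output looks right
$Groups = Import-Csv -Path '.\DistributionGroups.csv'   # assumed file; one 'Name' column

foreach ($row in $Groups) {
    $old = $row.Name
    if ($old -like "$Prefix*") { continue }          # already renamed: the script is safe to re-run
    $new = $Prefix + $old
    if ($new.Length -gt 64) {                        # Name and Alias are limited to 64 characters
        Write-Warning "skipping '$old': prefixed name would be $($new.Length) characters"
        continue
    }
    try {
        $dg = Get-DistributionGroup -Identity $old -ErrorAction Stop
        # Keep Name, DisplayName and Alias in step, as the post wants. Alias is derived
        # from the existing alias (no spaces allowed) rather than from the display name.
        $alias = $Prefix + $dg.Alias
        Set-DistributionGroup -Identity $dg.Identity -Name $new -DisplayName $new -Alias $alias -WhatIf:$DryRun
        Write-Output "renamed '$old' -> '$new' (alias $alias)"
    } catch {
        Write-Warning "failed on '$old': $($_.Exception.Message)"
    }
}
```

Two things to check before the dry run becomes a real run. First, a group whose EmailAddressPolicyEnabled is $true and whose policy builds addresses from the alias (the default policy does) will get UB_alias@domain stamped as a new primary SMTP address when the alias changes, with the old address demoted to secondary; look at Get-DistributionGroup | fl EmailAddressPolicyEnabled,EmailAddresses first if senders outside the company rely on the current address. Second, Get-DistributionGroup -Identity by Name fails if the name is not unique or was exported with trailing whitespace, which is the kind of thing that produces a handful of errors out of 154.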

Wednesday, October 15, 2014

Relocating a DC from Site A to Site B

I recently learned that my company is shuttering one of our remote locations, which I can't name at this time.

It seems that just yesterday I spent a week out there setting up that as a new site.. *shakes head*

Anyway, during that acquisition we gained an office in *major US city* and a manufacturing facility in *tiny friggin remote location*.  "TFRL" only has like 8 actual users and a file server; I did set them up as an AD Site but they had no domain controller.  It looks like the best plan I can come up with is moving the DC in the city to TFRL, lol.


So in order to move a Domain Controller to a new AD Site it seems the best way is to demote and re-promote in the new site on the new subnet.  I do have to change the hostname to match the new Site code, so here's what I'm going to do:

Demote DC in old site.
Change hostname
Physically move to new site
Static IP on that subnet
Promote
And Done.

Now from what I can tell via Microsoft's method, if my hostname were staying the same then I could just alter the IP config, and AD would see that the DC was now using IP info associated with a different Site and update the service records and DNS accordingly.  However, I would still need to move the DC object manually to the new site in AD.

This DC is not a bridgehead, so that removes some additional config.  It does, however, hold the DNS and GC roles, so I will need to make sure there are no static records pointing to the old IP.
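The six-step plan above as a PowerShell runbook, added by the editor and not the author's own script. It assumes Windows Server 2012 or later (the ADDSDeployment, NetTCPIP and DnsServer modules), and every hostname, site name, subnet and address in it is a placeholder. Demoting before the box leaves the building has a security benefit the post does not spell out: a demoted server travels without ntds.dit, so a machine lost or opened in transit does not carry every password hash in the domain.

```powershell
# Added example (editor's runbook, not the post's). Placeholders throughout.
$Dc        = 'CITY-DC01'       # assumed current hostname
$NewName   = 'TFRL-DC01'       # assumed hostname carrying the new site code
$NewSite   = 'TFRL'
$Domain    = 'corp.example'    # assumed AD domain
$OldIp     = '10.1.0.10'       # assumed address in the old site
$NewIp     = '10.2.0.10'; $NewPrefix = 24; $NewGw = '10.2.0.1'; $NewSubnet = '10.2.0.0/24'
$OtherDns  = '10.1.0.11'       # assumed: another DC/DNS server reachable from TFRL
$Nic       = 'Ethernet'        # assumed adapter name

# ---- Phase 0: pre-flight, from any other DC -------------------------------------
Import-Module ActiveDirectory
# FSMO roles and at least one other Global Catalog must live elsewhere before demoting.
Get-ADDomain | Format-List PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Format-List SchemaMaster, DomainNamingMaster
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } | Select-Object Name, Site
# The new site must own the new subnet, or the promoted DC lands in the wrong site.
if (-not (Get-ADReplicationSubnet -Identity $NewSubnet -ErrorAction SilentlyContinue)) {
    New-ADReplicationSubnet -Name $NewSubnet -Site $NewSite
}

# ---- Phase 1: on the DC, still in the old site: demote (reboots) -----------------
Uninstall-ADDSDomainController -Force `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password')

# ---- Phase 2: rename while still on the old network so the domain sees it -------
$Cred = Get-Credential "$Domain\Administrator"
Rename-Computer -NewName $NewName -DomainCredential $Cred -Restart

# ---- Phase 3: after the physical move, static IP on the TFRL subnet -------------
Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $NewIp -PrefixLength $NewPrefix -DefaultGateway $NewGw
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $OtherDns

# ---- Phase 4: promote straight into the new site (reboots) ----------------------
Install-ADDSDomainController -DomainName $Domain -SiteName $NewSite -InstallDns -Credential $Cred `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# ---- Phase 5: verify site membership, then hunt records that still name the old host/IP
Get-ADDomainController -Identity $NewName | Select-Object Name, Site, IPv4Address, IsGlobalCatalog
# Static A records have no Timestamp; those are the ones scavenging will never clean up.
Get-DnsServerResourceRecord -ZoneName $Domain -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $OldIp } |
    Select-Object HostName, Timestamp
# SRV records (LDAP, Kerberos, GC) that still advertise the old hostname.
Get-DnsServerResourceRecord -ZoneName "_msdcs.$Domain" -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$Dc.*" } |
    Select-Object HostName, @{n='Target';e={$_.RecordData.DomainName}}

# Had the hostname stayed the same, the alternative the post mentions is to re-IP and
# move the server object instead of demoting:
#   Move-ADDirectoryServer -Identity $Dc -Site $NewSite
```

Phases 1 to 4 each end in a reboot, so the block is meant to be run a phase at a time rather than as one script. The Phase 5 DNS queries are the check for the "no static records to the old IP" requirement; anything they return needs deleting by hand, since the DC re-registers its own dynamic records on promotion but never touches static ones.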


It'll be next summer before this happens, so I won't be travelling in the middle of winter again.

Tuesday, October 14, 2014

Changing certificate on Exchange 2010 SP3

Today I ran into an issue with Exchange 2010 and adding a new certificate.

See, we have two primary sites at the company I work for: MS and MI.  MS is and has always been the SMTP gateway, as our spam filter is there.  Which is fine and dandy.  However, we are in the beginning stages of an Office 365 migration, and in preparation for that I decided to allow external access to my Exchange server here in the MI site, so as not to traverse the slow MPLS link to MS and then to the cloud when uploading mailbox data.

So since our external URL for OWA is https://internetmail.unifiedbrands.net, I chose 'internetmail2' for the common name.

So I bought the cert from Network Solutions, added it to the server, assigned the IIS and SMTP services to it, then edited the InternalUrl for OWA, ECP, ActiveSync, OAB, EWS and the CAS (Autodiscover).
Which worked, pretty much, except for this nagging Security Alert when opening Outlook complaining about a name mismatch: it was looking for the FQDN of the server.

Oh what now! I hate problems.

I went through and double- and triple-checked every virtual directory there is.  I'll be damned, they're all correct!  I reset IIS, I rebooted the server.. the cert mismatch was still there.

Here's the Cliff-Notes version on checking the VDs:

Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | fl Identity,InternalUrl,ExternalUrl
Get-OabVirtualDirectory | fl Identity,InternalUrl,ExternalUrl
Get-OwaVirtualDirectory | fl Identity,InternalUrl,ExternalUrl
Get-EcpVirtualDirectory | fl Identity,InternalUrl,ExternalUrl
Get-ActiveSyncVirtualDirectory | fl Identity,InternalUrl,ExternalUrl
Get-OutlookAnywhere | fl Identity,ExternalHostname  (* if used)

So, as much as I hate recreating VDs, I wound up recreating the EWS virtual directory.  Then I re-set the InternalUrl value, verified all the authentication settings were correct, flushed my local DNS cache, reset IIS again, and after about 15 minutes Outlook opened without complaint.  MailTips were back and I could see Free/Busy info both for users on my CAS and for users on the MS server's CAS.
YAY.
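The manual check above, generalised into a script that compares every client-facing hostname with the certificate actually bound to IIS. This is an added example written by the editor, not the author's commands; the CAS name is a placeholder, and the syntax stays PowerShell 2.0 because that is what the Exchange 2010 Management Shell runs. The name-mismatch alert means exactly this: Outlook was handed a URL whose host is not among the names on the certificate, so the test is "every URL host appears in CertificateDomains".

```powershell
# Added example (editor's, not from the post). Exchange 2010 Management Shell on the CAS.
$Cas = 'MI-EXCH01'   # assumed CAS server name

# Every hostname Outlook can be handed: Autodiscover, EWS, OAB, OWA, ECP, ActiveSync and
# Outlook Anywhere. Internal and external URLs both count.
function Get-ClientUrlHost {
    param([string]$Server)
    $urls = @()
    $urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    $vds  = @(Get-WebServicesVirtualDirectory -Server $Server) +
            @(Get-OabVirtualDirectory -Server $Server) +
            @(Get-OwaVirtualDirectory -Server $Server) +
            @(Get-EcpVirtualDirectory -Server $Server) +
            @(Get-ActiveSyncVirtualDirectory -Server $Server)
    foreach ($vd in $vds) { $urls += $vd.InternalUrl; $urls += $vd.ExternalUrl }
    $oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
    if ($oa -and $oa.ExternalHostname) { $urls += "https://$($oa.ExternalHostname)/rpc" }
    $urls | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique
}

# The certificate Outlook sees over HTTPS is the one with IIS in its Services list.
function Test-CertificateCoversUrl {
    param([string]$Server)
    $cert = Get-ExchangeCertificate -Server $Server |
            Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw "no certificate is enabled for IIS on $Server" }
    $san = @($cert.CertificateDomains)
    foreach ($h in Get-ClientUrlHost -Server $Server) {
        # -like lets a '*.example.com' SAN entry match; a plain entry must match exactly.
        $ok = @($san | Where-Object { $h -like $_ }).Count -gt 0
        New-Object PSObject -Property @{ Host = $h; CoveredByCert = $ok; Thumbprint = $cert.Thumbprint }
    }
}

Test-CertificateCoversUrl -Server $Cas | Format-Table Host, CoveredByCert, Thumbprint -AutoSize
```

Any row with CoveredByCert = False is a URL still pointing at a name the certificate does not carry; in the post that name was the server's own FQDN. Two caveats: Outlook caches the Autodiscover response, so a corrected URL can take a restart of Outlook (or the 15 minutes the post waited) to show up, and the check reads the live configuration only, which is why it will not explain a broken virtual directory that reports correct values but had to be recreated.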

Thursday, October 9, 2014

AIR-CAP2602E join issues to WLC controller

So I bought a Cisco AIR-CAP2602E wireless access point about a month ago.  Currently we have an older 2506 controller and a newer 5500 controller sitting there unused.

Since I did not have the time, I had our telecom guy set up the base config on the 5500, and he spent a good 2-3 days trying to get this 2602 to see and join that controller, to no avail.

I'll make a long story short.. I took this afternoon to play with it, and checking the console messages it was stuck in a loop:

*Mar 1 00:21:57.082: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
*Mar 1 00:22:00.105: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.
*Mar 1 00:22:00.208: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.1.250, mask 255.255.255.0, hostname AP7081.0500.0000

Translating "CISCO-CAPWAP-CONTROLLER.example.com"...domain server (172.16.50.100)

*Mar 1 00:22:08.083: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.50.25 obtained through DHCP
*Mar 1 00:22:08.083: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:22:08.173: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.example.com
Not in Bound state.
(*IPs were changed to protect the innocent)

So it kept renewing its IP via DHCP but could not find the controller.  Now as far as I can tell, and from what I found Googling, the LAPs have to use DHCP.. which is fine.  And they can find the WLC in two ways:
DNS resolution by way of CISCO-CAPWAP-CONTROLLER.<your domain>, or
DHCP Option 43


Option 43 takes a specific syntax, all in hex, but here's the short of it:

It always begins with F1; then, because in my case I had two controller IPs, the next piece is 08 (the number of bytes that follow, 4 per controller), followed by the IPs of my two controllers in hex.  So my string was:
F1080a0204120a020404

Now, admittedly, while searching for help on the error "invalid event 38 & state 2 combination" I also came across a blog where the guy mentioned enabling the WLC to accept self-signed certs from the APs.  So I did that as well... I did not feel like testing the join without that enabled, so it *might* not be needed.

After setting Option 43 I bounced the AP and it found and subsequently joined the controller.  WOOT.
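The Option 43 encoding described above (type byte F1, a length byte of 4 bytes per controller, then each controller address as four hex octets), as an added example by the editor; it is not from the post. It goes slightly beyond the post's single case by handling any number of controllers, and it decodes a string back to addresses so an existing scope value can be checked before an AP is bounced against it. The two controller addresses are the ones the post's string encodes.

```powershell
# Added example (editor's, not the post's). Builds and checks the Cisco CAPWAP
# vendor-specific DHCP option 43 payload for Windows PowerShell 2.0 or later.

function ConvertTo-CapwapOption43 {
    param([Parameter(Mandatory=$true)][string[]]$Controller)   # one or more WLC IPv4 addresses
    $bytes = @()
    foreach ($ip in $Controller) {
        $addr = [System.Net.IPAddress]::Parse($ip)
        if ($addr.AddressFamily -ne 'InterNetwork') { throw "$ip is not IPv4; option 43 carries 4-byte addresses" }
        $bytes += $addr.GetAddressBytes()
    }
    if ($bytes.Count -gt 255) { throw 'too many controllers for a one-byte length field' }
    $hex = ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ''
    'F1' + ('{0:X2}' -f $bytes.Count) + $hex        # F1 <len> <ip1><ip2>...
}

function ConvertFrom-CapwapOption43 {
    param([Parameter(Mandatory=$true)][string]$Hex)
    $Hex = $Hex -replace '[^0-9A-Fa-f]', ''          # tolerate "F1 08 0A 02 ..." spacing
    if ($Hex.Length -lt 4 -or $Hex.Substring(0, 2) -ne 'F1') { throw 'not a Cisco CAPWAP option 43 payload (type 0xF1)' }
    $len = [Convert]::ToInt32($Hex.Substring(2, 2), 16)
    if (($len % 4) -ne 0 -or $Hex.Length -ne 4 + 2 * $len) { throw "length byte $len does not match the payload" }
    for ($i = 0; $i -lt $len; $i += 4) {
        $octets = @()
        for ($j = 0; $j -lt 4; $j++) { $octets += [Convert]::ToInt32($Hex.Substring(4 + 2 * ($i + $j), 2), 16) }
        $octets -join '.'
    }
}

ConvertTo-CapwapOption43 -Controller '10.2.4.18', '10.2.4.4'   # F1080A0204120A020404, same as the post (case aside)
ConvertFrom-CapwapOption43 -Hex 'F1080a0204120a020404'          # 10.2.4.18 then 10.2.4.4
```

The resulting bytes go on the DHCP scope that serves the AP's VLAN (on a Windows DHCP server that is option 043 "Vendor Specific Info" as binary data); the alternative the post lists is an A record named CISCO-CAPWAP-CONTROLLER in the DNS domain the AP is handed, which the "Could Not resolve" line in the console log shows the AP was trying. On the certificate point: a 2600-series AP carries a manufacturer-installed certificate, and allowing self-signed AP certificates on the WLC widens the set of devices the controller will accept. If the join works with that setting turned back off, leave it off.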





Monday, October 6, 2014

powershell.. change directory to a UNC path

I realize this may be old stuff for a lot of people.. but I literally just discovered this.  While testing a logon script I opened PowerShell and cd'd to a UNC path..


How friggin awesome is that? lol
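A logon-script fragment that leans on the same thing, added by the editor as an example (not the post's own script): PowerShell's FileSystem provider accepts a UNC path as the current location, which cmd.exe refuses. The share and file names are placeholders.

```powershell
# Added example (editor's, not from the post). Works in PowerShell 2.0 and later.
$Share = '\\fileserver01\logon$'   # assumed share
$File  = 'settings.cmd'            # assumed file on that share

function Copy-FromShare {
    param([string]$Path, [string]$Name, [string]$Destination = $env:TEMP)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "share $Path is not reachable; skipping"
        return $false
    }
    Push-Location -LiteralPath $Path        # the UNC path becomes the current location
    try {
        Get-ChildItem -Filter *.cmd | Select-Object Name, LastWriteTime   # relative paths now resolve on the share
        Copy-Item -LiteralPath $Name -Destination $Destination -Force
        return $true
    } finally {
        Pop-Location                        # always drop back to the previous drive, even on error
    }
}

Copy-FromShare -Path $Share -Name $File
```

Push-Location/Pop-Location rather than a bare cd matters in a logon script: an exception thrown while the current location is a UNC path otherwise leaves the rest of the script running relative to the share, and Test-Path first avoids a hang-then-fail on a share that is offline for a remote user.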

70-411, Administering Windows Server 2012 - Directions Training

So last week I was off at home.. back in my basement sitting through the 70-411 Administering Windows Server 2012 course via WebEx with Directions Training.  Maybe it's just me, but I'm not a fan of the compressed lecturing style.
I realize that there's limited time to go through the official material, but if I were paying real money for these courses I'd expect a higher level of professionalism and completeness.  Don't skimp on the examples, don't skim over the lesser topics.  I want the instructor to touch every part of the curriculum.  You know.. if the material required 9 days... or 12 days, I'd go through it in order to cover 100% of the material, as I'm sure most others who are paying good money for these courses would.

Granted, many of the topics are not new to 2012, but it's a great refresher for those of us who don't use every part of a Microsoft server OS on a daily basis.

I had wanted this post to be a review of the material, but I keep coming back to the training provider on every thought.  For the price of the course you do get a virtual copy of the official Microsoft training book, with the labs for each section, which is a good thing.
You can also re-take the course for up to 6 months, but I don't think anything new would be gleaned from such an undertaking.


I only hope that in the third and final course, 70-412, the instructor keeps on track and keeps the detail level set to high.

That's my $0.02 anyway.