How to remove a user from a security group in a different domain in PowerShell

Recently I ran into an issue at my company removing a user in our primary domain from a group in our root domain using the AD cmdlets in PowerShell. All my company’s user, computer, and group objects are in our primary domain and our root domain is more of a resource forest. The group in question was an Exchange RBAC role in the resource forest. So, when I first attempted the removal as such

Remove-ADGroupMember -Identity "HelpDesk Exchange Tasks" -Members doej

I got the following error

Remove-ADGroupMember : Cannot find an object with the Identity: ‘HelpDesk Exchange Tasks’ under: ‘DC=corp,DC=contoso,DC=com’.

At first it seemed obvious that the solution was to use a domain controller in our resource domain to perform the task. So, I tried referencing a DC in the resource domain

Remove-ADGroupMember -Identity "HelpDesk Exchange Tasks" -Members doej -Server FRDC500.root.contoso.com

But got the following error

Remove-ADGroupMember : Cannot find an object with the Identity: ‘CN=doel,OU=US,OU=CORP,DC=corp,DC=contoso,DC=com’’ under: ‘DC=root,DC=contoso,DC=com’.

At that point I didn’t know how to proceed, so I did some searching on the internet and came across an MS blog entry entitled “Adding/removing members from another forest or domain to groups in Active Directory”.

Basically, you need to

  1. Choose which domain’s server you want to run the command against.
  2. Get the default returned property set of the object in the other domain, referencing a domain controller in that domain if needed.
  3. Run the command, referencing the object that lives in that server’s domain by just its name/samaccountname/CN/DN, and passing the full object for the object in the other domain.
    1. Referencing the other-domain object by just its name/samaccountname/CN/DN, or even selecting just those properties on the object, will not work. It needs to be the full default object as returned by the Get-AD* command you are using to get the object.

So, in my example I pulled the PDCEmulator from the resource domain (where the group was) and the default domain (where the user object was)

$DC_In_Root = (Get-ADDomain root.contoso.com).PDCEmulator
$DC_In_Default = (Get-ADDomain corp.contoso.com).PDCEmulator

Then I saved the default returned property set of the user object in the current domain (I didn’t need to reference a DC in this domain since it was my default working domain, but it’s done here for clarity’s sake)

$Default_Domain_User = Get-Aduser doej -server $DC_In_Default

In my example, I’m going to use the DC in my root domain to remove the user from the group. So, I only need to reference the group in this domain by name/samaccountname/CN/DN, BUT the user needs to be referenced as an object with its complete default returned property set. The opposite can be done if needed.

Remove-ADGroupMember -Identity "HelpDesk Exchange Tasks" -Members $Default_Domain_User -Server $DC_In_Root

I’m not sure why it needs to be the complete default property set. In my limited testing, removing just one of the properties caused it to fail.

Posted in Exchange, PowerShell

Getting Exchange 2013/2016 Add-ins (Outlook Apps) working through a proxy

Like most companies, my organization uses a proxy for all internet traffic. This presented a problem when we tried using Add-ins for Exchange 2013. At the time we could not figure out how to get the subsystem that pulled down apps in Exchange to use the proxy server despite trying the following methods

  • Configuring the proxy in IE
  • Setting the proxy at the Exchange server level via Set-ExchangeServer -InternetWebProxy
  • Using netsh or proxycfg

Since it was not needed at the time we migrated to Exchange 2013, I dropped the effort. Recently though, after we migrated to 2016, an actual request came in for an app from the Office Outlook app store. Since the servers could not get through the proxy, we would see errors in the Application log (Event ID 3018, see below for an example) and we would get errors every time we tried to add an app via the EMS or EAC. In the event log errors we would see a different URL referenced each time. When we logged into the Exchange host we could easily get to the URL in Internet Explorer (as long as our company’s proxy settings were in place), but the Exchange server could not reach it.

Log Name:      Application
Source:        MSExchangeApplicationLogic
Date:          11/19/2017 1:13:29 AM
Event ID:      3018
Task Category: Extension
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xchsrv01.contso.com
Description:
Scenario[ServiceHealth]: GetConfig. CorrelationId: e0bc58ff-f87e-4f73-a3df-814b4681bbfb. The request failed. Mailbox:  Url: https://officeclient.microsoft.com/config16?CV=15.1.1034.26&Client=WAC_Outlook&corr=e0bc58ff-f87e-4f73-a3df-814b4681bbfb Exception: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 40.83.182.229:443
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at Microsoft.Exchange.Data.ApplicationLogic.Extension.BaseAsyncOmexCommand.<>c__DisplayClass2.<EndGetResponseCallback>b__1()
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeApplicationLogic" />
    <EventID Qualifiers="49156">3018</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-11-19T06:13:29.933295500Z" />
    <EventRecordID>993987</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xchsrv01.contso.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>GetConfig</Data>
    <Data>e0bc58ff-f87e-4f73-a3df-814b4681bbfb</Data>
    <Data>
    </Data>
    <Data>https://officeclient.microsoft.com/config16?CV=15.1.1034.26&amp;Client=WAC_Outlook&amp;corr=e0bc58ff-f87e-4f73-a3df-814b4681bbfb</Data>
    <Data>System.Net.WebException: Unable to connect to the remote server ---&gt; System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 40.83.182.229:443
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket&amp; socket, IPAddress&amp; address, ConnectSocketState state, IAsyncResult asyncResult, Exception&amp; exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at Microsoft.Exchange.Data.ApplicationLogic.Extension.BaseAsyncOmexCommand.&lt;&gt;c__DisplayClass2.&lt;EndGetResponseCallback&gt;b__1()</Data>
  </EventData>
</Event>

After some digging we found out that we needed to set the proxy for the account that is running the app pools for Exchange (which in most cases is LOCALSYSTEM) and that it needed to be set with bitsadmin /util /setieproxy. When using this command you will be given a message that it is deprecated, but I couldn’t find another method to set the proxy for the LOCALSYSTEM account. Using bitsadmin you can configure the proxy either manually, like so

bitsadmin /util /setieproxy localsystem MANUAL_PROXY http://http-contso.com:80 "*.corp,contso.com; <local>"

Or using a PAC file

bitsadmin /util /setieproxy localsystem AUTOSCRIPT http://security/webproxy/BalaPAC.pac

We had trouble in our environment getting the PAC file to work with Windows Server 2012R2 and it worked half the time with Windows Server 2016. So, we stuck with the manual method. Our exclusions list was really long and apparently was too big for the buffer to read the settings back using

bitsadmin /util /getieproxy localsystem

Or you can check the following registry entry to verify the setting took: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
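
An added example (not from the original post or from Microsoft) for reading that registry value back when bitsadmin /util /getieproxy cannot: it decodes the binary value into its flags, proxy server, bypass list and PAC URL. The byte layout used is the commonly observed one and is an assumption here; the helper name, the sample blob and its host names are constructed.

```powershell
# Added example, not the blog author's code. Assumed (commonly observed) layout of
# DefaultConnectionSettings: 4-byte version, 4-byte change counter, 4-byte flags,
# then three length-prefixed ASCII strings: proxy server, bypass list, PAC URL.
function ConvertFrom-ConnectionSettings {          # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 16) { throw 'Blob is too short to hold the fixed header' }
    $flags  = [BitConverter]::ToInt32($Bytes, 8)
    $offset = 12

    # Read the three strings in order; a missing trailing string is treated as empty
    $fields = foreach ($name in 'ProxyServer', 'ProxyBypass', 'AutoConfigUrl') {
        if ($offset + 4 -gt $Bytes.Length) { ''; continue }
        $len = [BitConverter]::ToInt32($Bytes, $offset)
        $offset += 4
        if ($len -lt 0 -or $offset + $len -gt $Bytes.Length) {
            throw "Length of $name runs past the end of the blob"
        }
        [Text.Encoding]::ASCII.GetString($Bytes, $offset, $len)
        $offset += $len
    }

    [pscustomobject]@{
        Direct        = [bool]($flags -band 0x01)
        ManualProxy   = [bool]($flags -band 0x02)   # set by MANUAL_PROXY
        AutoScript    = [bool]($flags -band 0x04)   # set by AUTOSCRIPT (PAC file)
        AutoDetect    = [bool]($flags -band 0x08)
        ProxyServer   = $fields[0]
        BypassEntries = @($fields[1] -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        AutoConfigUrl = $fields[2]
    }
}

# Constructed sample blob (manual proxy plus bypass list) so the decoder can be tried offline
$enc = [Text.Encoding]::ASCII
[byte[]]$sample = [BitConverter]::GetBytes(0x46) + [BitConverter]::GetBytes(7) + [BitConverter]::GetBytes(0x03)
foreach ($s in 'http://proxy.example.test:80', '*.corp.example.test;<local>', '') {
    $sample += [BitConverter]::GetBytes($s.Length) + $enc.GetBytes($s)
}
ConvertFrom-ConnectionSettings -Bytes $sample

# On the Exchange server itself: read the LocalSystem value named in the post and decode it
$key  = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
$live = (Get-ItemProperty -Path $key -Name DefaultConnectionSettings -ErrorAction SilentlyContinue).DefaultConnectionSettings
if ($live) { ConvertFrom-ConnectionSettings -Bytes $live }
```

Because the bypass list comes back as an array, a long exclusion list can be counted or compared against the intended list entry by entry.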

After setting the proxy and restarting IIS, we could install Add-ins via PowerShell and the EAC. We still occasionally get the 3018 Application log errors for some URLs, but at least we can now install Add-ins.

Posted in Exchange

Log parser query to get Exchange clients below a certain patch level

At my company we are currently in the early stages of an Exchange 2013 to Exchange 2016 migration and we needed to identify any Outlook clients below a certain patch level (ones we identified as having issues with MAPI over HTTP via a proxy). So we used the following Log Parser query to gather a list of all clients past a certain patch level after a certain date and ran it against the RPC and MAPI logs on all our Exchange servers.

SELECT EXTRACT_SUFFIX(client-name,0,'=') as User,
client-name as DN,
client-software,
client-software-version as Version,
client-mode,
client-ip,
REVERSEDNS(client-ip) as ClientName,
protocol,
TO_LOCALTIME(TO_TIMESTAMP(EXTRACT_PREFIX(TO_STRING([#Fields: date-time]),0,'T'), 'yyyy-MM-dd')) AS [Day]
FROM '[LOGFILEPATH]'
WHERE (operation='Connect')
And Day > TimeStamp('2017-07-11','yyyy-MM-dd')
-- Both version ranges are grouped so the operation and date filters apply to each of them
And ((Version between '15.0.0000' and '15.0.4849.0000') OR (Version between '14.0.0000' and '14.0.7172.4000'))
GROUP BY User,DN,client-software,Version,client-mode,client-ip,ClientName,protocol,Day
ORDER BY User
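
An added example (not from the original post) of the same filter done in PowerShell, comparing builds numerically with [version] rather than as strings, using the two ceilings from the query above. The rows are constructed and reduced to the fields the query uses; real RPC Client Access and MAPI logs carry more columns, and the helper name is hypothetical.

```powershell
# Added example, not the blog author's code. Constructed sample rows (not real log data)
$log = @'
date-time,client-name,client-software,client-software-version,client-mode,client-ip,protocol,operation
2017-07-12T09:15:02.000Z,/o=Example/ou=AG/cn=Recipients/cn=doej,OUTLOOK.EXE,15.0.4849.0000,Cached,192.0.2.10,MapiHttp,Connect
2017-07-12T09:20:41.000Z,/o=Example/ou=AG/cn=Recipients/cn=brownj,OUTLOOK.EXE,15.0.4953.1001,Cached,192.0.2.11,MapiHttp,Connect
2017-07-13T14:02:10.000Z,/o=Example/ou=AG/cn=Recipients/cn=smitha,OUTLOOK.EXE,14.0.7151.5001,Classic,192.0.2.12,ncacn_http,Connect
2017-07-13T14:05:33.000Z,/o=Example/ou=AG/cn=Recipients/cn=smitha,OUTLOOK.EXE,14.0.7151.5001,Classic,192.0.2.12,ncacn_http,Disconnect
2017-07-10T08:00:00.000Z,/o=Example/ou=AG/cn=Recipients/cn=leek,OUTLOOK.EXE,15.0.4569.1506,Cached,192.0.2.13,MapiHttp,Connect
2017-07-14T11:11:11.000Z,/o=Example/ou=AG/cn=Recipients/cn=wongp,OUTLOOK.EXE,16.0.4266.1001,Cached,192.0.2.14,MapiHttp,Connect
'@ | ConvertFrom-Csv

# Highest build per major version that still counts as "below patch level" (values from the query)
$ceilings = @{ 15 = [version]'15.0.4849.0000'; 14 = [version]'14.0.7172.4000' }
$since    = [datetime]'2017-07-11'

function Test-BelowPatchLevel {                    # hypothetical helper name
    param([string]$VersionString)
    $v = $null
    # Unparseable version strings are not flagged rather than guessed at
    if (-not [version]::TryParse($VersionString, [ref]$v)) { return $false }
    $ceiling = $ceilings[$v.Major]
    return ($null -ne $ceiling) -and ($v -le $ceiling)   # BETWEEN is inclusive, so -le
}

$log |
    Where-Object {
        $_.operation -eq 'Connect' -and
        ([datetime]$_.'date-time').Date -gt $since -and
        (Test-BelowPatchLevel $_.'client-software-version')
    } |
    Select-Object @{ n = 'User';    e = { ($_.'client-name' -split '=')[-1] } },
                  @{ n = 'Version'; e = { $_.'client-software-version' } },
                  'client-mode', 'client-ip', protocol -Unique |
    Sort-Object User
```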

Posted in Exchange

“Message Trace” option missing from the Exchange Admin Center in Office 365

Recently I created an RBAC role group for some of my team members so that they could manage a subset of Exchange features in one of our O365 instances. The role group I created had the following roles

  • Distribution Groups
  • HistoricalSearch
  • Mail Enabled Public Folders
  • Mail Recipient Creation
  • Mail Recipients
  • Message Tracking
  • Public Folders
  • Security Group Creation and Membership
  • Security Reader
  • User Options
  • View-Only Audit Logs
  • View-Only Configuration

The “message trace” option was not available under “Mail flow” in the EAC for the members of this role group even though they had access to the get-messagetrace cmdlet when connecting to this Instance via PowerShell. After a call to Microsoft we discovered that we had to add the ‘View Only Recipients’ role to reveal that option in the EAC. This was odd seeing that they had the ‘Mail Recipients’ role already, but it worked.

Posted in Office 365

Unable to delete items in modern public folders : “Some Items cannot be deleted. They were either moved or already deleted, or access was denied”

Recently we had reports from a subset of users that they received the following error when they tried to delete items from a specific set of public folders using their Outlook client: “Some Items cannot be deleted. They were either moved or already deleted, or access was denied”

A quick google search revealed that this happens to a mailbox whenever it goes over its RecoverableItemsQuota. Seeing that this was an Exchange 2013 environment, and starting in Exchange 2013 public folders are now stored in mailboxes, I assumed the same symptom was occurring. Sure enough the public folder mailbox these folders resided in was over its deleted item limit.

Get-Mailbox pubfoldermbx01 -PublicFolder | Select Name, *recoverable*
Name            RecoverableItemsQuota         RecoverableItemsWarningQuota
----            ---------------------         ----------------------------
PubFolderMbx02  60 GB (64,424,509,440 bytes)  40 GB (42,949,672,960 bytes)
 
Get-Mailbox pubfoldermbx01 -PublicFolder | Get-MailboxStatistics | Select DisplayName, TotalDeletedItemSize
DisplayName     TotalDeletedItemSize
-----------     --------------------
PubFolderMbx01  60 GB (64,424,509,440 bytes)

Another folder in the same public folder mailbox was taking up most of the deleted item space of the mailbox. You can find this out by running the following

$PFStats = Get-PublicFolder -ResidentFolders -Mailbox pubfoldermbx01 -Recurse | Get-PublicFolderStatistics
 
$PFStats | Select Name, FolderPath, TotalDeletedItemSize | Sort TotalDeletedItemSize -Descending | select -First 3
Name              FolderPath           TotalDeletedItemSize
----              ----------           --------------------
Offending Folder  {Offending Folder}   59.10 GB (63,458,141,798 bytes)
CLEAN             {CLEAN}              3.517 GB (3,776,367,512 bytes)
Inbox             {Inbox}              1.715 GB (1,841,476,727 bytes)

At this point we temporarily set the RecoverableItemsQuota on this public folder mailbox to unlimited and reached out to the owners of the offending public folder.

Get-Mailbox -PublicFolder pubfoldermbx01 | Set-Mailbox -UseDatabaseRetentionDefaults $FALSE -PublicFolder
 
Get-Mailbox -PublicFolder pubfoldermbx01 | Set-Mailbox -RetainDeletedItemsFor $NULL -PublicFolder

We learned they were using the folder as a dumping ground for alert messages from a system in their development environment, which was generating close to 10,000 messages a day. After explaining the situation and its impact on other users, the public folder owners agreed to a shorter item age and deleted item retention period.

Set-PublicFolder "\Offending Folder" -RetainDeletedItemsFor 0 -AgeLimit 5

We could have also moved the public folder to its own mailbox, but we decided that it would be best to try to limit how long the data was being held instead of continuing to accommodate a large volume of non-critical data. After about 48 hours the new retention policy kicked in. This is due to the Managed Folder Assistant needing to first stamp the items with the new retention settings during the first pass and then to act on the new stamp during the second pass. This process usually happens every 24 hours in Exchange 2013+. You can manually kick it off using Start-ManagedFolderAssistant like so

Start-ManagedFolderAssistant -Identity pubfoldermbx01

Posted in Exchange, Exchange 2013, Public Folders

Using script blocks within double quoted strings in PowerShell

While working on a script to convert an XML export of a new chat application to EML files for ingestion into my company’s compliance system (a task I’ve been doing a lot of over the past year or so), I came across an interesting use of variables in double quoted strings, one I was surprised I didn’t think of earlier.

Part of my script entailed providing options for grabbing various date ranges of the XML chat export from the provided REST API. I decided on the following options:

  • Full Export
  • This Date Forward
  • This Date Only

I normally use write-verbose statements partially as comment based help and a light version of logging for scripts like this. So when a non-full export was specified I wanted a write verbose statement like

Write-Verbose "Building REST URL for a $ExportType export using $ExportStartDate"

While a full export would be

Write-Verbose "Building REST URL for a $ExportType export"

So I originally started with the following code

if ($ExportType -ne "Full") {
    Write-Verbose "Building REST URL for a $ExportType export using $ExportStartDate"
}
else {
    Write-Verbose "Building REST URL for a $ExportType export"
}

But then it dawned on me, I’ve done some expressions in double quoted strings before. A simple example would be

Write-Host "Yesterday was $((Get-Date -Hour 00 -Minute 00 -Second 00).AddDays(-1).ToString())"

Could I do something a little more complex? Turns out I can! The following worked and could fit on one line

Write-Verbose "Building REST URL for a $ExportType export $(if ($ExportType -ne "Full") {"using $ExportStartDate"})"

Thinking about it some more, I wondered: if I had a more complex statement as a script block, could I pass that as well? Turns out I can!

[ScriptBlock]$CalculatedValue = {if ($ExportType -ne "Full") {"using $ExportStartDate"}}
Write-Host "Building REST URL for a $ExportType export $(& $CalculatedValue)"
Write-Host "Building REST URL for a $ExportType export $(Invoke-Command $CalculatedValue)"

Using either the call operator (&) or Invoke-Command I can execute a script block in a double quoted string. A fun trick I hope to use in the future to tighten up some code.

Posted in PowerShell

Creating an array of arrays in PowerShell

Recently I had a need to convert a series of messages from one of my company’s Slack instances into EML files so they could be ingested into our compliance system. In the process of parsing the export file via PowerShell, I had the need to group individual messages by conversations for further processing. This meant I needed an array of message threads, and each thread could be a single or multiple messages (another array). But when I was doing the standard method of adding an object to an array

$MessageTable += $Thread

it was adding the individual array members of $Thread to $MessageTable instead of adding $Thread as a single object. So for threads with multiple messages I was joining the arrays instead. To add the thread as a single object I had to do the following:

$MessageTable += ,$Thread

The big difference was the comma ( , ). This allowed each array to be added as an entire object instead of being joined. As a better explanation, here is an example through pseudo PowerShell code

Create an array to hold all the objects called $MessageTable

$MessageTable = @()

Do some work to create the following thread, which contains only one message object

$Thread =
 
type : message
user : john.mello@contso.com
text : FYI meeting tommorrow
ts : 10/10/2016 8:42:25 PM
MsgType : Direct Message
participants : Chad.Doe@contso.com

Now add it to the $MessageTable as an object

$MessageTable += ,$Thread

Do some more work to create a new thread, which contains 3 message objects

$Thread =
 
type : message
user : john.mello@contso.com
text : do you have tickets for next week? if not i was going to get them.
ts : 10/10/2016 10:40:12 AM
MsgType : Direct Message
participants : {jane.brown@contso.com}
 
type : message
user : john.mello@contso.com
text : have 2 meetings for the AM on the 18th, but afternoon is free
ts : 10/10/2016 10:40:36 AM
MsgType : Direct Message
participants : {jane.brown@contso.com}
 
type : message
user : jane.brown@contso.com
text : No tickets yet.
ts : 10/10/2016 11:04:56 AM
MsgType : Direct Message
participants : {john.mello@contso.com}

Now add it to the $MessageTable as an object as well

$MessageTable += ,$Thread

Now when I check the count of the $MessageTable object I see that it only has 2 total objects

$MessageTable.count
2

I can also see that each item is referenced as a whole object

$MessageTable[0]
 
type : message
user : john.mello@contso.com
text : FYI meeting tommorrow
ts : 10/10/2016 8:42:25 PM
MsgType : Direct Message
participants : Chad.Doe@contso.com
 
$MessageTable[1]
 
type : message
user : john.mello@contso.com
text : do you have tickets for next week? if not i was going to get them.
ts : 10/10/2016 10:40:12 AM
MsgType : Direct Message
participants : {jane.brown@contso.com}
 
type : message
user : john.mello@contso.com
text : have 2 meetings for the AM on the 18th, but afternoon is free
ts : 10/10/2016 10:40:36 AM
MsgType : Direct Message
participants : {jane.brown@contso.com}
 
type : message
user : jane.brown@contso.com
text : No tickets yet.
ts : 10/10/2016 11:04:56 AM
MsgType : Direct Message
participants : {john.mello@contso.com}

Now if I did it the normal way ($MessageTable += $Thread), each message would have been joined to the array

$MessageTable.count
4
 
$MessageTable[0]
 
type : message
user : john.mello@contso.com
text : FYI meeting tommorrow
ts : 10/10/2016 8:42:25 PM
MsgType : Direct Message
participants : Chad.Doe@contso.com
 
$MessageTable[1]
 
type : message
user : john.mello@contso.com
text : do you have tickets for next week? if not i was going to get them.
ts : 10/10/2016 10:40:12 AM
MsgType : Direct Message
participants : {jane.brown@contso.com}
 
$MessageTable[2]
 
type : message
user : john.mello@contso.com
text : have 2 meetings for the AM on the 18th, but afternoon is free
ts : 10/10/2016 10:40:36 AM
MsgType : Direct Message
participants : {jane.brown@contso.com}
 
$MessageTable[3]
 
type : message
user : jane.brown@contso.com
text : No tickets yet.
ts : 10/10/2016 11:04:56 AM
MsgType : Direct Message
participants : {john.mello@contso.com}

Now I could have also used an ArrayList, which always adds the whole object as one entry in the array. An ArrayList also has the following benefits which I frequently use

  • Has a Remove() method, which Array does not
  • More efficient when adding hundreds of members, because the += method makes PowerShell create a new variable equal to the whole of the old one, add our new entry to the end, and then throw away the old variable

Here is how I would use it in the same situations

Create the array list

$MessageTable = New-Object System.Collections.ArrayList

Use the add method to add an object

$MessageTable.Add($Thread)
0
 
#MORE WORK
 
$MessageTable.Add($Thread)
1

Note that the Add() method of an ArrayList always returns the index of the added object to the console. To avoid that, use your favorite out-null method. Example

$MessageTable.Add($Thread) | Out-Null

Here is a fully fleshed out example using get-process

#Arrays
$Array1 = @()
$Array2 = @()
$ArrayList = New-Object System.Collections.ArrayList
 
#Data
$Process_W = Get-Process -Name W*
$Process_S = Get-Process -Name S*
 
#Joining Arrays example
$Array1 += $Process_W
$Array1 += $Process_S
$Array1.count
$Array1[1]
 
#Adding arrays to array example
$Array2 += ,$Process_W
$Array2 += ,$Process_S
$Array2.count
$Array2[1]
 
#Array list example
$ArrayList.add($Process_W)
$ArrayList.add($Process_S) | Out-Null
$ArrayList.count
$ArrayList[1]

Posted in PowerShell

The various picture resolutions supported by Exchange 2013 mailboxes

In researching what picture resolutions are supported by Exchange (and Lync 2013/Skype for Business) I came across this MS TechNet article stating that the following 3 resolutions are used in Lync:

  • 48 x 48 : Used if no higher resolution image is selected
  • 96 x 96 : Used in Outlook Web App and Outlook 2013
  • 648 x 648 : Used in Lync 2013 desktop client and Lync 2013 Web App

I also came across this MSDN article detailing an EWS URL you can use to retrieve the photo used in an Exchange 2013 mailbox: https://Exchange Server/ews/Exchange.asmx/s/GetUserPhoto?email=email address&size=size code

In working on a script to pull pictures from my company’s HR system and push them to users’ mailboxes, I noticed other resolutions were available as well. So I decided to try and figure out all the supported resolutions with this quick and dirty PowerShell script:

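Foreach ($Num in 1..648) {
   Try {
      # Request the photo at this size; an unsupported size makes the request fail
      $URL = "http://contoso.com/EWS/Exchange.asmx/s/GetUserPhoto?email=John.Mello@contoso.com&size=HR$($Num)x$($Num)"
      Invoke-WebRequest -Uri $URL -UseDefaultCredentials -ErrorAction Stop | Out-Null
      # Only reached when the request succeeded, so this prints each supported size
      $Num
   }
   Catch { }
}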

In doing so I discovered that these were all the supported resolutions in Exchange 2013:

  • 48×48
  • 64×64
  • 96×96
  • 120×120
  • 240×240
  • 360×360
  • 432×432
  • 504×504
  • 648×648

Posted in EWS, Exchange 2013, Outlook

Display Names on mail enabled public folders in Exchange 2013

Fun fact: you can have a different display name for the same public folder if it’s mail enabled

[PS] Get-PublicFolder "\Market Data Services\MDS Bills" | Select Identity, Name | Ft -AutoSize
Identity                        Name
--------                        ----
\Market Data Services\MDS Bills MDS Bills
[PS] Get-MailPublicFolder "\Market Data Services\MDS Bills" | Select Identity, Alias, Displayname, name | FT -AutoSize
Identity                                                   Alias       DisplayName   Name
--------                                                   -----       -----------   ----
contso.com/Microsoft Exchange System Objects/OLD MDS Bills OLDMDSBILLS OLD MDS Bills OLD MDS Bills

This happens because the mail enabled object is an object that resides in AD in the Microsoft Exchange System Objects OU, while the standard folder is just a folder in the public folder mailboxes

Posted in Exchange, Exchange 2013

I took my Exchange 2013 environment down doing a CU11 prerequisite check

In preparing for my company’s Exchange 2013 CU8 to CU11 upgrade a few weekends ago, I decided during my lunch break to run the CU11 installer through the prerequisite check on all our servers, just to make sure nothing would get in the way of the install that weekend. This is something I used to do all the time in Exchange 2010 with Service Packs and Rollups. So I started the GUI setup on one of our multi-role servers hosting a lagged database in our DR site first, and the prerequisite check came up clean, so I exited out of the installer at the section where you would normally hit “next” to install Exchange 2013. I then ran it on one of our production servers and it came up clean as well. Figuring I should be thorough, I ran the prerequisite check on the remaining production and DR servers. Within a few minutes we started getting multiple alarms for our Exchange email environment through our monitoring system. After 45 minutes of email routing and access downtime I was able to piece together that the prerequisite check runs the following commands, which put these 3 Exchange 2013 component states offline

Set-ServerComponentState $Target -Component Monitoring -Requester Functional -State Inactive
Set-ServerComponentState $Target -Component RecoveryActionsEnabled -Requester Functional -State Inactive
Set-ServerComponentState $Target -Component ServerWideOffline -Requester Functional -State InActive

Unfortunately the setup does not put them back online if you cancel it for any reason. Early in the troubleshooting process I realized that the component states were inactive and I tried to bring them back online (like I normally do when patching). What I didn’t realize was that since the Requester was “Functional” and I was using “Maintenance” to try and bring them back online, it wasn’t taking. Only after I did so using “Functional” did it take.
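
An added example (not from the original post or from Microsoft) of the requester matching described above: given per-requester state entries, it prints the Set-ServerComponentState command needed to release each Inactive hold with the same requester that set it. The helper name, the server name EXCH01 and the sample entries are constructed; the Component, Requester and State property names are assumed to match the LocalStates entries returned by Get-ServerComponentState.

```powershell
# Added example, not the blog author's code. A component stays Inactive while ANY
# requester holds it Inactive, so each hold has to be released by the requester that set it.
function Get-ComponentRestoreCommand {             # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][object[]]$StateEntry   # objects with Component, Requester, State
    )
    foreach ($hold in $StateEntry | Where-Object { "$($_.State)" -eq 'Inactive' }) {
        # Emit the command as text so it can be reviewed before anything is changed
        $template = 'Set-ServerComponentState {0} -Component {1} -Requester {2} -State Active'
        $template -f $Server, $hold.Component, $hold.Requester
    }
}

# Constructed entries mirroring the situation in the post: setup (Requester Functional)
# left three components Inactive, and a Maintenance/Active attempt did not clear them
$entries = @(
    [pscustomobject]@{ Component = 'Monitoring';             Requester = 'Functional';  State = 'Inactive' }
    [pscustomobject]@{ Component = 'RecoveryActionsEnabled'; Requester = 'Functional';  State = 'Inactive' }
    [pscustomobject]@{ Component = 'ServerWideOffline';      Requester = 'Functional';  State = 'Inactive' }
    [pscustomobject]@{ Component = 'ServerWideOffline';      Requester = 'Maintenance'; State = 'Active' }
)
Get-ComponentRestoreCommand -Server 'EXCH01' -StateEntry $entries

# In the Exchange Management Shell the entries would come from the server itself, e.g.:
# $entries = Get-ServerComponentState -Identity 'EXCH01' | ForEach-Object { $_.LocalStates }
```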

After doing a post mortem on the issue at work we came across the following info online

This Exchange team blog post from 09/26/2013 that states the following

While an Exchange 2013 Server is updated with CU2, the setup- sets “Monitoring”, “RecoveryActionsEnabled” and “ServerWideOffline” to Inactive using the Requester “Functional” at the beginning, as can be seen in the “ExchangeSetup”-Logfile:

However, when the update exits prematurely because it encounters an unrecoverable error-condition, it does not restore the original state. Even when the Administrator restarts all stopped Exchange services or reboots the server, the Exchange components still remain in the Inactive state.

In order to recover from this situation, you must either find the root cause for the error and remove it so that the setup completes successfully, or manually set the ServerComponentStates back to Active with the Requester “Functional”.

This issue might be fixed in future CUs and SPs.

When I looked over my Exchange install log files I did not see any entries stating an abnormal end, but it appears that simply cancelling the setup after the prerequisite check is enough to cause this condition. I personally wish this was actively stated in the setup process itself (e.g. “Putting this server in ServerWideOffline mode, do you want to continue?”).

This TechNet Blog from 10/21/2014 states the following about running a CU and when the server component states are set to inactive:

In Exchange 2013, we have also extended setup to perform some of the maintenance tasks prescribed here – specifically handling server health states to ensure that the server can be safely upgraded. When performing setup.exe /mode:upgrade to upgrade between Exchange 2013 CUs we now perform the following:

  • Set the monitoring state of the server to inactive.
  • Prevent automatic recovery actions from occurring on the server.
  • Set the ServerWideOffline component state to InActive

This essentially disables all health checking against the server, all automatic recovery actions as a result of that health checking, and prevents the server from performing transport and other client functions.

….

It should be noted that these steps are executed directly at the beginning of setup – even before pre-requisite analysis etc.

So all in all, I didn’t realize running the install up to the prerequisite check would cause so many issues. This is our first CU update since we deployed Exchange 2013 and I don’t recall running into this issue in 2010 when I deployed SPs or RUs. So hopefully this will help someone else out before they make the same mistake.

 

Posted in Exchange, Exchange 2013