I came across this tool a couple of years ago, demo'd it, thought it looked great but forgot about it and never used it in a live environment.
Last week I started a project which required a full audit of a fairly large Exchange 2007 network that spread throughout 13 sites worldwide. As part of the audit, I set about creating a Visio diagram of the Exchange Organization but soon ran into trouble trying to map out all of the site links and detailed information.
That's when I remembered Microsoft's Active Directory Topology Diagrammer. This is a really handy tool when you want to create Visio diagrams of your networks and it covers Active Directory Site Structure, OU Structure and brilliantly the Exchange Organization structure too!
Download the tool from the link below and try it out. You will need Visio installed, with the latest Exchange stencils, for the tool to draw the diagrams properly:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=cb42fc06-50c7-47ed-a65c-862661742764&displaylang=en
Monday, November 22, 2010
Tuesday, November 16, 2010
Increase Exchange 2010 DAG Failover Threshold
One of our clients has a 4 member node Exchange 2010 DAG spread across 4 different countries worldwide.
The client had reported to me that one of the sites that had a slight bandwidth issue was consistently failing its Active Mailbox Store from the local site over to its Dublin HQ site. When we manually moved the database back over to the original local site, it would randomly fail back over to the main Dublin HQ site, presumably due to the intermittent latency on the Internet connection at that local site.
The customer requested that I find a way to increase the failover threshold or tolerance for the DAG so that it doesn't fail over as frequently without losing the functionality of High Availability.
After searching for quite a while on how to do this using Exchange PowerShell, I found some information relating not to Exchange Server but to the Windows Server 2008 Cluster Service (which is essentially what the DAG uses for its clustering technology when it is created for the first time).
Using a standard Command Prompt (cmd), I started playing with the 'cluster' command and looking into what switches it used and what they could be applied to.
Here's what I came up with:
Type 'cluster /list' to display the name of the cluster that is present on the Server
When you run a 'cluster /prop' from the cmd line, it returns a number of values relating to the cluster, two of which are the following:
CrossSubnetDelay = 1000 (this is the default 1000 milliseconds which equals 1 second per heartbeat check)
CrossSubnetThreshold = 5 (this is the default number of heartbeats that can be missed before failover)
I changed the CrossSubnetDelay value to make the heartbeat check in every 2 seconds instead of the default 1 second by using the command below:
cluster /cluster:<ClusterName> /prop CrossSubnetDelay=2000
With this new setting along with the default value of 5 seconds for the CrossSubnetThreshold setting, this now allows the Cluster service to wait for 10 seconds before initiating a failover to a different DAG member.
The CrossSubnetDelay value can be increased to a maximum of 4000 milliseconds when the cluster is across subnets (it is a maximum of 2000 milliseconds if you are on the same subnet).
The CrossSubnetThreshold value can be modified with a value anywhere from 3 to 10.
This workaround / solution may need some tweaking with values until you reach the desired tolerance on your DAG.
It is also worth making sure you make a note of all changes that you make before and after the above commands and as always - make sure you have a full backup of your Exchange environment before you do anything like this!!!!
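The planning step behind the change above, as an added PowerShell example that is not part of the original post: it checks proposed values against the limits quoted in the post, works out the failover wait as heartbeat delay multiplied by the missed-heartbeat threshold, and prints the cluster commands to apply and to roll back. The function name and the cluster name 'DAG01' are hypothetical.

```powershell
# Added example, not from the original post. Limits are the ones the post
# quotes; the function name and the cluster name 'DAG01' are hypothetical.
function Get-DagHeartbeatPlan {
    param(
        [Parameter(Mandatory = $true)][string]$ClusterName,
        [Parameter(Mandatory = $true)][int]$NewDelayMs,
        [int]$NewThreshold     = 5,
        [int]$CurrentDelayMs   = 1000,  # default CrossSubnetDelay per the post
        [int]$CurrentThreshold = 5      # default CrossSubnetThreshold per the post
    )

    # Ceiling from the post: 4000 ms when the cluster is across subnets.
    if ($NewDelayMs -lt 1 -or $NewDelayMs -gt 4000) {
        throw "CrossSubnetDelay $NewDelayMs ms is outside 1-4000 ms."
    }
    # Range from the post: 3 to 10 missed heartbeats.
    if ($NewThreshold -lt 3 -or $NewThreshold -gt 10) {
        throw "CrossSubnetThreshold $NewThreshold is outside 3-10."
    }

    # Build the commands to apply and the matching commands to undo them,
    # skipping any property that is not actually changing.
    $apply    = @()
    $rollback = @()
    if ($NewDelayMs -ne $CurrentDelayMs) {
        $apply    += "cluster /cluster:$ClusterName /prop CrossSubnetDelay=$NewDelayMs"
        $rollback += "cluster /cluster:$ClusterName /prop CrossSubnetDelay=$CurrentDelayMs"
    }
    if ($NewThreshold -ne $CurrentThreshold) {
        $apply    += "cluster /cluster:$ClusterName /prop CrossSubnetThreshold=$NewThreshold"
        $rollback += "cluster /cluster:$ClusterName /prop CrossSubnetThreshold=$CurrentThreshold"
    }

    # Failover wait = heartbeat interval x number of missed heartbeats.
    New-Object PSObject -Property @{
        Cluster          = $ClusterName
        BeforeSeconds    = ($CurrentDelayMs * $CurrentThreshold) / 1000
        AfterSeconds     = ($NewDelayMs * $NewThreshold) / 1000
        ApplyCommands    = $apply
        RollbackCommands = $rollback
    }
}

# The change made in the post: 2000 ms delay, threshold left at 5.
$plan = Get-DagHeartbeatPlan -ClusterName 'DAG01' -NewDelayMs 2000
"Failover wait: {0}s -> {1}s" -f $plan.BeforeSeconds, $plan.AfterSeconds
$plan.ApplyCommands
$plan.RollbackCommands
```

Pass the values that 'cluster /prop' reports on your own cluster as -CurrentDelayMs and -CurrentThreshold so that the rollback commands restore what was actually there.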
Saturday, November 13, 2010
Bulk Create Active Directory User Accounts and Exchange Mailboxes
Although this process is fairly well known at this point, I am continually asked for this PowerShell script to assist with the bulk creation of new Active Directory user accounts with passwords and then the bulk creation of Exchange Mailboxes for these new accounts. It will also allow you to create or specify an OU to place them into.
This script was created by Exchange MVP Andy Grogan.
Here's the link to the downloadable Powershell Script and sample CSV file that creates the user accounts within Active Directory:
http://www.telnetport25.com/component/content/article/15-powershell/321-quick-post-script-to-create-lab-users-powershell-version.html
Once you have modified the CSV file to suit your user structure and run the Powershell script, you should now have all of the users created within AD and all assigned passwords of your choice too.
The next step is to create new Exchange mailboxes for those users using the following process:
You open the Exchange Management Shell and begin with Get-User.
If we imagine we have an OU we wish to grab all the users from, we could just type Get-User -OrganizationalUnit <OU Name>. However, this will return all the users in that OU, some of whom may already be mailbox enabled. To narrow down the results we can filter on RecipientType, which should be equal to User (as opposed to UserMailbox, which would mean they already have a mailbox).
So, for example, if we want to locate all users in the Accounts OU that do not have mailboxes already for their accounts we could type:
Get-User -OrganizationalUnit Accounts | Where-Object {$_.RecipientType -eq "User"}
That command would get us part of the way there.
Now if we wanted to mailbox enable those users we would append to the end:
Enable-Mailbox -Database "<Name of Database>"
So, let’s say in our setup here we have the Accounts users in the Accounts OU and we want them all given mailboxes in a database called EX2010Database.
We would type the full command:
Get-User -OrganizationalUnit Accounts | Where-Object {$_.RecipientType -eq "User"} | Enable-Mailbox -Database "EX2010Database"
Now just sit back and let the script do all the hard work!
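A more cautious way to run the same bulk enable, as an added example that is not part of the original post or of Andy Grogan's script: it previews the change with -WhatIf, applies it only when asked, and then re-reads every account into a CSV so there is a record of what was changed. The function name and log path are hypothetical; the OU and database names are the sample ones used above.

```powershell
# Added example, not from the original post. Run it in the Exchange
# Management Shell. The function name and log path are hypothetical.
function Enable-OuMailbox {
    param(
        [Parameter(Mandatory = $true)][string]$OrganizationalUnit,
        [Parameter(Mandatory = $true)][string]$Database,
        [string]$LogPath = 'C:\Temp\mailbox-enable.csv',  # hypothetical path
        [switch]$Apply   # without -Apply the function only previews
    )

    # Same filter as the post: RecipientType 'User' means no mailbox yet.
    $candidates = @(Get-User -OrganizationalUnit $OrganizationalUnit -ResultSize Unlimited |
        Where-Object { $_.RecipientType -eq 'User' })
    Write-Host "$($candidates.Count) account(s) without a mailbox in '$OrganizationalUnit'."
    if ($candidates.Count -eq 0) { return }

    if (-not $Apply) {
        # Preview: -WhatIf lists what would be enabled and changes nothing.
        $candidates | Enable-Mailbox -Database $Database -WhatIf
        return
    }

    $candidates | Enable-Mailbox -Database $Database | Out-Null

    # Re-read every account and record its state; any row still showing
    # RecipientType 'User' was not mailbox-enabled and needs a look.
    $candidates |
        ForEach-Object { Get-User -Identity $_.Identity } |
        Select-Object Name, SamAccountName, RecipientType |
        Export-Csv -Path $LogPath -NoTypeInformation
    Write-Host "Result written to $LogPath"
}

# Preview first, then apply, using the post's sample OU and database names.
Enable-OuMailbox -OrganizationalUnit 'Accounts' -Database 'EX2010Database'
Enable-OuMailbox -OrganizationalUnit 'Accounts' -Database 'EX2010Database' -Apply
```

The preview is the point at which to spot service or disabled accounts sitting in the OU, since the RecipientType filter matches them too.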
Sunday, October 31, 2010
Exchange 2010 Remote Management using Powershell
I've been doing a lot of work recently with Exchange 2010 and Powershell and have come across this neat way of managing the Exchange Server within your network from a remote client PC without having to install the Exchange Management Tools and do it through the GUI.
You need to complete these commands from a Windows 7 client machine (or any machine that has Powershell installed) for it to work.
Firstly, you need to enable remote scripts to run on your Windows 7 machine by typing the following command from an elevated Powershell prompt:
Set-executionpolicy remotesigned
At this point, it's worth trying to input an administrative Exchange Powershell command into your client to see if it understands it. Try entering something like: get-mailbox
Your Windows 7 client will come back with an error stating that the command is not recognisable as an internal Powershell cmdlet - this is correct as we haven't imported the Exchange 2010 session into the local client's Powershell Library yet
Once the 'set-executionpolicy remotesigned' command is completed, enter the following commands to get control of your Exchange 2010 server:
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://servername.domainname.local/PowerShell -Authentication Kerberos
(This command makes contact with the Exchange 2010 server and initiates a new Powershell session - don't forget to substitute your own servername and domainname into the line above!)
Import-PSSession $session
(This command then imports the new Powershell session into the local client library)
Now try to run the get-mailbox command again or any other Exchange 2010 Powershell command for that matter and you should now be able to work through administering your server remotely from your client pc!
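A tighter variant of the same remote session, as an added example that is not part of the original post: the execution policy is relaxed for the current PowerShell process only, just the cmdlets needed for the task are imported, and the session is closed when the work is done. The server name is the placeholder used above, and the list of cmdlets is an assumption chosen for illustration.

```powershell
# Added example, not from the original post. The server name is the post's
# placeholder; the list of cmdlets to import is an assumption for this task.
$uri     = 'http://servername.domainname.local/PowerShell'
$cmdlets = 'Get-Mailbox', 'Get-MailboxDatabase'

# Set RemoteSigned for this PowerShell process only, so the machine-wide
# execution policy is left as it was.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force

$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $uri -Authentication Kerberos -ErrorAction Stop
try {
    # Import only the named cmdlets instead of the whole Exchange command set.
    $module = Import-PSSession $session -CommandName $cmdlets
    Write-Host "Imported: $($module.ExportedCommands.Keys -join ', ')"

    Get-Mailbox -ResultSize 10 | Select-Object Name, Database
}
finally {
    # Close the server-side session even if a command above failed.
    Remove-PSSession $session
}
```

Once Remove-PSSession has run, the imported cmdlets stop working until a new session is created and imported.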
Tuesday, October 26, 2010
DPM 2010 Monitoring Management Pack Released!
Finally the RTM version of the DPM 2010 Monitoring Management Pack has been released. There are some nice features around SLA based alerting and integration with your in-house ticketing systems.
Here's the link from Microsoft to download it:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32077d99-618f-43d0-843d-4ba4f8019f84&displaylang=en
Friday, October 22, 2010
Hyper V and SCVMM Missing Updates Script
I came across this really handy little script on Microsoft SCVMM Engineer JonJor's blog. This script is basically a reporting tool that checks all of the relevant Hyper-V, Failover Cluster, SCVMM, BITS, VDS, VSS, WMI and WinRM components for installed updates and reports back with any that are missing.
Most of these updates are generally deployed automatically using Windows Update but there are some that slip through the net and this tool will help you find them.
Make sure that you check back to the link below regularly for an updated script as the author continually makes changes and additions to it.
I've already resolved issues on two Hyper-V cluster sites just by installing the recommended updates from this report.
It's worth noting that you are best running the script from a folder on the root of the System Drive with no spaces in the name as I had some initial syntax issues when I named the folder something like 'Hyper V Updates', try naming it to 'missingupdates' or 'hypervupdates' to be sure it works first time.
Here's the link:
http://blogs.technet.com/b/jonjor/archive/2010/10/14/vmmupdate.aspx
Thursday, October 21, 2010
Using DPM 2010 to Restore a System State or Perform a Bare Metal Recovery for a Windows 2008 Server
Here's a step by step video from Microsoft's Shane Brasher on how to restore the system state of a Windows 2008 Server using DPM 2010.
http://www.microsoft.com/showcase/en/us/details/bb0b5339-445b-4298-8705-350f13227b93
And here's one detailing how to perform a Bare Metal Recovery of a Windows 2008 Server - the Bare Metal recovery is a new feature to DPM 2010 and will come in really handy in a non-virtualised environment or if you choose not to back up the entire VHD each day:
http://www.microsoft.com/showcase/en/us/details/bec0b1c6-d1fd-41f0-b4bc-df5791dfc68d
Always handy to know how to do this in case of emergency!
Tuesday, October 19, 2010
Windows 2008 R2 RADIUS with Cisco ASA
I came across an issue last week when a customer had retired their old Windows 2003 RADIUS server and replaced it with a new Windows 2008 R2 server. They had their Cisco ASA device integrated for Authentication of remote IPSec VPN clients to Active Directory through the RADIUS server.
When the old Windows 2003 server was removed and the new Windows 2008 R2 server went in, naturally, the RADIUS had stopped working and needed to be reconfigured.
After playing around with this problem for nearly half a day I found the solution wasn't too technical but more a step by step configuration of both sides of the Authentication process (RADIUS and Cisco ASA) needed to be carried out exactly as outlined below.
One of the main differences of the old RADIUS on the Windows 2003 Server versus the new Windows 2008 R2 server is that the Windows 2008 R2 Server uses the new Microsoft Network Policy Server to provide RADIUS and NAC (Network Access Control) to the network.
When the NPS component is deployed out of the box, it comes preconfigured with some policies that can conflict with how you want your Cisco ASA to communicate with it, and these policies will need to be deleted and recreated to get the Cisco to communicate with it.
The following blog post outlines exactly the process needed to properly configure your Cisco ASA with a Windows 2008 R2 RADIUS / NPS Server:
http://fixingit.wordpress.com/2009/09/08/using-windows-server-2008-as-a-radius-server-for-a-cisco-asa/
Sunday, October 10, 2010
MBSA, SCOM and SCCM Connectors for Microsoft Visio
O.K., so I suppose for some people these products are old news but I came across them this week when creating detailed documentation for some clients and found the add-ons they provide are quite useful and informative when creating Visio Network Diagrams for clients.
Basically, these add-ons allow you to add MBSA security scan reports to your individual or collective servers and computers on any given LAN and can then change the color of your server stencil depending on the security status of the machine - e.g. Red for Critical, Yellow for Information and Green for all good!
It will also update the properties of the stencil to tag in the MBSA report and provide more detailed information too.
Here are the links to them if you're interested!
http://blogs.msdn.com/b/nickmac/archive/2008/04/14/microsoft-visio-toolbox.aspx
http://technet.microsoft.com/en-us/security/cc184925.aspx
Thursday, September 16, 2010
IE 9 Beta Released!
Click below to read about the new Internet Explorer 9 Web Browser from Microsoft. Looks nice at first glance, getting more and more integrated like Windows Explorer and some nice features such as pinned websites too!
http://blogs.technet.com/b/uktechnet/archive/2010/09/15/internet-explorer-9-beta-for-it-professionals-ie9-a-guest-post-by-simon-may.aspx