Exchange 2007/2010 Linked Mailboxes

Every time I've done a migration from Exchange 2003 to Exchange 2007 or 2010, one or two mailboxes, for their own unknown reason, decide they wish to come over as a linked mailbox. A linked mailbox is only needed when the mailbox is going to be accessed by an account in a different trusted forest, so why, in a single forest, single domain environment, do these keep appearing? If anyone genuinely knows the reason I'd love to know! (The mechanics at least are known: Exchange 2007/2010 reports a mailbox as linked when the user object carries a master account SID other than SELF in the msExchMasterAccountSid attribute, which is what the Exchange 2003 "Associated external account" mailbox right writes; clearing that attribute is exactly what Set-User -LinkedMasterAccount $null does.)

Originally it appeared you had to detach the mailbox from the account and re-associate it by hand; there now appears to be an easier way, but most guides do not quite explain it properly, which initially makes you think the command has failed.

The first command sets the linked master account to nothing, which removes the linked mailbox status:

[PS] C:\Windows\system32>Set-User -Identity user@domain.local -LinkedMasterAccount $null

However, when I ran it I got this error:

A positional parameter cannot be found that accepts argument '-LinkedMasterAccount'.
+ CategoryInfo          : InvalidArgument: (:) [Set-User], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Set-User

That error means the shell never recognised -LinkedMasterAccount as a parameter name at all: it tried to bind the text to a positional parameter, found none, and did not run the command. The usual cause when the line has been pasted from a web page is a Unicode dash in place of the ASCII hyphen, so retype the command by hand before assuming the cmdlet lacks the parameter. So then, to verify, I checked with this command:

[PS] C:\Windows\system32>Get-User -Identity user@domain.local

Name                          RecipientType
----                          -------------
User                          UserMailbox

Despite the big error saying you've failed, this looks like you have achieved what you set out to, but it proves nothing: the RecipientType column reads UserMailbox for a linked mailbox just as it does for an ordinary one. The property that tells the two apart is RecipientTypeDetails, which reads LinkedMailbox or UserMailbox. So then, being a happy little bunny, you pop back over to your GUI list of users and find that wait, no! The Linked Mailbox still exists. Nobody is lying here; the Set-User command simply never ran, and Get-User's default output could not have told you either way.

Here, then, is the way I originally mentioned to complete this task:

1) From your Exchange Management Console view the list of mailboxes under "Recipient Configuration > Mailbox".

2) In the properties, make a note of all the aliases and e-mail addresses the problematic user has, as these will be lost!

3) Right click the problematic account and choose the option "Disable".

4) Under "Recipient Configuration > Disconnected Mailbox" you will find the user's mailbox. If you do not see it yet, run the following PowerShell command, which updates the list (it sounds like a bad command to run, but don't worry!):

Clean-MailboxDatabase "Database Name"

5) Right click the mailbox under Disconnected Mailbox and you can then connect it to the previous user account as a User Mailbox!

Much easier to remember than the PowerShell command too, in my opinion.
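The same job scripted end to end, as an added example rather than code from the original post: it checks RecipientTypeDetails first, tries the Set-User one-liner, and only if the mailbox is still linked falls back to the disable, clean and reconnect procedure, restoring the saved proxy addresses afterwards. The user, database and domain controller names are assumptions; run it from the Exchange Management Shell on an Exchange 2007/2010 server.

```powershell
# Added example (not from the original post): convert a mailbox that migrated as
# "linked" back to a plain user mailbox. Assumed names: user@domain.local,
# the domain controller dc01.domain.local; the database is read from the mailbox.
$Identity         = 'user@domain.local'      # assumption
$DomainController = 'dc01.domain.local'      # assumption: pin every call to one DC

# 1. Confirm it really is linked. RecipientType is UserMailbox for both kinds,
#    so RecipientTypeDetails is the property that matters.
$mbx = Get-Mailbox -Identity $Identity -DomainController $DomainController
"{0}: {1} (LinkedMasterAccount={2})" -f $mbx.Alias, $mbx.RecipientTypeDetails, $mbx.LinkedMasterAccount
if ($mbx.RecipientTypeDetails -ne 'LinkedMailbox') { return }

# 2. Save what Disable-Mailbox would throw away, in case the fallback is needed.
$savedAlias     = $mbx.Alias
$savedAddresses = $mbx.EmailAddresses
$database       = "$($mbx.Database)"

# 3. Try the one-liner. Type the hyphen yourself: a pasted Unicode dash produces
#    "A positional parameter cannot be found that accepts argument '-LinkedMasterAccount'".
Set-User -Identity $Identity -LinkedMasterAccount $null -DomainController $DomainController

$check = Get-Mailbox -Identity $Identity -DomainController $DomainController
if ($check.RecipientTypeDetails -eq 'UserMailbox') {
    "Converted with Set-User; nothing else to do."
    return
}

# 4. Fallback: detach the mailbox, make it show up under Disconnected Mailbox,
#    and reconnect it to the same account as an ordinary user mailbox.
Disable-Mailbox -Identity $Identity -DomainController $DomainController -Confirm:$false
Clean-MailboxDatabase -Identity $database          # updates the disconnected state

$orphan = Get-MailboxStatistics -Database $database |
    Where-Object { $_.DisconnectDate -ne $null -and $_.DisplayName -eq $mbx.DisplayName }
if (-not $orphan) { throw "Disconnected mailbox for $($mbx.DisplayName) not found in $database" }

Connect-Mailbox -Identity "$($orphan.MailboxGuid)" -Database $database `
    -User $Identity -Alias $savedAlias -DomainController $DomainController

# 5. Put the proxy addresses back. Leave the address policy off if any of them
#    were custom, otherwise the next policy run strips them again.
Set-Mailbox -Identity $Identity -EmailAddressPolicyEnabled $false `
    -EmailAddresses $savedAddresses -DomainController $DomainController

# 6. Final check: expect UserMailbox.
(Get-Mailbox -Identity $Identity -DomainController $DomainController).RecipientTypeDetails
```

Pinning every cmdlet to one domain controller matters here: Disable-Mailbox and Connect-Mailbox in quick succession against different DCs can fail on replication lag, and the mailbox appears under Disconnected Mailbox only after the store has noticed the change, which is what the Clean-MailboxDatabase call forces.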


Windows Server 2008 R2 DNS & WPAD Annoyances

I was working on a single-site Active Directory environment which had three Windows Server 2003 Domain Controllers. A couple of weeks ago I built a new physical Domain Controller, and a second virtual one, both on a shiny new Windows Server 2008 R2 build.

All appeared well: the DCs were replicating nicely and my own machine had been using them to resolve DNS for a good couple of weeks. So one morning I scheduled a change to the DHCP scope for some user VLANs to use the new DNS servers.

Later that morning random users were reporting that their Internet access wasn't working and that they were getting denied pages back from the ISA server. We do not allow general Internet access for end users unless they go through a filtering proxy, the details of which are supplied via a WPAD file.

I checked the machines and found that WPAD was indeed set inside Internet Options, and that the web server was up, but the file wouldn't download. I opened nslookup and queried an old DNS server for wpad and got the correct IP address of the internal web server. I then tried a new one and got wpad.co.uk returned rather than our company's web server. That answer is worth noticing in its own right: a client that cannot resolve wpad internally walks on through its DNS suffix search list, and an answer from a public zone means it would happily take someone else's proxy configuration, which is precisely the sort of hijack discussed below.

I then tried the FQDN for wpad: the old server returned it fine, the new server returned unknown host. I opened the DNS console and the wpad record existed on all five DNS servers on the company network. I deleted and recreated it just to be sure, but still got the same results.

After a small amount of googling I found that Windows Server 2008 and 2008 R2 DNS has a new security feature, the global query block list: by default the server refuses to answer queries for a short list of names it considers a threat (wpad and isatap), even when a record for the name exists in the zone. The reason is not that the location of your WPAD file is secret; it is that in a zone which accepts dynamic updates any machine able to register a name could register wpad and have every proxy-autodetecting client send its web traffic through it. So yes, your Windows Server 2008 R2 DNS server refuses to respond for wpad. Great work guys, because then not even legitimate users can resolve it.

I can understand not having wpad resolvable from the outside world, but I really hope there aren't any Active Directory admins out there who place their Domain Controller where it is publicly resolvable from the Internet.

Since all our DNS servers are completely internal and no outside user can reach them, I figured that any record I create will want to be resolvable internally, so I simply disabled the block list. Unfortunately the list is per server, so you have to remember to do this on every DNS server you add, but it is a quick one-line command. The narrower option is to take only wpad off the list and leave isatap blocked, and in either case keep the zone on secure dynamic updates so that only the account you expect can write the wpad record.

Here is a link to a Technet article: http://technet.microsoft.com/en-us/library/cc816908(WS.10).aspx
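The dnscmd commands involved, as an added example rather than the exact one-liner from the original post: inspect the block list on each new 2008 R2 DNS server, release wpad (or switch the list off, which is what the post does), restart the DNS Server service and verify. Server names and the zone are assumptions.

```powershell
# Added example (not from the original post): global query block list on
# Windows Server 2008 R2 DNS servers. Assumptions: the two new 2008 R2 DCs are
# dc04 and dc05 in domain.local. The list is per server, so loop over all of them.
$DnsServers = 'dc04.domain.local', 'dc05.domain.local'   # assumption
$Zone       = 'domain.local'                              # assumption

foreach ($server in $DnsServers) {
    "=== $server ==="
    # Current state. A default 2008 R2 server reports the list enabled (1)
    # and the names "wpad isatap" on it.
    dnscmd $server /Info /EnableGlobalQueryBlockList
    dnscmd $server /Info /GlobalQueryBlockList

    # The record is there in the zone; the block list stops the server answering
    # for it anyway, which is why the console looks fine while queries fail.
    dnscmd $server /EnumRecords $Zone wpad /Type A

    # Option A, what the post does: switch the whole list off on this server.
    #   dnscmd $server /Config /EnableGlobalQueryBlockList 0
    # Option B, narrower: keep the list on but replace its contents with isatap
    # only, so just wpad is released. /GlobalQueryBlockList sets the entire list.
    dnscmd $server /Config /GlobalQueryBlockList isatap

    # Restart the DNS Server service so the change is definitely picked up.
    Get-Service -ComputerName $server -Name DNS | Restart-Service

    # Security check: the zone should only accept secure dynamic updates
    # (update = 2), otherwise any host could register wpad for itself.
    dnscmd $server /ZoneInfo $Zone | Select-String -Pattern 'update'
}

# Verify from a client: the FQDN must now come back with the internal address
# from every new server, and the short name must stop wandering off to a public zone.
foreach ($server in $DnsServers) { nslookup "wpad.$Zone" $server }
```

If the ZoneInfo line shows update = 1 (nonsecure and secure), `dnscmd <server> /Config <zone> /AllowUpdate 2` puts the zone back on secure updates only; with that in place, releasing wpad from the block list only exposes the record you created yourself.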


IPv6 is Coming.. No Seriously This Time!

Earlier this month the final five IPv4 /8 blocks were allocated by IANA to the Regional Internet Registries, which means there are no more unallocated /8s left to give out. The regional registries will continue to make allocations to the Internet Service Providers, but once a registry uses up its last available addresses there will be no more IPv4 addresses for any ISP in that region, and once an ISP runs out there will be none for its end users.

Now, while this is a major problem, it is not one that is going to affect your home broadband tomorrow; as an IT professional, though, it's likely your organisation uses some sort of Internet-based service, whether that be e-mail or any number of online web services, so I really suggest being prepared. Most good IP transit providers are already IPv6 enabled; the IPv6 Internet is out there already, and all that is lacking is for ISPs to make the move to ensuring they can provide IPv6 services to their end users.

I worked for a company which provided online marketing applications hosted on its own infrastructure, and I made that network IPv6 enabled over 18 months ago. I am now working for a financial software company which is looking to provide new online services; I will be making their network IPv6 enabled from day one and may even look to provide services such as HTTP, HTTPS, SMTP and DNS over both IPv4 and IPv6.

Why?

Because one day, and we cannot be sure of the exact date, we will encounter an Internet end user who is IPv6 only, and we need to be sure we're ready to provide services to that user.

It takes time to test software and hardware to be sure they're compatible with IPv6, and time to ensure your network runs correctly under it, so take advantage of this window now to get your knowledge up to speed and your configuration tested before it becomes part of your production infrastructure, rather than running into the situation where you need to make changes and have to start scheduling maintenance windows to get it all set up properly. That testing should include your security controls: firewalls, ACLs and logging that were only ever configured for IPv4 pass IPv6 traffic without comment, and most current client operating systems already have IPv6 enabled by default.

Don't sit back; get into it now, as I guarantee you that if you develop good IPv6 skills people will be asking for them in the next few months and there will be a shortage of supply to meet the demand.

If you wish to learn more about IPv6 and play on the real, live IPv6 Internet, then I recommend you contact your service provider and enquire about whether they can offer you the service now.

If not, don't jump on the phone ready to move ISPs; try out a tunnel broker. For the past year I've been using Hurricane Electric's free IPv6 tunnel broker, with my own Cisco 1841 router on my broadband line as the endpoint for the IPv6-over-IPv4 tunnel. They give you a /64 subnet by default, but you can also request a /48 per tunnel, which means I have plenty of IPv6 addresses for my internal network to play with.

Check them out at http://www.tunnelbroker.net
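What the router end of such a tunnel looks like, as an added example and not the configuration from the original post: a 6in4 (IP protocol 41) tunnel to a tunnel broker on a Cisco ISR, plus the inbound IPv6 filter that is easy to forget, because once the tunnel is up every host on the routed prefix is reachable from the IPv6 Internet with no NAT in the way. All addresses, prefixes and interface names are assumptions (documentation ranges from RFC 5737 and RFC 3849); substitute the server IPv4 address, the tunnel /64 and the routed /64 or /48 from the broker's tunnel details page.

```cisco
! Added example, not from the original post. Assumptions: 192.0.2.10 is the
! broker's IPv4 tunnel server, 2001:db8:1::1/2 are the server/client ends of the
! tunnel /64, 2001:db8:2::/48 is the routed prefix, FastEthernet0/0 carries the
! public IPv4 address (use Dialer0 if the router does the PPPoE itself) and
! FastEthernet0/1 is the LAN.
ipv6 unicast-routing
ipv6 cef
!
ipv6 access-list TUNNEL-IN
 remark ICMPv6 is not optional on IPv6 (path MTU discovery, neighbour discovery)
 permit icmp any any
 remark replies to sessions started from inside
 permit tcp any any established
 permit udp any eq domain any
 permit udp any eq ntp any
 remark everything else arriving from the IPv6 Internet is dropped and logged
 deny ipv6 any any log
!
interface Tunnel0
 description 6in4 tunnel to the tunnel broker
 no ip address
 ipv6 address 2001:DB8:1::2/64
 ipv6 enable
 ipv6 traffic-filter TUNNEL-IN in
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.10
 tunnel mode ipv6ip
!
interface FastEthernet0/1
 description LAN, first /64 out of the routed /48
 ipv6 address 2001:DB8:2:1::1/64
 ipv6 enable
!
ipv6 route ::/0 Tunnel0
```

Two things to check before blaming the config: the IPv4 side must pass protocol 41 to the router (a broadband modem or firewall in front of it will usually drop it), and the broker needs to be able to ping your IPv4 endpoint. Then `ping ipv6 2001:DB8:1::1` should answer from the server end of the tunnel, and `show ipv6 interface brief` and `show ipv6 route` should show Tunnel0 up with the default route pointing at it. The ACL above is stateless; where the IOS feature set supports it, `ipv6 inspect` or the zone-based firewall gives proper return-traffic tracking instead of the `established` keyword and the port 53/123 reply rules.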


Building a Frame Relay Switch in The Lab.

As part of Cisco certification studies, Frame Relay is used to simulate WAN topologies. While in the real world it is unlikely to be used, as newer technologies such as MPLS and Metro Ethernet are taking over the WAN connections world, it is still a useful way of understanding how point-to-point and point-to-multipoint WAN connections work.

To create a switch in the lab you just need a Cisco router with multiple serial interfaces. I recommend something like a Cisco 2521 or 2522, depending on whether you want a 4-port or 8-port switch. These can be picked up on eBay at very reasonable prices! For this demo I am using a Cisco 2521 running IOS 11.2 which was rescued from the skip. Before we begin we need to wipe any configuration off the router with "erase startup-config" and then "reload". When the router comes back up, say no to the initial configuration dialog.

The first step is to enable Frame Relay switching with the command "frame-relay switching"; this enables the feature on the router, just as "ip routing" enables routing.

Next we go to each serial interface we want to use and set up its basic settings. First set the clock rate to a speed of your preference; the speed you can use depends on the type of serial interface your router has, so some ports allow a clockrate of 2000000 while others only allow 115200. A clock rate is needed at all because the DCE end of each serial cable attaches to the switch. Next set the encapsulation of the interface to Frame Relay. So under each interface enter the following commands. The final one is separate from the cabling: it tells the router to act as the Frame Relay DCE on that interface, i.e. the switch side of LMI, which is what the attached routers expect to talk to.

clockrate 2000000
encapsulation frame-relay
frame-relay intf-type dce

Next we need to set up the DLCI routes for each interface. I number the DLCIs as follows: 102 means interface 1 to interface 2, and 304 means interface 3 to interface 4. Remember that DLCIs are locally significant and can be different at each end, so between interfaces 1 and 2 (and vice versa) I create the DLCIs 102 and 201.

You may be fine with one set of DLCIs, but in my setup I also added a second set with a 2 in the middle (122, 221 and so on), which gives me two paths between each pair of routers. The reason is that if I ever want to do a lab where a router has two redundant point-to-point links, I can just use the alternative DLCIs. In fact I never remove the Frame Relay switch and its cables from my lab: if I am doing a lab based purely on point-to-point networks I still use the Frame Relay switch to emulate the point-to-point links. This way my lab is quick to reuse and never requires re-cabling between scenarios.

To create the routes we use the command "frame-relay route <source DLCI> interface <serial x> <destination DLCI>", for example "frame-relay route 102 interface Serial1 201".

Here is an example configuration of a 2 interface frame relay switch setup:

frame-relay switching
interface Serial0
clockrate 2000000
encapsulation frame-relay
frame-relay intf-type dce
frame-relay route 102 interface Serial1 201
!
interface Serial1
clockrate 2000000
encapsulation frame-relay
frame-relay intf-type dce
frame-relay route 201 interface Serial0 102

While this looks pretty simple, the more interfaces you add the more the frame-relay route commands multiply, so I've also included a complete configuration for a 4-port switch with dual paths for you to use as a template:

version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname FRS
!
!
partition flash 2 8 8
!
no ip routing
no ip domain-lookup
frame-relay switching
!
interface Serial0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 clockrate 2000000
 frame-relay intf-type dce
 frame-relay route 102 interface Serial1 201
 frame-relay route 103 interface Serial2 301
 frame-relay route 104 interface Serial3 401
 frame-relay route 122 interface Serial1 221
 frame-relay route 123 interface Serial2 321
 frame-relay route 124 interface Serial3 421
!
interface Serial1
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 clockrate 2000000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0 102
 frame-relay route 203 interface Serial2 302
 frame-relay route 204 interface Serial3 402
 frame-relay route 221 interface Serial0 122
 frame-relay route 223 interface Serial2 322
 frame-relay route 224 interface Serial3 422
!
interface Serial2
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 clockrate 115200
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0 103
 frame-relay route 302 interface Serial1 203
 frame-relay route 304 interface Serial3 403
 frame-relay route 321 interface Serial0 123
 frame-relay route 322 interface Serial1 223
 frame-relay route 324 interface Serial3 423
!
interface Serial3
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 clockrate 115200
 frame-relay intf-type dce
 frame-relay route 401 interface Serial0 104
 frame-relay route 402 interface Serial1 204
 frame-relay route 403 interface Serial2 304
 frame-relay route 421 interface Serial0 124
 frame-relay route 422 interface Serial1 224
 frame-relay route 423 interface Serial2 324
!
interface TokenRing0
 no ip address
 no ip route-cache
 shutdown
!
interface BRI0
 no ip address
 no ip route-cache
 shutdown
!
no ip classless
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login
!
end
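To test the switch you need something plugged into it. As an added example (not from the original post), here are the two routers on the far side of the 102/201 PVC from the two-interface configuration above, using point-to-point subinterfaces so each DLCI behaves like a leased line. Hostnames, IP addresses and the routers' interface names are assumptions; the switch side is the configuration already shown.

```cisco
! Added example, not from the original post. Assumptions: R1 is cabled to the
! switch's Serial0 (local DLCI 102) and R2 to Serial1 (local DLCI 201); both use
! Serial0/0 and the 10.1.12.0/24 link subnet. The switch is the DCE, so no
! clockrate is set here.
!
! --- R1 ---
hostname R1
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay lmi-type cisco
!
interface Serial0/0.102 point-to-point
 description to R2 via FRS, local DLCI 102
 ip address 10.1.12.1 255.255.255.0
 frame-relay interface-dlci 102
!
! --- R2 ---
hostname R2
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay lmi-type cisco
!
interface Serial0/0.201 point-to-point
 description to R1 via FRS, local DLCI 201
 ip address 10.1.12.2 255.255.255.0
 frame-relay interface-dlci 201
```

On the switch, `show frame-relay route` lists each input/output DLCI pair with a status that moves from inactive to active once both attached routers are up and have configured the matching DLCI. On R1, `show frame-relay pvc 102` should read PVC STATUS = ACTIVE and `show frame-relay lmi` should show the status enquiry and status message counters climbing; then `ping 10.1.12.2` proves the circuit. A PVC stuck at INACTIVE means the far router is down or has the wrong DLCI, while DELETED means the router is using a DLCI the switch has no route for. For a redundant-link lab, add a second subinterface on each router using the 122/221 pair from the full template.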

