External Connections to Internal Web Servers Over 443 Fail

Probably one of the strangest issues I’ve seen, at least it seemed that way at the time.


2 internal web servers experiencing the symptom, one running 2010 OWA and the other a custom web application on 443. All internal users can hit each page just fine. External users cannot hit the pages and they just receive a timeout. However, if the admin logs into either of the two servers locally or via RDP and then you try again externally, it works and they can hit the web pages. This behavior only happened on 443. Customer was just using a Cisco ASA for their firewall with no web publishing.


Customer was a school district and I was reminded of a former life where I worked for a school district where web filtering was common. We found out that external users could only hit the pages when an Admin was logged into either of the servers; not a regular user. Combined with the below Cisco thread I found when trying to potentially pin this on the ASA it seemed a web filter or Intrusion Detection System was killing our connections.


According to the thread a Filter/IDS on the inside could potentially be issuing resets for web traffic that it did not like. In our case it was the customers “iBoss” content filter that started blocking access after a firmware update. It worked when an Administrator was logged into the web servers because it could filter based on the currently logged on AD account and there were exclusions for the Admins.

Doing a Disaster Recovery on a Exchange Server that is also a DC

email_exchange_iconHave you every worked on a failed exchange server that also happens to be a DC (not recommended, but it happens)

Well if you do and you find yourself trying to recover it here is how you can.

  1. Note critical information
    1. What are the drive letters
    2. Where is the logs and database located
    3. What is the service pack level
  2. Remove data from server
  3. Format and re-install the OS – using the same drive letters
  4. Seize Roles if they were on the failed server
  5. Run through a metadata cleanup to remove the failed server from AD
  6. Replicate changes to all DCs
  7. Join rebuilt server to the domain  – Using the Same name
  8. Add the Server object to the correct exchange groups
    1. Exchange 2007 – “Exchange Servers”, “Exchange Install Domain Servers”
    2. Exchange 2010 – “Exchange Servers”, “Exchange Install Domain Servers”, “Exchange Trusted Subsystem”
    3. Exchange 2003 – “Exchange Domain Servers”
  9. Windows Update the Server
  10. Do a disaster recovery install of exchange
    1. Exchange 2003 = setup /disasterrecovery
    2. Exchange 2007\2010 = Setup.com /m:recoverserver
  11. Restore data using backup application or recovered databases from failure
  12. and away you go!

Manual uninstall of Exchange 2k7 Edge server

When trying to uninstall Edge role you receive this message
“cannot find information about the local server in active directory. this may be related to a change in the server name”.

Even after setting name back to the original still cannot uninstall
If possible the best solution is to use remove-edgesubscription from the hub server, and format and re-install the edge server role.

Or if this is not possible

Perform a manual uninstall of Exchange Edge role

WARNING: Always be sure to have a backup of a Domain controller system state and registry of the server before making any changes

  1. 1. Install and use “Windows Installer Cleanup Utility” to uninstall Exchange all 2007 entries on the edge server
    1. Use ADSIEdit.msc (may need to install from support tools) to remove the following entries
      1. Open ADSIedit.msc on the domain controlle
        1. Right click ADSI Edit and click connect to
        2. Select Configuration under well known naming contex
        3. Select Default (domain or computer that you logged in to
        4. Click o
      2. Browse to CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=First Organization, CN=Administrative Groups, CN=Exchange Administrative Groups (FYDIBOHF23SPDLT), CN=Servers
        1. Delete CN=<edgeserver
    2. Open ADSIedit.msc on the Edge serve
      1. Right click ADSI Edit and click connect to
        1. Click Advanced and change port to: 50389
        2. Select Configuration under well known naming contex
        3. Select Default (domain or computer that you logged in to
        4. Click ok
      2. Browse to CN=Configuration, CN=Services
        1. Delete CN=”Microsoft Exchange” key
  2. Delete DNS entry for edge (not sure that was needed either)
  3. On the edge Server run Regedit
    1. Delete all the MSExchange keys under HKLM\System\currentcontrolset
    2. Delete HKLM\software\microsoft\Exchange
    3. Delete HKLM\SYSTEM\Currentcontrolset\services\ADAM_MSExchange
    4. Delete HKLM\SYSTEM\Currentcontrolset\services\ EdgeCredentialsvc
    5. Delete HKLM\software\microsoft\software\windows\currentVersion\uninstall\ADAM_MSExchange$0
    6. Delete HKLM\software\microsoft\software\windows\currentVersion\uninstall\Microsoft Exchang
  4. Delete c:\program files\Microsoft
  5. Renamed c:\ExchangeSetupLogs to c:\old_ExchangeSetupLogs
  6. reinstall Edge

WWW Service Missing !!

While not specificaly a exchange issue but could be on a Exchange server.
Had a situation where the WWW service was missing even after re-installing IIS.

Turns out there was a Group policy that changed permissions on the registry and did not allow the install.


  1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
  2. Give full control to the administrators group on the SVCHOST key
  3. Un-install WWW service only
  4. Re-install WWW service

Now the service should be there and running

Folder Redirection Walkthrough

I know this isn’t Exchange related, but I ran across a customer that needed a walk through and couldn’t find exactly the walk-through I wanted for him.

First you need a location to put your redirected files

So the first thing we need to do is make a share on the server

  1. Create a new folder
  2. Right click the folder and choose sharing
    1. on the sharing tab choose everyone  – Full.
    2. on the security tab choose Users  – modify
  3. Now verify you can access the location  \\server\share with the client system as the user (not an administrator)

Second you need to create\configure a GPO

  1. Open “Group policy management” (what you don’t have that?? well better get it here)
  2. Right click the domain and choose “Create a GPO in this domain….”
  3. Name it Doc Redirection (or anything you like)
  4. Now Right click -> edit on the new GPO
    1. Expand the User Configuration Node
    2. Expand Policies
    3. Expand Windows Settings.
    4. Expand Folder Redirection.
    5. Select the folder you wish to redirect (in our case Documents), right-click, and choose Properties.
    6. On the Folder tab from the Properties dialog box, select the setting for redirection from the dropdown list:
      • Not configured: Redirection will not occur on this folder; this is the default.
      • Basic: Redirect everyone’s folder to the same location. You can configure the target options associated with this selection. These settings tell Windows where to put the redirected data.
      • Advanced: we aren’t covering this here
      • Target: Create a folder for each user under the root path
    7. Once the destination choices are made, enter the network share path where the data will be redirected, for example \\server\share. (remember the one we created and tested earlier)
    8. on the settings Tab are settings regarding exclusive rights to redirected content and the handling of existing content in the original locationimage
    9. Then, click OK.
      Configure the other folders to be redirected as needed.

Third Force the policy to apply (it will happen on its own but who wants to wait!)

  1. Login to the PC, click start -> run
  2. Type GPUPDATE/Force
  3. Log off
  4. log in
  5. Right click My Documents -> properties (what is the path location? did it change?)

Troubleshooting and notes

  1. When setting permissions don’t set a deny
  2. verify you can get to the share and make a file
  3. run gpresult from a CLI window on the client to make sure the policy is applied
  4. Processes only works for domain users\PCs (obvious but it had to be said)
  5. Always make a new GPO don’t edit the defaults

Exchange Prerequisites Scripts

Exchange 2010 on windows 2008 R2

Copy this to a notepad and save with a .ps1 extension to install pre-req, run From elevated Powershell prompt  – Kudos to Anderson Patricio for the script

or you can get the version that downloads the filter pack from Bhargav

You also need to set the Powershell Execution Policy so you can run the scripts

Set-ExecutionPolicy Unrestricted or Set-ExecutionPolicy RemoteSigned

write-host Exchange Server 2010 – Pre-requisites script
write-host Please, select which role you are going to install..
write-host ‘1) Hub Transport’
write-host ‘2) Client Access Server’
write-host ‘3) Mailbox’
write-host ‘4) Unified Messaging’
write-host ‘5) Edge’
write-host ‘6) Typical (CAS/HUB/Mailbox)’
write-host ‘7) Client Access and Hub Transport’
write-host ‘9) Configure NetTCP Port Sharing service’
write-host ’10) Install 2007 Office System Converter: Microsoft Filter Pack – Only if you are installing Hub or Mailbox Server role’
write-host ’13) Restart the computer’
write-host “Select an option.. [1-13]? ”
$opt = read-host

Import-module ServerManager

switch ($opt)
        1 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server }
        2 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy }
        3 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server}
        4 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience }
        5 { Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS }
        6 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy }
        7 { Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy }
        9 { Set-Service NetTcpPortSharing -StartupType Automatic }
        10 { Write-warning ‘Download it from here: http://tinyurl.com/36yrlj’}
        13 { restart-computer }
        default {write-host “You haven’t selected any of the available options. “}

Exchange 2010 on windows 2008 R1

Dejan Foro has made a script to install 2010 on 2008 R1

Exchange 2007 on windows 2008 R1

Simon Gallagher has a script for 2k7/R1

Exchange 2007 on windows 2003

Still have to do it manually 😦

MS KBS with prerequisite info

How to reinstall a dynamic DNS Active Directory-integrated zone

Info based on KB294328 and revamped for 2003 and 2008

The following steps can remove the defective information in Active Directory-integrated DNS:

  1. Go to the properties of the DNS zone files and change them to be a “Standard Primary”. (on 2008 un check the Box “Store the Zone in active directory”)
  2. In the %Systemroot%\windows\System32\DNS folder, delete the text DNS Zones files.
  3. Delete the object in Active Directory Users and Computers.
  4. On the View menu, click Advanced Features, expand the System folder, click MicrosoftDNS, and then delete the zone file objects. (they may not exist here and that is OK)
  5. For each Active Directory-integrated DNS server, repeat steps 1-3.
  6. In the Transmission Control Protocol/Internet Protocol (TCP/IP) properties of the first Active Directory-integrated DNS server, point it to itself. For any other DNS servers, point all of them to the first DNS server that you bring up.
    NOTE: Do not change the properties of any additional Active Directory-integrated DNS servers to point to themselves until you have confirmed that a full and complete zone transfer has occurred from the first Active Directory-integrated DNS server after the rebuild process.
  7. To obtain proper resolution, you must clear the Caching Resolver, which is the DNS client on the DNS server. At the command prompt, type: ipconfig /flushdns.
  8. 8.Remove and re-add the DNS service (add remove/programs Windows Components->Networking services ),
  9. In the DNS Server under the forward lookup Zones right click the domain (i.e. my domain.com) and the _msdcs Zones and select delete. (this will remove all static and stale data and allow DNS to re-generate Dynamic Data)
  10. Now Re-create the zone you deleted (ie mydomain.local)
  11. Stop and restart DNS and the NetLogon service..
    NOTE: You can use the net stop netlogon command and the net start netlogon command for the NetLogon service that registers information in DNS. Also, you can use the net stop dns and net start dns commands (to stop and start the DNS service) if DNS has not been totally removed. Or, you can stop and start the NetLogon service and the DNS service in Control Panel, in Services, or you can restart the computer.
You have completed the process to clear out a DNS server.
You must complete the process for any additional DNS servers that you plan to integrate with Active Directory.
The following steps can assist you to build a strong foundation for DNS, Active Directory, and FRS:
  1. Configure all DNS servers to point to the same DNS server in the domain or forest under TCP/IP properties in DNS: Right-click My Network Places, click Local Area Connection, right-click Local Area Connection, click Properties, select the properties of TCP/IP, and then point all DNS servers to the same DNS server. Also, click the Advanced DNS tab, and then confirm that secondary DNS servers are not configured.
  2. Re-add the DNS service, or re-add the zones and configure them to be Active Directory integrated. For troubleshooting purposes, you may want to set “Allow Dynamic Updates?” to Yes. Later, you can change this setting to “Allow Only Secure Updates”.
  3. Stop the DNS service and the NetLogon service by using either a command or the Computer Management snap-in.
  4. Run the ipconfig /flushdns command, and then run the ipconfig /registerdns comand. This command can help you to register your A resource record for DNS as well as your start of authority (SOA). You may want to run this command on any other servers that are critical to you.
    NOTE: The Dynamic Host Configuration Protocol (DHCP) client service needs to be running on each of these computers to register the records in Dynamic DNS. It is not relevant if the computer is a DHCP client or not. You must have this service set to “start” and the “Start up” type set to “automatic.” The DHCP client service is what registers records in Dynamic DNS. (Refer to the description in the Computer Management snap-in.)
  5. Active Directory-integrated DNS is now working on your first Dynamic DNS server. You must point additional Dynamic DNS servers to the first DNS server under TCP/IP properties. You must confirm that a full and complete replication process has occurred before you change the TCP/IP properties to point to itself for any additional DNS servers.