Sunday, September 28, 2014

Direct Access - IPHTTPS interface creation failed 0x643

Today I had an issue with a Windows 7 Enterprise laptop on my domain failing to successfully create a Direct Access connection to my Windows Server 2012 R2 server.  The error raised on the HTTPSTunnel interface was 0x643 with a status of IPHTTPS interface creation failure.


Also in Device Manager, the httpstunnel interface had a yellow explanation mark.

This problem can be caused by a few things, one of the most common causes is the DisabledComponents DWORD not being set to 0 which in effect disables IPv6 which is required by Direct Access.  Check this under the following registry key:

HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters

Note: If this registry key does not exist, it is the same as having it being set to 0.


Another issue which can cause this error is when the computer looses its trust with the computer account object in Active Directory.  When you bring the computer in and plug it into the internal network, you will see one of these two errors:

The trust relationship between this workstation and the primary domain failed.

 
The security database on the server does not have a computer account for this workstation trust relationship.
 
 
Simply re-join the computer to the Active Directory domain and this will resolve the Direct Access error IPHTTPS interface creation failed 0x643.

Monday, September 22, 2014

Exchange Database file: '-546 The log file sector size does not match the sector size of the current volumn

When attempting to backup an Exchange 2007 server running on Small Business Server 2008 with Backup Exec 2010 R2, the Exchange backup component of the selection failed with the following error in the job log.

Backup- \\SERVER\Microsoft Information Store\First Storage GroupV-79-57344-918 - Unable to complete the operation for the selected resource using the specified options.  The following error was returned when opening the Exchange Database file:  '-546 The log file sector size does not match the sector size of the current volumn. '
Backup- \\SERVER\Microsoft Information Store\Second Storage GroupV-79-57344-918 - Unable to complete the operation for the selected resource using the specified options.  The following error was returned when opening the Exchange Database file:  '-546 The log file sector size does not match the sector size of the current volumn. '


 This error occurred when backing up to a HP Tape Library attached to the server via SCSI.  When I attempted to do a disk based backup with Backup Exec 2010 R2 as a test, it worked successfully.

After leasing with Symantec, it turned out when backing up to tape, Backup Exec requires a temporary staging directory to be use during the backup job.  By default, Backup Exec selects the largest volume with the most available free space.  This cannot be a Removable USB Drive!

Backing up to disk does not require this staging area.

I had a 4TB USB Drive attached to the SBS 2008 server which was causing this issue.  To resolve the issue you need to manually specify what drive to use for staging by following these steps:

1. On the Exchange Server, click Start -> Run and type "regedit".  Click OK.
2. Within the Registry Editor, navigate to HKLM\SOFTWARE\Symantec\Backup Exec For Windows\Backup Exec\Engine\Exchange
3. Right click and add a new String Value, "OnHostTemp".
4. Right click and set the value of OnHostTemp to "C:\Temp"
5. Restart the Backup Exec Remote Agent for Windows Systems service on the Exchange Servers.
6. Run tape backup job of Exchange Resources from media server.

I selected H:\Temp as it had the most available free space on my SBS 2008 server.


After putting this RegKey in place it resolved the issue.

Outlook 2010 and Exchange 2013 Users Prompted for Authentication

Over the past months I have had customers complain about Outlook 2010 users getting prompted for username/password when moving to Exchange 2013.  In previous versions of Exchange server such as 2003, 2007 and 2010, users connected to the Exchange server using RPC or Outlook Anywhere.  Exchange connectivity for clients has changed significantly in Exchange 2013 and now only Outlook Anywhere is supported, with the Exception of MAPI over HTTP for Exchange 2013 SP1 only when using Outlook 2013 SP1 clients.

The following table summaries the connection methods available for the various versions of Outlook and Exchange Server.


The default method of Outlook connecting to the Exchange server has always been to use RPC for
internal connections and Outlook Anywhere for external connections.  As Outlook Anywhere was originally only designed to be used for external connections, the Autodiscover service in Exchange 2007 and 2010 only provided Outlook clients with one set of configuration parameters used for external connectivity.

The screenshot below displays the configuration output from Outlook Anywhere on a Exchange 2010 client access server.  Notice there is only one External Hostname for connectivity and one Client Authentication Method you can specify.


In Exchange 2013 we now have the ability to specify different hostnames and authentication methods based on if the client is internal or external.


The authentication type is very important:
  • NTLM Authentication will leverage the credentials you used when signing into Windows and result in the Outlook client automatically signing in without prompting for authentication.
  • Basic Authentication is clear text authentication which does not use your Windows credentials.  As long as the Basic Authentication is encapsulated within Secure Socket Layer will it be secure.
As a general rule of thumb you want to use Basic Authentication for external connections and NTLM Authentication for internal connections.  You can use NTLM externally as well however I have had issues with it passing through some firewalls and proxy servers on remote networks so I advise my customers to always use Basic Authentication for maximum supportability for remote connections.

Here is where things get a little tricky.  Outlook 2010 RTM only understands the External Autodiscover response for Outlook Anywhere, not the Internal response.  This is shown in the screenshot below, notice the Server address is my ExternalURL and the Authentication is Basic.

This means provided you have split DNS in place for the External FQDN used for connectivity "mail.company.com", your clients will connect but with Basic Authentication.  This will result in the Outlook clients being prompted for authentication.


As of Outlook 2010 SP1 and higher it supports the Internal and External Autodiscover response for Outlook Anywhere which I have displayed below in two screenshots as I needed to scroll down in the Test E-mail AutoConfiguration screen:

Note: I went straight to Outlook 2010 SP2 in the screenshot below.

 
 
To ensure Outlook clients are not prompted for Authentication, ensure they are set to use NTLM authentication.  If Outlook 2010 clients have not been service packed, they will always receive the External authentication method.

In summary make sure you have done the following:
  • Configured your External and Internal Authentication types correctly using the information provided above.
  • Upgraded your Outlook clients to the latest service pack
 I hope this post has been helpful.

Thursday, September 18, 2014

V-79-10000-11226 - VSS Snapshot error Microsoft Exchange 2007

An SBS Customer of mine running Exchange 2007 on Microsoft Windows Server SBS 2008 with Backup Exec 2010 R2 ran into a backup issue where their Exchange 2007 backups with GRT began failing.  The backups had been operational for over 3 years and suddenly started failing with the following errors.

Before I cover of the errors we were experiencing, it is important to note that during this time we also had disk problems with disks in a RAID5 array failing and requiring replacing.  The failing disks also resulted in some slight disk corruption and I needed to repair the Exchange database with eseutil /p.

The following errors were experienced:

- AOFO: Initialization failure on: "\\SERVER\Microsoft Information Store\First Storage Group". Advanced Open File Option used: Microsoft Volume Shadow Copy Service (VSS).
V-79-10000-11226 - VSS Snapshot error. The Microsoft Volume Shadow Copy Service (VSS) snapshot provider selected returned: "Unexpected provider error". Ensure that all provider services are enabled and can be started. Check the Windows Event Viewer for details.


In addition to the above Backup Exec error, the following Windows Application Event Logs were logged:

Log Name:      Application
Source:        VSS
Date:          9/18/2014 7:45:11 PM
Event ID:      12293
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server.domain.local
Description:
Volume Shadow Copy Service error: Error calling a routine on a Shadow Copy Provider {b5946137-7b9f-4925-af80-51abd60b20d5}. Routine details EndPrepareSnapshots({2c88e07d-a06c-4f6f-b826-b6e8bbfd3e10}) [hr = 0x8000ffff].
Operation:
   Executing Asynchronous Operation
Context:
   Current State: DoSnapshotSet


After researching VSS EventID 12293 it brought me to http://support.microsoft.com/kb/924262 which said the resolution was:

"To resolve this issue, you can delete a Snapshot copy that lets you continue with your present backup."

I went and deleted all Exchange VSS backups with diskshadow.exe by using the following commands:

unexposed e:

delete shadows all

Note: E:\ is the volume containing my Microsoft Exchange databases.


After cleaning up the existing shadow copies, Exchange backups resumed to normal.  I believe the problem was introduced due to the disk corruption problems we experienced.

Monday, September 15, 2014

Exchange 2007 Mailbox Import Export Issues with Outlook 2010

A customer of mine experienced two hard disks dying in a RAID5 array over a weekend which held their Exchange 2007 mailbox databases.  They also had no recent backup of the Exchange mailbox databases.

Luckily this customer only has approximately 20 users all who run cached Exchange mode within Outlook 2010.  As a result, their mail was stored locally on each workstation in their OST file.  I went around to each workstation and exported the users mailbox to a PST file.

Next I replaced the disks and rebuild the RAID5 array, created a new NTFS partition and started the Information Store.  This generated new black mailbox databases.

With Exchange 2007, you need to use the legacy Import-Mailbox cmdlet instead of the New-MailboxImportRequest cmdlet available in Exchange 2010 and Exchange 2013.  Import-Mailbox requires a 32bit computer running 32bit version of Outlook.  I downloaded the Exchange 2007 SP3 32bit installation which I installed on a 32bit Windows 7 workstation joined to the domain and installed only the Exchange 2007 Management Tools.

When attempting to import a mailbox it failed with the following error:

[PS] C:\Windows\system32>Import-Mailbox -Identity information -PSTFolderPath C:\pstfiles\info.pst -Verbose

VERBOSE: Import-Mailbox : Beginning processing.
VERBOSE: Import-Mailbox : Trying to open registry key 'Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\OUTLOOK.EXE'.
VERBOSE: Import-Mailbox : The default value of the registry key is 'C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE'.
VERBOSE: Import-Mailbox : The version of Outlook.exe is '14.0.6131.5000'.
VERBOSE: Import-Mailbox : Searching objects "information" of type "ADUser" under the root "$null".
VERBOSE: Import-Mailbox : Previous operation run on global catalog server 'JCC-SBS.domain.local'.
VERBOSE: Import-Mailbox : Processing object "domain.local/MyBusiness/Users/Exchange/Shared Mailboxes/Information".
VERBOSE: Import-Mailbox : Searching objects "jcc-sbs" of type "Server" under the root "$null".
VERBOSE: Import-Mailbox : Previous operation run on domain controller 'JCC-SBS.domain.local'.
VERBOSE: Import-Mailbox : Searching objects "JCC-SBS\First Storage Group\Mailbox Database" of type "MailboxDatabase" under the root "$null".
VERBOSE: Import-Mailbox : Previous operation run on domain controller 'JCC-SBS.domain.local'.

Confirm
Are you sure you want to perform this action?
Importing mailbox content from .pst file 'C:\pstfiles\info.pst' to mailbox 'Information'. This operation may take a long time to complete.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help
(default is "Y"):y

VERBOSE: Import-Mailbox : Ending processing.
VERBOSE: Import-Mailbox : [information] The operation has started.
VERBOSE: Import-Mailbox : [information] Initializing MAPI, loading library.
VERBOSE: Import-Mailbox : [information] Approving object.
VERBOSE: Import-Mailbox : [information] Logging on to the MAPI profile.
VERBOSE: Import-Mailbox : [information] Opening Exchange mailbox.

Import-Mailbox : Error was found for Information (info@domain.com) because: Error occurred in the step: Approving object. An unknown error has occurred., error code: -2147221233
At line:1 char:15
+ Import-Mailbox <<<<  -Identity information -PSTFolderPath C:\pstfiles\info.pst -Verbose
    + CategoryInfo          : InvalidOperation: (0:Int32) [Import-Mailbox], RecipientTaskException
    + FullyQualifiedErrorId : 39DE607E,Microsoft.Exchange.Management.RecipientTasks.ImportMailbox

VERBOSE: Import-Mailbox : [information] The operation has finished.


Most resolutions on the Internet for this problem is to simply run FIXMAPI.exe from a command prompt.  This however did not resolve my issue.  After further research, I found that two updates released by Microsoft for Outlook 2010 cause this problem:
  • KB2597090
  • KB2687623
Simply uninstall these updates from "Programs and Features" in Control Panel.  Make sure you enable "View Installed Updates" so that the updates come up in the list.

After uninstalling these patches, I rebooted the Windows 7 workstation and straight away I was able to import mailboxes and export.