14 March 2014

What are "Schannel" errors and how to stop logging them

With certain Microsoft products, such as Exchange and Lync, you see your event logs filling up with "Schannel" errors, event ID 36888: "The following fatal alert was generated: 51. The internal error state is 1306."

The event itself doesn't give out a whole lot of information, but here is an explanation for it from TechNet:

When you enable Schannel event logging on a computer that is running Microsoft Windows NT Server 4.0, Microsoft Windows 2000 Server, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2008, or Microsoft Windows Server 2008 R2, detailed information from Schannel events can be written to the Event Viewer logs, in particular the System event log. This article describes how to enable and configure Schannel event logging. 


The internal error state is 1203 - from a support forum: "This event is seen on Windows 2008 R2 running IIS. If a user tries to access a web site using HTTP but specifies an SSL port in the URL, then this event is logged. This event is expected, as the client is trying to use the wrong port or the wrong protocol to access the site.
The error 1203 indicates an invalid ClientHello from the client. This is by design and you can ignore this warning."

If your System eventlog is filling up with "Schannel" errors, and you want to stop this behavior, you can do the following.

Enable/disable logging

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note This registry key is present already in Windows 2000 and XP Professional.
  1. Start Registry Editor. To do this, click Start, click Run, type regedt32, and then click OK.
  2. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  3. On the Edit menu, click Add Value, and then add the following registry value:
    Value Name: EventLogging
    Data Type: REG_DWORD
    Note After you add this property, you must give it a value. See the table in the "Logging options" section to obtain the appropriate value for the kind of events that you want to log.
  4. Exit Registry Editor.
  5. Click Start, click Shut Down, click to select Restart, and then click OK to restart the computer. (Logging does not take effect until after you restart the computer).

Logging options

The default value for Schannel event logging is 0x0000 in Windows NT Server 4.0, which means that no Schannel events are logged. In Windows 2000 Server and Windows XP Professional, this value is set to 0x0001, which means that error messages are logged. Additionally, you can log multiple events by specifying the hexadecimal value that equates to the logging options that you want. For example, to log error messages (0x0001) and warnings (0x0002), set the value to 0x0003.

Value                   Description
0x0000                  Do not log
0x0001                  Log error messages
0x0002                  Log warnings
0x0004                  Log informational and success events
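As an added example (not part of the original post), this PowerShell reads the current EventLogging value, decodes it against the table above and sets a new one; it assumes an elevated shell and the key path from step 2 of the KB text.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell session.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Flag values from the "Logging options" table; they can be OR-ed together (0x0003 = errors + warnings).
$SchannelLogFlags = @(
    @{ Bit = 1; Name = 'Log error messages' }
    @{ Bit = 2; Name = 'Log warnings' }
    @{ Bit = 4; Name = 'Log informational and success events' }
)

function Get-SchannelEventLogging {
    # Returns the current value (0 when the value is absent) and what it means.
    $item  = Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.EventLogging }
    $meaning = foreach ($f in $SchannelLogFlags) {
        if ($value -band $f.Bit) { $f.Name }
    }
    if (-not $meaning) { $meaning = @('Do not log') }
    [pscustomobject]@{
        Value   = ('0x{0:X4}' -f $value)
        Meaning = ($meaning -join ', ')
    }
}

function Set-SchannelEventLogging {
    # Creates the REG_DWORD if it is missing, overwrites it otherwise.
    # The change only takes effect after a reboot, as the KB text says.
    param(
        [Parameter(Mandatory)]
        [ValidateRange(0, 7)]
        [int]$Value
    )
    New-ItemProperty -Path $SchannelKey -Name EventLogging -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host ("EventLogging set to 0x{0:X4}; reboot required before it takes effect." -f $Value)
}

Get-SchannelEventLogging
# To quiet the System log while keeping genuine TLS failures visible, keep errors (1)
# rather than switching Schannel logging off entirely (0):
# Set-SchannelEventLogging -Value 1
```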

Source


12 March 2014

How to renew Lync Edge server "webserver" certificate

Once a year it's time to do this, and probably, just like me, you think: how did I do this last year?
So, to never forget or have to look it up each year, here goes:

1. Inside your Lync environment, click on Start -> All Programs -> Microsoft Lync Server 2010 -> Lync Server Deployment Wizard.

2. Click on Install or Update Lync Server System.

3. Under Step 3, click on Run Again.

4. Select the certificate you would like to renew and click on Request.
5. Click Next.
6. Select Prepare the request now, but send it later (offline certificate request), and click Next.

7. Select where you want the request to be saved and click Next.
8. Click Next in the Certificate Template window.
9. Specify a name you want to use for identifying this certificate, and select "Mark the certificate's private key as exportable".

10. Enter the organization and organizational unit name, as well as the geographical location, on the next window.
11. The next window lists the Subject Names that will be included in the certificate; click Next.
12. If you are requesting a certificate for an Edge server, you will be able to select your SIP domain; click Next.
13. In this window, you will have to enter all of the Subject Alternative Names used in your Lync environment, for example lync.domain.com, edge.domain.com, dialin.domain.com, meet.domain.com etc.

14. Verify your information and click Next.
15. Click Next to generate the request, then click Finish.
16. Now that you have your CSR file, send it to your SSL provider or your local PKI environment. When you get your new certificate files, right-click each one and select Install Certificate.
17. Go back to the Lync Certificate wizard and click Assign. Look for the friendly name you created in step 9 and select it. Click Next until the certificate is assigned.
18. Restart the Lync services; they should start right up. Check for any errors in the Event Viewer.

If you plan on using the same certificate on your other Lync servers, you will have to use the Microsoft Management Console Certificate Snap-in to export and import the certificate to other servers. Now repeat from step 16.

Source 1
Source 2

05 March 2014

VSS Writer showing retryable error and how to reset them

When backups fail with Exchange, one of the first things I look for are the VSS writers.
These writers provide the snapshot function for Windows and third-party backup products.

If the status shown is "Retryable error", "Waiting for completion" or anything other than "Stable", things might go wrong.
I say might because the state shown is the writer's last state, not necessarily its actual state.

To check the status from a command prompt:

vssadmin list writers

To check the status in PowerShell (lists only writers that are not Stable / No error):


& vssadmin list writers | Select-String -Context 0,4 '^writer name:' | Where-Object {
    # PostContext[2] is the "State:" line, PostContext[3] the "Last error:" line
    $_.Context.PostContext[2].Trim() -ne "State: [1] Stable" -or
    $_.Context.PostContext[3].Trim() -ne "Last error: No error"
}

Or:

vssadmin list writers | fl name,state,last*

All show output like this:

PS C:\> vssadmin list writers | fl name,state,last*
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Writer name: 'Task Scheduler Writer'
   Writer Id: {d61d61c8-d73a-4eee-8cdd-f6f9786b7124}
   Writer Instance Id: {1bddd48e-5052-49db-9b07-b96f96727e6b}
   State: [1] Stable
   Last error: No error

Writer name: 'VSS Metadata Store Writer'
   Writer Id: {75dfb225-e2e4-4d39-9ac9-ffaff65ddf06}
   Writer Instance Id: {088e7a7d-09a8-4cc6-a609-ad90e75ddc93}
   State: [1] Stable
   Last error: No error

Writer name: 'Performance Counters Writer'
   Writer Id: {0bada1de-01a9-4625-8278-69e735f39dd2}
   Writer Instance Id: {f0086dda-9efc-47c5-8eb6-a944c3d09381}
   State: [1] Stable
   Last error: No error

To resolve the error and get back to a healthy writer state, you can do one of the following:

  • Restart your server
  • Restart the corresponding service (see the table below)

VSS Writer                        Service Name        Service Display Name
ASR Writer                        VSS                 Volume Shadow Copy
BITS Writer                       BITS                Background Intelligent Transfer Service
COM+ REGDB Writer                 VSS                 Volume Shadow Copy
DFS Replication service writer    DFSR                DFS Replication
DHCP Jet Writer                   DHCPServer          DHCP Server
FRS Writer                        NtFrs               File Replication
FSRM writer                       srmsvc              File Server Resource Manager
IIS Config Writer                 AppHostSvc          Application Host Helper Service
IIS Metabase Writer               IISADMIN            IIS Admin Service
Microsoft Exchange Writer         MSExchangeIS        Microsoft Exchange Information Store
Microsoft Exchange Writer         MSExchangeRepl      Microsoft Exchange Replication
Microsoft Hyper-V VSS Writer      vmms                Hyper-V Virtual Machine Management
NTDS                              NTDS                Active Directory Domain Services
OSearch VSS Writer                OSearch             Office SharePoint Server Search
OSearch14 VSS Writer              OSearch14           SharePoint Server Search 14
Registry Writer                   VSS                 Volume Shadow Copy
Shadow Copy Optimization Writer   VSS                 Volume Shadow Copy
SPSearch VSS Writer               SPSearch            Windows SharePoint Services Search
SPSearch4 VSS Writer              SPSearch4           SharePoint Foundation Search V4
SqlServerWriter                   SQLWriter           SQL Server VSS Writer
System Writer                     CryptSvc            Cryptographic Services
TermServLicensing                 TermServLicensing   Remote Desktop Licensing
WMI Writer                        Winmgmt             Windows Management Instrumentation


I will be trying to get a script to check, report and restart the corresponding service for this.
Stay tuned.
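Until that script exists, here is an added example (not the author's) that does the check, report and restart: it parses the vssadmin output, flags writers that are not "Stable" / "No error" and restarts the owning service from the table above. It assumes an elevated PowerShell session; the Exchange writer is mapped to MSExchangeIS here, so change that entry if the replication writer is the one in trouble.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell session.
# Writer-to-service mapping taken from the table above (Exchange writer assumed to be MSExchangeIS).
$VssWriterService = @{
    'ASR Writer'                      = 'VSS'
    'BITS Writer'                     = 'BITS'
    'COM+ REGDB Writer'               = 'VSS'
    'DFS Replication service writer'  = 'DFSR'
    'DHCP Jet Writer'                 = 'DHCPServer'
    'FRS Writer'                      = 'NtFrs'
    'FSRM writer'                     = 'srmsvc'
    'IIS Config Writer'               = 'AppHostSvc'
    'IIS Metabase Writer'             = 'IISADMIN'
    'Microsoft Exchange Writer'       = 'MSExchangeIS'
    'Microsoft Hyper-V VSS Writer'    = 'vmms'
    'NTDS'                            = 'NTDS'
    'OSearch VSS Writer'              = 'OSearch'
    'OSearch14 VSS Writer'            = 'OSearch14'
    'Registry Writer'                 = 'VSS'
    'Shadow Copy Optimization Writer' = 'VSS'
    'SPSearch VSS Writer'             = 'SPSearch'
    'SPSearch4 VSS Writer'            = 'SPSearch4'
    'SqlServerWriter'                 = 'SQLWriter'
    'System Writer'                   = 'CryptSvc'
    'TermServLicensing'               = 'TermServLicensing'
    'WMI Writer'                      = 'Winmgmt'
}

function Get-VssWriterState {
    # Runs 'vssadmin list writers' (or parses text handed in) and returns one object per writer.
    param([string[]]$RawOutput = (& vssadmin.exe list writers))
    $text = $RawOutput -join "`n"
    # Every writer block starts with "Writer name:"; the first chunk is the vssadmin banner.
    foreach ($block in ($text -split "(?m)^Writer name:" | Select-Object -Skip 1)) {
        $name  = [regex]::Match($block, "^\s*'([^']+)'").Groups[1].Value
        $state = [regex]::Match($block, "(?m)^\s*State:\s*(.+?)\s*$").Groups[1].Value
        $err   = [regex]::Match($block, "(?m)^\s*Last error:\s*(.+?)\s*$").Groups[1].Value
        [pscustomobject]@{
            Writer    = $name
            State     = $state
            LastError = $err
            Healthy   = ($state -eq '[1] Stable' -and $err -eq 'No error')
            Service   = $VssWriterService[$name]
        }
    }
}

function Repair-VssWriter {
    # Restarts the service behind each unhealthy writer. ConfirmImpact High means
    # it prompts before every restart unless you pass -Confirm:$false; -WhatIf is supported.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    foreach ($w in (Get-VssWriterState | Where-Object { -not $_.Healthy })) {
        if (-not $w.Service) {
            Write-Warning "$($w.Writer): $($w.State) / $($w.LastError) - no service mapping known, a reboot may be needed"
            continue
        }
        if ($PSCmdlet.ShouldProcess($w.Service, "Restart service for writer '$($w.Writer)'")) {
            Restart-Service -Name $w.Service -Force
        }
    }
}

# Report first; run Repair-VssWriter afterwards (or Repair-VssWriter -WhatIf to see what it would do).
Get-VssWriterState | Format-Table Writer, State, LastError, Healthy, Service -AutoSize
```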




03 March 2014

Edge server marks relayed sent item as spam

We had a case of "WTF, why is it doing this?"
A message sent by a server in the DMZ and relayed through an Edge server had the DMZ server name in the header:

Return-Path: noreply@company.com
Received-SPF: Fail (sr-XXXX.company.lan: domain of noreply@company.com does
not designate 333.333.888.130 as permitted sender)
receiver=sr-XXXXX.company.lan; client-ip=333.333.888.130;

helo=SR-XXXXX.companycom.dmz;

In combination with Forefront Protection for Exchange 2010, this led to messages being marked as spam and bounced at the receiving side: the Received-SPF: Fail line shows that the DMZ server's address is not designated as a permitted sender in the SPF record for company.com.

After searching some forums we came up with this solution:

Add the originating sending server to the Exchange whitelist on both Edge servers.


After this the mail header should look like this:

Received: from SR-XXXXX.company.com.dmz (333.333.888.131) by mx03.company.com
(333.333.888.25) with Microsoft SMTP Server id 14.3.174.1; Fri, 28 Feb 2014
07:45:22 +0100
Received: from mail pickup service by SR-XXXXX.company.com.dmz with Microsoft
SMTPSVC;      Fri, 28 Feb 2014 07:45:21 +0100
MIME-Version: 1.0
From: Company <noreply@company.com>
To: <email@domain.com>
Date: Fri, 28 Feb 2014 07:45:21 +0100
Subject: Some text
Content-Type: multipart/related; type="text/html";
        boundary="--boundary_57_0ae1edd8-bdc9-4428-b63f-9dffb4757d50"
Message-ID: <SR-XXXXX0het1ULbDlB00018788@SR-XXXXX.company.com.dmz>
X-OriginalArrivalTime: 28 Feb 2014 06:45:21.0601 (UTC) FILETIME=[A6B60B10:01CF3450]
Return-Path: noreply@company.com

20 February 2014

RPC virtual Directory Basic Authentication keeps getting disabled

A common problem, and I always keep forgetting how to fix it:

The RPC virtual directory's Basic Authentication keeps getting disabled within about 5 minutes, even after we enable it manually. When testing RPC over HTTP via http://exrca.com/, the test passes while Basic Authentication is enabled and fails once the setting has been reverted automatically.
Also, the output of Get-OutlookAnywhere | fl showed the IISAuthenticationMethods as follows:

[screenshot: IISAuthenticationMethods output]

So Exchange was forcefully overwriting the IIS settings for the RPC virtual directory every few minutes.

Requirement:
The default settings for Exchange virtual directories (Exchange 2010 and 2013) list the following requirement for the RPC virtual directory under 'Default Web Site' in IIS:

[screenshot: RPC virtual directory authentication settings]

Also, IISAuthenticationMethods for Outlook Anywhere should be listed as follows:

[screenshot: expected IISAuthenticationMethods output]

How to fix the issue
The TechNet blog published here mentions some hints to fix the issue.
The fix is to set the Exchange Outlook Anywhere settings forcefully using the following cmdlet:

Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,NTLM

After setting this, I manually enabled Basic Authentication on the RPC virtual directory and it keeps the setting because of the fix.

Source

19 February 2014

Force Lync sync, updating Lync contacts

Lync in combination with SharePoint sometimes doesn't update the profile picture.
To force the update process, which by default runs at 1:30 at night, you can run:

Update-CsAddressBook

and/or:

Update-CsUserDatabase

To check the current settings:

Get-CsUserReplicatorConfiguration


Identity                  : Global
ADDomainNamingContextList : {}

ReplicationCycleInterval  : 00:01:00

and:

Get-CsAddressBookConfiguration


Identity                   : Global
RunTimeOfDay               : 1:30
KeepDuration               : 30
SynchronizePollingInterval : 00:05:00
MaxDeltaFileSizePercentage : 20
UseNormalizationRules      : True
IgnoreGenericRules         : False
EnableFileGeneration       : True


Great troubleshooting info can be found here:

13 February 2014

Automapping of Mailbox in Outlook does not work if Full Access Permission are assigned to a Group

Came across this blog post when searching for a similar problem I had.
Turns out the attributes in AD for the group are not updated.

But there's a script for that:

INFORMATION
Many companies may have a number of shared mailboxes that their users or certain departments may require access to. Generally the easiest way to get this done based on Microsoft methodology is to add the individual users to a group and give the group permission to the resource – all nice so far!
One of the new improvements of Exchange 2010 SP1 was the possibility of an Outlook client to automatically map to its profile any mailbox that the logged on user has full access to!

SO HOW DOES IT WORK??
When you assign a user full access permissions in Exchange 2010 SP1 to a shared mailbox, Exchange will modify the multi-valued MsExchDelegateListLink attribute on the shared mailbox to include the distinguished name (DN) of the users who have been assigned the access permission.
At the same time, the MsExchDelegateListBL attribute on each of the users who have been given the permission is updated to include the DN of the shared mailbox. The next time the user opens Outlook, it uses Autodiscover to read the values of MsExchDelegateListBL for the user and automatically maps the shared mailbox into the user's Outlook profile.
This works perfectly if you are assigning individual users the permission, but many organizations use groups to assign such permissions. When a group is assigned this permission, all the members of the group will inherit the rights assigned; HOWEVER, automapping will NOT work! This is because it is the group, not the individual users within it, that ends up in the MsExchDelegateListLink attribute.

WORKAROUNDS
  1. Users will be able to add the shared mailbox manually by adding it to their Outlook profile.
  2. Use the following Exchange PowerShell script, which reads the membership of the distribution group and gives each individual member full access permission to the shared mailbox (copy the code below and paste it into a Notepad file; save the file with a NAME.PS1 extension):
$DL = Get-DistributionGroupMember GROUPNAME | Select-Object -ExpandProperty Name
foreach ($D in $DL) {
    Add-MailboxPermission -Identity SHARED_MAILBOX_NAME -User $D -AccessRights 'FullAccess'
    Write-Host -ForegroundColor Yellow "$D, a member of the distribution group GROUPNAME, has been given full access permission to the SHARED_MAILBOX_NAME mailbox"
}

Please make sure to replace GROUPNAME with the name of the distribution group and SHARED_MAILBOX_NAME with the name of the shared mailbox.
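As an added example (not the script from the blog post), this version expands nested groups, grants FullAccess with automapping only where it is missing, and then reads msExchDelegateListLink on the shared mailbox to confirm the link the text describes was actually written. It assumes the Exchange Management Shell (2010 SP1 or later) with the ActiveDirectory module imported for Get-ADUser; GROUPNAME and SHARED_MAILBOX_NAME are placeholders as in the original.

```powershell
# Added example, not the script from the blog post. Assumes the Exchange Management
# Shell (2010 SP1+) with the ActiveDirectory module imported.
function Get-GroupMailboxUser {
    # Expands a distribution or security group, following nested groups,
    # and returns only the mailbox-enabled members.
    param([Parameter(Mandatory)][string]$Group)
    foreach ($m in (Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited)) {
        if ($m.RecipientType -like '*Group') { Get-GroupMailboxUser -Group $m.DistinguishedName }
        elseif ($m.RecipientType -like '*Mailbox') { $m }
    }
}

function Grant-SharedMailboxAutomap {
    # Gives every member an explicit FullAccess ACE with automapping, skipping members
    # that already have one, then verifies msExchDelegateListLink on the shared mailbox.
    param(
        [Parameter(Mandatory)][string]$Group,           # e.g. 'GROUPNAME'
        [Parameter(Mandatory)][string]$SharedMailbox    # e.g. 'SHARED_MAILBOX_NAME'
    )
    $users = @(Get-GroupMailboxUser -Group $Group | Sort-Object DistinguishedName -Unique)

    foreach ($u in $users) {
        $existing = Get-MailboxPermission -Identity $SharedMailbox -User $u.DistinguishedName -ErrorAction SilentlyContinue |
            Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.AccessRights -contains 'FullAccess' }
        if ($existing) {
            Write-Host "$($u.Name): already has FullAccess on $SharedMailbox"
            continue
        }
        Add-MailboxPermission -Identity $SharedMailbox -User $u.DistinguishedName `
            -AccessRights FullAccess -AutoMapping $true | Out-Null
        Write-Host -ForegroundColor Yellow "$($u.Name): FullAccess with automapping granted on $SharedMailbox"
    }

    # Verification: Outlook automaps from msExchDelegateListBL on the user, which AD maintains
    # as the back-link of msExchDelegateListLink on the shared mailbox, so each user DN must be there.
    $sam  = (Get-Mailbox -Identity $SharedMailbox).SamAccountName
    $link = @((Get-ADUser -Identity $sam -Properties msExchDelegateListLink).msExchDelegateListLink)
    foreach ($u in $users) {
        if ($link -contains $u.DistinguishedName) {
            Write-Host -ForegroundColor Green "$($u.Name): listed in msExchDelegateListLink, automapping will work"
        } else {
            Write-Host -ForegroundColor Red "$($u.Name): NOT in msExchDelegateListLink, check the permission"
        }
    }
}

# Grant-SharedMailboxAutomap -Group 'GROUPNAME' -SharedMailbox 'SHARED_MAILBOX_NAME'
```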

Source

11 February 2014

Allow Anonymous Relay on a Receive Connector

One of those things you do once a year and think: how did I do that last time?

Set up your receive connector:

Use the EMC to create the Receive connector


  1. Perform one of the following steps:
    1. To create a Receive connector on a computer that has the Edge Transport server role installed, select Edge Transport, and then in the work pane, click the Receive Connectors tab.
    2. To create a Receive connector on a Hub Transport server role, in the console tree, expand Server Configuration and select Hub Transport. In the result pane, select the server on which you want to create the connector, and then click the Receive Connectors tab.
  2. In the action pane, click New Receive Connector. The New Receive Connector wizard starts.
  3. On the Introduction page, follow these steps:
    1. In the Name field, type a meaningful name for this connector. This name is used to identify the connector.
    2. In the Select the intended use for this Receive connector field, select Custom.
    3. Click Next.
  4. On the Local Network settings page, follow these steps:
    1. Select the existing All Available IPv4 entry, and then click the Remove icon.
    2. Click Add. In the Add Receive Connector Binding dialog box, select Specify an IP address. Type an IP address assigned to a network adapter on the local server that's best able to communicate with the remote messaging server. In the Port field, type 25, and then click OK. Leave the Specify the FQDN this connector will provide in response to HELO or EHLO field blank.
    3. Click Next.
  5. On the Remote Network settings page, follow these steps:
    1. Select the existing 0.0.0.0 - 255.255.255.255 entry, and then click the Remove icon.
    2. Click Add or the drop-down arrow located next to Add and type the IP address or IP address range for the remote messaging server or servers that are allowed to relay mail on this server. When you're finished entering the IP addresses, click OK.
    3. Click Next.
  6. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.
  7. On the Completion page, click Finish.
  8. In the work pane, select the Receive connector that you created.
  9. Under the name of the Receive connector in the action pane, click Properties to open the Properties page.
  10. Click the Permission Groups tab. Select Anonymous users.
  11. Click OK to save your changes and exit the Properties page.

Use the Shell to create the Receive connector


This example uses the New-ReceiveConnector cmdlet to create the Receive connector Anonymous Relay that listens on local IP address 10.2.3.4 on port 25 from a source server at IP address 192.168.5.77.
New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -PermissionGroups AnonymousUsers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77
For detailed syntax and configuration information, see New-ReceiveConnector.

Use the Shell to grant relay permission to anonymous connections on the new Receive connector


Note:
You can't use the EMC to perform this task.
This example retrieves the specified Receive connector information and pipes the result to the Add-ADPermission cmdlet to grant relay permission to anonymous connections on the new Receive connector.
Get-ReceiveConnector "Anonymous Relay" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"
For detailed syntax and configuration information, see Get-ReceiveConnector or Add-ADPermission.

Use the EMC to create the Receive connector as externally secured


  1. Perform one of the following steps:
    1. To create a Receive connector on a computer that has the Edge Transport server role installed, select Edge Transport, and then in the work pane, click the Receive Connectors tab.
    2. To create a Receive connector on a Hub Transport server role, in the console tree, expand Server Configuration and select Hub Transport. In the result pane, select the server on which you want to create the connector, and then click the Receive Connectors tab.
  2. In the action pane, click New Receive Connector. The New Receive Connector wizard starts.
  3. On the Introduction page, follow these steps:
    1. In the Name field, type a meaningful name for this connector. This name is used to identify the connector.
    2. In the Select the intended use for this Receive connector field, select Custom.
    3. Click Next.
  4. On the Local Network settings page, follow these steps:
    1. Select the existing All Available entry, and then click the Remove icon.
    2. Click Add. In the Add Receive Connector Binding dialog box, select Specify an IP address. Type an IP address assigned to a network adapter on the local server that's best able to communicate with the remote messaging server. In the Port field, type 25, and then click OK. Leave the Specify the FQDN this connector will provide in response to HELO or EHLO field blank.
    3. Click Next.
  5. On the Remote Network settings page, follow these steps:
    1. Select the existing 0.0.0.0 - 255.255.255.255 entry, and then click the Remove icon.
    2. Click Add or the drop-down arrow located next to Add and type the IP address or IP address range for the remote messaging server or servers that are allowed to relay mail on this server. When you're finished entering the IP addresses, click OK.
    3. Click Next.
  6. On the New Connector page, review the configuration summary for the connector. If you want to modify the settings, click Back. To create the Receive connector by using the settings in the configuration summary, click New.
  7. On the Completion page, click Finish.
  8. In the work pane, select the Receive connector that you created.
  9. Under the name of the Receive connector in the action pane, click Properties to open the Properties page.
  10. Click the Permission Groups tab. Select Exchange servers.
  11. Click the Authentication tab. Select Externally Secured (for example, with IPsec).
  12. Click OK to save your changes and exit the Properties page.

Use the Shell to create the Receive connector as externally secured



This example creates the Receive connector Anonymous Relay that listens on local IP address 10.2.3.4 on port 25 from a source server at IP address 192.168.5.77.
New-ReceiveConnector -Name "Anonymous Relay" -Usage Custom -AuthMechanism ExternalAuthoritative -PermissionGroups ExchangeServers -Bindings 10.2.3.4:25 -RemoteIpRanges 192.168.5.77
For detailed syntax and configuration information, see New-ReceiveConnector.
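As an added example (not from the post or TechNet), an audit to run in the Exchange Management Shell that lists every Receive connector on a server which allows relay, either through the Ms-Exch-SMTP-Accept-Any-Recipient right granted to ANONYMOUS LOGON (as above) or through the externally secured mechanism, together with its RemoteIPRanges, and flags any connector whose range was never narrowed from 0.0.0.0 - 255.255.255.255. The function and property names other than the Exchange cmdlets are this example's own.

```powershell
# Added example, not from the post or TechNet. Requires the Exchange Management Shell.
function Get-RelayConnector {
    # Returns each Receive connector on $Server that permits relay and whether its
    # RemoteIPRanges is still the catch-all range a new connector starts with.
    param([string]$Server = $env:COMPUTERNAME)

    foreach ($rc in (Get-ReceiveConnector -Server $Server)) {
        # Anonymous relay: an allow ACE for ANONYMOUS LOGON carrying Accept-Any-Recipient.
        $anonAce = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and (($_.ExtendedRights -join ',') -match 'Ms-Exch-SMTP-Accept-Any-Recipient') }
        # Externally secured relay: the ExternalAuthoritative auth mechanism.
        $extSecured = $rc.AuthMechanism.ToString() -match 'ExternalAuthoritative'
        if (-not $anonAce -and -not $extSecured) { continue }

        $ranges    = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        $openToAll = [bool]($ranges | Where-Object { $_ -eq '0.0.0.0-255.255.255.255' })

        [pscustomobject]@{
            Connector        = $rc.Name
            RelayVia         = $(if ($anonAce) { 'AnonymousLogon' } else { 'ExternallySecured' })
            PermissionGroups = $rc.PermissionGroups.ToString()
            RemoteIPRanges   = ($ranges -join ', ')
            OpenToAll        = $openToAll
        }
    }
}

# OpenToAll = True means anyone who can reach port 25 on that binding can relay through you.
Get-RelayConnector | Format-Table -AutoSize
```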

Source

10 February 2014

When a database failover occurs, send an email on event id

When a database failover occurs you normally wouldn't know, unless you have monitoring like SCOM set up.
In our case we don't have any kind of monitoring going on, but I do want to know if a failover occurs.

To do this we can use the great new Event Viewer feature "Attach Task To This Event".
The events you're looking for are:

127
147
161
184
184
252
292
293
301
316
333

After filtering the event log at Applications and Services Logs - Microsoft - Exchange - High Availability - Operational on warnings, errors and critical events, you can see all failover-related event IDs.


Select an event and click "Attach task to this event".



Select "Send an e-mail"


Fill out with your settings


On the summary page you can select "Open the Properties dialog for this task when I click Finish"; this allows you to change the account the task runs under.


After you click finish the task can be found at "event viewer tasks"


When any of these events occurs, you will be notified.
You will have to do this for every event ID you want to monitor.
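As an added example (not from the post), a single scheduled PowerShell script that queries the High Availability operational log for all the event IDs listed above and sends one e-mail when any appear, instead of one attached task per event. The log name, the mail addresses and the SMTP server are assumptions to adjust for your environment.

```powershell
# Added example, not part of the original post. Assumptions: the log name below and
# the mail settings passed to Send-FailoverAlert.
$FailoverEventIds = 127, 147, 161, 184, 252, 292, 293, 301, 316, 333
$HaLogName = 'Microsoft-Exchange-HighAvailability/Operational'   # assumed channel name

function Get-FailoverEvent {
    # Warning/Error/Critical events with one of the IDs above, newer than -Since.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{
        LogName   = $HaLogName
        Id        = $FailoverEventIds
        Level     = 1, 2, 3          # 1 = Critical, 2 = Error, 3 = Warning
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, MachineName, Message
}

function Send-FailoverAlert {
    # Sends one mail listing all matching events; returns the number of events found.
    param(
        [Parameter(Mandatory)][string]$To,
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$SmtpServer,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $events = @(Get-FailoverEvent -Since $Since)
    if ($events.Count -eq 0) { return 0 }
    $lines = foreach ($e in $events) {
        "{0:u}  Event {1} ({2}) on {3}`n{4}`n" -f $e.TimeCreated, $e.Id, $e.LevelDisplayName, $e.MachineName, $e.Message
    }
    Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer `
        -Subject "Exchange DAG failover events on $env:COMPUTERNAME ($($events.Count))" `
        -Body ($lines -join "`n")
    return $events.Count
}

# Run from a scheduled task, e.g. hourly with -Since matching the interval:
# Send-FailoverAlert -To 'ops@company.com' -From 'exchange@company.com' -SmtpServer 'mx03.company.com'
```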

Increase cluster timeout values: database fails over too soon

If your Exchange databases fail over too soon, you can alter the default values for the cluster service.

First check your default values:
In a command window on a database server run:

cluster /prop

T  Cluster              Name                           Value
-- -------------------- ------------------------------ -----------------------
DR CL-XXXXX             FixQuorum                      0 (0x0)
DR CL-XXXXX             IgnorePersistentStateOnStartup 0 (0x0)
SR CL-XXXXX             SharedVolumesRoot              C:\ClusterStorage
D  CL-XXXXX             AddEvictDelay                  60 (0x3c)
D  CL-XXXXX             BackupInProgress               0 (0x0)
D  CL-XXXXX             ClusSvcHangTimeout             60 (0x3c)
D  CL-XXXXX             ClusSvcRegroupOpeningTimeout   5 (0x5)
D  CL-XXXXX             ClusSvcRegroupPruningTimeout   5 (0x5)
D  CL-XXXXX             ClusSvcRegroupStageTimeout     7 (0x7)
D  CL-XXXXX             ClusSvcRegroupTickInMilliseconds 300 (0x12c)
D  CL-XXXXX             ClusterGroupWaitDelay          30 (0x1e)
D  CL-XXXXX             ClusterLogLevel                3 (0x3)
D  CL-XXXXX             ClusterLogSize                 100 (0x64)
D  CL-XXXXX             CrossSubnetDelay               1000 (0x3e8)
D  CL-XXXXX             CrossSubnetThreshold           5 (0x5)
D  CL-XXXXX             DefaultNetworkRole             2 (0x2)
S  CL-XXXXX             Description
D  CL-XXXXX             EnableSharedVolumes            0 (0x0)
D  CL-XXXXX             HangRecoveryAction             3 (0x3)
D  CL-XXXXX             LogResourceControls            0 (0x0)
D  CL-XXXXX             PlumbAllCrossSubnetRoutes      0 (0x0)
D  CL-XXXXX             QuorumArbitrationTimeMax       90 (0x5a)
D  CL-XXXXX             RequestReplyTimeout            60 (0x3c)
D  CL-XXXXX             RootMemoryReserved             4294967295 (0xffffffff)
D  CL-XXXXX             SameSubnetDelay                2000 (0x7d0)
D  CL-XXXXX             SameSubnetThreshold            5 (0x5)
B  CL-XXXXX             Security Descriptor            01 00 04 80 ... (164 bytes)
D  CL-XXXXX             SecurityLevel                  1 (0x1)
M  CL-XXXXX             SharedVolumeCompatibleFilters
M  CL-XXXXX             SharedVolumeIncompatibleFilters
D  CL-XXXXX             ShutdownTimeoutInMinutes       20 (0x14)
D  CL-XXXXX             WitnessDatabaseWriteTimeout    300 (0x12c)
D  CL-XXXXX             WitnessRestartInterval         15 (0xf)

To change the value for the internal network:

cluster /prop SameSubnetDelay=2000:DWORD

To change the value for the external network:

cluster /prop CrossSubnetDelay=4000:DWORD

To change the default number of errors before failing over:

cluster /prop CrossSubnetThreshold=10:DWORD
cluster /prop SameSubnetThreshold=10:DWORD

These are the maximum values.
The commands only need to be run on one Exchange database server.

Source