Windows Server

SBS 2003 has lost its CAL’s (Client Access Licenses reset to 5)

Problem

Been a while since I’ve seen this one, and strangely I didn’t document it. so when I was asked this morning I searched here on PeteNetLive, and In my personal database of solutions but the cupboard was bare.

Solution

1. Before you do anything make sure your SBS has plenty of space on the hard drive, simply running out of room on the system drive can cause SBS to lose its licences, make sure this is not your problem.

2. If you have plenty of room, then click Start > Run > services.msc {enter}. Locate the Licence Logging service > Right Click > Stop.

3. Locate the licstr.cpa file (it’s in C:\windows\system32 by default) > Rename it to licstr.OLD.

4. Locate the autolicstr.cpa (Should be in the same folder) and COPY it to your desktop to create a backup, Then rename the original to licstr.cpa

5. Back in the services console restart the “Licence Logging Service”.

6. Your licences should now be back in place.

7. Finally, you will notice there’s an option in the Licensing console to back up your licences,now would be a good time, to avoid having to do this again.

Start the Network and Internet Troubleshooting Wizards from the Command-Prompt

The network and Internet troubleshooting wizards can also be started from the command line, using the parameters below. All you need is to copy and paste these commands in the Run window (press the Windows key + R) or in the Command Prompt:

  • To open the Internet Connections troubleshooter:msdt.exe -id NetworkDiagnosticsWeb
  • To open the Shared Folders troubleshooter:msdt.exe -id NetworkDiagnosticsFileShare
  • To open the HomeGroup troubleshooter:msdt.exe -id HomeGroupDiagnostic
  • To open the Network Adapter troubleshooter:msdt.exe -id NetworkDiagnosticsNetworkAdapter
  • To open the Incoming Connections troubleshooter:msdt.exe -id NetworkDiagnosticsInbound

BOOTMGR is missing

 

Cause:

This error occurs when either of the following conditions is true:

  • The Windows Boot Manager (Bootmgr) entry is not present in the Boot Configuration Data (BCD) store.
  • The Boot\BCD file on the active partition is damaged or missing.

Resolution:

Method 1: Repair the BCD store by using the Startup Repair option

You can use the Startup Repair option in the Windows Recovery Environment to repair the BCD store. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
  4. Click Repair your computer.
  5. Click the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Startup Repair.
  7. Restart the computer.

Method 2: Rebuild the BCD store by using the Bootrec.exe tool

If the previous method does not resolve the problem, you can rebuild the BCD store by using the Bootrec.exe tool in the Windows Recovery Environment. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
  4. Click Repair your computer.
  5. Click the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec /RebuildBcd, and then press ENTER.
    • If the Bootrec.exe tool runs successfully, it presents you with an installation path of a Windows directory. To add the entry to the BCD store, type Yes. A confirmation message appears that indicates the entry was added successfully.
    • If the Bootrec.exe tool cannot locate any missing Windows installations, you must remove the BCD store, and then you must re-create it. To do this, type the following commands in the order in which they are presented. Press ENTER after each command.
      Bcdedit /export C:\BCD_Backup
      ren c:\boot\bcd bcd.old
      Bootrec /rebuildbcd
  8. Restart the computer.

Method 3: Rebuild the BCD store manually by using the Bcdedit.exe tool

If the previous method does not resolve the problem, you can rebuild the BCD store manually by using the Bcdedit.exe tool in the Windows Recovery Environment. To do this, follow these steps:

  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
  4. Click Repair your computer.
  5. Click the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type the following command, and then press ENTER:
    cd /d Partition:\Windows\System32

    Note Partition represents the letter of the partition on which Windows Vista is installed. Typically, this is partition C.

  8. Type the following command, and then press ENTER:
    bcdedit /enum all

    In the Windows Boot Loader section of the output from this command, note the GUID that is listed for resumeobject. You will use this GUID later.

  9. Type the following command, and then press ENTER:
    bcdedit -create {bootmgr} -d “Description

    Note Description represents the description for the new entry.

  10. Type the following command, and then press ENTER:
    bcdedit -set {bootmgr} device partition=Partition:

    Note Partition represents the letter of the partition. Typically, the letter is C.

  11. Type the following command, and then press ENTER:
    bcdedit /displayorder {GUID}

    Note GUID represents the GUID that you obtained in step 8.

  12. Type the following command, and then press ENTER:
    bcdedit /default {GUID}

    Note GUID represents the GUID that you obtained in step 8.

  13. Type the following command, and then press ENTER:
    bcdedit /timeout Value

    Note Value represents the time in seconds before the Windows Boot Manager selects the default entry that you created in step 12.

  14. Restart the computer.

If you are booting from a Server 2008 install disk, when you use the “Repair your computer” option, the available options look like this:

You can access the repair option on a Server 2008 disk by choosing “command prompt”, then running  “x:\sources\recovery\StartRep.exe”.

 

How to restore missing user licenses in SBS 2003

1. Look for licstr.cpa & Autolicstr.cpa files under c:\windows\system32 folder.
2. Exclude these two files from being scanned by Anti Virus.
3. Make a backup copy of both the files on a different folder.
4. Delete licstr.cpa from c:\windows\system32 folder.
5. Rename autolicstr.cpa file to licstr.cpa.
6. Restart the Licensing Service.
7. Go to Server Management Console -> Licensing and you will have the actual number of CALS.

“Help and Support” is missing after you upgrade to Windows Server 2003 Service Pack 2

To resolve this problem, reinstall the Help and Support service. To do this, follow these steps:

  1. Click Start, click Run, type cmd in the Open box, and then click OK.
  2. At the command prompt, locate the following folder:
    %windir%\PCHealth\HelpCtr\Binaries
  3. At the command prompt, type the following commands, and then press ENTER after each command:
    • HelpSvc.exe /regserver /svchost netsvcs /RAInstall
    • HSCUpd.exe -i hscmui.cab
    • HSCUpd.exe -i hscsp_s3.cab

      Note The following commands do not apply to some language versions of Windows Server 2003:

      • HSCUpd.exe -i hscmui.cab
      • HSCUpd.exe -i hscsp_s3.cab

      The reason is that the Hscmui.cab compressed file is not included in some language versions of Windows Server 2003, such as the Japanese version of Windows Server 2003.

 

ASN1 bad tag value met. 0x8009310

Question:
I get CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b on IIS 7 and I am unable to install my certificate.

Answer:
This can be a result of IIS placing the certificate in the wrong certificate store or forgetting where it places the private key, in many cases it gets placed in Other People Certificate store for theCurrent User account. Only certificates that are stored in the Personal Section of the Local Computer store can be used in IIS.

Option #1: Repair a damaged certificate.

  1. Open up DOS prompt (cmd.exe)
  2. Type: certutil -repairstore my “THUMBPRINT/SERIALNUMBER”
    Note: Also, sometimes the certificate is not available and needs to be imported in order for this command to work.
  3. Go back into the IIS Manager and re-edit the bindings for this site. (Where you can select the certificate.
    Note: Sometimes, you will get an error, so just ignore the error and try again. When trying again, the certificate may already be selected and nothing else needs to be done.

Option #2: Restore Certificate to the Local Computer Store

  1. Open the Certificate Snap-In from within the MMC (Microsoft Management Console)
    Start -> Run -> Type “mmc” -> File -> Add/Remove Snap-in -> Add -> Certificates
  2. Add Current User account.
    My User Account -> Finish.
  3. Add Local Computer account.
    Computer account -> Local Computer -> Finish.
  4. Close Add Standalone Snap-in.
  5. Click Ok.
  6. Now you should have a screen similar to this:

  7. Drag the certificate that will not install, out of the Other People store and drop it under theLocal Computer -> Personal -> Certificates.
  8. Do not close out of the MMC at this time.

  9. Open up a command prompt.
    Start -> Run -> Type cmd.
  10. Type: certutil -repairstore my “THUMBPRINT_OF_CERTIFICATE”. (with quotes)
  11. You should now have the private key back on the certificate so now open up IIS and assign it to your website.

Transferring FSMO Roles in Windows Server 2008

The five FSMO roles are:

  1. Schema Master
  2. Domain Naming Master
  3. Infrastructure Master
  4. Relative ID (RID) Master
  5. PDC Emulator

The FSMO roles are going to be transferred, using the following three MMC snap-ins :

  • Active Directory Schema snap-in : Will be used to transfer the Schema Master role
  • Active Directory Domains and Trusts snap-in : Will be used to transfer the Domain Naming Master role
  • Active Directory Users and Computers snap-in : Will be used to transfer the RID MasterPDC Emulator, and Infrastructure Master roles

Note: The following steps are done on the Windows Server 2008 machine that I intend to set as the roles holder ( transfer the roles to it )

Lets start transferring the FSMO roles.

  • Using Active Directory Schema snap-in to transfer the Schema Master role You have to register schmmgmt.dll in order to be able to use the Active Directory Schema snap-in 
  1. Click StartRun
  2. Type regsvr32 schmmgmt.dll
  3. Click OK A popup message will confirm that schmmgmt.dll was successfully registered. Click OK
  4. Click Start Run, type mmc, then click OK
  5. Click File > then click Add/Remove Snap-in…
  6. From the left side, under Available Snap-ins, click on Active Directory Schema, then click Add > and then click OK

  7. Right click Active Directory Schema, then click Change Active Directory Domain Controller…
  8. From the listed Domain Controllers, click on the domain controller that you want to be the schema master role holder and then click on OKYou will receive a message box stating that the schema snap-in is not connected to a schema operations master. That is for sure, as we have not yet set this Windows Server 2008 domain controller as a Schema Master role holder. This will be done in the next step. Click OK
  9. In the console tree, right click Active Directory Schema [DomainController.DomainName], and then click Operations Master…
  10. On the Change Schema Master page, the current schema master role holder will be displayed ( ex. DC.SOMETHING.NET) and the targeted schema holder as well (ex. DC2K8.SOMETHING.NET). Once you click Change, the schema master holder will become 
    DC2K8.SOMETHING.NET
    , click Change

    Click Yesto confirm the role transfer

    The role will be transferred and a confirmation message will be displayed. Click OK

    Then click Close, as you can see in the below snapshot, the current schema master is DC2K8.SOMETHING.NET

  • Using Active Directory Domains and Trusts snap-in to transfer the Domain Naming Master Role
  1. Click Start Administrative Tools > then click Active Directory Domains and Trusts
  2. Right click Active Directory Domains and Trusts, then click Change Active Directory Domain Controller…
  3. From the listed Domain Controllers, click on the domain controller that you want to be the Domain Naming master role holder and then click onOK
  4. Right click Active Directory Domains and Trusts, then click Operations Master…
  5. On the Operations Master page, we are going to change the Domain Naming role holder from DC.SOMETHING.NET to DC2K8.SOMETHING.NET, Click ChangeClick YES to confirm the transfer of the Domain Naming roleThe role will be transferred and a confirmation message will be displayed. Click OK , then click Close


Till now, we have successfully transferred two FSMO roles, the Schema Master role and the Domain Naming role. The last three roles can be transferred using a single Snap-in.

 

  • Using Active Directory Users and Computers snap-in to transfer the RID Master, PDC Emulator, and Infrastructure Master Roles
  1. Click StartAdministrative Tools > then click Active Directory Users and Computers
  2. Right click Active Directory Users and Computers, then click All TasksOperations Master…
  3. You will have three Tabs, representing three FSMO roles (RID, PDC, Infrastructure). Click the Change button under each of these three tabs to transfer the roles.Click Yes to confirm the role transferThe role will be transferred and a confirmation message will be displayed. Click OK

    As for the Infrastructure role, once you click on the Change button you will receive the below message

    By default, when you first install your first Domain Controller, it holds the five roles and beside that it is a Global Catalog. If your environment is a multi-domain/forest, then you should think about structuring your FSMO roles and transfer the Infrastructure role to a none Global Catalog domain controller. Else if you have small number of domain controllers ( ex. two domain controllers) then you should not worry about this. ClickYes

  4. The Tabs should now look like this:

 

That’s it, by now, you have successfully transferred the five FSMO roles to the Windows Server 2008 Domain Controller.

 

Summary

 

There are five FSMO roles in a forest, to transfer any of these roles you have to use the appropriate Active Directory snap-in.

 

 

Outlook Certificate Errors

When importing a new certificate into Exchange 2007/2010, you might encounter a certificate error in Outlook 2003/2007/2010. I have included a screenshot of the error I encountered with Outlook 2007 :

When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “mail.something.net.”

So the million dollar question? Why the error?

Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is till allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate.

So let’s say we have a simple regular common certificate. A certificate with a Common Name (CN) of mail.something.net We install this certificate onto our Exchange box with its’ private key. In our case we were migrating so we did not have to request a certificate via IIS. We just exported it with its’ private key and imported onto the new box. We then assigned this certificate to IIS. Now I went to the Exchange Management Shell and enabled Exchange services to use this certificate. In order to do this, you must run the following commands:

Get-ExchangeCertificate

Thumbprint Services Subject
———- ——– ——-
BCF9F2C3D245E2588AB5895C37D8D914503D162E9 SIP.W CN=mail.something.net.com

What I did was go ahead and enable all new services to use every available service by using the following command:

Enable-exchangecertificate -services IMAP, POP, UM, IIS, SMTP Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9

The next step would be to ensure the AutodiscoverInternalURI is pointed to the CAS that will be your primary CAS for Autodiscover servicing.

Get-ClientAccessServer -Identity CASServer | FL

AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml

See the issue here? We are not using a UC certificate that contains the names, “casnetbiosname, casnetbiosname.shudnow.net, mail.something.net, and autodiscover.something.net” Since the Autodiscover directory in IIS will be requring SSL encryption, the url specified in the AutoDiscoverServiceInternalURI must match what is specified in your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should re-configure the AutoDiscoverServiceInternalURI by using the following command:

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUrihttps://mail.something.net/Autodiscover/Autodiscover.xml

We now need to go configure all the InternalURLs for each web distributed service.  If you are going to be utilizing the Autodiscover service from the outside or for non-domain joined clients, you may want to configure an -ExternalURL in addition to your -InternalURL.

Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL which will fail since this is not the CN of your simple certificate.

You can run the following commands to fix your internalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.

Set-WebServicesVirtualDirectory -Identity “CASServer\EWS (Default Web Site)” -InternalURL https://mail.something.net/EWS/Exchange.asmx -BasicAuthentication:$true

Set-OABVirtualDirectory -Identity “CASServer\OAB (Default Web Site)” -InternalURL https://mail.something.net/OAB

Note: You must ensure that you enable SSL on the OAB directory in IIS which is not on by default. The above command will only enable SSL, but will not ensure 128-bit SSL is required.

Enable-OutlookAnywhere -Server CASServer -ExternalHostname “mail.something.net” -ClientAuthenticationMethod “Basic”-SSLOffloading:$False

Note: The above Enable-OutlookAnywhere command works on SP1. For RTM, substitute -ClientAuthenticationMethod with -ExternalAuthenticationMethod.

Set-ActiveSyncVirtualDirectory -Identity “CASServer\Microsoft-Server-ActiveSync (Default Web Site)” -ExternalURL https://mail.something.net/Microsoft-Server-Activesync

Set-UMVirtualDirectory -Identity “CASServer\UnifiedMessaging (Default Web Site)” –InternalURL https://mail.something.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true

Note: The above Set-UMVirtualDirectory command is not needed in Exchange 2010.  Exchange 2010 no longer contains a UnifiedMessaging virtual directory and instead uses the Web Services Virtual Directory.

NDR and Open Relay Spam Clean Up – Exchange 2000/2003

If you have been the target of an NDR attack* attempt or made an error when configuring your Exchange server and have left yourself an open relay, then you may find that your queues on the Exchange server have a large number of invalid email messages.
* An NDR Attack is where messages are sent to your server with an invalid email address on purpose. Your server then attempts to bounce them back to the sender. The only problem is that the sender has been spoofed and it is that address that is the intended target of the message. These attacks can be avoided with Exchange 2003 and Windows 2003 Service Pack 1 and higher using a new option.Other symptoms include hard disk space is dropping rapidly and the server has become unresponsive. The Exchange logs are much larger than normal.

This article is based on the MS KB 324958 which was written for Small Business Server and MSKB 909005 which is for the full version of Exchange. Some of the techniques have been adjusted based on our experience with following the guides. Original articles:
http://support.microsoft.com/default.aspx?kbid=324958
http://support.microsoft.com/default.aspx?kbid=909005


Find the Problem

Before you start cleaning up the server, you need to find the source of the problem and deal with it.

Check Whether the Exchange Server is an Open SMTP Relay using a Telnet Test

A Telnet test involves establishing a Telnet session from a computer that is not located on the local network to the external (public) IP address of the Exchange server. You need to carry out the test from a machine at home, or from another office. Doing the test from a machine on your own network will produce useless results.

  1. Start a command prompt.
    Either click start, run and type CMD
    or Choose Command Prompt from Start, Programs, Accessories, Command Prompt
  2. Type “telnet” (minus quotes) and press enter.
  3. At the Telnet prompt, type

    set localecho

    (minus quotes) and press enter. This lets you see what is going on.

  4. Still in the telnet prompt, enter the following command and then press enter

    open 111.222.333.444 25

    where 111.222.333.444 is your Exchange server’s external IP address

  5. You should get a response back similar to the following:

    220 mail.server.domain Microsoft ESMTP MAIL Service, Version: 6.0.2790.0 Ready at

  6. Type the following command in to the telnet windows:

    ehlo testdomain.com

    and press enter (note “testdomain.com” can be anything that isn’t a domain that the Exchange server is responsible for.

  7. After pressing OK you should get a response back

    250 OK

  8. Type the following command in to the telnet window:

    mail from:address@testdomain.com

    and press enter (again where address@testdomain is an email address that is not on the Exchange server. Note the lack of space between from and the first part of the address).

  9. After pressing OK you should get a response back:

    250 2.1.0 address@testdomain.com….Sender OK

  10. Type the following command in to the telnet window:

    rcpt to:address@anotherdomain.com

    and then press enter (where address@anotherdomain.com is not either an address you use internally or the address you entered earlier as the from. Once again note the lack of space between to and the first part of the e-mail address).

  11. After pressing enter you will get one of two responses.
    If you get

    550 5.7.1 Unable to relay for address@anotherdomain.com

    then you are relay secure.
    However if you get

    250 2.1.5 address@anotherdomain.com

    Then you are an open relay.

What now?

There are two parts of the Exchange that can make your Exchange server an open relay, the Default SMTP Virtual Server and SMTP connectors. You need to check both to ensure that you haven’t configured them wrongly and turned your machine in to a spammers target.

Default SMTP Virtual Server

To check or correct the configuration of the Default SMTP Virtual Server:

  1. Start Exchange System manager (ESM)
  2. Expand Servers, <your server>, Protocols, SMTP.
  3. Right click on “Default SMTP Virtual Server” and choose Properties.
  4. Click on the “Access” Tab.
  5. There are four buttons, click on “Relay…” at the bottom.
  6. Ensure that “Only the list below” is enabled and the list is empty.
  7. If you don’t have users sending email through your email server with Outlook Express or another POP3 client then you can disable “Allow all users that successfully authenticate to relay regardless of the list above”.
  8. Apply/OK until all windows are closed.

SMTP Connections

  1. Start ESM, then open Connectors.
  2. Right click on each SMTP Connector in turn and choose Properties.
  3. Click on the “Address Space” tab.
  4. If you have a “*” in the address list, check that “Allow messages to be routed to these domains” is not enabled.
  5. Apply/OK until all windows are closed.

Once you have made the changes, restart the SMTP server service and then repeat the telnet test above to ensure that you have closed everything.


Check Whether an Authenticated User is Relaying

This technique requires the Windows Event Viewer to determine whether a user is trying to use the SMTP service in Exchange to send email. If you have disabled the authenticated user option already then this isn’t an issue.

  1. Start ESM.
  2. Expand Servers and then right click on your server and choose Properties.
  3. Click on the “Diagnostic Logging” tab.
  4. In the list of “Services” on the right, find “MSExchangeTransport”.
  5. In the resulting list choose “SMTP Protocol”.
  6. Below the list, change the “Logging Level” to Maximum and click Apply.
  7. Repeat for “Authentication”
  8. Press Apply/OK to close Server Properties.

You now need to watch the Event Logs on the Exchange server. In the application log you will see something similar to the following which can indicate that a user is trying to send email through the SMTP interface.

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 30/08/2004
Time: 15:45:08
User: N/A
Computer: EXCH-SRV1
Description: SMTP Authentication was performed successfully with client test-pc1. The authentication method was LOGIN and the username was domain\username.

If the account being used is “Guest” then you need to disable the Guest account.
If it is another account then you need to either change the password or disable the account.

Ideally you do not want any kind of relaying going on. The best option if this is happening is to disable the feature altogether. If this isn’t practical for business reasons, then you need to secure it as best you can.

The Administrator Account is the most common target

Note that the most common account that is used for this type of attack is the Administrator account. Therefore if you suspect that that the administrator account is being abused, then change its password and restart the SMTP Server Service to ensure that the new credentials are used. The administrator account is attacked because it doesn’t lock out.


Check whether you are under an NDR Attack

If you are under an NDR attack, then you will find lots of messages in the queues of the server. These messages have special characteristics which make them easy to spot.

  1. Start Exchange System Manager.
  2. Go to Servers, <your server>, Queues in Exchange 2003, or down to Protocols, SMTP in Exchange 2000.
  3. Select a queue that contains many messages, click Find messages, and then click Find Now.
  4. In the Sender field of the messages will be an address. If it is postmaster@ your domain then the message is an NDR. You can view the recipient of the NDR by double clicking on the message.

Note: If you are using an SMTP Connector to route email through your ISP using a smart host, then you cannot detect this type of attack. The messages are sent straight out to the ISP by your server. If your ISP has alerted you that there may be a problem, you will need to use message tracking and the SMTP log to detect the cause of the attack.

If you are on Exchange 2003 with Windows 2003 then you can stop an NDR attack by using recipient filtering and the tar pit option in Windows 2003. You will still need to clean the queues using the techniques outlined, but it will stop further traffic.

If you are on Exchange 2003 on Windows 2000 then you should NOT enable recipient filtering as this exposes your server to a directory harvest attack.
Exchange 2000 users do not have any kind of recipient filtering options available to them.
Therefore you should look at a third party tool that can do the filtering for you, often referred to as an LDAP lookup. Vamsoft ORF has Active Directory filtering and has a 30 day trial version.


Cleaning up the Server

Once you have found out the cause of the problem and dealt with it, then you need to clean up the server.

Block port 25 on your firewall/router so that SMTP traffic is not coming in while you cleaning the server. This stops new messages, both spam and valid messages and also ensures that nothing you want is lost while you clean up the server. As long as you do not leave the port closed for longer than 48 hours then genuine inbound email will still be delivered.

When following this procedure you should note that it can take NUMEROUS ATTEMPTS OVER MANY HOURS before the queues are clear. Exchange System Manager is notorious for being unable to show the true extent of the queues when it has been abused in this way, so messages can continue to appear even after you think you have cleaned the queues.

Cleaning Up the Exchange Server’s SMTP Queues

Warning: This process will delete all email that is due to go to external recipients. Internal messages are not affected, neither are new inbound messages from the Internet unless they are from the spammer continuing to try and abuse your server.

Capturing the Messages Into a Single Queue

This process requires an SMTP connector for all addresses. If you don’t already have one (with a * on the namespace tab) then you need to create one using the instructions below.
If you already have an SMTP Connector with a * on the namespace tab, then you can use it for this process. You will need to adjust the settings as appropriate. You may wish to just make a note of the settings, delete the connector and create a new one for this process. When complete recreate your live connector.

  1. In ESM, Connectors.
  2. Right click on connectors and choose New, SMTP Connector.
  3. On the “General Tab” type a name for the connector. “Spam Cleanup” or similar.
  4. Click the “Add” button under “Local Bridgeheads” and choose your Exchange server.
  5. Click on the “Address Space” tab.
  6. Click “Add” and choose SMTP. Leave each setting (* and cost of 1) and press ok.
    If all the spam is to one domain, then you could remove the * and enter the domain that the messages are being sent to. This should leave legitimate messages in the queue.
  7. Click on the General tab again. Change the option in the centre from DNS to “Forward all mail through this connector to the following smart hosts”.
  8. Enter an invalid IP address in square brackets:  [99.99.99.99].
  9. Click on the “Delivery Options” tab and ensure that “Specify when messages are sent through this connector” is selected.
  10. Change the option to 11pm. (If it is close to 11pm when you are doing this, use a much earlier time – 6am or similar. The time doesn’t matter as long as it is not close).
  11. Press Apply/OK to close the SMTP Connector dialogue.
  12. Restart SMTP Virtual Server.
    1. Expand Servers, <your server>, Protocols, SMTP.
    2. Right click on the “Default SMTP Virtual Server”
    3. Choose “Stop”. This may take a few minutes.
    4. Once it has stopped, right click again and choose “Start”.

The Exchange SMTP virtual server is now processing all the messages and placing them in to a single queue for your SMTP connector. This can take some time. You may want to wait until the number of messages in the queue stays constant before attempting the next stage.

Exchange 2000: The queues can be found in Servers, <your server>, Protocols, SMTP.

Exchange 2003: The queues can be found in Servers, <your server>, Queues.

You may also find the Servers listed under an administrative group.

To locate the required queue, look for a small red clock on the yellow icon. This indicates that it is on a timed delivery.

Deleting the Messages

Now that the messages are in one queue, it is quite easy to delete them

Exchange 2003

  1. Right click on this connector and choose “Find Messages”.
  2. In the drop down box select the number of messages to be listed in the search.
  3. Click “Find Now”.
  4. Once the search is complete, select all of the messages (use the shift-page down key combination)
  5. Then click “Delete all Messages (No NDR).

Exchange 2000

  1. Right click on this connector and choose “Delete All Message (No NDR)”
  2. Select Yes when asked if you want to delete all the messages in the queue.

Once the messages have been deleted, which could take some time, refresh the queues to ensure that they don’t continue to build. If they do then Exchange is still processing the messages. You will need to repeat the procedure to delete more messages until the queues are completely clear and stay at zero.

Once you have flushed out the messages, undo the changes that you have made.

If it was a new SMTP connector, delete it.
If you adjusted an existing connector, put the settings back how they were. Don’t forget the time on the “Delivery Options” tab. it should be “Always Run”.

Finally restart SMTP virtual server to get Exchange to start using the new settings.

If you closed port 25 during this process, then remember to open it up again.

Alternative Queue Clean Up Method

If you have a very large number of messages, then there is a command line tool that you can get from Microsoft.

ftp://ftp.microsoft.com/pss/Tools/

Then go in to the folders: Exchange Support Tools / Aqadmcli
(Due to the use of spaces in the folder names, a direct link isn’t possible)

After downloading the utility use the following command to clear all the queues.

aqadmcli delmsg flags=all


Clear up “Bad Mail” (Exchange 2000 or Exchange 2003 without SP1)

Messages that have been stuck in the queue but cannot deliver will usually end up in the “badmail” folder. This folder can take up a lot of space. You should remove the content of this folder to free up some valuable space.

Exchange 2003 SP1 and higher does not use the Badmail folder unless you specifically enable it via registry hack.

  1. Locate the Badmail folder
    The default location is C:\Program Files\Exchsrvr\Mailroot\Vsi 1
  2. DO NOT OPEN THE BADMAIL FOLDER. It may contain a large amount of messages which could make the server unresponsive.
  3. Right click on the folder “Badmail” and choose “Rename”. Give it a new name.
  4. While holding down the shift key, press the “Delete” key on your keyboard. Click yes to delete the contents immediately. Holding down shift bypasses the recycle bin, so make sure that you have selected the right folder.
  5. Exchange will recreate the “Badmail” folder when it needs to.

There are various techniques for dealing with the badmail folder. This blog posting outlines a useful script that you can use to do it for you:http://hellomate.typepad.com/exchange/2003/07/dealing_with_ba.html


Email Blacklists

If you were an open relay then you may have ended up on some of the blacklists. When the message bounces back you will get a reason code which should include which blacklist has rejected you.
To get off the blacklist you will have to find their web site and follow their procedure.

As a short term measure, setup an SMTP connector to send all your email via your ISPs SMTP server.

Using Email Blacklists (Exchange 2003 ONLY)

If you want to use an Email Blacklist yourself, then you will need to setup filtering. This article at MS tells you how:
http://support.microsoft.com/default.aspx?kbid=823866

Those of you using an older version of Exchange will have to use a third party tool – whether this is commercial or open source. Vamsoft’s ORF has blacklist support.

Steps to move a DHCP database from a Windows Server 2003 or 2008 to another Windows Server 2008 machine

The DHCP database can be moved or migrated from a Windows Server 2003 server to a Windows Server 2008 server, or from one Windows Server 2008 server to another.  The information below details the necessary steps.

Export the DHCP database from a server that is running Microsoft Windows Server 2003 or Windows Server 2008

To move a DHCP database and configuration from a server that is running Windows Server 2003 or Windows Server 2008 to another server that is running Windows Server 2008:

1.   Log on to the source DHCP server by using an account that is a member of the local Administrators group.

2.   Click Start, click Run, type cmd in the Open box, and then click OK.

3.   Type netsh dhcp server export C:\dhcp.txt all , and then press ENTER.

Note: You must have local administrator permissions to export the data.

Configure the DHCP server service on the server that is running Windows Server 2008

1.   Click Start, click Administrative Tools, click Server Manager. If needed acknowledge User Account Control.

2.   In Roles Summary click Add Roles, click Next, check DHCP server, and then click Next.

Import the DHCP database

1.   Log on as a user who is an explicit member of the local Administrators group. A user account in a group that is a member of the local Administrators group will not work. If a local Administrators account does not exist for the domain controller, restart the computer in Directory Services Restore Mode, and use the administrator account to import the database as described later in this section.

2.   Copy the exported DHCP database file to the local hard disk of the Windows Server 2008-based computer.

3.   Verify that the DHCP service is started on the Windows Server 2008-based computer.

4.   Click Start, click Run, type cmd in the Open box, and then click OK.

5.   At the command prompt, type netsh dhcp server import c:\dhcpdatabase.txt all , and then press ENTER, where c:\dhcpdatabase.txt is the full path and file name of the database file that you copied to the server.

Note When you try to export a DHCP database from a Windows 2000/2003 domain controller to a Windows Server 2008 member server of the domain, you may receive the following error message:

Error initializing and reading the service configuration – Access Denied

Note You must have local administrator permissions to import the data.

6.   To resolve this issue, add the Windows Server 2008 DHCP server computer to the DHCP Admins group at the Enterprise level and redo steps 4 & 5.

7.   If the “access is denied” error message occurs after you add the Windows Server 2008 DCHP server computer to the DHCP Admins group at the Enterprise level that is mentioned in step 6, verify that the user account that is currently used to import belongs to the local Administrators group. If the account does not belong to this group, add the account to that group, or log on as a local administrator to complete the import and redo steps 4 & 5.

Authorize the DHCP server

1.   Click Start, point to All Programs, point to Administrative Tools, and then click DHCP.

Note You must be logged on to the server by using an account that is a member of the Administrators group. In an Active Directory domain, you must be logged on to the server by using an account that is a member of the Enterprise Administrators group.

2.   In the console tree of the DHCP snap-in, expand the new DHCP server. If there is a red arrow in the lower-right corner of the server object, the server has not yet been authorized.

3.   Right-click the server object, and then click Authorize.

4.   After several moments, right-click the server again, and then click Refresh. A green arrow indicates that the DHCP server is authorized.