Event ID 10016, DistributedCOM: The application-specific permission settings do not grant Local Activation permission for the COM Server application

When you see the following event log error: Event ID 10016, Source: DistributedCOM. “The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.”

Solution: If you don’t know which application is causing this error, copy the GUID that follows CLSID, start the registry editor (regedit.exe) and search for the GUID. This shows which application is generating the error.
Once you know the application, start Administrative Tools – Component Services. Expand Component Services, Computers, My Computer, DCOM Config. Then locate the application, in this case IIS WAMREG, choose Properties and go to the Security tab.

Then at Launch and Activation Permissions, choose Customize (if not already chosen) and Edit.
Add the user account given in the event error, in this case the Network Service account, and allow Local Launch and Local Activation for it. After that close all windows and restart the IIS service.
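
The registry lookup described above can be scripted. This is an added example, not part of the original post: it pulls the CLSID and SID out of the event text, follows the CLSID to its AppID (the entry shown under DCOM Config) and translates the SID to an account name. The function name Resolve-Dcom10016 is hypothetical.

```powershell
# Added example. $sample is the event text quoted in the post; pass your own event message instead.
$sample = 'The application-specific permission settings do not grant Local Activation ' +
    'permission for the COM Server application with CLSID ' +
    '{61738644-F196-11D0-9953-00C04FD919C1} to the user NT AUTHORITY\NETWORK SERVICE ' +
    'SID (S-1-5-20) from address LocalHost (Using LRPC).'

function Resolve-Dcom10016 {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Message)

    if ($Message -match 'CLSID\s+(\{[0-9A-Fa-f-]{36}\})') { $clsid = $Matches[1] }
    else { throw 'No CLSID found in the event text.' }
    $sid = $null
    if ($Message -match 'SID\s+\((S-1-[0-9-]+)\)') { $sid = $Matches[1] }

    # HKCR\CLSID\{guid} names the COM class and carries the AppID of the entry
    # that DCOM Config lists; HKCR\AppID\{guid} holds that entry's display name.
    $class = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue
    $className = $null; $appId = $null; $appName = $null
    if ($class) { $className = $class.'(default)'; $appId = $class.AppID }
    if ($appId) {
        $app = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue
        if ($app) { $appName = $app.'(default)' }
    }

    # Translate the SID so the account to add on the Security tab is unambiguous.
    $account = $null
    if ($sid) {
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = "(unresolved) $sid" }
    }

    New-Object PSObject -Property @{
        Clsid = $clsid; ClassName = $className; AppId = $appId
        DcomConfigName = $appName; Sid = $sid; Account = $account
    } | Select-Object Clsid, ClassName, AppId, DcomConfigName, Sid, Account
}

Resolve-Dcom10016 -Message $sample | Format-List
```

Grant only the rights and the account that the event names; the output makes it easy to confirm both before changing the DCOM permissions.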

Update: There is a similar error about another CLSID but the options to change permissions are greyed out. Read here how to solve this issue.

Posted in Blog, SBS 2008, Windows 2008, Windows 2008R2 at September 29th, 2010. No Comments.

Exchange 2010 SP1 mailbox move errors

When moving a mailbox from an Exchange 2003 server to an Exchange 2010 server I ran into some warnings and errors.

When you try to move a mailbox via the wizard, choose “Skip the corrupted messages.” and select to skip more than 50 messages, you get the following error:
“Large BadItemLimit (50+) is specified. Please confirm your intention to accept a large amount of data loss by specifying AcceptLargeDataLoss.”

Solution: Use the Exchange Management Shell and run: New-MoveRequest -Identity "Mailboxname" -BadItemLimit 51 -AcceptLargeDataLoss (51 stands here for any limit above 50; enter the number of bad items you are willing to skip).
You can use other options if you like, but -AcceptLargeDataLoss resolves this issue. More options for the New-MoveRequest cmdlet are available here.

Another error I ran into was, “Active Directory operation failed on Servername. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], ADOperationException
+ FullyQualifiedErrorId : D6EC1D97,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest”

Solution: Go to the Active Directory user account which you are trying to move. Select Properties, the Security tab and then Advanced. Make sure “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with the entries explicitly defined here.” is checked. If not, enable it and then apply the setting.

Posted in Blog, Exchange 2010 at September 24th, 2010. No Comments.

Enable the use of saved credentials with remote desktop connection

When you use Remote Desktop Connection to connect to Windows Server 2008, 2008 R2, SBS 2008, Vista or Windows 7 and want to use saved credentials, this doesn’t work. When you start the connection you get the following error:

“Your system administrator does not allow the use of saved credentials to logon to the remote computer computername/ipadress because its identity is not fully verified. Please enter new credentials.” “The logon attempt failed”

Solution: This happens when you connect to a computer or server in another domain and no trust relationship exists. Windows then falls back to NTLM, and the default domain machine policy prohibits the use of saved credentials. You can change this for the whole domain or for an individual machine:

Start local group policy editor, start – run – gpedit.msc
Go to Local Computer Policy –> Computer Configuration –> Administrative Templates –> System –> Credentials Delegation
Edit “Allow Delegating Saved Credentials with NTLM-only Server Authentication”
Enable the policy, click Show and enter the value “TERMSRV/*” into the list.

Do the same thing for the following policies:
“Allow Delegating Saved Credentials”, “Allow Delegating Default Credentials with NTLM-only Server Authentication” and “Allow Delegating Default Credentials”

Close the policy editor, open a command prompt and run “gpupdate /force” to apply the policy immediately.
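
To verify what these four policies allow after gpupdate, the following added example (not from the original post) reads the values the policies write under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation and flags server lists that match every host, such as TERMSRV/*. The function name Get-CredentialDelegationReport is hypothetical.

```powershell
# Added example: report what the Credentials Delegation policies allow on this machine.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Policy title as used in the post, followed by the registry name the policy writes.
$policies = @(
    @('Allow Delegating Saved Credentials', 'AllowSavedCredentials'),
    @('Allow Delegating Saved Credentials with NTLM-only Server Authentication', 'AllowSavedCredentialsWhenNTLMOnly'),
    @('Allow Delegating Default Credentials', 'AllowDefaultCredentials'),
    @('Allow Delegating Default Credentials with NTLM-only Server Authentication', 'AllowDefCredentialsWhenNTLMOnly')
)

function Get-CredentialDelegationReport {   # hypothetical helper name
    foreach ($p in $policies) {
        $title, $name = $p

        # A DWORD of 1 under the base key means the policy is enabled.
        $enabled = $false
        $flag = Get-ItemProperty -LiteralPath $base -Name $name -ErrorAction SilentlyContinue
        if ($flag -and $flag.$name -eq 1) { $enabled = $true }

        # The "Show" list is stored as numbered string values in a subkey of the same name.
        $spns = @()
        $key = Get-Item -LiteralPath "$base\$name" -ErrorAction SilentlyContinue
        if ($key) { $spns = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) }

        # Entries of the form SERVICE/* apply to every server, not to a named host or domain.
        $broad = @($spns | Where-Object { $_ -match '^[^/]+/\*$' })

        New-Object PSObject -Property @{
            Policy = $title; Enabled = $enabled
            Servers = ($spns -join ', '); MatchesAnyServer = ($broad.Count -gt 0)
        } | Select-Object Policy, Enabled, Servers, MatchesAnyServer
    }
}

Get-CredentialDelegationReport | Format-List
```

The server list also accepts narrower entries, for example TERMSRV/host.example.com or TERMSRV/*.example.com (constructed names), which limit delegation to the machines that actually need it.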

Posted in Blog, SBS 2008, Windows 2008, Windows 2008R2 at September 21st, 2010. 33 Comments.

Outlook: The following message had an error and synchronization of it was skipped (0x00050b)

After migrating our Exchange 2007 server to Exchange 2010 I got Sync Issues on several Outlook clients. When you look at the log it says: The following message had an error and synchronization of it was skipped (0x00050b).

Solution: Just before the error the log shows Synchronizing server changes in folder ‘foldername’. When looking in the folder via Outlook no strange items were seen in this folder. When logging on to OWA and browsing to the folder I found an item which was corrupted. Looking back in Outlook the item wasn’t visible, so it looks like Outlook removes corrupted mails. So you have to remove the corrupted item via OWA.

Posted in Blog, Exchange 2010 at September 20th, 2010. No Comments.

Exchange 2007 or 2010 migration fails with: Access control list (ACL) inheritance is blocked

The setup of Exchange 2007, Exchange 2010 or even SBS 2008 stops with the error “Access control list (ACL) inheritance is blocked”

Solution: Exchange setup requires that permission inheritance is enabled for the following objects:
Exchange Organization object, Exchange Administrative Group object, Exchange Servers container object, Exchange Address List object, Exchange Public Folder object and Exchange Public Folder tree object.

For Exchange 2003, start Exchange System Manager, go to each of these objects, right-click and choose Properties, then on the Security tab choose Advanced and make sure “Allow inheritable permissions from the parent to propagate to this object and all child objects” is enabled. After that restart the Exchange server.

If the Security tab isn’t available you have to create the following registry value:
Value Name: ShowSecurityPage, Data Type: REG_DWORD, Radix: Binary, Value: 1, under the HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin key.

For Exchange 2007 and 2010 use adsiedit, and browse to the object you want to change. Right click and choose properties, then on the security tab choose advanced and make sure “Allow inheritable permissions from the parent to propagate to this object and all child objects” is enabled. Wait till Active Directory replication has replicated the changes.
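
The inheritance checkbox used here, and in the mailbox move post above for the user account, can be read and set from PowerShell through ADSI. This is an added example, not from the original posts; the function name Test-AdAclInheritance and the distinguished names are placeholders, and it assumes an account with rights to read and modify the object's ACL.

```powershell
# Added example: report (and optionally re-enable) permission inheritance on AD objects.
function Test-AdAclInheritance {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string[]]$DistinguishedName,
        [switch]$Enable   # without this switch the function only reports
    )
    foreach ($dn in $DistinguishedName) {
        try {
            $entry = [ADSI]"LDAP://$dn"
            $acl = $entry.psbase.ObjectSecurity
            $blocked = $acl.AreAccessRulesProtected   # True = inheritance checkbox is cleared
            $changed = $false
            if ($blocked -and $Enable) {
                # $false switches protection off, so inheritable entries from the parent
                # apply again. The second argument only matters when switching it on.
                $acl.SetAccessRuleProtection($false, $true)
                $entry.psbase.CommitChanges()
                $changed = $true
            }
            New-Object PSObject -Property @{
                DistinguishedName = $dn; InheritanceBlocked = $blocked; Reenabled = $changed
            } | Select-Object DistinguishedName, InheritanceBlocked, Reenabled
        } catch {
            Write-Warning "Could not process ${dn}: $($_.Exception.Message)"
        }
    }
}

# Constructed placeholder DNs; replace them with the user or Exchange object to check.
$targets = @(
    'CN=Some User,OU=Staff,DC=example,DC=local',
    'CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=local'
)
Test-AdAclInheritance -DistinguishedName $targets             # report only
# Test-AdAclInheritance -DistinguishedName $targets -Enable   # report and re-enable
```

Run it in report mode first and review which objects have inheritance blocked. Accounts that are members of protected groups such as Domain Admins have inheritance switched off again by the AdminSDHolder process.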

Posted in Blog, Exchange 2007, Exchange 2010, SBS 2008 at September 17th, 2010. No Comments.

Upgrading Exchange 2010 RTM to Exchange 2010 SP1

When upgrading your Exchange 2010 RTM server to Exchange 2010 SP1 you need to install a set of prerequisite hotfixes. These hotfixes depend on which operating system you run and which Exchange roles you have installed on the server.

When you start the Exchange 2010 SP1 setup, you can first choose the Exchange language option for the upgrade. If you run multiple servers you can download the language bundle file from Microsoft, so you can point to this file during every installation and don’t have to download it multiple times.

After you choose the language option you can choose Install Microsoft Exchange Server upgrade. This starts a wizard and after the introduction and license agreement, the readiness checks are performed. This is where setup tells you which prerequisites are needed.

In my case all servers are running windows server 2008 R2. I have 2 load balanced Client Access / Hub Transport servers and 2 Mailbox servers configured with a DAG.

For the Client Access role the following updates are needed: KB 982867, 979744, 983440 and 977020.

For the Hub Transport and the Mailbox role only the Microsoft Office 2010 Filter Pack is needed.

In my case KB 979099 was already installed by windows updates so wasn’t needed.

When upgrading keep the following Exchange roles upgrade order in mind:
Client Access server
Hub Transport server
Unified Messaging server
Mailbox server

More information about upgrading, pre-requirements and known issues can be found:
by the Exchange team: Exchange 2010 SP1 FAQ and Known Issues
by Microsoft Technet: Upgrade from Exchange 2010 RTM to Exchange 2010 SP1

Posted in Blog, Exchange 2010 at September 15th, 2010. No Comments.

Error updating public folder with free/busy information.

On an Exchange server you notice the following error in the application event log:
Event id 8207, MSExchangeFBPublish
Error updating public folder with free/busy information on virtual machine servername. The error number is 0x80004005.

Start an elevated Exchange Management Shell and run the following command:
Set-PublicFolder -Identity "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY\EX:/o=organizationname/ou=First Administrative Group" -Replicas "public folder database"

Posted in Blog, Exchange 2007, Exchange 2010 at September 11th, 2010. No Comments.

OfflineAddressBook, PublicFolderDatabase still points to old server

After migrating your Exchange server (I’ve seen this in transition to Exchange 2007 and 2010) the PublicFolderDatabase for your OfflineAddressBook is still pointing to the old server’s public folder store.

When you run the Get-OfflineAddressBook | fl command in an Exchange Management Shell on your new server, you get a result like this:

At Server you see the new server name and the PublicFolderDatabase is still pointing to your old server. Public folder replicas and the offline address book generation server are already moved to the new server.

Solution: I found if you do the following steps you can change the PublicFolderDatabase.
First start adsiedit and browse to CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=First Organization, CN=Address Lists Container, CN=Offline Address Lists and open the properties of CN=Default Offline Address List

Look for the siteFolderServer attribute, here you will see the old public folder store. Choose clear and close with ok, now you may close adsiedit.

Now go to the exchange management console, Organization Configuration, Mailbox, Offline Address Book open the properties of the Default Offline Address List and go to the tab distribution.

Uncheck “Outlook version 2 and 3” at client support and “Enable public folder distribution”. Make sure “Web-based distribution” is enabled. Choose Apply and OK, then right-click on Default Offline Address List and choose Update. After that go back to Properties and Distribution and check “Outlook client support version 2 and 3” and “Enable public folder distribution”. Again choose Apply and OK, then right-click and choose Update.

When you go back to the exchange management shell and repeat get-OfflineAddressBook | fl you now will see the public folder store on your new server.

Posted in Blog, Exchange 2007, Exchange 2010 at September 8th, 2010. 45 Comments.

Autodiscover errors after installing an SSL certificate on an Exchange server

When you install an Exchange 2007 or 2010 Client Access server and use Outlook 2007 or 2010, you will get an autodiscover error by default. Connecting with Outlook Web Access or Outlook Web App also gives a certificate error.

To solve this problem you will have to import the certificate on all computers. Another way is to buy a trusted third party certificate. In most cases this will be a SAN / UCC certificate so you can use multiple names on the certificate, webmail.domain.name, autodiscover.domain.name, servername.domain.name and for a transition legacy.domain.name.

But after you have requested and installed the certificate you still get an autodiscover or certificate error.

Possible solution: you will have to change some autodiscover and client access settings. I will describe the way to check and change the settings with the Exchange Management Shell. Some settings can also be changed in the GUI.

Check the AutoDiscoverServiceInternalUri with the following command: Get-ClientAccessServer | ft Identity,AutoDiscoverServiceInternalUri
To change the setting: Set-ClientAccessServer -Identity "SERVERNAME" -AutoDiscoverServiceInternalUri "https://url.domain.name/autodiscover/autodiscover.xml"

For the following settings you can set a different URL for internal and external use. You can also use the same URL for both, but in that case your internal and external DNS must be set up correctly.

Check the AutodiscoverVirtualDirectory: Get-AutodiscoverVirtualDirectory | ft internalurl,externalurl
To change the settings:
Set-AutodiscoverVirtualDirectory -Identity 'SERVERNAME\Autodiscover (Default Web site)' -ExternalUrl 'https://externalurl.domain.name/Autodiscover/Autodiscover.xml'
Set-AutodiscoverVirtualDirectory -Identity 'SERVERNAME\Autodiscover (Default Web site)' -InternalUrl 'https://internalurl.domain.name/Autodiscover/Autodiscover.xml'

Check the WebServicesVirtualDirectory InternalUrl and ExternalUrl: Get-WebServicesVirtualDirectory | ft internalurl,externalurl
To change the settings:
Set-WebServicesVirtualDirectory -Identity 'SERVERNAME\EWS (Default Web site)' -ExternalUrl 'https://externalurl.domain.name/EWS/Exchange.asmx'
Set-WebServicesVirtualDirectory -Identity 'SERVERNAME\EWS (Default Web site)' -InternalUrl 'https://internalurl.domain.name/EWS/Exchange.asmx'

You will have to do the same thing for all of the following options. If you don’t use one of them you can consider skipping that setting.

Get-OabVirtualDirectory | ft internalurl,externalurl
Set-OabVirtualDirectory -Identity "SERVERNAME\OAB (Default Web site)" -InternalUrl 'https://internalurl.domain.name/OAB'
Set-OabVirtualDirectory -Identity "SERVERNAME\OAB (Default Web site)" -ExternalUrl 'https://externalurl.domain.name/OAB'

Get-ActiveSyncVirtualDirectory | ft internalurl,externalurl
Set-ActiveSyncVirtualDirectory -Identity "SERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl 'https://internalurl.domain.name/Microsoft-Server-ActiveSync'
Set-ActiveSyncVirtualDirectory -Identity "SERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl 'https://externalurl.domain.name/Microsoft-Server-ActiveSync'

Get-OwaVirtualDirectory | ft internalurl,externalurl
Set-OwaVirtualDirectory -Identity "SERVERNAME\owa (Default Web Site)" -InternalUrl 'https://internalurl.domain.name/owa'
Set-OwaVirtualDirectory -Identity "SERVERNAME\owa (Default Web Site)" -ExternalUrl 'https://externalurl.domain.name/owa'

Get-UMVirtualDirectory | ft internalurl,externalurl
Set-UMVirtualDirectory -Identity "SERVERNAME\UnifiedMessaging (Default Web site)" -InternalUrl 'https://internalurl.domain.name/UnifiedMessaging/Service.asmx'
Set-UMVirtualDirectory -Identity "SERVERNAME\UnifiedMessaging (Default Web site)" -ExternalUrl 'https://externalurl.domain.name/UnifiedMessaging/Service.asmx'

Note: when you are using SBS 2008 you should replace (Default Web site) with (SBS Web Applications)
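
After changing the URLs, every host name in them has to appear on the installed certificate or clients keep getting name-mismatch errors. The following added example (not from the original post) collects the URLs from the Get- cmdlets above and compares their host names with the names on the certificates enabled for IIS. The function name Test-NameOnCertificate is hypothetical, and it assumes the Services and CertificateDomains values returned by Get-ExchangeCertificate convert to plain strings.

```powershell
# Added example: run in the Exchange Management Shell on a Client Access server.
function Test-NameOnCertificate {   # hypothetical helper name
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one extra label: *.domain.name matches
        # webmail.domain.name but not a.b.domain.name or domain.name itself.
        if ($n.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

# Collect every URL that the cmdlets in this post configure.
$urls = @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$cmdlets = 'Get-AutodiscoverVirtualDirectory', 'Get-WebServicesVirtualDirectory',
    'Get-OabVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
    'Get-OwaVirtualDirectory', 'Get-UMVirtualDirectory'
foreach ($c in $cmdlets) {
    # Skip cmdlets that are not available on this Exchange version or role.
    if (Get-Command $c -ErrorAction SilentlyContinue) {
        $urls += & $c | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    }
}

# Names on the certificates that are enabled for IIS.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" })

# One row per distinct host name used in a URL.
$urls | Where-Object { $_ } |
    ForEach-Object { ([uri]"$_").Host } |
    Sort-Object -Unique |
    ForEach-Object {
        New-Object PSObject -Property @{
            HostName = $_
            OnCertificate = (Test-NameOnCertificate -HostName $_ -CertNames $certNames)
        } | Select-Object HostName, OnCertificate
    }
```

Any row with OnCertificate set to False points at a URL to change or a name to add to the SAN / UCC certificate.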

Posted in Blog, Exchange 2007, Exchange 2010 at September 3rd, 2010. 3 Comments.
