ldapsearch example on Active Directory

Just putting this here for safekeeping since I couldn’t remember the exact syntax.

[evan@ehoffman 10:35:50 ~]$ ldapsearch -x -LLL -D "ldapuser@example.com" -w password -b "OU=Users,DC=example,DC=com" -s sub -H ldaps://activedirectory.example.com "(sn=hoffman)" cn mail displayName samaccountname
dn: CN=Evan Hoffman,OU=Tech,OU=Users,DC=example,DC=com
cn: Evan Hoffman
displayName: Evan D. Hoffman
sAMAccountName: ehoffman
mail: Evan.Hoffman@example.com

Explanation: Connect to activedirectory.example.com using ldaps (SSL) with simple authentication, binding as ldapuser@example.com with password password; search for (sn=hoffman) within the OU=Users,DC=example,DC=com search base (branch), and search the subtree. Return the cn, mail, displayName, and samaccountname fields.

Refer to the ldapsearch man page for more options.
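The same query as a small script, added here as an example and not part of the original post. It builds the ldapsearch argument list from the one-liner above, but reads the bind password from a file (-y) instead of passing it with -w, where it ends up in shell history and in `ps` output, and pins the ldaps:// connection to a CA certificate via the LDAPTLS_* environment variables. It also parses the LDIF that `ldapsearch -LLL` prints, including the two things that break a quick `grep`: folded continuation lines and base64 (`attr::`) values, which AD emits for non-ASCII text and binary attributes. The host, bind account, file paths and SAMPLE_LDIF are constructed placeholders.

```python
"""Added example (not from the original post): build the ldapsearch command
without exposing the bind password, and parse `ldapsearch -LLL` LDIF output."""
import base64
import os
import shlex
import subprocess
from typing import Dict, List, Optional, Tuple


def build_ldapsearch(host: str, bind_dn: str, passwd_file: str, base: str,
                     ldap_filter: str, attrs: List[str],
                     cacert: Optional[str] = None) -> Tuple[List[str], Dict[str, str]]:
    """Return (argv, extra_env) for the post's query.

    Differences from the one-liner in the post:
      * -y FILE instead of -w PASSWORD, so the password is not visible in
        `ps` output or shell history (keep the file mode 0600);
      * LDAPTLS_REQCERT=demand (plus LDAPTLS_CACERT when given) so the ldaps://
        session is refused unless the DC's certificate chains to that CA.
    """
    argv = ["ldapsearch", "-x", "-LLL",
            "-H", f"ldaps://{host}",
            "-D", bind_dn,
            "-y", passwd_file,
            "-b", base,
            "-s", "sub",
            ldap_filter, *attrs]
    env = {"LDAPTLS_REQCERT": "demand"}
    if cacert:
        env["LDAPTLS_CACERT"] = cacert
    return argv, env


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse `ldapsearch -LLL` output into one dict per entry.

    Attribute names are lower-cased because LDAP names are case-insensitive
    (AD prints sAMAccountName whatever case you asked for). A line starting
    with a space continues the previous line; "attr:: ..." carries base64.
    """
    lines: List[str] = []
    for raw in text.splitlines():          # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Optional[Dict[str, List[str]]] = None
    for line in lines:
        if not line.strip():               # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):           # comments (absent with -LLL)
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def first(entry: Dict[str, List[str]], attr: str) -> Optional[str]:
    """First value of an attribute, looked up case-insensitively."""
    values = entry.get(attr.lower())
    return values[0] if values else None


def run_search(argv: List[str], extra_env: Dict[str, str]) -> List[Dict[str, List[str]]]:
    """Run ldapsearch (needs a reachable DC) and parse its output."""
    out = subprocess.run(argv, env={**os.environ, **extra_env},
                         capture_output=True, text=True, check=True)
    return parse_ldif(out.stdout)


# Constructed sample in the shape of the post's output: displayName is
# base64-encoded ("Evan D. Hoffman") and the mail line is folded.
SAMPLE_LDIF = (
    "dn: CN=Evan Hoffman,OU=Tech,OU=Users,DC=example,DC=com\n"
    "cn: Evan Hoffman\n"
    "displayName:: RXZhbiBELiBIb2ZmbWFu\n"
    "sAMAccountName: ehoffman\n"
    "mail: Evan.Hoffman@exam\n"
    " ple.com\n"
)

if __name__ == "__main__":
    argv, env = build_ldapsearch("activedirectory.example.com", "ldapuser@example.com",
                                 "/etc/ldap/bind.pw", "OU=Users,DC=example,DC=com",
                                 "(sn=hoffman)", ["cn", "mail", "displayName", "sAMAccountName"],
                                 cacert="/etc/ssl/certs/corp-ca.pem")
    print(shlex.join(argv))
    for entry in parse_ldif(SAMPLE_LDIF):
        print(first(entry, "sAMAccountName"), first(entry, "displayName"), first(entry, "mail"))
```

Without LDAPTLS_REQCERT=demand (or TLS_REQCERT in ldap.conf) OpenLDAP's default on many distributions is to accept an unverifiable server certificate, which makes ldaps:// little better than plain ldap:// against an on-path attacker; the password file is also what lets the command live in a cron job without the secret in the crontab.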

Exchange 2010 – Out-of-office response (OOF) won’t turn off?

Two users reported the same problem this week: they turned on their out-of-office reply while they were out, then came back and turned it off. Except even after they turned it off, the autoreply was still being sent out. I had them log in to OWA and make sure it was off (maybe some weird bug with Outlook not registering the change in the server), which it was in both cases. I Googled hard and fast and couldn’t find anyone with this same problem.

I went in with PowerShell and checked their autoreply status via Get-MailboxAutoReplyConfiguration and it appears that it is, in fact, disabled:

[PS] C:\Windows\system32>Get-mailbox -identity username | Get-MailboxAutoReplyConfiguration
RunspaceId       : 7ad7e9af-cd57-4572-a4fd-c1e999e4b9a5
AutoReplyState   : Disabled
EndTime          : 8/12/2010 12:00:00 PM
ExternalAudience : All
ExternalMessage  :
InternalMessage  :
StartTime        : 8/11/2010 12:00:00 PM
MailboxOwnerId   :  [removed]
Identity         :  [removed]
IsValid          : True

I used Set-MailboxAutoReplyConfiguration to set the messages to “” (empty string) and it’s still sending the user’s autoresponse, from before I blanked it out. My working theory right now is that the out-of-office message was set on both the Exchange 2010 server and the Exchange 2003 server (where the mailboxes were before I migrated them to 2010).

What a fun problem! It’s hard to test whether I’ve fixed it, since each sender only receives the message once, so I have to keep creating new test email addresses to send test messages.

Also, as an aside, why is “out-of-office” abbreviated “OOF” in Microsoft’s docs?

Edit 1: I had one user verify the message was off in OWA and then start Outlook via Start -> Run… “outlook /cleanrules” and this seemed to resolve the issue. Hopefully this isn’t required every time…

Changing Active Directory Password in Browser through OWA 2010

A few months ago I was on a quest to figure out how to change my Active Directory password via a browser (for Linux/Mac users). I finally figured it out, but since I’ve been working on this Exchange 2010 migration I noticed one of the features of OWA (Outlook Web App) in Exchange 2010 is that you can change the AD password right in the browser from within the app:

The new OWA has a zillion other awesome features, my favorite being that Firefox and Chrome are no longer second-class-citizens and can use the “full version” now, even on Linux. So anyway, I guess all my work was for nothing. Not the first time (or the last). 🙂

Outlook 2007 & Exchange 2010 Autodiscover SSL certificate error annoyance

One of the more annoying side effects of migrating my mailbox to Exchange 2010 has been the nagging of Outlook 2007’s Autodiscovery feature. Now, every time I start Outlook I get hit with a certificate error for autodiscover.domain.com. Now, autodiscover.domain.com is a CNAME to mail.domain.com, which is the OWA URL for the CAS. The SSL certificate is valid – but it’s valid for mail.domain.com. I could buy a SSL certificate from GoDaddy for $12.99 (an insanely great price, btw) for “autodiscover” but that would also require using another IP address on the CAS (since you can only bind one SSL certificate to an IP:port pair), and that seems like a waste of an IP address.

I found a possible solution in KB 940726. Basically you use this cmdlet to change the Autodiscover URI for internal clients:

Set-ClientAccessServer –AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

You’d replace mail.contoso.com with the external URL of your OWA server (in my case, mail.domain.com). I’ve made the changes but I think I need to wait for AD propagation. Hopefully this will resolve it, because I don’t want to move everyone’s mailboxes over until this thing is “perfect,” whatever that means.

Edit: I also needed to add a SRV record so Outlook would know what host to check for autodiscovery when outside the domain.

Edit 2: Also need to install a hotfix or be running Outlook 2007 SP1 or later for the SRV functionality.

Edit 3: It occurs to me that a simpler fix for this issue may be simply to delete the DNS record for autodiscover entirely. That way, when Outlook attempts to open the SSL connection to autodiscover.domain.com, it gets an NXDOMAIN error and (should) silently skip it. Unfortunately we have wildcard DNS active for our domain.
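The diagnosis above is that the CAS certificate is perfectly valid, just issued for mail.domain.com and not for autodiscover.domain.com, and the fixes (internal URI, SRV record, dropping the DNS name) all work by steering Outlook to a name the certificate does cover. The script below is an added example, not part of the original post: it fetches the names on the certificate a host presents and checks them against the hostname the client is using, with the leftmost-label wildcard rule that browsers and Outlook apply, so you can confirm what a certificate covers before buying another one. The host names and SAMPLE_CERT are constructed placeholders; fetch_cert_names needs network access, the matching functions do not.

```python
"""Added example (not from the original post): which hostnames does the
certificate a CAS presents actually cover?"""
import socket
import ssl
from typing import Iterable, List


def names_in_cert(cert: dict) -> List[str]:
    """DNS names a certificate is valid for, from a dict in the shape that
    ssl.SSLSocket.getpeercert() returns: subjectAltName dNSName entries,
    falling back to the subject CN only when there is no SAN at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(hostname: str, pattern: str) -> bool:
    """Exact match, or a wildcard that stands in for the leftmost label only:
    *.domain.com matches mail.domain.com but not domain.com or a.b.domain.com."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return hostname == pattern


def cert_covers(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if any name on the certificate matches the hostname being checked."""
    return any(name_matches(hostname, pattern) for pattern in cert_names)


def fetch_cert_names(host: str, port: int = 443) -> List[str]:
    """Connect with TLS (SNI = host) and return the names on the presented cert.
    The hostname check is switched off on purpose so a mismatched cert can be
    inspected; the chain is still validated against the system CA store, so a
    self-signed certificate will raise here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return names_in_cert(tls.getpeercert())


def report(hostnames: Iterable[str], cert_names: Iterable[str]) -> dict:
    """Map each hostname a client might use to whether the cert covers it."""
    names = list(cert_names)
    return {h: cert_covers(h, names) for h in hostnames}


# Constructed stand-in for getpeercert() output from a CAS whose certificate
# was bought for mail.domain.com only.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "www.domain.com")),
}

if __name__ == "__main__":
    # Offline: the two URLs Outlook tries before falling back to the SRV record.
    print(report(["mail.domain.com", "autodiscover.domain.com"], names_in_cert(SAMPLE_CERT)))
    # Live (placeholder host): uncomment to inspect a real CAS.
    # print(report(["autodiscover.domain.com"], fetch_cert_names("mail.domain.com")))
```

Running the offline part prints `{'mail.domain.com': True, 'autodiscover.domain.com': False}`, which is exactly the error Outlook reports; an SRV record or the internal URI from KB 940726 sends the client to mail.domain.com, where the same certificate passes.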

Other useful resources:

The Joy of Migrating from Exchange 2003 to 2010

I’ve been working on migrating from Exchange 2003 to Exchange 2010 for several weeks. Actually, at this point it feels like several months. Now that I think about it, I guess that’s because it’s actually been several months.

Back in January or February, I got fed up with the Exchange setup I inherited: our Exchange 2003 server was running on a server in the basement of our office, on non-UPS power, with a power company that likes to pull shenanigans (like 3-4 hour outages every few months). In addition, the physical machine itself has some weird bug where it would hang at the POST screen complaining about some USB device, even though there are no USB devices plugged in, and USB is disabled in the BIOS. Meanwhile, in the datacenter, I had recently finished migrating most of our ancient physical servers to virtual machines on beautiful new hardware. It didn’t take long to see the solution that seemed to be obvious: move Exchange to the datacenter, in a VM.

There was a major wrinkle in this plan, however: there were no quota limits enforced in Exchange, and the average mailbox was 6-7 gigabytes, with 4 users over 10 gigs. At the time, we only had a 5 mbit upload connection to the datacenter, and the total size of the mailboxes was around 400 gigs. I didn’t want to spend weeks and weeks moving tons of mail over a slow pipe – and with mailboxes being so big, I wasn’t sure I could even complete some of them overnight.

At this point I brought up the idea of migrating the company to Google Apps. I’m a big fan of Gmail and moving off of Exchange would have certainly simplified some aspects of my job, and nobody would need Outlook (especially not me). I knew it would be a tough sell internally, but the pricing certainly didn’t help; it came out to $83/user/year for Google Apps + document retention. The price came out to about the same as upgrading to Exchange 2010. If it had been half or a third the cost I may have pushed harder, but to make the story (a little) shorter, we ended up sticking with Exchange, and instituting quotas.

We phased in the quotas over the course of a month to give users time to archive and clean up their mailboxes. Once that was done, I set up a new Exchange 2003 frontend server (in a VM) in the datacenter and pointed our webmail (OWA & ActiveSync) there. So we had the frontend in the datacenter and the backend “mailbox” server still in the office. I then set up another VM running Exchange 2003 in the datacenter. This enabled me to move mailboxes over one at a time with almost no interruption in service, except for the user whose mail was in transit. Since we instituted quotas, the mailboxes were all under 2 GB, and I was able to do 6-10 mailboxes each night.

I can’t tell you how happy I was when we lost power yet everyone retained full connectivity to email via their phones (except BlackBerry users, since BES was still in the basement — note to RIM: ActiveSync!).

So phase 1 & 2 (instituting quotas and moving email out of the basement) were complete. Phase 3 was the bigger unknown – moving to Exchange 2010. After lots of reading and planning, installing, configuring and testing, about two weeks ago I set up a Client Access Server to serve as the new webmail “frontend.” Microsoft has some pretty great instructions for setting up 2003 and 2010 in coexistence, but basically you point your “real” webmail URL to the 2010 CAS and move your “old” Exchange 2003 webmail to another url (they suggest legacy.company.com). Then people log in to the 2010 interface, and if their mailbox is housed on the 2003 server, it seamlessly redirects them to https://legacy.company.com/, and they don’t have to log in again. Pretty slick, and I didn’t believe it would work until I saw it for myself (which, btw, it does). So ActiveSync and Outlook Anywhere were working through the 2010 CAS even for the users housed on the 2003 server (which was all of them).

This week I started moving users over to Exchange 2010. So far it’s been mostly positive. We have several Mac users, so the ability for them to have native mail & calendaring is pretty epic. The Outlook Web App in Exchange 2010 is phenomenal. I mean, it almost brings a tear to my eye, it’s so beautiful – especially when compared with 2003. And being able to do server-side searching in OWA & on my iPhone is fabulous.

All is not perfect, though. I keep getting stupid certificate errors for Autodiscover when I open Outlook 2007. I guess I’ll need to buy another SSL certificate and dedicate another IP to this service… ugh. And now that I moved my mailbox to Exchange 2010, Outlook Anywhere appears not to work. Oh well, almost there…

vCenter: Error parsing the server "(server IP)" "clients.xml" file

I got the above error today after running Windows Update on my XP VM a few days ago. A quick search showed that the error is caused by a Microsoft update to the .NET framework. To resolve it, remove update KB980773 (Add/Remove programs, make sure “Show Updates” is checked; KB980773 is under “Microsoft .NET Framework 2.0 Service Pack 2”). I removed it and was able to log in without problems.

References:

Edit 10/22/2010: You can also resolve this by upgrading your vCenter client to 4.1, which I recently did. 4.1 is available on vmware.com.

Hygiene Management?

I’m installing Exchange 2010 and in the docs it shows a bunch of groups that get created in the AD Schema during the domain prep part. After running prep, I looked to see if the groups were there, and sure enough they were (yay). What caught my eye was that one of the groups is called Hygiene Management. I thought maybe this was an Easter Egg from MS, but apparently it’s just the name of the group of people who can manage the Exchange antivirus/antispam features. Still funny though.