WSUS thorough cleanup

	1. Open the Windows Update Services MMC
	2. Select the All Updates View Set the display to show the Approval status of 'Any except Declined' with a Status of 'Any'. Click Refresh.
	3. Display the Supercedence Column Right-click the column headers and select Supercedence.
	4. Sort by Supercedence Left-click on the Supercedece Column.
	5. Select and Decline the Superceded Updates The updates to be declined have one of two particular flowchart symbols for their updates pictured in the attached image. Select the correct updates and Decline them by either right-clicking the selected updates and clicking decline or by pressing the decline button in the action pane.
	6. Run the Server Cleanup Wizard Make sure you have all options selected in the wizard and let it run. It will delete the files from the declined updates.
	7. OPTIONAL: Automatic Approval Options In the automatic approval options, under the advanced tab, there is an option to automatically approve update revisions for previously approved updates and subsequentially decline the now expired updates. I suggest you select them.

 

Verifying the file share witness server / directory in use for Exchange 2010

After trying a script that i was building, i received an unexpected error.

WARNING: Database availability group 'CL-XXXX' witness is in a failed state. The database availability group requires         
the witness server to maintain quorum. Please use the Set-      DatabaseAvailabilityGroup cmdlet to re-create the witness      
server and directory.                                          

After some reading i came across this blogarticle.

In short:

To check the witness share(s):

Get-DatabaseAvailabilityGroup -Identity CL-XXXXX -Status | fl name,servers,witnessserver,witnessdirectory,alternatewitnessserver,
alternatewitnessdirectory,operationalservers,primaryactivemanager,
witnessshareinuse

Name                      : DAG-Clustername                         
Servers                   : {SR-XXXX1, SR-XXXX2, SR-XXXX3, SR-XXXX4}
WitnessServer             : sr-CasHub1.domain.lan             
WitnessDirectory          : C:\DAGFileShareWitnesses\DAG-Clustername
AlternateWitnessServer    : sr-CasHub2.domain.lan                   
AlternateWitnessDirectory : C:\DAGFileShareWitnesses\DAG-Clustername
OperationalServers        : {SR-XXXX1, SR-XXXX2, SR-XXXX3, SR-XXXX4}
PrimaryActiveManager      : SR-XXXX3                                
WitnessShareInUse         : InvalidConfiguration                    

Check cluster resource using cluster commands

[PS] D:\Scripts>cluster cl-XXXXX.domain.lan res                     
Listing status for all available resources:                         
Resource             Group                Node            Status    
-------------------- -------------------- --------------- ------    
Cluster IP Address   Cluster Group        SR-XXXX3        Online    
Cluster Name         Cluster Group        SR-XXXX3        Online    
File Share Witness (\\sr-XXXX1.domain.lan\CL-XXXXX.domain.lan)       Cluster Group        SR-XXXX3                             Failed    

Check cluster using cluster Powershell module

[PS] D:\Scripts>Import-Module FailoverClusters                     
[PS]:\Scripts>                                                    
[PS] D:\Scripts>Get-ClusterQuorum -Cluster cl-XXXXX.domain.lan | fl
Cluster        : CL-XXXXX                                          
QuorumResource : File Share Witness (\\sr-XXXX1.domain.lan\CL-      XXXXX.domain.lan)                                                  
QuorumType     : NodeAndFileShareMajority                          

[PS] D:\Scripts>Get-ClusterResource "File Share Witness (\\sr-      XXXX1.domain.lan\CL-XXXXX.domain.lan)" -Cluster cl-XXXXX.domain.lan
| Get-ClusterParameter                                             
Object                        Name                                  Value                         Type                                 
------                        ----              -----                                        ----                                      
File Share Witness (\\sr-X... SharePath         \\sr-               XXXX1.domain.lan\CL-1... String                                    
File Share Witness (\\sr-X... ArbitrationDelay                      6                             UInt32                               

To correct the error:

Set-DatabaseAvailabilityGroup -Identity CL-XXXXX -WitnessServer sr-  XXXX1 -WitnessDirectory C:\DAGFileShareWitnesses\CL-XXXXX.domain.lan

And for the alternate witness directory:

Set-DatabaseAvailabilityGroup -Identity CL-XXXXX                     -AlternateWitnessDirectory C:\DAGFileShareWitnesses\CL-            XXXXX.domain.lan -AlternateWitnessServer SR-XXXX2                  

Source

Lync and the address book sync errors

"Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book"

Look familiar?

A couple of things to check, first on the lync server in Powershell

Update-CsUserDatabase
update-csuseraddressbook

After 5 minutes the update has completed, check the event viewer for event id 21005.

The Lync client will not immediately update the address book, but you can force the update.

First, execute the following command from the Windows Command Prompt run as an administrator (or manually add the GalDownloadInitialDelay registry key).  Setting this value to 0 will force Lync to immediately download the address book instead of randomly selecting a time to check the server.

reg add HKLM\Software\Policies\Microsoft\Communicator /v GalDownloadInitialDelay /t REG_DWORD /d 0 /f

Second, exit the Lync client and manually delete the GalContacts.db and GalContacts.db.idx files from the user’s profile directory. If the .db file still exists during startup of the client then Lync may still wait for that random interval between 0 and 60 minutes before checking for changes on the server’s address book files.  By deleting the file the Lync client must download an entire new copy, forcing it to pick up any changes.

On Windows XP workstations:
%userprofile%\Local Settings\Application Data\Microsoft\Communicator\sip_<username@domain>\
On Windows Vista or Windows 7 workstations:
%userprofile%\AppData\Local\Microsoft\Communicator\sip_<username@domain>\

Restart the Lync client and search for any of the recently changed information, for example the Telephone Number added to this AD user account now appears for the Lync contact.

Another few things to check:

Use the “Automatically detect settings” instead of specifying settings for a proxy server in IE

For IE7 under Advanced / Security, uncheck the option “Check for server certificate revocation” and restart the browser (manually or via Group Policy)

Ascertain that the URL listed on the certificate points to the Certificate Revocation List (CRL) Distribution Point that is reachable on the inside and/or outside network

If OCS is deployed with digital certificates issued from an internal CA, add the .crl URL to the Trusted sites or Local Intranet zone on the Security tab in IE then exit and restart MOC e.g. http://*.cinline.se This enables the intranet URL for Address Book (AB) download to be recognized as safe and valid.

Deploy certificates from trusted public Certificate Authority (CA) permits both domain and guest (non-domain) accounts to connect to internal OCS pools

Possibly another solution even though it is for OCS 2007:

GAL Status;https://ocspool.work.domain.com/Abs/Int/Handler;Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator.; So i try to open the url in IE to see that it is not related to a certificate and it is not because i can not even log in, and after 3 tries I’m off to the 401. So my next attempt is on the front end OCS 2007 R2 server and i try from there as a domain admin, does not work. Well ill just try with https://localhost/abs/int … and guess what that works, so it has to do with Kerberos or something.. Do the following: C:\Windows\System32\inetsrv>setspn -A HTTP/ocspool.work.domain.com RTCCOMPONENTSERVICE  Registering ServicePrincipalNames for CN=RTCComponentService,CN=Users,DC=work,DC=domain,DC=com  HTTP/ocspool.work.domain.com  Updated object
C:\Windows\System32\inetsrv>iisreset

A last thing to check:

The Lync 2010 client or the Office Communicator client does not download the corporate address book and displays a notification: "Cannot Synchronize Address Book"

Article ID: 939530 - View products that this article applies to.

SYMPTOMS

Consider the following scenarios:

• You use the Microsoft Lync 2010 client to log on to the Microsoft Lync Server 2010.
• You use the Microsoft Office Communicator client to log on to the Communications server.

In these scenarios, the corporate address book does not download, and no results are displayed when you search contacts by name.

Also, you receive the following notification in the Lync 2010 client or in the Communicator client:

Cannot Synchronize Address Book

When you click the notification to display the details, you receive the following error message:

Communicator 2007

Cannot synchronize with the corporate address book because the file could not be found. Please contact your system administrator with this information.

Lync 2010 or Communicator 2007 R2

Cannot synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem continues please contact your...

If you run the Validation Wizard on the Communications Server 2007 R2 or Communications Server 2007 front-end server, you receive the following error message in the log:

Failure [0xC3FC200D] One or more errors were detected

In the Validation Wizard log, expand Diagnose WebComponents, expand Check Connectivity, and then expand Checking Address Book Serverconfiguration. The URL of the location to download the address book is displayed in the Check Http URL field together with the following error message:

Internal Error: ConnectFailure

Note: Lync Server 2010 does not have a validation wizard.

CAUSE

This issue occurs if the website that hosts the address book does not have a valid Secure Sockets Layer (SSL) certificate installed.

RESOLUTION

To resolve this issue on a computer that is running Windows Server 2003, make sure that the website that is hosting the address book has a valid SSL certificate installed. To do this, follow these steps:

1. On the computer that is running Internet Information Services (IIS), click Start, click Run, type inetmgr.msc, and then click OK.
2. Expand ComputerName (local computer), expand Web Sites, right-click the website that hosts the address book, and then click Properties.
3. Click the Directory Security tab.
4. In the Secure communications section, determine whether View Certificate is enabled.
   
   Note If View Certificate is enabled, click View Certificate. Then, you can determine whether the certificate is valid.
   • If the certificate is invalid, follow these steps:
     1. Click Server Certificate in the WebSiteName Properties dialog box.
     2. Click Next, and then click Renew the current certificate. Or, click Replace the current certificate.
     3. Follow the steps to finish the IIS Certificate Wizard.
        
        Note The IIS Certificate Wizard will help you renew your certificate or replace your certificate with a valid certificate.
        
        For more information about how to request a certificate and install the certificate in IIS, click the following article number to view the article in the Microsoft Knowledge Base:
        299875
        

        (http://support.microsoft.com/kb/299875/ )

        How to implement SSL in IIS
   • If View Certificate is disabled, no certificate is installed on this computer. You have to install a certificate to this website. To do this, follow these steps:
     1. Click Server Certificate in the WebSiteName Properties dialog box.
     2. Click Next, and then click Create a new certificate.
     3. Follow the steps to finish the IIS Certificate Wizard.
        
        Note The IIS Certificate Wizard will help you install a certificate to this website.
        
        For more information about how to request a certificate and to install the certificate in IIS, click the following article number to view the article in the Microsoft Knowledge Base:
        299875
        

        (http://support.microsoft.com/kb/299875/ )

        How to implement SSL in IIS

To resolve this issue on a computer that is running Windows Server 2008, make sure that the website that is hosting the address book has a valid SSL certificate installed. To do this, follow these steps:

1. 1. On the computer that is running Internet Information Services (IIS 7.0), click Start, click Run, type inetmgr.msc, and then click OK.
2. Expand ComputerName (local computer), expand Web Sites, click the website that hosts the address book, and then click Bindings in the Actions pane.
3. Select the HTTPS site binding that includes the port that the Address book Service is listening on, and then click Edit.
4. Click View to open the certificate dialog box, and then view the expiration date of the certificate on the General tab.
   
   Note The IIS Server Certificate feature helps you renew your certificate or replace your certificate with a valid certificate.
   • If the certificate is invalid, follow these steps:
     1. In the Connections pane, select the name of the IIS 7.0 server that hosts the Address Book service, select the Features view, and then click Server Certificates.
     2. In the Actions pane, select Open Feature.
     3. In the Features view, select the certificate that you viewed in step 4, and then use the Actions pane to renew the certificate.
   • If the needed certificate is not installed on this computer, use the certificate wizards in the Actions pane to do one of the following: Import, Create a Certificate Request, Complete a Certificate Request, or Create a Domain Certificate.
   • For more information about how to renew, create, and complete certificate requests on IIS 7.0, visit the following Microsoft website: http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx

Source 1
Source 2
Source 3
Source 4

Custom Role Group for "Send as" and "Full access permissions"

The Role Recipient Management is often given to Helpdesk and Support staff who need to be able to create, modify and disable recipients in Exchange 2010. One permission which this role does not grant and may be needed is the ability to modify the “Send as” attribute on recipients.

The Active Directory Permission Role allows this access and by default is part of the Role Group Organisation Management. This Role Group grants the member complete access to Exchange and it’s likely you don’t want to grant complete access to allow them to modify the “Send as” attribute.

There are 2 ways to create such a group.

1. Through the ECP page in OWA
2. In the EMC under "Tools"

First copy the "Recipient Management" role and give it a logical name for your arganisation.
Then add the "Active Directory Permission" group

 

Add the member to this newly created group.

After an hour or so you support staff will be able to grant "Send as" and "Full access" permissions to mailboxes.

 

 

Source

Enable PDF indexing on Exchange 2010 servers.

Download and install the Adobe PDF iFilter 9 for 64 bit platforms located here:http://www.adobe.com/support/downloads/detail.jsp?ftpID=4025

After installing the Adobe PDF Filter Pack, paste the following text into the Exchange Management Shell window:

 # Adobe iFilter Directory Path

$iFilterDirName = "C:\Program Files\Adobe\Adobe PDF IFilter 9 for 64-bit platforms\bin"

# Get the original path environment variable

$original = (Get-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Environment" Path).Path

# Add the ifilter path

Set-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Control\Session Manager\Environment" Path -value ( $original + ";" + $iFilterDirName )

$CLSIDKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\V14\MSSearch\CLSID"

$FiltersKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters"

# Filter DLL Locations

$pdfFilterLocation = “PDFFilter.dll"

# Filter GUIDs

$PDFGuid    ="{E8978DA6-047F-4E3D-9C78-CDBE46041603}"

# Create CLSIDs

Write-Host "Creating CLSIDs..."

New-Item -Path $CLSIDKey -Name $PDFGuid -Value $pdfFilterLocation -Type String

# Set Threading model

Write-Host "Setting threading model..."

New-ItemProperty -Path "$CLSIDKey\$PDFGuid" -Name "ThreadingModel" -Value "Both" -Type String

# Set Flags

Write-Host "Setting Flags..."

New-ItemProperty -Path "$CLSIDKey\$PDFGuid" -Name "Flags" -Value "1" -Type Dword

# Create Filter Entries

Write-Host "Creating Filter Entries..."

# These are the entries for commonly exchange formats

New-Item -Path $FiltersKey -Name ".pdf" -Value $PDFGuid -Type String

Write-Host -foregroundcolor Green "Registry subkeys created. If this server holds the Hub Transport Role, the Network Service will need to have read access to the following registry keys:`n$CLSIDKey\$PDFGuid`n$FiltersKey\.pdf”

Reboot the Exchange Server

Rebuild the search indexes using the Management Shell commands:

Cd ‘C:\Program Files\Microsoft\Exchange Server\V14\Scripts’

./ResetSearchIndex.ps1 –Force –All

 

Wait for the indexes to be rebuilt before initiating a search. Assuming all mailbox databases are empty this should take little time to complete.

 

Repeat this process on each Mailbox Server and Hub Transport in the organization.

 

Note: The permissions on for NETWORK SERVICE are required on the Hub Transport role (or multi-roled server that hosts the Hub role) so that transport rules can do PDF attachment filtering.

 

Source

Search for a list of documents that couldn't be indexed by Exchange Search

The Get-FailedContentIndexDocuments cmdlet returns a list of documents that couldn't be indexed. The most common reason is that there was no filter available for that document type or there was an attachment within the document.

For example, the PDF filter isn't available by default. If an email message contains a PDF document, because there is no PDF filter, the document is marked as failed content indexing.

After a new filter is installed, only new messages with attachments of the type for which the filter is installed are indexed. If you want to index older messages for the document type, the mailbox has to be moved.

The cmdlet output provides details about items in a mailbox that couldn't be indexed, including an error code and the reason for failure.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you.

The default enabled search list bij the Microsoft Office Filter Pack:

Filter	File extension
Email message	.eml
Graphics Interchange Format	.gif
JPEG	.jpg
Microsoft Excel	.xls, .xlt, .xlsx, .xlsm, .xlb, .xlc, .xlsb
Microsoft InfoPath	.infopathml
Microsoft Office Binder	.obt, obd
Microsoft PowerPoint	.pptx, .pptm, .ppt, .ppsx, .ppsm, .pps, .ppam, .potm, .pot, .potx
Microsoft Publisher	.pub
Microsoft Word	.doc, .docm, .dotx, .dotm, .dot, .docx
Microsoft XML Paper Specification	.xps
OneNote	.one
OpenDocument Presentation	.odp
OpenDocument Spreadsheet	.ods
OpenDocument Text	.odt
Outlook Item	.msg
Portable Document Format	.pdf
Rich Text	.rtf
Text	.txt
vCalendar	.vcs
vCard	.vcf
Visio	.vdw, .vsd, .vss, .vst, .vsx, .vtx, .vssx, .vssm, .vsdm, .vstx, .vstm, .vdx
Web archive	.mht
Web page	.html
XML document	.xml
ZIP archive	.zip

Source

Re-index Mailbox Database

Users may report that searching Outlook for non-cached or online mode mailboxes isn’t getting the right results or not returning results past a certain date. Also OWA may return “The action couldn’t be completed.  Try again later.” when trying to search. You need to reindex your mailbox database(s). 

1. Run Repair-ExchangeSearchSymLinks.ps1. It isn’t included in the normal scripts folder under the Exchange program files. View source

 

You can get it from Microsoft here me and place it in the Exchange Server\V14\Scripts folder. Open Exchange Management Shell (remember you might need to run EMS elevated and run Set-ExecutionPolicy Unrestricted first), change path to the scripts folder then run:

 

.\Repair-ExchangeSearchSymLinks.ps1

 

After this you can run the test-exchangesearch script in the scripts directory

to verify the installation.

 

2. Next run the ResetSearchIndex.ps1 script, this one is included in the Exchange program files scripts folder so no need to download. You can run it against a specific database or against all of them as per the commands below:

 

.\ResetSearchIndex.ps1 -All .\ResetSearchIndex.ps1 databasename

 

You should see event id 109 for each database stating that an index has been created and sometime later event id 110 for each database as the indexing finishes.

 

Source

Alternate source

Common Lync Powershell commands

Get the user settings:

 

Get-CSUser -Identity "Username"

 

Change the sip address of a user:

 

Set-CsUser –Identity "Username" –SipAddress "sip:username@domain.com"

 

Move a user to a Pool":

 

Move-CsUser –Identity "Username" –RegistrarPool poolname.domain.com

 

Move a legacy user from OCS 2007 to Lync 2010:

 

Move-CsLegacyUser –Identity "Username" –Target "lyncserver.domain.com"

 

This command causes all your Address Book services to synch with the User Services database:

 

Update-CsAddressBook