Monday, January 20, 2014

Exchange 2010 to 2013 Migration - Public folders not accessible to migrated users

This was a fun one. Due to the ridiculous public folder migration process that is required to go from Exchange 2010 to 2013, you are basically forced to have the two versions coexist for a while to get everything migrated. In the interim, I ended up having to have my 2013 Client Access Server proxy all connections back to the public folder database on my 2010 server (combo Hub/CAS/Mailbox). What I noticed was that I had a few limitations and quirks:
  • Users with mailboxes located on the 2013 Mailbox Server could not access public folders on the 2010 server; they received an error along the lines of: Cannot expand the folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance.
  • Users with mailboxes located on the 2010 Mailbox Server could not use RPC over HTTP (Outlook Anywhere) through the 2013 server.
  • Users with mailboxes located on the 2013 Mailbox Server could use RPC over HTTP without a problem.
  • All users could use OWA and ActiveSync.

After quite a bit of troubleshooting, it was determined that the problem was the 2013 CAS was unable to proxy requests using RPC over HTTP to the 2010 CAS. There didn't seem to be a good reason for this: all certificates were good, internal/external URLs on all virtual directories were specified properly, authentication methods were configured properly, etc. Finally, this solution was found. I can't say for certain that this is the only fix required, however so far it has worked well for me.

The fix (run this on your 2010 CAS):

Set-OutlookProvider EXCH -CertPrincipalName msstd:mail.yourdomain.com
Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.yourdomain.com

That's it. This is a setting that was always there on 2010 but was never needed before. Note that mail.yourdomain.com should be the CN (common name) of your certificate. You can get that, if you don't know it, by running Get-ExchangeCertificate -Server 2010CAS and looking at the CN= section for the entry that has IP.WS. listed for services. The moment I did this, RPC over HTTP for all users started working, and public folder access was fixed.

Wednesday, June 12, 2013

ASA 8.4 and Hairpin NAT

I previously posted here about setting up Hairpin NAT on a Cisco ASA running version 8.2, but of course they changed the syntax yet again, so here is an updated version for 8.4. For those unaware, Hairpin NAT is what allows you to access a server by its public IP from inside the network. This is useful if you are not running split DNS or if you have needy users that want to be able to use the same IP wherever they are.

The procedure for this is actually a bit simpler; there are just a few commands required:

Allow the traffic to get turned around:

same-security-traffic permit intra-interface

Add the NAT rule for users without their own static mapping:

object network obj_any_hairpin
 subnet 0.0.0.0 0.0.0.0

object network obj_any_hairpin
 nat (inside,inside) dynamic interface

Note that I separated these two blocks as that is how it usually appears in the config. The first block defines the object group, while the second one applies the NAT rule to it. This rule will match for any LAN users that do not have a static 1:1 mapping defined.

Add NAT rules for all static users:

object network obj_10.10.10.10
 host 10.10.10.10
object network obj_10.10.10.10_hairpin
 host 10.10.10.10

object network obj_10.10.10.10
 nat (inside,outside) static 1.2.3.4
object network obj_10.10.10.10_hairpin
 nat (inside,inside) static 1.2.3.4

The object groups need to be separate so that you can apply different NAT rules to them. The first object group and its corresponding NAT rule are for the external access coming in, while the second set are the ones that allow the internal to internal traffic.

Wednesday, April 10, 2013

Setting up a setuid PHP binary

I'm not going to go into it too much, but I assure you I had a very good reason for doing this.

The problem: I needed to run PHP on the command line as root when invoked by a non-privileged user. The simple solution is to make a copy of the php binary and then chmod +s it and chown it to root. For most apps, this will just cause it to run as root and everything will be solved. This part is still necessary:

# cd /path/to/my/project
# cp `which php` .
# chown root:root php
# chmod +s php

Unfortunately, when running this, you will find that PHP does not actually think it's running as root, and subsequently you can't run things like shutdown which require root privileges. You can see this by running a script like this:

test.php:
<?php
    echo shell_exec('id');
?>
Command:
# sudo -u www ./php test.php
uid=80(www) gid=80(www) groups=80(www)
Well that didn't work, and the PHP docs and Google didn't seem to have anything about PHP dropping privileges. A little more googling and I saw that PHP does have a setuid function, so I decided to give that a try. The function is called posix_setuid() and is allegedly included by default. Well guess what, on my PHP installation it shows the configure string as including --enable-posix=shared which for whatever reason means "I don't want to use this."

So I recompiled PHP with just --enable-posix and the function was now available. At this point, I began getting the desired results when calling the script:

test.php:
<?php
// Requires PHP built with --enable-posix (the =shared build left it out).
if (!function_exists('posix_setuid') || !posix_setuid(0)) {
    fwrite(STDERR, "posix_setuid(0) failed\n");
    exit(1);
}
echo shell_exec('id'); // quote the command; backticks would run it inside PHP first
?>
Command:
# sudo -u www ./php test.php
uid=0(root) gid=80(www) groups=0(root),80(www)

Thursday, March 7, 2013

Exchange 2010 Couldn't connect to the source mailbox

So I was working on decommissioning a horribly broken and misconfigured SBS 2011 server today. Part of this was to export all of the mailboxes to PST and import on the new server (don't ask why, but the customer had two SBS 2011 servers). When attempting to export a mailbox, I ran into this error:
Couldn't connect to the source mailbox.
    + CategoryInfo          : NotSpecified: (0:Int32) [New-MailboxExportRequest], RemotePermanentException
    + FullyQualifiedErrorId : CA71126,Microsoft.Exchange.Management.RecipientTasks.NewMailboxExportRequest
Well that's fun, so I re-ran the export command with -Verbose and ended up with:
New-MailboxExportRequest : Couldn't connect to the source mailbox. -->
MapiExceptionCallFailed: Unable to make connection to the server. (hr=0x80004005, ec=1249)
Diagnostic context:
    Lid: 59431   EMSMDB.EcDoConnectEx called [length=154]
    Lid: 34855   EMSMDB.EcDoConnectEx returned [ec=0x4E1][length=56][latency=0]
    Lid: 59505   StoreEc: 0x4E1
    Lid: 52465   StoreEc: 0x4E1
    Lid: 60065
    Lid: 33777   StoreEc: 0x4E1
    Lid: 59805
    Lid: 52209   StoreEc: 0x4E1
    Lid: 56583
    Lid: 52487   StoreEc: 0x4E1
    Lid: 19778
    Lid: 27970   StoreEc: 0x4E1
    Lid: 17730
    Lid: 25922   StoreEc: 0x4E1
After a bit of googling I did find someone else with a similar error, but their solution actually worked oppositely for me, so here is what I did to resolve it:
Set-CASMailbox jsmith -MAPIBlockOutlookNonCachedMode:$false
After that, the mailbox exported correctly. I can't say for sure why this was blocked in the first place, but this did resolve it.

Tuesday, January 8, 2013

Drag and drop stops working in Windows 7 and 8

I've been struggling with this problem for a long time, and never really found a solution. Basically (and very randomly) drag and drop would stop working on my workstation. This includes dragging emails in Outlook (2007, 2010, 2013), dragging files in Explorer, and even resizing columns in certain folders/views/apps. What threw me the most is that the issue persisted when I upgraded to a new workstation with a fresh OS, and also across Windows 7 and 8. I do have a lot of apps, so it's very possible one of them is to blame. A reboot would always fix it, but that's obviously annoying. Anyways, the fix: Go to Explorer, click on a file, and press the Escape key. That's it. I have yet to investigate why it works, but it works. The working theory is that somewhere a file is stuck in the drag state, and Windows doesn't let you drag additional items. Hitting Escape must clear that out and let you do it again.

Friday, December 28, 2012

Media Keyboard Shortcuts with AutoHotKey

Recently I switched to a mechanical keyboard, and though I love it, the one thing I missed was the media keys on my old keyboard. At work I frequently utilize the volume and play/pause controls when quickly answering a phone call, and stumbling to hit the volume icon in the system tray was just not quite fast enough. To solve this problem, I ended up installing AutoHotKey and setting up some very simple automation. The basic method is to create a new text file with an AHK extension (I called mine media.ahk) and add the hotkeys to the file. You can mix these up as much as you want; check the AHK docs for more info. This script uses the Windows key for all of the hotkeys:
#PgUp::Send {Volume_Up 3}
#PgDn::Send {Volume_Down 3}
#End::Send {Media_Play_Pause}
#Home::Send {Volume_Mute}
#Insert::Send {Media_Next}
After making the file, you can just double click on it for AHK to pick it up. See their docs for making that happen at login. Since I'm on Windows 8, there is already an on-screen volume meter when you start changing the volume, so I did not need an OSD or anything fancy.

Monday, October 1, 2012

ASA 8.2 and Hairpin NAT

Don't ask me why people still do this, but there is occasionally the need to set up hairpin NAT on a firewall. This functionality is where a LAN user accesses another server on the LAN by its static public IP. For example, if I am 10.0.0.6 and I try to access 1.1.1.5, the firewall will turn the traffic around (and rewrite the IP) and send it down to whatever 1.1.1.5 is mapped to in the LAN. This functionality is different depending on the version of ASA software you're running; this is specifically for 8.2. This gets a little messier when you have a mixture of people with 1:1 NAT and PAT set up, but it works either way. Base config that will not work for hairpinning:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 1.1.1.5 10.0.0.5 netmask 255.255.255.255
static (inside,outside) 1.1.1.6 10.0.0.6 netmask 255.255.255.255

The issue with this is that if any user on the LAN tries to access 1.1.1.6, the ASA doesn't really know what to do with it, and drops it. So there are a few things that need to be fixed at this point:

Allow the ASA to turn the traffic around:

same-security-traffic permit intra-interface

Allow PAT'd users to have their IP rewritten when being hairpinned:

global (inside) 1 interface

Allow static NAT users to have their IP rewritten as well:

static (inside,inside) 1.1.1.5 10.0.0.5 netmask 255.255.255.255
static (inside,inside) 1.1.1.6 10.0.0.6 netmask 255.255.255.255

At this point it should be working normally, so here is the completed config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0

same-security-traffic permit intra-interface
global (outside) 1 interface
global (inside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 1.1.1.5 10.0.0.5 netmask 255.255.255.255
static (inside,outside) 1.1.1.6 10.0.0.6 netmask 255.255.255.255
static (inside,inside) 1.1.1.5 10.0.0.5 netmask 255.255.255.255
static (inside,inside) 1.1.1.6 10.0.0.6 netmask 255.255.255.255

Once this is done, you should be able to access the public IPs internally and get the traffic routed appropriately. If you are still having problems, I highly recommend the packet-tracer command which can help you find out where the problem is occurring.
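Both hairpin posts on this page (this 8.2 one and the 8.4 one above) hand-write one static or object pair per host, which gets tedious once more than a couple of servers have 1:1 mappings. The Python script below is an added example, not code from the original posts: given a dictionary of inside host to public address, it emits the complete hairpin NAT fragment in either the 8.4 object-NAT syntax or the 8.2 static/global syntax shown in the posts. The function names, the obj_<ip> and obj_<ip>_hairpin object naming (copied from the 8.4 post) and the default interface names inside/outside are assumptions; the sample mappings are the two hosts from the 8.2 post. It also refuses malformed addresses and a public address mapped to two inside hosts, since either would silently produce a non-working config.

```python
"""Generate Cisco ASA hairpin NAT statements for a set of static 1:1 mappings.

Added example (not from the original posts). Assumes interface names
"inside"/"outside" and the object naming convention from the 8.4 post.
"""
import ipaddress
from typing import Dict, List, Tuple


def _check(mappings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Validate every inside and public address as an IPv4 host and make sure
    no public address is claimed twice; return (inside, public) pairs."""
    seen_public = set()
    pairs = []
    for inside, public in mappings.items():
        in_ip = ipaddress.IPv4Address(inside)    # raises ValueError if malformed
        pub_ip = ipaddress.IPv4Address(public)
        if pub_ip in seen_public:
            raise ValueError(f"public address {public} mapped to two hosts")
        seen_public.add(pub_ip)
        pairs.append((str(in_ip), str(pub_ip)))
    return pairs


def asa84_hairpin(mappings: Dict[str, str], inside_if: str = "inside",
                  outside_if: str = "outside") -> str:
    """ASA 8.4 object-NAT form: a catch-all dynamic (inside,inside) rule for
    PAT users plus a separate object pair per static host, with object
    definitions listed before the nat statements as the running config shows them."""
    pairs = _check(mappings)
    lines = ["same-security-traffic permit intra-interface", ""]
    lines += ["object network obj_any_hairpin", " subnet 0.0.0.0 0.0.0.0"]
    for inside, _ in pairs:
        lines += [f"object network obj_{inside}", f" host {inside}",
                  f"object network obj_{inside}_hairpin", f" host {inside}"]
    lines.append("")
    lines += ["object network obj_any_hairpin",
              f" nat ({inside_if},{inside_if}) dynamic interface"]
    for inside, public in pairs:
        lines += [f"object network obj_{inside}",
                  f" nat ({inside_if},{outside_if}) static {public}",
                  f"object network obj_{inside}_hairpin",
                  f" nat ({inside_if},{inside_if}) static {public}"]
    return "\n".join(lines)


def asa82_hairpin(mappings: Dict[str, str], inside_if: str = "inside",
                  outside_if: str = "outside") -> str:
    """ASA 8.2 form: global/nat for PAT users on both interfaces, then an
    (inside,outside) static and a matching (inside,inside) static per host."""
    pairs = _check(mappings)
    lines = ["same-security-traffic permit intra-interface",
             f"global ({outside_if}) 1 interface",
             f"global ({inside_if}) 1 interface",
             f"nat ({inside_if}) 1 0.0.0.0 0.0.0.0", ""]
    for inside, public in pairs:
        lines.append(f"static ({inside_if},{outside_if}) {public} {inside} "
                     "netmask 255.255.255.255")
    for inside, public in pairs:
        lines.append(f"static ({inside_if},{inside_if}) {public} {inside} "
                     "netmask 255.255.255.255")
    return "\n".join(lines)


# Constructed sample input: the two hosts used in the 8.2 post.
SAMPLE = {"10.0.0.5": "1.1.1.5", "10.0.0.6": "1.1.1.6"}

if __name__ == "__main__":
    print(asa84_hairpin(SAMPLE))
    print()
    print(asa82_hairpin(SAMPLE))
```

Paste the output into the relevant section of the config (the interface definitions are left alone, since they do not change for hairpinning), then confirm with packet-tracer from an inside host to a public address that the (inside,inside) translation is the one being hit.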