Saturday, December 31, 2011

Office 365: one or more users need an assigned license

I recently set up a five user P1 Email system on Office 365.  Initially I set up the default domain and added the users.

Then I added the "Vanity domain" ie  (why Microsoft call this a vanity domain is beyond me, I'd call it an essential to do business domain, but....)

I then changed the logon primary account for each user from to - (There are a number of PowerShell scripts around for this, however you can do it from the Office 365 Admin GUI.  Just go to the users and once the Vanity domain has been validated you can change the login domain to the one you have added.)

I then started receiving a typical Microsoft Cryptic error message: "one or more users need an assigned license in order to retain an exchange online mailbox or archive."

I created a view as they suggested showing unlicensed users, and it showed all my users...!

It took me ages to work out what Microsoft 365 were on about, but it seems that the license is assigned to the logon name account - and so changing it to domain confused it.  All other settings and data such as email etc stayed intact.

This has got to be an Office 365 bug

Work around fix:
  • You need to go to each user on the Admin screen on Office 365,
  • go to licensing
  • un-check the Lync license
  • Save and update
  • Then go back into the account again
  • check the Lync license
  • Save and update
Hey presto, the problem has gone.  It would seem that re-applying a small change to the license, re-assigns it correctly to the changed

CAUTION: DO NOT uncheck the Exchange License, as I've seen dire warnings saying this will delete the user's email mailbox, which would be bad!

Thursday, October 13, 2011

Friday, October 07, 2011

Viewing Sharepoint sites on the Sharepoint server (disabling server loopback checks)

It's been a problem since Win2003 SP1 that you couldn't browse to a web site hosted on Sharepoint on that server.
I've now found this is a security restriction called loopback check, where the server stops any access back to itself unless you use the server's name in the URL.

There are two alternatives to stop this behaviour.

Option 1 - is to disable the loopback check for all sites – which should only be used on a development machine.

· In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
· Right-click Lsa, point to New, and then click DWORD Value. (In Win 2008, it's DWORD (32-bit).)
· Type DisableLoopbackCheck, and then press ENTER.
· Right-click DisableLoopbackCheck, and then click Modify.
· In the Value data box, type 1 and then click OK.
· Quit Registry Editor.
· You may need to restart your server.

Option 2 - is to disable the loopback check for each site individually – which should be used on production machines.
· Click Start, click Run, type regedit, and then click OK.
· In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
· Right-click Lsa, point to New, and then click DWORD Value.
· Type DisableLoopbackCheck, and then press ENTER.
· Right-click DisableLoopbackCheck, and then click Modify.
· In the Value data box, type 1, and then click OK.
· Quit Registry Editor, and then restart your computer.
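Added example, not from the original post: PowerShell that reports whether the global DisableLoopbackCheck switch from Option 1 is set and exempts only named sites, using the BackConnectionHostNames value (REG_MULTI_SZ under Lsa\MSV1_0) that Microsoft documents for per-host-name exemptions. The function names and the two host names are assumptions chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the SharePoint server.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-LoopbackCheckState {
    # Reports the global switch (Option 1) and the per-host-name exemption list.
    $g = Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $h = Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        GloballyDisabled = ($g -and $g.DisableLoopbackCheck -eq 1)
        ExemptHostNames  = @($h.BackConnectionHostNames | Where-Object { $_ })
    }
}

function Add-LoopbackExemption([string[]]$HostNames) {
    # Merge with the names already exempted; the value holds one host name per entry.
    $merged = @((Get-LoopbackCheckState).ExemptHostNames + $HostNames | Sort-Object -Unique)
    New-ItemProperty -Path $msv -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
}

$state = Get-LoopbackCheckState
if ($state.GloballyDisabled) {
    Write-Warning 'DisableLoopbackCheck = 1: the check is off for every host name on this server.'
}

# Placeholder host names: replace with the host headers of your own sites.
Add-LoopbackExemption -HostNames 'intranet.example.local', 'portal.example.local'

# Once the sites are listed, the global switch can be returned to 0:
# Set-ItemProperty -Path $lsa -Name DisableLoopbackCheck -Value 0

Get-LoopbackCheckState
```

As with the manual steps, a restart may be needed before the change takes effect.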

Ps I also found a related issue with respect to CNAME sharing restrictions (see this link)
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters [DisableStrictNameChecking (DWORD) = 0x01]

Blog references

Wednesday, August 31, 2011

After adding a new Exchange 2010 DB - BES users no longer work once moved to it

By default it would appear that BES doesn't have permission to access a new Exchange Database.  This BlackBerry knowledge base article recommends using PowerShell to update the permissions on all mailbox databases on a server.

For Microsoft Exchange 2010

  1. Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell.
  2. Open the command prompt as administrator, type the following line and then press ENTER:
    Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin
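Added example, not from the original post or the BlackBerry article: a check to run after the command above that lists every account holding Receive-As or ms-Exch-Store-Admin on each mailbox database. Receive-As at database level lets the holder open every mailbox in that database, so the list should be short and known. The `IsBESAdmin` column assumes the service account is named BESAdmin, as in the command above.

```powershell
# Added example. Run in the Exchange Management Shell.
$rights = 'Receive-As', 'ms-Exch-Store-Admin'

Get-MailboxDatabase | ForEach-Object {
    $db = $_
    Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object { -not $_.Deny } |
        ForEach-Object {
            $ace = $_
            # Keep only the two extended rights granted by the command above.
            $hit = @($rights | Where-Object { $ace.ExtendedRights -like $_ })
            if ($hit.Count -gt 0) {
                New-Object PSObject -Property @{
                    Database    = $db.Name
                    User        = "$($ace.User)"
                    Rights      = $hit -join ', '
                    IsInherited = $ace.IsInherited
                    IsBESAdmin  = ("$($ace.User)" -like '*\BESAdmin')
                }
            }
        }
} | Sort-Object Database, User |
    Format-Table Database, User, Rights, IsInherited, IsBESAdmin -AutoSize
```

A new database that shows no BESAdmin row is the situation described in this post; rows for accounts you do not recognise are worth reviewing.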

Wednesday, June 01, 2011

Some useful Exchange 2010 PowerShell scripts for space management

Force remove a disconnected mailbox after a move or delete
Remove-StoreMailbox -Database "" -Identity "" -MailboxState SoftDeleted

Exchange 2010 Find Database White Space
Get-MailboxDatabase -Status | Select-Object Server,Name,AvailableNewMailboxSpace

Retrieve List of Disconnected Mailboxes
Get-MailboxDatabase | Get-MailboxStatistics | where {$_.DisconnectReason -eq "SoftDeleted"} | Select DisplayName,ServerName,Database,ItemCount

Permanently Delete all Disconnected Mailboxes across all Databases
$var1 = Get-MailboxDatabase | Get-MailboxStatistics | where {$_.DisconnectReason -eq "SoftDeleted"}
$var1 | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}

Tuesday, May 10, 2011

Sharepoint FBA user administration (Forms Based Authentication)

We had a strange error where a user couldn't log on using FBA.  It turned out that the account was locked out, however it started a voyage of discovery into the murky world of FBA in Sharepoint.

To add an FBA user we use the + _layouts/vCreateUser.aspx which works out fine, however with FBA it was not obvious how to either Reset a user's password by the administrator or Delete a user.

Using IIS7, lots of documents say you can edit the list of users using the IIS7 admin console and open the .Net Users Feature.  However you either get an error saying the "default provider is not a trusted provider", or a time out error saying it cannot connect to the SQL database because of a network or instance-specific error!

It turns out you need to set the Default Provider in the .Net Users to the Sharepoint SQLRoleProvider after it's given you an error saying it can't connect.  If you manage to get that and your IIS Connection Strings all tidied up then you have a small chance of all the users appearing when you open the .Net Users Feature.

When you get there you can either Delete the user or change its email address but not a lot more - EXCEPT that is to UNLOCK the account.

It turns out that in the web.config file there are a number of settings which handle the account lock out policies for the entry of incorrect passwords.  A good MSDN link for more info on this is here - however even setting these and iisreset and reboot doesn't seem to want to change the settings for me, so I'll keep digging.

Another useful link on how to set up IIS7 for Sharepoint FBA is here

Sharepoint's link to FBA seems such a kludge and without proper user management tools is not something that can be sensibly rolled out.  Once again such a good idea not quite finished but still rolled out by Microsoft.

Wednesday, March 02, 2011

AD Sync: The source server is currently rejecting replication requests

After a few power outages one of our DCs decided not to co-operate in syncing data.

The Directory Service App Log gave lots of errors talking about "The Knowledge Consistency Checker (KCC) being unable to form complete spanning tree network topologies" but nothing really useful to work with.

I first used repadmin /replsummary to try to see what was wrong, but it only confirmed that there were errors.

I then ran DCDiag
On Starting test Replications it said: [Replications Check, Replications Check] Inbound replication is disabled.
To correct, run "repadmin /options -DISABLE_INBOUND_REPL"
Also Outbound replication is disabled
To correct, run "repadmin /options -DISABLE_OUTBOUND_REPL"

Now on the face of those commands it looks like it's disabling the inbound and outbound connections, BUT IT'S NOT!
What it does is toggle the current setting to the opposite of what it is already, so if it's disabled it enables it and vice versa.

Forcing some replication and running DCDiag shows that this has resolved the problem, although why it occurred I still don't know - any ideas anyone?

Thanks to the pointer in the blog The source server is currently rejecting replication requests

Monday, February 28, 2011

Windows 2008 INCORRECT FUNCTION error, sharing folders or file shares

If you get the error "Incorrect Function" on a Windows Server 2008 or 2008R2 when trying to share a folder or create a file share then you will find the error message "INCORRECT FUNCTION" is extremely useless.

It occurs because you don't have the Firewall Rules for Inbound and Outbound "File and Printer Sharing" included in your rule sets.

But I have firewall disabled I hear you cry!  For Windows it doesn't matter if you have the Firewall on or off for any of the Profiles.  If you don't have the rules there you can't share folders......

Don't know why this is but it just doesn't work and gives the silly error message above.

Tuesday, February 22, 2011

Animoto - The End of Slideshows

A very smart video and picture compilation piece of software

Animoto - The End of Slideshows

Running a Virtual Router & Firewall inside VMware ESX with Vyatta

I needed to run a router inside an ESX server to route between a couple of virtual networks and came across Vyatta. I'm sure loads of people know about this but I'm a newbie to network routers so was quite taken by its functionality.

Although this video is old it gives a very good understanding of what Vyatta is and how to install it on ESXi

Running a Virtual Router & Firewall inside VMware ESX with Vyatta

Thursday, January 06, 2011

32bit ODBC on a Win7 64 bit machine

We had a requirement to run Access 2003 on a Windows 7 64 bit server and couldn't find the 32bit ODBC settings anywhere.  They are not shown in the control panel app, however you can find them at C:\Windows\SysWOW64\odbcad32.exe

Monday, January 03, 2011

Exchange 2010 ActiveSync not functioning for Domain Admins user

I built a new domain with my own account as Domain Admin, and then after installing Exchange 2010 couldn't work out why every other user except me could access ActiveSync.

The issue turns out to be that AD membership of certain Admin "Protected Groups" turns off the inherited permissions on your AD account in the OU that you reside.

To check if Inheritance is disabled on your user account, Open AD Users and Computers -> View - Advanced Features, Locate the user account and click Properties, Security Tab and then Advanced. Make sure the check box for "Include inheritable permissions from this object's parent" is checked.

If it is, then ActiveSync will work - HOWEVER only for about 60 minutes!

You will find the SDPROP process will clear the inheritable permissions for you after every 60 minutes! - See This Technet Article for more on SDPROP and the issues with OU inherited security that this can bring.

So the only practical answer is to have 2 accounts, one for email as a user account and one for administration. This is Microsoft recommended practice and detailed in this reference: Exchange ActiveSync Returned an HTTP 500 Error
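Added example, not from the original post: a query that finds the accounts affected by this behaviour, that is, mailbox-enabled users that SDPROP has stamped with adminCount=1, and shows whether inheritance is currently blocked on each. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and uses the msExchMailboxGuid attribute to pick out users that have a mailbox.

```powershell
# Added example. Run on a machine with the ActiveDirectory module installed.
Import-Module ActiveDirectory

# adminCount=1       : account is (or was) a member of a protected group
# msExchMailboxGuid=*: account has an Exchange mailbox
Get-ADUser -LDAPFilter '(&(adminCount=1)(msExchMailboxGuid=*))' `
    -Properties adminCount, nTSecurityDescriptor, mail, memberOf |
    ForEach-Object {
        New-Object PSObject -Property @{
            Account            = $_.SamAccountName
            Mail               = $_.mail
            # True when "Include inheritable permissions" is unchecked.
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # Direct group memberships, shown by CN only for readability.
            Groups             = ($_.memberOf |
                                    ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        }
    } |
    Sort-Object Account |
    Format-Table Account, Mail, InheritanceBlocked, Groups -AutoSize
```

Each row is an administrative account that also receives mail, which is the combination the two-account practice above avoids. adminCount is not reset when an account leaves a protected group, so former admins can appear here as well.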