Bypassing Anti-Spam on an Exchange 2007/2010 Receive Connector

I was looking at an old Exchange environment that was being used to send bulk mail-outs. We noticed that every now and again a batch of e-mails would not get sent. Trawling through the Message Tracking Logs, we could see the messages failing with EventId FAIL and Source AGENT, which means a transport agent, in this case one of the anti-spam agents, rejected them.

The customer still wanted the anti-spam agents enabled for everything else, so instead we used PowerShell to let this traffic bypass spam filtering by granting the Anonymous Logon security principal the ms-Exch-Bypass-Anti-Spam extended right on the receive connector. Be clear about what that does: every anonymous sender that connector accepts now skips the anti-spam agents, so grant it on a connector whose RemoteIPRanges is limited to the bulk-mail host(s), never on the Internet-facing default connector. Run the following in the Exchange Management Shell, replacing the connector name with the name of your connector (the identity takes the form Server\Connector name if the name alone is ambiguous):

Get-ReceiveConnector "Receive Connector" | Add-ADPermission `
    -User "NT AUTHORITY\ANONYMOUS LOGON" -AccessRights ExtendedRight `
    -ExtendedRights ms-Exch-Bypass-Anti-Spam
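As an added example (not part of the original post), here is the safer shape of the same change: confirm which agent is rejecting the mail, put the bulk-mail host on its own receive connector, grant the bypass right only there, and verify that no other connector carries it. The server name EX01, the sender host 192.0.2.10, the sender domain bulkmail.example.com and the connector name are assumed placeholders; run it in the Exchange Management Shell on a 2007/2010 Hub Transport server.

```powershell
# Added example (not from the original post). Assumed placeholders:
$server   = 'EX01'                    # Hub Transport server
$bulkHost = '192.0.2.10'              # the only host allowed to bypass anti-spam
$connName = 'Bulk Mail Relay'

# 1. The tracking log only says AGENT/FAIL; the agent log names the agent and
#    gives its Reason, which tells you whether bypassing anti-spam is even the
#    right fix.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.P1FromAddress -like '*@bulkmail.example.com' } |
    Select-Object Timestamp, Agent, Action, Reason, P1FromAddress |
    Format-Table -AutoSize

# 2. Dedicated connector on the same port. Exchange routes a session to the
#    connector whose RemoteIPRanges matches most specifically, so this one
#    catches the bulk-mail host and nothing else. Tls lets the sender use
#    STARTTLS; anonymous relay rules still apply.
New-ReceiveConnector -Name $connName -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $bulkHost `
    -PermissionGroups AnonymousUsers -AuthMechanism Tls

# 3. Grant the bypass right on that connector only.
Get-ReceiveConnector "$server\$connName" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -AccessRights ExtendedRight -ExtendedRights ms-Exch-Bypass-Anti-Spam

# 4. Verify: list every connector on the server that carries the right. Only
#    the dedicated one should appear.
Get-ReceiveConnector -Server $server | ForEach-Object {
    $conn = $_
    Get-ADPermission -Identity $conn.Identity |
        Where-Object { $_.ExtendedRights -match 'Bypass-Anti-Spam' } |
        Select-Object @{ n = 'Connector'; e = { $conn.Name } }, User, ExtendedRights
}
```

If step 4 shows the right on the default connector as well, remove it there with Remove-ADPermission using the same -User and -ExtendedRights arguments.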

Hope that helps.

Fixing the "The trust relationship between this computer and the primary domain failed" error when restoring a snapshot or old virtual machine

I had a VM snapshot/checkpoint running for several months in my test lab, and after reverting to the snapshot I went to log in to the machine and got the dreaded "The trust relationship between this computer and the primary domain failed" error message. The cause is the computer account password: a domain member rotates it (every 30 days by default), so the copy inside an old snapshot no longer matches what Active Directory holds. So I logged in as a local admin on that machine, opened an administrative PowerShell window and entered the commands below.

$cred = Get-Credential   # enter a domain admin account when prompted
Reset-ComputerMachinePassword -Credential $cred -Server <DC-FQDN>

Replace the server at the end with the fully qualified name of one of your domain controllers. As I wasn't authenticated to the domain, I had to supply domain admin credentials via Get-Credential and pass those stored credentials to Reset-ComputerMachinePassword; any account with the right to reset the password on that computer object will do. One caveat: this is for member servers and workstations only. A domain controller reverted from a snapshot has a different problem (USN rollback), and resetting its machine password will not fix it.
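As an added example (not from the original post), the same repair wrapped in the checks I would want around it: test the secure channel first, refuse to run on a domain controller, and re-test afterwards so you know the reset actually took. The DC name dc01.adatum.internal is an assumed placeholder.

```powershell
# Added example (not from the original post). Assumed placeholder:
$dc = 'dc01.adatum.internal'

function Repair-MachineTrust {
    param([string]$DomainController)

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC. A DC
    # reverted from a snapshot suffers USN rollback; a password reset does
    # not repair that and can make things worse.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        throw 'This machine is a domain controller; do not reset its machine password.'
    }

    # $true means the locally stored computer account password still matches
    # AD; on a reverted snapshot it is stale and the test fails.
    if (Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue) {
        Write-Output 'Secure channel is healthy; nothing to do.'
        return
    }

    # Any account allowed to reset this computer object's password will do;
    # Domain Admins is the blunt instrument.
    $cred = Get-Credential -Message 'Account with rights to reset the computer account password'
    Reset-ComputerMachinePassword -Server $DomainController -Credential $cred

    # Re-test. Still failing after a reset usually means the computer object
    # is disabled or gone in AD, which needs fixing on the AD side.
    if (Test-ComputerSecureChannel -Server $DomainController -ErrorAction SilentlyContinue) {
        Write-Output 'Secure channel repaired.'
    } else {
        Write-Warning 'Reset ran but the secure channel still fails; check the computer object in AD.'
    }
}

Repair-MachineTrust -DomainController $dc
```

Run it from an elevated PowerShell window while logged on with a local administrator account, exactly as in the post.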

So there you have it, no more re-joining a computer to the domain.

Using PowerShell to Manage Windows Server DNS entries

Firstly, Happy New Year. Anyway, I was recently tasked with creating a large number of DNS entries on our internal DNS servers. To accomplish this I decided to use PowerShell to import a CSV file I had been given that already contained the entries. It had a header row with HostName and IPAddress as columns, followed by dozens of rows that needed to become A records on our server. The cmdlets below come from the DnsServer module, so run them on the DNS server itself or from a machine with the DNS Server RSAT tools installed (add -ComputerName to target a remote server).

So the first command I used to import these records was the one below (replace <your zone> with your DNS zone and DNSentries.csv with your filename):
Import-Csv C:\Scripts\DNSentries.csv | ForEach-Object { Add-DnsServerResourceRecordA -ZoneName "<your zone>" -Name $_.HostName -IPv4Address $_.IPAddress }

After completing that I noticed that some entries had a typo (the file was given to me), so instead of going in and manually removing the ones that were wrong, I again used PowerShell to remove them, feeding it the same CSV so it deletes exactly what was added. Remove-DnsServerResourceRecord prompts for confirmation on every record unless you add -Force:
Import-Csv C:\Scripts\DNSentries.csv | ForEach-Object { Remove-DnsServerResourceRecord -ZoneName "<your zone>" -RRType "A" -Name $_.HostName -RecordData $_.IPAddress -Force }

Using the above commands you can quickly and easily add or remove DNS entries from your Windows Server DNS Infrastructure using entries from a CSV file.
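Given that the problem here was a bad row in a file someone else produced, here is an added example (not from the original post) that checks every row before touching the zone and flags conflicts with records that already exist, so a typo stops the run instead of becoming a bogus A record. The zone name corp.example.com and the file path are assumed placeholders; the Add-DnsServerResourceRecordA call runs with -WhatIf so you can preview the result first.

```powershell
# Added example (not from the original post). Assumed placeholders:
$zone    = 'corp.example.com'
$csvPath = 'C:\Scripts\DNSentries.csv'
$preview = @{ WhatIf = $true }   # set to @{} to actually write the records

function Test-DnsEntryRow {
    param($Row)
    $problems = @()
    # A single host label: letters, digits and hyphens, 1-63 characters,
    # no leading or trailing hyphen. Dotted names would land in the wrong zone.
    if ($Row.HostName -notmatch '^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$') {
        $problems += "bad hostname '$($Row.HostName)'"
    }
    # TryParse also accepts IPv6 and odd forms like '10.1', so require a
    # parsed IPv4 address that round-trips to the same dotted text.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse([string]$Row.IPAddress, [ref]$ip) -or
        $ip.AddressFamily -ne 'InterNetwork' -or
        $ip.IPAddressToString -ne [string]$Row.IPAddress) {
        $problems += "bad IPv4 address '$($Row.IPAddress)'"
    }
    return $problems
}

$rows = Import-Csv $csvPath
$bad  = foreach ($r in $rows) {
    $p = Test-DnsEntryRow $r
    if ($p) {
        [pscustomobject]@{ HostName = $r.HostName; IPAddress = $r.IPAddress; Problem = ($p -join '; ') }
    }
}
if ($bad) {
    $bad | Format-Table -AutoSize
    throw "Refusing to import: $(@($bad).Count) invalid row(s) in $csvPath"
}

# Existing names: identical records are skipped, a different address is a
# conflict to resolve by hand rather than silently adding a second A record.
foreach ($r in $rows) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $r.HostName -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        $have = @($existing.RecordData.IPv4Address.IPAddressToString)
        if ($have -contains $r.IPAddress) {
            Write-Verbose "Skipping $($r.HostName): already $($r.IPAddress)"
            continue
        }
        Write-Warning "Conflict: $($r.HostName) already resolves to $($have -join ',') not $($r.IPAddress); skipping"
        continue
    }
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $r.HostName -IPv4Address $r.IPAddress @preview
}
```

Run it once with the preview on, read the WhatIf lines and the warnings, then set $preview to an empty hashtable and run it again to commit.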

Using custom OWA URLs in SharePoint to display your inbox as well as calendar and other items

This one has been sitting in my drafts folder for a while, but last year I was experimenting with our SharePoint environment and thought it would be a cool idea to have a view of our web mail and calendar appear on our SharePoint home page as web parts. If you are running SharePoint 2010/2013 you can use the Outlook Web App web parts to display what you want, to a degree, but by using a Page Viewer web part and specifying the URL yourself you get more control over what the page shows.

So start by adding a Page Viewer web part to your page and point it at your Exchange server hosting Outlook Web App. The following are examples of URLs you can use:

Exchange 2010


Exchange 2013


For more information on how to format the links and the available flags, please follow this link. I hope that has helped some people bring better-looking mail access to their SharePoint environments.

Make viewing and sorting Exchange 2013 / 2016 Message Tracking Logs using PowerShell easier with GridView

So a lot of environments are making the jump to Exchange 2013/2016 away from 2007/2010. From a management point of view the largest change is the move away from a GUI management console to web-based and PowerShell management. One of the tools missing is the Message Tracking tool; a basic form of it is available in the web console but it is awkward for external mail items, so we move on to PowerShell, which gives us what we want but not in the easiest format to read.

You can use Format-List or Format-Table to make things a little prettier, but a nicer trick I learned recently is to pipe to Out-GridView, which opens the results in a new window where we can apply filters. An example of Get-MessageTrackingLog piped to Out-GridView is below (see the image for the example output).

Get-MessageTrackingLog -ResultSize Unlimited -Start "November 10 2016" -End "November 30 2016" -Recipients "user@example.com" | Out-GridView

Using the grid view, we can apply filters to narrow the search down further.
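As an added example (not from the original post), here is the same query done the way I would run it on Exchange 2013/2016: against every transport service rather than one server, trimmed to the columns worth reading, with FAIL events from Source AGENT (the transport-agent rejections the first post on this page hit) flagged, and with Out-GridView -PassThru so the rows you tick in the grid come back to the pipeline. The recipient address and the date range are assumed placeholders.

```powershell
# Added example (not from the original post). Assumed placeholders:
$recipient = 'user@example.com'
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date

# 2013/2016 keep tracking logs per Mailbox server; Get-TransportService
# pipes each server into Get-MessageTrackingLog -Server.
$log = Get-TransportService | Get-MessageTrackingLog -ResultSize Unlimited `
        -Start $start -End $end -Recipients $recipient |
    Select-Object Timestamp, ServerHostname, EventId, Source, Sender,
        @{ n = 'Recipients';      e = { $_.Recipients -join ';' } },
        @{ n = 'RecipientStatus'; e = { $_.RecipientStatus -join ';' } },
        @{ n = 'AgentReject';     e = { $_.EventId -eq 'FAIL' -and $_.Source -eq 'AGENT' } },
        MessageSubject, ClientHostname, MessageId

# Quick count of how much of the traffic was thrown away by an agent.
$log | Group-Object AgentReject | Select-Object Name, Count

# -PassThru returns the rows selected in the grid; here each selected
# message is expanded to its full set of events across all servers.
$log | Sort-Object Timestamp |
    Out-GridView -Title "Tracking: $recipient $($start.ToShortDateString()) to $($end.ToShortDateString())" -PassThru |
    ForEach-Object {
        Get-TransportService |
            Get-MessageTrackingLog -MessageId $_.MessageId -ResultSize Unlimited |
            Sort-Object Timestamp |
            Format-Table Timestamp, ServerHostname, EventId, Source, RecipientStatus -AutoSize
    }
```

The grid's filter box works on any column, so typing AGENT or FAIL narrows to the rejections without editing the query.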

How to Install a trusted certificate onto a FileZilla FTP server to enable FTPS (FTP over TLS)

I was recently helping troubleshoot an issue where, as part of that, I needed to get a 50GB SQL database transferred from an interstate client onto our servers. Both the client and we have a decent Internet connection and we already had an FTP server in place, but I was worried about the sensitive nature of the material we were transferring, so I set about enabling FTP over TLS on our FileZilla FTP Server using our public CA certificate. The process took a little fiddling and I'll outline it now. One thing I would highly recommend: FileZilla Server stores the private key unencrypted on disk, so request a separate certificate with its own key pair for the FTP server rather than reusing the key behind a certificate you use elsewhere (a certificate is bound to one key, so you cannot simply re-export it with a different one). That way a compromise of the FTP host exposes only that key.

Firstly, you will need the OpenSSL Windows binaries (available here). Once downloaded, extract them to a handy place like c:\openssl and copy across your certificate in PKCS#12 .pfx format (which is the default format of our certificate), so you have the .pfx inside c:\openssl. Now open an administrative command prompt and cd into C:\openssl (handy tip: in Windows Explorer, when you are in the folder you want a command prompt in, just type cmd into the address bar and hit Enter). There are two OpenSSL commands we will use to convert the file and strip out what we need: the first writes the private key, unencrypted (-nodes) because FileZilla Server cannot use a passphrase-protected key, and the second writes just the server certificate.

openssl pkcs12 -in <your.pfx>  -nocerts -nodes -passin pass:<yourpass> | openssl rsa -out <output.pem>


openssl pkcs12 -in <your.pfx> -clcerts -nokeys -passin pass:<yourpass> -out <output.crt>

Once you have both files, open them in Notepad (or Notepad++) and paste the certificate from the second command into the key file from the first, so one PEM file holds the private key followed by the certificate, and save it as <yourcertnamehere>.crt. If your CA issued the certificate through an intermediate CA, append the intermediate certificate(s) as well; otherwise clients that do not already have the intermediate cached will fail to build a trusted chain. Because the key in this file is plain text, restrict its NTFS permissions to SYSTEM (which the FileZilla Server service runs as) and Administrators. Open the FileZilla Server Interface and go into Settings; under the FTP over TLS settings page, point both the private key file and the certificate file at the file we just created and click OK. While you are there, disallow plain unencrypted FTP so a client cannot silently fall back to cleartext for a transfer like this one. I'd recommend using WinSCP to connect, as it trusts certificates whose chain ends in the Windows Trusted Root CAs store (the FileZilla client will always prompt to trust).
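As an added example (not from the original post), here is the same conversion scripted in PowerShell around openssl.exe, with three things the manual steps skip: it also extracts the CA chain, it proves the key and certificate belong together before the combined file is written, and it locks the resulting file down. The file paths are assumed placeholders; the PFX password is read at run time and handed to openssl through an environment variable rather than on the command line, where it would show up in the process list.

```powershell
# Added example (not from the original post). Assumed placeholders:
$openssl = 'C:\openssl\openssl.exe'
$pfx     = 'C:\openssl\ftp.pfx'
$out     = 'C:\openssl\filezilla.pem'   # the one file FileZilla Server will read

function Get-PemBlocks {
    # Return only the -----BEGIN ... END----- blocks; openssl pkcs12 also
    # prints "Bag Attributes" lines we do not want in the final file.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $text = Get-Content -Path $Path -Raw
    if (-not $text) { return @() }
    @([regex]::Matches($text, '-----BEGIN [A-Z ]+-----[\s\S]*?-----END [A-Z ]+-----') | ForEach-Object { $_.Value })
}

# Password via env:, not pass:, so it is not visible in the process list.
$secure = Read-Host -AsSecureString -Prompt 'PFX password'
$env:PFXPASS = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                   [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
try {
    # Unencrypted private key (-nodes): FileZilla Server cannot decrypt a protected key.
    & $openssl pkcs12 -in $pfx -nocerts -nodes -passin env:PFXPASS | & $openssl rsa -out "$out.key"
    # Server certificate only.
    & $openssl pkcs12 -in $pfx -clcerts -nokeys -passin env:PFXPASS -out "$out.crt"
    # Intermediate/root certificates carried in the PFX, for the chain.
    & $openssl pkcs12 -in $pfx -cacerts -nokeys -passin env:PFXPASS -out "$out.chain"
} finally {
    Remove-Item Env:\PFXPASS
}

# Key and certificate must share the same RSA modulus; a mismatch here means
# the PFX is not what you think it is and FileZilla would refuse the pair.
$keyMod  = & $openssl rsa  -in "$out.key" -noout -modulus
$certMod = & $openssl x509 -in "$out.crt" -noout -modulus
if ($keyMod -ne $certMod) { throw 'Private key does not match the certificate' }

# Order matters for FileZilla: key, then server certificate, then chain.
# @() on each keeps single blocks from being string-concatenated.
$blocks = @(Get-PemBlocks "$out.key") + @(Get-PemBlocks "$out.crt") + @(Get-PemBlocks "$out.chain")
Set-Content -Path $out -Value $blocks -Encoding ASCII
Remove-Item "$out.key", "$out.crt", "$out.chain" -ErrorAction SilentlyContinue

# The key is in clear text: SYSTEM (the FileZilla Server service account)
# and Administrators only, with inheritance cut so no wider ACL leaks in.
$acl = Get-Acl -Path $out
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $out -AclObject $acl

"Wrote $out with $($blocks.Count) PEM block(s); set both TLS file paths in FileZilla Server to it."
```

Point both the private key file and the certificate file fields in FileZilla Server's TLS settings at the single output file; the empty chain file is handled gracefully if the PFX carried no CA certificates, in which case you will need to obtain the intermediate from your CA and append it yourself.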


Adventures with setting up RDS RemoteApp and Web Access in Windows Server 2012 R2

So I was recently setting up a demo environment in Azure with two servers. Our goal was to have Remote Web Access and then publish RemoteApps through it so we could give live demos. The process of setting up Remote Desktop Services is much easier in Server 2012 / 2012 R2 thanks to the Add Roles and Features Wizard, but there are still some gotchas that I encountered and will cover in this blog post.

The first thing was getting the FQDN of the RD Gateway / RD Web Access server set to our external domain (since it is different from the internal one; for example, the internal domain is adatum.internal and the external name is something else). For Web Access it is simply a matter of having a public DNS record pointing at your web server, but getting it working for the RD Gateway requires some PowerShell. A script from the TechNet Gallery called Change published FQDN for Server 2012 or 2012 R2 RDS Deployment works a treat for Server 2012 and 2012 R2 (as with any third-party script you run with admin rights, read it before you run it). Simply go to the directory you have the script in with an administrative PowerShell prompt and enter the following:

Set-RDPublishedName "<external FQDN>"

Clients should now see themselves connecting to the proper external server FQDN instead of something like rds-01.demo.adatum.local.

My next issue was when my demo client went to connect: it errored out with 0x607 - An authentication error has occurred. After talking with someone in the office I found out the Session Host server was also hosting some demo web apps that ran over HTTPS. I had imported a proper certificate (one that hadn't expired) but still had the issue. So I opened mmc.exe, added the Certificates snap-in, browsed the computer certificate store and under Personal I could see an EXPIRED certificate. I deleted it but was still getting the error: the RDP listener was still bound to that certificate's thumbprint. To stop Terminal Services trying to use it I opened regedit and went to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

In this key I scrolled down until I found SSLCertificateSHA1Hash and deleted the value (you could instead replace the hash with the thumbprint of the good certificate, which is the better option: with the value deleted the listener falls back to the machine's self-signed RDP certificate, which clients do not trust and will warn about). In an RDS deployment, the supported way to assign certificates to the gateway, web access, broker and publishing roles is Set-RDCertificate from the RemoteDesktop module. Once I had done this I restarted the server for good measure and was then able to connect to my RemoteApps through Web Access without an issue.
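As an added example (not from the original post), here is the bind-to-the-good-certificate route instead of deleting the hash: pick the valid certificate for the published name from LocalMachine\My, point the RDP-Tcp listener at it through the supported Win32_TSGeneralSetting WMI class, and then read the registry value from the post to confirm the listener now holds that thumbprint. The FQDN rds.adatum.com is an assumed placeholder; run it elevated on the Session Host.

```powershell
# Added example (not from the original post). Assumed placeholder:
$fqdn = 'rds.adatum.com'
$now  = Get-Date

# Candidate: has a private key, is inside its validity window, and names the
# FQDN clients connect to, as the CN or as a SAN entry (DnsNameList is the
# PowerShell-added view of the SAN extension).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and $_.NotBefore -lt $now -and
        ($_.Subject -match "CN=$([regex]::Escape($fqdn))(,|$)" -or
         @($_.DnsNameList.Unicode) -contains $fqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key for $fqdn in LocalMachine\My" }

# Anything expired in the same store is a candidate for the 0x607 error;
# list it so it can be removed rather than picked up again later.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -le $now } |
    Select-Object Thumbprint, Subject, NotAfter

# Bind the listener. This writes the same value the post's registry key holds
# (SSLCertificateSHA1Hash under WinStations\RDP-Tcp) through the supported API.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Confirm from the registry value the post describes: REG_BINARY SHA-1, which
# must equal the chosen certificate's thumbprint.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$bytes = (Get-ItemProperty -Path $key -Name SSLCertificateSHA1Hash).SSLCertificateSHA1Hash
$bound = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
if ($bound -ne $cert.Thumbprint) { throw "Listener is bound to $bound, expected $($cert.Thumbprint)" }

"RDP-Tcp now uses $($cert.Subject) ($($cert.Thumbprint)), expires $($cert.NotAfter)"
```

The RDP listener runs as NETWORK SERVICE, so that account also needs read access to the certificate's private key (Manage Private Keys in the Certificates snap-in); a certificate that passes every check above but has the wrong key ACL produces the same authentication error.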