Certificate enrollment fails giving “The RPC server is unavailable. 0x800706ba (WIN32: 1722)”

I experienced this problem while trying to autoenroll a certificate from a client. After searching, I found that it is because the CA is installed on a domain controller.

The problem was solved by adding the “Domain Controllers” security group to the “CERTSVC_DCOM_ACCESS” domain local security group.
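The same group change done from PowerShell, followed by the checks that tell you whether the fix took effect. This is an added example, not part of the original post: it assumes an admin box with the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), WinRM to the CA host, and placeholder names (CA host CA01, CA name "Contoso Issuing CA"). Run it as a Domain Admin.

```powershell
# Added example (not from the original post). Placeholders: CA01 / "Contoso Issuing CA".
Import-Module ActiveDirectory

$group  = 'CERTSVC_DCOM_ACCESS'
$member = 'Domain Controllers'
$caHost = 'CA01'                      # assumed: the DC that also runs the CA
$caName = "$caHost\Contoso Issuing CA" # assumed: <host>\<CA common name>

# 1. Inspect the group. When the CA is on a DC this is a Domain Local group, and a
#    DC's enrollment request arrives under its machine account, so "Domain
#    Controllers" is the principal that needs DCOM access. Keep the membership
#    minimal: this group gates who may talk to the CA's request interface at all.
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name
"Current members of ${group}: $($current -join ', ')"

# 2. Add the group only if it is not already there (idempotent re-runs).
if ($current -notcontains $member) {
    Add-ADGroupMember -Identity $group -Members $member
}

# 3. certsvc computes its DCOM security descriptor at start-up. Microsoft's
#    procedure for CERTSVC_DCOM_ACCESS changes is to set the "DCOM security
#    updated" flag and restart the service.
Invoke-Command -ComputerName $caHost -ScriptBlock {
    certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG | Out-Null
    Restart-Service -Name certsvc
}
# Caveat: a computer only sees new group memberships in a fresh logon token.
# Reboot the DC, or on it run:  klist -li 0x3e7 purge   (purges the SYSTEM
# session's Kerberos tickets) before retesting from that DC.

# 4. From the client: can it reach the CA's RPC/DCOM request interface? A 1722
#    here is transport or DCOM permissions (firewall, RPC dynamic ports, this
#    group), not a template problem.
certutil -config $caName -ping

# 5. Trigger autoenrollment now instead of waiting for the next policy refresh,
#    then look for the issued certificate in the machine store.
certutil -pulse
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*Contoso Issuing CA*' } |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

Step 4 is the useful discriminator: if `certutil -ping` fails even after the group change and service restart, look at the RPC endpoint mapper (TCP 135) and dynamic RPC ports between client and CA before touching enrollment policy again.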

For further investigation and other troubleshooting steps, review the following links:


Posted in Windows Server 2003, Windows Server 2008 | Tagged , | Leave a comment

Setting a process exclusion in your network

While I was configuring exclusions in Forefront Client Security, I had two actions to do: first, set file and folder exclusions, and second, exclude the processes themselves. The first action gave me no problem, but for the second one I found that there is no option in the FCS GUI to exclude processes. After searching, I found that to do this you need to edit the registry, or use a GPO if you have a good number of servers.

As I had only one server, I changed the registry on that server to set the exclusions. The steps are as follows:

  1. Go to the following registry key: HKLM\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes
  2. For each process, add a new DWORD entry whose name is the full path of the process executable (e.g. “C:\WINDOWS\system32\Process_Name.exe”).

Note that you need to replace Process_Name.exe, or the entire path, with the process you want to exclude. Exclude only what you must: files touched by an excluded process are not scanned, so an exclusion on a path that non-administrators can write to is an antimalware bypass waiting to be used.
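The registry edit above scripted for one or more processes, with the pre-checks a practitioner wants before trusting an exclusion. This is an added example, not the original post's or Microsoft's code: the process paths are assumed placeholders, and the DWORD data of 0 is an assumption (the engine matches on the value name, which is the path).

```powershell
# Added example (not from the original post). Process paths below are placeholders.
$key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes'

$processes = @(
    'C:\Program Files\Microsoft\Exchange Server\Bin\Store.exe',  # assumed example
    'C:\WINDOWS\system32\Process_Name.exe'                      # placeholder from the post
)

function Test-FcsProcessExclusion {
    # Pre-flight: the binary exists, is Authenticode-signed, and sits where
    # standard users cannot write. A writable excluded path lets anyone drop a
    # binary there and have everything it touches go unscanned.
    param([string[]]$Path)
    foreach ($p in $Path) {
        $exists = Test-Path -LiteralPath $p
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $p).Status } else { 'Missing' }
        $userWritable = $false
        if ($exists) {
            $acl = Get-Acl -LiteralPath $p
            $userWritable = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
                $_.FileSystemRights -match 'Write|Modify|FullControl'
            })
        }
        New-Object PSObject -Property @{ Path = $p; Exists = $exists; Signature = $sig; UserWritable = $userWritable }
    }
}

function Add-FcsProcessExclusion {
    # One DWORD per process, NAMED with the full path. Data is 0 (assumption:
    # the name is what the exclusion matches on; the data is not consulted).
    param([string[]]$Path)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($p in $Path) {
        New-ItemProperty -Path $key -Name $p -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-FcsProcessExclusion {
    # Lists the excluded process paths currently in the registry.
    if (Test-Path $key) { (Get-Item $key).GetValueNames() }
}

Test-FcsProcessExclusion -Path $processes | Format-Table Path, Exists, Signature, UserWritable -AutoSize
Add-FcsProcessExclusion  -Path $processes
Get-FcsProcessExclusion
```

Run the `Test-FcsProcessExclusion` output past whoever asked for the exclusion: an unsigned binary, or one in a user-writable folder, should not be excluded at all. For many servers, put the same values under the equivalent policy key via GPO rather than touching each registry by hand.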

references: http://blogs.technet.com/b/clientsecurity/archive/2010/03/12/setting-a-process-exclusion-in-your-network.aspx

Best Regards,


Posted in FCS | Tagged | Leave a comment

Setup TMG Failed while registering performance monitors

My TMG installation failed because it was not able to register the performance monitor counters. After investigating the problem, I believed that the corruption of the performance counters was due to a group policy applied to the machine, most likely the FCS policy.


To solve this issue you need to manually rebuild the Performance Counter Library values. To rebuild all performance counters, including extensible and third-party counters, on Windows Server 2003 (the same command applies on Windows Server 2008), type the following command at an elevated command prompt and press ENTER:


lodctr /R
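The rebuild wrapped in the safety steps around it: back up the counter strings first, run both the 64-bit and the 32-bit lodctr on x64 (they keep separate tables), resync WMI, and verify a counter reads back. This is an added example, not from the original post or the linked article; the backup location is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Run elevated.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "perfcounters-$stamp.ini"   # assumed backup location

# 1. Save the current counter strings; lodctr /R:<file> restores them if the
#    rebuild makes things worse.
& "$env:windir\System32\lodctr.exe" "/S:$backup"
"Counter strings saved to $backup"

# 2. Rebuild from the per-service Performance registry entries. 64-bit Windows
#    keeps a separate 32-bit counter table, so run the SysWOW64 copy as well.
& "$env:windir\System32\lodctr.exe" /R
if (Test-Path "$env:windir\SysWOW64\lodctr.exe") {
    & "$env:windir\SysWOW64\lodctr.exe" /R
}

# 3. Make WMI re-read the rebuilt counter library (setup programs such as TMG's
#    register their counters through WMI, so a stale view fails them too).
& winmgmt /resyncperf

# 4. Verify. If a base counter cannot be read the rebuild did not take; the
#    usual causes are a non-elevated prompt or a damaged per-service
#    Performance key, which /R cannot repair on its own.
Get-Counter '\Processor(_Total)\% Processor Time' -ErrorAction Stop |
    Select-Object -ExpandProperty CounterSamples |
    Format-Table Path, CookedValue -AutoSize
```

If the FCS policy really is what broke the counters, expect the problem to return at the next policy refresh; fix the policy (or block it on the TMG host) before re-running setup.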

Alternatively, you can go step by step through the following link:


Posted in Forefront TMG | Tagged | Leave a comment

Which Is Better for Exchange Edge Server High Availability?


Administrators have two ways to load balance Exchange Edge servers:

· Round Robin DNS

· Network Load Balancing

Each has its pros and cons; we will look at both methods so you can choose the one that suits your organization best.

Round Robin DNS

Round Robin DNS is the easiest method available to load balance web servers, and to its clients an Exchange front end answering OWA is just an HTTPS web server, so round robin DNS is a simple solution you can use to load balance the Edge servers. Round robin works by assigning multiple IP addresses to the fully qualified domain name (FQDN) of a resource. The DNS server rotates the order of those addresses in each response: one server's IP address is handed out first, the next request is given the next IP in the list, and so on until the end of the list is reached, when the whole cycle starts over. Another upside is that you don't need any special hardware; the standard network interface card in any server will work.

The following diagram (Figure 1) shows our demo scenario that includes the DNS server and the three Edge Exchange servers.


Figure 1: Round Robin Scenario

To configure round robin for this Exchange organization, open up the DNS Management MMC and right-click on the DNS server; choose Properties. Click on the Advanced tab and check the box next to Enable Round Robin (see Figure 2).


Figure 2: Enable Round Robin

Now drill down to the forward lookup zone and create an A(Host) record for each Edge server with the same FQDN. In this case I am creating three A records for owa.thelazyadmin.lab each with an IP address from one of the Exchange Edge servers (see Figure 3).


Figure 3: A(Host) Records

That is it! DNS round robin will now spread the requests out between the three Exchange Edge servers. If you are using BIND DNS servers (version 9.x) the concept is the same, just create multiple A(Host) records for the FQDN.

Before we get too excited about how easy this was to configure and all the positive things that will happen with this configuration, there are some things that you should be aware of.

Round Robin DNS is not fault tolerant. The DNS server has no idea that a server is down, so it keeps handing out that address until you remove the record. If a user receives the IP address of a down server, they will get an error message. This is usually resolved by refreshing a few times, but they may have to go a step further and purge the local DNS cache before they get the IP address of a functional server. For this reason a low TTL value is recommended.

Each Edge server should be running the same base operating system and Exchange version including service packs and hot fixes. Also if you are provisioning OWA features, you need to ensure you configure each Edge identically as well.

Since everything is handled by DNS, you need to configure a monitoring method to notify administrators if an Edge node is unavailable, and to take its A record out of the rotation while it is down. Unlike a cluster configuration, there is no built-in monitoring service that can notify administrators of a downed node.
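The round robin setup above done with dnscmd, plus the piece the article says you must supply yourself: a probe that pulls a dead node's record out of the rotation and puts it back when the node returns. This is an added example, not from the original article; it assumes it runs on the DNS server itself, the zone name thelazyadmin.lab from the article, three assumed node IP addresses, and TCP 443 as the service port.

```powershell
# Added example (not from the original article). Node IPs and port are assumptions.
$zone  = 'thelazyadmin.lab'
$name  = 'owa'
$ttl   = 60                                               # seconds; short so clients re-resolve quickly
$nodes = @('192.168.1.11', '192.168.1.12', '192.168.1.13') # assumed Edge server addresses
$port  = 443

# 1. Round robin is on by default in Windows DNS; make it explicit anyway.
dnscmd /Config /RoundRobin 1

# 2. One A record per node, same name, explicit TTL (dnscmd takes the TTL
#    before the record type).
foreach ($ip in $nodes) {
    dnscmd /RecordAdd $zone $name $ttl A $ip
}

function Test-NodePort {
    # TCP connect check with a timeout; uses .NET directly so it also works on
    # PowerShell 2.0 hosts, which have no Test-NetConnection.
    param([string]$Ip, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Sync-RoundRobinRecords {
    # Probe every node. A node that fails loses its A record; a node that is
    # back gets it re-added, so the rotation self-heals within one TTL.
    param([string[]]$Nodes)
    foreach ($ip in $Nodes) {
        if (Test-NodePort -Ip $ip -Port $port) {
            dnscmd /RecordAdd $zone $name $ttl A $ip | Out-Null
        } else {
            Write-Warning "$ip is not answering on TCP $port; removing it from $name.$zone"
            dnscmd /RecordDelete $zone $name A $ip /f | Out-Null
        }
    }
}

Sync-RoundRobinRecords -Nodes $nodes
```

Schedule `Sync-RoundRobinRecords` to run every minute or so and send the warning somewhere a human reads. Note what it does not catch: a node that accepts TCP connections but has a broken Exchange service still looks healthy to a port probe, so an HTTPS request to the OWA path is the better check where you can afford it.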

Network Load Balancing

The other option you have to load balance your Exchange Edge is Network Load Balancing (NLB). Network Load Balancing is a Microsoft clustering technology that is included in Windows 2000 Advanced Server and all editions of Windows Server 2003 and Windows Server 2008. NLB distributes incoming connections across the nodes with a statistical hashing algorithm and uses heartbeats between the nodes to provide high availability.

Typically, two nodes cannot share an IP address. If you have ever given two computers the same IP address, you have seen the issues this can cause. The Network Load Balancing Service solves this problem by letting every node receive the traffic sent to the shared IP address while a distributed filtering algorithm decides, per connection, which single node accepts it; nothing sits in front of the cluster. NLB does not measure how busy a node is: distribution follows a hash of the client's address and port weighted by each node's configured load weight. Heartbeats between the nodes detect a node that has gone down, and the cluster converges so that traffic stops going to it. Note that NLB only knows whether the host is up, not whether Exchange on that host is healthy, so a node with a stopped service still receives connections.

One other thing you need to implement an NLB cluster is an extra network card in each Edge server. NLB requires each node in the cluster to have two IP addresses. Technically you can do this with a single network card, but a second network card simplifies things greatly: in unicast mode all nodes share one cluster MAC address on the NLB adapter, so nodes cannot reach each other over that adapter, and the second NIC carries management and intra-cluster traffic. With two NICs installed in each Edge server we are ready to go. The following diagram is a typical Edge NLB cluster configuration (see Figure 4). It doesn't look much different from the round robin scenario; the only real difference is that each Edge server has a second NIC and IP address.


Figure 4: NLB Scenario

Again, each Edge server should be running the same base operating system and Exchange version including service packs and hot fixes and, if you are provisioning OWA features, you need to ensure you configure each Edge identically as well.

There are two tasks involved in creating a NLB cluster for your Exchange Edge.

· Configure NLB on each Edge server

· Configure a DNS record for the NLB cluster

To configure NLB on each Edge server, open up the properties of the NIC you will be using for the NLB cluster. Check the box next to Network Load Balancing, and then with that option highlighted, press the Properties button. Under the Cluster Parameters tab, enter a unique IP address for the cluster. This will be the IP address that DNS will point clients to. Enter the subnet mask and the FQDN of the cluster. Leave the cluster in Unicast mode and leave remote control disabled; remote control is a UDP management channel protected only by a shared password and has no place on an Internet-facing server. See Figure 5 for a sample configuration.


Figure 5: Cluster Parameters

Next, click on the Host Parameters tab and select a Priority. Each node in the NLB cluster needs a unique Priority, which can range from 1 to 32. Next, enter the node's own dedicated IP address (not the cluster IP) and the subnet mask. Leave Initial Host State as Started. See Figure 6 for a sample configuration.


Figure 6: Host Parameters

The last checkbox, Retain suspended state after computer restarts, can be checked if you desire. If you do check it, a node that was suspended when it restarted stays suspended until you resume it by hand. Click OK until you exit the network card properties. Repeat these steps on the other nodes in the NLB cluster, making sure you use a unique Priority for each. Once complete, test it out by pinging the cluster IP address.

The last step is to create a DNS A(Host) record for the cluster IP. Open up the DNS Management MMC and drill down to the forward lookup zone. Add an A(Host) record that points to the cluster IP and give it a unique name. Close the DNS Management MMC and test it out by pinging the FQDN.
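The same two tasks done from PowerShell with the NetworkLoadBalancingClusters module that ships with Windows Server 2008 R2 and later (the GUI steps above are the only route on older releases). This is an added example, not from the original article: host names, interface names, the cluster IP, the zone and the published ports (25 and 443) are assumptions, and it assumes the NLB feature is already installed on every node (Add-WindowsFeature NLB).

```powershell
# Added example (not from the original article). Names, IPs and ports are assumptions.
Import-Module NetworkLoadBalancingClusters

$clusterIp   = '192.168.1.20'
$mask        = '255.255.255.0'
$clusterFqdn = 'mail.thelazyadmin.lab'
$zone        = 'thelazyadmin.lab'
$nodes       = @(
    @{ Name = 'EDGE01'; Nic = 'NLB' },   # 'NLB' is the second NIC on each node
    @{ Name = 'EDGE02'; Nic = 'NLB' }
)
$first = $nodes[0]

# 1. Create the cluster on the first node in unicast mode, as the article
#    recommends. Remote control is off by default and stays off here.
New-NlbCluster -HostName $first.Name -InterfaceName $first.Nic `
    -ClusterName $clusterFqdn -ClusterPrimaryIP $clusterIp -SubnetMask $mask `
    -OperationMode Unicast | Out-Null

# 2. Replace the default "all ports" rule with rules for the services actually
#    published. Single affinity keeps a client on one node for its session;
#    anything not listed is simply not load balanced.
Get-NlbClusterPortRule -HostName $first.Name | Remove-NlbClusterPortRule -Force
foreach ($p in 25, 443) {
    Add-NlbClusterPortRule -HostName $first.Name -InterfaceName $first.Nic `
        -StartPort $p -EndPort $p -Protocol TCP -Mode Multiple -Affinity Single | Out-Null
}

# 3. Join the remaining nodes. Host priorities (1..32) are assigned
#    automatically and must be unique; the listing below lets you confirm that.
foreach ($n in $nodes[1..($nodes.Count - 1)]) {
    Add-NlbClusterNode -HostName $first.Name -InterfaceName $first.Nic `
        -NewNodeName $n.Name -NewNodeInterface $n.Nic | Out-Null
}
Get-NlbClusterNode -HostName $first.Name | Format-Table Name, HostPriority, State -AutoSize

# 4. DNS: a single A record for the cluster IP, then test by name.
#    (dnscmd runs on, or is pointed at, the DNS server.)
dnscmd /RecordAdd $zone ($clusterFqdn.Split('.')[0]) A $clusterIp
Test-Connection -ComputerName $clusterFqdn -Count 2
```

Restricting the port rules is the one hardening step worth calling out: with the default rule, every TCP and UDP port on the cluster IP is balanced to the nodes, including management ports you never meant to expose through the cluster address.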


That is all there is to load balancing your Exchange Edge servers. If you can, use NLB; it is the more robust of the two methods and offers high availability features you can't get with Round Robin DNS. Both methods are easily expandable: simply add another server to the farm and add it to the round robin DNS list or to the NLB cluster. The only hard limit is that NLB supports at most 32 nodes.

Posted in Exchange Server 2007/2010 | Tagged | Leave a comment

Cannot move Public Folder Replica

I was trying to move public folder replicas between Exchange 2010 SP1 mailbox servers. I used the MoveAllReplicas script as follows:

.\MoveAllReplicas.ps1 -Server Server01 -NewServer Server02

I got the following error:

Cannot save the object ‘\Internet Newsgroups’. Make sure that you specified the correct Identity and that you have the necessary permissions to save it.
    + CategoryInfo          : NotSpecified: (0:Int32) [Set-PublicFolder], MapiObjectNotFoundException
    + FullyQualifiedErrorId : 337B5C79,Microsoft.Exchange.Management.MapiTasks.SetPublicFolder

I did a workaround by adding my current account to the Public Folder Management role group.

with the following command:

Add-RoleGroupMember -Identity "Public Folder Management" -Member Tony

and then ran the MoveAllReplicas script again; this time there was no error, a good sign.

Ref: http://technet.microsoft.com/en-us/library/aa996369.aspx
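Run in the Exchange Management Shell, this checks the two things the error above can come from (whether the folder named in the error still exists, and whether the account holds the Public Folder Management role) before running the move, and then verifies that no replica is left on the source. This is an added example, not part of the original post; Server01, Server02 and Tony are the post's own names, and `$exscripts` is the Exchange Management Shell variable pointing at the Scripts folder.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
$source = 'Server01'
$target = 'Server02'
$admin  = 'Tony'
$pfRole = 'Public Folder Management'

# 1. Does the object the script stumbled over still exist on the source server?
#    MapiObjectNotFoundException can mean it was removed while the script ran.
Get-PublicFolder -Identity '\Internet Newsgroups' -Server $source -ErrorAction SilentlyContinue |
    Format-List Identity, Replicas

# 2. Role check, and the workaround from the post if the role is missing.
#    RBAC assignments are loaded when the shell connects, so a new role needs a
#    new Exchange Management Shell session before it takes effect.
$members = Get-RoleGroupMember -Identity $pfRole | Select-Object -ExpandProperty Name
if ($members -notcontains $admin) {
    Add-RoleGroupMember -Identity $pfRole -Member $admin
    Write-Warning "Added $admin to '$pfRole'. Open a new Exchange Management Shell before continuing."
    return
}

# 3. Move every replica from the source to the target.
& "$exscripts\MoveAllReplicas.ps1" -Server $source -NewServer $target

# 4. Verify: nothing in either subtree should still list the source server.
$remaining = @(
    Get-PublicFolder -Server $target -Recurse -ResultSize Unlimited
    Get-PublicFolder -Identity '\NON_IPM_SUBTREE' -Server $target -Recurse -ResultSize Unlimited
) | Where-Object { ($_.Replicas | ForEach-Object { $_.Name }) -contains $source }

if ($remaining) {
    Write-Warning "Folders still replicated to ${source}:"
    $remaining | Format-Table Identity, Replicas -AutoSize
} else {
    "No replicas remain on $source."
}
```

The replica list is only the configuration; content still has to replicate to the target before the source database can be removed cleanly, so leave the source in place until `Get-PublicFolderStatistics -Server Server02` shows the expected item counts.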



Posted in Exchange Server 2007/2010 | Tagged | Leave a comment

How to force Exchange Server Public Folder Removal

After upgrading from Exchange Server 2007 to Exchange 2010, it is time to uninstall Exchange 2007. Of course, as everybody knows, the Exchange mailbox role will not uninstall without first removing the public folder replicas.

I tried to move the replicas, but the procedure took too much time without any visible progress, so I decided to remove the database through ADSIEDIT.MSC, especially since it is not required in my environment and no Outlook 2003 clients exist.

This is a destructive edit of the Exchange configuration in Active Directory that bypasses Exchange's own checks, so take a system state backup of a domain controller first. Then go ahead with the procedure below:

  1. Connect to your DC.
  2. Open the ADSIEDIT.MSC console and connect to the Configuration naming context.
  3. Go to the following path:

     CN=Configuration –> CN=Services –> CN=Microsoft Exchange –> CN=YOUR ORGANISATION –> CN=Administrative Groups –> CN=First Administrative Group (the administrative group that contains the server) –> CN=Servers –> CN=SERVER NAME –> CN=InformationStore

  4. Delete the public folder database object.

Refresh the EMC and you should see that the database has been removed; otherwise restart the Microsoft Exchange Information Store service.
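The same deletion done with the ActiveDirectory module instead of clicking through ADSIEdit, with a dry run and an export of the object before it goes, so the exact target is visible and recoverable. This is an added example, not from the original post; the server name and export location are assumptions. Run it as an Enterprise Admin from a machine with RSAT (Windows Server 2008 R2 or later).

```powershell
# Added example (not from the original post). EX2007 and the export path are assumptions.
Import-Module ActiveDirectory

$serverName = 'EX2007'   # assumed: the Exchange 2007 mailbox server being decommissioned
$configNC   = (Get-ADRootDSE).configurationNamingContext
$export     = Join-Path $env:TEMP "pfdb-$serverName.xml"   # assumed export location

# 1. Find public folder database objects that live under this server's
#    InformationStore container, i.e. the same path the ADSIEdit steps walk.
$pfdbs = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchPublicMDB)' |
    Where-Object { $_.DistinguishedName -like "*,CN=InformationStore,CN=$serverName,CN=Servers,*" }

if (-not $pfdbs) { throw "No public folder database found under server $serverName" }

# 2. Dry run: show exactly what would be deleted and keep a copy of every
#    attribute so the object can be rebuilt by hand if this was a mistake.
$pfdbs | Format-List Name, DistinguishedName
$pfdbs | ForEach-Object { Get-ADObject -Identity $_ -Properties * } | Export-Clixml -Path $export
"Object attributes exported to $export"

# 3. Delete only after an explicit confirmation prompt. This removes the AD
#    object only: the .edb file on disk, and any OAB or free/busy data that
#    lived in the public folders, are not touched and are your responsibility.
$pfdbs | Remove-ADObject -Confirm

# 4. Exchange should no longer know about it (run this one in the Exchange
#    Management Shell); restart the Information Store if the EMC still lists it.
Get-PublicFolderDatabase -Server $serverName -ErrorAction SilentlyContinue
```

Searching by the container path rather than by display name matters here: public folder databases on different servers can share a display name, and deleting the wrong one takes a working server's public folders with it.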

Note that if you run the Exchange BPA tool you might get an error that the site folder server has been deleted. I would suggest following this article –> http://technet.microsoft.com/en-us/library/aa996485(EXCHG.80).aspx



Posted in Exchange Server 2007/2010 | Tagged | 5 Comments

Can’t remove Exchange 2007 Hub Transport role

While I was trying to remove the Exchange Hub Transport role, I got an error message (snapshot below) saying that this computer is configured as a source server in a connector.



After checking the error, I found that the Exchange server was configured as a source server in Send connectors that had been explicitly created for applications. After deleting these connectors, as I no longer needed them, the decommissioning of Exchange was successful.
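Finding the connectors that block the uninstall, and handling the case the post did not have: a connector that other Hub Transport servers also source, which should lose this server from its list rather than be deleted. This is an added example, not from the original post; EX2007HUB is an assumed server name. Run it in the Exchange Management Shell.

```powershell
# Added example (not from the original post). EX2007HUB is a placeholder.
$server = 'EX2007HUB'

function Get-SendConnectorSourcedBy {
    # Send connectors whose SourceTransportServers list includes the server.
    param([string]$ServerName)
    Get-SendConnector | Where-Object {
        ($_.SourceTransportServers | ForEach-Object { $_.Name }) -contains $ServerName
    }
}

$affected = Get-SendConnectorSourcedBy -ServerName $server
$affected | Format-Table Name, Enabled, AddressSpaces,
    @{ n = 'Sources'; e = { ($_.SourceTransportServers | ForEach-Object { $_.Name }) -join ',' } } -AutoSize

foreach ($c in $affected) {
    $others = @($c.SourceTransportServers | Where-Object { $_.Name -ne $server })
    if ($others.Count -gt 0) {
        # Other Hub servers can still source this connector: keep it, drop only
        # the server being decommissioned so mail flow for that address space
        # continues uninterrupted.
        Set-SendConnector -Identity $c.Identity -SourceTransportServers $others
    } else {
        # Nothing else can source it. Removing the connector is what unblocks
        # setup (what the post did); -Confirm so an application connector you
        # still need is not removed by accident.
        Remove-SendConnector -Identity $c.Identity -Confirm
    }
}

# Setup's check should now pass: nothing should still reference the server.
if (Get-SendConnectorSourcedBy -ServerName $server) {
    Write-Warning "Connectors still reference $server; review them above."
} else {
    "No Send connectors reference $server."
}
```

Receive connectors are per-server and go away with the role, so only Send connectors (and, if present, Edge subscriptions) need this treatment before uninstalling Hub Transport.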


Haytham M. Ghazy

Posted in Exchange Server 2007/2010 | Leave a comment