Category Archives: Exchange

Getting a stubborn Exchange Rollup Patch to Install

Over the course of a couple of days I’ve struggled to get an Exchange Server to install an update.  What I stumbled upon was an idea I’ll share now.  After repeated failures pointing to insufficient privilege, I discovered that while I couldn’t run the .msp package “As Administrator”, instead I could run an elevated command prompt that way and launch the .msp from that context.  Well guess what?  It worked!

While this was for Exchange 2007, I believe the concept is universal with any stubborn updates for any Microsoft products.  This means you have to manually download the patch locally too of course.



Exchange 2010 SP2 Pickup Directory .txt –> .eml

I’m migrating a Web Application that is used as a custom ticketing system; the migration is from Exchange 2003 to Exchange 2010 SP2 and have gone from an x86 OS to an x64.  The full scope of changes are complex but I wanted to document what was needed to set and then verify the Pickup Directory in Exchange 2010 SP2.  Also I wanted to document the simple batch script I wrote to check and rename .txt files in the Pickup Folder to .eml so that they are now processed.  Apparently .txt messages use to work but don’t any longer.

The basics of pickup folder messaging:

Exchange 2010 SP2 using Exchange PowerShell

*where Exchange01 is altered to match the Exchange Server name

To set the Pickup Directory to the default location (no set by default though and you cannot do this in the EMC)

Set-TransportServer Exchange01 -PickupDirectoryPath “C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\PickUp”

Validate the directory location

Get-TransportServer -Identity “Exchange01” | Fl *PickupDirectoryPath*

Batch Script Scheduled to Recur every 5 minutes that renames files from .txt to .eml

*create .bat file and copy below script in and save
*create schedule task to run the script every 5 minutes indefinitely

cd “C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Pickup” | ren *.txt *.eml

Use a Go Daddy SSL cert with DYNDNS site

How To:

  • Let’s say you like keeping as much money as possible and only spending what is necessary.
  • Let’s also say you like the idea of using an industry standard certificate that often has its Root and Intermediate certificates prepopulated in cell phones.

What Why Where?

  • Why DYNDNS?  …typically due to the business using a dynamic IP address
  • they hold the DNS name servers for their entire namespace which is how your DNS records can get instantly updated across the globe when your IP addy changes
  • …and you can have your ‘real’ domain name also registered and managed there using this same ‘instant-change’ DNS methodology
  • The cert offered by DYNDNS is overpriced at $99/yr.  Their other services are extremely price friendly so maybe this isn’t such a big deal.  …but then again it’s money you can keep
  • Go Daddy often has a Google Search keyword “security certificate” $12.99 SSL cert special.  This is the same cert they (Go Daddy) normally charge $45 for.  You can purchase from 1-5 years.

Hypothetical Site

  • your site:

your DYNDNS WHOIS information

  • it won’t be able to be seen by Go Daddy in order to send you the verification email
  • Why?  WHOIS queries only happen at the root domain level ….& the root domain isn’t owned by you
  • The Administrative Contact for that WHOIS query is which BTW isn’t you


  • Let’s imaging you also paid for a real domain name “” with DYNDNS and associate it with your zone
  • It will have the same WHOIS information as above …and the same failed results for a SSL cert issuance validation step
  • you can set up your SSL cert with either domain name – that won’t be covered in this post …assuming you understand and would most benefit of using the name

SSL certificate issuance steps

  • First step –generate a CSR (certificate signing request) – at your IIS server
  • Buy a cert – you are really buying a credit which later can get ‘managed’ into a real certificate – at GoDaddy
  • Manage the Certificate that is listed under your Go Daddy “My Products”
  • Use the cert credit – involves entering the CSR by cut-n-paste from the text file on your PC to the Go Daddy GUI
  • Cert goes to a state of ‘pending’
  • Go Daddy sends a validation email to the Administrator Contact which requires reception and a reply to prove you actually are authorized from the domain – …but that isn’t you (see WHOIS above) and you don’t get that email

When that fails (see above reason if you have forgotten) you **can** request that Go Daddy send you a 7 digit code to create a TXT record for validation

  • adding a DNS record into your domain proves you to be an authoritative person for the domain
  • Go Daddy must be called before they email you this
  • create the TXT record per their instructions
  • you manage your DNS records at DYNDNS (required when using a dynamic IP/DNS account) and that is where this TXT record gets entered

With that TXT alternate validation method in place you return to the Go Daddy certificate management portal and click the link for “What’s holding this up?”

  • you will see a window with a link to click to have Go Daddy use the TXT validation

Return to the cert portal and see if the cert has cleared all hurdles and is “issued”

If it isn’t you may have to wait for Go Daddy to manually review your site and request

  • I phoned and politely requested that it be moved to the top of the list – and so it went upwards to the top
  • took about an hour and your mileage may vary since there are a lot of unknown factors to a manual process …but it will get completed!

Download the certificate

A five year Go Daddy SSL cert just cost you $65.  Of course you could have spent $495 with DYNDNS.  Please send your grateful donation to me at your discretion. ;-D

Exchange 2010 SP1 migration from 2003

The last couple of days I’ve been involved in an Exchange 2010 SP1 from Exchange 2003 (latest SP) migration project on a 120 user environment and found the following Exchange MVP Jaap Wesselius’s step through guide to be very useful:

more useful Exchange articles such as What’s Awesome & New in Exchange 2010 SP1 and importing PST’s in Exchange 2010 SP1  via PowerShell…

What does Exchange 2010’s SP1 really do that is exciting to me?   It gives more management through the GUI console & OWA is much improved and entirely cross browser functional using Silverlight.

BES, BESX, BESE, BPS …user with admin rights

subtitle “Send As issue with Administrator accounts
(users who are Enterprise and/or Domain Administrator accounts)”

for a long while there has been a known issue whenever BlackBerry Server (whatever flavor) is configured for a user with admin rights.  The workaround is below and is primarily credited to awesome Aussie Gary Cutri’s work:

GaryCutri clip_image002 Moderator

Join Date: Sep 2006, Location: Melbourne, Posts: 1,895

To correct the "Send As" issue I have outlined the steps I use to quickly resolve this issue:

1. Stop the Blackberry Router service.

2. Open Active Directory and from the View menu select "Advanced Features". Then go to each user that will be added to the BES and open their properties, go to the security tab and add the user BESadmin and add the security permission "Send As".

3. Run the following script logged on as Administrator

Note: Only use this step if you have BlackBerry users that are members of Admin groups. Using best practice methods it is recomended that mobile user accounts aren’t members of any administration groups.

dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "DOMAINNAME\BESadmin:CA;Send As"

Example 1: dsacls "cn=adminsdholder,cn=system,dc=experts-exchange,dc=com" /G "EXPERTS_EXCHANGE\BESadmin:CA;Send As"

Example 2: dsacls "cn=adminsdholder,cn=system,dc=blackberryforums,dc=com,dc=au" /G "BLACKBERRYFORUMS\BESadmin:CA;Send As"

Example 3: dsacls "cn=adminsdholder,cn=system,dc=mobilenetwork,dc=local" /G "MOBILENETWORK.local\BESadmin:CA;Send As"

NOTE: dsacls can be found in the Windows Server 2003 SP1 Support Tools pack: Download details: Windows Server 2003 Service Pack 1 32-bit Support Tools

4. Wait 20 minutes and then restart the BlackBerry Router service.

5. Restart the BES server.

Pasted (with minor edits) from <>

**** so why all the waiting and restarting needed above?  …read more****

Re: AdminSDHolder

The AdminSDHolder container is a special container object inside of the System container in Active Directory. The basic function of AdminSDHolder is exactly what it says it does – it holds the Access Control List (ACL) for every admin account. This container is just a template. Once every hour, the DC that holds the PDC Emulator role goes through every account that is in built-in Administrators group and checks the ACL for each user object. It compares this ACL to that of the AdminSDHolder container and if any Access Control Entry (ACE) is different, it rips out the old ACL and copies the ACL from the AdminSDHolder over to it.

The purpose of AdminSDHolder is to prevent against a specific attack scenario. Active Directory is extremely flexible down to it’ s most granular level. Because of this, a user can have ‘write access’ to anything inside of a specific OU. If an admin account is moved to an OU that a non-admin has rights to, he could give himself privileged access to the admin account. AdminSDHolder tries to prevent this from happening by continuously refreshing the ACL on an admin account.

Re: Stopping the BlackBerry Router Service

Stopping the BlackBerry Router allows the Exchange Servers to clear the cached permissions for the BlackBerry Enterprise Server administration account. I am currently investigating various methods to expedite this process (e.g Restarting the Information Store Service).

Pasted from <>