Blog: Active Directory

I was helping out with a customer’s Active Directory migration and a different IT support group used a profile migration tool to help “ease” the transition between domains. But soon after the users started complaining that IE was not allowing them to save passwords. They would get prompted to store the credentials for a website and click yes, but as soon as they closed and reopened IE their stored credentials would disappear. Our suspicion was that the profile migration tool had corrupted the credential store in the registry.

I started a remote session with one of the users, checked the IE password store in the registry (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2), and saw several of the user’s old entries. In order to allow the user to store passwords again, I had to delete this registry key, reopen IE, and save credentials for a website. Once I clicked “yes” to the prompt to save credentials, the registry key was automatically recreated and the credentials got stored.


 

After installing a new server and promoting it to a domain controller, the replication from the other domain controller did not work and the NETLOGON and SYSVOL folders were not created. Initially, I tried demoting it and re-promoting it, but that didn't work. I found the following Microsoft Support article - http://support.microsoft.com/en-us/kb/315457 - on how to rebuild the SYSVOL tree and it’s content in a domain. In summary, I had to go into ADSI and delete the orphaned GUIDs and create new symbolic links for both of the folders. I also had to recreate all of the group policies in order for them to work on the new server.


 
 

We recently ran across a problem where users trying to log on to Microsoft Office Outlook Web Access in Exchange Server 2007 would receive the following error message:
"A problem occurred while trying to use your mailbox. Please contact technical support for your organization."

If Show Details is clicked in this error message, a call stack including the following message appears:
"Exception message: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later. Current version of the object is 0.0 (6.5.6500.0)." [more]

After some research we found that this issue occurs when the msExchVersion attribute is not set correctly on the user object in the Active Directory. Exchange 2007 uses the msExchVersion attribute to determine the version of Exchange that user objects are associated with. If the version value is less than 0.1, Exchange 2007 considers the object "read-only" and cannot write changes to the object.

The msExchVersion attribute may not set correctly if you created the user's mailbox by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in instead of by using the Exchange 2007 Management Console, as was the case in this situation. 

To resolve this issue, type the following command at the Exchange Management Shell prompt:
Set-Mailbox User_Name -ApplyMandatoryProperties

To verify the msExchVersion attribute, type the following command at the Exchange Management Shell prompt:
Get-Mailbox User_Name | format-list ExchangeVersion


 

In Active Directory Users and Computers there is an Email Addresses tab that lists email addresses for the user.  One of these (for each protocol) is selected as the Primary.  The primary address will be the one that a user's outgoing email appears to come from.  But there is also a General tab where one can enter an email address for the user. This also causes that user's outgoing email to appear to come from that address.  Normally, changing one also changes the other.  But if you are running Active Directory Users and Computers from a machine that does not have the Exchange Server tools installed, the Email Addresses tab is not there and changing the email address on the General tab will not change the primary.  Actually, anything can be entered in that field on the General tab, even invalid domains.  So it is recommend to always make user account changes on the Exchange server, or at least on a system that has the Exchange server tools installed.  And use the Email Addresses tab to change user's email addresses.

Some email servers perform some verification on the sender's email address and may reject it if the domain is invalid.  Nothing can send a bounce message either because the email address does not work, so the sender will not know the email was not delivered.