Showing posts from July, 2017

Creating a Complex Custom Azure Role

We recently needed to create a custom role in the Azure Portal that stopped a set of administrators from creating networks or virtual machines. This was because we are planning to share our ExpressRoute connection with their subscription, and we only allow IT to add new devices to our network or domain. The standard Azure RBAC roles don't do anything like this. These roles are typically configured with only a small set of permissions.

The role needed the following setup:

- Allow All
- Allow start, stop, deallocate VM
- Deny All Compute
- Deny All Network
- Deny All Permissions

The following article was pretty useful in describing the process of creating the custom role. There are a few methods, but I opted for the creation of the JSON file. To get the actual permissions required to build the JSON file itself, we needed to run the following commands:

Get-AzureRMProviderOperation Microsoft.Compute/*
Get-AzureRMProviderOperation Microsoft.Network

Exchange Hybrid Mailbox Move - Corruption Due To Missing Security Principals (ACL issues) - TooManyBadItemsPermanentException

UPDATE 14 Jan 2020: Microsoft have introduced DCS (Data Consistency Scoring), which is planned to supersede the Bad Item Limit count you declare on a migration. There are four grades of DCS: Perfect, Good, Investigate and Poor. You can complete the migration for all grades except Poor. Importantly, this means they can now properly differentiate between a corruption in mailbox data and missing permissions or a security principal which couldn't be set on the target mailbox. Previously you had to raise the Bad Item Limit to compensate for security principals and genuine corruption combined; this should no longer be the case. For now, DCS will be used by default where you don't set a Bad Item Count. If you do specify a Bad Item Count, DCS will not be used. See the below links for more details:

Exchange Back Pressure and Safety Net

The following article covers a scenario where 2 Exchange 2013 servers were in the same Active Directory site. There is no DAG in place and the Safety Net settings had the default configuration.

Issue: A receive connector was set up on ExchangeSrv#1 to allow relays from 3rd party or line of business applications. ExchangeSrv#1 had plenty of space, was not low on resources and was not in a back pressure condition. A 3rd party system was in place and submitting emails using Telnet. The majority of emails being submitted were being rejected with the error "453 4.3.1 Insufficient system resources". ExchangeSrv#2 did not have the same receive connector configured and was not accepting emails from the 3rd party system. It did, however, have little or no disk space left on the C:\ drive, which also hosted the transport queue file. The event viewer showed that ExchangeSrv#2 was in back pressure. It was discovered that multiple IIS log files were consuming space on the C:\ drive of Ex