Tuesday, October 23, 2012

SMTP Custom Error Codes

SUMMARY
Error codes that can be displayed in the SMTP debug and activity log files.
DETAIL
The easiest way to determine why inbound messages are not being processed by the SMTP connector is to examine the SMTP Activity and Debug logs. The logs can be found in the MailEnable Admin MMC -> Servers -> Localhost -> Connectors ->SMTP Logs.
These log files record SMTP transactions and their associated response codes.
These response codes are explained further with possible resolutions below:


220 Service ready
Error Description: This response is sent from the SMTP server when a remote SMTP client or host has successfully connected to the SMTP service.
221 Service closing transmission channel
Error Description: This response is sent from the server when the remote server/client has notified it that it is closing the connection. You would commonly notice this response after a QUIT command was received.
250 Requested mail action okay, completed
Error Description: This response indicates that a SMTP command was received by the server and successfully processed.
354 Start mail input; end with <CRLF>.<CRLF>
Error Description: This response is sent by the SMTP server and instructs a remote SMTP server or client that the DATA command was accepted and that it can commence sending the actual message. A message consists of;
[first the message headers],[CRLF].[CRLF] then
[the actual message body],[CRLF].[CRLF]
421 Service not available, closing transmission channel
Error Description: This response is sent by the SMTP server to a remote SMTP server or SMTP client to indicate that the MailEnable SMTP Server is currently unavailable.

Error Resolution: When this error is returned in the logs or to a client, it usually means that the data store, in particular the configuration directory data, cannot be accessed.
When using a default install of MailEnable you can check and repair the permissions on the MailEnable TAB delimited configuration files by comparing and/or executing the commands in step 6 of the following article:

Article ME020073
If you have changed your default installation to use the MailEnable database provider and are using an SQL database server while getting this error, then ensure that the database is online. If the database is online, then ensure MailEnable services are able to connect and retrieve data from the database tables. You may also find errors for this within the server Event Logs.
451 Requested action aborted: error in processing
Error Description: This response is sent by the SMTP server to a remote SMTP Server or SMTP client to indicate that the MailEnable SMTP Server is currently unable to complete the transaction or command. There can often be more information contained within the SMTP debug logs for this error.

Error Resolution: When this error is returned in the logs or to a client, it usually means that the data store, in particular the configuration directory data, cannot be accessed. The first thing to check is that your hard drive is not full or faulty and, in some cases, that any quotas enabled on the drive are not being exceeded. Information on these types of problems can usually be found in the server Event Logs.
When using a default install of MailEnable you can check and repair the permissions on the MailEnable TAB delimited configuration files by comparing and/or executing the commands in step 6 of the following article:
Article ME020073
If you have changed your default installation to use the MailEnable database provider and are using an SQL database server while getting this error then ensure that the database is online. If the database is online then ensure MailEnable services are able to connect and retrieve data from the database tables.
451 Temporary server error. Please try again later.
Error Description: This response is sent by the SMTP server to a remote SMTP Server or SMTP client to indicate that the MailEnable SMTP Server is currently unable to complete the transaction or command. There can often be more information contained within the SMTP debug logs for this error.

Error Resolution: When this error is returned in the logs or to a client, it usually means that the data store, in particular the configuration directory data, cannot be accessed. The first thing to check is that your hard drive is not full or faulty and, in some cases, that any quotas enabled on the drive are not being exceeded. Information on these types of problems can usually be found in the server Event Logs.
When using a default install of MailEnable you can check and repair the permissions on the MailEnable TAB delimited configuration files by comparing and/or executing the commands in step 6 of the following article:

Article ME020073
If you have changed your default installation to use the MailEnable database provider and are using an SQL database server while getting this error then ensure that the database is online. If the database is online then ensure MailEnable services are able to connect and retrieve data from the database tables.
451 Requested action aborted: This mail account has sent too many messages in a short amount of time. Please try later.
Error Description: Means that the SMTP configuration setting that limits the quantity of messages sent per hour has been reached. The message sent in this instance has failed and will need to be retried by the client.
Error Resolution: This feature is disabled by default. You can review this and increase the configured amount of messages per hour or accept the error as correctly limiting a sender or domain.
In the MailEnable Professional or Enterprise manual the settings can be found at:
Post Office Restriction - Administration->Post Office configuration->Restrictions->Limit Maximum SMTP recipients
Mailbox Restriction - Administration->Post Office actions->Create Mailbox->Restrictions->Limit SMTP usage to a maximum of

451 This server employs greylisting as a means of reducing spam. Please resend e-mail shortly
Error Description: This is the temporary error returned to a connecting server when they try to send to an address for the first time while the MailEnable Greylisting spam protection feature is enabled.
Error Resolution: You can in this situation disable the Greylisting service or whitelist the connecting IP. By whitelisting the IP in the Greylisting feature options it means that when this server connects to the MailEnable SMTP service next it will bypass the Greylisting check.
In the ME Admin MMC the option is configurable at:
Note: MailEnable Professional version users can set this feature at a global level only so the first configuration option below applies. Enterprise users as with most features can also configure this at a post office and mailbox level.
ME Admin MMC->Servers->Localhost->SMTP "Properties"->Greylisting (TAB)
In the MailEnable Professional or Enterprise manual the setting can be found at:
Greylisting Global Configuration - Configuration of connectors, services and agents->SMTP Connector->SMTP - Greylisting
Post Office Restriction - Administration->Post Office configuration->Feature Selection->Force Greylisting for all users
Mailbox Restriction - Administration->Post Office actions->Create Mailbox->Spam->Enable Greylisting
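The greylisting behaviour described above (temporary 451 on first contact, acceptance on a later retry, bypass for whitelisted IPs), as an added example that is not MailEnable code. It shows the general triplet scheme of client IP, sender and recipient; the `min_delay` and `expiry` values and all addresses are assumptions, since the page does not state the product's internal keying or timers.

```python
"""Triplet greylisting: an added illustration, not MailEnable's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

OK_REPLY = "250 Requested mail action okay, completed"
GREYLIST_REPLY = ("451 This server employs greylisting as a means of "
                  "reducing spam. Please resend e-mail shortly")


@dataclass
class Greylist:
    # Assumed tunables; the page does not state the product's timers.
    min_delay: int = 300           # seconds before a retry is accepted
    expiry: int = 4 * 3600         # unconfirmed triplets are forgotten after this
    whitelist: tuple = ()          # IPs or CIDR ranges that bypass the check
    _pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    _confirmed: set = field(default_factory=set)   # triplets that retried correctly

    def _is_whitelisted(self, client_ip):
        addr = ip_address(client_ip)
        return any(addr in ip_network(net, strict=False) for net in self.whitelist)

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one RCPT TO seen at time `now` (epoch seconds)."""
        if self._is_whitelisted(client_ip):
            return OK_REPLY                      # whitelisted IPs skip greylisting
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self._confirmed:
            return OK_REPLY                      # this sender already proved it retries
        first_seen = self._pending.get(triplet)
        if first_seen is None or now - first_seen > self.expiry:
            self._pending[triplet] = now         # first contact, or stale entry: start over
            return GREYLIST_REPLY
        if now - first_seen < self.min_delay:
            return GREYLIST_REPLY                # retried too quickly, keep deferring
        del self._pending[triplet]
        self._confirmed.add(triplet)
        return OK_REPLY


def demo():
    """Replay a constructed delivery sequence and return the reply codes."""
    gl = Greylist(whitelist=("198.51.100.0/24",))
    t0 = 1_350_000_000
    sender = ("203.0.113.5", "alice@example.org", "bob@example.net")
    attempts = [
        (*sender, t0),            # first contact
        (*sender, t0 + 60),       # retry inside min_delay
        (*sender, t0 + 600),      # retry after min_delay
        (*sender, t0 + 7200),     # later mail on a confirmed triplet
        ("203.0.113.5", "alice@example.org", "carol@example.net", t0 + 7200),
        ("198.51.100.7", "news@example.com", "bob@example.net", t0),
    ]
    return [gl.check(*a)[:3] for a in attempts]


if __name__ == "__main__":
    print(demo())
```

A sending server that never retries stays at 451, which is why a legitimate sender that cannot retry needs the whitelist entry.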
451 The IP Address you are sending from was reported as a source of spam. Please contact your e-mail administrator.
Error Description: If a connecting IP has been found in a configured DNS blacklist then this error can be returned to the client and server.
Error Resolution: The best resolution in this case, if you want to receive messages from the sending server, is to alert the connecting server administrator that they are listed on a blacklist and need to get themselves removed. In some cases it can be easier to whitelist their IP in the SMTP whitelist option, as this will bypass any Blacklist checks on the inbound. You can find out more on this rejection in the SMTP debug logs, which should also list the blacklist name that the connecting IP was found in.
Note: We are assuming that the default setting in the blacklisting action feature is set to "Don't Accept Email". If this setting is configured to "Mark As Spam" then the message will be accepted and processed by internal filter actions.
In the MailEnable Professional or Enterprise manual the settings can be found at:
Global Restriction - Configuration of connectors, services and agents->SMTP Connector->SMTP Reverse DNS blacklisting
451 ESMTP MailEnable Service temporarily refused connection at [time] from IP [xxx.xxx.xxx.xxx] because the server is too busy
Error Description: When the SMTP service inbound connection limit is reached the service will reply with this temporary error. Usually in this situation the remote server will automatically retry the send to the service.
Error Resolution: This error is a warning and it should be reviewed and considered correctly if increasing the inbound thread limit. The default setting for this feature restriction is 32 connections or threads, which for most servers will be enough. On high throughput servers you may find that this limit needs to be increased, and you can increase it as you see fit; usually 256 is enough for most servers.
If this limit is being reached then you can check the SMTP activity logs and see how many connections you are getting before the error is returned in the logs. While checking, make sure the inbound connections appear to be valid and are not all coming from one IP or one domain/sender. If they are repeating then you should use the other information in the logs to check whether the messages are legitimate or the sender needs blocking.
The limit is in place to help prevent spammers or hackers from completing a DoS attack on the server and sending an unlimited and untimed connection-based attack to your server.
In some cases if this error continues it can be a good idea to review your DNS Blacklisting service. If you have too many blacklists or one blacklist is timing out on connection then it can tie up your inbound connections for too long. The best way to check this is to disable all blacklists except one along with disabling the URL blacklisting to see if it helps.
Article ME020343
In the MailEnable Professional or Enterprise manual the setting can be found at:
Configuration of connectors, services and agents->SMTP Connector->Inbound->Maximum number of concurrent connections
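One way to find the blacklist that is tying up inbound connections, as an added example that is not MailEnable code: it builds the standard DNSBL query name (reversed address labels plus the list's zone) and times each lookup. The zone names, the test IP and the one-second `slow_after` threshold are assumptions; the demo uses a constructed resolver and clock so it runs offline.

```python
"""Time each configured DNS blacklist lookup (added example)."""
import ipaddress
import socket
import time


def dnsbl_query_name(client_ip, zone):
    """Reverse the address labels and append the blacklist zone."""
    addr = ipaddress.ip_address(client_ip)
    # reverse_pointer is e.g. "25.2.0.192.in-addr.arpa"; drop the arpa suffix.
    labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{labels}.{zone}"


def system_resolver(name):
    """Default lookup through the operating system's resolver."""
    return socket.gethostbyname(name)


# Resolver error codes that mean "no such record", i.e. the IP is not listed.
_NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}


def probe_blacklists(client_ip, zones, resolver=system_resolver,
                     slow_after=1.0, clock=time.monotonic):
    """Query every zone in turn and report status and elapsed time for each."""
    report = []
    for zone in zones:
        name = dnsbl_query_name(client_ip, zone)
        start = clock()
        try:
            answer = resolver(name)
            # DNSBLs conventionally answer with an address in 127.0.0.0/8.
            status = "listed" if answer.startswith("127.") else "unexpected-answer"
        except socket.gaierror as exc:
            status = "not-listed" if exc.errno in _NOT_FOUND else "lookup-failed"
        except OSError:                       # includes socket.timeout
            status = "lookup-failed"
        elapsed = clock() - start
        report.append({"zone": zone, "query": name, "status": status,
                       "seconds": round(elapsed, 3), "slow": elapsed > slow_after})
    return report


def demo():
    """Run the probe against constructed zones with a fake resolver and clock."""
    fake_time = {"now": 0.0}
    behaviour = {                      # zone -> (lookup cost in seconds, outcome)
        "bl-a.example": (0.05, "127.0.0.2"),
        "bl-b.example": (0.04, None),
        "bl-c.example": (5.0, "timeout"),
    }

    def fake_resolver(name):
        zone = name.split(".", 4)[4]   # strip the four reversed octets
        cost, outcome = behaviour[zone]
        fake_time["now"] += cost
        if outcome is None:
            raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")
        if outcome == "timeout":
            raise socket.timeout("constructed timeout")
        return outcome

    return probe_blacklists("192.0.2.25", list(behaviour),
                            resolver=fake_resolver, clock=lambda: fake_time["now"])


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A zone reported as slow or lookup-failed is the first candidate to disable when testing the blacklists one at a time.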
452 Too many recipients
Error Description: Means that the SMTP configuration setting to limit the inbound recipients per transaction or message has been exceeded.
Error Resolution: This error is a warning and it should be reviewed and considered correctly if increasing this limit. The limit is in place to help prevent spammers or hackers from completing a DoS attack on the server and sending to a large number of recipients in one connection. You may need to increase or disable this setting if you are sending mail-outs, as this error can be triggered when you are trying to send a mail-out from a script or send mail program.
Article ME020268
In the MailEnable Professional or Enterprise manual the setting can be found at:
Configuration of connectors, services and agents->SMTP Connector->SMTP - Security->Restrict the number of recipients per email
452 You are not permitted to send to remote domains
Error Description: When this error is shown in the client and/or logs it means that the internal MailEnable configuration setting to limit a mailbox, post office or server has been enabled. By default this setting is not enabled, but when changed it can restrict a single mailbox, all mailboxes in a domain, or even all mailboxes on the server to sending locally to their own domain only.
Error Resolution: If this error is believed to be in error then it can be disabled in the ME Admin MMC. In each of the configuration options below you can change the option to allow the mailboxes to send to local and remote domains or restrict mailboxes to only send to local addresses.
Note: MailEnable Professional version users can set this feature at a global level only so the first configuration option below applies.
The first place to check for this setting is at the global level in the ME Admin MMC at:
ME Admin MMC->Servers->Localhost "Properties"->Policies (TAB)->Sender Policy
If the setting above is set to the option "Sending policy determined by postoffice" then you need to check the following place:
ME Admin MMC->Post Offices->[Post Office Name] Properties->Restrictions (TAB)->"The sender policy determines whether users can only send messages to a local domain"
If the above setting is set to "Sending policy determined by mailbox" then you need to check the following place.
ME Admin MMC->Messaging Manager->Post Offices->[Post Office Name]->Mailboxes->[Mailbox Name] "Properties"->Restrictions (TAB)->"User can only send to their local domain"
In the MailEnable Professional or Enterprise manual the settings can be found at:
Global Restriction - Administration->Server Configuration->Policies->Sender Policy
Post Office Restriction - Administration->Post Office configuration->Restrictions->Same Domain Restriction
Mailbox Restriction - Administration->Post Office actions->Create Mailbox->Restrictions->Local Sender Restriction
500 Message rejected because it contains links to an IP address that is blacklisted
Error Description: As a message is being received the SMTP service will resolve links in the message and check these against the configured blacklist. If the destination IP from the resolve is listed in a configured blacklist the message will be rejected with this error.
Note: We are assuming that the default setting in the blacklisting action feature is set to "Don't Accept Email". If this setting is configured to "Mark As Spam" then the message will be accepted and processed by internal filter actions.
Note: When URL blacklisting is executed we check the first section of the message only, about 20 lines. Checking large messages with many links can affect performance. In most situations, if not all, this is enough as spammers do not tend to send many links or large messages.
Error Resolution: The best resolution, if you want to receive messages from the sending server, is to alert the connecting server administrator that they are sending message links that are listed on a blacklist. In some cases it can be easier to whitelist their IP in the SMTP whitelist option, as this will bypass any URL Blacklist checks on the inbound. You can find out more on this rejection in the SMTP debug logs, which should also list the blacklist name that the connecting IP was found in.
In the MailEnable Professional or Enterprise manual the settings can be found at:
Global Restriction - Configuration of connectors, services and agents->SMTP Connector->SMTP Reverse DNS blacklisting
500 Syntax Error, command unrecognized
Error Description: This error means that a remote client or server has sent a command that is not recognized by the MailEnable SMTP service.
Error Resolution: The best way to find out more about this error is to check the SMTP activity log at the time of the connection as the command will be listed in the log transaction.
501 Syntax error in parameters or arguments
Error Description: This error means that the remote server is sending incorrect commands through to the server. Often this can occur when the message contains a line that is too long and as such cannot be read by the MailEnable SMTP service.
Error Resolution: Check the SMTP activity and debug logs in this situation as there should be more information on what is occurring. If the logs do not help then check how the message is being sent to see if you can find anything that is abnormal.
501 Invalid Address
Error Description: This error means that the address format used in the sending client is not correct. Usually this is checked in a standard retail client but when using scripts or web pages it may not be the case.
Error Resolution: Check the SMTP activity logs as they should show what format and what characters are being used for the addresses. Check in particular for incorrect characters. Here is a list of correct email address characters:

Use any ASCII alphanumeric character plus (`!', `#', `$', `%', `&', `*', `+', `-', `~', and whatever you can find in between ASCII 33 and 47).
In short, you should use lower case characters, numbers and the underscore to create your email address.
501 Your domain does not seem to be valid, Could not find MX record for your domain.
Error Description: This error means that the sending email address contains a domain that is not a registered domain name.
Error Resolution: This check is done when the following feature is enabled. The sender should check their email client settings and ensure that their configured email sender address contains a correct and valid domain name after the @ sign.
In the MailEnable Professional or Enterprise manual the setting can be found at:
MailEnable Manual - Configuration of connectors, services and agents->SMTP Connector->SMTP -Security->reject mail if sender address is from an invalid domain
502 Command not implemented
Error Description: This error means the remote client or server is trying to send a command that is not supported by the SMTP service.
Error Resolution: Use the SMTP activity logs to find out what command was sent to the MailEnable SMTP service. The commands that MailEnable can use are listed in the SMTP service on the Advanced SMTP tab; if the command is not listed then it is not supported or incorrect. On this tab the commands can also be enabled or disabled. The feature can be found in the following location of the ME Admin MMC:
ME Admin MMC->Servers->Localhost->Connectors->SMTP "Properties"->Advanced SMTP (TAB)->Allowed SMTP commands
503 Bad sequence of Commands
Error Description: The error means that the remote client has sent a command to the server that is not in the correct and recognised order for the SMTP service.
Error Resolution: Use the SMTP activity logs to find out what the commands were and that they were issued in the correct order.
503 Bad sequence of commands. You must specify the recipients of a message before you can send it
Error Description: The error means that a client or server has tried to send a message to the MailEnable SMTP service without an SMTP address, or without a correct one, in the TO, CC or BCC field.
Error Resolution: Check the client that is sending and determine why it is not correct. You may also find out more in the MailEnable SMTP activity log.
503 Bad sequence of commands. Could not process DATA command when in this state
Error Description: The error means that a client or server has tried to send a message to the MailEnable SMTP service but has sent the DATA command out of sequence.
Error Resolution: Check the client that is sending and determine why it is not correct. Usually you will see that the client is sending a DATA command while the SMTP service is expecting another command like RCPT TO, EHLO.
503 Bad sequence of commands. Could not process RCPT command when in this state
Error Description: The error means that a client or server has tried to send a message to the MailEnable SMTP service but has sent the RCPT TO command out of sequence.
Error Resolution: Check the client that is sending and determine why it is not correct. Usually you will see that the client is sending a RCPT TO command while the SMTP service is expecting another command.
503 This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your administrator to verify that the domain or address is defined for this server.
Error Description: This error means that the server or client has connected to the MailEnable SMTP service but has not entered a RCPT TO mail address that exists on the server, although the domain for the incorrect address does reside on the server. The order of checks in this situation is:
1. Does the domain exist on the server (Yes)
2. Does the address exist in the address-map.tab file or table on the server (No)
3. Has the client authenticated. (Due to earlier No at 2 this check has not occurred.)
As the connection has not authenticated, meaning that one of the options above in 1 or 2 has not been met, the error is returned.
Error Resolution: The resolution here really revolves around when you think this error is being returned when it should not be. If the address is thought to exist on the server then you need to check the SMTP activity logs for the transaction and then the debug logs to see if there are any error descriptions that better explain what happened when the address was sent to. Then you should check your configuration to ensure that the address does exist. It can also be a good idea to check the address-map.tab file in the MailEnable\Config directory or relevant database table for a line that contains the mailbox name in question. If you are checking why the sender could not relay through the server then you should at this time check the client settings and ensure that the outbound settings in the client are configured so that they can relay through the server to non-local email addresses.
Article ME020198
503 Too many invalid commands were received. Terminating Session
Error Description: This error means that the threshold of the MailEnable SMTP security feature has been reached for too many invalid or unrecognized commands sent to the server.
Error Resolution: If this error is not working the way you expected then you can disable the feature or increase the configured limit so the connection is not dropped prematurely.
In the ME Admin MMC the option is configurable at:
ME Admin MMC->Servers->Localhost->SMTP "Properties"->Security (TAB)->Connection Dropping
In the MailEnable Professional or Enterprise manual the settings can be found at:
Configuration of connectors, services and agents->SMTP Connector->SMTP Security->Drop a connection when the failed number of commands or recipients reaches
504 Access to this user account has been denied by the mail administrator
Error Description: When this error is returned to a client it means that the mailbox has been configured by an administrator to not allow authentication.
Enterprise users may have a mailbox placed into this reject authentication status if the mailbox reaches the Server Password Policy lockout limit.
The Server Password Policy lockout limit in the ME Admin MMC is configurable at:
ME Admin MMC->Localhost "Properties"->Policies (TAB)->Password Policies
In the MailEnable Professional or Enterprise manual the settings can be found at:
Administration->Server configuration->Policies
Error Resolution: You can remove the mailbox authentication lock from the mailbox in the mailbox properties within the ME Admin MMC.
In the ME Admin MMC the option is configurable at:
ME Admin MMC->Messaging Manager->Post Offices->[Post Office Name]->Mailboxes->[Mailbox Name] "Properties"->General (TAB)->Prevent user from authenticating.
In the MailEnable Professional or Enterprise manual the settings can be found at:
Administration->Post office actions->Create mailbox->General->Prevent user from authenticating
504 User account has been disabled by the mail administrator
Error Description: When this error is returned to a client it means that the mailbox has been configured by an administrator to not allow authentication.
Enterprise users may have a mailbox placed into this reject authentication status if the mailbox reaches the Server Password Policy lockout limit.
The Server Password Policy lockout limit in the ME Admin MMC is configurable at:
ME Admin MMC->Localhost "Properties"->Policies (TAB)->Password Policies
In the MailEnable Professional or Enterprise manual the settings can be found at:
Administration->Server configuration->Policies
Error Resolution: You can remove the mailbox authentication lock from the mailbox in the mailbox properties within the ME Admin MMC.
In the ME Admin MMC the option is configurable at:
ME Admin MMC->Messaging Manager->Post Offices->[Post Office Name]->Mailboxes->[Mailbox Name] "Properties"->General (TAB)->Prevent user from authenticating.
In the MailEnable Professional or Enterprise manual the settings can be found at:
Administration->Post office actions->Create mailbox->General->Prevent user from authenticating
550 Requested action not taken: mailbox unavailable or not local
Error Description: This error means that the server or client has connected to the MailEnable SMTP service but has not entered a RCPT TO mail address or domain that exists on the server. The address is checked in the local configuration files in particular the address-map.tab file or database table.
Error Resolution: The resolution here really revolves around when you think this error is being returned when it should not be. If the address is thought to exist on the server then you need to check the SMTP activity logs for the transaction and then the debug logs to see if there are any error descriptions that better explain what happened when the address was sent to. Then you should check your configuration to ensure that the address does exist. It can also be a good idea to check the address-map.tab file in the MailEnable\Config directory or relevant database table for a line that contains the mailbox name in question.
550 Requested action not taken. The domain you are sending from is not permitted to access this server
Error Description: When this error is returned to a client it means that the domain has been blocked from sending to any address in the receiving post office.
In the ME Admin MMC this is configurable at:
ME Admin MMC->Post Offices->[Post Office Name]->Domains->[Domain Name] "Properties"->Blacklist (TAB)->Domains
In the MailEnable Professional or Enterprise manual the settings can be found at:
Administration->Post office actions->Create domain->Blacklist
550 This mail server requires authentication (0) when attempting to send via this SMTP (submission) port
Error Description: When this error is received it means that the MailEnable server SMTP service has been configured to force all inbound connections to authenticate. This setting is designed mainly for servers that want all mail to come from a remote spam checking service as it forces connections that send to and through the server to authenticate unless they are allowed relay by IP. All other connections even when simply sending to the server will fail with this error if this is not the case.
In the ME Admin MMC this is configurable at:
ME Admin MMC->Servers->Localhost->SMTP Properties->Inbound (TAB)->"Properties"->Port Settings [Button]->SMTP Port->"Requires connections to authenticate before sending email"
Or for alternate SMTP listening port:
ME Admin MMC->Servers->Localhost->SMTP Properties->Inbound (TAB)->"Properties"->Port Settings [Button]->Submission Port->"Requires connections to authenticate before sending email"
In the MailEnable Professional or Enterprise manual the settings can be found at:
Configuration of connectors, services and agents->SMTP Connector->Inbound->Requires connections to authenticate before sending email
Error Resolution: The resolution is determined by whether you want this feature to be enabled or not. If you are getting this error when you are not expecting it then ensure that this feature is not enabled for either SMTP port. If you require this feature and understand what it does then ensure any servers that are required to send through the server and not authenticate are added to the inbound IP relay list.
551 User not local: authentication required for relaying
Error Description: This error means that the server or client has connected to the MailEnable SMTP service but has not entered a valid MAIL FROM mail address. The address is checked in the local configuration files in particular the auth.tab file or database table.
This error can also mean that the mailbox that has been entered into the MAIL FROM address line is local on the server but has been disabled on the server by a server administrator or in some cases a control panel.
Error Resolution: The resolution here really revolves around when you think this error is being returned when it should not be. If the address is thought to exist on the server then you need to check the SMTP activity logs for the transaction and then the debug logs to see if there are any error descriptions that better explain what happened when the from address was entered. Then you should check your configuration to ensure that the address does exist. It can also be a good idea to check the auth.tab file in the MailEnable\Config directory or relevant database table for a line that contains the mailbox name in question.
If the mailbox has been disabled then you can find the setting for this in the following location.
In the ME Admin MMC this is configurable at:
ME Admin MMC->Messaging Manager->Post Offices->[Post Office Name]->Mailboxes->[Mailbox Name] "Properties"->General (TAB)->Domains->Mailbox is disabled
In the MailEnable Professional or Enterprise manual the settings can be found at:
Administration->Post office actions->Create mailbox->General->Logon disabled
551 Sender address is not valid for your login. Check your email program settings
Error Description: This error is returned when a client is connecting to relay through the MailEnable server and has authenticated with a correct mailbox address, but the address in the sender field does not match. If this was not prevented, a mailbox on the server could authenticate correctly as one address but send with a different from address; in effect the sender would be creating a forged email.
Error Resolution: If you want to allow these email addresses to be different then you will need to disable the security feature in the SMTP options.
In the ME Admin MMC this is configurable at:
ME Admin MMC->Servers->Localhost->Connectors->SMTP "Properties"->Security (TAB)->Authenticated senders must use valid sender address
In the MailEnable Professional or Enterprise manual the settings can be found at:
Configuration of connectors, services and agents->SMTP Connector->SMTP Security->Authenticated senders must use valid sender address
552 Message size exceeds fixed maximum message size
Error Description: This error is displayed when either the configured SMTP inbound or outbound limit has been exceeded.
Error Resolution: You can find out which SMTP option, inbound or outbound, prevented the message by checking the SMTP activity logs. If the message is inbound, you will see SMTP-IN at the start of the log line; if the message was restricted while leaving the server (outbound), the log line will contain SMTP-OU.
The inbound SMTP limit is configurable at the following location:
ME Admin MMC->Servers->Localhost->Connectors->SMTP "Properties"->Inbound (TAB)->Advanced Settings |Button|->Advertised maximum message size + Enforce this message size
The outbound SMTP limit which places a limit on relayed messages is configured at the following location:
ME Admin MMC->Servers->Localhost->Connectors->SMTP "Properties"->Outbound (TAB)->Limit outbound message size
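A log triage pass that applies two checks the article recommends: separating SMTP-IN from SMTP-OU rejections, and seeing whether inbound connections are concentrated on one IP when "too busy" refusals appear. This is an added example, not MailEnable code; the five-column tab-separated layout, the CONNECT pseudo-command and every sample line are constructed, so adjust the field positions to your actual activity log.

```python
"""Summarise SMTP activity log lines by direction, reply code and client IP."""
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "timestamp direction client_ip command code text")

# Constructed sample: timestamp, direction, client IP, command, server response.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("10/23/12 09:00:01", "SMTP-IN", "203.0.113.9", "CONNECT", "220 Service ready"),
    ("10/23/12 09:00:01", "SMTP-IN", "203.0.113.9", "RCPT", "452 Too many recipients"),
    ("10/23/12 09:00:02", "SMTP-IN", "203.0.113.9", "CONNECT", "220 Service ready"),
    ("10/23/12 09:00:02", "SMTP-IN", "203.0.113.9", "CONNECT", "220 Service ready"),
    ("10/23/12 09:00:03", "SMTP-IN", "198.51.100.20", "CONNECT", "220 Service ready"),
    ("10/23/12 09:00:03", "SMTP-IN", "198.51.100.20", "DATA",
     "552 Message size exceeds fixed maximum message size"),
    ("10/23/12 09:00:04", "SMTP-IN", "192.0.2.77", "CONNECT",
     "451 ESMTP MailEnable Service temporarily refused connection at 09:00:04 "
     "from IP 192.0.2.77 because the server is too busy"),
    ("10/23/12 09:00:05", "SMTP-OU", "192.0.2.50", "DATA",
     "552 Message size exceeds fixed maximum message size"),
    ("this line is damaged and has no tab-separated fields",),
])


def parse_line(line):
    """Return an Entry, or None when the line does not fit the assumed layout."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 5 or parts[1] not in ("SMTP-IN", "SMTP-OU"):
        return None
    timestamp, direction, client_ip, command, response = parts
    code, _, text = response.partition(" ")
    if len(code) != 3 or not code.isdigit():
        return None
    return Entry(timestamp, direction, client_ip, command, int(code), text)


def summarize(log_text, share_threshold=0.5):
    """Count connections, busy refusals and rejections; flag dominant client IPs."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    entries = [e for e in map(parse_line, lines) if e is not None]
    inbound = [e for e in entries if e.direction == "SMTP-IN"]

    # A 220 greeting marks one accepted inbound connection.
    connections = Counter(e.client_ip for e in inbound if e.code == 220)
    busy = Counter(e.client_ip for e in inbound
                   if e.code == 451 and "too busy" in e.text)
    total = sum(connections.values())
    dominant = sorted(ip for ip, n in connections.items()
                      if total and n / total >= share_threshold)
    # 4xx and 5xx replies, keyed by direction so inbound and outbound limits separate.
    rejections = Counter((e.direction, e.code) for e in entries if e.code >= 400)
    return {
        "connections": dict(connections),
        "busy_refusals": dict(busy),
        "dominant_ips": dominant,
        "rejections": dict(rejections),
        "skipped": len(lines) - len(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```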

554 The IP address of the sender (xxx.xxx.xxx.xxx) was found in a DNS blacklist database and was therefore refused
Error Description: This error means that an inbound connection has been detected as being listed in one of your configured DNS blacklists within the SMTP options.
To find out more about this feature check the MailEnable manual:
In the MailEnable Professional or Enterprise manual the settings can be found at:
Configuration of connectors, services and agents->SMTP Connector->Reverse DNS blacklisting
Error Resolution: The resolution in this situation varies depending on the inbound connection itself and your verification of the validity of the sender. In short, if the sender is blacklisted and you want to receive mail from this sender, then you should suggest/request that they remove themselves from the blacklist (Article ME020166). In some situations this resolution can be too slow or troublesome, and as such you can either stop checking this particular blacklist by removing it from the SMTP blacklist options configuration or add the connecting IP to the Whitelist of the SMTP service. This will ensure that any future connections from this IP bypass the blacklist check.

554 The IP address of the sender (xxx.xxx.xxx.xxx) does not match the SPF record for the sender domain
Error Description: This error correlates to the SPF checking feature within the MailEnable SMTP service settings. The SPF feature checks for a valid SPF record to be configured in DNS and then acts on this according to your actions configured in the SPF feature within ME Admin MMC.
To find out more about this feature check the MailEnable manual:
In the MailEnable Professional or Enterprise manual the settings can be found at:
Configuration of connectors, services and agents->SMTP Connector->Sender Policy Framework (SPF)
Error Resolution: As with the Blacklisting feature, the resolution depends on the inbound connection itself and on your verification of the validity of the sender. If the sender is rejected in this situation and you want to receive mail from this sender, you should suggest or request that they correct their SPF record and/or ensure that they have one configured (see Article ME020345). In some situations this resolution can be too slow or troublesome, in which case you can either turn off SPF checking altogether, or add the connecting IP to the Whitelist of the SMTP service. The whitelist entry ensures that any future connections from this IP bypass the SPF check.
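
To see why a given connecting IP does or does not match a sender domain's SPF record, the evaluation can be reproduced by hand. The following is an added example (not MailEnable code) that evaluates a subset of SPF: the ip4, ip6, include and all mechanisms plus the redirect modifier; any other mechanism returns "unsupported" instead of a guessed verdict. The domains, records and function names are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # bound on include/redirect nesting (RFC 7208 caps DNS-querying terms at 10)

# Constructed TXT records standing in for DNS so the example runs offline.
SAMPLE_TXT = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example.test -all"],
    "_spf.mailer.example.test": ["v=spf1 ip4:198.51.100.16/28 ip6:2001:db8:25::/48 ~all"],
    "nospf.example.test": ["unrelated verification token"],
}


def sample_txt_lookup(domain):
    """Return the TXT strings published for domain (constructed data)."""
    return SAMPLE_TXT.get(domain, [])


def evaluate_spf(sender_ip, domain, txt_lookup, depth=0):
    """Return pass, fail, softfail, neutral, none, permerror or unsupported."""
    if depth > MAX_DEPTH:
        return "permerror"
    addr = ipaddress.ip_address(sender_ip)
    records = [t for t in txt_lookup(domain)
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"        # the domain publishes no SPF record
    if len(records) > 1:
        return "permerror"   # more than one SPF record is a publishing error
    redirect = None
    for term in records[0].split()[1:]:
        name, eq, value = term.partition("=")
        if eq and name.isalnum():            # modifier such as redirect= or exp=
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != int(mech[2]):
                return "permerror"           # e.g. an IPv6 range inside ip4:
            if addr in net:                  # different IP versions never match
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = evaluate_spf(sender_ip, arg, txt_lookup, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "unsupported":
                return "unsupported"
            # fail, softfail and neutral inside an include mean "no match": keep going
        else:
            return "unsupported"             # a, mx, exists, ptr need further DNS lookups
    if redirect:
        result = evaluate_spf(sender_ip, redirect, txt_lookup, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.20", "198.51.100.40"):
        print(ip, evaluate_spf(ip, "example.test", sample_txt_lookup))
```

A "fail" result is the mismatch that the 554 response above reports; "none" means the sender domain has no SPF record at all, which is the other case the resolution text asks the sender to fix.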

Requested action not taken: mailbox unavailable or not local

Hi Friends,

I have set up Exchange 2010 on premise and have recently been facing issues regarding email bounces from Google App with the below error.

Error :

"550 Requested action not taken: mailbox unavailable" only from some of the mail servers.
and
"Requested action not taken: mailbox unavailable or not local"

To resolve this issue I searched a lot on the internet but was not able to find any proper solution. After investigation I found the solution, and it is working fine without any problem.

Resolution :

Configure the gateway firewall for SMTP traffic or disable email scan for the mail server.


In my next blog I will describe various SMTP errors with causes and resolutions.

Thanks,
Gaurang Patel

Saturday, October 20, 2012

How to modify Default SMTP Banner in Exchange 2010


The SMTP banner is the SMTP connection response that a remote SMTP messaging server receives after it connects to a Receive connector configured on a computer running Microsoft Exchange Server 2010 that has the Hub Transport server role or the Edge Transport server role installed. You may want to modify the default SMTP banner for Internet-facing SMTP Receive connectors on an Edge Transport server so that the server name and messaging server software aren't disclosed by the SMTP banner.
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Receive connectors" entry in the Transport Permissions topic.
Note:
You can't use the EMC to modify the default SMTP banner. Don't use the "Specify the FQDN this connector will provide in response to EHLO or HELO" field in the Receive connector properties page in the EMC.
You control the SMTP banner by using the Banner parameter in the Set-ReceiveConnector cmdlet or the New-ReceiveConnector cmdlet. The default value of the Banner parameter is $null. When the Banner parameter isn't specified on a Receive connector, or the Banner parameter is specified with the value of $null, a remote SMTP messaging server that connects to that Receive connector receives the following response.
220 <Servername> Microsoft ESMTP MAIL service ready at <RegionalDay-Date-24HourTimeFormat> <RegionalTimeZoneOffset>


When you specify a value for the Banner parameter on a Receive connector, a remote SMTP messaging server that connects to that SMTP Receive connector receives the following response.
<220 BannerText>
Note:
The replacement SMTP banner text string must always start with 220. As defined in RFC 2821, the default service ready SMTP response code is 220.
This example modifies the SMTP banner on the existing Receive connector "From the Internet" so the SMTP banner displays 220 Contoso Corporation.

Set-ReceiveConnector "From the Internet" -Banner "220 Contoso Corporation"

For detailed syntax and parameter information, see Set-ReceiveConnector.
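
To confirm that an Internet-facing connector no longer discloses the server name or software, the greeting can be read back and checked. The following is an added example, not Microsoft code: the marker list, the host names and the sample banners are assumptions constructed for illustration, and read_greeting is meant for a listener you operate.

```python
import re
import socket

# Strings that reveal the messaging software (assumed list; extend for your estate).
SOFTWARE_MARKERS = ("Microsoft ESMTP MAIL", "Exchange", "MailEnable")

# Constructed sample greetings: the default format quoted above and a replaced banner.
SAMPLE_DEFAULT = ["220 EDGE01.corp.example.test Microsoft ESMTP MAIL service "
                  "ready at Tue, 23 Oct 2012 10:15:00 +0530"]
SAMPLE_CUSTOM = ["220 Contoso Corporation"]


def read_greeting(host, port=25, timeout=10):
    """Read the greeting from an SMTP listener; '220-' lines continue, '220 ' ends."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as conn:
        reader = conn.makefile("r", encoding="ascii", errors="replace")
        for raw in reader:
            lines.append(raw.rstrip("\r\n"))
            if len(raw) < 4 or raw[3] != "-":
                break
    return lines


def audit_greeting(lines, internal_names=()):
    """Return findings for each greeting line; an empty list means nothing was flagged."""
    findings = []
    for line in lines:
        match = re.match(r"^(\d{3})(?:[ -](.*))?$", line)
        if not match or match.group(1) != "220":
            # A banner value that does not start with 220 breaks the SMTP greeting.
            findings.append("not-220")
            continue
        text = (match.group(2) or "").lower()
        for marker in SOFTWARE_MARKERS:
            if marker.lower() in text:
                findings.append("software:" + marker)
        for name in internal_names:
            if name.lower() in text:
                findings.append("hostname:" + name)
    return findings


if __name__ == "__main__":
    names = ["EDGE01", "corp.example.test"]   # internal names you do not want exposed
    print(audit_greeting(SAMPLE_DEFAULT, names))
    print(audit_greeting(SAMPLE_CUSTOM, names))
```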

For more information, please visit the official Microsoft website.

Thursday, October 11, 2012

Microsoft Exchange 2010 OWA not able to Open.

Hello Friends,

Today I will show you how to resolve Outlook Web Access issues in Microsoft Exchange 2010 after installing Updates / SP upgrade.

After installing a Service Pack or Update, OWA stops working with the below error.

Error :

Microsoft.Exchange.Clients.Owa.Core.OwaThemeManagerInitializationException
Exception message: Couldn’t find a base theme (folder name=base)


Solution :

1) Open Microsoft Exchange Power Shell
2) Go to "C:\Program Files\Microsoft\Exchange Server\V14\Bin"
3) run CAS Powershell Script by using this command "./UpdateCas.ps1"
4) Restart IIS

And it's Done!!!!

Hope this solution helps you. Please write any suggestions or correct me if any correction is needed.

Have a Good Day!!!!


 

VSOM & LDAP Integration


Hello Friends,

Here I will show you how to integrate LDAP users into the VSOM server.
There are two configuration steps: one is the LDAP connection string and the second is user creation in the VSOM server.

These steps are very simple to configure, but the most interesting part is that when you create an AD user in VSOM, the user name should be the CN rather than the AD logon account.

How I configured it to work was:

- From the Video Surveillance Management Console select "Operations Manager" on the left side.

- Change the Authentication Type from Application Database to LDAP Server.

- Put in the hostname of the LDAP server. (I just put the IP address of my AD server)

- Enter the host port.(I just put in 389)

- For the Relative Distinguished Name use something like
"CN=%username%,OU=VSOM,OU=Users"

- cn=%username% <- uses the username from the login page

- OU=VSOM,OU=Users <- this needs to change to the OU where your VSOM users are.

- Domain Controllers needs to be something like "DC=cisco,DC=com" to match your domain

- Make sure you click on the Update button


Back in VSOM:

- Go to the Users page

- then when you add or edit a user you have the option to select "Local Password" or "LDAP"

- Enter the username to match the AD cn which in my case was "Andrew Osborne"

- Select LDAP

- Enter the first name and last name. These are locally significant.

- Select any other options you need.

- finally select submit.


After doing this I was able to log in using the same password that I have in AD but not the same username. If anyone has a different method to get VSOM to authenticate using the same username as in AD that would be great.

For more information or User Manual please follow below link :
http://www.cisco.com/en/US/docs/security/physical_security/video_surveillance/network/operations_manager/4_0/vsom.pdf
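
The settings in the post above can be read as a recipe for the DN that is used to bind, which is why the CN and not the AD logon name has to be typed. The following is an added example, not part of the original post and not VSOM code: it assumes the server substitutes %username% into the Relative Distinguished Name and appends the domain components, and it shows the RFC 4514 escaping a CN needs when it contains a comma (for example "Osborne, Andrew"). Function names and the escape flag are hypothetical.

```python
RDN_TEMPLATE = "CN=%username%,OU=VSOM,OU=Users"   # value from the post
BASE_DN = "DC=cisco,DC=com"                        # value from the post


def escape_rdn_value(value):
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username, rdn_template=RDN_TEMPLATE, base_dn=BASE_DN, escape=True):
    """Build the full DN for a login name; escape=False shows plain substitution."""
    if not username.strip():
        raise ValueError("empty user name")
    value = escape_rdn_value(username) if escape else username
    return rdn_template.replace("%username%", value) + "," + base_dn


def split_dn(dn):
    """Split a DN into its components on unescaped commas."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    print(build_bind_dn("Andrew Osborne"))
    # Plain substitution of a "Last, First" CN yields one component too many.
    print(len(split_dn(build_bind_dn("Osborne, Andrew", escape=False))))
    print(len(split_dn(build_bind_dn("Osborne, Andrew"))))
```

A logon name such as a sAMAccountName only works with this template when it happens to equal the CN, because the directory is asked for an entry named by CN under the configured OU.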
 

Tuesday, October 2, 2012

How to use USMT 4 hardlinking in a Configuration Manager 2007 Task Sequence


 
Suppose you want to use the USMT 4 feature of hardlinking in a System Center Configuration Manager 2007 Task Sequence, but you notice that the "Capture User State"/"Capture User Files and Settings" and "Restore User State"/"Restore User Files and Settings" tasks do not have any options to perform a local capture with hardlinking.  What's up with that?
Well what's going on is that USMT 4, which introduced hardlinking, shipped after ConfigMgr 2007 so the hardlinking option was not available in ConfigMgr 2007. However, USMT 4 support was added in ConfigMgr 2007 SP2, and via the OSDMigrateAdditionalCaptureOptions and OSDMigrateAdditionalRestoreOptions variables, a hardlink user migration can be accomplished in a ConfigMgr 2007 SP2 Task Sequence.
Out of the box, ConfigMgr 2007 SP2 only supports USMT 4 online captures, or captures that take place while in the full Windows OS. ConfigMgr 2007 SP2 does not support USMT 4 offline captures, or captures that take place while in WinPE. Offline captures are possible using the UDI feature of MDT 2010 Update 1 when it is integrated with ConfigMgr 2007 SP2.
With that said, there are several ways that a USMT 4 hardlink migration can be accomplished in a ConfigMgr 2007 Task Sequence, including:
  1. Create a new ConfigMgr 2007 Task Sequence that supports USMT 4 hardlinking.
  2. Modify an existing ConfigMgr 2007 Task Sequence that has the "Capture User State" and "Restore User State" tasks to support USMT 4 hardlinking.
Since USMT 4 support was not added until SP2 of ConfigMgr 2007, SP2 of ConfigMgr 2007 is required for hardlinking.
USMT 4 is supported in the following refresh scenarios:
  • Windows XP --> Windows Vista
  • Windows XP --> Windows 7
  • Windows Vista --> Windows Vista
  • Windows Vista --> Windows 7
  • Windows 7 --> Windows 7
USMT 4 is not supported for Windows XP --> Windows XP scenarios.
The first step is to ensure that the USMT 4 package is created:

Create the USMT 4 Package

When ConfigMgr 2007 SP2 is installed on the site server, the Windows Automated Installation Kit 2.0 (WAIK 2.0) is automatically installed. USMT 4 is part of WAIK 2.0 and its binaries can be found within the WAIK 2.0 installation folder.
  1. In the ConfigMgr 2007 Admin console on the site server, navigate to the "Computer Management" --> "Software Distribution" --> "Packages" node.
  2. Right click on the "Packages" node and select "New" --> "Package".
  3. In the "General" window, fill out the appropriate fields. The name of the package should describe it as the USMT 4 package. Click on the "Next >" button.
  4. In the "Data Source" window:
    • Check the option "This package contains source files"
    • Click on the "Set..." button under "Source directory".
      • Click on the option "Local drive on site server"
      • Click on the "Browse..." button under "Source directory: "
      • Navigate to and select C:\Program Files\Windows AIK\Tools\USMT folder and click on the "OK" button. Make sure to select the root of the USMT folder. DO NOT directly select either the amd64 or x86 folders. When running, the Task Sequence will automatically choose the appropriate binaries.
    • Click on the "OK" button.
    • Click on the "Next >" button.
  5. In the "Data Access" window, click on the "Next >" button.
  6. In the "Distribution Settings" window, click on the "Next >" button.
  7. In the "Reporting" window, click on the "Next >" button.
  8. In the "Security" window, click on the "Next >" button.
  9. In the "Summary" window, click on the "Next >" button.
  10. In the "Wizard Complete" window, click on the "Close" button.
  11. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" --> "Software Distribution" --> "Packages" node and find the newly created USMT 4 package.
  12. Expand the USMT 4 package and then right click on "Distribution Points" and select "New Distribution Points".
  13. Go through the "New Distribution Points Wizard" and make sure that the USMT 4 package is placed on some Distribution Points.
Notes:
  • It is not required to create a Program as part of the USMT 4 package.
  • In Step 5, if the WAIK 2.0 is installed on a different drive or directory, make sure to adjust the path C:\Program Files\Windows AIK\Tools\USMT accordingly.
  • It is recommended that the above steps be taken in a ConfigMgr 2007 console running on the site server where the WAIK 2.0 is installed. However, the above steps can be taken in a ConfigMgr 2007 admin console that is not running on the site server. In Step 5 , instead of selecting the option "Local drive on site server", select the option "Network path (UNC name)" and browse to a network share that has the WAIK 2.0 installed or the USMT 4 binary source files.
  • Please remember that the USMT 4 source files should contain BOTH the amd64 and x86 directories. The package should point to the root of the USMT 4 directory. It should NOT point directly to either the amd64 and x86 directories.
After creating the USMT 4 package, select the method below to enable USMT 4 hardlinking in a Task Sequence.

Method 1: Create a new ConfigMgr 2007 Task Sequence that supports USMT 4 hardlinking
  1. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node.
  2. Right click on the "Task Sequences" node and choose "New" --> "Task Sequence".
  3. In the "Create a New Task Sequence" window, select the option "Install an existing image package" and click on the "Next >" button.
  4. In the "Task Sequence Information" window:
    • Next to "Task Sequence name:" text box, give the Task Sequence the desired name.
    • Click on the "Browse..." button next to "Boot Image:" and choose an appropriate Boot Image.
    • Click on the "Next >" button.
  5. In the "Install the Windows Operating System" window:
    • Click on the "Browse..." button next to "Image package:" and select the Operating System Image that is desired to be deployed.
    • Next to the "Image:" drop down box, make sure the desired image is selected.
    • UNCHECK the option "Partition and format the target computer before installing the operating system".
    • If desired, enter the product key next to the "Product Key:" text box.  If using a KMS activation server, this field should be left blank when deploying Windows Vista or Windows 7.
    • If desired, select the option "Always use the same administrator password" and specify the password in the "Password:" and "Confirm password:" text boxes.
    • Click on the "Next >" button.
  6. In the "Configure the Network" window, select "Join a domain" and fill out the appropriate fields. Click on the "Next >" button.
  7. In the "Install the ConfigMgr client" window, click on the "Browse" button and choose a package that contains the ConfigMgr 2007 SP2 install files. Make sure that the package is an SP2 installer of the ConfigMgr 2007 client. Selecting a package that contains either the RTM or SP1 client install files will cause the "Restore User State" task to fail since clients that are not SP2 do not support USMT 4. Click on the "Next >" button.
  8. In the "Configure State Migration" window:
    • Click on the "Browse..." button next to the "USMT Package:" field. Select the USMT 4 package and then click on the "OK" button.
    • Select the option "Save user settings locally". If this option is grayed out, the option "Partition and format the target computer before installing the operating system" was not unchecked in Step 5.
    • If desired, leave the options "Capture network settings" and "Capture Microsoft Windows settings" checked.
    • Click on the "Next >" button.
  9. In the "Include Updates in Image" window, select whether or not to install updates during the Task Sequence, and then click on the "Next >" button.
  10. In the "Install Software Packages" window, add any packages that are desired to be installed during the Task Sequence, and then click on the "Next >" button.
  11. In the "Summary" window, click on the "Next >" button.
  12. In the "Wizard Complete" window, click on the "Close" button.
  13. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node.
  14. Right click on the newly created Task Sequence and choose "Edit".
  15. Click on the "Set Local State Location" task. Next to the "Value:" text field, change it from %_SMSTSUserStatePath% to %SystemDrive%\UserState.
  16. Make sure that the "Set Local State Location" task is still selected and go to "Add" --> "General" --> "Set Task Sequence Variable". This should create a "Set Task Sequence Variable" task after the "Set Local State Location" task and before the "Capture User Files and Settings" task.
  17. In the newly created "Set Task Sequence Variable Task":
    • Next to the "Name:" text box, enter in:
      Set USMT Additional Capture Options
    • Next to the "Task Sequence Variable:" text box, enter in:
      OSDMigrateAdditionalCaptureOptions
    • Next to the "Value:" text box, enter in:
      /nocompress /hardlink
  18. Click on the "Capture User Files and Settings" task to select it:
    • Check the option "Enable verbose logging"
    • Click on the "Options" tab and then uncheck the option "Continue on error".
  19. Click on the "Restore User Files and Settings" task and then go to "Add" --> "General" --> "Set Task Sequence Variable". This should create a "Set Task Sequence Variable" task after the "Restore User Files and Settings" group and before the "Restore User Files and Settings" task.
  20. In the newly created "Set Task Sequence Variable Task":
    • Next to the "Name: " text box, enter in:
      Set USMT Additional Restore Options
    • Next to the "Task Sequence Variable:" text box, enter in:
      OSDMigrateAdditionalRestoreOptions
    • Next to the "Value:" text box, enter in:
      /nocompress /hardlink
  21. Click on the "Restore User Files and Settings" task to select it and then click on the option "Enable verbose logging".
  22. Click on the "OK" or "Apply" button to save the task sequence.
Please make sure to look at the notes section at the end of this post for detailed explanations on some of the above actions.
Method 2: Modify an existing ConfigMgr 2007 Task Sequence that has the "Capture User State" and "Restore User State" tasks in it


If a ConfigMgr 2007 Task Sequence that was used with USMT 3 or USMT 4 exists and was setup for either network capture with a State Migration Point (SMP) or for local capture on the hard drive without hardlinking, it can be modified to support USMT 4 local capture with hard linking.

The below instructions assume that there are already "Capture User State"/"Capture User Files and Settings" and "Restore User State"/"Restore User Files and Settings" tasks in the appropriate spots in the Task Sequence. If these tasks do not already exist in the Task Sequence, it is recommended to create a new Task Sequence using the method detailed above.
The below instructions are also not valid for a ConfigMgr 2007 Task Sequence that was created using the MDT 2010/MDT 2010 Update 1 "Create Microsoft Deployment Task Sequence" Wizard. Please see the section "More Information" for additional information regarding Task Sequences created using the MDT 2010/MDT 2010 Update 1 "Create Microsoft Deployment Task Sequence" Wizard:
  1. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node.
  2. Right click on the affected Task Sequence and choose "Edit".
  3. Find any "Request State Store"/"Request User State Store" and "Release State Store"/"Release User State Storage" tasks and disable them. They can be disabled by clicking on the individual tasks, clicking on the "Options" tab, and then clicking on the option "Disable this step". If none of these tasks exist in the Task Sequence, continue to Step 4.
  4. Find any "Format and Partition Disk"/"Partition Disk"/"Partition Disk 0" tasks and disable them. They can be disabled by clicking on the individual tasks, clicking on the "Options" tab, and then clicking on the option "Disable this step". If none of these tasks exist in the Task Sequence, continue to Step 5.
  5. If a task "Set Local State Location" already exists before the "Capture User State"/"Capture User Files and Settings" task, skip to Step 6. Otherwise, click on the "Capture User State"/"Capture User Files and Settings" task to select it and then go to "Add" --> "General" --> "Set Task Sequence Variable". This should create a "Set Task Sequence Variable" task before the "Capture User State"/"Capture User Files and Settings" task.
  6. In the newly created "Set Task Sequence Variable Task":
    • Next to the "Name:" text box, enter in:
      Set Local State Location
    • Next to the "Task Sequence Variable:" text box, enter in
      OSDStateStorePath
    • Next to the "Value:" text box, enter in:
      %SystemDrive%\UserState
      If there was already a "Set Task Sequence Variable Task" task in the Task Sequence that sets the OSDStateStorePath variable, make sure that it is configured to the above value.
  7. Click on the "Capture User State"/"Capture User Files and Settings" task to select it and then go to "Add" --> "General" --> "Set Task Sequence Variable". This should create a "Set Task Sequence Variable" task before the "Capture User State"/"Capture User Files and Settings" task and after the "Set Local State Location".
  8. In the newly created "Set Task Sequence Variable Task":
    • Next to the "Name:" text box, enter in:
      Set USMT Additional Capture Options
    • Next to the "Task Sequence Variable:" text box, enter in:
      OSDMigrateAdditionalCaptureOptions
    • Next to the "Value:" text box, enter in:
      /nocompress /hardlink
      If there was already a "Set Task Sequence Variable Task" in the Task Sequence that defined the variable OSDMigrateAdditionalCaptureOptions with some options, such as /ue, then add the additional options /nocompress /hardlink in the "Value:" text box after the options that already exist. Make sure that there is a space between each option.
  9. Click on the "Capture User Files and Settings"/"Capture User State" task to select it:
    • Ensure that the package under "User state migration tool package:"  is a USMT 4 package.
    • Check the option "Enable verbose logging".
    • Click on the "Options" tab and then uncheck the option "Continue on error".
  10. Click on the "Setup Windows and ConfigMgr" task. Ensure that the package selected next to the "Package" field is a package that installs the SP2 version of the ConfigMgr 2007 client. RTM and SP1 versions of the client will not work with USMT 4.
  11. Click on the "Restore User State"/"Restore User Files and Settings" task and then go to "Add" --> "General" --> "Set Task Sequence Variable". This should create a "Set Task Sequence Variable" task before the "Restore User State"/"Restore User Files and Settings" task.
  12. In the newly created "Set Task Sequence Variable Task":
    • Next to the "Name: " text box, enter in:
      Set USMT Additional Restore Options
    • Next to the "Task Sequence Variable:" text box, enter in:
      OSDMigrateAdditionalRestoreOptions
    • Next to the "Value:" text box, enter in:
      /nocompress /hardlink
      If there was already a "Set Task Sequence Variable Task" in the Task Sequence that defined the variable OSDMigrateAdditionalRestoreOptions with some options, such as /lac, then add the additional options /nocompress /hardlink in the "Value:" text box after the options that already exist. Make sure that there is a space between each option.
  13. Click on the "Restore User Files and Settings"/"Restore User State" task:
    • Ensure that the package under "User state migration tool package:"  is a USMT 4 package.
    • Check the option "Enable verbose logging".
  14. Click on the "OK" or "Apply" button to save the task sequence.
Notes on the two above methods:
  • A "Format and Partition Disk" task is not desired in the above Task Sequences. If a format and partition of the disk occurred, it would wipe all data on the drive, including the State Store, and the captured data would be lost. Instead, to erase content off of the drive in preparation to install the new Windows OS, during the "Apply Operating System Image"/"Apply Operating System" task, a recursive delete of all files and directories occurs on the drive minus a few protected folders.
The protected folders that are not deleted include the Task Sequence cache folder and the State Store folder. The Task Sequence cache folder path is stored in the variables _SMSTSMDataPath , _SMSTSClientCache, and _SMSTSNewClientCachePathToCleanup and usually resolves to the path C:\_SMSTaskSequence. The State Store path is stored in the variable OSDStateStorePath. The protected folders that will not be wiped are stored in the variable _SMSTSProtectedPaths.
In the SMSTS.log you will see the recursive delete and wipe process logged as something similar to the following:
Wiping C:\                                                                                               ApplyOperatingSystem
Set "C:\_SMSTaskSequence" to not be wiped                                             ApplyOperatingSystem
Set "%OSDStateStorePath%" to not be wiped                                             ApplyOperatingSystem
Set "%_SMSTSClientCache%" to not be wiped                                            ApplyOperatingSystem
Set "%_SMSTSNewClientCachePathToCleanup%" to not be wiped                ApplyOperatingSystem
Skipping C:\_SMSTaskSequence for wipe                                                   ApplyOperatingSystem
Calculating expected free space.                                                                ApplyOperatingSystem
Reporting deletion progress.                                                                      ApplyOperatingSystem
Successfully wiped C:\                                                                              ApplyOperatingSystem
  • In Step 15 (Method 1) and Step 6 (Method 2), the State Store path location is changed from %_SMSTSUserStatePath% to %SystemDrive%\UserState. The _SMSTSUserStatePath variable normally resolves to the path C:\_SMSTaskSequence\UserState. The C:\_SMSTaskSequence folder is the Task Sequence cache folder. This is done to fix several issues that can be caused by saving the State Store in the Task Sequence cache folder. These problems include:
    1. Whether or not a Task Sequence succeeded, the Task Sequence usually exits cleanly. When the Task Sequence exits cleanly, it deletes the Task Sequence cache folder of C:\_SMSTaskSequence. This can be a problem if the Task Sequence fails for whatever reason before the captured user data is restored.
      If the Task Sequence fails but exits cleanly before the user data is restored, then the cache folder of C:\_SMSTaskSequence is deleted, which will cause the C:\_SMSTaskSequence\UserState user State Store folder located within the C:\_SMSTaskSequence folder to also be deleted. The captured data will then be deleted and lost before it can be restored.
      If instead the State Store is specified to be a folder outside of the Task Sequence cache folder, such as C:\UserState, when the Task Sequence exits cleanly, it will not automatically delete the State Store since it is no longer within the Task Sequence cache folder. The Task Sequence cache folder will still be deleted, but the State Store will not. In case of Task Sequence failures before user data is restored, user data can still be restored from the State Store using manual methods.
      See KB958808 for additional information:
      User data from the USMT may be deleted unexpectedly by the task sequence engine during the operating system deployment process in System Center Configuration Manager 2007 SP1
      http://support.microsoft.com/kb/958808

      Note: KB958808 does not have to be installed in ConfigMgr 2007 SP2 as this hotfix is already included as part of SP2.
    2. Given the following scenario on a PC:
      1) PC has two (or multiple) drives or partitions
      2) User profiles and Windows are located on the first drive or partition (assume drive letter C:)
      3) Second drive or partition has more available free space than the first (assume drive letter D:)
      then the Task Sequence cache folder will probably be created on the second drive/partition (D:).
      In these scenarios the variable _SMSTSUserStatePath would resolve to the path D:\_SMSTaskSequence\UserState. This is a problem when using USMT 4 hardlinking because the hardlink store has to be on the same drive/partition as Windows and the user profiles. In the above scenario, Windows and the user profiles would be on C:, but the State Store would be created on D:. USMT 4 will actually capture the data in this scenario and not cause any errors, but the captured data will be invalid and it will not be able to be properly restored.
      By making sure that we save the State Store to the drive that contains Windows and user profiles via the variable SystemDrive, we make sure that this problem does not occur.
    3. There are known scenarios when going from a Windows OS with UAC off to a Windows OS with UAC on that will cause permissions not to be set properly on the State Store if the State Store is located within the Task Sequence cache folder. In these scenarios, user data is restored successfully, but the user will receive an "Access Denied" error message when trying to access their files. Saving the State Store outside of the Task Sequence cache folder will resolve the problem.
  • Even though in Step 15 (Method 1) and Step 6 (Method 2) it is recommended that the State Store be saved to a location outside of the Task Sequence cache folder so that it is not automatically deleted, it is still advisable to delete the State Store at some point after the Task Sequence has completed and it has been verified that the user state was restored successfully. This can be done properly via the usmtutils.exe utility included with USMT 4. To properly remove the State Store, run the command:
usmtutils.exe /rd <Path_to_State_Store>
where <Path_to_State_Store> is the path as specified in the OSDStateStorePath variable via the "Set Local State Location" task (without the brackets <>).
Not deleting the State Store can cause the following problems:
  • If an administrator tries to access the State Store, it may change the permissions of all of the user files in the State Store to the administrator's permissions. This may cause users not to be able to access their files and they may receive "Access Denied" error messages. For this reason it is recommended that an administrator not try to access the State Store directly.
  • A user deleting files in their profile will not cause the actual file to be deleted since a second link exists to the file in the State Store. Although the user will no longer see the file in their profile, the link to the file will still exist in the State Store, and disk space will not be freed up.
  • In Step 18 (Method 1) and Step 9 (Method 2), the option "Continue on Error" is disabled. This option is originally enabled because USMT 3 could report a lot of false positive errors, causing the task to fail unnecessarily. However, this has been improved in USMT 4 and this situation should rarely happen with USMT 4.
    If the option is left checked and the USMT 4 state capture fails for some reason, the Task Sequence will continue and eventually wipe the drive at the "Apply Operating System Image"/"Apply Operating System" task, causing all user files and settings to be deleted and lost. For this reason it is safer to leave this option unchecked when using USMT 4. Leaving the option unchecked will cause the Task Sequence to fail in the event that users' files are not captured successfully, which is a desired outcome.
  • In Steps 18 and 21 (Method 1) and Steps 9 and 13 (Method 2), the option "Enable verbose logging" is enabled. This is optional, but it is advisable to leave this option enabled to help troubleshoot USMT 4 capture and restore failures. Enabling verbose logging will cause the capture and restore tasks to take a bit longer, but will add the benefit of having more detailed logs to help resolve problems.
  • The tasks "Request State Store" and "Release State Store" are not needed in Task Sequences that perform local capture with hardlinking because these tasks are only used when a State Migration Point (SMP) is being used. An SMP is only used when the State Store is saved to a network location. When using hardlinking, the State Store is always saved to the local hard drive and an SMP is not used.
  • In Steps 17 and 20 (Method 1) and Steps 8 and 12 (Method 2), please make sure to make the distinction between the variables specified in the tasks "Set USMT Additional Capture Options" and "Set USMT Additional Restore Options". The variables have similar names but they are different. One is OSDMigrateAdditionalCaptureOptions and the other is OSDMigrateAdditionalRestoreOptions.

More Information

What is a hardlink and why use the USMT 4 feature of hardlinking?

Hardlinking is a feature of NTFS where multiple links can exist to one file on the hard drive. As long as one link exists, the file is not deleted. When a file has multiple links to it, the file will appear to exist in different locations in the file system, but the file only exists once on the hard drive. When the file is deleted from one location, as long as other links to the file still exist, the file is not actually deleted, and the file will still appear in the other locations that it has links to. The file is not deleted until it has been deleted from all of the locations that it has links to.
When USMT local capture is used without hardlinking, files are copied from their original location into the local State Store. For this reason, there has to be sufficient space on the hard drive to store all of the captured files. Even when compression is used, the hard drive may need almost double the amount of space taken up by the original files. If the original files take 30GB of space, then the hard drive will need about 30GB of free space on it.
When USMT 4 with hardlinking is used, instead of a file being copied to the local State Store, a second link to the file is created in the local State Store. Creating the link to the file in the State Store is almost instantaneous, does not vary with the size of the file, and is much faster than copying the file to the local State Store. Capturing 30GB of data takes only a bit longer than capturing 1GB of data. When not using hardlinking, capturing 30GB of data would take significantly longer than capturing 1GB of data.
Additionally, hardlinking requires almost no additional hard drive space. The only additional hard drive space taken by USMT 4 with hardlinking is for administrative files that keep track of where the files need to be restored to. This usually only takes a few MB of disk space vs. the potential GB of disk space taken when hardlinking is not used.
When USMT 4 with hardlinking is used in a ConfigMgr 2007 SP2 Task Sequence via the "Capture User State" task and the OSDStateStorePath and OSDMigrateAdditionalCaptureOptions variables, new links are created for the captured files in the State Store location during the "Capture User State" task. All of the original links to the files are then deleted during the "Apply Operating System Image" task via recursive delete and wipe of the hard drive. However, because a second link exists in the State Store, and because the State Store is not deleted or wiped during the "Apply Operating System Image" task, the original files remain intact and are not deleted. Later in the Task Sequence, via the "Restore User State" task and the OSDStateStorePath and OSDMigrateAdditionalRestoreOptions variables, the original links to the files are recreated in their original location.
USMT 4 hardlinking also has the advantage over saving the State Store on a network location, such as a State Migration Point (SMP), in that it does not have to take the time to copy the files up to the network share, bandwidth is not used, and a server with plenty of disk space for saving the State Stores is not needed.
To summarize, USMT 4 with hardlinking has the following advantages:
  1. It is significantly faster than either copying the captured files to the local State Store or a State Store located on a network share (SMP).
  2. It requires only a few additional MB of disk space vs potential GB of disk space, whether on the local hard drive or on a network share on a server (SMP).
  3. It saves network bandwidth when opting to use hardlinking over a network share (SMP).
The only disadvantage that hardlinking has is that it could potentially run into problems if there is file corruption on the hard drive, the hard drive has bad sectors, or the hard drive is having some other type of problem. However, these problems would also be exposed when using local capture without hardlinking. In these scenarios, running a CHKDSK /R on the hard drive is advisable, and a full format of the drive may also be advisable. A network share (SMP) may be needed in these cases.
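The hardlink behaviour described above, together with the earlier notes about permissions and about deleted files not freeing disk space, can be reproduced on any file system that supports hard links. The following Python sketch is an added example, not part of the original article or of USMT; the directory names and file content are constructed sample data, and POSIX mode bits stand in for the NTFS security descriptor, which is likewise stored once per file and not once per link.

```python
import os
import stat
import tempfile

def hardlink_capture(profile_dir, store_dir):
    """Create a second link in store_dir for every file under profile_dir."""
    for root, _dirs, files in os.walk(profile_dir):
        rel = os.path.relpath(root, profile_dir)
        dest = os.path.normpath(os.path.join(store_dir, rel))
        os.makedirs(dest, exist_ok=True)
        for name in files:
            os.link(os.path.join(root, name), os.path.join(dest, name))

def audit_store(store_dir):
    """Map each file in the store to its link count.

    A count of 1 means the store holds the last remaining link, so deleting
    the store would destroy that data instead of dropping a spare link.
    """
    report = {}
    for root, _dirs, files in os.walk(store_dir):
        for name in files:
            path = os.path.join(root, name)
            report[os.path.relpath(path, store_dir)] = os.stat(path).st_nlink
    return report

def demo():
    """Run the scenario on constructed sample data in a temporary directory."""
    with tempfile.TemporaryDirectory() as base:
        profile = os.path.join(base, "Users", "alice")   # hypothetical profile
        store = os.path.join(base, "StateStore")         # stand-in State Store
        os.makedirs(os.path.join(profile, "Documents"))
        doc = os.path.join(profile, "Documents", "report.txt")
        with open(doc, "w") as fh:
            fh.write("constructed sample content")
        os.chmod(doc, 0o600)
        hardlink_capture(profile, store)
        linked = os.path.join(store, "Documents", "report.txt")
        same_file = os.path.samefile(doc, linked)        # one file, two names
        before = audit_store(store)
        os.chmod(linked, 0o400)          # permission change made via the store
        profile_mode = stat.S_IMODE(os.stat(doc).st_mode)  # seen via the profile
        os.chmod(linked, 0o600)          # make writable again before deleting
        os.remove(doc)                   # the user deletes the file
        with open(linked) as fh:
            survived = fh.read()         # data is still reachable via the store
        return same_file, before, profile_mode, survived, audit_store(store)

if __name__ == "__main__":
    print(demo())
```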

Why are the two above methods not valid when using a ConfigMgr 2007 Task Sequence created with the MDT 2010/MDT 2010 Update 1 "Create Microsoft Deployment Task Sequence" Wizard?

The above methods are not valid when using a ConfigMgr 2007 Task Sequence created with the MDT 2010/MDT 2010 Update 1 "Create Microsoft Deployment Task Sequence" Wizard because the Task Sequences created using the Wizard already have hardlinking enabled by default.
If a ConfigMgr 2007 Task Sequence created with the MDT 2010/MDT 2010 Update 1 "Create Microsoft Deployment Task Sequence" Wizard is inspected, it will be missing the "Set Task Sequence Variable" tasks that set the variables OSDStateStorePath, OSDMigrateAdditionalCaptureOptions, and OSDMigrateAdditionalRestoreOptions. So if the Task Sequence is missing the steps that set these variables, and these variables are required to do hardlinking, how does the Task Sequence accomplish hardlinking?
It does this via the "Determine Local or Remote UserState" task and the MDT script ztiuserstate.wsf. If the USMT 3 package is selected at the "Determine Local or Remote UserState" task, the ztiuserstate.wsf script determines if there is enough space on the hard drive to do a local capture (without hardlinking since it is USMT 3), and if not, it will perform a network capture via a State Migration Point (SMP). Based on the capture method it determines, the ztiuserstate.wsf script defines the appropriate variables, OSDStateStorePath, OSDMigrateAdditionalCaptureOptions, and OSDMigrateAdditionalRestoreOptions, and along with conditions set on the relevant tasks, the Task Sequence will perform the appropriate capture.
However if the USMT 4 package is selected at the "Determine Local or Remote UserState" task, since disk space is not an issue, the ztiuserstate.wsf script will always default to local capture with hardlinking. It will then set the appropriate variables for the Task Sequence to perform a hardlink migration.
There is one problem though with using the ztiuserstate.wsf script. The ztiuserstate.wsf script defaults the State Store to the subdirectory StateStore within the Task Sequence cache folder. For the reasons stated in the notes above about saving the State Store within the Task Sequence cache folder, it is not always desirable to save the State Store within the Task Sequence cache folder.
The Task Sequence created by the MDT 2010/MDT 2010 Update 1 "Create Microsoft Deployment Task Sequence" Wizard actually works around the first issue (State Store is deleted even if the data was not restored) by moving the State Store out of the Task Sequence cache folder via the ztimovestatestore.wsf script and the "Move State Store" task. The State Store is moved whether or not the Task Sequence succeeds or fails. However the other two problems can still happen.
To resolve the other two problems and save the State Store outside of the Task Sequence cache folder when using a Task Sequence created with the MDT 2010/MDT 2010 Update 1 "Create Microsoft Deployment Task Sequence" Wizard, follow the below steps:
  1. In the ConfigMgr 2007 Admin console, navigate to the "Computer Management" --> "Operating System Deployment" --> "Task Sequences" node.
  2. Right click on the affected Task Sequence created using the MDT Wizard and choose "Edit".
  3. Click on the "Determine Local or Remote UserState" task and then go to "Add" --> "General" --> "Set Task Sequence Variable". This should create a "Set Task Sequence Variable" task after "Determine Local or Remote UserState" task but before the "Request State Store" task.
  4. In the newly created "Set Task Sequence Variable" task:
    • Next to the "Name:" text box, enter in:
      Set Local State Location
    • Next to the "Task Sequence Variable:" text box, enter in
      OSDStateStorePath
    • Next to the "Value:" text box, enter in:
      %SystemDrive%\StateStore
  5. Click on the "OK" or "Apply" button to save the task sequence.
The above steps reset the variable OSDStateStorePath to a path outside of the Task Sequence cache folder after the "Determine Local or Remote UserState" task and the ztiuserstate.wsf script have set it to the StateStore subdirectory within the Task Sequence cache folder.

Can an existing ConfigMgr 2007 Task Sequence that does not have any USMT tasks including the "Capture User State" and "Restore User State" tasks be modified to do USMT 4 hardlinking?

Yes, but the order of the steps and where they are placed in the Task Sequence are critical. The five tasks that need to be added, in the order that they need to run, are as follows:
  • Set Local State Location
  • Set USMT Additional Capture Options
  • Capture User State
  • Set USMT Additional Restore Options
  • Restore User State
In addition, any "Format and Partition Disk" tasks need to be disabled.
The first three tasks, Set Local State Location, Set USMT Additional Capture Options, and Capture User State, have to run in the original full Windows OS before the Task Sequence boots into WinPE. This is usually before a "Restart Computer" task, such as the "Restart in Windows PE" task. The tasks also have to be placed into a group that has a condition where it only runs in the full Windows OS and not in WinPE. This can be accomplished by setting a condition on the group where the Task Sequence variable _SMSTSInWinPE equals false. This prevents the tasks from running in Bare Metal scenarios where the PCs are booted directly into WinPE and state capture is not needed.
The last two tasks, Set USMT Additional Restore Options and Restore User State, have to run in the newly deployed full Windows OS at some point after the "Setup Windows and ConfigMgr" task, preferably towards the end of the Task Sequence after all applications have been installed.
The Capture User State and Restore User State tasks are built-in tasks of ConfigMgr 2007. They can be found under the "Add" --> "User State" menu in a Task Sequence.
The Set Local State Location, Set USMT Additional Capture Options, and Set USMT Additional Restore Options are all actually Set Task Sequence Variable tasks. For instructions on how to properly set up these tasks, see the two above methods.
Method 1 above can be used to create a Task Sequence that serves as a general guide and template for modifying the existing Task Sequence.