During a troubleshooting session at one of our customers I had an issue which can be found on several forums nowadays: OWA only displays a blank screen instead of the logon page. But what is the cause of this issue? Well, there are several reasons which can cause it:
- not all required Windows Components are installed
- changes have been made in the configuration using IIS
Required Windows Components are missing
The first reason is quite strange as you would expect that the installation of Exchange will check if all required components are in place before starting the installation.
When you forget, for example, the static content item of IIS this may cause the blank screen of OWA. To make it a bit easier you can use the script below to install all required Windows Components on a Windows 2008 server which will become a CAS server:
ServerManagerCmd -i Powershell
ServerManagerCmd -i Web-Server
ServerManagerCmd -i Web-ISAPI-Ext
ServerManagerCmd -i Web-Metabase
ServerManagerCmd -i Web-Lgcy-Mgmt-Console
ServerManagerCmd -i Web-Basic-Auth
ServerManagerCmd -i Web-Digest-Auth
ServerManagerCmd -i Web-Windows-Auth
ServerManagerCmd -i Web-Dyn-Compression
If you're planning to use Outlook Anywhere, don't forget to install the RPC over HTTP feature:
ServerManagerCmd -i RPC-over-HTTP-proxy
If all the above components are installed you can start installing Exchange 2007.
OWA virtual directory configuration is corrupted
Making configuration changes using IIS may cause your OWA configuration to become corrupted. So don't use IIS to make changes, but use the Exchange Management Shell or Exchange Management Console instead.
But if you made changes using IIS and OWA does not work anymore, how can it be solved? Well, there is only one solution: remove the OWA virtual directory and recreate it. This can be done by using the remove-owavirtualdirectory and new-owavirtualdirectory cmdlets.
First step is to remove the old OWA directory:
remove-owavirtualdirectory "owa (Default Web Site)"
This will remove the virtual directory as you can see in the screenshot below:

Once the directory is removed we can create a new one by using the cmdlet below:
new-owavirtualdirectory -OwaVersion "Exchange2007" -Name "owa (Default Web Site)"
This will recreate the OWA virtual directory and, if you're lucky, OWA will work again. These were just 2 causes which might lead to this issue. If you have the same issue but the above steps didn't work, contact me so I can add them to this article: johan (a) johanveldhuis.nl
Posted in Exchange 2007 ~ No comments
One of the new features in Exchange 2007 Service Pack 3 is the ability for users to change their password before logging in. Before Service Pack 3 a user whose password had expired needed to call the helpdesk to reset their password or use another solution. With this new feature a user will be redirected to another page where he/she can change the password.
But how does this work? In the OWA directory, which you can find here: Exchange\ClientAccess\OWA, you will find a directory called auth. This directory contains several files which are used for login and logout. But besides these files there are two new files: expiredpassword.aspx and exppw.dll.
Before you can use the new functionality you will need to make an adjustment in the registry of the CAS server. Go to the following location in the registry:
HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA
Create a new DWORD called ChangeExpiredPasswordEnabled and change its value to 1. This should look like below:

During the logon (logon.aspx) a check is done if the password is expired and if this is the case the user will be redirected to expiredpassword.aspx.
Before the user can change his/her password he/she will first need to specify the old password. Once the password has been changed the user will be redirected to his/her mailbox.
Posted in Exchange 2007 ~ No comments
Today I had a nice issue at a customer site where they tried to install Exchange in a test environment. First I will give a short introduction. Let's say you have an AD forest which contains a child domain in which you want to host Exchange. You will first need to do some things in the forest before you can install Exchange in the child domain. You start with the schema upgrade, followed by the forest prep. As the last step you prepare the child domain, and then you can start the Exchange setup to install Exchange.
Normally you will use the same media for all servers, but in Exchange 2007 this can be different. This is because Exchange 2007 had a 32-bit version which could be used in test environments or to prepare the schema/forest on a 32-bit DC.
You may be thinking: so what happened? Everything was done via the correct steps, but when starting the Exchange installation via the GUI the following errors were displayed in the log:
[2/7/2010 11:30:46 PM] [0] Setup has chosen the local domain controller dc.ota.company.corp for initial queries
[2/7/2010 11:30:46 PM] [0] PrepareAD has either not been run or has not replicated to the domain controller used by Setup. Setup will attempt to use the Schema Master domain controller dc.company.corp
[2/7/2010 11:30:46 PM] [0] The schema master domain controller is available
So I first checked whether the servers could connect to each other, which was no issue. After trying some things we decided to move the schema master to the child domain to see if that would help. But this was also a no go and gave the following warnings:
[2/8/2010 3:32:34 PM] [1] [ERROR] PrepareDomain for domain ota has partially completed. Because of your Active Directory site configuration, you must wait for forest-wide replication to occur, and then run PrepareDomain for ota again.
[2/8/2010 3:32:34 PM] [1] [ERROR] Active Directory operation failed on dc.ota.company.corp. This error is not retriable. Additional information: The specified group type is invalid.
Active directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
Waiting for 15 minutes didn't fix the issue, so we reversed all changes and I decided to start the Exchange setup via the GUI on the schema master. Then I saw the issue immediately: the files used on the schema master were files for Exchange 2007 RTM and not for Exchange 2007 SP1. After using the SP1 files it worked without any issues.
It was a nice jigsaw puzzle after all.
Posted in Exchange 2007 ~ No comments
Microsoft has released Rollup 2 for Exchange 2007 SP2. This rollup contains several fixes, among which:
- CAS server becomes slower when a user accesses a folder with a lot of content
- Meetings are displayed as all-day events when synchronized via a mobile device, while this is not the case
- log and database increase abnormally
- mails which need to be sent to remote domains get stuck in the queue
These are a few of the fixes in Rollup 2; for a complete overview you can visit the following site.
Posted in Exchange 2007 ~ No comments
In recent months you may have received spam which appears to be sent from an account in your own domain. When you investigate the issue you will discover that this is not the case. But why doesn't Exchange do something about this kind of spam? I found the answer on the Exchangepedia blog. Each mail which is received from the internet is accepted as the anonymous user; if you remove this user from the connector you won't be able to receive mail from the internet. This account has some rights which are needed, and one of these rights is ms-Exch-SMTP-Accept-Authoritative-Domain-Sender, which ensures that a session which contains a message from an authoritative domain will not be checked.
To prevent this you will need to remove this right from the connector by using the following command:
Get-ReceiveConnector "Internet" | Get-ADPermission -user "NT AUTHORITY\Anonymous Logon" | where {$_.ExtendedRights -like "ms-exch-smtp-accept-authoritative-domain-sender"} | Remove-ADPermission
Please keep in mind that this will also have consequences for other applications/devices which use this connector as the anonymous user. For these applications/devices you will need to create a separate connector.
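An audit-first version of the change above, as an added example that is not part of the original post: it lists every receive connector where Anonymous Logon holds the right, together with the connector's remote IP ranges, and then previews the removal with -WhatIf. The function and variable names are illustrative; the cmdlets are the ones used in the command above and are run from the Exchange Management Shell.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# The right and the account are the ones used in the command above.
$right   = 'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender'
$account = 'NT AUTHORITY\Anonymous Logon'

function Get-AnonymousAuthoritativeSenderAce {
    # For every receive connector, return the allow entries that let an
    # anonymous session submit mail with a sender in an authoritative domain.
    Get-ReceiveConnector | ForEach-Object {
        $connector = $_
        $connector | Get-ADPermission -User $account |
            Where-Object { -not $_.Deny -and ($_.ExtendedRights -like $right) } |
            Select-Object @{Name = 'Connector';      Expression = { $connector.Identity }},
                          @{Name = 'RemoteIPRanges'; Expression = { "$($connector.RemoteIPRanges)" }},
                          User, ExtendedRights, IsInherited
    }
}

# 1. Audit: which connectors accept own-domain senders from anonymous sessions?
#    RemoteIPRanges shows whether a connector is internet-facing or limited to
#    the applications/devices that legitimately relay through it.
$exposed = @(Get-AnonymousAuthoritativeSenderAce)
$exposed | Format-Table -AutoSize

# 2. Dry run: show what would be removed without changing anything.
foreach ($entry in $exposed) {
    Get-ReceiveConnector $entry.Connector |
        Get-ADPermission -User $account |
        Where-Object { $_.ExtendedRights -like $right } |
        Remove-ADPermission -WhatIf
}

# 3. After removing the right for real (same pipeline without -WhatIf),
#    run the audit again; the changed connectors should no longer be listed.
Get-AnonymousAuthoritativeSenderAce | Format-Table -AutoSize
```

Connectors that must keep the right for internal applications or devices stay in the audit output, so the list doubles as an inventory of where own-domain senders are still accepted anonymously.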
Posted in Exchange 2007 ~ No comments
I know it may sound strange: Chinese characters in non-delivery reports. After some investigation I discovered something which made the problem stranger than I first thought. When the message was printed the text was displayed in Dutch.
When the same mail was sent from an Outlook 2003/2007 client the problem was not there. So I decided to start searching on the internet, and after a while I found something on the TechNet forum which looked very much like the problem I had.
The problem is caused by a bug in Outlook XP which will not be fixed anymore. To make the problem clear I summarized some details below:
- mail-client is Outlook XP
- happens only when a NDR is delivered in HTML format
- when the mail is printed everything looks OK
To fix this issue you will need to tell your Hub server that every NDR needs to be sent as a plain-text NDR. This can be done by executing the following PowerShell command:
Get-TransportServer | Set-TransportServer -InternalDsnSendHtml $False
Another solution is upgrading your Outlook client to 2003 or higher.
Posted in Exchange 2007 ~ No comments

Today I brought a new Exchange environment live. This time it was a greenfield situation, an environment which is completely separated from the old environment. A big part of the server environment is virtualized, and one of the virtual machines is the Exchange server. Citrix XenServer was selected as the virtualization environment, and as it appears on the list on the Microsoft site it should not be a problem.
So after the design was approved by the customer we started with the installation. Since some small things needed to be done on other servers I opened XenCenter so I could easily get access to all servers. It should not be a big problem, you may think, until Exchange started preparing the AD. After a few minutes the following error was displayed: "you do not have permissions to read the security descriptor on cn=deleted objects,cn=configuration,dc=ishw,dc=local". Very strange, because the account had enough permissions and the replication between the DCs went OK. So I started to search for the cause of the issue and found a few possibilities:
- change the driveletter of the cd/dvd-rom, this was not an option since the installation was placed on a fileshare
- fix the permissions with ADAM, as this option brings some risks with it I skipped this one and saved it for later
- install it via the console, a little bit problematic with a VM, so I tried RDP with the /console or /admin option
This last option was the solution, so XenCenter makes an RDP connection without the /console or /admin option. If you're planning to install Exchange in a XenServer environment, keep an eye on this.
Below are some interesting articles:
Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments
Security descriptor error during Exchange Server 2007 schema extension
Technet Forum: Exchange 2007 Install Error : Read Security Descriptor
Posted in Exchange 2007 ~ No comments
A really simple PowerShell script: the script below makes it possible to create a room mailbox and adds extra permissions to it:
Param(
    # Name of the room mailbox to create
    [string] $room
)
# Create the mailbox as a mailbox of type Room in the Conference Rooms OU
New-Mailbox -Database "MBX-srv\Mailbox Database" -Name $room -OrganizationalUnit "Conference Rooms" -DisplayName $room -UserPrincipalName "$room@domain.local" -Room
# Give the administrator account the Receive-As right on the new mailbox
Add-ADPermission $room -User domain\administrator -ExtendedRights "Receive-As"
Executing the script: .\new-room.ps1 "meetingroom1"
The script will place all rooms in the OU named Conference Rooms.
First the name specified for the parameter $room is read. After this the mailbox is created as a mailbox of the type room. The last step is setting the extra permissions, which is done with the command add-adpermission; in this case Receive-As is added, but Send-As is also an option.
Below are a few links to the Technet pages of the used commands:
Technet add-adpermission
Technet new-mailbox
Posted in Exchange 2007 ~ No comments
Exchange 2010 will probably be RTM soon, so before that a new tutorial for Exchange 2007.
This time it is about installing a certificate, which consists of several steps:
- creating the certificate request
- generating the certificate with a CA server
- install the certificate
The steps above will be described step by step and will help you through the process of installing a certificate on an Exchange 2007 CAS server.
Posted in Exchange 2007 ~ 2 comments
At last I had time to upgrade Exchange to SP2 and install Exchange 2010 RC in the same organization. Everything went well at first sight. The only issue which I discovered was when opening the CAS server below the server configuration folder. In that case it displayed the following error message: "Unable to create IIS (Internet Information Services) Directory Entry. Error Message is: Access is denied. HResult =-2147024891."
After some searching on the internet I found the solution. The problem was caused by the group Exchange Trusted Subsystem, which was not a member of the local administrators group on the Exchange 2007 servers.
After making the change and rebooting the Exchange 2010 RC server the problem was solved and I could continue with testing Exchange 2007 SP2 in combination with Exchange 2010 RC. In some cases you may need to reboot all Exchange servers.
But why the group Exchange Trusted Subsystem? This group was introduced in Exchange 2010, is a universal group and has read/write permissions on all Exchange objects in the Exchange organization. When navigating through the menus, PowerShell commands are executed as a user which is a member of this group. To make this possible you will need to ensure that the group Exchange Trusted Subsystem has enough rights on the objects.
Posted in Exchange 2007 ~ No comments