In this blog we will have a look at the impact of a proxy server on your Exchange 2010 environment. The article is split into two parts, since we will also look at the client side and the impact a proxy server has on it.
In the environment we will assume that HTTP and HTTPS access is only allowed via the proxy server, for both servers and clients.
Let's start with the server side of the Exchange environment and the impact a proxy server has on it. Before doing this we need to know which features of Exchange use HTTP/HTTPS to perform specific tasks.
Exchange will use http/https for the following tasks:
- Downloading updates for the anti-spam update service
- Downloading updates for Microsoft Forefront Protection for Exchange Server
- Certificate Revocation List (CRL) validation
- Hybrid environments to connect to Windows Live/Office 365
- Environments which are using the hosted archive solution
- Several cmdlets such as Get-FederationInformation and Test-WebServicesConnectivity
To let these tasks reach the internet through the proxy you can configure the WinHTTP proxy settings using the netsh tool, which has been part of Windows Server since 2003. The tool can be found in the system32 folder.
To configure WinHTTP we first need to navigate to the WinHTTP context:
netsh
netsh>winhttp
netsh winhttp>
The first thing you may want to check is whether a proxy is configured already. This can be done with the following command:
show proxy
There are several ways to configure WinHTTP using netsh. For example, if you already configured the proxy settings in Internet Explorer (IE) you can use these as the source:
set proxy source=ie
But if you don't want to configure the proxy in IE you can provide the configuration by using the following parameters:
- proxy-server: FQDN or IP address of the proxy, including the port number
- bypass-list: a list of hosts for which the proxy is bypassed
The steps for Windows 2003/2008 and 2008 R2 are not the same, so let's have a look at both of them:
set proxy-server=proxy:8080 bypass-list="*.local"
set proxy proxy-server=proxy:8080 bypass-list="*.local"
You may ask yourself why you would use the bypass-list parameter. It is recommended to add the local domain to the bypass list, because both the EMC and the EMS use the HTTP protocol. If you don't configure this, the result may be that you can't connect to your Exchange server with the EMC/EMS.
Now that we have finished the server side, let's have a look at the client side. As you may know, Exchange has offered several services via HTTP/HTTPS since Exchange 2007. Outlook 2007 and newer clients can benefit from these services.
The following services are offered by Exchange to the Outlook client via http/https:
- autodiscover (default https): for automatic configuration
- Exchange Control Panel (default https): for mail tracking (only Outlook 2010)
- Exchange Web Services (default https): for example: calendar sharing, Free/busy , Out Of Office and MailTips
- Offline Address Book (OAB) (default http): for downloading the OAB files
By default Outlook will use the proxy settings configured in Internet Explorer. So it's really important to configure the proxy settings, and specifically the proxy exclusions, to prevent issues.
If you forgot to exclude the URLs used by Exchange you might get errors like this:

In the example above the user tries to enable his/her Out of Office. But since the EWS URL is not excluded, Outlook can't check the current status and displays this error.
So which URLs need to be excluded in the proxy list? They are listed below:
- Autodiscover url
- ECP url
- EWS url
- OAB url
Which internal URLs your Exchange environment currently uses can be found with the following cmdlets:
Autodiscover url:
Get-ClientAccessServer |select AutoDiscoverServiceInternalUri
ECP url:
Get-EcpVirtualDirectory |select InternalUrl
EWS url:
Get-WebServicesVirtualDirectory | select InternalUrl
OAB url:
Get-OabVirtualDirectory | select InternalUrl
Optionally you may also want to add the Outlook Web App (OWA) url if you would like to offer webmail on the local network. In that case run the following cmdlet to see which OWA internal url is configured:
Get-OwaVirtualDirectory | select InternalUrl
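As an added example (not code from the original post), the script below collects the internal URLs from the cmdlets above, derives the host names that must be excluded from the proxy, applies them to the WinHTTP bypass list from the server-side section, and then checks that every URL answers without the proxy. It assumes it runs in the Exchange Management Shell on a CAS server; "proxy:8080" and "*.local" are placeholders, and Test-DirectUrl is a helper written for this example.

```powershell
# Added example, not code from the original post. Run in the Exchange Management
# Shell on a CAS server. "proxy:8080" and "*.local" are placeholders.
$proxyServer = "proxy:8080"
$localSuffix = "*.local"

# Collect the internal URLs from the cmdlets above as System.Uri objects.
# A virtual directory without an InternalUrl yields $null, which is dropped.
$urls = @()
$urls += Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-EcpVirtualDirectory         | ForEach-Object { $_.InternalUrl }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl }
$urls += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl }
$urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl }   # optional (webmail on the LAN)
$urls  = @($urls | Where-Object { $_ -ne $null })

# The host names that must never be sent to the proxy (servers via WinHTTP, clients via IE)
$hosts = @($urls | ForEach-Object { $_.Host } | Sort-Object -Unique)
Write-Host "Hosts to exclude from the proxy:"
$hosts | ForEach-Object { Write-Host "  $_" }

# WinHTTP bypass list: the local domain, <local> (single-label names) and the hosts above
$bypass = (@($localSuffix, "<local>") + $hosts) -join ";"
netsh winhttp show proxy
netsh winhttp set proxy proxy-server="$proxyServer" bypass-list="$bypass"

# Verify each URL answers when the proxy is skipped. An HTTP 401/403 from EWS or ECP
# is fine: it shows the CAS answered. A TrustFailure means the CAS answered but its
# certificate is not trusted on this machine, a certificate problem rather than a proxy one.
function Test-DirectUrl([Uri]$url) {
    $req = [System.Net.WebRequest]::Create($url)
    $req.Proxy = $null                 # skip any proxy for this request only
    $req.Timeout = 10000
    try { $req.GetResponse().Close(); return "OK   $url" }
    catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Response) { return "OK   $url (HTTP $([int]$ex.Response.StatusCode))" }
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            return "CERT $url (reached, certificate not trusted)"
        }
        return "FAIL $url : $($ex.Message)"
    }
}
$urls | ForEach-Object { Test-DirectUrl $_ }
```

The printed host list is the same list that has to go into the Internet Explorer proxy exceptions on the clients.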
Here ends the blog about a proxy server in an Exchange 2010 environment. I hope you liked it; if you have any questions, don't hesitate to contact me.
Posted in Exchange 2010 ~ No comments
Exchange Federation
In the first part of the article we had a look at how Exchange Federation works. After that we looked at how to configure a Federation Trust and Organizational Configuration.
In this part of the article we will continue with configuring the federation. Most Exchange CAS servers are placed behind a firewall, and in most cases a reverse proxy is placed in front of them too.
Reverse proxy configuration
You can for example use Microsoft's Threat Management Gateway (TMG). We will assume that the default rules for publishing the web services are already configured. The authentication is performed by the TMG instead of the CAS servers. In most cases Forms Based Authentication, Basic or NTLM/Kerberos is used for authentication.
These authentication methods can't be used for the Federation Trust and Organizational Configuration, because the credentials of a user will be verified by the Microsoft Federation Gateway (MFG) and not by a domain controller.
Because this authentication type is not permitted by the TMG for these sites, the traffic will be blocked. This can be solved by creating separate rules in the TMG for the following paths:
- /EWS/Exchange.asmx/wssecurity
- /Autodiscover/Autodiscover.svc
- /Autodiscover/Autodiscover.svc/wssecurity
The TMG will need to pass this traffic straight through to the CAS server instead of authenticating it.
Troubleshooting cmdlets
As with most things, configuring a Federation Trust and Organizational Configuration will not always work smoothly. For example, you may think it works, but when testing it you get an error.
Exchange 2010 SP1 contains several test cmdlets to verify the functionality:
- Get-FederationOrganizationIdentifier
- Get-FederationInformation
- Get-FederationTrust
- Get-OrganizationRelationship
- Test-OrganizationRelationship
- Test-FederationTrust
Get-FederationOrganizationIdentifier
With this cmdlet the following information is retrieved:
- What the organization identifier of the Exchange organization is;
- Which additional domains are configured for federation;
- Who the contact for the trust is;
- Whether the domain proof TXT record has been validated by the MFG.
Get-FederationInformation:
This cmdlet can be used after a federation trust has been configured. The cmdlet will retrieve the following information:
- Federated domain names;
- Target URLs of the external Exchange organisation;
Example:
Get-FederationInformation -DomainName domain.com
Get-FederationTrust:
Using this cmdlet an overview of the configured federation trust of the organization will be displayed. The following information is shown when the output is piped to Format-List (| FL):
- ApplicationIdentifier;
- ApplicationUri attributes;
- Certificate details;
- Token details;
Get-OrganizationRelationship:
Using this cmdlet the settings of the configured organization relationship will be displayed. Information displayed by this cmdlet:
Example:
Get-OrganizationRelationship -Identity TrustedDomain
Test-OrganizationRelationship
Using this cmdlet you can test whether the organization relationship is configured correctly and whether it works. This cmdlet needs to be run in combination with a valid user account.
Example:
Test-OrganizationRelationship -UserIdentity johan@domain.com -Identity domain.com -Confirm
The UserIdentity parameter is the account for which a security token will be requested. The Identity is the name of the organization relationship which needs to be tested.
Test-FederationTrust
Performs several tests to validate that the federation trust works correctly. The following tests will be performed:
- Can a connection be made to the MFG;
- Are the certificates valid;
- Can a security token be requested from the MFG.
Example:
Test-FederationTrust -UserIdentity johan@domain.com
In the example above the user account is specified as the UserIdentity. When no UserIdentity is specified the default test mailbox will be used. The default test mailbox can be created by using the New-TestCasConnectivityUser.ps1 script.
Troubleshooting
Certificates
One issue you will probably not see often is an invalid certificate. This can be caused by the certificate no longer being valid because it has expired.
But it may also occur when you try to request a new certificate. It sounds a bit strange, but I did have this issue once. The MFGs are placed in the GMT timezone. When the Exchange environment is located in another timezone it can occur that the certificate will be generated in the future from the MFG's perspective. The solution for this issue is to wait. In the case of GMT+1 you will have to wait one hour and then try it again.
Incorrect external URL for EWS
Because federation depends on the Exchange Web Services it is important that the correct external URLs are configured. When this is not the case the EWS URL will not be available and so no free/busy information will be displayed.
To solve this issue you will need to configure the external URL by using the Exchange Management Shell:
Set-WebServicesVirtualDirectory -Identity Server\EWS* -ExternalUrl https://mail.domain.com/EWS/exchange.asmx
Besides this it’s important that the URL is published correctly by the reverse proxy.
Changes are not active immediately
In case a change is made to the federation it might not be effective immediately. This is caused by caching, which results in the old configuration being used until the cache expires.
For a federation between two Exchange 2010 environments or an Exchange 2010 and Office 365 this can take up to 7 hours.
Autodiscover doesn’t work
Although the autodiscover functionality is not required for configuring the federation, it is important to make the federation work eventually. Verify that the autodiscover service URL is accessible on the LAN but also from the internet. If autodiscover doesn't work correctly, the other Exchange 2010 environment can't resolve the necessary information.
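As an added example (not code from the original post), the health check below chains the test cmdlets from the troubleshooting section with the two configuration checks above: that every EWS virtual directory has an ExternalUrl, and that the remote organization's autodiscover WS-Security endpoint answers from the CAS. It assumes the Exchange Management Shell on Exchange 2010 SP1, that Test-FederationTrust and Test-OrganizationRelationship return objects with Id, Type and Message properties, and uses the post's placeholders johan@domain.com and domain.com; Add-Result is a helper written for this example.

```powershell
# Added example, not code from the original post. Run in the Exchange Management
# Shell on Exchange 2010 SP1. johan@domain.com and domain.com are the post's placeholders.
# Assumes Test-FederationTrust and Test-OrganizationRelationship return objects
# with Id, Type and Message properties (Type is "Success" for a passed test).
$testUser     = "johan@domain.com"
$remoteDomain = "domain.com"          # federated domain of the other organization
$results      = New-Object System.Collections.ArrayList

function Add-Result([string]$check, [bool]$ok, [string]$detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $check; OK = $ok; Detail = $detail }))
}

# 1. Trust to the MFG: connection, certificates and a token request
foreach ($r in Test-FederationTrust -UserIdentity $testUser) {
    Add-Result "FederationTrust/$($r.Id)" ($r.Type -eq "Success") $r.Message
}

# 2. Organization relationship with the remote organization, tested with a real user
foreach ($r in Test-OrganizationRelationship -UserIdentity $testUser -Identity $remoteDomain -Confirm:$false) {
    Add-Result "OrgRelationship/$($r.Id)" ($r.Type -eq "Success") $r.Message
}

# 3. Every EWS virtual directory needs an ExternalUrl, otherwise the remote
#    organization has no URL to send its free/busy requests to
foreach ($vd in Get-WebServicesVirtualDirectory) {
    Add-Result "EWS ExternalUrl on $($vd.Server)" ($vd.ExternalUrl -ne $null) "$($vd.ExternalUrl)"
}

# 4. The remote autodiscover endpoint must be reachable from the CAS, because that
#    is how the remote EWS URL is found. An HTTP 401/403 still proves it is published.
$rel = Get-OrganizationRelationship |
    Where-Object { @($_.DomainNames | ForEach-Object { $_.ToString() }) -contains $remoteDomain } |
    Select-Object -First 1
if ($rel -and $rel.TargetAutodiscoverEpr) {
    $epr = $rel.TargetAutodiscoverEpr
    try {
        $req = [System.Net.WebRequest]::Create($epr)
        $req.Timeout = 10000
        $req.GetResponse().Close()
        Add-Result "Remote autodiscover EPR" $true "$epr"
    } catch [System.Net.WebException] {
        $reached = ($_.Exception.Response -ne $null)
        Add-Result "Remote autodiscover EPR" $reached "$epr : $($_.Exception.Message)"
    }
} else {
    Add-Result "Remote autodiscover EPR" $false "no organization relationship found for $remoteDomain"
}

$results | Format-Table Check, OK, Detail -AutoSize
```

A failed row in the table points at the section above that covers it: token or certificate rows at the certificate issue, the ExternalUrl row at Set-WebServicesVirtualDirectory, the EPR row at the autodiscover publishing.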
Here ends the second part and last part of the Exchange Federation series. If you’ve got any questions about it don’t hesitate to contact me.
Since Exchange 2003 it's possible to set up a federation between Exchange organizations. Compared to older Exchange versions, configuring a federation between two organizations became quite easy in Exchange 2010.
You might still encounter some issues while configuring the federation.
In this series of blog articles we will have a look at several of these issues and at how to troubleshoot them.
But to solve an issue it's important to understand the concept. Therefore we will start with an explanation of how federation works and how to configure it.
To build a federation between two companies two things will need to be configured:
- Federation Trust;
- Organization Relationship;
Federation trust
Before creating the Organization Relationship we will first need to configure a Federation Trust. This Federation Trust will be setup between the Exchange 2010 on-premises environment and the Microsoft Federation Gateway (MFG).
The MFG is the component in the federation setup which is responsible for authentication and providing authentication tickets. In this case the MFG is also known as the trust broker. The on-premises Exchange environment uses a certificate to authenticate itself to the MFG. The MFG is available in two sorts:
- Business instance, used by Exchange 2010 SP1 and Microsoft Online Services;
- Consumer instance, used by Exchange 2010 RTM, organizations who decide to use a 3rd party certificate and Live@edu;
Microsoft recommends ensuring that both organizations use the same MFG.
Before you configure a federation trust it’s important to know if you will use federated delegation.
Using federated delegation it's possible to share information between users in both environments. One of the requirements for this functionality is that you create a subdomain which is used for federated delegation. This subdomain may not be the same as the primary SMTP domain in use. This subdomain must be set as the Organization Identifier. Microsoft recommends creating a subdomain called exchangedelegation.domain.com for this purpose. The MFG will use this subdomain to assign a unique identity to every user. This identity will be used to get a Security Assertion Markup Language (SAML) delegation token. Using this token users can authenticate themselves to the other Exchange organization.
Configuring a Federation Trust can be divided in the following steps:
- Create a Federation Trust;
- Retrieve the Domain Proof;
- Create DNS TXT record;
- Configure the Organization Identifier and additional domains for Federation;
The first step can be performed by using the Exchange Management Console (EMC) or Exchange Management Shell (EMS). Keep in mind that when you want to use a 3rd party certificate you can only create the Federation Trust using the EMS.
Federation Trust
EMC
The method below will create a trust with the MFG and creates a self-signed certificate for authentication:
- Open the EMC;
- Select the Organization Configuration;
- Select the option New Federation Trust;
- Click the option New;
- Click Finish to close the wizard;
EMS
Get-ExchangeCertificate | ?{$_.FriendlyName -eq "Exchange Federated Delegation"} | New-FederationTrust -Name "Microsoft Federation Gateway"
Domain Proof
When the trust has been created we will need to retrieve the domain proof. The domain proof must be used to create a TXT record in DNS. Using the domain proof a check will be performed to see if you really are the owner of the domain.
The domain proof can only be gathered by using the EMS:
Get-FederatedDomainProof -DomainName domain.com
Keep in mind that if you are going to use Federated Delegation you will need to perform this step for both the subdomain and the mail domains.
Add domains to the Federated Trust
When both the trust and the domain proofs are created we can continue by adding the domains to the Federated Trust.
Before you can perform this step you will need to add the subdomain to the accepted domains of Exchange:
New-AcceptedDomain -DomainName exchangedelegation.domain.com -Name FederationDomain
When the cmdlet above has been executed we can configure the federation trust. This will need to be performed in two steps:
Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" -AccountNamespace exchangedelegation.domain.com -Enabled $True
Using the cmdlet above we will configure the trust to use the subdomain as the organization identifier. The organization identifier is being used for authentication. During this process a check will be performed if the TXT records can be found in the DNS. If the record can be found the configuration will be updated.
To finalize the federation trust configuration you will need to add all the other domains to the trust. This can be done by using the Add-FederatedDomain cmdlet. Just like the previous cmdlet a check is being performed for the TXT record.
Add-FederatedDomain -DomainName domain.com
Using this step the configuration of the Federation Trust has been completed.
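As an added example (not code from the original post), the script below runs the four steps of this section in order and, before Set-FederatedOrganizationIdentifier is called, checks that the domain proof TXT record is actually published and matches the value Exchange returned, which is the step that usually fails silently. It assumes the Exchange Management Shell, that Get-FederatedDomainProof exposes the proof string as its Proof property, and uses the post's placeholders domain.com and exchangedelegation.domain.com; Test-DomainProofRecord is a helper written for this example.

```powershell
# Added example, not code from the original post. Run in the Exchange Management
# Shell. domain.com and exchangedelegation.domain.com are the post's placeholders.
$trustName    = "Microsoft Federation Gateway"
$delegationNS = "exchangedelegation.domain.com"
$mailDomains  = @("domain.com")
$resolver     = $null    # optional: a public DNS server to query, since the MFG checks public DNS

# Step 1: create the trust with the self-signed federation certificate (skip if it exists)
if (-not (Get-FederationTrust -Identity $trustName -ErrorAction SilentlyContinue)) {
    Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq "Exchange Federated Delegation" } |
        New-FederationTrust -Name $trustName
}

# Step 2: retrieve the domain proof for the delegation subdomain and every mail domain
# (assumes Get-FederatedDomainProof exposes the proof string as the Proof property)
$proofs = @{}
foreach ($d in @($delegationNS) + $mailDomains) {
    $proofs[$d] = (Get-FederatedDomainProof -DomainName $d).Proof
    Write-Host "TXT record to publish for $d : $($proofs[$d])"
}

# Step 3: verify the TXT record is published and matches, using nslookup so this
# also works on Windows Server 2008 R2 (which has no Resolve-DnsName cmdlet)
function Test-DomainProofRecord([string]$domain, [string]$expected, [string]$server) {
    $nsArgs = @("-type=TXT", $domain)
    if ($server) { $nsArgs += $server }
    $out = & nslookup @nsArgs 2>$null
    # nslookup prints each TXT value as a quoted string; collect them all
    $found = @($out | ForEach-Object { if ($_ -match '"([^"]+)"') { $matches[1] } })
    return ($found -contains $expected)
}

$missing = @($proofs.Keys | Where-Object { -not (Test-DomainProofRecord $_ $proofs[$_] $resolver) })
if ($missing.Count -gt 0) {
    Write-Warning "Domain proof TXT record not visible yet for: $($missing -join ', '). Publish it and run the script again."
    return
}

# Step 4: accepted domain, organization identifier and the additional federated domains
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName.ToString() -eq $delegationNS })) {
    New-AcceptedDomain -DomainName $delegationNS -Name FederationDomain
}
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $trustName -AccountNamespace $delegationNS -Enabled $true
foreach ($d in $mailDomains) { Add-FederatedDomain -DomainName $d }

# Result: the identifier and all federated domains should now be listed
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled
```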
Optionally you can also use the EMC to perform these steps. The advantage of this is that you can perform both steps via the same wizard.
Create an Organization Relationship
To share free/busy information between the organizations it's necessary to create an Organization Relationship.
Creating an Organization Relationship can be performed by using either the EMC or the EMS.
EMC
- Open the EMC;
- Select the Organization Configuration;
- Select the option New Organization Relationship;
- Configure the name of the other organization on the Introduction page, activate the Organization Relationship and specify which information you want to make available to the other organization. Optionally you can assign a security group, which lets you share only the information of the members of that group;
- On the External Organization page choose to configure the relationship either manually or automatically. When choosing the automatic way, autodiscover will be used. If things change on the other organization's side you won't have to change it manually.
If selecting the manual method you will need to provide the following information:
o Federated domains of the external Exchange organization: add both exchangedelegation.domain.com and domain.com;
o Application URI of the external Exchange organization: exchangedelegation.domain.com; this information will be used to request a delegated token;
o Autodiscover endpoint of the external Exchange organization; this URL will be used to retrieve the URLs of the CAS server, because the free/busy information will be retrieved using EWS. The URL will look like this:
https://autodiscover.domain.com/autodiscover/autodiscover.svc/wssecurity;
- On the New Organization Relationship page verify the configuration and press New to create the Organization Relationship.
EMS
New-OrganizationRelationship -Name "External Company" -DomainNames "exchangedelegation.domain.com","domain.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -TargetAutodiscoverEpr "https://autodiscover.domain.com/autodiscover/autodiscover.svc/wssecurity" -TargetApplicationUri "exchangedelegation.domain.com"
In the example above we configure the Organization Relationship manually. Autodiscover will still be used to retrieve the EWS URLs. If you would like to retrieve the DomainNames, TargetAutodiscoverEpr and TargetApplicationUri automatically, create the Organization Relationship like this:
Get-FederationInformation -DomainName domain.com | New-OrganizationRelationship -Name "External Company" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
In the example above we will first retrieve the Federation Information of the domain. Next we will use the output of the Get-FederationInformation to create the Organization Relationship.
Clients
To use the features offered by the Organization Relationship you will need to use one of the following clients:
- Outlook 2010
- Outlook Web App/Outlook Web Access
- Outlook 2007
When using Outlook 2007 there’s one thing you should keep in mind. Typing in the SMTP address, just like in Outlook 2010/OWA, doesn’t work with Outlook 2007. If Outlook 2007 is the only Outlook version which is in use you will need to add all users from the other organization as contacts so they will appear in the Global Address List.
What happens when free/busy information is retrieved?
But what happens when a user request free/busy information of a user in another organization?
In the workflow below a complete overview of the process:

- User provides the SMTP address of a user in another organization;
- The CAS Server checks if Federation is configured;
- The CAS Server sends a token request to the Microsoft Federation Gateway;
- The Microsoft Federation Gateway verifies if the source organization is trusted by the target organization;
- The Microsoft Federation Gateway sends a token back to the CAS Server which requested the token. The token is signed and encrypted with the public key of the target organization;
- The CAS Server sends the free/busy request to the CAS Server of the target organization;
- The Target CAS Server receives the token;
- The Target CAS Server verifies whether the organization which sends the request is in the trust list;
- The Target CAS Server checks which free/busy information may be displayed;
- The Availability Service requests the information from the mailbox;
- The answer is sent back to the client;
Here ends the first part of how Federations can be used in Exchange 2010. In the next part we will have a look at how you can safely publish it to the internet and will start with some troubleshooting.
TechNet: Understanding Federation
TechNet: Creating a Federation Trust
Earlier today Microsoft released Rollup 2 for Exchange 2010 SP2. This is the first rollup released for Service Pack 2. This rollup contains fixes for the following issues:
- 2465015 You cannot view or download an image on a Windows Mobile-based device that is synchronized with an Exchange Server 2010 mailbox
- 2492066 An automatic reply message is still sent after you clear the “Allow automatic replies” check box for a remote domain on an Exchange Server 2010 server
- 2492082 An Outlook 2003 user cannot view the free/busy information of a resource mailbox in a mixed Exchange Server 2010 and Exchange Server 2007 environment
- 2543850 A GAL related client-only message rule does not take effect in Outlook in an Exchange Server 2010 environment
- 2545231 Users in a source forest cannot view the free/busy information of mailboxes in a target forest in an Exchange Server 2010 environment
- 2549255 A meeting item displays incorrectly as multiple all-day events when you synchronize a mobile device on an Exchange Server 2010 mailbox
- 2549286 Inline contents disposition is removed when you send a “Content-Disposition: inline” email message in an Exchange Server 2010 environment
- 2556113 It takes a long time for a user to download an OAB in an Exchange Server 2010 organization
- 2557323 Problems when viewing an Exchange Server 2003 user’s free/busy information in a mixed Exchange Server 2003 and Exchange Server 2010 environment
- 2563245 A user who has a linked mailbox cannot use a new profile to access another linked mailbox in an Exchange Server 2010 environment
- 2579051 You cannot move certain mailboxes from an Exchange Server 2003 server to an Exchange Server 2010 server
- 2579982 You cannot view the message delivery report of a signed email message by using Outlook or OWA in an Exchange Server 2010 environment
- 2585649 The StartDagServerMaintenance.ps1 script fails in an Exchange Server 2010 environment
- 2588121 You cannot manage a mail-enabled public folder in a mixed Exchange Server 2003 and Exchange Server 2010 environment
- 2589982 The cmdlet extension agent cannot process multiple objects in a pipeline in an Exchange Server 2010 environment
- 2591572 “Junk e-mail validation error” error message when you manage the junk email rule for a user’s mailbox in an Exchange Server 2010 environment
- 2593011 Warning 2074 and Error 2153 are logged on DAG member servers in an Exchange Server 2010 environment
- 2598985 You cannot move a mailbox from a remote legacy Exchange forest to an Exchange Server 2010 forest
- 2599434 A Public Folder Calendar folder is missing in the Public Folder Favorites list of an Exchange Server 2010 mailbox
- 2599663 The Exchange RPC Client Access service crashes when you send an email message in an Exchange Server 2010 environment
- 2600034 A user can still open an IRM-protected email message after you remove the user from the associated AD RMS rights policy template in an Exchange Server 2010 environment
- 2600289 A user in an exclusive scope cannot manage his mailbox in an Exchange Server 2010 environment
- 2600943 EMC takes a long time to return results when you manage full access permissions in an Exchange Server 2010 organization that has many users
- 2601483 “Can’t open this item” error message when you use Outlook 2003 in online mode in an Exchange Server 2010 environment
- 2604039 The MSExchangeMailboxAssistants.exe process crashes frequently after you move mailboxes that contain IRM-protect email messages to an Exchange Server 2010 SP1 mailbox server
- 2604713 ECP crashes when a RBAC role assignee tries to manage another user’s mailbox by using ECP in an Exchange Server 2010 environment
- 2614698 A display name that contains DBCS characters is corrupted in the “Sent Items” folder in an Exchange Server 2010 environment
- 2616124 Empty message body when replying to a saved message file in an Exchange Server 2010 SP1 environment
- 2616230 IMAP4 clients cannot log on to Exchange Server 2003 servers when the Exchange Server 2010 Client Access server is used to handle proxy requests
- 2616361 Multi-Mailbox Search fails if the MemberOfGroup property is used for the management scope in an Exchange Server 2010 environment
- 2616365 Event ID 4999 when the Store.exe process crashes on an Exchange Server 2010 mailbox server
- 2619237 Event ID 4999 when the Exchange Mailbox Assistants service crashes in Exchange 2010
- 2620361 An encrypted or digitally-signed message cannot be printed when S/MIME control is installed in OWA in an Exchange Server 2010 SP1 environment
- 2620441 Stop-DatabaseAvailabilityGroup or Start-DatabaseAvailabilityGroup cmdlet fails when run together with the DomainController parameter in an Exchange Server 2010 environment
- 2621266 An Exchange Server 2010 database store grows unexpectedly large
- 2621403 “None” recipient status in Outlook when a recipient responds to a meeting request in a short period of time in an Exchange Server 2010 environment
- 2628154 “The action couldn’t be completed. Please try again.” error message when you use OWA to perform an AQS search that contains “Sent” or “Received” in an Exchange Server 2010 SP1 environment
- 2628622 The Microsoft Exchange Information Store service crashes in an Exchange Server 2010 environment
- 2628693 Multi-Mailbox Search fails if you specify multiple users in the “Message To or From Specific E-Mail Addresses” option in an Exchange Server 2010 environment
- 2629713 Incorrect number of items for each keyword when you search for multiple keywords in mailboxes in an Exchange Server 2010 environment
- 2629777 The Microsoft Exchange Replication service crashes on Exchange Server 2010 DAG members
- 2630708 A UM auto attendant times out and generates an invalid extension number error message in an Exchange Server 2010 environment
- 2630967 A journal report is not sent to a journaling mailbox when you use journaling rules on distribution groups in an Exchange Server 2010 environment
- 2632206 Message items rescanned in the background in an Exchange Server 2010 environment
- 2633044 The Number of Items in Retry Table counter displays an incorrect value that causes SCOM alerts in an Exchange Server 2010 SP1 organization
- 2639150 The MSExchangeSyncAppPool application pool crashes in a mixed Exchange Server 2003 and Exchange Server 2010 environment
- 2640218 The hierarchy of a new public folder database does not replicate on an Exchange Server 2010 SP1 server
- 2641077 The hierarchy of a new public folder database does not replicate on an Exchange Server 2010 SP1 server
- 2642189 The RPC Client Access service may crash when you import a .pst file by using the New-MailboxImportRequest cmdlet in an Exchange Server 2010 environment
- 2643950 A seed operation might not succeed when the source mailbox database has many log files in a Microsoft Exchange Server 2010 DAG
- 2644047 Active Directory schema attributes are cleared after you disable a user’s mailbox in an Exchange Server 2010 environment
- 2644264 Disabling or removing a mailbox fails in an Exchange Server 2010 environment that has Office Communications Server 2007, Office Communications Server 2007 R2 or Lync Server 2010 deployed
- 2648682 An email message body is garbled when you save or send the email message in an Exchange Server 2010 environment
- 2649727 Client Access servers cannot serve other Mailbox servers when a Mailbox server encounters a problem in an Exchange Server 2010 environment
- 2649734 Mailbox replication latency may occur when users perform a Multi-Mailbox Search function against a DAG in an Exchange Server 2010 environment
- 2649735 Warning of undefined recipient type of a user after the linked mailbox is moved from an Exchange Server 2007 forest to an Exchange Server 2010 forest
- 2652849 The MailboxCountQuota policy is not enforced correctly in an Exchange Server 2010 hosting mode
- 2665115 Event ID 4999 is logged on an Exchange Server 2010 Client Access server (CAS)
The rollup can be downloaded via the link below:
Download – Exchange 2010 SP2 Rollup 1
Use Outlook cached mode or not?
Since Outlook 2003 it is possible to run Outlook in two modes:
- Online mode
- Cached Exchange mode
But what are the differences between those modes?
Online mode
When the Outlook profile is configured in Online Mode, Outlook will create a direct connection to the Information Store of Exchange. This has the advantage that messages appear almost immediately when delivered to the mailbox. When the connection to the Exchange server is not available you don't have access to the mailbox.
Cached Exchange mode
When the Outlook profile is configured in Cached Exchange mode a local cache file will be created from the mailbox. This file is also known as the offline data file which can be recognized easily when looking at the extension which is OST. By default the file is stored in Local Settings\Application Data\Microsoft\Outlook. When looking at the size of the OST you will see the size is different than the size of the mailbox.
An OST file can be 50 to 80 percent bigger than the mailbox. The cause of this is the method which is being used to store items. Outlook does use a less efficient way then Exchange Server.
The maximum size of the OST differs per type:
- Non-Unicode (ANSI): maximum 2 GB;
- Unicode: maximum size is configurable, default 50 GB;
Which type is used can be discovered by using the following steps:
- Select Tools;
- Select the option E-mail accounts;
- Select the Exchange e-mail account and press the change button;
- Select More Settings;
- Select the Advanced tab
- Check the value of Mailbox Mode;
Besides the OST file a user in Cached Exchange Mode also uses Offline Address Book (OAB).
The advantage of Cached Exchange Mode is that mailbox content is also available when you don't have a connection to Exchange, except for new items which haven't been cached yet. When connected to Exchange, messages will arrive in the mailbox with a slight delay. This is caused by Outlook checking for new messages every 30 seconds by default. A disadvantage of Cached Exchange Mode is that the OST file is only cached locally. When a user works on another workstation a new OST file will be generated if none is available.
Starting from Outlook 2010 Microsoft recommends to use Cached Exchange Mode. When the autodiscover functionality of Exchange is being used you will see that the Cached Exchange Mode will be enabled by default.
In environments with limited bandwidth (a slow connection) you can choose to download only the e-mail headers and the first 256 characters of a message.
When the speed of a network connection is 128 KB or less, the connection is marked as a slow connection.
The number of RPC requests, compared with Online Mode, is lower, because the local cache on the workstation is used. The influence of the workstation's hard disk is bigger.
What is being cached?
When using Outlook 2010, by default both the user's mailbox and additional mailboxes are added to the cache. Public Folders are not stored in the cache. It is possible to add Public Folder favorites to the cache, but in this case you will need to enable the option manually or via a GPO.
As mentioned earlier Outlook uses an Offline Address Book (OAB). Initially a complete download of the address book is performed. After that only incremental updates are downloaded. The OAB is downloaded once every 24 hours if it contains new data.
When shouldn’t you use Cached Mode?
But are there scenarios where you don't want to use Cached Exchange Mode? Yes there are; below is an overview of these scenarios:
- Computers which are used by multiple people and where a delay in downloading new messages is not acceptable;
- Environments where compliance and security rules prohibit storing data locally;
- The complete cached file can't be stored because of a lack of disk space;
- Mailboxes greater than 25 GB;
- Virtual or Remote Desktop Services environments where Outlook 2007 or Outlook 2003 is installed. Cached Exchange Mode isn't supported on a system which offers Remote Desktop Services;
- Virtual or Remote Desktop Services environments where Outlook 2010 is used but not enough disk space or I/O capacity is available;
Impact of Cached Exchange Mode on Outlook functionalities
Besides the scenarios mentioned earlier there are some additional functionalities which are influenced when using Outlook in Cached Exchange Mode. Below is an overview of these functionalities:
- Delegate mailbox data stores;
- Shared Folders which are not made available offline;
- Retrieve Free/Busy information;
- Configure/change/disable Out-Of-Office;
- Access to Public Folders;
- Retrieving IRM messages;
- Changing rules;
- Retrieving MailTips;
These functions require a connection to the Exchange environment. When there is no connection these functions are not available. If there is a connection to the Exchange Server these functions may work slower than normal. This is only the case when connecting via a connection with high latency.
Besides the functionalities mentioned earlier there are a few functions which Microsoft doesn't recommend using:
- Using the toast alert function with digital signatures;
- Multiple address book containers;
- Custom properties on the General tab;
Influence of large OST files
Large OST files can cause performance issues in Outlook. Users notice this because Outlook doesn't respond correctly. This can happen when one of the following tasks is performed:
- Reading messages;
- Moving messages;
- Removing messages;
Depending on the Outlook version in use, the following guidelines apply:
| Expected impact | Outlook 2007 with performance update, or Outlook 2007 SP1 without the cumulative updates of February 2009 | Outlook 2007 SP1 with the cumulative updates of February 2009 or later |
| Users should not experience any delay | 2 GB or less | 5 GB or less |
| Depending on the hardware a user might experience some delay | 2 GB to 4 GB | 5 GB to 10 GB |
| Users will definitely experience a delay using most hardware | More than 4 GB | More than 10 GB |
| The amount of delay will increase | More than 10 GB | More than 25 GB |
Cached Exchange Mode in combination with BlackBerry devices
Using Cached Exchange Mode in combination with mobile devices that synchronize can cause issues. In most cases the cause is that the mobile server downloads the message after it has already been downloaded to the Outlook cache file.
BlackBerry Server is one of these mobile servers. The BlackBerry Server adds several properties to a message, among them RefID, which causes the item stored in the Information Store to be changed. If a user makes a change to the message it is also updated in the Information Store. Because the properties of both versions of the message are not the same, this results in conflicts.
The BlackBerry downloads the updated item. One of the items is assigned as the primary item. The conflicting item is stored in the Sync Issues – Conflicts folder so a user can restore that copy of the message.
To decrease the number of conflict items a workaround can be applied by making a registry change:
- Open regedit
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Research In Motion\BlackBerry Enterprise Server\Agents
- Create a new DWORD named ProcessMailDelay
- Assign a value of 45
With this workaround the BlackBerry Server retrieves the mail with a delay of 45 seconds. Note that this should only be used for testing. BlackBerry recommends decreasing this value once you have confirmed it fixes the sync issues.
Cached Exchange Mode in combination with Windows Desktop Search
Windows Desktop Search can be used to index the content of a mailbox. In Cached Exchange Mode you will need to leave Outlook running to index the content of the OST. When you quit Outlook, Windows Desktop Search won't index the OST.
The advantage of using Cached Exchange Mode in combination with Windows Desktop Search is that the requests are processed locally instead of being sent to the Exchange Server. If you choose to work in Online Mode make sure you implement Windows Desktop Search 4.0. Windows Desktop Search 4.0 is at this moment the only search engine which doesn't create any additional read requests.
Here ends the blog about Outlook and Cached Exchange Mode. As you have seen there are a lot of things to consider before enabling it, one of them being the Outlook version in use. It depends on the organization, but in most cases you will see that Cached Exchange Mode is enabled for both desktops and laptops. Excluded are desktops which are used as flexible workstations.
Posted in Exchange 2010 ~ No Comments
2012 has arrived, but what has happened in the past year with Exchange 2010? In this blog we will look at some of the highlights of the Exchange 2010 news in 2011.
If we summarize this year you could use the following words:

January
At the beginning of January Exchange received InfoWorld's Technology of the Year award for the best mail server of 2011.
On the 27th of January Microsoft published a statement on GAL Segmentation, which until that moment was still not supported in Exchange 2010. The whitepaper which was available for Exchange 2007 would not be updated for Exchange 2010. They announced that another solution would be available in Exchange 2010 SP2; a few months later this feature got a name: Address Book Policies.
One day after the statement Kevin Allison announced that UDP notifications would be reintroduced in Exchange 2010, because many customers had asked for it. The functionality would be available after installing Rollup 3. As a result of reintroducing the feature the release date of the Rollup was rescheduled.
February
The Windows Server team released SP1 for Windows 2008 R2. But what does this mean for Exchange 2010? On the 11th of February the MsExchange Team came with an answer: both Exchange 2010 RTM and Exchange 2010 SP1 are supported with this SP. For Exchange 2010 SP1 the separate hotfixes 979744, 983440, 979099, 982867 and 977020 are no longer required, since they are included in the Service Pack for Windows 2008 R2.
March
On the 7th of March Microsoft released Rollup 3 for Exchange 2010 SP1. Everyone was curious about the UDP notifications feature which became available with this Rollup. But shortly after the release the forums contained a lot of messages about Exchange 2010 in combination with BlackBerry devices: messages were sent twice, which of course could have a big impact for some companies.
On the 14th of March Microsoft published the following message on the MsExchangeTeam blog:
We have received notification of an issue impacting some customers which have RIM BlackBerry devices connecting to an Exchange 2010 SP1 RU3 environment. At this stage we are actively working with RIM to identify the exact scenarios in which customers are reporting this issue in order to narrow down the root cause of the problem and identify a suitable resolution for it. As a precautionary measure we have deactivated the download page for Exchange 2010 SP1 RU3 until we can identify the appropriate next steps.
Rollup 3 was removed from the Download Center.
April
OWA Automobile Edition, Twitter-Ready Mail, Boss OOFs, Email Etiquette Enforcement (EEE) Agent, Automatic Randomized MRM (ARM) Assistant, Active Inbox Rules (AIR) Agent, Mobile Read Receipts and Exchange Configuration: all new features announced on the 1st of April. All these features were one big April fool's joke, which caused a lot of nice reactions from some people.
After Rollup 3 was removed in March, Rollup 3v3 was released on the 6th of April. This release fixed the BlackBerry issue and contained the original fixes which were included in Rollup 3.

On the 13th of April Microsoft announced the Exchange ActiveSync Logo Program. This certification program for ActiveSync devices was created by Microsoft together with an external lab. Devices have to support the following features to be certified for the program:
- Direct Push email, contacts & calendar
- Accept, Decline & Tentatively Accept meetings
- Rich formatted email (HTML)
- Reply/Forward state on email
- GAL Lookup
- Autodiscover
- ABQ strings (device type and device model) provided
- Remote Wipe
- Password Required
- Minimum Password Length
- Timeout without User Input
- Number of Failed Attempts
Microsoft released the program to give enterprises a way to improve the support they can give to their users, who are using several kinds of mobile devices.
On the 15th of April a new recommendation was published on the MsExchange Team blog: enable Kerberos authentication for clients. One of the reasons is that NTLM might cause a bottleneck. Before Exchange 2010 SP1 Kerberos was not really an option. In SP1 Microsoft introduced functionality which makes it possible to use an alternate service account (ASA). This account needs to be assigned to all CAS servers in the array and needs to contain the correct service principal names (SPNs).
To simplify the configuration Microsoft released a script called RollAlternateServiceAccountPassword.ps1. Using this script it is possible to configure the ASA on all CAS Array members. Besides this the script contains an option to create a scheduled task which changes the password at a pre-defined frequency.
Besides the new recommendation a .NET update caused some issues. Installing the update on an Exchange 2010 Server running Windows 2008 SP2 or Windows 2008 R2 RTM might cause the following issues:
- Exchange Management Shell does not start
- Exchange Management Console does not start
- There might be a crash in the Exchange Mailbox Replication Service (it is not clear yet if this is related)
- Event Viewer might have trouble opening
On the 20th of April Microsoft released an update to fix this issue.
May
On the 16th of May an announcement was made about changes to the hardware virtualization support for Exchange 2010. These changes were only applicable to Exchange 2010 SP1:
- The Unified Messaging server role is supported in a virtualized environment.
- Combining Exchange 2010 high availability solutions (database availability groups (DAGs)) with hypervisor-based clustering, high availability, or migration solutions that will move or automatically failover mailbox servers that are members of a DAG between clustered root servers, is now supported.
The day after, Kevin Allison announced SP2 at TechEd Atlanta. SP2 would contain a lot of fixes for issues customers reported and a few new features:
- Outlook Web App (OWA) Mini
- Cross-Site Silent Redirection for Outlook Web App
- Hybrid Configuration Wizard
- Address Book Policies
At TechEd Atlanta the new features were included in a presentation by Greg Taylor. SP2 would be available in the second half of 2011.
June
On the 22nd of June it was time for Rollup 4. At first everything looked OK, but on the 13th of July Microsoft published a post titled Exchange 2010 SP1 RU4 Removed from Download Center.
Rollup 4 introduced some issues when moving or copying folders: the subfolders and their content would be deleted. The items could be recovered by using the Recoverable Items folder.
It took 2 weeks before Rollup 4v2 was released on the 27th of July.
July
On the 5th of July Microsoft announced a new tool: the PST Capture tool. This tool can be used to search the network for PST files and import them into Exchange 2010. The tool was planned for 2011.
August
On the 23rd of August Rollup 5 was released. Of course a lot of people held back after the issues with the previous two Rollups, but Rollup 5 did not contain a lot of big issues.
In March of this year the Internet Explorer team released the new version of Internet Explorer, IE 9. After a few days some issues were reported about IE 9 in combination with the Exchange Management Console (EMC). When closing the EMC the following message was displayed:

In August the Exchange Team published a statement about the issue. The Exchange Team investigated the issue together with the MMC and Internet Explorer teams to find a solution. Finally a special hotfix was released which solved the issue. In December 2011 this hotfix was included in a security update for IE 9 (KB 2618444).
October
Rollup 6 was the last Rollup released for Exchange 2010 SP1 in 2011. This Rollup was released by Microsoft on the 27th of October.
On the 11th of October support ended for Exchange 2010 RTM. From this date on, support is only given for Exchange 2010 environments running SP1.
In Exchange 2010 SP1 the /hosting parameter was introduced. By using this parameter to install Exchange it was possible to create a multi-tenant Exchange 2010 environment. The solution offered a small set of functions to end users compared to an on-premises Exchange 2010 environment. Besides this it doesn't contain any automation tools, for example for creating users.
In October Microsoft announced that the /hosting parameter would not be developed further. Hosting parties who already implemented Exchange this way will still be supported by Microsoft according to the Exchange support lifecycle.
November
At DevConnections, at the beginning of November, it was time for some news about SP2. Kevin Allison announced that SP2 would be released at the end of November or the beginning of December.
December
Eventually, on the 12th of December, Microsoft published the following message on the MsExchangeTeam blog:
I had previously mentioned that Exchange 2010 Service Pack 2 would be coming this year – and it’s here! I’m pleased to announce the availability of Exchange Server 2010 Service Pack 2 which is ready to download.
Posted in Exchange 2010 ~ No Comments
Earlier this year a blog post was posted on the Exchange Team site by Ross Smith IV. In this post he encouraged the use of Kerberos as authentication method for Outlook clients.
In a lot of Exchange environments you will see that it is implemented. When you are using a CAS Array you will need to create an alternate service account (ASA) for this. This can be done by using the RollAlternateServiceAccountPassword.ps1 script. Keep in mind that when using the CreateScheduledTask parameter the scheduled task will run as the account that created it.
After registering the correct SPNs on the ASA account Kerberos will work in most cases. In some scenarios a typo results in incorrect SPNs being registered. When this is the case you can solve it by using setspn or ADSI Edit.
But what if Kerberos sometimes works and sometimes doesn't, or only works for specific users? If it doesn't work a user will not be able to access his/her mailbox.
The easiest way to figure out if Kerberos is the cause is to change the Outlook profile.

On the Security tab of the account change the value of Logon network security to NTLM. If the user can access his/her mailbox after this you know that Kerberos is causing the issue.
Besides this an event will be logged in the System event log. Because only a small set of logging is enabled on Windows servers by default, you won't see the Kerberos issue on that side. To enable the logging you will need to make a change in the registry:
- start regedit
- browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- create a DWORD called LogLevel
- change the value of the DWORD to 0x1
Logging is enabled directly after creating the registry value, and after a refresh you will see several Kerberos errors in the log.
Another option is to create a network trace using Wireshark or Netmon. In both cases you will see the following message in the trace:
0xD – KDC_ERR_BADOPTION: KDC cannot accommodate requested option
When you search the internet for this error you will see you are not the only one. But let's start from the beginning instead of going directly to the solution.
One of the first things you will need to do is run SetSPN -L "ASA account" to verify that all correct SPNs are registered. The SPNs should be unique. Despite this I have seen environments where the domain controllers also contain two SPNs named ExchangeAB followed by the NetBIOS name and the FQDN. To verify if the SPNs are unique you can use SetSPN -Q "SPN VALUE", for example SetSPN -Q ExchangeAB/*.

As displayed in the screenshot above, ExchangeAB is found four times: two times on the Exchange Server and two times on the DC.
As far as we can see at this moment everything looks OK. Time to continue troubleshooting. But with which step can you continue when you have the error above? Klist.exe or Kerbtray.exe will not help a lot because in most cases renewing the tickets won't solve the issue.
After some research together with a customer we found the root cause of the issue.
Microsoft changed the UDP packet size starting from Windows 2003. In Windows XP the UDP packet size was set to 2000; starting from 2003 it has been set to 1465. I think you know what will happen when Kerberos sends a packet, since Kerberos uses UDP by default: this results in incomplete packets arriving at servers running Windows 2003 or above.
But why does the issue only happen for some users? This depends on the Kerberos ticket size. The size of a Kerberos ticket is determined by:
- length of the password
- membership of groups
- whether the groups contain other nested groups
To solve this issue you will need to make a registry change:
- start regedit
- browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- create a DWORD called MaxPacketSize
- change the value of the DWORD to 1
By making this change all Kerberos packets bigger than 1K are sent using Kerberos over TCP.
Restart the computer and change the Outlook profile back to Negotiate Authentication. Verify that you can access the mailbox. Using klist.exe or kerbtray.exe, verify that the tickets are created correctly. Both tools are part of the Resource Kit for Windows 2003. In Windows 7 and 2008 klist is part of the OS.
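As an added example (not from the original post), the following PowerShell turns the checks from this troubleshooting story into a read-only script: it searches AD for the Exchange SPN prefixes and reports any SPN that is registered on more than one account (what SetSPN -Q flags as a duplicate), and it reads back the LogLevel and MaxPacketSize values under the Kerberos Parameters key. It assumes a domain-joined machine and a domain user; the SPN prefixes are the ones listed in this post.

```powershell
# Added example; not from the original post. Read-only checks for the two
# things this post troubleshoots: Exchange SPNs registered on more than one
# AD account, and the Kerberos client registry values (LogLevel, MaxPacketSize).
# Assumptions: run on a domain-joined machine as a domain user; the SPN
# prefixes below are the ones the post lists for Outlook/Exchange traffic.

function Get-DuplicateExchangeSpn {
    param([string[]]$Prefixes = @('exchangeMDB', 'exchangeRFR', 'exchangeAB', 'http'))

    $owners = @{}   # spn (lower case) -> distinguished names that carry it
    foreach ($prefix in $Prefixes) {
        # [adsisearcher] searches the current domain; no AD module required.
        $searcher = [adsisearcher]"(servicePrincipalName=$prefix/*)"
        $searcher.PageSize = 500
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
        foreach ($entry in $searcher.FindAll()) {
            $dn = [string]$entry.Properties['distinguishedname'][0]
            foreach ($spn in $entry.Properties['serviceprincipalname']) {
                if ($spn -notlike "$prefix/*") { continue }
                $key = ([string]$spn).ToLowerInvariant()
                if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
                if ($owners[$key] -notcontains $dn) { $owners[$key] += $dn }
            }
        }
    }
    # The same SPN on two accounts is what 'setspn -Q' flags as a duplicate; the
    # KDC then cannot pick the right key and Kerberos fails for that service.
    foreach ($kv in $owners.GetEnumerator()) {
        if ($kv.Value.Count -gt 1) {
            [pscustomobject]@{ SPN = $kv.Key; Accounts = ($kv.Value -join '; ') }
        }
    }
}

function Get-KerberosClientSettings {
    # Same key the post edits: LogLevel=1 writes Kerberos errors to the System
    # log, MaxPacketSize=1 makes every ticket request go over TCP instead of UDP.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $logLevel = $null; $maxPacket = $null
    if ($props) {
        if ($props.PSObject.Properties['LogLevel'])      { $logLevel  = [int]$props.LogLevel }
        if ($props.PSObject.Properties['MaxPacketSize']) { $maxPacket = [int]$props.MaxPacketSize }
    }
    [pscustomobject]@{
        LogLevel        = $logLevel
        MaxPacketSize   = $maxPacket
        LoggingEnabled  = ($logLevel -eq 1)
        KerberosOverTcp = ($maxPacket -eq 1)   # the workaround described in the post
    }
}

# Report: duplicate SPNs first, then the local Kerberos settings.
$dupes = @(Get-DuplicateExchangeSpn)
if ($dupes.Count -eq 0) { Write-Host 'No duplicate Exchange SPNs found.' }
else { $dupes | Format-Table -AutoSize }
Get-KerberosClientSettings | Format-List
```

Run it once on a client that shows the KDC_ERR_BADOPTION error and once after the MaxPacketSize change; a client with KerberosOverTcp set to False and no duplicate SPNs points at the ticket-size problem described here rather than at SPN registration.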

In this screenshot two Kerberos tickets are listed which are used by Exchange. If all authentication is performed using Kerberos you will see the following Kerberos tickets:
- exchangeMDB
- exchangeRFR
- exchangeAB
- http
When you look in the event log of the client you won't find any Kerberos messages.
Microsoft has published a complete document about troubleshooting Kerberos authentication issues. You can find the document here.
Posted in Blog ~ No Comments
In a lot of Exchange environments you will see that a hardware load balancer is used to load balance the traffic to the Client Access Servers (CAS) and Hub Transport Servers (HUB).
In this article we will have a look at the Barracuda Load Balancers and specifically the two-armed setup. In a two-armed setup the Barracuda has two separate IP addresses: one on the WAN interface and one on the LAN interface.
System configuration
This is the first pitfall, which isn't mentioned in the whitepaper Barracuda published for Exchange 2010: you will need to place Exchange in a separate VLAN/subnet. Why? If you don't, a few things won't work:
- Servers/applications which connect via RPC won’t be able to connect
- The Enable Client Impersonation option can’t be used for the other protocols: SMTP/IMAP etc.
So if for example your company network contains two VLANs, create another one which contains Exchange.
The second thing is the gateway. One of the requirements for the load balancer in a two-armed configuration is that the network configuration is modified so that all traffic leaving the subnet is sent to the load balancer.
In normal situations this is not a big issue, but in a co-existence phase with for example Exchange 2003 it might be. To solve this, temporarily create a persistent route and remove it once Exchange 2003 has been removed.
Rules
The rules part of the whitepaper only describes the RPC and HTTP(S) rules of the load balancer. But as a lot of organizations probably know, these are not the only two protocols in use.
Most organizations also use SMTP and IMAP, and some even POP3. In all cases it might be interesting to load balance those three protocols as well.
But let's start with HTTP, because you can fine-tune the parameters of this rule as well. As discussed earlier, the option Enable Client Impersonation is disabled by default. This makes troubleshooting harder because every client IP is replaced by the VIP of the load balancer. So enable this option to ensure that the real client IP is written to the IIS log.
Both SMTP and IMAP can be published using the service type TCP Proxy. With this service type you also have the option Enable Client Impersonation, just like HTTP, which is published using the Layer 7 – HTTPS service type.
In the whitepaper you will find the persistence time and session time-out. It is very important to configure both values correctly: values which are too high may cause a service to fail.
So what are the correct values to use? Well, there are a few options. Let's first have a look at the persistence time. With this parameter we configure how long persistence lasts for a connection. Persistence is used to ensure a client sets up a connection to the same real server if it reconnects within the configured persistence time. If you configure this value too high the following could happen: an application uses SMTP to send messages and the real server used by the client fails. Since the persistence time has not expired, the client keeps being redirected to this server by the load balancer until the time has expired. This results in messages queuing up on the application server.
To prevent this kind of issue either configure no persistence or configure a low persistence time (for example 5 seconds). The first method is recommended.
The second parameter, session time-out, determines how long a session is kept before the connection is closed. In most cases a low value, or even zero, is the way to go, since as long as traffic is sent across the connection it won't be terminated.
At the end of this blog a complete overview is given of all necessary settings for the Exchange rules.
SSL Offloading
One of the benefits of a load balancer is that you can use it to perform SSL offloading. Using this feature you move the encryption and decryption tasks from the Client Access Servers to the hardware load balancer. The advantage is that the CPU of the Client Access Server no longer has to perform these CPU-intensive tasks.
The SSL Offloading configuration can be split in three parts:
- Import the certificate
- Configure the rules
- Exchange configuration
Import the certificate
Importing the certificate on the load balancer is pretty straightforward. Before you start, ensure that you have a copy of the certificate including the private key and, if applicable, the intermediate certificates.
Once you've gathered everything you can install it on the load balancer by going to the Certificates page and providing the following information:
- Name: an identifier for the certificate
- Password: the password which is used to secure the certificate
- Signed certificate: the location of the PFX file

Press Upload to store the certificate on the load balancer and you're ready to continue with the next step.
Configure the rules
SSL offloading can only be performed on the rule that is used to load balance the web services, for example Outlook Web App, Exchange Control Panel, Autodiscover, Exchange Web Services and (optionally) the Offline Address Book.
Edit the rule which is created for load balancing the web services and go to the SSL Offloading section.

The load balancer side has now been configured for SSL offloading. Now it’s time for the Exchange side.
Exchange configuration
The Exchange configuration part is explained very well on this Wiki page:
Exchange Wiki Load Balancing
For this reason I won't explain the steps you have to take, although I recommend using the script below, which can also be found on the Wiki page:
Set-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC (Default Web Site)" -SSLOffloading $true
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD
Import-Module webadministration
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/OWA"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/ECP"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/OAB"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/EWS"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/Microsoft-Server-ActiveSync"
Set-WebConfigurationProperty -Filter //security/access -name sslflags -Value "None" -PSPath IIS:\ -Location "Default Web Site/Autodiscover"
iisreset /noforce
(source: http://social.technet.microsoft.com/wiki/contents/articles/how-to-configure-ssl-offloading-in-exchange-2010.aspx)
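The script above only sets values; as an added example (not part of the original post or of the TechNet wiki script) the following PowerShell reads every one of those settings back, so each Client Access Server can be checked for a half-offloaded state (some virtual directories still requiring SSL) before the load balancer's real server is pointed at port 80. It assumes it runs in the Exchange Management Shell on the CAS itself, and that Get-WebConfigurationProperty returns either a string or an object with a Value member for sslflags.

```powershell
# Added example; not part of the original post or the TechNet wiki script.
# Reads back every setting the offloading script above changes, so each CAS
# can be verified before the load balancer is pointed at its port 80.
# Assumptions: run in the Exchange Management Shell on the CAS itself; the
# virtual directory list matches the script above.

Import-Module WebAdministration

function Get-VdirSslFlags {
    param([string]$Vdir)
    $raw = Get-WebConfigurationProperty -Filter //security/access -Name sslflags `
               -PSPath IIS:\ -Location "Default Web Site/$Vdir"
    # Assumption: depending on the WebAdministration version the result is a
    # plain string or a ConfigurationAttribute with a .Value member; accept both.
    if ($raw -is [string]) { return $raw }
    if ($raw.PSObject.Properties['Value']) { return [string]$raw.Value }
    return [string]$raw
}

function Get-SslOffloadState {
    $vdirs = 'OWA', 'ECP', 'OAB', 'EWS', 'Microsoft-Server-ActiveSync', 'Autodiscover'
    $rows = foreach ($vdir in $vdirs) {
        $flags = Get-VdirSslFlags -Vdir $vdir
        [pscustomobject]@{
            Setting  = "IIS sslflags ($vdir)"
            Value    = $flags
            # 'None' (or 0) means IIS no longer requires HTTPS, so the load
            # balancer can talk plain HTTP to the CAS on port 80. Remember that
            # this leg is then unencrypted: keep it on the Exchange VLAN only.
            Expected = ($flags -eq 'None' -or $flags -eq '0')
        }
    }

    # The registry value tells OWA the connection is secured upstream.
    $owaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
    $owa = Get-ItemProperty -Path $owaKey -Name SSLOffloaded -ErrorAction SilentlyContinue
    $rows += [pscustomobject]@{
        Setting  = 'Registry SSLOffloaded (MSExchange OWA)'
        Value    = if ($owa) { [string]$owa.SSLOffloaded } else { '<missing>' }
        Expected = [bool]($owa -and $owa.SSLOffloaded -eq 1)
    }

    # Outlook Anywhere has its own switch, set by Set-OutlookAnywhere above.
    $oa = Get-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC (Default Web Site)"
    $rows += [pscustomobject]@{
        Setting  = 'Outlook Anywhere SSLOffloading'
        Value    = [string]$oa.SSLOffloading
        Expected = [bool]$oa.SSLOffloading
    }
    $rows
}

function Test-SslOffloadConsistent {
    param([object[]]$State)
    # A CAS where only some settings are offloaded is exactly the failure mode
    # that shows up as a single service breaking behind the VIP.
    $bad = @($State | Where-Object { -not $_.Expected })
    if ($bad.Count -eq 0) { return $true }
    Write-Warning ($bad | Format-Table -AutoSize | Out-String)
    return $false
}

$state = Get-SslOffloadState
$state | Format-Table -AutoSize
if (Test-SslOffloadConsistent -State $state) {
    Write-Host 'SSL offloading is configured consistently on this CAS.'
}
```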
Test if everything works
The most important step once everything is configured is to test if everything works. But how can you test all the services?
There are multiple options to test these services. All these tests can be run from a client, so you don't have to install the Exchange Management Tools on your machine.
Using Outlook
The easiest way is to use Outlook. Perform the following tasks to confirm Outlook can still function correctly:
- Check if you can connect to your mailbox and if applicable the public folders
- Force a complete download of the Offline Address Book
- Check if you can enable/disable Out of Office
- Check if you can view the free/busy information
- Use the Test E-mail Autoconfiguration to confirm the autodiscover functionality still works
The only two things which can't be tested using Outlook are Outlook Web App (OWA) and the Exchange Control Panel (ECP), when using Outlook 2007. If you are using Outlook 2010 you can test the ECP, for example by retrieving the message tracking info of a message.
Using Internet Explorer
The other method, although not comparable with Outlook, is using Internet Explorer. Using Internet Explorer you can only test the web services offered by Exchange:
Will show you the Outlook Web App login page
Will show you the Exchange Control panel login
Using the Exchange Management Shell
As a final option you could test using the Exchange Management Shell. One important remark has to be made: you can't run the test cmdlets from the servers anymore, because the traffic won't be accepted, since it would create a loop in your network.
So to test the services you will need to run them from a client which has the Exchange Management Tools installed.
The following cmdlets can be used:
- Autodiscover: Test-OutlookWebServices
- Exchange Web Services: Test-WebServicesConnectivity
- Exchange Control Panel connectivity: Test-EcpConnectivity
- Outlook Web App: Test-OwaConnectivity
- RPC connectivity: Test-OutlookConnectivity
Here ends the article about how to use the Barracuda Load Balancer in combination with Exchange 2010. As promised, below you will find the rules which you need to configure in the load balancer:
RPC
| Service name | Parameter | Value |
| Outlook | Port | All |
| | Protocol | TCP |
| | Service Type | Layer 4 |
| | Auto-Recover | Yes |
| | Action | Default failure response |
| | Default Scheduling Policy | Weighted Round Robin |
| | Adaptive Scheduling | None |
| | Testing Method | ICMP Ping |
| | Test Delay | 30 |
| | Persistence Time | 1200 |
| | Persistence Netmask | 255.255.255.255 |
| | Enable Notification | No |
| | Minimum Real Servers | 0 |
| | Enable IPS | No |
| Real Server | Parameter | Value |
| IP-Address of server | Name | servername |
| | Weight | 100 |
| | Status | Enabled |
| | Direct Server Return | Disable |
Web Services
| Service name | Parameter | Value |
| Exchange Web Services | Port | 443 |
| | Protocol | TCP |
| | Service Type | Layer 7 HTTPS |
| | Auto-Recover | Yes |
| | Action | Default failure response |
| | Default Scheduling Policy | Weighted Round Robin |
| | Adaptive Scheduling | None |
| | Testing Method | Simple-HTTP |
| | Test Delay | 30 |
| | Persistence Time | 1200 |
| | Persistence Type | HTTP Header |
| | Header Name | Authorization |
| | Enable HTTPS/SSL | Yes |
| | SSL Certificate | Your ssl certificate |
| | Enable Notification | No |
| | Minimum Real Servers | 0 |
| | Enable IPS | No |
| | Enable Client Impersonation | Yes |
| | Session Timeout | 0 |
| Real Server | Parameter | Value |
| IP-Address of server | Name | servername |
| | Port | 80 |
| | Weight | 100 |
| | Status | Enabled |
| | Direct Server Return | Disable |
| | Enable HTTPS/SSL | No |
| | Validate Certificate | Yes |
| | Testing Method | Simple HTTP |
| | Port | 80 |
| | Test Target | /owa/auth/logon.aspx |
| | Test Match | 2600 Microsoft Corporation |
| | Additional Headers | User-Agent: Barracuda Load Balancer Server Monitor |
| | Status Code | 200 |
| | Test Delay | 30 |
SMTP
| Service name | Parameter | Value |
| SMTP | Port | 25 |
| | Protocol | TCP |
| | Service Type | TCP Proxy |
| | Auto-Recover | Yes |
| | Action | Default failure response |
| | Default Scheduling Policy | Weighted Round Robin |
| | Adaptive Scheduling | None |
| | Testing Method | ICMP Ping |
| | Test Delay | 30 |
| | Persistence Time | 0 |
| | Persistence Type | None |
| | Persistence Mask | 255.255.255.255 |
| | Enable HTTPS/SSL | No |
| | SSL Certificate | Your ssl certificate |
| | Enable Notification | No |
| | Minimum Real Servers | 0 |
| | Enable IPS | No |
| | Enable Client Impersonation | Yes |
| | Session Timeout | 5 |
| Real Server | Parameter | Value |
| IP-Address of server | Name | servername |
| | Port | 25 |
| | Weight | 100 |
| | Status | Enabled |
| | Direct Server Return | Disable |
| | Enable HTTPS/SSL | No |
| | Validate Certificate | Yes |
| | Testing Method | Use Service Test Method |
| | Test Delay | 30 |
IMAP
| Service name | Parameter | Value |
| Web Services | Port | 143 |
| | Protocol | TCP |
| | Service Type | TCP Proxy |
| | Auto-Recover | Yes |
| | Action | Default failure response |
| | Default Scheduling Policy | Weighted Round Robin |
| | Adaptive Scheduling | None |
| | Testing Method | TCP Port Check |
| | Test Delay | 30 |
| | Persistence Time | 0 |
| | Persistence Type | None |
| | Persistence Mask | 255.255.255.255 |
| | Enable HTTPS/SSL | No |
| | SSL Certificate | Your ssl certificate |
| | Enable Notification | No |
| | Minimum Real Servers | 0 |
| | Enable IPS | No |
| | Enable Client Impersonation | Yes |
| | Session Timeout | 60 |
| Real Server | Parameter | Value |
| IP-Address of server | Name | servername |
| | Port | 143 |
| | Weight | 100 |
| | Status | Enabled |
| | Direct Server Return | Disable |
| | Enable HTTPS/SSL | No |
| | Validate Certificate | Yes |
| | Testing Method | Use Service Test Method |
| | Test Delay | 30 |
POP3

| Service name | Parameter | Value |
|---|---|---|
| Web Services | Port | 110 |
| | Protocol | TCP |
| | Service Type | TCP Proxy |
| | Auto-Recover | Yes |
| | Action | Default failure response |
| | Default Scheduling Policy | Weighted Round Robin |
| | Adaptive Scheduling | None |
| | Testing Method | TCP Port Check |
| | Test Delay | 30 |
| | Persistence Time | 0 |
| | Persistence Type | None |
| | Persistence Mask | 255.255.255.255 |
| | Enable HTTPS/SSL | No |
| | SSL Certificate | Your ssl certificate |
| | Enable Notification | No |
| | Minimum Real Servers | 0 |
| | Enable IPS | No |
| | Enable Client Impersonation | Yes |
| | Session Timeout | 60 |

| Real Server | Parameter | Value |
|---|---|---|
| IP-Address of server | Name | servername |
| | Port | 110 |
| | Weight | 100 |
| | Status | Enabled |
| | Direct Server Return | Disable |
| | Enable HTTPS/SSL | Yes |
| | Validate Certificate | Yes |
| | Testing Method | Use Service Test Method |
| | Test Delay | 30 |
Special thanks to GianPaolo Corona for providing the screenshots and assisting in getting this configuration working.
If you have other configuration suggestions, don't hesitate to contact me.
Posted in Exchange 2010 ~ 4 Comments
Microsoft has released Update Rollup 6 for Exchange Server 2010 SP1. This rollup fixes the following issues:
- 2431609 (http://support.microsoft.com/kb/2431609/ ) An update is available that updates the message of a retention policy in OWA for Exchange Server 2010
- 2449266 (http://support.microsoft.com/kb/2449266/ ) EWS drops the TCP connection to the EWS client application without any error message in a Microsoft Exchange Server 2010 environment
- 2480474 (http://support.microsoft.com/kb/2480474/ ) Users do not receive quota warning messages after applying SP1 for Exchange 2010
- 2514820 (http://support.microsoft.com/kb/2514820/ ) An incoming fax message is not delivered to the recipient in an Exchange Server 2010 SP1 environment
- 2521927 (http://support.microsoft.com/kb/2521927/ ) Disabling the Exchange ActiveSync Integration feature for OWA does not take effect in OWA Premium clients in an Exchange Server 2010 environment
- 2528854 (http://support.microsoft.com/kb/2528854/ ) The Microsoft Exchange Mailbox Replication service crashes on a computer that has Exchange Server 2010 SP1 installed
- 2535289 (http://support.microsoft.com/kb/2535289/ ) The Microsoft Exchange Information Store service crashes occasionally when you run an antivirus application on an Exchange Server 2010 Mailbox server
- 2536313 (http://support.microsoft.com/kb/2536313/ ) Slow message delivery and mailbox access for journaling mailboxes on an Exchange Server 2010 server
- 2544246 (http://support.microsoft.com/kb/2544246/ ) You receive a NRN of a meeting request 120 days later after the recipient accepted the request in an Exchange Server 2010 SP1 environment
- 2548246 (http://support.microsoft.com/kb/2548246/ ) The Microsoft Exchange Information Store service crashes occasionally when a folder view is corrupted on an Exchange Server 2010 mailbox server
- 2549183 (http://support.microsoft.com/kb/2549183/ ) “There are no objects to select” message when you try to use the EMC to specify a server to connect to in an Exchange Server 2010 SP1 environment
- 2549289 (http://support.microsoft.com/kb/2549289/ ) A RBAC role assignee can unexpectedly run the Add-MailboxPermission command or the Remove-MailboxPermission command on an Exchange Server 2010 server that is outside the role assignment scope
- 2555851 (http://support.microsoft.com/kb/2555851/ ) A mailbox does not appear in certain address lists after you run commands on the mailbox in an Exchange Server 2010 SP1 environment
- 2559814 (http://support.microsoft.com/kb/2559814/ ) A user cannot add or remove delegates from a mailbox by using Outlook in an Exchange Server 2010 environment
- 2561514 (http://support.microsoft.com/kb/2561514/ ) Exchange Server 2003 user cannot view the free/busy information of a user in a different federated organization
- 2563860 (http://support.microsoft.com/kb/2563860/ ) You cannot create a new mailbox database if you already have 1000 mailbox databases in an Exchange Server 2010 environment
- 2567409 (http://support.microsoft.com/kb/2567409/ ) Certain free/busy messages are not replicated from an Exchange Server 2010 server to an Exchange Server 2003 server
- 2571791 (http://support.microsoft.com/kb/2571791/ ) Retention policies are applied to Contact items unexpectedly in an Exchange Server 2010 environment
- 2572052 (http://support.microsoft.com/kb/2572052/ ) Certain properties of a recurring meeting request from external email accounts are missing in an Exchange Server 2010 SP1 environment
- 2575005 (http://support.microsoft.com/kb/2575005/ ) You cannot start the EMC or the EMS in an Exchange Server 2010 Service Pack 1 environment
- 2578631 (http://support.microsoft.com/kb/2578631/ ) Certain users cannot send email messages to a mail-enabled public folder in an Exchange Server 2010 environment
- 2579172 (http://support.microsoft.com/kb/2579172/ ) Items that are deleted or moved still appear in the original folder when you use Office Outlook in online mode to access an Exchange Server 2010 mailbox
- 2579671 (http://support.microsoft.com/kb/2579671/ ) No results returned when you use the ExpandGroup method in EWS to retrieve a list of members of a Dynamic Distribution Group in an Exchange Server 2010 environment
- 2582095 (http://support.microsoft.com/kb/2582095/ ) The SmtpMaxMessagesPerConnection property of a send connector is not replicated to the subscribed Edge Transport server in an Exchange Server 2010 environment
- 2600835 (http://support.microsoft.com/kb/2600835/ ) The RPC Client Access service crashes when you delete an attachment of an item by using Outlook in online mode in an Exchange Server 2010 SP1 environment
- 2601701 (http://support.microsoft.com/kb/2601701/ ) The memory usage of the MSExchangeRepl.exe process keeps increasing when you perform a VSS backup on Exchange Server 2010 databases
- 2616127 (http://support.microsoft.com/kb/2616127/ ) "0x80041606" error code when you use Outlook in online mode to search for a keyword against a mailbox in an Exchange Server 2010 environment
- 2617126 (http://support.microsoft.com/kb/2617126/ ) The Store.exe process crashes when you send an email message that has attachments in an Exchange Server 2010 SP1 environment
- 2627769 (http://support.microsoft.com/kb/2627769/ ) Some time zones in OWA are not synchronized with Windows in an Exchange Server 2010 environment
The rollup can be downloaded from the Microsoft download page:
Update Rollup 6 for Exchange Server 2010 SP1
Posted in Exchange 2010 ~ No Comments
As you may know, Exchange by default has one Offline Address Book (OAB) and one Global Address List (GAL). The GAL contains all objects for which Exchange attributes are configured, for example groups, user objects and contacts.
The OAB is generated once a day by the generation server. Within an Exchange environment only one server is responsible for generating the OAB, and this is always a server that holds the Mailbox role.
To find out which server is responsible for generating the OAB you can use two methods:
Exchange Management Console (EMC)
- Open Organization Management
- Select the Mailbox object
- Select the tab Offline Address Book

Exchange Management Shell (EMS)
- Run the following cmdlet: Get-OfflineAddressBook | Select-Object Name,Server

On the generation server you will find the ExchangeOAB directory inside the Exchange directory. In this directory another folder is created, named after the GUID of the OAB. Inside this directory several files are stored:
- the .lzx files, which contain the address book data
- oab.xml, the index that points to the address book files. Without the oab.xml file the client will not be able to find and download the address book files.
The OAB can be distributed via two methods: Public Folder distribution and Web-based distribution through the Client Access Servers.
The Public Folders may be configured to have additional replicas, which ensures that the OAB files are stored in multiple Public Folder databases. But how are the OAB files distributed to the Client Access Servers (CAS)?
To distribute the OAB to the configured CAS servers the File Distribution service is used. This service runs on all CAS servers and checks every 8 hours whether a new OAB is available.
As a result, users who use Outlook in Online Mode or Outlook Web App can sometimes see new users earlier than users who rely on the downloaded OAB, which can be very annoying.
To change this you must change the poll interval via EMS, using the Set-OabVirtualDirectory cmdlet:
Set-OabVirtualDirectory -Identity "servername\OAB (Default Web Site)" -PollInterval 120
Using the example above we reconfigure the CAS servers to check every 2 hours for an update. But keep in mind that the GAL will only be generated once per day. If you wish to update an object, perform the following steps:
- update the object
- wait for AD replication
- run the following cmdlet: Update-GlobalAddressList "Default Global Address List"
- run the following cmdlet: Update-OfflineAddressBook "servername\OAB (Default Web Site)"
- run the following cmdlet: Update-FileDistributionService
If you only want to distribute the OAB to the CAS servers, run the cmdlet Update-FileDistributionService. This ensures that the CAS servers check whether an update is available for the OAB.
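As an added example (not from the original post), here is a small script that ties the steps above together: it reports which Mailbox server generates the OAB, sets the poll interval on every CAS OAB virtual directory, regenerates the GAL and the OAB, and then tells the File Distribution service on each CAS to fetch the new files right away. It assumes an Exchange 2010 Management Shell session with sufficient rights; the OAB and GAL names, the 120-minute poll interval and the script name Update-Oab.ps1 are assumptions you should adjust to your own environment.

```powershell
# Update-Oab.ps1 (hypothetical name) - added example, not code from the original post.
# Assumptions: run from the Exchange 2010 Management Shell; default OAB/GAL names.
param(
    [string]$OabName     = "Default Offline Address Book",   # assumption
    [string]$GalName     = "Default Global Address List",    # assumption
    [int]   $PollMinutes = 120                               # 2 hours instead of the 8-hour default
)

# 1. Which Mailbox server generates the OAB? Only this server builds the files.
$oab = Get-OfflineAddressBook -Identity $OabName
Write-Host ("OAB '{0}' is generated on: {1}" -f $oab.Name, $oab.Server)
Write-Host ("Web distribution enabled: {0}" -f $oab.WebDistributionEnabled)

# 2. Make every CAS poll the generation server every $PollMinutes minutes.
Get-OabVirtualDirectory | ForEach-Object {
    Set-OabVirtualDirectory -Identity $_.Identity -PollInterval $PollMinutes
    Write-Host ("Poll interval on {0} set to {1} minutes" -f $_.Server, $PollMinutes)
}

# 3. Regenerate the GAL and the OAB now instead of waiting for the daily schedule.
#    Run this only after AD replication of your object change has completed.
Update-GlobalAddressList -Identity $GalName
Update-OfflineAddressBook -Identity $OabName

# 4. Tell the File Distribution service on each CAS to pick up the new OAB files.
Get-ClientAccessServer | ForEach-Object {
    Update-FileDistributionService -Identity $_.Name -Type OAB
    Write-Host ("OAB distribution triggered on {0}" -f $_.Name)
}
```

Step 2 only needs to run once; afterwards a plain run of steps 3 and 4 is enough whenever you want an object change to reach the OAB before the next daily generation.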
If there are still issues you will need to enable logging. The logging needs to be enabled on the CAS servers that are responsible for distributing the OAB:
Set-EventLogLevel -Identity "MSExchangeFDS\General" -Level Expert
Set-EventLogLevel -Identity "MSExchangeFDS\FileReplication" -Level Expert
Force a replication using the File Replication service to verify whether an update is available:
Update-FileDistributionService -Identity servername
Once the cmdlet has executed, check the application event log to verify that the replication has occurred.

In the screenshot above you can see that the data synchronisation has started. In this case Web distribution has just been enabled, but the CAS server doesn't have a copy yet.

Once the OAB has been synchronized successfully you will see the message above in the event log. When you browse to the directory X:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB you will find a directory which contains both the oab.xml and the address book files.
Don't forget to reset the logging level to the original level once you have finished troubleshooting:
Set-EventLogLevel -Identity "MSExchangeFDS\General" -Level Lowest
Set-EventLogLevel -Identity "MSExchangeFDS\FileReplication" -Level Lowest
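The logging and verification steps can be scripted as well. The following is an added example, not part of the original post: it raises the two MSExchangeFDS logging categories to Expert, forces one OAB replication, lists what the service wrote to the Application log since then, checks that the GUID-named folder under ClientAccess\OAB contains oab.xml and .lzx files, and restores the original logging levels in a finally block so they are never left at Expert by accident. It assumes it is run in the Exchange Management Shell on the CAS itself (so the local event log and $env:ExchangeInstallPath are the ones that matter), and the 60-second wait is an assumption you may need to lengthen for large OABs.

```powershell
# Added example, not code from the original post.
# Assumptions: run in the Exchange 2010 Management Shell on the CAS itself;
# $env:ExchangeInstallPath is set by Exchange 2010 setup.
param([string]$Cas = $env:COMPUTERNAME)

$categories = "MSExchangeFDS\General", "MSExchangeFDS\FileReplication"

# Remember the current levels so they can be restored exactly afterwards.
$original = foreach ($c in $categories) { Get-EventLogLevel -Identity $c }

try {
    # Raise logging to Expert only for the duration of the test.
    foreach ($c in $categories) { Set-EventLogLevel -Identity $c -Level Expert }

    $start = Get-Date
    Update-FileDistributionService -Identity $Cas -Type OAB
    Start-Sleep -Seconds 60   # assumption: enough time for the copy to complete

    # Show everything the File Distribution service logged since the forced run.
    Get-EventLog -LogName Application -Source MSExchangeFDS -After $start |
        Sort-Object TimeGenerated |
        Format-Table TimeGenerated, EntryType, EventID, Message -AutoSize -Wrap

    # A successful sync leaves a GUID-named folder holding oab.xml plus the .lzx files.
    $oabRoot = Join-Path $env:ExchangeInstallPath "ClientAccess\OAB"
    Get-ChildItem $oabRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $hasXml   = Test-Path (Join-Path $_.FullName "oab.xml")
        $lzxCount = @(Get-ChildItem $_.FullName -Filter *.lzx).Count
        "{0}: oab.xml present={1}, lzx files={2}" -f $_.Name, $hasXml, $lzxCount
    }
}
finally {
    # Always put the logging levels back, even if a step above failed.
    foreach ($o in $original) { Set-EventLogLevel -Identity $o.Identity -Level $o.EventLevel }
}
```

If the folder listing shows a GUID directory without oab.xml, or with no .lzx files, the copy is incomplete and the Expert-level MSExchangeFDS events printed just above it will tell you at which step it stopped.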
Here ends the blog about how the OAB is distributed to the CAS servers. If you would like more information about the cmdlets, have a look at the TechNet pages below:
TechNet: Update-FileDistributionService
TechNet: Update-GlobalAddressList
TechNet: Update-OfflineAddressBook
Posted in Exchange 2010 ~ No Comments