During a troubleshooting session at one of our customers I ran into an issue which can be found on several forums nowadays: OWA only displays a blank screen instead of the logon page. But what is the cause of this issue? There are several possible reasons:

  • not all required Windows Components are installed
  • changes have been made in the configuration using IIS

Required Windows Components are missing

The first reason is quite strange, as you would expect the Exchange installation to check whether all required components are in place before starting.

If you forget, for example, the static content component of IIS, this may cause the blank OWA screen. To make it a bit easier you can use the commands below to install all required Windows Components on a Windows 2008 server which will become a CAS server:

ServerManagerCmd -i Powershell
ServerManagerCmd -i Web-Server
ServerManagerCmd -i Web-ISAPI-Ext
ServerManagerCmd -i Web-Metabase
ServerManagerCmd -i Web-Lgcy-Mgmt-Console
ServerManagerCmd -i Web-Basic-Auth
ServerManagerCmd -i Web-Digest-Auth
ServerManagerCmd -i Web-Windows-Auth
ServerManagerCmd -i Web-Dyn-Compression

If you're planning to use Outlook Anywhere, don't forget to install the RPC over HTTP feature:

ServerManagerCmd -i RPC-over-HTTP-proxy

If all the above components are installed you can start installing Exchange 2007.
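Added example, not part of the original post: a small check that reports which of the components listed above are still missing before you start the Exchange setup. It assumes that "ServerManagerCmd -query" prints one line per component in the form "[X] Display Name  [Component-Id]", with "[ ]" for components that are not installed.

```powershell
# Added example (not from the original post). Parses "ServerManagerCmd -query"
# output, assumed to print "[X] Display Name  [Component-Id]" per component,
# with "[ ]" for components that are not installed.
function Get-MissingComponent {
    param([string[]] $Required)
    $installed = @{}
    ServerManagerCmd -query | ForEach-Object {
        if ($_ -match '^\s*\[(?<state>X| )\].*\[(?<id>[A-Za-z0-9-]+)\]\s*$') {
            $installed[$Matches['id']] = ($Matches['state'] -eq 'X')
        }
    }
    # Anything never seen in the query output is treated as missing as well
    return @($Required | Where-Object { -not $installed[$_] })
}

# The components from the post, plus Web-Static-Content because the post names
# a missing static content component as a cause of the blank OWA page
$required = @(
    'PowerShell', 'Web-Server', 'Web-ISAPI-Ext', 'Web-Metabase',
    'Web-Lgcy-Mgmt-Console', 'Web-Basic-Auth', 'Web-Digest-Auth',
    'Web-Windows-Auth', 'Web-Dyn-Compression', 'Web-Static-Content',
    'RPC-over-HTTP-proxy'   # only needed when Outlook Anywhere will be used
)

$missing = Get-MissingComponent -Required $required
if ($missing.Count -eq 0) {
    Write-Host 'All required Windows components are installed.'
} else {
    Write-Host 'Missing components (install each with: ServerManagerCmd -i <Id>):'
    $missing | ForEach-Object { Write-Host "  $_" }
}
```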

OWA virtual directory configuration is corrupted

Making configuration changes using IIS may cause your OWA configuration to become corrupted. So don't use IIS to make changes; use the Exchange Management Shell or Exchange Management Console instead.

But if you did make changes using IIS and OWA no longer works, how can it be solved? There is only one solution: remove the OWA virtual directory and recreate it. This can be done with the remove-owavirtualdirectory and new-owavirtualdirectory cmdlets.

The first step is to remove the old OWA directory:

remove-owavirtualdirectory "owa (Default Web Site)"

This will remove the virtual directory, as you can see in the screenshot below:

Once the directory is removed we can create a new one using the cmdlet below:

new-owavirtualdirectory -OwaVersion "Exchange2007" -Name "owa (Default Web Site)"

This will recreate the OWA virtual directory and, if you're lucky, OWA will work again. These were just two causes of this issue. If you have the same issue but the above steps didn't work, contact me so I can add your solution to this article: johan (a) johanveldhuis.nl

Posted in Exchange 2007 ~ No Comments

According to the Technet documentation you should be able to install Exchange 2010 in an environment where Exchange 2007 is running. A while ago I got a question from a customer who had an issue when trying to install Exchange 2010. The problem occurred when running setup.com /ps to extend the schema for Exchange; the following error message was displayed:

The schema version of Exchange 2007 SP3 is higher than the one from the Exchange 2010 setup. This makes it impossible to install Exchange 2010.

When you have installed Exchange 2007 SP3 you will have to wait for a service pack that extends the schema. Because a lot of people will probably install Exchange 2007 SP3, this may be included in SP1 for Exchange 2010.

Below is an overview of the Exchange versions and the schema version they use:

Exchange             Schema
Exchange 2000 RTM    4397
Exchange 2000 SP3    4397
Exchange 2003 RTM    6870
Exchange 2003 SP3    6936
Exchange 2007 RTM    10628
Exchange 2007 SP3    14625
Exchange 2010        14622

If you would like to know how to find out which version of the AD schema you are using, take a look at the site linked below:

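Added example, not part of the original post: a script that reads the Exchange schema version from Active Directory and compares it with the table above, so you know before running setup.com /ps whether the forest is already above the version the Exchange 2010 setup carries. It assumes PowerShell 2.0 on a domain-joined machine with read access to the schema partition; the version numbers are copied from the table in the post.

```powershell
# Added example (not from the original post). Reads rangeUpper of
# ms-Exch-Schema-Version-Pt from the schema partition and compares it with
# the post's table. Assumes PowerShell 2.0 and read access to the schema.
function Get-ExchangeSchemaVersion {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext
    try {
        $versionPt = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNc"
        return [int][string]$versionPt.rangeUpper
    } catch {
        return 0   # object absent: the schema was never extended for Exchange
    }
}

# Schema versions from the table in the post
$knownVersions = @{
    'Exchange 2000 RTM' = 4397;  'Exchange 2000 SP3' = 4397
    'Exchange 2003 RTM' = 6870;  'Exchange 2003 SP3' = 6936
    'Exchange 2007 RTM' = 10628; 'Exchange 2007 SP3' = 14625
    'Exchange 2010'     = 14622
}

function Test-SetupCanExtendSchema([int] $Current, [int] $Setup) {
    # The post reports that setup.com /ps refuses to run when the forest is
    # already above the version carried by setup (2007 SP3 vs. 2010 RTM)
    return ($Current -le $Setup)
}

$current = Get-ExchangeSchemaVersion
$names = $knownVersions.Keys | Where-Object { $knownVersions[$_] -eq $current }
Write-Host ("Forest schema version {0} ({1})" -f $current, ($names -join ', '))
if (Test-SetupCanExtendSchema $current $knownVersions['Exchange 2010']) {
    Write-Host 'Exchange 2010 RTM setup.com /ps can extend this schema.'
} else {
    Write-Host 'Schema is already newer than Exchange 2010 RTM: wait for a service pack that extends it.'
}
```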

Posted in Exchange 2010 ~ 7 Comments

One of the new features in Exchange 2007 Service Pack 3 is the ability for users to change their password before logging in. Before Service Pack 3 a user whose password had expired needed to call the helpdesk to reset it or use another solution. With this new feature the user is redirected to another page where he/she can change the password.

But how does this work? In the OWA directory, which you can find under Exchange\ClientAccess\OWA, you will find a directory called auth. This directory contains several files used for login and logout. Besides these files there are two new ones: expiredpassword.aspx and exppw.dll.

Before you can use the new functionality you will need to make an adjustment in the registry of the CAS server. Go to the following location in the registry:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA

Create a new DWORD called ChangeExpiredPasswordEnabled and set its value to 1. It should look like the screenshot below:

During logon (logon.aspx) a check is done whether the password has expired; if so, the user is redirected to expiredpassword.aspx.

Before users can change their password they first need to specify the old password. Once the password has been changed the user is redirected to his/her mailbox.

Posted in Exchange 2007 ~ No Comments

Today I had a nice issue at a customer site where they tried to install Exchange in a test environment. First a short introduction. Let's say you have an AD forest which contains a child domain in which you want to host Exchange. You first need to do some things in the forest before you can install Exchange in the child domain. You start with the schema upgrade, followed by the forest prep. As the last step you prepare the child domain, after which you can start the Exchange setup.

Normally you will use the same media for all servers, but with Exchange 2007 this can differ, because Exchange 2007 had a 32-bit version which could be used in test environments or to prepare the schema/forest on a 32-bit DC.

So what happened? Everything was done following the correct steps, but when starting the Exchange installation via the GUI the following errors were displayed in the log:

[2/7/2010 11:30:46 PM] [0] Setup has chosen the local domain controller dc.ota.company.corp for initial queries
[2/7/2010 11:30:46 PM] [0] PrepareAD has either not been run or has not replicated to the domain controller used by Setup. Setup will attempt to use the Schema Master domain controller dc.company.corp
[2/7/2010 11:30:46 PM] [0] The schema master domain controller is available

So first I checked whether the servers could connect to each other, which was no issue. After trying some things we decided to move the schema master to the child domain to see if that would help. But this was also a no-go and gave the following warnings:

[2/8/2010 3:32:34 PM] [1] [ERROR] PrepareDomain for domain ota has partially completed. Because of your Active Directory site configuration, you must wait for forest-wide replication to occur, and then run PrepareDomain for ota again.
[2/8/2010 3:32:34 PM] [1] [ERROR] Active Directory operation failed on dc.ota.company.corp. This error is not retriable. Additional information: The specified group type is invalid.
Active directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Waiting for 15 minutes didn't fix the issue, so we reverted all changes and I decided to start the Exchange setup via the GUI on the schema master. Then I saw the issue immediately: the files used on the schema master were for Exchange 2007 RTM and not for Exchange 2007 SP1. After using the correct files it worked without any issues.

It was a nice jigsaw after all.

Posted in Exchange 2007 ~ No Comments

Microsoft has released Rollup 2 for Exchange 2007 SP2. This rollup contains several fixes, among which:

  • the CAS server becomes slower when a user accesses a folder with a lot of content
  • meetings synchronized via a mobile device are displayed as all-day events while they are not
  • the log and database grow abnormally
  • mails which need to be sent to remote domains get stuck in the queue

These are just a few of the fixes in Rollup 2; for a complete overview you can visit the following site.

Posted in Exchange 2007 ~ No Comments

It has been a while since the last tutorial, so here is a new one about autodiscover in a multi-forest environment. Autodiscover can already cause some headaches, so deploying it in a multi-forest environment may do so too. In this tutorial I will explain how you can configure and test autodiscover in a multi-forest environment.

Posted in Tutorials ~ 2 Comments

Autodiscover is a really nice feature of Exchange, but it can cause headaches. When implementing it in a multi-forest environment you have to take care of some extra things. In this tutorial I will explain which steps are needed and show what goes wrong when it is not configured correctly.

Below is an overview of the forests in my test environment:

multiforest environment

In this environment the following forests have been created:

  • demo.local, the user forest. All user accounts will be created in this forest, which contains a domain controller.
  • exchange.local, one of the Exchange resource forests. This forest contains an Exchange server with the HUB, CAS and mailbox roles installed; besides this it is the domain controller for this forest.
  • company.local, the other Exchange resource forest. This forest also contains an Exchange server with the HUB, CAS and mailbox roles installed, which also functions as the domain controller for this forest.

OK, now what do we want to achieve? The user accounts will be created in the demo.local forest. All users will be placed in separate OUs per Exchange resource forest. The next step is to create the linked mailboxes in the resource forests. These forests will contain user accounts too, but all of them will be disabled. Users will log in to the demo.local domain and configure their Outlook using autodiscover.

The steps to install a domain controller and to install Exchange are skipped; I will assume that you have three forests containing the servers mentioned above, including the domain controller and Exchange roles.

First we create the trust between the forests. Before we can set up the trust we need to ensure that DNS records can be resolved correctly. This can be done by creating a forwarder to the DNS server responsible for the other domain, so the DNS server in the user forest contains a forwarder to the DNS server in the resource forest and vice versa.

The next step is to create the trust. This can be done with the netdom command:

Netdom trust trusting_domain_name /domain:trusted_domain_name /verify

Or via Active Directory Domains and Trusts, using the wizard:


Create trust

Specify the name of the user forest.

Forest trust

In the next step you will specify the type of trust you want to create, in this case a forest trust.


Outgoing trust

Then we define that the trust only needs to be an outgoing trust, because users from the user forest only need to authenticate in the resource forest and not vice versa.

Create trust

Optionally you can also have the trust created in both forests; for this you need to specify an account with enough permissions.

Authenticate user

Once specified, click Next.

Forest-wide authentication

One of the last steps is choosing between forest-wide and selective authentication. With this we configure whether the complete forest gets access to the resource forest or whether this needs to be configured per user.

After a short overview, click Next to create the trust; the following screen will be displayed.

Trust created

If you like, you can perform an extra check.

Trust validation

After the test is performed the test results will be displayed.

Results check

Before we continue with the next steps we need to create the user in the user forest. This can be done via Active Directory Users & Computers and can be a standard user. When the user is created we can create the linked mailbox; for this we open the Exchange Management Console or Exchange Management Shell.

To create the linked mailbox from the command line, execute the following command:

New-Mailbox -Database "Mailbox Database" -Name "Demo User" -LinkedDomainController "dc.demo.local" -LinkedMasterAccount demo\demouser -OrganizationalUnit Exchange\Users -UserPrincipalName demouser@exchange.local -LinkedCredential:(Get-Credential demo\administrator)

Or using the GUI: once opened, go to Recipient Configuration and select the Mailbox item.

Recipient Configuration

Right-click on the Mailbox item and choose the option New Mailbox.

New Mailbox

A wizard will be opened.

Linked mailbox

Choose the option Linked Mailbox and click Next.

New user

After this you have the option to select an existing user or create a new one; keep in mind that this will be in the resource forest and not in the user forest.

New user step 2

Fill in the required fields and press next to continue.

Create mailbox

Select the database where you want to create the mailbox and, if you like, select an ActiveSync and managed folder policy for this user.

Master account

In the next screen we select the master account to which the mailbox will be linked; this is a user in the user forest. You can easily select the user by pressing the Browse button. When you have selected the user, press Next to continue.

A short overview will be displayed and when pressing next again the user and mailbox will be created.

Linked mailbox created

As you can see in the screen above the user and mailbox have been created successfully.

When the mailbox is created we can perform some tests. These tests will not succeed, as the user forest does not know anything about the autodiscover functionality in the resource forest.

First we start Outlook and the following screen will be displayed.

Outlook - create profile

We fill in all the required information and press Next to continue.

Outlook - error

After several seconds Outlook displays a message that it can't set up a secure connection and offers the option to set up an unencrypted connection; click Next to try this.

Outlook - unencrypted error

This will also not succeed, and Outlook tells you to verify the information. In this case we are 100% sure that the specified information is correct, so why does Outlook display the error?

This is what a client does when using the autodiscover functionality from the LAN:

Autodiscover workflow

As you can see, a query is done for a Service Connection Point (SCP). This object lives in the configuration partition of Active Directory, and it does not exist in the user forest.

To double-check this we open ADSI Edit on a domain controller in the user forest. Once opened, open the configuration partition and go to:

CN=Services,CN=Configuration,DC=domain,DC=local

Adsiedit - without autodiscover service

To create the SCP in the user forest we will need to execute the following command on the Exchange server in the resource forest:

Export-AutoDiscoverConfig -DomainController DomainControllerName -TargetForestDomainController TargetForestDomainControllerName -MultipleExchangeDeployments $true

I think the parameters are clear enough, but maybe the last one needs some additional explanation. When MultipleExchangeDeployments is set to $true you tell the forest that you have multiple Exchange forests. Not really exciting, you may think, but it is: the parameter also exports the accepted domains defined in the Exchange environment. When adding an extra accepted domain you need to execute this command again to update the SCP object.

When you have a look with ADSI Edit again on the domain controller in the user forest you will see that the object for the autodiscover service has been created.

Adsiedit - with autodiscover service

Per Exchange forest a folder is created, in our case exchange.local and company.local.

When you open the properties of the folder and look at the values of keywords and serviceBindingInformation, you will see that they point to the resource forest. The keywords attribute contains the Active Directory site of which the CAS is a member. The serviceBindingInformation attribute contains the FQDN of the CAS server in the following format: https://ex.exchange.local/autodiscover/autodiscover.xml. When replication between the user forest and the resource forest has succeeded it's time to try again, so we start Outlook.
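Added example, not part of the original tutorial: a script that lists the Autodiscover SCP objects Export-AutoDiscoverConfig created in the user forest and checks that every serviceBindingInformation value is an https URL pointing into one of the expected resource forests, so a stale or unexpected SCP is noticed before Outlook follows it. It assumes the exported objects live under CN=Microsoft Exchange Autodiscover,CN=Services in the user forest's configuration partition (the container name is an assumption), PowerShell 2.0, and read access to that partition; the host and forest names are the tutorial's.

```powershell
# Added example (not from the original tutorial). Assumes the exported SCPs
# live under CN=Microsoft Exchange Autodiscover,CN=Services in the user
# forest's configuration partition (container name is an assumption).
function Get-ExportedAutodiscoverScp {
    param([string] $DomainController = 'dc.demo.local')   # a DC in the user forest
    $rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $root = [ADSI]"LDAP://$DomainController/CN=Microsoft Exchange Autodiscover,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=serviceConnectionPoint)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange(@('name', 'keywords', 'servicebindinginformation'))
    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name  = [string]$result.Properties['name'][0]
            Sites = @($result.Properties['keywords'])                   # AD site(s) of the CAS
            Urls  = @($result.Properties['servicebindinginformation'])  # autodiscover URL(s)
        }
    }
}

# Resource forests the tutorial exported from; an SCP whose URL points
# anywhere else, or is not https, deserves a closer look before clients use it
$expectedForests = @('exchange.local', 'company.local')

function Test-AutodiscoverUrl([string] $Url) {
    $uri = [Uri]$Url
    if ($uri.Scheme -ne 'https') { return $false }
    foreach ($forest in $expectedForests) {
        if ($uri.Host.EndsWith(".$forest", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($scp in Get-ExportedAutodiscoverScp) {
    foreach ($url in $scp.Urls) {
        $status = if (Test-AutodiscoverUrl $url) { 'OK   ' } else { 'CHECK' }
        Write-Host ("{0} {1,-15} {2}  site: {3}" -f $status, $scp.Name, $url, ($scp.Sites -join ', '))
    }
}
```

Re-run it after every Export-AutoDiscoverConfig (for example after adding an accepted domain) to confirm the SCP objects still point where you expect.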

Outlook - create profile

We fill in the required info and press Next.

Create Outlook profile successfully

As you can see above the automatic configuration of Outlook has succeeded and we can use Outlook to confirm this.

Outlook test e-mail autoconfiguration

Interesting links:

MsExchange Team: Configuration Tips and common troubleshooting steps for multiple forest deployment of Autodiscover service
Technet: White Paper: Exchange 2007 Autodiscover Service
Technet: How to create a linked mailbox

Posted in ~ No Comments

Exchange setup error

Today I brought a new Exchange environment online. This time it was a greenfield situation: an environment which is completely separated from the old environment. A big part of the server environment is virtualized, among them the Exchange server. Citrix XenServer was selected as the virtualization platform, and as it is on the list on the Microsoft site it should not be a problem.

So after the design was approved by the customer we started with the installation. Since some small things needed to be done on other servers I opened XenCenter so I could easily access all servers. Not a big problem, you may think, until Exchange started preparing the AD. After a few minutes the following error was displayed: you do not have permissions to read the security descriptor on cn=deleted  objects,cn=configuration,dc=ishw,dc=local. Very strange, because the account had enough permissions and the replication between the DCs went OK. So I started to search for the cause of the issue and found a few possibilities:

- change the drive letter of the CD/DVD-ROM; this was not an option since the installation files were on a file share
- fix the permissions with ADAM; as this option brings some risks with it I skipped this one and saved it for later
- install it via the console; a little bit problematic with a VM, so I tried RDP with the /console or /admin option

This last option was the solution, so apparently XenCenter makes an RDP connection without the /console or /admin option. If you're planning to install Exchange in a XenServer environment, keep an eye on this.

Below are some interesting articles:

Microsoft Support Policies and Recommendations for Exchange Servers in Hardware Virtualization Environments
Security descriptor error during Exchange Server 2007 schema extension
Technet Forum: Exchange 2007 Install Error : Read Security Descriptor

Posted in Exchange 2007 ~ No Comments

Starting with Exchange 2010 Microsoft will no longer use single instance storage. But what did single instance storage do and what are its pros and cons?

Single instance storage (SIS) has been a part of Exchange since Exchange 4.0 up to and including Exchange 2007, and did not change very much. With single instance storage a message which has been sent to 50 users is saved only once per mailbox store. Exchange places a pointer in the other mailboxes which points to the original message; this applies to both the message and the attachment. Since Exchange 2007, Exchange only applies SIS to attachments. This does not apply if Exchange is upgraded to 2007 from Exchange 2000/2003: in that case it will apply SIS to both the message and the attachment if the following statements are true:

  • the mailboxes must be kept together in the new database
  • a transition instead of a migration is done to Exchange 2007

You may think: why is Microsoft no longer using SIS in Exchange 2010? The reason is quite simple: storage is cheaper nowadays. One of the benefits of SIS was that you need less space in the storage environment; one of the cons was that it took more IOPS. Today the focus is more on reducing IOPS than on reducing disk capacity.

Below are some useful links:

Technet: understanding single instance storage
MsExchange Team: single instance storage in Exchange 2007
Harold Wong's Blog site: Exchange 2010 archiving and retention

Posted in Exchange ~ No Comments

A really simple PowerShell script: the script below makes it possible to create a room mailbox and adds extra permissions to it:

Param(
    [string] $room
)
# Create a room mailbox in the Conference Rooms OU and give the administrator Receive-As on it
New-Mailbox -Database "MBX-srv\Mailbox Database" -Name $room -OrganizationalUnit "Conference Rooms" -DisplayName $room -UserPrincipalName "$room@domain.local" -Room
Add-ADPermission -Identity $room -User domain\administrator -ExtendedRights "Receive-As"

Executing the script: .\new-room.ps1 "meetingroom1"

The script will place all rooms in the OU named Conference Rooms.

First the name specified after the $room parameter is read. After this the mailbox is created as a mailbox of the type room. The last step is setting the extra permissions; this is done with the Add-ADPermission command. In this case Receive-As is added, but Send-As is also an option.

Below are a few links to the Technet pages of the commands used:

Technet add-adpermission
Technet new-mailbox

Posted in Exchange 2007 ~ No Comments