Exchange 2010

All posts tagged Exchange 2010

Lync integration doesn’t work with OWA

During an implementation of Lync 2010 I had an issue with the integration of Lync in OWA. It worked on all CAS servers except one, even though all the required software prerequisites had been installed:

And the configuration on both the CAS and Front End Server was completed.

Removing the software and reinstalling it did not solve the issue either. In the application log the following warning was displayed:

An exception was thrown while attempting to load the IM provider .dll file.
File: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OWA\bin\Microsoft.Rtc.UCWeb.dll
Unable to load one or more of the requested types. Retrieve the LoaderExceptions property for more information.

For some reason the DLL couldn’t be loaded correctly. The solution was pretty easy: just reset IIS using IISReset /noforce.

After running the command the IM integration worked without any issues.

Turn Off Exchange Store Time-Out Detection

In my last blog we discussed the functionality of quarantining a mailbox if:

  • A thread doing work for a mailbox fails
  • More than five threads in a mailbox haven’t made progress for a long time (more than 60 seconds)

In some cases this can lead to a situation which is not acceptable, for example when it occurs multiple times within one week or even multiple times a day. In my last blog we talked about how to see that a mailbox is quarantined. But wouldn’t it be nice to monitor it and prevent mailboxes from being quarantined?

When one of the issues above occurs the following events will be logged in the application log:

  • Event 10025: Reports a time-out on the Exchange server
  • Event 10026: Reports a time-out on the database
  • Event 10027: Reports a time-out on an individual mailbox

All events have the same source, MSExchangeIS. Besides the event log you might decide to use performance counters to monitor the environment for this specific kind of issue. In that case add the following counters to Performance Monitor:

  • RPC Request Timeout Detected on Mailbox
  • RPC Request Timeout Detected on Database
  • RPC Request Timeout Detected on Server

The performance counters can be found under the MSExchangeIS performance object.
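As an added example (not part of the original post), the script below pulls the three time-out events and the three counters named above into one report, so a mailbox that is on its way to quarantine shows up before the store quarantines it. It assumes it runs on the Mailbox server itself and that the counter paths follow the form \MSExchangeIS\RPC Request Timeout Detected on ... (the object and counter names quoted above).

```powershell
# Added example, not from the original post. Report Information Store time-out
# detections (events 10025-10027, source MSExchangeIS) for the last 24 hours and
# read the three RPC Request Timeout counters of the MSExchangeIS object.
# Assumption: counter paths are '\MSExchangeIS\<counter name as shown above>'.
$timeoutEvents = @{
    10025 = 'Time-out detected on the Exchange server'
    10026 = 'Time-out detected on a database'
    10027 = 'Time-out detected on an individual mailbox'
}

function Get-StoreTimeoutEvents {
    param([int]$Hours = 24)
    # Application log, source MSExchangeIS, only the three time-out event ids
    return @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchangeIS'
        Id           = @(10025, 10026, 10027)
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue)
}

$events = Get-StoreTimeoutEvents -Hours 24
if ($events.Count -eq 0) {
    Write-Host 'No time-out detections in the last 24 hours.'
} else {
    # Group per event id; three detections on one mailbox within two hours means quarantine
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        $id = [int]$_.Name
        Write-Host ('{0} x Event {1}: {2}' -f $_.Count, $id, $timeoutEvents[$id])
        # The most recent message of each kind names the database or mailbox involved
        $last = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        Write-Host ('    last at {0}: {1}' -f $last.TimeCreated, $last.Message)
    }
}

# Performance counters: a non-zero value means a time-out was detected since the store started
$counterPaths = @(
    '\MSExchangeIS\RPC Request Timeout Detected on Mailbox',
    '\MSExchangeIS\RPC Request Timeout Detected on Database',
    '\MSExchangeIS\RPC Request Timeout Detected on Server'
)
$samples = (Get-Counter -Counter $counterPaths -ErrorAction SilentlyContinue).CounterSamples
foreach ($s in $samples) {
    $flag = if ($s.CookedValue -gt 0) { 'WARNING' } else { 'ok' }
    Write-Host ('{0,-8} {1} = {2}' -f $flag, $s.Path, $s.CookedValue)
}
```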

But what if you see that this issue happens many times and you want to disable the quarantine functionality? First of all I would not recommend doing this; try to find the source of the issue instead, because a large number of hanging threads will have an impact on your complete environment. On the other hand, as discussed earlier, quarantining may have a negative impact on the business and cost money. So after reading this, think twice and discuss it with some colleagues and your manager. If everybody agrees to take the risk, perform the following steps to turn off the quarantine feature:

  • Open Regedit
  • Browse to the following location: HKLM\System\CurrentControlSet\Services\MsExchangeIS\
  • Create a new DWORD (32-bit) value called DisableTimeoutDetection
  • Set the value to 1

Although not mentioned in Microsoft’s help files, it might be wise to restart the Information Store service after making the change. In that case make sure you dismount all databases or move them over to another DAG node if applicable.

If you want to have more information about this topic visit the page below:

Technet: Turn Off Exchange Store Time-Out Detection open

Redmond my mailbox is quarantined

As you may know, Exchange 2010 contains several built-in protection features to prevent issues with your server. Think of the back pressure mechanism, which protects your Hub Transport servers from being brought down by a lack of resources.

Another such feature can be found on the Mailbox server, specifically in the Information Store process. For those who don’t know what the responsibilities of the Information Store are: almost everything that is database related. For example, if the Information Store is down you won’t be able to mount mailbox or public folder databases.

The feature I am talking about is quarantining a mailbox. But why does Exchange perform this action on mailboxes? Well, there are a few reasons why Exchange can decide to place a mailbox in quarantine:

  • A thread doing work for a mailbox fails
  • More than five threads in a mailbox haven’t made progress for a long time (more than 60 seconds)

As you have seen, it all has to do with threads working on a mailbox that fail. Every time one of these issues occurs a counter is raised. This counter is stored in the registry. Besides the counter, the Information Store keeps a timestamp of when the issue occurred with the specific mailbox, also called the poison mailbox.

You may wonder why this information is stored in the registry. The reason is that the information stored here will be replicated by the cluster database if you are running a high availability environment. The following registry path is created to store the keys:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\\Private-{db guid}\QuarantinedMailboxes\{mailbox guid}

In this path the following keys will be created:

  • CrashCount: the amount of crashes detected
  • LastCrashTime: the timestamp of the last occurrence of a crash
  • QuarantineState: is a mailbox quarantined or not
  • QuarantineTime: the time the mailbox is placed in quarantine

If the issue doesn’t occur again within two hours, the registry key used to store the counter is deleted. The 2 hours is a value which can’t be changed. But there are two other interesting keys:

  • MailboxQuarantineCrashThreshold: how many issues may occur before a mailbox is put in quarantine
  • MailboxQuarantineDurationInSeconds: how long the mailbox is kept in quarantine

By default a mailbox is placed in quarantine when three issues occur. The mailbox will be kept in quarantine for 6 hours (21600 seconds). After the 6 hours have expired the mailbox is removed from quarantine.

Both keys can be found here:

HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\\Private-{db guid}\QuarantinedMailboxes
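As an added example (not part of the original post), the script below walks the registry layout described above on a Mailbox server and reports every poison mailbox the store is tracking, together with the two tunables per database. It assumes the standard layout in which a server-name key sits between MSExchangeIS and Private-{db guid} (it searches for the QuarantinedMailboxes keys recursively, so that segment is not hard-coded) and takes QuarantineState = 1 to mean quarantined; the other values are printed as stored.

```powershell
# Added example, not from the original post. Enumerate
# HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeIS\...\Private-{db guid}\QuarantinedMailboxes
# and report CrashCount/LastCrashTime/QuarantineState/QuarantineTime per poison mailbox.
# Assumptions: a server-name key sits between MSExchangeIS and Private-{db guid};
# QuarantineState 1 means quarantined. Run elevated on the Mailbox server.
function Get-PoisonMailboxReport {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS'
    $report = @()

    # Find every QuarantinedMailboxes key regardless of the server-name segment
    $dbKeys = Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'QuarantinedMailboxes' }

    foreach ($dbKey in $dbKeys) {
        # The parent key is Private-{db guid}; its name identifies the database
        $dbName  = Split-Path -Path $dbKey.PSParentPath -Leaf
        $dbProps = Get-ItemProperty -Path $dbKey.PSPath

        # The two tunables live on the QuarantinedMailboxes key; absent means the default applies
        $threshold = $dbProps.MailboxQuarantineCrashThreshold
        if ($threshold -eq $null) { $threshold = '3 (default)' }
        $duration = $dbProps.MailboxQuarantineDurationInSeconds
        if ($duration -eq $null) { $duration = '21600 (default)' }
        Write-Host ('{0}: CrashThreshold={1} DurationInSeconds={2}' -f $dbName, $threshold, $duration)

        # One subkey per poison mailbox, named after the mailbox GUID
        foreach ($mbxKey in (Get-ChildItem -Path $dbKey.PSPath -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty -Path $mbxKey.PSPath
            $entry = New-Object PSObject -Property @{
                Database       = $dbName
                MailboxGuid    = $mbxKey.PSChildName
                CrashCount     = $p.CrashCount
                LastCrashTime  = $p.LastCrashTime
                Quarantined    = ($p.QuarantineState -eq 1)
                QuarantineTime = $p.QuarantineTime
            }
            $report += $entry
            $state = if ($entry.Quarantined) { 'QUARANTINED' } else { 'counting' }
            Write-Host ('  {0} {1,-12} CrashCount={2} LastCrashTime={3} QuarantineTime={4}' -f `
                $entry.MailboxGuid, $state, $entry.CrashCount, $entry.LastCrashTime, $entry.QuarantineTime)
        }
    }
    if ($report.Count -eq 0) { Write-Host 'No poison mailboxes are tracked on this server.' }
    return $report
}

# The returned MailboxGuid values can be matched against Get-MailboxStatistics (MailboxGuid)
$poison = Get-PoisonMailboxReport
```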

But what happens to a mailbox put in quarantine? Well, the answer is quite short: it isn’t accessible for any end user. Even background processes such as content indexing and the mailbox assistants can’t access the mailbox. This is because these processes, just like end users, don’t pass the OPEN_AS_ADMIN flag. The store checks whether a client that tries to connect passes the OPEN_AS_ADMIN flag; if it does, the client will be able to access the mailbox. When a mailbox is placed in quarantine an event with event ID 10018 is logged.

Besides the automatic release from quarantine it is possible to release a mailbox manually. But before doing this it is highly recommended to find the cause of the issue: a mailbox is not placed in quarantine because everything works fine, and it can cause serious issues for the other mailboxes in your environment.

Another reason to investigate first: if you release the mailbox manually but the issue still occurs, the mailbox will be put in quarantine again.

To manually release the mailbox you will first need to know the GUID of the mailbox. You can look up the GUID with the Get-MailboxStatistics cmdlet, just like this:

Get-MailboxStatistics support | Select-Object DisplayName, MailboxGuid

Once you have found the GUID you will need to find the corresponding registry path. As discussed earlier, each poisoned mailbox has the key MailboxQuarantineDurationInSeconds; modify the value to, for example, 0 or 1. After you’ve made the registry change perform one of the following tasks:

  • Dismount/mount the database
  • Restart the Information Store
  • Reboot your server

Although this last one is a bit overkill.

Here ends the blog about quarantining mailboxes. Hope it doesn’t happen too much in your environment, otherwise you’ve got some serious trouble.

More information about this topic can be found on the site below.

Technet – Understanding the Exchange 2010 Store open

Using ActiveSync or BlackBerry you can give users the ability to sync the content of their mailbox to their mobile device. When BYOD is introduced in a company you might see an explosion in the number of ActiveSync/BlackBerry devices that connect to your Exchange environment.

So before allowing BYOD mobile devices you should do some investigation. There are two parameters which will be affected:

  • IOPS
  • Megacycles

IOPS

Let’s start with looking at the impact a mobile device has on the IOPS Exchange needs to deliver.

Both ActiveSync and BlackBerry devices will generate additional IOPS per device. RIM published a nice document which describes the impact on the IOPS, which depends on the mailbox profile.

Email messages sent or received per mailbox per day | Estimated IOPS per BlackBerry device
 50 | 0.06
100 | 0.12
150 | 0.18
200 | 0.24
250 | 0.30
300 | 0.35

The numbers above apply to an active mailbox copy (DAG) or a standalone mailbox. The strange thing, however, is that the HP Sizer for Microsoft Exchange Server 2010 multiplies the needed IOPS by 2. So it looks like HP built in some reserve, or is using values from an earlier Performance Benchmark Guide from RIM, since RIM made some improvements which dramatically decrease the needed IOPS.

I’ve searched for a table which describes the needed IOPS for ActiveSync devices but as far as I know Microsoft did not publish one. When looking at the available sizing tools, for example the HP Sizer for Microsoft Exchange Server 2010, you will see that it multiplies the amount of IOPS by 2. The Exchange 2010 Mailbox Role Requirements Calculator does not provide an easy option such as the HP Sizer, but the Microsoft tool does have an option to use a multiplication factor to influence the needed IOPS.

Megacycles

As discussed before, the second parameter is the amount of megacycles needed. In the document mentioned earlier RIM also published the megacycles needed per BlackBerry device.

Email messages sent or received per mailbox per day | Estimated megacycles per BlackBerry device
 50 | 1.5
100 | 3.0
150 | 4.5
200 | 6.0
250 | 7.5
300 | 9.0

As you can see, the needed megacycles depend on the amount of messages sent/received per day. Compared to the IOPS it has a greater impact. RIM mentions in their document that if you use the sizing recommendations of Microsoft it shouldn’t have a big impact on the CAS servers. The recommendations RIM points to can be found on this page.

Microsoft also performed some tests to see the impact on the megacycles when ActiveSync is used. In this case they only tested with one specific user mailbox profile.

Role          | CPU (MHz/user)
Client Access | 1,60
Hub Transport | 0,22
Mailbox       | 1,25

As you can see, Microsoft divided it per Exchange role. If you use the Exchange 2010 Mailbox Role Requirements Calculator you will need the value listed in the Mailbox column and use the megacycles multiplication factor to add 1,25 megacycles per mailbox.

What if users will use multiple mobile devices?

Well, the answer is quite easy, although it is hard to estimate in advance how many users will use multiple devices. When allowing BYOD mobile devices people may use both their mobile phone and their tablet to sync their mailbox content. But it is not limited to two devices.

Throttling policy

Exchange 2010 allows a maximum of 10 devices per user to sync via ActiveSync. So in the worst case users can set up 10 device partnerships with your Exchange environment.

The limit of 10 devices may be a bit high; 3 or 4 devices is a reasonable amount. But what if you want to limit the maximum allowed ActiveSync devices per user?

If you want to limit the amount of ActiveSync devices per user you will need to modify the throttling policy settings. Depending on your environment you might decide to create additional throttling policies which allow more ActiveSync devices, for example for the management.

To modify the throttling policy you will need to use the Exchange Management Shell (EMS). The output below is the result of Get-ThrottlingPolicy:

As you can see, EASMaxDevices is the parameter which needs to be modified to limit the amount of ActiveSync devices which can be used.

To do this you will need to run the Set-ThrottlingPolicy cmdlet:

Set-ThrottlingPolicy Default* -EASMaxDevices 1

The example above will limit the maximum amount of ActiveSync devices to one per user.
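As an added example (not part of the original post), the script below goes one step further than the single cmdlet above: it lowers the default limit, creates the more generous policy for a management group the text mentions, and then audits which users already have more partnerships than their policy now allows, because lowering EASMaxDevices does not remove existing partnerships. The policy name, group name and limits are assumptions for illustration, as is the handling of the EASMaxDevices value type (an Unlimited value or null meaning inherit from the default policy).

```powershell
# Added example, not from the original post. Default users get a low EASMaxDevices,
# members of one group get a separate policy with a higher limit, and the audit at the
# end lists users whose existing device count already exceeds their policy.
# Assumptions: names and limits below are for illustration; a null EASMaxDevices on a
# non-default policy means "inherit from the default policy".
$defaultLimit   = 2
$mgmtPolicyName = 'BYOD-Management'
$mgmtLimit      = 4
$mgmtGroup      = 'Management'

# Lower the default for everybody (same cmdlet as in the post)
Set-ThrottlingPolicy Default* -EASMaxDevices $defaultLimit

# Create the more generous policy once, then assign it to the group's mailboxes
if (-not (Get-ThrottlingPolicy -Identity $mgmtPolicyName -ErrorAction SilentlyContinue)) {
    New-ThrottlingPolicy -Name $mgmtPolicyName -EASMaxDevices $mgmtLimit | Out-Null
}
Get-DistributionGroupMember -Identity $mgmtGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientType -like '*Mailbox*' } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -ThrottlingPolicy $mgmtPolicyName }

function Get-EffectiveEasLimit {
    # Resolve the numeric limit a mailbox is subject to, walking back to the default policy
    param($Mailbox, $DefaultPolicy)
    $policy = $DefaultPolicy
    if ($Mailbox.ThrottlingPolicy) { $policy = Get-ThrottlingPolicy -Identity $Mailbox.ThrottlingPolicy }
    $value = $policy.EASMaxDevices
    if ($value -eq $null) { $value = $DefaultPolicy.EASMaxDevices }
    if ($value -eq $null -or $value.IsUnlimited) { return [int]::MaxValue }
    return [int]$value.Value
}

# Audit: partnerships created before the limit was lowered are still there
$defaultPolicy = Get-ThrottlingPolicy | Where-Object { $_.IsDefault }
Get-CASMailbox -ResultSize Unlimited -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mbx     = Get-Mailbox -Identity $_.Identity
        $limit   = Get-EffectiveEasLimit -Mailbox $mbx -DefaultPolicy $defaultPolicy
        $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)
        if ($devices.Count -gt $limit) {
            Write-Host ('{0}: {1} partnerships, policy allows {2}' -f $mbx.Alias, $devices.Count, $limit)
            $devices | ForEach-Object { Write-Host ('    {0} {1} last sync {2}' -f $_.DeviceType, $_.DeviceID, $_.LastSuccessSync) }
        }
    }
```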

Quarantine new devices

By default new users are allowed to connect to Exchange using ActiveSync. Excluded are users which are a member of a protected group such as administrators. To prevent this you can set the default action to quarantine new devices.

Using this option all new devices will be placed in quarantine until an administrator approves the device.

There are two ways to place a device in quarantine:

  • Create a rule for each family
  • Modify the default

Create a rule for each family:

The option can be found in the Exchange Control Panel (ECP) in the Phone & Voice section:

On the ActiveSync Access page scroll down until you see the Device Access Rules and click on New to create a new rule:

Using the Browse buttons, select a family and/or model and select the Quarantine – Let me decide to block or allow later option.

Unknown devices

The disadvantage of a rule per family is that not all devices may hit this rule. In that case the default settings are used. These can be changed by pressing the Edit button at the top of the page:

This will bring up a new window which gives you the following options:

  • The default action taken when an unknown device tries to connect
  • Which user or distribution group must be notified when an unknown device is quarantined
  • Which text needs to be sent to the user who tries to connect with an unknown device
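As an added example (not part of the original post), the block below is the Exchange Management Shell equivalent of the ECP steps above: the permissive default beside the hardened one, one per-family quarantine rule, and a listing of what is waiting for approval. The notification address, the device family string and the user text are assumptions for illustration.

```powershell
# Added example, not from the original post: EMS equivalent of the ECP settings above.
# Assumptions: the address, the 'Android' family string and the user text are placeholders.

# Weak (out-of-the-box): any unknown device may connect
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Allow

# Hardened: unknown devices are quarantined, an admin is notified, the user gets a message
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com' `
    -UserMailInsert 'Your device is waiting for approval by the helpdesk.'

# Rule per device family: the whole family goes to quarantine, whatever the default is
New-ActiveSyncDeviceAccessRule -QueryString 'Android' -Characteristic DeviceType -AccessLevel Quarantine

function Get-QuarantinedEasDevices {
    # Everything currently waiting for an administrator's decision
    Get-ActiveSyncDevice -ResultSize Unlimited |
        Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
        Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId, FirstSyncTime
}

function Approve-EasDevice {
    # Allow one device id for one user; the id comes from the quarantine listing
    param([string]$User, [string]$DeviceId)
    Set-CASMailbox -Identity $User -ActiveSyncAllowedDeviceIDs @{Add = $DeviceId}
}

Get-QuarantinedEasDevices | Format-Table -AutoSize
```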

How about BlackBerry can this be limited also?

Well, in most organizations a BlackBerry Express/Enterprise Server is installed which is connected to Exchange. Since the BlackBerry server doesn’t use ActiveSync to sync, the EASMaxDevices setting changed earlier has no effect on it.

A user will need an activation password to connect their device to the BES environment. Administrators have the option to configure how long a password is valid using the password expiration. Since the password is only valid to activate one device, it prevents the user from connecting multiple devices. If they want to connect another device they will need to ask their administrator for another activation code.

Monitoring the ActiveSync usage

When allowing BYOD mobile devices to sync with your Exchange environment it might be useful to perform some kind of monitoring. Using the monitoring features you can see how many ActiveSync devices are syncing with your Exchange environment.

Since the mobile devices connect to an HTTPS service offered by the CAS, most things are logged in the IIS logs.

By default all Exchange related HTTP/HTTPS traffic is logged in the same IIS log. This causes ActiveSync, EWS, OWA and PowerShell traffic to be logged in the same IIS log.

The cause of this is that the default setting is to have only one log file per site:

Since all Exchange virtual directories are created in the Default Web Site by default, this setting applies to these virtual directories too. So reading the log is a bit difficult, although it is possible.

To filter out only the ActiveSync related entries you will have to use the Export-ActiveSyncLog cmdlet, for example:

Export-ActiveSyncLog -FileName "C:\Windows\System32\LogFiles\W3SVC1\ex12607.log" -UseGMT:$true -OutputPath "C:\ActiveSync Report"

This will create a separate file containing only the ActiveSync related entries. The example above will only work for one log. If you want to search all the logs for ActiveSync use this:

Get-ChildItem "C:\Windows\System32\LogFiles\W3SVC1" | Export-ActiveSyncLog -UseGMT:$true -OutputPath "C:\Temp\EASReports"
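As an added example (not part of the original post, and not one of the scripts the post refers to), the function below reads the IIS W3C log lines directly and counts distinct ActiveSync device ids per user, so users above the EASMaxDevices limit or a sudden burst of new device ids stand out. The log lines embedded in it are constructed sample data with the fields shown in their own #Fields: header; the real log path in the comment is a placeholder.

```powershell
# Added example, not from the original post. Parse IIS W3C log lines, keep only requests
# to /Microsoft-Server-ActiveSync, and count distinct DeviceId values per user.
# The lines below are constructed sample data; column order is read from the #Fields: header.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-05-23 08:15:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&DeviceType=iPhone&Cmd=Sync 443 CONTOSO\jdoe 10.0.0.77 Apple-iPhone4C1/902.176 200 0 0 312
2012-05-23 08:15:09 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=DEF456&DeviceType=iPad&Cmd=Ping 443 CONTOSO\jdoe 10.0.0.78 Apple-iPad2C1/902.176 200 0 0 290
2012-05-23 08:16:12 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=GHI789&DeviceType=Android&Cmd=FolderSync 443 CONTOSO\jdoe 10.0.0.79 Android/4.0 200 0 0 240
2012-05-23 08:16:40 10.0.0.5 GET /owa/ - 443 CONTOSO\asmith 10.0.0.80 Mozilla/5.0 200 0 0 20
2012-05-23 08:17:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=JKL012&DeviceType=iPhone&Cmd=Sync 443 CONTOSO\asmith 10.0.0.81 Apple-iPhone4C1/902.176 200 0 0 305
2012-05-23 08:17:30 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&DeviceType=iPhone&Cmd=Sync 443 CONTOSO\jdoe 10.0.0.77 Apple-iPhone4C1/902.176 200 0 0 300
'@

function Get-EasDevicesPerUser {
    param(
        [string[]]$Lines,
        [int]$MaxDevices = 2   # compare against the EASMaxDevices value in use
    )
    $fields  = $null
    $devices = @{}   # user -> hashtable of DeviceId -> first-seen description
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column layout can differ per log; take it from the header instead of assuming it
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ([string]::IsNullOrEmpty($line) -or $line -like '#*' -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -ne '/Microsoft-Server-ActiveSync') { continue }

        # The query string carries User, DeviceId, DeviceType and Cmd
        $q = @{}
        foreach ($pair in ($row['cs-uri-query'] -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) { $q[$kv[0]] = $kv[1] }
        }
        if (-not $q['DeviceId']) { continue }

        $user = $row['cs-username']
        if (-not $devices.ContainsKey($user)) { $devices[$user] = @{} }
        if (-not $devices[$user].ContainsKey($q['DeviceId'])) {
            $devices[$user][$q['DeviceId']] = ('{0} {1} first seen {2} {3} from {4}' -f
                $q['DeviceType'], $q['DeviceId'], $row['date'], $row['time'], $row['c-ip'])
        }
    }
    foreach ($user in ($devices.Keys | Sort-Object)) {
        $count = $devices[$user].Count
        $flag  = if ($count -gt $MaxDevices) { 'OVER LIMIT' } else { 'ok' }
        Write-Host ('{0,-16} {1} device(s) {2}' -f $user, $count, $flag)
        $devices[$user].Values | Sort-Object | ForEach-Object { Write-Host "    $_" }
    }
    return $devices
}

# Against a real log: Get-EasDevicesPerUser -Lines (Get-Content 'C:\Windows\System32\LogFiles\W3SVC1\<logfile>.log')
$result = Get-EasDevicesPerUser -Lines ($sampleLog -split "`r?`n") -MaxDevices 2
```

With the sample data CONTOSO\jdoe is reported with 3 devices (over a limit of 2) and CONTOSO\asmith with 1.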

There are some useful scripts that can be found on the internet to perform some additional actions on the logs:

Here ends my blog about the impact BYOD mobile devices can have on your Exchange environment. More information about the specific cmdlets can be found on the following sites:

Technet: Export-ActiveSyncLog open
Technet: Set-ThrottlingPolicy open

Exchange 2010 SP2 Rollup 3 released

Microsoft released Rollup 3 for Exchange 2010 SP2 yesterday. The rollup contains fixes for the following issues:

  • 2510607  “Cannot open the free/busy information” error message when you try to view folder permissions in Outlook
  • 2514700  Extra.exe does not trace a single user whose legacyExchangeDN attribute contains one or more special characters in an Exchange Server 2010 environment
  • 2571342  The Folder contacts list is empty when a user views the properties of a mail-enabled public folder in an Exchange Server 2010 environment
  • 2572029  Synchronization of an organizational forms library fails when you use Outlook in Cache mode in an Exchange Server 2010 environment
  • 2586828  The EdgeTransport.exe process consumes 100 percent of CPU resources on an Exchange Server 2010 Edge Transport server
  • 2589233  Meeting requests bypass the requirement for delegate approval and instead book resource mailboxes automatically in an Exchange Server 2010 environment
  • 2633043  “There were no writeable domain controllers found in Active Directory site” error message when you run the ExBPA tool in an Exchange Server 2010 organization
  • 2647396  You cannot disable a public folder by using the “Disable-MailPublicFolder” cmdlet in an Exchange Server 2010 environment
  • 2648263  You cannot open routing log files on Exchange Server 2010 Hub Transport servers in a mixed Exchange Server 2003 and Exchange Server 2010 environment
  • 2667120  MSExchangeAutodiscoverAppPool application pool crashes on an Exchange Server 2010 Client Access server when you try to view the free/busy information about a user in a trusted domain
  • 2668900  Event ID 2915 is logged when you apply a fallback policy to a service account in an Exchange Server 2010 environment
  • 2670099  You cannot open calendar folders that are shared by hidden users in an Exchange Server 2010 environment
  • 2671128  RPC Client Access Cross-Site connectivity issues occur in an Exchange Server 2010 environment
  • 2673542  MRM retention policy in the Junk E-Mail folder does not work when you manually move email messages in an Exchange Server 2010 environment
  • 2673591  Crash occurs in the Autodiscover application pool in an Exchange Server 2010 environment
  • 2674185  MAPI_E_CALL_FAILED errors occur when a MAPI application that uses the MAPI function in Outlook 2007 MAPI or in Outlook 2010 tries to access an Exchange Server 2010 server
  • 2674445  You cannot change the access permissions of a Calendar folder in an Exchange Server 2010 environment
  • 2677872  You cannot use a distribution group in the hierarchical address book when you create the group in Exchange Server 2003
  • 2681250  “550 5.6.0″ NDR when a journal report is sent to an external contact in an Exchange Server 2010 environment
  • 2682047  You cannot access a mailbox for several hours after you disconnect and then reconnect the mailbox in an Exchange Server 2010 SP2 environment
  • 2682408  AddOrganizerToSubject parameter does not take effect when a recurring meeting conflicts with another meeting in an Exchange Server 2010 environment
  • 2682895  Error message when a role assignee runs the Get-MailboxExportRequestStatistics cmdlet in an Exchange Server 2010 environment
  • 2684583  You cannot delete an empty folder in a .pst file by using Outlook in an Exchange Server 2010 environment
  • 2689810  A meeting request that you send from an EWS application is in plain text format instead of HTML format when an attendee opens the request by using Outlook in online mode
  • 2695011  Junk Email settings do not work as expected after you migrate or move a mailbox to an Exchange Server 2010 SP1 Mailbox server
  • 2695022  The E-mail Signature text box is not editable in Outlook Web App when you use Google Chrome in an Exchange Server 2010 environment
  • 2695836  You cannot move a mailbox in an Exchange Server 2010 environment that has a message size limit configured
  • 2696642  An additional line of space is added in each paragraph in an email message when you click the Printable View icon in Outlook Web App in an Exchange Server 2010 environment
  • 2698927  Resource mailbox that has AutoAccept configured does not process a meeting request that contains custom code or script in Exchange Server 2010
  • 2698960  You cannot move some users’ mailboxes from one Exchange Server 2010 mailbox database to another
  • 2698976  Managed Folder Assistant does not process a mailbox that has external contacts in another tenant organization in an Exchange Server 2010 environment
  • 2699023  Event ID 9646 is logged on the Exchange Server 2010 mailbox server when you access a mailbox that has more than 250 folders by using an IMAP4 client
  • 2699577  GAL-related client-only message rule is not applied in Outlook after you apply RU1 for Exchange Server 2010 SP2 in an Exchange Server 2010 environment
  • 2699582  Error message when you play a voice mail by using Outlook 2007 in an Exchange Server 2010 environment
  • 2700544  Multiple recovery items are added to a subfolder of the Recoverable Items folder in an Exchange Server 2010 environment
  • 2705425  UMWorkerProcess.exe consumes large amounts of memory when you try to listen to voice messages by using Outlook Voice Access in an Exchange Server 2010 environment
  • 2705555  The Set-Mailbox cmdlet takes a long time to complete configuration in an Exchange Server 2010 environment
  • 2705570  An error occurs when a user whose mailbox is hidden from the Exchange address list tries to open the Scheduling Assistant tab by using the light version of Outlook Web App
  • 2705647  A user cannot log on to a mailbox that is full by using Outlook Web App in an Exchange Server 2010 environment
  • 2705682  Post-reform spelling rules are not used in the Portuguese (Portugal) dictionary in Outlook Web App in an Exchange Server 2010 environment
  • 2706523  You cannot create a mailbox or mail-enable a mailbox for a disabled user account in an Exchange Server 2010 environment
  • 2708880  You cannot set the “Country/region” attribute of a user mailbox to “Curaçao,” “Bonaire, Sint Eustatius and Saba,” or “Sint Maarten (Dutch part)” by using the Exchange Management Console on an Exchange Server 2010 server

The rollup can be downloaded from the site below:

download

 

In this blog we will have a look at the impact of a proxy server in your Exchange 2010 environment. The article is split up in two parts, since we will also have a look at the client side and the impact a proxy server has there.

In the environment we assume that http and https access is only allowed via the proxy server, for both servers and clients.

Let’s start with the server side of the Exchange environment and the impact a proxy server has on it. Before doing this we need to know which features of Exchange use http/https to perform specific tasks.

Exchange will use http/https for the following tasks:

  • Downloading updates for the anti-spam update service
  • Downloading updates for Microsoft Forefront Protection for Exchange Server
  • Certificate Revocation Lists (CRL) validation
  • Hybrid environments to connect to Windows Live/Office 365
  • Environments which are using the hosted archive solution
  • Several cmdlets such as Get-FederationInformation and Test-WebServicesConnectivity

To let these tasks pass through the proxy you can configure WinHTTP using the Netsh tool, which has been part of Windows Server since 2003. The tool can be found in the system32 folder.

To configure WinHTTP we first need to navigate to the WinHTTP context:

netsh
netsh>winhttp
netsh winhttp>

The first thing you may want to check is whether a proxy is configured already. This can be done with the following command:

show proxy

There are several ways to configure WinHTTP using Netsh. For example, if you already configured the proxy settings in IE you can use these as the source:

set proxy source=ie

But if you don’t want to configure the proxy in IE you can provide the configuration by using the following parameters:

  • proxy-server: FQDN or IP address of the proxy, including the port number
  • bypass-list: a list of hosts which can bypass the proxy

The syntax for Windows 2003/2008 and for 2008 R2 is not the same, so let’s have a look at both of them:

set proxy-server=proxy:8080 bypass-list="*.local"

set proxy proxy-server=proxy:8080 bypass-list="*.local"

You may ask yourself why you should use the bypass-list parameter. Well, it is recommended to configure the local domain as bypass-list, since both the EMC and EMS use the http protocol. If you don’t configure this, the result may be that you can’t connect to your Exchange server using the EMC/EMS.

Now that we have finished the server side, let’s have a look at the client side. As you may know, Exchange offers several services via http/https since Exchange 2007. Outlook 2007 clients and newer versions can benefit from these services.

The following services are offered by Exchange to the Outlook client via http/https:

  • autodiscover (default https): for automatic configuration
  • Exchange Control Panel (default https): for mail tracking (only Outlook 2010)
  • Exchange Web Services (default https): for example: calendar sharing, Free/busy , Out Of Office and MailTips
  • Offline Address Book (OAB) (default http): for downloading the OAB files

By default Outlook will use the proxy settings configured in Internet Explorer. So it’s really important to configure the proxy settings and specifically the proxy exclusions to prevent issues.

If you forgot to exclude the URLs used by Exchange you might get this kind of error:

In the example above the user tries to enable his/her out of office. But since the EWS URL is not excluded, Outlook can’t check the current status and displays this error.

So which URLs need to be excluded in the proxy list? They are listed below:

  • Autodiscover URL
  • ECP URL
  • EWS URL
  • OAB URL

Which internal URLs your Exchange environment is currently using can be found with the following cmdlets:

Autodiscover URL:

Get-ClientAccessServer | select AutoDiscoverServiceInternalUri

ECP URL:

Get-EcpVirtualDirectory | select InternalUrl

EWS URL:

Get-WebServicesVirtualDirectory | select InternalUrl

OAB URL:

Get-OabVirtualDirectory | select InternalUrl

Optionally you may also want to add the Outlook Web App (OWA) URL if you would like to offer webmail on the local network. In that case run the following cmdlet to see which OWA internal URL is configured:

Get-OwaVirtualDirectory | select InternalUrl
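As an added example (not part of the original post), the function below runs the cmdlets listed above on every CAS, reduces the URLs to unique host names and prints the resulting bypass list for both netsh winhttp and the IE proxy exceptions. It assumes it runs in the Exchange Management Shell, that proxy:8080 is the proxy (the post's example) and that the AD DNS domain from $env:USERDNSDOMAIN is the local domain to bypass.

```powershell
# Added example, not from the original post. Collect the internal URLs of Autodiscover,
# ECP, EWS, OAB (and optionally OWA) from all CAS, and emit a proxy bypass list.
# Assumptions: runs in the EMS; proxy:8080 and the AD DNS domain wildcard are placeholders.
function Get-ExchangeProxyBypassHosts {
    param([switch]$IncludeOwa)
    $urls = @()
    $urls += @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
    $urls += @(Get-EcpVirtualDirectory | ForEach-Object { $_.InternalUrl })
    $urls += @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl })
    $urls += @(Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl })
    if ($IncludeOwa) { $urls += @(Get-OwaVirtualDirectory | ForEach-Object { $_.InternalUrl }) }

    # Reduce to unique host names; a virtual directory without an InternalUrl yields $null
    $names = $urls | Where-Object { $_ } |
        ForEach-Object { ([System.Uri]($_.ToString())).Host } |
        Where-Object { $_ } | Sort-Object -Unique
    return @($names)
}

$bypassHosts = Get-ExchangeProxyBypassHosts -IncludeOwa
if ($bypassHosts.Count -eq 0) {
    Write-Warning 'No internal URLs found; check the virtual directory configuration.'
} else {
    # Wildcard for the AD DNS domain so EMC/EMS connections to any server bypass the proxy too
    $domainWildcard = '*.' + $env:USERDNSDOMAIN.ToLower()
    $bypass = ($bypassHosts + $domainWildcard) -join ';'
    Write-Host ('netsh winhttp set proxy proxy-server="proxy:8080" bypass-list="<local>;{0}"' -f $bypass)
    Write-Host ('IE proxy exceptions: {0}' -f $bypass)
}
```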

Here ends the blog about a proxy server in an Exchange 2010 environment. Hope you liked the blog if you have any questions don’t hesitate to contact me.

Exchange Federation – part II

Exchange Federation

In the first part of the article we had a look at how Exchange Federation works. After that we had a look at how to configure a Federation Trust and Organizational Configuration.

In this part of the article we will continue with configuring the federation. Most Exchange CAS servers are placed behind a firewall, and in most cases a reverse proxy is placed in front of them too.

Reverse proxy configuration

You can for example use Microsoft’s Threat Management Gateway (TMG). We will assume that the default rules for publishing the web services are already configured. The authentication is performed by the TMG instead of the CAS servers. In most cases Forms Based Authentication, Basic or NTLM/Kerberos is used for authentication.

These authentication methods can’t be used for the Federation Trust and Organizational Configuration, because the credentials of a user are verified by the Microsoft Federation Gateway (MFG) and not by a domain controller.

Because this authentication type is not permitted by the TMG for these sites, the traffic will be blocked. This can be solved by creating separate rules in the TMG for the following paths:

  • /EWS/Exchange.asmx/wssecurity
  • /Autodiscover/Autodiscover.svc
  • /Autodiscover/Autodiscover.svc/wssecurity

The TMG will need to pass the traffic straight through to the CAS server instead of authenticating it.

Troubleshooting cmdlets

As with most things, configuring a Federation Trust and Organizational Configuration will not always work smoothly. For example you may think it works, but when testing it you will get an error.

Exchange 2010 SP1 contains several test cmdlets to verify the functionality:

  • Get-FederatedOrganizationIdentifier
  • Get-FederationInformation
  • Get-FederationTrust
  • Get-OrganizationRelationship
  • Test-OrganizationRelationship
  • Test-FederationTrust

Get-FederatedOrganizationIdentifier

With this cmdlet we will retrieve the following information:

  • What the organization identifier of the Exchange organization is;
  • Which additional domains are configured for federation;
  • Who the contact for the trust is;
  • Whether the domain proof TXT record has been validated by the MFG

Get-FederationInformation:

This cmdlet can be used after a federation trust has been configured. The cmdlet will retrieve the following information:

  • Federated domain names;
  • Target URLs of the external Exchange organization;

Example:

Get-FederationInformation –DomainName domain.com

Get-FederationTrust:

Using this cmdlet an overview of the configured federation trust of the organization is displayed. The following information is shown when the output is piped to FL:

  • ApplicationIdentifier;
  • ApplicationUri attributes;
  • Certificate details;
  • Token details;

Get-OrganizationRelationship:

Using this cmdlet the settings of the configured organization relationship are displayed. Information which is displayed by using this cmdlet:

Example:

Get-OrganizationRelationship -Identity TrustedDomain

Test-OrganizationRelationship

Using this cmdlet you can test whether the organization relationship is configured correctly and whether it works. This cmdlet needs to be run in combination with a valid user account.

Example:

Test-OrganizationRelationship –UserIdentity johan@domain.com –Identity domain.com –Confirm

The UserIdentity parameter is the account for which a security token will be requested. The Identity is the name of the organization relationship which needs to be tested.

Test-FederationTrust

Performs several tests to validate that the federation trust works correctly. The following tests will be performed:

  • Can a connection be made to the MFG;
  • Are the certificates valid;
  • Can a security token be requested from the MFG.

Example:

Test-FederationTrust –UserIdentity johan@domain.com

In the example above the user account is specified as the UserIdentity. When no UserIdentity is specified the default test mailbox is used. The default test mailbox can be created with the New-TestCasConnectivityUser.ps1 script.

Troubleshooting

Certificates

One of the issues you will probably not see many times is an invalid certificate. This can be caused by the certificate not being valid anymore because it has expired.

But it may also occur when you request a new certificate. It sounds a bit strange, but I had this issue once. The MFGs are placed in the GMT timezone. When the Exchange environment is located in another timezone it can happen that the certificate is generated in the future from the MFG’s perspective. The solution for this issue is to wait. In the case of GMT+1 you will have to wait one hour and then try again.

Incorrect external URL for EWS

Because federation depends on Exchange Web Services (EWS) it is important that the correct external URLs are configured. When this is not the case the EWS URL will not be reachable by the other organization and no free/busy information will be displayed.

To solve this issue configure the external URL by using the Exchange Management Shell:

Set-WebServicesVirtualDirectory -Identity "Server\EWS (Default Web Site)" -ExternalUrl https://mail.domain.com/EWS/exchange.asmx

Besides this it's important that the URL is published correctly by the reverse proxy.

Changes are not active immediately

In case a change is made to the federation it might not be effective immediately. This is caused by caching: the old configuration keeps being used until the cache expires.

For a federation between two Exchange 2010 environments, or between Exchange 2010 and Office 365, this can take up to 7 hours.

Autodiscover doesn’t work

Although autodiscover is not required for configuring the federation, it is needed for the federation to work eventually. Verify that the autodiscover service URL is accessible on the LAN, but also from the internet. If autodiscover doesn't work correctly the other Exchange 2010 environment can't retrieve the necessary information.

Here ends the second and last part of the Exchange Federation series. If you've got any questions about it don't hesitate to contact me.
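The troubleshooting points above (certificate validity and the GMT time skew, Test-FederationTrust, Test-OrganizationRelationship, the EWS external URL and the reachability of the other side's autodiscover endpoint) can be run as one health check. The script below is an added example, not code from the original post, and is meant for the Exchange Management Shell on a CAS server. The relationship name "External Company" and the mailbox johan@domain.com are placeholders taken from the examples in this series, and it is assumed that Test-OrganizationRelationship returns the same Id/Type/Message result objects as Test-FederationTrust.

```powershell
# Added example (not from the original post): one-shot federation health check.
# Assumptions: relationship "External Company", test mailbox johan@domain.com,
# and Id/Type/Message result objects from both Test-* cmdlets.
param(
    [string]$RelationshipName = 'External Company',
    [string]$TestUser         = 'johan@domain.com'
)

$problems = New-Object System.Collections.ArrayList

# 1. Federation trust and its certificate. The MFG validates in GMT, so a
#    certificate whose NotBefore is still in the future in UTC is the
#    "wait one hour" problem from the Certificates section.
$trust = Get-FederationTrust
if (-not $trust) {
    [void]$problems.Add('No federation trust is configured (New-FederationTrust).')
} else {
    $cert   = $trust.OrgCertificate
    $nowUtc = [DateTime]::UtcNow
    if ($cert.NotAfter.ToUniversalTime() -lt $nowUtc) {
        [void]$problems.Add("Federation certificate expired on $($cert.NotAfter).")
    }
    if ($cert.NotBefore.ToUniversalTime() -gt $nowUtc) {
        $wait = $cert.NotBefore.ToUniversalTime() - $nowUtc
        [void]$problems.Add("Federation certificate is not valid before $($cert.NotBefore.ToUniversalTime()) UTC; wait $([int]$wait.TotalMinutes) minutes.")
    }
    # Connection to the MFG, certificate check and a token request for the test user.
    Test-FederationTrust -UserIdentity $TestUser |
        Where-Object { $_.Type -ne 'Success' } |
        ForEach-Object { [void]$problems.Add("Test-FederationTrust [$($_.Id)]: $($_.Message)") }
}

# 2. Organization relationship, including a delegation token for the test user.
$rel = Get-OrganizationRelationship -Identity $RelationshipName -ErrorAction SilentlyContinue
if (-not $rel) {
    [void]$problems.Add("Organization relationship '$RelationshipName' does not exist.")
} else {
    if (-not $rel.Enabled) {
        [void]$problems.Add("Organization relationship '$RelationshipName' is disabled.")
    }
    Test-OrganizationRelationship -Identity $RelationshipName -UserIdentity $TestUser -Confirm:$false |
        Where-Object { $_.Type -ne 'Success' } |
        ForEach-Object { [void]$problems.Add("Test-OrganizationRelationship [$($_.Id)]: $($_.Message)") }

    # 3. Is the other organization's autodiscover endpoint reachable from this CAS?
    #    Any HTTP status (401 and 405 included) proves the URL is published;
    #    a DNS, TLS or timeout failure means it is not.
    if ($rel.TargetAutodiscoverEpr) {
        try {
            $req = [System.Net.WebRequest]::Create($rel.TargetAutodiscoverEpr)
            $req.Timeout = 15000
            $req.GetResponse().Close()
        } catch [System.Net.WebException] {
            if (-not $_.Exception.Response) {
                [void]$problems.Add("Autodiscover endpoint $($rel.TargetAutodiscoverEpr) is not reachable: $($_.Exception.Message)")
            }
        }
    }
}

# 4. Every local EWS virtual directory needs an ExternalUrl, otherwise the other
#    organization never gets a usable free/busy endpoint through autodiscover.
Get-WebServicesVirtualDirectory | ForEach-Object {
    if (-not $_.ExternalUrl) {
        [void]$problems.Add("EWS virtual directory '$($_.Identity)' has no ExternalUrl (Set-WebServicesVirtualDirectory).")
    }
}

if ($problems.Count -eq 0) { 'Federation checks passed.' } else { $problems }
```

Run it after every federation change and once more after the cache period mentioned below has passed; a change that is correct but not yet active shows up as a Test-OrganizationRelationship error while the configuration checks pass.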

Exchange Federation – part I

Since Exchange 2003 it's possible to set up a federation between Exchange organizations. Compared to older Exchange versions, configuring a federation between two organizations became quite easy in Exchange 2010, although you might still encounter some issues while configuring it.

In this series of blog articles we will have a look at several issues and will look how to troubleshoot these issues.

But to solve an issue it's important to understand the concept. Therefore we will start with an explanation of how federation works and how to configure it.
To build a federation between two companies two things need to be configured:

  • Federation Trust;
  • Organization Relationship;

Federation trust
Before creating the Organization Relationship we will first need to configure a Federation Trust. This Federation Trust will be setup between the Exchange 2010 on-premises environment and the Microsoft Federation Gateway (MFG).

The MFG is the component in the federation setup which is responsible for authentication and providing authentication tickets. In this case the MFG is also known as the trust broker. The on-premises Exchange environment uses a certificate to authenticate itself to the MFG. The MFG is available in two sorts:

  • Business instance, used by Exchange 2010 SP1 and Microsoft Online Services;
  • Consumer instance, used by Exchange 2010 RTM, organizations who decide to use a 3rd party certificate and Live@edu;

Microsoft recommends ensuring that both organizations use the same MFG instance.
Before you configure a federation trust it’s important to know if you will use federated delegation.
Using federated delegation it’s possible to share information between users in both environments. To use this functionality one of the requirements is that you will create a subdomain which is used for federated delegation. This subdomain may not be the same as the primary SMTP domain which is being used. This subdomain must be set as Organization Identifier. Microsoft recommends to create a subdomain called exchangedelegation.domain.com for this purpose. The MFG will use this subdomain to assign a unique identity to every user. This identity will be used to get a Security Assertions Markup Language (SAML) delegation token. Using this token users can authenticate themselves to the other Exchange organization.

Configuring a Federation Trust can be divided in the following steps:

  1. Create a Federation Trust;
  2. Retrieve the Domain Proof;
  3. Create DNS TXT record;
  4. Configure the Organization Identifier and additional domains for Federation;

The first step can be performed by using the Exchange Management Console (EMC) or Exchange Management Shell (EMS). Keep in mind that when you want to use a 3rd party certificate you can only create the Federation Trust using the EMS.

Federation Trust

EMC
The method below will create a trust with the MFG and creates a self-signed certificate for authentication:

  • Open the EMC;
  • Select the Organization Configuration;
  • Select the option New Federation Trust;
  • Click the option New;
  • Click Finish to close the wizard;

EMS

Get-ExchangeCertificate | ?{$_.FriendlyName -eq "Exchange Federated Delegation"} | New-FederationTrust -Name "Microsoft Federation Gateway"

Domain Proof
When the trust has been created we need to retrieve the domain proof. The domain proof must be used to create a TXT record in DNS; using this record a check is performed whether you're really the owner of the domain.
The domain proof can only be retrieved by using the EMS:

Get-FederatedDomainProof –DomainName domain.com

Keep in mind that if you are going to use Federated Delegation you will need to perform this step for both the subdomain and the mail domains.
Add domains to the Federated Trust
When both the trust and the domain proofs are created we can continue by adding the domains to the Federation Trust.
Before you can perform this step you will need to add the subdomain to the accepted domains of Exchange:

New-AcceptedDomain -DomainName exchangedelegation.domain.com -Name FederationDomain

When the cmdlet above has been executed we can configure the federation trust. This will need to be performed in two steps:

Set-FederatedOrganizationIdentifier -DelegationFederationTrust “Microsoft Federation Gateway” -AccountNamespace exchangedelegation.domain.com -Enabled $True

Using the cmdlet above we configure the trust to use the subdomain as the organization identifier. The organization identifier is used for authentication. During this process a check is performed whether the TXT record can be found in DNS. If the record is found the configuration is updated.
To finalize the federation trust configuration you will need to add all the other domains to the trust. This can be done by using the Add-FederatedDomain cmdlet. Just like the previous cmdlet a check is being performed for the TXT record.

Add-FederatedDomain -DomainName domain.com

Using this step the configuration of the Federation Trust has been completed.

Optionally you can also use the EMC to perform these steps. The advantage of this is that you can perform both steps via the same wizard.
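The four steps above as one script for the Exchange Management Shell. This is an added example, not code from the original post. The names are the placeholders used in this post (domain.com, exchangedelegation.domain.com, "Microsoft Federation Gateway"); the TXT records still have to be created at your DNS provider by hand, the script only waits until they are visible from this server before it continues, and it assumes Get-FederatedDomainProof exposes the value in a property called Proof.

```powershell
# Added example (not from the original post): federation trust setup end to end.
# Placeholders: domain.com, exchangedelegation.domain.com, trust name below.
param(
    [string]$TrustName        = 'Microsoft Federation Gateway',
    [string]$DelegationDomain = 'exchangedelegation.domain.com',
    [string[]]$MailDomains    = @('domain.com')
)

# Step 1: create the trust with the self-signed federation certificate, unless
# it already exists (the cmdlet fails on a second run otherwise).
if (-not (Get-FederationTrust -Identity $TrustName -ErrorAction SilentlyContinue)) {
    Get-ExchangeCertificate |
        Where-Object { $_.FriendlyName -eq 'Exchange Federated Delegation' } |
        New-FederationTrust -Name $TrustName
}

# Step 2: retrieve the proof for every domain: the delegation subdomain and
# all mail domains. Assumption: the proof string is in the Proof property.
$allDomains = @($DelegationDomain) + $MailDomains
$proofs = @{}
foreach ($d in $allDomains) {
    $proofs[$d] = (Get-FederatedDomainProof -DomainName $d | Select-Object -First 1).Proof
    Write-Host "Create a TXT record for $d with value: $($proofs[$d])"
}

# Step 3: wait until the TXT records are visible. nslookup is used because
# Resolve-DnsName only exists from Windows 8 / Windows Server 2012 on.
function Test-TxtRecord([string]$Domain, [string]$Expected) {
    $out = & nslookup.exe -type=TXT $Domain 2>$null
    return (($out -join ' ') -like "*$Expected*")
}
foreach ($d in $allDomains) {
    while (-not (Test-TxtRecord $d $proofs[$d])) {
        Write-Host "TXT record for $d not visible yet, retrying in 60 seconds"
        Start-Sleep -Seconds 60
    }
}

# Step 4: accepted domain for the subdomain, organization identifier, and the
# remaining mail domains. Both Set-/Add- cmdlets check the TXT record again.
if (-not (Get-AcceptedDomain -Identity $DelegationDomain -ErrorAction SilentlyContinue)) {
    New-AcceptedDomain -DomainName $DelegationDomain -Name 'FederationDomain'
}
Set-FederatedOrganizationIdentifier -DelegationFederationTrust $TrustName `
    -AccountNamespace $DelegationDomain -Enabled $true
foreach ($d in $MailDomains) {
    Add-FederatedDomain -DomainName $d
}

# Show the end result: the namespace, all federated domains and the enabled flag.
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled
```

Because the DNS check loops until the record is visible from the Exchange server itself, run the script from a server that resolves through the same DNS path the MFG would see (public resolvers), not through an internal zone that already contains the record.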

Create an Organization Relationship
To share the free/busy information between the organizations its necessary to create an Organization Relationship.
Creating an Organization Relationship can be performed by using either the EMC or the EMS.

EMC

  • Open the EMC;
  • Select the Organization Configuration;
  • Select the option New Organization Relationship;
  • Configure the name of the other organization on the Introduction page, activate the Organization Relationship and specify which information you want to make available to the other organization. Optionally you can assign a security group so that only the information of the members of that group is shared;
  • On the External Organization page choose to configure the relationship either manually or automatically. When choosing the automatic way autodiscover will be used, so if things change on the other organization's side you won't have to change them manually.
    If selecting the manual method you will need to provide the following information:
    o Federated domains of the external Exchange organization: add both exchangedelegation.domain.com and domain.com;
    o Application URI of the external Exchange organization: exchangedelegation.domain.com, this value is used to request a delegated token;
    o Autodiscover endpoint of the external Exchange organization: this URL is used to retrieve the URLs of the CAS servers, because the free/busy information is retrieved using EWS. The URL looks like this:
      https://autodiscover.domain.com/autodiscover/autodiscover.svc/wssecurity;
  • On the New Organization Relationship page verify the configuration and press New to create the Organization Relationship.

EMS
New-OrganizationRelationship -Name "External Company" -DomainNames "exchangedelegation.domain.com","domain.com" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -TargetAutodiscoverEpr "https://autodiscover.domain.com/autodiscover/autodiscover.svc/wssecurity" -TargetApplicationUri "exchangedelegation.domain.com"

In the example above the Organization Relationship is configured manually; autodiscover is still used to retrieve the EWS URLs. If you would like to retrieve the DomainNames, TargetAutodiscoverEpr and TargetApplicationUri automatically you create the Organization Relationship like this:

Get-FederationInformation -DomainName domain.com | New-OrganizationRelationship -Name "External Company" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

In the example above we will first retrieve the Federation Information of the domain. Next we will use the output of the Get-FederationInformation to create the Organization Relationship.

Clients
To use the features offered by the Organization Relationship you will need to use one of the following clients:

  • Outlook 2010
  • Outlook Web App/Outlook Web Access
  • Outlook 2007

When using Outlook 2007 there’s one thing you should keep in mind. Typing in the SMTP address, just like in Outlook 2010/OWA, doesn’t work with Outlook 2007.  If Outlook 2007 is the only Outlook version which is in use you will need to add all users from the other organization as contacts so they will appear in the Global Address List.

What happens when free/busy information is retrieved?
But what happens when a user requests free/busy information of a user in another organization?

In the workflow below a complete overview of the process:

  1. The user provides the SMTP address of a user in another organization;
  2. The CAS server checks whether federation is configured;
  3. The CAS server sends a token request to the Microsoft Federation Gateway;
  4. The Microsoft Federation Gateway verifies whether the source organization is trusted by the target organization;
  5. The Microsoft Federation Gateway sends a token back to the CAS server which requested it. The token is signed and encrypted with the public key of the target organization;
  6. The CAS server sends the free/busy request, including the token, to the CAS server of the target organization;
  7. The target CAS server receives the token;
  8. The target CAS server verifies whether the organization which sent the request is in its trust list;
  9. The target CAS server checks which free/busy information may be displayed;
  10. The Availability Service requests the information from the mailbox;
  11. The answer is sent back to the client;

Here ends the first part of how Federations can be used in Exchange 2010. In the next part we will have a look at how you can safely publish it to the internet and will start with some troubleshooting.

Technet – Understanding Federation

Technet – Creating a Federation Trust

What happened to Exchange 2010 in 2011

2012 has arrived, but what has happened in the past year with Exchange 2010? In this blog we will have a look at some of the highlights of the Exchange 2010 news in 2011.

If we summarize this year you could use the following words:

January

In the beginning of January Exchange received InfoWorld's Technology of the Year award for best mail server of 2011.

On the 27th of January Microsoft published a statement on GAL segmentation, which until then was still not supported in Exchange 2010. The whitepaper which was available for Exchange 2007 would not be updated for Exchange 2010. Instead another solution was announced for Exchange 2010 SP2; a few months later this feature got a name: Address Book Policies.

One day after the statement Kevin Allison announced that UDP notifications would be reintroduced in Exchange 2010, because many customers had asked for it. The functionality would be available after installing Rollup 3. The result of reintroducing the feature was that the release date of the Rollup was rescheduled.

February

The Windows Server team released SP1 for Windows 2008 R2. But what does this mean for Exchange 2010? On the 11th of February the Exchange Team came with an answer: both Exchange 2010 RTM and Exchange 2010 SP1 are supported on this service pack. For Exchange 2010 SP1 the separate hotfixes 979744, 983440, 979099, 982867 and 977020 are not required anymore; these hotfixes are included in the service pack for Windows 2008 R2.

March

On the 7th of March Microsoft released Rollup 3 for Exchange 2010 SP1. Everyone was curious about the UDP notifications feature which became available with this Rollup. But shortly after the release the forums contained a lot of messages about Exchange 2010 in combination with BlackBerry devices: messages were sent twice, which of course could have a big impact for some companies.

On the 14th of March Microsoft published the following message on the MsExchangeTeam blog:

We have received notification of an issue impacting some customers which have
RIM BlackBerry devices connecting to an Exchange 2010 SP1 RU3 environment. At
this stage we are actively working with RIM to identify the exact scenarios in
which customers are reporting this issue in order to narrow down the root cause
of the problem and identify a suitable resolution for it.

As a precautionary measure we have deactivated the download page for Exchange
2010 SP1 RU3 until we can identify the appropriate next steps.

Rollup 3 was removed from the Download Center.

April

OWA Automobile Edition, Twitter-Ready Mail, Boss OOFs, Email Etiquette Enforcement (EEE) Agent, Automatic Randomized MRM (ARM) Assistant, Active Inbox Rules (AIR) Agent, Mobile Read Receipts and Exchange Configuration: all new features which were announced on the 1st of April. All these features were one big April fool's joke, which caused a lot of nice reactions from some people.

In March Rollup 3 was removed; on the 6th of April Rollup 3v3 was released. This release fixed the BlackBerry issue and contained the original fixes which were included in Rollup 3.

On the 13th of April Microsoft announced the Exchange ActiveSync Logo Program. This certification program for ActiveSync devices was created by Microsoft together with an external lab. Devices should support the following features to be certified for the program:

  • Direct Push email, contacts & calendar
  • Accept, Decline & Tentatively Accept meetings
  • Rich formatted email (HTML)
  • Reply/Forward state on email
  • GAL Lookup
  • Autodiscover
  • ABQ strings (device type and device model) provided
  • Remote Wipe
  • Password Required
  • Minimum Password Length
  • Timeout without User Input
  • Number of Failed Attempts

Microsoft did release the program to give enterprises a way to improve the support they can give to their users which are using several kinds of mobile devices.

On the 15th of April a new recommendation was published on the Exchange Team blog: enable Kerberos authentication for clients. One of the reasons is that NTLM might cause a bottleneck. Before Exchange 2010 SP1 Kerberos was not really an option. In SP1 Microsoft introduced functionality which made it possible to use an alternate service account (ASA). This account needs to be assigned to all CAS servers in the array and needs to contain the correct service principal names (SPNs).

To simplify the configuration Microsoft released a script called: RollAlternateServiceAccountPassword.ps1. Using this script it was possible to configure the ASA on all CAS Array members. Besides this the script contained an option to create a scheduled task which changes the password on pre-defined frequency.

Besides the new recommendation a .NET update caused some issues. By installing the update on an Exchange 2010 server which has Windows 2008 SP2 or Windows 2008 R2 RTM as OS the following issues might occur:

  • Exchange Management Shell does not start
  • Exchange Management Console does not start
  • There might be a crash in Exchange Mailbox Replication Service (it is not
    clear yet if this is related)
  • Event Viewer might have trouble opening

On the 20th of April Microsoft did release an update to fix this issue.

May

On the 16th of May an announcement was made about changes to the hardware virtualization support for Exchange 2010. These changes were only applicable to Exchange 2010 SP1:

  • The Unified Messaging server role is supported in a virtualized environment.
  • Combining Exchange 2010 high availability solutions (database availability
    groups (DAGs)) with hypervisor-based clustering, high availability, or migration
    solutions that will move or automatically failover mailbox servers that are
    members of a DAG between clustered root servers, is now supported.

The day after Kevin Allison announced SP2 on TechEd Atlanta. SP2 would contain a lot of fixes for issues customers reported and a few new features:

  • Outlook Web App (OWA) Mini
  • Cross-Site Silent Redirection for Outlook Web App
  • Hybrid Configuration Wizard
  • Address Book Policies

On TechEd Atlanta the new features were included in a presentation of  Greg Taylor. SP2 would be available in the second half of 2011.

June

On the 22nd of June it was time for Rollup 4. At first everything looked OK, but on the 13th of July Microsoft published a post with the title Exchange 2010 SP1 RU4 Removed from Download Center.

Rollup 4 introduced an issue when moving or copying folders: the subfolders and their content would be deleted. The items could be recovered by using the Recoverable Items folder.

It took 2 weeks before Rollup4v2 was released on the 27th of July.

July

On the 5th of July Microsoft did announce a new tool: the PST Capture tool. This tool could be used to search the network for PST files and import them in Exchange 2010. The tool was planned for in 2011.

August

On the 23rd of August Rollup 5 was released. Of course a lot of people held back after the issues in the previous two Rollups, but Rollup 5 did not contain any big issues.

In March of this year the Internet Explorer team released the new version of Internet Explorer, IE 9. After a few days some issues were reported about IE 9 in combination with the Exchange Management Console (EMC). When closing the EMC the following message was displayed:

In August the Exchange Team published a statement about the issue. The Exchange Team investigated it together with the MMC and Internet Explorer teams to find a solution. Finally a special hotfix was released which solved the issue. In December 2011 this hotfix was included in a security update for IE 9 (KB 2618444).

October

Rollup 6 was the latest Rollup which was release for Exchange 2010 SP1 in 2011. This Rollup was released by Microsoft on the 27th of October.

On the 11th of October the support ended for Exchange 2010 RTM. Starting from this date only support will be given on Exchange 2010 environment which are running SP1.

In Exchange 2010 SP1 the /hosting parameter was introduced. By using this parameter to install Exchange it was possible to create a multi-tenant Exchange 2010 environment. The solution offered a smaller set of functions to end users compared to an on-premises Exchange 2010 environment. Besides this it doesn't contain any automation tools, for example for creating users.

In October Microsoft announced that the /hosting parameter would not be developed further. Hosting parties who already implemented Exchange this way will still be supported by Microsoft according to the Exchange support lifecycle.

November

At DevConnections, at the beginning of November, it was time for some news about SP2. Kevin Allison announced that SP2 would be released at the end of November or the beginning of December.

December

Eventually on the 12th of December Microsoft did publish the following message on the MsExchangeTeam blog:

I had previously mentioned that Exchange 2010 Service Pack 2 would be coming this year – and it’s here! I’m pleased to announce the availability of Exchange Server 2010 Service Pack 2 which is ready to download.

Kerberos authentication fails sporadically

Earlier this year a blog on the Exchange Team site was posted by Ross Smith IV. In this blog he encouraged the use of Kerberos as the authentication method for Outlook clients.

In a lot of Exchange environments you will see that it is implemented. When you are using a CAS array you will need to create an alternate service account (ASA) for this. This can be done by using the RollAlternateServiceAccountPassword.ps1 script. Keep in mind that when using the CreateScheduledTask parameter the scheduled task will run as the account that created it.

After registering the correct SPNs on the ASA account Kerberos will work in most cases. In some scenarios a typo is made, which results in incorrect SPNs being registered. When this is the case you can solve it by using setspn or ADSI Edit.

But what if Kerberos sometimes works and sometimes not, or only works for specific users? If it doesn't work a user will not be able to access his/her mailbox.

The easiest way to figure out whether Kerberos is the problem is to change the Outlook profile.

On the security tab of the account you will need to change the value of Logon network security to NTLM. If the user can access his/her mailbox after this you know that Kerberos is causing the issue.

Besides this an event will be logged in the system event log. Because only a small amount of Kerberos logging is enabled by default on Windows you won't see the Kerberos issue there. To enable the logging you will need to make a change in the registry:

  • start regedit
  • browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  • create a Dword called LogLevel
  • change the value of the Dword to 0x1

Logging is directly enabled after creating the registry key and after a refresh you will see several Kerberos errors in the log.

Another option is to create a network trace using Wireshark or Netmon. In both cases you will see the following message in the trace:

0xD – KDC_ERR_BADOPTION: KDC cannot accommodate requested option

When you search the internet for this error you will see you are not the only one. But let's start from the beginning instead of going directly to the solution.

One of the first things you will need to do is run SetSPN -L "ASA account" to verify that all correct SPNs are registered. The SPNs should be unique. Despite this I have seen environments where the domain controllers also contain two SPNs named ExchangeAB followed by the NetBIOS name and the FQDN. To verify whether the SPNs are unique you can use SetSPN -Q "SPN VALUE", for example SetSPN -Q ExchangeAB/*.

As displayed in the screenshot above you will see ExchangeAB will be found four times. Two times on the Exchange Server and two times on the DC.
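The setspn -L and setspn -Q checks above can be scripted so the whole SPN set of the CAS array is verified in one go. The script below is an added example, not code from the original post; the account name EXCH-ASA and the array name outlook.domain.com are placeholders, and it relies on setspn.exe (built into Windows Server 2008 and later) printing one indented SPN per line for -L and the owning object's DN for -Q.

```powershell
# Added example (not from the original post): are all SPNs the CAS array needs
# registered on the ASA, and is each of them registered exactly once?
# Placeholders: EXCH-ASA (the ASA account) and outlook.domain.com (CAS array).
param(
    [string]$AsaAccount   = 'EXCH-ASA',
    [string]$CasArrayFqdn = 'outlook.domain.com'
)

function Get-RegisteredSpn([string]$Account) {
    # setspn -L prints the object's DN on the first line and one indented SPN per line
    & setspn.exe -L $Account | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
}

function Get-SpnOwner([string]$Spn) {
    # setspn -Q lists the DN of every object carrying the SPN; DN lines start with CN=
    & setspn.exe -Q $Spn | Where-Object { $_ -match '^CN=' }
}

# The four services Outlook uses through the CAS array (the same four tickets
# that klist shows when everything runs over Kerberos), for both the FQDN and
# the NetBIOS name of the array.
$services = 'http', 'exchangeMDB', 'exchangeRFR', 'exchangeAB'
$names    = $CasArrayFqdn, $CasArrayFqdn.Split('.')[0]
$expected = foreach ($svc in $services) { foreach ($n in $names) { "$svc/$n" } }

$registered = @(Get-RegisteredSpn $AsaAccount)

# Anything expected but not on the ASA: a typo or a forgotten setspn -S.
$missing = @($expected | Where-Object { $registered -notcontains $_ })
if ($missing.Count -gt 0) {
    "Missing on $AsaAccount (register with setspn -S):"
    $missing | ForEach-Object { "  $_" }
}

# Every SPN on the ASA must exist exactly once in the forest; if a second object
# (for example a domain controller) carries it too, the KDC cannot pick the
# right account and Kerberos fails for the clients that hit that SPN.
$duplicates = @()
foreach ($spn in $registered) {
    $owners = @(Get-SpnOwner $spn)
    if ($owners.Count -gt 1) {
        $duplicates += $spn
        "Duplicate SPN $spn is registered on:"
        $owners | ForEach-Object { "  $_" }
    }
}

if ($missing.Count -eq 0 -and $duplicates.Count -eq 0) {
    "All expected SPNs are registered on $AsaAccount and are unique."
}
```

The script only reads; fix what it reports with setspn -D on the wrong object and setspn -S on the ASA, then run it again.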

As far as we can see at this moment everything looks OK. Time to continue troubleshooting. But which step can you take next when you have the error above? Klist.exe or Kerbtray.exe will not help a lot, because in most cases renewing the tickets won't solve the issue.

After some research together with a customer we found the root cause of the issue.

Microsoft changed the maximum Kerberos UDP packet size starting with Windows 2003. In Windows XP the limit was 2000 bytes; from Windows 2003 on it is 1465 bytes. Kerberos uses UDP by default, so you can guess what happens when a Kerberos message exceeds that size: it is fragmented and arrives incomplete at servers running Windows 2003 or later.

But why does the issue only happen for some users? This depends on the Kerberos ticket size. The size of a Kerberos ticket is determined by:

  • the number of groups the user is a member of
  • whether those groups contain other nested groups
  • the SID history of the account and its groups

To solve this issue you will need to make a registry change:

  • start regedit
  • browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  • create a Dword called MaxPacketSize
  • change the value of the Dword to 1

With this change every Kerberos message larger than 1 byte, in other words all Kerberos traffic, is sent over TCP instead of UDP. Windows Vista and later already use TCP for Kerberos by default, so this change mainly matters for Windows XP clients.

Restart the computer and change the Outlook profile back to Negotiate Authentication. Verify that you can access the mailbox. Using klist.exe or kerbtray.exe verify whether the tickets are created correctly. Both tools are part of the resource kit for Windows 2003; in Windows 7 and 2008 klist is part of the OS.
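Both registry changes from this post (LogLevel for the Kerberos event logging earlier on, and MaxPacketSize for the fix) can be applied with one script that records the previous value so it can be reverted afterwards. This is an added example, not code from the original post; run it elevated on the client, and note that the reboot the post asks for is still required for MaxPacketSize.

```powershell
# Added example (not from the original post): set the two Kerberos parameters
# used in this post and show the before/after values so the change is reversible.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

function Set-KerberosParameter([string]$Name, [int]$Value) {
    # $null when the value did not exist yet (Windows default behaviour)
    $before = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -Path $key -Name $Name -Value $Value -Type DWord
    New-Object PSObject -Property @{ Name = $Name; Before = $before; After = $Value }
}

# MaxPacketSize is a byte threshold: messages larger than it go over TCP.
# 1 therefore means "all Kerberos traffic over TCP", which avoids the
# fragmented UDP requests caused by large tickets. Needs a reboot.
Set-KerberosParameter -Name 'MaxPacketSize' -Value 1

# LogLevel 1 writes Kerberos errors (KDC_ERR_BADOPTION etc.) to the System
# event log immediately. It is noisy, so remove it again once troubleshooting
# is done:  Remove-ItemProperty -Path $key -Name LogLevel
Set-KerberosParameter -Name 'LogLevel' -Value 1
```

Leave LogLevel enabled only while you troubleshoot: it also logs harmless negotiation errors (for example when a client falls back from Kerberos to NTLM), which clutter the System log and can mislead whoever reads it later.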

In this screenshot two Kerberos tickets are listed which are being used by Exchange. If all authentication is performed by using Kerberos you will see the following Kerberos tickets:

  • exchangeMDB
  • exchangeRFR
  • exchangeAB
  • http

When you will look in the event log of the client you won’t find any Kerberos messages.

Microsoft has published a complete document about troubleshooting Kerberos authentication issues. You can find the document here.