Monday, December 5, 2011

Microsoft Exchange Server 2010 Service Pack 2 (SP2)

Exchange SP2 has left the building.

It contains some interesting features. The one I like the most is Address Book Policies (ABP). With ABPs the administrator can easily control which address lists each user sees. Many organizations want to segment the address book between groups of users, and ABPs give them a supported way to do it instead of the really messy approach of ACLing the individual address-list objects in Exchange.

Another feature: the good old OMA is back. It is like OWA but without the graphics, and it will mostly be used by mobile devices. The official name is 'OWA Mini'.

If you want to connect your on-premises Exchange installation to O365 in a hybrid configuration, the new 'Hybrid Configuration Wizard' makes the setup a lot easier than the myriad of manual steps needed before.

Pre-requirement info http://technet.microsoft.com/en-us/library/bb691354.aspx

Release notes http://go.microsoft.com/fwlink/?LinkId=235234

Download link http://www.microsoft.com/download/en/details.aspx?id=28190

Wednesday, August 24, 2011

Exchange Server 2010 Service Pack 1 Update Rollup 5 is released

UR5 for Exchange 2010 SP1 is now released. It contains several bug fixes; here is the description: Exchange 2010 SP1 UR5 - KB2582113.
The problem with PDF attachments sent from Mac clients should finally be resolved, as is the "There are no items to show in this view." error message in Outlook 2010.

Here is the download link

The usual warning for customers running Forefront Security for Exchange (FSE): disable Forefront with "fscutility /disable" before applying the rollup, and enable it again afterwards with "fscutility /enable".
How to Apply Exchange Service Packs and Rollups to a Computer that is Running FSE

Saturday, August 13, 2011

Are you using TMG and having issues publishing Outlook Anywhere?

Ever tried to publish Outlook Anywhere with NTLM through TMG, using Kerberos Constrained Delegation? Many people have tried and failed, or at least had major trouble before they finally got things going.
To make it a little easier, here is a simple checklist for publishing Outlook Anywhere using NTLM with TMG and Kerberos Constrained Delegation.
The simplest scenario is a single Exchange server and a single TMG server.
1. TMG must be domain joined to use Kerberos Constrained Delegation (KCD), which can be a problem for some organizations: http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html. The domain TMG is a member of must be at the Windows Server 2003 functional level or higher, and it must be the same domain your Exchange server is in.
2. Configure KCD.
In ADUC (Active Directory Users and Computers), find the TMG computer object, open Properties and go to the Delegation tab.
Select "Trust this computer for delegation to specified services only" and then "Use any authentication protocol".
Click Add, then "Users or Computers", and enter the Exchange server.
Click OK, scroll to "http - server name", select it, and click OK twice to save the configuration.
If you tick "Expanded" while selecting the service you will see that both the FQDN and the host name end up in the list.
What you have done is allow the TMG computer account to delegate the user's identity to the Exchange server, but only to its HTTP service; that is why it is called constrained delegation. "Use any authentication protocol" is protocol transition: the Internet client never hands TMG a Kerberos ticket, so TMG needs permission to request one on the user's behalf after it has authenticated the user with NTLM (or Basic). The flip side is that this permission does not depend on the user's password at all: whoever controls the TMG computer account can obtain service tickets to the listed HTTP services as any user, except accounts marked "Account is sensitive and cannot be delegated". Keep the service list as short as possible and treat the TMG server as a highly sensitive host.
Why do we point at the Exchange computer object? The Exchange web services run under the Local System account, so the HTTP SPN belongs to the computer account. If they ran under a service account we would have to delegate to that account instead.
3. Create a Listener and a publishing rule on TMG.
Start by creating a Listener. As the New Web Listener wizard goes by, select these options:
Select "Require SSL secured connections with clients".
Select an external IP and the certificate the listener will present to clients.
For Authentication you have several options and it depends on what you want to do, but for this walkthrough select HTTP Authentication and Integrated. This means NTLM, since we are connecting from the Internet where no Kerberos KDC is reachable (or have you put a Domain Controller on the Internet?).
Create the publishing rule by starting the Exchange Web Client Access Publishing Rule wizard.
Select the version of Exchange and Outlook Anywhere as the service, and also select "Publish additional folders...". This adds the paths for OAB, EWS and Autodiscover.
Select "Publish a server farm of load balanced web servers".
Select "Use SSL to connect to the published web server or server farm".
The internal site name is important: enter a name that is on the certificate used by IIS on the Exchange server. That is not the certificate clients "see" when connecting to TMG from the Internet; this one is seen only by TMG, which checks it on every back-end connection.
Create a new Exchange server farm. Give it a name and add your Exchange server to it.
For connectivity monitoring, select "Send an HTTP/HTTPS GET request".
The farm is complete.
For the public name, enter the name this publishing rule will accept traffic on.
Select the Listener you created earlier.
For Authentication Delegation select Kerberos constrained delegation and change the SPN to "http/*"; TMG replaces the star with the FQDN of the farm member it forwards the request to.
On User Sets, select "All Authenticated Users". Change this to an AD group if you want to limit who is allowed to use the services you're publishing.
4. Configure Outlook Anywhere to use NTLM. Set-OutlookAnywhere needs the virtual directory identity, so pipe it from Get-OutlookAnywhere (this configures every CAS in the farm at once):
Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods 'Ntlm' -ClientAuthenticationMethod 'Ntlm'
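
Step 2 above is done by clicking through ADUC. The following is an added example, not from the original post, that does the same thing with the ActiveDirectory module (RSAT on Windows Server 2008 R2) and then verifies what actually landed in the directory, including the SPN check that ADUC never does for you. The host names, the domain name and the admin account name are assumptions.

```powershell
# Added example, not from the original post: do step 2 (KCD for the TMG
# computer account) with the ActiveDirectory module and verify the result.
# Host names, the domain and the admin account name are assumptions.
Import-Module ActiveDirectory

$tmgComputer     = 'TMG01'                 # assumed TMG host name
$exchangeServers = @('EXCH01')             # assumed CAS host name(s) in the farm
$domainDns       = 'corp.contoso.com'      # assumed AD domain DNS name

# ADUC's "Expanded" checkbox adds both the short-name and the FQDN form of the
# SPN. TMG replaces "http/*" with the farm member's FQDN, so the FQDN form is
# the one KCD will actually be asked for.
$spns = @()
foreach ($s in $exchangeServers) {
    $spns += "http/$s"
    $spns += "http/$s.$domainDns"
}

# 1. Each target name must resolve to exactly one account through its http/
#    or HOST/ SPN (HOST/ covers http for computer accounts). A missing or
#    duplicate SPN is the most common reason KCD fails with no useful error.
foreach ($s in $exchangeServers) {
    foreach ($name in @($s, "$s.$domainDns")) {
        $filter = "(|(servicePrincipalName=http/$name)(servicePrincipalName=HOST/$name))"
        $owners = @(Get-ADObject -LDAPFilter $filter)
        if ($owners.Count -ne 1) {
            throw "Expected one account holding the http/ or HOST/ SPN for $name, found $($owners.Count)"
        }
    }
}

# 2. "Trust this computer for delegation to specified services only": the
#    allow-list is the msDS-AllowedToDelegateTo attribute of the TMG account.
#    Only add what is missing, so the script can be rerun without errors.
$acct    = Get-ADComputer $tmgComputer -Properties 'msDS-AllowedToDelegateTo'
$missing = @($spns | Where-Object { $acct.'msDS-AllowedToDelegateTo' -notcontains $_ })
if ($missing.Count -gt 0) {
    $acct | Set-ADComputer -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
}

# 3. "Use any authentication protocol" = protocol transition
#    (TRUSTED_TO_AUTH_FOR_DELEGATION). Required because the Internet client
#    proved its identity to TMG with NTLM or Basic, never with a Kerberos ticket.
$acct | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Verify what is now in the directory.
$acct = Get-ADComputer $tmgComputer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation
if ($acct.TrustedForDelegation) {
    Write-Warning "$tmgComputer is trusted for UNCONSTRAINED delegation; that is far broader than KCD and should be removed"
}
"Protocol transition enabled: " + $acct.TrustedToAuthForDelegation
"Allowed delegation targets : " + ($acct.'msDS-AllowedToDelegateTo' -join ', ')

# 5. Protocol transition lets the TMG computer account obtain a service ticket
#    to the SPNs above as any user, without that user's password. Keep
#    privileged accounts out of that path with "Account is sensitive and cannot
#    be delegated" (the account name below is an assumption).
Get-ADUser 'exchange-admin' | Set-ADAccountControl -AccountNotDelegated $true
```

Run it once from a machine with RSAT as an account that may write to the TMG computer object. Step 1 is the check worth keeping around on its own: when KCD stops working after a server rename or a reinstall, a duplicate or missing SPN is usually the cause, and TMG's logs will only tell you that delegation failed.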

Why a farm of servers instead of a single server? With a farm you get connectivity monitoring of the published server: if TMG finds that the published server does not answer, it stops sending traffic to it. Flexibility is another reason. You never know what the future brings; servers may be added, changed or removed, and it is easier to change the farm membership than to redo the publishing rule.
The "Test Rule" button is really useful, but with KCD it often fails. One reason is a firewall between TMG and the published server, or on the published server itself, that blocks ports 445 and 139. TechNet has a good post about "Test Rule" failures.
Another failure shows up when Authentication Delegation is set to KCD with the SPN "http/*". The star tells TMG to substitute the published server's FQDN when it performs the KCD. Unfortunately TMG does not do this when you click "Test Rule"; my thought is that the function behind the button takes the text string as-is and does not translate the star into an FQDN, so KCD fails because TMG is not allowed to delegate to http/*. To test your configuration anyway, replace "http/*" with "http/x" where x is one of the delegation targets you allowed earlier. If you have several servers in the farm, change the SPN and test each published server in turn. When done, don't forget to change it back to "http/*".
One more plus: even with Basic authentication enabled on the Listener you can still use KCD on the Authentication Delegation tab, which is good for clients that do not know how to use NTLM.
advanced configuration with multiple CAS
The difference in this configuration is that we have a load balancer between TMG and the CAS. This gives us a couple of options: either a) configure TMG to send traffic to the load balancer, or b) configure TMG to send traffic directly to the CAS.
The problem with the first option is that the load balancer most likely sees everything coming from TMG and therefore does not distribute the traffic across all CAS but sends it to only one of them. This can be fixed with more sophisticated distribution algorithms on the load balancer, but for those to work we need to drop SSL between TMG and the load balancer and also allow HTTP to the CAS. We also get one more component to troubleshoot when something breaks. Another thing is the KCD configuration. Since there is no computer account for the load balancer, KCD has to be configured with a name that TMG can use for the delegation: add the SPN string to the msDS-AllowedToDelegateTo attribute of the TMG computer account, and configure that same invented name as the SPN on the Delegation tab of the publishing rule. The SPN (http/<load balancer name>) must also be registered on an account whose key the CAS servers hold, otherwise they cannot decrypt the ticket TMG presents; in Exchange 2010 SP1 that is what the Alternate Service Account credential is for. It is a valid configuration, but with that many moving parts I would not recommend it. The other option, TMG sending traffic directly to the CAS servers and bypassing the load balancer, is much easier to configure and troubleshoot.
The picture only shows a single TMG and a single load balancer, but there can in fact be multiple of each for redundancy and load distribution. Either way, it doesn't matter when you use KCD.
Connectivity monitoring
TMG periodically connects to the published server. How it connects depends on the connectivity monitoring configuration. We selected "Send an HTTP/HTTPS GET request" together with a URL, so TMG connects to that URL and, as long as it gets a response back, allows traffic through the rule.
If you publish Outlook Anywhere you will almost certainly publish a couple more paths than /rpc, such as /OAB, /EWS and /Autodiscover. The sad story is that TMG cannot monitor more than one URL. If we monitor /rpc, all the others can fail without TMG noticing, so TMG keeps sending traffic to a farm member even though, for example, EWS does not work on it.
One solution is an individual publishing rule for each service you publish. Another is to build your own: a script that monitors the services of your choice and simply creates a file in an IIS directory when every service works, or deletes the file when something is broken. In TMG we then point the monitoring URL at that file.
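
Here is the "create or delete a file" approach written out, as an added example that is not part of the original post. It probes every published Outlook Anywhere path on the local CAS and keeps a sentinel file that TMG's HTTP/HTTPS GET verifier points at. The CAS host name, the probed paths, the sentinel location and the event log source are assumptions; it sticks to PowerShell 2.0 (there is no Invoke-WebRequest on Windows Server 2008 R2) and is meant to run as a scheduled task on each CAS.

```powershell
# Added example, not from the original post: per-CAS health probe that
# maintains the sentinel file TMG's connectivity verifier fetches.
# Host name, paths, sentinel path and event source are assumptions.

$casFqdn   = 'exch01.corp.contoso.com'                  # assumed; must match the CAS IIS certificate
$paths     = @('/rpc/rpcproxy.dll', '/oab/', '/ews/exchange.asmx', '/autodiscover/autodiscover.xml')
$sentinel  = 'C:\inetpub\wwwroot\healthcheck\ok.html'   # assumed; TMG probes https://<casFqdn>/healthcheck/ok.html
$timeoutMs = 10000
$source    = 'CasHealthProbe'                           # assumed event log source

function Test-PublishedPath {
    param([string]$Url)
    # Only "no answer at all", a timeout or a 5xx counts as down. 401/403 are the
    # normal replies of an authenticated endpoint that is running, which is also
    # what TMG's own GET verifier treats as a healthy response.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method  = 'GET'
    $req.Timeout = $timeoutMs
    $req.UseDefaultCredentials = $true     # certificate validation is deliberately left on
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -eq $null) { return $false }
        $code = [int]$_.Exception.Response.StatusCode
    }
    return ($code -lt 500)
}

$failed = @()
foreach ($p in $paths) {
    if (-not (Test-PublishedPath -Url "https://$casFqdn$p")) { $failed += $p }
}

if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

if ($failed.Count -eq 0) {
    # Everything answered: (re)create the sentinel so TMG keeps this farm member in rotation
    $dir = Split-Path -Parent $sentinel
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Set-Content -Path $sentinel -Value ("OK " + (Get-Date -Format s))
} else {
    # Pull this CAS out of rotation by removing the file TMG probes, and record why
    if (Test-Path $sentinel) { Remove-Item $sentinel }
    Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 1001 `
        -Message ("Sentinel removed; failing paths: " + ($failed -join ', '))
}
```

The healthcheck directory needs anonymous access in IIS so TMG's verifier gets a 200 back, and the task has to run on every farm member, since each one maintains its own sentinel. The probe only decides up or down per path; it does not validate response content, which is the same limitation TMG's own GET check has.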
RPCping
If you have published Outlook Anywhere you can verify the configuration with rpcping.exe.
Be aware that rpcping has several parameters and you have to specify them correctly. Here is an example:
rpcping -t ncacn_http -s mapi.corp.contoso.com -o RpcProxy=oa.contoso.com -P "billg,contoso,Password2" -I "billg,contoso,Password2" -H 2 -u 10 -a connect -F 3 -v 3 -e 6001
This means: use RPC over HTTP (-t ncacn_http), connect to the RPC proxy name "oa.contoso.com" (-o RpcProxy=) and the internal server name mapi.corp.contoso.com (-s). The user name is billg, the password is Password2 and the NetBIOS domain name is contoso, given once for the RPC proxy authentication (-P) and once for the authentication to the internal server (-I). -H 2 selects NTLM for the HTTP layer and -u 10 selects NTLM as the RPC security package, which matches the NTLM configuration above. -e 6001 is the internal TCP port, one of the three ports used by Outlook Anywhere (the others are 6002 and 6004).
The other parameters (-a, -F, -v) aren't that easy to figure out, but you can read everything about them here: http://support.microsoft.com/kb/831051. Note that the password is on the command line, visible in the process list and in your command history, so use a test account rather than your own and change its password afterwards.

Wednesday, August 3, 2011

More proxyaddresses scripts

Remember the post about the Remove proxy addresses script? It was developed for Exchange 2007 and did not work with Exchange 2010.
People wrote comments with suggestions (thank you all for that), and I thought I'd publish an updated version that works with Exchange 2010, together with another script that adds SMTP addresses.
# Remove proxy addresses
# Change the Get-Mailbox statement below to select only a subset of mailboxes.
# Run from the Exchange 2010 Management Shell.

$DomainToRemove = "*@olddomain.com"

# Get the mailboxes and iterate through them
Get-Mailbox -ResultSize Unlimited | foreach {
    $mbx = $_
    $mbx.Alias
    $changed = $false
    # .EmailAddresses returns a collection. Walk it backwards so RemoveAt()
    # never shifts an entry we have not looked at yet. The last valid index is
    # Count-1; starting at Count (as the old script did) is out of range.
    for ($i = $mbx.EmailAddresses.Count - 1; $i -ge 0; $i--)
    {
        $address = $mbx.EmailAddresses[$i]
        # Only SMTP addresses are candidates; X400, X500 and SIP entries are left alone
        if ($address.PrefixString -eq "smtp" -and $address.AddressString -like $DomainToRemove)
        {
            if ($address.IsPrimaryAddress)
            {
                # Set-Mailbox refuses a collection without a primary SMTP address:
                # change the primary address first, then rerun for this mailbox
                Write-Warning ("Skipping primary address " + $address.AddressString + " on " + $mbx.Alias)
                continue
            }
            Write-Host ("Remove smtp address: " + $address.AddressString)
            # Remove the address from the collection
            $mbx.EmailAddresses.RemoveAt($i)
            $changed = $true
        }
    }
    # Save changes only when something was removed. If the mailbox has
    # EmailAddressPolicyEnabled set, an address generated by the policy will be
    # added again the next time the policy is applied.
    if ($changed)
    {
        $mbx | Set-Mailbox -EmailAddresses $mbx.EmailAddresses
    }
    Write-Host
}

And the Add proxy addresses script.

# Add proxy addresses
# Change the Get-Mailbox statement below to select only a subset of mailboxes.
# Run from the Exchange 2010 Management Shell.

$AddressSearchedFor = "*@domaintocopy.com"
$DomainToAdd = "@newdomain.com"

# Get the mailboxes and iterate through them
Get-Mailbox -ResultSize Unlimited | foreach {
    $mbx = $_
    $mbx.Alias
    $changed = $false
    # Snapshot the collection: we append to it inside the loop, so iterate a copy
    $current = @($mbx.EmailAddresses)
    $existing = @($current | foreach { $_.ProxyAddressString })
    foreach ($address in $current)
    {
        # Look for SMTP addresses in the source domain
        if ($address.PrefixString -eq "smtp" -and $address.AddressString -like $AddressSearchedFor)
        {
            # Take the local part (left of the @) of the address
            $localPart = $address.AddressString.Split("@")[0]
            # Lower-case "smtp:" adds a secondary address; "SMTP:" would make it primary
            $newAddress = "smtp:" + $localPart + $DomainToAdd
            # Skip addresses that already exist, so the script is safe to rerun
            if ($existing -contains $newAddress)
            {
                continue
            }
            Write-Host ("Adding smtp address: " + $localPart + $DomainToAdd)
            # Add the address to the collection
            $mbx.EmailAddresses.Add($newAddress)
            $existing += $newAddress
            $changed = $true
        }
    }
    # Save changes once per mailbox, after the loop
    if ($changed)
    {
        $mbx | Set-Mailbox -EmailAddresses $mbx.EmailAddresses
    }
    Write-Host
}

Friday, July 8, 2011

Exchange Server 2007 Service Pack 3 Update Rollup 4

UR4 for Exchange 2007 SP3 is now out. It contains several bug fixes; one in particular is the case where a Mac sends an attached PDF and Outlook cannot see it.

Read KB2509911 for the full list of bug fixes. Here is the download link

Friday, July 1, 2011

Outlook authentication popup when database move or failover

Have you noticed that when you run an Exchange 2010 DAG and move the active database to another node, Outlook throws an authentication prompt?

The behaviour according to many sources, including Microsoft, is that a move or failover should go almost unnoticed by the end user. Well, it does sometimes, but many times Outlook pops up the authentication prompt.

I messed around in my lab with all kinds of configurations and discovered that the prompt is for the Outlook Anywhere URL. This makes some sense, because the database goes offline and then another copy goes online. This takes a short moment, but the only component that should notice is the CAS; Outlook should still have its connection to your hardware load balancer, or to the CAS if you don't have an HLB. So if Outlook is aware that a database goes offline, this is kind of valid.

To try things a little more I configured the system not to resolve the Outlook Anywhere URL when connected to the internal network, and then I did a move of the active database again. I was very surprised that Outlook still popped up for the Outlook Anywhere URL without being able to resolve it in DNS, let alone connect to it.

I figured there must be some caching going on, and to be safe I simply rebooted everything. But Outlook behaved the same, prompting me for credentials for a URL that could not be reached.

Finally I poked around in the configuration and decided to change the authentication scheme for Outlook Anywhere to Windows Integrated. I did not have a TMG or UAG in the system, so I did not need to configure Kerberos Constrained Delegation (that's another story).

I placed an Outlook on the outside of the network and things went smoothly; NTLM let me in directly with my cached domain credentials.

I moved Outlook to the internal network and everything still worked as it should. Finally I did a move of the active database to another server. Outlook did not even blink, well almost: it said it was not connected and then a couple of seconds later it said connected again.

This must be one of the rare occasions when everything worked as it should according to the various sources. I did about 20 more moves of the active mailbox database and not a single time did Outlook give me an authentication prompt.

Then I reconfigured Outlook Anywhere to use Basic (clear text) authentication again and moved the database back and forth, and about half the time Outlook gave me the annoying authentication prompt.

I did some more testing with various setups and different versions of Outlook, but the behaviour is the same: when Outlook Anywhere is configured with Basic (clear text) I get authentication prompts, and when configured with Windows Integrated everything works without a hiccup.

Are there any drawbacks to configuring Windows Integrated authentication on Outlook Anywhere? Yes, there are. If you have ISA/TMG/UAG doing Kerberos Constrained Delegation against your CAS, everything must belong to the same Windows domain. Well, not exactly everything, but all accounts used in the process, that is the computer and user accounts.
This means that if you have multiple forests or multiple domains and publish Outlook Anywhere with pre-authentication on TMG/UAG, you're almost forced to use Basic authentication.

More information about Kerberos Constrained Delegation will be posted in a later post.

Thursday, June 30, 2011

Office 2010 Service Pack 1

Together with the release of Microsoft Office 365, Microsoft also released SP1 for Office 2010.

Read KB2460049, Description of Office 2010 SP1.

Download links are found in KB2510690, List of all Office 2010 SP1 packages.

Exchange Server 2010 Service Pack 1 Update Rollup 4

UR4 for Exchange 2010 SP1 fixes several bugs, both things that users see and things that only Exchange admins see.
Information about the update is found in KB2509910.

Thursday, April 28, 2011

Schedule your Exchange 2010 scripts

If you're running Exchange you most likely want to run scripts on a regular basis.

Here is how you schedule an Exchange 2010 Management Shell script with Task Scheduler.

Copy your script file into a folder of your choice, e.g. c:\script\script.ps1

The most tricky part is how to actually start the PowerShell script. This is set on the Actions tab.
Create a new action with "Start a program" and for Program/script enter the path to powershell.exe:
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

For the "Add arguments" textbox, enter
-Command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\script\script.ps1"

RemoteExchange.ps1 is the script the Exchange Management Shell shortcut itself runs; together with Connect-ExchangeServer -auto it opens a remote PowerShell session to an Exchange 2010 server, so the task account's RBAC roles apply. The last part is the path to your script.

Several settings on the job depend on what your script does.
You might need to run it with highest privileges, configure it for Windows 7 / Windows Server 2008 R2, etc.

If you know that your script normally takes 5 min to run, it's good practice to set the task to stop it if it runs much longer, and to not start a new instance while one is already running.

Another handy thing is to have the script load the Exchange snapin itself instead of having the task load it. Note that loading the snapin directly gives you the local cmdlets without the RBAC checks a remote session enforces, so the task account needs the underlying Active Directory and Exchange permissions, and it is not a method Microsoft supports for Exchange 2010.
Here is an example.

# some Exchange script
# bla bla.

# Use an absolute log path: a scheduled task does not start in the script's folder.
$LogFile = "C:\script\scriptlogfile.log"

# Load the Exchange snapin if it's not already present.
function LoadExchangeSnapin
{
    if (! (Get-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction:SilentlyContinue) )
    {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction:Stop
    }
}


# The meat of the script!
&{

    "*** some Exchange Script started ***" >> $LogFile
    [DateTime]::Now >> $LogFile

    # Load the Exchange cmdlets.
    LoadExchangeSnapin

    # the rest of the script

    [DateTime]::Now >> $LogFile
    "*** some Exchange Script ended ***" >> $LogFile
}
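
The whole procedure, registered from the command line instead of the Task Scheduler GUI, as an added example that is not part of the original post. It writes a script that opens the remote Exchange session itself (so the task needs no nested -Command quoting and the account's RBAC roles apply), registers the task with schtasks.exe, which is what Windows Server 2008 R2 has, and gives the task account only the rights the script needs. The task name, the service account, the report the script produces and the role group are assumptions; the folder and file names are the ones used in the post.

```powershell
# Added example, not from the original post: register the scheduled task with
# schtasks.exe and run it as a dedicated, minimally privileged account.
# Task name, account and the report itself are assumptions.
$scriptDir  = 'C:\script'
$scriptPath = Join-Path $scriptDir 'script.ps1'
$taskName   = 'Exchange\Nightly-MailboxCount'        # assumed
$runAs      = 'CONTOSO\svc-exscript'                  # assumed dedicated, non-admin account
$powershell = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# The script opens the remote Exchange session itself, so the task's command
# line is just "-File <path>" and the account's RBAC roles are enforced.
$body = @'
. 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'
Connect-ExchangeServer -auto
$log = 'C:\script\scriptlogfile.log'
("*** mailbox count started " + [DateTime]::Now) | Out-File $log -Append
try {
    # the real work goes here; this one just counts mailboxes per database
    Get-MailboxDatabase | ForEach-Object {
        $n = @(Get-Mailbox -Database $_.Name -ResultSize Unlimited).Count
        ("{0}: {1} mailboxes" -f $_.Name, $n) | Out-File $log -Append
    }
    $exitCode = 0
} catch {
    ("ERROR: " + $_) | Out-File $log -Append
    $exitCode = 1      # non-zero so Task Scheduler's "Last Run Result" shows the failure
}
("*** mailbox count ended " + [DateTime]::Now) | Out-File $log -Append
exit $exitCode
'@
if (-not (Test-Path $scriptDir)) { New-Item -ItemType Directory -Path $scriptDir | Out-Null }
Set-Content -Path $scriptPath -Value $body

# /RP * prompts for the password instead of leaving it in the command history.
# /RL HIGHEST is "Run with highest privileges". Keep both paths free of spaces;
# with spaces they would need \" escaping inside the /TR string.
schtasks.exe /Create /F /TN $taskName /SC DAILY /ST 02:00 /RU $runAs /RP '*' /RL HIGHEST `
    /TR "$powershell -NonInteractive -File $scriptPath"

# Show what was registered, including the account it runs as
schtasks.exe /Query /TN $taskName /V /FO LIST

# Least privilege (run this part in the Exchange Management Shell): a read-only
# role group is enough for this report; the account does not need to be in
# Organization Management.
Add-RoleGroupMember 'View-Only Organization Management' -Member 'svc-exscript'
```

The "stop the task if it runs longer than" and "do not start a new instance" settings the post mentions are not on the schtasks /Create command line; set them on the Settings tab afterwards, or export the task to XML, add them there and re-import it.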


Wednesday, April 6, 2011

Powershell multi-value attributes

Now and then you will have to handle multi-valued properties in the Exchange Management Shell (EMS). This can be a little tricky if you don't know how to do it.

I will give some examples to highlight the different syntaxes you can use. I will use the RemoteIPRanges attribute of a Receive Connector, but the examples apply to any multi-valued attribute.

Adding some IP ranges. Note that this overwrites every IP range already present on the connector:
Set-ReceiveConnector <Connector name> -RemoteIPRanges "192.168.10.10", "192.168.10.11"

List the multi-valued property (the opening parenthesis matters; it is what makes .RemoteIPRanges apply to the connector object):
(Get-ReceiveConnector <Connector name>).RemoteIPRanges

Adding an additional IP. First save the current ranges into the $range variable, add the new value to $range, and then write $range back to the Receive Connector:

$range = (Get-ReceiveConnector <Connector name>).RemoteIPRanges
$range += "192.168.10.12"
Set-ReceiveConnector <Connector name> -RemoteIPRanges $range

Removing an entry is not the mirror image of adding: PowerShell has no -= for arrays or collections, so filter the value out and write the result back instead:

$range = (Get-ReceiveConnector <Connector name>).RemoteIPRanges | Where-Object { $_.ToString() -ne "192.168.10.12" }
Set-ReceiveConnector <Connector name> -RemoteIPRanges $range

Because you have all entries in the $range variable you can do things like copy the ranges from one connector to another:

$range = (Get-ReceiveConnector <Connector name>).RemoteIPRanges
Set-ReceiveConnector <another Connector name> -RemoteIPRanges $range
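
The read-modify-write pattern above works, but Exchange 2010 also accepts a hashtable of the form @{Add=...; Remove=...} for any multi-valued parameter, which changes only the entries you name. The following is an added example, not from the original post, that wraps that syntax in idempotent add and remove helpers and goes one step further than the post: it refuses to add a range wider than an assumed /24, because a relay connector whose RemoteIPRanges is too broad is an open relay. The connector name, the addresses and the threshold are assumptions.

```powershell
# Added example, not from the original post: idempotent add/remove of
# RemoteIPRanges with the @{Add=;Remove=} syntax, plus a width check.
# Connector name, addresses and the /24 threshold are assumptions.
$connector = 'EXCH01\Relay from application servers'     # assumed

function ConvertTo-IPNumber {
    # IPv4 dotted quad -> integer, so start/end of a range can be subtracted
    param([string]$Ip)
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Get-RangeSize {
    # Number of addresses in "a.b.c.d", "a.b.c.d/nn" or "a.b.c.d-w.x.y.z"
    param([string]$Range)
    if ($Range -match '^(.+)/(\d+)$') { return [int64][math]::Pow(2, 32 - [int]$matches[2]) }
    if ($Range -match '^(.+)-(.+)$')  { return (ConvertTo-IPNumber $matches[2]) - (ConvertTo-IPNumber $matches[1]) + 1 }
    return 1
}

function Add-RemoteIPRange {
    param([string]$Identity, [string[]]$Ranges, [int64]$MaxSize = 256)
    $current = @((Get-ReceiveConnector $Identity).RemoteIPRanges | ForEach-Object { $_.ToString() })
    $new = @()
    foreach ($r in $Ranges) {
        if ((Get-RangeSize $r) -gt $MaxSize) { throw "Refusing $r on ${Identity}: wider than $MaxSize addresses" }
        if ($current -notcontains $r) { $new += $r }     # skip what is already there
    }
    # @{Add=...} appends to the list; -RemoteIPRanges "a","b" would replace it
    if ($new.Count -gt 0) { Set-ReceiveConnector $Identity -RemoteIPRanges @{Add = $new} }
    return $new
}

function Remove-RemoteIPRange {
    param([string]$Identity, [string[]]$Ranges)
    # @{Remove=...} takes out only the named entries and leaves the rest untouched
    Set-ReceiveConnector $Identity -RemoteIPRanges @{Remove = $Ranges}
}

Add-RemoteIPRange -Identity $connector -Ranges '192.168.10.12', '192.168.20.0/24'
Remove-RemoteIPRange -Identity $connector -Ranges '192.168.10.12'
(Get-ReceiveConnector $connector).RemoteIPRanges
```

Add-RemoteIPRange returns the entries it actually added, so a second run with the same input returns nothing and makes no change. Raise $MaxSize deliberately, per call, if a connector really needs a wider range; the point of the default is that nobody adds 0.0.0.0-255.255.255.255 to a relay connector by accident.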

Thursday, February 17, 2011

Question about Exchange licensing?

A lot of the questions I get are about licensing: when do I need an Enterprise CAL, can I create a Database Availability Group with the Standard edition, etc.

Well, Microsoft has a good page describing all the alternatives and options: Microsoft Exchange Server 2010 Licensing

Tuesday, February 1, 2011

Lync 2010 cumulative update 1 – Jan 2011

Lync CU1 Jan 2011 updates

Software                                        KB
Lync 2010 (32 and 64 bit)                       2467763
Lync Server 2010                                2493736
Lync 2010 Phone Edition (Tanjay)                2493722
Lync 2010 Phone Edition (Aries-Aastra)          2493724
Lync 2010 Phone Edition (Aries-Polycom)         2493723
Lync 2010 Attendee (Admin Install)              2467762
Lync 2010 Attendee (User mode install)          2467761
Lync 2010 Attendant (32 & 64 bit, one patch)    2467760
Lync 2010 Group Chat Client                     2467765
Lync 2010 Group Chat Admin                      2467764

Happy patching