Archive for February, 2010

Redirecting to OWA & HTTP to HTTPS Automatically

Posted in Exchange Server on February 23, 2010 by Karim Hamdy

Most customers require automatic redirection from HTTP to HTTPS and to the OWA virtual directory. Here is how to do it:

Redirecting to OWA Virtual Directory :

  1. Start the Internet Information Services (IIS) Manager snap-in.
  2. Expand the local computer, expand Sites, and then click Default Web Site.
  3. At the bottom of the Default Web Site Home pane, click Features View if this option is not already selected.
  4. In the IIS section, double-click HTTP Redirect.
  5. Click to select the Redirect requests to this destination check box.
  6. Type the absolute path of the /owa virtual directory. For example, type https://mail.contoso.com/owa.
  7. Under Redirect Behavior, click to select the Only redirect requests to content in this directory (not subdirectories) check box.
  8. In the Status code list, click Found (302).
  9. In the Actions pane, click Apply.
  10. For the new settings to take effect, open a Command Prompt window, and then type iisreset /noforce to restart IIS.

Redirecting to HTTPS from HTTP :

Open Notepad, create a new file, and paste the following code into it:

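<!-- beginning of HttpRedirect.htm file -->
<script type="text/javascript">
// Rebuild the requested address with the https scheme and navigate to it.
// Only hostname and pathname are carried over; any port or query string is dropped.
function redirectToHttps()
{
var httpURL = window.location.hostname + window.location.pathname;
var httpsURL = "https://" + httpURL;
window.location = httpsURL;
}
redirectToHttps();
</script>
<!-- end of HttpRedirect.htm file -->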


Save it as “HttpRedirect.htm”.

Now go to IIS Manager and create a new error page with status code 403.4.

For the response action, click Insert content from static location, and for the file path enter the path to HttpRedirect.htm.

From the Actions menu, click Edit Feature Settings, select Custom Error Page, set the default page to the HttpRedirect.htm file path, and that’s it.

Check Out the Photos for more info.

Exchange 2010 ActiveSync Issue

Posted in Exchange Server on February 22, 2010 by Karim Hamdy

Today I faced an issue regarding ActiveSync in Exchange 2010: users could not connect to ActiveSync. After checking Event Viewer, the following error was found:

Exchange ActiveSync doesn’t have sufficient permissions to create the “CN=<name>,OU=<OU Name>,DC=****,DC=****,DC=***” container under Active Directory user “Active Directory operation failed on <server>. This error is not retriable. Additional information: Access is denied.

The event was logged with Event ID 1053. After searching, it appears that this user does not have permissions on Exchange Servers, so here is how to resolve it.

Open Active Directory Users and Computers > Advanced Features > open the user account Properties > Security > Advanced > select Exchange Servers, and tick the Include inheritable permissions toggle, then Apply and OK.

This seems to be a bug when upgrading from Exchange 2003 to Exchange 2010, although newly created users do not suffer from this issue.

Installing RU1 for Exchange 2010

Posted in Exchange Server on February 17, 2010 by Karim Hamdy

When installing RU1 for Exchange 2010, you might get Error 1603 in Event Viewer and the installation ends for no apparent reason. All you have to do is install the RU from an elevated PowerShell.

Also, if “Creating native images for .NET assemblies” takes a long time, you have two choices: either expose the Exchange server to the Internet to allow it to download CRL files, or disable this option in IE:

Tools \ Internet Options \ Security \ Check for Publishers Certificate Revocation

OCS & CCM

Posted in OCS/UC on February 14, 2010 by Ahmed Elnaggar

Last week, I was at a multinational IT company to deploy an OCS 2007 R2 server (Office Communications Server 2007 R2). This company wanted to use the OCS service to decrease costs and to use OCS features that would help with the company’s needs and employees’ connections.

They decided to implement OCS 2007 R2 Standard Edition because they would test OCS features in a narrow scope, with a small number of the company’s employees, and they wanted to implement the Mediation Server. But the company depends on a Cisco Call Manager server as its IP telephone system, and they wanted to make a migration between OCS & CCM to enable users to send and receive calls using their phone devices without needing OCS handsets.

So, as the OCS implementer, I needed to migrate OCS with CCM. I needed a SIP (Session Initiation Protocol) trunk to enable this migration process.

Now, I can say with a lot of confidence that the most critical step in this OCS implementation was the migration process between OCS & CCM via this SIP trunk, because we must be sure that this trunk is really initiated correctly, and we must keep in mind that if the migration process fails, we will be in () case. Why?

We will think in two ways: first, does the failure belong to the Mediation Server configuration? Second, does the failure belong to the SIP trunk configuration on the CCM server? So, we should keep in mind that we have to take care when initiating the SIP trunk.

For more details, kindly find below our documentation for creating a SIP trunk in the CCM console.

Re-enable Disabled Mailbox

Posted in Exchange Server on February 13, 2010 by Karim Hamdy

When you accidentally disable the mailbox of a certain user, you go to the disconnected mailboxes and look for it, and it isn’t there! This can be a problem, especially when the disabled mailbox belongs to a CEO or a director. Here is the way to get it back:

From PowerShell, run the following command:

Clean-MailboxDatabase "Database Name"

The mailbox should then appear in the disconnected mailboxes section in EMC, and you can reconnect it.

Error details: MapiExceptionNotFound: Unable to delete mailbox. (hr=0x8004010f, ec=-2147221233)

Posted in Uncategorized on February 13, 2010 by Mahmoud Magdy

Hi,
Today we met a weird issue. We were in the middle of a migration from Exchange 2003 to Exchange 2010; mailboxes were moved to Exchange 2010, but the source mailbox wasn’t deleted, and the move request completed with the following warning: Error details: MapiExceptionNotFound: Unable to delete mailbox. (hr=0x8004010f, ec=-2147221233)

To solve this issue, please apply Service Pack 2 to the Exchange 2003 servers, apply Rollup Update 1 to Exchange 2010, and apply the following hotfix to the Exchange 2003 servers: http://support.microsoft.com/kb/940012

The issue should then be resolved.
Mahmoud

Enabling NLA on Windows XP for Win 2008 Terminal Services

Posted in Active Directory on February 12, 2010 by Karim Hamdy

When connecting to a Windows 2008 Server using remote desktop from a Windows XP client running service pack 2 or earlier, you get the following error message:

The remote computer requires Network Level Authentication, which your computer does not support.

To enable NLA on XP machines, first install XP SP3, then edit the registry settings on the XP client machine to allow NLA:

• Configure Network Level Authentication

1. Click Start, click Run, type regedit, and then press ENTER.
2. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. In the details pane, right-click Security Packages, and then click Modify.
4. In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
5. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
6. In the details pane, right-click SecurityProviders, and then click Modify.
7. In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
8. Exit Registry Editor.
9. Restart the computer.
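
Steps 2 to 7 can also be scripted so that the existing SSP entries are preserved and a second run changes nothing. The following is an added example, not part of the original post; it assumes Windows PowerShell has been installed on the XP SP3 client and is run as an administrator, and the two function names are hypothetical helpers.

```powershell
# Added example: append the CredSSP entries from steps 2-7 without
# overwriting the packages and providers that are already registered.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$provKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

# "Security Packages" is a multi-string value: one package name per entry.
function Add-MultiStringEntry {
    param([string]$Path, [string]$Name, [string]$Entry)
    $current = @((Get-ItemProperty -Path $Path -Name $Name).$Name | Where-Object { $_ })
    if ($current -contains $Entry) { return $false }          # already present
    Set-ItemProperty -Path $Path -Name $Name `
        -Value ([string[]]($current + $Entry)) -Type MultiString
    return $true
}

# "SecurityProviders" is a single string holding a comma-separated DLL list.
function Add-CommaListEntry {
    param([string]$Path, [string]$Name, [string]$Entry)
    $raw   = [string](Get-ItemProperty -Path $Path -Name $Name).$Name
    $items = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($items -contains $Entry) { return $false }            # already present
    Set-ItemProperty -Path $Path -Name $Name `
        -Value (($items + $Entry) -join ', ') -Type String
    return $true
}

$pkgChanged  = Add-MultiStringEntry -Path $lsaKey  -Name 'Security Packages' -Entry 'tspkg'
$provChanged = Add-CommaListEntry   -Path $provKey -Name 'SecurityProviders' -Entry 'credssp.dll'

# Print the resulting values so they can be reviewed before the restart.
(Get-ItemProperty -Path $lsaKey  -Name 'Security Packages').'Security Packages'
(Get-ItemProperty -Path $provKey -Name 'SecurityProviders').SecurityProviders

if ($pkgChanged -or $provChanged) {
    'Registry updated. Restart the computer (step 9).'
} else {
    'Both entries were already present; nothing was changed.'
}
```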

If you get the error “An authentication error has occurred (Code: 0x80090303)”, all you have to do is request the following hotfix from Microsoft:

http://support.microsoft.com/kb/953760

Immediately Rebuild OAB

Posted in Exchange Server on February 11, 2010 by Mahmoud Magdy

Sometimes you want to immediately rebuild the Exchange OAB. To do that, please follow the steps below:
1. Run Update-OfflineAddressbook "offline address book" in EMS.
2. Restart the System Attendant service on the OAB generation server (Mailbox server).
3. Either run the command Update-FileDistributionService CASServerName in EMS, or just restart the File Distribution service on the CAS server.

Introducing Ingazat Member: Mahmoud Magdy Bio

Posted in Ingazat/Ingazat News on February 10, 2010 by Mahmoud Magdy

Hello,
I am proud to write the first post introducing myself to you. I am Mahmoud Magdy, Tech Lead at Ingazat Information Technology.

Currently I work at Ingazat; my job is a combination of Architect, Business Development Manager and Technical Evangelist.

I worked before for several firms: I worked for 4 years for Global Knowledge, then joined Microsoft Consulting Services in the Gulf as a regional consultant, then moved to a real estate company as Infrastructure Manager, before joining Ingazat.

My main competencies are UC including Exchange and OCS, Active Directory, System Center and Forefront. I started recently to work with ILM and FIM and built very solid skills with them, and hopefully I will blog about them.

I am CCNP, MCITP (Windows 2008, Exchange 2007), MCTS (System Center, OCS), CCA (Citrix) and hold lots of other technical certificates.

I will let my other colleagues introduce themselves, each in his turn. Please follow this blog, as cool stuff will be published here soon.

Mahmoud

Dude, Where is my Backup – Understanding Exchange 2010 backupless Configuration

Posted in Exchange Server on February 9, 2010 by Mahmoud Magdy

When I started writing this post, I couldn’t get the movie “Dude, Where’s My Car?” and its events out of my head for two reasons.   The first reason is that the conundrum the film’s characters find themselves in reminds me of a similar event in which one of my customers experienced an Exchange disaster and I was brought in to assist.  I realized straightaway the client needed to perform a backup, and when I informed the Exchange Administrator of this he frantically turned to his Backup Administrator and asked him, ‘Dude, where’s my backup?!’  

The second reason I could not shake this movie from my mind while writing this piece is because the same clueless looks that the film’s starring actors had on their faces were identical to the look on the face of the Backup Admin when asked that infamous question.  In fact, I see that look on many of my customers’ faces when I ask them to restore an Exchange backup set for me! 

Backups in Exchange have always been a point of concern for me due to my experiences while working as an Infrastructure Manager. In one instance I thought I had done everything I should have: I had everything in place, our Exchange was up and running and I assigned a team to back up Exchange, AD, SQL and most of our critical systems. We tested the restore steps and everything ran smoothly, but when we had a disaster you can already predict what happened – we experienced another backup set failure which cost us two hours of downtime.

The secret to successfully restoring Exchange has always been a mystery. A successful restore, even for an Exchange guru, is a tedious task! We are fortunate that today we have assistance in the form of DB portability, PowerShell, and wizards for backups and restores; but even with this help, the task of restoring Exchange remains tedious.

Other issues that arose with the introduction of Exchange 2007 were the single item and single mailbox restoration.  It is now possible to restore a single mailbox, or better yet a single item, but clever software is needed to perform the task.  You must also properly train and prepare your IT staff, and remember that the software and hardware requirements for either type of restoration are expensive.   You must carefully compare your options when purchasing decent backup software since their prices can be high.

You say you want a revolution…

Well you know, when Microsoft introduced Exchange 2010 that’s exactly what they brought. For the first time, Microsoft is recommending that administrators perform backup-less deployments. When I heard that I laughed out loud, as I am sure many of you are doing now, since for years as consultants and as customers we have always been told to back up everything, most importantly our Exchange data. So just exactly how will this revolution of backup-less Exchange deployments change the world?

So Microsoft has a real solution…

Would you like to hear the plan? If you are shocked by this new recommendation then let me set your mind at ease : ‘it’s gonna be alright.’ If you feel like it will take awhile for you to trust Microsoft’s recommendation then you are not alone.  It took me, a technically savvy (and extremely humble) guy nearly 3 months to accept this fact, but what it really took was for me to design a backup-less configuration for the first time.  After designing this configuration I have learned the benefits of going backup-less, so please join me as I explain them to you.

Backups’ Background:

Historically, I have always considered Exchange backups to be more important than Exchange itself. ‘Why?’ you might ask. My answer is multi-fold: because it guarantees that I will be back online in the blink of an eye if the system goes down. Plus, it will enable me to recover items for users that have been hard deleted, and more importantly this is the only way to flush and delete the logs of the mailbox database (previously this was tied to the Storage Group). The other not-so-popular method of deleting such logs is known as circular logging.

Backup in Exchange 2003 was straightforward, but with Exchange 2007 Microsoft introduced the concept of database copies, which provided a new way to back up your Exchange data.

Now you can perform a backup from the passive copy, which spares the online copy enough load to help you discern what it is suffering from (i.e. IOPS, user access, AV scan). When you back up the passive copy and that backup is complete, the database is marked as backed up and logs are deleted from both the passive and the active copy.

As mentioned previously, doing Exchange backups historically required costly backup software as well as hardware, including storage, backup tapes, tape libraries, and backup hassle.

Microsoft made a bold decision to change the Exchange world by introducing backup-less configuration, which I will now discuss in more detail.

Less is more, don’t you agree?

What does backup-less really mean? It simply means that you do not have to back up your Exchange data, or at the very least it gives you the ability, for the first time, to not have to back it up.

I can completely understand many of you doubting that this is in fact a possibility, to never have to back up your Exchange data, but before you make your decision let us explore backup-less architectures and learn how they really work.

Backup-Less Architecture:

As stated above, backup in E12 could be done from the passive copy, but this is only true for CCR or LCR. At the time, this was a viable option: back up the passive node, and once the backup is done the passive copy updates the database header and notifies the active node, and the active node deletes the logs.

Issues to consider before designing or deploying a Backup-less configuration:

–          Data protection, Database health, Database recovery.

–          What to do when you lose data.

–          How to delete your logs.

–          How to restore items and mailboxes like before.

In order to address these issues, you must understand how Backup-less Configurations work:

When you want to configure Exchange as backup-less, you should have at least two copies of the data (Active/Passive). Microsoft recommends doing backup-less with more than 3 copies (Active/Passive/Passive configuration). In order to configure your infrastructure to be backup-less, you must have three copies of the data and configure circular logging on the mailbox database.

I can hear you saying, ‘Circular logging?! No way!’ And I understand your reaction, but keep in mind we never do circular logging unless we have strong reason to, so let us see how circular logging works with backup-less.

Real World Example:

To illustrate how circular logging works with backup-less, let us consider the following example:

You have a mailbox store called MB1 that has 3 copies, on Servers 1, 2 and 3. MB1 is active on Server 1 and has two passive copies on Servers 2 and 3. Now you want to configure it as backup-less. All you have to do is configure the mailbox database to do circular logging, and once you do so Exchange will change its architecture slightly and perform circular logging in another way.

When ordinary circular logging is enabled on a database, the logs are written to the hard disk, and once the data is committed to the database, the logs are flushed. In backup-less (DAG environment only) this Exchange behavior changes: logs are written but are not flushed until they have been replicated and marked as checked at the other database copies.

To understand this, let us go back to our example: MB1 has log E01 that is waiting to be written. E01 is written to the DB, and now it is held on Server 1, where before it would have been flushed.

Server 1 replicates E01 to Server 2. Server 2 copies the log (which still remains on Server 1), checks it, marks it as healthy/inspected, and notifies Server 1. Server 1 does the same with Server 3, and once Server 3 verifies its copy and reports to Server 1 that its copy of E01 is healthy/inspected, Server 1 deletes and flushes the log.

There are 2 questions that might arise at this point:

–          Why didn’t Exchange wait until the log is replayed at Server 2 and Server 3?

–          Does Server 1 wait until it replicates the data to all of its adjacent servers? (In our example server 2 and server 3)

The answer to the first question is that Exchange will not wait for the log replay because you might have a lagged replay configured on your DB copy. This means that you might replay the logs 48 hours later, which translates into huge numbers of logs for Exchange.

I do not have a confirmed answer to the second question yet, but if you attended an Exchange 2010 Advanced storage session you will know that an Exchange server can recover and resend the logs, and even better, the specific bits in case of database corruption. But if Server 1 deletes its logs and the same for Server 2, then where does Server 3 get its logs from?

Hopefully by now the answer to that question is a little bit clearer. Exchange now has a self-based mechanism to flush its logs, but backup-less configuration is not a specific setting that you assign to Exchange. By that I mean you don’t go to the options page and check a box stating that this is a backup-less organization; rather, this is a group of configurations that you apply to Exchange so you can deploy a backup-less configuration. It is important to remember that this behavior is the same if you have 2 copies and do circular logging, even if you do back up.
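
Because backup-less is a group of settings rather than one switch, it helps to check the prerequisites before turning circular logging on. The following is an added example, not from the original article; it is meant for the Exchange Management Shell, uses the article's sample database name MB1, and treats "three copies, all Mounted or Healthy" as the condition, which is an assumption drawn from the text above.

```powershell
# Added example: enable circular logging on a DAG database only when the
# copy layout the article calls for is actually in place.
$dbName    = 'MB1'   # sample database name from the article
$minCopies = 3       # Active/Passive/Passive

$db     = Get-MailboxDatabase -Identity $dbName
$copies = @(Get-MailboxDatabaseCopyStatus -Identity $dbName)

# Show what the decision is based on: state and replication backlog per copy.
$copies | Format-Table Name, Status, CopyQueueLength, ReplayQueueLength -AutoSize | Out-Host

# A copy is usable only if it is the mounted active copy or a healthy passive copy.
$bad = @($copies | Where-Object { 'Mounted', 'Healthy' -notcontains "$($_.Status)" })

if ($copies.Count -lt $minCopies) {
    Write-Warning "$dbName has $($copies.Count) copies; $minCopies are needed. Circular logging left unchanged."
}
elseif ($bad.Count -gt 0) {
    $names = ($bad | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Copies not Mounted/Healthy: $names. Circular logging left unchanged."
}
elseif ($db.CircularLoggingEnabled) {
    "Circular logging is already enabled on $dbName."
}
else {
    Set-MailboxDatabase -Identity $dbName -CircularLoggingEnabled $true
    "Circular logging enabled on $dbName."
}
```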

There are several pertinent questions that we should answer one at a time:

–          What about the health of my Database, Database availability, and uptime?

Exchange 2010 has a self-healing mechanism. What that means is that if page No. 485950 gets written to a bad block, or gets corrupted logically or physically, then Exchange 2010 can replicate this page from another server by copying only the required page with the next replication cycle. This keeps the Exchange database healthy and minimizes the replication requirements.

If Exchange cannot make the active database healthy, then we have DAGs that pick the best available copy and make it the active copy. Typically if a physical server failed, a hard disk failed, or a database failed physically or logically, you would not need your backup since you already have two copies. This means you don’t need your backup! (Are you becoming a backup-less fan yet?)

Now the other dimension is minimizing the storage cost. Since you have three copies of the database, and since Exchange 2010 has 70% fewer IOPS, you no longer need expensive SCSI disks, or even a SAN. I recommend using a JBOD configuration, which is much more cost effective than any other storage option. Thus, in a backup-less configuration, you can have three copies of your data and reduce both the backup software and hardware cost. (Considering jumping on the backup-less bandwagon now?)

–          What should I do if I want to replace a single item or a mailbox?

Before answering that, first ask yourself how many times as an Exchange admin you had to do that (restore an item or mailbox for a user). In my career, I only had to do it at most three to five times. It might be different in your organization, but in general most Exchange administrators do not need to do that on a regular basis.

Since we have cheaper storage we can increase the mailbox store dumpster. It is set at 14 days by default, but now you can increase it and ask the users to recover their mailbox store. You can also use the new RBAC (role-based access control) model and give helpdesk personnel the permission to search the Exchange dumpster and perform discovery within it using PowerShell in order to recover items for users, meaning you as the Exchange Admin do not have to!

–          Don’t I need a backup at all?

I will not say that you don’t need to back up the Exchange system at all, but you might want to consider backing it up as a second layer of protection. If you do perform a backup-less configuration, then your first line of defense is not the backup sets any more; it is your Exchange 2010 backup-less configuration. In other words, it is done automatically.

I know that after being told for years to back up everything, most especially Exchange data, it will be difficult to change your thinking radically with a single article. You probably have legislation that makes you comply with a 3-year restore SLA. But if you are one of the Exchange admins who do not have to abide by such legislation, then you should consider a backup-less configuration.

Hopefully you now understand the architecture change of the circular logging, DAGs, and how to do backup-less configurations. Backup-less configuration is still an undocumented feature of Exchange 2010 and you will not find much information about it. My recommendation is that you open your mind to the idea and take care in calculating the total cost required for backup gear as compared to the B-less cost, without forgetting their technical and operational requirements as well. I cannot say that backup-less is for everyone, but it is a great option that can save you money, and one you should give decent thought to.

I look forward to bringing you another thought-provoking article within a month, and until that time I wish you the best uptimes and the fastest Exchange servers!