Wednesday, August 27, 2008

WHY the 32-BIT Version of Exchange 2007 Cannot Be Used for Production?

The 32-bit version is designed for testing and lab environments and is not supported for production. What happens when the 32-bit version expires? Do you have to give up your lab and rebuild it all over again? This is the question I was asked, and I am providing some information below to make it clear for all of us.

  • The 32-bit version of Exchange Server 2007 has no option in the EMC to enter a product key.
  • The 32-bit version only comes as a 30-day or 90-day trial.
  • Exchange itself does not stop working when the trial expires; you can even upgrade an expired Trial Edition of Exchange 2007 RTM to SP1.
  • In the 32-bit version there is no Exchange Management Console interface for entering a product key, because you cannot purchase 32-bit licenses.
  • http://technet.microsoft.com/en-us/bb232170.aspx
  • Anti-spam updates do not work with the 32-bit version.

Evaluations and Product Keys


  • When you install Exchange 2007, it is unlicensed and referred to as a Trial Edition. Unlicensed (Trial Edition) servers appear as the Standard Edition, and they are not eligible for support from Microsoft Product Support Services. The Trial Edition expires 120 days after the date of installation.
  • When you start the Exchange Management Console, if you have any unlicensed Exchange 2007 servers in your organization, Exchange will display a list of all unlicensed Exchange 2007 servers and the number of days that are remaining until the trial edition expires. If you have expired unlicensed Exchange 2007 servers you will also see a separate warning for each expired server. For lab, demo and test environments, unless you have a valid reason for rebuilding the environment, or unless you just love our new Setup wizard so much that you just can't stop uninstalling and installing server roles, I recommend that you get used to dealing with the expiration nag dialog, and not rebuild your servers every 120 days. Either way, the choice is yours, but again, you won't lose any functionality when running on an expired Trial Edition.

--Oz Ozugurlu

MVP (Exchange) MCITP (EMA),

MCITP (SA) MCSE 2003, M+, S+,

MCDST, Security+, Project +, Server +

Blog: http://www.smtp25.blogspot.com

Tuesday, August 26, 2008

MIGRATION EXCHANGE 2003 to EXCHANGE 2007




I am about to finish a project in Washington DC for a government agency. This project involved taking Active Directory 2003 and Exchange 2003 and bringing them to AD 2008 and Exchange 2007. To be honest, the team I belong to "ROCKS": smart, dedicated, intelligent people, and I have to give most of the credit to the team. I am proud to be part of a good team.

AD 2003 and AD 2008 don't have huge differences in my opinion; knowing basic 2003 is the key to understanding AD 2008, and life simply gets better with 2008 servers. Hands up, I started to love Windows Server 2008. I love the idea behind most of the new Microsoft products: secure out of the box. Even Exchange won't work at first, because "Anonymous authentication" is not enabled by default. This is just one example; many other things are not turned on either, so Microsoft is giving us a secure product and we have to turn these features on ourselves, so we cannot blame Microsoft any more (-:. This is a very smart approach in my opinion.

The Windows 2008 Core server was a lot of fun to play with, but I have to admit you will need to find a tool called "Core Configuration" to make your life easy; otherwise you will have a hard time configuring Core servers. I hope that Microsoft soon makes this tool officially available to us as an MS tool.

Steps I took going through the migration:

  1. Prepare Active Directory and fix replication issues among the DCs
  2. Make sure FRS is happy, as well as SysVol: no journal wrap errors
  3. Use DCdiag /q (quiet) until no errors are reported; fix the reported issues accordingly
  4. Don't touch the existing Exchange 2003 environment (I liked this one (-:, didn't have to fix anything)
  5. Build new Windows 2008 DCs and migrate the functionality: DNS, DHCP, FSMO roles etc.
  6. Perform an IP swap: move the old DC IP addresses to the newly built DCs, to prevent possible application-related issues
  7. Build the Exchange 2007 mailbox server (SCC, single copy cluster). I really think this is a great configuration, considering a rock-solid SAN is being used; we used NetApp. Hands up, I used to work with NetApp, and these appliances are rock solid, so no worries about the SAN going down. Having two nodes in an active/passive configuration is great, as one can be used for maintenance and installing patches over a failover if needed.
  8. Used the storage calculator to find the MS best practices and followed the one SG, one DB model, as recommended by MS.
  9. I have to give a lot of credit to the NetApp engineers, as they know their stuff inside and out, as well as clustering technologies and Exchange 2007, especially Mike Mitchell, Denise Otarola and Jason Middleton. Thanks guys for the excellent service and deep knowledge.
  10. Installed HTS (Hub Transport servers), two for redundancy and high availability
  11. Installed mail gateways, as always IronPort, as smart host and first line of defense for the corporate network. Thanks to IronPort engineer John for his support, as always.
  12. Installed CAS (Client Access servers) for OWA, ActiveSync, Outlook Anywhere etc.
  13. Configured the virtual directories and had a lot of fun with IIS 7.0; it finally looks real nice and neat.
  14. While installing the mailbox server, created a connector to the existing Exchange 2003 server; the idea behind this was not to change anything in the production environment
  15. Moved some test mailboxes from Exchange 2003 to Exchange 2007 and tested the mail flow.
  16. After making sure it worked, moved the rest of the users from 03 to 07.
  17. Ran into some minor issues such as:
  • OWA issues; needed bulk changes in AD, used ADMOD (fixed right away)
  • Some default address book issues (fixed later on)
  18. Changed the mail flow and deleted the old connectors
  19. Started preparing the decommissioning process for Exchange 03
  20. Decommission the existing legacy mail servers and domain controllers one by one
  21. Set up ISA Server and use it as the proxy and internet firewall in front of the CAS and mailbox servers


I am still working on finishing this project, and I will be posting more issues and experiences on my blog.

--Oz Ozugurlu

The specified address list could not be edited



Outlook:

After migrating Exchange 2003 to Exchange 2007, I ran into some small issues; as I solve them I am posting them here so others can get some guidelines and quick solutions. This particular issue is well documented in the MS link below.


Problem:

Receiving the following error:

"The specified address list could not be edited. Address lists created using legacy versions of Microsoft Exchange must be upgraded by using the "ForceUpgrade" parameter of the "Set-AddressList" cmdlet"

Solution

Following the MS link, the very first thing I did was run the following command:


Get-GlobalAddressList | Format-List Name,*RecipientFilter*,ExchangeVersion


I started replacing the names I got from the output in the following cmdlets (from the forum post linked below):

http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3718345&SiteID=17



Get-GlobalAddressList | Format-List Name,*RecipientFilter*,ExchangeVersion

Get-EmailAddressPolicy | Format-List Name,*RecipientFilter*

Set-EmailAddressPolicy "Default Policy" -IncludedRecipients AllRecipients


Set-AddressList "Public Folders" -RecipientFilter { RecipientType -eq 'PublicFolder' }


Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}
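As an added example (not from the original post), here is a script that reports which address lists, GALs and e-mail address policies are still on a legacy filter, then upgrades the three objects the post fixes by hand using the ForceUpgrade parameter the error message asks for. It assumes the Exchange 2007 Management Shell and the default object names used in the post; RecipientFilterType is the property Exchange reports as Legacy on objects that have not been upgraded yet.

```powershell
# Report every address list, GAL and e-mail address policy that still carries
# a legacy (Exchange 2003 LDAP) recipient filter. Exchange reports these with
# RecipientFilterType 'Legacy' and ExchangeVersion 0.0 (6.5.6500.0).
function Get-LegacyAddressObjects {
    $objects = @(Get-AddressList) + @(Get-GlobalAddressList) + @(Get-EmailAddressPolicy)
    $objects | Where-Object { $_.RecipientFilterType -eq 'Legacy' } |
        Select-Object Name, ExchangeVersion, LdapRecipientFilter
}

# Filters taken from the post; the object names are the Exchange defaults (assumed).
$addressListFilters = @{
    'Public Folders' = "RecipientType -eq 'PublicFolder'"
}
$galFilter = "(Alias -ne `$null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' " +
             "-or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' " +
             "-or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))"

Write-Host 'Objects still on a legacy filter before the upgrade:'
Get-LegacyAddressObjects | Format-Table -AutoSize

# -ForceUpgrade suppresses the "object version will be upgraded" confirmation;
# the object receives the OPATH filter and the Exchange 2007 object version.
foreach ($name in $addressListFilters.Keys) {
    Set-AddressList -Identity $name -RecipientFilter $addressListFilters[$name] -ForceUpgrade
}
Set-GlobalAddressList -Identity 'Default Global Address List' -RecipientFilter $galFilter -ForceUpgrade
Set-EmailAddressPolicy -Identity 'Default Policy' -IncludedRecipients AllRecipients -ForceUpgrade

# Anything listed here still needs its own filter added to $addressListFilters.
Write-Host 'Objects still on a legacy filter after the upgrade:'
Get-LegacyAddressObjects | Format-Table -AutoSize
```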


--Oz Ozugurlu

Wednesday, August 20, 2008

OWA 2007 HTTP to HTTPS REDIRECT on IIS 7.0, PART I




This one took me some time to complete, with the help of Pushpendu Biswas, so I have to give him the credit. We just deployed Exchange 2007 and did not have time to stand up ISA (politics). Anyway, without ISA we opened up the CAS over SSL to the outside world (security people must be horrified now (-: ).

The client did not want to type https://smtp25.blogspot.com/ each time they needed to use OWA in Exchange 2007, and asked for HTTP to SSL redirection plus /owa redirection, which makes total sense anyway.

Short story: they wanted to open a browser, just type http://smtp25.blogspot.com/ and get to the OWA page (SSL).

This is part one; in part two I will show you step by step how to achieve the same goal.

Goal:

Redirect HTTP requests to SSL and /owa on Exchange 2007 with IIS 7.0 (Windows 2008)

Overall Process

  • Connect to the Exchange 2007 (CAS) server and open up IIS 7.0
  • Go to Run and type Inetmgr
  • Locate the default page and modify 403-4.htm, located at C:\inetpub\custerr\en-US\403.htm

    Tip: use Windows search if you need it (- :

    Use the simple HTML code I am providing (thanks to Pushpendu Biswas)

    Just replace the SMTP domain name with your own

    Modify 403-4.htm and save it

    Go to HTTP Redirect on the Default Web Site, select "Redirect requests to this destination" and put /owa

    And make sure no further configuration is needed; the OWA virtual directory needs to be left untouched.


Here is the simple HTML file you need to replace 403-4.htm with:


<html>
<head>
<title>Redirect to the right page</title>
<META http-equiv="refresh" content="0;URL=https://webmail.smtp25.gov/owa">
</head>
</html>


Oz Ozugurlu

Sunday, August 17, 2008

ServerManagerCMD -i





If you have already started messing around with Exchange 2007 and Windows 2008, you will notice Windows 2008 is real fun to play with. The idea is simple: not everything is installed by default, and we administrators need to install whatever we need, either from the GUI or from the command line.

So what is the best way to learn these new commands and Windows 2008? I would say practice, and use the command line instead of the GUI. This is just me (- :

  • Open a command prompt on Windows 2008 and let's install PowerShell from the command line
  • The command is ServerManagerCmd
  • -i (install)
  • -q (query to see the available options)


ServerManagerCmd -i PowerShell




ServerManagerCmd -i Telnet-Client



Do you want more? Have fun:

  • ServerManagerCmd -i Web-Server
  • ServerManagerCmd -i Web-ISAPI-Ext
  • ServerManagerCmd -i Web-Metabase
  • ServerManagerCmd -i Web-Lgcy-Mgmt-Console
  • ServerManagerCmd -i Web-Basic-Auth
  • ServerManagerCmd -i Web-Digest-Auth
  • ServerManagerCmd -i Web-Windows-Auth
  • ServerManagerCmd -i Web-Dyn-Compression

How to Install Exchange 2007 SP1 Prerequisites



Oz Ozugurlu

Saturday, August 16, 2008

PLACING CAS (CLIENT ACCESS SERVERS) IN THE DMZ: Good Idea?




We tried to place the CAS in a DMZ-like VLAN today, and of course we failed to make it work after several hours of work. Everyone talks about Swiss cheese when it comes to placing Exchange into the DMZ, which makes me feel hungry all the time, since I love cheese of any kind, and makes me laugh at the picture of a million little holes in the DMZ firewall going back into the protected network.

So the bottom line is that CAS or OWA servers will not be placed in the DMZ or a DMZ-like VLAN, because of the Swiss cheese. Keep reading if you do not understand what Swiss cheese means in DMZ scenarios:

  • With the CAS on the inside with no further firewalling, clearly this would place the rest of your networks wide open for attack.
  • CAS servers are so well connected to everything on the intranet that you'd have to open your internal Perimeter network firewall up so it would look like Swiss cheese.
  • You'll be weakening your internal perimeter network firewall, since you would need to open up a bunch of ports.
  • From past experience we know that many Exchange customers who try to put Exchange 2003 FE servers (which were supported running in the perimeter network) in the perimeter network run into all kinds of configuration and functionality problems related to firewall configuration. This translates to lots of deployment complexity.
  • The recommendation is to have the Client Access Server as the first Exchange 2007 Server role installed in each Active Directory site. If you were to just have a Mailbox Server role in any given site without a Client Access Server no users would be able to connect to their mailboxes via Outlook Web Access, ActiveSync, Exchange Web Services, POP3 and IMAP4.

How do people in the world deploy CAS?

http://msexchangeteam.com/archive/2007/01/05/432079.aspx

http://technet.microsoft.com/en-us/library/aa997148(EXCHG.80).aspx

http://technet.microsoft.com/en-us/library/bb794751.aspx

Planning for Client Access Servers

http://technet.microsoft.com/en-us/library/bb232184.aspx

Overview of Exchange Server 2007 CAS Proxying

http://msexchangeteam.com/archive/2007/09/04/446918.aspx

Oz Ozugurlu

Friday, August 15, 2008

How to Make BULK CHANGES IN the Active Directory .DIT Database?

From time to time, ADDS administrators (Active Directory Domain Services administrators) will need to perform bulk operations in the ADDS .dit database. This isn't rocket science, actually, as long as you have the right tools. So go ahead and download ADModify and save it on your DC or administrator workstation first.


All you need to do is follow the pictures below, and don't forget to replace my domain name with your own. This is an extremely handy tool and can save your life one day, TRUST me, so get familiar with it by playing with it.







  • Domain: SMTP25.org
  • Domain list: dc=smtp25,dc=org
  • Domain controller list: dc1.smtp25.org

Select the entire domain or OU. PS: in this example I have 50,000 users

  • Click add to list
  • Click select all
  • Click select
  • Click account

Oz Ozugurlu

Problems occurred trying to use your mailboxes, Exception message: Active Directory operation failed on Dc1.smtp25.org



Scenario:


During an Exchange 2007 migration, after moving mailboxes from Exchange 2003 to Exchange 2007, users cannot log into OWA and receive the error "problems occurred trying to use your mailboxes". The fix for this error is easy.

Error:

Exception message: Active Directory operation failed on Dc1.smtp25.org. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Fix:

  • Open ADUC
  • Locate the user having trouble (turn Advanced Features on by clicking View if you are not seeing the Security tab)
  • Put a check mark where it says "Include inheritable permissions from this object's parent", or simply click Restore
  • Go back to OWA and now you should be able to log in
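An added example (not part of the original post) that finds every mailbox-enabled user whose ACL has inheritance blocked, so the INSUFF_ACCESS_RIGHTS error above can be caught before users see it in OWA, and optionally re-enables inheritance the same way the Security tab does. It assumes the post's domain smtp25.org and a domain-joined Windows 2008 machine with PowerShell; no Active Directory module is needed.

```powershell
param([switch]$Fix)   # -Fix re-enables inheritance instead of only reporting

$searchBase = 'LDAP://DC=smtp25,DC=org'   # assumption: replace with your own domain DN

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$searchBase
$searcher.PageSize = 1000
# mailbox-enabled users only: homeMDB is populated once the user has a mailbox
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'adminCount'))

$blocked = @()
foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    # AreAccessRulesProtected is $true exactly when "Include inheritable
    # permissions from this object's parent" is unchecked on the Security tab
    if (-not $entry.ObjectSecurity.AreAccessRulesProtected) { continue }

    $adminCount = 0
    $values = $result.Properties['admincount']
    if ($values -and $values.Count -gt 0) { $adminCount = [int]$values[0] }

    $row = New-Object PSObject
    $row | Add-Member NoteProperty Account    ([string]$result.Properties['samaccountname'][0])
    $row | Add-Member NoteProperty AdminCount $adminCount   # 1 = protected by AdminSDHolder
    $blocked += $row

    # Only touch accounts SDProp will not re-protect within the hour
    if ($Fix -and $adminCount -eq 0) {
        # $false = stop protecting the ACL, $true = keep the existing explicit ACEs
        $entry.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $entry.CommitChanges()
    }
}

$blocked | Format-Table Account, AdminCount -AutoSize
```

Users reported with AdminCount 1 are deliberately left alone: they are (or were) members of a protected group, and the AdminSDHolder process re-blocks inheritance on them within an hour, so the Restore button only fixes them until the next run. For those, the durable fix is to take the user out of the protected group or not use a privileged account for mail.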


Oz Ozugurlu

Thursday, August 14, 2008

Setting BES Permissions on Exchange 2007




We will make the BESAdmin account a member of the Exchange View-Only Administrator role and assign it Send-As and Receive-As rights. All you need to do is replace the Exchange server name and the BES account name with yours.

Remember to use the EMS (Exchange Management Shell), not WPS (Windows PowerShell).

Log on to the Exchange 2007 server

Start, Programs, MES 2007, EMS

  • BES account name: BESAdmin
  • Exchange 2007 server name: SMTP25CMS


Add-ExchangeAdministrator "BESAdmin" -Role ViewOnlyAdmin



Get-MailboxServer SMTP25CMS | Add-ADPermission -User BESAdmin -AccessRights ExtendedRight -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin
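An added example (not from the original post or the RIM KB) that verifies the BES account ended up with exactly the role and the three extended rights the two commands grant, and warns about anything extra. It assumes the Exchange 2007 Management Shell and the post's names BESAdmin and SMTP25CMS.

```powershell
$besAccount     = 'BESAdmin'     # names from the post; replace with your own
$mailboxServer  = 'SMTP25CMS'
$expectedRights = 'Send-As', 'Receive-As', 'ms-Exch-Store-Admin'

# 1. Role membership: the account should show up as ViewOnlyAdmin and nothing else
$roles = @(Get-ExchangeAdministrator | Where-Object { "$($_.Identity)" -like "*$besAccount" })
$roles | Format-Table Identity, Role -AutoSize
$extraRoles = @($roles | Where-Object { $_.Role -ne 'ViewOnlyAdmin' })
if ($roles.Count -eq 0)      { Write-Warning "$besAccount holds no Exchange administrator role" }
if ($extraRoles.Count -gt 0) { Write-Warning "$besAccount holds roles beyond ViewOnlyAdmin: $($extraRoles | ForEach-Object { $_.Role })" }

# 2. Explicit (non-inherited) ACEs for the account on the mailbox server object
$aces = @(Get-MailboxServer $mailboxServer | Get-ADPermission -User $besAccount |
    Where-Object { -not $_.IsInherited })

# Extended rights actually granted (allow ACEs only), as plain names
$granted = @($aces | Where-Object { -not $_.Deny } |
    ForEach-Object { $_.ExtendedRights } | ForEach-Object { "$_" } | Sort-Object -Unique)

$missing     = @($expectedRights | Where-Object { $granted -notcontains $_ })
$unexpected  = @($granted | Where-Object { $expectedRights -notcontains $_ })
# Any ACE that is not an ExtendedRight (GenericAll, WriteDacl, ...) is more than BES needs
$otherAccess = @($aces | Where-Object { "$($_.AccessRights)" -ne 'ExtendedRight' })

"Extended rights granted to $besAccount on $mailboxServer : $($granted -join ', ')"
if ($missing.Count -gt 0)     { Write-Warning "Missing: $($missing -join ', ')" }
if ($unexpected.Count -gt 0)  { Write-Warning "Not expected for BES: $($unexpected -join ', ')" }
if ($otherAccess.Count -gt 0) { Write-Warning "Non-ExtendedRight ACEs present; review them:"; $otherAccess | Format-Table AccessRights, Deny -AutoSize }
```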



RIM KB

Oz Ozugurlu

Tuesday, August 12, 2008

PROUDLY presenting: A love song about ... Exchange Server 2007?

Enjoy the first official Microsoft white paper song (- : from the MS Exchange team

Most people write love songs about other people, but the folks on Microsoft's Exchange Server team were enamored enough with its Auto discover capability to give it an Elton John-style musical treatment.

OK, so it's not exactly destined for the Billboard charts, but at least it's more melodic than the typical Microsoft white paper. And it's not nearly as cheesy as the Microsoft sales team's infamous Springsteen spoof.

David Sterling, the Exchange Web Services engineer behind the Autodiscover song, explains how it came to be in this blog post.

Taken from

http://blog.seattlepi.nwsource.com/microsoft/archives/145822.asp

Oz Ozugurlu

Saturday, August 9, 2008

Replicating Directory Changes in Filtered Set access rights for the naming context



After installing the first Windows 2008 DC/GC, I received the following error from DCdiag:

Error:

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:

DCdiag /q is giving errors after installing the first DC into the existing forest/domain. The event ID is also complaining about the same problem. After doing a little research, I found out the problem is caused by not having run adprep /rodcprep yet in the domain. Running it will get rid of the errors below.
Insert your Windows 2008 installation disk into the CD-ROM or mount the ISO. Go to the command line and copy and paste the command below (make sure D: is the CD-ROM, or change it to the appropriate drive letter on your server).

  • D:\sources\adprep\adprep /rodcprep
  • After running this command you will get output similar to this:

Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\20080809195019 for more information


Starting test: WIN09DC1
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:
DC=ForestDnsZones,DC=smtp25,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:
DC=DomainDnsZones,DC=smtp25,DC=org
......................... DC2 failed test NCSecDesc
Starting test: NetLogons
......................... DC2 passed test NetLogons
Starting test: ObjectsReplicated
......................... DC2 passed test ObjectsReplicated
Starting test: Replications
[WIN09DC1] DsBindWithSpnEx() failed with error 1722,
The RPC server is unavailable..
......................... DC2 failed test Replications
Starting test: RidManager



This is the process of contacting the infrastructure master and updating the permissions on the application directory partitions: adprep /rodcprep takes care of the permissions on the infrastructure master so that we can install RODCs.

Oz Ozugurlu