WE'RE MOVING

Greetings,

The blog has been moved to http://blogs.technet.com/b/infrastructure_blueprint/

Please keep an eye on that new blog as I'll be posting a lot of very new and interesting stuff from time to time.

Regards,
Dr.Kernel

When Exchange 2007 is run under Windows Server 2008, clients who use Exchange 2007 may be repeatedly prompted for their credentials in Outlook Anywher

When Exchange 2007 is run under Windows Server 2008, clients who use Exchange 2007 may be repeatedly prompted for their credentials during Outlook Anywhere sessions. This issue occurs when NTLM Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box for the Outlook profile on the client computer. This issue does not occur if Basic Authentication is selected as the authentication method in the Exchange Proxy Settings dialog box. By default, Kernel Mode Authentication is enabled in Internet Information Services (IIS) 7.0 on the Client Access server. To resolve this issue, disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008.


To disable Kernel Mode Authentication for Client Access servers that are running Windows Server 2008

At a command prompt, type the following command, and then press ENTER:


%systemroot%\system32\inetsrv\AppCmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

Regards
Saad

Exchange 2007 SP1 Outlook Anywhere and Windows Server 2008

As there is no in-place upgrade from Exchange Server over Windows Server 2003 to Exchange over Server 2008, I think that everyone is going to deploy Exchange 2007 SP1 over Windows Server 2008.. while the product was heavly tested before announcing the supportability of Exchange over Server 2008.. from time to time there are some incidents that's emerge for a reason or another, most of them are caused by some trivial reasons and can be easily overridden..

In our suitcase today, there is an issue, when Exchange Server 2007 SP1 even with latest update (RU3) when it's installed over Windows Server 2008, the outlook anywhere connections is dropped after three times authentication retrials.. then the following error:

The connection to Microsoft Exchange is unavailable. Microsoft Outlook must be online or connected to complete this action.

The problem mainly was caused because Exchange tries to connect by IPv6 first, while it's not configured so it fails, the resolution to this problem is simply to disable the IPv6 over Windows Server 2008 that host the Exchange Server

Best Practices and Guidelines for Hyper-V with Exchange Server 2007 SP1

Today we will talk about the new Hyper-V technology support for the Messaging virtualization from Microsoft, Microsoft released its hardware virtualization software a while ago and eventually the Exchange Server 2007 SP1 is supported in the production environment, in able to make it supported, certain aspects and conditions must be met otherwise you will put yourself in unsupported situation, in this document we will refer to the Windows Server 2008 that will hold the Hyper-V component and will host the virtual servers as the Root, the Virtual Machine that will be running on the Hyper-V are called the Guest, so let's start..

First let's list some of the supported software to fully function in the production over a virtualized environment, below are the list with the latest updates on 26^th August 2008:

• Microsoft Application Virtualization (App-V)
  
• Microsoft BizTalk Server
  
• Microsoft Commerce Server
  
• Microsoft Dynamics AX
  
• Microsoft Dynamics CRM
  
• Microsoft Dynamics NAV
  
• Microsoft Exchange Server (Except UM role)
  
• Microsoft Forefront Client Security
  
• Microsoft Intelligent Application Gateway (IAG)
  
• Microsoft Forefront Security for Exchange (FSE)
  
• Microsoft Forefront Security for SharePoint (FSP)
  
• Microsoft Host Integration Server
  
• Microsoft Internet Security and Acceleration (ISA) Server
  
• Microsoft Office Groove Server
  
• Microsoft Office PerformancePoint Server
  
• Microsoft Office Project Server
  
• Microsoft Office SharePoint Server and Windows SharePoint Services
  
• Microsoft Operations Manager (MOM) 2005
  
• Microsoft Search Server
  
• Microsoft SQL Server 2008
  
• Microsoft System Center Configuration Manager
  
• Microsoft System Center Data Protection Manager
  
• Microsoft System Center Essentials
  
• Microsoft System Center Operations Manager
  
• Microsoft System Center Virtual Machine Manager
  
• Microsoft Systems Management Server (SMS)
  
• Microsoft Visual Studio Team System
  
• Microsoft Windows HPC Server 2008
  
• Windows Server 2003 Web Edition
  
• Microsoft Windows Server Update Services (WSUS)
  
• Windows Web Server 2008
  

Conditions to support Exchange Server 2007:

1. In Microsoft virtualization environment, it must be Windows Server 2008 Hyper-V x64 (Not Virtual Server NOT virtual PC)
   
2. The Virtualization software other than Microsoft Hyper-V must pass the Server Virtualization Validation Program SVVP (at this moment only Hyper-V passed this test)
   
3. Exchange Server 2007 must be with SP1 or later
   
4. Exchange Server 2007 with SP1 must be installed on a guest operating system running Windows Server 2008 x64
   
5. Support high availability and Exchange clustering Local Continuous Replication, Cluster Continuous Replication, Single Copy Cluster and Standby Continuous Replication. However when using Quick Migration with Hyper-V the CCR and SCC will not be supported.
   
6. Exchange Server 2007 installed without the Unified Messaging Server role, the UM server role is not yet supported
   
7. If you will use virtual hard disks, Only Fixed Size Disks are supported. Differencing, dynamically expanded or any virtual storage are not supported, ONLY FIXED SIZE HARD DISK is supported as virtual disk type
   
8. The Root Server (the one that run the Hyper-V components) must be dedicated server for that purpose, it's not supported to install any other software on the Root server, it should function only as Hyper-V Server
   
9. Hyper-V include a feature called snapshots that you can revert the system back to this captured state, but it's not supported with Exchange Server 2007 Virtual Guest as the Snapshot is not Exchange-Aware
   
10. The virtual processor-to-logical processor mapping must not exceed 2:1 otherwise it's not supported, that's mean if you have server with two processors with dual core, that's make total of 4 logical processors, the maximum supported is 2:1 which is 8 CPUs in this case, note that these 8 CPUs is the maximum allowed per ALL guests on the same root
    
11. hardware-based VSS solutions is not supported to back up virtualized Exchange Server
    

Guidelines, Recommendations and best practices:

1. Use pass-through SCSI storage disks or internet iSCSI storage for better performance
   
2. Before creating virtual disk, it's recommended to start disk defragment on the root server to reduce disk fragments
   
3. Install the integration services on the guest operating system
   
4. Ensure that an enforced Data Execution Prevention (DEP) must be available and enabled on the hardware level
   
5. Put in mind that if you will use Server 2008 datacenter Edition, you physical memory can support up to 1 TERABYTE of memory, with enterprise edition you limited to 64 GB, and for standard only 32 GB of memory
   
6. Put on mind that Hyper-V is supported on physical computers with up to 16 logical processors.
   
7. Also put in the same mind that you can use TPM chip with Bit Locker ® security feature of Windows Server 2008 to secure your virtual hard disks
   
8. The virtual fixed size hard disk is limited in size to 2040 Gigabyte of disk space, while the pass-through physical disks are not limited to a space
   
9. You can take up to 50 snapshots of per guest, it's supported only to make your backup solution for a recovery of Exchange disasters
   
10. When allocating the number of virtual processors don't forget the root server share of the
    
11. Use Windows System Resource Manager WSRM to control the resources utilization
    
12. When calculating the total number of virtual processors required by the root machine, you must also account for both I/O and operating system requirements. In most cases, the equivalent number of virtual processors required in the root operating system for a system hosting Exchange virtual machines is 2. This value should be used as a baseline for the root operating system virtual processor when calculating the overall ratio of physical cores to virtual processors. If performance monitoring of the root operating system indicates you are consuming more processor utilization than the equivalent of 2 processors, you should reduce the count of virtual processors assigned to guest virtual machines accordingly and verify that the overall virtual processor-to-physical core ratio is no greater than 2:1.
    
13. The Exchange server guest machine's storage and network design requires additional considerations for the root machine, specifically, the impact to the CPUs on the root machine. In some hardware virtualization environments (such as Hyper-V), all I/O requests that are made by guest virtual machines are serviced through the root machine. In these environments, we recommend that no other I/O intensive applications (for example, Microsoft SQL Server) be deployed on guest machines that are hosted on the same root machine as Exchange server guest machines.
    
14. Use multiple network adapters for network-intensive VM workloads, and management
    
15. Ensure your storage hardware has I/O bandwidth and capacity to meet current and future needs of the VMs.
    
16. Consider Placing VMs with highly disk-intensive workloads on different physical disks will likely improve overall performance
    
17. If using clustering, make one Exchange cluster node on one Root, and the other node on another Root to truly achieve high availability
    

Mailbox Size Quota are not applied on the user mailbox in Exchange 2007

From time to time, policies changes, and special configuration is requested to add one GB to the executive mailbox size for a reason or another. sometimes we experience and incident that when we change the default quota for a mailbox to higher or lower size, it's not reflected on the outlook client even after restarting outlook many times, it still only feel the old value, meanwhile if we wait for couple of hours, or restart the information store service, you will find that the new configuration is applied immediately… why this behavior?

Well, first it's by design. As when the MSExchangeIS (information store)service starts it read the mailbox configuration and cache this configuration, and the MSExchangeIS service use this cached information to enforce the mailbox size. By default, there are two ways to refresh this cached configuration:

1. Wait for two hours and that will trigger the refresh interval then it will reread the new configuration
   
2. Restart the MSExchangeIS service and it will reread the new configuration
   

Well, that's not practical, our CEO need the new configuration now, otherwise he won't be able to send or receive mails, (or we will get fired) so what's our third option? We need a quick easy without downtime option… do we have such option? Yes we have but this will include only one time restart for the MSExchangeIS service to take the new configuration after the registry modification..

The safe way to do so (if you do it right) is to change the default refresh interval for the mailbox information cache by a regkey called Reread Logon Quotas Interval this value have some dependencies, so if you gonna change it you have to change two other values as well including the DSAccess (part of MAD.EXE, remember it?)

Make sure you backup the registry first, and do the following steps: (please guys, we are talking about MSExchangeIS service, so which server we will do that on?? Choose the right answer: 1) Mailbox server role, 2) the exchange server that hold the mailboxes, 3) the Exchange 2007 server that's NOT CAS, HUB, UM nor edge?)

yeeeeah james you right, the mailbox server role that we will do the following action on, because MSExchangeIS is the service that's responsible for the Mailbox Database activities, and it's only installed on this server role.. this configuration will be configured in multiple steps bulk to get the same final configuration, as I said it have some dependencies..

Part A of configuration:

1. Open RUN – type regedit
   
2. Navigate to this location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
   
3. Right click the ParametersSystem container and choose NEW then choose DWORD value and name it Reread Logon Quotas Interval
   
4. Right click the value you just created and choose Modify
   
5. Ensure that the base is Decimal, and add the value you want to configure in seconds, e.g. for 20 minutes enter there a value of 1200
   

Part B of configuration:

1. Open RUN – type regedit
   
2. Navigate to this location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
   
3. Right click the ParametersSystem container and choose NEW then choose DWORD value and name it Mailbox Cache Age Limit
   
4. Right click the value you just created and choose Modify
   
5. Ensure that the base is Decimal, and add the value you want to configure in Minutes, e.g. for 1 hour enter there a value of 60
   

Part C of configuration:

1. Open RUN – type regedit
   
2. Navigate to this location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchange ADAccess\Instance0
   
3. If the location is not present, right click the MSExchange ADAccess and choose new KEY and name it Instance0
   
4. Right click the Instance0 container and choose NEW then choose DWORD value and name it CacheTTLUser
   
5. Right click the value you just created and choose Modify
   
6. Ensure that the base is Decimal, and add the value you want to configure in Seconds, e.g. for 20 Minutes enter there a value of 1200
   

Close regedit, and restart the information store service, from now on the cached information will be kept only for the configured amount of time

Regards

Mohammed Saad

Error (Exchange is unable to create a public folder tree ) when create a Public Folder database in Exchange Server 2007

 

An new symptom we faced these days, that when you want to create a new Public Folder Database in Exchange 2007, you will get error message like this one "Exchange is unable to create a public folder tree", in the EMC you will find the wizard give you an error message like this one:

 

Summary: 2 item(s). 0 succeeded, 1 failed.

Elapsed time: 00:00:00

New Public Folder Database Failed

Error: Exchange is unable to create a public folder tree for the public folder database that you specified.

Active Directory operation failed on MSaad.MCS.com. The object 'CN=Public Folders,CN=Folder Hierarchies,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Microsoft CS,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MCS,DC=com' already exists.

The object exists.

Exchange Management Shell command attempted:

new-publicfolderdatabase -StorageGroup 'MSaad\First Storage Group' -Name 'Public Folder Database' -EdbFilePath 'C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group\Public Folder Database.edb'

Elapsed Time: 00:00:01

Mount Public Folder Database Cancelled

 

Resolution:

Open adsiedit.msc and change the value of msExchPFTreeType to 1, let's do it step by step:

1. Install adsiedit.msc (ship with windows server 2003 support tool run adsiedit.msc from RUN
   
2. Expand Configuration [Server_Name.Domain_Name.Root_Domain], and then expand CN=Configuration,DC=Domain_Name ,DC=Root_Domain.
   
3. Expand CN=Services, expand CN=Microsoft Exchange, expand CN=Domain_Name, expand CN=Administrative Groups, expand CN=Exchange Administrative Group (FYDIBOHF23SPDLT), and then click CN=Folder Hierarchies.
   
4. In the details pane, right-click CN=Public Folders, and then click Properties.
   
5. In the Attributes list, click the msExchPFTreeType, and then click Edit.
   
6. In the Value box, type 1, and then click OK two times.
   
7. On the File menu, click Exit.
   
8. In the Services snap-in, restart the Microsoft Exchange Information Store service.
   

 

Then create the PF DB again, it should work fine now.

Event ID 9187 and 9186 appear after move Exchange Servers from one OU to another

 

When you rename the OU that contain computer account for exchange server, or if you move exchange server from one OU to another, Exchange will generate this warning:

 

Event ID: 9186

Source: MSExchangeSA

Type: Warning

Category: General

Description:

Microsoft Exchange System Attendant has detected that the local computer is not a member of group 'cn=Exchange Domain Servers,cn=Microsoft Exchange Security Groups,dc=domainname,dc=com'. System Attendant is going to add the local computer into the group.

The current members of the group are ********* and add some DNs for the group members

 

This warning sometime followed by an Error from MSExchangeSA as well indicating it tried to add the computer account to the group and it failed with event ID 9187.

 

This is due to the natural behavior for system attendant service as by design, when this service start at the first time it cache the Distinguished Name for the Exchange server computer account, and when this DN changes it require to be reflected on the MSExchangeSA service cache, to flush this cache only we need to restart MSExchangeSA service by services.msc console or by powershell and this events will go away.

 

Regards

Mohamed Saad

When you run the get-ExchangeAdministrator cmdlet, you receive the following message: The account is not a member of Exchange View Only Administrators

 

Well, this problem does not occur when you install the Mailbox role, the Client Access role, or the Hub Transport role. It's just when you add a passive node to a CMS… what happen in the background is the computer account for the passive node take full control over the CMS object in active directory.

 

Symptom:

The nature of the problem is visible when you go to organization configuration in the EMC and a yellow line comes up in the top and stating that a certain computer account (which is the secondly added node to the cluster-passive-) is not member of exchange view only administrator, of when you open EMS (powershell) and type Get-ExchangeAdministrator you will find the same warning indication there..

 

Resolution:

1. Open the AdsiEdit.msc tool that is included in Windows Support Tools.
   
2. Connect to the domain.
   
3. Locate the following object:
   
4. CN=Clustered Mailbox server,CN=Servers,CN= Exchange Administrative Group (code),CN= Administrative Groups,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=com
   
5. Right-click this object, and then click Properties, go to security tab
   
6. Find the computer account for the passive node
   
7. Remove all permissions for that node except read permission
   
8. Click advanced and add the following permission for the passive node account (Apply to: This Object Only)
   
   1. Write property msExchEdgeSyncCred
      
   2. Write property msExchServerSite
      
9. In the advanced window add the following permissions for the passive node account ( Apply to: This object and all child objects)
   
   1. List Contents
      
   2. In the properties tab, check all properties that's start with (Read)
      

 

Get-ExchangeAdministrator

 

And viola, no more, it's done J

 

Remove the Internal IP Addresses From Message Headers

Once upon a time in Qatar, I was wondering if I can remove the internal IP addresses from the messages headers, as I saw it at that time as a security breach to expose the internal IP addresses to the external world maybe a way to help penetrators doing their job :)

I went through this article at Microsoft Technet, and it's recommended to read this article, fabulous!

To get the internal names and IPs in a message through outlook, right click the message in the left pane and choose properties, and you will find all internal data, and in OWA for Exchange 2007, It's included in the Exchange 2007 only OWA, a button called Message Details that will do the job fine on web access

the command will stripe the internal IPs and hostnames from the message sent from your internal network, what it does in the background is it remove the anonymous permission from the ms-Exch-Send-Headers-Routing attribute from the receive connector by this command:

Get-SendConnector "Connector Name" | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights "ms-Exch-Send-Headers-Routing" -user "NT AUTHORITY\Anonymous Logon

Reference:
http://technet.microsoft.com/en-us/aa998662.aspx

Have an annoying virus in your MB DB? send it for Microsoft for analysis :)

Pretty nifty, just send email to this email address submit_virus@fss.microsoft.com


To prepare an archive file that contains the files that you want to submit, follow the steps in the "How to prepare files for submission" section. Attach the archive file to the e-mail message. When you submit the file, make sure that you include the following data.

Your name, e-mail address, and telephone numberMicrosoft will send all responses to the e-mail address that you use to submit the files. When you submit the archive file, Microsoft processes the file and then sends a determination of the files that is based on the current Microsoft malicious software definitions. If it is necessary, adjust your incoming mail filters to make sure that you receive this message.

Sample typeIf the submission includes files that you believe were incorrectly determined to be malicious software, add the words "False Positive" to the e-mail Subject line. Otherwise, the files will be assumed to be malicious software.

Support case number (optional)A support case number is not required to submit files for analysis. However, if a support case is already open for this submission, you can include this case number on the message Subject line.

Other information to include

The names of any scan engines that you are using.

Forefront Security products that you are using. For example, these might include Forefront Security for Exchange Server or Forefront Security for SharePoint.

Platform information. For example, this might be Windows Vista, Windows Server 2003, Windows 2000, or another version of Windows.

Description of the virus activity.


How to prepare files for submission:

1.In Windows Explorer, open the folder that contains the suspected malicious software files.
2.Right-click a blank area in the window, point to New, and then click Compressed (zipped) Folder.
3.Type malware.zip to name the new archive file, and then press ENTER.
4.Drop the suspected malicious software files into the archive file as you would drop them into a typical Windows folder.
5.Double-click the archive file.
6.On the File menu, click Add a Password.
7.In the Password box, type infected.
8.In the Confirm Password box, retype infected, and then click OK.