Exchange 2010 - Publishing Outlook Anywhere using NTLM Authentication on ISA 2006

Microsoft's recommendation is to setup Outlook Anywhere through ISA 2006 using Basic Authentication but I was faced with a dilema trying to get this working in our environment.

After rolling out a new Exchange 2010 Cluster with an F5 load balancer we found if Outlook Anywhere was disabled or setup with basic a user on a domain machine would get prompted for a password. This was random and we have not been able to resolve. This doesn't seem to happen if we don't use the Load Balancer but that is another issue we are working to resolve.

In the meantime we have created a GPO to set the Outlook Exchange Proxy Settings (http://support.microsoft.com/kb/961112 if you are interested). This works well however greys out the options you use to set the client.

So a user that takes their work pc home and tries to connect fails as they are trying to authenticate to OA with NTLM. This can be done!!!!

A frustrated admin had refused to take Microsoft's answer and tested different settings until a suitable solution was found. I followed the settings from the blog and it worked a treat.

http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=17

Kudos goes to Erik for doing the hard yards. I hope this prevents someone wasting the time I and I am sure Erik has wasted in getting this to work.

Exchange 2010 Migration - Technical and Political minefield

For the last 6 months our organisation has been planning for a migration from Exchange 2007 to Exchange 2010. While the steps to complete this task are widely documented all over the blogging world, there are a few points I found little information on and thus wasted hours researching.

Exchange 2010 SP1

Unlike EX2007 Sp1, Sp2 and Sp3, Exchange 2010 Sp1 has to be installed over an RTM version of Exchange 2010. While Microsoft advises that it is possible to install Exchange from SP1 files, there are a good number of issues from this release. Less of a Service Pack and more of a feature Release (Exchange 2010 R2 maybe?) Sp1 introduces a number of additional features requested by the community.

Being an early adopter has its advantages but in this case it didn't pay in spades. OWA missing web files, issues with EMC and other general beta-ness that confirmed Microsoft had rushed the release before it was ready. Test, test and more testing was needed before going live. While we did test it not to the extent that was needed. Fortunately we are in the position to be able to co-locate and thus the initial upgrade was on non-production servers.

Load Balancing Exchange 2010.

Our Org is fortunate to possess an F5 fully redundant load balancer. While an excellent device with an endless level of configuration, beware of how the LB is configured. After migrating the Unified messaging team with no issues we sat on it for a week conteent with the performance and stability. We then proceeded to run a second migration group which consisted of the remaining 50 ICT staff members. After that we struck issue after issue of Outlook hanging, users being prompted for passwords and general inconsistency of product not seen in our Exchange environment.

After getting most users working, we found after some testing that it appeared exchange was working correctly and all Serivces, URL's and IIS instances were setup correctly. Turns out following product documentation doesn't always pay off. A Virtual server script designed to facilitate the use of OA through the LB was breaking the Outlook client. This change had been made a day early but the UM team had slightly different client setups. Fail!

While assuming it was an exchange issue would of nailed it 9-10 this was certainly a third party issue and a frustrating one at that.

GPO's for Outlook 2007 and 2010

When deploying Office 2007 a couple of years ago, the Exchange proxy settings were deployed when installing office. This caused an issue as in certain circumstances when migrated to Exchange 2010 the client would switch to HTTPS instead of TCP/IP randomly. This presented a problem as the URL did not and could not resolved to the LB. There are many VB scripting solutions to sort this but we found a supported KB on dealing with this issue.

http://support.microsoft.com/kb/961112

Setup a GPO, filtered it based on group, adding the users to change the Outlook settings as we migrate them. By far the neatest solution and one that should of been part of the original Group Policy Templates. As with all GPO settings applied this ability for the user to modify this change presents an issue as OA works differently externally.

Politics

Enter a new Government and a new organisational change bringing a merger to the table. What began a simple migration handled in-house by our team become difficult with the politics taking over. With our neigbours still on Exchange 2003 and jostling to outsource and the incumbent migrating the Exchange 2010, bigwigs felt our migration points out the canyon between both of the groups in direction. We are doing all of this works to provide a better services for our clients and we will continue. Ohh the slippery slope we slide!!

Do and Don't of IT - Exchange 2010 Console load error.

Recently I thought it would be a good idea to build an exchange environment at home on a VMWare server I use for hosting other sandpit type play boxes used to expand my knowledge. Completed the following.

1. Built 2k8 R2 server on vmware, patched and setup.

2. Copied the built server to a new vmware server and renamed.

3. Installed and configured DC, DNS and Certificate server.

4. Installed Exchange 2010 pre-req's and setup required services.

5. Installed Exchage 2010 RTM (Had issues in our environment at work installing from SP1 and not upgrading).

6. Setup free domain and re-directed personal email to Exchange box. Setup webmail, activesync.

Now at this point I created a new user and logged them into exchange. I also created another admin to manage my exchange system. The admin account was setup as domain admin yet couldn't start the EMC. Wierd but thought I would sort later. Next step.

7. Upgraded Exchange 2010 to Sp1 and then rollup pack 1 for SP1.

Now it all started to fall apart. I could not load the console from the admin account i created or the Domain administrator account. This is the error I was getting.

The following error occured when retrieving user information for Domain\administrator
The operation could not be performed because object 's-1-5-21-4280747840-81974243-757702645-500' couldnt be found on
dc.domain.com. It was running command Get-LogonUser

CMDlet failed. Cmdlet Get-User, parameters {Identity=s-1-5-21-4280747840-81974243-757702645-500}

Spent alot of time trying to diagnose the issue. Turns out I had missed a vital step in my install. I had not sys preped my second machine after copying it over once built. Should of realised when my admin user had not been able to make changes on the Exchange server.

To sort I did the following steps.

- Shutdown Exchange-Services
- Copy the entire Database-Folder to a temporary location (or use the virtual data-disk for the new VM)
- Shutdown Exchange-VM
- Install new VM or import a template and change the SID with sysprep (!!)
- Remove old server account from AD
- Rename the new VM with the old name and join the domain
- Add the server account to the AD-group "Microsoft Exchange System Objects/Exchange Install Domain Servers" (to avoid MSEXCHANGEADTOPOLOGY-server startup error)
- Copy the Exchange-database to the same driver/folder
- Run "Setup /m:RecoverServer /InstallWindowsComponents" from Exchange 2010 SP1 Folder

Resolved the issue and now is all working. Thanks to Little Ghost for picking up the solution.

Found all my Info at http://msexchangeteam.com/archive/2010/09/01/456094.aspx

Over and out

Exchange 2007 Store.exe hanging

Recently when moving accounts between exchange servers we encountered an issue where store.exe would enter the hung state. This was very difficult to diagnose as there were no errors apparent in the event viewer. Symptoms appeared when mail began to pool in the mail queue waiting to be delivered.

From there it was apparent that the mail submission service was failing. The store.exe was still running however not responding. The service could not be stopped and would error trying to close.

After sending a mem dump of the running store.exe to Microsoft, they identified several accounts exhibiting issues we narrowed to an individual database. Creating the environment where the store.exe would fail was challenging until we realised the backup solution System Centre Data Protection Manager was running when the store.exe entered the hung state. When DPM attempted to backup these accounts recently moved to the affected database, the store.exe would hang.

To resolve this issue we have sent the database to Microsoft for analysis but needed to resolve this issue in the short term. To resolve, each account over 2gig in size was exported to pst and the SCANPST application was used oneach of the accounts until there were no errors (Only minor inconsistencies were identified). Once complete the pst was imported and the issue appeared to be resolved.

Our TAM outlined a previous issue where email imported during a migration to Microsoft products using a third party tool created a header too large for Exchange to handle causing exchange and the server to blue screen. As we used this third party tool but coming from Groupwise instead of Lotus Notes, it is conceivable that a similar issue could be causing this issue. The database has been sent to Microsoft to be analysed to look for such an issue. I will update this post with the result.

Exchange 2010 - Filtering the Global AddressList

Been an interesting month in my world, have rolled out Exchange 2010 to our students at the org I work for. We have found an issue where functionality from 2007 has been removed because the practice is un-supported. The fact that MS has deemed it necassary to implement a block to stop users doing this tells me there were obviously plenty of orgs that need this functionality.

Currently in Exchange 2007 I have filtered out all 50k students from our Global Address List. Out clients deemed this amount of accounts making the address book un-workable. The main issue is the lack of Technology Savy the staff have, not being able to easily understand the search function in the address book.

Now when in 2010 we go to open a student from the Student Address List we get an access denied. I have been told that all accounts need to be in the Global address list. This would be fine if Outlook provided the ability to holistically manage the address books from a centralised perspective.

Currently documenting our business drivers that require this functionality but we are disappointed in the denial of a function without any clear reason why other than "Not supported"

Managing Co-existence During Exchange 2010 Migration

As discussed in the previous post, Microsoft provide a Deployment assistant that now has been updated to include Migration from Ex2007, Ex2003 and new deployment of Ex2010.

http://technet.microsoft.com/en-au/exdeploy2010/default.aspx#Home

One of the issues faced during the co-existence of 2007-2010 is how you manage each of the systems. The 2007 Management console won't manage most of the pertinent tasks on 2010.

There is some information available on the net. Thus far I have found this article from the exchange team outlining the tasks and where they can be completed.

http://msexchangeteam.com/archive/2010/01/08/453722.aspx

I would also like to point out that 2010 does not come in a 32bit flavour so ensure you have a 64bit version of Vista or Win 7 if you would like to manage exchange from your local pc.