Exchange Ranger Blog

Exchange Server and More

Exchange Server 2010 SP1 RTM!!

So, I have been working with the Exchange TAP and Product Group for months now waiting to make this announcement.  Finally, after months of testing and Microsoft making many improvements, Service Pack 1 for Exchange Server 2010 is officially here and publicly available!

You can see the RTM blog post here.

You can get more information what is in SP1 on my blog as well as TechNet.

The official SP1 bits can be downloaded here.

All I can say is go forth and download as this is the icing on the Exchange 2010 cake…

Posted August 25, 2010 in Exchange 2010

Load Balancing Exchange 2010

In this article, I want to discuss the reasons why load balancing is important to Exchange 2010 and what you can do about it.  There always seems to be a big discussion with the customers I work with on why this is necessary, what needs to be balanced, and how to do it.

So, why is this needed? 

Load balancing is a way to manage which of your servers receive traffic. Load balancing provides failover redundancy to ensure your users continue to receive Exchange service in case of computer failover or switchover. It also enables your deployment to handle more traffic than one server can process while offering a single host name for your clients.

Several changes in Exchange 2010 make load balancing important for your organization. The Exchange RPC Client Access service and the Exchange Address Book service on the Client Access server role improve the user’s experience during Mailbox failovers by moving the connection endpoints for mailbox access from Outlook and other MAPI clients to the Client Access server role instead of to the Mailbox server role. In earlier versions of Exchange, Outlook connected directly to the Mailbox server hosting the user’s mailbox, and directory connections were either proxied through the Mailbox server role or referred directly to a particular Active Directory global catalog server. Now that these connections are handled by the Client Access server role, both external and internal Outlook connections must be load balanced across the array of Client Access servers in a deployment to achieve fault tolerance.

A load-balanced array of Client Access servers is recommended for each Active Directory site and for each version of Exchange. It isn’t possible to share one load-balanced array of Client Access servers for multiple Active Directory sites or to mix different versions of Exchange or service pack versions of Exchange within the same array.

Key Concept for Load Balancing Exchange 2010

Understand the key technology differences in load balancing solutions.  These can affect the Performance, Manageability, Failover detection and automation, and Affinity options available.

So why can’t I use Windows NLB? 

There are a few scenarios in which you will not want to or cannot use WNLB.

  • WNLB can’t be used on Exchange servers where mailbox DAGs are also being used because WNLB is incompatible with Windows failover clustering. If you’re using an Exchange 2010 DAG and you want to use WNLB, you need to have the Client Access server role and the Mailbox server role running on separate servers.

  • Due to performance issues, we don’t recommend putting more than eight Client Access servers in an array that’s load balanced by WNLB.

  • WNLB doesn’t detect service outages. WNLB only detects server outages by IP address. This means if a particular Web service, such as Outlook Web App, fails, but the server is still functioning, WNLB won’t detect the failure and will still route requests to that Client Access server. Manual intervention is required to remove the Client Access server experiencing the outage from the load balancing pool.

  • WNLB configuration can result in port flooding, which can overwhelm networks.

  • Because WNLB only performs client affinity using the source IP address, it’s not an effective solution when the source IP pool is small. This can occur when the source IP pool is from a remote network subnet or when your organization is using network address translation.

    • Your organization has a reverse proxy server that communicates directly with the Client Access server and not through the WNLB virtual IP address. The reverse proxy server hides the client IP addresses from the Client Access server array. Therefore, source IP affinity won’t work as expected. However, you may still want to use WNLB to load balance internal traffic.

    • Your organization has many clients accessing your Client Access servers through a very small set of IP addresses. WNLB tends to affinitize an entire class C subnet to one Client Access server.
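The service-level check that WNLB cannot perform, as an added example that is not code from the original post: the script below probes each Client Access server by its own name over HTTPS, one request per protocol, and compares the answer with the status an anonymous request should get. The server names, paths and expected status codes are assumptions about a typical Exchange 2010 deployment, so adjust them to yours. It uses System.Net.HttpWebRequest so that it runs on PowerShell 2.0.

```powershell
# Added example, not code from the original post: a per-protocol health probe of
# each Client Access server, the kind of check a hardware load balancer's service
# monitor performs and WNLB (IP reachability only) cannot. Server names, paths and
# expected status codes are assumptions about a typical Exchange 2010 deployment.
# Uses System.Net.HttpWebRequest so it runs on PowerShell 2.0 (no Invoke-WebRequest).

$casServers = @('cas01.contoso.local', 'cas02.contoso.local')   # assumed server names

# One probe per protocol: the path and the HTTP status an anonymous GET should get.
# 401 from EWS, ActiveSync, the RPC proxy and Autodiscover means IIS served the
# virtual directory and challenged for authentication, the usual "alive" signal;
# the OWA forms-based logon page answers 200 without credentials.
$probes = @(
    @{ Name = 'OWA';             Path = '/owa/auth/logon.aspx';           Expect = 200 },
    @{ Name = 'EWS';             Path = '/EWS/Exchange.asmx';             Expect = 401 },
    @{ Name = 'ActiveSync';      Path = '/Microsoft-Server-ActiveSync';   Expect = 401 },
    @{ Name = 'OutlookAnywhere'; Path = '/rpc/rpcproxy.dll';              Expect = 401 },
    @{ Name = 'Autodiscover';    Path = '/Autodiscover/Autodiscover.xml'; Expect = 401 }
)

function Get-HttpStatus {
    # Returns the HTTP status code of a GET, or 0 when no HTTP answer came back
    # (connection refused, TLS failure, timeout). A 401/403/500 is raised as a
    # WebException that still carries the Response object, so it is read from there.
    param([string]$Url, [int]$TimeoutMs = 5000)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.Timeout = $TimeoutMs
    $req.AllowAutoRedirect = $false        # a redirect is a result, not something to follow
    $req.UserAgent = 'CasHealthProbe/1.0'
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return $code
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -ne $null) {
            $code = [int]$resp.StatusCode
            $resp.Close()
            return $code
        }
        return 0
    } catch {
        return 0
    }
}

function Test-CasHealth {
    param(
        [string[]]$Servers,
        [array]$Probes,
        [switch]$SkipCertificateCheck   # internal monitoring only, see the note below
    )
    if ($SkipCertificateCheck) {
        # Process-wide: every HTTPS call in this session will then accept any certificate.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }
    foreach ($server in $Servers) {
        # The IP-level view, which is all WNLB has: still true when IIS or one vdir is down.
        $pingOk = Test-Connection -ComputerName $server -Count 1 -Quiet
        foreach ($p in $Probes) {
            $status = Get-HttpStatus -Url ('https://{0}{1}' -f $server, $p.Path)
            New-Object PSObject -Property @{
                Server   = $server
                Protocol = $p.Name
                PingOK   = $pingOk
                Status   = $status
                Healthy  = ($status -eq $p.Expect)
            }
        }
    }
}

# Rows that show PingOK = True and Healthy = False are exactly the servers WNLB keeps in rotation.
Test-CasHealth -Servers $casServers -Probes $probes |
    Sort-Object Server, Protocol |
    Format-Table Server, Protocol, PingOK, Status, Healthy -AutoSize
```

Run it from a machine that trusts the certificate chain on the servers. Because each server is probed by its own host name, a certificate issued only for the load-balanced namespace fails name validation and the probe reports 0; the -SkipCertificateCheck switch makes the session ignore chain and name errors, which is tolerable for an internal monitor but also hides a substituted endpoint, so do not leave it on in anything that talks to the Internet. A hardware load balancer's per-protocol monitor does essentially this on every health interval and takes only the failed service out of the pool, which is the "failover for a specific protocol" advantage in the summary further down.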

Ok, so I want to use a Hardware Load Balancer.  Now what…

You need to review which of the capabilities mentioned above your solution has.  Is it a reverse proxy based solution such as Forefront Threat Management Gateway or Unified Access Gateway?  Which affinity options does it support?  These could be (more details are available at http://technet.microsoft.com/en-us/library/ff625247.aspx):

  • Cookie Based Affinity
  • SSL Session ID
  • Source IP
  • or No Affinity

Microsoft has published a summary of load balancer options, reproduced below, which you will want to review prior to making your decision.  For each solution it lists the client-to-Client Access server affinity the solution provides, its failover method, and its relative capacity (more + is better) and cost (more $ is more expensive).

Hardware load balancer
  • Affinity: depending on the protocol and client, falls back between (1) an existing cookie, (2) a load balancer-created cookie, (3) SSL session ID, (4) source IP.
  • Failover: automatic, with minimal client downtime.  Hardware load balancers are also able to provide failover for a specific protocol.
  • Capacity: ++++
  • Cost: $$$

Software load balancer in a separate server layer (note: TMG and UAG are the only workable solutions for external traffic)
  • Affinity: either a load balancer-created cookie or source IP, depending on the protocol and client.
  • Failover: automatic, with minimal client downtime.
  • Capacity: ++
  • Cost: $$

Software load balancer in the same server layer as the Client Access server (WNLB)
  • Affinity: source IP.
  • Failover: automatic, with minimal client downtime.
  • Capacity: +
  • Cost: $

DNS round robin
  • Affinity: each client gets a random Client Access server IP address.  This breaks affinity for some protocols such as Outlook Web App, Exchange Web Services, and Exchange Control Panel.
  • Failover: manual steps to detect issues and fail over; client DNS caches cause slow failover.
  • Capacity: +++
  • Cost: $

No load balancer
  • Affinity: separate host names are manually assigned for each Client Access server.
  • Failover: manual steps to detect issues and fail over; client DNS caches cause slow failover.
  • Capacity: +
  • Cost: N/A

If you need help finding hardware load balancer options, Microsoft has a qualification program for vendors to sign up for, which then gets their product listed on the Microsoft site for Unified Communications load balancers.  This list is available at http://technet.microsoft.com/en-us/office/ocs/cc843611.aspx

Posted June 10, 2010 in Uncategorized

What’s new in Outlook 2010

Well, Microsoft has published an article detailing all of the new features in Outlook 2010.  There are a lot of new or improved features in this version, and this release of Outlook, and Office 2010 for that matter, is a fantastic example of what happens when Microsoft listens to customers and responds with much needed updates.

Some of the changes detailed in the article are:

  • 64 bit and 32 bit versions
    • Just be careful that your add-ins will work with the 64 bit version.
    • Also, you must install the entire Office Suite in the same “bitness”, no intermixing of 32 and 64 bit.
  • Calendar preview in the meeting request
    • You no longer have to click on view calendar to see what in the world is conflicting with that new meeting request you just got.
  • Conversation view and Conversation Cleanup
    • Conversation view shows you the entire conversation even if parts of it are not in the same folder, and Conversation Cleanup lets Outlook delete the redundant messages whose content is already quoted in newer ones.
  • Multiple Exchange Accounts
    • Currently, I have 4 mailboxes open against 3 different Exchange Orgs, all using Outlook Anywhere.  How cool is that!
  • Tighter integration with OCS and Communicator
  • Roaming Auto-Complete (nicknames)
    • Remember the fun NK2 files?  They are now a thing of the past.  Your personal auto-complete list (nicknames) is now stored in Exchange and goes where you go.
  • And if you have Exchange 2010 to boot, you also get these:
    • Call answering and routing rules
    • Centralized Rights Management
    • Integrated Email Online Archive
    • Mailtips
    • Text messaging through Exchange ActiveSync
  • Many many more…

Some of the items that have been removed are:

  • ANSI OST File creation support (Unicode will be used only)
  • Calendar rebasing tool (to fix DST issues)
  • WebDav protocol
  • Exchange 2000 and earlier server version connections
  • Most Recently Used list (this was the list of last opened “Other User’s Folders”)
  • ScanOST.exe
  • Postmarking of email to signify it isn’t junk email.
  • Quick View (this was the file viewer in Windows 95, 98, and NT4)
  • Remote Mail (now replaced fully with Cache Mode)

Posted May 21, 2010 in Outlook

Tests Prove: Windows 2008 R2 Much Better for Exchange 2010!

Well, Microsoft has just released a new blog post showing their test results comparing Windows Server 2008 SP2 and Windows Server 2008 R2 running Exchange 2010 under an Outlook Anywhere load.  Let’s face it, Outlook Anywhere is the way of the future!  I know for me, I have to be able to work anywhere, anytime, and I don’t want to worry about VPN solutions and firewalls, so Outlook Anywhere is the answer.

So, how does R2 help, you say?  It uses roughly one tenth of the CPU for the same number and type of Outlook Anywhere users, that’s how.  This appears to be due to the significant performance improvements made to the RPC over HTTP component in R2.  And in case you’re wondering, this should also benefit Exchange 2007 SP3 (when it becomes publicly available).

Another way to look at this, as pointed out by the Microsoft blog post is that using identical hardware for both OS versions, R2 supported 14,000 OA users, while SP2 only supported 6,500!

 

Check out the source at: http://msexchangeteam.com/archive/2010/04/30/454805.aspx

 

Posted May 3, 2010 in Client Access Server, Exchange 2010

Office 2010 RTM’ed

I received an email from Microsoft last Friday (4/16/10) exclaiming that they have released Office 2010 to manufacturing.  I have been using a pre-release beta for many months, since I have been one of the thousands beta-testing this release, and I can tell you that it is a fantastic product.  In the release I have been using, and I mean using every day all day long, I have had no issues to report.  I mean none, zero, no crashes, no compatibility problems, no problems at all!  I HIGHLY recommend that organizations still stuck on Office 2003 or earlier upgrade immediately once this becomes publicly available.  The email from Microsoft is included below, for your enjoyment.

Office 2010 RTM Email

Posted April 19, 2010 in Uncategorized

Exchange 2010 SP1 Coming…

So, I have been waiting and waiting and waiting to finally start talking about what is coming in Service Pack 1 for Exchange Server 2010.  Although the NDA I am held to will not allow me to tell you everything that is coming in SP1, I can still talk a bit about the features already revealed by this

First of all, what can we say is coming in SP1?

  • Feature enhancements to OWA
  • Mobile user and management improvements
  • EMC UI enhancements
  • Online Archiving and Discovery enhancements
  • Server side PST export/import (without Outlook)
  • Messaging Records Management (retention tagging) tool improvements in EMC
  • ActiveSync Enhancements including tether-free IRM support
  • The usual hotfix inclusions
  • And so many more (that darn NDA!)

There are so many changes and improvements, that I hardly know where to start.  So, I will just dive right in and start at the top of this list.

Outlook Web App

This set of changes is the most visible to end users and is a very welcome set of updates.  To start with, OWA once again has themes.  These themes are many and varied and are selectable right from the main OWA page by clicking on “Options”.

theme change in SP1

Within OWA, you can also select multiple messages for action (similar to Gmail or your iPhone/iPad).  The Client Access server will also let your browser pre-fetch message content within OWA, so that the actions users take feel instantaneous and do not slow down their browsing experience.

The entire interface has been simplified and cleaned up a lot.  I showed the new interface to my children (ages 15 to 7) and they felt right at home in it without much instruction from me at all.  One of the most requested OWA features was to once again allow the reading pane to be placed at the bottom as well as on the right side (RTM only allowed the right side).  This has been added in SP1.

Archiving and E-Discovery

To start with, we can now create the Online Archive mailbox on a different database than the user’s primary mailbox (YEAH!!).  This enables us to design the system with tiered storage and availability policies.  And to go one step further, if you provision the archive with the intention of consuming the user’s PST archives, we can now import the PST file directly into the archive right on the server, without Outlook being installed on the server.  One last note: Microsoft is also planning on releasing an update to Outlook 2007 that will enable it to see and participate in the Online Archive.

On the E-Discovery front, a few changes exist there as well, including search preview and search result de-duplication.  Also, when reviewing the search results, you can now add annotations to your review to make your task more efficient.

EMC and ECP UI Enhancements

Since many administrators prefer to use the Exchange Management Console (EMC) instead of Powershell (EMS), Microsoft has placed a great deal of emphasis on UI improvements in SP1 including those in EMC and ECP.  Some of the improvements are:

  • Create/configure Retention Tags + Retention Policies in EMC
  • Configure Transport Rules in ECP
  • Configure Journal Rules in ECP
  • Configure MailTips in ECP
  • Provision and configure the Personal Archive in ECP
  • Configure Litigation Hold in ECP & EMC
  • Configure Allow/Block/Quarantine mobile device policies in ECP
  • RBAC role management in ECP
  • Configure Database Availability Group (DAG) IP Addresses and Alternate Witness Server in EMC
  • Recursive public folder settings management (including permissions) in EMC

Wrap-Up

So, to close this blog post, I have to say that this Service Pack is one of the best ones in recent memory, and I know for a fact that most of what it contains is a direct consequence of the feedback many customers and architects like myself have provided.

I sincerely thank the Exchange Product Group for listening and taking what your customers say to heart and then doing what is needed to make the product that much better.

As time and my NDA permit, I will blog on more features and improvements coming in SP1.  Until then, you can look forward to obtaining your own copy of Exchange Server 2010 Service Pack 1 beta around the TechEd timeframe in June.
Posted April 8, 2010 in Uncategorized | 1 comment

Microsoft Releases Exchange 2010 Installation Guides

Microsoft has officially released (on 4/7/2010) the Exchange Server 2010 Installation Guide Templates.  These are starting points for organizations to use to create server build procedure documentation.  They are well written and a great starting point for any organization to begin their install docs from!

You can download them at: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=5f9dbd88-dadf-4ad9-9f28-ad35a1ab1da2

Posted April 8, 2010 in Uncategorized

Free/Busy Federation Troubleshooting

I have had the pleasure of being the administrator of the very first organization to implement the new Exchange 2010 Free/Busy Federation (from now on I will call it F/B Fed) infrastructure last year during the Exchange 2010 TAP (Technology Adoption Program).  In doing so, I have been given the opportunity to work directly with a couple of the Microsoft Exchange Product Group members (thank you Ladislau and Matthias!!!) who guided me through the initial implementation and troubleshooting of Free/Busy Federation when it occasionally went awry.  I could probably write a small whitepaper on what I have learned; however, for the purposes of this blog post, I wanted to delve into the latest issue I had.

Recently, the public certificate we had been using for OWA, etc., and therefore for F/B Fed, was going to expire, and the cert vendor had made some changes to the UC certs they offered, so we had to make a cert change, not just a renewal.  After we installed the new certificate and began using it for all the other web services (OWA, OA, EAS, etc.), we turned to F/B Fed and ran two commands with the intent of rolling to the new certificate.

# Stage the new certificate on the trust, then publish it so it becomes the active one
Set-FederationTrust -Identity MyFederationTrust -Thumbprint <your new cert thumbprint here>
Set-FederationTrust "MyFederationTrust" -PublishFederationCertificate

The problem is, it didn’t work.  The new certificate didn’t get rolled to as it should have.  Instead, I received the error shown below.

An error occurred accessing Windows Live. Detailed information: "The request failed with HTTP status 403: Forbidden.".
    + CategoryInfo: ResourceUnavailable: (:) [Set-FederationTrust], LiveDomainServicesAccessException
    + FullyQualifiedErrorId: 7CDAC73F,Microsoft.Exchange.Management.SystemConfigurationTasks.SetLiveFederationTrust

Next, I validated that the new certificate was in fact valid and that the certificate was enabled for Server Authentication.

So far, everything looked OK, but we still couldn’t roll the cert properly, and federation had stopped working as well.  ARGH..

After a bit more trial and error, it seemed like the Set-FederationTrust command shown earlier had finally worked, or at least it didn’t give me an error when I ran it.  However, F/B Fed still wasn’t working, and when I ran Test-FederationTrust -Verbose, I received the following error in response.

RunspaceId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Id         : OrganizationPreviousCertificate
Type       : Error
Message    : Certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object is expired.

With the help of Matthias, I ran the following script in order to attempt to push the old certificate completely out of the Federation system.

$a = Get-FederationTrust
# Re-stage the trust's current private certificate (OrgPrivCertificate is its thumbprint) and publish again
Set-FederationTrust -Identity $a.Identity -Thumbprint $a.OrgPrivCertificate
Set-FederationTrust -Identity $a.Identity -PublishFederationCertificate

Unfortunately, when I ran the second command, I received a new error.

Federation certificate with thumbprint "C54359E291F10213…" must have a unique Subject Key Identifier.  The Subject Key Identifier "1A29F0C8C62971EA524BE4…" is already used by the certificate with thumbprint "C54359E291F10213…".
    + CategoryInfo: InvalidArgument: (:) [Set-FederationTrust], ProvisionerConfigException
    + FullyQualifiedErrorId: 4CFC5CA6,Microsoft.Exchange.Management.SystemConfigurationTasks.SetLiveFederationTrust

So, it seemed at the time that the issue was more of a security one due to the beta we are running for Service Pack 1, so we tried a different approach.

$a = Get-FederationTrust
$b = "LDAP://" + $a.DistinguishedName   # bind directly to the FederationTrust object in Active Directory
$c = [ADSI]$b
# PutEx with ADS_PROPERTY_CLEAR (1) removes the attribute from the object entirely
If ($c.msExchFedOrgPrevPrivCertificate -ne $null) { $c.PutEx(1, "msExchFedOrgPrevPrivCertificate", 0) }
If ($c.msExchFedOrgPrevCertificate -ne $null) { $c.PutEx(1, "msExchFedOrgPrevCertificate", 0) }
$c.SetInfo()   # commit the change to AD

I ran that script (without error) and waited for AD to replicate.  Afterwards, I ran Test-FederationTrust -Verbose again, this time with a slightly different error, yet still related to the “msExchFedOrgPrevPrivCertificate” attribute.

RunspaceId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Id         : OrganizationPreviousCertificate
Type       : Error
Message    : Unable to find certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object.

Hmmm…  that is interesting, now I don’t have a value in that attribute at all!  So I checked that by running Get-FederationTrust | fl, and sure enough, this attribute was empty from Exchange’s point of view.  However, not fully convinced, Ladislau recommended I run the script below just to ensure it really was missing from AD.

$a = Get-FederationTrust
$b = "LDAP://" + $a.DistinguishedName
$c = [ADSI]$b
$c | fl * -Force   # list every attribute on the AD object, including empty ones

And of course, it was actually missing from AD as well….

Come to find out, I had hit a new, unknown bug in cert rolling and had to run this final script to set the msExchFedOrgPrevPrivCertificate attribute and get F/B Fed working again.

$a = Get-FederationTrust
$b = "LDAP://" + $a.DistinguishedName
$c = [ADSI]$b
# Copy the current private-certificate thumbprint into the "previous" slot so the trust has a value there again
$c.msExchFedOrgPrevPrivCertificate = $c.msExchFedOrgPrivCertificate
$c.SetInfo()

Now, when I run Test-FederationTrust -Verbose I get a “Success” on all tests!  And our users are happy because Free/Busy Federation is once again working as advertised.  I hope these little insights are helpful to others when they use their favorite search engine to find answers to their own Federation issues.
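A pre-flight check to run before the two Set-FederationTrust commands, as an added example that is not code from the original post and not a Microsoft procedure. It is meant for the Exchange Management Shell on an Exchange 2010 server and assumes that Get-FederationTrust exposes the thumbprints of the trust's certificates in its OrgPrivCertificate, OrgPrevPrivCertificate and OrgNextPrivCertificate properties (the first two appear in the post; the third is the slot Set-FederationTrust -Thumbprint fills). It automates what the post verified by hand (validity period, Server Authentication EKU) and adds the two checks the errors above point at: the certificate must be in the local machine store with its private key, and its Subject Key Identifier must differ from every certificate the trust already references. The thumbprint at the bottom is a placeholder.

```powershell
# Added example, not code from the original post: pre-flight checks before rolling
# the federation trust to a new certificate. Assumes the Exchange Management Shell
# on an Exchange 2010 server and that Get-FederationTrust returns thumbprint strings
# in OrgPrivCertificate / OrgPrevPrivCertificate / OrgNextPrivCertificate.

$X509 = 'System.Security.Cryptography.X509Certificates'

function Get-CertByThumbprint {
    param([string]$Thumbprint)
    # Thumbprints copied from certificate dialogs often carry spaces and lower case
    $tp = ($Thumbprint -replace '\s', '').ToUpper()
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
}

function Get-SubjectKeyIdentifier {
    param($Cert)
    $raw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }   # id-ce-subjectKeyIdentifier
    if (-not $raw) { return $null }
    (New-Object -TypeName "$X509.X509SubjectKeyIdentifierExtension" -ArgumentList $raw, $false).SubjectKeyIdentifier
}

function Test-ServerAuthEku {
    param($Cert)
    $raw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # id-ce-extKeyUsage
    if (-not $raw) { return $false }
    $eku = New-Object -TypeName "$X509.X509EnhancedKeyUsageExtension" -ArgumentList $raw, $false
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })   # serverAuth
}

function Test-FederationCertificateCandidate {
    # Returns a list of problems; an empty list means the certificate is safe to stage.
    param([string]$NewThumbprint)
    $trust = Get-FederationTrust
    $new = Get-CertByThumbprint $NewThumbprint
    if (-not $new) { return @("certificate $NewThumbprint is not in LocalMachine\My on this server") }
    $problems = @()
    $now = Get-Date
    if ($new.NotBefore -gt $now -or $new.NotAfter -lt $now) { $problems += 'not within its validity period' }
    elseif ($new.NotAfter -lt $now.AddDays(30)) { $problems += ('expires {0}, too soon to be worth rolling to' -f $new.NotAfter) }
    if (-not $new.HasPrivateKey) { $problems += 'no private key in the store (imported without the key?)' }
    if (-not (Test-ServerAuthEku $new)) { $problems += 'no Server Authentication EKU' }

    # The SKI identifies the key pair. A renewal issued on the same key as a
    # certificate the trust already holds trips the "unique Subject Key Identifier" error.
    $newSki = Get-SubjectKeyIdentifier $new
    foreach ($slot in 'OrgPrivCertificate', 'OrgPrevPrivCertificate', 'OrgNextPrivCertificate') {
        $tp = $trust.$slot
        if (-not $tp) { continue }
        $old = Get-CertByThumbprint $tp
        if (-not $old) { $problems += "$slot references $tp, which is not in the local store"; continue }
        if ($old.Thumbprint -eq $new.Thumbprint) { $problems += "$slot already holds this certificate"; continue }
        if ((Get-SubjectKeyIdentifier $old) -eq $newSki) {
            $problems += "SKI $newSki is already used by $slot ($tp): the new certificate reuses that key pair"
        }
    }
    return $problems
}

$candidate = '<your new cert thumbprint here>'   # placeholder
$issues = @(Test-FederationCertificateCandidate $candidate)
if ($issues.Count -eq 0) {
    Write-Host "OK to stage: Set-FederationTrust -Identity (Get-FederationTrust).Identity -Thumbprint $candidate"
    Write-Host "then, once the certificate is on every Exchange server: Set-FederationTrust -Identity (Get-FederationTrust).Identity -PublishFederationCertificate"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

The SKI comparison is the part worth keeping even if the rest is familiar: a certificate vendor can reissue on the same public key, and a cert that passes every expiry and EKU check will still be rejected by the trust if its SKI collides with the current or previous certificate. Run the script on the server you will run Set-FederationTrust from, because the store lookups are local.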

Until next time…

Posted March 18, 2010 in Uncategorized

Download the updated E2010 Mailbox Server Role Calc!

Well, thanks to the boys in Redmond (Ross and the soon-to-be Greg) for another fantastic update to the Exchange 2010 Mailbox Server Role Requirements Calculator!  There are a bunch of fixes in this version since the release of version 3.5.  According to the version notes, these include:

Version 3.6 – Fixed Number of Mailboxes per Database (I/O Driven) calculation formula to round down, thereby adding additional IO buffer in the max number of mailboxes per database that could be supported in a JBOD scenario (Perry Thompson); comment fixes
Version 3.7 – Fixed processor core calculations for secondary datacenter that resulted in error when only lagged copies are deployed; formatting fixes
Version 3.8 – Fixed number of lagged copy server calculation to round (Justin Brown)
Version 3.9 – Fixed required mailbox core CPU calculations to take into account that certain site resilient scenarios result in neither datacenter supporting a single server failure
Version 4.0 – Fixed /DAG LUN Size calculation to calculate based on number of servers and not total number of database copies (Wilfried van Oosterhout)
Version 4.1 – Added better explanation in JBOD scenario when disk selection falls short either via capacity or IO reasons (Jeremy Gagne)
Version 4.2 – Added Restore LUN RAID parity options (Robert Gillies and Rick Shire)
Version 4.3 – Conditional formatting fixes (Robert Gillies)
Version 4.4 – Added minimum number of global catalog cores (James Reed)
Version 4.5 – Improved formatted capacity calculation formula (Kyryl Perederiy)

Let’s just say it is well worth the download!  So… what are you waiting for….  http://msexchangeteam.com/files/12/attachments/entry453145.aspx

Posted February 17, 2010 in Uncategorized

OCS 2007 R2 Workload Architecture Poster

I ran into a poster that Microsoft published a few days ago that details the traffic flow of protocols and ports used in each workload within Office Communications Server 2007 R2 (OCS 2007 R2).  OCS 2007 R2 supports the following workloads: IM and Presence, Conferencing, Application Sharing, and Enterprise Voice.  These filtered views can assist you in architecting your deployment of Communications Server 2007 R2.  The different server roles are described along with server certificate requirements.  Firewall and DNS configuration requirements are also described.

Get your copy at: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=af2c17cb-207c-4c52-8811-0aca6dfadc94

Posted January 28, 2010 in Uncategorized
