
Archive for July, 2007

Free Upgrade to Server 2008 Certifications and Training Materials

Trika released some information on her blog regarding free beta exams that will provide you with a chance to upgrade your certifications for free! Hurry up though. This offer does not last forever. You have up to August 3rd to register and take your beta exam.

If you are an MCSA in Server 2003, you can take the 71-648 exam for a free chance to upgrade your MCSA to the following two certifications:

  • Microsoft Certified Technology Specialist: Windows Server® 2008 Active Directory Configuration
  • Microsoft Certified Technology Specialist: Windows Server® 2008 Network Infrastructure Configuration

If you are an MCSE in Server 2003, you can take the 71-649 exam for a free chance to upgrade your MCSE to the following three certifications:

  • Microsoft Certified Technology Specialist: Windows Server® 2008 Active Directory Configuration
  • Microsoft Certified Technology Specialist: Windows Server® 2008 Network Infrastructure Configuration
  • Microsoft Certified Technology Specialist: Windows Server® 2008 Application Platform Configuration

Microsoft is currently providing a free Server 2008 e-book written by an MVP that will help you on your endeavor of obtaining your Server 2008 certifications. In addition to this Server 2008 e-book, there is also a PowerShell Step-by-Step book. These e-books can be obtained by signing in with a Windows Live ID here and following the instructions until you are granted access.

Microsoft has also released some component posters, which some of you have seen in a recent TechNet Magazine, covering different Server 2008 architectural infrastructures. These posters include diagrams of how a Read-Only Domain Controller functions, how Active Directory Federation Services works, and much more. You can download these component posters here.

Keith Comb has been releasing some screencasts which provide good information on how to get running with different Server 2008 services. You can view these screencasts here.

Changes in functionality from Server 2003 with SP1 to Server 2008 can be found here.

Server 2008 Step-By-Step guides can be found here.

Step-By-Step guide on configuring Server Core can be found here.

A tour of Windows Server 2008 PKI enhancements can be found here.

My torn data pages blog has several informative blog entries regarding certification on Server 2008. You can find their blog here.


BackupExec 11d and Exchange 2007 Problems

I am at a client right now and we are attempting to get BackupExec 11d working with their Storage Area Network (SAN) and a Quantum Scalar i500 tape library system. The issue we are having is that when we try to back up the Exchange Information Store, we are getting an Access Denied message. Naturally with this type of message, we figure that the account on Backup Exec does not have permission to the Information Store. This brings me to this article here. We have properly given the user account all permissions needed to the Information Store. We also tried using a different account that had the same permissions as the article I have just linked, but also ran a couple of Exchange Management Shell (EMS) commands to give that user account access to the Exchange Information Stores as well as users’ individual e-mail boxes:

Get-MailboxDatabase | Add-ADPermission -User "BackupExecAccount" -ExtendedRights Receive-As
Get-MailboxDatabase | Add-ADPermission -User "BackupExecAccount" -ExtendedRights Send-As
Get-Mailbox | Add-MailboxPermission -User "BackupExecAccount" -AccessRights FullAccess

We verified that the BackupExec account does have a mailbox on the Exchange 2007 server and it is not being hidden from the GAL. This user is a local administrator on our Exchange 2007 box due to the user being a Domain Administrator as well as an Exchange Organization Administrator. I’m not really sure what else it needs access to in order to be able to back up Exchange. We have followed the BackupExec documentation precisely and when that didn’t work, we even tried giving that user account additional permissions to the stores and mailboxes. We even logged on as this BackupExec user and opened up other users’ mailboxes just fine.

So because of all our issues, we initially thought we were doing something wrong. Before we began searching on the internet, we ran a few more tests. We found out that when we back up the Information Store to disk, it works fine and we can navigate the backup granularly. When I say granularly, I mean that we can navigate all the way down to a user’s mailbox. When we attempt to back up to our Quantum Scalar i500, that is when we get our access denied. Because of this new discovery, we figured it was a driver issue. We tried using the generic Microsoft drivers, Symantec BackupExec drivers, as well as Quantum’s drivers. Much to our dismay, drivers did not fix the issue. In addition to this issue, even when we back up to disk, we cannot do any restores.

So this is when we began digging deeper online. I found the following articles:
https://forums.symantec.com/syment/board/message?board.id=115&message.id=7386
https://forums.symantec.com/syment/board/message?board.id=115&message.id=13559

These two links describe the issues we are having. So it looks as though we are not alone. Many other people are having these issues. What I don’t understand is, this is a very big thing. How can BackupExec be released and not have full functionality with backing up to disk? I could understand if it was a driver issue with the tape library system we are using, but it is ridiculous that so many people are having issues with backing up to tape library. Not to mention that when we do actually back up to disk and it works, we have problems restoring items.

So to conclude, I would just like to say that I am disgusted at Symantec for releasing a product with so many issues. Not to mention they were having many complaints regarding these issues and, according to other users, it took them several months to acknowledge these issues. We can only hope now that Symantec will hastily fix their product, do adequate testing, and release a product that works as intended. I will post updates to this as we find out more information.

Update

I feel really bad about posting this blog entry, but we have made a mistake. Apparently the client we were working with applied a registry hack which prevents certain MAPI clients from accessing the Exchange Server. The client implemented this because they wanted only Outlook 2007 clients to connect to Exchange. You can see the KB article on how to do this here. Since Backup Exec makes a MAPI connection to the Exchange Server, it gets denied since it’s not recognized as an Outlook 2007 MAPI connection. Once this registry modification was undone and the Exchange server rebooted, Backup Exec works completely as advertised. Backup Exec is an excellent product and we have been very satisfied with it.


Publishing Exchange 2007 Autodiscover in ISA 2006

Edit: I have gone into pretty good detail on the different methods you can use to publish Exchange Services, including Autodiscover, here.

In Exchange versions previous to Exchange 2007, users would store data inside a public folder. This data included free/busy information, Out of Office messages, Offline Address Book, etc. Beginning with Exchange 2007, this information is stored in Internet Information Services (IIS). The process of distributing these services in Exchange 2007 is known as web distribution. Keep in mind that you will need to have Outlook 2007 clients to support web distribution. If you are running clients previous to Outlook 2007, you will still need to use public folders.

As you can see in the following image, IIS on Exchange 2007 contains several directories that did not exist on its predecessor, Exchange 2003:

The Autodiscover directory is used by the Autodiscover service to provide automatic profile configuration for Outlook 2007 clients as well as compatible mobile devices, such as Windows Mobile 6. In addition to automatic profile configuration, it provides the external URLs necessary to connect to web distributed services. Another directory is the EWS directory, which provides access to web distributed services. These web distributed services include the Availability service, Out of Office (OOF) messages, etc. The Availability service grants users on-demand access to free/busy information. For more information regarding the Availability service, please visit the following site: http://msexchangeteam.com/archive/2006/10/23/429296.aspx. The OAB directory is used to store the Offline Address Book (OAB), which provides an offline copy of the Global Address List (GAL). The file distribution service copies the OAB files from the OAB generation server to the CAS server for web distribution. To learn more about OAB web distribution, please visit the following site: http://msexchangeteam.com/archive/2006/11/15/431502.aspx.

Prerequisite

Properly configure IIS on your Client Access Server (CAS) to host the certificate(s) needed for external and internal access. The certificate recommended for this configuration is a Unified Communications (UC) certificate. You can read more about these different configurations here.

Note: For this article, we will be using a UC certificate that contains 4 Subject Alternative Names (SANs). Our requested certificate’s CN was webmail.shudnow.net. The first SAN name requested was also webmail.shudnow.net. Our request was created using the following EMS command:

New-ExchangeCertificate -DomainName webmail.shudnow.net, autodiscover.shudnow.net, casserver.shudnow.net, casserver -FriendlyName Shudnow -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "c=US, o=Shudnow Inc, CN=webmail.shudnow.net"

  1. NetBIOS name of CAS (casserver) – used if there is a need/want to connect to services such as OWA using the NetBIOS name of the CAS while connected to the internal network.
  2. FQDN of CAS (casserver.shudnow.net) – used so we can publish Autodiscover internal URLs to point directly to the CAS.
  3. Autodiscover.shudnow.net – used so external clients can retrieve external URLs to connect to web distributed services.
  4. An intuitive name (webmail.shudnow.net) – used for services such as Outlook Web Access, Outlook Anywhere, Exchange ActiveSync, and web service distribution (OAB, OOF, and Availability). Common FQDNs used are exchange.domain.com, owa.domain.com, mail.domain.com, webmail.domain.com, etc. This article will use the example FQDN webmail.shudnow.net.

ISA 2006 RTM Configuration

Update1 (08/18/2008) – It’s been over a year since this article was released. Things have changed. Below I explain how to create a new rule for Autodiscover, set All Users for authentication, etc. ISA 2006 SP1 is now out and supports SAN certs. As of now, when I configure ISA 2006 SP1, I leave autodiscover in the Outlook Anywhere Rule, leave Authenticated Users on, and add the autodiscover FQDN to the Public Name Tab as I do below. So please keep these things in mind, because the remaining ISA 2006 section is based on RTM and not SP1.

You must ensure that you go onto the CAS and export the certificate with its private key and import that into ISA 2006 (Please make sure you have the licenses needed for installing a certificate on multiple servers if required by your certificate vendor). A guide on how to do this is out of the scope of this blog. Once the certificate has been imported on the ISA 2006, ISA configuration can begin. Start by publishing each Exchange 2007 role as needed. In ISA 2006, each rule will need to be published by itself. You can see this by looking at the following screen:

The Outlook Anywhere rule contains several /paths/ as can be seen by the following screenshot:

Because Outlook 2007 will contact the Autodiscover service by using https://autodiscover.shudnow.net/Autodiscover/Autodiscover.xml, we will need to remove the /Autodiscover/ Path from the Outlook Anywhere rule and create a dedicated rule just for the Autodiscover.

There are also several other /paths/ that are new to publishing Exchange 2007. As you recall from the previous IIS screenshot from the CAS, there are /EWS/ and /OAB/ paths that allow us to publish the EWS and OAB web distributed folders. In the Exchange ActiveSync (EAS) rule, there is a /Microsoft-Server-Activesync/ path that is used to publish Exchange ActiveSync. Because the Public Name for these rules is configured as webmail.shudnow.net, we will need to publish the external URLs on the CAS server to distribute these services to external clients via https://webmail.shudnow.net.

Autodiscover Rule

With the Autodiscover rule created, there are a few configuration settings that need to be modified. The first is done by opening the Autodiscover Rule and navigating to the To: tab. We need to ensure that “This rule applies to the published site:” equates to the Common Name of the internal certificate. Since we are using the same certificate on both the CAS and ISA, the common name will be the same on both. Using a separate certificate on your CAS and ISA is out of the scope of this article. The IP Address must be the IP address of the CAS server.

The next tab you will need to modify is the Public Name tab. Because this rule will be listening for requests to Autodiscover.shudnow.net, we will need to ensure this rule accepts requests that are destined for Autodiscover.shudnow.net.

You will see an error on the Listener tab that states there is an issue with certificates. Disregard this error as it doesn’t affect us. ISA does not check whether the certificate contains subject alternative names, and the rule will still work even though the Public Name is set to a name other than the Common Name of the certificate.

Note: Microsoft has stated that ISA 2006 SP1 will support SAN certificates (which means all SAN names in a SAN certificate). SP1 is due out late summer at the earliest.

The final change to the Autodiscover rule that is needed is to modify authentication. Click on the Users tab and remove All Authenticated Users. Add the All Users group. There is currently a bug in Exchange 2007 that does not allow ISA 2006 to publish the Exchange 2007 Autodiscover when All Registered Users is selected. Look out for a fix in Exchange 2007 SP1.

Configuring Autodiscover on CAS

In order to allow a smooth connection to web distributed folders, we need to configure internal and external URLs. Internal URLs are provided to domain-joined clients who have direct connectivity to Active Directory. Because they have direct connectivity to AD, they will be able to pull authoritative internal web distribution URLs directly from the Service Connection Point (SCP). The SCP is an object that gets installed in Active Directory when a CAS is installed. The SCP contains an authoritative list of all Autodiscover service URLs in the forest where Exchange 2007 is installed.

Because we created an Autodiscover rule that listens for connections on Autodiscover.shudnow.net, an Outlook 2007 client as well as a compatible mobile client connecting from a remote network will be able to contact the Autodiscover service to have their profile automatically be configured as well as find the external URLs for web distributed services. Because ISA is publishing these web distributed folders via webmail.shudnow.net, we need to configure the external URLs to use https://webmail.shudnow.net/ServiceAddress. This way when a client connects from the outside network, they will see these external URLs are configured using https://webmail.shudnow.net/OAB and https://webmail.shudnow.net/EWS.

When using a UC certificate with the 4 names specified earlier in this article, we can allow an internal client to connect directly to the CAS, bypassing ISA. If you are not using the UC certificate, you will most likely be using the same internal and external URL. This is because, when not using the UC certificate, you will need to separate your IIS websites to accommodate multiple certificates: one blank default web site for your self-signed certificate, one site for all your web distributed services, OWA, and Outlook Anywhere that will contain your webmail.shudnow.net certificate, and finally an Autodiscover website for your Autodiscover.shudnow.net certificate. Because you will only be using 3 certificates, you will not have the FQDN of the CAS server defined in your certificates. Because of this, you will need to point both the internal and external URL to webmail.shudnow.net. Because the UC certificate contains both the FQDN of our CAS and the FQDN webmail.shudnow.net, we can point the internal URL to the FQDN of the CAS server and the external URL to the webmail.shudnow.net FQDN, which we configured ISA to accommodate. As stated in the prerequisite section, you can read about these two different types of certificate configurations here.

As of late September, Microsoft has added a new method to make the Autodiscover service accessible from the outside with a single certificate. This is through the use of SRV records. You can read more about this new type of configuration here.

EWS Configuration

In order to see what internal and external URLs are set for the EWS folder, we can run the Get-WebServicesVirtualDirectory cmdlet in the EMS. When a client is on the external network, they will need to go through the published rule in ISA. This is why we configure the external URL to go through https://webmail.shudnow.net. The EWS /path/ is configured in the Outlook Anywhere rule which accepts connections from webmail.shudnow.net (Remember the public name tab is configured to accept connections from webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server bypassing ISA since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications Certificate.

In order to configure the Internal and External URL, we need to use the following commands:

Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://casserver.shudnow.net/EWS/Exchange.asmx -ExternalURL https://webmail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true

Note: You must ensure that you enable Basic Authentication on the EWS folder in IIS due to the Outlook Anywhere rule using Basic Authentication Delegation.

OAB Configuration

In order to see what internal and external URLs are set for the OAB folder, we can run the Get-OABVirtualDirectory | FL cmdlet in the EMS. When a client is on the external network, they will need to go through the published rule in ISA. This is why we configure the External URL to go through https://webmail.shudnow.net. The OAB /path/ is configured in the Outlook Anywhere rule which accepts connections from webmail.shudnow.net (Remember the public name tab is configured to accept connections from webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server bypassing ISA since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications Certificate.

In order to configure the Internal and External URL, we need to use the following commands:

Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://casserver.shudnow.net/OAB -ExternalURL https://webmail.shudnow.net/OAB -RequireSSL:$true

Note: You must ensure that you enable SSL on the OAB directory in IIS which is not on by default. The same goes for Basic Authentication on the OAB directory. The above command will only enable SSL, but will not ensure 128-bit SSL is required.

Outlook Anywhere Configuration

Currently, in Exchange 2007, Outlook Anywhere only works using Basic Authentication. To enable Outlook Anywhere and configure it to use webmail.shudnow.net with Basic Authentication, use the following command:

Enable-OutlookAnywhere -Server CASServer -ExternalHostname "webmail.shudnow.net" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$false

Note: The above Enable-OutlookAnywhere command works on RTM. For SP1, substitute -ExternalAuthenticationMethod with -ClientAuthenticationMethod.

Exchange ActiveSync

In order to see what external URLs are set for the Microsoft-Server-Activesync folder, we can run the Get-ActiveSyncVirtualDirectory cmdlet in the EMS. When a client is on the external network, they will need to go through the published rule in ISA. This is why we configure the External URL to go through https://webmail.shudnow.net. The Microsoft-Server-Activesync /path/ is configured in its own ActiveSync rule which accepts connections from webmail.shudnow.net (Remember the public name and the To: tab should both be configured to accept connections from webmail.shudnow.net).

In order to configure the External URL, we need to use the following commands:

Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://webmail.shudnow.net/Microsoft-Server-Activesync

Unified Messaging Configuration

In order to see what internal and external URLs are set for the UnifiedMessaging folder, we can run the Get-UMVirtualDirectory cmdlet in the EMS. When a client is on the external network, they will need to go through the published rule in ISA. This is why we configure the External URL to go through https://webmail.shudnow.net. The unifiedmessaging /path/ is configured in the Outlook Anywhere rule which accepts connections from webmail.shudnow.net (Remember the public name tab is configured to accept connections from webmail.shudnow.net). We will configure the internal URL to go directly to the CAS server bypassing ISA since the FQDN of the CAS server is defined as one of the subject alternative names in our Unified Communications Certificate.

In order to configure the Internal and External URL, we need to use the following commands:

Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://casserver.shudnow.net/UnifiedMessaging/Service.asmx -ExternalURL https://webmail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true

Note: You must ensure that you enable Basic Authentication on the UnifiedMessaging folder in IIS due to the Outlook Anywhere rule using Basic Authentication Delegation.
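Once the EWS, OAB, Outlook Anywhere, ActiveSync and UM settings above are in place, it is easy to end up with one URL that still points at a name the certificate does not cover or that ISA does not publish. The following audit script is an added example, not code from the original post: it runs in the Exchange Management Shell on the CAS and compares every configured URL with the names in the UC certificate and with the Public Name used on the ISA rules. The $Server and $Thumbprint values are placeholders you replace with your own.

```powershell
# Added audit script (not from the original post): checks the CAS settings the
# post configures against the names in the UC certificate and the ISA Public Name.
# Assumes it runs in the Exchange Management Shell on the CAS; $Server and
# $Thumbprint are placeholders to replace with your own values.
$Server       = "CASServer"                 # placeholder: CAS NetBIOS name
$Thumbprint   = "<certificate thumbprint>"  # placeholder: from Get-ExchangeCertificate
$ExternalHost = "webmail.shudnow.net"       # Public Name on the ISA rules
$AutodHost    = "autodiscover.shudnow.net"  # Public Name on the Autodiscover rule

$findings = @()
function Add-Finding([string]$text) { $script:findings += $text }

# Names the certificate covers: the CN plus every Subject Alternative Name.
$cert     = Get-ExchangeCertificate -Thumbprint $Thumbprint
$sanNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
function Test-NameInCert([string]$name) { return ($sanNames -contains $name.ToLower()) }

# One virtual directory: URL set, HTTPS, host present in the certificate, and
# the external host equal to the name ISA publishes.
function Test-VDir($vdir, [string]$label, [bool]$needsInternal) {
    $props = @("ExternalUrl")
    if ($needsInternal) { $props += "InternalUrl" }
    foreach ($prop in $props) {
        $url = $vdir.$prop
        if ($url -eq $null) { Add-Finding "${label} ${prop} is not set"; continue }
        if ($url.Scheme -ne "https") { Add-Finding "${label} ${prop} $url does not use HTTPS" }
        if (-not (Test-NameInCert $url.Host)) {
            Add-Finding "${label} ${prop} host $($url.Host) is not in the certificate"
        }
        if ($prop -eq "ExternalUrl" -and $url.Host.ToLower() -ne $ExternalHost) {
            Add-Finding "${label} ExternalUrl host $($url.Host) differs from ISA Public Name $ExternalHost"
        }
    }
}

if (-not (Test-NameInCert $AutodHost))    { Add-Finding "Certificate does not contain $AutodHost" }
if (-not (Test-NameInCert $ExternalHost)) { Add-Finding "Certificate does not contain $ExternalHost" }

# Directory checks mirror the notes in the post: Basic auth on EWS and UM for the
# ISA Basic delegation, RequireSSL on OAB, external URL only for ActiveSync.
foreach ($v in @(Get-WebServicesVirtualDirectory -Server $Server)) {
    Test-VDir $v "EWS" $true
    if (-not $v.BasicAuthentication) { Add-Finding "EWS: Basic Authentication is off" }
}
foreach ($v in @(Get-OABVirtualDirectory -Server $Server)) {
    Test-VDir $v "OAB" $true
    if (-not $v.RequireSSL) { Add-Finding "OAB: RequireSSL is off" }
}
foreach ($v in @(Get-UMVirtualDirectory -Server $Server)) {
    Test-VDir $v "UnifiedMessaging" $true
    if (-not $v.BasicAuthentication) { Add-Finding "UnifiedMessaging: Basic Authentication is off" }
}
foreach ($v in @(Get-ActiveSyncVirtualDirectory -Server $Server)) {
    Test-VDir $v "Microsoft-Server-ActiveSync" $false
}

# Outlook Anywhere has no virtual directory object; check its external hostname.
$oa = Get-OutlookAnywhere -Server $Server
if ($oa -eq $null) { Add-Finding "Outlook Anywhere is not enabled on $Server" }
elseif ("$($oa.ExternalHostname)".ToLower() -ne $ExternalHost) {
    Add-Finding "Outlook Anywhere ExternalHostname $($oa.ExternalHostname) differs from $ExternalHost"
}

if ($findings.Count -eq 0) { "OK: certificate names, virtual directory URLs and ISA Public Name agree." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Any FINDING line points at a URL, certificate name or authentication setting that will produce the certificate or access errors described earlier rather than a working client connection.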


Welcome to my blog!

I’d like to welcome everyone to my blog. I’m just another IT guy who lives in the Chicagoland area. My hobbies include billiards, watching movies, listening to music, and spending time with my family. When I’m not doing these things, I am doing my other hobby: geeking it up with computers.
