
Changes in Exchange 2010 SP1 Mailbox export / import process

November 4th, 2010 Rob No comments

With the arrival of Exchange 2010 SP1 the mailbox import and export process, along with its requirements, has changed significantly (for the better).

Under Exchange 2010 RTM the export / import process required Outlook 2010 x64 to be installed on the mailbox server where the export was taking place. There were several issues with this: firstly, when Exchange 2010 launched Outlook 2010 was a beta product, and more to the point you probably didn’t want Outlook installed on your mailbox servers. Another key issue was that the reliability of the process was pretty poor – sometimes it would just work, other times it would refuse altogether (leaving the admin with the option of an Exchange server which was also a DC, which resolved the issue), or, as happened to me recently, it would work for a while and then stop. A further issue was the need to run the export interactively; I generally got around this with a scheduled task. Clearly this isn’t a robust, scalable option.

So Exchange 2010 SP1 came along and the process has changed radically. Some key changes:

  • No requirement for Outlook to be installed on the server
  • A changed set of criteria parameters allowing more flexibility to be applied to what is exported
  • The process is no longer dependent on the PowerShell session used to start it; once submitted the process runs in the background under the ‘Exchange Trusted Subsystem’ privilege – the location for your import / export must grant this group read / write access

The last change is the one which pleases me most (closely followed by the first). Much like a mailbox move in 2010, you use the New-MailboxExportRequest / New-MailboxImportRequest cmdlets to ask Exchange to perform a mailbox export or import; once the request is submitted you are free to log off the server and walk away, and your import / export will continue in the background. You can view the status of mailbox imports and exports with the Get-MailboxImportRequest / Get-MailboxExportRequest cmdlets.

More detail on these cmdlets is published on TechNet:

Managing mailbox imports and exports: http://technet.microsoft.com/en-us/library/ee633479.aspx

New-MailboxExportRequest: http://technet.microsoft.com/en-us/library/ff459227.aspx

New-MailboxImportRequest: http://technet.microsoft.com/en-us/library/ff459261.aspx
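The SP1 process described above, run end to end from the Exchange Management Shell. This is an added example and not code from the original post; the file server FS01, the share \\FS01\PSTExport (backed by D:\PSTExport), the mailbox alias ‘rob’ and the admin account ‘exadmin’ are all hypothetical names, and the cmdlets and parameters are the SP1 ones the post links to.

```powershell
# Added example, not from the original post: an SP1 mailbox export run end to end.
# Hypothetical names: file server FS01 sharing D:\PSTExport as \\FS01\PSTExport,
# mailbox alias 'rob', admin account 'exadmin' running this in the
# Exchange Management Shell.

$share   = '\\FS01\PSTExport'     # must be a UNC path, not a local drive letter
$mailbox = 'rob'
$pst     = Join-Path $share ('{0}-{1}.pst' -f $mailbox, (Get-Date -Format yyyyMMdd))

# 0. The export/import cmdlets are only visible to accounts holding the
#    "Mailbox Import Export" RBAC role, which nobody holds by default.
#    Re-open the shell after assigning it.
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User 'exadmin'

# 1. The work runs in the background under the Mailbox Replication Service, so
#    'Exchange Trusted Subsystem' needs read/write on the target. On FS01:
#      icacls D:\PSTExport /grant "Exchange Trusted Subsystem:(OI)(CI)M"
#    and give the same group Change permission on the share itself.

# 2. Submit the request. -ContentFilter (new in SP1) limits what is exported;
#    here only mail received during 2010 (dates are parsed with the server's
#    culture). Drop the parameter to export the whole mailbox.
$req = New-MailboxExportRequest -Mailbox $mailbox -FilePath $pst `
           -ContentFilter "(Received -ge '01/01/2010') -and (Received -lt '01/01/2011')" `
           -Name ('{0}-2010' -f $mailbox)

# 3. The request is now queued and this shell can be closed; the loop just
#    reports progress for an operator who wants to wait for it.
$final = 'Completed', 'CompletedWithWarning', 'Failed'
do {
    Start-Sleep -Seconds 30
    $stats = Get-MailboxExportRequestStatistics -Identity $req.Identity
    '{0}: {1} ({2}% done)' -f $req.Name, $stats.Status, $stats.PercentComplete
} while ($final -notcontains $stats.Status)

# 4. Finished requests stay in the queue until removed; clear the successful
#    ones so Get-MailboxExportRequest only shows work that still needs attention.
Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false
```

The share permission in step 1 is the security-relevant part: the PST is written by the Exchange service identity, not by the admin who submitted the request, so the folder should be writable by ‘Exchange Trusted Subsystem’ and readable only by whoever is entitled to the mailbox content, since a PST is an unencrypted copy of everything in the mailbox.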


Microsoft Certified Master: Exchange 2010

November 1st, 2010 Rob 1 comment

The Microsoft Certified Master Programme is borne out of what used to be known as Ranger training, a Microsoft only programme designed to equip their best technical staff with the best training available with the goal of improving the quality and configuration of Exchange deployments in the wild.  In 2008 Microsoft split the Ranger programme into two streams, Master and Architect.  The Master stream is aimed at people who are delivering Exchange solutions on a daily basis, it is the raw technical side of the Ranger programme, the Architect stream (for which being Master is a pre-requisite to apply) is around showing both raw technical ability and the softer skills such as project management and leadership.

I was fortunate enough to be offered the chance to attend the MCM programme a year or so ago following a discussion internally within Risual on how our consulting team can both further their skill sets and ultimately deliver superior services to our customers.  At that time Exchange 2007 was the current Exchange server product, with Exchange 2010  coming later that year, with that in mind I decided to defer the process until 2010 had launched.  Fast forward to April of this year and I began the application process, this consists of a number of stages, some of them more clear cut than others – there are some pre-requisite MCITP exams you need to have passed, you also need to submit your CV and some project documentation that you have produced, the aim here is to establish if applicants have the right level and type of experience to succeed on the programme.

Once you’ve been accepted into the programme (it took around a month start to finish for my application with contact back and forth), you need to pay the fee ($15,000 in the case of Exchange) and choose your rotation date.  As I had selected a rotation in September (it took about 6 months of pre-planning to find a rotation date which didn’t clash with customer or personal commitments) all went quiet at that point, this is your cue to step up on the reading & lab work (step up, not start – if you don’t already proactively stay immersed with Exchange whenever possible MCM probably isn’t for you).  With respect to pre-reading I focussed on the CHM & the big Exchange blogs (EHLO, Tim McMichael etc), I also picked up the excellent Microsoft Exchange Server 2010 Best Practices book (I’d almost go so far as to say that this book should be on the official pre-reading list, there’s very little it doesn’t cover in sufficient depth) however actually doing it is what’s going to give you the skills you need – be that lab or customer work – I spent a lot of time trying the new functionality with Exchange 2010 – CAS Arrays, DAG etc…. 

As your rotation draws nearer you will start to be in contact with the team more and more, they will help with things like accommodation and provide you with joining instructions for the first day.  I opted to stay in a corporate apartment with two other people on the course, for me this was an excellent move for many reasons, staying with people who are all going through the same process means you can talk over the days content when you finish class for the day, pick each other up when things don’t go so well & have some company for the three weeks that you’ll be there – as someone who stays in hotels often this is a big one.

The course is three weeks in length based in Microsoft’s Redmond campus, starting on a Monday morning, finishing on a Saturday after the qualification lab (more on that later), home for me is the UK & I’ve been to the west coast of the US before for holidays, Jetlag is something I struggle with & with this in mind I opted to fly out on the Wednesday of the previous week to get shot of the jet lag, this also gave me a few days to get some more reading in, I stayed in Seattle and when not frantically revising got some sightseeing in.  This was a good move – it took me until Saturday to get into a normal sleeping pattern & feeling human again. 

On the Sunday I met up with Nic and Joel whom I was sharing an apartment with & we headed to Redmond, the anticipation from all of us was immense – nothing quite like a combination of excitement and fear to spark a good conversation! 

Day one started at 7:30am with breakfast followed by a gentle introduction session from David the Exchange MCM PM, our group of 17 consisted of mostly Microsoft employees with 6 external partners like myself. 

Each section was taught by one or more subject matter experts – some internal Microsoft people from the product group, PSS or DSEs, some external people who simply know the product so well they are an ideal person to deliver the content.  The content was delivered principally using PowerPoint with regular whiteboard, demonstrations and lab exercises.

Following the introduction until Wednesday lunchtime was Transport in more depth than you can imagine, day one finished at 10:30pm, this set the pace for the rest of the week – the latter half of the week was given over to CAS & as with Transport the pace was unrelenting and the depth huge.  We were generally in the classroom 12-14 hours each day, with regular short breaks to grab a drink, David also kept us well stocked with Cliff bars, never had them before but they seemed to keep you going when you’re flagging!

Evenings were generally given over to dinner on the run & revising the day’s material, the first weekend the whole class got together to revise the transport and CAS material ready for the first of three tests, scheduled for 8am on Monday morning – don’t have any illusions of long dinners, drinking all night or sightseeing at the weekends, you don’t have time & you won’t be able to get Exchange & the tests off your mind anyway! 

So Monday of week two came around, everyone on time and looking like they hadn’t slept, not just me then…  the test was delivered by the Prometric engine that is familiar to anyone who has taken an MCP exam, that is where the similarity ends however, every question is hard – they are designed to test your understanding of the material often using complex scenarios.  You get your results instantly, wait until the two hours is up and then dive straight into week two, which is all around mailboxes and storage, ranging from the disk architecture your mailbox databases are stored on, through to how Exchange databases are logically structured then finally the mailbox role itself.  Every night we would try and revisit the days content, pulling out what we felt might get tested, sometimes we were right, often we were not!  That weekend was much like the previous, two days of solid revision preparing for Monday’s test.

The week two test was in the same format as the previous one, again once the two hours was up we started on the week three material, which started with UM, then into HA, sizing / capacity planning finishing off with slightly less technical material around operational methods (ITIL etc..).  Friday of the final week was given over to revision, with the final exam being sat that afternoon. 

After the exam the entire group got together and began preparation for the qualification lab, this is a six hour lab session where you will be given a series of tasks, all of them very simple in themselves, of course nothing will work and you will need to go on a rapid troubleshooting spree.  The lab is open book, you may use the internet, notes etc… the only thing not permitted is connecting to another lab / Exchange environment, with this in mind the group spent a few hours getting all the tricks they’d picked up over the years and places to look & we got them written down – this was hugely valuable, both as a revision exercise for the Saturday but also in the lab I had commands at my fingertips to perform common tasks – a timesaver.

So Saturday came around, this was the final piece of the puzzle, we started at 8:30am, ran till lunchtime, stopped for 30 minutes then went back and finished the six hours.  I actually enjoyed the lab (strange as it sounds), it reflects the work I do most of, because of this I found it easier than the written exams.  Unlike the exams you don’t get an instant pass / fail, however you will be told the approximate pass mark and you will therefore have a reasonable idea of how you did, I came out of the lab feeling good about it – I’d completed all apart from one task and felt I’d done enough to pass it.

With the lab out of the way, we went out, had a big steak & a few drinks before retiring for the night (I feel somewhat sorry for our waiting staff, there was a lot of pent up emotion after the last three weeks coming out!), I flew out on the Sunday evening so after packing played a tourist in Seattle for the day & headed for home, some of my fellow candidates went back to work on the Monday, it took me a few days to get back into normal life – MCM is like a bubble, my parents ended up calling my girlfriend asking if I was alive as I’d all but fallen off the face of the planet, even fitting in a call home (factoring in the time difference if you’re coming from outside of the US) is very difficult.

So how did I do?  I passed two out of the three exams and passed the qualification lab.  This left me with a retake, these are completed at home – if you are in this situation (most people will come home needing to do some form of retake) you book a time with your PM and they will get you up to speed on the process.  I re-took that exam today and am delighted to say I passed it.

So is it worth the money, the time away from work & the effort?  Absolutely – I was extremely fortunate to be in a rotation with such fantastic candidates, as a group we were constantly challenging the material which drove the discussions deeper and really helped my understanding of the content, that group of peers doesn’t stop when you finish the course and pass your exams, in fact it gets better – once qualified you’re added as a member of the ‘Ranger DL’ containing all certified Masters / Rangers, what better group of people could you want to ask questions or test theories, there are a host of other benefits (which I’m still finding out about).

Another key point which has stuck in my head is the need to be not only proficient in all of the Exchange roles (this includes Edge and UM!) but also in the surrounding and supporting technologies, AD is obviously a big one – know how to check replication, be fast with ADSI edit / LDP, also be proficient with ISA / TMG, I’m fortunate in that I use ISA / TMG a lot in customer engagements – why wouldn’t you, it’s an excellent way to expose Exchange to the outside world, it is also used heavily in the MCM training – if you’re not competent with it, you’ll struggle with some parts of the training and end up focussing on ISA rather than learning about Exchange.  Studying for and taking the ISA 2006 (I don’t believe there is a TMG MCITP as yet) exam would be a good way to get a good level of competence.

Wow, that was a long one!  Normal service will be resumed shortly!!


Exchange 2010SP1 RPC Static ports

October 26th, 2010 Rob No comments

If you’re using a load balancer with Exchange 2010 you’ll want to fix the two ports (RPC Client Access and Address Book) used for Outlook connectivity (note: this is for non Outlook Anywhere connections). These ports are set on all Client Access Servers, and the RPC Client Access port on Public Folder servers.

If static ports are not configured, every Client Access Server / Public Folder server will randomly select ports between 49152-65535 (Server 2008 onwards), requiring you to load balance all of those ports – something which could cause resource exhaustion on your load balancer.

To configure static ports two registry entries are required: both are used on Client Access Servers, only one on Public Folder servers.

To configure the Address Book key (Client Access Servers only) navigate to the HKLM:\System\CurrentControlSet\services\MSExchangeAB key, create a sub-key called Parameters, then create a String value called ‘RpcTcpPort’ with a value between 49152 – 65535, I chose 60002 in this example:


To configure the Exchange RPC Client Access key (Client Access Servers and Public folder servers) navigate to the HKLM:\System\CurrentControlSet\services\MSExchangeRPC key, create a sub-key called ParametersSystem, then create a String value called ‘TCP/IP Port’ with a value between 49152 – 65535, I chose 60001 in this example:


Once the keys have been set, the Microsoft Exchange Address Book (Client Access servers) and Microsoft Exchange RPC Client Access (Client Access and Public Folder servers) services require restarting; once this has been done the netstat command shows our ports:


That shows us that we have two processes, each listening on one port; the final column shows the PIDs of the processes responsible for those ports, 9092 for 60001 and 12624 for 60002. Using Task Manager I can see the names of the processes associated with those PIDs:


So we can see that our RPCClientAccessService and AddressBook services are responsible for the open ports.
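The same configuration and check done from PowerShell rather than regedit, Task Manager and a manual read of netstat. This is an added example and not code from the original post; the key paths, value names and port numbers (60001 / 60002) are the post’s, everything else is assumed. The value types follow the post (String); Microsoft’s own guidance for the MSExchangeRPC ‘TCP/IP Port’ value specifies a DWORD, so confirm the type against the documentation you are following before running it.

```powershell
# Added example, not from the original post: set the two static RPC ports,
# restart the owning services and verify which process holds each listener.
# Ports and key paths are the post's; value types follow the post (String).

$ports = @{
    'MSExchangeRPC' = @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeRPC\ParametersSystem'
                         Name = 'TCP/IP Port'; Port = 60001 }
    'MSExchangeAB'  = @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeAB\Parameters'
                         Name = 'RpcTcpPort';  Port = 60002 }
}

foreach ($svc in $ports.Keys) {
    $p = $ports[$svc]
    if (-not (Test-Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
    New-ItemProperty -Path $p.Key -Name $p.Name -Value $p.Port -PropertyType String -Force | Out-Null
}

# The values are only read at service start. Restarting drops live Outlook
# MAPI sessions, so do this in a maintenance window. On a pure Public Folder
# server only MSExchangeRPC applies.
Restart-Service -Name @($ports.Keys) -Force

# Verify: parse 'netstat -ano' for LISTENING sockets and map the owning PID back
# to a process name, which is what the post does by hand with Task Manager.
$listeners = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        New-Object PSObject -Property @{ Port = [int]$matches[1]; PID = [int]$matches[2] }
    }
}

foreach ($svc in $ports.Keys) {
    $expected = $ports[$svc].Port
    # IPv4 and IPv6 listeners share a PID, so one hit is enough.
    $hit = $listeners | Where-Object { $_.Port -eq $expected } | Select-Object -First 1
    if ($hit) {
        $proc = Get-Process -Id $hit.PID
        '{0,-14} port {1} is owned by {2} (PID {3})' -f $svc, $expected, $proc.ProcessName, $hit.PID
    } else {
        Write-Warning ('{0}: nothing is listening on port {1}' -f $svc, $expected)
    }
}
```

The verification loop is the part worth keeping in a build script: it fails loudly if a service came back up on a dynamic port (a missed restart or a typo in the value name), which is exactly the condition that would otherwise surface later as Outlook clients failing through the load balancer.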

As a side note, when configuring your load balancer you should follow the guidance here: http://technet.microsoft.com/en-us/library/ff625248.aspx which details affinity requirements for Exchange client protocols. In our example you would need to load balance 135 (initial connections are made on this port, and the RPC service which listens on it tells the Outlook client which ports it should connect to, which of course will be the static ports listed above) and ports 60001 and 60002 (RPC Client Access and Address Book services).

The aim of this post was to document the static port setting process & provide some background on why you might do it, this is generally done when using load balancing of some description – which is a whole other topic in itself which I’ve not covered here.  There is some excellent Technet documentation available on the subject here: http://technet.microsoft.com/en-us/library/ff625248.aspx, I hope to provide some blog posts around HLB (Hardware Load Balancers) & their configuration / integration with Exchange in due course.

Rob


Controlling Exchange Active Sync Device access

October 19th, 2010 Rob 4 comments

Many of my customers use Exchange ActiveSync (EAS) to give users access to their mailboxes whilst they’re on the move; as someone who is field based it’s invaluable. Alongside this, device policies are generally implemented to enforce a PIN code, encrypt the data on the device etc…

The main issue with the above is that, generally, any user with an Exchange account can use EAS to connect to their mailbox. This may or may not be a problem depending on your organisation; for example, if you require encryption to be used on the mobile device and a user connects a device claiming to support encryption (but it doesn’t – no prizes for pointing out which manufacturer fell foul of this) then you potentially have sensitive data on an easily lost mobile device.

We have a number of options to control EAS access. Firstly, if you’re using a reverse proxy such as TMG and you’re pre-authenticating your users at TMG, you can restrict access based on Windows group membership – only allowing those users who have been issued with corporate mobile devices. That’s a good start, however it doesn’t stop a user who is granted access from connecting any device they like. To get device based control you need to break out Exchange PowerShell and use the Set-CASMailbox, Set-ActiveSyncOrganizationSettings and New-ActiveSyncDeviceAccessRule cmdlets. 

In this scenario I am going to change the default settings for the organisation to quarantine a new EAS device, notify the administrator and then create specific rules for users who require EAS access (much the same as you would configure a firewall, start with no access and then grant it as required).


Firstly, to set the organisation policy to quarantine new devices and notify my two administrators, Bob and Dave:

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients bob@risual.com, dave@risual.com

Now when users connect to their mailbox using EAS they will not be permitted; they will also receive an email from Exchange with the following subject:

“Your mobile phone is temporarily blocked from synchronizing with the server while permission to access is being verified.”

Our two administrators will also receive an email, with the following subject:

“The mobile phone that belongs to domain\user has been quarantined. Synchronization with the server via Exchange ActiveSync is blocked until you take action.”

In the body of this email the device ID of the EAS device which is trying to connect is listed. To allow our user to connect with that device the Set-CASMailbox cmdlet should be used:

Set-CASMailbox -Identity user@domain.com -ActiveSyncAllowedDeviceIDs <deviceid from admin email>

Our user’s device will then be allowed to synchronise with Exchange and all will be well. This is fine, except that if you have thousands of users with devices it quickly becomes very tedious for the administrator. Another solution is to allow access based on the device model and / or device type (your organisation probably issues largely the same devices to all users); this is achieved using the New-ActiveSyncDeviceAccessRule cmdlet to allow all your specific devices. There are several ways to find out what your device model / type is: the body of the email sent to a user informing them that their device cannot connect contains this information, and another way is to use Get-ActiveSyncDeviceStatistics:


[PS] C:\Windows\system32>Get-ActiveSyncDeviceStatistics -Mailbox rob

RunspaceId                    : b30b569e-eee9-49a8-ac08-1a4a5ce3cc27
FirstSyncTime                 : 21/04/2010 08:58:08
LastPolicyUpdateTime          : 16/10/2010 18:12:05
LastSyncAttemptTime           : 19/10/2010 06:21:51
LastSuccessSync               : 19/10/2010 06:21:54
DeviceType                    : iPhone
DeviceID                      : Appl80917E29Y7H
DeviceUserAgent               : Apple-iPhone/704.11
DeviceWipeSentTime            :
DeviceWipeRequestTime         :
DeviceWipeAckTime             :
LastPingHeartbeat             : 600
RecoveryPassword              : ********
DeviceModel                   : iPhone
DeviceImei                    :
DeviceFriendlyName            :
DeviceOS                      :
DeviceOSLanguage              :
DevicePhoneNumber             :
MailboxLogReport              :
DeviceEnableOutboundSMS       : False
DeviceMobileOperator          :
Identity                      : robsdesk.com/Users/Rob Broughall/ExchangeActiveSyncDevices/iPhone§Appl80917E29Y7H
Guid                          : 48da4aee-6297-42e4-a0e0-55df40f7782a
IsRemoteWipeSupported         : True
Status                        : DeviceOk
StatusNote                    :
DeviceAccessState             : Allowed
DeviceAccessStateReason       : Global
DeviceAccessControlRule       :
DevicePolicyApplied           : Default
DevicePolicyApplicationStatus : AppliedInFull
LastDeviceWipeRequestor       :
DeviceActiveSyncVersion       : 14.0
NumberOfFoldersSynced         : 8
SyncStateUpgradeTime          :

As you can see, in this example I have an iPhone connected to my lab mailbox; the two fields we’re interested in are DeviceModel and DeviceType. You may also have noticed the DeviceID field; this is the same value used in my earlier example with Set-CASMailbox. Another way of viewing the information is the Phone tab within ECP, where you can drill down and view some of the information available from the above cmdlet:


So to allow our device globally we use the New-ActiveSyncDeviceAccessRule cmdlet:


New-ActiveSyncDeviceAccessRule -QueryString iPhone -Characteristic DeviceModel -AccessLevel Allow

This will create a rule allowing devices reporting their devicemodel as ‘iPhone’ to connect to Exchange using EAS.
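The whole quarantine-then-allow workflow above as one script: inventory what is connecting and in which access state, create the model-based rules, and then list what is still quarantined with the DeviceID an admin would need for a one-off Set-CASMailbox approval. This is an added example and not code from the original post; the approved model list is constructed, and the cmdlets are the Exchange 2010 SP1 ones the post names.

```powershell
# Added example, not from the original post: inventory the ActiveSync device
# fleet, create model-based allow rules, then list what still needs a
# per-device decision. The approved model list is constructed.

# 1. One row per device partnership: the self-reported model/type and the access
#    state Exchange assigned under the organisation default (Quarantine).
function Get-EasInventory {
    Get-ActiveSyncDevice -ResultSize Unlimited | Get-ActiveSyncDeviceStatistics
}

Get-EasInventory |
    Group-Object DeviceAccessState, DeviceType, DeviceModel |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Allow the corporate-issued models globally. DeviceModel is a string the
#    client asserts about itself, so a model rule is a convenience control for a
#    managed fleet, not proof of what the device is or what it can enforce.
$approvedModels = @('iPhone')          # constructed; extend with the models you issue
$existing = Get-ActiveSyncDeviceAccessRule
foreach ($model in $approvedModels) {
    $already = $existing | Where-Object {
        $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $model
    }
    if (-not $already) {
        New-ActiveSyncDeviceAccessRule -QueryString $model -Characteristic DeviceModel -AccessLevel Allow
    }
}

# 3. Devices still quarantined once the rules exist (a device's state is
#    re-evaluated on its next sync attempt). DeviceID is the value an admin
#    passes to Set-CASMailbox -ActiveSyncAllowedDeviceIDs for a one-off approval.
Get-EasInventory |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object Identity, DeviceType, DeviceModel, DeviceID, LastSyncAttemptTime |
    Format-Table -AutoSize
```

Step 2 is where the trade-off the post describes lives: a rule keyed on DeviceModel scales to thousands of users, but the model string comes from the device, so for the case the post opens with (a device that misreports what it supports) the per-mailbox DeviceID allow list in step 3 is the tighter control, and the quarantine default means nothing syncs until an administrator has chosen one or the other.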

Rob


Using PowerShell to add windows features on Windows 7

August 24th, 2010 Rob No comments

On Server 2008 R2 you can do Import-Module ServerManager and then Add-WindowsFeature to configure features etc. from PowerShell. This doesn’t exist out of the box on Windows 7; however, if you install this: http://code.msdn.microsoft.com/PSClientManager you have an equivalent set of modules :)


Handy eh!


Rob


URL Rewrite module for IIS7

August 16th, 2010 Rob No comments

As part of a larger project I’ve been involved with, which uses an IIS7 web application (I’ve been helping the client with their infrastructure and integrating the application with AD), we hit an issue where some 3rd party pieces of code were using absolute links (*tut tut*!) rather than relative ones. This had the side effect that a user would start their session on an SSL secured https session and, after performing certain tasks, would find themselves on http. Not ideal! The application also has a requirement that the web servers are able to connect to themselves on port 80 – this could not be changed, and interfering with this connection would break functionality.

To resolve this I’ve implemented the Microsoft URL Rewrite module 2 for IIS7 with the following configuration:

  1. Download and install the IIS URL re-writing module: http://www.iis.net/download/urlrewrite
  2. Go to the site in IIS manager & navigate to URL Rewrite in the right hand pane
  3. Create a new inbound rule with the following settings:
  4. Match URL:
    1. Requested URL: ‘Matches the pattern’
    2. Using: ‘Regular Expressions’
    3. Pattern: ‘(.*)’
    4. Ignore Case: ‘True’
  5. Conditions:
    1. Input ‘{HTTPS}’ Type ‘Matches the pattern’ Pattern ‘^OFF$’
    2. Input ‘{LOCAL_ADDR}’ Type ‘Does not match the pattern’ Pattern ‘127\.0\.0\.1’
  6. Action: ‘Redirect’ Redirect URL: ‘https://{HTTP_HOST}/{R:1}’ Append Query String: True Redirect type: ‘See Other (303)’

This will not only correct broken URLs which get returned but will redirect users who hit the site via http to https which is a requirement for the service.
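The same rule as the URL Rewrite module stores it in the site’s web.config, so it can be reviewed and version controlled rather than re-clicked. This is an added example and not configuration from the original post; the rule name is invented, and the attribute values are the ones the steps above set.

```xml
<!-- Added example, not from the original post: the inbound rule built in the
     GUI steps above, as written to the site's web.config by URL Rewrite 2. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Force HTTPS except local self-calls" stopProcessing="true">
          <!-- Match URL: pattern (.*), regular expressions, ignore case -->
          <match url="(.*)" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <!-- Condition 1: the request arrived over plain HTTP -->
            <add input="{HTTPS}" pattern="^OFF$" />
            <!-- Condition 2: ... and not on the loopback address, so the
                 application's own port-80 self-connections are left alone -->
            <add input="{LOCAL_ADDR}" pattern="^127\.0\.0\.1$" negate="true" />
          </conditions>
          <!-- Action: 303 redirect to the same host and path, query string kept -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  appendQueryString="true" redirectType="SeeOther" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two things to check when deploying this. `{LOCAL_ADDR}` is the address the request arrived on, so the exemption only covers self-connections made to 127.0.0.1 or localhost; if the application calls itself by the server’s LAN address, that address is what the condition sees and the call is redirected. And `{HTTP_HOST}` is copied from the client’s Host header, so the site should have an explicit hostname binding (or the redirect should name the host outright) rather than answering on any host name it is sent.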

Handy fix – I’d often use TMG / ISA to resolve this but this customer’s solution does not feature those products (the site is being deployed internally).


Rob


Archiving Event Logs

June 3rd, 2010 Rob No comments

As part of a recent engagement I was asked to implement a solution to automatically export & archive System and Security logs from servers to a central location, the requirements were:

  • Nightly time stamped archive of Security and System event logs to a central location
  • Clear the local log once the archive has been successfully taken

I put together the following PowerShell script to achieve the above:


# Local staging folder and the central archive share (adjust to suit).
$locallocation  = "c:\logs\"
$remotelocation = "\\fileserver\EventLogs\"
$localmachine   = $env:computername

# One Win32_NTEventLogFile instance per event log on this machine.
$evtlgs = Get-WMIObject -Class Win32_NTEventLogFile -Computer $localmachine
foreach ($log in $evtlgs)
    {
    # Only the System and Security logs are in scope; adjust this test to archive others.
    if ($log.LogFileName -eq "System" -or $log.LogFileName -eq "Security")
        {
        $timestamp = get-date -f yyyyMMddHHmmss
        $path  = $log.LogFileName + $timestamp
        $store = $locallocation + $path + ".evt"
        # BackupEventLog needs the backup privilege; ReturnValue 0 means the .evt was written.
        $backup = ($log.BackupEventLog($store)).ReturnValue
        if ($backup -eq 0)
            {
            # Clear the live log only once the archive copy exists on disk.
            $log.ClearEventLog() | out-null
            }
        else
            {
            Write-Warning ("Backup of " + $log.LogFileName + " failed with return code " + $backup + "; log not cleared")
            }
        }
    }

# Move everything staged locally to this machine's folder on the file server.
$destination = $remotelocation + $localmachine + "\"
if (-not (Test-Path $destination)) { New-Item -ItemType Directory -Path $destination | out-null }
move-item ($locallocation + "*") $destination

The above script is executed by a Scheduled Task (which, on another note, are brilliant on Server 2008). The lines you’re interested in are the top two, which configure a local location to write the log out to and the remote location to move the log to once it has been written. I ran this script using a service account which has permission to write to the local and remote locations. 

If you wanted a different selection of logs to be archived you would adjust the

if ($log.LogFileName -eq "System" -or $log.LogFileName -eq "Security")

line to suit your requirements.

In our requirement the logs had to be archived daily, this was simply achieved by configuring task scheduler to run once per day at the desired time, no code changes are required. 

The requirement for only clearing the local log if the export was successful is met by checking the return code from the backup; if this wasn’t 0 then the log won’t be cleared.


CWA 0-1-492

April 19th, 2010 Rob No comments

I recently hit a problem with CWA being published behind TMG, CWA was accessible internally from a terminal server but would throw the above error when login was attempted via TMG’s reverse proxy. 

The solution (for me – there is a fair bit written about this involving SPNs, which were not the issue in this case) was to enable anonymous authentication on the AuthMainCommandHandler.ashx file (within the /cwa directory) in IIS, and all is well again. It is reported that this issue only occurs on Server 2008 and is an issue with the site creation wizard.

My colleague Simon also hit this issue publishing CWA behind UAG, so worth checking.


Broken SharePoint Workspace Account

March 18th, 2010 Rob 4 comments

SharePoint is not my usual topic of conversation I will admit, however this caused me pain & isn’t documented from what I could find.

For what ever reason my local SharePoint workspace recently broke, giving me this error when I tried to launch it:


I tried the various ‘recover my account’ links etc., all to no avail. I came to the conclusion that I needed to re-import the backup of my workspace; however, to do this I needed to delete the broken one on my laptop, and I couldn’t do this as I couldn’t log in to the workspace… 

So after some digging around I found the following location (this is on Windows 7, if you’re on something older, upgrade!):

C:\Users\<username>\AppData\Local\Microsoft\Office\Groove\User\Accounts

Under here are some folders with seemingly random names; deleting the folders essentially reset SharePoint Workspace to its defaults & allowed me to re-import my backup – note I only had one account configured, if you have more than one you’ll need to find a way to identify which is the one for your broken account – measure twice, cut once!  Doing this will obliterate your account & any data stored locally, which means anything not uploaded yet will be lost – this wasn’t an issue for me but be aware of it before you delete the account folder; if it is an issue for you this solution probably isn’t suitable.

Fine-grained password policies

February 9th, 2010 Rob No comments

Server 2008 AD schema onwards has a very cool feature called fine-grained password policies. These can be a bit arduous to set up; the easiest way that I’ve found is to create an ldifde answer file and import them using that. In this example I’m creating a password policy called ServiceAccounts and applying it to the group called ServiceAccounts. 

dn: CN=ServiceAccounts, CN=Password Settings Container,CN=System,DC=robsdesk,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-1728000000000
msDS-MinimumPasswordAge:-864000000000
msDS-MinimumPasswordLength:8
msDS-PasswordHistoryLength:0
msDS-PasswordComplexityEnabled:TRUE
msDS-PasswordReversibleEncryptionEnabled:FALSE
msDS-LockoutObservationWindow:-18000000000
msDS-LockoutDuration:-18000000000
msDS-LockoutThreshold:5
msDS-PasswordSettingsPrecedence:20
msDS-PSOAppliesTo:CN=ServiceAccounts,OU=DomainManagement,DC=robsdesk,DC=com

Execute this command:

Ldifde -i -f pso.ldf

This will create a policy with the following attributes:

  • Maximum password age of 2 days
  • Minimum password age of 1 day
  • Minimum password length of 8 characters
  • Password history length of 0 (no previous passwords remembered)
  • Require complexity
  • Reversible encryption not enabled
  • 30 minute lockout observation window
  • 30 minute lockout
  • Lockout after 5 failures
  • Precedence of 20 – like MX records the lowest ‘cost’ comes first.

Make accounts you want to apply the policy to a member of the group.  You can edit the settings in the policy using ADSIEdit by navigating to the Password Settings Container within the System container. 
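The arduous part of the ldifde approach is the duration attributes, which are negative counts of 100-nanosecond intervals (the -1728000000000 above is 2 days). Below is an added example, not code from the original post, that derives those values from readable TimeSpans, writes the same PSO as the ldif above, imports it and then checks the resultant policy for a group member. The domain, group and OU names are the post’s (robsdesk.com, ServiceAccounts, OU=DomainManagement); the test user ‘svc-backup’ and the file name are hypothetical, and the final check assumes the Active Directory module (Server 2008 R2 / RSAT).

```powershell
# Added example, not from the original post: build the ServiceAccounts PSO ldif
# from TimeSpans, import it with ldifde, and verify the resultant policy.
# Names follow the post; the user 'svc-backup' is hypothetical.

# msDS-* durations are negative 100-nanosecond counts, which is exactly what
# [TimeSpan].Ticks gives us, so the conversion is a sign flip.
function ConvertTo-PsoInterval([TimeSpan]$span) { return -1 * $span.Ticks }

$pso = @{
    Name            = 'ServiceAccounts'
    DomainDN        = 'DC=robsdesk,DC=com'
    AppliesTo       = 'CN=ServiceAccounts,OU=DomainManagement,DC=robsdesk,DC=com'
    MaxPasswordAge  = New-TimeSpan -Days 2        # -1728000000000 in the post
    MinPasswordAge  = New-TimeSpan -Days 1        # -864000000000
    LockoutWindow   = New-TimeSpan -Minutes 30    # -18000000000
    LockoutDuration = New-TimeSpan -Minutes 30
}

$ldif = @"
dn: CN=$($pso.Name),CN=Password Settings Container,CN=System,$($pso.DomainDN)
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $pso.MaxPasswordAge)
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval $pso.MinPasswordAge)
msDS-MinimumPasswordLength: 8
msDS-PasswordHistoryLength: 0
msDS-PasswordComplexityEnabled: TRUE
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $pso.LockoutWindow)
msDS-LockoutDuration: $(ConvertTo-PsoInterval $pso.LockoutDuration)
msDS-LockoutThreshold: 5
msDS-PasswordSettingsPrecedence: 20
msDS-PSOAppliesTo: $($pso.AppliesTo)
"@

# ldifde reads ASCII by default; -u would be needed for a Unicode file.
Set-Content -Path pso.ldf -Value $ldif -Encoding ASCII
ldifde -i -f pso.ldf

# Verify from the user's point of view: the policy that actually wins for a
# member of the group (precedence decides when several PSOs apply).
Import-Module ActiveDirectory
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength, LockoutThreshold, LockoutDuration
```

The resultant-policy check at the end is the one to keep in a runbook: a PSO that applies to the wrong group, or loses on precedence to another PSO, imports without any error, and the only symptom is the account quietly living under a different policy than the one you think you set.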

More detail can be found here: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

Cheers,

Rob
