Thursday, December 31, 2009

Exchange 2010 ActiveSync Issue

During the last month we had four Exchange 2010 installations. On all of them we had problems when trying to sync mobile devices. The problem was encountered only with old accounts; when we created a new account for testing purposes, it worked fine. In the Application log I found the following record:

Log Name: Application
Source: MSExchange ActiveSync
Date: 12/22/2009 3:02:13 PM
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=,OU=,DC=,DC=local" container under Active Directory user "Active Directory operation failed on . This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
Details:%3

At first the resolution looks simple, because you can find the answer in the description of the error in the Application log. All you have to do is re-enable permission inheritance for that user. The steps are:

- Open the Active Directory Users and Computers management console;
- Enable Advanced Features from the View menu;
- Right-click the user(s), select Properties and then the Security tab;
- Click Advanced;
- Make sure that “Include inheritable permissions from this object’s parent” is checked, then click OK and Apply.

This works for most users, but not for users that are members of built-in privileged Active Directory groups. If you have such an account and you re-enable permission inheritance, you will notice that within an hour the inheritance is gone again. To understand how this works and how you can solve the problem, use this link: http://policelli.com/blog/?p=136.
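The event text above tells you exactly which ACE to look for, so the check can be scripted instead of clicked through in ADUC. The script below is an added example written for this page, not code from the original post: for one user it reports the adminCount attribute (1 marks an account that is a member of a protected group and therefore gets its ACL rewritten by SDProp from AdminSDHolder, which is the "gone again within an hour" behaviour described above), whether inheritance is blocked, and whether an inherited Allow ACE for domain\Exchange Servers grants Create child and Delete child for the msExchActiveSyncDevices class. With -Fix it re-enables inheritance, which is the same action as the ADUC checkbox. The script name and the sample account are assumptions; it uses ADSI only, so it runs on Windows Server 2008 with PowerShell 2.0 without the ActiveDirectory module.

```powershell
# Added example (editor's, not code from the original post). Reports why MSExchange ActiveSync
# event 1053 fires for one user and optionally re-enables permission inheritance.
#   .\Test-EasPermissions.ps1 -SamAccountName jdoe         # report only (script name assumed)
#   .\Test-EasPermissions.ps1 -SamAccountName jdoe -Fix    # also re-enable inheritance
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [switch]$Fix
)

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.Properties["defaultNamingContext"].Value
$schemaDn = $rootDse.Properties["schemaNamingContext"].Value

# The ACE the event asks for is object-specific: Create child / Delete child of the
# msExchActiveSyncDevices class. Look the class GUID up instead of hard-coding it.
$schemaSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaDn", "(lDAPDisplayName=msExchActiveSyncDevices)", @("schemaIDGUID"))
$schemaHit = $schemaSearch.FindOne()
if ($schemaHit -eq $null) { throw "msExchActiveSyncDevices is not in the schema; is the Exchange schema installed?" }
$easClassGuid = New-Object System.Guid -ArgumentList @(,[byte[]]$schemaHit.Properties["schemaidguid"][0])

$userSearch = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$domainDn", "(&(objectCategory=person)(sAMAccountName=$SamAccountName))")
$userHit = $userSearch.FindOne()
if ($userHit -eq $null) { throw "User '$SamAccountName' not found in $domainDn" }

$user       = $userHit.GetDirectoryEntry()
$acl        = $user.psbase.ObjectSecurity
$adminCount = $user.Properties["adminCount"].Value     # 1 = protected by AdminSDHolder / SDProp

# OR together every Allow ACE for "<domain>\Exchange Servers" that targets the EAS class
# (or all object types) and check that CreateChild and DeleteChild are both present.
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$deleteChild = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$granted = 0
foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
    if ($ace.IdentityReference.Value -notlike '*\Exchange Servers') { continue }
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    if ($ace.ObjectType -ne $easClassGuid -and $ace.ObjectType -ne [Guid]::Empty) { continue }
    $granted = $granted -bor [int]$ace.ActiveDirectoryRights
}
$hasEasRights = (($granted -band $createChild) -ne 0) -and (($granted -band $deleteChild) -ne 0)

New-Object PSObject -Property @{
    User                     = $user.Properties["distinguishedName"].Value
    AdminCount               = $adminCount
    InheritanceBlocked       = $acl.AreAccessRulesProtected
    ExchangeServersEasRights = $hasEasRights
} | Format-List

if ($Fix -and $acl.AreAccessRulesProtected) {
    # Same effect as ticking "Include inheritable permissions from this object's parent" in ADUC.
    $acl.SetAccessRuleProtection($false, $true)
    $user.psbase.CommitChanges()
    Write-Host "Inheritance re-enabled for $SamAccountName."
    if ($adminCount -eq 1) {
        Write-Warning ("adminCount=1: this account is in a protected group, so SDProp will re-apply the " +
                       "AdminSDHolder ACL and block inheritance again within about an hour. Giving the " +
                       "person a separate, non-privileged account for mail is the durable option.")
    }
}
```

A report showing InheritanceBlocked=True with AdminCount=1 is the case the last paragraph describes: the -Fix switch will work, but only until the next SDProp pass, so treat the warning as the real finding.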

Friday, December 25, 2009

Migrate from POP/IMAP accounts to Exchange 2010

At the end of the year we have two projects where we have to migrate clients from open source email systems to Exchange 2010. Both are using IMAP as the email access protocol and we have to import their old emails into the new system. There are two ways to do that: the hard way, using email client features, and the easy way, using server tools.
I won’t discuss the hard way, since it’s easy in theory and difficult in practice, involving a lot of helpdesk work. I will talk about the “easy way” and show how, using just one tool from Microsoft, you can import all the emails stored on the old email server.
We will use a tool from Microsoft called “Microsoft Transporter”. This tool was designed for Exchange 2007 and there is no plan to release one for Exchange 2010. So there is a catch: to use the tool you first have to install an Exchange 2007 server with the Client Access Server role and the Mailbox role in your organization. After that you create a CSV file with all the mailbox information and import this file into Microsoft Transporter; from there you can choose which accounts will be migrated, the time range of the data to be migrated, and so on. The detailed steps for a successful migration are:
  1. Install an Exchange 2007 SP2 server within your network as the first Exchange server in the organization;
  2. Install the CAS and Mailbox roles on the Exchange 2007 server;
  3. Install the “Microsoft Transporter Tool” on the Exchange 2007 server, selecting only Transporter for Internet Mail;
  4. On the Exchange 2007 server do the following tasks:
    • Run “net user <account> /domain” at a command prompt to get the group membership of the account that will do the migration;
    • Add that account to the Exchange Recipient Administrators group if it’s not already a member;
    • Run in the Exchange Management Shell: “Get-ClientAccessServer | select Name,DistinguishedName | fl” to get the distinguished name of the CAS server;
    • Run in the Exchange Management Shell: “Add-ADPermission -Identity <CAS distinguished name> -User <account> -ExtendedRights ms-Exch-EPI-Impersonation” to grant Exchange Impersonation rights on the Exchange 2007 CAS to the account that will do the migration.
  5. Create mailboxes on the Exchange 2007 server for all the users that you will migrate;
  6. Create a CSV file with the following columns:
    • SourceIdentity: the e-mail address the user has on the POP3/IMAP server;
    • SourceServer: the name or IP address of the POP3/IMAP server;
    • SourceLoginID: the user name used to log on to the POP3/IMAP server;
    • SourcePassword: the user’s password (the file therefore holds every user’s password in clear text; keep it on the Exchange 2007 server with restricted permissions and delete it once the migration is done);
    • TargetIdentity: the Exchange 2007 mailbox that will receive the data from the source account.
  7. Import the CSV file into the Transporter Tool using the Add Mailboxes command;
  8. In the Transporter Tool, select All Mailboxes on the main screen and choose “Migrate Selected Mailboxes”;
  9. Select IMAP or POP as the protocol;
  10. Select “All emails” when asked for the date range, then start the migration process;
  11. Wait until all the emails are migrated and review all warnings or errors;
  12. Now all the emails are stored on the Exchange 2007 server and we have to move them to the Exchange 2010 server(s);
  13. Install the Exchange 2010 server(s) with roles according to your new email organization design;
  14. Follow the Exchange 2007 to Exchange 2010 upgrade procedure from the Microsoft Support site to move all the mailboxes and to remove the Exchange 2007 server.
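Steps 4 and 6 are where migrations usually fail: a column name typed wrong, a TargetIdentity with no mailbox yet, or an impersonation right missing. The following is an added example for this page, not part of the original post or of the Transporter tool, run from the Exchange 2007 Management Shell before step 7. It validates the CSV (required headers, no blank cells, every TargetIdentity resolves with Get-Mailbox), grants the impersonation rights, and tightens the NTFS ACL on the CSV because it contains every user's clear-text password. The CSV path and the migration account name are assumptions. In addition to ms-Exch-EPI-Impersonation from step 4, it also grants ms-Exch-EPI-May-Impersonate on the mailbox databases, which is the companion right Exchange 2007 impersonation requires and which the step list above does not mention.

```powershell
# Added example (editor's, not code from the original post or from Microsoft Transporter).
# Run in the Exchange 2007 Management Shell as an Exchange administrator, before step 7.
#   .\Prepare-TransporterImport.ps1 -CsvPath C:\Migration\mailboxes.csv -MigrationAccount CONTOSO\svc-transporter
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,           # assumed path
    [Parameter(Mandatory = $true)][string]$MigrationAccount   # assumed DOMAIN\user that runs Transporter
)

# --- 1. Validate the CSV before Transporter ever sees it ------------------------------------
$required = @("SourceIdentity", "SourceServer", "SourceLoginID", "SourcePassword", "TargetIdentity")
$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0) { throw "$CsvPath contains no data rows" }

$headers = @($rows[0].psobject.Properties | ForEach-Object { $_.Name })
$missing = @($required | Where-Object { $headers -notcontains $_ })
if ($missing.Count -gt 0) { throw ("CSV is missing column(s): " + ($missing -join ", ")) }

$problems = @()
$line = 1                                    # line 1 is the header
foreach ($row in $rows) {
    $line++
    foreach ($col in $required) {
        if ([string]::IsNullOrEmpty($row.$col)) { $problems += "line $line : $col is empty" }
    }
    # The target mailbox must already exist on Exchange 2007 (step 5).
    if (-not (Get-Mailbox -Identity $row.TargetIdentity -ErrorAction SilentlyContinue)) {
        $problems += "line $line : no Exchange 2007 mailbox for TargetIdentity '$($row.TargetIdentity)'"
    }
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the CSV before importing it into Transporter"
}
Write-Host ("CSV OK: {0} mailboxes to migrate" -f $rows.Count)

# --- 2. Impersonation rights for the migration account -------------------------------------
# ms-Exch-EPI-Impersonation on every CAS (step 4) plus ms-Exch-EPI-May-Impersonate on the
# mailbox databases, the companion right Exchange 2007 impersonation needs (added here).
Get-ClientAccessServer | Add-ADPermission -User $MigrationAccount -ExtendedRights ms-Exch-EPI-Impersonation | Out-Null
Get-MailboxDatabase    | Add-ADPermission -User $MigrationAccount -ExtendedRights ms-Exch-EPI-May-Impersonate | Out-Null

# --- 3. Lock down the CSV: it holds every user's password in clear text -------------------
$acl = Get-Acl -Path $CsvPath
$acl.SetAccessRuleProtection($true, $false)                     # stop inheriting, drop inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null                     # drop any explicit ACEs already there
}
$operator = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($principal in @($operator, "BUILTIN\Administrators")) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, "FullControl", "Allow")))
}
Set-Acl -Path $CsvPath -AclObject $acl
Write-Host "ACL on $CsvPath restricted to $operator and local Administrators. Delete the file after step 11."
```

Run the validation part again after any edit to the CSV; it is cheap, and a failed Transporter run leaves partially migrated mailboxes that are tedious to reconcile.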
If you have questions or something goes wrong, please write comments on this post.

Wednesday, December 23, 2009

Music and IT

Last week I was invited to the Microsoft Christmas Community Meeting to speak about mobility and to sing some Christmas carols with my band. Since our year end at PRAS is busy as always, I decided that I could do only one thing: sing :-).
My business associate Andrei told me that it’s not OK for the business to do that, but since one of my dreams was to sing on a stage, I ignored his advice and convinced my friends from the band to do the show. We were all nervous about it, but in the end it was a lot of fun and it will remain a great moment for the participants, for my band and especially for me.
You can find below some images and short movies from the first, and maybe the last, show of “The Future”.




Sunday, December 13, 2009

Antivirus for Microsoft Exchange 2010

At PRAS we are at different stages of implementing Exchange 2010 for several clients.
There are two recurring questions that we get from our clients:
  • What antispam should we use?
  • What antivirus should we use to protect our new mail environment?
For previous Exchange versions, based on our former experience as system administrators at Vodafone, our traditional answer was: GroupShield from McAfee or, if you have more money to invest, a Web Security Appliance from the same vendor (or a “black box”, as we call it).
There are other vendors that provide antivirus and antispam protection for Exchange, but we had a bad experience with BitDefender Security for Exchange, so we stayed with the products from McAfee.

For Exchange 2010, we did some research on the market and, surprisingly or not, for the moment there is no antivirus designed for this product except Microsoft Forefront Protection 2010 for Exchange Server. There is always the option to use a “black box”, but this has some major disadvantages, like no protection against infections generated by internal users.
With no other option, we tested the new antivirus and antispam protection for Exchange from Microsoft. There are a few things that make this a great product:
  • Antispam that is deeply integrated with Exchange and provides a 99% catch rate with less than 1 in 250,000 false positives. The old version had no antispam protection and you had to use the standard antispam features included in Exchange 2007;
  • Easy-to-manage quarantine. With the standard antispam protection that could be configured in Exchange 2007 or Exchange 2010 you could set up a quarantine mailbox, but the mailbox was so full of spam that it was impossible to check it for false positives;
  • An innovative hybrid solution that optimizes email hygiene in the cloud with joint on-premises management and monitoring, through integration with Forefront Online Protection for Exchange;
  • Premium antimalware via multiple antimalware engines, which provide 38 times faster detection than any single-vendor solution according to AV-test.org;
  • A brand new user interface and easy-to-use console that allows administrators to rapidly identify and respond to security threats. The old console was a bit difficult to understand and it was not so easy to find some settings or features;
  • Easy to install and configure, with set-and-forget smart defaults.
I am eager to see what the competition has to say about this. It is always great to be able to choose between different products and I am sure that soon we will have some interesting choices.

Sunday, November 29, 2009

Exchange 2010 and mobile email access

Tomorrow I will have a new mobile phone, a brand new model – Nokia E72. I am a Nokia fan and probably this will not change in the near future :-).

When I was searching for a new phone, I looked at all the new phones on the market, not only Nokia phones. For me, as an intensive email user, one of the main criteria for choosing a phone is the email client it provides and its characteristics. I was looking for a phone that works with MS Exchange 2010 and has as many email features as possible. Here is what I found out:
Windows Mobile 6.5 – as expected, Windows Mobile (6.1 and 6.5) together with Exchange 2010 provides the best user experience and more. Here are some of the new features: conversation view, free/busy lookup, nickname cache, SMS sync, Unified Messaging card, new user interface, reply state, installable client, allow/block/quarantine control, server search, HTML e-mail, mobile management policies, message flagging.
BlackBerry – I always thought that BlackBerry is only marketing. Why should you pay for a service that you can have for free using Microsoft ActiveSync?! There is bad, or maybe good, news for BlackBerry users that intend to use Exchange 2010: for the moment, there is no support for BlackBerry Enterprise Server (BES) with Exchange 2010. The only workaround is to install an Exchange 2007 CAS and Mailbox server and later add Exchange 2010 servers to your organization. So you have to stick with your old Exchange 2007, or you have to invest some additional money in hardware and software.
Nokia – the latest version of Nokia Mail for Exchange (2.9.176) was released before the Exchange 2010 launch and does not have some of the interesting features of this system. Some interesting characteristics: subfolder access, support for GAL lookup with Company Directory, accept/decline meeting requests, search of email content using the Search application, message reply/forward by reference, message read status replication, message deletion replication, full attachment support (receiving, sending, viewing, editing, saving), save messages to the Sent Items folder, support for many Exchange 2007 mailbox policies, configurable via a device management server, set out-of-office message, set and clear flags on email messages.
iPhone – the iPhone is by far the most friendly and easy-to-use phone on the market. Unfortunately, the latest iPhone OS (3.0) includes only a limited number of features for accessing your Exchange 2007/2010 mailbox: creation of meeting invitations for Exchange users, sync with local address books and Exchange at the same time, access to an Exchange global address list (GAL) and per-folder downloading of Exchange messages. The bad news: no notes and tasks sync (with Exchange), no full-text search of mail messages, and push email remains slow, flaky and battery-consuming.

Friday, November 20, 2009

Windows 7, Windows Server 2008 R2, Exchange 2010 launch in Cluj and Timisoara

During this week I took part as a speaker in the events organized by Microsoft in Cluj and Timisoara for launching “The New Efficiency” products. I was a little skeptical about speaking at these events for two reasons:
- My lack of experience speaking to a large crowd of people;
- During my former job as system administrator at Vodafone, the main reason for going to such events was to have a day off work and a free lunch.
After spending almost four days with the guys from Microsoft and speaking at the events, I can say that I was completely wrong.
The first thing I found out is that outside Bucharest, the people who take part in such events are usually technical people who want to learn about new technologies. They are good listeners and sometimes they ask excellent questions. It is definitely a pleasure to speak to a room full of such people.
Another exciting thing was the interest raised by the new products. As my partners from Microsoft said, Windows 7 was the star… but only for the consumers. In my opinion most of the participants were there to learn about Windows Server 2008 R2, and some of them about Exchange 2010.
Last but not least, you get a lot of emotions when you speak to a large audience, but it is not an impossible thing to do. As a speaker you see a lot of things that are not OK, but only a small part of them are visible from the outside. There are a few important things you must take care of: speak to the audience, not to the projector screen, interact with them, and know what you are talking about.


Wednesday, November 11, 2009

Five reasons to start using MS Exchange 2010

During the last weeks, close to the launch of Exchange 2010, I received a lot of questions about the grounds for moving to Exchange 2010. I will try to give my top five reasons to do that.
This means that I won’t compare the new version of MS Exchange with any system that you might use right now, because it’s irrelevant. I will tell you what is useful and cool from my perspective as a person who has watched the evolution of this product for more than ten years and is thrilled with what he sees. Even if the product is not as revolutionary as Exchange 2007 was, there are a lot of new and improved things that I think will make this product a “blockbuster”.
So here is my top five:
1. Inexpensive storage – Exchange 2007 required expensive storage based on SCSI or SAS technology, and the recommended RAID level was RAID 10.
With Exchange 2010 the IOPS have been dramatically reduced (by up to 70% compared with Exchange 2007) and now you can use inexpensive SATA storage with RAID 5 arrays.
2. Customized disclaimers – we have a customer who traditionally used Lotus Notes as email solution. I won’t say that it was a bad or a good solution. What I will say is that it was very easy to set up email signatures for each user without expecting the user to do the task.
Now, in Exchange 2010, you can add signatures for each user based on his attributes from Active Directory. It’s just a transport rule that can be implemented in 10 minutes, and you can even add pictures to the signature.
3. Database Availability Groups – I implemented the first high availability (HA) email solution using Exchange 2000 and it was quite difficult to do. And more than this, you couldn’t have features like geographically distributed clusters (using only Microsoft’s tools); it was just a cluster with shared storage.
Exchange 2007 was a huge improvement, but it was still complicated to implement HA solutions based on it. You still had to configure a Windows cluster and there were too many options, like Cluster Continuous Replication (CCR), Local Continuous Replication (LCR) or Standby Continuous Replication (SCR).
Now everything is based on Database Availability Groups (DAG), which are configured directly from the Exchange console or Shell, and you can replicate your databases to up to 16 servers, each of them using different hardware.
4. Moderated emails – my company works in the IT services area and the customer service approach is very important to us. When somebody new was hired in my company, for a certain time somebody else had to check the emails he was sending to clients, to see whether they complied with our customer service policy. It was a manual process and the user could at any time send emails to customers without his supervisor’s knowledge.
With Exchange 2010 it’s possible to automate this process and send all external emails of a user for approval automatically.

5. Exchange Control Panel – in the old Exchange versions all the management was traditionally done by the administrator. Now some easy but time-consuming tasks can be delegated to designated non-administrator users, and all of them are performed from the email client (e.g. group management, multi-mailbox search).
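Reasons 2 and 4 are both transport rules, and the security point they share is that the rule runs on the Hub Transport server, so the sender cannot leave the signature off or slip a message past the supervisor from the client. The block below is an added example for this page, not code from the original post: it creates the two rules from the Exchange 2010 Management Shell. The rule names, the distribution group of accounts under review, the supervisor mailbox and the set of AD attributes in the signature are assumptions; the %%Attribute%% placeholders are the Exchange 2010 disclaimer tokens, resolved per sender at transport time.

```powershell
# Added example (editor's, not code from the original post). Exchange 2010 Management Shell.

# --- Reason 2: a signature built from the sender's Active Directory attributes --------------
# Tokens such as %%DisplayName%% are replaced for each sender when the rule fires, so nobody
# has to configure anything in Outlook and nobody can send without it.
$signature = @"
<html><body style="font-family:Arial;font-size:10pt">
<p>%%DisplayName%%<br/>
%%Title%%, %%Department%%<br/>
%%Company%%<br/>
Tel: %%PhoneNumber%% | <a href="mailto:%%Email%%">%%Email%%</a></p>
</body></html>
"@

New-TransportRule -Name "Corporate signature (outbound)" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -ApplyHtmlDisclaimerText $signature `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Comments "Appended by transport to all external mail; users cannot omit or alter it."

# --- Reason 4: hold every external message from a new hire until a supervisor approves it ----
$newHires   = "new-hires@contoso.com"      # assumed distribution group of accounts under review
$supervisor = "supervisor@contoso.com"     # assumed moderator mailbox

New-TransportRule -Name "Moderate external mail from new hires" `
    -FromMemberOf $newHires `
    -SentToScope NotInOrganization `
    -ModerateMessageByUser $supervisor `
    -Comments "Queued in the arbitration mailbox until approved; enforced server-side."

# Verify both rules exist, are enabled and sit in the order you expect.
Get-TransportRule | Format-Table Name, Priority, State -AutoSize
```

Moving someone out of the review period is then a group membership change rather than a rule edit, which keeps the rule itself stable and auditable.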

Tuesday, November 10, 2009

Sunday, November 8, 2009

MS Exchange 2010 launch in Romania

Last week, on November 5th, Microsoft launched three new products in Romania: Windows 7, Windows Server 2008 R2 and Exchange 2010. I was on stage to present a case study about the first implementation of Exchange 2010 in Romania, which was done by PRAS. The other people in the pictures are: Jean-Philippe Courtois – President at Microsoft International, Liviu Dragan – General Manager at Total Soft and Fotis Karonis – CIO at Romtelecom.

Sunday, November 1, 2009

Issue in MS Exchange 2007 SP1 version

Recently we had to provide an MS OCS 2007 R2 test account for one of our clients. To be able to test all the features of the product we had to give him an email account as well. When we ran some tests to see whether everything was working as expected, we found out that RPC over HTTPS connectivity was broken and email autoconfiguration was no longer working. Looking back, we found that the last major change in our system was the upgrade of our MS Exchange 2007 system to SP1. After some extensive searching we found out that the problem is caused by the use of TCP/IPv6.
Windows Server 2008 made TCP/IPv6 the default protocol stack over which connections are made by clients connecting to the server that is running Microsoft Exchange. The RPCProxy component tries to connect to the DSProxy component on port 6004 over TCP/IPv6. However, the DSProxy component does not listen on the TCP/IPv6 stack, which causes connection requests from the RPCProxy component to fail.
As a solution, in Exchange 2007 SP1, for clients to connect using Outlook Anywhere when the Client Access server is running on Windows Server 2008, TCP/IPv6 connectivity must be manually disabled on all Exchange servers that have the Client Access server role installed.
Multiple-server topology
To disable TCP/IPv6 in a multiple-server topology where the Client Access server role is not running on the same Exchange server as the Mailbox server role:

1. Under Network Connections, select the network adapter, and then click Properties.
2. In the properties window, clear the check box for Internet Protocol Version 6 (IPv6).
(Clearing this check box causes the RPCProxy component on the Client Access server to use TCP/IPv4 to talk to the DSProxy component on the Mailbox server.)
3. Click Start, and then click Run.
4. Type regedit in the Open box.
5. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
6. Right-click the Parameters key, click New, and then click DWORD (32-bit) Value. Create the following value:

Name: DisabledComponents
Data: 0xFFFFFFFF

7.Restart the Client Access server.

Single-server topology
The preceding procedure does not work for a single-server topology where the Client Access server role is running on the same Exchange server as the Mailbox server role. This is because the loopback interface (the interface used when communicating through TCP/IP with a process on the same computer) continues to use TCP/IPv6. In this case, you must perform the following steps to disable TCP/IPv6.
To disable TCP/IPv6 in a single-server topology where the Client Access server role is running on the same Exchange server as the Mailbox server role:
1. Open the hosts file located in %SystemRoot%\system32\drivers\etc\ with an editor such as Notepad.
(In this step, %SystemRoot% refers to the folder on the local hard disk where the Windows system files are located.)
2. Search for the line that contains the terms "::1" and "localhost".
3. Type a number sign (#) at the beginning of the line to make it a comment.
4. Press ENTER and, on the next line, type the following lines to map the TCP/IPv4 address to the host name and FQDN of the Exchange server that is running both the Client Access and Mailbox server roles:

TCP/IPv4 address           host name of the computer
TCP/IPv4 address           FQDN of the computer
5.Click Save, and then close the file.

This solution was taken from the Microsoft TechNet articles. It's not very difficult to solve the problem, but it was a bit difficult to find it :-).
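Both TechNet procedures above are hand edits, which is fine for one server and error-prone for several. The script below is an added example for this page, not from the original post or from TechNet: it writes the DisabledComponents value, and with -SingleServer it comments out the "::1 localhost" line in the hosts file and pins the server's short name and FQDN to its IPv4 address, making a backup first. It then checks that DSProxy answers on TCP 6004 over IPv4, which is the connection that was failing. Two caveats worth knowing: the value written is 0xFF, which Microsoft's KB 929852 documents as "disable all IPv6 components except the loopback interface" (0xFFFFFFFF, used in older articles, also works but adds a boot delay), and that loopback exception is exactly why the single-server case needs the hosts-file change as well. Unticking IPv6 on the adapter (step 1 of the first procedure) is a GUI step not covered here. The script name and the way the IPv4 address is picked are assumptions; run it elevated and restart afterwards.

```powershell
# Added example (editor's, not code from the original post or from TechNet). Windows Server 2008,
# PowerShell 2.0. Run elevated on the Exchange 2007 SP1 Client Access server.
#   .\Disable-IPv6ForOutlookAnywhere.ps1                          # multiple-server topology
#   .\Disable-IPv6ForOutlookAnywhere.ps1 -SingleServer            # CAS + Mailbox on this server
param(
    [switch]$SingleServer,
    # First IPv4 address of an IP-enabled adapter; override with -IPv4Address if the box has several.
    [string]$IPv4Address = (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
                            ForEach-Object { $_.IPAddress } |
                            Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } |
                            Select-Object -First 1),
    [string]$MailboxServer = $env:COMPUTERNAME       # where DSProxy runs; this host in single-server
)

$hostName = $env:COMPUTERNAME
$fqdn     = [System.Net.Dns]::GetHostEntry($hostName).HostName

# --- Part 1: Tcpip6\Parameters\DisabledComponents (both topologies) ----------------------------
# 0xFF = disable all IPv6 components except the loopback interface (KB 929852). The loopback
# exception is why the single-server topology also needs Part 2.
$tcpip6 = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
Set-ItemProperty -Path $tcpip6 -Name DisabledComponents -Value 0xFF -Type DWord
Write-Host ("DisabledComponents = 0x{0:X}" -f (Get-ItemProperty $tcpip6).DisabledComponents)

# --- Part 2: hosts file (single-server topology only) -------------------------------------------
if ($SingleServer) {
    $hostsPath = Join-Path $env:SystemRoot "system32\drivers\etc\hosts"
    Copy-Item $hostsPath ("{0}.bak-{1}" -f $hostsPath, (Get-Date -Format yyyyMMddHHmmss))
    $lines = @(Get-Content $hostsPath)

    # Comment out the IPv6 loopback mapping so local names stop resolving to ::1.
    $lines = @($lines | ForEach-Object {
        if ($_ -match '^\s*::1\s+localhost') { "# $_" } else { $_ }
    })

    # Pin the server's own short name and FQDN to IPv4 (idempotent: only add what is missing).
    foreach ($name in @($hostName, $fqdn)) {
        $pattern = "^\s*" + [regex]::Escape($IPv4Address) + "\s+" + [regex]::Escape($name) + "\s*$"
        if (-not @($lines | Where-Object { $_ -match $pattern }).Count) {
            $lines += ("{0}`t{1}" -f $IPv4Address, $name)
        }
    }
    Set-Content -Path $hostsPath -Value $lines -Encoding ASCII
    Write-Host "hosts updated: ::1 localhost commented out, $hostName and $fqdn mapped to $IPv4Address"
}

# --- Part 3: can RPCProxy reach DSProxy on 6004 over IPv4? -------------------------------------
# A parameterless TcpClient is an IPv4 socket, so this is exactly the path RPCProxy needs.
function Test-TcpPort([string]$Address, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try   { $client.Connect($Address, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}
Write-Host ("DSProxy on {0}:6004 over IPv4: {1}" -f $MailboxServer, (Test-TcpPort $MailboxServer 6004))
Write-Host "Restart the server for the registry change to take effect, then re-test Outlook Anywhere."
```

If Part 3 reports False after the restart, the Microsoft Exchange System Attendant service (which hosts DSProxy) is the first thing to check on the Mailbox server, before revisiting the IPv6 settings.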