Thursday, December 31, 2009

Exchange 2010 ActiveSync Issue

During the last month we had four Exchange 2010 installations. On all of them we had problems when trying to sync mobile devices. The problem was encountered only with old accounts: when we created a new account for testing purposes, it worked fine. In the Application log I found the following record:

Log Name: Application
Source: MSExchange ActiveSync
Date: 12/22/2009 3:02:13 PM
Event ID: 1053
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A
Computer:
Description:
Exchange ActiveSync doesn't have sufficient permissions to create the "CN=,OU=,DC=,DC=local" container under Active Directory user "Active Directory operation failed on . This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-03152492, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
".
Make sure the user has inherited permission granted to domain\Exchange Servers to allow List, Create child, Delete child of object type "msExchangeActiveSyncDevices" and doesn't have any deny permissions that block such operations.
Details:%3

At first the resolution looks simple, because you can find the answer in the description of the error in the Application log. All you have to do is to reset permission inheritance for that user. The steps are:

- Open Active Directory Users and Computers management console;
- Enable Advanced Features from View Tab;
- Right-click the user(s), select Properties and then the Security tab;
- Click Advanced;
- Make sure that the “Include inheritable permissions from this object’s parent” is checked and click OK, Apply, etc.

This works for most users, but not for users that are members of built-in privileged Active Directory groups. If you have such an account and you reset the permission inheritance, you will notice that within up to one hour the inheritance is gone again. To understand how this works and how you can solve the problem, use this link: http://policelli.com/blog/?p=136.
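Before touching ACLs by hand it helps to know which accounts are going to keep losing their inheritance. The script below is an added example (not from the original post): it counts the Event ID 1053 entries described above on the CAS, then lists every account carrying adminCount=1, which is the attribute AdminSDHolder stamps on members of the protected built-in groups, together with whether inheritance is currently blocked and whether an Allow ACE for Exchange Servers with Create child is still present. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT) and read access to the domain; the group name "Exchange Servers" is the one named in the event text.

```powershell
# Added example (not from the original post): report recent ActiveSync
# permission errors and the accounts whose ACL AdminSDHolder keeps resetting.
# Assumes the ActiveDirectory module and domain read access; run on the CAS.

Import-Module ActiveDirectory

# 1. How many ActiveSync "insufficient permissions" errors (Event 1053) has
#    this server logged? Get-WinEvent errors when nothing matches, so swallow that.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MSExchange ActiveSync'
    Id           = 1053
} -MaxEvents 100 -ErrorAction SilentlyContinue
"Event 1053 (ActiveSync insufficient permissions) entries found: $(@($events).Count)"

# 2. Accounts protected by AdminSDHolder carry adminCount=1. The SDProp process
#    rewrites their ACL from the AdminSDHolder template (hourly by default), which
#    is why re-enabled inheritance on such an account disappears again.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' `
    -Properties adminCount, nTSecurityDescriptor

$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$report = foreach ($u in $protected) {
    # nTSecurityDescriptor is returned as System.DirectoryServices.ActiveDirectorySecurity
    $sd = $u.nTSecurityDescriptor

    # Is there still an Allow ACE for Exchange Servers that includes CreateChild
    # (what ActiveSync needs to create the msExchActiveSyncDevices container)?
    $exchAce = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -like '*\Exchange Servers' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $createChild) -eq $createChild)
        }

    New-Object PSObject -Property @{
        SamAccountName     = $u.SamAccountName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $sd.AreAccessRulesProtected   # $true = inheritance disabled
        ExchangeServersAce = [bool]$exchAce
    }
}

$report |
    Select-Object SamAccountName, AdminCount, InheritanceBlocked, ExchangeServersAce |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```

Accounts that show InheritanceBlocked = True and ExchangeServersAce = False are the ones whose devices will fail with Event 1053. For the rows with AdminCount = 1, re-enabling inheritance as described in the steps above only holds until the next SDProp pass, so those accounts need the approach from the linked post rather than another manual reset.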

Friday, December 25, 2009

Migrate from POP/IMAP accounts to Exchange 2010

At this end of the year we have two projects where we have to migrate the clients from open source email systems to Exchange 2010. Both are using IMAP as the email access protocol and we have to import their old emails into the new system. There are two ways to do that – the hard way, using email client features, and the easy way, using server tools.
I won’t discuss the hard way, since it’s easy in theory and difficult in practice, involving a lot of helpdesk work. I will talk about the „easy way” and show how, using just a simple tool from Microsoft, you can import all the emails stored on the old email server.
We will use a tool from Microsoft called „Microsoft Transporter”. This tool was designed for Exchange 2007 and there is no plan to release one for Exchange 2010. So there is a catch: to use the tool you first have to install an Exchange 2007 server in your organisation with the Client Access Server role and the Mailbox role. After that you have to create a CSV file with all the mailbox information and import this file into Microsoft Transporter; from there you can choose which accounts will be migrated, the time range of the data to be migrated and so on. The detailed steps for a successful migration are:
  1. Install an Exchange 2007 SP2 server within your network as the first Exchange server in the organization;
  2. Install CAS and Mailbox role on the Exchange 2007 server;
  3. Install on the Exchange 2007 server the “Microsoft Transporter Tool” selecting only Transporter for Internet Mail;
  4. On the Exchange 2007 server do the following tasks:
    • Run at a command prompt “Net user /domain” to get the group membership of the logged-on account;
    • Add the account that will do the migration to the Exchange Recipient Administrators group if it’s not already a member;
    • Run in the Exchange Management Shell: “Get-ClientAccessServer | select name,distinguishedname | fl” to get the Distinguished Name of the CAS server;
    • Run in the Exchange Management Shell: “Add-ADPermission -Identity <CAS distinguished name> -User <user> -ExtendedRights ms-Exch-EPI-Impersonation” (the Identity is the Distinguished Name from the previous step) to grant Exchange Impersonation rights on the Exchange 2007 CAS to the user that will do the migration.
  5. Create mailboxes on the Exchange 2007 server for all the users that you will migrate;
  6. Create a CSV file with the following columns:
    • SourceIdentity: the e-mail account that the user has on the POP3 server;
    • SourceServer: the name or IP of the POP3 server;
    • SourceLoginID: the account user name used to connect to the POP3 server;
    • SourcePassword: the user’s password;
    • TargetIdentity: the Exchange Server 2007 identity that will receive the data from the POP3 source settings.
  7. Import the CSV file into the Transporter Tool using Add Mailboxes command;
  8. In the Transporter Tool, select All Mailboxes from the main screen of the tool and select “Migrate Selected Mailboxes”;
  9. Select IMAP or POP as the protocol;
  10. Select "All emails" on data ranges question then start the migration process;
  11. Wait until all the emails are migrated and review all warnings or errors;
  12. Now all the emails are stored on the Exchange 2007 server and we have to move them to the Exchange 2010 server(s);
  13. Install the Exchange 2010 server(s) with roles according to your new email organization design.
  14. Use the upgrade procedure from Exchange 2007 to Exchange 2010 from the Microsoft Support site to migrate all your email accounts and to remove the Exchange 2007 server.
If you have questions or something goes wrong, please write comments to this post.
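Step 6 is the one that tends to go wrong, and the file it produces holds every user's POP/IMAP password in clear text. The script below is an added example (not from the original post and not part of Microsoft Transporter): it builds the import file with the five columns listed in step 6 from a list of source accounts, checks it for empty cells and duplicate source mailboxes, optionally confirms the target mailboxes from step 5 exist when run inside the Exchange Management Shell, and then restricts the file's NTFS ACL to the migrating account. The server name, account values and output path are constructed placeholders.

```powershell
# Added example (not from the original post or Microsoft Transporter):
# build and lock down the Transporter import CSV.
# All server names, accounts, passwords and paths below are placeholders.

$sourceServer = 'imap.oldmail.example'          # placeholder: the old IMAP/POP server
$csvPath      = 'C:\Migration\transporter.csv'  # placeholder: output file

# Constructed sample input. In practice build this from an export of the old
# server (Import-Csv, a database query, ...) rather than hard-coding it.
$accounts = @(
    @{ Mail = 'alice@oldmail.example'; Login = 'alice'; Password = 'placeholder-1'; Target = 'alice@exch2007.example' },
    @{ Mail = 'bob@oldmail.example';   Login = 'bob';   Password = 'placeholder-2'; Target = 'bob@exch2007.example' }
)

# The five columns from step 6, in the order they are listed there.
$columns = 'SourceIdentity','SourceServer','SourceLoginID','SourcePassword','TargetIdentity'

$rows = foreach ($a in $accounts) {
    New-Object PSObject -Property @{
        SourceIdentity = $a.Mail
        SourceServer   = $sourceServer
        SourceLoginID  = $a.Login
        SourcePassword = $a.Password
        TargetIdentity = $a.Target
    }
}

# Sanity checks before handing the file to Transporter: no empty cells, and no
# source mailbox listed twice (a duplicate would migrate the same mail twice).
foreach ($r in $rows) {
    foreach ($c in $columns) {
        if ([string]::IsNullOrEmpty([string]($r.$c))) {
            throw "Row for '$($r.SourceIdentity)' has an empty $c"
        }
    }
}
$dupes = $rows | Group-Object SourceIdentity | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    throw "Duplicate SourceIdentity: $(($dupes | ForEach-Object { $_.Name }) -join ', ')"
}

# Inside the Exchange Management Shell, also confirm each target mailbox from
# step 5 already exists; elsewhere Get-Mailbox is absent and the check is skipped.
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    foreach ($r in $rows) {
        if (-not (Get-Mailbox -Identity $r.TargetIdentity -ErrorAction SilentlyContinue)) {
            throw "Target mailbox not found: $($r.TargetIdentity)"
        }
    }
}

# Write the CSV with the columns in the listed order.
New-Item -ItemType Directory -Path (Split-Path $csvPath) -Force | Out-Null
$rows | Select-Object $columns | Export-Csv -Path $csvPath -NoTypeInformation -Encoding ASCII

# The file contains cleartext passwords: stop ACL inheritance, drop the inherited
# entries and grant access only to the account running the migration.
$acl = Get-Acl -Path $csvPath
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $csvPath -AclObject $acl

"Wrote $(@($rows).Count) rows to $csvPath; delete the file once the migration is verified."
```

Run it as the same account that will later open the Transporter tool, so that account is the one left on the ACL, and remove the CSV (Remove-Item) as soon as step 11 is finished and the warnings have been reviewed.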

Wednesday, December 23, 2009

Music and IT

Last week I was invited to the Microsoft Christmas Community Meeting to speak about mobility and to sing some Christmas carols with my band. Since our year end at PRAS is busy as always, I decided that I could do only one thing – to sing :-).
My business associate Andrei told me that it’s not OK for the business to do that, but since one of my dreams was to sing on a stage, I ignored his advice and convinced my friends from the band to do the show. We were all nervous about it, but in the end it was a lot of fun and it will remain a great moment for the participants, for my band and especially for me.
You can find below some images and short movies from the first show, and maybe the last, of “The Future”.

Sunday, December 13, 2009

Antivirus for Microsoft Exchange 2010

At PRAS we are at different stages of implementing Exchange 2010 for several clients.
There are two recurring questions that we get from our clients:
  • What antispam should we use?
  • What antivirus should we use to protect our new mail environment?
For previous Exchange versions, based on our former experience as system administrators at Vodafone, our traditional answer was: GroupShield from McAfee or, if you have more money to invest, a Web Security Appliance from the same producer (or a „blackbox”, as we call it).
There are other producers that provide antivirus and antispam protection for Exchange, but we had a bad experience with Bit Defender Security for Exchange, so we stayed with the products from McAfee.

For Exchange 2010 we researched the market and, surprisingly or not, for the moment there is no antivirus designed for this product except Microsoft Forefront Protection 2010 for Exchange Server. There is always the option to use a „blackbox”, but this has some major disadvantages, like no protection from infections generated by internal users.
With no other option, we tested the new antivirus and antispam protection for Exchange from Microsoft. There are a few things that make this a great product:
  • Antispam that is deeply integrated with Exchange and provides a 99% catch rate with less than 1 in 250,000 false positives. The old version had no antispam protection and you had to use the standard antispam features included in Exchange 2007;
  • Easy-to-manage quarantine. With the standard antispam protection that could be configured in Exchange 2007 or Exchange 2010 you could configure a quarantine mailbox, but the mailbox was so full of spam that it was impossible to check it for false positives;
  • Innovative, hybrid solution to optimize email hygiene in the cloud with joint on-premises management and monitoring. It provides integration with Forefront Online Protection for Exchange;
  • Premium antimalware via multiple antimalware engines which provide 38 times faster detection than any single vendor solution according to AV-test.org;
  • Brand new user interface and easy-to-use console that allows administrators to rapidly identify and respond to security threats. The old console was a little difficult to understand and it was not so easy to find some settings or features;
  • Easy to install and configure, with set-and-forget smart defaults.
I am eager to see what the competition has to say about this. It is always great to have the possibility to choose between different products and I am sure that soon we will have some interesting choices.