Tuesday, October 19, 2010

Exchange Server 2010 - Management Console Error


While logged onto an Exchange 2010 server and opening the Exchange Management Console, an error message appears. This error can be traced to one of two things: either the Exchange 2010 server really is having communication problems with the in-site domain controllers, or there is profile corruption on the account you are using to log into the Exchange 2010 server. More often than not, the cause is indeed a corrupted Exchange Management Console file in the profile.


Remediation Steps:

Verify Communication with Domain Controllers:

First verify that the Exchange 2010 server is not receiving errors during MSExchange DSAccess suitability testing. This can be verified in the Application event log:

EventID:  2080
Source:  MSExchange ADAccess


If not all of your in-site domain controllers are listed, or the suitability scores differ significantly from one another, investigate whether there are communication and/or replication issues with your DCs. If all looks good, move on to the profile corruption fix.

Profile corruption:


1. Log into IOPMAIL01, navigate to the following location:

2. Delete or rename the following file: “Exchange Management Console

3. Log out and log back in. Open the Exchange Management Console and errors should be gone.

Wednesday, October 13, 2010

Exchange Server 2010 SP1 – SSLOffloading


If you will be leveraging a Hardware Load Balancer for your Exchange 2010 environment, some additional Exchange-specific setting modifications are required to get this working, whether you are using PassThrough, SSLOffloading or ReverseSSL (aka SSLBridging).

  • System Requirements for this configuration:   EXCHANGE SERVER 2010 “SP1”

Options for Load Balancing Exchange 2010 CAS Servers using Hardware Load Balancer:

  • Pass Through


    • Simple and a very common deployment method
      • Configuration Requirements
        • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).
          "TCP/IP Port"=dword:0000ea60 
  • Reverse SSL (aka SSL Bridging) ---  Recommended

    • More advanced configuration, and more advanced forms of loadbalancing available.
      • Benefits:
        • Secure communications end-to-end; no passwords in clear text between HLB and CAS
        • Less configuration required on Exchange 2010 than SSLOffloading below.
        • If your Exchange 2010 CAS are already configured, the only configuration remaining is to set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).

          "TCP/IP Port"=dword:0000ea60
      • Disadvantages:
        • Does not offload (encryption and decryption) cpu processing from the CAS Servers.
  • SSLOffloading 

    (Note: the script at the end of this article will configure all of these parameters for you)


    • More advanced forms of loadbalancing available.   (This Article provides steps to configure)
      • Configuration Requirements
      • Set MSExchangeAB and MSExchangeRPC static ports (AB and RPC should be set to different port numbers).

        "TCP/IP Port"=dword:0000ea60
    • Remove “Require SSL” from Default Website and All Exchange Virtual Directories on each CAS Server
    • Enable Outlook Anywhere, Set Authentication Basic and Set Outlook Anywhere SSLOffloading to TRUE
    • Set OWA for SSLOffloading

      New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD
    • Modify the web.config file for Autodiscover and EWS

      # Configure web.config files
      $path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
      (Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config
      $path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path
      (Get-Content $path\web.config)| Foreach-Object {$_ -replace "httpsTransport", "httpTransport"}| Set-Content $path\web.config


If you configure SSL offloading on an Exchange 2010 CAS server, all user passwords will be sent in clear between the HLB device(s) and the CAS servers, so it's important the traffic is sent over a secure network not accessible by malicious users. If the security policy within the organization states that all passwords should be sent in an encrypted form (even when occurring over a secure network), it's recommended to enable reverse SSL on the HLB device(s). In addition, it's recommended to enable reverse SSL, if the organization does not have a secure network in place between the HLB device(s) and the CAS servers or if there's no noticeable performance gain of offloading SSL to the HLB device(s) in the environment.

SCRIPT to Configure CAS for SSLOffloading

# This script will configure the Exchange 2010 Client Access Servers
# for Hardware Load Balancer with SSLOffloading enabled.
# System Requirements: EXCHANGE SERVER 2010 "SP1"

# Set registry key
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD

# Assign Static Port for MSExchangeAB (stored as a string value, REG_SZ)
# AB and RPC must use different ports. 60000 (0xea60) is assigned to MSExchangeRPC below,
# so 60001 is used here as an example value; any free port that differs from the RPC port works.
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB' -Name Parameters
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters' -Name RpcTcpPort -Value 60001 -PropertyType String

# Assign Static Port for MSExchangeRPC (0xea60 = 60000)
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem' -Name "TCP/IP Port" -PropertyType DWORD -Value 0xea60

# Disable RequireSSL on websites (the call operator & is required to run a quoted path)
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Autodiscover" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/ecp" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/EWS" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Microsoft-Server-ActiveSync" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/owa" -commitPath:APPHOST -section:access -sslFlags:None
& "$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/rpc" -commitPath:APPHOST -section:access -sslFlags:None

# Configure web.config files (switch the Autodiscover and EWS bindings from HTTPS to HTTP transport)
$path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config

$path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path
(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config

# Configure Outlook Anywhere (only if it is already enabled on this server)
$enabled = Get-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*"
If ($enabled)
{
    Set-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*" -SSLOffloading $true
}
Else
{
    Write-Host "Configure Outlook Anywhere and remember to check the box to enable SSL Offloading"
}

Write-Host -f Red "NOTE: Run `"iisreset /noforce`" to complete the process"
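
Because an offloaded CAS accepts credentials in clear text from the load balancer, it helps to be able to confirm exactly which servers are in that state. The following read-only audit is an added example, not part of the original script; the function name Test-CasSslOffload and its output property names are assumptions, and it must be run in the Exchange Management Shell on the CAS itself.

```powershell
# Added example: read-only audit of the settings the configuration script writes.
# Test-CasSslOffload and the Check/Value/Ok property names are hypothetical.
function Test-CasSslOffload {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $results = @()

    # 1. OWA offload flag.
    $owa = Get-ItemProperty -Path "$svc\MSExchange OWA" -ErrorAction SilentlyContinue
    $results += New-Object PSObject -Property @{
        Check = 'OWA SSLOffloaded'; Value = $owa.SSLOffloaded; Ok = ($owa.SSLOffloaded -eq 1) }

    # 2. Static ports: both present and different from each other.
    $ab  = (Get-ItemProperty "$svc\MSExchangeAB\Parameters" -ErrorAction SilentlyContinue).RpcTcpPort
    $rpc = (Get-ItemProperty "$svc\MSExchangeRPC\ParametersSystem" -ErrorAction SilentlyContinue).'TCP/IP Port'
    $results += New-Object PSObject -Property @{
        Check = 'AB/RPC static ports'; Value = "AB=$ab RPC=$rpc"
        Ok = ($ab -and $rpc -and ([int]$ab -ne [int]$rpc)) }

    # 3. RequireSSL state of each virtual directory, read back through appcmd.
    $appcmd = "$($env:windir)\system32\inetsrv\appcmd"
    $vdirs = '', '/Autodiscover', '/ecp', '/EWS', '/Microsoft-Server-ActiveSync', '/owa', '/rpc'
    foreach ($v in $vdirs) {
        $site = "Default Web Site$v"
        $xml = (& $appcmd list config $site -section:access) -join "`n"
        # An attribute left at its default may not be printed; the default for sslFlags is None.
        $flags = if ($xml -match 'sslFlags="([^"]*)"') { $Matches[1] } else { 'None' }
        $results += New-Object PSObject -Property @{
            Check = "sslFlags $site"; Value = $flags; Ok = ($flags -eq 'None') }
    }

    # 4. Autodiscover and EWS web.config should no longer reference httpsTransport.
    $paths = @((Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME).Path,
               (Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME).Path)
    foreach ($p in $paths) {
        $hits = @(Select-String -Path "$p\web.config" -Pattern 'httpsTransport' -SimpleMatch)
        $results += New-Object PSObject -Property @{
            Check = "web.config $p"; Value = "$($hits.Count) httpsTransport"; Ok = ($hits.Count -eq 0) }
    }

    # 5. Outlook Anywhere offload flag.
    $oa = Get-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*"
    $results += New-Object PSObject -Property @{
        Check = 'Outlook Anywhere SSLOffloading'; Value = $oa.SSLOffloading
        Ok = ($oa.SSLOffloading -eq $true) }

    $results | Select-Object Check, Value, Ok
}

Test-CasSslOffload | Format-Table -AutoSize
```

A server where every row reports Ok = True is fully offloaded and therefore depends on the network between the HLB and the CAS being trusted; a mix of True and False rows indicates a partially applied configuration.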

Monday, October 11, 2010

Exchange 2010 SP1 Upgrade Install Issues


Installation of Exchange 2010 SP1 Upgrade results in “AuthorizationManager CheckFailed” error, and Exchange is uninstalled.

Culprit: PowerShell Execution Policy. Round 3 below describes the remediation steps. The other rounds merely prove that multiple solutions published over the Internet did not fix this issue.

The Error:

My first installation of Exchange 2010 SP1 upgrade to my existing Exchange 2010 Client Access Server was a complete failure. Following AD prep and prerequisite checks/installs, I proceeded with the upgrade, and during the Preparing Files section of the install I received the “AuthorizationManager Check Failed” message.


After clicking FINISH on the installation wizard, I noticed that Exchange 2010 no longer existed on that server.  The Removing Exchange files is actually the step prior to “Preparing Files”, isn't that lovely.  Fortunately, I always snapshot my servers prior to Rollup and Service Pack installation, so I was able to rollback and try pass number two. 

Failed Remediation Attempts

Below are the various FAILED remediation steps I took to try and get through this upgrade successfully.  You will see some of these scattered around the Internet.  None of them worked for me.  The solution at the end of this article is the real deal, and fixed my problem.

  • Tried uninstalling previous rollups (Had Rollup 4 installed) – Upgrade failed
  • Changing Execution policy to unrestricted as well as Bypass (local machine policy only) – Upgrade failed.
  • Disabled UAC – Upgrade failed
  • Downloaded installation (upgrade) exe set to “UNBLOCK” before execution. – Upgrade failed
  • Set within IE (Internet Options \ Advanced \ Security)  - Upgrade failed
  • All inclusive settings from above – Upgrade failed.


The Solution (Successful): 

1.  Download Ex2010 SP1 from the Internet on to the machine you are installing SP1.  Following file download, Right Click the exe file > Properties >  “UNBLOCK”.  Extract the file to a location on the local system.
Note: The download was only executed on the first Exchange 2010 server I upgraded.  I copied the files over to the other Exchange 2010 for the other servers upgraded.

2. Download and Install any prerequisites required for the SP1 installation.

3. Open PowerShell and check the ExecutionPolicy for that server. Be sure to check the ExecutionPolicy using the Get-ExecutionPolicy -List command. If you merely run the Get-ExecutionPolicy command, only the LocalMachine execution policy will be displayed.

If the execution policy is different from the image below, in particular if the Machine and User Policy settings are set to anything other than “UNDEFINED”, check to see what is applying the settings. It could be either Local Policy or Domain Policy (GPO).

The image below lists the desired settings:

To verify a GPO applying the settings, perform the following:

  1. Open a command window with extended rights (“Run as administrator”).
  2. At the command prompt, type and then press ENTER:

    gpresult /z > PolicySettings.txt
  3. Open the file PolicySettings.txt in Notepad and Search for the following entry in the list:


    Note where in the Group Policy hierarchy that this entry resides. Repeat this step to determine whether there are other entries that reference "PowerShell."
  4. If Enabled, modify the GPO setting this value to “Not Configured”.
  5. Perform a GPUPDATE /force on the Exchange server on which you are installing SP1 and verify that the policy is no longer applied.
  6. Verify the ExecutionPolicy settings again as above. Once things look like the desired settings above, proceed with the installation.
    From PowerShell:   Get-ExecutionPolicy -List
  7. Once the settings look good, proceed with the upgrade installation.   Be sure to run the installation with elevated privileges.  I normally open a command prompt (Run As Administrator), navigate to the installation directory and execute the installation.
  8. This procedure was successful and consistent across all my Exchange 2010 servers

Of course, if an AD DS Group Policy was the culprit, once you have fixed the policy the fix should apply (verify though) to the remainder of the Exchange servers.
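
The execution-policy check from step 3 can be scripted so it is repeated identically on every server before setup is started. This is an added example, not part of the original post; the function name Test-SetupExecutionPolicy is an assumption, and the registry locations are the ones where the "Turn on Script Execution" policy setting is stored.

```powershell
# Added example: pre-flight check for the execution-policy condition described above.
# Test-SetupExecutionPolicy is a hypothetical name.
function Test-SetupExecutionPolicy {
    # Scopes written by Group Policy; the procedure wants both to read Undefined.
    $policyScopes = 'MachinePolicy', 'UserPolicy'

    # Registry keys that back those two scopes (local or domain policy writes here).
    $policyKeys = @{
        MachinePolicy = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
        UserPolicy    = 'HKCU:\Software\Policies\Microsoft\Windows\PowerShell'
    }

    $ready = $true
    foreach ($entry in (Get-ExecutionPolicy -List)) {
        $scope  = "$($entry.Scope)"
        $policy = "$($entry.ExecutionPolicy)"
        $line   = '{0,-14} {1}' -f $scope, $policy

        if (($policyScopes -contains $scope) -and ($policy -ne 'Undefined')) {
            # A policy-controlled scope is set: show the raw registry value behind it.
            $ready = $false
            $key = $policyKeys[$scope]
            $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ExecutionPolicy
            Write-Host "$line   <-- set by policy ($key, ExecutionPolicy=$raw)" -ForegroundColor Red
        }
        else {
            Write-Host $line
        }
    }

    if (-not $ready) {
        Write-Host 'Find the GPO with "gpresult /z", set it to Not Configured, then run "gpupdate /force".'
    }
    return $ready
}

# Run from an elevated PowerShell session before launching the SP1 setup.
if (Test-SetupExecutionPolicy) { Write-Host 'MachinePolicy and UserPolicy are Undefined.' }
```

The registry keys cannot tell local policy from domain policy, since both write to the same location; gpresult remains the way to identify the source GPO.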

Wednesday, October 6, 2010

Cannot Activate Database Copy: Content Index Catalog Files in Failed State



When activating a database copy in an Exchange Server 2010 Database Availability Group it may fail with an error message that catalog index files are in a failed state.



When you view the copy status of the mailbox database the content index is in a failed state.

[PS] C:\>Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\EX1
ContentIndexState : Failed

Name : Mailbox Database 02\EX1
ContentIndexState : Healthy

To resolve the issue update the content index on the server on which it has failed.

[PS] C:\>Update-MailboxDatabaseCopy "Mailbox Database 01\EX1" -CatalogOnly

The content index should now be in a healthy state.

[PS] C:\>Get-MailboxDatabaseCopyStatus | fl name, contentindexstate

Name : Mailbox Database 01\EX1
ContentIndexState : Healthy

Name : Mailbox Database 02\EX1
ContentIndexState : Healthy

After the content index is healthy you can attempt to activate the database copy again.

Friday, August 13, 2010

Forefront Client Security – Collection Database creation Failure



While installing FCS roles (Management, Collection Server, Collection Database, Reporting Server and Reporting Database) on a server, the verifying settings and requirements step shows all is well (image below). That is, until you initiate the install and the installation bombs out with an error on the creating collection database task. I have run into many posts about this same issue and just about every one of them has a different solution or they gave up. Some of the solutions say that it's because .NET Framework 1.1 is not installed, or Collation settings are not set correctly, etc.

Now I have tried just about every solution out there, and none of them fixed my issue.  So I took matters into my own hands and ventured away from the standard installation wizard.  Below is the solution that got me to the point where I successfully created the Collection Database on the server, and then I was able to resume installing the remaining roles.

Note:  I have only encountered this issue on Windows 2003 x32.  All other installs on Win2008 have been successful.   Below is an image of the FCS server and the roles (consolidated).




A little more information about my configuration will explain the solution. I had the OS installed on C:\ (of course), and SQL 2005 installed on the E: drive. Well, even though I configured the SQL 2005 default database location to the E:\ drive (which of course was permissioned correctly), and specified E:\… for the installation files, the FCS Client installation wizard was still attempting to create the database on C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data.

The wizard does not do what you would expect it to do.  Has a mind of its own apparently.

The Fix:

Grant the SQLServer2005MSSQLUser$<computername>$MSSQLSERVER local group and/or the installation account you are using Full Control permission to the MSSQL\ and child directories. Once this was completed, I was able to complete the Collection Database creation process and the installation of the FCS server. Following the installation, you can move the databases to the desired location. To do that you will have to stop the Client Security services, detach the databases (OnePoint and SystemCenterReporting), move the files and attach the databases.


Exchange 2010 – Antivirus Exclusions


If you're deploying file-level scanners on Exchange 2010 servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both memory-resident and file-level scanning. This section describes directory exclusions, process exclusions, and file name extension exclusions for each server or server role.

Directory Exclusions

Server role | Exclusion Type | Exclusion Consolidated Paths

Mailbox Server Role

  Command to Retrieve the location:
  Get-MailboxDatabase -server <servername> | format-list *path*

  • Log Files
  • Database Content Indexes (default is same location as databases)
  • Group Metrics files
    %ExchangeInstallPath%\GroupMetrics
    (%ExchangeInstallPath%\TransportRoles\Logs and %ExchangeInstallPath%\Logging)
  • Offline Address Book Files
  • IIS System Files
  • Temporary Folder
    Same Path where Eseutil.exe resides
  • Mailbox database temporary folder
  • Any Exchange aware Anti-Virus Folders

Mailbox Server that is a member of a Database Availability Group (DAG)

  • Witness Server directories: (Typically on the Hub Transport Server)

Hub Transport Server Role

  • Log Files: Message Tracking, Connectivity logs,…
    Default path: %ExchangeInstallPath%\TransportRoles\Logs
    Command to Retrieve the location:
    Get-TransportServer <serverName> | Format-List *logpath*,*tracingpath*
  • Pickup and Replay directories
    Default Path: %ExchangeInstallPath%\TransportRoles
    Command to Retrieve the location:
    Get-TransportServer <serverName> | fl *dir*path*
  • Queue database, checkpoint and log files
    Default path: %ExchangeInstallPath%\TransportRoles\Data\Queue
  • Sender Reputation database, checkpoint, log files
    Default Path: %ExchangeInstallPath%\TransportRoles\Data\SenderReputation
  • IP filter Database, Checkpoint, log files
    Default Path: %ExchangeInstallPath%\TransportRoles\Data\IpFilter
  • Temporary Folders
    Exchange Server Temp folder: TMP
    OLE Conversions: %ExchangeInstallPath%\Working\OleConvertor
  • Any Exchange aware Anti-Virus Folders

Edge Transport Server Role

  • AD LDS log files
    Default: %ExchangeInstallpath%\TransportRoles\Data\ADAM
  • Pickup and Replay directories
    Default Path: %ExchangeInstallPath%\TransportRoles
    Command to Retrieve the location:
    Get-TransportServer <serverName> | fl *dir*path*
  • Queue database, checkpoint and log files
    Default path: %ExchangeInstallPath%\TransportRoles\Data\Queue
  • Sender Reputation database, checkpoint, log files
    Default Path: %ExchangeInstallPath%\TransportRoles\Data\SenderReputation
  • IP filter Database, Checkpoint, log files
    Default Path: %ExchangeInstallPath%\TransportRoles\Data\IpFilter
  • Temporary Folders
    Exchange Server Temp folder: TMP
    OLE Conversions: %ExchangeInstallPath%\Working\OleConvertor
  • Any Exchange aware Anti-Virus Folders

Client Access Server Role

  • Servers using IIS 7.0: Temporary files
    "%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files"
  • Servers using IIS 6.0: Temporary files
    "%SystemRoot%\IIS Temporary Compressed Files"
  • IIS System Files
  • Internet Related Sub Folders
  • Servers with POP3:
  • Servers with IMAP4:
  • Temporary Folders for Conversions:
    Exchange Servers Temp Folder: TMP

Unified Messaging Server Role

  • Grammar Files for different locales
  • Voice Prompts
  • VoiceMail Files
  • Temporary Files

Forefront Protection for Exchange

  • Forefront install folder
    Default: "%Program Files%\Microsoft Forefront Security\Exchange Server"
  • Archived Messages
    Default: "%Program Files%\Microsoft Forefront Security\Exchange Server\Data\Archive"
  • Quarantined files
    Default: "%Program Files%\Microsoft Forefront Security\Exchange Server\Data\Quarantine"
  • Antivirus Engine files
    Default: "%Program Files%\Microsoft Forefront Security\Exchange Server\Data\Engines\x86"
  • Configuration Files
    Default: %Program Files%\Microsoft Forefront Security\Exchange Server\Data
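
Exclusions are only as good as the paths behind them: an entry that points at a default location the server no longer uses leaves the real database or queue folder scanned, and an overly broad entry leaves unrelated folders unscanned. The following added example (not part of the original post) builds the list from the retrieval commands shown above plus the fixed defaults; the function name Get-ExchangeAvExclusionPath and the $Server parameter are assumptions, and it is meant to be run in the Exchange Management Shell on each server locally.

```powershell
# Added example: collect directory exclusions from the running configuration.
# Get-ExchangeAvExclusionPath and $Server are hypothetical names.
function Get-ExchangeAvExclusionPath {
    param([string]$Server = $env:COMPUTERNAME)

    $objects = @()
    # Mailbox role: same wildcard as the retrieval command in the list above.
    $objects += @(Get-MailboxDatabase -Server $Server -ErrorAction SilentlyContinue |
        Select-Object *path*)
    # Hub/Edge Transport role: log, tracing, Pickup and Replay paths.
    $objects += @(Get-TransportServer $Server -ErrorAction SilentlyContinue |
        Select-Object *logpath*, *tracingpath*, *dir*path*)

    $rows = @()
    foreach ($o in $objects) {
        foreach ($prop in $o.PSObject.Properties) {
            $value = "$($prop.Value)"
            if (-not $value) { continue }
            # A database path names the .edb file itself; exclude its folder.
            if ($value -match '\.edb$') { $value = Split-Path $value -Parent }
            $rows += New-Object PSObject -Property @{ Source = $prop.Name; Path = $value }
        }
    }

    # Fixed defaults listed above, relative to %ExchangeInstallPath%.
    $defaults = 'TransportRoles\Data\Queue', 'TransportRoles\Data\SenderReputation',
                'TransportRoles\Data\IpFilter', 'Working\OleConvertor'
    foreach ($d in $defaults) {
        $rows += New-Object PSObject -Property @{
            Source = 'Default'; Path = (Join-Path $env:ExchangeInstallPath $d) }
    }

    # De-duplicate and flag entries that do not exist on this server, so the
    # exclusion list is no wider than what is actually installed.
    $rows | Sort-Object Path -Unique |
        Select-Object Source, Path, @{ Name = 'Exists'; Expression = { Test-Path $_.Path } }
}

Get-ExchangeAvExclusionPath | Format-Table -AutoSize
```

Rows with Exists = False belong to roles that are not installed on that server and can be left out of its exclusion policy.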


Process Exclusions

Server role | Exclusion Type | Process exclusions

Set these for all Server Roles

Forefront Protection for Exchange Server